Book review: Spies, Lies and Cybercrime by Eric O’Neill

Eric O’Neill, author of Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers, has had an interesting career hunting down some of the worst spies and cybercriminals (he was one of the principals behind the takedown of Robert Hanssen). His book is part travelogue, part instruction and best-practices manual, and part detailed narrative of how cyber attackers ply their trade. If you haven’t heard of a few of the exploits (Colonial Pipeline, SolarWinds, WannaCry, and many others), this book is useful in describing the back story of these and others that have receded from the headlines. He draws on his own experiences fighting these attackers and on real-life IT workers who are trying to keep their networks secure and protected, and offers “another grim reminder that once your data is out there, it’s out there for good— and the dark web has no return policy,” as he writes. The dark web – where criminals operate – has a gross cybercrime haul greater than Germany and Japan’s GDP combined.

We have already reached the place where we can’t trust everyday sites such as texts, FaceTime, Teams and other social sharing platforms. “Trust has become an uncommon commodity.”

O’Neill has spent years as a national security lawyer, corporate investigator and part of the threat response teams for cybersecurity vendors, so he knows the landscape very well. He wrote this book for a laudable purpose: “If enough of us become covert agents and learn to safeguard our personal data, we can also make the world safe from cyberattacks. This is how we start. One data point at a time.” His philosophy is that we must do better and start thinking like our adversaries if we are to repel their digital advances. “There are no hackers, there are only spies.” His years in law enforcement “left me with a simple axiom: Criminals are lazy. If they weren’t, they’d get day jobs.” So true. And being patient in understanding how your business has been compromised will pay off in finding where the breach took place and how to shore up your defenses.

The end of the book is worthy of clipping as a ready reference, what he calls the Spy Hunter Tool Kit. It is a list of dozens of valuable suggestions, such as never responding to a phishing text (such as the one I got while I was writing this review, asking me to change my PayPal password; I no longer have a PayPal account, having gotten tired of all the scams and come-ons such as this one).

His book was written while AI blossomed (I guess that is one way to describe it) and audio and video deepfakes became more common. One way to suss out if they are fake is to move your hands wildly at the beginning of a video conference call, although eventually AI will figure out a solution to this too.

If you are an experienced cybersecurity professional and want a book to give your friends, family, and co-workers, this is a good place to start with their education. If you are new to the cybercriminal world, this book will show you its depths and darkest corners, and hopefully motivate you to use better and unique passwords and other protective techniques.

This is a great introduction to cybercriminals and how to protect yourself from being their next victim.

Book review: Good Intentions by Marisa Walz

This book takes on several tough subjects as part of its winding plot involving two terrible accidents on Valentine’s Day: one twin sister and one child are killed in two separate auto accidents. The surviving twin and the boy’s mother are brought together in grief, as their worlds fall apart. The twin runs her own event management business, and her husband has his own business too. The psychodrama of these three adults is woven expertly by the author as we watch their conflicts over loss and adjusting to various circumstances that I don’t want to reveal to spoil the plot. As someone who has lost an adult child, I found that their grief journeys aren’t sugar-coated and seem very realistic and raw. And the strong ending is somewhat surprising but brings the novel to an appropriate close. Highly recommended.

Beware of Clawdbot, a new AI tool and potential threat

When I began writing about the potential dangers and benefits of AI a few years ago, I quickly came to the conclusion that the two are very closely tied and both directions present new challenges for enterprise IT managers. The latest development of Clawdbot (AKA Molt.bot or OpenClaw) is a very instructive case study. So what does it do, and what is the threat?

Basically, it is a powerful way to automate your digital life using a variety of AI agents. It is an AI-based assistant, and its use is spreading like wildfire. The top line is that Clawdbot is taking over — Token Security has found it has collected more than 60,000 GitHub reviews and nearly a quarter of its enterprise customers are using it and running it mostly from their personal accounts. They say “It is also a security nightmare, with exposed control servers that can lead to credential theft and remote execution over the internet.” This is no Chicken Little deal — “This rapid adoption signals a significant shadow AI trend that security teams need to address immediately.”

Here are two places that provide a deeper dive: First is security blogger Samuel Gregory, who has an excellent 15 minute demo video where he says “If you don’t know what you are doing, you can cause a lot of damage.” He shows you some of the guardrails you need to install, explains a bit of the bot’s history, and is well worth watching. But many of his suggestions mean you have to do a lot more work to isolate the bot from your online life — which shows quite starkly the tradeoff of security with ease of use.

Shelly Palmer, who actually uses the tech he writes about, has this post where he documents what it took to get it up and running across his digital life. The bot connects his Slack, iMessage, WeChat, and Discord accounts. He has spent several hundred dollars in tokens to fine-tune it, and says it costs him anywhere from $10-$25 a day — “the bot just eats tokens.”

Part of Clawdbot’s problem is that you can run it on your local hard drive, but that it sends its feelers deep into your corporate SaaS infrastructure. For this to work, the bot needs access to your accounts and credentials. The bot’s website (mentioned above) is proud of this connectivity, saying up front that it “Clears your inbox, sends emails, manages your calendar, checks you in for flights. All from WhatsApp, Telegram, or any chat app you already use.” A story in El Reg goes into further details about the security implications. Not surprisingly, as they mention, “Users are handing over the keys to their encrypted messenger apps, phone numbers, and bank accounts to this agentic system.” Gulp.

The bot has its own package registry where you can download various “skills,” as they are called, to do various tasks for you. This sounds great until you realize, as this one researcher describes (sorry it is a Tweet, forgive me), that there is absolutely no vetting, and 100% chance that something you have downloaded has evil intent. Daniel Miessler Tweeted this warning shown below on how to harden any Clawdbot implementation. But many of the fixes depend on personal choices deeply rooted in the realm of Shadow IT. The issue is that it is easy to install, but difficult to install securely, something that many users might not realize in their joy of having a clean inbox and automatically delegating their mundane tasks.

[Image: Daniel Miessler’s tweet on hardening a Clawdbot implementation]

SOCPrime used its own tool to find users who have jumped on the Clawdbot bandwagon, and I am sure other threat intel tools will soon have similar posts.

“Yes, there are real issues: plain-text secret storage, misconfigured admin UIs on the open internet, and a skills ecosystem where people blindly install untrusted code,” says Matt Johansen. So keep your eyes open, scan your networks for the appropriate indicators, and educate yourself and your end users on what they are doing and how they can do it more securely.

When spreadsheets first entered businesses, I recall how hard IT had to work to stay ahead of our users who were enamored with the new tech. But that was a single piece of software. With Clawdbot, we have an entirely new layer of digital infrastructure, and one that is complex and could be costly as well as open up multiple security sinkholes. Proceed with caution.

Book review: Fidelity, an old book with a tale as old as time

For a book that is more than 100 years old, it is surprisingly modern and relevant. The story is universal — a woman breaks up a marriage with an affair, and the subsequent couple is run out of a small town in Iowa. The reaction of the town might be old-fashioned, but the raw human emotions and the inner conflict of the characters are thoroughly modern. The couple can’t get married because the ex-wife doesn’t want to divorce her husband. “Some people, could go on with the life love had made after the love has gone,” says Ruth, the character at the center of this novel, which explores what happens when someone gets stuck emotionally, and how things might have turned out differently if Ruth had just fallen in love with someone else “like other girls in her crowd.” I think my only quibble is that the title of the book might be better with “resentment” because a lot of the emotional content, which is brilliantly written, is about what one character feels towards others.

I read the Belt Publishing version which has a wonderful introduction that ties its narrative to contemporary times.

Book review: Rich Mironov’s Money Stories

I have known Rich Mironov for more than two decades through numerous product management positions across the tech universe. His new book is “Money Stories: Communicating the Value of Product Work” and it is a great guidebook to what he calls members of the maker set and how they can talk to the other part of the company that doesn’t make anything but money (whom he collectively calls go-to-market execs), and hopefully profits to pay for all the fancy product stuff.

Money stories are good for providing the basis of why a company should build a product, creating a shared vocabulary so that both makers and marketing execs can understand each other, and helping rank development priorities and set strategies. And that is a good name for them, because making money is fundamental to a business (sometimes makers forget this), and decisions on what to do and when are often based on magical thinking, or emotions, or anything but money. These stories fall into six general patterns, such as upselling, boosting volume, reducing churn, acquiring new customers, entering a new market, or saving operational costs. For each pattern, he provides sample narratives, walks the reader through the underlying math, and calls out mistakes to avoid.

Mironov has seen it all, having been part of six Silicon Valley startups and consulted for hundreds of private clients. He now lives in Portugal, which I documented in that post. Money Stories is a fast read, but filled with lots of his wisdom. While the book is less than 90 pages, it is chock full of useful and actionable information. For example, “It’s much more productive to have a strategic portfolio-level argument about R&D resources and focus, rather than dragging executives through a 900-row spreadsheet.” And, “It is more important to agree on one simple calculation than throw punches,” presumably at the non-makers in the room.

One metric worth repeating is that “products need to earn six times their direct maker-team costs to fund the rest of the company.” That is the ultimate money story. “Either a product is earning its keep, or it is subject to summary execution.” Plain and simple. This is because the maker group has a heavy lift, and needs to support a constellation of services and specialities such as sales, marketing, finance, HR and so forth.

Much of his full-time experience has been with tech companies in the B2B space, where he is familiar with lengthy sales cycles, multiple people involved in purchase decisions, inability to quickly adapt pricing to market changes, or other sins. You would think this would harden a weaker person, but Mironov goes about his day with plenty of ironic humor (such as this post he wrote more than 20 years ago) and a can-do attitude that shows how he has survived and thrived in the product space.

Throughout the book are very handy “generic money story” diagrams that use simple math to calculate from three factors whether a new feature or product is going to be worth the effort. It is important that this calculation is expressed as a range, to emphasize that we can’t accurately forecast the future (absent a working time machine, he hastens to add). “Money stories are communication tools, so should help drive a lot of conversations and raise interesting issues.” His last chapter reviews how to put these stories into practice, and some words on how AI fits into his worldview.

CSOonline: AI-powered polymorphic attack lures victims to phishing webpages

AI-fueled attacks can transform an innocuous webpage into a customized phishing page. The attacks, revealed in research from Palo Alto Networks’ Unit 42, are clever in how they combine various obfuscation techniques. The combination, though, can be lethal and difficult to discover, and represents yet another new offensive front in the use of AI by bad actors to compromise enterprise networks. You can read more in my story today for CSOonline.

I have too much security today

This morning, I had three tasks to complete that involved using various web sites. First, I had found an old recall on a part to my Cuisinart food processor. The recall notice cited a web page that (I assume) was such an old reference that the page has since evaporated. Then I was trying to review the latest charges on my credit card. And finally, I wanted to pay a doctor bill online. Each of these tasks would have taken minutes to accomplish. Instead, the elapsed total time was several hours.

Now, I am not one of those Gen Z’ers that would rather text (or use the web) than talk to an actual human being in real time. Nevertheless, that was going to be how I would solve the Cuisinart Challenge. While the URL for the recall wasn’t in service, they had provided a phone number in the recall notice.

So I called the number and I was told all lines would be busy for the next five minutes and if I wanted them to call me back, just press 1, which I did. A few minutes later I got my call back. Once the support person took down my info, it was quickly processed and a new part was promised within a few weeks. Excellent service: I think I bought that appliance probably 17 years ago.

Next, on to checking my credit card. I called the bank, they started to walk me through the process, and then we both realized that I was using a “secure” browser (Opera Air) that I remembered had some odd quirks, particularly because it blocks ads and popups. Sure enough, once I brought up Chrome, I was off to the races and able to login without any problems.

That made me think my doctor’s bill was suffering from the same condition, so I tried that in Chrome and hot diggity, problem solved and I could pay my bill just in time for lunch. So much for my morning.

Now, you might ask why I am using Opera Air. I got tired of all the popups and effluvia that I was experiencing with Chrome, and was also annoyed with the Googleplex in general. (Yes, I know, Opera is based on the Chrome code base, but that is just the way the modern browser world operates these days — with the exception of Safari and Firefox. Even Microsoft uses Chrome for Edge nowadays.)

Is there such a thing as using too much security? No. But there is a constant trade-off among security, privacy, and usability. It is a three-way tug-of-war. And the more you tug on one of the three legs, the more the other two will give way.

CSOonline: Secure web browsers for the enterprise compared: How to pick the right one

The web browser has long been the security sinkhole of enterprise infrastructure. While email is often cited as the most common entry point, malware often enters via the browser and is more difficult to prevent. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle (MitM), and other exploits all take advantage of the browser’s creaky user interface and huge attack surface, and the gullibility of most end users.

This is why enterprise secure browsers have finally gotten their moment. The category, which has been mostly flying under the radar for the past six years, has seen a lot of changes since I last wrote about them three years ago. Google announced its own entry into the field last year. Talon and Perception Point — who were in that post — were acquired by Palo Alto Networks and Fortinet respectively, showing how this technology has become part of a larger security context. To that end, other established security vendors have brought forth products in what Gartner is now calling the “remote browser isolation” market to complement their zero trust, secure services edge, or posture management security platforms.

I have updated my post for CSO this week and provide more recent information on how to evaluate this class of products, what are typical protective features, and describe the more than a dozen products and what they offer.

Coming f2f with a nuclear missile

Last week I happened to be on a vacation in Tucson and stopped by a rather unique museum. Those of you who are long-time readers will recognize this as a feature, not a bug (see my work on the St. Louis Aquarium, NSA’s museum, UX museum design, and the Lincoln presidential library). I went to the site of the last Titan Missile silo.

Titans were first created to launch a massive retaliatory strike back in the 1960s. Each missile contained a single 9 megaton warhead, perhaps the biggest bomb ever deployed. (By way of comparison, the original blast over Hiroshima was 15 kilotons.) They were designed to be launched within a minute or so after receiving the go-code. Three locations were picked, each field containing 17 silos that were essentially self-contained underground environments consisting of a dormitory, a control center and the silo itself. In the mid-1980s, all of the other silos were completely decommissioned and made inoperable.

The museum contains the last remaining silo that has a missile in it (minus propulsion and the warhead of course). If you take the tour you spend about an hour underground seeing it up close as well as witnessing a simulated launch sequence with some of the original control gear.

Now, I thought I knew a lot about nuclear missiles, but I found the experience both fascinating and chilling, especially as we seem to be talking about them more often these days. One fact that I learned is that the Titan collection would be launched entirely when the order was given: that meant that all 54 of them would be airborne at once. Whether life on Earth could survive that combined blast isn’t clear. It reminded me of the “Doomsday Machine” that was popularized in the 1960s — of course, that machine was automated. To launch each missile required two human operators to go through a sequence of authentication steps (double-keyed locks, one-time passcodes and the like) to verify things. The movies represent this sequence in spirit. In reality – at least in our simulation – it is very involved with multiple steps, which makes sense.

One of the reasons the Titan was decommissioned was that the era of a single big bomb per missile evolved into having one rocket with multiple smaller warheads, which is what the vast majority of the world’s some 12,000 weapons look like today. Another point in Titan’s disfavor is that it doesn’t make sense to have much in the way of land-based weaponry, since they are essentially sitting ducks for the enemy to target. Most of today’s weaponry is mobile, based in subs or on planes, such as that of the UK or France.

But whether you count by warheads or rockets requires a lot more nuance. China, for example, has a huge stockpile, but fewer weapons that are ready to launch. And I would argue that another aspect that doesn’t get much discussion is the world’s 400-plus nuclear power plants that are scattered around 30-some countries. While these plants are doing something useful – producing electricity – they are also sitting ducks for enemy targets. Russia has specialized in this arena, sadly. About a year ago, the Chernobyl nuclear power plant was targeted by Russian drones that punched a hole in its protective roof. Some have said it was an accident, and Russia denies they fired anything, both not very credible statements.

As you might remember, the damaged reactor was encased in a huge building with several layers of steel and concrete, designed to keep the escaping radiation inside and away from humans. To my way of thinking, this was the second time a nuclear strike was used in warfare. The first was an earlier Russian missile fired at Ukraine’s nuclear power station. Why no one is making a bigger deal out of these events is curious.

After my friend and I did the Titan tour, we decided to watch Dr. Strangelove to see how accurate their depiction of nuclear warfare was. While the exact details differed, the movie has held up well over the years, and I would recommend you screen it too.

LinkedIn Live: Inside the threat hunt, turning signals into evidence

I recently moderated a live event (which has been recorded and can be accessed here, with registration) about how to do threat hunting using Corelight’s Investigator tool. My partner is Mark Overholser, who is their technical marketing engineer. Mark is an accomplished threat hunter and veteran of numerous Black Hat SOC tours of duty, so he has seen a lot of wonky circumstances go across his screens.

We talk about why being proactive is important in learning how to hone your investigations, and how to use the MITRE ATT&CK foundation (shown above) and schema to hone your focus and guide your efforts. (I wrote about the evolution of ATT&CK for CSO back in 2021 here.) We also discuss how to drill down to suss out what is going on across your network.

Corelight also has an excellent threat hunting guide that is keyed to the ATT&CK categories, with loads of suggestions for how you can leverage it to help in your hunts.