Your credit information may be available on the dark web, but at least we’re learning about cyber security!

Before we get started talking about Equifax, I’d like to apologize for the brief interruption in our regularly scheduled programming, err… blog… posting? As you may know, our company resides in beautiful St. Petersburg, FL, which recently found itself in the path of Hurricane Irma.

We’re glad to say that we made it out safe and relatively unscathed. Most of us have power back by now. I actually had mine back shortly after the storm but continued to eat room temperature beans out of aluminum cans by candlelight while living without electricity for fear of looters.

Anyway, while we’ve been bailing water, a lot has happened in the world of cyber security. Namely, the Equifax Breach. So I figured this would be an excellent opportunity to go over what happened and what we can learn from this whole situation.idUSKCN1BN1WN

What is the Equifax Breach?

Equifax, an equestrian telecommunications company… [Editor’s Note: This was the point that we sent Carl back to do some more research] Scratch that. Equifax is one of the world’s largest credit reporting agencies. It keeps information on over 800 million consumers and over 88 million businesses worldwide.

On July 29^th, Equifax discovered that it had been breached. Over the coming days and weeks, it was discovered that over 143-million consumer records – including full names, addresses, social security numbers and other personal identifying information – had been compromised. As more and more scrutiny has been applied to Equifax, additional troubling information has emerged that raises serious questions about the company’s security practices.

As far as data breaches go, this could be the motherload. Per a report by Reuters, verified credit card information – meaning a card that has been tested and is still active – can fetch 10-20 dollars per card on the dark web. Full ID dossiers – which include all the information to carry out identity theft – can fetch up to $10. It may seem like a trivial amount, but when you’re pulling down 143-million records it can turn into a nice haul. Some experts are already calling this the worst breach in history.

What Happened with Equifax?

From the sounds of it, Equifax really needs to overhaul its security policies and practices. A lot of what occured comes down to gross negligence. The vulnerability that was used against Equifax is called Apache Struts CVE-2017-5638. Apache Struts is an open-source framework for developing Java web applications. Researchers identified the vulnerability that was used against Equifax on March 6, 2017. It was patched a week later.

Now, if you do the math, Equifax had roughly four and a half months to patch its own systems and remove this vulnerability. It clearly didn’t. Now, 143-million consumer records have been exposed.

And that just appears to be the tip of the iceberg. Hold Security, a Milwaukee-based security firm was able to crack one of Equifax’s Argentinian database and harvest employee information with little more than guesswork. In this case, Equifax was using “admin” as both a username and the accompanying password for the database. Let’s pause for a second and appreciate a major international credit monitoring agency that has secured its database with the same level of sophistication as the average internet user sets up a router with—using just the default settings.

Let’s just put it this way. I’ve been tricked, duped and ripped off on the internet so much that my coworkers have sarcastically taken to calling me “Cautious Carl.” I got ransomware my first day working here. To this day, I’m considered such a danger I have to ask permission just to use the internet at work. The point I’m making is that when I can look at your company’s security implementation and tell you it’s awful—it must really be bad.

What Can We Learn From Equifax?

There used to be a great baseball player named Gary Sheffield that had an amazing swing, which, ironically enough, was also a pretty textbook example of how not to swing a baseball bat. Commentators used to remark that you could look at him in action and teach a young player exactly what not to do. Equifax’s security is a lot like Gary Sheffield’s swing, except for rather than using it to mash 509 career homers like Gary did, Equifax just took a fastball in its daddy bits.

Actually, that’s probably a terrible analogy for a number of reasons, the least of which is that I’m trying to talk to the cyber security community using an example that includes the word “baseball.” (It’s the game with the bases and the outs and the wooden bats—no, not Cricket. Nevermind. Just nevermind.)

Anyway, the point I’m making is that we could probably write a book on how not to secure a company or organization just using Equifax examples. In fact, someone probably will. The infosec community is petty like that. For our purposes though, there is one big lesson we can take away from Equifax.

Always stay up to date on Security Updates

Apache Struts had been patched for months before Equifax was breached. This wasn’t some zero day exploit where nobody had any warning, this was a well-documented vulnerability that should have been dealt with immediately. Or, at least within four and a half months of its disclosure. Granted, this kind of feels like your newly eclipse-blind friend telling you that this was a great lesson about not staring at the sun – it’s that obvious – but it’s still good advice. Advice that goes unfollowed far too often, even in this day and age. You just can’t ignore patches and updates. I mean, I guess you can, but this is what happens.

Of course, there are other smaller, more specific lessons that you can glean from this fiasco as well. Like, for instance, don’t ever use admin as a password for anything. Ever. Especially if your username is also “admin.” Or how about maybe don’t offload $2-million worth of stock before your company has a chance to disclose a security breach. Again, that’s very specific but it’s sound advice.

A Final Word

Let this serve as a lesson to you. The next time you get a notification about updating new security settings, spend the minute or so it takes to implement them. Granted, chances are the personal data of 143-million consumers doesn’t hang in the balance, but don’t let that stop you from updating.

And hey, at at least if you learn this one lesson you’ll be able to say you gained something from this entire debacle when your identity inevitably gets stolen sometime around Christmas.

Thanks, Equifax.

74% of SMBs have been targeted by hackers

Your business is not too small to get hacked, trust me. We’ll get to that in a second though, first let me tell you a story. I used to have this friend named Jim. He had the same mindset. ‘Nothing’s going to happen to me.’ He did everything right. Crossed all his T’s, dotted every I. Successful at all levels of life. Beautiful wife. Good job. Then during his last week of work his spacecraft suffered critical power cell failures, started leaking oxygen and almost killed him.

Ok, so that’s actually the plot of Apollo 13, and as I reread it I’m not entirely sure how it relates to your website getting hacked except to say that anything can happen.

You may think nothing’s going to happen to you. That you and your small business fly beneath the radar and scope of hackers and cyber criminals. But the odds of Jim’s Service Module suffering a catastrophic energy failure were astronomically low, too.

…he never did get to walk on the moon…

Anyway, business owners who think their business isn’t at risk are misguided. The odds of a small or medium-sized business getting hacked are not small at all. In fact, according to a 2016 study by Symantec – the top security brand in the world – 74% of small and medium-sized businesses have been target by hackers and cyber criminals.

These Cyber Criminals Would Make John Dillinger Blush

A lot of people try to paint the internet like it’s the Wild West. That’s lazy and uninspired. Like the plot of a Hallmark Channel movie. Besides, it’s not nearly as lawless. No, the better comparison would be during the depression era when bank robbers and the FBI were constantly battling across the nation’s headlines.

To follow this metaphor to its absurd conclusion you should look at the MO of a lot of these bank robbers. Sure, you could knock off a big bank, but that took more planning, more resources. And the banks typically had security, the ability to investigate and possibly find the culprits, see? Sorry. (I didn’t mean to start writing in a James Cagney mobster voice right there.)

You see my point though, yes you can knock off a big bank but that could make things go sideways, fast. A lot of times it was easier to knock off a smaller bank in a rural county. It was a quicker job. Less security. Lower risk of getting caught. You could knock out several in a weekend without drawing much heat.

Sound familiar?

Don’t Let Your Business Become the Modern Equivalent of a Po-Dunk Bank

The fact of the matter is that small and medium-sized businesses make attractive targets to cyber criminals and hackers because they’re far less likely to have the resources to invest in good security.

Whereas large enterprise-level companies can afford to staff entire teams for cyber defense, a small or medium size business can’t.

Another advantage enterprise-level businesses have is that they’re far more likely to survive a cyber-attack. According to the National Cyber Security Alliance, 60% of the SMBs that suffer a cyber-attack go out of business within six months.

So, not only can you get hacked—it could also put you out of business.

It’s Time to Invest in Protection—And Not the Sopranos Type

You don’t wear a seat belt because you think you’re likely to get into an accident, you wear one because what COULD happen when you don’t is too serious to take any chances with. Hell, you even wear a seat belt on an airplane and there is NO WAY that’s going to help you in a crash—hey, at least they’ll know what seat to look for your corpse in.

The point is, even if you want to ignore the statistics and the likelihood you could be a target, the seatbelt logic still exists. What COULD happen if you aren’t staying current with security trends is your entire business could go up in flames. Remember, three out of five small and medium sized businesses that get attacked are out business within half a year.

Now, no one security product is a cure-all. You’re going to need to build a set of defenses to help you mitigate everything from eavesdropping to DDoS attacks.

An SSL certificate is a great place to start. It won’t solve all your problems, but it will protect your website’s sensitive data, encrypt all communication between your business and its customers and prevent anyone from tracking visitors on your site.

Some certificates even provide verified proof of identity, to help put your customers’ minds at ease. Adding SSL to your website is the perfect first step towards securing your business’ online interests.

And it’s never been more important. Granted, nowadays the robbers have names like “Fancy Bear” and “Guccifer” instead of “Machine Gun Kelly” and “Babyface” Nelson—but the stakes are the same: your livelihood.

So, don’t wait for one of these crooks to come waltzing through your bank lobby to think about security, see.

Stay cautious, my friends.

Dynamic Site Seals offer immediate, indisputable assurance of SSL protection

Have you ever been so nervous about being robbed that you hid your whole wallet in your rectum? No? Me neither…

I am however convinced that Google planted a tracking chip in me during an airport cavity search in Atlanta back in 2003. How else does my smart phone know where I am, where I’m going and what the weather is like there? [Editor’s Note: By that logic, wouldn’t it always be 98.6 degr—just grossed myself out].

Continue reading There Are No $20 iPads… and Some Stuff About Site Seals →

Seriously, the end is nigh.

Normally we reserve our discussions for SSL, encryption and how you can personally stay safe online. But sometimes I like to update you on emerging technology, too. So today we’re going to talk about how Artificial Intelligence (AI) is going to alter the cyber security landscape very soon.

In fact it’s already beginning to.

When I say Artificial Intelligence, your mind probably goes right to the Terminator movies and SkyNet. When I first saw that movie I ruined a good pair of pants and spent the next few months in adult diapers while I waited for the flashbacks to stop. So you can probably imagine how many Tide pods it took to rectify my reaction when I saw AI and Machine Learning (ML) in the news recently.

Granted, AI isn’t designed to turn murderous – just like cell phones aren’t designed to eradicate our social skills – it starts as a tool that humans design with the noblest of intentions. It’s just that at the end you wind up with an entire generation of fidgety kids that don’t know how to hold a conversation, much less make eye contact—in the case of cell phones. Or just mass human extinction in the case of AI.

But Carl, what does AI have to do with cyber security?

Sorry, started to go off on a tangent there, let’s get back on track. In the years before an AI wipes out humanity, we will be able to apply the technology to cyber security and use it to help make our networks safer. You see, at the heart of cyber security is a constant game of cat and mouse between cybercriminals and the brave men and women who protect our networks.

The problem is, if you’re a hacker all you’re looking for is a vulnerability to exploit. Whereas, for a cyber security professional, you’re attempting to holistically secure an entire network—a much broader task. Have you ever seen Star Wars? The very first one—there’s like ten of them now. The Death Star is a perfect metaphor for cyber defense. You built this whole big death star, and spent copious amounts of time on its defenses, but you totally forgot to cover that one hole in the trench over there and now the other guys have used it to blow you up.

At least they knew they had been breached right away at the Death Star. Notice came in the form of hot, fiery death. It takes the average organization 226 days to even detect a breach, and then 69 more days to contain it. That’s due to the human element being incapable of processing large amounts of data rapidly.

Enter AI and Machine Learning.

Currently, new products like Intruno , that use AI and ML to monitor your network 24/7/365, are emerging.

How is that different from other products that do the same thing? Well, over time these products get smarter. The Machine Learning aspect means that they analyze all of your network data and start to identify patterns of use. What employees are using what logins from what access points, what areas they typically access, what times they typically log on—everything.

Then it looks for deviations from those trends and notifies administrators when something is off.

You can probably see how that would help to mitigate threats. Suddenly, if Ivan the Russian hacker – or it could be China or some guy in his home in New Jersey – tries to breach your network, the AI will see an unfamiliar location, or that the compromised login is behaving differently than normal (for instance, trying to access new parts of your network). At that point it will work to mitigate the issue. This happens in real time, as opposed to the way things have typically be done—which takes much longer.

It’s an exciting development and one that promises to make us all much safer, but it’s worth noting that AIs are not going to be exclusively used for defense, either. No, eventually cyber security will shift from man vs. man to AI vs. AI as cybercriminals unleash AI technology that will help advance their own nefarious objectives.

So how does an AI that monitors network activity end humanity, Carl?

If the prospect of an AI vs. AI cyberwar doesn’t send a shiver down your spine, what inevitably comes next definitely will. Eventually, one of the AIs tasked with defending a large network will postulate that the only surefire way to keep its network completely safe from being breached by humans is to simply eliminate humans entirely. How it goes about carrying out that task is something I’ll leave almost entirely up to your imagination, though I picture it liquefying us.

Anyway, it’s just a matter of time before we go completely extinct.

But in the interim, we should enjoy vastly improved cyber security. And hey, the eradication of our entire species is a small price to pay so that Target can avoid another data breach. Totally worth it.

Stay cautious, my friends.

A political data analysis company has exposed 198 million US voter records

Chances are you’ve never heard of Deep Root Analytics, and in this case that may actually be a good thing. The fewer people that know of the GOP data analysis company—the lower the odds your voter records were compromised.

That’s because, according to security firm UpGuard, Deep Root Analytics left a database containing 198 million voter records exposed for the world to see.

To provide a little bit of context, according to US Census information there are approximately 200 million registered American voters. Carl wasn’t a math major, but 198 over 200 is… basically, ALL the voter records.

An UpGuard Cyber Risk analyst named Chris Vickery, who found the files, notified federal authorities who we can only assume wrote a sternly worded letter or some other bureaucratic foolishness.

What? I Read It for the Articles!

A Deep Root spokesman told the celebrity gossip blog, Huffington Post, “we take full responsibility for this situation.”

Deep Root also said that it believes only Vickery accessed the information, which is a lot like when you come home after a hard day’s work, open your son’s bedroom door to say hello and catch him trying to stuff an old Playboy under his mattress. Then when you ask him about it he tells you he only looked at it the one time.

You know, the one time you caught him.

I’m not saying I don’t believe Deep Root Analytics, I’m just—well, actually, yes that is what I’m saying. I don’t believe Deep Root.

Deep Rooted Analysis of Your Personal Information

What’s more frightening than the fact that your personal information – names, addresses, political affiliations – was potentially just compromised by a group whom you never even consented to having possession of your data in the first place?

How about the analysis they were performing on that questionably obtained information?

Vickery downloaded over 1.1 terabytes of unsecured information. What he found was staggering, Deep Root uses 9.5 billion (with a B) data points to build a terrifyingly accurate model of 198-million US voters’ political preferences using advanced algorithmic modeling across 48 political issues.

Not only does Deep Root have an obscene amount of data about you – data you never even agreed to let it have – that data has been used to profile you and segment you into demographics.

Ok, How Deep Are We Talking Here?

DEEP. Without getting overly political, there was even more valuable data on both the 2008 and 2012 elections available on those servers. This information is potentially way more dangerous than your voter records.

This is information from DataTrust, the “GOP’s exclusive data provider.” There are two sets of 51 files, one for each state and the District of Columbia. Each file, which is in .CSV form, contains 32-character RNC IDs – one for every voter in the database, regardless of affiliation – that link a number of data points together.

The IDs can be used to look up voters by name. For a frame of reference, here is a list of all the .CSV categories:

For those who don’t want to parse all of that, these data sets include things like: date of birth, addresses, phone numbers, party affiliations, racial demographics, religious leanings, registration status, income information—even if someone is on the federal “Do Not Call” list.

That data appears to have been used by another GOP analytics group, TargetPoint, to create a model for the 2016 election.

In a 50GB file, each potential voter is scored against 46 columns, each of which contains a policy or candidate that the voter may or may not be likely to vote for. The GOP then uses this information for micro-targeting (both parties do this, it’s not as if the GOP are the only ones performing this analysis).

Here’s a look at the issues you’re being modeled on:

Per Dan O’Sullivan, who wrote the UpGuard report and looked himself up: “It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate.”

When I read that last quote, I got so scared a little bit of pee came out. That’s a terrifying amount of information. And all that data was exposed online for who knows how long.

But it’s OK, Deep Root believes the only one who accessed it during that time is the guy who reported it.

How reassuring.

Stay cautious, my friends.