What is the best password strategy to pursue?

When it comes to passwords, there are a variety of opinions.

And that is the problem. Most people choose password is based on requirements brought forced to them by the system.

Still, on password breaches, data analysis shows that most passwords are very weak.

When asking user is why they choose week passwords the common answer is that they can’t remember complex passwords, and H presents too much of a challenge for them.

Yet even choosing a supposedly strong password based on requirements isn’t necessarily the best solution.

I could go into the mathematics of Y system required, strong passwords are weaker than actually choosing a common phrase that you can easily remember.

And that brings us to the solution to having a strong password, Which is not only easy to remember but is mathematically even more complex.

Take a phrase that you can easily remember: the sun is shining in my street at house number 17.

Running a brute force attack on the passphrase like that is very complex. Yet, it is very easy for you to remember because it’s going to be difficult to forget where you actually live.

This is obviously only and example. However, it shows that complex passwords don’t have to be complex and such a way that they are very difficult for a user to remember. Plus, the typing of such information is very easy.

Let me know what you think about this password strategy which is been around for quite a while.

Is your organizations data valuable to outside threats?

Whether or not your organizations data as valuable to outsiders depends heavily on what business you’re in.

Generally said, your organizations data is valuable :period.

There is an ever increasing amounts of data being taken from paper, and digitized.

Therefore they are not only victim to attempts of corporate espionage, but also to data collection spies, And even more persistent threats.

While ago I worked on a case of CEO Frade, in which the main enabler was the fact that the email server of the organization had a vulnerability, which was exploited, and allow the perpetrators to monitor email communication between the chief executive officer, and The chief financial officer.

This angle was then exposed by the attackers to lose a couple of million euros; unretrievable.

So you see, it’s not only corporate espionage that as a threat of valuable information, but much less appearing information can be utilized to harm your organization.

How do you handle antivirus alerts

That depends on the policy behind antivirus incidence.

Should be alert be for a legitimate file, it can be white listed.

Upon the incident being positive and a malicious file being in the system, it needs to be quarantined and delete it.

After the quarantine the source of the file needs to be checked in order to determine where it came from and where the vulnerability is in order to prevent future incidents.

Overtime these anti-virus alerts can be fine-tuned so that’s the frequency of alerts can be reduced.

Removable media control, Endpoint security and The Problem of transportability of data

One of the major problems in the digital age is the transportability of data. Even large quantities of files and papers can be moved on a device smaller than a coin. Therefore, removable media control is one of the essential things to include into your cyber security risk assessment.

One of the countermeasures was the tendency of endpoint security; meaning, that computers and servers were locked down in such a way that files cannot be copied to mobile devices and taking out of the office.

Approximately 10 years Ago I served on a project in which the lack of endpoint security lead to significant damage of the company. The client was a large law firm with the global footprint, and had repeatedly become victims of extortion of employees who were pressed into retreating sensitive data from the organization’s systems.

What we ended up doing was not only implementing an end point security scheme but went one step further and made the general moving files much more difficult, without limiting business operations.

Our solution was to make files available on The company server without making them copyable by any element. Obviously, 100% security could never be guaranteed but the point of the operation was that the possibilities of extracting a file in sensitive information from the corporate server was much more difficult.

Specifically this meant that files which were shared with employees are third-party assets were opened in a browser and could only be sent via link. The link within open the file for review, but classified files could not be downloaded, copied, or otherwise removed from the system.

While this didn’t entirely solve the problem, it took the edge off, and made it possible for the technical personnel to sleep a bit more comfortably.

Cyber insurance versus insurance companies

Getting cyber insurance cover is easy.

Getting cyber insurance coverage that is adequate and up to speed to current threats: totally different story.

Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products; mostly to customers who don’t need them.

So what’s up with that?

While ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in signing cyber insurance contracts.

During the negotiations however, it turns out that they generally ruled out e-commerce businesses.

The main argument was that an e-commerce business could fall victim to a denial of service attack.

My counter argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.

I went on to argue that denial of service attack’s are easily mitigated through various means; the most important one of which is a content distribution network.

Still, the insurance company wouldn’t budge.

Having close connections inside the insurance company I went ahead and looked at their exclusion list. And it was terrifying!

I ended up working with them to reduce the general exclusions, and softened up some of their strict policies towards certain types of businesses. And now, they are doing tremendously well and signing up risks, which are manageable.

Cyber Insurance: What is a DDoS attack and how to mitigate it?

I don’t know how often I had to answer the question what a DDoS attack is. Yet one of the most prominent questions was when I was confronted by an insurance company offering cyber insurance products.

Together with a friend I run a cyber insurance brokerage. Obviously, the clients have to be signed by the insurance company. The products most of the companies have are crap.

And if they are not, their underwriting policies are… well, worth getting used to.

A client of mine operates a rather large e-business, particularly an e-commerce shop.

Like pretty much all of the e-commerce sites, this one was also concerned about the safety of their site, and wanted insurance if they got taken down.

We did my famous analysis of their operation and ruled out most of the obvious risks.

This would give me an easier stance trying to pitch it to the insurance company.

None the less, the first thing the genius underwriter tells me with a frown on his face is that the risk is not coverable because it’s an e-commerce operation relying too heavily on the income from the website.

His main argument, however, was that the risk of a DDoS attack was too big, before resting his case, and trying to send me off.

I asked him if he was even aware of what a DDoS attack was, upon which a large discussion erupted which was mainly focussed on me having crushed his ego.

However, it was fruitful from the angle that I was able to find a “noob” explanation to the issue, which I outlined by explaining to him that it was like a million people trying to exit an aircraft after it had landed, and all of them had to fit through the door. (very short version).

Against all odds, he understood what I was trying to convey to him; yet now came the bigger problem… explaining the solution fo fighting off a DDoS attack.

You see, probably one of the most easiest things to do is to put a content distribution network Infront of your operation. A CDN will take malicious traffic and deal with it differently than with legit traffic coming to a site.

So: bye bye DDoS attacks.

I told him the we could make this a prerequisite for the client to receive insurance coverage… yet the discussion was and burned.

 

 

Finding your next employer on the dark web?

Obviously free from state sanctioned pension plans, and otherwise inhibiting characteristics, I recently stumbled upon job advertisements on several marketplaces on the dark web during an investigation.

Probably the most interesting, and first job advertisement was that by liberty market who were looking for a French speaking content “cleaner”.

And they are increasing in number.

Wear this trend originates, and how the specifics are of such an employment leaves to be discovered.

Fact is: the dark web is the most dynamic ecosystem on the planet; currently. All of the business conducted there in requires a lot of ingenuity, Good designers, and even more so very good security experts.

About John Cryan and the nonsense of the cashless society

In his speech at the world economic forum in Davos The former Deutsche bank CEO was one of many to support the quest to rid the world of cash.

Again, he stands in a long line of defenders of this practice.

And while it is true that a large quantity of crime is being committed on the back of cash, the alternative is much more Grimm.

I work together with a variety Of crisis response companies Who reacts to cases of kidnapping and ransom, extortion, and similar risks.

Unanimously these companies I work with sai dad’s paying a kidnapper in conventional currency is one of the most promising factors to retrieve the loot, and to trace the assets back to an individual or organization.

So his cash were taken out of the equation entirely, criminals would resort to alternatives.

In the recent past, and increasing amount of kidnapping around some cases have been changed in appearance by the perpetrators requesting bitcoin and other crypto currency’s in favor of dollars, euros, and other conventional currencies.

The problem is that crypto currency is in general very difficult to trace.

If done right a bitcoin can be in obfuscated that it will never be able to be traced.

The dark web would not be the dark web if it hadn’t invented algorithms to support these types of obfuscation.

Once these have been utilized, criminals often take their new and washed with calling to introduce them to an offshore casino there by entirely eliminating any trace that the crypto currency, which is now conventional currency, was used in a crime.

Mitigating sophisticated phishing attacks

Phishing has always been a rather difficult issue to solve.

I’ve spent countless hours trying to create programs to successfully keep employees from opening suspicious emails, believe me!

The new generation of phishing, however, is even more complex and the threat is even more difficult to mitigate.

In the most recent cases I worked on, the email sent to the victim was either announced or followed up by a phone call from a seemingl legitimate source.

Thereby, the victim was dooped into opening the attachment to infect the system/network, and there is pretty much no training that will help to reduce that risk.

One of the issues we began working on was to have existing contacts confirm their identity through an IM. Of course this only works if the source is internal, and/or the source is available on an IM service.

Stay safe folks! These new attacks are devious with potentially devastating consequences, essentially with no one to blame.

@Cloudflare and @TorProject: Speeding up #Privacy

One of the most annoying things when using TOR browser, and surfing to conventional websites using Cloudflare CDN was that you got a reCaptcha.

More often than not this would not happen once, or twice – but multiple times over before you actually got the content you wanted.

Appearently, this has changed because in September Cloudflare annouced that it worked together with the Tor Project to mitigate this annoying issue, but in the course of their coop, they actually found a genius way to make Tor faster with their technology.

This is great for those seeking privacy… yeah, I know… the criminals, too. But hey, you can use a knife to cut onions. Oh, wait – stupid analogy…

This just as a heads up… go to the website to read the technicallities yourself; and how to activate them in the case you run a .onion TLD website.

Why is it important to have a BOYD policy

BOYD, or bring your own device describes the scenario in which an employee is encouraged to bring their own computer hardware to the office, and use it for productivity purposes.

Obviously, this has benefits for the company. The company does not need to invest into equipment for the employee to be productive. Also, the employee will be more familiar with their own hardware, then they would be with a computer or telephone provide it for them.

However, a bring your own device policy brings along certain risks.

The company will have less influence on the hygiene of the devices. Also, there are certain drawbacks in terms of control the company has over the device.

A majority of users will – if they bring their own device Dash feel as if the company has no influence on the device.

The case of the spying paper shredder

When you think of spies, you never think of a harmless paper shredder.

A few years back, and one of my most meaningful contracts, was to find out and stuff a leak inside and organization with offices six of the seven continents.

I have been introduced to the company through a mutual connection between myself and the chief executive of the organization a question.

Aforementioned CEO was dissatisfied with the work of my predecessors. These had conducted extensive analyses in the organization; but all by the book.

The result was: the leak was still there or not fixed even some $3.5 million later.

The mutual connection I mentioned earlier got a hold of this information and was so Milyer with my out-of-the-box thinking and introduced us through an email upon which I was hired to conduct another analysis to find out where the leak was and to submit a proposal on how to stuff it.

I spent the next next weeks on planes traveling to pretty much all of their facilities and offices around the globe.

Very quickly managed to isolate the office where the leak originated. So for the next weeks I was in that office conducting research as to how the sensitive information got out of the office and into the hands of the competition.

We conducted everything from radio frequency and analysis to exclude the possibility that the information was sent out of the building to the obvious suspects being a leak in the IT infrastructure and even to suspecting certain Individuals in the organization.

None of this yielded any results turning the excitement from the beginning and to somewhat have a frustrating project.

Some weeks later I was sitting in a conference room at 2 AM chewing on a piece of stale pizza that was left over from dinner, while playing carousel with an office chair I was sitting in.

Every time I made a turn a paper shredder caught my attention with the red LED on top.

One of our desperate measures was too exchange parts of the furniture, artwork, and office equipment. This pull through to replacing parts of the coffee canisters placed in that specific meeting room. What we had not taken into consideration previously was the old style of information extraction.

This organization was still rather paper heavy and a lot of the meeting notes were taken on paper; and parts of them disposed through conventional means.

No I was curious to find out whether or not this paper shredder was the culprit. And so 230 in the morning I went to the janitor of the building and asked him for a screwdriver and other tools; if you want to know that you’re right, he wants and village at that moment!

I opened the case of the paper shredder, disconnected it from the power supply, and as I opened it I saw a perfectly integrated scanner which snapped scans of every piece of paper from both sides before it was destroyed. It’s took me two or three closer looks to find it, and the contraption was brilliantly engineered have to agree where strips were fit it inside so that no light of the scanning process what escape the housing.

Bottom line: the competitor in question went through a lot of trouble to place this device. The cost of engineering it was quite extensive: further, the reason the information was not discovered by the radio frequency analysis is that the middleman of the competitor and bribed One of the cleaning ladies to replace a USB key if they had inserted into the machine on a weekly basis.

So you see: not even are we safe from paper shredders anymore.

The most complex case of CEO Fraud… yet; and how to mitigate it.

CEO fraud was probably one of the most devious forms of cyber crime. Above that, it is the highest form of social engineering.

Do you know that feeling when you get to a project and you’re thinking: how in the hell could this have happened?

Recently happened to me in the form that I was called, and sitting in a helicopter being airlifted to a midsized organization in which The most complex case of the CEO Friday I’ve seen today it had happened.

In short: the perpetrators head injected malware into the email server of the organization, thereby being able to monitor both the CEOs and the CFO$ mailboxes permanently.

The CEO was about to contact to deal with an organization in London, and all of his itinerary was in his mailbox; even The telephone number of his hotel.

Long before this happened, the perpetrators had hired someone with a similar voice to that of the CEO, and above that spoke his native language. The CEO used Voice Memos frequently, which allowed the perpetrators to also copy a style of speaking.

The CEO arrived in London, and the deal did not come to fruition. However, the perpetrators called the CFO and the organization, and the impersonator they had hired claimed that the deal had in fact been signed.

The impersonator then gave the CFO the bank details upon which DCF I will execute the transfer of €25 million.

Upon the CEOs returned to the organization into the office A day later to see if I congratulated him to the deal closure.

The CEO then replied that the deal had not been closed, and the things started to unravel

The damage turned out mildly, and we put the necessary precautions and methodology is in place so that the kids like that can never repeat again; at least not with this organization.

Why it’s a good idea to isolate EOL applications/software with insufficient patches, and how to do it

Software and applications are the Achilles’ heel of the information technology; when they reach end of life which is inevitable, or when they are not updated in high enough frequency, protocol suggests to stop using them altogether.

However, a lot of applications are mission critical for an organization.

In this case, and as I have seen and applied in the wild, one of the ways to continue using them is to isolate them from the rest of the network.

Isolating specific pieces of software or applications from the rest of your IT environment is by running them inside dedicated virtual machines there by cutting them off from most of the rest of the network.

Why you don’t want your RJ 45 sockets available in the wild

A few weeks ago I had friends visiting from Thailand. Being the good host I try to be I took them to see several A few weeks ago I had friends visit from Thailand. Being the good host I try I took them on a variety of sightseeing tours; one of them was inevitably to one of the castle switch around here.

While we were strolling through the facility I couldn’t help but see a wire running throughout the complex, which obviously didn’t exist back in the 1800s.

Lo and behold it was a network cable.

This network cable was not only connected to the sprinkler system and the fire alarms, the exit signs and alarm system; it was also the same cable that ran to the cashier. Meaning, that the entire network infrastructure was exposed to interception.

Technically, it would be possible to separate the cable and install a device which will give you permanent access to the network.

As if this wasn’t bad enough, I found at least half a dozen RJ 45 sockets throughout the complex which would have made my work even easier; had I been a criminal.

It’s important to understand that these sockets were at locations where I would have been undisturbed four hours.

After this startling experience I kept my eyes open for rogue RJ 45 sockets in the wild.

A few days after the visit I mentioned, I had to go to a public and ministration building: and what was the first thing that smiled at me? Right! Another rogue RJ-45 socket.

Now, unless you have very specific MAC address filtering in place, rogue sockets will allow criminals to get a very good scan of your organization. If the access to systems is limited to, even then would it be possible to conduct a scan of the network, Which would reveal devices that are vulnerable, and allow for penetration of the network through that device.

Well this may seem obvious to a lot of us, they’re obviously a lot of people out there in our profession that do not take such Warnerville it is as a given fact.

Therefore, I dedicated an entire part of my cyber security risk assessment checklist to not only wrote RJ-45 sockets in the wild, but also to their placement, the mapping of the placement in case someone tampers with the box, and a variety of other issues.

Contact me if you’d like to get a copy of my checklist for your work.

European Parliament: Special Committee on Terrorism > Brief by Lars Hilse on the risks of Cyber Terrorism

European Parliament Lars Hilse Cyber Terrorism

In July 2018, I was invited to provide a briefing to the Special Committee on Terrorism of the European Parliament about the risks of cyber terrorism on critical infrastructure and public spaces.

The trip to Brussels was exciting and insightful, a lot of interesting questions mostly after the taping of the session which you can see above.

If you want the slide-deck of my presentation, please email me.