The ultimate outsider threat?

Not so fast there, Alf…

I know I have been blathering on about insider threats lately, so let’s go to the other extreme – the ultimate outsider threat.

A pair of researchers have given some thought to the possibility of aliens hacking us (us being Earth) via interstellar messages.

From their paper:

Our main argument is that a message from ETI cannot be decontaminated with certainty. For anything more complex than easily printable images or plain text, the technical risks are impossible to assess beforehand. We may only choose to destroy such a message, or take the risk. The risk for humanity may be small, but not zero. The probability of encountering malicious ETI first might be very low. Perhaps it is much more likely to receive a message from positive ETI. Also, the potential benefits from joining a galactic network might be considerable.

If the aliens have the ability to create Flash content, we are doomed.


The other big hack of 2016?

Obligatory stock photo of masked hacker.

According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people.  The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:

…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

The price for this treasure trove?  US$600.

With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision.  They could choose the victims to concentrate their efforts on for maximum profit.  Real world attackers could also use this information to plan crimes such as burglaries or kidnappings.  Governments (both foreign and domestic) could use this information to select targets for surveillance.

The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use.  If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection.  If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.

This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real.  If this turns out to be a real story, I think we have the winner for the biggest non-political hack of 2016.

Stay tuned.


no, it’s not the end user’s fault

No, you’re not.

According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”

What security people need to understand is that the end users are not the problem.  The end users are our customers (and one of the main reasons we have jobs).  The problem arises from the increasing sophistication of attackers and their tools and ruses.  In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover over the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money).  Since then, the attackers have been getting better and better at their jobs.  They send very professional looking email and social media bait which is very hard to distinguish from legitimate email.  They do their homework, mining social media for personal and business information to make their clickbait more convincing.  End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.

I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks.  It has a great return on investment for just about every organization.

We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them.  Organizations need to beef up their email security, adding things like pre-delivery attachment analysis, real-time checking of clicked URLs at both delivery time and click time, and exploit mitigation on the endpoint (EMET is free and pretty effective; Microsoft has since retired it in favor of the exploit protection built into Windows 10).
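As an added example (not code from the original post), here is the “hover over the link and see if it matches the text” check automated the way a pre-delivery mail scanner would do it: parse every anchor in an HTML message and flag the ones whose visible text looks like a URL or domain that does not lead where the href actually goes. The sample message, the `suspicious_links` function and the crude `registrable` helper are all assumptions of this example; the domains are reserved example.* names.

```python
"""Automated version of the "hover over the link" phishing check.

Added example (not from the original post): parse the anchors in an HTML
message and flag any whose visible text looks like a URL or domain that
does not match the host the href really points to. The sample message at
the bottom is constructed for this example and uses only reserved
example.* domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that "looks like" a domain or URL, e.g. "secure.example.com".
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels.

    Good enough for this example; production code should consult the
    Public Suffix List so that co.uk-style suffixes are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return (visible text, href, reason) for every anchor that lies.

    Anchors whose text is not URL-like ("Click here") are not judged here:
    there is nothing to compare the href against.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue
        shown = registrable(match.group(1))
        target = urlparse(href)
        if target.scheme.lower() not in ("http", "https"):
            findings.append((text, href, f"non-web scheme {target.scheme!r}"))
            continue
        # urlparse resolves the "user@host" trick for us: everything before
        # the "@" is userinfo, and .hostname is the real destination.
        actual = registrable(target.hostname or "")
        if actual != shown:
            findings.append((text, href, f"text shows {shown}, link goes to {actual}"))
    return findings


# Constructed sample message; every name is a reserved example domain.
SAMPLE_EMAIL = """
<p>Your statement is ready. Visit
<a href="https://www.example.com/help">www.example.com</a> for help, or sign in at
<a href="http://example.net/login">https://secure.example.com/login</a>.
Verify your account at
<a href="https://www.example.com@example.net/login">https://www.example.com/login</a>.
<a href="https://www.example.com/unsubscribe">Click here</a> to unsubscribe.
<a href="javascript:alert(1)">example.com</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"FLAG: [{text}] -> {href}: {reason}")
```

Run it and the first, honest link passes while the three deceptive ones are flagged: a plain host mismatch, the `user@host` trick (which a user hovering over the link can easily misread, since the brand name appears first), and a non-web scheme. “Click here” anchors are deliberately not scored, because the check only has something to compare when the text itself claims a destination.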

End users are not stupid.  They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day.  We have to step up our efforts to protect them, not call them a problem.  That’s what we get paid for.

Go hug an end user today.


sometimes the “it department” isn’t the it department

For your social engineering reading pleasure…  the takeaways?  First, operational security is important – this scam worked (at least for a while) because the scammer was able to speak the language of her victims, as she was familiar with Lowe’s procedures and systems.  Documentation and information capable of making an outsider seem like an insider, or which gives a technical hacker the names of systems, IP addresses and the like, needs to be protected from unauthorized access.  Second, educating your users to be suspicious of out of the ordinary requests from (seemingly) internal sources should be a key part of your security awareness strategy.


MARCIA MURPHY at 410-209-4885
June 24, 2013


Defrauded Lowe’s of at Least $250,000 by Calling Lowe’s stores and Pretending to be from Lowe’s IT Department

, Maryland – Lucerte “Lisa” Abellard, age 35, of Dobbs Ferry, New York, pleaded guilty today to conspiracy to commit wire fraud in connection with a scheme to defraud Lowe’s stores.

The guilty plea was announced by United States Attorney for the District of Maryland Rod J. Rosenstein and Acting Special Agent in Charge Lisa Quinn of the United States Secret Service – Baltimore Field Office.

According to her plea agreement, Abellard called employees at Lowe’s stores around the United States, pretending to be from the “IT department” at Lowe’s headquarters, telling the Lowe’s employee that she received a report there were problems with a register at the Lowe’s store.  She would then ask the employee to run a series of diagnostics on the register, often pretending to be able to see the tests remotely.  The purported diagnostics ended with a “test” transaction that put a credit on a Lowe’s gift card – usually about $3,000 to $4,000.  In reality, this “test” transaction put a credit onto a Lowe’s card possessed by Abellard or her co-conspirators. Abellard was usually successful in deceiving employees into believing she was calling from Lowe’s IT department because she was very familiar with Lowe’s internal procedures and systems – including the names of systems and databases routinely accessed by Lowe’s employees.

Abellard received a portion of value on the gift card she fraudulently credited from the co-conspirators to whom she sold the cards.  After obtaining the fraudulent credit, Abellard would contact the co-conspirator that had paid her for the card, advise that person of the credit and that the card needed to be used quickly before Lowe’s detected the fraud.  Phone records connect Abellard and her co-conspirators to the fraudulently obtained gift cards, and confirm that Abellard made most or all of the fraud calls to Lowe’s stores.

The total loss to Lowe’s as a result of the scheme was more than $250,000.  The government contends that Abellard was the leader of the scheme and will offer evidence to prove that at sentencing.

Abellard faces a maximum sentence of 20 years in prison and a fine of $250,000.  U.S. District Judge Ellen L. Hollander scheduled her sentencing for September 26, 2013, at 10:00 a.m.

Today’s announcement is part of efforts underway by President Obama’s Financial Fraud Enforcement Task Force (FFETF) which was created in November 2009 to wage an aggressive, coordinated and proactive effort to investigate and prosecute financial crimes. With more than 20 federal agencies, 94 U.S. attorneys’ offices and state and local partners, it’s the broadest coalition of law enforcement, investigatory and regulatory agencies ever assembled to combat fraud. Since its formation, the task force has made great strides in facilitating increased investigation and prosecution of financial crimes; enhancing coordination and cooperation among federal, state and local authorities; addressing discrimination in the lending and financial markets and conducting outreach to the public, victims, financial institutions and other organizations. Over the past three fiscal years, the Justice Department has filed more than 10,000 financial fraud cases against nearly 15,000 defendants including more than 2,700 mortgage fraud defendants. For more information on the task force, visit

United States Attorney Rod J. Rosenstein thanked the U.S. Secret Service for its work in the investigation.  Mr. Rosenstein praised Assistant U.S. Attorney Justin S. Herring, who is prosecuting the case.
