Two factor authentication on web apps should be the default


tl;dr – If you are using Microsoft Office 365 (or any other hosted email solution) and have not enabled two factor authentication, you are bad and you should feel bad

Microsoft and other cloud vendors really need to make two factor authentication the default for their email and other business critical cloud applications.  You should have to make an active decision to turn off 2FA and be forced to watch a video about companies who were hacked as a result of lack of 2FA in order to make the decision stick.

I spent too much time today dealing with two business partners (one small and the other large) from whom my users received multiple emails containing PDF phishing documents.  These emails were hard for users to recognize as bad – they came from a real email account of a real person at a real firm that they had done business with.

What had happened was that our partners were using hosted email and had not enabled two factor authentication.  A user at each got phished, and in each case the attacker took control of their mailbox and used it to send the evil documents to all of their contacts.

Fortunately for us, our protections worked – user awareness training and multiple layers of web and email filtering alerted us to the problem, and none of our users fell into the trap laid by the attacker.

It could have been much worse.  A more sophisticated attacker could have made far better use of the senders’ identities, for example to redirect payments on invoices or to get our users to disclose confidential information.  Or who knows what.

That being said, it is still pretty bad – any information we sent to those email accounts in the past is now in the hands of who knows who.  We are reviewing the traffic to the hacked accounts to determine what could have been exposed.  While it seems that these guys were not after intellectual property, we will never know where that information ends up.

The decision on the part of these two partners to not have 2FA has real costs for my firm – users had to be notified, all emails sent to those partners need to be reviewed for sensitive information and an incident report written.

For now, I am pulling all of our email logs to determine which of our vendors are using various hosted email platforms and sending them a note inquiring as to whether they use 2FA.  If not, we are going to have some serious talks with them about their security posture.  We’re also going to start monitoring for partners who move from on-prem to hosted email.
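As an added example (my own sketch, not code from the original post), here is one way to script that log review: parse inbound mail records, classify each partner domain by the relay host it delivers from, and flag partners whose relay changed from an on-prem server to a hosted provider. The log format, the provider suffix table and every sample line are constructed assumptions; real logs and provider hostnames will differ.

```python
"""Added example (not from the original post): classify partner domains by the
relay hosts that appear in our own inbound mail logs, and flag partners whose
mail has moved from an on-prem server to a hosted provider. The log format,
provider suffix table and every sample line below are constructed assumptions.
"""
import re
from collections import defaultdict

# Relay-host suffixes taken to identify a hosted mail provider (assumed
# fingerprints; extend this table with whatever your own logs show).
HOSTED_SUFFIXES = {
    ".mail.protection.outlook.com": "Office 365",
    ".google.com": "Google Workspace",
    ".googlemail.com": "Google Workspace",
    ".pphosted.com": "Proofpoint (hosted)",
    ".mimecast.com": "Mimecast (hosted)",
}
ONPREM = "on-prem/unknown"

# Constructed postfix-style inbound record: date, envelope sender, relay host[ip].
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) inbound from=<[^@>]+@(?P<domain>[^>]+)> "
    r"relay=(?P<relay>[^\s\[]+)"
)


def classify_relay(relay_host: str) -> str:
    """Map a relay hostname to a hosted provider, or ONPREM if none matches."""
    host = relay_host.lower().rstrip(".")
    for suffix, provider in HOSTED_SUFFIXES.items():
        if host.endswith(suffix):
            return provider
    return ONPREM


def parse_log(lines):
    """Yield (date, sender_domain, provider) for every parseable inbound record."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an inbound delivery record; ignore it
        yield m["date"], m["domain"].lower(), classify_relay(m["relay"])


def provider_by_domain(lines):
    """Most recently observed provider for each sender domain."""
    latest = {}
    for _date, domain, provider in sorted(parse_log(lines)):  # ISO dates sort as text
        latest[domain] = provider
    return latest


def migrations(lines):
    """Domains whose relay changed from on-prem to hosted: {domain: (date, provider)}."""
    history = defaultdict(list)  # domain -> [(date, provider)], consecutive repeats collapsed
    for date, domain, provider in sorted(parse_log(lines)):
        if not history[domain] or history[domain][-1][1] != provider:
            history[domain].append((date, provider))
    moved = {}
    for domain, seq in history.items():
        for (_d1, p1), (d2, p2) in zip(seq, seq[1:]):
            if p1 == ONPREM and p2 != ONPREM:
                moved[domain] = (d2, p2)
    return moved


# Constructed sample log (documentation IP ranges; no real hosts).
SAMPLE_LOG = [
    "2018-01-03 inbound from=<ap@vendor-a.example> relay=mail.vendor-a.example[203.0.113.5]",
    "2018-01-05 inbound from=<sales@vendor-b.example> relay=mail-out1.google.com[198.51.100.7]",
    "2018-01-08 inbound from=<ops@vendor-c.example> relay=mx1.vendor-c.example[203.0.113.40]",
    "2018-01-09 outbound to=<ap@vendor-a.example> relay=mail.vendor-a.example[203.0.113.5]",
    "2018-01-20 inbound from=<ap@vendor-a.example> relay=vendor-a-example.mail.protection.outlook.com[198.51.100.20]",
]

if __name__ == "__main__":
    for domain, provider in sorted(provider_by_domain(SAMPLE_LOG).items()):
        print(f"{domain:20} {provider}")
    for domain, (date, provider) in migrations(SAMPLE_LOG).items():
        print(f"{domain} moved to {provider} on {date}: time to ask about 2FA")
```

Run against the sample, vendor-a shows up as Office 365 and is flagged as having moved there on 2018-01-20, vendor-b as Google Workspace, and vendor-c as still on-prem. The suffix match is deliberately conservative: anything that does not match a known hosted fingerprint is reported as on-prem/unknown rather than guessed, so the list of partners to contact errs on the side of a conversation.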

This type of attack is happening way too often, and it exposes companies who never signed up for these hosted services to risk that simply should not exist.

Off to look at emails…


Insider Threat Resources – 01-Feb-2018


I have the privilege of serving as a mentor for a course at SUNY-Albany focusing on the problems posed by insider threats.  Since I am SUCH a wonderful mentor, I will be keeping an eye out for interesting resources for the students.  Since these might also be useful to others, I will be blogging a list of them each week.

Best Practices

Mitigating the Inside Threat: Boeing’s Successful Approach
Security Magazine – Feb 2018
Requires free registration to read (which seems to be busted right now – hope they fix this as it sounds like an interesting piece)

Updating our Knowledge of Insider Threats
Measuring Organizational Confidence in Addressing Insider Threats
Conference Board of Canada – Jan 2018

7 Insider Attacks Behavioral Analytics Detects
CSO Magazine 2018-01-31

Recent Insider Incidents

2017 US State of Cybercrime Highlights on Insider Threats
US Veterans’ Administration

Just Interesting

What the Count of Monte Cristo can teach us about Cybersecurity
IEEE Spectrum – Jan 2018


Response to Russian government cyber attacks – a lost opportunity?

Where is James Bond when you need him?

Russia’s apparent interference in the United States’ Presidential election marks an escalation in what state-sponsored cyber attacks are willing to target.  What the US does in response to this strike against the very basis of our (somewhat) fair and free elections process really matters.

Letting Russia achieve its goals without any response is problematic, as it would encourage them and other state and non-state actors to continue to target the US without fear of retribution.  If you believe (as I do) that cyber operations will play a significant role in 21st century conflicts, doing nothing is clearly not an acceptable response.

So, if the US were to respond, what is a proportionate response?  As imperfect as our electoral system is, interference in Putin’s sham elections, in which there is no opposition with a snowball’s chance in hell of winning, is clearly a non-starter.  A limited attack on critical infrastructure (shutting down the electric system in Novosibirsk) sounds good at first, but would seem to violate the laws of war about collective punishment and targeting civilians.  There is also a risk that mounting such an attack would tip off Ivan to methods and sources, and make it harder to use such weapons in war time.  An attack on a manufacturing control system aimed at shutting down production or damaging machinery might be more appropriate as a demonstration of both capabilities and intent.

So, if the US were to take out Vodka Distillery No. 6, should we take public credit, or would a private note government to government be enough to deter future attacks?  It seems to me that taking public responsibility for such an attack is important if we want to deter Russia and other state and non-state actors in the future.

Of course, all of this seems to be academic as the next administration clearly benefited from this attack and seems to include many with close ties to Russia and Putin.  Even if the Obama administration could plan, mount, and execute a response, it is unclear whether the new administration would pursue a policy of continuing response over the next four years.  Without threats of future retaliation for new cyber attacks, a response now would be a one-time gesture of revenge.

Getting political here for a minute, it seems to me that a President who does not pursue a program of responding to serious attacks by a nation state on our homeland would, at the very least, not be doing their job and, at worst, be acting as an agent of a foreign state.  Time will tell what President Trump will do, but you will have to pardon me if my expectations are low.

In the coming days, the Obama administration should make every effort to collate and make public all the evidence of the Russian government’s role in this affair.  Then, it is up to us as a people to demand a proportional response from our elected officials.


The other big hack of 2016?

Obligatory stock photo of masked hacker.

According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people.  The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:

…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

The price for this treasure trove?  US$600.

With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision.  They could choose victims to concentrate their effects on for maximum profit.  Real world attackers could also use this information to plan crimes such as burglaries or kidnappings.  Governments (both foreign and domestic) could use this information to select targets for surveillance.

The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use.  If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection.  If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.

This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real.  If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.

Stay tuned.


Today, I want to be a Canadian

This morning, I read an amazing story in the New York Times about a Syrian refugee family building a new life in Canada.  As you would expect, the piece highlighted the many challenges they are facing, from cultural differences to finding work.  What really stood out for me, however, was that Canada not only took these people in, but that everyday Canadians “adopt” each family and volunteer their time to help them make the transition.

When I contrast the attitudes expressed here in the US about taking in these refugees, who are truly fleeing persecution and death, it makes me very sad.  Canada’s response seems much more in keeping with American values than anything I have heard down here in a long time.  I fear that the US has lost its place in the world as a beacon of hope and democracy.

If I wore a hat, it would be off to the government and people of Canada.


Sometimes the helpers need help too


I received some very sad news this morning – Melissa Claros (one of my colleagues at the Weehawken Volunteer First Aid Squad) lost her husband, Robert, suddenly this weekend.  Melissa and Rob shared love and a common desire to help their communities.  Rob was an EMT for the West New York ambulance squad and a volunteer fireman in their town in Pennsylvania and Melissa is a volunteer EMT here in Weehawken.   Rob was just 28 years old and he leaves Melissa not only with a broken heart, but also two young children to raise while she attends nursing school.

While there is nothing we can do to fill the void in Melissa’s heart left by Rob’s untimely passing, we can help her and her kids deal with some of the financial burdens which they face now and in the future.

Rob’s colleagues in West New York have set up a GoFundMe page to help the family out at this difficult time.  Rob and Melissa have consistently stepped up to help their communities.  Rob was and Melissa is “good people” who could use some help.

If you would like to help out someone who has spent a lot of time helping out others, please consider making a donation at




Best infosec quote of all time…


Sometimes, saving money can cost you money (like $81 million)…  Apparently the hackers who made off with millions from the Central Bank of Bangladesh had some help from the bank’s IT department, who decided to save money by forgoing firewalls and purchasing used routers that could not segregate private from public traffic.  My new favorite information security quote of all time was in this article:

A firewall would have made attempts to hack the bank more “difficult” Mohammad Shah Alam, a forensic investigator who works on the Bangladesh team investigating the theft, told Reuters.

Yes.   Yes it would.  Can’t get anything past this guy.



malware strikes non-jailbroken iOS devices

Walled gardens don’t provide 100% protection.

A reminder that while iOS still seems to be safer from malware threats (as long as you don’t jailbreak your device), Apple’s walled garden is not totally weed free.  Researchers found malicious apps in Apple’s App Store which use vulnerabilities in iOS’s digital rights management software to install malware on standard (non-jailbroken) devices.  This particular family of malware only targets devices located in mainland China, but there is no guarantee that others will not try to exploit the same issue to infect users elsewhere.

Apple removed the malicious apps from the App Store when they were informed of the issue, but it is important to note that the apps stayed up in spite of multiple reviews by Apple until then.

We iDevice users have been quite lucky when it comes to malware, but it is important to remember that iOS is not immune to malware attacks.  The best defense is to be choosy about the apps you install – if you have not heard of an app, look for reviews and information out on the net before downloading it to your phone.

Of course, Donald Trump promises to build a “terrific” wall around Apple’s App Store and make Mexico pay for it…
