Sunday, January 04, 2015

Why Willie Sutton Robbed Banks: the real answer, and what it has to do with the #SonyHack

Willie Sutton was one of the most notorious American bank robbers of the twentieth century, spending two years on the FBI's list of Ten Most Wanted Fugitives.

Sutton is also the subject of one of the most frequently cited - and bogus - anecdotes in all of security (we're talking everything from physical security to information security and cybersecurity). At just about every security conference that I've attended, someone has used some version of the following:
"When a reporter asked the bank robber Willie Sutton why he robbed banks, Sutton replied: "Because that's where the money is.""
Before we look at what Sutton really said, please note that if you like this anecdote, you can still use it with one small change to the wording:
"When a reporter asked the bank robber Willie Sutton why he robbed banks, Sutton is said to have replied: "Because that's where the money is.""
That's right, according to Sutton's autobiography, he never said he robbed banks because that's where the money is. The reality, claims Sutton, is that a reporter fabricated the exchange (Sutton, 1956). Here's what Sutton really thought:
"Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life."
Willie Sutton's Autobiography
You don't have to be a criminologist to find that answer both illuminating and fascinating, maybe even frightening. That's because the bogus "where the money is" anecdote supports the Rational Choice Theory of criminal behavior underpinning Situational Crime Prevention programs that are a major component of crime reduction policy in some countries (notably the U.K.). At security conferences and in security writing (Felson and Clarke, 1998) the Sutton anecdote is presented as both amusing and educational, implying that security should focus on protecting the most valuable and convertible assets. (In fairness to Felson and Clarke, they use the "said to have said" version.)

In fact, I have used the anecdote myself, for example: "Why do [criminal hackers] seek unauthorized access to networks and digital devices? Because that's where the data is, and data is the new currency." However, in that same 2011 SC Magazine article I also noted Sutton's true motivation, and not just to be snarky. The serious message here is that the reality of Sutton robbing banks because he enjoyed it is immediately recognizable to anyone who has studied the thrill of hacking and the phenomenon of hacktivism. In other words, Sutton may be a poster boy for expressive crimes, those "containing a high emotional or ‘expressive’ element" (Hayward, 2007); these are crimes in which reason plays only a small role, if any. Expressive crimes are potentially immune to crime prevention measures based on Rational Choice Theory and Classical criminology.

Which brings us to late 2014 and the multiple hacking attacks on Sony, both the destruction of data at Sony Pictures and the sustained denial of service attack on the PlayStation Network (PSN). We already know that the latter was perpetrated by a group of people going by the name of Lizard Squad and motivated, first and foremost, by the fun of it (see interview transcripts such as this one). While many organizations focus IT security efforts on protecting data that can be readily converted to cash, Sutton and Sony remind us that for some criminals, the thrill of the crime is the primary motivator. And if the fear of apprehension and detention is not stronger than the love of the crime act, the chances of creating an effective deterrent are slim.


Felson, M., Clarke, R. (1998) Opportunity Makes the Thief: Practical theory for crime prevention, Police Research Series, Paper 98, Editor: Webb, B. Home Office Policing and Reducing Crime Unit Research, Development and Statistics Directorate, U.K.

FBI, Famous Cases and Criminals: Willie Sutton:

Hayward, K. (2007) "Situational Crime Prevention and its Discontents: Rational Choice Theory versus the ‘Culture of Now’" Social Policy & Administration (3): 232-250.

Sutton, W. and Linn, E. (2004). Where the Money Was: The Memoirs of a Bank Robber. Broadway Books. New York City. (First published 1976 Viking Press, New York City, New York), p. 160.

Saturday, December 20, 2014

Why the #SonyHack is not cyberwar

Here are two links that are essential reading for anyone tempted to invoke the term "cyberwar" to describe the hacking of Sony Pictures and its subsequent canceling of The Interview.

Book: The Tallinn Manual on the International Law Applicable to Cyber Warfare. This is the primer on the subject. Readable online at no charge.

Article: Cyberwar: reality or a weapon of mass distraction. Very readable paper by my friend and boss, security expert Andrew Lee (.pdf file).

Hopefully, politicians and commentators talking about the Sony Pictures hack will familiarize themselves with the facts and arguments laid out in the above publications before crying War!

Friday, December 19, 2014

Dear George Clooney - A word about cybersecurity

The following letter was written in response to remarks made by the actor and activist, George Clooney, in this article: Hollywood Cowardice: George Clooney Explains Why Sony Stood Alone In North Korean Cyberterror Attack

Dear Mr. Clooney,

I have great respect for your work sir, on film and off; I have a feeling we hold many of the same views on politics and economics and social justice. So it makes me sad to see how badly people have briefed you on the stark realities of cybersecurity. You seem to be under the impression that America can, with impunity, tell cyber criminals to "bring it on". You appear to be having difficulty understanding why big companies don't want to provoke hackers. Please allow me to explain.

In my own work I have seen the way in which multinational companies generate billions of dollars in profits by applying digital technology to improve productivity. My job has been, for the better part of two decades, advising companies on how to defend this highly profitable digital technology that they deploy.

Sadly, time and again, too many times to count, my fellow security professionals and I run into companies and company executives who reject our advice as too costly to implement, as an unreasonable burden on their business. When we say that the path they are taking comes with a large amount of risk, they either don't believe us or they say, "fine, we'll risk it."

The result? America's corporate ecosystem, like those of many other countries, suffers from systemic cyber weakness to the point where no company today can afford to say "bring it on". Why? Because they know they are not impervious to potentially crippling hacking attacks.

I used to be in the penetration testing business, that's where you pretend to be bad guys in order to test another company's cybersecurity; our guys had a 100% success rate. They always found a way in, and they didn't even break the law to do it. Every pen tester I've ever spoken to has a similar record.

Let me give you some real world numbers to put things in perspective. This summer hackers raided JPMorgan Chase, impacting over 75 million households and 7 million small businesses. The company CEO publicly stated that the bank spends $250 million a year on cybersecurity. And the hackers still got in, which is why the CEO also said he expects the bank to raise that budget to $500 million. Let's assume the extra $250 million is the annual cost to fix the problem and keep hackers out; that amount is less than one sixtieth of the bank's average annual net income over the last five years ($16.5 billion).

And here's the kicker: JP Morgan Chase will not be spending $500 million in 2015, they're going to ramp up to that number over the next five years. In other words, even a huge bank is going to live with risk. However, you can bet they will try to minimize that risk by avoiding confrontation. Surely, you've made enough action movies to know the score here. The bad guys have powerful weapons, weapons against which you do not, as yet, have adequate defenses. Do you choose to fight anyway, even though seasoned experts tell you such a course of action risks the privacy and pocketbooks of thousands, maybe even millions of lives? Or do you regroup, take stock, get smart, harden your defenses, and figure a way forward?

Trust me when I say that is the way things are today. It's not that I don't believe in free speech. But as you know, exercising freedom of speech on the streets, in the real world, well that sometimes requires police protection. In cyberspace there is no police protection to speak of, not yet anyway. Rather than berate those who are being realistic about our current weaknesses, let's put our anger and our energy into demanding companies and governments do a better job of securing our digital assets and defending the digital world.

That's a petition I'd happily sign.


Stephen Cobb, CISSP
Tweet @zcobb if you'd like
to connect or stay in touch

Saturday, August 23, 2014

The Continuing Pain of Cybercrime Explained in One Simple Graph

Let the line A show the rate at which we are increasing the following variables:
  • number of people with cyber skills
  • the amount of resources devoted to deterring cybercrime
  • the level of regulatory compliance
  • the national resolve to address the problem
  • international resolve to address the problem
Now let line B show the rate at which the following are increasing:
  • number of people on the Internet
  • number of things on the Internet (IoT)
  • the ease of use and accessibility of cybercrime tools
  • the number of people prepared to engage in cybercrime
Graph these over time and you can see C = the pain of cybercrime. The more we can increase the upward angle of A, while reducing the upward angle of B, the less cybercrime we will experience.

Just to be clear, globally speaking, C is a net negative. Cybercrime can be positive for criminals and their immediate economic environs, such as communities with limited options for legal employment of a gainful nature. However, C undermines the primary factors by which the upward angle of A can be increased: economic prosperity and political stability.

Saturday, August 09, 2014

Is this your Sample Information Security Policy?

If you or your organization is the original creator of the following Sample Information Security Policy then I would like to hear from you: 
Every organization needs an Information Security Policy (although they may call it something different). When used appropriately the organization's whole approach to security will be guided by the policy document, a copy of which may well be requested during discussions around mergers, partnerships, and bids for new business. I have discussed the role and importance of security policy in several webinars, including this one directed at small and medium sized businesses.

Sunday, April 27, 2014

Business Continuity Management: Sounds boring yet saves lives, companies, butts

Lately, I've been revisiting an area of information security into which I have dived deeply on several occasions over the years: Disaster Recovery, which is pretty much the same as Business Continuity Management or BCM, which includes Business Continuity Planning (BCP). Along the way I have assembled a list of high quality BCM resources and articles that folks might find useful (and available for free in most cases). You will find the list at the end of this article. Here's a scene-setting quote from one of the articles:
Disasters can strike at any time – often with little or no warning – and the effects can be devastating. The cost in human lives and property damage is what makes the evening news because of the powerful tug of human interest. Much less coverage, however, is given to the disruption, struggle and survivability of business operations. A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all companies that close due to disasters – hurricanes, power failures, acts of terror and others – never reopen. (Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery)

Monday, April 14, 2014

Internet voting security: a scary tweet that reached 227,391 (even before Heartbleed)

Last month I tweeted a picture of some computer code that was part of an Internet voting system. That picture was re-tweeted so many times it reached more than 220,000 Twitter users. So, that had to be some pretty amazing code, right? Yes, as in amazingly frightening. Take a look, and then read on for a short explanation, and also a long one if you have the time.

A very clever computer scientist, Joe Kiniry, has been concerned about the security of Internet voting applications for some time. Joe is a former Technical University of Denmark professor, now Principal Investigator at Galois. In his research Joe noted this section of code in a program that was actually used for national elections in a European country.

The coder(s) have included a comment reminding themselves that security checks still need to be coded. My tweet suggested that this slide nicely illustrated the question of “what could possibly go wrong?” when it comes to Internet voting. Of course, the best answer to that question is: So much could go wrong you simply cannot use the Internet to elect public officials in a fair, honest, secret ballot!

Saturday, January 18, 2014

A call to action we ignore at our peril

You don't have to watch all of this video to know that Josh Corman has clearly articulated the massive scope of the IT security challenges we face today, and he has done it using language that even a CEO or a Middle School teacher can understand. I think the whole thing is worth watching, but if you cut to minute 15 you get to the crux of the matter:
"Our dependence on technology is growing faster than our ability to secure it....Issues of public safety and public concern require public discussion and public solutions...We are going to be the ambassadors of technical literacy."
My commitment to my ambassadorial duties is my New Year resolution. Let the educational outreach begin.

Thursday, January 16, 2014

The Privacy Meter Redux

My prediction that data privacy is going to be a hot topic in 2014 was not surprising, but I am surprised at how many interview requests I've had so far, and we're barely halfway through January. Yesterday I found myself filling a last minute request to appear on a local TV channel. So I dusted off the trusty privacy meter.
The Privacy Meter
I created this learning device in 2001 and it went into my privacy book that came out in 2002. And it is just a visual device, an image to use as a tool when discussing privacy. (Feel free to use it, you have my permission, it is released to the public domain.)

The idea is to ask people to self-assess where they fit on a scale from closed book to open book. They do not need to reveal their "privacy reading" but they do need to think about whether or not it is fair to impose their position on others.

In other words, there is no correct reading, but plenty of scope to use the meter as a basis for discussion. For example, suppose you are an open book. Is it fair to make others become open book about their personal data if they prefer to be more of a closed book? On the other hand, if you think you are a closed book, are you prepared to provide information about yourself in order to authenticate your identity and establish trust?

Friday, January 10, 2014

Why there is so much cyber crime: #1 It's our spending priorities

With the number of potential victims of the Target data breach now topping 100 million, a lot of people who have never really given much thought to cyber crimes are asking: Why? How is it that criminals can commit computer crime on this scale with apparent impunity? After all, we pay taxes to be protected from the kind of scum that perpetrate crimes like this.

There are a number of answers to the question "why is there so much cyber crime?" But for me, the first answer on the list, the one that has been ignored by most of the talking heads who've been hashing over the scant details of the Target breach on TV, looks like this:
Despite all the hot air from politicians over the last 15 years, repeatedly pledging to do something about computer crime, the U.S. has failed to make fighting cyber crime a priority. I think these relative spending numbers make that clear. I would love to hear anyone argue that we are spending enough money to track down and prosecute cyber criminals right now.

An academic study published in 2012 put the total U.S. law enforcement spend on the fight against cyber crime at $200 million per year. I decided to be generous in my chart and rounded it up to $250 million.

The figure of $15 billion is often cited as the annual cost of the war on drugs, so apparently that is 60X more important than cyber crime. We know from the Snowden revelations that spy agencies spend over $52 billion per year, so apparently we think that what they do is 200X more important than fighting cyber crime.

How about we shave $0.5 billion off the intelligence agency budgets and spend it on bringing cyber criminals to justice? That's a 3X increase over what we spend right now. That might well be enough to put a significant number of perpetrators behind bars, including the ones we could afford to bring to the U.S. from other countries, thereby tipping the risk/reward equation against the bad guys and in the favor of honest citizens.

I'm writing to my representatives in Washington to tell them what I think our priorities should be. I'm sending them this chart. If you agree, I invite you to send it to the folks who are supposed to be representing you.

Wednesday, January 01, 2014

My #4 personal privacy and security prediction for 2014: A BIG year for good/bad news

As we enter 2014 it is clear that two events in 2013 have rocketed data privacy and information security to the highest level of public awareness that these complex topics have ever attained. I'm talking about the Snowden revelations and the Target breach.

For me, this surge in public awareness of the importance of data privacy and cybersecurity is both exciting and frightening. Why? Because 2014 is obviously going to be a big year for those of us who work in these closely intertwined fields, a year when more people than ever before will be concerned about securing their data, yet more distrustful than ever of the folks who are trying to help them do that (among whom I count myself).

Consider that I have spent the better part of 20 years writing and speaking about these issues, starting with computer security, then network security, system security, information assurance, data privacy, and now "cybersecurity." You could say that I have wanted nothing more than to make the world aware of the importance of these things, for the simple reason that, without such awareness, the true potential of digital technology will never be realized.

Let me put it a different way: Are you wondering where the flying cars are? Are you disappointed that in 2014 we don't yet have them, or transoceanic high speed rail service, or the handheld medical scanner that can diagnose the top 100 medical conditions in a single swipe? I believe we would have achieved these or similar technological marvels by now if it were not for the massive distraction of information insecurity.

I don't want to wander off into too many examples, but consider one: Towards the end of the last century email was poised to become a universal tool for managing transactions cheaply and easily. Then came the spam-plosion, a massive surge in unsolicited commercial email that rose to become 80% or more of all email and had Internet service providers (ISP's) buying new servers once a fortnight just to maintain legitimate service. Combine that with the inability of the major email providers to agree on improvements to email protocols, and you have the death of transactional email that is still hampering large slices of our economy, like banking, healthcare, government, and retail.

So the good news / bad news in 2014 goes like this:
  • Are most consumers now aware that cybercrime is a serious problem? Yes. Can a young working mother buy diapers at a discount store without fear of losing her identity, and all the money in her bank account, despite the billions that have been spent on cybersecurity? No, because we have grossly under-funded the vital work of catching the cyber-scum at the root of that fear.
  • Are most companies now aware that cybercrime is a serious problem? Yes. Can a company develop new products without fear of them leaking from their computers to a nation state agency and/or its clients? No, because it is possible that every piece of hardware and software you buy to build your dreams has already been hacked, back-doored, or otherwise compromised, thanks in part to your own tax dollars at work (see this article or the pictures here if you are not clear on this).
Now this next bit may sound self-serving, but I assure you it is not. I am employed by a company that sells security software, some of which requires root access in order to protect systems. However, the company doesn't pay me to sell this software, they pay me to think about security and privacy and explain as much of this stuff as I can to as many people as possible. The company has, in my considered opinion as a 20-year industry veteran, the very highest ethical standards. All of the people that I work with, in this company and in many of our leading competitors, are dedicated to eliminating the scourge of malware and other threats perpetrated by the world's cyber-scum. A fair number of us have been at this for 10 or 20 years or more. Yet today, in 2014, we are being asked: "Are you helping the government spy on its people?"

The answer is no, but although part of me feels hurt and even insulted by this line of questioning, objectively-speaking I cannot object, particularly when I see these pages from a catalog of hardware and software crippled by the NSA, in other words, produced by my own government. I am sure that the people who developed these things thought they were doing the right thing, and only intended them to be used for righteous purposes like defending our nation. But the people in charge clearly failed to consider what would happen to the nation when the world found out about them.

I bet you a box of donuts that in 2014 at least one person will ask me where they can get a USB cable that is certified uncompromised. The fact that I don't have a good answer really bothers me. More people than ever before are going to be asking security professionals for help in creating secure systems, even as those professionals try to deal with NSA-fueled doubts about the very building blocks of such systems. One way or another, or both, it's going to be a BIG year.

My #3 personal privacy and security prediction for 2014: Cyber won't be icky any more

I predict, and sincerely hope, that in 2014 most of us information security professionals will stop apologizing whenever we use the letters c-y-b-e-r like in cyber crime, or cyber security. I also predict/hope we will stop putting "cyber" in ironic air quotes or pronouncing it in a snide tone that implies we are above using words that the world has thrust upon us.

Let's face it, computers, networks, information systems, endpoints, digital devices, tablets, smartphones, Internet-enabled-DVD-players, Bluetooth insulin pumps, they are all cyber. 

So computer security, network security, information system security, endpoint security, digital device security, tablet security, smartphone security, Internet-enabled-DVD-player security, Bluetooth insulin pump security, they are all cyber security, or cyber-security, or cybersecurity.

In 2014 we are going to have to answer a lot of questions about the security of digital information. In our answers we can call it digital security, or refer to "the security of all things digital", but it is also okay to say cyber security. And referring to the bad guys as cyber criminals is a lot easier than saying "those who would subvert any or all things digital with criminal intent."

In 2013 there were times when I said things like cyber scammers and cyber scum as well as cyber criminals. I'm not going to apologize for that because I think the general public gets what cyber means. It means all things digital, it means my data and the devices and systems that process and store them. Cyber security is about protecting that stuff. Let's save our erudition and expository powers for the many other, more complex and nuanced concepts that will need to be explained in 2014, like why public key encryption needs private keys, and what pseudo random number generators have done for us lately.

Sunday, December 15, 2013

My #2 personal privacy and security prediction for 2014: NSA-GCHQ-NRO will dominate

Here is another of the privacy and security predictions I am making for 2014. This is in addition to the ones I contributed to We Live Security where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The #1 privacy and security story in 2014 will be the NSA

Snowden-sourced papers will continue to leak, further revealing just how thoroughly America's National Security Agency has pursued the goal set by its leadership: make sure no piece of information about any person anywhere is beyond reach. While the NSA has dominated much of the privacy and security news in 2013, the story may evolve into a triple play in 2014, with GCHQ on one side, NRO on the other.

The National Reconnaissance Office has already made a big play for attention with its latest spy satellite, NROL-39, launched in early December sporting a logo that many pundits will claim says it all: NOTHING IS BEYOND OUR REACH.

While NSA and GCHQ are initials known to millions around the world, the NRO has lurked in the shadows, despite having a budget about the same size as the NSA; that's $10.3 billion and $10.8 billion, for the NRO and NSA respectively for 2013, according to the Washington Post.

Note that in the mid-1990s the budgets were $6 billion and $3.6 billion, with NRO spending far outpacing the NSA and CIA.

Expect someone to put more detailed spending numbers together as the work of these agencies comes under increased scrutiny in 2014. For example, all three have a history of using military employees who are paid out of their respective armed forces budgets. So the total U.S. spend on surveillance and code-breaking activities may be more than has yet been reported.

If the NROL-39 logo is any indication, very little of the NRO budget has gone into public relations and incident response planning. It is hard to imagine more disastrous imagery and sloganeering for a spy satellite launched post-Snowden. No wonder that within a few days we heard loud and clear from the world's technology giants demanding global surveillance reform. (A topic I discussed recently over on Tech Republic.)

My #1 personal privacy and security prediction for 2014: Antivirus will be slandered, again

Here is one of the privacy and security predictions I am making for 2014. This is in addition to the ones I contributed to We Live Security where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The media will repeat a massive lie about antivirus technology

I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that "for an antivirus firm to spot malware, it first needs to have seen the malware, recognized that it's malicious code, and written a corresponding virus signature for its products."

I predict that, although this assertion is simply not true, and has not been true for many years, that fact will not deter people from repeating it, over and over. This is a bit like Car and Driver or Consumer Reports saying that cars cannot be started without first engaging the crank handle.

True, there was a time, long ago, when crank handles were routinely used to start cars, just as some antivirus programs were, in the distant past, based solely on signatures derived from known bad code. I've got a free t-shirt and more for the first mainstream journalist who breaks rank from the ill-informed herd and points out that any AV app worthy of the name today uses a lot more than signature matching to protect systems from malicious code. 

(With huge hat tip to the guys in Norway who posted that YouTube video of a hand-crank start: they are braver men than me; I've seen how much pain a crank handle can cause.)