Monday, May 15, 2017

WannaCry ransomware: mayhem, money, scenarios, hypotheses, and implications

I think my ESET colleague Michael Aguilar had the best opening for an article on Friday's epic WannaCry ransomware outbreak:
"That escalated quickly! For those of you who did not read any news on Friday (or had your heads in the sand), you need to know that a massive tidal wave of malware just struck Planet Earth, creating gigantic waves in the information security sphere and even bigger waves for the victims." (We Live Security).
The English language version of the message WannaCry presents to victims 

And in the days since Friday you may have been caught up in the waves of breathless WannaCry reporting, tracking, analysis, advice (hashtag #wannacry). All of which was soon followed by the first rounds of finger-pointing and victim-blaming. I am hoping to write more about the latter shortly, but for now I want to speculate about "what the heck happened" as they say in Fargo-land.

Never speculate?

As a rule, cybersecurity professionals refuse to speculate in public about what the heck is going on in any given data breach of malicious code scenario. And by speculate I mean suggest explanations for the events at hand that go beyond the facts on hand. You especially don't want to point fingers at perpetrators unless you have an abundance of corroborating evidence (including some that is not digital, meaning "more than just code analysis").

All that said, it is helpful, and entirely justified IMPO, to consider, in the abstract, possible explanations for an exceptional course of events such as we have just witnessed with WannaCry.

1. It was just a money-making play: WannaCry presented itself as ransomware, the goal of which is to make money by charging people for the key to their data, which you have just encrypted without their permission. You can make a lot of money with ransomware, but it works best if you roll out your campaign in a controlled fashion, one that allows you to keep up with payments and key requests and customer service calls (yes, that is a thing; for example, many victims need help figuring out Bitcoin, the preferred method of ransom payment).

2. It was a narcissistic idiot play: Somebody figured they could create better ransomware than anyone else but didn't anticipate all of the implications of adding the NSA's eternalblue SMB exploit to a standard phishing based ransomware program (and yes, that link takes any person with an internet connection to the eternalblue code repository - which IMPO is crazy, but that's another article).

3. It was an intentional mayhem play: WannaCry spread faster than any sane cybercriminal would intentionally spread a ransomware campaign. So maybe the idea was to cause mayhem. When ESET holds its annual Cyber Boot Camp my colleague Cameron will award "mayhem points" to students who come up with a particularly imaginative way of causing chaos on the test network, but we conduct that camp under tightly controlled conditions in a secured facility. Nation states or their surrogates may feel inclined to conduct mayhem in the real world, as a distraction, to send a message, or even to undermine consumer confidence in technologies to which some countries do not yet have access, and so on.

4. It was a revenge play: What better way to show you are pissed off at the US government in general and the NSA in particular than to wreak global cyber-havoc with malware that is openly enabled by code developed by the NSA, leaked code that the NSA refuse to barter for.

So what are the implications?

Each of these four scenarios seems plausible to me, but of course I'm going to refuse to speculate as to whether one is more plausible than another. What I will assert is that pondering the scenarios may help investigators consider the full range of possibilities as they seek to identify the perpetrators.

For more background on WannaCry and what you should be doing to protect your IT systems against it, see Michael's original We Live Security article. There is also a follow up article on We Live Security and more to come, so be sure to sign up for the email alerts.

If you are interested in thinking more about what it means for government agencies to handle malware, consider this article and attached peer reviewed paper, presented at the NATO conference on cyber conflict.

Monday, February 20, 2017

Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap

Last year I wrote a dissertation in partial fulfillment of the requirements for my Master of Science in Security and Risk Management in the Department of Criminology at the University of Leicester in England. The title was: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap. The dissertation was submitted for examination in September of 2016 and in November it was approved by the examiners (who described it as ‘a meaningful and accessible, critically analysed report’ and also ‘a very pleasing piece of work’). I graduated in January, 2017.

That is when I decided to make the dissertation available to the public via the Internet and you can download it from here (PDF file). My primary motive for doing this is to enable any value that my work may provide – to the efforts to close the cybersecurity skills gap and advance the security profession – to be realized sooner, rather than later. After all, cybersecurity is a rapidly evolving field and many experts agree that the need to narrow the skills gap is urgent. Although the examiners said ‘elements of this dissertation are potentially publishable as journal articles and/or white papers’ I wanted to get the document out there in its entirety, and immediately. Of course, I may pull from, or build on, this work in peer-reviewed articles and white papers down the road, and it has informed several conference presentations that I have already delivered.

I should warn you that the dissertation is quite long – almost 25,000 words, although that count includes the 171 references. It runs to 68 pages but that includes screenshots of the survey instrument I used. Here is the Abstract to help you decide if you want to download the whole thing.

Tuesday, January 24, 2017

The Amazon Echo Dot echo effect: Alexa and the accidental dollhouse orders

Earlier this month I was involved in a technology news story that went a little bit viral, at one point threatening to become a virtual virus, self-propagating across the airwaves. This chain of events was created by voice recognition technology which is now being installed in millions of homes around the world. I have written about the technology on We Live Security, a site to which I urge you to subscribe if you are into all things cybersecurity. This article is the back story, which some may find interesting.

The heart of this particular thing/story was a spoken phrase, a phrase which you should avoid speaking out loud if you are within hearing distance of an Amazon Echo device like the one on the right. The phrase is: "Alexa, order me a dollhouse."

When the morning TV news program on station CW6 in San Diego reported that a young girl had accidentally used her parents' Amazon account to purchase a very expensive dollhouse via Alexa, the news anchor Jim Patton said: "I love the little girl saying ‘Alexa order me a dollhouse.’” As soon as Jim said that, the phones at the TV station started ringing. Viewers were calling to complain that their Alexas had tried to order dollhouses. In other words, a whole lot of people had been awoken to the fact that the current generation of Alexa devices will take orders from anyone: they use voice recognition technology to understand what people say, but not to distinguish who is saying it.

Later that Thursday morning, CW6 called ESET, the US headquarters of which are in San Diego, and asked if I could comment on this phenomenon. I said yes because I was already doing research on digital devices with voice recognition including, oddly enough a doll called "My Friend Cayla". Reporter Carlos Correa and I chatted for a while and a number of my comments about Alexa-type devices, but not all, were reported on air that evening. That story, which was a story about a story about Alexa, was rapidly syndicated and picked up around the world. Within a few days, the logo cloud of media sites that were quoting me looked a bit like this:
For the first 24 hours I was not aware that the story was spreading. Then I got a ping on Twitter from Oludotun "Dotun" Adebayo at the BBC. Could he talk to me in the early hours of Monday, his time, late Sunday my time? At that point I felt compelled to dig a little deeper into Alexa, starting with the installation process. At about 11PM on Saturday night I ordered the Amazon Echo Dot you see above. It arrived at 10AM on Sunday morning.

By the time I spoke with Dotun it was clear to me just how easy it was for someone to 'accidentally' buy something with an Amazon Echo. The magic word is not dollhouse, it could be drone or hoverboard; the "magic" is Alexa, which triggers a response from these devices. In the default configuration, the state of the system if you simply take it out of the box and plug it in following the installation instructions, is a. linked to your Prime account, and b. prepared to place orders with a simple verbal confirmation (using your "1-Click" settings as default payment method and shipping address).

And to be clear, Alexa will offer to ship you products even if you are not talking about buying something. For example, suppose you say, "Alexa, what's the best hoverborard?" The response will be a recitation of the product listing for the top rated hoverboard currently offered for sale on Amazon, immediately followed by an offer to ship it to you. If you say no, Alexa will then describe another product and offer to ship that. You need to say something like "Alexa cancel" or Alexa stop" to terminate the conversation. It so happens that the dollhouse ordered by the young girl that sparked the story was the second offering, suggesting that she had refused the first offer to send her a dollhouse.

Where does the story go from here? Hopefully, all Echo owners are now familiar with the "microphone off" button that stops the device listening (see picture on right - probably worth clicking before you go out, especially if you tend to leave the TV or radio on). And I'm sure many folks have been changing the default settings, turning off automated ordering or protecting it with a PIN.

At some point Amazon may enable two Echo features that could further reduce problems. First, allow owners of the devices to set a custom trigger word. At least that would enable you to talk about Alexa without waking her up. Second, but harder, would be to limit the voices to which Alexa responds, namely authorized users only. Of course, all of these things would add "friction" to the customer experience, which Amazon may be loath to do.

One question remains in my mind: Did Amazon ever consider that TV broadcasts would trigger the device? The CW6 experience was random, an accident. But if you intentionally broadcast the right words with the right timing you could trigger a mass ordering of products. And while Amazon has said it will accept returns of all 'accidental' orders, you can't use your Echo to cancel purchases. You have to go to the Amazon website or mobile app. Imagine a malicious broadcast that ordered expensive baby carriages, not the easiest things to return to sender. Does Amazon have an algorithm to detect that? Would some percentage of the orders be undetected until they turned up on doorsteps? How much would that cost in terms of dollars and good will?

And of course, buying things is not the only thing these devices can do. They can control thermostats and door locks and all manner of Internet of Things (IoT) devices. Pair that with the malicious broadcast scenario and you have some frightening possibilities. (I have been writing and talking about abuse of the IoT at We Live Security and other places.)

Tuesday, October 25, 2016

A quarter of a century of computer and network security research and writing

Twenty-five years ago this month McGraw-Hill published a book I wrote about computer and network security. And the first thing I tell people about this book is that I did not put the word "complete" in the title! That was the publisher's decision. Because if there was one thing that I learned in the three years during which I researched the book it was this: there will never be a "complete book" of security.

The second thing I tell people is that The Stephen Cobb Complete Book of PC and LAN Security was not a big seller. Indeed, it was a complete flop compared to some of the other books I wrote in the late 1980s and early 1990s. My best seller...

Thursday, October 13, 2016

More about the cybersecurity skills gap

[Update 2/25/17: now available, 68-page dissertation/report on the cybersecurity skills gap and the makings of effective CISOs.]

In October of 2016, I presented a paper titled "Mind This Gap: Criminal Hacking and the Global Cybersecurity Skills Shortage, a Critical Analysis." The venue was Virus Bulletin, a premier event on the global cybersecurity calendar that is particularly popular among malware researchers (for the story of how "VB" achieved this status, see below).

Papers and Slides

When your proposed paper is accepted by the VB review committee, you first have to submit the paper, then deliver the high points in a 30 minute presentation at the conference, which takes place several months later. In this case, the elapsed time between paper and presentation was very helpful because it allowed me to incorporate some of the findings from my postgraduate research into my conference slides, which are available for download here: Mind This Gap.

The VB conference papers are published in an impressive 350 page printed volume. However, the conference organizers have kindly given me permission to share my paper - which is only 8 pages - here on the blog:
As you may know, I've been studying various aspects of the cybersecurity skills gap this year, I put together a short white paper about the size of the gap:
Later this year I hope to publish the full results of my postgraduate research which looks at some of the assumptions behind efforts to close cybersecurity skills gap.

A note about Virus Bulletin

Monday, September 26, 2016

Email account breached? There's a website for that

Recent news that half a billion Yahoo accounts have been compromised has prompted me to again tell friends about a great website for exploring the effect of security breaches on your online accounts. The site is called: haveibeenpwned and I encourage you to explore it.

Friday, September 02, 2016

Surveys galore: cybercrime wave, government prodding, and more

One of the biggest problems with fighting cybercrime is knowing how much of it there is. If you or your organization have been a victim of cybercrime - and a recent study said that 80% of organizations have* - then you know there is too much of it. Indeed, another recent survey suggests that 69% of US adults agree their country is experiencing a wave of cybercrime.** This state of affairs has many people thinking that the government is not doing enough to fight cybercrime. How many? About 63% in a recent survey.***

And right there, in that short paragraph, you see how important it is to measure the problems you are trying to solve, whether it's "how big is that gap in the planking that's letting water into the boat?" or "to how big is that gap between the number of people we need to fight cybercrime and the current supply?" That latter question has been preoccupying me a lot this year and it's a tough one to answer, but that doesn't mean we shouldn't try. After all, this gap is causing serious problems for many organizations. According to a CSIS/Intel-McAfee survey more than 70% of enterprises had suffered losses that they attributed to lack of skilled security professionals.

Friday, July 15, 2016

Sizing the Cybersecurity Skills Gap: A white paper

Whether you're in charge of the security of your organization’s data and systems, or working in IT security, or looking for a career, it is hard to ignore headlines like this: “One Million Cybersecurity Job Openings in 2016.” The term “cybersecurity skills gap” is now being used as shorthand for the following assertion: there are not enough people with the skills required to meet the cybersecurity needs of organizations. (You will also see cyber skills gap as a short form of cybersecurity skills gap, but some people also use cyber skills gap for the broader lack of people with skills like coding, networking, etc. so I often use cybersecurity skills to avoid ambiguity)

But is this gap real? Is the million missing people claim true? The security industry has a shaky record when it comes to numbers, something I talked about at Virus Bulletin last year in the context of cybercrime (see paper and video of session here). At this year's Virus Bulletin in Denver I will be presenting a paper about efforts to address the cybersecurity skills gap. I am also studying aspects of the problem for my MSc dissertation (see CISO Survey).

In the midst of all this work I accumulated some observations about the size of the cyber skills gap and wrote them up in my spare time, in the form of a paper titled Sizing the Cyber Skills Gap. I hope folks find this useful.

Monday, July 11, 2016

The Effective CISO Survey: A call for participation


Are you a CISO? Do you work for or with a CISO?

If you answered yes to any of those questions, please consider taking the 12 minute survey I am conducting for my MSc in Security and Risk Management at the University of Leicester in England. Your participation would be greatly appreciated and you can get an early copy of the resulting report. To get right to it, the survey starts here:
Why am I doing this? To find answers to this question: What do you need to be an effective Chief Information Security Officer? This is the subject of my dissertation, a piece of original research about 15,000 words in length, conducted in Leicester's Criminology Department, pictured below (it may look like Hogwarts, but it ranks among the world's top universities).

University of Leicester, Department of Criminology
(I kid you not, I took this myself on my first visit)
The question about what it takes be an effective CISO is not merely academic, it is also of immediate practical importance. Right now, under-staffed crews of information security folks are struggling to hold the line against criminal activity in cyberspace. And there are not enough people in the education and employment pipeline to fill all of the open defensive positions. 

This situation is referred to as the "cyber skills gap" and later this month I will be releasing a white paper in which I examine the claim that there are one million unfilled cybersecurity positions globally (there will be a link on this page). In the US alone the gap could be as big as 200,000. This situation, which has been building for some time, has caused many countries to begin pouring money into cybersecurity education and workforce training. However, some of these funds may be wasted because there has been very little research into what a cybersecurity career is like. What does success look like? What is job satisfaction like? What personality traits are a good fit for cyber roles, and so on. On the bright side, by studying these questions we may find ways to close the skills gap and make cyberspace a safer place (hmm, I wonder if optimism is an important trait).

I decided to devote my dissertation to one small part of this cyber research gap: what it takes to do the top job, to be the person who manages information security for the organization: the CISO. My research led me to create the Effective CISO survey, which is carried out through SurveyMonkey but accessed via a website I created at, all of which has passed the university's ethics review process.

If you want further verification, or have any questions about this project at all, please email my university email account which is stcnn at, where nn = is a two digit number, the one you get when you multiply four by itself. The address is also displayed beneath the university logo at the top of the page.

So, if this survey subject is of interest to you, and you would like to get an early look at my results, and you have about 12 minutes, please consider participating at


Wednesday, June 15, 2016

20 years of CISSP, ELOFANTs and other cybersecurity acronyms

This article is about some things I don't know, and some other things that you might not know.

For example, I don't know who was the first person to pass the exam to become a Certified Information System Security Professional or CISSP (pronounced sisp). The CISSP website says the certification program was launched in 1994.

(That means if someone tells you they've been a CISSP for more than 25 years, and the current year is 2016, then they may be fibbing.)

I became a CISSP in May of 1996, something that I wrote about recently in an article on We Live Security: What the CISSP? 20 years as a Certified Information Systems Security Professional. The CISSP qualification has served me very well over the last 20 years, so I felt obliged to address some of the reasons some people criticize it, and did so in that article. Those criticisms not withstanding, I would encourage anyone who meets the experience requirements for the CISSP to apply for, pass the test for, and then maintain CISSP certification (you need to earn continuing education credits every year to stay certified).

The place to start learning about CISSP is the website of the issuing body, the International Information Systems Security Certification Consortium. This non-profit organization is known as (ISC)2 which is pronounced “I-S-C-squared” because the name contains two each of those three letters, which is cute but sometimes a pain for typographers and search engines.

Another cybersecurity acronym that's been on my mind lately is CISO, as in Chief Information Security Officer, a title often used to designate the person most directly responsible for the organization's information system security. I am studying CISOs as part of my studies at the University of Leicester. I will soon be launching a survey on the subject (that I will link here when it goes online).

Of course, a lot of CISO's have certifications from (ISC)2 and that reminds me of something else I don't know, the answer to an interesting question, one that is not asked during the six hour CISSP exam: Is (ISC)2 an acronym?

Seriously, I don't know the answer, but speaking of acronyms and unknowns, I coined an acronym for an unknown a few weeks ago: ELOFANT. Those letters stand for Employee Left Or Fired, Access Not Terminated. (Those letters also account for the image at the top of the article.) I wrote about ELOFANTs here.

The point of coining this acronym was to draw attention to the fact that one of the biggest risks to company networks and data are people who have departed the organization but still have access to some of all of its data: ELOFANTs. Here are a few data points to back that up:
ELOFANTs are not a new problem, but these days they may be a bigger problem than in the past thanks to the proliferation of apps that companies use, particularly cloud-based sharing and collaboration apps, credentials for which might not be centrally tracked like corporate network access usually is. So let me leave you with a couple of questions to which your organization's CISOs should know the answer: how do you determine what access to the organization's data a departing employee has, and how do you revoke it?