Here is a copy of my introductory statement from the May 22, 2018 briefing where L0pht revisited its historic Senate testimony of twenty years earlier. (supporting links at the end.)

Good Afternoon, I’m Space Rogue. Twenty years ago, out of fear of corporate retaliation through lawsuits Space Rogue was the only name I used. Today I also use the name Cris Thomas, although not as frequently, and I work as the Global Strategy Lead for IBM’s X-Force Red which is the offensive security services part of IBM Security.

We are here today to talk about how things have changed in information security over the last twenty years. When we were here twenty years ago a lot of people said, we were a voice of reason attempting to warn people about just how much risk was inherent in our critical systems. A lot of people in information security, or I guess we call it cyber security now, that’s one change right there, will tell you that nothing has changed, that we still have issues with passwords from password reuse, to weak passwords, to no passwords. We still have organizations who ignore the problems either through ignorance, ambivalence or just greed. And we still have people who try to blame users for technological failures.
Continue reading →

On the second Tuesday in November I burned a vacation day, woke up at five in the morning and drove to a church down the street from where I live. I sat at a long table for thirteen hours and looked up names in a book. While I wasn’t at the church to pray I still felt as though I was cleansing my soul in some way. Over the years for various reasons I had amassed what I felt was extremely high level of personal voter debt and I felt this was a way to at least begin to pay some of it back.

During the last election I spent a lot of time being a pundit preaching about the integrity of the voting process. I figured if I am going to keep talking about elections I should get a look at what actually happens at polling places. So a few months before this election I did a few google searches, found my county’s voter information website and sent an email to the address listed for volunteers. The district where I vote was full so they assigned me to the neighboring district. In Pennsylvania the state voting website has a few videos to help explain to volunteers what to expect on Election Day. Despite them requiring Flash, I watched them all.

Of course I had to live tweet the whole day. When I arrived on Election Day morning it was just me and ‘Mary’ the Judge of Elections. Even though there wasn’t much to see she showed me around, pointed out the coffee and the restrooms and mentioned the voting machines which were already set up off to the side. In my district we use a Direct Record Electronic (DRE) voting machine. They weren’t much to look at but I still had to fight my urges to immediately start pulling them apart. I wasn’t here to test or even play with the machines anyway.

Continue reading →

I don’t think there is another word in the English language that provokes as much of an emotional response from information security professionals as much as ‘cyber’. In fact, half of the people who just read that last sentence are like yeah, but cyber is not a word it’s a prefix. (The other half probably just started giggling.) Unfortunately for them Merriam-Webster and the Oxford English Dictionary have both recently listed cyber as a stand-alone word as an adjective with the definition ‘of, relating to, or involving computers or computer networks’ which to me is an extremely broad definition. The Cambridge, Macmillan and Longman dictionaries all still lists cyber as a prefix but I am sure they will upgrade it to full word status soon. Can official use as a noun, the cyber, be far behind?

Cyber is generally understood to have originated in the Greek word ‘?Uß???????’ or ‘kybernetes‘ which originally meant helmsman, as on a ship, which came to mean ‘to steer’ and eventually ‘to govern’. Norbert Wiener chose this word when, in 1948, he entitled his book Cybernetics or Control and Communication in the Animal and the Machine It was Wiener’s work on the automatic aiming and firing of anti-aircraft guns during World War II that caused Wiener to investigate information theory. This was the first documented use of the word ‘cybernetics’ in English.

Continue reading →

Southwest Airlines recently aired a TV ad in their “Wanna Get Away” series that features some serious password blunders. In the ad a General is asked for his password so that they “can lock down the system” which he then reluctantly provides. The password, “ihatemyjob1”, is rather embarrassing and hilarity ensures. Lets watch…

https://www.ispot.tv/ad/AEjj/southwest-airlines-wanna-get-away-sale-sharing-your-password

Let us count the bad security practices used in this ad…

1. A Single point of failure. (The General)
2. He verbally shares his password for everyone to hear instead of typing it in himself.
3. The password is displayed without a mask.
4. The password is displayed in 100 point type on a 20 foot screen for everyone in the room to see.
5. Password does not use uppercase or special characters.
6. While the password uses a number it is appended to the end.
7. No 2 factor authentication.
8. Everyone who sees this ad thinks that while ‘ihatemyjob1’ may be an embarrassing password it is perfectly acceptable since a general uses it.

Let us count the good security practices in this ad

1. The password is longer than eight characters.
2. The password uses a number.
3. Everyone who watches this ad hopefully realizes that they use a similar password and quickly changes it to something better.

Lets face it, while slightly funny this ad will make no one stop and think about how secure their own password may or may not be. However, it might make some people think that ‘ihatemyjob1’ or something similar is perfectly ok to use.

Addendum: The general’s uniform in this ad is a disgrace. Although probably done on purpose so as to not offend any one service they have in fact offended all services.

Trying to track down the origins of an Internet meme can be an almost fruitless endeavor. Other than giving credit to its originator and perhaps giving them a few minutes of Internet fame there really isn’t a lot at stake by determining who was the kid in the success.gif or what meme Laina Morris is responsible for. Finding the origin of a story involving the breach of critical infrastructure however, can be rather important.

Like funny Internet memes, stories about compromises of water plants, steel factories, power companies or other systems controlled by SCADA or ICS can be repeated over and over until they are accepted as facts with no one questioning their authenticity. Previous events such as power outages in Brazil, a water pump failure in Illinois, the improper shut down of a blast furnace at a German steel mill, a pipeline explosion in Turkey were all originally attributed to cyber attacks. In fact cyber attacks were blamed in almost all cases not because there was any actual evidence but rather the lack of any other explanation. Since nothing else could have caused the problem it must have been those meddling hackers.

I recently heard of a new incident that seems to fall into this same scenario. The story claims that hackers broke into the control system of a floating oil rig off the coast of Africa, somehow messed with the ballast control and caused the rig to tilt. The rig had to be taken offline while the systems were cleaned up. As with most of these types of stories no supporting information is given. No actual dates, no name of the oil rig or its owner, even the location in this story is vague, ‘off the coast of Africa’, an entire continent.

Continue reading →

CSI has a proven formula for making popular TV shows. Unfortunately that history does not include accurate TV shows. When it comes to tech and things ‘cyber’ this is probably the preeminent example of CSI being bad and wrong at the same time. I thought there was no way they could top this, I was wrong.

Hollywood has had a long history of doing tech wrong. Take a look at the recent Scorpion TV show, on second thought don’t, its almost as bad. Occasionally Hollywood does get Tech correct, like with the recent Blackhat movie, but while the tech was good the movie itself was bad for other reasons. The last time, perhaps the only time, Hollywood got the movie and the tech right was Sneakers, which is coming up on a quarter century in age.

While I think it is great that TV shows like this bring technical issues to a mass audience, scaring people into thinking that the Internet is out to get them is probably not in anyone’s best interest. Humans often do stupid things when they are scared.

Let me talk first about the few things that CSI:Cyber got right. The show mentions that social media is a huge aide to law enforcement and one of the characters jokingly says that’s why he doesn’t use it. This is absolutely correct; Facebook, Twitter and other sites are often the first step in an investigation of any sort, often even before they interview witnesses or suspects.

The softball shaped camera that is thrown through an open window into the bad guys lair near the end is an actual thing that is actually used by law enforcement. They got this right.

In another scene one of the technical characters, who is labeled as ‘the greatest hacker in the world’ (I’m not even going to touch that statement) claims that RATs or Remote Access Trojans are easy to get for $40 on the ‘surface net’. He is right about the easy to get part although his price is a little high and I have no idea what the ‘surface net’ is. But yes, tools that online criminals use like RATs are very easy to come by. The thing about Remote Access Trojans is that they are very similar to legitimate Remote Access Tools like say Go To My PC or Remote Desktop,

Probably the most important thing that they got right in this show was when the Worlds Greatest Hacker was berating the lowly tech employee for allowing a vulnerability to exist in the companies software and the tech guy responds with “I took it upstairs but they didn’t listen.” This is an all to common theme that is often repeated in the information security world. Company executives often refuse to listen to security concerns and instead focus more on the bottom line. This is probably the single truest thing this show got right.

The second most important thing they got right was the weak security present in many Internet connected cameras. Many such cameras have default passwords and are easily searched for over the Internet allowing anyone to connect to the camera and watch and listen to what is happening. There have been cases where people will connect to a camera and then yell at the sleeping baby. Manufacturers of these cameras were told about their default password problems but most refused to fix the problem, that is until these stories started to hit the press and the FTC started to levy fines. Even after the companies issues an update to the devices firmware it is up to the owner of each camera to learn about the update and apply the patch themselves. This seldom happens leaving tens of thousands of devices installed in peoples homes that anyone can access.

Other than that just about everything else in the show is just completely unbelievably wrong. Not only are things wrong but they play on known false tropes, like that lead can block radio signals (it can’t), that convicted criminals are allowed to work in the field on active investigations, that you can quickly separate overlaid audio and translate it, that you need big wall sized monitors in order to catch bad guys, that hackers who could be half way across the world are conveniently just an hour or less away, that non-smart phones can have GPS aps and that cops treat forensic data so carelessly.

One of the most egregious examples was the speed at which the characters analyzed the cameras source code and it came up all green and then turned red. Source code doesn’t just magically turn red when malware is found. Reverse engineering is painstakingly hard, and it takes a lot of time. If code could just magically turn red if it did bad things, like it does in this show, the world would be a much much better place.

I was especially troubled by one of the statements made early in the show “Any crime involving electronic devices is by definition, cyber” While this is just a TV show there are people who believe this or at least will be influenced by this. This scares me as I guess that makes my electric drill cyber.

Also I loved how the characters on the show could do these crystal clear remote videoconferences from remote locations? How? They never bothered to explain where the camera was or what are they are using for bandwidth. If they did it with their cell phones I want to get on that data plan.

And I could not overlook that they had the one black person on the show repeat a racist nursery rhyme “Einie meane miny moe, catch a…” well they changed the word on the show but I’m really surprised they let that through.

If you didn’t watch this show you didn’t miss anything, at all, and I encourage you not to watch it, in fact just forget that that it exists and with any luck it will be canceled. And then we just have to wait for the next TV show to do tech wrong.