FIR B2B #61 podcast: The care and feeding of fake news

We are awash in a sewer of fake news stories, and we only have ourselves to blame. It has become an epidemic, and a profitable one at that for the purveyors of click-bait that sounds like the truth but is far from it. In this episode, Paul and David discuss why this has happened, who the players are that profit from these stories, and what the major web operators such as Google and Facebook can do about it.

Listen to the 12-minute podcast here:


iBoss blog: DDoS for sale: what is a booter or a stressor and why you should care

DDoS attacks are on the rise, and one of the reasons is the plethora of service providers that make it easy to mount your attacks, especially if you are a lazy or inexperienced criminal. Dozens if not hundreds of these pre-packaged booter or stresser DDoS services make it a very profitable business and can generate thousands of dollars a week for these criminal operators.

You can read more in my blog post for iBoss here.

iBoss blog: The challenges and opportunities for managing the Internet of Things

The Internet of Things (IoT) has been in the news lately for facilitating numerous DDoS exploits across the planet. A global non-profit think tank called the Online Trust Alliance (OTA) has published a paper entitled IoT, a vision for the future. It outlines how the IoT can grow and thrive, especially given that “users’ confidence that their data is secure and private is at an all-time low.”

You can read my latest post for iBoss’ blog here.

Everyone is now a software company (again)

Several years ago I wrote, “everyone is in the software business. All of the interesting business operations are happening inside your company’s software.” Since then, this trend has intensified. Today I want to share with you three companies that should come under the software label. And while you may not think of these three as software vendors, all three run themselves like a typical software company.

The three are Tesla, Express Scripts, and the Washington Post. It is mere happenstance that they also make cars, manage prescription benefits and publish a newspaper. Software lies at the heart of each company, as much as at a Google or a Microsoft.

In my blog post from 2014, I talked about how the cloud, big data, creating online storefronts and improving the online customer experience are driving more companies to act like software vendors. That is still true today. But now there are several other things to look for that make Tesla et al. into software vendors:

  • Continuous updates. One of the distinguishing features of the Tesla car line is that the cars update themselves while they are parked in your garage. Most car companies can’t update their fleet as easily, or even at all: you have to bring the car in for servicing to make any changes to how it operates. Tesla’s dashboard is mostly contained inside a beautiful and huge LED touch screen; the days of dedicated dials are so over. Continuous updates are also the norm for The Washington Post website, so it can stay competitive and current. The Post publishes more articles in total than the NYTimes, which has double the reporting staff of the DC-based paper. That shows how seriously they take their digital mission too.
  • These companies are driven by web analytics and traffic and engagement metrics. Just like Google or some other SaaS-based vendor, The Washington Post post-Bezos is obsessed with stats. Which articles are being read more? Can they get quicker load times, especially on mobile devices? Will readers pay more for this better performance? The Post will try out different news pegs for each piece to see how it performs, just like a SaaS vendor does A/B testing of its pages.
  • Digital products are the drivers of innovation. “There are no sacred cows [here, we] push experimentation,” said one of the Post digital editors. “It is basically, how fast do you move? Innovation thrives in companies where design is respected.” The same is true for Express Scripts. “We have over 10 petabytes of useful data from which we can gain insights and for which we can develop solutions,” said their former CIO in an article from several years ago.
  • Scaling up the operations is key. Tesla is making a very small number of cars at present. They are designing their factories to scale up, to where they can move into a bigger market. Like a typical SaaS vendor, they want to build in scale from the beginning. They built their own ERP system that shortens the feedback loop from customers to engineers and manages their entire operations, so they can make quick changes when something isn’t working. You don’t think of car companies being so nimble. The same is true for Express Scripts. They are in the business of managing your prescriptions, and understanding how people get their meds has become more of a big data problem. They can quickly figure out if a patient is following their prescription and predict the potential pill waste if they aren’t. The company has developed a collection of products that tie in an online customer portal to their call center and mobile apps.

I am sure you can come up with other companies that make normal stuff like cars and newspapers to which you can apply some of these metrics. The lessons learned from the software industry are slowly seeping into other businesses, particularly those businesses that want to fail fast and respond more quickly as their markets and customers change.

The changing nature of IT security: Bryan Doerr, CEO at Observable Networks

Bryan Doerr has been involved with tech companies for decades, most recently leaving Savvis/CenturyLink as their CTO before agreeing to help bootstrap Observable Networks. I asked him to reflect back on his career and where the infosec industry is headed in general. “There is a lot of security industry maturation still to come, a lot of wood left to chop,” he told me in a phone interview last week. “While there are still some pockets of maturity here and there, they usually are only found with the largest companies who can afford it.”

Looking back more than a decade, the biggest change has been being able to deliver security as a subscription service, he said. “First we had pre-built security appliances, but lately we have seen managed detection and response services,” such as what his company delivers. “And it isn’t just a change in how protection is delivered, but how the subscription service can be more affordable for mid-market customers.”

Another big change is how end user customers finally are getting some benefit from sharing threat intelligence. “No one wanted to talk about where or how they were attacked and share these specifics with anyone else,” he said. This intelligence sharing has made the subscription service vendors more potent and compelling and has boosted the ability to respond effectively to threats.

“Ten years ago security was built on a simple idea: that we know about our attackers and threats, and through some means we could prevent those bad guys from getting inside our networks. Back then, we had a limited number of threats, so we could more readily recognize and block them. That is so far from where we are today. The fundamental nature of what is a threat and how attacks use technology has changed completely. The idea of tracking attack signatures makes a lot less sense when every attack is unique.”

Doerr agrees that the days of the perimeter being the sole point of defense are also long over. As an example, he points out the recent IoT botnet attacks.

One benefit from the last decade has been the move towards increasing virtualization. “This absolutely was a positive influence, and helped us to better design and operate more secure systems and more complex infrastructure,” he said. “Before virtualization, we had too many different fiefdoms dedicated to particular circumstances. Each one had different configurations and staffs who were maintaining them. All of that variation left us vulnerable.”

But with virtual machines, “a lot of automation has been brought to bear to keep a consistent environment running. That means we can provision VMs, kill them off, and recreate them easily. This makes it more efficient to scale up and down and we don’t have to spend our time patching systems.”

Another issue is the nature of modern network traffic. “Our networks are becoming increasingly encrypted; we can’t even see what is going on over the wire and view the payloads, and this adds another layer of difficulty. Right now less than half of all traffic is encrypted, but it won’t be long before it becomes 100%. We won’t be able to readily examine any of this traffic, which will make networks harder to defend and exploits harder to detect.”

When he was at Savvis, one memorable experience was upgrading one of their data centers. Thanks to a routing bug the entire data center couldn’t come back online. “We tripped over it on a Saturday, and didn’t immediately understand what we were doing. It was easy to miss a single use case that caused the problem. That was a humbling experience and gave me an appreciation of the magnitude of the business that we had running. You don’t feel it until something terrible happens and you see how significant these outages are.” The situation drove home the point that he needed to stay in touch with his technology and understand that it is not just an abstraction, but also a very real entity.

I asked him who had the better job, the CTO or the CIO? He was firmly behind the CTO position. “CTOs will have jobs for forever, because they help organizations understand the evolution of technology and anticipate the direction of that evolution. The CIOs still have some soul searching to do.”

Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic research paper to reality, but when it comes to hacking the 911 emergency phone network this is indeed the case. The paper was written earlier this year and first given to the Department of Homeland Security before being published online this fall.

The researchers from Ben Gurion University in Israel describe how an attacker could knock a 911 service offline by launching a distributed denial of service (DDoS) attack using a collection of just 6000 smartphones. While that is a lot of phones to gather in one place, it is a relatively small number when this is compared to computer-based attacks. And you don’t really need to gather them together physically: you can infect these phones with some malware and control them all remotely.

As in other DDoS attacks, the phones (rather than computers) make repeated calls to 911, thereby blocking the system from receiving legitimate emergency calls. It is a chilling concept, because unlike other DDoS attacks, the attackers aren’t just bringing down a website with large bursts of traffic: they could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it.

Now 911 attacks aren’t new: indeed, the DHS issued this alert three years ago and mentioned that more than 600 such attacks have been observed over the years. What is new is how easily the attacks could be launched, with just a few thousand phones and some malware to make it all work. Also, these previous attacks were launched against the administrative phone numbers of the alternate 911 call center, not against the actual 911 emergency lines themselves. If you are interested in how a 911 center operates, I posted a piece many years ago about this here.

There are other stories about hospitals and other businesses that have had their phone systems flooded with calls, blocking any business calls from being connected. And where there is fire, there is at least one security vendor to put it out or protect an enterprise network from being exploited by telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. These centers have no built-in way of blacklisting or blocking callers: they want to be able to answer any call from anyone who has an emergency. Therefore, in the face of a large attack, they would have no choice but to answer each and every call. And even if such blocking could be implemented, it would prevent the unwitting owner of an infected and blacklisted phone from making a legitimate emergency call.

Well, that was the theory behind the paper. It didn’t take long before someone actually did it “in the wild,” as they say when an actual attack has been observed. Last month a teen was arrested for allegedly doing such an attack and is facing three felony counts. The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that was used for launching the attack and flooding a call center in Arizona. Now his phone supposedly was the only one used and it made just 100 calls in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script kiddies or by professional criminals, certainly the opportunity is there and very real indeed.

Why runtime application self-protection is critical for next gen security

Today most of us go about implementing security from the outside in. The common practice of defining and then defending a perimeter isn’t viable any longer. With the added complexities of more mobile endpoints, agile development and more sophisticated malware, better protective methods are needed.

In this whitepaper for Vasco (the link to my paper is on the right-hand menu), I describe a method that is gaining traction: defending the apps themselves using runtime self-protection. RASP, as it is called, comes from a Gartner 2012 report, but is catching on with several vendors, including Arxan Technologies, HPE App Defender, Lookout App Security/Bluebox, Prevoty, Vasco Digipass for Apps, Veracode and Waratek.

RASP can be a solid defense and a way to isolate and neutralize a potential threat, so you can operate your business safely in these uncertain environments.