Tuesday, March 24, 2015

Regarding FSB, Forget Kaspersky Lab. Check out Group-IB Instead.

Bloomberg's piece on Kaspersky Lab's ties with its own nation's security services is such a non-story that I'm surprised that journalists as good as Michael Riley even ran it. What would you expect from a Russian company? It's not as if they had any choice in the matter (they don't).

If you're looking for Russian companies with serious connections to the FSB, then look no further than Group-IB. Here's a small portion of the due diligence report that my company Taia Global produced for our paying clients on their government affiliations.
Group-IB is Russia's second largest private Information Technology (IT) security company after Kaspersky Lab. Group-IB's specialty is computer forensics and protection against cyber-crime, with customers that include the 10 largest Russian banks and foreign companies. Group-IB has offices in New York. Group-IB, however, performs functions that under Russian law are assigned to the Federal Security Service (FSB), Russia's domestic security service.
Group-IB maintains both English language (www.group-ib.com) and Cyrillic (www.group-ib.ru) web sites. The sites' structure is similar, although the information presented on the web pages differs somewhat. For example, the Cyrillic About Us web page states that Group-IB has an FSB license to work with state secret information, while the English About Us web page does not mention the FSB license.
Both Group-IB web sites deviate from normal Russian commercial web site practice and provide no information on company management and no financial data such as Russian Federation tax identification (ID) numbers and corresponding bank information.
Group-IB states that company capabilities include “access to domestic and international filtering systems.” However, Russia's domestic and international filtering system is run by the Federal Security Service (FSB), Russia's domestic security service.
Group-IB General Director Ilya Sachkov discussed security service relations explicitly in Russian press interviews. In a Russian Forbes interview, Sachkov stated he started the company while a student after the Bureau of Special Technical Measures (BSTM) Ministry of Internal Affairs (MVD Directorate K) told him there were no job vacancies. Sachkov stated that Group-IB often worked for the MVD and FSB for free during the company's early years, presumably to generate future business. Sachkov stated that many Group-IB employees were former law enforcement.
Group-IB's client list includes very large U.S. companies:


Again, trying to stigmatize any security company for having ties to its own government's security services is ludicrous. In some nations like Russia, companies have no choice but to comply when asked. In other nations like the U.S., companies do it for commercial reasons. The best one can hope for is that the company in question is transparent about who they do business with. That's actually easier to discover about Russian companies than it is about U.S. companies.

Cyber Security Startup? Pitch Our Attendees At Suits and Spooks NYC.

If you've got a cyber security startup and want ten minutes to pitch 80 influential decision makers in between speakers like Dan Geer, Christofer Hoff, Joe FitzPatrick and David Kilcullen at our New York Suits and Spooks All Stars event, then I'd like to hear from you as soon as possible.

For the first time since our very first event in Palo Alto in 2011, I'm bringing back the lightning round for startups on a trial basis. This is part of a paid sponsorship which includes:

  • One ten minute speaking slot to pitch your product and give one use case
  • Distribution of company materials including white papers to all attendees and speakers
  • Banner placement at the event
  • Article placement at SecurityWeek.com or InfoSecIsland.com
  • Other benefits as included in the sponsorship prospectus for Silver, Gold, or Platinum sponsors
This is limited to six companies, and no more than 3 companies will present each day. Sponsorships are first-come, first-served and there are no constraints on company size or funding rounds. For more information, shoot me an email.


Sunday, March 22, 2015

Open Letter to Premera Blue Cross CEO Jeffrey Roe

22 March 2015

Dear Mr. Roe,

My wife and I were Premera Blue Cross customers during my tenure with Microsoft. During that time, we both had surgeries done and she has a long history of medical treatments. In other words, Premera Blue Cross holds a lot of very sensitive information on both of us, separate and apart from our social security numbers, dates of birth, and other personally identifiable information. I'm sure that many of your customers could say the same. This open letter serves to notify you of my intention to see that Premera Blue Cross is made an example of for the insurance industry, much like Target was for the retail industry for the following reasons:

You Knew About The Problems Beforehand And Didn't Fix Them

The U.S. Office of Personnel Management's Office of the Inspector General conducted an audit of Premera's controls regarding the protection of federal employees' personal information. Your predecessor Gubby Barlow received the results on April 18, 2014, three weeks before attackers gained access to your networks. Here are my top three:

SLOW TO PATCH
Premera failed to implement its own patch policy, leaving its network exposed to hackers who monitor patch announcements and then look for targets who are slow to implement those patches.

USED OUT-DATED/UN-SUPPORTED SOFTWARE
Premera persisted in using un-supported and/or out-of-date software, which is essentially an always-open door to attackers.

INSECURE SERVER CONFIGURATIONS
You had servers that standard vulnerability tests revealed were insecurely configured. Malicious hackers frequently use those same vulnerability testing tools to identify which servers on a network will be easiest to crack.

You claimed that your company suffered a "sophisticated attack". Considering the above issues, I highly doubt that. Any one of those would allow even a novice hacker (or script kiddie) to gain access to your network. To have all three means that your IT department has been negligent at best. To then respond to the IG's audit by saying that they'll be remediated in eight months instead of immediately tells me that the security of your customers' most sensitive information is simply not a priority for you, your board, or your senior executives.

Two Years Of Free Credit Monitoring Is Laughably Inadequate

Your notification letter contains a paragraph entitled "What is Premera doing to protect you?". Let's start with the fact that the state of your network security pre-breach tells me that you didn't protect me before the breach, and your offer of free credit monitoring certainly won't protect me after the breach. That's because the risk for your customers goes WAY beyond simple identity protection. They become targets for new spear phishing attacks, with the end result being the customers' banking information and/or entrée to the next corporate network - probably an employer of one of Premera's customers such as Microsoft, Amazon and Starbucks, to name a few.

While companies like yours have frequently gotten away with giving customers whose information has been compromised while under your stewardship nothing more than free credit monitoring service, that time is coming to an end because it does not address the vast potential for harm that Premera's poor security practices have negligently permitted.

Inadequate Breach Response

Your customer notification letter didn't contain enough information to know the state of our sensitive data. It should specify what happened. Your job is to protect your customers by providing enough information for us to gauge the seriousness of the breach, not make it easier for your breach remediation company to gather information for their own purposes and benefit. 

Incident Responders Cannot "Clean" Your Network
If you believe that your network is now "clean" and will stay that way, you've been misinformed. Incident responders cannot give any company a "clean bill of health", because no one has sufficient visibility across a global network with tens of thousands of endpoints accessed by thousands of employees and vendors, any one of whom could have their network credentials used by malicious actors who are simply dormant during the investigation. The proper assumption for companies like yours to make about the state of their network is that it is either in a state of breach currently or it will be tomorrow. Your goal should not be to keep attackers out. It should be to keep your critical data, especially your customers' data, secure. 

Instead of wasting six to seven figures on incident response, you should spend at least some of that money finding and hiring an experienced Chief Information Security Officer who can properly manage the security of your network; something that Premera apparently has never seen fit to do. The rest of it should be spent on better securing your customers' personal and clinical data so that even if an attacker has access to your network, they can't access the data that you should be protecting.

Then you won't have to send me a breach notification letter with ambiguous language like "attackers may have gained access to your data". Instead, you'd be able to say "Mr. Carr, we had a breach but your data is safe." 

Unfortunately, you can't say that and I'm forced to do what I can to hold companies like yours responsible for more than just two years of credit monitoring.

Sincerely,

Jeffrey Carr
President and CEO, Taia Global, Inc.

Wednesday, March 18, 2015

Beauty, Brains, and Bad-Assery: Suits and Spooks All Stars NYC June 19-20

With 12 Suits and Spooks Collision events on the books, I decided it was time to do our very first All Stars event featuring the best of the best of the several hundred speakers that we've had in the past. 

Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. And seating will be limited because we're going to hold it in one of our most popular venues - Soho House NYC - on Friday June 19 and Saturday June 20th. It'll be our last event there because they're converting the library to a member-only space starting July 1st. So think of this as your exclusive invitation to spend 8 to 16 hours talking security, multi-disciplinary problem-solving, and out-of-the-box thinking with some of our best bad-ass game-changers.

Dan Geer (In-Q-Tel - Suits and Spooks 2012, 2013)

Janina Gavankar (actress and geek - Suits and Spooks 2012)

Christofer Hoff (Security CTO, Juniper Networks - Suits and Spooks 2013)

Carmen Medina (Deloitte; Retired CIA - Suits and Spooks 2013, 2014)

David Kilcullen (Founder and Chairman, Caerus Strategic Solutions - Suits and Spooks 2013)

Joe FitzPatrick (Hardware Security Researcher - Suits and Spooks 2014)

Niloofar Howe (Endgame, Paladin - Suits and Spooks 2014)

More speaker announcements will be forthcoming over the next few weeks. Janina is confirmed pending her shooting schedule. 

Your ticket will include a continental breakfast and lunch on both days, plus all sessions. Seats are limited to 75. Of those, we are offering a special super early bird rate of only $515 to the first 25 people who enroll between March 19th and April 10th (that's a $310 savings from the standard rate of $825). Register today and secure your admission at the best price before we sell out. 

REGISTER NOW

The Military Charity Third Party Fundraising Scam: Operation Warrior Support

Operation Warrior Support (OWS) claims to be a third party fundraiser for military 501(c)3 charities but is not itself authorized to collect any funds on behalf of charities by the California Attorney General's office. If this organization approaches you for donations or hire, you should immediately contact the California Attorney General's office and file a complaint against them as an unregistered fundraising professional.

It's difficult enough for most military charities to raise money, let alone have to worry about suffering from attacks on social media from the very same people who claim to be trying to help them. That's exactly what @opwarriorteam (OWS's Twitter account) has been doing to multiple Naval Special Warfare charities. I've spoken to several of them who have been on the receiving end of online nastiness and other ethically questionable acts (including raiding one charity's donor list) and while all are angry, most just want this group to go away and leave them be. I'm going to honor their wishes and not lay out the many spiteful acts conducted by this fake fundraising operation and stick to the core problem; i.e., they're operating illegally.

It is not enough in CA to simply register as a nonprofit corporation, which Lori Douhan (the group's founder) did. All charitable trustees and fundraising professionals who do business in California are required to register with the Registry of Charitable Trusts at the Attorney General's office and file annual financial disclosure reports. You can check on Operation Warrior Support's status for yourself at this website. Once you plug in their name and hit [Search], here's the result:


Figure 1: Search results for Operation Warrior Support as a fundraising professional in CA.

Notice in Figure 1 where it says "Registration Status". The returned response is "Not Registered".

Anyone can register a corporation in CA and receive an FEIN number, which is what Operation Warrior Support presents on their website. That's irrelevant for this purpose and unfortunately that has fooled legitimate 501(c)3 charities who have contracted with them in the past. The registration number which a California charity or professional fundraiser is required to have is a CR or Charity Registration number.

Here is what California law requires of a professional fundraiser:
"Prior to soliciting any charitable donations, a commercial fundraiser must register with the Registry of Charitable Trusts on a form provided by the Attorney General, pay a fee of $350, and obtain a $25,000 bond. The commercial fundraiser must renew that registration and bond annually and pay a fee of $350. A commercial fundraiser must also file an annual financial report with the Attorney General accounting for funds collected during the preceding year." - CA Attorney General's Guide for Charities, p. 30

Also:
"A commercial fundraiser must file a notice with the Attorney General’s Registry of Charitable Trusts no less than 10 working days prior to commencing each solicitation campaign, event or service. (Notices of solicitations for victims of emergency hardship or disasters must be filed no later than the commencement of solicitation.) The notice must include certain information which is set forth in Government Code section 12599, subdivision (h)." - CA Attorney General's Guide for Charities, p. 27

Whatever money OWS has raised to date for charities in addition to the money that they have kept for themselves wasn't in compliance with California law and most likely not in compliance with other State laws regarding professional fundraising; for example - the Commonwealth of Virginia where LZ Grace Warriors Retreat is based (a military charity that OWS raised money for). Virginia has similar registration requirements as California. Guess whether or not OWS is registered in Virginia? If you guessed no, you're right.

Figure 2: Search results for Operation Warrior Support as a fundraising professional in VA.

States have these regulations because so much fraud happens with military fundraising by third parties who rip off both the public and the charities that they claim to help. Lori Douhan and her associates at OWS need to either comply with the law or get out of the fundraising business.

If your military charity is approached by this group, I can only recommend that you do your due diligence first before signing any contracts. If you are one of the charities that they have harmed through malicious acts either online or offline, I recommend that you report them to the California Attorney General's Office or the AG's office in the State in which you reside.

UPDATE:
The OWS Facebook page has responded to this post with the following statement:
Just so we are clear...a Commercial Fundraiser is an organization that gets PAID to fund raise for a charitable organization. It's run like a business where an organization is contracted to fund raise on behalf of a 501c3 organization. We do not operate as such.
Since we do not charge a fee for our fundraising efforts, nor do we take a salary...nor do we "Hire" our services out...nor did we require a written contract from the organizations we fundraised for, we are not required to be registered as one. For more information:
http://oag.ca.gov/charities/cfr.
It's been a long time since I've seen this level of self-delusion:
1. OWS calls itself a third-party fundraiser.
2. They ask donors to a charity to pay them money.
3. They use some of that money in unspecified ways.
4. They give the rest to the charity.
5. They believe that the State of CA won't see that as requiring registration.

I don't have the time to play footsie with this group so I'll let the California Attorney General decide if Operation Warrior Support needs to register with the Registry of Charitable Trusts by filing a complaint. I encourage those readers who are as offended by their activities as I am to do the same.

Wednesday, March 11, 2015

Former Sr. Pentagon Official Labels Sony as a Cyberwar Conflict

"Obama Needs A Cyberwar Cabinet" by Todd Rosenblum is one of the worst opinion pieces that I've read in a long time. Rosenblum has a long history in government service (DoD, DHS, Senate Staffer) and just left three months ago to start his own consulting company.

The point of the OpEd was that President Obama needed to form a cyberwar cabinet which pulls equally from the Federal government and the private sector. In order to make his point, he inflated the Sony attack almost beyond recognition:
The president quickly assembled his war cabinet: the intelligence community to tell him the what, why, and how; departments of State, Defense, and Treasury to review response options; and the FBI and Department of Homeland Security to assess whether the attack was part of a larger threat that could put the nation’s critical infrastructure in danger.
My understanding is that a "war cabinet" is a committee formed during a time of war. What actually happened according to Lisa Monaco who called the meeting was that the President wanted to know the details of what happened. There was no "war cabinet".
After all, a nuclear-armed state committed an act of cyberwarfare against a private company that owned and managed its own networks. While many debate the exact definition of cyberwar, there is no debate that North Korea used a virtual weapon to cause damage on American soil, and did so with political intent. This was not an act of vandalism, theft, espionage, or crime.
In fact, Merriam-Webster defines vandalism as "willful or malicious destruction of private or public property." President Obama called it vandalism. It clearly did not rise to meet the right of self-defense bar as established by Article 51 of the U.N. Charter or the Law of Armed Conflict.
But something was different with the Sony hack than any previous conflict.
Really? The Sony hack is a "conflict" now?

I have no idea what motivated Todd Rosenblum to write such an enormous pile of horse shit but I hope that it isn't representative of what "un-named senior Administration officials" tell journalists because Rosenblum considered himself one of them:
As a former senior administration official at both the Pentagon and Department of Homeland Security ...

Tuesday, March 3, 2015

Announcing our 1st Suits and Spooks All Stars event at Soho House NYC (June 19-20, 2015)

We've held 10 Suits and Spooks events since 2011. 

Who have been some of your favorite speakers?


Beginning July 1, 2015, Soho House, our Suits and Spooks home in NYC, will be closing the Library (our past venue) for renovations and will turn it into a members-only space, which means that we won't be able to hold future events there after June 30th. 

Therefore, in honor of that great venue, we've selected NYC for our first All-Stars Suits and Spooks event. We want to feature some of our most popular speakers and give each of them more time (45 minutes) to talk and interact with our attendees.

Attendance will be limited to 75 people and there will be a commemorative t-shirt designed for the occasion. 

Please contact me with your nominations for speakers, and if your employer is interested in sponsorship, please contact our events manager.

Early bird tickets will go on sale in mid-March. Please watch SuitsandSpooks.com for a future announcement.