Archive for June, 2009

Fear Rules Us… Still

Friday, June 5th, 2009

A cop comes to your house. “We need you downtown, now.” And you’re expected to drop everything… even though you have no legal obligation to do so. Authority says to comply.

“Yes, you can afford this mortgage… and we can always refinance in a couple of years…” Expert authority spoke and too damned many people listened. (Someone – a lot of someones – need to go to jail for that one.)

Too many people are conditioned to react to authority by cowering to demands, even if they border on or exceed the ridiculous.

“RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED.”
“IF YOU DON’T ANSWER THIS RIGHT AWAY YOUR BANK ACCOUNT WILL BE SEIZED.”

The sheep or lemming mentality – whatever you call it – is responsible for the astounding finding that 23% of corporate workers will fall to spear phishing attacks. So, I, as the bad guy, target “YourBank.Com” with 20,000 workers. Statistically, 4,600 of them will fall for my scam.

They might provide personal data; they might respond to the e-mail or click through to the hostile web site.

Worse, they will <Click> on some unknown “REPLY URGENTLY” link and download and install a hunk of nasty software that becomes the beachhead for a massive data breach.

The Intrepidus Group’s study showed a few things quite clearly:

  • Intimidation and authority in e-mails work. 23% positive response is insanely unacceptable.
  • Current corporate user training is not effective.
  • Companies are not practicing penetration studies against people; just technology. Stupid, stupid, stupid.
  • People are sheep, and we give them incredible access to information and technology when they are not skilled enough to use it.

What to do?
I’ve done social (human) penetration testing in many forms. I have also gotten my clients to agree to fire at least 10% of the people who fail. Extreme? Yes. Effective?

You bet.

It’s Only Sensitive… So Let DHS Get Hacked

Wednesday, June 3rd, 2009

I’ve been doing this for a long time, and the latest hack into a DHS coordination and planning network was really no surprise. If it wasn’t them it was going to be… what, some nation-state that keeps screwing with the FAA systems (with 3,800+ holes)… and that’s really bad.

Point is, back in 1987, Congressmen (people?) Glickman and Valentine were the point men on the CSA, Computer Security Act of 1987. (This is the committee that told me cyberwar/terrorism/etc. was a figment of my imagination. Quality folks, there.) One major goal of the Act was called “C2 by ‘92”.

In the old security parlance of the Orange Book, C2 security was good enough for “sensitive but unclassified” information. Big push. Big initiatives. Big goose egg of security tongue wagging.

So, the DHS is downplaying this sensitive but unclassified hack as, “no information can be posted on HSIN that would cause anything more than minor damage to the homeland security mission.”

I am sorry. No, they should be!

Any data leak is potentially monstrous. So, this data was C2. Fine. Then another C2-level hack here and another there… and you glue together all of the data from these hacks and suddenly the amalgamated data is MJ-12 (alien technology) secret.

OK, you get the point.

Data in isolation may seem worthless, but a cut, a snip and a paste later you’ve got yourself a database worth boatloads to the bad guys.

What is even worse is that, these days, the flipping DHS can’t practice Security 101 and avoid getting hacked. It’s not that hard… if you let the geeks do their jobs.

I find it immeasurably embarrassing that the guys and gals who are supposed to protect us can’t even protect themselves to the most minimal standards.

Of course the public information doesn’t say whether the situation was caused by a poorly configured machine (of what OS, by the way), unpatched vulnerabilities or the same type of criminal stupidity that allowed the details of Obama’s Helo to get into the hands of the Iranians.

Come on people: every bit of data is valuable. Just because you don’t see that doesn’t make it untrue.