My Security Christmas List

I have been asking my son for the last month what he wants Santa to bring him for Christmas. After many discussions and a huge list I had to tell him Santa only takes lists of 5 items or less and that he would have to figure out what he really wanted.

It got me thinking about what my letter for Security Santa would look like, and here is what I came up with:

Dear Security Santa,

I hope everything is well at the North Pole and your big brother has stopped cyber-bullying you about wanting to be in security and not follow in the family business. Did you remind him that he one time let an Elf become a dentist?!?!

Anywho, I have been a very (mostly) good boy this year. Much, much better than my friends at the NSA have been! So hopefully you can see it in your heart to give me these five things:

Painless Patching Kit
It is 2013, right? Keeping a Windows machine up-to-date shouldn't take a network administrator. If you somehow could take the idea of Secunia PSI and make it a workable solution you would be my hero! Think of the number of problems you could solve if Flash, Java and Reader automatically updated themselves correctly!

Security Conference Cloud
I go to my fair share of conferences a year but I never see all the talks I want to see. You need to invent a company that travels around and records all the security talks and hosts them behind a pay wall. I would pay $100 a year for a membership and I know there are a lot of other good security professionals who can't go anywhere that would also.

Less Basements and More Boardrooms
I have some incredibly intelligent friends who I would love to see break out of their IT Crowd thinking and move out of the basement and into real security leadership roles in their companies. Help them understand talking to people who wear a suit every day isn't that hard!

World IT Department Peace
I ask for this every year but I still talk to a lot of security professionals who see their role as chief adversary officer in their IT department. Think about how much further we could move security if everyone actually tried to work with the developers and the system admins in their companies!

A Puppy
I really want a puppy and I have asked the real Santa for one for the past couple of years but I think he and my wife are in cahoots to stop it from happening. So I figured I would go all shadow IT on them and ask you!

As you can see I don’t think I am asking for much this year so if you could please bring me all this stuff (mostly the puppy) that would ROCK!

Yours Truly,


I helped a local company pay off hackers.

From time to time I get called by small organizations, law firms and companies in my local area to do some consulting on security issues. Yesterday afternoon <redacted organization> called me and told me they were getting this pop-up on one of their computers:


That pop-up is known as CryptoLocker. Once your machine is infected, CryptoLocker scans all physical and mapped network drives on the computer for common picture and office files, encrypts every one it finds with basically unbreakable encryption, and gives you 72 hours to send them $300 before they destroy the key that unlocks your files.

I had a hard time figuring out what to suggest <redacted organization> do. They only backed up their files on Friday evenings, so they were looking at losing 3 full days' worth of work if they didn't pay.

After a lot of back and forth they decided that it was worth a $300 gamble to try to pay off the hackers, knowing that it might not work. So they went down to WalMart and bought a Green Dot MoneyPak loaded with $300 and followed the somewhat complicated instructions to transfer the money.

<redacted organization>'s IT guy called me this morning when he got back into the office and said their files had been decrypted successfully and they had removed the infected machine from the network.

I think this is a turning point in security. There were some steps <redacted organization> could have taken to protect themselves better:

  • Better Share Management
  • Better E-Mail Filtering
  • Better AV
  • Better Backup Schedule
  • Security Awareness Training

Overall, <redacted organization> is just a normal small company though. They try to be security aware but they don't have the time or resources to do everything the way they should, and in the end it made sense for them to pay $300 to recover their files.

If I had to guess, CryptoLocker is just the start of a wave of malware that holds your files hostage until you pay. I don't like it, but I doubt this is the last company I help pay off hackers.

I will be taking part in this Dell Security Think Tank on the 17th of September.

The Unglamorous Work of a Security Practitioner

Here is a stack of 105 computers we are surplusing at work after 5 years in service.

Before they get sold at auction it is my job to make sure all the data is securely and permanently removed from the drives. For this tedious job I turn to a copy of DBAN to wipe the drive 7 times (also known as the DoD 5220.22-M wipe). It takes about 4 hours per PC, so for most of the last 3 weeks I have been babysitting this stack of computers to make sure they finish correctly and without errors.
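The "finish correctly" part is the piece worth checking rather than trusting. As an added example, not the author's DBAN workflow, this script does a multi-pass overwrite of a constructed 1 MiB disk image and then verifies that the original contents can no longer be found by a plain byte search; the image path, marker string and pass count are all assumptions, and it expects POSIX sh with dd, grep, yes and /dev/urandom.

```sh
#!/bin/sh
# Added example (not the author's DBAN procedure): overwrite a constructed
# disk image several times and verify the original data is gone.
set -eu

IMG="${TMPDIR:-/tmp}/surplus-disk.img"   # constructed stand-in for a drive
MARKER="CONFIDENTIAL-USER-RECORD"        # constructed "sensitive" content
SIZE_KB=1024                              # 1 MiB keeps the demo fast
PASSES=7                                  # mirrors the 7-pass wipe in the post

make_image() {
    # Fill the image end to end with recognisable user data.
    yes "$MARKER" | head -c "$((SIZE_KB * 1024))" > "$IMG"
}

marker_hits() {
    # Count lines still containing the marker. 0 means nothing is
    # recoverable by a simple search of the raw image.
    LC_ALL=C grep -a -c "$MARKER" "$IMG" || true
}

wipe_image() {
    # Overwrite the whole image in place with random bytes, once per pass.
    # conv=notrunc keeps the image (the "drive") at its original size.
    pass=1
    while [ "$pass" -le "$PASSES" ]; do
        dd if=/dev/urandom of="$IMG" bs=1024 count="$SIZE_KB" \
           conv=notrunc 2>/dev/null
        pass=$((pass + 1))
    done
    # Final zero pass so the drive leaves with no residual random noise.
    dd if=/dev/zero of="$IMG" bs=1024 count="$SIZE_KB" conv=notrunc 2>/dev/null
}

image_size() {
    # Sanity check: a wipe that shrank the image missed part of the "drive".
    wc -c < "$IMG" | tr -d ' '
}

make_image
echo "before wipe: $(marker_hits) marker lines"
wipe_image
echo "after  wipe: $(marker_hits) marker lines, image still $(image_size) bytes"
```

On a real drive the same idea applies: read the device back after the wipe and search for known content before the box leaves the building, because a pass that aborted with errors looks identical to a finished one from across the room.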

This is what "real security" work boils down to for most practitioners. As much as I want to pretend that my job is chasing down hackers, adding new firewalls and yelling cheesy movie lines… it is taking care of little things like this, making sure we don't sell our users' data, that is one of the most valuable things I do at work.

BYOD is actually a user-led rebellion against poor IT practices, inflexibility, and infosec autocracy.

Stay Safe Shopping Online This Holiday Season

Christmas is quickly approaching and that means Black Friday and Cyber Monday will soon be upon us with their unbelievable must-have sales. As more and more people do their holiday shopping online it is important to stay safe.

Here are my top 5 security hints for shopping safely online:

Update your security software and other applications.
Keeping the software on your system up-to-date is an important part of keeping your system safe and secure. I recommend that everyone runs Secunia PSI on their PC. It automatically finds all of your outdated software and updates it for you.

Don’t shop online with your debit card.
If you have a problem with a purchase or the card number gets stolen, your debit card is vulnerable because it is linked to your bank account, and you don't want to spend the time you could be watching A Christmas Story fighting with your bank to get your money back in your account.

Watch out for phishing emails.
Watch out for "special deal emails" you receive that appear to be from legitimate retailers. Look for poor grammar or misspellings in the email and URLs that take you to places other than the retailer's website. If in doubt, go directly to the retailer's website and check for the deal there.

Use OpenDNS.
Using OpenDNS is a great way to make sure your PC doesn't end up on a site that might steal your passwords or credit card number. It does this by being the "GPS" for your browser and makes sure your computer doesn't end up in a neighborhood it shouldn't.

Different passwords for every website.
This is the most important and one of the hardest things you can do to keep safe online. Every website is going to get hacked sooner or later, and a great way to limit the damage done to you is by never having the same password on two websites. If you can't remember all the passwords, write them on a notepad and keep it with you. When hackers hack a website and find usernames and passwords, the first thing they do is try them on as many popular websites as possible. If your passwords don't match they will move along and try the next one on the list.

Or, you could always leave your house and go shopping at a real store over the holiday season:

Everyone is a target on the internet. You are either a primary objective or a target of opportunity.
