Amazing mind reader reveals his ‘gift’

Amazing mind reader reveals his 'gift'

Now that I have your attention, over the weekend, I remembered this video that debuted back in 2012.

It was a great public service announcement piece from Belgium. What made the video such a hit was the eccentric individual was no ordinary mind reader – he gets all his information from Facebook, Twitter, Social Media, and the web.

He is also warning you against sharing too much private information.

[The video] begins with random people being selected from the streets of Brussels.  They are asked if they would like to participate in an upcoming TV program featuring Dave, described as a gifted clairvoyant.  Once they agree, they are ushered into a white tent to meet Dave. He hugs them and dances around as he seemingly tries to get a sense of the person’s energy.  As people are seated across from him, Dave tells them random facts about them, from the color of the motorcycle they own to their bank account number and even the types and locations of their tattoos.

As the unassuming subjects become absorbed in Dave’s trance and the factual information he is providingthe truth behind his magic is revealed.  A curtain drops, and behind it is a group of computer hackers dressed in all black searching the Internet for information about each of the individuals.  In fact, a large monitor sits in front of the hackers, displaying pictures and personal information about the subjects.  Each person seems astonished, first at the curtain dropping and then at the reveal as they realize what has taken place.  [Emphasis added]

Over here at Net Force, we still see too much over sharing of information on social media sites. Even the most harmless and innocuous pieces of information individuals share on social media is worth its weight in gold when combined with other pieces of information.

We all need a little reminder to “Be vigilant, because Internet fraudsters can (and will) use information against you.”

See the entire video below:

 

Encouraging Aspiring Future Cyber Defenders

Encouraging Aspiring Future Cyber Defenders

IMG_1102_largeThe process of building, nurturing, encouraging, developing, inspiring, and training future cybersecurity professionals is an ongoing lifecycle for us at Net Force. For the second straight year, our team has been working with Cal-Poly Pomona, Los Angeles Unified School District and CyberPatriot to identify and encourage new and rising talent in the industry.

This past weekend especially was a landmark occasion for those of us in Los Angeles. Over 350 middle and high school students from across Southern California gathered together for the first annual “Cyber Day Los Angeles”. Students as young as sixth grade were given Windows images to debug and remediate security issues while the advanced and battle-tested students also engaged in a Linux Capture-The-Flag (CTF) Competition.

These students represent our future team members and colleagues. It is such a huge priority for those of us at Net Force to have more friends than enemies. We want to see these students become our allies rather than those who go to the dark side. It makes our lives significantly easier.

Training future talent is a key component to defending our systems. As I wrote before, defense is not easy. Competitions like CyberPatriot and events like Cyber Day Los Angeles ensures that we have the brightest minds working on the ongoing battle against cybercrime. Cyber Threats continue to be the biggest threat to organizations alike with increased sophistication. Adversaries are becoming more adept in this field to a point where adversaries are making a profession of being evil. Knowing that these young minds are coming down the pipe brings some comfort.

At the end of the day, I find it inspiring and encouraging to see so many students, from both middle and high schools across the Southern California, gather and share a passion for cyber security.

Teaching CyberSecurity in Higher Academia

Teaching CyberSecurity in Higher Academia

Teaching Cyber Security in Higher Academia has always been a subject that’s struck a chord with both academia and industry. There is always this balance that both sides seek to achieve.

On one hand, there are risks when teaching such a subject, including, having the proverbial “Dog biting the hand that feeds it.” Reading this thread on Reddit made my stomach churn as I see students try to advance their careers, knowledge and understanding of cyber security.

I won’t go down this rabbit hole too much on pointing the negatives out, but I would like to point out the obvious: The students are meeting in an unofficial capacity.

Whether it is sanctioned or unsanctioned by Higher Academia, the students have formed a community to share and learn. The very fact these students want to take it to the next level with the blessing of the administration indicates the willingness by students to do this the right way and ensure this community stays out of trouble.

It is also a wonderful opportunity for the administration to teach and help students learn the right ethics, morals, and understanding the consequences of ‘going to the dark side’. These students will be this academic institution’s first line of cyber defense in future years as they may notice suspicious and unusual behavior of computers they use on campus. They may even join the ranks as staff members of a higher academia institution, including the one they currently attend.

This is a relationship I encourage any student and higher academia to grow, nurture and cultivate. The benefits will always outweigh the concerns, and I ask that higher academia to avoid simply saying no and let that be the end of the conversation and dialogue.

Rather, identify the concerns (and yes they are legitimate concerns) and find ways to teach and educate these young minds that “With great power comes great responsibility.

The Shaming and Heckling of #Infosec

The Shaming and Heckling of #Infosec

Do not let any unwholesome talk come out of your mouths, but only what is helpful for building others up according to their needs, that it may benefit those who listen.” – Ephesians 4:29

First, I understand this blog entry might sound a bit like “Monday Night Quarterbacking” or “Jumping on the Bandwagon”, and you are entitled to your own opinion.

Reading what my good friend Rafal Los wrote about “Living in Glass Houses – #Infosec Industry’s Culture of Shaming” wrote Monday evening, I have to agree with him. Information Security is Hard.

I like to equate being in the information security/cyber security industry being the same as in the intelligence community.

To quote the movie The Recruit,

Our failures are known. Our successes are not.”

The work and life of those in the intelligence community is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

The work and life of security and IT audit professionals share similar parallels. It is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

Security is, and will always be, challenging on both offensive and defensive. It is a matter of degree. Both sides generally lack the support and resources to do the job while at the same time are some of the first scapegoats in the wake following a security incident.

From an offensive/penetration tester perspective, there is always a finite amount of time and resources trying to rush in and identify risks without breaking the business or the piggy bank in the process. I somewhat question when a penetration tester announces they found a single vulnerability and concludes their job is complete. As part of any security engagement I have been on, there is always that lingering feeling that I missed something and warrants a closer look.

From a defensive/information security analyst perspective, it’s not easy as between managing the day job (Layer 1-7 issues, putting out fires, doing investigations on security incidents, and normal responsibilities) and managing the night job (Layer 8 and 9 issues: Finances and Politics), it is miracle in some sense that some firms actually have security in the first place given the finite budgets they are given to work with and the sheer level of red tape they have to go through to get anything accomplished.

Being part of the Western Regional Collegiate Cyber Defense Competition for the last four years has taught me that playing defense is never as simple as doing a single thing. Whether it be people, process, or technology, something will fail, and that failure will lead to the compromise of a system or entire network. These blue teams (defenders) consistently have to anticipate every single strategy the red team (attackers) will use and win every single battle red team wages. In contrast, red team has the opportunity to win a single battle (or a few small skirmishes) to win the war. The same is true in the real world.

I challenge anyone out there, whether you are in the information security industry or information technology field, or simply a bystander to understand the complexities we face together. The criticisms, and demanding someone should be fired for this illusion, this perception of incompetence needs to stop. The heckling, shaming must stop, even if it is at a cyber competition. There is no such thing as secure. Even security firms are a target.

I challenge everyone that instead of shaming or heckling, we should be encouraging, and edifying one another. Don’t tear people down. Build them up to be even better security professionals. As cliche as this is, we are all in this together.

Creating Secure Passwords

Creating Secure Passwords

October is National Cyber Security Awareness month, and we figured we would provide some great tips and tricks on how to create secure passwords.

We use passwords so much these days that it’s second nature. What we don’t realize is that it’s often the first and last line of defense keeping ‘baddies’ out of your email, Twitter, Facebook, financial accounts, and life.

According to one study, 73% of all Americans have fallen victim to some type of Internet crime during their lifetime. Nine million people are victims of identity theft and an estimated 600,000 Facebook accounts are compromised daily.

Here are some great tips and tricks to creating secure passwords.

 

Forget using a password. Use passphrases.

Passwords are dead. The typical password lengths we see at our firm are somewhere between 8-9 characters in length. Unfortunately, it is pretty much the limitations of our minds. Instead, choose a passphrase that allows you to get to 20 or 25 characters in length. It is far more difficult to remember “Dc#GRe3!” than it is “My mother is an amazing and beautiful women!” It is far easier to remember, and at the same time, far more challenging to crack. Don’t forget to include Upper Case, Lower Case, Numbers and Special Characters! (Use them all)

Please avoid: using dates (birthdays, anniversary dates, birthstones, gemstones, kid’s names, friend’s names pet names, nicknames, swear words, or any of the above in a foreign language). Basically avoid anything you can find on your Facebook or Social Media.

It doesn’t hurt to use your favorite lyrics, bible verse, poem, or script to reference upon. I’m sure everyone has “a lovely bunch of coconuts” (Think Merv Griffin and Lion King)

Mix it up.

Don’t use the same password on every single site. Ask yourself this: If I were to loose access to this account, how much trouble would I be in? Typically, that means your financial accounts would come in as number one, with your email accounts a close second. These accounts are the ones you want to avoid using the password on any other site.

If you do online banking especially, it is even more imperative to ensure that that particular password is never used elsewhere.

We must tell lies

I hate those pesky security questions. Essentially it’s the same as if a bad guy can’t get in the front door, they will get in the backdoor. Information to those security questions can be found with a quick Google search.  Especially your high school mascot.

If anything, avoid the question at hand and replace it with something else only you would know. For example, what is your favorite color is one of my personal pet peeves. No matter how hard you try, there will always be a set number of colors and it is as simple as writing a small programming script to guess it. If you are absolutely stuck, add a few adjectives in front to help, like instead of brown, answer with “baby diarrhea brown”. Extremely horribly visual, but it slows the bad guy down.

Like earlier, avoid using anything that can be found on Facebook or Social Media.

Embrace Change

CHANGE THOSE PASSWORDS EVERY THREE TO SIX MONTHS! That includes your WiFi passwords my friends.

Too many passwords?

Use a service like LastPass. Please do not use those password managers found on browsers though. They are extremely easy to get at.  However, remember to use a brilliant secure, one of a kind password for LastPass. If a baddie gets in, they get into EVERYTHING.

Advanced Security: Two Factor Authentication

It never hurts to have it, but with services like Google, Twitter, and Facebook, they will send you a small six digit code as part of their two-factor authentication. While your password may be compromised, having two-factor authentication buys you some additional time to change your password in the event your account is compromised. This excludes the fact if your phone has been compromised by malware.