Cyber Security Due Diligence

Automatic Data Processing (ADP) acquired WorkMarket, a freelance workforce management platform, in January of this year.  In and of itself this merger and acquisition story is uneventful, except that WorkMarket positioned itself above other possible acquisition targets by having solid cyber security.  WorkMarket satisfied the risk management, cyber security and financial crime specialists ADP sent to the company as part of the due diligence phase of the acquisition.  ADP rejected other companies that did not pass this new aspect of due diligence.

A company’s cyber security posture is now part of the due diligence phase of mergers and acquisitions.  The best-known example of a failed cyber security review affecting an acquisition is Verizon’s purchase of Yahoo.  Verizon initially agreed to pay $4.83 billion for Yahoo’s core internet business, but renegotiated after the extent of Yahoo’s data breaches, affecting billions of user accounts, came to light.  The price was cut by $350 million to about $4.48 billion, and Yahoo agreed to share some of the breach-related liabilities: a direct loss for Yahoo shareholders caused by security failures that predated the deal.

The question is: what gets assessed?  The assessment is a logical evaluation of the data and the network.  Here are the inspection points:

An in-depth assessment of the network:  A technical assessment of the network is completed, including penetration testing, a check that all patches are current and a check that the network is properly protected.  Policies and procedures are also evaluated.  An undiscovered breach surfacing in this phase is exactly what a target wants to avoid!

National Institute of Standards and Technology (NIST):  Does the company follow cyber security best practices, such as the NIST Cybersecurity Framework, that address interoperability, usability and privacy?  Does it adhere to recommended configurations and vulnerability management?

Network employee evaluation:  The certifications and training of the company’s network and security staff are evaluated.

Third-party vendors:  Which outside services are relied upon to deliver portions of the network or network services is reviewed.  The structure of the network, including its cloud components, is reviewed along with how the company assesses the vendors supplying those components.

Physical security:  All the best cyber security in the world can quickly be undone if someone can walk into your facility and plug into the network.

Regulation:  Relationships with regulators and any regulatory actions are investigated.  Prior breaches, and how they were handled, are assessed.

Data usage and privacy policies:  Privacy policies, since they change over time, are checked, along with data usage policies and how the acquiring company can use the data going forward.

Startups and small companies that want to be acquisition targets must now make cyber security and safeguarding their network a high priority, or risk being discarded as too risky in the due diligence phase.

Sources: Cyber Security Due Diligence in M&A Transactions, Sullivan & Cromwell LLP, John Evangelakos





GitHub Amplification Attack

According to GitHub’s incident report, “On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack…. Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Amplification attacks are a type of DDoS attack in which the attacker, typically from a botnet, sends requests over the User Datagram Protocol (UDP) with the source address spoofed to the victim’s IP.  Because UDP has no handshake, the legitimate servers that receive those requests (called “reflectors” or “amplifiers”) answer to the spoofed address and flood the victim with responses.  The amplification happens when the response is much larger than the request; for memcached, ratios of roughly 51,000 to one have been reported.  In the GitHub attack the reflectors were memcached servers simply answering requests received on UDP port 11211, with no idea they were part of an attack.

Why do attackers target servers that speak UDP?

Services use UDP to speed up data exchange: there is no connection setup, so a request is a single packet and the reply can be sent immediately.  UDP does carry a checksum, but there is no handshake, so the server never confirms that the source address in a request really belongs to the sender.  Since the source address cannot be verified, the server simply answers every request, which makes publicly exposed UDP services perfect ‘reflectors’ for amplification attacks.

How do you stop amplification attacks?

Detecting an amplification attack is the easy part: GitHub had an alarm that triggered when the ratio of ingress to egress traffic crossed a threshold.  Once you realize there is a problem, your options are limited.  In the case of the GitHub attack last week, inbound traffic was rerouted through Akamai, whose scrubbing capacity absorbed the packet volume; Akamai then applied access control lists that dropped UDP traffic sourced from port 11211, the memcached port, which cut off the reflected responses without having to block each reflector individually.

Stopping these attacks at the source is difficult.  Generally, recommendations focus on longer-term best practices:

  1. Do not expose memcached (or any other reflection-capable UDP service) to the internet.  Memcached disables its UDP listener by default as of version 1.5.6; older installs should be started with `-U 0` and bound to a private interface.
  2. Re-configure poorly configured UDP servers and do not use the default settings.  Limit responses to trusted sources, and rate-limit responses where the service must stay public.
  3. Push to have all Internet Service Providers (ISPs) implement source address validation (BCP 38 / unicast Reverse Path Forwarding, uRPF), which drops packets whose source address could not legitimately have arrived on that interface, so spoofed requests never reach the reflectors.
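An added example (not from GitHub’s report or the page’s sources) that puts the pieces above together in Python: it builds the 15-byte memcached UDP `stats` probe that makes the amplification possible, computes the amplification factor, runs an ingress-versus-egress alarm of the kind GitHub describes over constructed flow records, and emits the source-port-11211 filter used in mitigation.  The flow records, addresses and the `acl_for` output format are constructed for illustration.

```python
"""Memcached reflection: probe size, amplification factor and an ingress/egress
alarm over flow records. Added example; the flow records below are made up."""
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211


def memcached_udp_stats_probe(request_id: int = 0) -> bytes:
    """Build the smallest request an attacker needs: the 8-byte memcached UDP
    frame header (request id, sequence 0, total datagrams 1, reserved 0)
    followed by the ASCII 'stats' command. Only 15 bytes on the wire."""
    header = request_id.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x01" + b"\x00\x00"
    return header + b"stats\r\n"


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the victim receives per byte sent."""
    return response_bytes / request_bytes


# Constructed NetFlow-style records as an edge router would export them:
# direction proto src sport dst dport bytes ("in" arrives at our edge).
SAMPLE_FLOWS = """\
in  udp 198.51.100.7  11211 203.0.113.10 443   750000
in  udp 198.51.100.8  11211 203.0.113.10 443   740000
in  udp 198.51.100.9  11211 203.0.113.10 443   760000
in  udp 198.51.100.10 11211 203.0.113.10 443   745000
in  tcp 192.0.2.55    51000 203.0.113.10 443   900
out tcp 203.0.113.10  443   192.0.2.55   51000 1800
in  udp 192.0.2.60    53    203.0.113.11 33001 512
out udp 203.0.113.11  33001 192.0.2.60   53    70
"""


def parse_flow(line: str) -> dict:
    direction, proto, src, sport, dst, dport, nbytes = line.split()
    return {"dir": direction, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect_reflection(flows, ratio_threshold: float = 10.0, min_reflectors: int = 3):
    """Per destination host: bytes in vs. bytes out, plus the distinct sources
    whose UDP traffic comes from the memcached port. A host receiving far more
    than it sends, from several such sources, is being reflected at."""
    stats = defaultdict(lambda: {"ingress": 0, "egress": 0, "reflectors": set()})
    for f in flows:
        if f["dir"] == "in":
            s = stats[f["dst"]]
            s["ingress"] += f["bytes"]
            if f["proto"] == "udp" and f["sport"] == MEMCACHED_UDP_PORT:
                s["reflectors"].add(f["src"])
        else:
            stats[f["src"]]["egress"] += f["bytes"]

    alerts = []
    for host, s in stats.items():
        ratio = s["ingress"] / max(s["egress"], 1)
        if ratio >= ratio_threshold and len(s["reflectors"]) >= min_reflectors:
            alerts.append({"victim": host, "ratio": round(ratio, 1),
                           "ingress_bytes": s["ingress"],
                           "reflectors": sorted(s["reflectors"])})
    return alerts


def acl_for(alert: dict) -> str:
    """Cisco-style ACL line in the spirit of the mitigation: drop UDP whose
    *source* port is 11211 toward the victim, leaving other traffic alone."""
    return f"deny udp any eq {MEMCACHED_UDP_PORT} host {alert['victim']}"


if __name__ == "__main__":
    print(len(memcached_udp_stats_probe()), "byte probe")
    for a in detect_reflection(parse_flow(l) for l in SAMPLE_FLOWS.splitlines()):
        print(a)
        print(acl_for(a))
```

The ratio alarm alone would also fire on a legitimate large download, which is why the rule additionally requires several distinct sources answering from the memcached port before it emits the ACL.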

Sources: GitHub’s February 28th DDoS incident report; Scaling Memcache at Facebook.


OilRig: Iran’s Cyber Hackers

OilRig is an Iranian state-sponsored hacking group that has been active since at least 2015 and was first documented by Palo Alto Networks’ Unit 42 in 2016.  Since then, OilRig’s capabilities have grown steadily and the group has become a regular subject of Unit 42 reports.  Having started out with generic phishing, it has matured into a more sophisticated distributor of targeted malware, using compromised servers at IT companies throughout the Middle East.

What I find most interesting about OilRig is that they have developed skill sets that allow them to attack Israeli IT vendors and government agencies from a nation-state that isn’t a financial powerhouse.  In essence, they’re scrappy cyber street fighters who continue to evolve into a capable unit with cyber reach in the US East.

Their current modus operandi is to compromise the servers of IT vendors and send targeted phishing emails, carrying a malicious attachment, to the companies that use those vendors.  The latest attacks delivered the OopsIE Trojan via emails that originated from the compromised IT company servers.  Of particular interest is that one of their recent attacks was against a financial institution in Lebanon, and that OilRig had earlier stolen a code-signing certificate from a Vermont software company and used it to sign malware delivered in its phishing campaigns.

According to Secure Reading this is how the attack works: “The macro creates a scheduled task which runs after waiting one minute to decode base64 encoded data using Certutil application.  It also creates a second scheduled task which waits for two minutes and runs a VBScript to execute the OopsIE trojan and clean up the installation.  The OopsIE Trojan is packed with SmartAssembly and obfuscated with ConfuserEx v1.0.0. It creates a VBScript file to run persistently on the system. The malware also creates a scheduled task to run itself every three minutes.  It uses HTTP to communicate with its command and control server using InternetExplorer application object.  The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon.”
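The chain quoted above (Office macro, `schtasks` with a one- to three-minute interval, `certutil -decode`, a VBScript dropped under the user profile, and tasking read from between `<pre>` tags) is concrete enough to hunt for.  The Python below is an added example, not OilRig’s code or Unit 42’s detection logic: `classify_event` tags constructed Sysmon-style process-creation records with the behaviours they match, and `extract_c2_command` mirrors the trojan’s response parsing so a captured C2 reply can be read.  The event records, image names and the five-minute interval threshold are assumptions made for the example.

```python
"""Hunting the OopsIE delivery chain in process-creation events.
Added example: the events below are constructed, not real telemetry."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "schtasks.exe", "certutil.exe",
           "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\")
SCHTASK_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)")

# Sysmon event 1 style records: parent image, image, full command line.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /create /sc minute /mo 1 /tn "Update" '
                r'/tr "certutil -decode C:\Users\bob\AppData\Roaming\a.txt '
                r'C:\Users\bob\AppData\Roaming\a.exe" /f'},
    {"parent": "svchost.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe C:\Users\bob\AppData\Roaming\up.vbs'},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r'notepad.exe C:\Users\bob\Documents\notes.txt'},
    {"parent": "services.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr C:\bk\run.bat'},
]


def classify_event(event: dict) -> list:
    """Return the behaviours from the OopsIE chain that this event matches."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"].lower()
    findings = []
    if parent in OFFICE_APPS and image in LOLBINS:
        findings.append("office-spawn")           # macro spawning a shell
    if "certutil" in cmd and "-decode" in cmd:
        findings.append("certutil-decode")        # base64 payload decoded on host
    m = SCHTASK_INTERVAL.search(cmd)
    if "schtasks" in cmd and "/create" in cmd and m and int(m.group(1)) <= 5:
        findings.append("short-interval-task")    # 1-3 minute beacon/persistence
    if image in ("wscript.exe", "cscript.exe") and ".vbs" in cmd \
            and any(p in cmd for p in USER_WRITABLE):
        findings.append("vbscript-userdir")       # VBScript run from a user-writable path
    return findings


def hunt(events) -> dict:
    """Map each suspicious command line to its findings; benign events drop out."""
    return {e["cmdline"]: f for e in events if (f := classify_event(e))}


def extract_c2_command(body: str):
    """Mirror the trojan's parser: the tasking is whatever sits between
    <pre> and </pre> in the C2's HTTP response."""
    m = re.search(r"<pre>(.*?)</pre>", body, re.S)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    for cmdline, tags in hunt(SAMPLE_EVENTS).items():
        print(tags, cmdline[:60])
```

Any one of these tags on its own is noisy (administrators do create scheduled tasks); the first sample event is interesting because an Office process spawned a shell that both decodes a payload and schedules it on a one-minute timer.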

We’ll continue to hear more about OilRig in the future, especially as behind-the-scenes political maneuvering among nation-states creates new alliances against the United States.


Unlocking the iPhone

Apple triggered a large-scale security and privacy debate after the 2015 San Bernardino terrorist attack that claimed 14 lives.  The government wanted one attacker’s iPhone unlocked to access the data inside and determine whether it held actionable intelligence.  Apple refused.

Apple’s position focused on user privacy and the encryption in its iOS operating system: Apple wanted to protect its user base’s data and avoid weakening iOS for everyone by creating a back door.  The Federal Bureau of Investigation (FBI) wanted the device unlocked quickly to interdict other plots or identify co-conspirators in the attack.  I appreciate both sides of the debate.

Ultimately an outside firm, reported at the time to be the Israeli company Cellebrite, which specializes in mobile forensics, was contracted to unlock the device without Apple’s help, and the iPhone 5C was unlocked.  The court order served on Apple to unlock its own device was withdrawn by the government.  There will likely be a similar fight someday in the future.

The Cellebrite website offers a service that unlocks “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11”.  “Devices are unlocked and returned within 10 days”.  iOS 11 ships on Apple’s latest phone, the iPhone X, which implies that it, too, could be unlocked.

Unlocking Apple devices is both good news and bad: good if it is in the public interest to quickly access a specific phone for actionable intelligence, and bad if Apple cannot make an iOS version that keeps everyone’s personal data safe, which is the thrust of its argument against unlocking its own devices in the first place.  Fortunately, the true need to access an iOS device very quickly is rare, so the debate has been shelved until the next need arises.

Don’t worry, Android OS users, Cellebrite doesn’t discriminate: they offer the same service on a long list of devices that use the Android operating system.  Sometimes I wonder if any device can truly be made secure.

My final thought: isn’t it interesting that this unlocking service isn’t offered by a U.S. company?  Why would that be?


Crypto-Jacking Tesla

Tesla just mined some cryptocurrency for hackers.

Hackers accessed Tesla’s Kubernetes administration console, which was exposed to the internet without a password.  Kubernetes is an open-source system for automating deployment, scaling and management of containerized applications.  As it turns out, Kubernetes dashboards left reachable without authentication are a known weakness, and attackers scan for them.  In Tesla’s case the console also exposed a pod containing credentials for Tesla’s Amazon Web Services (AWS) environment.

Once inside Kubernetes, the hackers ran their own workload in the cluster, which was hosted on AWS.  They installed mining pool software, reportedly a version of WannaMine, and pointed it at an unlisted pool endpoint, hidden behind a content delivery network and listening on a non-standard port, so the traffic did not match known mining-pool IP blocklists.  They also throttled the miner to keep CPU usage low and avoid usage alarms and CPU spikes.

It’s clear that stealing computer resources to mine cryptocurrency can be a more lucrative business model for hackers than stealing and selling data, especially when coin prices trend higher.

According to WENY News, “As bitcoin and other cryptocurrency prices soar, “cryptojacking” attackers surreptitiously take over web browsers, phones and servers to make some serious profit.”

If your machine seems to be running out of resources, check CPU usage and act.  On a personal machine, identifying and killing the offending process (or closing a hijacked browser tab) is usually enough.  On a server or in a cluster, killing the process is only the first step: find and remove whatever will restart it (a cron job, a deployment, a scheduled task), look for the credential exposure that let the attacker in, and rotate any keys that were reachable from the compromised host.
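Because the Tesla miners hid the pool behind an unlisted endpoint, matching destination IPs against a blocklist would have missed them.  The Python below is an added example (not RedLock’s analysis or Tesla’s tooling) that instead fingerprints the first message a process writes on a socket: mining clients speak the Stratum JSON-RPC protocol, whose method names (`mining.subscribe`, `login`, ...) do not change when the pool’s address or port does.  The connection records, process names and addresses are constructed for the example.

```python
"""Spotting a miner by what it says, not where it connects.
Added example: the connection records below are constructed."""
import json

# Method names used by the Stratum mining protocol (Bitcoin-style pools) and
# by the JSON-RPC dialect that CryptoNote/Monero pools and XMRig speak.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "login", "submit", "keepalived"}

# Records a host agent might keep: pid, binary, destination and the first
# payload the process wrote on the socket. Constructed for this example.
SAMPLE_CONNECTIONS = [
    {"pid": 4471, "image": "/tmp/.x/kthreadd", "dst": "203.0.113.77:3333",
     "payload": '{"id":1,"method":"login","params":{"login":"wallet","pass":"x","agent":"XMRig/2.5.0"}}'},
    {"pid": 1203, "image": "/usr/bin/curl", "dst": "198.51.100.4:443",
     "payload": "GET /healthz HTTP/1.1\r\n"},
    {"pid": 5510, "image": "/opt/m/m", "dst": "192.0.2.9:8080",
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'},
    {"pid": 77, "image": "/usr/bin/python3", "dst": "192.0.2.9:8080",
     "payload": '{"jsonrpc":"2.0","method":"status","id":7}'},
]


def is_stratum_payload(payload: str) -> bool:
    """True if the first message looks like a mining client handshake."""
    try:
        msg = json.loads(payload.strip())
    except ValueError:
        return False
    if not isinstance(msg, dict):
        return False
    if msg.get("method") in STRATUM_METHODS:
        return True
    params = msg.get("params")
    # XMRig-style login carries wallet + agent even if the method name is odd.
    return isinstance(params, dict) and {"login", "agent"} <= set(params)


def find_miners(connections) -> list:
    """Return (pid, image, dst) for every connection whose payload is Stratum,
    regardless of destination port or address."""
    return [(c["pid"], c["image"], c["dst"]) for c in connections
            if is_stratum_payload(c["payload"])]


if __name__ == "__main__":
    for pid, image, dst in find_miners(SAMPLE_CONNECTIONS):
        print(f"pid {pid} ({image}) -> {dst}: Stratum handshake")
```

Note that the throttled CPU usage from the Tesla case would not help the attacker here: the detection keys on the protocol, not on load, so the CPU alarm that was evaded is no longer the only signal.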


The Philadelphia Cyber Security Job Market

Since the University’s Computer Science Department offers a Computer Security Certificate and Cyber Security is a growing area of interest for college grads, I was curious how many entry level jobs are currently available in the Cyber Security field, especially in the Philadelphia region.

I decided to check two sources, Indeed and Dice, using a general search on “Cyber Security” to capture most types of jobs related to the field.   I started with a search on Indeed, which returned 491 full-time jobs within 25 miles of Philadelphia, PA.   I was surprised there were so many.  Cyber is popular right now, but that seemed high.  If it wasn’t high, then local grads might be well positioned to capitalize on a favorable job market!  How many Cyber jobs in New York City, I wondered?  Indeed returned 1653 full-time jobs.  There are literally four times the number of Cyber jobs in New York City as in Philadelphia.  I then decided to check the region that should have the most Cyber jobs: Silicon Valley, of course.  I searched all of California and noted 3525 full-time jobs in Cyber Security.  I expected there to be more.  Finally, I was struck by the idea of checking Washington, DC for Cyber jobs and there it was, the Cyber jackpot: 9197 full-time jobs!  The Government sector is clearly the largest Cyber employer.

It was time to compare these results to Dice, which is known as a job site for the tech industry.    I searched Philadelphia for ‘Cyber Security’ and was surprised:  only 205 full-time jobs!  I searched New York and only found 824 jobs.  California returned 1310 jobs and the Cyber Holy Grail, Washington, DC, returned 1960 jobs.  To my surprise, there’s a very significant discrepancy, a factor of 4 or greater, between the two job ad sites.

I needed to figure out why.  Here’s where job sites get murky: they need to monetize their platforms.  Indeed monetizes by inserting ‘sponsored’ job ads inside your search results.  This simply means there are multiple duplicates of the same job ad on each page you view, which completely inflates the number of available jobs in your search results.  Dice monetizes its platform by charging per ad and with banner and sidebar ads.  Trying to interpret which site would have the most accurate data is subjective without more data.  I’ll assume for this post that Dice has more accurate job posting volumes simply because each ad costs a company $395 to post from an HR budget.  The negative of Dice is that searches are less granular; searching Cyber jobs in Philadelphia also serves job postings from New York.  Very perplexing algorithm, obviously intentional, so even Dice has inflated job posting numbers because of this.

As I looked closer, I also noticed a problem for aspiring Cyber graduates:  there’s a discrepancy in the volume of entry-level positions against the mid-level positions.  Translation:  most jobs are mid-level tier requiring experience.  This holds true across the entire industry.  I’ll use Indeed data because they differentiate entry-level, mid-level and senior-level jobs.  The ratio of entry-level jobs to available jobs is about 23%.  In New York and California, the ratio is 18%.  In Washington, DC, the ratio dips to 12%.  A generic conclusion is that there are fewer entry-level jobs in Cyber.

There’s also a geographical consideration with jobs in Cyber.  New York is clearly focused on Financial – Goldman Sachs has the most job offerings.   In California, Cyber jobs are very granular and niched at the largest tech companies.  In Washington, DC, almost all jobs are Government sector jobs.  In Philadelphia, Cyber isn’t financial; it’s Lockheed Martin and Comcast along with a diverse spread of postings from many regional companies in various business sectors.

Are there Cyber jobs available?  Absolutely.  Are there a lot of Cyber jobs available?  Yes, but your ability to land one is likely related to the amount of experience you have.


AutoSploit – Automated Hacking

AutoSploit recently made news as a potential cyber security threat.  The concern comes from AutoSploit being an automated front end to Metasploit, the exploitation framework found in Kali Linux, a popular open-source Linux distribution for penetration testing: it uses the Shodan search API to collect target hosts and then runs Metasploit modules against them.

I was curious to read people’s reactions to AutoSploit; I was wondering why automating features of a Kali Linux distro would be a problem.    I didn’t understand the threat of configuring and using 5 tools manually versus configuring the same 5 tools and hitting one button to start the process.

AutoSploit was authored by Real_Vectors, who announced the release on Twitter and made the code available on GitHub.  I read the comments and determined there are generally two camps of responses: one is ‘this is terrible!’ and the second is ‘nice tool’.

The naysayers raise arguments about empowering ‘script kiddies’ with automated hacking and how unethical it is.   Those who view it as a useful tool couldn’t wait to use it in their current workflows.

There’s nothing new here.  Automated scripts are nothing new in computer security; the necessary discussion is one of ethics and intended use.   Anyone can take a valid tool or service and use it for criminal purposes, be it a car, a gun, a pencil sharpener or a hairdryer.  Keeping products and services out of the hands of ill-intended individuals isn’t realistic, especially from an open-source perspective where we want people to have and use the tools others have made.    It’s what makes open source so powerful and useful.  Without open source, we wouldn’t have Kali or Parrot; we’d only have expensive proprietary products.

It’s up to the individual to either use pen tools ethically or to cross the line.  An automated process isn’t going to change a person’s character.

There will always be people seeking more efficient ways to perform a task.  If networks are protected against individual Metasploit attacks, then automating these attacks shouldn’t matter.


Sources:  “Threatwire”


The End of the Password Era is Another Step Closer.

This post was prompted by an article dated February 8, 2018 by Lee Mathews titled “Microsoft Ditches Passwords In New Version Of Windows 10”.

Passwords are a hassle for everyone: for the user and for the company that must securely maintain them in its databases.  No one cares if a single person loses their password due to poor security on their own PC or is scammed or phished into surrendering it; we think ‘shame on them’ for not keeping their machine up to date.  But if a company loses its password database for the same reasons, it is a company-value-crushing event.  At least until we hear about the next large data breach.

Passwords are such a nuisance to create and remember.  Different companies have different rules for generating ‘strong’ passwords.  It’s like a game: each time you satisfy their special-character, length, repetition and capitalization requirements your green progress bar grows fuller, and you feel like you’re winning the computer security game and creating a secure password at the same time.  You smugly think to yourself, “Take that, you hackers”.  Study computer security for longer than five minutes and you quickly learn it’s a false sense of security.  Trying to remember them isn’t a trivial task either, especially if you need to remember numerous passwords created using different generation rules for each site you log into.  I actually wouldn’t be able to remember a single computer-generated password of 16 characters; can you remember ‘wzdHgV5D}X!Eme.9’?  (Thank you, but I’ll pass)

You’re not supposed to write passwords down.  Not even at home, where they should be safest.  I use a secure app to store mine, but if I lose my phone, I’ll spend half a day resetting all my passwords after buying a new, expensive phone.  Of course, trying to use the silly validation questions because I need to reset the password for a specific site is arguably a futile practice: I can remember a pet’s name, but which one did I use?  What was my favorite vacation destination?  Chain a few of these useless queries together and I start to laugh.  So 90’s…


Passwords need to become a thing of the past.

Saying goodbye to passwords would be fantastic, though I don’t expect it to happen anytime soon.  What the article describes is simplifying the login process on a single account or computer.  We’re still some distance from using a coordinated cloud with a single Authentication-as-a-Service (AaaS) provider to access all of your apps in one place.  Big companies are starting to do it, Amazon AWS and now Microsoft, but only for their own accounts.  It’s exciting to watch; it’s my opinion that authentication will eventually be a single-point process in the cloud that fronts all my apps and services.

To illustrate: to log into my AWS console I simply enter an email address and use Google’s Authenticator app, which generates numeric codes linked to my specific AWS account.  I have 25 seconds to enter the correct code before it generates a new 6-digit code.   I appreciate the simplicity.   If Amazon (or Microsoft) were to become the single repository of all the apps I use and offer a single login, I would declare such a service to be “brilliant!”.

According to Lee Mathews, who penned the article that got my attention, “In the new version, you simply tap a notification on your phone to authorize your account.

That app is the Microsoft Authenticator, and it, too, has been in app stores for quite a while. While you can use it to sign yourself in to a number of Microsoft’s services, you couldn’t use it to authenticate yourself on a Windows computer.

That’s changed with the arrival of Windows 10 Build 17093, which Windows Insiders are testing now. Install Microsoft Authenticator on your phone and sign in with your Microsoft account. Sign in with the same account on your computer. When Microsoft sees that you’re trying to sign in, it will send an alert to your phone and ask you to approve the request.”

Of course, there are also biometric ways to log into accounts, which financial services seem to prefer right now.   I appreciate those too.  The key takeaway is that it’s nice to take a step in the right direction, but the reality is I’m still faced with the same basic problem: redundant layers of authentication for each computer, app or service I use.   There will be a better way in the future, after large companies finally realize that a coordinated single platform for authentication will be more secure and convenient for everyone.


My WordPress Security Process and AWS Lambda

WordPress is a popular content management system (CMS) that lets people quickly launch a web property without building one from scratch in HTML and CSS.  I chose WordPress as the CMS for my CSC301 Computer Security blog.

My experience with WordPress has been positive.  WordPress has a shallow learning curve and the platform is customizable with countless themes and plugins available.  In short order, you can get your web property looking the way you want.  But there is a downside to any CMS: security is an issue.

Because the WordPress user base and community are so large, the primary vulnerability is the ecosystem itself: there are tens of thousands of themes and plugins, written by thousands of developers, that let you customize your site with whatever functionality you desire; there’s a plugin for it.  Herein lies the problem.  Thousands of developers of all skill levels are writing great plugins as well as complete garbage, and a vulnerable plugin runs with the same privileges as WordPress itself.  In fairness, most of the popular plugins have gone through many iterations and are reputable.  New and untested plugins are a cause for alarm.

I decided to look into WordPress security further.  How does someone secure their WordPress site?   Searching ‘WordPress Security scan’ is an immediate quagmire of monthly services offering everything from malware scans and DDoS protection to personalized pen testing.  It’s a rabbit hole.  Searching ‘WordPress security plugins’ is also a rabbit hole; many offer a free basic service but charge premiums for more encompassing services.    You can take a hands-off approach and have a third party manage the hosting of your site at $29.99 a month.   These hosts all say the same thing, if they say anything at all about security: we scan for malware and SQL injection and have backend rules to ban offending IP addresses.  Those companies rely on whatever service they subscribe to that protects their own network.  Like I said, WordPress is a large platform with many people angling for financial success.

I decided that perhaps I should read the WordPress docs about security to learn more about the security of the platform, the security of the WordPress API, or security best practices for a developer.  Guess what I found?  I was surprised to find nothing about security in the docs.  I suspect there’s an internal process for managing security for the platform itself at the organizational level, but at the developer level, there is none.   It’s the developer’s responsibility to write a secure theme or plugin and the community’s responsibility to report bugs.  I’m still disappointed at the lack of security discussion in the WordPress docs.  A constructive suggestion would be for them to create a security tab and link some resources or create a simple best practices doc.

What’s my security solution for WordPress (because I do appreciate it as a platform)?  I’m using Amazon’s AWS Lambda.  What is Lambda?  It is Amazon’s serverless compute service: you supply the code and AWS provisions, patches and scales the environment that runs it, so there is no operating system of your own to harden.  I simply click the application I’d like to launch and I’m done.   AWS offers a WordPress application for Lambda that I was curious to try, since leveraging the AWS backend seems to make sense, especially if I don’t have to configure a thing.   When I read the docs about security at AWS, I was presented with multiple resources and services.  There’s enough to be confused about, especially if you’re not familiar with their ever-evolving services.

I launched my blog in less than 30 minutes.  It would have been faster, but I had to wait about 10 minutes for my domain name to propagate through Route 53, AWS’s DNS service, and I had to skim a couple of articles about AWS Lambda applications and the FAQ.

My WordPress security strategy is to host my blog for $5 a month at AWS with a serverless instance.  The other part of my strategy is to use the most popular, simple and vanilla theme with as few plugins as possible, to limit my exposure to vulnerabilities.  It’s not difficult to keep a simple theme and one or two plugins up to date without breakage.
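To turn ‘few plugins, kept up to date’ into something checkable on the install itself, the Python below is an added example (not WordPress’s or AWS’s tooling) that audits a `wp-config.php` for the settings a minimal, hardened install should pin: real salts instead of the sample placeholder, the in-dashboard file editor and installs disabled, debug output off, admin over HTTPS, and a non-default table prefix.  The configuration text is constructed for the example; the constant names are the real WordPress ones, and the choice of which constants to require is my own.

```python
"""Audit a WordPress wp-config.php for weak settings. Added example; the
config text below is constructed, not the blog's real configuration."""
import re

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # shipped in wp-config-sample.php
# Constants worth pinning, with the value a hardened install should use.
EXPECTED = {"DISALLOW_FILE_EDIT": "true",    # no plugin/theme editor in wp-admin
            "DISALLOW_FILE_MODS": "true",    # no installs/updates from the dashboard
            "FORCE_SSL_ADMIN": "true",       # admin only over HTTPS
            "WP_DEBUG": "false"}             # no stack traces shown to visitors

# Constructed wp-config.php with typical mistakes left in.
SAMPLE_CONFIG = """\
<?php
define( 'DB_NAME', 'blog' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', '' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' );
define( 'LOGGED_IN_KEY',    'short' );
define( 'WP_DEBUG', true );
define( 'DISALLOW_FILE_EDIT', false );
$table_prefix = 'wp_';
"""


def parse_defines(src: str) -> dict:
    """Map each define()'d constant to its raw value with quotes stripped."""
    return {name: val.strip().strip("'\"") for name, val in DEFINE_RE.findall(src)}


def audit_wp_config(src: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    defines = parse_defines(src)
    findings = []
    if not defines.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    for key in SALT_KEYS:
        val = defines.get(key, "")
        if PLACEHOLDER in val:
            findings.append(f"{key} still has the sample placeholder")
        elif len(val) < 32:
            findings.append(f"{key} missing or shorter than 32 chars")
    for key, want in EXPECTED.items():
        have = defines.get(key)
        if have is None:
            findings.append(f"{key} not set (want {want})")
        elif have.lower() != want:
            findings.append(f"{key} is {have}, want {want}")
    m = PREFIX_RE.search(src)
    if m is None or m.group(1) == "wp_":
        findings.append("default table prefix wp_ (well known to automated attacks)")
    return findings


if __name__ == "__main__":
    for line in audit_wp_config(SAMPLE_CONFIG):
        print("-", line)
```

Run it against the real file with `audit_wp_config(open("wp-config.php").read())`; the salt check only tests length and the placeholder, so regenerate the keys from the WordPress secret-key service rather than hand-typing them.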

The rest of my strategy involves integrating and testing additional AWS security offerings and discussing my thoughts on this blog as an interesting security project and learning experience.

In my next article:  A deeper discussion of AWS Lambda and my WordPress security adventure.


Chronicle: Alphabet’s Cyber Security Company

According to USA Today, Chronicle, a Cyber Security offering, was incubated and just spun out of Alphabet’s experimental lab X, known as the “Moonshot Factory” for its pursuit of big challenges such as driverless cars.

The global cyber security market is worth nearly $100 billion according to Gartner.  That number continues to climb as cyber security continues to move up the funding ladder at many companies.  There is an ever-growing list of companies offering cyber security services, ranging from simple PC monitoring to comprehensive network log analysis and audit.  Chronicle is the first from a company as deeply rooted in artificial intelligence as Alphabet.

My initial reaction to the announcement was curiosity, and to wonder if Chronicle is a Machine Learning (ML) solution that integrates with their open-sourced TensorFlow platform.  The USA Today article was vague.   Being one of Alphabet’s primary strengths, ML makes sense as the next logical iteration in Cyber Security: an algorithmic learning component tailored to a company’s or sector’s unique attack/threat vectors.  For example, it would make sense that Chronicle would offer an ML service that identifies and defends against attacks on the financial sector; whoever is attacking Vanguard is likely attacking Fidelity and Schwab.  In other words, Chronicle may be able to quickly specialize in any business sector.

Digging further, it was clear the USA Today article missed how Alphabet plans to incorporate ML into their Chronicle offering:  According to Reuters, “Chronicle is betting on the premise that machine learning software, a type of artificial intelligence, can sift and analyze massive stores of data to detect cyber threats more quickly and precisely than is possible with traditional methods”.

Initial speculation has the service focused on log analysis across large networks.  Since there’s already many companies offering logs analysis, there should be more than one facet to their service; unless the speed at which they identify attacks is superior to competitors.

I wonder if Chronicle is supposed to be an enterprise-sized offering, or whether the roadmap heads toward a cloud offering even at the PC level?  Time will tell.

Interestingly, Alphabet enters the Cyber Security market laterally instead of from the ground up, meaning their solution is unproven.  I don’t believe it hurts their business case, since they are leveraging well-established resources, which in this case is superior ML.  Google is an ML Goliath; if they have a bona fide solution, they could easily leverage their brand into businesses worldwide with a Cyber Security solution that should cost markedly less than existing offerings because the backend is already in place and profitable.  Look out Check Point, Symantec and Palo Alto, you need to take notice: Alphabet is eyeing your lunch!

If Chronicle has early success, Microsoft and Amazon will take notice quickly and rush to leverage their AI platforms into Cyber Security offerings.  If you’d like to peruse a clever article on the subject, read Steve Morgan’s article about who will be the players in Cyber Security in 2018.  It’s short, succinct and clever.

The premise of using ML quickly and at scale in Cyber Security makes perfect sense, especially since TensorFlow is currently the de facto ML platform, likely because it has been open-sourced for several years.  A clear advantage.  I think Chronicle will initially be successful, but will themselves get their lunch eaten by Amazon.  I’m not sure if Amazon’s ML offering would be on par with Alphabet’s at first, but I am very certain that Amazon’s AWS services can provision a Cyber Security service anywhere in the world within minutes.  They will certainly change the way Cyber Security services are delivered.   That’s the real story, which has been missed.