Why do I do what I do ?

I ask myself this several times a month … why am I doing this ?

Yet again, another compromised site, more unpatched software – I could scream ! Well … I could … but I don’t. Each person has their own incident – to them it is a personal disaster and so I respect that.

April 2013 and I was sat in bed, the missus asleep and kids climbing all over me. I picked up my tablet and logged in to Twitter. It’s about 8am and there it was .. another leak of a database. I still don’t know why I felt compelled to act but I did. It was medical data. Maybe it was the first record being a young child and I empathised ? I don’t know … but I did respond.

I found the website of the source and it was a small charity. How cruel I thought. A small charity doing its best and someone compromised them and leaked their data – no ethics amongst thieves.

I called the charity – and yeah, I didn’t really know what I was going to say so I thought go with the facts. The lady I spoke to was upset, but I knew I could help. Sunday disappeared in a blur – calls, emails, web forms – within a very short space of time, the leaked data was removed from the net and a Police report filed.

Why ?

Why would I give up my Sunday – one of the few days I get with my kids to help some tiny charity who had been attacked ? The answer is quite simple. This is what I do. I help people when they have been attacked, I dig and I find and I sort out the mess.

And in this case, they were saved from ICO fines, the data was protected as best as possible and the charity continued.

Around Christmas I saw a post on their Twitter account that a new website was launched and there was also good news with regards to treatments in their specific area. It really did give me such a great feeling to know that a few days of my and my colleagues' time resulted in them continuing. It felt great and I sent them a quick note to wish them well.

Today is Saturday and I have just checked my email to receive some of the best news ever. I have quoted it in full below.

Why a sledgehammer can’t smash our butterfly
A personal letter to members from CEO, Liz Glenister

On a Sunday morning in early April last year, the phone rang. I didn’t recognise the number so I let the answer phone pick up. ‘Hello, my name’s Stuart Coulson and I’m calling from a company called Secarma….’ which he proceeded to spell out. ‘Great, a cold caller on a Sunday morning!’ I thought and was heading downstairs when I heard the words ‘…..and your Twitter account has been hacked.’ Was this for real? I hesitated. ‘I’m an Information Security Professional and your patient database has been leaked.’ My blood ran cold. ‘Look up LulzsecWiki on Twitter; I’m afraid you’ve got a pretty big issue going on here.’ I picked up the phone and was launched into a nightmare that lasted 4 months.

Hacked off

Lulzsec are a notorious hacking group, an offshoot of the Anonymous collective, who hack for the ‘lulz’ or laughs but it was about as far from funny as you can get for us. The group had closed down the CIA server that very same morning – which did at least make us feel that maybe we couldn’t have been any more careful. They hacked into our patient database (apparently under the impression that it was a UK hospital database as part of an ongoing April Fool raid on the NHS), dumped the information (user names, passwords, medical details etc) in a site called Pastebin and then posted the link on their Twitter account, announcing the deed to the world with the word ‘Enjoy’. I was completely shocked and devastated. As was Ivor, our webmaster, and the executive committee. We have always taken the security of our members very seriously indeed and were extremely worried. We barely slept for the next week as we took every step possible to track down and remove data, inform and protect our members.

Wonderful webmaster

We were supported at this point by our wonderful webmaster, Ivor Humphreys. Ivor has given years of his time to us voluntarily and had to shoulder this burden while driving miles back and forth to care for his mother who was severely ill. He was a complete and utter star. It was an extremely stressful and difficult time involving a huge amount of work but Ivor left no stone unturned and saw us safely through to recovery. We will always be grateful for his loyalty, his dogged persistence and especially his uplifting humour.

Superheroes to the rescue

We discovered that there was an entire community out there that we had not known existed and to whom we owe everything: the information security professionals. They are truly the superheroes of today, looking out for us and guarding against hackers. They had already taken steps themselves and we worked with them over the months, being guided through a quagmire of legalities and technicalities and out the other side. We had a massive amount of support from professionals who appeared out of the blue like this to offer help and advice. I would like to take this opportunity to publicly thank everyone who helped us and gave so freely of their expertise and time, particularly Stuart Coulson of SECARMA, online security specialists http://www.secarma.co.uk/about.html and James Cleeter of the Computer Security and Incidence Response team for JANET, the UK’s network for education & research communities https://www.ja.net/about-janet/about-us. I had an email from Stuart at Christmas whose personal delight in seeing us get back up and carry on I found very touching. Without him we probably wouldn’t be here. There are a lot of good guys out there too!

All these agencies were horrified that a small patient support charity had been so unusually targeted in this way and many articles appeared in both IT and healthcare press about the incident. You can read a typical summary here in PHIprivacy.net which reports and investigates health and medical related privacy breaches http://www.phiprivacy.net/uk-support-organization-hacked-data-leaked/. Thank you to author ‘Dissent’ who moved fast to highlight our plight.

New forum

So then began the arduous task of choosing, and setting up a new forum. For this I would like to thank Ivor Humphreys, for the initial phase, and Mandy Mainland, forum administrator, and Su Clifton and Lisa Burke, forum moderators who worked long and hard to see it through to going live as swiftly as possible. They did a really fantastic job. We chose to look on this enforced shut down as an opportunity for positive change and we think the new forum is greatly improved! We hope you like it. Although each of you has received an email about it, not everyone who had registered on the old forum has yet re-registered on the new one so if you would like to show your support for all our work we’d be really pleased if you would go and sign up now. www.hypopara.org.uk/board.

Further to this is also this poem (I’ve never had a poem about me before!).

Hacked Off
Su Clifton

We came across some hackers
I won’t reveal their name
Hacking on the internet
What a pointless claim to fame

They saw our little website
And thought ‘oh how divine
Let’s rummage through their details
Then we’ll post them all online’

Secarma was our saviour
To guide us through this mess
Like knights in shining armour
To our damsels in distress

Stuart Coulson helped us out
Thank you most sincerely
Now no fine from ICO
That would have cost us dearly

Beefed up our security
Got a brand new forum
Usernames and passwords safe
All moderators awesome

So if you are a hacker
Please leave our site alone
We ask you most politely
As to us it feels like home.

So why do I do what I do ?

The arrival of this news today in my inbox helped me to finally write this blog. It is something I have tried to do several times before, but it is a difficult topic. Who you are.

So … why do I do what I do ?

Well the answers are many; for the love of it, because I care. But the most important one surely is because I can and so I do. I will always have a hand in security – my kids have amazing passwords, my 10yr old can pick locks. I’m building a secure future there. Spreading the message, even to one person, helps to make the world safer. Even if it is one person at a time.

I’m hoping my blog hits home with some of the security community and maybe spurs you to see what you can do to help small charities around you. Free vulnerability scan ? Quick 2 day pen test ? Protect a small charity that is fighting to get its voice heard ? Pro-active protection to shield the little man from the cruel criminal community.


I wish the Hypopara supporters and team all the best wishes for the future. The new site looks great and with the leaps in the Natpara treatment, it looks like the charity has a bright future. You really are an amazing team and your incident response was second to none. You really did a great job. Genuinely humbled by you all. Thank you.

Security Valentines

So for Valentines, I decided to create a Hashtag #SecurityValentine partly for some fun but also to get some ideas together for simple security messages.

Roses are red,
Violets are blue,
I’m sat here,
Waiting to help you.

Roses are red
Violets are blue
All my base
Are belong to you

Snort is good
Kali is better
Get that signature
On the authorising letter

I hacked in
Found the data
I’m zipping it up
To exfiltrate later

Talk to me

I’m a Social Engineer
I won’t use your password
There’s nothing to fear (honest!)

I really regret
The hacker I dated
Get me a WAF
I’ve been penetrated. (Source David Powell)

I’m a virus
I’m here to destroy
There’s also a backdoor
That was my ploy

Give me your money
Ransomware is here
I’ll give you your data
After I’ve had this beer

Roses are red
Your password was weak
You’re now in a Pastebin
For hackers to seek. (Source @DeathsPirate)

Some malware is bad
But Cryptolocker is clever
I know your tactics
Click that Link – NEVER !

Roses are #C91D1D
Violets are #6411D5
…or would you prefer those in RGB?

Security gets me down
My Password is my DoB
What do you mean I’ve been hacked
Thought my AV was there to protect me

Valentines Day
Girls love me
I clicked this girls profile
Worst infection I coulda got me !

The roses have wilted
The violets have died
I didn’t do patch management
I’ve just been fired.

Website is down
Log files are blank
Fixing this stuff
Is not going to be fun at all is it ?

Compliance is dull
And sometimes is effective
It’s trying to implement it
To the great collective

Scada attack
Wow that sounds quite a fright
I’ll be OK
Hey, who turned out the light ?

Burp is the best,
Zap is nice too,
But stay inside scope,
Or you’ll end up in poo. (Source @PMason00)

I’m a script kiddie
I’m a DDoS king
Does that make me a Leet Hacker?
Or an annoying little thing ?

Roses are red
Pineapple’s yellow
Auto connecting …
Beware of the peril! (Source @DeathsPirate)

“I know who is
Who’s behind the @th3j35ter”
Yet another troll out there
Reputation to be messed up !

Roses are red
This hat is white
Network Security’s
an ongoing fight! (Source @DeathsPirate)

Lock picking is fun
Use an electric gun
But using a bump key
Is just as fun

Roses are red
Defcon badges are blue
Who’ll pay for a ticket
For Defcon #22 ?

I have a risk register
It did us some harm
I’ve never updated it
No need for alarm!
(is there?)

Log files are read
Language is blue
Firewalls opened up
Who was it .. was it you ?

Buried in the basement
Where no-one can see
Sysadmins everywhere
Are protecting you and me

Ethical hacking
Pen Testing too
Whatever you call it
Finding holes for you

Love em or hate em
Whistleblowers are here
It’s the data they still have
The govts/companies fear

Roses are red
Violets are blue
My security is weak
The hackers got through !

It’s time to talk

Talk … it’s a simple thing. Sometimes we get criticised for talking too much, sometimes to the wrong person and often for not saying enough.

And yet the phrase is “talk is cheap.” I disagree, talking can be expensive!

Talking is a unique skill, animals can communicate but the breadth of language we have achieved across the earth is staggering; common languages, country specific languages, local languages, dialects, sign languages, the list seems endless.

But all this time there is something unique about talking. Because we use our face, we therefore use expression and so talking is a more genuine method of communication. Is this why it is easier to write an email to let someone know bad news than speak to them face to face?
Today we have a special chance though to talk.

Today, 6th February is #TimetoTalk day.

Time to Talk
#TimeToTalk

I talk to my partner all the time. She hears my woes and successes and I know I am in a special situation in the fact she is a good listener. For that I am eternally grateful.

However, in our communities whether it is information security, web design, marketing or wherever you work, do we talk? I think no. We say a lot without actually talking. Today is a day when we need to focus on talking.

So let me talk, and I want you to listen and think about who you are going to talk to and about what. Some of the issues I talk about below have never been talked about openly for many years.

Yes, mental health is an issue. It creeps in to our lives without actually ever making itself evident. Depression is a classic; tiny things can start it off and it grows over time – over time it becomes like an all-consuming virus until it affects all areas of our lives.

I know I suffer with mental health issues. Yep, more than one. Some of my closest friends probably don’t even know it … but they are there. Today is my Time to Talk and help others take some courage to talk too.

Digiholic.

I am a digiholic. You only have to be around me for a short space of time before you see the manifestation of what this looks like. I am fascinated by technology, I have been since owning a BBC Micro. I played Elite properly by working out the algorithm behind the game and how to rise through the ranks of the game (*Spoiler – it was based on 255). I drew maps of text adventures until I had whole worlds drawn out on music rule wide carriage paper. When I got my first PC, I took it apart. Every jumper off the motherboard, every screw … later in life this actually helped me pass my university course as I fixed PCs in payment for help with coursework.

But then I hit an interesting patch. My early jobs as helpdesk for an EDI Messaging company led me to research the land of e-commerce pre-2000 when to be cool meant putting an ‘e’ at the front rather than an ‘i’ or ‘cyber’. I used to spend over 18 hours a day at the keyboard reading, watching, learning. And there … right there, the obsession was born.

In the information security landscape, we see this described as autistic, ADHD trait, on the spectrum. This compulsion to find stuff out – curiosity on steroids. There in a bedsit I stared at a screen one Sunday morning and realised it had been over 50 hours with no sleep and I was staring at a screen trying to learn everything about e-commerce products and competitors. I locked the computer and walked out of the door. I walked. I walked for about 10 miles, I walked in silence. I ran away if you like until I found myself in a deer park and it was late, really quite late. I hadn’t eaten for 2 days and I was sat on a park bench. I took my time inside my head to have the conversations, to talk, and put in place my personal protection plan. I realised there and then how close I had become to just disappearing into a world that would have been difficult to come out of.

I knew I had to protect myself and my Personal Protection Plan is still in place today. I won’t go more than 24 hours behind a keyboard. I will always break it. I own the computer not the other way round. Recently my family went camping to an area with poor phone signal and for 2 weeks I spent a total of 2 hours on the internet. It was heaven but I also felt that twinge – like an addiction.

We need to un-jack ourselves. Power down. Step away from the keyboard. In the 80s the UK kids TV program had it right…

Why don’t you just switch off your television set and go and do something less boring instead?

I am still obsessed and still have this compulsion, but concentrating it into shorter bursts means I am more effective, which gives me greater pleasure than being always connected.

Depression.

Or should I more accurately put it – the lack of depression. It is normal to have depression, it is a chemical reaction, but I don’t get the same reaction. I recently was told by a senior member of staff that he had been concerned about me, was I depressed, having a breakdown – I found the comment very amusing as I knew what he was trying to get to, but he also was being quite offensive and unfortunately did not understand what was actually going on. Let me explain.

As a child I was bullied. I was bullied for many reasons, I was short, fat, intelligent, socially awkward and I had an accent which didn’t fit with the school. To protect myself, I lost my accent – try doing that when you are 5 years old! I took control of my emotions – yes, I could be beaten up, kicked to the ground and yet I would not cry, I would not show emotion. I had mastered my emotions. This was so useful as a child in that I could not break in front of my attacker. However, the danger was there was no place I could let it out. And so one day I held my attacker by the throat against my classroom wall holding him about 18 inches off the ground and screamed in his face “Don’t ever touch me again.” I came to my senses very quickly and realised he was struggling and I let him go and walked out the classroom. I hid and cried. I cried for about 10 minutes before sorting myself out. Then when I came back to the classroom, the silence was deafening. My bully eventually became a great friend and he later apologised for the years I had been bullied.

As I have now spent over 30 years with my emotions in control, manipulative and pressure tactics used by managers have rarely worked. This control means that I can put myself into difficult situations and control my emotions enough to control the output. It also means that I have an interesting life – I don’t do stress, I don’t do depression. These negative emotions and habits are just not needed, so I find emotional workarounds. If I am feeling lower, I use music to raise my mood. I make sure that tough deadlines become realistic ones.

But … and this is a big but … I have to find my releases. I have to find a way to allow natural emotions come out. I have many ways to do this – and each of them is done in a controlled manner.

How do you control your emotions ? I have absolutely no idea if I am totally honest. I wish I could. Part of it is definitely having an understanding about what you want as an outcome to a situation and understanding how you need to behave to get it to happen. But depression is a no-no. It only serves to undermine your view, your psyche, your emotional stability. I therefore don’t let things get me down. No matter how hard things get, I am not at the bottom of the tree. I believe some of this is also my own personal integrity. Knowing myself means that I also know what I am sacrificing if I needed to and what I won’t compromise on.

So there we go, maybe next year I will share some of my other mental health areas. If you want to talk to me about your mental health and how healthy you think you are or not, then please feel free. I will listen.

The world is too small to not get on with each other.

You’re a long time dead, so enjoy the living.

In the infosec world, we have lost too many great people to mental health problems, depression, anxiety, autism, ADHD. Today is a time to talk.

Many thanks to my old friend Mariel for bringing this to my attention.

Stu

Things that each of us should do

This is for all of us … yes … I know you’re a leet hacker ‘n all, but c’mon, we all have to do this stuff.

So let’s start… right now


  1. Password re-use. Yep, don’t be that idiot ! Make each password different.
  2. Change your passwords every 90 days. That’s 4 times a year … Oh and while you’re at it … change your PIN numbers too. When did you last change your debit card PIN number ?
  3. Someone else’s Wi-Fi. If you didn’t set it up then don’t connect. There is nothing so critical in the world that means you have to connect insecurely.
  4. Get a shredder. A good one. Spend your money and get something that you know will keep you safe.
  5. Use the shredder. You bought it so use it ! Then spread the paper about. If you have a pet you now have bedding / litter !
  6. Sharing is bad. Don’t share. If they take your USB pen drive away, could they recover anything ? Your WiFi is yours … don’t share.
  7. Challenge if you’re not sure. If your CEO isn’t wearing an ID badge … be nice but challenge people who might be using social engineering techniques.
  8. Windows Key + L or the Linux variant. Just remember the old days of meatspin. LOCK IT.
  9. Work is work. Don’t mix your work email / social media with your home life. Keep your digital identities separate.
  10. Have ID at all times. Appropriate, current and relevant. Be ready to challenge people who aren’t ready.
  11. Help your friends. They can be just as easy a route back to you, so help them be secure.
  12. Offer a free training course for colleagues on securing themselves. Start the wheels in motion.
  13. There is never a 13.
  14. Hack yourself. Yes, that’s right. I recommend looking yourself up to see how much data you are leaking. Then pen test yourself. Is your home secure ?
  15. Alarm and alert. Not just house alarm, house locks, car alarm, immobiliser, alerts for you online – use Google alerts for encrypted versions of your passwords, usernames, addresses.
  16. Have a business continuity plan for yourself. What would you do if …. ?
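Items 1, 14 and 15 above are the ones a script can actually help with: spotting a password you have reused across accounts, and turning your passwords into the hashed "encrypted versions" you would watch for in a dump. The Python below is an added example written for this post, not the author's own tooling; the credential inventory, the account labels and the dump lines are constructed for the illustration (the one real value is the SHA-1 of the word "password"), and the only assumption is that a leaked table has the common `user:hash` shape.

```python
import hashlib
from collections import defaultdict

# Constructed example inventory: account label -> password. The values are
# invented for this illustration; a real inventory belongs in a password manager.
CREDENTIALS = {
    "email": "password",
    "forum": "Summer2013!",
    "bank": "Summer2013!",   # reused from "forum": exactly what item 1 warns against
    "shop": "correct horse battery staple",
}

# Constructed dump in the "user:sha1hex" shape many leaked credential tables take.
# The first digest is SHA-1("password"); the second is a placeholder that matches nothing.
LEAKED_DUMP = """\
# constructed sample, not a real leak
someone@example.org:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
other@example.org:0000000000000000000000000000000000000000
"""


def digest(password, algo="sha1"):
    """Hex digest of a password: the 'encrypted version' you would monitor for."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def find_reuse(credentials):
    """Return groups of account labels that share a password (item 1).
    Accounts are grouped by digest so plaintexts never appear in the output."""
    groups = defaultdict(list)
    for label, pw in credentials.items():
        groups[digest(pw, "sha256")].append(label)
    return sorted(sorted(labels) for labels in groups.values() if len(labels) > 1)


def monitoring_terms(credentials, algos=("md5", "sha1")):
    """Digests worth setting alerts on (item 15). Returns sorted unique hex strings,
    so the alert itself never contains a plaintext password."""
    return sorted({digest(pw, a) for pw in credentials.values() for a in algos})


def parse_dump(text):
    """Extract hash values from 'user:hash' lines, skipping comments and blanks."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        hashes.add(line.rsplit(":", 1)[1].strip().lower())
    return hashes


def accounts_in_dump(credentials, dump_text, algo="sha1"):
    """Labels of accounts whose password digest appears in a dump (item 14: hack yourself)."""
    seen = parse_dump(dump_text)
    return sorted(label for label, pw in credentials.items() if digest(pw, algo) in seen)


if __name__ == "__main__":
    print("reused across:", find_reuse(CREDENTIALS))        # [['bank', 'forum']]
    print("exposed in dump:", accounts_in_dump(CREDENTIALS, LEAKED_DUMP))  # ['email']
    print("terms to alert on:", monitoring_terms(CREDENTIALS))
```

Two design points: reuse is detected on digests rather than plaintext so the report can be shared or logged without leaking the passwords themselves, and `monitoring_terms` deliberately emits unsalted MD5 and SHA-1 because those are the forms that turn up in pasted dumps, which is what an alert would need to match. Treat a hit from `accounts_in_dump` as "change this password now", not as proof the dump is genuine.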


Well there you go … let me know in the comments below if you have any others you think should go on the list and we can develop it over time.


Keep Safe !

#FF 03 January 2014

It’s a bit later than usual but with a death in the family, I couldn’t commit as usual. Thank you everyone for your support.

I would normally do my #FF list as a deck of cards but as there are a whole host of people to thank, this is just a big list !

(Note : It’s alphabetical and not in some special order !!)

@__Freakyclown__
@AaronMoorcroft
@B1gGaGa
@bhconsulting
@BigLesp
@BillBrenner70
@BrianHonan
@Cephurs
@cisecurity
@ColetteWeston
@CyberSolicitor
@DanchoDanchev
@digininja
@drjessicabarker
@FrankMorris
@hackerfantastic
@KevinMitnick
@KPoulsen
@krypt3ia
@lothie
@Mikko
@Moxie
@NakedScientists
@NeiraJones
@nuWARP
@PMason00
@Prohest
@rjacksix
@security_faqs
@SecurityAffairs
@SecurityNinja
@serachewhi
@Spacerog
@TeamCymru
@tekwizz123
@TripwireInc
@TroyHunt
@Wh1t3Rabbit
@wmpllc
@WTF

Thanks everyone – if you have any suggestions then drop me a note !

#FF 08 November 2013

It’s that time of the month where I give you my #FFs as a deck of cards.

I got the inspiration for this from Mafia Cards. One of these days when I get round to this I’ll actually do the cards too but until then … enjoy my list !

Thanks to everyone who has Fav, RT, MT or #FF’d this month, it has been a really interesting month to be fair. Thank you everyone.

I also want to give a special shout to @Wh1t3Rabbit on the birth of his twins. Congratulations Raf and good luck !
Welcome to the world you two – look after your mum and dad !!

Aces = These are people who have been outstanding and need special recognition.

#FF Aces :

@Tech_Geek_Girl @TeamCymru @BrianHonan @Prohest

– thanks for your support and fun this month!

Hearts = Big Love, people I want to specifically mention for being awesome !
#FF Hearts : 

@Tech_Geek_Girl @ColetteWeston @Dick_Turpin

@TripwireInc @DPWallace @Futurian

@MethodDan @MrKoot

Diamonds = Top People and inspirations. Thanks.
#FF Diamonds : 

@Wh1t3Rabbit @__Freakyclown__ @TeamCymru

@BillBrenner70 @NeiraJones @nuWARP

@Mikko

Clubs = Hack Work: interesting crew to watch and learn from (and by hack I don’t necessarily mean criminal)
#FF Clubs : 

@DigiNinja @Prohest @Essobi @HackerFantastic

@Cephurs @Les_Diaboliques @Steel_Con

Spade = Great Research. Some great researchers – keep the content coming !

#FF Spades : 

@Lothie @BrianHonan @DanchoDanchev

@SecurityAffairs @bhconsulting @drjessicabarker

@Viss

Is there a Joker?

#FF Joker :  

No Joker this month. I wanted to do something about the Million Mask March … but equally I don’t want to get my blog attacked !!

Thanks everyone – if you have any suggestions then drop me a note !

#FF 04 October 2013

It’s that time of the month where I give you my #FFs as a deck of cards :

It’s been a great month since the last #FF list and I want to thank everyone who has favourited, re-tweeted and engaged in conversation with me. Thank you everyone.

Aces = These are people who have been outstanding and need special recognition.

#FF Aces :

@ColetteWeston @3poundbrain @hackerfantastic @SecurityAffairs

– thanks for your support and fun this month!

Hearts = Big Love, people I want to specifically mention for being awesome !
#FF Hearts :

@nuWARP @BigLesp @WTF @TripwireInc

@BillBrenner70 @ColetteWeston @drjessicabarker

@hackerfantastic @tekwizz123 @AaronMoorcroft

Diamonds = Top People and inspirations. Thanks.
#FF Diamonds :

@Wh1t3Rabbit @NeiraJones @Mikko

@FrankMorris @BrianHonan @TeamCymru

@KevinMitnick @Spacerog @KPoulsen @Moxie

Clubs = Hack Work: interesting crew to watch and learn from (and by hack I don’t necessarily mean criminal)
#FF Clubs :

@Prohest @B1gGaGa @3poundbrain @SecurityNinja

@NakedScientists @hackerfantastic @rjacksix @Cephurs

@krypt3ia  @__Freakyclown__ @PMason00 @TroyHunt

Spade = Great Research. Some great researchers – keep the content coming !
#FF Spades :

@DanchoDanchev @lothie  @digininja

@serachewhi  @CyberSolicitor @SecurityAffairs

@bhconsulting @security_faqs @cisecurity @wmpllc

Is there a Joker?

#FF Joker :

I’ll claim this spot this month for my wonderful gaffe :

@BillBrenner70
Silk Road, Tor and the Threat of DDoS – The Akamai Blog: https://blogs.akamai.com/2013/10/silk-road-tor-and-the-threat-of-ddos.html …

@SPCoulson
@BillBrenner70 to be fair, there aren’t any websites up at the moment apart from http://notice.usa.gov  ! Not much to DDoS !

@BillBrenner70
@SPCoulson True. But we’ll see what the coming days bring. I’ll be pleased if proven wrong.

@SPCoulson
@BillBrenner70 It is definitely one of those moments when you crack open the popcorn and sit back and watch !

@BillBrenner70
@SPCoulson Given the subject matter, your use of the word “crack” amuses me. 🙂

Yep – thanks to @SecurityNinja for pointing out my OPSEC mistake !

“I shall either feed the troll or fear the community”
Thanks everyone – if you have any suggestions then drop me a note !