I've been thinking a lot about security and how to better protect organizations and assets. And this applies to both financial institution security and policing as we both are responsible for securing people and property.
So many times we remain unaware of an adversaries technique or tactics until it is applied to our organization. A new ATM exploit, method of depositing fake checks, or laundering gift cards. "We didn't know about it".. is only a valid excuse if you are Victim-0. You should be actively seeking out new threats, new tactics, and new procedures and then altering your security posture to protect your organization or streamline your criminal investigations.
Traditionally, in security and in policing, we are reactive. We stand the post. We wait for something to happen. We wait for the bad guy to make himself known. Then we react. The traditional sheepdog guarding the flock. But what if we went out and watched the wolves? We studied them. Learned their methods and techniques. Knew when they were coming and were ready for them. And trained the sheep to protect themselves.
I get it. We are so busy working on existing cases that there is no time to study what happened to someone else. Time to read, communicate, and share, is at a premium. There are only so many hours in a day. In a week. But that is how you become a better investigator. Recognize the TTPs - Tactics, Techniques, Procedures - of the bad guy. Recognize the signatures. Know what is connected and what isn't. Make your organization more secure. If you can prevent some cases then you won't have so many to investigate and therefore won't be so busy. Have the route planned before you need to take the trip.
We have two obligations:
1) Seek this information. Learn every day. Dedicate yourself to becoming a more knowledgeable practitioner each day, not just on training days.
2) Share information when you become patient 0 or 500. Pride has no place here. Acknowledge victimization to help others and others will do the same to help you.
We must be out in front- offensively. We can't wait until the enemy is already inside the city. Go find them. Study them. And when they come to our city we'll meet them at the gate, with a snarky smile, and tell them not today.
Granular tracking
Many smartphone applications utilize a custom designed web browser that operates strictly with the application. Apple has been attempting to force app creators to launch external links through the Safari browser. Instagram and Facebook apps don’t do this and still utilize in-app browsers. And even worse, explains security researcher Felix Krause, they track your every move while operating within that web browser - every single tap. https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser
“We did a thing and we’re great!”
Cloudflare explains how they defeated a heavy phishing attack and give themselves props for doing it “this was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached”. Seriously, it’s a good write up and worth the few minute of time to read it. https://blog.cloudflare.com/2022-07-sms-phishing-attacks/
But not that great
Cloudflare may have done something good, but people still got hurt. Dan Goodin is a cybersecurity reporter. Dan Goodin is one of the best, if not the best, security reporters. Dan Goodin still got phished. https://arstechnica.com/information-technology/2022/08/im-a-security-reporter-and-got-fooled-by-a-blatant-phish/
Non-negotiable
Ransomware operators don’t like ransom negotiators because bargaining cost them money. The Register interviewed a professional negotiator who works on behalf of victim companies to reduce the ransom payment. His primary concern - being outed as a negotiator. https://www.theregister.com/2022/08/06/interview_ransomware_negotiator/
The Rest…
It’s easier to get insurance for your 16 year-old driver than insure your small business for cyber-attacks. https://www.computerweekly.com/news/252523617/Cyber-insurance-getting-harder-to-obtain
Maryland man sentenced for an identity theft scheme that targeted New York State unemployment system. https://www.justice.gov/usao-ndny/pr/maryland-men-sentenced-prison-terms-membership-computer-fraud-and-identity-theft-ring
Two Virginia men are convicted of laundering more than 13 million dollars from Business Email Compromise schemes. https://www.justice.gov/usao-edva/pr/two-men-convicted-laundering-proceeds-business-email-compromise-scheme
Cool Jobs
Risk Strategist, Fraud - Stripe. https://stripe.com/jobs/listing/risk-strategist-fraud/4479877?gh_src=73vnei
Fraud Strategist - FanDuel. https://boards.greenhouse.io/fanduel/jobs/4477708?gh_src=ba823b7b1us&s
Cool Tools
Schedule an email to remind you. https://www.followupthen.com/
Do you use Signal?
And you should be using Signal.
Secure messaging application Signal uses Twilio as a VOIP number provider. Twilio was compromised by a phishing attack (see Cloudflare link above). Signal issued a statement. “Twilio Incident: What Signal users need to know”. https://support.signal.org/hc/en-us/articles/4850133017242
Thank You for opening this weeks email. Two lawyers unsubscribed last week. How do I know they were lawyers? Because within 1 hour of publishing the newsletter I received two unsubscribe notices. The only controversial thing I wrote was about lawyers, specifically, the legal counsel at financial institutions. Thin skinned I guess.
Matt
“NINETY PERCENT OF BEING AN ADULT IS PRETENDING YOU’RE AN ADULT” - someone watching my life.