Phishing Exercises, without the “Ish”

Much like open offices and outsourcing in business, information security is subject to trends. One you probably saw in your vendor spam folder over the past couple of years is phishing awareness exercises.

The premise sounds simple – phish your employees before the bad guys do, monitor how they respond, and react accordingly.  In reality, people’s experiences have been more complex. There’s not much middle ground in the discussion of phishing exercises. I see either glowing articles praising their merits (most of which are selling something), or bemused cynicism about them from security professionals. In my experience, there really can be benefits to running phishing test exercises in a sensible way, but many organizations are not implementing them in a sensible way, so they end up pretty worthless.

When you’re setting up a phishing test program, you have the option of developing your own phishing exercise infrastructure and metrics collection toolkit, combining open source solutions like King Phisher or the Social-Engineer Toolkit (SET), or purchasing one of many available commercial solutions. I won’t advocate for one brand over another in this blog – most will work (in the right configuration and conditions). A similar set of concerns exists whether you develop a deployment and metrics solution yourself or you buy a commercial solution in a box. Let’s discuss how any and all of these tools are being used incorrectly.


Before spending money, or implementing anything

Develop a clear goal for your program with your senior leadership fully involved. This goal should not be, “stop employees from clicking on phishing messages”. That’s simply unattainable. Yeah, you want that number to decrease, but even top security professionals have fallen for well-crafted phishing messages. People click on things when they’re busy and distracted, and it theoretically only takes one compromised host to breach a network. A real attacker only has to get that one, inattentive click. If your senior management measures your success by phishing clicks reaching zero, you’ll ultimately find yourself dumbing down campaigns to look more successful. This won’t do anybody any favors.

A more realistic goal is improving the quantity and speed of reporting of suspicious emails. Detecting phishing with tech is hard. Most organizations spend a great deal of money on modern solutions to catch and alert on phishing messages, and even those can be circumvented. Your last line of defense against phishing and social engineering is a good relationship with end users who will promptly tell you they are being attacked. While it takes only one phish to compromise a network, it takes only one prompt report to security to shut an attack down.

Next, you should bring your HR and Legal teams into the conversation and discuss anonymity. There is no room for gray area here. You will either conduct phishing exercises anonymously or you will not. If you conduct the phishing exercises anonymously, you must develop the program in a double blind way where even network security can’t practically retrieve the names of people who clicked. You’ll still see an overall view of the health of your organization, but nobody can be pressured to provide identifying data, even by angry executives.

If you choose to not conduct exercises anonymously, I recommend that you clearly document any repercussions for clicking, and ensure they are uniform across your organization. Otherwise, your exercises could easily become a public humiliation game or end in unequal punishment by managers, putting you in hot water with HR.
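The two preceding sections describe the two things a well-run program needs from its tooling: metrics that emphasize how many people report and how quickly, and a double-blind design in which nobody can map a click back to a person. The following Python is an added example, not code from this post or from any of the tools mentioned; the event-log shape (one `(token, kind, timestamp)` row per event), the random per-recipient token scheme, and the sample campaign data are all assumptions constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta
from statistics import median


def send_campaign(addresses, send_fn):
    """Mail every recipient a message carrying a unique random token and
    return only the tokens. The address/token pairing exists only inside
    this loop and is never written anywhere, so nobody (the security team
    included) can later map a click or a report back to a person."""
    tokens = []
    for address in addresses:
        token = secrets.token_urlsafe(16)  # 128 random bits: unguessable
        send_fn(address, token)            # hand off to the mailer (assumed API)
        tokens.append(token)
    return tokens


def campaign_metrics(tokens, events):
    """Aggregate one campaign's event log.

    events: iterable of (token, kind, timestamp), kind in {"sent", "click",
    "report"}. Repeated clicks or reports from one token count once, and
    events carrying a token this campaign never issued are ignored."""
    issued = set(tokens)
    sent_at, first_click, first_report = {}, {}, {}
    for token, kind, ts in events:
        if token not in issued:
            continue
        if kind == "sent":
            sent_at[token] = ts
        elif kind == "click":
            first_click[token] = min(ts, first_click.get(token, ts))
        elif kind == "report":
            first_report[token] = min(ts, first_report.get(token, ts))

    n = len(sent_at)
    # Minutes from delivery to each reporting recipient's first report.
    delays = [(first_report[t] - sent_at[t]).total_seconds() / 60
              for t in first_report if t in sent_at]
    # Minutes until the security team heard about the campaign at all:
    # this is the number a real attacker would care about.
    first_alert = None
    if first_report and sent_at:
        first_alert = (min(first_report.values())
                       - min(sent_at.values())).total_seconds() / 60
    return {
        "sent": n,
        "clicked": len(first_click),
        "reported": len(first_report),
        "click_rate": round(len(first_click) / n, 3) if n else 0.0,
        "report_rate": round(len(first_report) / n, 3) if n else 0.0,
        "clicked_then_reported": len(set(first_click) & set(first_report)),
        "median_minutes_to_report": median(delays) if delays else None,
        "minutes_to_first_alert": first_alert,
    }


def run_example():
    """Constructed sample campaign: five recipients and a handful of events."""
    t0 = datetime(2017, 3, 1, 9, 0)
    addresses = [f"user{i}@example.test" for i in range(5)]   # constructed
    tokens = send_campaign(addresses, lambda addr, tok: None)  # mailer stubbed
    t = tokens
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    events = [(tok, "sent", t0) for tok in t] + [
        (t[0], "click", at(4)),
        (t[0], "report", at(9)),    # clicked, then self-reported: the ideal case
        (t[1], "report", at(2)),    # reported without clicking
        (t[2], "click", at(30)),
        (t[2], "click", at(31)),    # second click from the same token counts once
        (t[3], "report", at(40)),
        ("forged-token", "click", at(5)),  # never issued by us: ignored
    ]
    return campaign_metrics(tokens, events)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Because `send_campaign` discards the address/token pairing as soon as each message is handed to the mailer, the only way to identify a clicker afterwards would be to search mailbox contents, which is the kind of effort the double-blind design is meant to make impractical. The `minutes_to_first_alert` figure is the one worth reporting upward: it is how long the organization would have been in the dark against a real phish.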


A carrot, instead of a stick

Regardless of whether you conduct your exercises anonymously or not, you may decide to provide extra security training to people who click on your test phishes. Frankly, a lot of security awareness training is pretty awful, “death by PowerPoint” stuff. If your users can fly through every slide and kludge their way through your multiple choice test, chances are it’s a waste of time. Try to have some empathy for how an end user is feeling when they click on a test phish and are routed to a long, mandatory training. They’re embarrassed, frustrated, and it’s very possible they clicked because they were already frantically busy. In their minds, you aren’t helping – they feel like you tricked them. There’s now hostility in your relationship, not a willingness to help “the team” stop attackers.

If possible, in-person training is a great option (snack bribery highly encouraged). Offer a lunch and learn, or a social hour with IT security. Offer this in lieu of traditional web-based training, and have a conversation with your end users. People are statistically more inclined to help somebody they have met in person and feel some connection to. You want to try to make your phishing exercises a positive thing that people want to improve, not a negative thing that people subconsciously associate with punishment or embarrassment.

If training has to be computer-based, try to make it quick, effective, and interactive. This is a space where you may wish to spend some money to get something good quality and enjoyable.

Be clear about what you’re trying to accomplish with phishing exercises and why they are important to your organization. Ensure you give credit to people who report phishing and help your team improve more than you punish people who make genuine mistakes. It’s better to provide measures to protect victims and help them learn, rather than encourage them to circumvent your security team.


Who should you phish?

Establish the scope of your exercises. Must certain employees be exempt for legal reasons? Are multiple languages spoken in your organization which will require separate exercises? Will your exercises be conducted across global business hours and all shifts? Have you done some OSINT to generate a list of exposed users and email addresses that require special attention?

I highly advise against phishing everybody at once. The only things that travel faster than light in workplaces are rumors. Once one person realizes he or she has fallen for the phishing exercise, it’s nearly impossible to contain the “helpful warnings” to neighbors and friends. This is good, but won’t necessarily give you accurate metrics about individual performance.


Designing your phish

Security teams everywhere look forward to this part with glee. I must remind my blue team friends of a lesson that successful red teamers learn early in their careers: your job is not to “get” your target for the laughs. Your job is to educate your target and improve their security. You are on their team. Yes, you can phish nearly anybody with a well-crafted message and insider knowledge. Conversely, you can produce excellent metrics by selecting an absurdly easy phish. Neither results in any significant security training.

Your phishing exercises are a scientific experiment, and a good experiment has as few variables as possible. The variables that do exist must be well quantified, and should include the difficulty of the phishing message, which is easier said than measured. Comparing clicks on an excellent phish with perfect grammar and a timely topic to one that applies to few employees and is written in poor English is apples to oranges. If you want to change the variable of phishing difficulty, do not change the variable of employee selection or time of day, and vice-versa.

If you’re having trouble with this, look to your phishing awareness training. Most commercial training programs list warning signs of a phish. When developing your messages, choose a specific number of these specific warning signs to include.


Avoiding phishing-related divorces, and other unpleasantness

Writing a phishing email seems fun and easy. You copy one you’ve seen in your filters, or use a common phishing theme, and send it out with a link or attachment, right?

Or not.

Bad guys have it a lot easier than we do as defenders and pen testers. Bad guys can emulate any public company or person they want in their phishing messages, and abuse any emotion. While we want to make test phishes as realistic as possible, there are good reasons why we have to put more thought into ours.

The reaction of a human being to a phishing email depends on a lot more factors than just their corporate security training. They’re also influenced by their outside security education, their biases and experiences with the content of the message, and their emotions. Imagine a phishing test email that uses the classic “payment received” scam, ostensibly from some real online payment firm. Some people will look at the phish, see it for what it is, and report it appropriately. Others will Google the payment provider and report the phish to them instead; a black eye (or even a blacklist) for your company. In a worst case scenario, an employee could receive the message and apply a personal context, forwarding it to their spouse as ‘proof’ they’re hiding money.

You must try to keep your phishing exercise contained. Remember, you are handling live lies. Not only could forwarding of your test message alter your metrics, but it could also result in more dire legal or ethical consequences if it should leave your network perimeter. Ensure you thoroughly prevent this, and clean up after your exercise as soon as possible once you’re done.

Ask Lesley InfoSec Advice Column: 2017-02-26

This week, we discuss red team and blue team self-study, getting kids interested in security, and security paranoia. As always, submit your problems here!


Dear Lesley,
I am a threat intelligence analyst who is currently underutilized in my current job, and feel like my skills and tradecraft are slipping because of it. I’m wanting to give myself some fun projects to work on in my off-time but am not really sure where to start. What types of things would you recommend?
-M

Dear M,
You’re certainly in a great field to want to work in, in 2017. Not only do you have the whole pantheon of nation state actors conducting cyber operations to study, but you have a huge range of commodity malware, botnets, insider threats, malware authors, and dark web markets to study. If you’re not feeling inspired by anything in that list, perhaps reach out on Intel sharing lists or social media to see if an existing project could use your skill set? Lots of folks are doing non-profit threat research work and need extra hands.


Dear Lesley,
If you do not have the budget to send people to SANS or to conferences, what free supplementary resources would provide fundamental training for someone studying DFIR?
-Curriculum Writer

Dear Curriculum Writer,
I can totally appreciate not being able to send somebody to a thousand dollar (or more) commercial conference or training program. However, most BSides conferences are free (or under 20 dollars). I suppose if you are totally geographically isolated and there is no BSides in any city in driving distance, those may be impossible, but I would definitely explore the conference scene in detail before writing them off. Sending somebody to a BSides or a regional conference for the cost of gas and a few bucks provides a lot of value for the money.

Otherwise, a DFIR lab will be your best friend for self study. Unfortunately, I can’t guarantee a home lab will be totally free to implement. Let’s talk about some fundamental requirements:

– One or more test hosts running assorted operating systems.
– An examiner system running Linux
– An examiner system running Windows (recommended)
– Intermediate networking
– Free (or free non-corporate) forensics and malware analysis tools.
– A disk forensics suite
– A memory forensics suite
– A write blocker, associated cables, and drives.

An ideal comprehensive DFIR lab, where money is no object, might look something like:

– A host PC with 16GB (or more) RAM.
– VMWare Workstation
– Ubuntu (free), Windows 7, 10, and Server 2008 VMs
– A SANS Sift Kit examiner VM (free)
– A REMnux Kit examiner VM (free)
– A Cuckoo Sandbox VM (free)
– A Server 2k8 examiner VM
– An EnCase or FTK forensics suite license
– A write blocker, associated cables, and a number of hard drives.

But, we can do it more cheaply, sacrificing convenience. We can virtualize with VirtualBox (losing the ability to take non-linear, branching snapshots), or on bare metal machines we scrounge from auctions or second hand stores (the least optimal solution). This can work, but every time we infect or corrupt a machine, we’ll have to spend time restoring the computers to the correct condition. We can stick with analyzing Windows versions that are out of support, but we won’t be totally up to date.

One of the most difficult things for people studying the “DF” side of DFIR is the inability to get expensive licenses for industry-standard corporate forensics suites. There’s really no great solution for this. There are limited demo versions of this software that come with some forensics textbooks. SANS Sift Kit does include The Sleuth Kit, an open source suite which performs some similar functions.

Physical forensic toolkits aren’t cheap, but aren’t in the same ludicrous territory as forensics software. You can pick up an older used Tableau forensic bridge for about 150 dollars on eBay. Perhaps if you network within your local security meetup, somebody will be able to lend you one, as many college and training courses provide them.

Once we have something resembling a lab, we can follow along with tutorials on SecurityTube and on blogs, in forensics and malware reversing textbooks, in open courseware, and exploring on our own.


Dear Lesley,
I have a daughter whom I would like to encourage to go into IT and possibly security if she’s interested. I know your father was influential to you getting into security. Do you have any suggestions for me as a dad on things I can do to encourage my daughter to become interested in IT and security?
-Crypto Dad

Hi Crypto Dad,

Yep, both of my parents had a big influence on my career! A hard question to answer, but an important aspect was not pushing me hard towards or away from hobbies. I was treated like a small adult and provided the opportunity to follow along with whatever my dad was doing in his shop, and even at a very young age he answered my questions without patronizing me or getting frustrated. He didn’t dumb things down; he just started at the beginning. I always had access to stuff to learn how it worked and how it was made. By the time I found out I ‘wasn’t supposed to’ know or like things, I already knew and liked them.


Dear Lesley,
I’m a penetration tester who seems to be falling behind with the times. My methods aren’t efficient. Recently I discovered there are better ways of doing things than my three year old SANS curriculum taught me. How can I stay current without becoming a lonely crazy old cat lady?
-Just a crazy cat lady

Hi Crazy Cat Lady,
You’re ahead of many folks by realizing there’s a problem. I see a lot of infosec people let their skills stagnate for many years after training or college, and our field changes really fast. No quick fix, but here are some suggestions:

– Participate in CTFs. Ignore the scoreboard and the dudebros and “rock stars”. Just compete against yourself, but do it genuinely and learn from your mistakes.
– Jump over to the blue team side for a bit and read some really thorough incident and threat reports from the past couple years. Sometimes seeing what other people are doing will give you interesting ideas of avenues to research.
– If you’re still reaching for Kali, escape its clutches. Kali is an amazing VM, but it will only take you so far and lacks some newer tools. It can also discourage thinking “out of the box” about how to compromise a network. After all, it is a box.
– Get out to cons to watch red team talks. Watch recent ones on YouTube, too. See what other folks are up to. Your cats will be okay for a couple days, and you’ll make new friends.
– PowerShell Empire. 💖💖💖
– Don’t be embarrassed to make mistakes and ask questions.
– Don’t be embarrassed to make mistakes and ask questions.
– Don’t be embarrassed to make mistakes and ask questions.


Dear Lesley,
How do you deal with any overbearing paranoia being in InfoSec? Example: I want my home network to be as secure as, if not more secure than, my work network… How can I explain my paranoia regarding outside threats (however unlikely), and cope with it 🙂
-Too Paranoid to enter my name

Hi Paranoid,

Fear is healthy in small doses. Fear keeps us alert to potential threats, and helps us survive dangerous situations. However, constant fear is not helpful and is patently unhealthy. If you see illusory threats in every dark corner, you won’t notice when a real one is there, and you’ll be too tired to respond properly to it.

You need to approach this as analytically as you can. Let’s talk about measuring real risk.

– Evaluate your assets. What would somebody genuinely target you for? This isn’t necessarily items or information, but could also include your job position or connections.
– Evaluate real threats to you. Who rationally has motive to “get you”, and do they have the means and the opportunity to?
– Evaluate your vulnerability. How could somebody attack you or your assets, and how much effort and resource would it take to do it? How well do you mitigate vulnerabilities? Are you a harder target than others facing similar threats?

Risk is a direct result of the level of threat against you and your assets, and your vulnerabilities. It’s impossible to change the level of threat. All one can do to change risk is change assets, or change vulnerabilities.

People make personal decisions about acceptable risk. A firefighter lives with a different level of risk than a librarian. The firefighter likely has to deal with occasional moments of quite rational fear and adrenaline (due to actual threats and vulnerability), but does not live in constant fear of burning buildings. The librarian might consider running into burning buildings an unacceptable level of risk, which is why he found a less risky profession. However, both people live comfortably with their overall risk and their mitigations, and not in irrational fear.

With all this in mind, consider the things that you’re paranoid about carefully. What is the real level of risk each poses? What level of real risk will you choose to accept on a daily basis? If your overall level of risk is actually too high to cope with on a daily basis, reduce your targeted assets, or reduce your vulnerabilities. If you find your level of risk acceptable, then maintain that level rationally and try not to be unduly afraid. You likely have more to fear from chronic health problems than nameless threats.

Is Digital Privacy a Privilege Of The Wealthy?

It’s a chilly spring morning in 1987, and things aren’t going so well for you. The threats and stalking weren’t your fault, but you’re genuinely afraid for your safety and the police couldn’t help much. After thinking long and hard, you’ve decided your best option is to disappear and start over. You pack your family’s belongings into your Fiero, empty your bank accounts (a couple grand in cash), close out your accounts without forwarding, and hit the road. You’re sick to your stomach scared to leave, but you’re also relatively confident – you can find cash work and lodging pretty much anywhere, (under an assumed name with counterfeit papers, if necessary). Go far enough and keep your head down, and it’s not likely he’ll find you again without a good PI or a string of bad luck.

★ ★ ★

It’s 30 years later, and the business of fleeing an abuser has changed dramatically. Many elements of our world are still familiar, but the nature of personal privacy is fundamentally different. The internet, mobile phones, and social media brought the world closer, often in incredible and inspiring ways, but also in ways that fundamentally harm our ability to keep any element of our daily activity private or secure. The field of network security has grown from an afterthought to a standard college degree program and a major element of global military forces. News coverage shows us terrifying ways our personal data and digital devices can be abused, constantly bombarding us with reminders to restrict access to our data and internet presence.

Yet, the “common sense” security and privacy advice we offer frequently carries costs. Security experts can tweet about an Android version being obsolete and horrifically vulnerable to snooping a thousand times, but billions of people in the world simply can’t go out and buy a good quality new phone. There are wonderful commercial identity monitoring and digital privacy services available, for a yearly fee that might cut into many people’s medication budget. Even finding quality security education has tangible and intangible costs.

Whenever I tackle an extremely complex and contentious security topic, I endeavor to offer a variety of differing expert views to readers. Through a series of eight scenarios, I’ve invited seven security and digital privacy professionals to join me in weighing in on the fundamental question of how much of a privilege digital privacy, and the abilities to “restrict” or “remove” our digital footprint, really are. The discussion is generally North America-centric – international privacy laws vary greatly. However, many of our privacy and personal security solutions are not specific to any country. Our general conclusion is that while convenience and absolute anonymity can be a privilege that comes with resources, there are many effective low-cost ways to drastically improve personal digital privacy.

My colleagues, who generously contributed their time and knowledge to this article without compensation or sponsorship, are as follows:

  • Viss / Dan Tentler – Founder of Phobos Group. Dark Wizard. Breaker of things. Essentially a static analog for “targeted, skilled espionage for hire”.
  • Munin / Eric Rand – Blue team consultant; amateur blacksmith; consistently paranoid
  • Krypt3ia – Old Crow, DFIR, Threat Intel, Targeter: krypt3ia.com @krypt3ia
  • Lloyd Miller – Managing Director at Delve, a competitive intelligence, research, and policy consulting firm
  • plum / Chris Plummer – Former IBM, DoD, now staff at exeter.edu. Oxford commas at 603security.com, chasing120.com, and @chrisplummer.
  • CiPHPerCoder / Scott Arciszewski – CDO at Paragon Initiative Enterprises, writes and breaks cryptography code. https://paragonie.com/blog/author/scott-arciszewski – @CiPHPerCoder on Twitter
  • evacide / Eva Galperin – Director of Cybersecurity at the Electronic Frontier Foundation.



Question 1: Mobile Device Privacy

Smartphones are woefully vulnerable to compromise and surveillance by numerous sources, from advertisers, to criminals, to suspicious spouses, to nation state adversaries. As our “second brain”, they contain massive amounts of our sensitive information, such as where we’ve been, our contacts, and our account logins. The common security boffin recommendation is to always own an up to date phone (often specifically an iPhone), replacing it whenever it becomes obsolete. Good quality phones aren’t cheap, but smartphones are frequently a necessary part of modern life. What are your privacy and security suggestions to somebody who can’t afford a new iPhone every few years, but needs a smartphone for work or school?

Munin – Limit your threat surface. Only install those apps that are essential for what you need, and avoid random web browsing on it. Don’t open attachments on it – set your email client to text only. Apply updates if they’re available for your platform. Don’t root or jailbreak it – yes, it lets you do a bunch of cool things, but it also opens up significant maintenance problems.

Lesley – Even if you can’t afford a new phone, please routinely check the version of Android or iOS you’re using. Once the phone is out of date and no longer receiving updates, reset it to factory and treat it as cautiously as you would a public computer. No matter the age of your phone, avoid installing any apps with too many permissions, including access to your microphone, GPS, camera, contacts, or phone identification. Keep location services turned off.

On another note, while the ubiquitous iPhone has pretty good security “out of the box”, there are also very good arguments for using an up-to-date Android phone from which the battery can be physically removed, if privacy is a big concern. There are few things more reliable than physically breaking a circuit.

Viss – There are carrier free phones that you can buy that cost half of what carrier phones do. A OnePlus2 will cost you around $300, and they get software updates several times a year. You can also get a Google Nexus or Google Pixel. All of these non-carrier phones get software updates way way more often than any phone that a carrier will try to sell you. That alone is a pretty huge improvement, even before taking personal measures to secure a mobile device. Also, a OnePlus, Nexus or Pixel will likely last years, and remove the need to buy a new phone every 12 months.

Lloyd – I don’t think good security comes cheap with phones, but Munin gives the best advice – if nothing else, only do the bare minimum necessary to accomplish what you need to do, and cut out the rest.

plum – In theory, devices purely for work or school should not be all that demanding in terms of features, so they should be remotely affordable. The carrier market is white hot right now. Chances are, there’s at least one in your region with a pretty compelling deal on a handset. This is difficult because for short money you’re into a new phone that you may not necessarily understand how to secure. To that end, don’t go out on an island – buy something your friends and family are familiar with, so they can help you. While many are averse to working with salespeople, you may find one that knows quite a bit about keeping your handset locked down. It’s worth the ask; there are really good people out there who know a lot more than simply how to sell you a phone. You may not get it perfect, but it will be better than out-of-the-box.

Krypt3ia – Phones, like much of the technology we buy and use today that could lead to compromise of significant amounts of our data, are coming down in price in certain spaces while going up in others. So if you want to have a burn phone (and now you can get smart phones too cheaply) you can try to firewall yourself off by only doing certain things with a burner phone. I guess the thing is that generally here any phone at any time could be that device that leads to your data being open to attack.

It may also be of use to have a phone that has less functionality, like a flip phone, to carry out some tasks, as the lesser the technology level, the less the adversary has to work with as attack surfaces go. The reality however is no matter what you do you are subject to technologies that you do not have control over completely. As an example, I recently gave up a phone that I liked quite a bit because the provider did not update the operating system for security patches and had not done so in over a year. They just don’t really care, so I had to move on to a system that I could push the updates on. Still though, if you are relying on technology to protect you and YOU aren’t in control of every aspect of that, and are competent at it, it is a null sum game. Best I can advise you is to compartmentalize as much as you can. Use code words for things (i.e. appointments in calendars, names in phone books, etc) to obfuscate and make it that much harder for the adversary to get a toehold.

CiPHPerCoder – Non-carrier phones like One Plus are a good idea, as Viss said, but one important obstacle is how purchasing is structured. If you get a carrier phone, you probably aren’t dropping $800 right then and there; instead, they roll the cost of the device into your monthly payments. If you get a non-carrier phone, you have to purchase it yourself. I believe it’s worth it to find a way to overcome this obstacle (so that you won’t be left vulnerable when an Android vulnerability surfaces if your carrier is negligent) but this comes down to a cost-benefit decision.

A related concern for most people is data privacy. For example, using a secure, private messaging app like Signal or WhatsApp instead of an insecure choice (Telegram, unencrypted SMS) to communicate with your friends is a great move. Encrypting your phone with a passphrase (to be clear: not a PIN code, swipe pattern, or fingerprint; you want a passphrase) prevents anyone (for example, at the airport) from accessing your private data while it’s powered off. I recommend a longer passphrase (e.g. 20 lowercase letters, generated randomly) instead of mixing different character classes, to minimize frustration and typos.

evacide – (most of the useful technical advice has already been given, so I am going on a bit of a tangent here) Phones are one of the most clear-cut examples of money buying security, but when you’re making digital security/privacy decisions, always keep the attacker in mind. Your most up-to-date iPhone will not help you if you’ve been coerced into giving your password to your abusive partner or that partner has installed an app (covertly or otherwise) on your phone that allows them to spy on you. For these cases, it may be appropriate to covertly purchase a cheap second burner phone, which may not be as secure against hackers, but which may allow you to covertly communicate without alerting your abuser.

Question 2: You, on the Internet

Companies like FamilyTreeNow and Intelius collect data about every US citizen they can; even ones who don’t regularly use a computer. This data often includes addresses, phone numbers, social media profiles, criminal history, as well as family member names and birthdates. Obviously, this data can be very damaging when used inappropriately, and generates global privacy and security concerns far beyond simply being in a local phone book. Removing this data from hundreds of these companies is a huge undertaking, but commercial subscription services that do it reliably aren’t cheap. What’s the best option on a tight budget?

Viss – https://www.abine.com/deleteme/landing.php – spend $129.

Munin – Do what you can to minimize the harm – that’s the name of the game here. If you can’t afford a good service, do what you can by yourself. It won’t be perfect, but reducing the threat surface to a minimum will help. Remember, you don’t always have to outrun the bear – you can last a lot longer if you can outrun the other campers.

Lloyd – I don’t believe takedown notices are an effective strategy in the whack-a-mole world of personal data aggregation. You can send them, but the sites can ignore them. Additionally, a lot of that information, including birth, property, voter registration, and criminal/legal records, is government-generated and legally protected public records. There are several very reputable services, including Intelius (get it?), you can pay to help remove some of this information, but I would ensure they offer guarantees and other identity/credit protection services.

Lesley – Third party privacy services are out of many people’s price range, but certainly the most effective solution for everyday privacy concerns short of a new identity. Privacy is also a constant battle – you need to look at a subscription service more than a one-time removal. If you absolutely can’t afford one, you can opt out of many services for free, but it’s a time consuming and convoluted process. As a last resort, at least remove your data from the top 20-25 services to try to delay and frustrate people trying to research you. Don’t make a harasser’s life easy.

plum – Two years ago I discovered a downloadable database of voter registration data that included DOB from eight US states, and it had already been online for several years and mirrored in Europe. For the individuals in these states, through no fault of their own, their identities are permanently at risk. In truth we’re talking about mitigation, not prevention. Anyone’s best hope is an annual ID theft monitoring service. Some employers actually offer these free of charge. Tight budget? You’re left to pull a free credit report once a year and hope you catch something. The system is pretty broken here.

Krypt3ia – The ONLY way to avoid this is to not be you any more. So, you fake your own death after getting decent documentation with another name. Get credit set up for that person, a whole “new suit” as they say and then live that life and never talk to anyone from your past.

But oh wait… Now you have a new name and series of datapoints to worry about!

Best bet, go live off the grid in the woods or become homeless.

Another null sum game.

CiPHPerCoder – I’ve got personal experience with the downside of these services. When I was a teenager, my mother’s hobby (which consumed most of her waking hours when not working) was genealogy research through websites like Ancestry.com. It’s kind of funny in that, as I taught myself more about computer security and online privacy, she was unwittingly working hard to ensure that I would never have privacy online. Many years ago (either 2009 or 2010), an Internet troll had used this publicly available data to send me harassing emails, demanding that I take my blog offline forever.

Despite that experience, I don’t have a solution here.

It’s obviously an extortion racket; using the threat of public exposure to get people to pay up. The alternative to reaching into your wallet is playing whack-a-mole with third parties that mirror your personal information. The first option provides this industry with the incentive and resources to continue harming people’s lives. The other maximizes the harm they cause your own life (by wasting time trying to achieve a modicum of the privacy you should, rightfully, already have).

However, like many other areas of security, layered defenses work wonders to fend off attackers. Making a new pseudonym and linking it to a false persona is challenging and requires a ton of discipline to be successful. Even if you can’t protect your personal information, you can prevent malicious parties from connecting your screen name to your real name without drowning in a moral quandary.

Question 3: Traveling Abroad with Digital Devices

Travel is often considered a privilege, but people from all backgrounds do travel internationally. There are firm warnings from security professionals about bringing mobile devices and computers into less friendly countries (especially ones that conduct extensive monitoring and seizure) as they may conduct forensics on them or insert surveillance hardware or software. This adds a layer of risk to somebody who is trying to remain unseen. The blanket advice is usually to bring a separate, disposable computer and phone if they’re required. Computers and phones aren’t cheap. What would you recommend to somebody who needs to travel overseas to a dubious location but doesn’t have a big budget?

Munin – If you’re travelling for business, see about having your company handle the purchase of separate, designated equipment. If you’re there for a conference or just visiting, see if any of your friends in that country [social media’s great for making friends in foreign parts] will be willing to let you borrow equipment while you’re there. Remember that any kind of electronics you bring across a border – especially these days – is probably going to get searched, so avoid the problem if possible. Also, take some time ahead of time to set up a benign social media profile – put some noncontroversial or patriotic looking activity on it, and lock down or suspend your real accounts before you travel. If you end up being forced, coerced, or pressured into giving up online activity, refer to that account as your only account. Part of being safe is looking like you’re not worth harassing – so keep the lowest profile possible.

Viss – Do you HAVE to travel with your phone? Or your laptop? Can you use a chromebook, and just buy a burner phone while you’re in another country? Do you feel that you’re in a position where customs here or there will try to get into your phone? Here’s a fun trick: Select a cloud backup provider (Spideroak, Box, Dropbox, ec2, whoever, doesn’t matter). Make a titanium backup or nandroid backup of your phone. Make sure to use the encryption option. Put your encrypted phone backup into cloud storage before you leave. Format your phone in the air on the plane. If anybody wants to look at your phone, they can see it – there’s nothing on it. Have fun. When you get to your destination, pull down your phone backup and restore it. You may want to remove all your downloads and stored media beforehand. If you take the time to either A) have a dedicated travel phone that you do this to, or B) just occasionally trim your phone storage down you can get this to under a gig.

Lesley – Echoing Viss, consider very carefully if you really need the phone, or you just feel irrationally naked without it. Payphones may be rare, but they still exist in most transportation hubs, as do calling cards that work internationally (they are often sold in airports), and paper maps. If there is no way you can function without a phone, there are relatively cheap (<$40) options for unlocked disposable phones such as BLU’s, and SIM cards can usually be purchased at convenience stores when you arrive at your destination. Leave your sensitive personal data, including your fingerprints, off of any burner phone. Use it for travel essentials only. Stick to a “dumb phone” if you can.

Lloyd – For short term use, you can get used smartphones off Craigslist, get a prepaid SIM card, install just the contacts and apps you need for the trip, and then toss it on your way home. And, as everyone else has said, if you don’t need it, don’t bring it.

plum – I would never travel internationally with personal devices. Everyone has done well to discuss the risks, and from a practical perspective the logistics alone of getting a lost device returned to you from across a border – presuming a scenario that involves total honesty and goodwill – we’re talking long odds.

Krypt3ia – A USB stick with TAILS and an internet cafe or other access to a PC. Light footprint or you are in trouble. At this point you are dealing with nation states, and you will not win. INFIL and EXFIL into and out of countries is best done with very little on you. A mini USB (32 gig) can easily be tossed or eaten or destroyed. Not so much any other more expensive and luggable assets. For that matter you can cache them and in some cases secret them in your luggage where the color X-Ray and other schemes of detection can be obfuscated.

CiPHPerCoder – These are all good answers, so the only thing I can really offer is my setup. For domestic travel, I just have an encrypted laptop and encrypted mobile phone. If I’m traveling internationally, however, I’ll do the following:

  1. Rent a throwaway Virtual Private Server (VPS) from one of the providers on LowEndBox.
  2. Configure the VPS so that I can only SSH in via a Tor Hidden Service, using public key authentication (no passwords) with a SSH keypair unique to that server. (Ed25519.)
  3. Encrypt anything I need and store it on the server. (Veracrypt.)
  4. Purchase or repurpose a new laptop with a fresh Windows install for traveling purposes.
  5. Carry a USB or SD card with a Veracrypt-encrypted file containing the SSH private key.

TAILS can be procured on-site, and verified through other channels. I’d leave the phone at home.

Total cost: less than $10 if you already have the hardware on hand.
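As an added example (not CiPHPerCoder’s own setup and not part of the original post), the following shell script writes the server-side torrc and sshd_config fragments that steps 2 and 3 above call for, the matching client-side SSH entry for the travel laptop, and a small audit function that checks an sshd_config for the key-only, loopback-only settings. The scratch directory, the `deploy` user, the onion hostname, the key path and the `nc -x` SOCKS proxy command are assumptions.

```shell
#!/bin/sh
# Added example: config fragments for "SSH only via a Tor onion service,
# public key auth only" plus an audit of the resulting sshd_config.
# Everything is written to a scratch directory, never to real system paths.

OUT="${OUT:-$(mktemp -d)}"

# Server side, sshd_config: listen on loopback only so the daemon is reachable
# solely through the onion service; public keys only, no passwords at all.
write_sshd_config() {
  cat > "$1" <<'EOF'
# Added example: hardened sshd_config for a Tor-only host
Port 22
ListenAddress 127.0.0.1
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
PermitRootLogin no
EOF
}

# Server side, torrc: expose the loopback sshd as a v3 onion service.
write_torrc() {
  cat > "$1" <<'EOF'
# Added example: onion service forwarding to the loopback sshd
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Client side (travel laptop): route the connection through the local Tor
# SOCKS port using OpenBSD netcat's proxy support. ONION_HOST, the user and
# the key path (the Veracrypt-mounted USB stick) are placeholders.
write_client_config() {
  cat > "$1" <<'EOF'
# Added example: client entry; replace ONION_HOST with the real .onion name
Host travel-vps
    HostName ONION_HOST.onion
    User deploy
    IdentityFile /media/usb/travel_ed25519
    IdentitiesOnly yes
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
EOF
}

# Print the effective value of an sshd_config keyword, lower-cased, or nothing
# if absent. sshd honours the FIRST occurrence of a keyword, so stop there.
# Commented-out lines ("#PasswordAuthentication ...") do not match.
sshd_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Audit an sshd_config: return 0 if it enforces key-only auth on loopback,
# otherwise report each failed check on stderr and return 1.
audit_sshd_config() {
  _rc=0
  [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
    { echo "FAIL: PasswordAuthentication must be no" >&2; _rc=1; }
  [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = "no" ] ||
    { echo "FAIL: ChallengeResponseAuthentication must be no" >&2; _rc=1; }
  # PubkeyAuthentication defaults to yes, so only an explicit "no" is a fault.
  [ "$(sshd_value "$1" PubkeyAuthentication)" != "no" ] ||
    { echo "FAIL: PubkeyAuthentication must not be disabled" >&2; _rc=1; }
  [ "$(sshd_value "$1" ListenAddress)" = "127.0.0.1" ] ||
    { echo "FAIL: sshd should listen on 127.0.0.1 only" >&2; _rc=1; }
  [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] ||
    { echo "FAIL: PermitRootLogin must be no" >&2; _rc=1; }
  return $_rc
}

write_sshd_config "$OUT/sshd_config"
write_torrc "$OUT/torrc"
write_client_config "$OUT/ssh_config"
audit_sshd_config "$OUT/sshd_config" && echo "sshd_config OK, fragments in $OUT"
```

Run the audit against a host’s real `/etc/ssh/sshd_config` to confirm the daemon is not quietly reachable over the VPS’s public address or by password.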

evacide – If you’re traveling for business, your business should have a policy in place for your digital devices and travel. If they don’t already have one, this is the time to encourage them to do so. If you are crossing the US border, I recommend reading the advice EFF has written up as part of Surveillance Self Defense on this subject: https://ssd.eff.org/en/module/things-consider-when-crossing-us-border. In general, I would make sure my devices are password-protected, encrypted, and turned off when crossing the border. Particularly sensitive information should be removed from the device in advance, encrypted, and stored on a server for (secure! encrypted!) download if you need it when you arrive at your destination.

Question 4: Credit and Identity Theft Monitoring

Identity goes hand in hand with privacy. More Americans have had a credit or debit card stolen in the past couple years than those who have not, and data breaches and identity theft are huge problems. Services that proactively monitor and protect against this come with a monthly or yearly fee. What’s an affordable and effective solution for responsibly keeping an eye on your identity and credit? Are there solutions for people who can’t get a credit card?

Viss – Most credit cards these days come with alerting capabilities that will tell you if a charge comes through past a certain amount. Turn that on and set it to like $50. Anything over $50 and you get a text or an email. INSTANT notification if something sneaky is going on. You can’t do much about it not getting stolen in the first place, for example in the case of Target, the malware was in the cash registers and nobody knew. But you can know immediately if an attacker tries to use your card for evil, and you can call it in right away. Simply do this with every card.

Munin – If at all possible, do -not- use a debit card for anything. Every transaction is a gamble – so gamble with the bank’s money, not your own, and use a credit card if at all possible. An affordable alternative to paid services is to be ‘lucky’ enough to be in a breach – haven’t we all, at this point, received several years’ worth of “credit monitoring” to compensate us for the time and stress of having our identities compromised? More seriously, though, follow Krebs’ advice – lock down your account with the major credit bureaus, and unlock it if you have a specific need for a credit check. It’s not perfect, but it’s affordable and will reduce harm.

Lloyd – Using anonymizing services like Sudo, Blur (Abine), or Privacy.com allows you to make purchases with credit cards you have 100% control over. Therefore, if an online store is compromised, you can just delete the card and move on. Lock down your credit reports and do that for any of your children as well – people don’t monitor their children’s credit, making them vulnerable to identity theft as well. You can also get prepaid credit cards using very little information. You should research which features you prefer like ease of reloading, low or no monthly fee versus per-purchase fees, or usability. Generally, Chase and Amex are great introductory options. For international travel, Kaiku offers a prepaid card with no foreign transaction fees, great for short trips abroad. Keep in mind Know Your Customer laws make it very difficult to access the U.S. banking system and stay anonymous from the U.S. government for very long or while handling large transactions.

plum – The OPM breach, the Target breach, the Home Depot breach have really paid off for me; the past few years of free monitoring have been nice. LastPass actually bundles free credit monitoring, so that is worth exploring when this is done.

And as Munin mentioned, debit cards are cast from pure evil in a mold of good intentions. Never gamble on a retailer’s security posture with real money. Charge everything.  If you don’t have access to credit, use as much cash as possible and be very judicious in your check writing.  Every check you write says “hi, here’s my full name, here’s where I live, and here’s where I keep all of my money; in fact here’s my account number”.  That’s a lot to hand over to a complete stranger.

Krypt3ia – Most banks do this now for you at no charge. I would not trust these companies to protect my data anyway. It is just adding to the complex web of your data being out there for others to abuse. Keep an eye on your accounts regularly and make sure your credit card/bank has your current number to call. Don’t waste money.

Lesley – Cash is your friend. Otherwise, a few people have already correctly noted how very risky bank debit cards are for your privacy and money. Unfortunately, many people are financially unable to get credit (or credit that promotes responsible use). There are a few options out there. Prepaid debit cards are one – although they may not have fraud protection, the amount of money which can be stolen from them is limited by the amount of money the purchaser loads them with. They can also lend some anonymity. Another option is a reputable credit card designed for people with low or no credit, designed to theoretically build credit over time. Legitimate options tend to be low limit, from a reputable creditor, with some security deposit required, and should always be designed to be paid off every month in full. Unfortunately this is a security blog, so I recommend you seek some free financial advice.

CiPHPerCoder – The credit bureaus are not your friend. Do not count on them correcting any mistakes on your credit history. Do as Munin and Viss suggested. Normally, the saying goes, “An ounce of prevention is worth a pound of cure,” but in this case prevention is your only recourse: There is no effective cure.

evacide – When you make online purchases, consider not storing your credit card number as part of your account. The same goes for storing your credit card number in your browser. Use 2FA whenever possible to protect your accounts and a password manager to create strong, unique passwords, so that if one account is compromised, the rest of them are still safe.

Question 5: On the People Still Using Windows XP

Tons of people have computers. Some of those computers are so old they are no longer patched or remotely secure.  While operating system vendors have gotten better at forcing security updates in recent versions, security (especially in the era of the cloud) doesn’t necessarily indicate personal privacy. In terms of fundamentals from operating system, to browser, to antivirus, what are your suggestions to somebody who wants to upgrade their computer in a privacy-friendly way, but can’t afford more than a couple hundred dollars?

Viss – Microsoft gives updates to small businesses and students. Linux is free. Running linux is generally fine for people who simply need “a browser so they can Facebook and Gmail”, and that will keep them from the vast majority of exploits, drive by downloads and other attacks that by and large only target Windows. From the perspective of the operating systems, it tends to get a little hairy because they are designed to spy on people at this point. Github has several examples of an “unfuck script” that one can run on a Windows 10 installation to turn off all that telemetry. Once that’s done, I wager a combination of Windows Defender, EMET, and Malwarebytes for ransomware run all together and cranked all the way up should be a pretty good start. It’s surely more than most consumers would do on their own reconnaissance.

Munin – Most folks will be fine with a Chromebook. They’re kind of stuck in the Google ecosystem, which I don’t like, but they get continual patching and have a vastly lowered threat surface. If you’re OK with the whole “webapps for everything” thing – and let’s get real; that’s 90% of everyone’s usage these days anyway – then a Chromebook will likely meet your needs.

Lloyd – Chromebooks sacrifice some measure of privacy to Google in exchange for affordable computing experience. If you are not concerned what Google knows about you, this is a fine option. It is very difficult to keep operating systems up to date long term without regularly upgrading your computer.

plum – Basic, cheap ($200-ish), new systems seem easy enough to find. Certainly my best advice here concerns the disposal of old systems, as the general public is almost entirely in the dark when it comes to sanitizing equipment they don’t want anymore. I say this a lot – the lifecycle of personal computing is so incomplete. It’s so easy to get a new system, but we never really talk about how to get rid of the old one. Getting familiar with a utility like DBAN, which for $0 will wipe any trace of your existence from a hard drive, is a great first step.

Krypt3ia – Become more savvy about how your systems work. Keep them patched and try to keep up with the attacks out there. However, for the average normal person out there these things I just said sound like the teacher on Peanuts. Once again, do not trust any operating system unless you have complete control over it and frankly no one out there can do this. It is thus important that you learn some OPSEC lessons. But again, try getting this through to Gramma, it is not that easy. It takes education and not the once a year kind.

CiPHPerCoder – If you’re still on Windows XP, this probably means one of the following:

  1. You lack the capital to purchase a newer computer.
    • In this case, make the switch to Ubuntu or Linux Mint, which are great and user-friendly GNU/Linux operating systems.
    • If you’d like to get familiar before you commit to a new OS, get Virtualbox (it’s free).
  2. You’re a company that needs to use software that doesn’t work on newer versions of Windows.
    • Consider switching to something like Qubes and running your Windows XP-dependent software inside of an isolated virtual machine to minimize the risk of a full system compromise.

Otherwise, you should just upgrade to a newer version of Windows. Laziness is incompatible with security.

Lesley – Part of this comes down to a distinction between privacy from companies, privacy from governments, or privacy from traditional criminals and the average nosy Joe or Jane.

An updated version of Chrome OS or Windows has a professional security team behind it releasing patches and responding to reports of vulnerabilities. This is really important. Of course, those companies rely heavily on cloud computing and telemetry – that’s how they provide the user experience which their customers expect. We’ve been focusing heavily on solutions for people facing criminal / stalker-type privacy concerns. In those situations, Chrome OS is an affordable option (assuming associated Google accounts are well-secured). Up-to-date Windows (while pricier) can be a good choice, too.

If you’re worried about privacy from companies, commercial options probably aren’t a great choice. This is where more user friendly versions of Linux like Mint or Ubuntu may be feasible. Of course, these distributions of Linux are ostensibly free, but that’s somewhat offset by the amount of time required to learn to configure and secure them.

If you’re worried about sophisticated actors, not only should you keep sensitive data off the internet, but you should restrict sensitive work to full disk encrypted systems without any speakers or network, Bluetooth, or wireless adapters physically installed.

Question 6: Private Digital Communications

There are numerous reasons to use encryption, and communicate and browse the internet privately. Abuse and harassment victims, whistleblowers, celebrities, journalists, and even government and military personnel may have to contend with being targets of surveillance, physical threats, or blackmail. Beyond overt risk, we have a fundamental right to privacy from the massive networks of data collection of advertisers and marketing firms that buy and sell our intimate details. While some services like Signal, Tor, and Protonmail are free, trustworthy VPN often isn’t. What are your suggestions for somebody non-technical who wants to communicate and browse with minimal potential for interception, without paying a lot?

Viss – Wire is free. Signal is free. Tor is free. VPNs are not. I run a small VPN service for exactly this reason. It’s IPSEC not SSL. That’s an important distinction, as well as it’s not “an app”. My VPN service uses Cisco hardware, not just “some cloud instances”. Do some homework on any VPN provider you elect to choose and try to steer clear of SSL based VPNs. They usually collect data about you and where you go, so while it may protect you from the skiddies in the coffee shop, it’s not protecting you from the vendor collecting your data for your $5 VPN account. If you’re a bit more technically inclined you could simply use an SSH tunnel. For that same $5 you could spin up a Digital Ocean host and use that as an SSH tunnel endpoint. Or you could stand up your own VPN. If you’re concerned about a private messenger on your phone being an indicator of you doing something shady, then install a bunch of them and use them for silly things. I have a wire room setup for “only gifs, no talking allowed”. There are nearly 40 people in there and nobody says a word, we just post silly gifs. So while it looks like there may be discussions happening to any outside viewers who can’t see the messages, it’s just noise. If you make lots of noise, it’s super easy to get signal through it. You just have to make sure the patterns of signal to noise aren’t super obvious.

Munin – “Use Tor, Use Signal” is the cliche in our world now, but it’s really going to depend on your specific needs. Harassment victims have different threats than whistleblowers, than celebrities, than journalists – there’s no one-size-fits-all solution. Perhaps talk to one of us, or some other trusted source, to figure out what your threat surface is, and work out what tools you have available that can best be used to manage it?

Lloyd – Depending on who you’re concerned about watching you, Signal, Wickr, and WhatsApp are fine for communication. I’m also a big fan of a pen and a piece of paper, and old fashioned face-to-face meetings. And never use a free VPN.

Krypt3ia – Use Signal, use TOR Browser, and understand that everything you do on the net, everything you put out there is a threat to that privacy. For that matter, every device is giving up your private data and giving the companies and governments a portrait of “you” that can be used against you. How would I obfuscate this data? There are some means such as add-ons to Firefox (TrackMeNot and uBlock). You may also want to read Obfuscation: A User’s Guide for Privacy and Protest (MIT Press), which had some good ideas on how to use digital chaff to try and limit the real data these corporations have on us. If you have an adversary though that is directly in opposition, then use encryption (GPG, Protonmail, etc) but always know that the endpoints are always suspect (those you email with and the company serving you the service) so really, own the end point, forget the secrecy.

plum – Great points have already been made. I’ll add that it is critically important to remember to assess all of your online activity and electronic communication through the lens of litigation. If it exist(s)(ed), it can be subpoenaed. If this presents an unacceptable operational risk for you, hash things out face-to-face. If the logistics are not practical, follow Lloyd’s golden rule above: never use a free VPN. Tor is a go-to. While a little different, I would also keep an eye on Brave.

CiPHPerCoder – The only VPN you can trust is the one you’ve setup and administer. Most users aren’t technical enough to do this, and therefore shouldn’t use VPNs.

That said, there isn’t a winning concoction here that doesn’t require some user education to provide robust security against sophisticated threats.

Tor is great, but only if you understand its limitations. Tor + unencrypted HTTP means the exit node can sniff or alter your traffic.

Signal is great, but only if the person you’re talking with also uses it; otherwise, you’re communicating over unencrypted SMS. (You can turn the SMS fallback off.)

Whatever technology you choose, take 5 minutes to read through the documentation. The better you know your tools, the less likely you’ll make a fatal mistake when using them.

evacide – Before you choose a secure or private communications tool, think about your threat model: are you trying to protect your communications from criminals? From the government or law enforcement? From your parents or your spouse? These are all very different models. How important is it to you that the message should be secure? How important is it that the message actually gets to you in a timely fashion? (I’ve lost track of the number of arguments I’ve gotten into with my friends and family because a Signal message didn’t go through).  Are you OK with giving out your phone number for this communication?  Seriously, and I cannot emphasize this enough, Signal is not always the answer.

Lesley – A lot of differing opinions and options have been provided with regards to this problem – hopefully providing a starting point for consideration and discussion about private communications. I want to stress again that no matter what options you choose, noise is critical. Most of the private communications methods listed above hide the message, not the fact that you’re hiding a message. If you use VPN or encrypted messaging only for sensitive conversations or browsing you’re trying to hide, anybody watching will immediately start to look at that specific communication in more detail. For this reason, one of the first things I check in a computer under forensic investigation is the private / incognito browsing history. It usually contains only activity the user wanted to hide.

Whether you want to prevent an angry ex or a multinational criminal organization from intercepting your sensitive communications, make sure they are lost in a sea of everyday benign private traffic. That’s why Tor usage is so highly encouraged by privacy advocates for everyday communication – if only foreign journalists under death threat by rogue dictators used it, their traffic would be easy to spot and target.

Question 7: Authentication

Online accounts are always a target, and passwords are generally easy to guess by casual criminals and advanced actors alike. So, we frequently advise people to enable two-factor authentication on their accounts through an app or (less desirably) SMS. The problem is, not everybody has a smartphone of their own – particularly one that works everywhere reliably. What are your suggestions to somebody who uses online accounts, but doesn’t own their own phone?

Viss – Get a Google voice number, and set up hangouts to accept SMS messages. DO NOT SHARE THIS NUMBER WITH ANYBODY. You can set up 2FA SMS for everything that uses it, and those texts will hit Google hangouts. You can get them on a desktop/laptop, or through hangouts on your phone. The connection between your phone and Google is cert-pinned SSL, and the ‘secure texts’ will come through over data not SMS. It’s not a silver bullet, but it defeats Stingray attacks and mobile phone “man in the middle” attacks. You can also configure Google voice to either forward those SMS messages to another number, or email them to you, or another email account. There are many options.

Lesley – An alternative option is a physical two-factor security key, a tiny object which is inserted into the USB port of the computer you are using while you log into a wide range of web services. U2F keys are well under 20 dollars, easily purchased from many online retailers, and should theoretically last far longer than many electronic devices. The downsides are that if you lose the key you may be in trouble, it won’t be usable in places which block the use of USB ports, and it could potentially be seized.

Lloyd – U2F keys aren’t a cheaper option than what Viss recommends. I like physical keys but they have weaknesses: your key can be stolen, there is still limited support for physical keys, and they cost money. If you’re someone who forgets things, leaving your key at home or in the wrong bag can cost you a day of work if you aren’t careful.

plum – Without a true “something you have”, 2FA starts down a road of compromise. Like Viss, I have not completely criminalized the use of SMS, and he presents a creative solution. Burner phones can serve this purpose well. For five bucks, a refill card for a thousand text messages could last a while.

CiPHPerCoder – This came up a lot in the discussion of the Guardian’s terribly misleading WhatsApp article. In the real world, a lot of users share phones and swap out SIM cards rapidly. In the WhatsApp case, this makes public keys change rapidly, which could create a UX nightmare for people who have used WhatsApp for years and never even heard of encryption. Many of the 2FA assumptions break down in a shared-device scenario.

If you’re in dire straits here, Viss’ Google Voice number suggestion is probably your best bet. I’ve not heard any other realistic solutions for folks who share phones and don’t own security keys. If 2FA isn’t available, outright, consider making it more of a point to use a password manager (KeePassX, LastPass, 1Password, etc.) than if you had 2FA.

Munin – This particular question’s been giving me problems for a few days now. The long and short of it is that, as far as 2FA is concerned, the users are entirely at the mercy of the vendors as to what nature of 2FA solutions the vendors support – for instance, though I really, -really- want to use a yubikey with twitter, twitter declines to support this option and only allows SMS based second-factor auth.

Unlike the other questions here, this is one in which the user has very little control over whether or not they can effectively follow the advice given.

The ‘correct’ solution would be to only use services from vendors that support proper 2FA – but when those services won’t “do the job” – e.g. all your contacts are on a service that doesn’t do this correctly – you’re inherently limited in what you can do.

So my ultimate advice here would be – if you -can- follow the solutions given above, do so; if you’re not able to, then do the absolute best you can with what you have available. If you don’t have a unique device available for a second factor, it’s best not to push for a compromised second factor over a non-compromised single factor. Control what you can, and look for opportunities to make it better; and pay special attention to those things you cannot control – monitoring is a kind of mitigation.

Question 8: You, in the Real World

We’ve discussed our online lives in detail, but what we do every day in the physical world leaves a huge digital footprint as well. This includes all kinds of activities, like shopping, banking, and our hobbies and work. Let’s think in terms of our introductory example of a victim of stalking and abuse (this time, in 2017). What are feasible actions he or she can take in day-to-day life, with a small budget, to reduce the digital footprint left by his or her activities (while still remaining a part of modern society)?

Viss – Use a combination of personal travel and ridesharing applications or public transit to mask surface travel. Combine using different credit cards with paying in cash. Change travel routes to not consistently use the same path to get to destination. Make random stops (at shops, for coffee, etc, whatever) to make it harder to determine where you are going. Turn off your phone from time to time (yank the battery if you can). Don’t spend a lot of time walking on the street in the open. Travel in a vehicle or on public transit as often as you can. Do not dress to impress. Do not stand out. Plain shoes, jeans, t-shirt. If you want to blend in, then blend in. You can look spectacular later. Pay attention to your surroundings. See if people are pointing cameras at you. Take detours and see if you see the same people over and over again. If you think you are being followed, validate that feeling by taking more detours and seeing if the same people are there. If you are confident you are being followed, let the people following you see you taking their photo or recording them. It helps if you have more than a phone – like a GoPro or a camera of some kind. Usually in that scenario they’ll have no idea WTF to do. The easiest way to not be a victim is to not simply lie down and take it. If you feel you’re being victimized, complaining about it on Facebook or writing a longwinded gif-riddled post on imgur will solve nothing. Get evidence of stalking or abuse. As much as you can. Confront the problem head on. If your abuser is physically abusing you get a restraining order and back that up with video evidence. http://www.wikihow.com/Be-More-Perceptive This is a good start.

TL;DR: everything on the internet leaves some kind of log. Don’t post stuff online then try to remove it. Just don’t post it in the first place. Don’t openly volunteer information for the sake of small talk. If someone asks how your day was, tell them – but don’t feel obligated to explain that it’s going poorly because your car insurance carrier dropped you because you were unable to make your last payment, and that was because trouble at work led to you being fired. That’s a lot to unpack and gives random people WAY WAY MORE INFORMATION than they need to just chat you up. It takes a bit of practice, but you can usually turn those kinds of conversations around onto them, and have them tell you a life story while not saying a word.

Krypt3ia

Physical:

  1. Enhance your situational awareness
  2. Understand where the cameras are and seek places with less of them to do business
  3. Understand where the cameras are and seek to obfuscate their seeing you (hat, glasses, scarf, etc., and look down, not into them).
  4. Randomize your routine, in fact do not have a routine
  5. Read up and practice counter-surveillance techniques (I can recommend books) but really having real practical experience and mentorship is key

Digital:

  1. Take all of the advice above in this document and use it.
  2. Leave your digital equipment behind or put them in Faraday bags
  3. Understand the precepts of OPSEC with regard to the internet
  4. Be vigilant

plum – Endeavor to use more cash. Every time you use a credit card, you’re generating data about where you are and what you’re doing.

Don’t allow mobile apps to use your location automatically, or at all.  Don’t check in.  The world doesn’t need to know you’re going for a run on your lunch break *right now*.  Tell them later about how you had a great run today, without mentioning where and when.  Small things like this. You’re not hiding your habits, you’re just removing the unnecessary precision in describing them.

Augment your digital protection strategy with self-defense skills.  You may never need to use them, but you’ll feel a hell of a lot more confident.  And when you’re confident, you carry yourself better, you’re more aware of your surroundings, and you turn the tables on being vulnerable.

Lloyd – Privacy and security are a practice, and can’t be done alone. Your information, even your home address, is known and stored in devices and on paper by your friends, family, and coworkers. Most “hacks” occur via social engineering, where unsophisticated people are exploited for the information they keep. Educating the people around you should always be a part of any physical security practice.

Lesley – Pseudonyms and fake backgrounds aren’t just for criminals, people on the run, or spies. Sometimes, a little white lie is legal and okay, and even recommended. There are lots of places in your daily life where you can operate outside your real identity without even violating terms of use agreements. Countless examples include the fact that you don’t have to ship or receive packages at your house, you don’t have to provide real answers to your security questions, and you rarely are required to register for incentive or loyalty programs under your real name or address. Consider what information you are providing third parties out of naive, good-hearted honesty, versus what information you are providing out of legally-obligated honesty. Data collection and marketing firms don’t have your interests in mind. Why are you treating them like you have an honest, confidential relationship?

CiPHPerCoder – If you can, turn your phone off and take the battery out when traveling or discussing anything sensitive with your friends or family. Try to practice common sense at all times. Don’t, for example, take needless selfies and then share them publicly on social media if you’re trying to attain better privacy. Simply put: They don’t need to know, so don’t tell them.

Paying with cash has two benefits: It’s not directly linked to your bank account, and it promotes better money management discipline than debit/credit cards (which in turn will allow you to save money toward some of the solutions discussed above that might be out of your budget).

evacide – A lot of the advice above means making major changes to the way you live. Think about how much you’re willing to change in order to avoid your stalker/abuser. A lot of victims are trying to balance their desire for privacy and distance from their abuser with a desire to continue living their lives in a normal fashion. Some simple steps such a person can take include using a pseudonym on social media accounts, locking down one’s social media accounts so that content can only be viewed by trusted friends, and making one’s trusted friends aware of the situation so that they can alert you if they are contacted by your stalker/abuser trying to get information out of them.

Munin – The advice above is all good, but ultimately, the real problem is in balancing proper paranoia with the ability to function as a person. This is very difficult.

Balancing the need to stay hidden with the very real psychological dangers of isolation is difficult even for trained professionals – so maintaining such a cover will necessarily cause stress and strain. If you have anyone that you can trust, make sure you can stay in contact with them to keep an even keel. That will help with balance, and help you remember how to use the other advice appropriately.

★ ★ ★

(Additional credit on this article goes to Bill Sempf, who contributed extensive expertise on skiptrace investigative methodology.)

All opinions in this article are that of the individual contributors, and do not necessarily reflect the views of their employers, past, present, or future.

Ask Lesley InfoSec Advice Column: 2017-01-30

Thanks for another wonderful week of submissions to my “Ask Lesley” advice form. Today, we’ll discuss digital forensics methodology, security awareness, career paths, and hostile workplaces.


 

Dear Lesley,

I’m a recent female college graduate that didn’t study computer science but is working in technical support at a software company. The more I learn about infosec, the more curious and interested I get about whether this is the field for me. What resources/videos/courses/ANYTHING do you recommend for people who want to make a serious stab at learning infosec?

– Curious Noob

Dear Curious,

I’m really glad to hear you’re discovering a passion for infosec, because curiosity is really the most fundamental requirement for becoming a good hacker. I wrote a long blog series about information security careers which I hope you may find helpful in discovering niches and planning self-study. For brevity’s sake, here are some options for you.

  • Study up on any fundamental computer science area you’re underexposed to in your current work – that means Windows administration, Linux administration, TCP/IP, or system architecture. You need to have a good base understanding of each.
  • Get involved in your local CitySec, DEF CON local, or 2600 meet up group. They are great networking opportunities and a fabulous place to find a mentor or people to study with. There are meet ups all over the world in surprising places.
  • Consider attending an infosec / hacking conference. The BSides security conference in the nearest major city to you is a great option and should be very affordable (if not free). Attend some talks and see what speaks to you. Consider playing in the CTFs or other security challenges offered there, or at least observing.
  • Security Tube and Irongeek.com are your friends, with massive repositories of conference talk videos you can watch for free. Nearly any security topic that piques your interest has probably been spoken about at some point. I would favor those sites over random YouTube hacking tutorials which really vary in quality (and legality).
  • Consider building your own home lab to practice with basic tools and techniques. Networked VMs are adequate as long as you keep them segregated: Kali Linux and a Windows XP VM are a great place to start. You need to take stuff apart to learn about hacking.

These are only some brief suggestions – there’s no streamlined approach to becoming a great hacker. Get involved, ask questions, and don’t be afraid to break stuff (legally)!



Dear Lesley,

What do you do when you provide security awareness training to your employees, but they still click on phishing links!

– Mr. Phrustrated

Dear Phrustrated,

Beyond generally poor quality “death by PowerPoint” training, one of the biggest problems I see in corporate security awareness programs is poor, unsustainable measures of success. For instance, it’s become really trendy to conduct internal phishing tests to identify how many people click on a phish. It’s incredibly tempting to show off to executives that this number is trending down, but that metric is really pretty worthless.

No matter how ruthlessly trained, somebody (and anybody) will click on a well-enough crafted phish, and it only takes one compromise to breach a network’s defenses. What we should be measuring is the reporting of phishing messages and good communication between employees and the security team. The faster we know an attack is underway, the faster we can respond and mitigate the threat.

In conclusion, you should be less concerned if “somebody is still clicking” phishing messages than if nobody is telling you they clicked, and they resist or lie in embarrassment when asked.
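One way to put that metric into practice, as an added example that is not part of the original column: the script below scores a constructed campaign log and reports the numbers this answer argues for (report rate, minutes until the first report, and the one to worry about: people who clicked and told nobody). The log layout, one "timestamp,user,event" line per event with events sent/clicked/reported, is an assumption; map whatever your phishing tool exports onto it.

```python
"""Score a phishing exercise by what people reported, not only what they clicked.

Added example, not code from the original column. The log format is an
assumption: one event per line as "ISO-8601 timestamp,user,event" with
event in {sent, clicked, reported}; map your phishing platform's export
onto this shape.
"""
from datetime import datetime
from statistics import median

# Constructed sample campaign log (not real data): four targets, two clicks,
# two reports. Bob clicked and then reported; Dave clicked and said nothing.
SAMPLE_LOG = """\
2017-01-30T09:00:00,alice,sent
2017-01-30T09:00:00,bob,sent
2017-01-30T09:00:00,carol,sent
2017-01-30T09:00:00,dave,sent
2017-01-30T09:04:00,bob,clicked
2017-01-30T09:06:00,bob,reported
2017-01-30T09:12:00,alice,reported
2017-01-30T09:40:00,dave,clicked
"""


def parse_log(text):
    """Yield (timestamp, user, event) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(",")
        yield datetime.fromisoformat(ts), user, event


def score_campaign(text):
    """Return the metrics that matter for response, not just the click rate."""
    sent_at, clicked, reported_at = {}, set(), {}
    for ts, user, event in parse_log(text):
        if event == "sent":
            sent_at[user] = ts
        elif event == "clicked":
            clicked.add(user)
        elif event == "reported":
            reported_at.setdefault(user, ts)  # keep the first report only
    targets = len(sent_at)
    if not targets:
        raise ValueError("log contains no 'sent' events")
    # Minutes from delivery to each user's first report.
    delays = [
        (reported_at[u] - sent_at[u]).total_seconds() / 60
        for u in reported_at if u in sent_at
    ]
    return {
        "targets": targets,
        "click_rate": len(clicked) / targets,
        "report_rate": len(reported_at) / targets,
        # The number to worry about: clicked, and nobody told the security team.
        "clicked_silent": len(clicked - set(reported_at)),
        "clicked_then_reported": len(clicked & set(reported_at)),
        # How long until the security team could have started responding.
        "minutes_to_first_report": min(delays) if delays else None,
        "median_minutes_to_report": median(delays) if delays else None,
    }


if __name__ == "__main__":
    for name, value in score_campaign(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

On the sample log the click rate and report rate are both 50%, which is exactly why the click rate alone tells you nothing useful: the same numbers hide one user who reported within six minutes and another who clicked and stayed silent. Track the silent clickers and the time to first report over successive campaigns; those are the numbers that change how fast you can respond to a real phish.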


Dear Lesley,

Is there a mental checklist while doing digital forensics to not make your evidence point to your quick conclusions, even if you think you have seen a similar case?

– Jack Reacher Jr.

Dear Jack,

Identifying that this is a problem is a great first step. While intuition is an important part of being a good investigator, sound methodology is even more important. The checklist you use to collect evidence and perform an investigation is going to vary by where you work and what types of things you investigate, but you should always have and follow a checklist – and I recommend it be a paper checklist, not mental.

Don’t ever shortcut or skip steps, even when you’re in a high pressure situation. Shortcuts and assumptions are incredibly dangerous to the legal and technical validity of investigations. Gather all the facts available to you at the time, and document every step you take so that a colleague (or a legal professional) can follow your work even far in the future.

Finally, always remember that in a digital forensic investigation we are generally providing evidence to reach conclusions about “what, when and how”. “Who” is shaky ground, because in most cases it involves context outside the digital device. “Why” is almost never the business of a forensic analyst (and is indeed often not within the capacity of a company to responsibly answer). If you find yourself looking for evidence to fit a presumed “why” scenario, you have a big problem and you need to step back.


Dear Lesley,

I’m this girl like I said, who just started working in the field, and for the past 4 months, I worked at this huge corporation, who has, among other services, an information security related one, offering technical security (pen testing, …) and non-technical security services. At that time, I had little information about advanced hacking techniques as well as the good practices that should be followed to secure our systems.

During the first weeks I got hacked by someone who’s working with me, and I was harassed and shamed by them since then. I knew it because this person would talk about their findings to everyone, even to non-technical people, in the corporation. People would look at me and laugh, smile, smirk, or look at me pathetically, in addition to other situations.

Knowing that this person is an expert (12 or more years working in information security) and that I don’t have any proof of their actions, what should I do in your opinion? What kind of advice would you give to girls and women like me, who want to work in the field but get harassed by their experienced co-workers instead of being encouraged by them?

– I

Dear I,

Your story gave me pause enough to discuss it substantially with several colleagues in information technology who have also worked in extremely hostile environments.

This is a horrific situation. I want to make it crystal clear that this is utterly shameful on the part of your employer, your infosec colleagues, and your organization’s corporate culture. I truly hope it does not drive you from our field. The most important thing I can tell you is that this is not your fault, and this is not normal.

The first thing I recommend you do is document everything that’s happening in as much detail as possible, even if you don’t feel you have evidence right now. The activity you’re talking about may not only be harassment, but violate hacking laws. Since device compromise is a concern, please maintain this documentation offline.

What you do next depends on factors you don’t mention in your note. First of all, if you have a trusted supervisor, manager outside your team, or senior mentor in your organization, please turn to them for assistance and ensure they are corroborating what has been happening to you on paper. It’s their responsibility to assist you in resolving the issue at a work center or corporate level, even if they’re not directly in your reporting chain.

If there’s nobody at all you can go to in confidence, the situation becomes substantially more unpleasant. Your options are to ignore the behavior to stick out the requisite ~2 years of entry level security at the organization (obviously the worst option), seek employment elsewhere, or contact an HR representative (with the risk of retribution and legal battles that can bring). Obviously, my personal recommendation is taking you and your computer straight to HR. As a wise colleague of mine pointed out, this is most likely not an isolated incident – the behavior and dismal culture will continue for you and others. Sadly, in some places in the world with fewer employment protections, this can carry the risk of termination. Keep in mind that it is okay to confidentially consult a lawyer within the terms of your employment contract, and pro bono options may be available.

If HR / legal action is not an option, you can’t find employment elsewhere, and you’re toughing it out to build entry level experience, please network and find a local mentor and support structure outside of your company as soon as possible. As well as much needed emotional support, these people could help you study, network, bite back, and explore other recourse against the employer. Feel free to reach out to me anonymously and we’ll try to connect you with somebody in your area.

Best,
Lesley

Thwart my OSINT Efforts while Binging TV!

There’s been a bit of a social media uproar recently about the data collection practices of people search service FamilyTreeNow. However, it’s certainly not the first, only, (or last) service to provide potentially uncomfortable private information about people on the internet without their knowledge or consent. Even the most technologically disconnected people are frequently searchable.

In conducting OSINT research on people, services like FamilyTreeNow are often a gold mine, and are one of my first stops when I’m searching out useful facts to pivot into more intimate details about a target. Do you really want any casual stranger to know your home address, phone numbers, email addresses, and the names and ages of your kids? While disappearing from the internet completely can be nigh impossible, spending a little time removing easily accessible data can cause frustration and extra work for a nefarious (or nosy) person investigating you. I speak from experience. So, it’s worth taking some time to do, as we always want to make bad guys and gals’ lives harder.

So, grab a snack and a beverage, queue up a TV show to binge watch, and let’s make some quick and easy wins in helping you disappear from the malfeasant public eye. I’ll only ask you do five quick tasks per episode. You can do them during the boring parts.

Before we start, I highly recommend setting up a new webmail account to perform these removals. Almost all of the services require an email to opt out, and many require account registration. Since we’re dealing with firms that collect information about people, it’s sensible to avoid using your day to day or work email.

One last thing! It’s important to remember these services are not always accurate. You may have more than one entry for yourself at any of these services. Make sure to check!

Let’s begin!

  • Let’s get the aforementioned FamilyTreeNow out of the way. Their opt-out form is here: https://www.familytreenow.com/optout. They’ll require you to search for yourself through the opt-out page then click a red “opt out this record” at the top of your entry. (You must repeat this process from the start for every profile you wish to remove.)
  • Next, let’s head over to Instant Checkmate. Their Opt Out form is here: https://www.instantcheckmate.com/optout/ and requires you enter a name, birth date, and a contact email address.
  • We’ll head over to PeekYou, next, which requires you search their database first and provide the numeric profile ID in your page(s) URL, as well as an email address. Their opt out page is: http://www.peekyou.com/about/contact/optout/
  • Next up is Spokeo. You’ll once again need to search for yourself, but this time all you need to do is copy the full URL of your page(s). Then, head here: http://www.spokeo.com/opt_out/new, paste that link and enter your email address.
  • Let’s head to BeenVerified’s opt out page at https://www.beenverified.com/f/optout/search. Simply enter your name and location, select your entry or entries, enter your email, and click the verification link that is immediately sent to you.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • So, Whitepages has two different types of profiles – free and paid, and they seem to have little to do with one another in terms of removal. For the free side, you’ll have to sign up for their service to remove entries, (which includes email verification). Once logged in, you simply need to paste the link to your entry here: https://secure.whitepages.com/me/suppressions.
  • For Whitepages Premium, you must open a quick support ticket with their help desk. Full details and the Help interface are here: https://premium.whitepages.com/help#about. You will need to copy and paste the link to your premium profile in the ticket (not the free Whitepages entry).
  • Let’s head over to PeopleFinders, http://www.peoplefinders.com/manage/. This one’s super easy; just use the search box to find your profile, and then click the opt-out button.
  • PeopleSmart is also relatively simple. Search for yourself at https://www.peoplesmart.com/optout-go. You will need to enter an email address and click a verification link.
  • USA People Search’s opt out page is here: https://www.usa-people-search.com/manage/ and simply requires clicking your profile and entering a captcha.

 SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • Let’s head to Radaris, at https://radaris.com/. Search for yourself. Click “full profile”, then click on the down arrow to see the full menu of options. There is one that states “Control Information”. This will prompt you to register for an account with their service and claim your profile as yourself. Once you have done so, you will have the option to “Remove Information” or take your aggregated profile private, at any time.
  • The last information service we’ll tackle today is Peoplelooker, at https://www.peoplelooker.com/f/optout/search. Once again, a relatively easy opt-out process using a verification email.
  • Finally, let’s do a little social media cleanup!
    • If you have a Facebook account, perform a Privacy Checkup. It won’t take too long. Ensure your posts and likes are as private as possible.
    • If you use Google or YouTube services, perform their Privacy Checkup. Once again, ensure nobody but the right friends and family can see your activity.
    • Head to LinkedIn. On the header menu, select Privacy & Settings, then select the “Privacy” tab. Consider how much sensitive detail you are providing about your workplace, their tools and processes, and yourself. Consider restricting certain data on your profile to only connections and members.

Good work! Enjoy the rest of your snack and your show! Be proud that you’ve done some good work cleaning up your public presence, today.

***

It’s important to note that I’ve left a couple services out of this guide that are referenced in other comprehensive lists, (like this one), due to the complexity and frustration of removing data from their services. Notable examples, Intelius (and their many subsidiaries) and US Search unfortunately require a form and photo ID for information removal – the latter by fax or snail mail(!) So, while we won’t tackle these removals while we watch TV and enjoy a nice cold beverage, they are something to consider addressing with a little time and during business hours.

If you are in a sensitive situation and need a clean slate as soon as possible, I do recommend considering a paid data removal service like Abine.

 

Ask Lesley InfoSec Advice Column: 2017-01-19

Thanks for your interesting question submissions to “Ask Lesley”! This column will repeat, on no specific schedule, when I receive interesting questions that are applicable to multiple people. See further details or submit a question, here. Without further ado, today we have OS debates, management communication issues, nation state actors, and career questions galore!



Dear Lesley,

So last year’s Anthem breach was from a nation state – why would a nation state want to hack health insurance info? I understand the identity theft motivation of a criminal, but why do you think a nation state would want this type of data?

– Inquisitive

Dear Inquisitive,

First off, I can’t confirm the details of the Anthem breach – I wasn’t involved in the investigation and haven’t had the privilege of reviewing all the evidence. However, when generally talking about why a state-sponsored actor might want to acquire data, you have to look at a bigger picture than data sets. Nation states usually view hacking as a means to an end. They (ab)use data with a firm political or military objective in mind. Whether a nation state intended to steal 80 million records, or the theft was a crime of opportunity when looking for something more specific, what they stole may unfortunately be useful to them for years to come.

You can obviously already see how the data stolen in a healthcare breach is a treasure trove for general identity theft. The piece I believe you might be missing considers how the data could be combined with other public domain and stolen information to facilitate political objectives. If you already have a target in mind, healthcare data could be a great boon to social engineering, blackmail, and surveillance efforts. For example, consider how much leverage knowing that a target’s child is ill could provide. Or that a target family is hundreds of thousands of dollars in medical debt. These are attractive attack vectors. I can only speculate on potential scenarios, but based on my experience in OSINT, the data stolen from Anthem adds attractive private information about many millions of people.

 


Dear Lesley,

The ‘researcher’ portion of ‘security researcher’ implies graduate school – is PhD study in cybersecurity worth it? There doesn’t seem to be many programs that are worthwhile (except on paper only)

– Not in Debt, Yet


Dear Not in Debt, Yet,

That’s an interesting implication – not one I necessarily agree with based on empirical evidence. I know full time, professional security researchers studying everything from exploits to governance who have every level of formal education, from GEDs to PhDs.  I do see certain fields of security research represented in higher education more than others – a couple examples are high level cryptography and electronic engineering.

I have always been an advocate for higher education and I see little harm and many benefits in getting a good education in a field you enjoy (particularly, a well-rounded education) if you can afford it. However, at the present, there are very few information security careers or communities of research which require a degree, and fewer good quality degree programs. You should see few credential-related barriers to participating in or publishing security research if your work and presentation is good quality.

In some ways, existing exclusively in academia can also make it harder to work in practical security research, as the security field changes more quickly than university curricula can keep up. As a result, some academic security research ends up impractical and theoretical to a fault. (See my yearly rants on steganography papers.) If you go the academic route, choose your field of study carefully, and be careful not to lose touch with the working world.


Dear Lesley,

While working on my 5 BILLION dollar data breach, I wanted some blue cheese dip and chips (The Spice House in Chicago has the best mix btw), a co-worker looked at me with disgust. Am I wrong? Also what’s a good resource to learn about file carving?

– Epicurean EnCE

Dear Epicurean,

Clearly, your coworker is a Ranch dressing fan and should therefore be looked upon with disdain. In regards to file carving, your mission, (should you choose to accept it), is to review how files are physically and logically stored on a hard drive. Next, you’ll want to start familiarizing yourself with typical file headers and footers. Gary Kessler has a pretty killer list, here. Some file types will be more relevant to your specific work in forensics than others; I can’t tell you which those will be.  Your best bet is to pick a couple file types you look at a lot and look at them in a hex editor, then start searching for them in a forensic image.

Brian Carrier’s File System Forensic Analysis book, while a bit older, is still a stellar resource for understanding How Disk Stuff Works. SANS SIFT kit includes the tools you will need to get started carving files from disk, and the associated cheat sheets will help with the commands.

If you want to carve files from packet captures, similar header/footer knowledge is required, along with a different tool set. Wireshark’s export alone will often suffice; if it fails, look at Network Miner.
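To make the header/footer idea concrete, here is an added example (not code from the column, from SIFT, or from Carrier’s book): a minimal carver in Python that knows exactly two file types, JPEG (SOI marker FF D8 FF at the front, EOI marker FF D9 at the end) and PNG (the eight-byte signature at the front, the IEND chunk at the end), and runs it over a byte buffer constructed inline to stand in for a disk image. The buffer, the filename scheme, and the 10 MiB size cap are all assumptions for the demonstration.

```python
"""Minimal header/footer file carver for JPEG and PNG.

Added example, not code from the column, SIFT or any production carver.
The signatures are the standard ones; the "disk image" is constructed
inline below and is not a real forensic image.
"""
import struct
import zlib

# file type -> (header, footer).
# JPEG: SOI marker FF D8 followed by the next marker's FF; EOI marker FF D9.
# PNG: the eight-byte signature; the complete IEND chunk (zero length, type, CRC).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
}


def carve(buf, max_len=10 * 1024 * 1024):
    """Return [(type, offset, data)] for each header whose footer follows within max_len.

    Single forward pass: the earliest header of any type is taken next, and
    after a successful carve scanning resumes past the carved bytes, so
    signatures inside an already carved file are not treated as new files.
    Caveat: a JPEG with an embedded EXIF thumbnail contains an inner FF D9,
    so this naive footer match truncates such files; production carvers
    parse the marker structure instead of trusting the first footer.
    """
    found, pos = [], 0
    while True:
        nxt = None
        for ftype, (header, footer) in SIGNATURES.items():
            i = buf.find(header, pos)
            if i != -1 and (nxt is None or i < nxt[0]):
                nxt = (i, ftype, header, footer)
        if nxt is None:
            return found
        i, ftype, header, footer = nxt
        end = buf.find(footer, i + len(header), i + max_len)
        if end == -1:
            pos = i + 1  # orphaned header (truncated or fragmented file): skip it
            continue
        end += len(footer)
        found.append((ftype, i, buf[i:end]))
        pos = end


def tiny_png():
    """Build a valid 1x1 red PNG so one carved output is a real, viewable file."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF  # PNG CRC covers type + data
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one RGB pixel
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# Constructed "disk image": slack, a JPEG stand-in (valid markers only, not a
# decodable picture), more slack, a real PNG, trailing slack.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" + b"\xff\xd9"
    + b"\x00" * 100
    + tiny_png()
    + b"\x00" * 64
)


if __name__ == "__main__":
    for ftype, offset, data in carve(SAMPLE_IMAGE):
        name = f"carved_{offset:08x}.{ftype}"  # assumed naming scheme
        with open(name, "wb") as fh:
            fh.write(data)
        print(f"{name}: {len(data)} bytes")
```

Run it and you get two files: a 21-byte JPEG stand-in carved from offset 512 and the PNG from offset 633, the latter openable in any image viewer. The orphan-header path is the edge case worth noticing: a header with no footer within the size cap is skipped rather than carved to end-of-buffer, which is what you want for truncated or fragmented files. Once you have looked at a few real files of your own in a hex editor, extend SIGNATURES with their markers and run the same loop over a real image.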


Dear Lesley,

What was the silliest / dumbest thing you’ve googled this week?

– Curious in Cincinnati


Dear Curious,

“The shirt, 2017”

I still don’t get what’s up with that.

 


Dear Lesley,

I teach high school computer science courses and many students’ biggest interest is infosec stuff. What should they do to prepare at that age? Any recommendations on software or skills I can teach them? I’m willing to put in the time and effort to learn things to teach and we have class time, but this isn’t what my tech career focused on so I need some help. Thank you, you’re the best!

– Mentor in Michigan

Dear Mentor,

Being a crummy hacker requires learning to use a few tools by following YouTube. Being a good hacker requires a great deal of foundational knowledge about other, less entertaining computer stuff.

The better one knows how computer hardware, operating systems, and networks work, the better he or she will be at hacking. If kids come out of your classes unafraid of taking their own software and hardware apart, you did your job right. That means a lot of thinking about how Windows and Linux function, how computer programs work all the way down to Assembly, and how data gets from point A to point B. If you are going to encourage kids to take stuff apart, make sure they also understand that law and ethics are involved. Provide them a safe and legal sandbox to explore, and explain why it’s important to know how to break things in order to fix them.

As an aside – by high school, kids are more than old enough to be actively participating in the infosec community if they wish. Numerous kids and teens attend and even present at hacker events, these days; in fact, many conferences have educational events and sponsorships specifically for youth.

 


Dear Lesley,

 I normally use a Chromebook, but I also have to use Windows 10 so that I can use Cisco packet tracer (I’m studying CCNA). I really trust the security of my Chromebook, but Windows 10 – not so much. I have antivirus, anti-exploit and anti-ransomware software on my Windows laptop. But my question to you is: Is there a resource that you know of that can help lock down Windows 10 for the home user? Most of what I find is for enterprises and Enterprise versions of Windows 10 and if I do find something for the home user it invariably talks about privacy rather than security.

–  Kerneled Out


Dear Kerneled Out,

The OS wars, while somewhat befuddled by 2016, are alive and well. There are dogmatic Linux fans, and dogmatic Windows fans, and so on and so forth. My opinion is that every OS has its place when used correctly by the right person. Many serious security people I know use every major OS on a daily basis – I sure do.

Swift On Security has a nice guide here on securing Windows 10 that should suit your needs.

As for Chrome OS over Windows – please don’t fall into the “security by obscurity” trap that MacOS and Chrome OS can encourage. They are both solid OSes with interesting ideas on security, and viable choices for home and business use cases. However, modern versions are not inherently more or less secure than modern Windows. MacOS, Windows, Chrome OS, and major Linux distros are as secure as they are configured and used by human beings. Of course, the complexity of configuring them can vary based on user experience and training.

 


Dear Lesley,

How come everyone wants 5 years experience for an entry level infosec job? I’ve been trying to get gainful employment in an offensive role for more than 6 months and no one wants anyone with less than 5 years of pentesting/red teaming experience. Can’t exactly do pen tests until you’re a pentester, so what do I do?

– Frustrated

Dear Frustrated,

I’m sorry to hear you’re having so much trouble finding a position. I have written quite a lot about infosec career paths and job hunting in previous blogs, and I hope that they can assist you a little. Red teaming is unfortunately much harder and more competitive to find work in than Blue teaming, so my suggestions here are not going to be particularly pleasant:

  • Consider your willingness to move. There are simply more red team jobs in places like DC and the west coast.
  • Consider if you can take a lower-paid internship. It sucks, but it’s an in, and pen testing firms do offer them.
  • Consider doing blue team SOC work for a couple years. It’s not exactly your cup of tea, but it will give you solid security experience.
  • Network like crazy. Get to the cons and the meet-ups in person. Talk to people and build relationships.
  • Do research and speak about it. Pick something that intrigues you, even if you have no professional experience, and do a few months work, and submit to a CFP. It will get you name recognition.

Dear Lesley,

Many infosec professionals feel that signature-based antivirus is dead. If that is the case… What do you recommend we replace it with to protect our most vulnerable endpoints (end users)?

– Sigs Uneasy

Dear Sigs,

That’s the kind of black and white statement that makes a good headline, but exaggerates the truth a bit. Yes, there are a couple companies who have been able to ditch antivirus because of their topology and operations. The vast majority still use it. While signatures alone don’t cut it against quickly replaced and polymorphic threats, other antivirus features, such as HIPS and heuristics, still provide a benefit. (So, if you’re still using some kind of antivirus that can’t do those things, it’s time to upgrade.)

Antivirus today is useful as part of a “defense in depth” solution. It is not a silver bullet, and it’s certainly defeatable. However, it still catches mass malware and the occasional targeted threat. The threats AV misses should be caught by your network IPS, your firewall, your web filters, your application whitelisting solution, and so forth. None of those solutions is bulletproof alone, and even the efficacy of trendy solutions like whitelisting is limited if you don’t architect and administer your network securely.


Dear Lesley,

I was testing a network and found some major flaws. The management doesn’t seem too bothered but I feel the issues are huge. I want to out them because these flaws could impact many innocent people. But if I do, I won’t be hired again. I look forward to your response.

– Vaguely Disturbed

Dear Disturbed,

Before whistle-blowing and potentially getting in legal trouble, I highly recommend you approach this argument from a solid risk management perspective. Sometimes, “it could be hacked” means a lot less to management than, “9 companies in our industry were breached in 2016, and if we are, it will probably cost us over 70 million dollars in lost revenue”. If you have access to anybody with a risk analysis background you can reach out to under the relevant NDA, I highly recommend you have a chat with them and put together a quantified, evidenced argument, ASAP. The more dollar signs and legal cases, the better your chances of winning this.

At the very least, win or lose, ensure you’ve covered your butt. This means written statements and acknowledgements stating you clearly explained the potential risk and also that they willfully chose to ignore it. Not only does requiring a notarized signature make the appearance of threat go up, but it will be helpful in case they decide to blame you or your employer two years from now.

I would suggest you consult a lawyer before breaking NDA or employment contract by whistle blowing, no matter how noble your intentions. I am not a lawyer, nor do I play one on TV.


Dear Lesley,

I make software and web applications that connect to software and services from other companies. Sometimes those companies disable or cripple some features due to possible security exploits. When I’ve met with security people from those companies and asked them about the features they nerfed (disabled or crippled), I’m met with an awkward silence similar to the vague errors I get from their servers. As a developer, I’m so used to the open-source community that wants to help that this feels weird. Is there some certification, secret handshake, or specific brand of white fedora I need to have conversations with security people about their products security issues? Just trying to learn and grow, and not cause a mess for anybody.

– Snubbed

Dear Snubbed,

No secret handshake. Here are a couple suggestions from the receiving end of these types of concerns:

  • Set up a security lab with your applications and a client on it. Install a Snort or Suricata sensor(s) with the free Emerging Threats ruleset in the midst of them to intercept their communication. (Security Onion is a nice, relatively easy to install option.) Send normal application traffic back and forth and see what security signatures are firing on the network.  That will give you some idea of what might be getting blocked before you even start the discussion (and help you reduce false positives).
  • Ensure your applications are getting proper vulnerability testing before release. Again, even if you’re coding securely and responsibly, this can help reduce false positive detection by vulnerability scanners or sensors.
  • Ask the security people what security products or appliances they are using on the hosts and on the network, and what signatures are firing. You might not have access to a 20,000 dollar security appliance to test, but their sensor might have full packet capture functionality or verbose logs that will help you troubleshoot.
  • Try to build a better professional relationship with these teams if you can. If they’re involved in a local security group, perhaps drop by and have a drink with them.
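The first suggestion above ends with "see what security signatures are firing". On a Suricata sensor the alerts land in eve.json, one JSON event per line, and the fastest way to turn that into something you can bring to the other team is a per-signature summary. The script below is an added example written for this post, not a tool from the Suricata, Snort, Emerging Threats or Security Onion projects. The EVE lines it reads are constructed, and the signature IDs 2000001 and 2000002 and their rule names are placeholders rather than real rules.

```python
import json

# Constructed Suricata EVE JSON lines (eve.json is newline-delimited JSON, one event per line).
# The SIDs 2000001/2000002 and the rule names are placeholders for this example, not real rules.
# The last line is deliberately malformed to show that a bad line does not abort the summary.
SAMPLE_EVE = """\
{"timestamp":"2017-01-10T12:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":52110,"dest_ip":"10.0.0.20","dest_port":8080,"proto":"TCP","alert":{"signature_id":2000001,"rev":3,"signature":"EXAMPLE POLICY Unusual User-Agent (placeholder)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2017-01-10T12:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}
{"timestamp":"2017-01-10T12:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":52111,"dest_ip":"10.0.0.20","dest_port":8080,"proto":"TCP","alert":{"signature_id":2000001,"rev":3,"signature":"EXAMPLE POLICY Unusual User-Agent (placeholder)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2017-01-10T12:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.20","src_port":8080,"dest_ip":"10.0.0.5","dest_port":52111,"proto":"TCP","alert":{"signature_id":2000002,"rev":1,"signature":"EXAMPLE WEB_SERVER SQL keywords in response body (placeholder)","category":"Web Application Attack","severity":1}}
not json at all
"""


def parse_eve_alerts(text):
    """Yield only alert events from EVE JSON text; skip other event types and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line should not abort the whole summary
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def summarize_alerts(alerts):
    """Group alerts by signature id: hit count, rule metadata, and the distinct flows that fired it."""
    summary = {}
    for ev in alerts:
        a = ev["alert"]
        sid = a["signature_id"]
        entry = summary.setdefault(sid, {
            "signature": a.get("signature", ""),
            "category": a.get("category", ""),
            "severity": a.get("severity"),
            "count": 0,
            "flows": set(),
        })
        entry["count"] += 1
        entry["flows"].add((ev.get("src_ip"), ev.get("src_port"),
                            ev.get("dest_ip"), ev.get("dest_port"), ev.get("proto")))
    return summary


def report_lines(summary):
    """Human-readable lines, noisiest signature first, so the top of the list is what to tune or fix."""
    lines = []
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"sid {sid} x{e['count']} sev {e['severity']} [{e['category']}] {e['signature']}")
        for src, sport, dst, dport, proto in sorted(e["flows"], key=str):
            lines.append(f"    {proto} {src}:{sport} -> {dst}:{dport}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(summarize_alerts(parse_eve_alerts(SAMPLE_EVE)))))
```

Against a real sensor you would feed it the contents of the EVE log (by default `/var/log/suricata/eve.json`) instead of `SAMPLE_EVE`. The summary groups by signature ID rather than by rule name so that a rule revision bump does not split one noisy rule into two entries, and the flow tuples under each rule tell you which of your application's conversations is triggering it before you ask the other side for packet captures.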

Dear Lesley,

I’m feeling it is time to move on from Windows XP, but only because many things no longer support it, and 3Gb is a bit limiting when running VMs and the like. I’ve tried Windows 10, and it is completely alien, and I worry about security – it streams things back to Microsoft, and is less secure than my hardened XP install. I’ve tried Mint Linux, and that was quite good, but underneath it is even more alien than Windows 10. I’ve heard of BSD, but I’m worried that my political career could be over if word about that got out, so I’ve not tried it. What do you suggest?

– Unsupported in UK

Dear Unsupported,

It is indeed high time to move off XP.

Windows XP is unsupported, highly vulnerable, and trivially exploitable by hackers. It is not in the same league as Windows 10 in terms of security. Even application whitelisting (which is considered a bit of a last-resort silver bullet in industry) isn’t a reliable means of securing XP against attacks anymore.

Yes, there are some IT professionals who dislike Windows 10. Those concerns usually have to do with things like UI, embedded ads and system telemetry, not the underlying security (which is quite well engineered).

If those are your specific concerns, a current version of Mint (which you tried), Ubuntu, or MacOS are all okay options. They would all need to be thoughtfully configured for security just as much as Windows. BSD will feel just as unfamiliar if you were uncomfortable operating in Mint, but I certainly don’t discourage you from giving it a try. Even MacOS is *nix based under the hood.

Unfortunately, it seems to me that you’re stuck with two options if you want to maintain any semblance of security: cope with your dislike of Windows 10, or dedicate some time to learning the inner workings of a new operating system. Either way, please get off XP as soon as possible.


Dear Lesley,

My friend, since birth – who I’ll call M. E., has had a 23-year, jack-of-most-trades career in IT. ME is currently serving as the IT Decider (and Doer) at an SMB financial firm. Over the last five years, ME has enjoyed focusing on security. Technology, security in particular, is still near the top of his hobby list. However, compared to when he started his IT career, ME places a greater value on having a work-life balance. ME wonders if it’s too late for a change to the cyberz – without “starting over.” In your experience, is there a reasonable way for ME to jump from the “IT rail” to the “security rail” without touching the third rail and returning to Go, without collecting $200?

– ME’s Friend

Dear ME’s Friend,

Your ‘friend’ sounds like a great candidate for many security positions, but he or she might have to take a pay cut. 23 years of experience in systems administration and networking is 23 years of experience in how to take things apart, which is really mostly what security is behind the neat hats and the techno music.

ME is going to need to figure out two important things. Firstly, ME will need to gain some security-specific vocabulary to tie things together – a course or certification might be a nice feather in the cap. Then, ME is going to have to carefully plan out how to present him or herself as an Awesome Security Candidate in interviews and resumes. That will involve taking those 23 years of generalized experience, as well as security hobby work, and selling them as 23 years of Awesome Security Experience. For example, it takes a lot of understanding of Windows administration and scripting to be a good Windows pen tester. Or, it takes a lot of TCP/IP knowledge to do packet analysis of an IPS signature fire. Every niche of security requires deep knowledge of one or more areas of general IT.

All that being said, there are some security skills that need to be learned on the job. I wouldn’t push ME towards an entry level gig, but it may not be an easy lateral move to any senior technical position, either. A good segue if seniority is critical might be security engineering (IPS / SIEM / log aggregation administration, etc).


Dear Lesley,

How does an organization go about starting a patch testing program? Ours seems to be stuck in a “don’t update it, you’ll break the application” mindset.

– TarPitted in Texas

Dear TarPitted,

As I noted to a reader above, sometimes this type of impasse with management can only be solved through presenting things as quantifiable risk. If you are telling management that your application is vulnerable, and they are saying it will cost too much if it breaks when you patch it, somebody else is quantifying risk better than you. You’d best believe that team saying, “the application might break” is also saying, “if this application breaks, it will cost us n dollars a day”. So, play that game. Tell management specifically how much money and time they stand to lose if a security incident occurs. Present this risk clearly – get help if you need to from all of the impacted teams, your disaster recovery and risk management professionals, and even your finance team.

Your managers should be making a decision based on monetary and other quantifiable business impact of the application going down for patching, vs. the monetary and other quantifiable business impacts of a potential security incident at x likelihood. Once they do that on paper, you’ve done due diligence.
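To make the comparison above concrete: put the application team's "n dollars a day" and the incident's "x likelihood" on the same footing, as annual expected cost, and the argument becomes a number rather than a feeling. This is an added worked example, not something from the post, and every figure in it is constructed for illustration (the downtime rate, the cycle count, the incident impact and the likelihood are placeholders you would replace with your own finance, DR and risk team's estimates).

```python
def expected_incident_cost(likelihood_per_year, impact_dollars):
    """Annualized loss expectancy: probability of the incident in a year times what it would cost."""
    return likelihood_per_year * impact_dollars


def patching_downtime_cost(hours_down_per_cycle, cost_per_hour, cycles_per_year):
    """The other team's number: planned outage per patch cycle, priced per hour, times cycles a year."""
    return hours_down_per_cycle * cost_per_hour * cycles_per_year


def breakeven_likelihood(downtime_cost_per_year, incident_impact_dollars):
    """Annual incident probability above which patching is the cheaper option on paper."""
    return downtime_cost_per_year / incident_impact_dollars


def compare_options(hours_down, cost_per_hour, cycles, likelihood, impact):
    """Side-by-side view of the two choices management is actually weighing."""
    downtime = patching_downtime_cost(hours_down, cost_per_hour, cycles)
    incident = expected_incident_cost(likelihood, impact)
    return {
        "patch_downtime_cost_per_year": downtime,
        "expected_incident_cost_per_year": incident,
        "breakeven_likelihood": breakeven_likelihood(downtime, impact),
        "cheaper_option": "patch" if downtime < incident else "defer",
    }


def sensitivity(hours_down, cost_per_hour, cycles, impact, likelihoods):
    """Which option wins at each candidate likelihood, because x is the estimate people will argue about."""
    return [(x, compare_options(hours_down, cost_per_hour, cycles, x, impact)["cheaper_option"])
            for x in likelihoods]


if __name__ == "__main__":
    # Constructed figures: 4 hours down per monthly patch window at $12,500/hour,
    # versus a $3M incident estimated at a 25% chance per year.
    result = compare_options(hours_down=4, cost_per_hour=12_500, cycles=12,
                             likelihood=0.25, impact=3_000_000)
    for k, v in result.items():
        print(f"{k}: {v}")
    print(sensitivity(4, 12_500, 12, 3_000_000, [0.05, 0.1, 0.2, 0.3]))
```

With these constructed figures the planned downtime costs $600,000 a year and the expected incident cost is $750,000, so patching wins, and the breakeven line is a 20% annual likelihood. The sensitivity list is the part to bring to the meeting: it shows exactly how confident someone has to be that the incident will not happen for "don't patch" to be the cheaper call.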

How do security professionals study threat actors, & why do we do it?

I receive a lot of great questions about my work in Digital Forensics and Incident Response (DFIR), and while I’ve written a bit on the topic of threat actors and attribution, I’ve been repeatedly asked some interesting questions about this in specific. In the interest of not answering the same question 101 more times, today I will attempt to tackle some of the most popular, difficult, and ambiguous ones.

Before we begin, there are a couple things that are really important to understand before we deep dive into a conversation about modern computer hacking:

  1. Digital attacks are often launched through hacked or infected computers which belong to innocent people or companies. Those computers might not even be in the same country as the bad guy. The bottom line is: gone is the notion of “just trace the IP address back”.
  2. There are often computers in many countries used in the same digital attack, whether as part of a big DDoS attack, or something more complex like exfiltrating some stolen data through a bunch of computers. The bottom line is: It’s not uncommon to see computers in 10 countries used in the same criminal operation, online.

With that in mind, let’s have a short chat about the strange world of attack attribution, the secret sauce that goes into making it happen, and why it sometimes appears like we as computer security professionals really, really suck at catching bad guys.

Why would anybody care who is hacking them?

I’ve noted before that for the average commercial company, it’s usually not terribly relevant to discuss the specific national origin of attacks at an executive level.  That energy is better spent in understanding why a breach occurred, and preventing it from happening again. Companies are rarely going to cease business operations in a country because of attacks sourced there.

That being said, it can potentially be helpful for the right operational security staff to have an understanding of the actors who are attempting to breach their defenses. Once a team knows that actor CRAZY HAMSTER is attacking their company, they can read reports on attacks by CRAZY HAMSTER against other companies. Reports often document tools, tactics, and procedures used by the attacker, and the security team can use this information to ensure they have appropriate mitigation and detection in place. It might also give the security team an idea of what ends CRAZY HAMSTER is trying to accomplish through their campaign of digital villainy.

Outside of the commercial space, things become a lot more complex. I’ve noted previously that espionage and sabotage are as old as human civilization – and they are still just as relevant to politics and warfare, today. It is very important to not think of “cyber war” as a domain entirely independent of the other realms of warfare, political maneuvering, and espionage. No matter how tempting it is to worry about catastrophic digital attacks on critical infrastructure or the internet, precedent and rhetoric support hacking mostly being used as one component of more complex global conflicts. So, hacking really has to be analyzed as one part of a whole, but it certainly shouldn’t be ignored.

How can anybody know with any certainty who is hacking whom?

I’ve talked about the complexities of digital attribution in the past, and I always take the time to note that attribution is a complex, time-consuming process. That does not make it impossible, (with the right resources and substantial work hours), for qualified experts to make some determination beyond a reasonable doubt.

I already told you that IP addresses alone aren’t very useful for figuring out the source of attacks, anymore. That’s okay – that doesn’t mean that hackers and their tools don’t leave lots of digital evidence. In essence, the entire field of Digital Forensics and Incident Response (DFIR) centers around responding to and analyzing compromised networks, systems, and their logs, then providing detailed reports on what occurred. DFIR tends to focus on hard evidence like recovering deleted tools, files, and malware, retrieving command history and even tiny changes made to the computer, identifying communication with other systems, and then building a very comprehensive timeline of an attackers’ activity.

In plain English – an unencrypted computer hard drive is an archaeological treasure trove of information, containing stuff like what has been typed in a search bar, which sites were viewed in private browsing mode, what’s been plugged in to it, to what process started exactly five months and 16 days ago. Computer memory contains even more juicy details about use and abuse of computers. It’s very hard to hide every artifact of an attack on a computer that is not encrypted or hasn’t been powered down. Reliable evidence can persist for months, or even years.

Where DFIR tends to answer the “how”, “when”, and the “what” of a hacking incident, cyber threat intelligence strives to grow our understanding into “who” and “why”. Much like traditional Intelligence, good threat intel professionals take a more holistic approach in looking at attackers: taking hard evidence found by DFIR analysis and combining it with softer evidence like typical attacker behavior, linguistics, favored tools, target selection, previous attacker activities and indicators, and global events.

A balance of good quality evidence that DFIR discovers with the comprehensive view that good quality intelligence provides is the secret sauce that can allow agencies and researchers to point towards the source of an attack.

But what if reports on an attack or threat actor conflict?

It happens. Two good investigators can look at similar evidence and come to slightly different conclusions. Our recourse is to carefully read all available reports, then look hard at the quality of the expertise, reasoning, and access to evidence within each. Again, good detective work doesn’t lead to absolute certainty. The goal is to reach the most reasonable and supported conclusion possible. Some assembly is required.

But what about those “false flag” operations?

There’s certainly lots of precedent for false flag operations in the (very, very) long and storied history of espionage and counterespionage.  Digital attacks are no exception. Bad guys can try to pretend to be other bad guys, and people can claim credit for other peoples’ activities for a multitude of reasons.

This is why good intelligence, as opposed to merely digital forensics alone, is crucial to any attribution. It is rare to see a human computer compromise occur without any attacker mistakes (or evidence of those mistakes), and those small errors in syntax, language, or exploitation can be quite telling to a keen and attentive analyst.

Who are these commercial threat intelligence companies?

It takes a lot of resources for a company to build a large-scale threat intelligence program. So, a number of successful companies have popped up which hire intelligence specialists, linguists, security researchers, and political scientists to provide detailed threat intelligence to organizations, for profit. A small word of caution: keep in mind that while it is certainly in these companies’ best interests to be technically correct when they release reports and findings, they are still businesses and their objectives are to sell a product. They will probably not give everything away for free.

So if you know who’s hacking an organization, why aren’t they getting arrested?

Unfortunately, even if we know who is hacking whom, there’s often not a lot we can do about the perpetrators. Hacking the attacker back in retaliation is extremely murky legal water, especially since we already noted that hackers like to use innocent people’s computers to launch their attacks. One misstep and we could end up sued or prosecuted ourselves. Government action could have even more severe repercussions.

We can certainly go to the appropriate law enforcement agencies and report theft, intrusion, or damage – indeed, I highly recommend it. However, LEOs don’t have it easy, either. Not only are their computer crimes groups often overtaxed by the surge in ransomware and phishing, but as we noted earlier, computer crimes often cross many international borders. Taking down a big criminal hacking operation usually takes coordination between private firms and several countries’ law enforcement agencies. That means each one has to approve and fund the takedown. It happens fairly regularly, but it’s a big effort.

Then, there’s the issue of state-sponsored attacks, which are a matter of politics above most law enforcement organizations’ ability to pursue. If one country conducts espionage or sabotage against a public or private institution in another, politicians must weigh retaliation for what was done versus the potential of souring international relations (or worse).

So, sometimes we really do know who is attacking, but there’s no feasible way to pursue them ourselves, right at the moment.

I want to see evidence of CRAZY HAMSTER attacking companies first hand. Why can’t I?

First of all, make sure you really can’t. Not every threat intelligence company uses the same nomenclature for the same actors – a sore spot for many security professionals. When in doubt, please check first, and ask if needed.

Many commercial intelligence companies and research firms produce reports for the public that contain an executive summary that is easily readable at any technical skill level. A good report should also contain substantial technical detail including indicators of compromise – specific evidence found in the analysis of the attack which can potentially be used to identify the same actor elsewhere.
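Here is what "used to identify the same actor elsewhere" looks like in practice: take the indicators from a report and sweep your own logs for them, keeping the timestamps so the hits read as a timeline. This is an added example written for this post, not code from any intelligence vendor or report. The indicators are constructed placeholders (a documentation-range IP, a reserved example domain and an obviously fake hash), and the proxy and antivirus log lines are made up to show one host touching all three.

```python
import re
from datetime import datetime

# Constructed indicators of compromise, laid out the way a public report might list them.
# Every value is a placeholder: 203.0.113.0/24 and example.net are reserved for documentation.
IOCS = {
    "ipv4": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"0" * 63 + "1"},  # deliberately fake hash
}

# Constructed log lines from two sources (web proxy and endpoint AV); not from any real incident.
SAMPLE_LOGS = """\
2017-02-01T08:15:02Z proxy host=ws-042 user=jdoe dst=www.example.com:443 action=allow
2017-02-01T08:16:40Z proxy host=ws-042 user=jdoe dst=UPDATE-CHECK.example.net:443 action=allow
2017-02-01T08:17:05Z proxy host=ws-042 user=jdoe dst=203.0.113.45:8443 action=allow
2017-02-01T08:20:11Z av host=ws-042 file=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe sha256=0000000000000000000000000000000000000000000000000000000000000001 verdict=clean
2017-02-01T09:02:33Z proxy host=ws-017 user=asmith dst=www.example.org:443 action=allow
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")


def extract_candidates(line):
    """Pull every IP, hostname and SHA-256 out of a log line, normalised to lower case."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def match_iocs(log_text, iocs):
    """Return every IOC hit as a dict, ordered by time so the result reads as a timeline."""
    wanted = {kind: {v.lower() for v in values} for kind, values in iocs.items()}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, source, _rest = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        found = extract_candidates(line)
        for kind, values in wanted.items():
            for value in sorted(found[kind] & values):
                hits.append({"timestamp": ts, "source": source, "ioc_type": kind,
                             "ioc": value, "line": line})
    hits.sort(key=lambda h: h["timestamp"])
    return hits


def hosts_involved(hits):
    """Distinct hostnames seen in the hit lines: the first scoping question in any response."""
    hosts = set()
    for h in hits:
        m = HOST_RE.search(h["line"])
        if m:
            hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS, IOCS):
        print(h["timestamp"].isoformat(), h["source"], h["ioc_type"], h["ioc"])
    print("hosts:", sorted(hosts_involved(match_iocs(SAMPLE_LOGS, IOCS))))
```

Two details carry the weight here. Matching is done on extracted, lower-cased candidates rather than a substring search, so `UPDATE-CHECK.example.net` in the proxy log still matches and `10.0.0.5` never matches an indicator of `10.0.0.50`. And the AV line matches on hash even though the verdict was "clean": an indicator sweep is exactly how you find the thing your signatures already missed, which is the practical value of the technical section of a report.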

Unfortunately, in any breach or attack, there will very likely be a lot of evidence unavailable to the general public. The first problem with releasing it all is that raw digital forensic evidence almost always contains proprietary and confidential data. That’s just the nature of raw network traffic and system drives. Even attacker activity alone usually contains passwords, account lists, and sensitive network configuration and vulnerability data. Some of this information may be made available to information sharing partners and colleagues through NDA/TLP, while some is kept strictly confidential.

The second problem is that any data provided to the general public is by its nature also being made available to the attackers. If they are still operating, showing all cards could really hurt efforts to bring them to justice.

Why aren’t you security professionals and researchers doing anything about these threat actors?

We are. While we might not be able to get every perpetrator arrested today, there are concerted efforts to share data on attackers and malware between commercial companies, law enforcement, and government agencies. The ISAC program is a great example of this. Many threat researchers and non-profit organizations release and share threat intelligence data and malware research for free.

Information sharing not only helps in law enforcement efforts, but it mutually improves detection of attackers and preventative security with their behaviors in mind. If we can’t stop the attackers right now, we can work together to hinder them at every turn.

Health and Wellness in InfoSec

Most of us know that being a hacker isn’t exactly the lowest stress gig out there. With the holiday season fast approaching, thinking about taking care of our well-being and that of our colleagues, family, and friends becomes even more important than usual. I’d like to have a quick chat about ways I personally have approached health and self-care, some lessons I’ve learned after nearly two decades in IT, and some suggestions for caring for yourself and those around us. Of course, I’m not a doctor. I don’t even play one on TV.  I can only speak to my own personal experiences coping with extreme and long-term stress. I hope they provide some food for thought.


Nutrition

Eating a portioned, balanced diet is an oft forgotten but very important element of our overall physical and mental health and longevity. How we eat is also very important. Let’s start with some really easy changes.

I’ve personally found great value in (whenever possible) ensuring I eat on a regular schedule. I also try to force myself to eat a minimum of a couple meals a week at a table (not in front of my computers or my TV), from an actual plate. This forces me to eat more slowly, control portions, and gets my focus away from work and news during the meal.

It’s no secret that I’m a pretty incompetent chef, which sometimes hurts my eating habits. I’ve worked hard to balance this out a bit by eating more steamed and raw vegetables and fresh fruit, carefully reading nutrition, preservative, and preparation facts on microwave meals, and occasionally utilizing delivery services with semi-prepared or pre-prepared healthy meals. I also try to get together for shared meals with friends or family on a regular basis (they cook, I bake, everybody lives 😉 ) Check out MealSharing if you don’t live near friends or family, or arrange something with your local hacking group. I saw a lot of Hacker Family holiday meals out there this year.

I’ve never seen a ‘fad diet’ or non-FDA-approved weight loss pill that worked long term – I’m not even terribly keen on excessive meal replacements. Be cautious about anything that seems too good to be true. We’re hackers, and we are some of the best out there at uncovering bad science and scams. Never forget to research while looking for a quick fix. Unless your doctor says otherwise, start with simple things like portion control, balanced nutrition, fresh foods, and avoiding too much added sugar and sodium. Eating sensibly and reducing portions is a lot easier to stick with than drastic dietary changes and lack of variety, in the long term.

Finally, try to drink more water. There are tons of reasons to avoid the added sugars of soda and the sugar substitutes in calorie-free drinks, as well as excessive caffeine and alcohol consumption. Drinking more water can make a huge physical and mental impact on our health. Using reusable water bottles instead of plastic soda bottles or cans is also great for the environment.

Exercise

Many people in information security work long hours and travel extensively. This makes getting regular exercise difficult. So, let’s have a little chat about the exercise that wiser experts than I say you should be doing at a minimum.

The American Heart Association currently recommends the following for healthy adults:

For Overall Cardiovascular Health:

  • At least 30 minutes of moderate-intensity aerobic activity at least 5 days per week for a total of 150 minutes

OR

  • At least 25 minutes of vigorous aerobic activity at least 3 days per week for a total of 75 minutes; or a combination of moderate- and vigorous-intensity aerobic activity

AND

  • Moderate- to high-intensity muscle-strengthening activity at least 2 days per week for additional health benefits.

For Lowering Blood Pressure and Cholesterol

  • An average 40 minutes of moderate- to vigorous-intensity aerobic activity 3 or 4 times per week

Obviously, 75 – 150 minutes of exercise can be pretty hard to get when we’re working long nights and sleeping at airports. Hotel gyms get really old. That doesn’t mean we shouldn’t still make an effort, because not only does exercise provide physical benefits, but it can get our minds off troubles as well.

In my personal experience, getting involved in group exercise classes in which missed attendance is noticed and checked on was a great help. I chose martial arts and yoga. Martial arts gave me a structured, moderate to vigorous intensity activity with concrete goals to achieve, and strict attendance and coaching requirements. Even if I’m exhausted and flying out the same night, I have to make my classes or provide a valid excuse.

Yoga provides me a low-medium intensity stress-relieving exercise activity I can do almost anywhere I travel. Finding yoga schools wherever I go for work has become an exciting adventure – I always meet new instructors with new ideas and perspectives. There’s no reason national or international exercise programs like crossfit, BJJ, or aerobics can’t provide the same for you. Find an exercise routine you find fun and captivating, not something that’s a chore you try to get out of. (Always consult a doctor and research the routine before starting a new exercise program – we’ll talk about this shortly.)

Community & Friendship

Introversion is pretty common in hackers; I’m no exception. As unappealing as it can feel, there are good reasons for us to have a community of support and a little regular interaction with other humans. We’re very fortunate as hackers to have a tremendous community of practice with many local, regional, and international events, which we all should try to attend if able. However, those don’t ensure that we aren’t isolated on a day-to-day basis. Folks who work from home are especially vulnerable to the trap of staying home surrounded by hobbies, games, and gadgets, frustrated with other people.

Ask yourself, “Have I spoken out loud to another human today?”.

There will be Really Bad Days in your life where the escapism of books, games, and the toys, and what box you popped aren’t enough. You will eventually need some support to dig out of a dark, overwhelming place. The best way to ensure that safety net is there is to build it right now, even as watching Netflix or con videos might seem a lot more fun and less stressful. Be part of the hacker community, your local community, and your communities of interest.

Yes, the internet is a great resource for friendships, especially when we’re geographically isolated from folks with similar interests. If possible, don’t rely on the internet alone. Make sure you have a couple real phone numbers to call on the Really Bad Day. Make sure somebody relatively local can pick you up at the hospital, or bring you a can of gas, or bail you out of jail on that Really Bad Day. Be that person for your friend’s Very Bad Day, too.  It can be very wearing to put yourself out there, but it’s easier to meet people with common interests and hobbies than ever before in human history. Join your local 2600, CitySec, or DEF CON local group.  I also highly recommend Meetup.com for finding or starting low-key hobby and geekdom groups in your area.

Remember that we have family that we are born with, but we can also have family that we choose – and sometimes those bring us much more compassion and care on the Bad Days.

Sleep

I promise, no matter what you think, you really, really do need it. Even if your 3 energy drinks tell you that you don’t. If you start crashing hard on your days off, repeatedly, you are probably pushing yourself too hard. The National Sleep Foundation recommends between 7-9 hours of sleep for adults. Below 6 hours isn’t even considered healthy on their scale. I know a lot of people in infosec talk about living on 4 or 5 hours of sleep routinely as a matter of pride, but you’re only hurting yourself (or your employees, if you promote this). You will very likely notice a physical and mental performance improvement when you get enough rest.

Humanitarianism

Kindness, service, and volunteer work not only help those around us, but they improve our personal well-being as well, and get us involved in local and global communities. A small act of kindness, like showing honest appreciation to people around us, or showing compassion to somebody in need, can make endless difference in another person’s life.

Quite a few of you might be surprised that I (a humanist and an atheist) go to church on a regular basis. Let me endeavor to answer the immediate questions raised by this. Firstly, I attend a humanist church that doesn’t promote any specific religious ideology (Unitarian Universalist). Secondly, it forces me to listen to people with varied philosophies about their concerns and their perspectives, which gives me a more nuanced and human view of worldviews that are different than mine. Thirdly, it allows me to be part of a supportive community of humanitarians who are also interested in helping less fortunate people in organized ways. Some problems are too big to tackle alone.

No matter your philosophical and spiritual views (or lack thereof), the idea of the golden rule is pretty universal. I personally ascribe to the concept of leaving the world a little better than I came into it, for future humans. Others did it for me, and we all benefit from random acts of kindness. Find a way to give back to the communities you are a part of by choice or by chance.

Seeing That Doctor

I honestly can’t count the number of friends in infosec, including myself, who have ended up in the hospital after ignoring health problems due to high pressure, fast-paced lifestyles. Nobody likes going to the doctor, and health insurance can be a nightmare in the US. I can’t stress enough – learn from our mistakes, or suffer the consequences.

Even if you’re in your 20’s or 30’s, go to your yearly physical. Make sure you have routine blood work done to check for stuff like vitamin deficiencies. Vitamin D deficiency is super common in IT and shift work, and as many can attest it can have a huge impact on your physical and mental well-being. Get screened for cancer and hereditary conditions appropriately for your age, gender, and risk factors. No job is ever worth your life.

I’m Still Really Stressed, What Now?

Here are some thoughts for you.

  • Try to reduce excessive caffeine intake. It raises your heart rate, and artificially reduces your desire to get (needed) rest.
  • Have a cup of herbal tea. Take the time to put in some honey or lemon, and try to relax for a few minutes while drinking it.
  • Remove your social media apps from your phone if your feeds are stressing you out. Social media vacations are okay.
  • Actual vacations are okay, too. They are not a mark of shame. The things you did out of the routine are the things you will remember in a decade.
  • Call a friend, and chat for a while. Even better, chat with a friend in person.
  • Try a new hobby. Groupon Local is great for this. It doesn’t have to be something intense like skydiving. Try something low-pressure that you’ve always wanted to learn more about, like photography, painting, sushi making, or home brewing. It’s a big world out there, full of endless things.
  • Meditate. This doesn’t necessarily mean sit still on the floor, cross-legged. Moving meditation is a thing, too. Sweeping can be meditation. Lockpicking can be meditation. So can music or art. For something more traditional, Tai Chi, Hatha Yoga, and Qi Gong are organized moving meditation. We’re just talking about calm, repetitive motion activity that allows you to focus your thoughts and breathe without getting frustrated.
  • ASMR videos, however silly-seeming, help some folks relax.
  • For the “Type-A” hackers: find something to plan out that doesn’t stress you out. It can be a totally mental, pretend exercise. For example, plan out a vacation, a CFP submission, a research project, a business you’d like to start, or a job change. Have fun working out the logistics or details, and don’t worry about the real life roadblocks or requirements. If you get inspired, that’s great. If not, move on to something else.
  • Read an actual, physical book that you enjoy. Or replay an old game that you enjoy, that won’t stress you out. Something you equate to happy memories.
  • Finally, and most importantly,

Professional Help

There is no shame in seeking professional help when you’re in a dark place. While I’ve offered a few suggestions of possible ways to improve the quality of your life, health, and support structures, there are truly long term and short term conditions that can best be worked through with a licensed professional. Depression and substance abuse are sadly huge problems in the hacker family, and they call for proper care. We don’t want to lose anybody else. Please do not hesitate to seek out professional resources when you need them. You are valued. You are important. You can do good in the world.

The National Suicide Hotline: 1-800-273-8255
SAMHSA Substance Abuse Hotline: 1-800-662-HELP