Floyd Mayweather and Conor McGregor 6 months from now.
Jeremiah Grossman
@jeremiahg
Black Belt in Jiu-Jitsu. Unemployed, no college degree, drives used cars, and holding out for a management position. Founded WhiteHat Security & Bit Discovery.
Jeremiah Grossman’s posts
Not so long ago there was something called a "telephone book" that published effectively everyone’s name, address, and telephone number — PUBLICLY. Today, when that same data is [mistakenly] made available online it’s called a data breach.
Culturally, what changed?
Long ago I wrote a little JavaScript app that allowed me to edit terms of service in my browser before pressing ‘accept.’ I technically own Yahoo, Hotmail, Excite, and rights to their first born children.
Web 1.0: HTML
Web 2.0: HTML + JavaScript
Web 3.0: HTML + JavaScript + Ponzi.
h/t:
“You cannot make everybody happy, you are not a taco.”
Added to my list of favorite quotes.
Today would be the perfect day for Sundar Pichai (Google, CEO) to back up Tim Cook (Apple, CEO).
2021:
- Global Information security spending ~$124B
- Global coffee market ~$466B
priorities.
Seeing is believing.
Video or it didn’t happen.
In the very near future, we won’t say or believe those things anymore.
Quote
Another great paper from Samsung AI lab! @egorzakharovdl et al. animate heads using only a few shots of target person (or even 1 shot). Keypoints, adaptive instance norms and GANs, no 3D face modelling at all.
youtu.be/p1b5aiTrGzY
arxiv.org/abs/1905.08233
I’ll tell you exactly why many of us in Tech and InfoSec are especially sensitive about complete BS like this and react accordingly.
Aaron Swartz.
Quote
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
Readers added context
The Governor is implying the journalist hacked information (social security numbers) that is readily available to anyone on a webpage by viewing source code or pressing the F12 button.
InfoSec is ~$127B industry, yet there’s no price tags on any vendor website. For some reason it’s easier to find out what a private plane costs than a ‘next-gen’ security product.
Oh yeah, and let’s not forget the lack of warranties.
You know, I kinda like the way we’re kicking off cyber security awareness month.
As Bruce Schneier recently explained about IoT-device security, "The market can't fix this because neither the buyer nor the seller cares."
All these gov intelligence dumps, and not a single thing about extraterrestrials, secret advanced technology, chemtrails, Area 51, etc. Bah
Brian Krebs called, left a message.
Spoke to CISO who said when Merck was impacted by ransomware, his firm also lost $1.5 billion ... even though they themselves weren’t infected. Merck’s ships couldn’t / didn’t deliver goods they need to operate their business.
Perfect example of the impact of 3rd party risk.
InfoSec is a place where vendors don't publish their prices, make outlandish claims, don't warranty their products, don't allow customers to test their products without speaking to a sales person first, and then complain when people don’t want to listen to them.
We live in a world where we need software to protect software from software.
InfoSec Marketing Guide:
Next-Generation = hackable
Military-Grade = hackable
AI/ML = hackable
Compliance = hackable
Hack proof = hackable
$120B+ a year spent on InfoSec, everything still hacked.
If the spend were doubled, would the breaches or their impact be halved? I think no. I think we largely continue to have an alignment of interests and a spending priority issue.
$75 billion is spent annually on computer security.
Russia hacks into us using spearphishing.
Many people attend Black Hat / DEF CON solo, and don’t really know anyone. For newcomers the conferences can feel a bit overwhelming. If you notice someone standing around alone, looking lost, take a moment to introduce yourself. Ask if they need anything. It’d mean a lot to them.
Welcome to InfoSec, where we try to help people to appreciate everything we do that goes into making nothing happen.
The $124B a year spent on InfoSec is the interest-only premium on ~30 years of accumulated IT technical debt.
Generally people prefer an insecure product that works over a secure product that doesn’t. This is why we’re talking about Zoom at all right now.
The trick to longevity in InfoSec is finding ways to keep a positive attitude while our job is to find what’s wrong with everything.
InfoSec: Software will always have bugs, and therefore always have vulnerabilities.
Also InfoSec: Protect your insecure software with our insecure software.
It just became substantially harder for Twitter to recruit top security talent.
I appreciate when people say, “I don’t know” when they don’t know something. It shows confidence in themselves and respect towards others in not trying to waste people's time.
Just another day in InfoSec:
-Facebook leaves millions of user passwords exposed in plain text for years.
-Google fined €1.5bn by EU regulator for blocking competitor’s ads.
-UK's Police Federation infected with ransomware, deleting DBs, email systems, and their backups.
Let me get this straight, a couple old school hackers from w00w00 and the ADM crew are now billionaires, and someone who used to be a cDc member is a legit Democratic presidential candidate.
Is this real life?
For > 99% of everyone, you're far more likely to get hacked via your browser loading online ads than the CIA. Be safe. Install ad blockers.
When security is invisible, it’s useful, but no one values it.
When security is visible, it’s annoying and everyone hates it.
Some days in InfoSec you can’t believe someone is paying you to do this work. Other days you feel like there’s no amount of money that’s worth the job.
Hey Everyone. My son (11yr) could use some get well wishes. He’s going into surgery today to repair a badly broken leg. He’s been holding incredibly strong, but it’s been a rough week.
When InfoSec says "defense-in-depth," what they really mean is having enough layers of swiss cheese so you can’t see through it.
There are generally 3 InfoSec personas…
- Builder of secure systems
- Defender of secure systems
- Breaker of secure systems
… everyone else is in sales, marketing, or a thought-leader. ;)
I’ve worked with some amazing security pros whose skills made me feel like an intellectual chimp, but nothing compared to those I’ve seen who have somehow mastered Microsoft Excel.
For months, years actually, I've looked very closely at the external attack surface of every Fortune 500 company and well beyond. I’ve learned that almost none "moved to the cloud." That’s a fallacy. Instead they added stuff to the cloud and left the legacy where it always was.
Journalists covering InfoSec, when covering breaches, please ask what security control(s) should have prevented the incident but didn’t.
It’s a common question asked in every other comparable area.
IMHO, the cause of InfoSec burnout isn’t so much the long hours … it’s when you grow weary of the endless search for anything that’s wrong with everything. Burnout is when this inherently negative mindset impacts your personal life — perhaps inevitably so.
InfoSec says the first steps of any security program are:
1) Create a list of assets needing protection.
2) Place a value on those assets, to avoid over or under spending.
3) THEN see what those assets are vulnerable to.
In your experience, how many go directly to step 3?
$10B a year spent on anti-virus. $8B a year spent on firewalls. $4B a year spent on IDS/IPS.
Beaten by a vuln patched in March.
I almost feel like this is a trick question. Everyone knows InfoSec is the duct tape of IT.
Now that the USGOV has banned Kaspersky software in federal agencies, perhaps now they can go ahead and block the arguably far greater computer security threat.
Online ads.
It’ll take a few years before it becomes necessary, but the insider threat of bribing or planting developers in key positions in the software supply chain designed to implant weaknesses will become a thing. And, it’ll be incredibly hard to defend against.
Are we onboard with software manufacturer liability yet, or does the entire internet have to go down or someone die first?
I’ve worked closely with a lot of people in InfoSec, and it appears burnout coincides with when someone finally gets really good at it.
What threat actor is most likely to hack you?
- China: 4%
- Russia: 6.5%
- CIA: 13.7%
- Banner Ad: 75.9%
7,713 votes, final results
In InfoSec we often hear, “Why don’t organizations just do or fix … X?”
As a thought exercise, ask the opposite. “Why should businesses do or fix… X?”, and do so in dollars and cents terms.
It’s often surprisingly difficult.
All the articles on Russia hacking the US are written with a notion of past tense, which is a bad assumption. The hacking is likely ongoing.
#WannaCry: If infected and do not have backups, DO NOT delete your encrypted files. A decryptor may be possible within a few days.
Stay in InfoSec for any length of time and you’ll probably come across a few jerks. They don’t matter in the least. Fortunately, you’re far more likely to find A LOT of super cool people. People willing and eager to help when asked nicely. My personal experience.
Often organizations are hacked because a machine wasn't patched. What we’re noticing at Bit Discovery is many times the org actually DID properly patch other systems, just NOT the one that was hacked. Turns out the exploited system would've been patched if they knew it existed.
Funny how government isn’t demanding that ransomware groups add golden master keys to their crypto implementations.
Why do people attend InfoSec conferences when so much of the content becomes freely available soon after?
I’m thinking it’s... 1) a large block of time dedicated to learning and NOT be distracted by ‘work.’ 2) peer networking opportunities.
How off am I? What else?
Maui, HI. 1/11/2019. Snowfall down to ~7,000ft. Reportedly enough for kids to sled.
InfoSec has something called a “magic” quadrant. Where can I find a “scientific” one? That would seem to make more sense.
Old Way:
1. Select Target
2. Reconnaissance
3. Identify Vulnerability(ies)
4. Exploit
New Way:
1. Reconnaissance
2. Identify Vulnerability(ies)
3. Select Target
4. Exploit
This is the problem for patch management.
Hard lessons that are unfortunately necessary to share with all non-InfoSec people.
• 'Your data' is not your data, and it will be sold for a buck.
• The cloud doesn't have a delete button.
• Ads are dangerous, block them.
And furthermore, what every security researcher will tell you… if view-source: was enough to compromise data on the website, you know there’s likely to be many other ACTUAL vulnerabilities.
Google blog post didn’t say how they found the infected website(s) using the iOS zero-days. But I’m sitting here thinking, again, that after $127B in annual InfoSec spending, it was an advertising platform that found it... and not a security vendor. Threat intel or otherwise.
Told ya! The National Cyber Security Month kicked off with a bang. 50M Facebook users hacked, Chinese spies reportedly hacked 30 U.S. companies by compromising their hardware supply chain, and US DoJ filed charges against Russian GRU officers for hacking. And week 1 ain’t even over.
"hidden voice commands that are unintelligible to human listeners but interpreted as commands by devices.” so cool!
Many InfoSec industry reports state that exposed Remote Desktop Protocol (RDP) ports are a leading cause of breaches. One cyber-insurance carrier told me they will not write policies for those with open RDP. So, I was curious how prevalent RDP is across top U.S. companies. /1
For many companies, the first time the Execs sat down and had to put a hard monetary value on their data and infrastructure is when they get ransomware’d.
“it doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” -Steve Jobs
'The World's Biggest Data Breaches, In One Incredible Infographic’ businessinsider.com/data-breaches-
A $25M cyber-insurance pay out, which probably cost Marriott ~$500K annually in premiums.
Now, think about how much $500K in InfoSec spend would have bought them, or not bought, in terms of providing true risk reduction. twitter.com/ekiledjian/sta
I always thought it odd that Silicon Valley, the center of the hi-tech world, has such an awful traffic problem. You drive 1hr+ from home to sit behind a computer screen and sometimes meet with people in little rooms.
This is how we know telepresence is not yet a thing.
Google’s reCAPTCHA is a free service w/ no support and heavily relied upon by basically the entire internet. They [temporarily] went down, impacting critical flows like auth, account reg, purchasing, etc for a lot of people. Weird how little coverage there has been.
I’ve spent last year creating asset inventories of the world's largest organizations (via Bit Discovery). It’s absolutely crazy to see just how many assets they have connected to the Internet — many have hundreds of thousands.
You can’t secure what you don’t know you own.
~23 years of CVEs. Tens of thousands of new vulns published each year. Anyone ever analyze the characteristics of the vulnerabilities that are never exploited?
If no one listened to the warnings about IoT-device security, perhaps our industry’s social engineering skills are not as good as we think.
I’ve learned that if someone is being unusually nice, for long periods of time, it means they are likely Canadian. There’s no other explanation.
$120 billion a year in InfoSec spend:
Someone’s corp email is compromised, which leads to an adversary planting a backdoor on a build server of an IT management software product. Leads to a breach of ~18,000 companies, including large swaths of the US Federal GOV.
This GameStop stock market thing is like someone figured out how to beat the house at a casino — so they’re pulling the machines.
All I want for Christmas is exclusive intellectual property rights over my personally identifiable information.
If auto insurance worked like cyber insurance:
Agent: How many cars?
Customer: 🤷
Agent: What kind of cars?
Customer: 🤷
Agent: Where are they?
Customer: 🤷
Agent: What are they worth?
Customer: 🤷
Agent: Who drives them?
Customer: 🤷
Agent: Great! Here’s policy quote. 📝
A high functioning team following a good-enough plan will easily outperform a low functioning team following the best plan.
Every. Single. Time.
Sep 7 2017, Equifax (EFX) announced a major breach impacting the personal information of 143M people. Within days their stock crashed from $141 to $92. 13mo later, it’s up to $129 and just slightly off a 52-week high. I think just about everyone can learn a lesson here.
The most visible effect of GDPR has been the increased level of spam.
If a reality tv star has the qualifications to be President of the U.S., I know 2 perfect candidates for FBI Dir.
Quote
James Comey will be replaced by someone who will do a far better job, bringing back the spirit and prestige of the FBI.
Passing thought: Current ransomware locks you out of your files, but what if it randomly leaked your files / email publicly until you pay.
When interviewed by mainstream media, generally following a large breach, I’m often asked … “why do these hacks keep happening?”
At this point, what would your best answer be?
A security researcher informed USPS of the vuln a year ago, but they never responded. Brian Krebs reaches out and they fix it in under 48 hours.
Idea: Start disclosing vulns as a ‘journalist’ instead of a ‘security researcher’ and let’s see what happens.
Quote
Exclusive: USPS fixes flaw that exposed data on 60 million usps.com users krebsonsecurity.com/2018/11/usps-s
New InfoSec Rule: If a company claims to have a ‘hacker’ culture or similar, they must supply rollerblades to all employees.