Your Reputation after a Data Breach.

Whether you asked for it, had an active hand in making it, or even acknowledge it, you have a reputation. It can be built up, blown up, and is blended from both fact and fiction. It is a wild beast that is only tamed in the way an adult grizzly plucked from the forest can be tamed. Despite all volatility and fragility you must manage it as best you can, because when your reputation takes a hit the foundations of success begin to shudder.
A company’s reputation is the same. After Target’s data breach one year ago, its customer satisfaction and service reputation stayed in decline for many months. S&P cut Target’s credit rating because the breach hurt store traffic and sales more than expected. Target’s profit dropped 46% in Q4 of 2013 and its CEO was ousted five months after the breach went public.
There are plenty of tangible costs when a data breach occurs: lost productivity, forensic investigation, technical support, system availability, compliance and regulatory failure. Many of these costs, while significant, are manageable to an extent when the breach is kept under wraps. Once word of a breach reaches the consumer side, the final tally of damage and cost is unpredictable.
42% of breached companies lost customers and business partners. 46% of a breached company’s clients would no longer recommend the organization.
Companies like Sony, Home Depot, P.F. Chang’s, Staples, Michaels, K-Mart have all been targets of data theft. Their damaged reputations will recover over time but the repair costs are significant. A Ponemon survey put the average damage done to a brand at $184 million to more than $330 million, and, at best, brands lost 12% of their value after a breach.

Every company needs to do more to keep its reputation secure. While some data breaches will be physical blunders, many of them will be malware that was either forced onto the network or invited in.

Defence Intelligence helps its clients keep their data and their reputation secure with advanced malware protection services. Take a look at what we can do to help.
Don’t be the next victim.

The most interesting DDoS ever?

Those of you outside of Canada may not have been following this story, but you might want to, as this one seems to have it all:
  • Accusations of police ineptitude and overreach
  • Listening devices
  • Claims and counter-claims concerning Anonymous
  • Twitter sparring
  • Social engineering
  • Multiple DDoS attacks
  • Bureaucratic boilerplate statements aplenty

The abbreviated story goes something like this…

 
  • An Ottawa teenager is charged with 60 offences related to ‘swatting’ various targets across North America.
  • Hacker claims to have proof that said teen is innocent – identifies another as the culprit. 
  • Hacker contacts family of the accused and the media.  Listening devices apparently discovered at suspects home. 
  • Hacker takes down city, police and court websites to bring attention to the case. 
  • Officials assure the public that no data has been breached, but that hacker managed to get password from service provider via phone. 
  • Hacker continues to post via social media, promising proof. 
  • Father of the accused now says he is a ‘person of interest’ in the case.
We’ve seen hundreds of DDoS attacks in the news over the years, and thousands of them in the security community. They usually aren’t all that noteworthy and barely get a second glance. The attacks in Ottawa and Canada over the past couple of weeks are rather unique, however. You can catch up on the saga via:

SecuriTea Leaves (Part Three): Future 2

The new Internet is one of openness and perpetual unfiltered documentation, not privacy and selective sharing. What impact will that have on the future of security, when the need for privacy lessens? If our dying generation is the last one concerned over privacy, what motivation is there for security enhancements?

In this series of posts I describe the possible futures of the privacy plate shift we’re riding right now and how it relates to the landscape of security.  See SecuriTea Leaves Part One for more detail.

Future 2. No privacy. Strong persistent security. Teleportation a maybe.

This future shares much with future 1 and is possibly just a stepping stone on the same trail. Like future 1, this world has voluntarily given away its privacy, leaving little of one’s life out of public view. What differs here is that individuality is still very important.

People won’t mind if their emails are made public. They just won’t want someone speaking for them using their identity without permission. A person won’t mind being one voice amongst millions, but they will still desire the likes, the lols, the smiles, follows, ratings, and promotion. In this future every picture you take is immediately uploaded to the cloud (now a shared international database), using facial recognition to automatically tag you and all your friends. Every step you take is logged, every purchase you make is known, each entertainment choice is tracked and it has your name all over it, but the phrase invasion of privacy never crosses your mind.

This future requires significant security to maintain. To protect the integrity of each individual’s data, identity verification and general information security become very important.

For security of identification there will have to be multiple checks, a verbal password with constant retinal presence. A perpetual presence indicator (PPI) is what maintains validity of the person to the action. If you’re not looking at what you’re creating, or if the eye isn’t yours, then the access is cut off. Security of the information itself will be difficult, keeping it both open but safe from alteration. Security priority here is not to keep it from public view but to keep the relationship of author to text or action valid.

This trust of the person-to-action relationship is most impactful and relevant with banking transactions, and that’s where both the consumer and industry will want to position a mutual fulcrum and where this future has its genesis.

At some point, in the not too distant future, banks will no longer foot the bill for every purchase on a stolen credit card or money transfer made with stolen login credentials. They will turn the responsibility back to the consumer.

“Protect yourself, because we won’t.”

People might then be a little more cautious when using their credit cards online, or they might embrace encryption or additional personal security options, but it is more likely people won’t voluntarily change their habits at all. Security changes will have to be forced on them.

Banks will effectively pass the buck, requiring a user of their online services to pass several security requirements in addition to the PPI (antivirus installed, no public Wi-Fi) before being allowed access to their own accounts. If you don’t qualify, you don’t get in. Retailers won’t rush to join this security revolution but it will be forced on them as well. The banks will require new security regulations of payment processing groups to guarantee the validity of the end user, which will then trickle changes into the entire online shopping experience.

With so much awareness of you and your actions, this future world is incredibly personalized. What lives now as targeted ads and improved directions to your home will be mood based music selection, automatic grocery list creation, calendar planning (including television viewing, exercise schedule, and party attendance responses). Decisions will be made for you and they’ll be the same ones that you would have made. Doctors send prescribed medicine to you without you visiting them or even knowing you have a problem. Spending habits are so guided that budgets don’t factor into the purchases. Each day is laid out before you. Life becomes a big to do list.

Do you think this is a possible future? Thinking about this future as a complete world, what doesn’t fit or what did I miss? Could this idea of a PPI provide enough assurance that an action or data transfer/creation was made by a certain user? Can data sharing ever be really secure, especially when databases are linked? Does taking away choice make life easier or happier, or do we need the chaos and uncertainty to be people of substance?

Other posts in this series: SecuriTea Leaves

Part One: The introduction
Part Two: Possible Future 1

SecuriTea Leaves (Part Two): Privacy, Security, and Their Possible Futures

The new Internet is one of openness and perpetual unfiltered documentation, not privacy and selective sharing. What impact will that have on the future of security, when the need for privacy lessens? If our dying generation is the last one concerned over privacy, what motivation is there for security enhancements?

In this series of posts I will describe the possible futures of the privacy plate shift we’re riding right now and how it relates to the landscape of security. (I will post each future separately so there may be comments on each.)

See SecuriTea Leaves Part One for more detail.

Future 1. No privacy. No security. Flying cars optional. (This future feels far away, but just how far I don’t know.)

 We have spent years sharing everything and voluntarily broadcasting our lives to the point where nothing is private. Who we know, how we feel, what we eat, our daily routine, are all available to the public. And if privacy is only a concern for the singular person, then a collective needs no privacy. Individuality is practically gone, lost amongst the vastness of so many people with so much data.

 Twitter (whatever repackaged variant it comes as) wouldn’t have a login. You would just tweet as a generic entry, possibly with demographic info tied to it, all performed automatically as you live. Whatever listening device you carry or is nearby, which is always on, will post your statement and question streams to join the river of worldwide conversation. Email won’t exist because there are only public forums for communication. Facebook and LinkedIn (whatever face they wear) will auto update with every action and career move, complete with pictures you didn’t even initiate.

 All data about you, including financial, medical, and family details are accessible by anyone, and you’re fine with that because community and government services to support needs or problems with any of these categories proactively extend their reach to your doorstep. You won’t care that every mistake you made or slur you’ve spoken is accessible as both an audio file and in transcript, or that everyone knows where you are at all times, because that is the way it is. 

 The upside of so much exposure is that it may provide more security. It will be more difficult to pull off financial fraud when every purchase by every person is documented publicly in multiple ways: matching shopping habits, visually recording the transaction, tracking an item through its full life cycle, not just shipment. Even clothes may require some ultimate biometric union with their intended owner, where no other person could successfully wear them. Financial spending could be restricted anyway, every dollar of yours so heavily tracked and tied to you personally that the initial fraudulent purchase could never happen.

 In this future your health is constantly monitored, and with no delay in medical history or current condition, medical response and effectiveness could be vastly improved. Small changes in your health can inform your doctor while immediate changes can alert the hospitals. The likelihood of one person harming another may be much lower when the whereabouts of every person, especially in proximity to everyone else, is well known.

 Sure, like any sci-fi movie tells us about dystopian totalitarian worlds, there will be a resistance. However, with everything public there is no need for login credentials. Everything and everyone knows who you are at all times so access is wide open. With little privacy and little security needed for that privacy, the ability of that resistance to be disruptive to the status quo may be incredibly easy, but ultimately pointless.

 Apart from a destructive “reset” of civilization, even a disruption of the system won’t change it. It only sounds like a dystopia from our current point of view. The people are happy to live in the world they’ve helped create. It wasn’t forced on them by the government or even put to a vote, other than the tiny “allow” vote made every time you accept the terms and conditions of the services and software you use. A building wave of “allows” created this new shoreline and the seaside residents moved closer together preventing any possible outliers. They even take comfort in the lack of privacy. Like confessing your sins, there is a cleansing effect to revealing your secrets, and in this future you’ll never have any.

 Do you think this is a possible future? Thinking about this future as a complete world, what doesn’t fit or what did I miss? Could complete lack of privacy provide total security?

Posts in this series will continue with other possible futures. See SecuriTea Leaves Part One: The Introduction.

-Matt Sully

SecuriTea Leaves : A Series on Privacy, Security, and Their Possible Futures

Privacy and security are intertwined elements, each fuel for the other’s fire. What you want kept to yourself isn’t always a dirty secret but is sometimes best left hidden away from others. My grandmother kept every personal document and bill under lock and key.  She wouldn’t give anyone her SSN or even her middle name unless they showed her a government ID, and even then it was after much resistance. When I see these companies providing identity theft protection services, I think of my grandmother. It is her generation that maintains that level of commitment to privacy, not ours.


Our generation still respects the idea of privacy. We’re just not as steadfast. We invest in curtains and aren’t too gabby with our neighbors. We still have a few secrets, but we have become more than comfortable putting most details of our lives online. We email, share pics and status updates, file our taxes, fill out government forms, enter our email address everywhere, and blindly agree to dozens of contracts each year (EULAs and terms of service). We look through the details of what the new app we downloaded will access, huff and puff for a bit about why it needs what it needs, and then reluctantly agree to its demands because desire wins over caution.

When we read about breaches that result in thousands of emails and passwords being stolen, we still care, but we don’t rush to change our passwords. Our online behavior goes unchanged. Our level of sharing goes unaltered. We might not shop at Target for a few months, but we will return again, with our credit cards in hand. It is this awareness of risk with little personal effort to combat it that proves the fight for privacy and security is dying. We are connected. We are plugged in. There is no turning back. The idea of reverting to offline banking and consumerism is laughable. A want for knowledge and access combined with forfeiture of privacy is diluting security.

Interest in data breaches will wane, to the point where they are no longer big news, and what seemed of utmost importance will be forgotten history. Now when we see data breach stories we feel saddened by the state of data security but assume things will get better. We think, “New security measures will surely be put in place. Existing ones will be made stronger. It will get better.”  But, like generations before us, our generation is giving way to new thinking and new ideas of privacy. The new Internet is one of openness and perpetual unfiltered documentation, not privacy and selective sharing. What impact will that have on the future of security, when the need for privacy lessens? If our dying generation is the last one concerned over privacy, what motivation is there for these security enhancements?

In this series of posts I will describe the possible futures of the privacy plate shift we’re riding right now and how it relates to the landscape of security. (I will post each future separately so there may be comments on each.)

Next post: Future 1. Individuality is practically gone. If privacy is only a concern for the singular person then a collective needs no privacy.

Do you have examples of privacy perspective changes you’ve made over time? Have you resisted personal data sharing or online activities out of concern for security or privacy?

How to survive Apple’s big day.

 If you’re like me, you are at best mildly curious to see what Apple unveils at the Flint Center in Cupertino tomorrow.  At worst, you’re dreading the onslaught of Apple news, commentary, and reactions.  If the rumours about the iWatch and iPhone 6 are true, tomorrow could be the most annoying launch day in Apple’s history. 
It won’t be easy, but it is possible to get through tomorrow without being bombarded.
  • Don’t turn on the TV.  There will be speculation about what will be revealed, what effect it will have and why we should care.  I can assure you that it won’t be all that interesting.
  • Do not turn on your radio on the way to work.  If you still listen to traditional radio in your car, now might be a good time to look into streaming services, satellite radio, mix tapes, audio books, meditation, anything.
  • When you get to work, avoid anyone wearing an Apple shirt.  Just skirt around them à la Office Space.  If they’ve chosen today to show their undying support for a brand, you don’t want to talk to them.  Trust me.
  • Turn off all updates on your phone.  Twitter, LinkedIn, Instagram, Vine, Facebook, Flipboard, all of them.  Do the same on your computer. Uninstall your browsers if need be. Filter all emails with Apple in the subject line to your junk mail.  You may not think that certain feeds will be filled with Apple gushing, but you’ll be wrong.

At some point during the day, someone will probably want to talk to you about an iSomething.  I have two surefire strategies for this scenario.  For the more casual conversation partner, I suggest a quick change of topics.  Ignore the question completely and ask them about something else they care about.  How’s your kid doing in softball this year? or You look great, are you exercising?  The key here is to sound really excited to talk to them.  I’ll leave it to you to decide whether hearing about little Billy’s last home run is better than hearing about how “revolutionary”, “game changing”, or “disruptive” the iWatch will be.

If they have the glazed eyes and sweaty palms of a rabid fan boy, they will need something a little more…jarring.  If you can feign a good cry, do it now.  Clutch your mouth and start sobbing. Maintain eye contact for a few seconds before running away while flailing your arms.  If you can’t cry on demand, I’d substitute an urgent bathroom trip. Key here is a sudden look of surprise mixed with sheer terror.  Exit the area immediately with one hand on your stomach and the other on the seat of your pants.
If you can make it through the work day, you should be home free.  Just remember to stay away from any sort of live news or comments.  It’s not easy, but it can be done.  Things should be back to normal in a couple of days.  Of course, it may just be easier to call in sick and cocoon yourself in bed until the hysteria subsides.  Good luck.

Photos courtesy of theapplecollection.com

Blackshades Breakdown

Photo: FBI.gov
The last couple of weeks has been dominated by talk of Blackshades and the FBI crackdown on those using it.  We did a number of media interviews around Blackshades and here’s what we think people should really be focusing on:
The price:  At $40.00, Blackshades was a bargain.  Such a low entry point is great for mass adoption and a quick payday.  Mass adoption however, stirs up attention from law enforcement.  While the FBI managed to make almost 100 arrests, I doubt that any of those are what we would consider high value targets.  
The Response:  The FBI has made a lot of noise about this operation, and rightly so.  The scale of the operation was huge, involving 300 searches in 19 countries.  With almost 100 arrests, it’s clear that the FBI has gotten better at working with their counterparts around the world.
Sadly, while the FBI is bringing justice to those using the Blackshades malware, the NSA is busy doing the exact same thing that the people arrested were.  I think it’s safe to say that their software cost a lot more than $40 though.
Blackshades gives people something to be scared of:  
Let’s face it, the general public just doesn’t care about their privacy as much as we might like them to.  If their credit card info is stolen, the bank picks up the tab.  Someone might read their emails or gain access to their social media accounts?  They’re already posting most of their personal lives for all to see anyway.

What people are scared of is someone posting naked pictures of them online.  The webcam functionality of malware is usually of little concern to security folk.  It is, however, a big concern for the average citizen.  Having to replace your credit card is an annoyance.  Naked pics of you being passed around your school or workplace is something that might actually elicit a change in behaviour.

Heartbleed: What Do I Do?

The KeePass Password Safe icon. (Photo credit: Wikipedia)

You’ve probably read a little about Heartbleed by now, whether or not you understand the details. For additional reading you can visit heartbleed.com. Either way, you are, and should be, worried about whether this affects you directly. The answer: probably. Not all sites and software use the vulnerable versions of OpenSSL that Heartbleed hits, but many do. For sites that are currently vulnerable, you need to confirm that the site owners have fixed the issue BEFORE changing your passwords; a new password typed into a still-vulnerable site can leak just like the old one did.

How do you do that? Go to Heartbleed Test or Heartbleed Checker and type in the site you’re worried about, such as your banking site.

If it comes back green it was either fixed or never had a problem. I recommend a password change anyway. You are probably overdue for one.

If it comes back red, check back again later until it comes back green. Then change your password.

I think you’ll find at this point that many sites have fixed the issue, but it can’t hurt to check.
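The checkers mentioned above work by sending a heartbeat request and watching what comes back. As an added example, not code from the original post or from those checkers, the Python below parses TLS records offline, reports whether a ServerHello advertised the heartbeat extension (RFC 6520, extension type 0x000f), and flags heartbeat messages whose declared payload length cannot fit inside the record, which is the shape of the Heartbleed probe. The sample records are constructed in the script, not captured traffic. Two caveats: a server that offers the heartbeat extension is not necessarily vulnerable, and a patched server simply drops a malformed request, so this logic detects probes on the wire (for example in a capture or an IDS) rather than proving that a site has been fixed.

```python
import struct

# Added example: offline TLS record inspection for Heartbleed-style probes.
# All sample bytes below are constructed for the example, not captured traffic.

TLS_HANDSHAKE = 0x16
TLS_HEARTBEAT = 0x18
HANDSHAKE_SERVER_HELLO = 0x02
EXT_HEARTBEAT = 0x000F          # heartbeat extension type, RFC 6520
MIN_HEARTBEAT_PADDING = 16      # RFC 6520 section 4: padding is at least 16 bytes


def parse_tls_records(data):
    """Split a byte stream into TLS records as (content_type, version, body)."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def server_hello_extensions(body):
    """Return the extension types carried by a ServerHello handshake message."""
    if not body or body[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    pos = 2 + 32                       # protocol version + 32-byte random
    pos += 1 + msg[pos]                # session_id length + session_id
    pos += 2 + 1                       # cipher_suite + compression_method
    if pos >= len(msg):
        return []                      # no extensions block at all
    ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end, types = pos + ext_len, []
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", msg[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + length
    return types


def heartbeat_is_malformed(body):
    """True when a heartbeat message claims more payload than the record carries.

    RFC 6520 layout: type(1) | payload_length(2) | payload | padding(>=16).
    A request declaring 0x4000 bytes of payload in a 3-byte body is the probe.
    """
    if len(body) < 3:
        return True
    declared = struct.unpack("!H", body[1:3])[0]
    return 3 + declared + MIN_HEARTBEAT_PADDING > len(body)


def inspect_stream(data):
    """Summarise a TLS byte stream: heartbeat offered? malformed heartbeats seen?"""
    report = {"heartbeat_offered": False, "malformed_heartbeats": 0}
    for ctype, _version, body in parse_tls_records(data):
        if ctype == TLS_HANDSHAKE and body and body[0] == HANDSHAKE_SERVER_HELLO:
            if EXT_HEARTBEAT in server_hello_extensions(body):
                report["heartbeat_offered"] = True
        elif ctype == TLS_HEARTBEAT and heartbeat_is_malformed(body):
            report["malformed_heartbeats"] += 1
    return report


# --- constructed sample traffic ----------------------------------------------

def tls_record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def build_server_hello(extensions):
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    msg = (b"\x03\x03" + bytes(32)      # version, server random
           + b"\x00"                    # empty session id
           + b"\xc0\x2f" + b"\x00"      # cipher suite, null compression
           + struct.pack("!H", len(ext_block)) + ext_block)
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(msg).to_bytes(3, "big") + msg


HELLO_WITH_HEARTBEAT = tls_record(
    TLS_HANDSHAKE, build_server_hello([(0xFF01, b"\x00"), (EXT_HEARTBEAT, b"\x01")]))
HELLO_WITHOUT_HEARTBEAT = tls_record(
    TLS_HANDSHAKE, build_server_hello([(0xFF01, b"\x00")]))
# well-formed request: 4-byte payload plus the mandatory 16 bytes of padding
BENIGN_HEARTBEAT = tls_record(
    TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16))
# Heartbleed-style probe: declares 16384 bytes of payload and sends none
PROBE_HEARTBEAT = tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000))

if __name__ == "__main__":
    print(inspect_stream(HELLO_WITH_HEARTBEAT + BENIGN_HEARTBEAT + PROBE_HEARTBEAT))
    print(inspect_stream(HELLO_WITHOUT_HEARTBEAT + BENIGN_HEARTBEAT))
```

Feed `inspect_stream` the bytes of one direction of a connection (for instance the server-to-client side reassembled from a capture) to see whether heartbeat was negotiated, and the client-to-server side to count probe-shaped requests. The length check is the same rule the early Heartbleed IDS signatures used: the record is shorter than the three-byte header, the declared payload and the minimum padding combined.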

For those who are interested in the related CRA website shutdown from Heartbleed, read this story as well: ctvnews.ca.


Congratulations to our big winners at RSAC 2014!

The Defence Intelligence road crew has arrived back from RSA Conference 2014 and wanted to take a moment to thank everyone who came out to visit our little piece of Canada at the event.  It was great to see so many current and future clients and to talk to them about what makes us unique in the space.

We gave out thousands of maple syrup candies, hundreds of DI hockey pucks and got to gloat a little about the Olympic hockey wins.  We are also proud to announce the big winners of our draw:

1st Prize:  1 year FREE Nemesis Advanced Malware Protection Service (up to $25,000.00) and a signed Jean Beliveau NHL jersey

Winner:   Patrick Russ – Wells Fargo

2nd Prize:  Free Harbinger Network Risk Assessment and a Canadian olympic hockey jersey

Winner: George Ribeiro – RingCentral


3rd Prize:  Free Harbinger Network Risk Assessment (20 units)

Winners: Contacted via email

Thanks again to everyone who stopped by to see what the hockey jerseys were all about, we’re looking forward to next year already.

A big thank you must also go out to Travis and Julie from Owly Design for tolerating our constant stream of edits and to our Taqueria Angel for keeping us fed.

Next week, the RSA® Conference 2014, one of the largest security conferences in the U.S. will take place at the Moscone Center in San Francisco. We’ll be crossing the border and bringing Canada to the US.
Come meet our staff, we will be wearing the very latest in Canadian fashion and giving out our official puck. You can enter to win one of our three prizes, eh. 
First prize: 1 year free Nemesis security service (up to $25,000.00) and a signed Jean Beliveau hockey jersey
Second prize: Free Harbinger network risk assessment and a Canadian Olympic hockey jersey

Third prize: Free Harbinger network risk assessment
Come see us at South Expo booth 2528, just follow the smell of maple syrup….you won’t be sorry.

We’re putting the Eh in RSA.