Friday, June 20, 2014

The Future of NYC Is Up For Grabs...

As many of you know, last year, at the request of every law enforcement entity in NYC, I was asked to run for City Council.  Why?  Because then NYC Councilman Mark Weprin of the 23rd District, where I live, lied to police officers at every rank and put them in personal legal jeopardy.

The pivotal campaign issue was all about something called Local Law 71, the Community Safety Act of 2013.   For nine months, former mayoral candidate Bill DeBlasio and NYC City Councilman Mark Weprin hammered the NYPD and asserted that it was out of control, violating everyone's rights out of hand (stopping and frisking anyone in sight).  The law, the NYS Criminal Procedure Law and case law shape the circumstances under which search and seizure may occur and when a police officer's common right of inquiry for Stop, Question and Frisk can occur.  Local Law 79, on page two, for the first time places NYC police officers in defined personal legal jeopardy, which today NYS Supreme Court Judge Singh just affirmed.  Police officers will not be covered by the City Law Department, which is the usual case for city workers carrying out their paid function.  Anyone can simply file a lawsuit against a police officer, and those officers will be forced to defend themselves, their families, reputations, estates, assets and more out of pocket.

The magnitude of this law is far-reaching, and with the stroke of a pen it has "handcuffed" the NYPD from conducting even lawful Stop, Question and Frisks for fear of legal jeopardy coming into play.  Anyone, anywhere can choose to sue them personally.  No wonder shootings in NYC are up 13% for the first six months of 2014 and up 1800% in the confines of the 75th Precinct for the current 28-day period.  Bad law has consequences, and if there ever was a bad law with horrible consequences, this law is the poster child. Remember, as a result of past NYPD activities in NYC, over 7700 people are alive today, not in some affluent community but in the harshest places NYC police patrol.

Today, Ed Mullins president of the NYC Sergeants Benevolent Association spoke out as a result of a NYS Supreme Court ruling.  Here's what he had to say:

Some Excellent Advice That Should Definitely Be Heeded [Applicable to All Ranks]

NYPD members can be SUED! - State Supreme Court Judge Anil Singh
By Ed Mullins — Thursday, June 19th, 2014; 4:42 p.m.  ‘Sergeants Benevolent Association E-mail’

On Wednesday, June 18, 2014, State Supreme Court Judge ruled members of the NYPD who engage in Stop, Question and Frisk can now be sued in accordance with the provisions of Local Law 71 as passed by City Council.

Once again I remind each of you, this law impacts your career, family and overall well-being.

As you go to work each day, your only assignment is to return home to your family. The POLITICIANS and the PEOPLE of this city are NOT SUPPORTING you, make no mistake about it!

Shootings are on the rise and gun arrests are down.  DO NOT jeopardize your safety, careers and pensions!  We are currently exploring an appeal.

Below is a summary of Judge Singh’s decision.

The court made three rulings. First, it ruled that the SBA and PBA had standing to challenge Local Law 71 and had properly brought suit against the City Council on behalf of their members.  Second, it ruled that Local Law 71 is not preempted (and thus not invalidated) by state law, either because the state occupies the field of criminal procedure or because Local Law 71 conflicts with state law.  Third, the court ruled that Local Law 71 is not unconstitutionally vague.

1- The court determined that the SBA and the PBA had standing to challenge the law because the availability of lawsuits against police officers, including the potential for police officers to be held individually liable for attorneys’ fees and costs that would not be indemnified, was an immediate threat of harm.

2- The court therefore rejected the City Council’s argument that the harm to police officers resulting from Local Law 71 was speculative.

3- The court also agreed with the SBA and PBA that the reputational harm that would result from such lawsuits was an injury that could be protected in courts as a matter of law.  The court found that the SBA and PBA as organizations had properly brought suit on behalf of their members, because their mission and core function is to protect the rights and interests of law enforcement officers.

4- On the issue of whether Local Law 71 is preempted by the New York Criminal Procedure Law (the “CPL”) as an impermissible intrusion into the field of criminal procedure, the court concluded that the two laws exist in two different fields, because Local Law 71 is not a criminal procedure law, but rather a civil rights law.  Noting that other municipalities have similarly enacted laws regarding civil rights, including racial profiling laws, the court observed that Local Law 71 does not prevent police officers from making stops, and that it simply creates consequences for police officers who engage in bias-based activities.

5- The CPL, according to the court, applies only to criminal prosecutions and procedural rights of defendants.  In effect, the court agreed with the City Council that the CPL governs only matters that occur in criminal court, and found that, because investigative stops occur outside of court, they are not covered by the CPL.

6- The court further found that Local Law 71 does not conflict with the CPL because it does not place any restrictions on a police officer’s ability to stop, question, and frisk an individual beyond those established by the Supreme Court in Terry v. Ohio and by subsequent related cases.  Instead, the court found, it requires only that a police officer consider an individual’s behavior or other circumstances linking the individual to criminal activity.

7- According to the court, prohibiting the use of race or another protected characteristic as the “determinative factor” in making a stop is consistent with state and federal law, and a stop that was based on such a characteristic would not satisfy the Terry standard in any event.  Because Local Law 71 does not set a higher standard for stops than what is already required, the court reasoned, it is not inconsistent with state law. Nor, the court found, does Local Law 71’s use of a subjective standard result in a conflict, because, regardless of whether the stop is viewed objectively or subjectively, the same factual basis must exist before the stop can lawfully occur.

8- The court disagreed with the SBA and PBA that Local Law 71 is unconstitutionally vague.  While the court acknowledged that in some circumstances Local Law 71 operates in a “grey area” because of the lack of definitions of its terms, it concluded that courts and administrative bodies could develop meanings for those terms over time, as cases come before them.  The court also emphasized that the phrase “determinative factor” originates from the NYPD’s own internal anti-profiling policy, and asserted that the NYPD had acknowledged in a FINEST message that Local Law 71 is consistent with NYPD policy and training concerning investigative stops.

 / s /

Ed Mullins

Elections have consequences, and NYC just spent twenty years cleaning up the streets of New York.  Police officers are human beings and, as such, with guidance from supervisors and union leadership, will find themselves hard pressed to aggressively fight crime in our city, especially as case after case winds its way through the courts.  Which NYC police officer wants to be the test case to see if he or she acted within the scope of this new law?  We say few will opt in to make themselves an example for all others to follow.  As such, the NYPD is pulling back, and today we can begin to see the results starting to crystallize.  The 75th Precinct is notably one of the toughest places in the City to work.  Crime and violence are now returning to the streets, the City Council is demanding more police officers to patrol the street (the cost of this bad law is already showing), children are stabbed during daylight in elevators, and people are shot openly in the streets as crime, disorder and fear once again return to NYC.

This is a sad day for the City of NY.

Thursday, June 12, 2014

Careful What You Wish for

Trust is at the core of Integris Security LLC

Have you ever wondered where to start in securing your computer operations?  It's natural to be concerned and to suffer from some anxiety. Be careful what you wish for, because when some people apply for CSO or CISO jobs they may suddenly find that they got what they wished for.  Now what?  Where do I start, what comes first, yikes, I need priorities, but where?

Integris Security LLC, with the help of some of our friends from the NY InfraGard Thursday conference call, came up with some great resources which you should become familiar with.  We also discussed ISO 27001 at some length.  It was the conclusion of the callers that the ISO standards are written to be very broad and do not focus the security professional on what needs to be done with any given priority.  The ISO standard could lead you down an unfocused road without clear priorities about what's really important for your organization.

Here are some focused security and risk management resources:

Security professionals need to have a full understanding of the environment which they are securing.  These men and women need to be able to explain to others why we need this control, that defensive tool, etc.  The security professional needs to be intimately involved with the infrastructure and provide a solid understanding of every facet of the operation.  This work takes dedication: endless time and energy that becomes the life and work product of a CSO/CISO.

CSOs and CISOs would do well to build a set of books describing the environment that they have been hired to protect.  In these books should be the SANS twenty controls.  Each control should be explained in detail and a record of examination clearly maintained, so that each fresh security face looking at the systems will not have to hunt for the documentation.  This is part of your audit trail.

Why SANS? The SANS organization has distinguished itself as an expensive but outstanding security organization from which excellence is derived.  The SANS Top 20 security controls are maintained and updated so that security professionals can be assured they are addressing the top known threats.

How can a true security professional even begin to contemplate securing an organization's assets without knowing the environment inside and out?  It is impossible.  If your organization needs assistance in understanding these and other security issues, give Integris Security a call and let's get started today.

Trust is at the core of Integris Security. We can be counted upon to provide you with the services and intelligence to keep your information, systems and institution secure. Call us and let's get to work on improving your security/risk posture.

Monday, June 9, 2014

What's Your Risk Tolerance?

Where's your army?

At Integris Security we're asking the question: who do you have protecting your data and your information?  What's your risk tolerance?

Do you have an army of security professionals that are well trained and well informed?  If you are new to your environment have you conducted a full audit and/or do you have a full audit program in place?  Are you truly ready for a Red Team to come in and test your defenses?

If you're not scanning, testing and performing a critical analysis of your systems, people and workplace, then you just aren't testing, and you might as well leave the front doors open, leave the user IDs and passwords on the desk all day long, and not purchase another defensive tool.

At Integris Security we perform system scanning as a good low-level way to reveal vulnerabilities and to create a punch list to work on.  We conduct penetration testing because it takes testing several steps deeper and provides a full analysis of what's going on inside your environment.  But while all of these things are good, they are really not good enough.  A network topology and architecture review would also be a great start, but still not good enough.  You need to understand your risk tolerance.  In order to do this you need to understand your total environment.

An ISO 27001 certification is a top-down inside look at your environment.

ISO/IEC 27001:2005, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

If you're sitting on the board of a company, it should be something you have in your binder, and it needs to be maintained annually with weekly, monthly, quarterly, semi-annual and annual updates.  This is a fact-driven file that all discussions emanate from.  This certification is something every new CEO should be given once the keys to the kingdom are in his/her hands.  Every single discussion concerning future enhanced functions coming into a company needs to flow from this certification.

Consider, if you would, driving a car without knowledge of how much gas you have left, or of whether your signals or headlights are working.  You would effectively be driving blind.  Don't drive blind; know what's going on around you and respect the incredible complexity which is driving your company's profit center.  Become informed, and challenge operators on both the security team and the business team to bring all the facts to the table.  Make an informed risk tolerance decision.

How can you even begin to know your risk tolerance if you don't know what's in your wheelhouse?  Call Integris Security and let's get informed together.

Trust is at the core of Integris Security. We can be counted upon to provide you with the services and intelligence to keep your information, systems and institution secure. Call us and let's get to work on improving your security/risk posture.

Friday, June 6, 2014

Blackshades: an international hazard

It is important to note, as I start this discussion, that while malware today is portrayed as dangerous, destructive and part of a criminal enterprise, viruses, worms and trojans were, and sometimes continue to be, little pieces of code which help automate things.

The very first virus written wasn't an assault on a major banking institution; rather, it enabled a programmer to automate repetitive or tedious tasks.

With that said, the FBI has recently reported in a sterilized press release that the international Blackshades operation has been taken down.  What we don't read in the release is perhaps as instructive as what is placed on paper.  That is a good reason to dig a bit deeper and try to wrap a little context around all the fanfare.  This isn't about using limited FBI resources on taking down just any cyber criminals.

For those of you who followed me at InfraGard, we produced a weekly IGtv program in which I spoke with security professionals from the world over.  In this weekly Internet show I interviewed a number of professionals from RSA Security's Israel lab.  During these reports and discussions we learned that the world of malware had developed from a freakish, once-in-a-while, mad-scientist type of thing to a very purposeful black-market type of business operation.  Blackshades is not some backroom mad scientist; rather, they are business people selling software and, as we will learn, much more.  They are careful to insist that those buying their software sign off on a statement of use and legal disclaimers, carefully avoiding international and in-country laws.  Because they are in fact a software company, and a very good one at that, right?

Blackshades develops many different types of software, and the one that focuses our attention is the RAT (remote application tool).  There are many variations of the RAT, and the focus of our post here is Blackshades NET.  In researching Blackshades we found it useful to also take a look at DarkComet, another RAT with some pretty good potential but not nearly as powerful as Blackshades.  However, DarkComet has a history in international affairs which is useful reading as we move forward to learn more about Blackshades.  We can see how the development of software has worked its way into state-sponsored actors.  Recall how Russia used technology to kill communication lines prior to the invasion of Georgia, and now Ukraine.  DarkComet has played a role in Syria.  So pay close attention when we talk about the functionality of Blackshades in comparison to DarkComet; it becomes increasingly important why the FBI would get involved and purposefully release a sterile press release on the takedown.

Blackshades is distributed through some common social media channels as well as phishing attacks, P2P channels and much more.  All very common and known to the industry.  Its functionality dwarfs DarkComet's in comparison.  As Malwarebytes states:

"The BlackShades web site mentions a lot of the functionality the RAT is capable of, from various system administration functions to surveillance functions and computer security.  It doesn’t actually mention ALL of its functionality, as we will discuss, and I think that they might have a hard time explaining on their website the purpose of some of the following functions."

This software toolkit is explosive and is used to hijack websites with its ransomware, which basically locks you out of your site or maybe encrypts everything (no key provided) until such time as you pay the fee.   Another interesting aspect of Blackshades is the Facebook Controller, which basically takes over your account and posts for you.  Remember, it is said that one in fourteen people in the world are on FB.  Most FB users aren't aware that "always on" means that if the software is exposed to you, even if you are logged off the web and you're still on FB, Blackshades will for sure take over.  Logging in and out is a pain, but in today's security environment it is a MUST do.  So when a nation state is acting, it uses many channels to build or tear down a point of view, a surveillance, etc. This tool has built-in DDoS and other attack capabilities as well as Java exploits.  But more importantly, as Brian Krebs reported:

“Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag,” wrote Brian Krebs of Krebs on Security. “The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool.”

As stated by Symantec, the Blackshades tools (RATs) are popular with cyber criminals and state actors like Libya and Syria.  For forty to fifty dollars one can acquire a very effective software product which can be very destructive, a product which has helped underground elements to extract millions of dollars from companies the world over as well as some governments.

In summary, Blackshades, which infected over 500,000 computers worldwide, is a more nefarious piece of software than its predecessors and than anyone is letting on, and in hindsight the FBI takedown is a signal to those "business people": look out, we're watching and we're on top of it.  Ninety arrests in 19 different countries is telling about the scope and depth.  Uncertain is whether this is nipping at the edges or taking out the command-and-control (C/C) capabilities and the principals involved.  Most likely the FBI is both happy for the case and noticeably reluctant to say game over.  This snake will continue to slither in and out and pick up again under another name with more willing players looking to strike it rich quick.  Malware is no longer the mad scientist; it's hit Main Street and the profit center.  Malware is making millions for some of those willing to take the risk of getting caught.  Malware has also taken center stage as a component of state actors.  International cyberwarfare is now our reality and has been for some time.  If you weren't aware, you'd do well to read up.

More Info:

In the Bureau's custom of sharing the most accurate, vetted information, they updated others today with the latest figures:

Arrests: 103
Searches: 375
Interviews: 163
Countries involved: 18
Approximate victim computers globally: 700,000

Wednesday, June 4, 2014

Intolerant NYC Council Successfully Handcuffs NYPD, resulting in the return of Crime, Disorder and Fear to the streets of NYC

What's surprising is the NYC Council members don't want to own the result of their actions in passing the NYC Community Safety Act of 2013. In our Queens District, City Council Member Mark Weprin needs to take ownership for a law he personally shepherded into NYC. He and others have now reintroduced Crime, Disorder and Fear on the streets of NYC. The City Council passed this law against the advice and experience of every level of Law Enforcement in NYC - 500 years of experience. But Mark Weprin and the City Council knew better and now they own the results.

Members of the police department have heard him and others in the City Council loud and clear. Police Officers in NYC will be sued personally, their families, homes and incomes placed in legal jeopardy should someone "feel" their rights have been violated.

As we stated in our campaign for City Council (one with historically low voter turnout), and we'll state again here for the record: those least capable of representing and protecting themselves would be hurt first, the poorest of NYC. It pains me greatly to see the crime stats and headlines come true. But it was a predictable reality.

Now the NYC Council needs to take ownership of a VERY BAD law that only lawyers could draw up under the crafty title of Community Safety Act. Very crafty, very tricky, but it is now a loss leader for all who live in NYC.

Stop, Question and Frisk was not a legal problem in NYC, it was very much a management issue. Now the City Council and Mark Weprin own the result. Yes, I'm pushing it because kids just don't deserve the harshness which City Council members just don't seem to get. I take no pleasure in being right, I am sick over the headlines and predictable results.

Shame on the NYC Council for failing to do the hard work in the first instance, that is, holding the NYPD to account for training and discipline in oversight and hearings. For failing to talk it out with borough- and precinct-level commanders. For failing to properly educate the public on the real issues.  For the poorer communities of NYC it's not about quality of life, it's about survival.

The next time you send the kids out to get ice cream, remember the little boy in East New York.  Think hard about who you vote for; elections have consequences.  The security of the people is job one of any elected official.  Failure to provide that blanket of security, notwithstanding all of the problems, should be a basis for forfeiture of office.

Sad, very, very sad. I am distressed for the parents who now have to bury their children. Just incredible... and yes, very preventable.  This isn't a Police Department problem; it's a failure of leadership by our elected officials right here in NYC, hell-bent on doing anything they can to get re-elected.

Patrol Borough Brooklyn North, 75th Precinct

Tuesday, June 3, 2014

Uncertainty, risky first half of 2014... the year of the hack?

Pushing the buttons of millions of individual Americans is the fact that their accounts have been hacked, according to Larry Ponemon of the Ponemon Institute in a study conducted for CNN Money.  Ponemon's study gauged that 47% of adults had their accounts hacked during 2014, which may soon become known as "the year of the hack".  That's just about half of all adults in the United States.

The fascinating numbers come on the heels of the Target breach, which we have been discussing on this blog, and don't include the millions in the latest eBay breach.  It's raining on the American public as millions of personally identifiable information (PII) records are exposed.  Here are the facts and figures Ponemon and Jose Pagliery of CNN have dug up for CNN Money:

"Cyber attacks are growing so numerous that we're becoming numb to them. Researchers at IT company Unisys (UIS) say we're now experiencing "data-breach fatigue." Even the most recent numbers make for a dizzying list:

More numbing than the facts and figures presented by the Ponemon Institute for CNN Money is the fact that the industry as a whole has not adopted better and well-known security practices.  Need I go on?  For ten years industry has been digging a hole deep in the sand and sticking its proverbial head in the hole.  See my blog post on accountability.

Let's not blame it on companies looking at profits; after all, isn't that why companies are in business to begin with?  However, we too pause when companies select tactical gains to satisfy quarterly earnings statements, and maybe to make themselves look good, as opposed to the overall strategic growth and health of a company or corporation.  Read: responsibility to shareholders and company employees. To some extent the risk vs. reward discussion will come up, and when presented, executives will nervously select profits.  Until boards reflect the knowledge, skills and abilities necessary to make both tactical and strategic management decisions, we will continue to see the deep decline and clearly the never-ending "year of the breach".  Operational executives will respond in kind when boards of directors begin to ask the thorny questions, which should focus on the strategic growth of the company.  Employees will then be motivated and hear the clarion call from on high when the CEO comes back from the board meeting and says: they want more security and assurance before we can bring that function on board; who certified that code, who tested it, and who has taken ownership of the relationship with the software team?

Here's hoping that the second half of 2014 is the year of boards of directors active and attuned to what is going on not only in the front office but in every office.  That function continues to thrive and work closely with, if not right next to, the security team.  That multi-factor authentication is used not just for outsiders, but for insiders as well.  That outside relationships are clearly defined and SLAs (service level agreements) are scoped out to protect both the vendor and the company.  That data, whether held in a planet-sized computer terminal or a tiny smartphone, is protected and preserved, because we should all enjoy a level of privacy.   That when we buy the state-of-the-art upstream gadget that detects attacks, and when alarms go off and people start screaming at the top of their lungs, someone will listen and will have been properly trained on the use of the gadget, and that it is properly configured. All very hopeful that the year end will be better than the start.  The future is now before us.  Let's see how we do!

Good luck everyone!