An Unpatchable Nightmare Is Developing.

I remember October 21, 2016, reasonably well. I had sat down at my computer to catch up with friends on Twitter, read the latest news from my favorite blogs (Krebs on Security, Rapid7, and Radware), find some good tunes on Spotify, and then begin a new project for a new client. It was not long before it was readily apparent that something was terribly wrong.

There was an attack underway.


Later, I learned about the attack. It targeted Internet-connected IoT devices, particularly those running Linux and still using factory default credentials (the notorious ‘admin/admin’ and ‘username/password’ among them), and turned them into remotely controlled bots that were used together as a botnet in a large-scale, coordinated Distributed Denial of Service (DDoS) attack.


Malware named Mirai infected and took control of an estimated 100,000 IoT devices and used them to flood Dyn, a managed Domain Name System (DNS) provider, with a deluge of malicious lookup requests. Because the domains hosted at Dyn could no longer be resolved, well-known and heavily trafficked websites across North America and Western Europe became unreachable, including (partial list):

  • Airbnb
  • Amazon
  • CNN
  • GitHub
  • Grubhub
  • HBO
  • Netflix
  • PayPal
  • Spotify
  • Starbucks
  • The Swedish Government
  • Twitter
  • Verizon
  • Visa
  • Xbox Live


An attack on the DNS infrastructure can be devastating.

The DNS infrastructure is the backbone of the internet, and there is no substitute for it. Fundamentally, DNS serves as the internet’s phone book, translating a name such as example.com into the IP address a client actually connects to. To simplify it even further: no DNS means no web, email, video, VoIP or any other online service that is reached by name. The Dyn attack never touched the affected companies’ own servers; it only made their names unresolvable, which from the user’s point of view is indistinguishable from the site being down.


An unpatchable nightmare is developing.


A startling number of IoT devices come to market furnished with pre-set default passwords that are very well known to criminals, difficult for the owner to change and nearly impossible to patch. In some device families the telnet credentials Mirai used were hard-coded in the firmware, so even an owner who dutifully changed the web-interface password remained exposed.

Although the industry titans push out regular patches to fix vulnerabilities in their products, many start-ups and smaller companies fall short on this crucial follow-through, and some devices ship with no update mechanism at all.

As more and more sensors become embedded in every part of our society, this problem is only going to intensify. Security can no longer be an afterthought. Instead, it must be introduced as early in the development process as possible.

In the case of Mirai, once a device is infected it immediately begins scanning the internet for other vulnerable devices: it generates random IP addresses, probes TCP ports 23 and 2323 (telnet), and tries a built-in list of a few dozen factory username/password pairs against anything that answers.

Moreover, Mirai will detect rival malware and remove it from memory, and it kills any process bound to the telnet, SSH and web ports (23, 22 and 80) so that neither competitors nor the owner can log in remotely. The bot then connects to a command and control (C2) server, which designates the target of the attack.

Unfortunately, from the owner’s point of view the only telltale signs of infection are occasional slowness and increased bandwidth use; otherwise the infected device continues to function normally. Mirai lives only in memory, so a reboot removes it, but the device is typically reinfected within minutes because its credentials have not changed. On the network, however, the infection is quite visible: a camera or DVR that suddenly opens connections to hundreds of unrelated addresses on port 23 stands out in firewall or NetFlow logs.
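The network-side symptom described above is easy to turn into a detection. The following is an added example (not code from the original post): it parses a constructed flow log of the form "timestamp src dst dport" (a simplified stand-in for a firewall or NetFlow export, not any vendor's real format) and flags any source that fans out to many distinct destinations on TCP/23 or TCP/2323. The fan-out threshold is an assumption to be tuned for your network.

```python
"""Spot Mirai-style telnet scanning in outbound flow records.

Added example, not code from the original post. An infected Mirai bot scans
random Internet addresses on TCP/23 and TCP/2323 looking for more telnet
logins to try, so on the local network it shows up as one source opening
connections to many distinct destinations on those two ports. The record
format ("timestamp src dst dport", one per line) is a constructed stand-in
for a firewall or NetFlow export, not any vendor's real format.
"""
from collections import defaultdict

TELNET_PORTS = {23, 2323}


def sample_flow_log():
    """Constructed sample log: 192.168.1.50 sweeps twelve different hosts on
    the telnet ports within a minute, while 192.168.1.20 behaves normally."""
    lines = []
    for i in range(12):
        port = 23 if i % 2 == 0 else 2323
        lines.append("2016-10-21T11:10:%02d 192.168.1.50 203.0.113.%d %d" % (i, i + 1, port))
    lines.append("2016-10-21T11:10:30 192.168.1.20 198.51.100.10 443")
    lines.append("2016-10-21T11:10:31 192.168.1.20 198.51.100.11 443")
    lines.append("2016-10-21T11:10:32 192.168.1.20 10.0.0.2 23")  # one admin telnet session
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into tuples; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, dport = parts
        flows.append((ts, src, dst, int(dport)))
    return flows


def find_telnet_scanners(flows, min_distinct_dsts=8):
    """Return {src: distinct_destination_count} for every source that contacted
    at least min_distinct_dsts distinct hosts on TCP/23 or TCP/2323.

    The threshold is a tuning assumption: an admin host may telnet to a handful
    of switches, but nothing benign fans out to dozens of unrelated addresses
    on the telnet ports.
    """
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_distinct_dsts}


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(sample_flow_log())).items():
        print("possible Mirai scanner: %s contacted %d hosts on telnet ports" % (src, n))
```

Run against a real export, the same grouping works on any record format that carries source, destination and destination port; the one legitimate telnet session from the admin host stays below the threshold, while the scanner is reported with its fan-out count.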


Then, just before the first anniversary of the Mirai attack, Check Point Software researchers disclosed the existence of an even more advanced IoT botnet dubbed ‘IoTroop’ (also tracked as ‘Reaper’). Unlike Mirai, it does not rely on default passwords alone: it exploits known vulnerabilities in the devices’ web interfaces, which widens the pool of devices it can recruit to include ones whose owners did change the password.

Moreover, Check Point disclosed that this ‘malware is increasing at a quicker pace than its predecessor the Mirai botnet, which could potentially cause even more considerable damage.’

Finally, Radware’s security evangelist Ron Winward, in his latest blog post, noted that even after the Mirai attack ‘68 of the top 100 US websites still only have a single DNS provider for their domain.’ (Apparently they never heard of redundancy?) The check takes seconds: query the NS records for your domain (dig NS example.com) and see whether the listed name servers belong to more than one provider. If they all sit under one company, that company’s outage is your outage.

Winward stressed that ‘the next attack could be worse if the culprits target the entire global DNS infrastructure by taking down the top DNS providers.’

What Is Really At Stake With The People Part Of The Cyber Equation?


In 2016, the world experienced an enormous uptick in data breaches, numerous ransomware attacks and devastating DDoS attacks. In 2017, the attacks are increasing in number and scope with no slowdown in sight, including the WannaCry ransomware outbreak that hit more than 70 countries on its first day. (WannaCry was widely reported at the time as spreading by phishing email; it actually spread as a worm over SMB using the EternalBlue exploit against unpatched Windows machines, which makes it a lesson about patching as much as about people.) Phishing nonetheless remains the most common entry point: according to a recent PhishMe study, 91 percent of all cyberattacks begin as phishing emails.

In today’s world of technology, human error can be the difference between success and ruination. Nowhere is this truer than in the workplace, where humans are the weakest link.

Case in point: last week I was sitting on the tarmac; my flight had been delayed due to an unruly passenger, which is nothing new these days. However, what happened next was mind-boggling.

The man sitting next to me was talking to his office. He explained that his flight was being delayed upwards of an hour and that he wanted to make use of the time by calling his list of ‘cold calls’; the only thing was, the list was in a Word file on his office computer. Apparently, he had never heard of the cloud.

He instructed his assistant Julia, whom he mentioned by name several times, to turn on his computer, and gave her his username and password three times, very slowly, at a volume so loud it was heard by more than half of the 100+ passengers on the plane.

He then told her that in the future his username and password could be found on a blue sticky note in his top left-hand drawer, which is never locked.

When he hung up with his assistant, he made several cold calls, on each of which he told the same nauseating scripted story. Adding insult to injury, on one call he explained to the prospective client how to avoid the security desk. I was trying not to stare, but by this point that was futile.

So, just what did I learn? (All names have been changed.)

  • His name is Paul XXXXXXX.
  • He is a Senior Vice President.
  • Paul works for a Financial Services Company.
  • His company specifically works with high-net-worth clients.
  • His office is located at xxx Wacker Drive, Chicago.
  • His office is on the XXth floor, on the west side of the building.
  • Sensitive information in his office is not secured.
  • Username is first and last name.
  • His Password for all his accounts is ‘654321′ <= Clever…
  • His Business email is
  • Office Phone number is 872-xxx-xxxx
  • Cell Phone number is 312-xxx-xxxx
  • His personal email is
  • His assistant’s name is Julia, who just had a baby boy 3 months ago
  • He has 4 kids (3 boys, 1 girl), all in Ivy League Universities, that is costing him an arm and a leg.
  • His 3rd wife, Natalie, who cannot cook a meal to save her life, rents high-end Jewelry for a variety of events.
  • This is my favorite: if you do not want to deal with the ‘hassle’ of going through the security desk, there is a side entrance that is always open and will not trigger the alarm system, because the smokers in the building use it as a smoking area, and the elevators are located at the end of the hall.
  • Come up to the XXth floor, knock on the window, and ‘someone will always let you in.’

I thought for sure this has to be a joke and at any minute someone probably dressed in a killer clown suit, was going to jump out and yell ‘Never, ever do this.’ No one jumped out.

The bottom line: how does this happen? Employees know far too little about today’s cyber security threats, and organizations are not doing enough to educate their employees or to protect their clients’ critical data.

It is time for all organizations to act.

It is estimated that the majority of incidents globally involve human error. Cybercriminals know this is an area of weakness; they target it, and more often than not, very successfully.

Cyber security awareness is a process that needs to involve the entire organization. All employees must understand their roles and their responsibilities.

Moreover, all organizations, whether small, medium or large, need to understand where their weaknesses are. A good first step is to conduct cyber-risk assessments through a holistic review of policies and of education for everyone from the C-suite to third-party relationships.

Suggested training activities

  • Educate employees on the need for resource protection, including protecting passwords, locking computers and locking up sensitive information.
    • Never leave your password on a sticky note where it can be stolen. Once it is out of your control, so is your security.
    • Never share your password with a co-worker. NEVER.
    • Create different passwords for different accounts and applications, so that one leaked password does not open every account (Paul’s ‘654321’ for everything is the worst case).
  • Educate employees on why using strong passwords is essential, not a hassle.
    • A strong password should be at least eight characters and should include uppercase, lowercase, digits and special characters like @#?%^&*. Length matters more than any single character class: every extra character multiplies the attacker’s work by the size of the character set, whereas a capital letter or symbol tacked on in a predictable spot is exactly what cracking rules try first.
    • Adding just one capital letter and one special character changes the time to exhaust all eight-character passwords from 2.4 days to 2.10 centuries. Those figures assume one million guesses per second against the full set of 95 printable ASCII characters; a modern GPU rig testing an unsalted MD5 or NTLM hash manages billions of guesses per second, so the absolute times are far shorter, although the ratio between them holds. Think about that!
  • Train employees on the strategies cybercriminals use to compromise networks, including phishing and fake websites, and on how malicious software gets installed by clicking links within emails and downloading attachments from compromised websites.

Frequently conduct unannounced tests. Engage your IT department or outside experts to test employees both in person and by computer using social-engineering techniques. Moreover, employees who routinely fail the tests need to be held accountable for their actions.

Cybersecurity is an enormous problem to address. Training and testing require planning and resources, but preparation is far better than dealing with the aftermath.

A single vulnerability can lead to a data breach, and the theft of personally identifiable information (PII) often proves the most costly and damaging outcome for an organization: negative headlines, financial and reputational penalties, and legal and regulatory sanctions that can quickly escalate into the millions of dollars.


What’s in a password?


So, why would we need to learn about password cracking techniques and the very cool tools used for them? Password cracking plays a major role in cybersecurity. It is the process of recovering passwords from stored hashes or from a live authentication service, used both as a preventive measure (auditing your own users’ password choices before an attacker does) and to locate the weak links an attacker would exploit.

Brute-force attacks try every possible candidate, dictionary words and non-dictionary strings alike. Given enough time, a brute-force attack will crack any password.

However, how long are you willing to wait for that password? For comparison with a cryptographic key: a 128-bit key has 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values (about 3.4 × 10^38). At a billion keys per second, exhausting that space would take roughly 10^22 years. A password is a far smaller target than a key, because its space is bounded by its length and character set rather than by 128 bits of entropy, which is exactly why brute force is practical against short passwords and hopeless against keys. Brute force is often the last resort; the upside is that it will always find the password, the downside is whether you will still be around when it does.

Dictionary attacks try only the candidates most likely to succeed: words from a wordlist, plus the variants produced by mangling rules (capitalization, appended digits or years, character substitutions). A dictionary attack may not crack every password, but it is far faster than brute force. The trade-off is completeness: the attack fails if the password, or a rule-generated variant of it, is not in your dictionary. For example, a password like B#h$7yt is never going to fall out of a wordlist. Note, though, that it is only seven characters: against a fast unsalted hash, brute-forcing the full 95-character set at a billion guesses per second exhausts every seven-character password in under a day, so unpredictability alone is not enough without length.
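To make the brute-force arithmetic above concrete and show what a rule-based dictionary attack actually does, here is an added example (not code from the original post or any of the tools below). It reproduces the 2.4-days and 2.10-centuries figures from the training section under their implicit assumptions, works out the 128-bit key case, and then runs a tiny mangling-rule dictionary attack against SHA-256 digests: a password built from a dictionary word plus a year falls, while B#h$7yt does not. The wordlist, the rule set and the guess rates are constructed assumptions; real password stores should use a slow, salted hash such as bcrypt, scrypt or Argon2, which multiplies every figure here by the cost of that function.

```python
"""Brute-force cost estimates and a rule-based dictionary attack.

Added example, not code from the original post. Plain SHA-256 is used for
illustration only; a real password store should use a slow, salted hash
(bcrypt, scrypt, Argon2). Guess rates and the wordlist are constructed
assumptions for the demonstration.
"""
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size, length):
    """Number of candidate strings of exactly `length` characters over a charset."""
    return charset_size ** length


def crack_time_years(candidates, guesses_per_second):
    """Worst-case time to exhaust a candidate space at a given guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def mangle(word):
    """Yield a word plus a few common variants. Real crackers (John, hashcat)
    apply hundreds of such rules; this is a deliberately tiny subset."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        leet = base.replace("a", "@").replace("e", "3").replace("o", "0")
        for cand in (base, leet):
            for suffix in ("", "1", "123", "!", "2016", "2017"):
                c = cand + suffix
                if c not in seen:
                    seen.add(c)
                    yield c


def dictionary_attack(target_hex, wordlist):
    """Return the plaintext whose SHA-256 equals target_hex, or None if no
    mangled dictionary word hashes to it (the dictionary attack's failure mode)."""
    for word in wordlist:
        for cand in mangle(word):
            if sha256_hex(cand) == target_hex:
                return cand
    return None


WORDLIST = ["password", "apple", "welcome", "dragon"]  # constructed, tiny


if __name__ == "__main__":
    # The training section's figures: 8 lowercase letters vs. 8 printable-ASCII
    # characters, both at one million guesses per second.
    print("26^8 at 1e6/s: %.1f days" % (crack_time_years(keyspace(26, 8), 1e6) * 365.25))
    print("95^8 at 1e6/s: %.0f years" % crack_time_years(keyspace(95, 8), 1e6))
    # A 128-bit key at a billion keys per second, for comparison.
    print("2^128 at 1e9/s: %.2e years" % crack_time_years(2 ** 128, 1e9))
    # A dictionary word plus a year falls to a rule; B#h$7yt is in no rule's output.
    print(dictionary_attack(sha256_hex("Apple2016"), WORDLIST))
    print(dictionary_attack(sha256_hex("B#h$7yt"), WORDLIST))
```

Change the guess rate to a few billion per second to see how the same eight-character passwords look against a GPU and an unsalted fast hash; the lesson is that the exponent (length times character-set size) is what you control, not the attacker's hardware.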

Rainbow table attacks are by far the fastest method of cracking an unsalted hash, because the expensive work, computing the hashes, has been done in advance. For a basic example of hashing, say your password is Apple. After hashing, what gets stored is a fixed-length string of hex digits that bears no visible relation to the word Apple. Woo hoo, it is secure.

Not so fast. Hashing is a one-way function, meaning you cannot run it backwards to recover the plaintext from the digest. That is not the end of the story, though: rainbow tables are humongous precomputed structures that, for a chosen hash function and password space, let you find a plaintext for a given digest with only a little work at lookup time. They are a time/memory trade-off: instead of storing every (password, hash) pair, the table stores chains in which a hash is repeatedly ‘reduced’ back into a candidate password and hashed again, keeping only each chain’s start and end point.

Essentially, these tables allow anyone to reverse the hashing function for passwords within the covered space and determine what the plaintext password might be. Additionally, since a hash function maps many inputs to the same fixed-size output, it is not strictly necessary to find the original password, only some input that produces the same hash; as long as the hash matches, the system accepts it. Two defenses kill rainbow tables: a per-user random salt (the table would have to be rebuilt for every salt value) and a deliberately slow hash such as bcrypt, scrypt or Argon2, which makes the precomputation itself impractical.
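The chain mechanism described above is easier to believe once you have watched it run. The block below is an added example (not code from the original post or from RainbowCrack): a miniature rainbow table over a four-letter lowercase password space with SHA-1, built and then used to recover a covered password from its digest, followed by the same lookup against a salted digest, which fails. The reduction function, the chain length, the number of chains and the prime stride used to pick start points are my own choices for illustration, not any real table format.

```python
"""A miniature rainbow table: build, look up, and see why salting defeats it.

Added example, not code from the original post. Everything is scaled down so
it runs in seconds: the password space is four lowercase letters (26^4 =
456,976 candidates), the hash is SHA-1 and the table is 300 chains of 40
steps. The reduction function and chain parameters are illustrative choices,
not those of any real table format.
"""
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN


def H(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def index_to_pw(n):
    """Map an integer in [0, SPACE) to a PW_LEN-letter password."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_pw(digest_hex, step):
    """Reduction R_step: fold a digest back into the password space. Mixing in
    the step index gives each chain position its own reduction, which is what
    makes the table 'rainbow' rather than a plain Hellman table and stops
    chains that collide at different positions from merging."""
    return index_to_pw((int(digest_hex, 16) + step) % SPACE)


def walk(start, steps):
    """Follow a chain `steps` hash/reduce rounds from its start point."""
    pw = start
    for step in range(steps):
        pw = reduce_to_pw(H(pw), step)
    return pw


def build_table(num_chains, chain_len):
    """Precompute chains, storing only endpoint -> start points (the memory
    saving). Chains that merge share an endpoint, so a list of starts is kept."""
    table = {}
    for i in range(num_chains):
        start = index_to_pw((i * 7919) % SPACE)  # arbitrary prime stride spreads the starts out
        table.setdefault(walk(start, chain_len), []).append(start)
    return table


def lookup(table, target_hex, chain_len):
    """Recover the plaintext behind target_hex if some chain covers it, else None."""
    for pos in range(chain_len - 1, -1, -1):
        # Hypothesis: target is the hash of the password at chain position pos.
        pw = reduce_to_pw(target_hex, pos)
        for step in range(pos + 1, chain_len):
            pw = reduce_to_pw(H(pw), step)
        for start in table.get(pw, ()):
            # Endpoint matched: regenerate that chain and look for the preimage.
            cand = start
            for step in range(chain_len):
                if H(cand) == target_hex:
                    return cand
                cand = reduce_to_pw(H(cand), step)
            # Otherwise a false alarm from a merged chain; keep searching.
    return None


CHAIN_LEN = 40
TABLE = build_table(300, CHAIN_LEN)


if __name__ == "__main__":
    pw = walk(index_to_pw(5 * 7919 % SPACE), 10)      # a password the table covers
    print(pw, "->", lookup(TABLE, H(pw), CHAIN_LEN))    # recovered from its digest
    print(lookup(TABLE, H("s4lt" + pw), CHAIN_LEN))     # None: the salt moves it outside the precomputed space
```

With 300 chains of 40 steps the table touches about 12,000 of the 456,976 candidates while storing only 300 entries; a production table scales both numbers up until the space is covered, and the salted lookup keeps failing no matter how large the table grows.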

The Very Cool Tools 

(There are other tools available. However, these are my favorites. I have included the links and descriptions so you can visit the sites, download the tools, explore them and learn.)

Cain and Abel

Cain and Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

The latest version is faster and contains many new features such as APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, by interposing itself as the man in the middle with its own key or certificate, so it only works when the victim accepts that substitution; it contains filters to capture credentials from a wide range of authentication mechanisms. Note that Cain and Abel is no longer actively developed, so treat it as a learning tool rather than one to rely on.

John the Ripper

John the Ripper is a well-known and popular free and open-source password cracker. It supports fifteen different platforms, including Unix, Windows, DOS, BeOS and OpenVMS. You can use it either to identify weak passwords in your own organization or to crack password hashes to break authentication. It performs brute-force (incremental) attacks over all possible passwords built from letters, digits and symbols, and dictionary attacks with a wordlist; its rule engine generates the mangled variants (capitalization, appended digits, substitutions) that make dictionary attacks so effective against real-world passwords.


RainbowCrack

RainbowCrack is a popular password cracking tool built around rainbow tables rather than conventional brute force. It generates the tables itself and then uses them during the attack; because the tables are precomputed, the time spent on the attack itself is greatly reduced, at the cost of disk space and a long one-off generation step.

Various organizations have published precomputed rainbow tables for common hash types (LM, NTLM, MD5, SHA-1) and character sets. To save time, you can download those tables and use them in your attacks. Remember that they are useless against salted hashes.

This tool is still in active development. It is available for both Windows and Linux and supports the latest versions of these platforms.


Aircrack-ng

Aircrack-ng is a complete suite of tools to assess WiFi network security. Aircrack-ng (the ng refers to next generation) focuses on different areas of WiFi security, including monitoring (packet capture and export of data to text files for further processing by third-party tools); attacking (replay attacks, deauthentication, fake access points and others via packet injection); testing (checking WiFi cards and driver capabilities for capture and injection); and cracking (WEP, and WPA-PSK for both WPA and WPA2 by dictionary attack against a captured handshake).

The tools are command line, which allows for heavy scripting. It supports Linux primarily but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

THC Hydra

THC Hydra is often the tool of choice when you need to brute-force a remote authentication service. THC Hydra can perform rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more.

This free-to-use tool allows pen testers, security analysts and others to learn how easy or difficult it would be to gain remote access to a system. It also lets you add new modules to extend its functionality, and via its GitHub page you can participate in the development of THC Hydra. THC Hydra supports Windows, Linux, Solaris, FreeBSD and OS X. Point it only at systems you are authorized to test: it produces a flood of failed logins that any account lockout policy or intrusion detection system will notice.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

InfoSecurity vs. CyberSecurity

Over the past several years, enterprises across all industries have fallen victim to cyber attacks, including theft of sensitive data, disruption of information systems and even damage to critical infrastructure. In reading about these attacks, the Information Security (InfoSec) and Cybersecurity (CyberSec) roles seem to be synonymous. However, although there are similarities, there are also some important distinctions between them.

Information security principally means ‘data security’, and at the core of information security efforts is the CIA triad: Confidentiality, Integrity and Availability. The CIA triad comprises the objectives needed to achieve its sole purpose of safeguarding data from unauthorized access, disclosure, modification, inspection, recording or destruction. Information security covers data in both electronic and paper form.

Cybersecurity is broader and includes information security with respect to the protection of digital data. Additionally, cybersecurity protects the integrity of computing assets belonging to or connecting to a network, with the purpose of defending those assets against all threat actors throughout the entire life cycle of a cyber attack.

In summary, things are never black and white. As cyber attacks become more sophisticated, persistent and destructive, there is a developing interconnectedness and a significant amount of overlap between the two disciplines’ functions and competencies, particularly in understanding what data is most critical and what controls should be put in place to protect it.


Cybersecurity is a shared responsibility. Stop. Think. Connect.