Loose Tweets Destroy Fleets – a lesson for professionals and personal safety

The US military learned the hard way how destructive a social media slip-up can be. In 2007, four AH-64 Apache helicopters were destroyed in Iraq after US soldiers uploaded photos to social media. The photos’ geotags showed insurgents exactly where to strike, according to an Army press release quoted on Defense Tech.

The warning is “a reminder that OPSEC [operations security, military speak for the protection of mission-critical information] must remain in the forefront of actions,” Osburn.

Source: Loose Tweets Destroy Fleets | Motherboard

As mentioned in How Not To Be Hacked, for personal and professional safety, just as with safeguarding those in harm’s way, sharing location data and information loosely in public can be very harmful to everyone. To protect yourself:

  1. Never post geotagged photos when traveling alone
  2. Use Groups to share updates about travel to prevent accidental sharing with the public

Businesses need to look beyond personal safety (still, obviously, important) and consider references to projects and activities in the market:

  1. Never mention both the client and the type of work (one or the other, never both)
  2. Take care with photos: watch for geotags, and do not include prototypes or passcodes in the background

So much more can be said here, but focus on incremental improvements and limit the threat to yourself, your family, and your business.



Welcome to The Internet of Compromised Things – How not to be hacked, routers


A good write-up by Jeff addresses a problem that has existed for several years, but has only recently started to turn malicious. A few hackers demonstrated how the software running common internet modems and routers was vulnerable to attack. A few good-minded souls even wrote code to scan the internet, find them, and exploit them to install the update.

Of course, there were those who used those same routers to mine for crypto-currency and others who created attack bot networks. The article highlights how these unprotected devices are hacked and allow for anyone passing traffic through them to be infected with malware on their machine.

A good article with rather excellent tips for mitigation at the end. Very much in line with several tips I drafted for How Not To Be Hacked, the book, and some tips that didn’t make it due to complexity. If you only skim it … be sure to make it to the end where the tips are listed!!!

For security professionals, Jeff raised one point that I thought was a challenge to our industry, and I have highlighted it below:

Buy a new, quality router. You don’t want a router that’s years old and hasn’t been updated. But on the other hand you also don’t want something too new that hasn’t been vetted for firmware and/or security issues

via Welcome to The Internet of Compromised Things.

How ridiculous our world is sometimes … buy a new router, but not too new … but also not too old. HAH… That fails the How Not To Be Hacked “Can you explain it to your grandma” test (something I learned in the Head Game). It is valid though … and reflects the challenge of security professionals.

Good write-up,



Blackmail .. espionage .. emotional responses» Ashley Madison Leak Reveals Thousands of Government Email Addresses

The Ashley Madison breach is highly publicized because of the type of site … and who doesn’t love a good juicy story with their morning cup of joe. From a cybersecurity advisor point of view I fear this breach will have a higher success rate of follow-up attacks. Here is some of the intelligence shared with peers and clients:

  • The named names (which may have just been tossed in there by pranksters) will be subject to a strong amount of email and social media attacks given the exposed personal data
  • Individuals listed will do anything to clean up the mess, and will honestly click on just about anything at this moment that claims to clear their name or offers details about their being listed
  • All of these “media” reports and exposures, with people being called out on Twitter, in blogs, and more, will only make it easier to hide malicious links within the fray

This goes beyond wanting those who go against your moral code and lands squarely in the hands of those who are tasked with protecting our lives and freedom. Immediate advice:

  1. Be careful with this information
  2. Do not click on any links claiming to save your information, and
  3. Recognize that others will try to leverage these details against you … be armed, please!

While I didn’t consider this scenario in the book, How Not To Be Hacked, the last chapters speak on how to lock down your identity and recover from such an exposure, and I couldn’t recommend it more strongly today.

More than 15,000 emails revealed by the leak are hosted on US government and military servers, as well as numerous emails associated with individuals who work for the British government.

Controversial blogger Andrew Auernheimer has been busy naming names of powerful people exposed by the leak, including individuals from Naval Intelligence, the TSA, and the Attorney General’s office.

via Ashley Madison Leak Reveals Thousands of Government Email Addresses, Alex Jones’ Infowars.

Paranoia Made Me a Better Computer User, at Defcon – a reporter’s perspective


Having awareness of fraud, scams, and mischief is generally enough to raise the bar of safety for all consumers of technology. Certainly there are attacks and actions that criminals can take against technology that an end consumer has little protection against, but this is the proverbial “higher hanging fruit”. These days all the hacks, breaches, and news headlines are basically the low hanging fruit – common error, poor development practices, and misconfiguration. Imagine the effort criminals will need in order to succeed once the consumer is armed.

An entertaining and honest article on Gizmodo (honest for all the feelings he shares, and if you have ever been in a hostile environment, you’ll be able to relate) on a reporter touring the best hacker convention in the world – DefCon.

He takes most things in stride until…

The hacked elevator bothered me quite a bit actually

Preparation had made the idea of having the phone and computer hacked not just reasonable, but expected … the concept of hacking a physical machine, like an elevator, was not. Hacked cars don’t provoke the same paranoia, though I bet if you were in that car when it was electronically shut down … the trapped feeling of an elevator would translate to the car quite easily.

There is a good takeaway in the article and I wanted to highlight it below … check out the top “hacks” of this reporter to really understand the challenge of being in such environments:

the weird glitches that had defined my day at DEF CON — the fake wifi network, the iPhone error, the weird TV channels, the scary elevator, the garbled headphones — weren’t as bizarre and terrifying as they’d seemed.

In fact, on any other day and in any other place, I’d take the glitches in stride. I’ve joined fake wifi networks before. My iPhone does weird stuff pretty often. Hotel TV is weird in general. All elevators are scary. And Bluetooth sucks on most headphones.

A realization flooded over me in the hot Las Vegas night. Despite my mounting paranoia and in spite of my own faults, I probably hadn’t been hacked at all. If anything I was a little bit safer at DEF CON, because I was paying closer attention to my security. Much more so than in my daily life in New York City, I was aware that I could be hacked at any moment at DEF CON. At that moment I saw these wily hackers as optimists, knights in nerd armor who believe that we can be safer — if only we truly understand the dangers out there, inside our machines. They’re the ones paying attention when you’re not.

via Paranoia Made Me a Better Computer User, Gizmodo

Good luck out there!


U.S. Identifies Insider Trading Ring With Ukraine Hackers – Bloomberg Business

Good reporting on Bloomberg about a criminal enterprise that had hackers break into the news wire services and then share those details for trading ahead of their release. See the links below for the full details, but I want to highlight two areas of prevention that could/should have mitigated/prevented/discovered this attack:

  1. Mandatory system refreshes within the environment – It is very common these days for end-user and server support systems to be refreshed periodically (I see in some organizations end-user systems are refreshed annually up to 3 years and server support systems refreshed as frequently as every 15 minutes up to a year). For the attackers to have remained so entrenched in such a cycle, there would have had to be other ‘tells’ that the environment was compromised.
  2. Vendor / Third party security requirements – If you are a business and rely upon a third party, you must establish and ensure sufficient security practices are in place. If you do business with Amazon Web Services you can dive into tremendous detail on what they are doing to protect you, and what your duty is. For providers, such as news wires, the same vigilance and attention is required. This is not simple, and it is work to get this level of detail. If you are entrusting them with your sensitive information, though, it must be worth it.

There are many other actions that could be taken and I’d love to grab a coffee with friends to discuss … but in the meantime, check out the highlighted quote below and article:

Ukraine hackers…allegedly infiltrated the computer servers of PRNewswire Association LLC, Marketwired and Business Wire, a unit of Warren Buffett’s Berkshire Hathaway Inc.

Over several years, they siphoned 150,000 press releases including corporate data on earnings that could be used to anticipate stock market moves and make profitable trades. The hackers passed the information to their associates in the U.S., who allegedly used it to buy and sell shares of dozens of companies, including Panera Bread Co., Boeing Co., Hewlett-Packard Co., Caterpillar Inc. and Oracle Corp., through their retail brokerage accounts.

via U.S. Identifies Insider Trading Ring With Ukraine Hackers – Bloomberg Business.

GPS implementation flaw allows hackers to “intercept, spoof, or jam”

Interesting article about how GPS has been applied as a communication mechanism beyond transport, for monitoring and management of SCADA and of regions without internet connectivity. The researchers highlight that integrators have not deployed any kind of security that would prevent creative attackers from manipulating the data flows:

the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites, and ground stations, nor does it require the communication be authenticated so that only legitimate data gets sent. As a result, someone can intercept the communication, spoof it or jam it.

“The integrity of the whole system is relying on a hacker not being able to clone or tamper with a device,” says Moore. “The way Globalstar engineered the platform leaves security up to the end integrator, and so far, no one has implemented security.”

via This security flaw allows hackers to “intercept, spoof, or jam” GPS tracking communication.

Given the amount of unsecured communication platforms from Drones to IoT, this problem is probably easily repeated across a broad number of consumer and commercial situations.
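
What integrator-level authentication could look like for a one-way tracker uplink, as an added example that is not from the article or from Globalstar: each report carries a per-device counter and a truncated HMAC, so the back end rejects spoofed, altered and replayed frames. The frame layout, tag length, class and function names are assumptions made for illustration; this addresses spoofing only, not interception or jamming.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8          # truncated HMAC-SHA256 tag (assumed size for a small uplink)
HEADER = ">IQ"       # hypothetical framing: 32-bit device id, 64-bit counter
HEADER_LEN = struct.calcsize(HEADER)

def seal(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: frame = header || payload || tag over header and payload."""
    header = struct.pack(HEADER, device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class GroundStation:
    """Back-end side: verifies the tag and rejects replayed counters."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device id -> per-device secret key
        self.last_counter = {}           # device id -> highest counter accepted

    def accept(self, frame: bytes):
        """Return (payload, None) if genuine, else (None, reason)."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None, "too short"
        header, payload, tag = (frame[:HEADER_LEN],
                                frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:])
        device_id, counter = struct.unpack(HEADER, header)
        key = self.device_keys.get(device_id)
        if key is None:
            return None, "unknown device"
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        if counter <= self.last_counter.get(device_id, -1):
            return None, "replayed counter"
        self.last_counter[device_id] = counter
        return payload, None

if __name__ == "__main__":
    key = bytes(range(32))                          # constructed demo key
    station = GroundStation({7: key})
    frame = seal(key, 7, 1, b"lat=10.0,lon=20.0")   # constructed position report
    print(station.accept(frame))                    # genuine frame
    print(station.accept(frame))                    # same frame again: replay
    print(station.accept(frame[:-1] + bytes([frame[-1] ^ 1])))  # altered tag
```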



Author of How Not To Be Hacked

How Not To Be Hacked: The Definitive Guide for Regular People | RSA Conference

Live review



Ben Rothke, author of Computer Security: 20 Things Every Employee Should Know and a valuable contributor to the information security profession through sharing of research on Security Reading Room, reviewed How Not To Be Hacked today. As in any moment when a person you respect reviews your work, I was struck with emotional anxiety and excitement when I saw the notification of the review. Ben’s review was honest, accurate, and I thought extremely helpful to anyone trying to uncover answers that will help their friends/family who do not hold 5+ certifications navigate the online world safely!

A snippet from his full review at RSA Conference Blog:

In How Not To Be Hacked: The Definitive Guide for Regular People, author James DeLuccia has written an extremely useful guide that offers 63 valuable tips on how and what users can do to avoid being hacked.

When the author says the book is written for regular people, he means those folks who don’t know a device driver from a digital certificate. The book is written with no techno-babble or jargon, which makes it an enjoyable read for the novice.

Posted again at How Not To Be Hacked: The Definitive Guide for Regular People | RSA Conference.

Thank you to Ben for taking the time to share his thoughts on the book!

Humbled and thankful,

James DeLuccia