Author Archives: Ashley Nunez

TV5 Monde, Russia and the CyberCaliphate

By Rik Ferguson

Earlier this year, French magazine L’Express published a report linking an attack against TV5 Monde very firmly to the Russian state. The attack, which knocked 11 of its global channels off air for a period of time and resulted in a compromised website and Facebook page, took place back in April.


At the time the attack took place, a group calling itself CyberCaliphate immediately took responsibility for the hack and went on to publish details purportedly of serving French military personnel involved in the struggle against Islamic State or ISIS. The attribution at the time seemed simple and immediate: Islamic extremist-motivated hacktivism.

L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organizations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are not related. Attribution in online crime is complex, more so when there may be nation state involvement.

Trend Micro’s assessment of the current possibilities with reference to the facts as they stand leaves us with three possibilities:

1. We could be looking at two entirely unrelated incidents; a Pawn Storm infestation and a separate hacktivist compromise.

2. Perhaps the Pawn Storm group gave attack-relevant data to a third party, directly or indirectly to Islamic hacktivists. While possible, this would seem highly unlikely as we have seen Pawn Storm actively targeting Chechen separatists and Islamic extremists in the former Yugoslavia.

3. The Pawn Storm group carried out a highly visible website, Facebook and TV network compromise (which would be extremely out of character) and used it as a false flag operation to lay the blame at the door of Islamic extremists.

While the false flag option is not entirely out of the question, it is at least somewhat out of character of previous operations of the Pawn Storm campaign.

My spider senses right now are tingling on option one. TV5 Monde, a media operation, is a target entirely within the remit of the regular Pawn Storm operations, and an infestation of Sednit malware should perhaps not be a surprise at all. The fact that during the time of this Sednit compromise, they were also targeted by Islamic extremist hacktivists, given the contemporary news and political environment in France, is perhaps also not surprising.

Attribution online is always complex. Sometimes though, things can be entirely as they seem.

Rik Ferguson is actively engaged in research into online threats and the underground economy. He also researches the wider implications of new developments in the Information Technology arena and their impact on security both for consumers and in the enterprise, contributing to product development and marketing plans. Recognized as an industry thought leader and analyst, Rik is regularly quoted by the press on issues surrounding information security, cybercrime and technology futures by trade, national and international media.

The Perils of Selling Strategy to Big Companies

By Howard Tullman

The big guys have a knack for stringing little guys along. Here are 5 tips to help you hold your own.

In the “been there, done that” category of mistakes that you should only make once, I would award a place of high honor to the idea that startups should spend their scarce capital and limited resources trying to “earn” their way into the hearts and wallets of big customers by selling strategy as a door opener. By “strategy,” I mean various attempts, presentations, mock-ups, etc. designed to show these big guys the disruptive and scary future, and how your company can help them successfully navigate through the coming tough times for their businesses. These attempts at show-and-tell, which are really just some smart guys showing off, almost never end well for the little guys (that’s you) and worse yet, they deflect your best people and a lot of your focus in the wrong direction.


I realize that there’s an ego component to this stuff and also some bragging rights about who you’re pitching and getting in front of. But egos aside, the bottom line is whether anyone is going to be writing you a check any time soon. The method doesn’t work, the metrics are always muddled at best, and for sure the math is a killer, because you rarely get paid anything for the privilege of spending your time chasing these guys. To be successful, you need to develop, design, and incorporate your strategies and solutions into your own offerings, rather than trying to use them as come-ons and commercials for how well you’ll eventually do for the customers.

And of course the biggest and saddest joke in this formulation is the word “selling” because in 99 cases out of 100, startups aren’t selling anything. They’re really giving away their time, knowledge, and insights for free. You end up spending your precious time educating a bunch of folks who often turn out to be indifferent ingrates at the end of the process and politely tell you that (a) they’ve decided to do it themselves (which we all know that they can’t do, even if they steal your ideas); (b) that they’re going to do it elsewhere; or because of fear, inertia, or ignorance that (c) they’re not going to do it at all. And you and your team are that much worse for the wear.

If that wasn’t bad enough, you’ll also learn quickly from your investors, after a couple of these expensive adventures go nowhere, that they thought they were buying into a product or service business and not a consulting firm. They don’t want explorers and educators; they want executors. They don’t want you strategizing; they want you selling, fully engaged in turning your ideas into invoices. They’re going to tell you that they’d rather see a month of consistent singles and doubles than wait three months hoping for a home run that may never come. As a scrambling startup, you just can’t afford that kind of investment. So forget it. But just in case you can’t resist the temptation, here are a few things to keep in mind to help you avoid a total wipeout.

1. Don’t Get Pushed Around

The biggest bullies in big companies have the least actual power. They can say “no” all day long, but they can’t say “yes,” and they know it. They couldn’t green light a project if their lives depended on it, unless it happened to cost a lot less than a latte. So they spend their time taking their frustrations out on you and tormenting young entrepreneurs who don’t know any better with big empty promises of good things to come down the line. And in the meantime they’re only asking for the sun, moon and stars, all for free because that’s pretty much all they’ve got to spend.

Here’s the straight dope: You don’t have to give away or prove anything to these guys because they don’t matter. Find the folks who can actually sign a check and get in front of them. They’re a lot easier to deal with and they can make a real deal happen. They’re also a lot nicer too, because they don’t have a big chip on their shoulders. And they know that if you want something of real value, you have to pay for it. If you pay peanuts, you get monkeys.

2. Get Profitable First

Too many complimentary pitches and big bunches of brainstorming freebies will mean too little inbound cash flow and that means trouble for any startup. You need to be sure that your sales team isn’t taking the easy way out by selling air and getting paid nothing for it. It’s not a “win” when all the commitments and all the costs are on your side of the table. The real focus needs to be on making sure that you are identifying and signing up paying customers. The size of the individual deals is nowhere near as critical as the cash. Another important bonus is that these deals don’t take as long to launch or as long to complete as many of the bigger ones might.

The truth is that you simply can’t afford to pass up the small fish while you’re waiting for the whales. Big companies are one of the last refuges of the slow “no” and there’s just about nothing worse for a startup than that. A fast rejection is always better than being stroked and strung out by a guy who gets paid to have meetings rather than to make decisions and progress. Once you’re making more money, you can consider whether to roll the dice on some bigger proposals. Don’t be in a hurry.

3. Get a Pilot Project

Once you’re in the room, don’t leave the conversation without something. A trial, a pilot, a prototype: these are all good ways to get the ball rolling, but not for nothing. And equally important you must make sure that there’s a clear and express agreement on just what you’re committing to do and what exactly will constitute success, and the steps to follow afterwards. If the metrics and measurements aren’t properly aligned and apparent, you’re as likely as not to get to the end of the project and have nothing to show for it, because you didn’t get the right rules established at the outset. And don’t think that any agreement is better than no agreement. A bad beginning agreement can set the wrong tone for the whole relationship. And don’t think that only newbies make these kinds of mistakes. YouTube and plenty of celebrities made $300 million worth of these mistakes just a little while ago. So get something, but make sure you know what you’re getting yourself into.

4. Get Paid

If you don’t ask, you don’t get. You know what your stuff is worth, or you should, and you shouldn’t be embarrassed to say that you stopped giving it away for free a while ago. We have all heard the stories about what great reference clients some of these companies will make for your business and these tales are basically BS because everyone in the industry who matters knows that the very same guys make a habit of never paying new companies anything for the chance to test their products or services. They never pick up the check and, after a little while, they start to lose respect for the companies that keep working for free. Just like the patsy in the poker game; if you don’t know who it is after 30 minutes of playing (or too many free trials), it’s you.

5. Get Partners Who Are Already in the Door

There are a lot of big companies scared to death these days of everything digital and under tremendous pressure from their own customers and clients to figure things out in a hurry. This kind of demand would be encouraging except that these companies simply aren’t built for speed, and that’s where the opportunities are being created for clever young companies with the chops and the technology to get these kinds of jobs done quickly, relatively cheaply and, most importantly, quietly. Think of the big guys as today’s Trojan Horses. They’re already inside the walls, they have the relationships that would take you years to build with the biggest brands and players around, and they’re hurting for help. They can make good partners and you can make them look good as long as you’re careful to make sure that your IP and financial interests are protected and that they aren’t selling you the same bill of goods about future fortunes.

Howard A. Tullman is an American serial entrepreneur, venture capitalist, educator, writer, lecturer, and art collector. He currently serves as CEO of 1871 Chicago, Managing Partner of G2T3V, LLC, and the Managing Partner of Chicago High Tech Investment Partners LLC.

2015: The Year of mCrime

By Mark Laich

Cybercrime Goes Mobile Thanks To Insecure Mobile Banking, mCommerce and mWallet Apps

Millions of consumers no longer visit a bank to deposit checks or conduct financial transactions. Instead they rely on the convenience of using their mobile devices to send money, view account balances and bank online.

The same is true for how they spend their money. The shift from brick and mortar to e-commerce to m-commerce is already well underway. Think about it, how many times do you use your smartphone to research a product or purchase one?

Maybe you’re going out to dinner tonight and you’ve already filled your Apple Pay, Google Wallet or other wallet technology with all of your credit card information. Ever wonder if you could be pickpocketed wirelessly? Could an app you trust already be stealing your personally identifiable information (PII)? Sadly, the answer is yes.


Many financial institutions and retailers have launched mobile apps in the past 18 months to respond to demands from their customers who want the convenience of 24-hour, anytime/anywhere banking and shopping. Mobile banking apps help build customer loyalty, and mobile banking transactions are significantly cheaper for banks compared with transactions that require employee interaction.

Mobile retail apps capture consumers’ buying impulse at the moment they occur, and allow for easy comparison-shopping; the potential for finding an item cheaper is a quick tap away. Because more and more banks and retailers are making the investment to develop a mobile app, having one has gone from being a competitive differentiator to a “must have” to compete for consumers’ business.

And once a bank has made that investment, there is a concerted effort to encourage customers to use their mobile banking platform. The same holds true for retail. Amazon and others will do anything to get you to shop online from your smartphone or your tablet.

But the growth of mobile banking and retail apps also means that more people are at risk for identity theft and the hacking of sensitive personal and transaction data by cyber criminals who plan to commit fraud. These apps are used on devices that often aren’t safeguarded from security holes. Most people have between 30 and 75 apps on their mobile device, and of course, when apps are installed on a device, users must grant multiple permissions for accessing a device’s location, SMS capabilities, Wi-Fi, Bluetooth, camera and other device resources.

Some of these resources are used for the apps to do their intended task, but often apps demand resources that can open up a device to security vulnerabilities.  Unfortunately, when consumers install an app on their mobile devices, few of them read all the permissions the app requests to make sure it isn’t asking to use device resources that might be suspicious.

This issue is highlighted by a report from Gartner Inc., the technology research company, which concluded 75 percent of apps in the major app stores fail basic security tests. Gartner defines this as an app using mobile device resources that have nothing to do with the intended function of the app. Rather they can be used to eavesdrop on other apps that are running concurrently to collect data about the consumer. The rationale is that the collected information can be used for data analytics to help with targeted mobile advertising.

However, this has given cyber criminals a rather large attack vector to commit ID fraud by using malware that looks like trustworthy apps to steal PII and financial transaction data from mobile banking apps, or to steal your credit card information from your retail apps that reside on the same mobile device.  This type of malware disguised as “trusted” apps has hundreds of millions of downloads from the major app stores.

Worse yet, this new form of malware is undetected by anti-virus and able to circumvent encryption, biometrics, tokenization, sandboxes and authentication. The result is that using mobile banking apps to conduct transactions is similar to using an ATM to withdraw cash in a dangerous area with criminals lurking around, or handing your credit card to a stranger, in public, who is using the old-fashioned carbon copy credit card imprinter to take your order.

Another popular technique for cyber criminals is spear phishing attacks, which take the form of email and text messages that appear to be from an official source or someone you know, usually garnered via a social networking site. These messages can then install monitoring software covertly on the mobile device. Monitoring software can access most mobile device activity and resources, thereby stealing consumer data just like the malware downloaded from an app store.

Most consumers are unaware of these types of threats, and even when they are aware, they don’t take actions to protect their security and privacy until it is too late. On the other hand, financial institutions carry the liability associated with the fraud that results from data stolen from mobile banking and retail apps. In a U.S. landscape where almost 1 billion PII records have been compromised and there is identity fraud totaling $24.7 billion in losses, according to statistics from and the Department of Justice, greater safeguards are needed to protect consumers’ financial data.

At the same time, it is important not to intrude or detract from consumers’ mobile banking or retail experiences. Financial institutions and retailers can’t solely depend on consumer awareness and training, nor can they make it complicated for consumers to protect themselves.

For better or worse, the modern day consumer has become enamored with using their mobile devices for apps such as social networks, location based services, and games on the same device on which they want to do mobile banking and mobile commerce, thereby compromising their security and privacy. What financial institutions and retailers need is new, innovative security technologies that deliver an optimal balance between protecting consumer data and being unintrusive to consumers’ total mobile device experience.

In this way, their mobile banking and mCommerce apps can operate in a safe and trusted environment even when multiple applications are running concurrently. By working with companies that specialize in these types of new security technologies designed to thwart zero-day threats and malicious eavesdropping apps, financial institutions and retailers will not only protect themselves from liabilities, they will also be successful at convincing more of their customers to use mobile banking and mobile commerce, thereby increasing the ROI of their mobile app investment and their operating efficiency.

Finally, as we look forward to what many believe will be the rapid adoption of mWallets in 2015, you must understand that they are inherently insecure because they operate on already infected devices. It’s time to take a completely radical, proactive approach to securing consumers’ data as the financial, transaction based world shifts onto our smartphones and tablets.

This year marks the beginning of a new wave of enablement, opportunity and mCrime.  Where there is mobile banking, mCommerce and mWallet, there will be mCrime.  Assume it comes in the apps as innocent as that flashlight app you recently installed, because if you don’t, you’ll be left in the dark missing your identity and your wallet.

Mark Laich, VP of Security Solutions, SnoopWall, Inc. joined with a 30-year track record of successful sales in the high-tech industry, generating over a half billion dollars in revenues. His expertise includes successful customer and market development in the mobile, CE, and telecommunications market sectors. He has a long track record of leading successful sales campaigns and developing business at major accounts like Samsung, Microsoft, Philips, Canon, Nikon, Thomson, Cisco, Alcatel, Siemens, and Compaq.
