Microsoft Vulnerability – Never Scramble To Patch Again

On March 2nd, 2021 Microsoft informed the world of a vulnerability in Microsoft Exchange. This vulnerability is active in the wild and has already been exploited by malicious actors from China and beyond. This well documented attack found by the security researchers at Volexity in Reston VA, exploits four different vulnerabilities in Exchange to gain access to emails without authentication.

Fact is, software teams are always under pressure to continuously release new features at breakneck pace. This is driven by the urgent need to keep up with market demands and competitive pressures.

This means that the vulnerability posture of all software continuously deviates with every update and upgrade. Software that at some point was free from vulnerabilities, may be riddled with them after updates. Even if the update includes security patches, the patches themselves along with new features may introduce new vulnerabilities.

So how can you defend against these popup vulnerabilities?

The traditional recommendations have been to implement “defense in depth”  — the layering of multiple security products. However, not only is this model expensive, it also does not address the challenges new exploits introduce. In most cases, it creates complexity that further weakens security.  This is especially true for hybrid infrastructure, where many different tools have to be implemented across offices, clouds, SaaS, data centers and remote users.

So “defense in depth” is not a viable security approach moving forward. It costs a lot of money and burns a lot of resources to actually make security worse. There is more information here: 5 Reasons Security Products Make You Less Secure.

Lots of attention and budget is going to the hip new security model “Detection and Response” (xDR). But what does xDR really buy you? It tells you when something bad has happened and  that you should do something about it — patch all systems, find the compromise and inform customers.

If there was ever a whack-a-mole approach to security, it is xDR. This is often referred to as the “you’re screwed” approach to security. Not particularly proactive, resource efficient or preventative, is it?

The key to prevention is reduction of the attack surface. Today, many applications have to be exposed to the Internet at-large so users can access applications before being authenticated. This is called “Access before Auth”.

Acreto however, uses a very different approach where there is a transparent authentication before users can gain any access to applications. This is called “Auth before Access”.  This approach completely shields the application from exposure to the Internet at-large.

The Acreto approach altogether eliminates the threats and exposures from Internet connected systems. And if authorized users mis-behave, the bad behavior is automatically mitigated.

Limiting access to the attack surface avoids mass exposure. In the case of the Exchange vulnerabilities, it would limit access of the Exchange server to authorized users only, no matter where they are located or what network or networks they operate on.

Reducing your attack surface in this case basically means that the Exchange servers — or any other system, server or application for that matter — will not be exposed on the Internet.

Access is allowed only after authenticating to Acreto and going through a set of controls, as well as ongoing threat and validation checks. This ensures that 1) the user is authorized, 2) the device is authorized, and 3) they never behave maliciously.

This is the default model with Acreto SASE+, where all customer systems benefit from a reduced attack surface — without any special effort, architecture or consideration.

Remote users connect to Acreto, and are transparently authenticated before access to systems,  servers, applications, SaaS, clouds or networks including Exchange or Office365. Acreto protects against Internet or internal attacks, even if the Exchange server or other application is left unpatched.


Get more detail on this best practice approach to reduce your exposure to Internet-born, Ransomware or zero-day attacks.  Contact us at

Top 5 Reasons Security Products Make You Less Secure

So, how can the security technologies we’ve relied on for the last thirty years make you less secure? The answer is simple. Security products were designed to secure offices and data centers of twenty plus years ago. Not today’s distributed hybrid infrastructures.

Today, organizations function beyond offices and data centers to operate in the cloud, on Software-as-a-Service (SaaS) platforms, with third-party vendors and customers, all-the-while using remote and mobile devices. Remote users have become the norm, from the fractional fringe they used to be. And let’s not forget Operationalized Technologies (OT) or Internet-of-Things (IoT) that everyone swears they don’t have, but make up roughly 40% of infrastructures according to Cisco. Examples of OT / IoT are ATMs, smart TVs, surveillance cameras and vending machines.

All of the above technologies collectively are called Hybrid Infrastructure.

Security products produce diminishing value when used for hybrid infrastructure, especially compared to alternatives such as Security-as-a-Utility. Security-as-a-Utility delivers all the functions of security products and more – but without the products. It is cloud-delivered security that works particularly well for hybrid infrastructure and the way organizations work today.

Just connect any component of your hybrid infrastructure to the Security-as-a-Utility and it is immediately protected. This is true for any technology, anywhere in the world, using any network – including the Internet.

Here are some reasons why product-based security is a failed model for how organizations work today.


1. Fragmented Security

Product-based security requires piecemeal tools for each silo of technology. One set of tools for each office, another for each data center, yet other tools for each cloud, SaaS, remote user — and there still aren’t good security options for OT/IoT.

Each security tool has to be selected, purchased, implemented, integrated, operationalized, monitored, updated and upgraded. Meanwhile, each product functions in its own independent dimension, unaware of the functions any other security product performs.

Each silo of technology that needs to be secured requires a different security product. Often these products are from different vendors and perform their security functions in very different ways. The differences in how they perform their security functions translate into security gaps. It is these gaps that malicious people exploit.

Sometimes certain critical security functions are just not available for some components. For example, OT / IoT like ATMs or ITMs are very unique and don’t have the horsepower or accessible resources to run the necessary security functions like threat prevention (preventing exploits and malware).

All of this adds to disjointed and fragmented security, which translates to security gaps, meaning greater risk and compliance challenges.

Security-as-a-Utility delivers a cohesive, fully integrated platform that does not require any of the legwork or logistics that needy security products demand. Security-as-a-Utility delivers uniform and consistent security across all of your technologies.


2. Triple The Cost

So, why does budget make you less secure? Having to pay for different security tools for each office, cloud, SaaS, data center and device is overwhelming. Moreover, all the products need to be implemented, maintained and managed, which means hiring more experts.

Having to pay for many security products and associated experts means that many organizations just can’t afford to buy all of the products and hire all of the experts they need. Hence, along with managing security they will have to manage an unreasonable amount of risk.

Because Security-as-a-Utility is turned on, not built out, it avoids products, implementations and expensive experts. The efficiencies that Security-as-a-Utility offers reduces hard and soft costs by as much as 75%.


3. Access To The Right Talent

Security products need many experts. Experts that are hard to find, expensive to hire and even harder to keep.

Security professionals are also very much like doctors. You won’t want a dentist to do thoracic surgery, nor would you want a thoracic surgeon to do a root canal. There are many different security skill-sets; however, two very distinct skill-sets are a must for effective cyber-security. The Architect and the Analyst.

The Architect designs, implements and performs the appropriate house-keeping to keep the security infrastructure up-and-running. The Analyst is the security operator.

Most organizations spend near 100% of their resources on implementations and house-keeping and little to nothing on security operations. Most mid-tier and smaller organizations just can’t afford a single full-time security resource, much less two distinct teams.

And even if you could afford the right resources, often, by the time they learn enough about your business to be effective, they’re poached away by another desperate organization who is willing to pay a premium.

This means a long list of different hands with varying expertise and philosophies handling your security infrastructure. Worse yet, if you can’t find or afford the needed resources, there are no hands to manage the tools or operate security.

Security-as-a-Utility altogether eliminates the need for hardware, significantly simplifying security. It eliminates the burdens of product house-keeping, opening up budgets for a security operator role or outsourced Managed Security Service Provider (MSSP).


4. Never-Ending Refresh Cycles

Security products have a 3 – 5 year life-cycle, where every few years they have to be completely replaced. This is because products are static and in order to keep up with the constantly evolving technology and threat landscape, wholesale displacement is required.

Security technology updates and upgrades are never-ending. As soon as one technology is upgraded, refresh cycles for another two are due. It’s not uncommon for an organization to be so far behind on technology refreshes, that the replacement products become outdated before they can be implemented. This is referred to as “Shelf-ware” and is very common in the cyber-security industry.

Buy – Install – Replace – Lather – Rinse – Repeat is not viable or sustainable. Security-as-a-Utility never needs updates, upgrades or refreshes – ever.


5. Complexity

Even if you could afford all the products, had the time to manage all the vendors, had access to and could afford to hire and keep all the needed experts, you would still end up with a complex mess. Just think about how many product management interfaces your team would have to contend with.

Each management interface is people driven – and people-driven-processes are security’s greatest weakness. In one bank, just one product had at least three separate management interfaces that required three different levels of experts. All the security products for all the platforms they protect translate to convoluted interconnections and integrations as well as dozens of management interfaces. It is not realistic to expect a team, much less a part-time resource, to effectively manage security for this many technologies and still be effective.

It’s just too complex. And complexity is the enemy of security.

Security-as-a-Utility consolidates all security functions into a single, simple platform – with only one interface to manage security for offices, data centers, remote users, clouds, SaaS, 3rd parties and OT / IoT.



Compute has moved to clouds, SaaS, OT / IoT and remote users, yet the security industry in a large part has not adapted. Thus, if you use a product-based approach to security you are at a distinct disadvantage. This means complexity, higher cost, dependence on hard-to-find expertise, absence of any agility and finally, greater risk and exposure.

The most viable path forward is security delivered as a utility. A single, fully integrated platform to connect and secure all offices, data centers, clouds, SaaS, remote users, mobile devices, OT / IoT under one umbrella. Security delivered as a utility provides better, in fact much better, efficacy, is more agile, costs less and you never, ever have to worry about updates, upgrades or refresh cycles.

Security-as-a-Utility eliminates the hassles and head-aches of security products to give organizations a fighting chance against hackers, malware and ransomware.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform, with one interface, from one provider for all of your technologies around the world.

The VPN Provider Scam



VPN providers are investing significantly in wall-to-wall advertisements with a singular purpose: instill fear.

Their mantra is simple — without us, you won’t have security and privacy. And people are buying into this hype. ExpressVPN, IPVanish, Surfshark, CyberGhost and NordVPN are all touting the same message: Be secure and keep your data private with our VPN Service!

As consumers clamor for security tools simple enough for the masses, the VPN industry has latched onto consumer fear. The VPN industry has even evolved to have dedicated media outlets and research organizations that actively evaluate and rank the providers. The number one metric at the top of the ranking criteria – Security.  

VPN list

The problem is that none of these VPN providers offer any level of security. On average, not only do these providers not offer security, but even the privacy story they push falls apart very quickly.

First, some foundations — security and privacy are mutually exclusive. Privacy is not security and security by its very nature undermines privacy. In fact, privacy and security override and neutralize each other. Security identifies intent and mitigates breaches of integrity. Privacy, on the other hand, is exclusively about data confidentiality even if that data is malicious.

Keeping data private impacts the visibility security requires to determine integrity. Integrity checking often requires visibility for security functions that operate beyond the two communicating end-points. Here are a couple of examples of how security and privacy counter each other:

  1. For some time, New York City Police relied on “Stop and Frisk” as a tool to help improve security. Opponents said that this infringed on the privacy rights of the individuals being searched. Proponents said that the invasion of privacy was necessary to improve security.
  2. Another example is an issue that arose after 9/11. The administration was conducting warrantless wiretapping on American citizens.  The administration was emphatic that without it the country would be at risk, while many were up in arms claiming that this infringed on the American people’s constitutional right to privacy. *Full disclosure, I was the whistleblower that identified and reported to congress the then-current administration’s warrantless wiretapping mechanism.

By default, the VPN providers’ focus on privacy means that security is sacrificed. So they can not claim to offer security while they offer privacy — and vice versa. However, even the privacy capabilities they offer is at best anemic. In reality, their privacy services are limited to anonymity and nothing more.

There is a very important place for anonymity in today’s world for those in oppressed societies such as Iran, Russia, China and North Korea. Anonymity is invaluable for those that are isolated and need to communicate with the outside world. Many believe they are getting security and privacy when using VPNs. However, they are not getting anywhere near the services they were sold on.

After all these years it’s still not clear to me if the cybersecurity industry itself understands the difference between security and privacy, much less clarifying the difference for the market. A persistent and inappropriately placed “S” continues to mislead the market. HTTPS, TLS, SSL and even IPSec are not secure nor are they security. They exclusively provide privacy! The VPN providers have leveraged the cybersecurity industry’s confusion to generate fear and uncertainty that sells a security service that has no security component to it.  This is simply marketing departments-gone-wild deception.

What’s worse is that recently it has come to light that many VPN providers are unable to meet the fundamentals of their privacy commitments either. Several VPN providers, including NordVPN, recently disclosed that their systems were hacked. The details that followed highlighted out-of-control organizations that are at best “winging it”.

Either through carelessness, immaturity or rapid growth many VPN providers lack the processes and controls that are expected of organizations that sell privacy and security capabilities. Many just can’t stand up to even basic scrutiny of their many advertised claims – especially their privacy claims.

In the case of NordVPN, they have had not one but two critical compromises that undermined their service. Though they were hacked in March of 2018, they did not disclose the compromises until late 2019. Nord admitted that they were not aware of the compromises until a few months before their disclosure. They were operating compromised servers for 1.5 years. This clearly highlights that Nord does not have adequate processes and systems to manage their infrastructure.

Here is a breakdown of the two ways Nord was compromised. First, a remote management server used by their vendor who manages some of their servers was compromised. This breach gave the attackers access to the Nord servers used by customers. Second, Nord’s cryptographic keys were found to be on sale in the darknet. These keys could be used to unlock any of their customer’s private communications. These keys go beyond unlocking user confidential information to physically geo-locating them. It is uncertain if the cryptographic keys were stolen as a byproduct of the remote server compromise or as part of a separate incident.

On their part, NordVPN blamed their vendor for the compromise. However, it is unheard of for a provider, especially one who purports to be in security and privacy, to blindly outsource complete control of their systems to third-parties. This defies any logic whatsoever.

Could you imagine if your bank operated this way? For some people, the privacy these VPN providers offer is more valuable than money. In oppressed countries, people bet their lives on the promises that these providers have made. How many times did the secret police smash down a door in the middle of the night to drag somebody’s loved one away, never to be seen again because a VPN provider’s system sat compromised due to neglect? And if you believe that this is a stretch, I remind you of Willy Sutton’s famous words when asked why he robbed banks — “because that’s where the money is.” Where else would an oppressive and militant regime go to uncover dissenters?

The VPN service providers are operating in the Wild-Wild West. Nord is but one of multiple VPN providers that have been compromised – and that’s just what has been disclosed. It would be interesting to see what a thorough examination would uncover. These providers are writing checks that they do not have the technology, nor the competence, to cash. Yet, it does not preclude them from continuing to prey on the fears and concerns of the masses despite knowingly making false promises.

In their continued quest for sales and customers, it is also widely believed that the various VPN providers are waging war on one another in an effort to embarrass and undermine each other. This is very much in the same fashion as another wild-wild west industry of crypto-exchanges and mining entities that were constantly compromising and D/DoSing one another. They did this to make their competitors unavailable so they can steal the business or create reputational damage.

Ultimately, VPN providers are promoting services they just don’t have – Security. And they are overselling the benefits of the limited capability they do have – Anonymity. Along the way, they have shown a lack of the control necessary to ensure the integrity and privacy of their systems, much less their customers. And finally, many VPN providers are engaged in a back-channel civil war to defame one-another at the customers’ expense.

The concept the VPN providers sell gives hope to the people who need and sometimes bet their lives (such as dissidents) on the providers’ false claims. Yet, they unknowingly live under threat because their desperation forces them to believe the misleading marketing.

Following in the footsteps of anti-virus packages, VPNs could have been the next generation of consumer security. Security is complex and most people have a tough time understanding all of the nuanced bits and pieces. Consumers have bought into their concept because they are desperate for the benefits VPN providers are selling. Instead, VPN providers have opted to act like used-car dealers of the cybersecurity industry, pushing fear-mongering, marketing fluff, recklessness and in-fighting that victimizes customers every bit as much as any hacker.


About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at or @acretoio.

Undercutting the IT/OT Collaboration Delusion

Lately, I have seen two common themes whenever IoT security is brought up; 1) complete acceptance that IoTs pose unique security challenges, and 2) how they have an IT/OT collaboration process to address them. Everybody knows what IT is, but as a reminder, OT, or operationalized technologies, are network/Internet-connected technologies whose primary function is not IT related. Think network connected HVAC units, vending machines, elevator control systems, and the like.

I recently attended a Smart Building conference, and one of the stalwart technology companies was making a big deal about the addition of their fourth intelligent building. One of their talking points was how much they have learned from their last three smart building operations. With lessons learned, they continued, this fourth building incorporates an IT and OT collaboration process. This process is intended to ensure that their IoTs do not pose a risk to the organization.

Let’s get real. A people-driven process for cybersecurity has never, ever, ever worked– not even once. Perhaps a few got lucky, but last time I checked, luck is not a reliable component of security.

People-driven processes are what a lot of organizations fall back on when there are no meaningful legitimate security options and an issue is too center-stage to be brushed under the proverbial rug. People-driven processes work for business, not cybersecurity because an inevitable byproduct is exceptions. Managing exceptions in a business model is not only acceptable but a feature that can deliver good results. With cybersecurity, exceptions are a bug and can have a catastrophic impact. Why? Because exceptions add up quickly and require manual intervention. These exceptions can easily overwhelm teams and often wind up unaddressed.

IT/OT collaboration translated to practical terms means that OT needs to get approval from IT for whatever they need to purchase. This interaction results in one of three responses. “We can secure your IoTs right away!”, “We can secure your IoTs, but there’s a backlog and there will be some delay,” or “No, you can’t use this technology.”

Anything other than the first response will result in the user immediately focusing their attention on bypassing IT. So, the collaboration has now turned into a cat and mouse game where the user tries to circumvent IT, and IT tries to implement restrictive controls to prevent being bypassed.

Have we not learned our lesson from the use of Cloud and SaaS in business? The users beat IT and executive management so overwhelmingly that there was no option other than complete and utter surrender.

The learning lesson is, don’t turn your users against you because you will not win. Any delay in facilitating the requirements of OT will result in scorn from the user community. And to further exacerbate the issue, there are far more IoTs that tend to be unique.

So, what’s the answer? The right answer requires re-imagining how we secure. Our current model for security dates back to medieval times. How is the industry standard of securing networks any different than securing a castle with a moat and drawbridge? The right answer needs innovation — and not just innovative technology, but also a whole new innovative model for cybersecurity. This model must accomplish two major tasks:

The first major task is to Simplify Security:

Today’s security tools demand well over 90% of the security team’s attention. Simply put, eliminating security tools eliminates distractions. Buying and stringing together a bunch of different products to fulfill various security functions creates complexity and is overwhelming to any size organization. In fact, security tools should be so simple to use that even quasi-technology people could operate them with ease.

Moreover, what if you had one security across all those technology silos like offices, data centers, clouds, SaaS, mobile devices, and yes, even the IoTs. This single security non-tool will not be network sensitive. It should not matter which type of network technologies use. Eliminating complexity not only improves security but offers agility and cost savings.

Takeaway #1: Implement a common security platform that delivers uniform and consistent security across all technology silos in the form of a security utility.

The second major task is to achieve User Empowerment:

With security simplified, everyone is empowered to self-serve. This puts the power of security in the hands of users. Now users are contributing positively and in the best interest of the company rather than fighting to bypass the security edicts. User empowerment drives much more collaboration than the IT overlord model that has been dubbed “collaboration.”

Takeaway #2: Empower users to self-serve so they are aligned with the best interest of all rather than fighting IT in their own interest. 

Today, more so than innovative technologies, we need a sound, well-thought-out security model. After hundreds of years in practice, we need to retire the medieval model for cybersecurity– especially in areas that depend on people-driven processes. Aside from simply not working, people-driven cybersecurity actually increases workloads and has inherent gaps in the form of exceptions. How can this possibly contribute to better security? Ultimately, there are no well-known cybersecurity technologies or models that can claim to be simple or sustainable. Perhaps the cybersecurity industry just needs to dream bigger or stop playing it unreasonably safe — or both. I am announcing that Acreto is making a play for both simple and sustainable security that empowers people. The above rules are fundamental to the foundation of Acreto’s platform, which is intended to take on and overcome the challenges of generation IoT.

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at or @acretoio.

IT vs. OT – The Cybersecurity Supernova

The universally accepted rule is that the Information Technology (IT) team has the final say on all things technology — right? Not so fast! Every day new technologies are introduced and connected to organizational networks without the permission, or even notification, of the IT team. These same electronic components surround us all, yet they remain hidden in plain sight.

So, what exactly are these miraculously hidden technologies that bypass the IT organization? They are called Internet-of-Things or simply IoT. These IoT devices fall into the Operationalized Technologies (OT) category. They are “tag-along” technologies embedded into tools that aren’t typically selected by, or even involve, the IT team.

One of the many reasons that IoTs are invisible in plain sight is due to the sheer number and broad spectrum of assets that they’re embedded in. Many people do not see IoTs; they see a smart TV, surveillance camera, key card access sensor, vending machine, or HVAC system. However, all of these, and more, are IoT devices. And chances are someone other than the IT team made the decision to connect said device to the organization’s network.

Perhaps the facilities team ordered a new HVAC system, which they may or may not know is Internet-Connected. There could also be an office manager who ordered brand new desks with embedded IoTs, or even the cafeteria manager who selected food and drink vending machines.

Picture this real-life scenario: a financial organization is moving into a new office location. Among the many responsibilities that fall on the office manager, one task happens to be evaluating and selecting the office furniture. After assessing all requirements, the manager evaluates several different desks and finally picks one that’s able to convert from a sitting desk to a standing desk with the push of a button. Six hundred desks are then ordered and delivered on-site.

Some seven months later, the IT team finds out, by chance, that these desks are connected to a remote application and have been delivering ongoing “productivity” data on each user. Apparently, it turns out that the furniture people had asked someone for the WiFi password and connected to the network. The rest is history.

Also, there is the now infamous case where a casino got compromised through a water heater in a fish tank. You see, IoTs have introduced a completely new compute model called “Dependency Compute”. With this model, IoT devices share a common network, but each IoT is connected to a different remote application, and more often than not these applications are owned and controlled by a third-party.

What does this mean exactly?

It means that a third-party now has privileged access to a device on your “protected” network, but that’s not even the worst of it. Imagine all types of devices sharing a common network which offers privileged access to all types of remote applications that are controlled by a variety of third-parties.

This interconnected web creates a scenario that is untenable for security, meaning that the traditional “securing-the-network” model is short-lived. Just calculate the risk stats for a few hundred different IoT technologies that are each connected to a different remote application that you don’t control.

One comment I always hear is: “What’s the big deal – we can segment them!” Well, good luck with that. You’d typically get this response from someone without much practical experience, with a whole lot of wishful thinking, or with an overly simple network. Most organizations can barely keep track of what’s on their network, much less go through a process of adding hundreds of network segments, where each one requires VLANs, netblocks, routing, and ACLs.

It isn’t necessary to impose many complex tasks and processes which can make a whole security team rethink their life choices. A superior approach relies on an entirely new security model that takes “Dependency Compute” into consideration.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at or @acretoio.

Hacking A $Trillion Fund – Why HTTPS is Not Secure

Some years back, a trillion dollar financial fund hired me as an Ethical Hacker to test their security system. They had just spent millions with Cisco to implement a brand new security infrastructure. We started the project and within a day had compromised them 139 different ways. Of the 139 compromises, 138 of them were over HTTPS encrypted connections.

When we reported this to the client, they were miffed. Their director of security asked “How could that be? We just spent millions with Cisco. Their engineers approved the design!” And as soon as he got his bearings, he snapped, “You have to write in your report that there was no data exposed or accessed.”

“No data was taken because we chose not to take any data,” I replied.

Instead, we had successfully planted a flag on their systems. This is a practice used by white hat hackers of installing a file at some deep point on a compromised system to demonstrate privileged access. The ensuing three months involved a ton of back and forth in educating the customer on precisely why we were able to compromise them, and the wording of the final report. However, over that same time they had successfully managed to fix only one of the 139 vulnerabilities — the non-HTTPS exploit.

So, why were we able to compromise them, and how did HTTPS play into this?

Contrary to the implications in its name, Hypertext Transfer Protocol Secure (HTTPS) does not offer security. It is privacy. That means it purely serves to ensure that 1) the communications destined to the application server is validated against DNS, and 2) the communication is encrypted. Because this encryption was between the client and the server, their gateway security tools were bypassed. The only visibility and enforcement their tools could provide was access control allowing network protocol TCP using network port 443 to communicate to the appropriate server. Because of the encryption, their intrusion detection system (IPS) could not look inside the payload to identify the content’s intention — well or mal intended.

We found multiple systems on their network that were accessible externally via HTTPS and then, we had at them. One advantage for the hacker / disadvantage for the company is that HTTPS-based attacks do not need to be tempered. We could be as aggressive as we wanted to be because their security tools had no sense that any of the communications were malicious. Once we identified vulnerabilities, we exploited them and compromised the first system.

Another limitation in their security was that it was a thin hard shell on the outside with a soft gooey mess inside. Because they used gateway security, once we were in, we had access to cross-contaminate everything. And that is precisely what we did, until we gained access to some pretty critical systems.

So, what did the customer learn from this experience?

Well, he was successful in lawyering the report to not look bad, yet not lie. But what you should learn from their experience is that when HTTPS makes a connection private, it makes it private to everyone — including you and your security tools. This applies to communications you originate and communications destined to you.

Today, every SaaS company is in a mad dash to roll out HTTPS. The term they keep using is that it’s “for your security!” And I get pissed off every time I hear this. It is not for your security, it is to ensure that your communication to their systems remains private.  They continue to tout this even though many of these same SaaS companies have learned from the experience to decrypt before a communication hits their threat management tools. This protects them – but not their users.

For the user of these applications, the HTTPS communications initiated outbound to third-party sites are significantly harder to protect. The result is that any site that uses HTTPS can behave maliciously toward the user, and it is very difficult for the user to identify and mitigate the attack. Yes, perhaps we could learn to trust some companies, but would you trust Google, or worst yet, Facebook? Would you trust some small unknown arbitrary site you may find yourself on?

A monster security hole.

Considering that over 60% of all Internet communications are encrypted, an investment in robust security tools without an effective means of decrypting all the HTTPS connections in and out of your network leaves a monster security hole.

The tunnel-visioned focus on preventing man-in-the-middle attacks has created a much greater security challenge for many organizations.

In another instance, at an IoT event, I asked the CTO of a IoT system integrator who builds large-scale “smart city” platforms, how he secures his technologies. His response: “We use HTTPS.” I waited for the rest, but it never came. This issue is not clearly understood even by technology, even some security, professionals.

As an industry we have done a piss-poor job of building clear and concise awareness that security is not any one of six things, but a harmonious combination of control, threat management, identity and yes, privacy. So the next time someone tells you they use HTTPS for security, nudge them to this article before they commit security suicide.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at or @acretoio.

Russian Hacker Caught and Convicted: From US With Love

A little while ago, a client called me in to do a security operations ‘best practices’ education session. They were a dot com site that had recently spun off from one of the major financials. They had not yet laid down their sec ops roots and were still engaged in establishing the fundamentals. They wanted an informal education session to get the entire team on the same page.

Their conference room was packed with their security team as well as several people from their operations center, which I had requested. In many instances, the ops team is on the front line and often identifies and conducts the initial steps in handling security incidents.

At some point during the session, I started to talk about scammers. One trick that malicious people use is to acquire domain names that are similar to the site they are targeting. Since the client was a financial and their site contained personal information for hundreds of thousands of consumers, and was an attractive target. I first recommended they acquire or actively monitor all sound-alike and similar domains. For example, if their domain name is, they should acquire or monitor and

Second, I recommended that all permutations of domains that could be mis-typed by users should be acquired or monitored as well; specifically, any combination of surrounding characters on the keyboard for each letter that makes up their domain name. For example, if their domain name is, they should monitor domains where the ‘A’ in is replaced with S, X, Z, W, and Q. If a company wanted to take it a step further, they would cover the immediate two surrounding characters on the keyboard as well. Should users mistype, which they often do, they should not be directed to a look-alike site that they would innocently offer their credentials.

Third, I suggested that the plural version of the words included in their domain name should be acquired and monitored. As I was making this third point, I typed in the plural of their domain name – and their site showed up. I thought I had made a typo, that through muscle memory I had entered in their correct domain name. I double checked, and I had typed exactly what I intended to type – the incorrect, plural variant.

I was impressed. I thought to myself that they were ahead of me and had already acquired the plural domain and redirected it to their site. “Smart! You guys already got this?” I said to the group. I looked around the room and saw confused expressions all around. Finally, someone said, “I don’t think that we did – I’m pretty sure we didn’t.”

After a Dig on the Fully Qualified Domain Name (FQDN) and an MTR (a better traceroute) it became clear that the site was not theirs. It looked exactly like their site including the login page. However, it was not using their IP block nor any of their ISPs. It traced back to Las Vegas, Nevada.

Needless to say, the training session abruptly ended and became a real-life incident response. The organization’s executives, their general counsel, all security team members, and all IT managers and above joined an emergency meeting in the conference room. Anyone not on-site joined via conference bridge.

During the meeting, their sharp help-desk manager offered that he had seen an increase in the number of calls for password reset requests in the past two weeks. We started connecting the dots.

We came away from the meeting with several action items:

  • We needed to determine if there was a compromise, and if so, how many users it impacted and its duration.
  • The help-desk team set out to cross correlate password reset support calls and the date/time of failed authentication logins in their logs.
  • They would identify any users who called for a password reset whom had no corresponding failed login attempts in the logs. There was roughly a dozen dating back only two weeks.
  • The help-desk team contacted these users and established completely new identities for them.
  • My team was to implement an emergency infrastructure should the malicious person attempt to use the stolen identities.
  • I reached out to my contacts in the FBI cyber-crime team and reported the issue, and Agent Brown from the New York cybercrimes team was assigned to our case.
  • We contacted a law firm with experience in cyber crimes along with the organization’s retained counsel.
  • The legal team started to outline a notice as was required by compliance in preparation, should notifications be necessary.


After this, my team members and I set out to execute on a plan to identify and catch the person.

First, a honeypot. The compromised user credentials correlated by the helpdesk were redirected to a training system that looked and functioned just like their application, but contained dummy data. With this in place, the risk that any (more?) data theft, manipulation or deletion was mitigated.

Then, we implemented a high performance packet capture system using a powerful server, hardware offloading network interface and several open-source tools to collect all communications from the malicious person/people. We made sure that the packet capture system was implemented and processed with proper evidentiary chain of custody standards.

Finally, we configured the units to send us text messages as soon as any of the compromised accounts were accessed.

We were finally ready to track the malicious people.

In less than forty-eight hours we architected, acquired the highly specialized equipment required, and configured and tested the infrastructure. I then set out to document everything, including the operations runbook for these new systems, which included evidentiary chain of custody handling of any evidence collected.

I personally spent near seventy-two hours straight at the customer’s data center hopped up on adrenaline and coffee. It’s rare to catch hackers and scammers, and I felt strongly that we had a good chance of doing so in this case.

In the meantime, the FBI requested and received a subpoena for the IP address of the server as well as the domain name registrar. Fortunately, the ISP provided the physical address associated with the identified IP address quickly.

Agent Brown called the FBI field office in Nevada and requested agents drive by and visualize the address location. A few hours later we received information that the address was actually a car dealership. The FBI agents in Nevada managed to trace the ISP connection to the basement of the dealership. When they inquired about the Internet connection, the dealership informed them that the basement was rented to another party who was hardly ever there.

Technically, the malicious people had not done anything substantially criminal. So between the customer, the FBI and my team we decided to hang back and wait for the malicious people to attempt access to the customer system, and more importantly, to download personal identity information. There was no risk to any of the site users since the data the malicious people would access was made up training data.

We didn’t have to wait long. At 3:00am early morning the following day my phone started buzzing with alerts. I quickly logged on to see what had transpired. Jackpot! The malicious people had logged on under three different accounts and had systematically accessed multiple identifies before generating a report that can only be identified as an identity theft starter kit.

A quick check showed a Canadian IP address as the source. Every packet of the communications was collected and logged. We had all that was required to completely recreate and replay the malicious people’s entire effort.

The session was short. It had only lasted 15 minutes. But it was all that was necessary. There were no other attempts that day.

Early the following morning, we contacted Agent Brown and the cybercrime task force supervisor and arranged for collection of the evidence. During the call we also determined our next course of action.

The FBI could have reached out to the Canadian authorities, but thought it best to try to lure the person to the US.

The plan was that the FBI would get a court order to confiscate the computer in Las Vegas. If they spotted cameras they would simply disconnect the Internet connection at the Network Terminal outside the building.

And then – the FBI surprised us. They had a person of interest in the case. They did not share many details about how they found this person of interest. Our best guess is that the person had been on the FBI’s radar, and had somehow been associated with the stolen identity which was used to fraudulently pay for the acquired domain name and the Las Vegas basement housing the computer.

If all was to go as planned, the malicious person would think there is a technical issue and come to fix it.

Later that morning the FBI Agent Brown came to our offices and we held an evidence hand-off ceremony. The next day we noticed that the scam site had gone down. Now there was not much else for us to do but wait.

All was quiet for a while and life started to resume normalcy. Two weeks later we got word that there had been an arrest!

It was a Russian whom a few days after the site had gone down had flown to Canada and from Canada to Las Vegas. He was arrested at the airport port of entry. Apparently, when presented with the evidence he made a plea bargain and soon after plead guilty at the hearing.

The team’s dedication, professionalism and expertise drove this incident’s success. Both the customer and my team operated flawlessly together, and the FBI came through in a big way. At a time when hackers attack indiscriminately, it felt great to catch one and snag a win for the good guys.


About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.