Saturday, October 22, 2016

Sécurité - Sécurité - Sécurité

Sécurité is a safety signal used as a preface to announce a navigation safety message. It could be an approaching storm, a navigation light failure, a submerged log in a harbor entrance or military gunnery practice in the area. 

There's a digital transformation underway in the shipping industry, just as there has been in many others, as the internet continues to connect industries and people who've performed even the most manual of jobs and functions.
The principal aim is to integrate all the shipbuilding functions “so they work in harmony and are properly aligned to build complex vessels”, Tim Nichols, marine division marketing director for Siemens’ PLM software, told a round table in Hamburg.
Yesterday we witnessed a global outage resulting from a distributed denial of service attack, apparently targeting Dyn, a Manchester, NH based DNS provider.  The attacks lasted roughly eleven hours and denied popular websites like Spotify, Twitter and others the name resolution needed to convert their names to their actual IP addresses. For the uninitiated reading my blog, DNS is the Internet's telephone book.  Just as "Wapack Labs" maps to 603-606-1246 in a phone book, DNS translates a name into its actual numeric IP address. It allows your computer to remember the speed dial name instead of the actual number.

So why am I talking about maritime at the same time as the massive DDoS attack of yesterday? 

Because just this week, we published a report on a Maritime Internet Service Provider that allowed thousands of shipboard border IP addresses to be resolved outside of their network.  Over the course of the last two years, we've reported on key loggers and bad guys logging into vessel traffic systems, embedded and integration points, terminal operations, security systems, logistics, and shipboard connections. And about six months ago, a maritime CISO reported to us that satellite communications had undergone a denial of service, rendering ship-to-shore communications useless. The result? Ships couldn't talk to the ports --they were kept at sea.  While many of us would say "who cares?" --if a ship runs out of fuel it becomes a navigation hazard. Onboard medical issues, ordering of supplies, delivery of supplies, all become tricky, but as importantly, when a ship leaves Port A for Port B, its cargo might be bought and sold several times. In this case, because the ships kept at sea contained cargoes like crude oil, there was a very real chance that hackers were manipulating markets --yes, far-fetched, but you just can't make this stuff up.

As well, Wapack Labs has been collecting key logger outputs from roughly 1250 caches of malware outputs. When a user logs onto their email, the key logger captures the user name/password pair, and then sends images of the clipboard to the external repository. We've performed hundreds of thousands of victim notifications from this data, and made it searchable for free through our API.

Here's why I'm concerned.  Massive attacks like yesterday's are going to become commonplace. This will become the new normal as the Internet of Things puts autonomous internet-enabled dumb tools in the hands of hackers as new weapons.  On land, we simply wait it out.  Neither Spotify nor Twitter is mission critical, but what if I told you that industrial controls, GPS (navigation at sea), fuel monitoring, and new ships carrying highly dangerous cargoes like liquefied natural gas and crude are FILLED with these same devices that are creating opportunities for massive attacks like the one we witnessed yesterday?

The picture shown above is a vessel tracking system, taken just moments ago (9:15 Saturday morning).  The VTS shows the ports and maritime traffic in southern New England --Connecticut, Cape Cod and the Islands --and even with the crap weather going on in New England right now, you can see there's a TON of maritime traffic. This view is essentially the air traffic control system of the sea.  Imagine you're the master of one of these at-sea vessels and you lose confidence in your VTS's ability to show you where other ships are. Or you're running dry and adrift. Or losing navigation, pumps or communication.

Yesterday's demonstration was just that folks... a demonstration. When this hits the maritime, air, train, and trucking industries, which are relying more and more on automation via the internet, outages that today only take down non-mission-critical internet sites like Spotify and Twitter will quickly become safety-at-sea, safety-in-the-air, and safety-on-the-road issues. You heard it here first folks. The sky isn't falling just yet, but unless we get a handle on the need to balance security with interconnectedness, you'd better get ready.  As we see more and more autonomous vehicles --cars, ships, airplanes, etc., this scares the hell out of me. This internet was never meant to be secure, and there aren't enough layers of security that can be bolted onto one of these maritime systems to make them safe --or the people who man them. 


Preparing to head off to the FS-ISAC Summit tomorrow. Nashville here I come. Next week, it's the National Defense Transportation Association where I'll be speaking and sitting on a panel on --you guessed it, the intersection of cyber and physical in the maritime and logistics space. 

I look forward to seeing many of you! 

So until next time,
Have a great weekend!

Saturday, October 15, 2016

A Stutzman Public Service Announcement - Skin Cancer

Yesterday I had to fly home to have short notice surgery.

In January I noticed what looked like a black pin prick mark on my left shoulder.   By March it'd grown slightly to maybe the size of a ball point pen mark. Over vacation this year, I noticed that it'd grown into what looked like a small misshapen kidney bean.

I'd been to my Primary Care Provider (an awesome Nurse Practitioner) in March; I use the VA in Manchester, NH. She told me she didn't think it would be anything to worry about but if it changed, she'd refer me to dermatology.  At the end of August, I requested that referral.  I'd made an appointment for September.  For whatever reason, that appointment changed to the first week in October.

I underwent a biopsy --the doc numbs the site and within two minutes, the entire procedure is over --and a sample of the black skin from my left shoulder was headed for the lab.

Exactly one week later, while sitting in my office in NH, I received the call -Malignant, and Melanoma... skin cancer... the most aggressive kind.

On Thursday, while on-boarding a new engineer,  I received another call. "We have a surgeon with a cancellation.  We'd like to get you in to perform the extrusion." So I booked SWA to Manchester, headed to the VA, and had the thing removed.

The entire procedure took about an hour, but the melanoma was roughly 6 cm long, shaped like a kidney bean, and fortunately for me, had not yet grown deep enough to pass through the skin. I'd caught it early.  I thought for sure I'd be in and out in 15 minutes... I'd booked a return flight only three hours later.

I thought I was going to end up losing a 'quarter sized' piece of flesh. What I really lost was about five inches long, two inches wide, and about 3/4 of an inch deep --a 5" canoe shaped hunk of meat was taken from my shoulder.  I asked the doc --"when my daughter asks me how many stitches, what do I tell her?" He responded, way too many to count. The incision was deep.  Four layers of 24+ stitches were used to sew me up, before the green caterpillar of thread on the surface.

At this point, the doc says the pathology results will be back in about 10 days, but he fully expects that we caught it early enough, and he's fairly certain it's all gone ...but had I waited, even another month, and it grew through the skin, I'd have been really screwed.

So I'm sitting in my MD apartment with bandages covering a sewn-up 5" straight line incision, not yet writhing in pain but expecting it to come as the pain meds fully wear off.

Here's the deal... I grew up working on a farm down the road, baling hay and mowing lawns in the summer. I NEVER had a shirt on. I tan quickly, and it's these color-generating cells that like to turn into cancer.  My upper body is covered with spots, but I happened to see this one in the mirror one morning while shaving.

I'm ok now, and didn't write this for sympathy. There are many others who can't simply have a small steak cut out of their skin and move on.  I'm writing this to let you know that for every time you've thought to yourself "I'll never get skin cancer", well,  I had that same thought many times too, until this year when I wore a shirt in the pool on vacation and my friend Chris reminded me that I had health insurance and should make it a point to get checked.

So do me a favor. Spend a few extra minutes in front of the mirror. If you see anything strange, don't screw around. Get checked. If you don't know what it might look like, have a look at Google Images.

As an aside, my VA surgeon went to medical school at Dartmouth and then worked surgery --oncology at Michigan.  If you think you can't get smart docs at the VA, come to Manchester.  These guys are smart, polite, and professional.

OK folks..  I knew you were expecting the Stutzman wit, but I'm hanging out today resting, healing. And I know you hear it a lot, but GET CHECKED.

Stutzman wit again next week ;)

Until then, have a great weekend.

Saturday, October 08, 2016

Wapack Labs, VAMC, Southern NH University and Digimind Re-Train Returning Veterans

Press Release - New Boston, New Hampshire, October 10, 2016 - Wapack Labs, Digimind, Southern New Hampshire University and the Veterans Administration Medical Center (VAMC) in Manchester, NH team up to turn returning veterans into qualified cyber professionals.

There are roughly 290,000 currently advertised information security jobs today and while the number of training programs is growing, Wapack Labs believes that not everyone needs a four-year degree to fill the void. So we offer paid internships through Manchester’s VAMC Occupational Therapy office for honorably discharged or medically retired returning veterans, and experiential learning internships for Southern NH University veteran students. We begin their program by teaching them to use Digimind social media tools to spot physical threats in cyberspace.  The vets are taught to be cyber analysts through a series of increasingly more complex cyber skills reinforced through work. The entire program takes approximately a year.

When the veteran interns meet Cyber Analyst requirements, Wapack Labs has several Fortune 500 companies and government organizations who have agreed to interview them for available positions.  Veteran interns used Digimind tools to support the Cleveland Police Department’s efforts before and during the Republican National Convention, and major sponsors onsite at the Rio Olympics, and the team, “Team Jeagar,” has authored roughly 150 intelligence reports since inception in May.

Wapack Labs is using Digimind’s services to train cyber analysts with real time sourced data. 

Jeff Stutzman, CEO and a U.S. Navy and Coast Guard veteran stated, “At Wapack Labs, we are proud to help these guys learn cyber skills that will place them in an ever growing industry. The majority of our employees are US Military veterans and National Guard members.  We feel it is of the utmost importance to help our veterans.”

"Digimind is proud to be a part of this effort by Wapack Labs to train and employ veterans. Beyond the clear benefit to the veterans as individuals, the fact that this software is being used to keep citizens of multiple countries more secure is an additional boon. Digimind hopes to continue to partner with Wapack Labs, contribute to this program, and be a part of similar programs in the future." said Paul Vivant, CEO of Digimind.

The common sense approach and wide array of metrics regarding social media collection offered by Digimind has proven very valuable to Wapack Labs’ collection mission. Digimind was instrumental in Wapack Labs’ support of law enforcement collection efforts during the 2016 Republican National Convention in Cleveland OH.  Following the RNC, Digimind services were used in a collection program in support of the 2016 Summer Olympics in Rio de Janeiro, Brazil.  Training new analysts using Digimind’s “Influencer” metrics has helped Wapack Labs’ interns identify social media individuals in active support of event security planning and with targeting potential bad actors and their attacks against Wapack Labs clients.

About Wapack Labs: Wapack Labs, located in New Boston, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs' engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs' information reporting to the cyber-security teams of its customers and industry partners located around the world.

About Digimind: Digimind is the global social media monitoring and competitive intelligence company that provides businesses with unrivaled insights into their true standing in the market. Digimind's proven intelligence technology has provided Fortune 500 brands around the world with critical information for their business for more than 17 years. Profitable since its founding, Digimind has a 92 percent customer retention rate and serves its clients out of its offices in North America, Europe, Asia and Africa. For more information, please visit Digimind at

For questions or comments regarding this news release, please contact Jim McKee, CFO at 314-422-8185 or 


Wonder why we do this? VA Occupational Transition assistance is an amazing service. These guys really bend over backwards to help our vets. They are awesome!  However, they can only provide work in positions not related in any way to patient care --the vets are patients. What's that leave?  Food service, facilities, landscaping, etc.  Great jobs?  No, but for those who need it, it's something. And while some may enjoy food service, others have other interests.

I want to train the next generation of cyber professionals.... So we figured, let's take them on ourselves... these guys know a threat when they see it, know how to write (for the most part), are eager to learn, and have our work ethic. And honestly, I can be a bit of an HR nightmare.. these guys don't flinch at some of my salty language. 

We take as many as we can... we have three from the VA with one more coming, and four of them on internship from Southern NH University (the vets get three college credits toward their degree for working with us).  We take on as many as we can afford. 

Below is one job description for a returning vet who needs Occupational Transition assistance... I think we can do better.

1. SCOPE AND OBJECTIVES:   TSES will perform the following duties including, but not limited to: 


  • Clean and sanitize work areas, equipment, utensils, dishes, or silverware
  • Store food in designated containers and storage areas to prevent spoilage.
  • Prepare a variety of foods, such as meats, vegetables, or desserts, according to customers’ orders or supervisors’ instructions, following approved procedures.
  • Take and record temperature of food and food storage areas, such as refrigerators and freezers.
  • Wash, peel, and cut various foods, such as fruits and vegetables, to prepare for cooking or serving.
  • Attend staff and training sessions as appropriate.

Work Context:

  • Spend Time Standing: 97%
  • Contact with Others: 66%
  • Physical Proximity: 67% 
  • Indoors, Environmentally Controlled
  • Responsible for Others’ Health and Safety: 48%


  • Food Production: Knowledge of techniques for proper cooking, handling, and storage techniques
  • English Language: Knowledge of the structure and content of the English language including the meaning and spelling of words, rules of composition, and grammar. 
TSES will provide as necessary:  

  • TSES workers to assist facility personnel.  Workers are available, seven days per week.  A copy of the time and attendance sheets will be provided to Facility Service Administrative Officer for documentation.

Wapack Labs offers paid and unpaid internships to vets and former Police/First Responders. Today, our junior cyber analysts include two Marines --one heavy equipment mechanic; the other, counterintelligence; one newly discharged Army sniper, one Navy Aviation Structural Mechanic, one police officer from St. Petersburg, FL. We've had one Marine LAR complete the program, recently had an Army MP leave the program, being replaced on Monday by another.  We start our program roughly every 10 weeks and internal training begins with classes in OPSEC and 'Operating Safely in Cyberspace', and progresses gradually through roughly 30 modules including lessons in writing for intelligence, GEOPOL, cyber threats, scripting, TCP/IP, malware analysis, and more.

Southern NH University and Digimind were kind enough to pitch in.  Interested in pitching in?  Sponsoring a vet?  Call me or shoot me a note.  The investment is small but the payoff is amazing.

Until next time,
Have a great weekend!

Saturday, September 24, 2016

The Cybersecurity Triad

In the never ending argument over which source of data is more important to the defense of your enterprise – the endpoint or the network – it’s important we don’t forget that external sources can be just as valuable in detecting compromises and combating threats.

A key construct of the Cold War was the “nuclear triad.” That is to say: our ability to deliver nuclear weapons via missiles, airplanes, and submarines. It was important that all three legs of this metaphorical atomic stool were equally strong because from both an offensive and defensive perspective, a one-two-three punch was better than a one-two punch, though we are talking about nuclear weapons here, so just one (from both sides) is more than enough.

There are many arguments in cybersecurity, not the least of which is whether you should focus more on endpoints or network traffic to better defend your enterprise. Both sides have strong arguments and powerful personalities serving as proponents. On the one hand, evil has to ask a system for cycles in order to work. If you can monitor those cycles you have a good chance of detecting evil. On the other hand, unless your attacker’s goal is destruction (rare) evil has to move through the network to exfiltrate what they’re after, which means if you can sort out good traffic from bad you also have a chance of detecting evil.

But both approaches have shortcomings. If either were perfect the market for the other would disappear overnight. When the things you can control fall short it pays to look to external sources. Yahoo recently found this out. In the fog-shrouded chaos that is the online underground, there is threat-related gold. As the story relates, there is also iron pyrite amongst the gems so you have to do your due diligence, but the presence of legitimate data of yours ‘in the wild’ that you didn’t know about is a sound indicator that you are sitting on a two-legged stool.
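To make the three-legged stool concrete, here is an added example (not code from the original post) that fuses the three legs the argument describes: endpoint telemetry (a process asking the system for cycles), network telemetry (data moving out through the network) and an external source (an account of yours seen 'in the wild'). Every record is constructed sample data, and the field names, the leaked-account feed, the suspicious-parent list and the byte threshold are assumptions chosen for illustration.

```python
"""Fusing the three legs of the stool: endpoint, network and external data.

Added example, not code from the original post. Every record below is
constructed sample data, and the field names, the 'leaked account' feed and
the thresholds are assumptions chosen for illustration.
"""

# Leg 1, endpoint telemetry (constructed): which process each user ran and
# what launched it. A shell spawned by a mail or Office client is the kind
# of 'asking the system for cycles' the post describes.
ENDPOINT_EVENTS = [
    {"host": "ws-12", "user": "jdoe", "process": "outlook.exe", "parent": "explorer.exe"},
    {"host": "ws-12", "user": "jdoe", "process": "powershell.exe", "parent": "outlook.exe"},
    {"host": "ws-07", "user": "asmith", "process": "chrome.exe", "parent": "explorer.exe"},
    {"host": "ws-33", "user": "kwong", "process": "powershell.exe", "parent": "explorer.exe"},
]

# Leg 2, network telemetry (constructed): outbound byte counts per host.
# Exfiltration has to move through the network, so volume is the signal here.
NETFLOW = [
    {"host": "ws-12", "dest": "203.0.113.5", "bytes_out": 950_000_000},
    {"host": "ws-07", "dest": "198.51.100.20", "bytes_out": 12_000},
    {"host": "ws-33", "dest": "203.0.113.77", "bytes_out": 600_000_000},
]

# Leg 3, external source (constructed): accounts a vetted outside source
# reports as appearing in a credential dump 'in the wild'.
EXTERNAL_LEAKED_ACCOUNTS = {"jdoe", "kwong"}

SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}  # assumption
EXFIL_THRESHOLD_BYTES = 500_000_000  # assumption: tune to the environment

LEG_ORDER = ("endpoint", "network", "external")


def endpoint_leg(events):
    """Hosts where a command shell was launched by a mail or Office process."""
    return {
        e["host"]
        for e in events
        if e["process"] in {"powershell.exe", "cmd.exe"} and e["parent"] in SUSPICIOUS_PARENTS
    }


def network_leg(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Hosts whose total outbound volume exceeds the exfiltration threshold."""
    totals = {}
    for f in flows:
        totals[f["host"]] = totals.get(f["host"], 0) + f["bytes_out"]
    return {host for host, total in totals.items() if total > threshold}


def external_leg(events, leaked_accounts):
    """Hosts where an account reported leaked by an external source was active."""
    return {e["host"] for e in events if e["user"] in leaked_accounts}


def fuse(events, flows, leaked_accounts):
    """Map each flagged host to the legs that fired, listed in LEG_ORDER."""
    hits = {
        "endpoint": endpoint_leg(events),
        "network": network_leg(flows),
        "external": external_leg(events, leaked_accounts),
    }
    fused = {}
    for leg in LEG_ORDER:
        for host in hits[leg]:
            fused.setdefault(host, []).append(leg)
    return fused


def prioritize(fused):
    """Hosts ordered by how many independent legs agree, most corroborated first."""
    return sorted(fused, key=lambda h: (-len(fused[h]), h))


if __name__ == "__main__":
    result = fuse(ENDPOINT_EVENTS, NETFLOW, EXTERNAL_LEAKED_ACCOUNTS)
    for host in prioritize(result):
        print(f"{host}: {len(result[host])} leg(s) -> {', '.join(result[host])}")
```

The point of the sample is ws-33: the endpoint leg sees nothing unusual (a shell launched from the desktop), the network leg alone flags it but cannot separate it from a large legitimate transfer, and only the external report that the account is circulating in a dump turns it into a corroborated priority. ws-12 lights up all three legs; ws-07 never appears.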

The buzz phrase for external sources is “threat intelligence,” but if you asked 10 threat intelligence vendors what they offered you’d probably get 11 different answers. The other commonality in this thread is that if you ask 10 different threat intelligence vendors, you’ll likely be overwhelmed with the vastness of information scraped from the open internet, with an opinion rendered on what the 50 million individual tea leaves collected that day actually mean.

That’s not intelligence. 

That’s data. Sometimes it’s big data. Most of the time, just aggregation.

We do this for a living, and some of us have done it for decades, so consider this as you evaluate how to build your third leg:

Is the source credible? Data on 500M users is a pretty amazing set of data. You would be right to be skeptical if someone you didn’t know from out of the blue offered to provide you with such data.

Does the source have access? The tip that triggered the Yahoo investigation was reportedly not legitimate, which means the source didn’t have the access claimed (or implied).

Is the source reliable? People think that just because someone operates in the underground that they don’t have to deliver. Things like ransomware work because the bad guys, while being bad guys, are also professionals. The profits from ransomware dry up if the bad guys don’t provide decryption keys when they’re paid. Likewise the first time someone rips you off is the last time they have to make money off of you. Shady or not, this is how some people make a living. They live well and they want to keep it that way.

Good sources of threat intelligence must be vetted and it will take time for you to determine who you can trust. You will get ripped off, and you will be overwhelmed with meaningless information that you’ll have to wade through to find the real nuggets. That’s the price of admission to the underground. Not everyone in this business provides something worth paying for, but for those reliable, credible, trustworthy few, you have the makings of a beautiful (if wary) friendship.

Saturday, September 17, 2016

What do a Securities Regulator, an Investment Banker, and a Fulbright Board member have in common?

They all loved Cyberwatch.

I know. I don't normally like to market on this blog ;) but I can't help it. I'm so excited.  Between the ASIS/ISC2 conference in Orlando and the talks in downtown Manhattan this week, I demoed Cyberwatch on my iPad at least 50 times.

This morning is a bit different. I came back from NY with a WHALE of a cold. My head's full and I feel like a train wreck, so I'm going to post the video that shows the basic premise of Cyberwatch, and then once again, I'll give you the URLs.

Here's the video. It's 2 minutes long.

There are two applications here. The GUI is shown at we realized a few weeks ago that we weren't UX builders... I'm going to hire some talent for v2. 

However... the API is awesome. The API feeds the Cyberwatch app, and can be reached at So far, we've had several companies call us, wanting to know if the results are real. Feedback has been amazing. We've fixed many of those issues in our code that needed fixing, and have a roadmap of features that we've also already started working on.

OK, enough for now. Watch the video. Try the API. Plug it into whatever front end you use.


We've been pounding the pavement getting ready for this week's Threat Day. If you've not RSVP'd please contact Pam. Cigars in a private room at JR's the night before, and the meeting on Tuesday in the "Major Telecom" conference center with a tour of the Global NOC.  

Keeping it short. Keep an eye on announcements of products...

Have a great weekend!

Saturday, September 10, 2016

Voter manipulation no big deal? Hey Cowboy, you may want to read this...


"Department of Homeland Security (DHS) Secretary Jeh Johnson on Thursday downplayed concerns about malicious hackers influencing U.S. elections amid rising fears about foreign actors trying to wreak havoc on Election Day."

I'd like to comment... Just because DHS can't see it doesn't make it true. That's not a knock on DHS, but neither the US-CERT nor the NCCIC is equipped to handle the multi-disciplinary analysis required to see and read all of the tea leaves. 

Let me explain... here are a few things you may not have known. We tracked in near real time the manipulation of the Ukrainian Presidential Election by hackers, military, and commandos. This multi-faceted, asynchronous information operation followed what we believe to be an updated version of the Ivanov Doctrine --Putin's asynchronous warfare plan taken from lessons learned by watching the US operate against Iraq. We published reporting on this in 2014 and into 2015. Since the Crimean conflict, Wapack Labs has actively tracked cyber activities between Russia and their neighbors --but most specifically Ukraine.  For DHS's NCCIC to have known about this, they would have needed more intelligence than just cyber coming into the center. I'm not sure if they do. 

The high level story goes like this:

(Russian) hackers trojaned the Ukrainian Central Election Computer systems.  When the Ukrainians found out, they took it offline. Telephony denials of service, computer attacks, and manipulation of election reporting on a Russian State-owned Television station on the eastern border of Ukraine reported false outputs through the night of the election. The full report tells the full story, properly sourced, but the last time we mentioned this, it was reported by the Christian Science Monitor. We preferred to stay low-key in the article, but this story was originally tipped off by my original blog post. I remember having a discussion with Mark Clayton (the journalist) as he was pulling the piece together. He was aghast that the story of a Presidential Election manipulation hadn't received more attention here in the US.  My only thinking is, my team is small and nimble.. we operate very much in a multi-disciplinary fusion center approach.  I'm guessing that gathering lessons learned wasn't the priority at the time, and neither the press nor our IC apparently connected the dots... or maybe Jeh just hadn't been made privy??  I don't know. I can't speculate on that, but I can make our original reporting available. 

If you wish to purchase the report, I've priced the short form Priority Intelligence Report at $1.  The 25 page document is priced slightly higher. Both are available for purchase at our digital storefront


I'm preparing for my trip to Orlando tomorrow. I've never been to an ISC2 Annual Summit, and the fact that it's being hosted with ASIS makes this attractive to my cashflow operated marketing budget. I've got a great little announcement that'll be hitting the press while I'm there, and if you see me, ask me! I'm planning on having my laptop, running demos to anyone that'll want to see them. We'd built an early version that I demo'd all over RSA, gathering a great crowd, running demos on my phone until the battery finally died. I can't wait to show off the upgrade! 

On Wednesday we're presenting at the FS Consortium in NYC, and next week? Cigars with Red Sky Alliance members on Monday night with Threat Day at the Global NOC of one of the major telecom companies on Tuesday. We've got a great lineup. I'm running hard. It's awesome! Didn't get the invite? Shoot a note to Pam, our marketing guru. She'll hook you up!

So, until next time, 
Have a GREAT weekend. Maybe I'll see you in Orlando!

Saturday, September 03, 2016

Ending summer. Kicking off Fall with a Bang (and a cigar!).

I'm not going to spend a lot of time on my post this morning. It's the last official weekend of summer and after I go to the dump, we're heading for our last outing to the beach for the season, and then driving to MD tomorrow preparing for three weeks of hard travel and the official kickoff of the fall surge. We always get busy in the fall. Founded on 8/29/2011, we just passed Red Sky Alliance's 5th birthday, and every year is pretty much the same. In fact, we built Wapack Labs to start pushing intelligence into the Red Sky portal after our first summer, hoping, making sure, that after summer, our members would come back. It got so slow during the first year that I thought we'd been abandoned... we needed to find a way to add value to make sure they came back --and they did.

We kicked off operations in Feb '12 with two guys, three members, and a monster American Express bill, waiting, waiting, waiting, for that first check so that we could pay the Amex... and when it finally came in, we both (Jim and I) sighed a huge sigh of relief.

Since then, the Red Sky group has grown to roughly 35 companies participating, and even today, we maintain about 40% of our members checking in at least monthly. We've lost four companies in five years, and although we've shifted our stance just a bit --some companies still prefer to share privately --and do, others just don't care. The portal remains fully attributional.

How do we build trust? One of the ways we do it is by hosting quarterly get togethers --cocktails first, followed by a day of meetings where we share ideas and threat information. Our next will be held in New Jersey... cocktails at JR's. If you're a geek and want to stop by for a few minutes, please, by all means.

Threat Day will be held the next morning at the conference center at the (ahem) Large Telecom in the area... with a tour of the Global Network Operations Center. For those of you who remember doing this a couple of years ago --this is our second visit, this is one of the coolest locations for a conference that I've ever been to... I'd even have to say this is cooler than the underground conference center at the Pentagon... that's cool, but this place? It's a Geek's dream!

So here's the logistics: If you'd like to attend, please RSVP to our event coordinator. Not a member? RSVP anyway. If we run out of space, we'll let you know!

Join Us For Cocktails, Conversation & Cigars The Evening Before Threat Day!

The Red Sky Alliance & The Wapack Labs team invite you for cocktails, appetizers, conversation and yes, a cigar [if you would like :)] the evening prior to Threat Day. Join us at the Montecristo Lounge September 19th at JR Cigar. We will be in the Churchill room! Listen for raucous laughter and tall tales. Check out the link below. Looking forward to seeing everyone!

JR Cigars - The Churchill Room

301 Route 10 East
Whippany, NJ 07981
*Dress Code -- Business Casual

The summer's always slow but we try to use it to build something insanely cool for release after Labor Day, and this year is no different. Look for one of the coolest new tools you've ever seen to hit the streets next week. We've been working hard, beta testing in the membership, and loading context all in preparation for one of the absolute coolest tools. I'm not going to say any more --you'll just have to wait for it... but trust me... it'll be worth the wait! 
I've got a dump run and a beach waiting... so until next time,
Have a great weekend!