How Harry Houdini Really Died is a Master Class in Cybersecurity
Who else didn't know that Houdini didn't die from drowning during one of his tricks? I have the real story.
I just learned that my life has been a complete lie. I’ve lived my entire life thinking Harry Houdini drowned while attempting one of his famous escape tricks. It’s not true. WHAT!? I can’t be the only one…
Of course, I had to dig into how he died. And what I found surprised me. Of course, I found some cybersecurity parallels. So today, we’re covering:
Another exit scam on the dark web
What Harry Houdini’s real death teaches us about cybersecurity
A Google update that keeps you safe
-Jason
Spotlight
A Dark Web Betrayal
I’m starting to get the sense you can’t trust cybercriminals. A few weeks ago, ALPHV pulled a $22M exit scam, leaving the affiliate who attacked Change Healthcare without a cut of the proceeds. Around the same time, another cybercriminal made that exit scam look like amateur hour.
A dark web market brings shady vendors and buyers together to exchange goods and services. Instead of buying soaps or fruits, customers who frequent these bazaars seek items of the more illicit variety: drugs, stolen data, fraud tools, weapons, and a slew of services you won’t find with a Yelp review.
These dark web markets provide escrow services to reduce the chances of scams, which shockingly happen quite often on the dark web.
The Incognito Darknet Market launched in early 2021 and specialized in narcotics. As one does, I suppose. They specifically banned the sales of weapons, tactical gear, malware, and fraud. I sensed a soft spot because they also banned the sale of fentanyl (too dangerous, I suppose), live or dead animals (amazing they had to stipulate this), and also the “advertising or sale of services related to harm of another human being or animal, whether real or fake.”
Source: Darknetlive
While they may like animals, they’re still terrible humans. In early March, customers complained that they could no longer withdraw Bitcoin (BTC) or Monero (XMR) from their accounts. The opening move of the exit scam had begun.
Source: DarkWebInformer X Post
Pharoah, the marketplace’s admin, tried to play it cool, stating that they were working through technical issues. In reality, they were shutting customers and vendors out and stealing their crypto. This was possible because of the escrow services they provided where they held deposited funds waiting to purchase contraband.
For many exit scams, the story stops there. But not this time. Pharoah took things one step further by extorting their vendors and customers, demanding payments ranging from $100 to $20K. They threatened to publish private messages and transaction details for users who didn’t pay. They claim that included 557K orders and 862K crypto transactions.
Source: Brian Krebs
So, just in case you weren’t aware, you can’t trust criminals on markets specifically designed to sell illegal goods…
Deep Dive
Cybersecurity Risk Magic Management
I was today years old when I learned that the famed escape artist Harry Houdini did not die by drowning. I will give you a minute to process this…I know I needed it.
The urban legend originated in Hollywood, starting with the 1953 movie Houdini, which depicted Houdini drowning in his famous water torture cell.
I will do two things for you today because I want to work through this with you. First, I will give you the real story behind Houdini’s death so you can fill the void. Second, I will show you what this has to do with cybersecurity because this is a cybersecurity newsletter after all.
The Real Story of Houdini’s Death
Harry Houdini died on October 31, 1926, at the age of 52. The events that led to his death started three weeks prior when a series of unfortunate events started to compound.
October 11, 1926: Houdini was in Albany, New York, for a performance. He had an unfortunate accident while performing his water torture cell trick. This is the trick that Hollywood had us all (hopefully not just me) believe he actually died during! That accident left him with a broken ankle.
For most people, this would put them out of commission. But Houdini was a stubborn mofo who ignored doctors’ orders to get some rest. The show must go on, as do we into the next issue.
October 22, 1926: By now, Houdini was in Montreal, eh, for more shows. He was kicking his feet up in his dressing room when some students came in to meet him. Now, here’s another fun fact about Houdini. He was an avid boxer and a pretty damn good one.
He often claimed to have an iron stomach and challenged anyone to punch him in the gut. He was a total beast and wouldn’t flinch.
This was too much for one of those students to handle. As he asked Houdini about the trick, he sucker punched him in the gut at least four times. Injured and caught off guard, Houdini didn’t have time to tighten his abdomen. Every blow landed with excruciating pain. That evening, Houdini was in significant pain. But he ignored advice to go to the doctor. The show must go on!
October 24, 1926: Houdini was now in Detroit, where he finally let a doctor examine him. The doctor diagnosed him with acute appendicitis. Even in 1926, you could still survive that surgery if you caught it early. But Houdini was a showman. He just had to perform, even with a 104-degree fever.
As tough as he was, he only lasted two acts until he had to cancel the show. It wasn’t until later that evening that his wife forced him to go to the hospital in the early morning hours the following day.
October 25, 1926: Surgeons acted quickly to remove Houdini’s appendix. Bad news, though. It had already ruptured, and the lining of his stomach was now inflamed, and an infection started to spread through his body. While you would think this man lived on luck, there was one thing he couldn’t control. Time. This was, unfortunately, three years before antibiotics were discovered. The doctors tried an additional surgery and an experimental treatment, but Houdini ultimately succumbed to his injuries and died six days later on October 31, 1926.
While there is a lot of speculation that the punch is what ultimately burst Houdini’s appendix, there’s just as much evidence that says he likely was suffering from appendicitis weeks before that punch landed. All the way back to when he broke his ankle. The combination of a broken ankle, traveling, a punch to the gut, and taking almost no rest compounded until it was too late to recover.
Cool Magic Story, Bro. WTF About Cybersecurity?
How does this apply to cybersecurity? The answer is everything. The full story of Houdini’s death is all about risk management.
Lesson #1: Don’t let the punches you don’t expect kill you: Cybersecurity is about assessing risk. Security leaders spend a lot of time looking at their environments and determining the most likely failure points. Then they work to mitigate the risks surrounding those.
Bad security programs try to protect against no risks or every risk. It’s a failure of focus and proper execution on both ends.
Good security programs find the most likely risks and defend against them. But reality quickly shows you can’t predict and protect against every risk. There is always something you won’t think about, and those are the things that lead to headlines in the news. It doesn’t mean it was a bad security program, it just means that there was a risk they weren’t aware of and could not fully defend against.
Great security programs build resilience against unexpected risks. These security leaders know there will be gaps or that a motivated attacker will find a way through their defenses. To prepare, they focus on mitigating the known risks and building an environment resilient enough to limit the damage from the punches they don’t expect.
Lesson #2: Ego is the enemy: I recall a conversation in which a company's IT leader was so confident in his ability to block attacks that he called it bulletproof. No attacker was getting in. Of course, this is a fairy tale.
When you believe your environment is unhackable, you have already lost. While your security may be great, your ego takes it to a level no longer grounded in reality, and you start to coast. It takes one misstep, and a single punch slips past your defenses to take you down.
Like Houdini, he was so confident in his position because he was overly focused on his own capabilities. I’m sure they had great controls, but I’m equally sure that no security program can prevent every attack because of the next lesson.
Lesson #3: Risk compounds quickly: The biggest gap in security is between what we know we should do and what we actually do. Even if you know the risks, it isn’t easy to understand how they string together. Many attacks start like a small snowball rolling down a snow-covered hill. If you look at any spot on the hill with snow, it doesn’t look so bad. But let a tiny snowball roll down from high enough on the hill, and you’re dealing with a massive snowball that can cause heavy damage.
Security leaders: Identify what matters most to mitigate your risk. Then, execute a roadmap to remediate that risk with relentless focus. Guess what? You don’t need that fancy new tool. You don’t need to double your budget and headcount every year. You don’t need a quarterly presentation to the board, either.
You need to build relationships in your organization that work across the business to implement your plan. Pick the highest-yielding security investments and implement them in your organization. These can be low-cost and low-effort things that give a greater return on security than buying a new tool and, let’s be honest with ourselves, never getting it fully operational in your environment.
Business leaders: If you’ve hired the right security leadership, they will know something about security. Trust them. If you didn’t hire the right security leadership, then maybe it’s time you did.
Security is a cost center—let’s call it what it is—but it is essential in today's world. Just as you wouldn’t invest in a front door without a lock, you can’t operate in an environment where security isn’t baked into the technology you rely on to run your business.
It’s your job to keep your security leaders grounded in reality with their wishlists, but they also can’t be expected to defend a castle with a wooden sword. Ask the tough questions and stretch the technical leaders to better communicate with the business. Be willing to listen and compromise where appropriate.
You don’t want a sucker punch from an attacker to put your business in an early grave. That’s why security exists.
News
What Else is Happening?
📱 An insider at a mobile telecom company pled guilty to using their company access to conduct SIM-swap attacks on behalf of cybercriminals. This is a common playbook for attackers who need to bypass SMS MFA. There are many more of these insider threats that operate every day.
⏲️ Google Chrome is updating its Safe Browsing feature to provide real-time access to threats, huzzah! Previously, Chrome would check for the latest threats every 30 - 60 minutes. With this update, that list is updated in real-time, which Google found will block 25% more phishing attempts.
🚨 A Russian-Canadian man was sentenced to four years in prison and ordered to pay $860K in restitution to his victims. His crime? Hacking into companies under the LockBit affiliate flag.
💰️ The International Monetary Fund (IMF) announced a cybersecurity incident that found 11 IMF email accounts were compromised. Details are sparse, but given their international role, it wouldn’t be surprising if this was a nation-state looking for some inside details.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week!