This story is part two of a months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement and sharing these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.
…We have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it.
― Shannon Brewster, ISC2 LA President
As part of our ongoing, months-long investigation into accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility at ISSA-LA, vBTruth recently observed an upcoming joint holiday party on Eventbrite, allegedly hosted by ISSA-LA, Women’s Society of Cyberjutsu, Open Worldwide Application Security Project (OWASP), Association of Information Technology Professionals – Los Angeles (AITP-LA), the Southern California (SoCal) Chapter of the Cloud Security Alliance and ISC2 Los Angeles.
vBTruth reached out to a few of these organizations to confirm their participation and attempted to obtain copies of any agreements.
More than one organization was surprised to be included in the holiday party, because they had not given consent. Even more surprising was the fact that their respective organizations were featured as one of “six” non-profits hosting the holiday party, on both the ticket sales page and the separate sponsorship sales pages. Both ISC2 LA and Cloud Security Alliance stated that the use of their names was unauthorized.
“ISC2 LA leadership had some informal discussions over email with ISSA-LA’s board regarding a joint holiday party. They reached out a few weeks ago and invited us to participate but we had not made a final decision. We were waiting on a written proposal and an agreement that disclosed the expected costs and responsibilities.
“Given that nothing has been finalized, we have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it.” Shannon Brewster, ISC2 LA President, wrote to vBTruth.
An anonymous source familiar with the matter at Cloud Security Alliance told vBTruth that “they never agreed to participate at the holiday party and were extremely disappointed in the attempt to obligate the SoCal chapter in(to) participating and the unnecessary deception to the (security) community at large.”
Both Cloud Security Alliance and ISC2 LA have issued demands to have their names removed from any promotional material or website stating their participation in the holiday party. Both have stated they will not be participating in this year’s holiday party. At one point, the sponsorship Eventbrite page stated five non-profit organizations. It was further updated to remove ISC2 LA.
Both Eventbrite pages have been updated since the demands were made by Cloud Security Alliance and ISC2 LA.
Another recent significant update was the keynote speaker at the holiday party. On November 2, 2023, the website featured Bryan Hurd, Chief of Office, Aon Cyber Solutions (Stroz Friedberg). Fast forward to November 10, Bryan Hurd has been removed from the website and replaced with Demetrios Lazarikos (Laz).
The question we have not been able to answer is: “Why was Bryan Hurd replaced one month before the holiday party?” The only two logical conclusions were:
Unauthorized Use of Name/Attempt to Obligate
An analysis of both claims would lead us to believe at vBTruth that it was an attempt to obligate Mr. Hurd as the keynote speaker of the holiday party without his consent.
First, we have not one, but two attempts in a single event to obligate, maybe force, two independent organizations to participate in the ISSA-LA holiday party. Both organizations have issued statements to vBTruth, stating they never agreed to participate.
Next, we can assume it was not a ‘mistake’ per se, but intentional. Two Eventbrite webpages listed all organizations allegedly hosting the holiday party, by name and with an exact count of participating organizations. To list a specific number of organizations by name, including two organizations who did not agree to participate, on two different Eventbrite webpages, each carrying a precise count of participating non-profits, one must conclude that this was intentional.
Lastly, keynote speakers are typically booked months in advance. To cancel at the last minute usually means a change of schedule, or something personal is occurring. It is highly unlikely a schedule conflict forced Mr. Hurd to withdraw, because holiday parties usually have large turnouts and a keynote speaker would set the necessary time aside and block their calendar.
That leaves the last option: Unauthorized use of name and attempt to obligate. There are already two documented instances in this one event to obligate two other organizations. It is certainly not unreasonable to assume that more attempts occurred without the general public’s knowledge.
“There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”
― President George W. Bush, 43rd President of the United States of America
Regardless of what happened with Mr. Hurd, it does not change the fact that ISSA-LA falsely published two organizations’ participation and potentially tried to strongarm and obligate their entire organizations and their respective leaders. Marketing this event to both potential attendees and sponsors as having the participation of organizations who did not agree to participate is duplicitous, dishonest and fraudulent behavior.
Those reasons alone put ISSA-LA and its leaders on the naughty list and rightfully earn all of them lumps of coal this holiday season.
This story is part one of a months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement and sharing these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.
Sunlight is the best disinfectant. This mantra of transparency still remains true today. After several months of attempting to resolve concerns of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance behind closed doors with no resolution, individuals are finally coming forward and shining a light.
Multiple individuals, including several current and past members of the ISSA-LA Chapter, have accused the current sitting ISSA-LA Chapter President and now former OWASP-LA Chapter President Richard Greenberg and the current sitting ISSA-LA Chapter Vice President and now former OWASP-LA Chapter Vice President David Wettenstein of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance. The accusations of malfeasance and breach of fiduciary responsibility are starting to extend to the current sitting ISSA-LA chapter board for turning a blind eye to conflicts of interest by the current Chapter President and Vice President, failure to enforce the bylaws of the chapter, and failure to remove the Chapter President and Vice President. The number of individuals making accusations appears to be growing larger and louder by the day. The number of victims continues to grow with each passing moment, and the number of casualties in this journey towards finding a resolution continues to rise.
On March 25, 2021, ISSA-LA Chapter President Richard Greenberg filed articles of organization with the Wyoming Secretary of State’s office, forming a new limited liability company: Layer 8 Masters. Legal business filings were obtained from both the Wyoming Secretary of State’s Office and California Secretary of State’s Office. Listed in these business filings were Richard Greenberg, Haral Tsitsivas, David Wettenstein, and Alexander Braehler – members of the limited liability company. The purpose of the business is to host cyber security educational events under the brand “Planet Cyber Sec Conference”.
Since September 2021, Planet Cyber Sec has held 11 cyber security conferences throughout Southern California, including CIO/CISO Forums, AppSec SoCal, and other security conferences and events.
ISSA-LA, a 501(c)(3) nonprofit charity, is operated by a volunteer group of individuals who make up the leadership and board of ISSA-LA. These same volunteers have a primary place of employment from which they derive their income.
While it is not unethical to hold a primary place of employment and serve concurrently on a 501(c)(3) nonprofit board, nor is it unethical to directly compete against the nonprofit, it is questionable to start a brand new business that competes in the same industry, the same vertical, the same geographic area, and the same space (security conferences), that offers nearly identical services, and where the for-profit company and the nonprofit obtain the vast majority of their income, while both the for-profit organization and the nonprofit organization are concurrently led by the same sitting leaders.
It is clearly unethical, and a clear conflict of interest, to use ISSA-LA members’ money and ISSA-LA’s non-profit resources, and to profit from one’s position as a leader in the non-profit, for a for-profit organization, especially one directly owned by the ISSA-LA Chapter President and Chapter Vice President. The Chapter President and Chapter Vice President have been using members’ money and member-owned resources, have a conflict of interest, and are potentially profiting from sponsorships and revenue from ticket sales at their for-profit enterprise while potentially leaving ISSA-LA members holding the bill for indirect expenses. Multiple individuals have raised these concerns privately and quietly, often in lengthy conversations sharing their concerns.
Multiple newsletters sent by ISSA-LA share a consistent, repeating theme of offering an ISSA-LA member discount to attend Planet Cyber Sec events. Each email lacks any notification or disclosure to the reader that the current Chapter President and Vice President are owners of Planet Cyber Sec and have an equity and financial stake in the success of Planet Cyber Sec. Effectively, given the lack of transparency and the way each email is phrased, any reasonable individual could perceive and interpret “Planet Cyber Sec” as an ISSA-LA organized event. vBTruth was able to obtain copies of the newsletters and verify their authenticity.
One individual interviewed by vBTruth, on condition of anonymity because this individual had concerns about a recurrence of being harassed, defamed, and slandered by the Chapter President, witnessed firsthand the brand confusion, promoting, and selling of Planet Cyber Sec at other local events. Representatives from ISSA-LA gave away tickets, pitching it as “ISSA-LA is giving away two tickets to Planet Cyber Sec”. There was no disclosure to potential speakers and potential sponsors that Planet Cyber Sec is directly owned by the ISSA-LA Chapter President and Vice President.
The list of concerns continues, including inappropriate use of chapter resources such as mailing lists, chapter intellectual property, and multiple social media accounts across multiple platforms owned by ISSA-LA. vBTruth has independently verified that select social media accounts owned by ISSA-LA do indeed promote Planet Cyber Sec. In all instances, there is no disclosure that the Chapter President or Vice President are owners of Planet Cyber Sec.
This individual further alleges there was never any chapter board approval given to Planet Cyber Sec or its owners to promote Planet Cyber Sec, or to use chapter social media and other chapter assets in the manner they were used for Planet Cyber Sec. The same individual alleged that Richard Greenberg sent Planet Cyber Sec information across all marketing channels, all without permission or a vote by the chapter board, effectively bypassing chapter board approval not once, but multiple times.
One individual vBTruth interviewed, on condition of anonymity because they feared retaliation and physical harm from the Chapter President, stated they had serious misgivings and concerns not just over the use of chapter resources, but over chapter members’ money. According to the individual, the Chapter President spent members’ money on himself on lavish, all-expenses-paid trips to RSA Conference in San Francisco, CA, and Black Hat USA in Las Vegas, NV. These trips were completely paid for by ISSA-LA members. These trips are not cheap. Hotels can easily run over a thousand dollars a night during RSA Conference and Black Hat USA, according to this individual. These board-approved trips were intended to raise the profile of ISSA-LA and build relationships with potential speakers and sponsors.
However, this individual alleged that the Chapter President was nowhere to be found during RSA Conference and Black Hat USA. This individual never ran into the Chapter President at the RSA Conference or Black Hat USA exhibit halls. Several other individuals with ties to the Chapter President never encountered the Chapter President on the exhibit hall floor. vBTruth was unable to verify the claim; however, the individual was able to provide multiple receipts and credit card bills showing their presence at RSA Conference and Black Hat USA. vBTruth was also able to find photos on social media consistent with what this individual alleges, including one photo where the Planet Cyber Sec logo is clearly visible on a polo shirt worn by the ISSA-LA Chapter President while traveling on ISSA-LA members’ money.
At the same time, there were serious questions whether the time and money spent on these trips, or the use of LinkedIn, was for the Chapter President’s personal gain, his personal business, or for the Chapter. As one individual pointed out, “It is very hard to distinguish whether Richard was doing things to build his business or for ISSA-LA as they are all comingled together.” This pattern of mixing chapter-funded resources with personal gain extends to LinkedIn as well, as ISSA-LA is paying for the Chapter President’s LinkedIn Premium account.
The concerns of unethical behavior, use of members’ money, use of chapter resources, brand confusion, self-dealing, and the lack of transparency and reasonable disclosure have created various degrees of confusion. It is believed that more than one exhibitor thought they were sponsoring and giving money to ISSA-LA and not Richard’s Planet Cyber Sec. There has been at least one accusation that the President and Vice President were redirecting and diverting potential sponsors, money (through sponsorships and ticket sales) and speakers away from ISSA-LA events and towards Planet Cyber Sec while lining the Chapter President’s and Vice President’s own pockets.
The concerns have triggered a wave of resignations at ISSA-LA, with at least one confirmed resignation in protest of the unethical behavior by the Chapter President and Vice President. Based on information that vBTruth has been able to assemble, the board turnover at ISSA-LA has been extreme. Since May 2022, at least eight ISSA-LA chapter board members have resigned or have chosen not to continue on the board. Their roles range from Chapter Secretary and Chapter Treasurer to multiple Directors. That is at least an 80% board turnover in 18 months on a ten-seat chapter board, or a 67% board turnover on a twelve-seat chapter board. Several individuals appear to have held board positions for multiple years and abruptly quit with no public reason given. Additionally, starting August 2023, six advisory board members also abruptly resigned over a short period of two months. Yet the President and Vice President continue to remain in power ten-plus years later.
At least two board positions remain vacant to this day, in violation of the ISSA-LA bylaws: the Executive Director and Social Media Director positions. In the upcoming 2024 board elections for ISSA-LA being held December 2023, the position of Technology Director is unfilled, and the Executive Director and Social Media Director are mysteriously not on the ballot nor being advertised as vacant.
Citing these concerns, multiple individuals have privately raised numerous questions, concerns, and complaints to numerous organizations including ISSA-LA, ISSA International, OWASP International, International Information System Security Certification Consortium, and other organizations regarding the founders of Layer 8 Masters and Planet Cyber Sec.
At least one individual has expressed their concerns to one organization’s general counsel because they fear potential physical harm by the Chapter President, as well as slander as they have been the confirmed victims of slander by the Chapter President.
They also expressed no confidence in the ISSA-LA board or its independence. They firmly believed that any action brought by the members would not lead anywhere because not enough victims or individuals would be willing to come forward and confront and challenge the Chapter President and Vice President in a meeting, as written in the ISSA-LA bylaws. They have concerns that those frustrated members and victims have chosen not to renew their memberships, refuse to get involved and have tried to move on, or have transferred as members to another chapter so as to keep distance between themselves and the current Chapter President and Vice President. They also firmly believed that the board lacks independence because Richard Greenberg, Chapter President of ISSA-LA and face of Planet Cyber Sec, can appoint and fill vacant ISSA-LA board positions, per the ISSA-LA bylaws. They reasonably believe the board is now filled with the Chapter President’s cronies.
OWASP International appears to be the only organization who has conducted any investigation of the complaints and examination of the evidence to date on the unethical behavior of Planet Cyber Sec founders. It appears that OWASP International found the complaints valid as Richard Greenberg, Haral Tsitsivas, and David Wettenstein are no longer listed as leaders of OWASP-LA and OWASP-OC. vBTruth did not reach out to OWASP International to verify because their website cites confidentiality related to these types of issues.
Tensions, frustrations, and anger have reached a breaking point with multiple victims and individuals. Many are suffering from emotional exhaustion. They want to close the chapter on this saga.
Other than OWASP, these victims and individuals believe more than one organization has turned a blind eye. These organizations are refusing to take any action and refusing to move forward due to procedural semantics, because their policies do not allow whistleblower and anonymous submissions. Often these victims find themselves having to defend their decision to remain anonymous because of a deep fear of retribution. Multiple individuals have expressed similar concerns, including potential physical altercation, physical intimidation, defamation, slander, harassment, or libel between themselves and Richard Greenberg.
One question remains: Who actually cares about these ethics violations and will take action to stand up to these clear infractions and violations? An individual lamented that this has been a frustrating, disheartening, and discouraging multiyear process.
These victims feel abandoned. Alone. Exhausted. The very ethics and upstanding principles spoken of throughout the security industry ring hollow. These organizations are nowhere to be found when confronted with overwhelming evidence that something is amiss.
What lies ahead for each remains to be seen. And yet there are those who continue to champion the ethics, the morals, and the principles that so many seem to have conveniently forgotten.
vBTruth will be continuing its investigation into this story. Stay tuned for additional updates, including a Part 2 to this story.
Capital One, one of the nation’s largest financial institutions, announced that one of its employees had gone rogue and was responsible for stealing information from consumers and small businesses.
This information included personal information Capital One collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were also compromised as part of the theft. 1 million Canadian Social Insurance Numbers were compromised as well.
Capital One stored consumer and small business information on S3, a cloud storage service offered by Amazon.com. The court complaints detail the investigation conducted by the FBI, which describes how an attacker was able to access and download data from up to 700 different Amazon S3 buckets.
There have been a number of different data breaches related to improper security controls at various organizations using Amazon S3.
Something as simple as a misconfiguration can have huge consequences for an organization’s reputation. With a growing number of data breaches, from medical records to purchasing histories, a comprehensive picture of the average individual is starting to emerge. With any technology implementation, due diligence must be performed to reduce the likelihood of a breach.
Cloud Computing does not outsource risk and security
Cloud computing is simply borrowing someone else’s computer. By no means does it equate to transferring the risk and security responsibilities to that entity. Risk and threat models need to reflect the change of ownership of the computers and where data lives on a day-to-day basis. At the end of the day, it is on executive and senior management to understand and accept that the risks and security burdens remain with the organization, even though they appear differently operationally. Cloud is not the silver bullet for your security challenges.
We are all human. We make mistakes. No one is perfect. It is the reality of being mortal. It is important that assessments, audits, penetration tests, and red team engagements are performed on a regular basis. It is even more important that the mantra of trying to “pass” these engagements by any means possible be put behind us. Achieving a passing score is an important metric, but achieving it by any means possible sets an entire organization back because it does not allow the necessary resources to be allocated to address the gaps identified during these reviews. When sick, we do not get better unless we disclose all the symptoms so a doctor can assess and prescribe the correct medicine.
Technologists, practitioners, subject matter experts, and management need better soft skills. The days of assuming that management understands everything are long gone. The days in which technologists and practitioners could stay in their cubicles or digital walled gardens are over. Technical experts need to improve their ability to communicate the risks of adopting technology. Management needs to press its technical experts to perform proper due diligence to identify risks.
Audit, Logging, Monitoring, and Acting Upon Them
A huge saving grace for Capital One was the level of detail in its logs, which enabled it to reconstruct the series of unfortunate events. Organizations should have robust logging, and controls in place to protect those logs. However, despite Capital One having these logs, the data breach went undetected for close to four months. Consistent active monitoring, and knowing what to look for, is essential to identifying anomalies quickly. Your threat hunters are looking for needles in ever-growing haystacks.
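As an added illustration of "knowing what to look for" (this is example code, not anything from the original post or from Capital One), the script below runs one simple anomaly check over constructed, CloudTrail-style S3 access events: it flags any identity that reads or lists an unusually large number of distinct buckets within a short window, the kind of footprint a bulk download across many buckets leaves in the logs. The event field names, the threshold and window, and every sample record are assumptions.

```python
"""Flag an identity that reads from unusually many distinct S3 buckets in a short window.

Added example, not code from the original post. The events are constructed to
resemble CloudTrail S3 data events; field names, thresholds and sample records
are assumptions, not anything reproduced from the Capital One case.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reads and listings of bucket contents. Any one of them is routine; the
# signal is a single identity spreading them across many buckets quickly.
READ_EVENTS = {"ListObjects", "ListObjectsV2", "GetObject"}


def _parse_time(ts: str) -> datetime:
    """CloudTrail timestamps are ISO 8601 in UTC, e.g. 2019-03-22T10:00:05Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_sprawl(events, window=timedelta(hours=1), max_buckets=10):
    """Return {identity_arn: (distinct_buckets, window_start)} for each identity
    that touched more than `max_buckets` distinct buckets inside any `window`.
    Threshold and window are assumptions; tune them to the environment's baseline."""
    per_identity = defaultdict(list)
    for ev in events:
        if ev.get("eventName") not in READ_EVENTS:
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if not bucket:
            continue  # account-level calls carry no bucket name
        per_identity[ev["userIdentity"]["arn"]].append((_parse_time(ev["eventTime"]), bucket))

    findings = {}
    for arn, hits in per_identity.items():
        hits.sort()  # chronological, so each event can open a sliding window
        worst = (0, None)
        for i, (start, _) in enumerate(hits):
            seen = {b for t, b in hits[i:] if t - start <= window}
            if len(seen) > worst[0]:
                worst = (len(seen), start)
        if worst[0] > max_buckets:
            findings[arn] = worst
    return findings


def _event(when: datetime, name: str, arn: str, bucket: str) -> dict:
    """Build one constructed CloudTrail-style record."""
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": {"bucketName": bucket}}


def constructed_events():
    """Constructed sample log: an application role reading two buckets all day,
    and a second role enumerating 40 buckets within twenty minutes."""
    app = "arn:aws:sts::111122223333:assumed-role/app-role/i-0a1b2c3d"
    web = "arn:aws:sts::111122223333:assumed-role/web-role/i-0e9f8d7c"
    base = datetime(2019, 3, 22, 10, 0, 0, tzinfo=timezone.utc)
    events = [_event(base + timedelta(minutes=m), "GetObject", app, f"app-assets-{m % 2}")
              for m in range(0, 600, 15)]
    events += [_event(base + timedelta(minutes=30, seconds=30 * n), "ListObjects", web,
                      f"data-bucket-{n:03d}") for n in range(40)]
    return events


if __name__ == "__main__":
    for arn, (count, start) in bucket_sprawl(constructed_events()).items():
        print(f"ALERT {arn} read/listed {count} distinct buckets starting {start.isoformat()}")
```

The check is deliberately narrow; in practice it would sit beside baselines for per-identity bucket counts and alerts on unexpected source addresses, since a single threshold tuned for one workload will be noisy for another.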
This data breach joins a long line of many. We cannot accept that data breaches are the new norm. As we learn more from this insider attack, there are more lessons we should take away to minimize the likelihood of another data breach of this magnitude. We must be vigilant at all times to protect the stakeholders who entrust us with their data, their identity, and their livelihood.