Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for February 2009

NSA may get more cybersecurity duties


U.S. spy agency may get more cybersecurity duties
Thu Feb 26, 2009 1:20am GMT

By Randall Mikkelsen

WASHINGTON, Feb 25 (Reuters) – The spy agency that ran the Bush administration’s warrantless eavesdropping program may get more responsibility for securing U.S. computer networks, President Barack Obama’s intelligence chief told Congress on Wednesday.

Director of National Intelligence Admiral Dennis Blair said the National Security Agency, which is responsible for codebreaking and electronic spying, should assume a greater role in cybersecurity because of its technological prowess and current role in detecting attacks.

“There are some wizards out there … who can do stuff. I think that capability should be harnessed and built on,” Blair said in testimony to the House of Representatives intelligence committee.

Blair acknowledged that many Americans distrust the agency, which operated former President George W. Bush’s secret program of warrantless electronic spying on some Americans’ overseas phone calls.

“The NSA is both intelligence and military, two strikes out in terms of the way some Americans think about a body that ought to be protecting their privacy and civil liberties,” Blair said.

Government concern over computer network vulnerability has risen as computer hackers become more sophisticated.

“A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure,” Blair said. “Cyber-defense is not a one-time fix; it requires a continual investment.”

Billions of dollars are at stake. Defense contractors Northrop Grumman Corp (NOC.N), Lockheed Martin (LMT.N) and Boeing Co (BA.N) are working on classified cybersecurity projects for the U.S. government.

Software and telecommunications companies also are likely to play a major role, said Democratic Representative Dutch Ruppersberger, whose Maryland district includes the NSA.

Earlier this month, President Barack Obama ordered a 60-day cybersecurity review and named Melissa Hathaway, the top cyber official with the intelligence director’s office, to a White House post overseeing the effort.

Some lawmakers have said the Homeland Security Department, which plays a leading role in U.S. computer security and is in charge of protecting federal civilian networks, is not up to the job.

Blair said he agreed: “The National Security Agency has the greatest repository of cyber talent.”

“They’re the ones who know best about what’s coming back at us, and it is defenses against those sorts of things that we need to be able to build into wider and wider circles.”

I posited this back a while ago and got some angry replies from folks. I agree, the watchers need watching, but we really need the help here. I am willing to let the NSA (with supervision) do the job.

Written by Krypt3ia

2009/02/27 at 15:44

Silver lining for IT security staff?


Tim Watson, vnunet.com 26 Feb 2009

I’m not a fan of zombie films, or of horror films in general. It’s the waiting I can’t stand, the interminable suspense. Perhaps it’s a professional aversion.

For anyone involved in the computer security industry, waiting for bad things to happen is what we do. We lock the doors, block the windows and keep a careful eye on the open fireplace, while all around, outside, the hordes of zombies mass.

The organisations we work for see us as killjoys, as nerdy Cassandras. While they carry on oblivious, we’re tugging at their sleeves and pointing out the imminent doom. For years we kept telling them, and now they see that we were right.

Well, OK, it wasn’t quite the apocalypse that we were expecting. While we were watching the network logs and applying software patches, some clowns in the banking industry destroyed our economy. Let’s just say that we were right in principle.

So the financial world is in meltdown, companies are shrinking and folding, and security is on everyone’s mind. Is it all going to be over by Christmas? Are we at the beginning of the second Great Depression? And what of the computer security industry? Will it be boom or bust for those charged with manning the barricades? It goes against my better professional judgement but, as far as the future is concerned, I’m reasonably optimistic.

The rest HERE

Ehhh, I am not so much an optimist on this. You see, people as a species are rather poor at determining danger other than the short term “fight or flight” danger it seems from my observations. The whole arena of information security has been a sore point on this issue because so few get it and really try to enforce it. Never mind the fact that many companies and people running them usually cut security right off the bat as a cost center despite the fact it is necessary.

Then we have the problem of lack of understanding, which also breeds laziness and lackadaisical attitudes toward the technology and its protection. Ya know, like the popularity of “1234” as their master password *shudder*. So yeah, I really have very little faith in people, ok, “management” doing the right thing where security is concerned.

So now we are in the recession of a century and this guy thinks that security won’t take the hit? The only way I see that happening is if the regulation happens that I hope will come from the Obama administration. So do I think this is likely to happen? Well, I say it’s about a 40% chance of happening… Heh, maybe I am being too optimistic there huh? We shall see.

Anyway, with all the experience I have had in the infosec sphere, I have very little hope that the right thing will be done. Meanwhile the economy will collapse around us, data will be lost and or stolen in even greater quantities, and Rome will burn as the people fiddle with their iPhones…. Yay!
I could be wrong though…

Written by Krypt3ia

2009/02/27 at 01:01

Two disturbing stories from the current world of INFOSEC


Story 1

From HIPAA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds (and more are folding every week given the economy), what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan?

“Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they’ve gone out of business and left those offices,” says Jacqueline Klosek, a senior counsel in Goodwin Procter’s Business Law Department and a member of its Intellectual Property Group.

“In addition, company computers, often containing personal data, will find their ways to the auction block,” she adds. “All too often, the discarded documents and computer files will contain sensitive data, such as credit card numbers, social security numbers and driver’s license numbers. This is just the kind of data that can be used to commit identity theft.”

Ok, so to start off let me say this.. HIPAA and SOX are NOT regulations with real teeth to them. I know the regs and both are paper tigers. In the case of SOX, there is only one page that really barely touches on real “network” security and as such, it is useless where the infosec rubber meets the legislative road.

That said, let’s look at the article’s thrust on “your” data being left on the front steps or in the dumpster. Umm, there’s nothing new here kids. In fact, this has been the mainstay of many a hacker from time immemorial. Dumpster diving, buying old hard drives etc., have always been used to harvest data from companies that are too stupid to really care for their client data. All too often drives were found with data on them even before the big bust of our economy. The real difference now is that companies are doing this perhaps en masse because they are failing. Overall though, this is nothing new. So, Network World is a little chicken shit on this one…

The rest of this article can be found HERE

The second article is a bit more scary for me…

Story 2

The U.S. government’s H-1B visa usage data for fiscal 2008 shows that offshore outsourcing firms based in India are employing a growing number of H-1B workers — a hiring trend that is affecting the IT workforces in communities such as Oldsmar, Fla.

Oldsmar is the home of a technology center operated by The Nielsen Co., which measures TV audiences, consumer trends and other metrics for its clients. Nielsen last year began laying off workers at the facility after announcing in October 2007 a 10-year global outsourcing agreement valued at US$1.2 billion with Tata Consultancy Services Ltd.

And while Nielsen cut employees, Mumbai, India-based Tata was increasing its hiring of H-1B workers. Tata received approval for a total of 1,539 H-1B visas during the federal fiscal year that ended last September, according to government data released this week. That was nearly double the 797 visas that the outsourcing and IT services vendor received in fiscal 2007.

In Oldsmar, “they are still bringing in Indians,” said Janice Miller, a city councilwoman who lives about a mile from the Nielsen facility. “And there are a lot of [local] people out of work.”

Yeah, so as they decrease and lay off people in this country they are still raising the H1B visa numbers? What? You would think that after all the problems lately too with foreign industrial espionage this might be thought about twice before plodding ahead. One has to wonder about this especially too after the whole Fannie Mae Logic Bomb fiasco too huh?

Look, I am not being protectionist here, but, it kind of is endemic what’s going on.. Shouldn’t we re-think this a bit? Just how are we vetting these people anyway? A porous border with Pakistan, all kinds of tribal ties…. Meh.. As this economy goes up in flames I am sure I will see more shitty silliness…

Written by Krypt3ia

2009/02/26 at 02:22

Well, glad I bought the Bersa Thunder instead…


Smith & Wesson has identified a condition that may exist in certain PPK and PPK/S pistols which may permit a round to be discharged without the trigger being pulled. When the manual safety is disengaged, Smith & Wesson’s Product Engineering Group has determined that the possibility exists in certain firearms that lowering the hammer may cause a chambered round to fire.

The Notice

Well, the Bersa Thunder (see pic below) was less money and had a great rating out on the interwebs so I bought it. I must say, it has been a great carry gun in either shoulder holster or on the hip. Shoots exceedingly well, and to date, has had only a couple misfires (duds) from bad reloads. How the hell could they have missed something this big for so long?

Oh well… Maybe someday I will get the PPK (James Bond fan here) but for now, this will remain the primary carry…

Written by Krypt3ia

2009/02/26 at 01:30

Our Chinese Overlords, Or how China is pwning the US


Recently there have been a spate of malware infections and outright attacks on the US infrastructure that have been attributed to the Chinese. According to the site “DarkVisitor” much of this attribution is actually the case. I would also hasten to add that I am pretty damn sure that this is the truth of the matter too. The Chinese stated back in the 90’s that they were going to develop cyberspace capabilities and that they would dominate… And here we are today.

Today, the US is in grave danger of having our collective asses handed to us on a platter by the Chinese, as well as the Eastern Europeans (i.e. Russia and all her former satellite countries) where cyber attacks are concerned. The attacks differ in types and subtleties, but, by sheer volume and noise, it’s the Chinese who win out. In short, they are the most prolific but not the most sneaky or effective as a whole.

China as a state entity has applied the most persistent and large scale attacks against the US not only in a “cyberwar” fashion but also using standard “Espionage” tactics to gain access to assets both of the human as well as computer nature. Spying has become the locus of the Chinese attacks because ultimately, they have realised that the real power to use against the US is not raw firepower, but instead the soft power of economics.

China has long been looking to re-create the old days of what was once Japan’s economic power. A strength to dominate the world with wealth and economic juice that translates also into the capabilities to wage “soft war” on all who seek to oppose them. With the advent of the computer and then the internet (the network revolution en toto) they realized that it was possible to usurp the powerful (US) with the very technology that we had created and in fact had been lax at securing. For that matter, even as I write this, we still have a poor grasp on the security needs of our collective computer systems as a nation.

So, back in the 90’s China set out to hone its skills in cyber war, all the while it also applied its “Thousand Grains Of Sand” approach to it as well as their industrial espionage capabilities. The “Thousand Grains Of Sand” approach is simply this; blanket the adversary with attacks and wait. Some will fail, but some will succeed. Those small successes will, taken as a whole, give a picture of what is going on. So, one asset gets a small piece of the puzzle while another asset may fill in the gap and show you the whole picture. In short, they are patient while being frenetic in the amount of concurrent attacks… Signal to noise.

Fast forward to today and the mess we are in globally economically. Can you imagine the needs that China is feeling after 70K plants closing? Their economy is drying up too as ours falters and we buy less and less of their melamine laden crap. So, I am sure that we will see more attrition in the economic and espionage war between our country and theirs. It’s time that the US pay the attention needed to this, and not just the military.

For more check out The DarkVisitor; it’s a wealth of fun facts.

Written by Krypt3ia

2009/02/25 at 01:48

An Evening With Kevin Smith: NJ 2009


A while back we got some tickets to the NJ show of “An Evening With Kevin Smith” and the time finally came yesterday night. We began the day by driving down to NJ from CT and made a leisurely line to “Jay and Silent Bob’s Secret Stash” where I found a nice signed copy of “Green Arrow: Quiver” for a very nice price. Evidently Kevin had been at the store just before we arrived dammit and signed a bunch of stuff.

After seeing the wonders at the “Secret Stash” we then headed off to Baumgart’s, a Chinese, Japanese, and 50’s Ice Cream parlor. I had the sushi but certainly could not have any ice cream because I was just too full. Quite the experience though. As luck would have it too, we could just walk to the theatre where we were seated in tiny tiny seats.

The night progressed with Kevin starting the show at 8pm by telling an uproarious story of how he broke a toilet at the second “Stash” locale in LA that closed. I haven’t laughed so much in quite a while and the show went on from there to be very informative as to Kevin’s mind and ramblings, but also how Hollywood works as well as the travails of Jason Mewes’ drug addiction and getting clean.

However, by midnight even I could take no more of the seats and the heat in the theatre. Kevin though was STILL going strong and the line to ask questions did not seem to have diminished. Reluctantly we had to go and head home on the 2+ hour drive.

Hey Kevin… If you do the show in Hartford again lemme know… I will stay this time til you walk off stage if I don’t have to drive a couple hours to get home.

Written by Krypt3ia

2009/02/23 at 01:49

Posted in Hollywood, Movies

“Bills S.436 and H.R. 1076, Their to protect the children!” No, it’s not and we know it fucktard


Two bills have been introduced so far–S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act.

Each contains the same language:

“A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on–but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.) “Everyone has to keep such information,” says Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in this area of electronic privacy law.

The full story here

How many times must they try to pass this type of bill and language in it before they realize that it just won’t work? When also, will they really admit the truth about this as being not a method to prevent or prosecute “child porn” surfers, but to clamp down on EVERYONE’s privacy? This is just bogus and again shows just how little the Senate and House understands the technology and the processes around it.

First, let’s talk about the fallacy of “protecting the children.” This bill will not affect the saving of children from predators online whatsoever. Why?

1) Logging is reactive and not proactive.. You are just taking notes. Unless the system warns you that a child crime is being committed, then it’s too late and it’s already happened. Looking at a log only “may” help you in finding them, that is IF the user is not using a spoofed address or on a TOR router etc.

2) Logging must be audited.. Anyone in the senate going to sit and audit all those logs?… Didn’t think so.

3) The logging is only as good as the security of the AP or the internet provider. If the security processes and implementations are the suck, then the data from any logging is suspect. A log can be turned off, futzed with, or outright deleted by an attacker. This is not a foolproof solution.

4) The VAST majority of child porn cases that I have seen do not rely on router logs from home AP’s to track their targets. As well, if there is a DHCP pool that they are tracking, they get a warrant and the providers work with them to trap and trace the IP address. THAT is how they track these pervs and lock it down to a physical address.

5) I have only heard of ONE case where a perv had driven along in his car and performed “War Driving” to get on unencrypted AP’s to surf his child porn needs.

6) The WIFI encryption protocols are all subject to attack and compromise. To force all home users to save 2 years of log files is just ridiculous. WIFI is ephemeral and not the main point of ingress for the “child predator.” You can today, knock off a mac address on an AP and assume that IP (mac spoof) and unless you find that physical wireless card, you have no fucking idea who the perp was and I doubt that we will have teams of feds out there DF’ing perps as they surf my WIFI sig.

7) Recently there have been a spate of AP vulnerabilities, unless you make the routers completely secure, any logs are suspect and not admissible in court. It’s a fallacy to think that this is a real fix to the issue of child porn or predatory behavior.
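Points 3 and 6 above, that a retention log is only as trustworthy as its integrity and that it binds an address to a MAC rather than to a person, as an added example that is not from the post: a parser for dnsmasq-style DHCP lease lines, an HMAC chain over the retained records so an audit can detect a deleted or edited entry, and a check for MACs seen under more than one hostname. The log lines, hostnames and audit key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample of dnsmasq-style DHCPACK lines (not real log data).
# The same MAC appears twice under different hostnames.
SAMPLE_LEASE_LOG = """\
Feb 21 13:01:07 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.23 00:11:22:33:44:55 laptop
Feb 21 13:05:41 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.24 66:77:88:99:aa:bb phone
Feb 21 13:09:12 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.25 00:11:22:33:44:55 unknown
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\(\S+\) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$"
)

def parse_leases(text):
    """Return the (timestamp, ip, mac, hostname) records a retention log would keep."""
    records = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            records.append((m["ts"], m["ip"], m["mac"], m["host"] or ""))
    return records

def chain_records(records, key):
    """Attach an HMAC to each record that also covers the previous record's HMAC,
    so deleting or altering one entry breaks every link after it."""
    prev = b"\x00" * 32
    chained = []
    for rec in records:
        tag = hmac.new(key, prev + "|".join(rec).encode(), hashlib.sha256).digest()
        chained.append((rec, tag.hex()))
        prev = tag
    return chained

def verify_chain(chained, key):
    """Return the index of the first entry whose link does not verify, or -1 if intact."""
    prev = b"\x00" * 32
    for i, (rec, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + "|".join(rec).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1

def macs_with_multiple_hosts(records):
    """MACs seen under more than one hostname: the log ties an address to a hardware
    identifier a client can set to any value, not to a person."""
    seen = {}
    for _, _, mac, host in records:
        seen.setdefault(mac, set()).add(host)
    return {mac for mac, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    key = b"constructed-audit-key"  # placeholder; a real deployment keeps this off the router
    recs = parse_leases(SAMPLE_LEASE_LOG)
    chained = chain_records(recs, key)
    print("intact:", verify_chain(chained, key) == -1)
    print("middle entry deleted, first bad index:", verify_chain([chained[0], chained[2]], key))
    print("MACs under several hostnames:", macs_with_multiple_hosts(recs))
```

The chain only detects tampering after the fact, which is the reactive limit point 1 describes; it does nothing to make the MAC in the record identify a person.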

So, you also gonna try and enforce this on TOR routers? Seems to me a way to try and knock down the security and privacy of this type of system eh? Someone else perhaps involved in this bill? Putting the bug in their ears? Ya know, a three letter agency perhaps? This law would pretty much put the TOR routers in the US into an “illegal” space right? I mean after all the TOR routers deliberately don’t capture logs… Interesting no? You start making the world log their traffic, those pesky TOR routers will break that whole theory huh?

This is total NANNY STATE mentality to attack a problem that they really should try to attack in a smarter fashion rather than use the usual lazy driftnet approach. Just how do they intend on enforcing this too? Roving bands of newly minted federal employees with NETSTUMBLER? Or perhaps something more 1984? Say a system that ties into the internet providers that seeks out the end point routers and checks their security and logging? Perhaps a nice back door into the routers?

No, just fucking no.

I am so sick and tired of the gubment trying to get a lock on the technology problems without actually consulting the security folks out in the world. I am also tired of them thinking that they can just create bills that will “protect” us and it’ll all be good through legislation. It’s not and it never will be. You can’t protect us you shitheads, at least not without destroying our personal privacy altogether. So just stop now. You are wasting my money and your time.

Oh, and by the way, you can also give up any thoughts of taxing downloads or emails like you also have been talking about. Take the crack pipe out of your mouths and start really working on the problems that you can. Not this bullshit, you collectively aren’t qualified.

Written by Krypt3ia

2009/02/21 at 13:20