Krypt3ia

Cyber-Scare

The exaggerated fears over digital warfare

In part, then, the solution to cyber-insecurity is simple: if you have a lot of classified information on a computer and do not want to become part of another GhostNet-like operation, do not connect it to the Internet. This is by far the safest way to preserve the integrity of your data. Of course, it may be impossible to keep your computer disconnected from all networks. And by connecting to virtually any network—no matter how secure—you relinquish sole control over your computer. In most cases, however, this is a tolerable risk: on average, you are better off connected, and you can guard certain portions of a network, while leaving others exposed. This is Network Security 101, and high-value networks are built by very smart IT experts. Moreover, most really sensitive networks are designed in ways that prevent third-party visitors—even if they manage somehow to penetrate the system—from doing much damage. For example, hackers who invade the email system of a nuclear reactor will not be able to blow up nuclear facilities with a mouse click. Data and security breaches vary in degree, but such subtlety is usually lost on decision-makers and journalists alike.

Full article here:

Cyber War!

The full article above kind of misses the point I think that many of us in the infosec world have been trying to get across to the masses. However, the writer does have some salient points that are bang on that I agree with. Overall though, I think that this guy missed the boat on the cyber security – cyber war issue. It’s not just hype, sure there is some out there, but, think about it in OPSEC terms (OPERATIONAL SECURITY) as well as in the way the Chinese think of warfare shall we?

Sure, a foreign nation state can employ DD0S techniques to knock down operations in a country like Georgia. It’s a nuisance and yes, in the case of some places, could be quite debilitating. However, in our infrastructure here in the states it would not “take us down” It would not be a “Fire Sale” as they likened it to the last Die Hard movie. So, we may have portions of the infrastructure down, but I doubt it would be something that we could not manage.

Taking that scenario off the table, then what do we have? Well, for one, yes, the power grid could be vulnerable and already is so. So, yes, the enemy could potentially take down parts of our power grid with a cyber attack. This could be bad. Just last month there was a threat made to a nuclear facility by an ex employee who STILL HAD ACCESS after he was fired because they were lax in security protocols! He could have reasonably done some damage to a reactor’s systems with the right know how and access. You want to see panic? Then you D0S a nuclear reactors control systems (and yes, I know they are supposed to be redundant) but, it is still a possibility. After all, wasn’t it some “errant tree limbs” that allegedly brought down the northeast years ago? Yeah…

Now picture a concerted and paced effort to creep into systems and leave behind back doors to get in when the enemy wants to. Such implants being put in by agent provocateurs of say China or even some Jihadist group? Scoff all you like, but this is the basis of war. War is waged in many ways and many of them are now “soft” war as the Chinese say. So, a patient enemy could lay the foundations in systems and people to actually effect the types of “cyber war” that the popular press alludes to.

Is it likely to see something on the scale of “Die Hard”? Not so much.. But, perception is key here.

One has to look at the tactical advantages too. No one need create a massive attack to render the odds in favor of anyone, it can be a very small thing that can change the paradigm of winning or losing a battle. All you may need is for the lights to go out at a small targeted area to insert yourselves into a building that a bigger prize resides in no? So, this is not just an all out one way street of warfare here kids. It’s a tactical method to possible greater ends. Just imagine the press and the utter hysteria should something along the lines of the nuclear facility scenario actually play out and get in the press.

People would freak. There and then the enemy has won. The sheeple will be in the streets clamoring to be protected! Money will be spent, fear will reek in the air, and we as a country will live in fear and spinning our wheels. Mission accomplished.

So the biggest problem I have with this article is the guys perception of what the cyber war will be or should be. It’s not all about an all out lights out to the country and the erasure of all financial records… That my friend is passable cinema alone.

OPSEC & The Thousand Grains Of Sand

What really should be considered here are the precepts of OPSEC and soft war that can lead to actual financial loss, damage to infrastructure, and potentially the deaths of people. Without OPSEC, the enemy has an easier time of gathering the intelligence that they desire for a certain outcome. Such outcomes can be in the form of many types of “warfare” China does not necessarily need or want to fire a rocket at us when they can just slowly erode our economy.

Of course, if such principles of warfare actually give you the intelligence data to effectively defeat our “advanced” weapons technology and shoot down another EP3 or a JSF someday, then they have won right? Even if they were detected, like in the case of the recent JSF data stolen from Lockheed Martin, would we have to re-tool the avionics and the weapons systems because China had been copying the data for two years? One would hope so! But, I cannot guarantee that they have. Think though just how much more money and time would have to be spent on re-designing the systems to disallow such attacks. There we go spinning our wheels again while the Chinese sit back and smirk.

And why did they have this access to the data for over 2 years? Because the rules of OPSEC were not being followed. The systems that contained the data were not protected and audited well enough to assure that the data was safe. The APT had easily gained access to not only the data but also to the FAA systems in the US. Such systems were recently found to have over three THOUSAND vulnerabilities in their programs online that lead to direct and overarching compromise within the FAA networks behind. The net effect, the Chinese were watching all of our air traffic surrounding the JSF and its telemetry as well as everything else… And because we were not vigilent, and not following the precepts of OPSEC we failed to detect and deter them.

Now figure into this puzzle just how many private companies out there are making important parts to military systems and how poorly they may be protecting those assets.

Feel that? That pucker down below? Yeah, that’s the feeling you should have right about now. We are so behind the ball on this that even if Obama can effect change at the level of laws and regulations, we are YEARS from actually being able to implement effective technical, never mind LOGICAL security measures for our collective data.

The Chinese and others are really counting on our laxity.. And we are not at all disappointing them. Their plan is to slowly, methodically, nibble at our data and networks until they have the access that they desire… A thousand grains of sand approach.

ELINT & Low Hanging Fruit

So, the cyber war goes on. It’s a slow and quiet war with only sporadic noisy bursts when someone finds that their systems have been compromised and their data stolen. Of course this is when the news gets a hold of that fact and it ends up on the nightly news. Meanwhile fearful C level executives who have no concept of OPSEC, never mind Technology, rock back and forth in a cornder with their thumbs in their collective mouths fearing for their reputations and jobs.

Why is this? Well, because either they were just not cognizant of how things work with computers and technology, or, they were too fat and lazy to actually do something about the problems that no doubt had been pointed out to them by their technical staff’s. Of course in today’s environment, the board of directors and stock holders hold the sway.

“Greed, for lack of a better term.. Is Good”

So damn, it would be way too much money out of our pocket to secure the data!

Hell, why do we need to teach security to the employees! God dammit! We don’t need all that rigamarole! Just make sure we have all that high availability man! I don’t give a shit about security! I need a bigger boat! and your stinkin firewall upgrade is eating into my boat payment!

I have found through the years that its almost always come down to these concerns and not so much about the actual protection of the data (if they have even the concept that the data should be classified and treated accordingly) It’s all about the money.. Not the data… Which, oh gee, IS WHAT MAKES THE GOD DAMNED MONEY!

But I digress…

So, what do we have here? We have much of the data that the APT would like to get readily available through low hanging fruit attacks because the companies that create and hold them, don’t know or want to know how to protect them. Thus, the Chinese don’t have to work hard at ELINT to get what they want. Often its as simple as getting someone to get a job at company A. Once in, they have loose rules and the agent is able to just walk out the door with gigs of data on a USB stick.

What is often found at companies that have been audited by me, is that they have what we call “candy security” Hard on the outside (firewalls etc) but “Chewy” on the inside with lax controls and a completely open environment. So, once the APT is on the inside and has a tunnel out, they have a field day. Why is this so? Because generally, this country is not too progressive about “security” and people are mostly lazy.

“I have too many characters in my password!”

You get the drill…

Cyber WAR: Reality

I would say that the cyber war is already on. It has been being waged by the likes of China and Russia for some time now. No, its not the “Fire Sale”, though, in a way it is. All our data that they can get at is on “fire sale” because we are allowing them to take it so easily. It’s our own failures at securing our own networks and data that will lead to us losing the”cyber war”

From now on, when you see this all brought up in the media, think on this article. Think about how the war is already on and there is no Bruce Willis to save us from ourselves. No uber hax0r Mac guy who will stop the hack by encrypting the data with a super algorhythm! Nope, it will just be the securiy wonks who plead with management to do the right thing as opposed to being fat, stupid, and happy. They often getting told no.

Its then, as the war fighters systems are taken out because the APT have had the diagrams for a year, and have come up with a work around to disable them, that you should think back to all this talk of “cyber war” And then ponder how we just did it to ourselves.