Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for August 2009

Chinese Espionage: Britain’s MI5 reports epidemic in spying

In spite of repeated warnings to businesses, companies in the UK continue to hire Chinese workers without conducting background investigations or verifying previous employment.

Chinese government officials and businessmen are proven aggressive in their attempts to find out everything about how Western companies operate and how they are structured.


It is old-fashioned human intelligence gathering — it’s thousands of years old and it works.
Taking a page out of Sun Tzu’s “The Art of War,” they believe intelligence operations will give them the victory they seek, whether in terms of military prowess or industrial success.

Using stealth tactics such as sending visiting delegations of Chinese businessmen, the spies are able to penetrate what little security companies employ to thwart theft of information.

One British firm eager to develop its business with China recently invited a delegation to visit its UK factory, according to The Guardian. The Chinese authorities sent a delegation, but only a few of them turned up. The rest were believed to have traveled around Britain inviting themselves to defense and research establishments. Again, they were able to penetrate the security measures in place at these facilities.

According to one news story in the UK, if a British company creates a fuss about visitors who fail to turn up, the Chinese threaten to cancel the company’s license to trade.

I’ve said it before on numerous occasions and I will say it again now. “We are under siege” and many of the companies in this country (and evidently the UK) are CLUELESS to this.

The Chinese are very good and very patient. They have taken Sun Tzu to heart and have been besting us every day because we are comparative simpletons in the public sector where this type of industrial espionage is concerned… Nay, let’s go further and actually carry that over to the military and Federal sector too I think.

Tag this to the cyber operations that China has developed and our lacking security practices, and you have quite the opportunity for taking much of our intellectual capital. I think that the counterintelligence director needs to get more sunlight in the public sphere to get companies aware.

Read the full article HERE

Written by Krypt3ia

2009/08/28 at 15:21

Mike Baker: “Terrorists and Snowflakes”

Interior Cave, Breakfast Nook, Daytime

Bin Laden at the table, somewhat disheveled, occasional spoonfuls of Lucky Charms as he absentmindedly scans the North Waziristan Daily Register.

Bin Laden
(Looking up)
Ayman…dude…check this out.

Zawahiri shuffles in from next door, hair all akimbo, wearing a mud mask and halfway through eating a Hot Pocket…

Zawahiri
What’s up, Sheikster?

Bin Laden
Front page… ‘CIA Chief’s Waterboarding Admission Prompts Senate Democrats’ Demand for New Probe’… is that crazy or what?

Ayman leans over to read the headline, dribbling some Hot Pocket on Bin Laden’s shoulder.

Zawahiri
Sorry, dude.
(Mumbles as he reads to himself)
Sen. Dick Durbin (D-Ill.) called on the Justice Department to open a criminal inquiry into whether past use of waterboarding violated any law… yatta yatta yatta….Human Rights Watch called the CIA director’s testimony an explicit admission of criminal activity… blah blah blah… a Justice Department investigation should explore whether waterboarding was authorized and whether those who authorized it violated the law, said Durbin in a letter to the attorney general…

Zawahiri (Cont’d)
Huh…crazy…but I like that Durbin guy.

Bin Laden
(Scanning the story further)
Look here… they waterboarded Khalid Sheikh Mohammed… I would’ve liked to do that one myself. What a tool, giving up all that information… he should be shot.

Zawahiri
Boy, you gotta love America.

Bin Laden turns in his seat as he spits out his cereal, glaring at Ayman.

Zawahiri
I’m speaking sarcastically, of course… seriously. Who hates America more than I do? Really, don’t take everything so literally.

Bin Laden
Six years in a cave, I’m supposed to have a sense of humor?

Zawahiri
Relax. You wanna play some ‘Guitar Hero’? I’ll fire up the PS2.

End Scene.

//BEGIN

A little vignette from Mike Baker, former CIA station chief Vienna 2/2008 on Fox News.. The rest can be found HERE

*note: I am loath to quote from Fox, but.. Well they had the article**

With all the revelations surrounding the torture thing, I was interested to locate the above article and snippet from an ancillary search. Mike Baker I know from a BBC show called “SPY” and it turns out he really was a CIA spook of some repute.

Anyway, I see his point and I see the other side of the issue too. Where the law is concerned, it may indeed be considered torture and illegal by some, but really, are these tactics really torture? Of course, I am sure people overstepped their bounds, but, if you go by the “guidelines” strictly, is it indeed torture?

Torture for me has always been something along the lines of the Dentist scene in Marathon Man, or perhaps that lovely scene in Lebanon where George Clooney’s Bob Baer has his finger nails pulled out by a rather angry former asset. That was painful to watch…And I would hazard “is” torture.

Aside from this though, I know for a fact that painful coercion does not work as well as rapport building. Case in point “Abu Zubaydah” who gave up KSM to the FBI after they had built rapport with him over a long convalescence post his capture in Pakistan. Maybe it’s more succinct to quote from “Ronin”

[discussing interrogation techniques]
Larry: How did they finally get to you?
Sam: They gave me a grasshopper.
Larry: What’s a grasshopper?
Sam: Lessee, two parts gin, one part brandy, one part Creme de Menthe…

Certainly the carrot works better than the stick with people and I have a firm belief in this. However, if that person who is in my custody is disoriented, tired, cold, and has been in stress positions for hours, they may be a little more amenable to me once I give them that “Grasshopper” eh? It’s simple good cop bad cop with some physical stress.

Can it get out of hand? …Yes.

Were the guidelines a little fuzzy? Perhaps on purpose in places?… Yes

Were the interrogators inexperienced and perhaps overzealous? … Yes.

I think in the end, that Dick Cheney, John Yoo, and all the lackeys that listened to herr Goebbels.. uhh Cheney… Were the root of the problem and not so much those in the field. You see, they condoned the behavior if not incited it with their machinations. So, should big O go after the interrogators? No. Should he go after Yoo and the others who “allowed and pulled the strings” all this?

Yes.

Mike is right, these guys we are fighting are different in many ways.. But.. There is no need to become as bad or worse than them to fight them. In the end, Cheney has nothing to say and the reports that have come out do not definitively at all lend any credence to his assertions that these techniques stopped any major attacks.

Cob

//END

Written by Krypt3ia

2009/08/28 at 01:04

The Cult Of Chris McCandless: Don’t Drink The Kool Aid Kids

Back in 2006-7 I posted an article and commentary on “The Cult Of Chris McCandless”, an article in Men’s Journal. It was an article in advance of the premiere of “Into The Wild” by Sean Penn and the re-release of “Into The Wild” the book by Jon Krakauer. Recently, this WordPress blog has seen a lot more traffic on that particular post and it got me wondering as to why now? I mean, it’s been 2 years since the film came out so what’s the deal?

Once beginning to look at my traffic here, and Googling a bit, I came across an interesting site: TerraIncognita Films which is the frontpiece for Ron Lamothe and his movie “The Call Of The Wild”, a documentary that retraces the steps of Chris McCandless and offers up some revelations of insight into his death, his life, and the mindset he had when he walked into the Alaskan wild and the Stampede Trail.

The biggest of these revelations is that some of the alleged “facts” that Jon Krakauer had put into his book were in fact wrong and perhaps, post his book’s publishing, were obfuscated as to their existence in the text.

Here are the salient facts that this new film (a 2007 film that will be on PBS in 2009) has brought to light:

1) Chris McCandless did indeed have all his ID, $300.00 in cash, and a map in a backpack that was found by a local resident Will Forsberg in the fall of 1992. These items were returned to the family by the police shortly thereafter. So when Krakauer says he had no money, no map, and no ID because he wanted to be “free” of them to live, he was either mistaken or letting the mystique grow around the “ideal” that he had perpetuated in his book about Chris.

2) The pathologist who performed the autopsy of Chris stated emphatically that there was no chemical evidence from tox-screens that Chris was in any way brought down by Alkaloid poisoning. He in fact stated for the record that he believed McCandless had simply “Starved to death”, no other cause was the harbinger of this other than his lack of food.

3) The note that Chris had left at the bus when he was foraging for food that asked for help stated that he was injured, but no real injury was reported in the pathology report. Nor was this fact covered thoroughly in the book nor the biopic in 2007. Lamothe postulates that perhaps the reasons why Chris could not make it out even to the park road that was only 5 miles away (and not have to cross the Teklanika river) was because he had injured his arm and shoulder. Lamothe goes on to say that perhaps even this injury may have been healing or near healed but painful and thus not something that would have been seen by the pathologist at the time of autopsy.

4) The starvation that was the eventual cause of death was in fact a natural process and nothing to do with fungus growths on food nor the wrong plant being ingested. What Lamothe brings to the table is a BMI (Body Mass Index) assessment of McCandless while he was at the bus. The BMI shows that with his hunter gatherer lifestyle and the amounts of food and types, that he cataloged in his diary, that he consistently lost weight until he reached a BMI of 13. At such a point, a BMI of 13 will be the final point at which an adult male will expire from starvation… Coincidentally, when tracked with the diary, his death and the BMI of 13 coincide. He simply could not get enough nourishment to sustain himself.

So there you have it… Much of the premise of the book by Krakauer has been shown to be incorrect. Motivations, actions, altruism, and final outcome are not what they have been put out as by this book. Just how did all this information not make it out to the public as the movie was released back in 07 I wonder? Was it perhaps that all of this information would dampen the sales of the book and the film? Perhaps lessen the ardor of those “Alexander Supertramp” wannabe’s out there?

Which brings me back to the reason that I wrote the post in the first place. I had been seeing all kinds of articles and postings by people who were in the “Cult Of McCandless”. They spoke of how he lived a life that they wished to emulate, that they saw him as a hero, ballads were being written and sung! And I, I was agitated by it all because I saw McCandless’ death as a silly end to a bright individual’s life all because he was too stubborn and foolish to really do the homework and survive.

Of course, this point of view is rather unliked by the “Kool Aid” set and I got some hate mail as well as posts like a recent one saying “You just don’t get it” Well, enlighten me moonflower please? I mean, this all has become a transcendent experience to you all.. Please explain to me how it was so fantastic that McCandless ran away from home to wander and end up starving to death alone in a bus about 5 miles from possible rescue? If he had “really” gone “Into The Wild” he would have really gone out somewhere that required a 6 hour helo flight to get there or back would he not? He didn’t, he lived alone on a dirt road in a bus… That’s it.

It was foolish and not something that you make a central part of your life to emulate kids.

So let me channel Red Forman a moment and say “Don’t be a dumbass! Dumbass” All of this adulation has literally made the Alaskans consider destroying the bus or dragging it out of the Stampede to stop you fools from going up there and trying to re-live the McCandless tragedy. Something you can hear in an Alaska Radio show that I downloaded and listened to today. In general, Alaskans have a very poor opinion of this whole story and now, all of its attendant use by the powers that be, to make money off of the tale. Hell, they even found certain travel agents trying to sell “McCandless Magic Bus” tours! Ironically, if McCandless actually had half the ideals that Krakauer put into the book, he would be sickened himself by it all.

So, in the end, all you who find yourselves linked to this new article by google, think upon what I have said. Perhaps catch the documentary by Lamothe, and think twice before you too set out with a 10lb bag of rice to “live off the land” and you too end up starving to death, which, is a rather slow and painful process.. Dumbass.

CoB

Written by Krypt3ia

2009/08/18 at 02:15

EMP/HERF/HEMP: What.. Me Worry?

Recently I have been hearing more and more in the news how the senate and house have been having hearings on EMP threats to this nation. As I began to hear more of this, I inevitably came to the question of “Why now?” I mean, this has always been a threat as far as I am concerned. Of course now it’s even more pressing an issue as we are so “interconnected” today with the internet and communications infrastructure in general… But, just what was it that was making them get all hot for this now I wondered. Had they heard something from some intelligence body and were all freaked out?

I had thought on this a while and really had kinda just forgotten about it until this last Friday when I was headed home from work and listening to NPR’s Science Friday show. As if on cue, I turned on the radio and there was Congressman Roscoe Bartlett railing on the dangers that we face should a terrorist or a nation state decide to use an EMP/HEMP device on the US’ infrastructure.

I sat in the car at the end of my trip still listening to the end of his interview, when it was over I knew I had to really take a deeper look into why these people had suddenly had a fire lit under their collective do nothing asses. Come to find out that perhaps that fire was lit 9.12.01 and has been steadily becoming a blaze as the eggheads began to show the congress-critters just how fucked we would be if someone used an HEMP on us.. Only now, something had changed in their collectively lazy minds.. We had been attacked on our own soil and SHIT WE’RE FREAKED OUT!

So, today I sat down and Googled the dhs.gov, .gov, .mil, and other domain spaces with key words of EMP/HEMP/HERF etc. What I found is a plethora of documents that began to spring up around 2003/2004 concerning the threatcon of a terrorist or nation state EMP attack… Funny thing too.. Gee, 2003, that was the year of the great blackout of the northeast.

Ya know.. the one that “trees” allegedly caused? Yeah…

The primary document that I came up with that was the most recent is: The Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack which, in 208 pages covers all of the problems this nation (and I assume other places) has regarding our infrastructure where an attack of this type is concerned. Suffice to say, that this document has some rather dire things to say. Including the following passage on the magnitude of weapon that could cause a major failure of our infrastructure;

The magnitude of an EMP event varies with the type, design and yield of the weapon, as well as its placement. The Commission has concluded that even a relatively modest-to-small yield weapon of particular characteristics, using design and fabrication information already disseminated through licit and illicit means, can produce a potentially devastating E1 field strength over very large geographical regions. This followed by E2 impacts, and in some cases serious E3 impacts operating on electrical components left relatively unprotected by E1, can be extremely damaging. (E3 requires a greater yield to produce major effects.) Indeed, the Commission determined that such weapon devices not only could be readily built and delivered, but also the specifics of these devices have been illicitly trafficked for the past quarter-century. The field strengths of such weapons may be much higher than those used by the Commission for testing threshold failure levels of electrical system components and subsystems.

In layman’s terms, even a small device placed in the right place or even an HEMP (High Altitude) of moderate size, would likely bring this nation’s infrastructure to a grinding halt and it would stay down for some time. You see, our infrastructure is very much dependent on itself to feed itself. If the power goes out, then there is no power after the reserves run out to keep the other systems running. In fact, even the power generation, and its getting to you requires the very power that is generated to get it TO you and regulate it so that things don’t implode in on themselves! In essence, the grid goes down, then everything goes too soon afterward. No cell phones, no emergency services because you can’t call them because the phones and cell phones don’t work.. because there’s no power… You see where I am going. The system, and by system, I mean the utilities infrastructure, is not only antiquated in many ways and stretched, but also, that which is not antiquated, is EXCEEDINGLY susceptible to this and other E1-E3 attacks. How do we know? Because the commission actually set up tests as best they could, and they could crash systems with low end EMP devices, that’s how.

Yet, the commission also admits the following thing in this passage;

Additionally, analyses available from foreign sources suggest that amplitudes and frequency
content of EMP fields from bomb blasts calculated by U.S. analysts may be too
low. While this matter is a highly technical issue that awaits further investigation by U.S.
scientific experts, it raises the specter of increased uncertainty about the adequacy of
current U.S. EMP mitigation approaches.

Even our testing and our data is suspect and we may even be in a worse state of affairs than we think from bad data!

Yay!

So let’s break it down shall we? What’s vulnerable and just how much?

The Power Grid:

Fear not only the terrorist though my friends.. Did you know that nature too has actually D0S’d our power grid in the past? Yep, it’s true.. From lightning to the more fearsome EMP bursts from the sun. We live in a world where our very society hinges on the power being available to keep our lights on, our food cold, and our MTV on the tube and it could all be taken out by an EMP burst from the sun. Now that’s one hell of an EMP.


A key issue for the Commission in assessing the impact of such a disruption to the
Nation’s electrical system was not only the unprecedented widespread nature of the outage
(e.g., the cascading effects from even one or two relatively small weapons exploded
in optimum location in space at present would almost certainly shut down an entire interconnected
electrical power system, perhaps affecting as much as 70 percent or possibly
more of the United States, all in an instant) but more significantly widespread damage
may well adversely impact the time to recover and thus have a potentially catastrophic
impact.

High-value assets (assets that are critical to the production and delivery of large volumes
of electrical power and those critical for service to key loads) in the system are vulnerable
to EMP through the loss of protection equipment due to E1 and even if E3 levels
were not large enough to cause damage. The largest and most critical of these are
transformers. Transformers are the critical link (1) between generation and transmission,
(2) within the transmission network, (3) between the transmission and distribution
systems, and (4) from the distribution to the load.

Wait though, it gets better… Did I mention that much of the equipment, like transformers, actually is not something we can get “COTS” ? Did you know that it would take a year or more in some instances to get a new one? Now imagine that more than one.. More than three… Have been taken out permanently by an E1-E3 event?


The transformers that handle electrical power within the transmission system and its
interfaces with the generation and distribution systems are large, expensive, and to a considerable
extent, custom built. The transmission system is far less standardized than the
power plants are, which themselves are somewhat unique from one to another. All production
for these large transformers used in the United States is currently offshore.

Delivery time for these items under benign circumstances is typically one to two years.
There are about 2,000 such transformers rated at or above 345 kV in the United States
with about 1 percent per year being replaced due to failure or by the addition of new
ones. Worldwide production capacity is less than 100 units per year and serves a world
market, one that is growing at a rapid rate in such countries as China and India. Delivery
of a new large transformer ordered today is nearly 3 years, including both manufacturing
and transportation. An event damaging several of these transformers at once means it
may extend the delivery times to well beyond current time frames as production is taxed.
The resulting impact on timing for restoration can be devastating. Lack of high voltage
equipment manufacturing capacity represents a glaring weakness in our survival and
recovery to the extent these transformers are vulnerable

There you have it. The grid, the very SAME grid that the government now wants to make more “computerized” is insanely vulnerable to this type of attack. Come to find out too, that it’s actually pretty much vulnerable to many other types of attacks or accidents too. It’s just that an EMP would be large scale and or, would have a feedback loop associated with it that would systemically kill great swaths of the grid. Much like what we saw in 2003, August when the *cough* trees, caused the northeast to go down.

Oh, and by the way, think on this too. A cyber attack on these same systems, if carried out properly, could have the same effect. If you kill or futz with the SCADA you can kill the system and have that same feedback loop occur. So, if you are thinking well, whew! I really don’t foresee a nuke detonation at altitude you might want to consider our current security posture too and feel your sphincter tighten a bit. All it would take is a concerted effort and something along the lines of a BOTnet and BOOM, we could have deep power outages that could take protracted times to repair.

So where does that leave us? If the power is out, then nothing can really run unless you have backup power. However, backup power requires that you get more fuel, unless you have a Mr. Fusion handy, then you could just dump your compost into it. Nope, you will need a truck to bring you oil or diesel.. Of course you will need to call them.. But your cell phone is fried, and so are the towers, and the towers that may have escaped the full blast? They are overloaded just like the day of 9/11. You are not getting through.

So let’s break it down by service.

TELCO/COMMS:

  • Cell phones and towers are highly susceptible
  • Landlines are not so much, but the switching stations are more modern and thus will be inoperable

GAS/OIL:

  • Just one word: SCADA. It’s been tested and is highly vulnerable to EMP, even to the point of having problems with radar causing systems to fail
  • Gas and oil production would be at a standstill or worse, the plants could actually catch fire from pressure etc

RAIL:

  • Switching systems on rail have gone to the computer and as we have seen recently, can get hosed up and cause large scale accidents
  • The systems are basically SCADA/DC systems that are vulnerable to this type of attack
  • Most of these systems reside in small metal boxes near the rail.. Open to attack

SHIPS/TRUCKS/PLANES/NAVIGATION SYSTEMS:

  • GPS and other NAV systems on ships/trucks etc today are all micro circuit based and have proven to be vulnerable to attack by E1-E3 events
  • Most cars and trucks now have microchip systems within them that regulate the operation of the car. No chip, no run.. so the car becomes a large paperweight
  • Motorcycles not so much, unless you have a goldwing or something along those lines
  • Air travel will be down. Not only the planes’ systems will be fried but also the towers will be without power and their computer aided radar will be offline

FINANCIAL:

  • The financial system is a bit more resilient to the power loss potential of an attack. However, their computer systems are still not shielded for an EMP event and thus, even redundant systems would be fried.. and without power after the generators ran out of diesel

What does this tell you all? It tells you that even though we have known about this type of attack since, oh, 1962, we have done nothing to really shield any of our systems that we have put in place. No Faraday cages, no shielding on the circuits, nada. It would have been too costly and no one could conceive of such an attack on us!

Right…

I vote more on the saving money thing and being generally lazy, but, I am jaded.

So where do we go from here?

The commission has made recommendations and even put in the monetary figures that would be necessary to take care of the issues. Will they happen? Will they happen especially since we are going to have a “smart grid” now that is going to likely be just as, if not MORE vulnerable to attacks both EMP and cyber?

My answer.. nope.

Why? Because inevitably people will say that the congress-critters are over reacting and that this attack is not likely to happen. If the Qaeda boys get their hands on a nuke, they aren’t going to get this kind of nuke! No! They are going to get a suitcase nuke and blow the fuck out of some poor city like Boston!

What’s that? The Russian navy just had TWO subs that avoided our SOSUS nets off the East Coast last week? Meh, Pooty Poot said not to worry! They were just here to listen to our “rock and roll” before heading down to Cuba for a good time! It’s not like they could carry a small yield ICBM style nuke that would make a damn fine HEMP! C’mon!! Don’t be crazy!

Never mind the idea that the Chinese have their hands on technology for E1-E3 devices that need not be high altitude. Did you know for instance that those BIG ASS transformers that take a YEAR to get are pretty much made only by them? Yeah, uh, the Chinese make our transformers that are the linchpin to our grid.. Ya know, the ones that are really really vulnerable?

Let’s postulate here a bit too.. We’ve been worried about the Chinese market in fake chip sets getting into our military hardware.. Gee, how about them being in our big ass transformers? Hell of an exploit were they to hide chips or features in those transformers..

Click.. ZZZZZ POP! There goes the grid, and there goes our dominance in the world. Sure, you can say the Chinese would be only shooting themselves in the head being our biggest lender and trading partner… But, if you were them and you really didn’t care because you would WIN the war simply, wouldn’t you do the same thing?

So back to where do we go from here… For me I think it’s going to be looking into a faraday cage for the basement.. More power generation tools like solar etc for the house, and stocking up on non perishables. That’s about all one can do really. You see, your government is too big and too ossified to really effectively remedy the situation. While they argue with each other over who’s sleeping with whose wife and what it means to be a “Real American” the enemies are collecting the armaments necessary to take us down.. At least for a while.

All YOU can do is prepare and take care of yourself and yours.

Let’s hope this doesn’t happen.. But if it does.. Be ready.

For more reading go HERE

Listen to Roscoe Bartlett HERE:

Twitter As Command and Control for BotNETS

Hackers Use Twitter to Control Botnet

Hackers are now using Twitter to send coded update messages to computers they’ve previously infected with rogue code, according to a report from net-monitoring firm Arbor Networks.

This looks to be the first reported case of hackers using the popular micro-messaging company to control botnets, which are assemblages of infected PCs that can be directed to spy on their users, send spam, or attack web sites with fake traffic.

The rest here:

Hell of an idea to use the RSS feed from 140 character postings to command and control botnets. I have seen some of these coded posts before and wondered what they were up to. Anyway, now let’s look forward from here.. How about the idea of using the RSS feeds of common and popular blogs and such in the same way? Perhaps embedding code within the sites themselves either in the html or even the text?

How about a little steganography to have that C&C channel…. It would be harder to detect no?

Interesting…
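A defender's view of the coded-post channel described above, as an added example that is not part of the original post or of the Arbor Networks report: it scans an RSS feed for entries whose body is almost entirely an encoded blob rather than prose. The sample feed, the choice of base64 as the encoding, the 80% coverage threshold and every function name are assumptions made for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Runs of 16+ base64-alphabet characters, optionally padded with "=".
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def build_sample_feed() -> str:
    """Constructed RSS timeline (not captured traffic): two ordinary posts,
    two posts that are base64 of readable text, one that is base64 of
    binary data (standing in for an encrypted payload)."""
    posts = [
        ("post-1", "Heading to the conference tomorrow, anyone else going?"),
        ("post-2", _b64(b"http://example.invalid/update1")),
        ("post-3", "New blog entry about transformers and grid resilience"),
        ("post-4", _b64(b"status ok node 1234567890")),
        ("post-5", _b64(bytes(range(200, 224)))),
    ]
    items = "".join(
        f"<item><title>{title}</title><description>{body}</description></item>"
        for title, body in posts
    )
    return f'<rss version="2.0"><channel>{items}</channel></rss>'


def _mostly_printable(raw: bytes, threshold: float = 0.9) -> bool:
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return bool(raw) and printable / len(raw) >= threshold


def classify_text(text: str, min_coverage: float = 0.8):
    """Return a finding dict if the post body is dominated by encoded
    tokens, or None if it reads like ordinary prose."""
    compact_len = len("".join(text.split()))
    if compact_len == 0:
        return None
    tokens = B64_TOKEN.findall(text)
    coverage = sum(len(t) for t in tokens) / compact_len
    if coverage < min_coverage:
        return None  # a stray long word or hash inside prose is not enough

    finding = {"coverage": round(coverage, 2), "verdict": "opaque-blob",
               "decoded": None}
    try:
        raw = b"".join(base64.b64decode(t, validate=True) for t in tokens)
    except (binascii.Error, ValueError):
        return finding  # base64-looking but not decodable: still suspicious
    if not _mostly_printable(raw):
        return finding  # decodes to binary, e.g. compressed or encrypted data

    decoded = raw.decode("ascii", errors="replace")
    finding["decoded"] = decoded
    finding["verdict"] = "encoded-url" if URL.search(decoded) else "encoded-text"
    return finding


def scan_feed(xml_text: str):
    """Classify every <item> in an RSS document; return only the findings.
    For feeds fetched from the network, use a hardened XML parser (for
    example the defusedxml package) instead of the stdlib parser."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        result = classify_text(item.findtext("description", default=""))
        if result is not None:
            result["title"] = item.findtext("title", default="")
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_feed(build_sample_feed()):
        print(f["title"], f["verdict"], f["coverage"], f["decoded"])
```

A steganographic channel of the kind suggested above would not trip this check, because the carrier text would still read as ordinary prose.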

Written by Krypt3ia

2009/08/14 at 12:21

General Chilton: STRATCOM On CYBERWAR

Gen Chilton

//BEGIN

General Kevin P Chilton: Commander of STRATCOM was on NPR the other day and I happened to catch only part of it. I went on down to the “Google” and came up with the audio at the npr.org site of course. Anyway, Chilton is rather frank in this interview about how we are lacking in many respects when it comes to the issue of “Cyberwar” In one particular question he answers the larger issues as they stand today;

BOWMAN: And increasingly so. This is from a speech you made back in February: In a cyberspace domain, here are some obvious things. We are under attack. We are behind. We are reactive. We are not proactive. How do you become proactive here?

Gen. CHILTON: Well, there’s three things that we’re trying to change in the military – under STRATCOM leadership writ large. In all our services and the way we think about cyberspace, we’re trying to change the culture, the conduct and our capabilities.

Culture, of course, is probably one of the more difficult ones. You can’t just fix that with investment, but we’ve grown up with a culture, and I think it’s probably true in our personal lives, that cyberspace and our computers are just a convenience. They make life easier.

What the switch we have to make in the military is the realization that we’re dependent on cyberspace for military operations on air, land and sea and in space, and we cannot effectively conduct our operations in those areas without the cyberspace domain and our military networks.

So they’re not just a convenience, they’re a necessity, and that means when you have a problem there, the commander in charge of forces ought to be, whether he’s in charge of air, land or sea forces, ought to be very worried about his networks and paying attention to their health, are they defended properly, etcetera.

In the conduct area, we need to do a better job of training people to point out that anybody in the military who’s using a computer plugged into a military network is the same as a gate guard standing in front of a base, protecting the gate. And if they don’t do their job correctly, they can allow someone to intrude on those networks and steal information or interrupt operations.

So training is part of the conduct change, and then we have to hold people accountable. We haven’t done a very good job of that, in my view, for people who don’t follow the rules, because we haven’t seen it as being that big a deal. It is a big deal, and we know it will be in the future.

And then in a capability area, that’s investment in the technologies to make sure our military men and women have the same kind of technologies available that you can invest in to defend and protect your home computer, to include automatic connections to your Internet service provider that can push antivirus software to you as soon as it’s made available electronically, so you don’t have to go, as we often do in the military, machine to machine with a disk and upgrade the defenses on the computer.

So we need those capability and technology investments, as well.

So, there you have it.. We are not prepared and we are really quite dependent on the infrastructure and have plugged it into just about everything. In essence, all our eggs are in one privately held basket that could be attacked and used against us. Never mind that, the intelligence gathering that goes on today as well as theft is staggering because the ideals of security have not been an important thing to us as a nation or economy.

Additionally, he said one thing that really kinda freaked me out. They are still using SNEAKER NET! I am assuming that he is referring to the SCI areas, but, geez..  I guess that this should be a real wake up to those of you who read me and perhaps take what I say with a grain of salt, that I am telling it as it is kids. We are behind in a big way and we need to catch up quickly. Imagine if indeed we as a nation focused on the problem with the same technological knowhow and mandate from the powers that be that the NSA had in placing the NARUS systems into the internet backbone eh? We might have a chance…

Meanwhile, Chilton also makes it more accessible to the masses (with a question from the phone listeners) just how fragmented and likely not too easily fixable the whole cyber security initiative is. Remember all the stove piping being a key finding as to why 9/11 happened unbeknownst to our intelligence agencies? Yes, that same problem is what any “Cyber Tsar” will face once they take the job. A scrabbling for all the marbles or pieces of the pie will ensue and we, the people, will be left holding the digital bag.

Working in the defense industry, I see this every day when it comes to intrusions and issues of reporting intel back and forth. It’s gotten a little bit better of late, but it’s still a real pain in the ass and often, the reports come to us in a mostly useless form… That is unless you have SCI clearance and a “need to know”. So really, they are mostly useless to someone actually doing forensics or incident response on systems perhaps infected with a 0-day worm from China.

Finally, Chilton does some talking about nuclear options and EMP attacks. He says that he would not remove any option from the President’s purview. Of course I kinda agree with that assessment, but, nuking a country over a cyber attack for me is a little excessive. However, the real use for all out cyber warfare would be to have them in tandem with physical, conventional attacks on the targets too. So in reality, if we can “attribute” the attacks to a certain country and are attacked physically, sure, the nuke option is a possible one. However, as the general says, attribution is near impossible… So really, it’s not going to happen that way. Certainly though, a combined cyber attack followed by an EMP to finish the job would be one hell of a digital apocalypse.

Imagine one day being sent back to the 19th century style of living. No cell phones, no internet, no TV, no power, no water….

Can you say pandemonium?

Sure there’s shielding, but that is only for the C&C.. What about the rest of the country huh?

So, in the end, we have another report, another bubbling of the idea that a cyber war is possible and we are not up to the challenge…

If you’re not a little freaked… Well, enjoy the apathy. So when I write about all of the issues about securing networks and having policies, this is the sum of what could happen if the country does not take all those little bits of security to heart.

EPIC FAIL

NPR Talk Of The Nation

//END

ALL ARE COOKIES BELONG TO US!

A proposal to loosen restrictions on the use of tracking cookies by federal government websites should be carefully scrutinized so they don’t jeopardize the privacy of people who visit them, groups advocating civil liberties warned Monday.

The American Civil Liberties Union said the proposal (http://blog.ostp.gov/2009/07/24/cookiepolicy/), floated July 24 by the White House OMB, or Office of Management and Budget, was a “sea change” that could erode protections that for the past nine years have safeguarded the personal information of millions of people who visit federal websites.

“Without explaining this reversal of policy, the OMB is seeking to allow the mass collection of personal information of every user of a federal government website,” Michael Macleod-Ball, the acting director of the ACLU’s Washington legislative office, said in a statement. “Until the OMB answers the multitude of questions surrounding this policy shift, we will continue to raise our strenuous objections.”

Under current rules, federal agencies are prohibited from using cookies and similar tracking technologies unless there is a “compelling need” and the agency head has approved their use. Under the new rules, the OMB would adopt a three-tier approach that would permit tracking under different circumstances. They include:

  • Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
  • Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze web traffic statistics; and
  • Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for web analytics.

“The goal of this review is to develop a new policy that allows the Federal Government to continue to protect the privacy of people who visit Federal websites while, at the same time, making these websites more user-friendly, providing better customer service, and allowing for enhanced web analytics,” federal CIO Vivek Kundra and Michael Fitzpatrick, associate administrator of the OMB Office of Information and Regulatory Affairs, wrote.

Full Article:

My take:

Riiight, it’s just a means to an end to “serve” you better. Somehow I am somewhat incredulous about this little paradigm shift on the Feds’ part. Add this to DPI (Deep Packet Inspection) that they would like carried out more often (please remember those NARUS STA 6400’s in those closets at ATT and other networks) and you have quite the hoover capabilities to see not only what, but where the average user is going using those cookies.

All the better to serve you!

Given that Big O’ doesn’t want to shed light on those little projects that the last admin set up with regards to all the surveillance, I see this only as a furthering of it…

The only security one has is that which they make themselves…

Hey, I have an idea.. How about all you Fed guys look into not publishing data that should not be available on those servers so people don’t Google it? Hmm? Might be a good idea yeah?

Meh.

//

Written by Krypt3ia

2009/08/11 at 12:42

Spot The FED Goes HI-TECH

Feds at DefCon Alarmed After RFIDs Scanned

LAS VEGAS — It’s one of the most hostile hacker environments in the country – the DefCon hacker conference held every summer in Las Vegas.

But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.

The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

The Rest

Nice! Now, just how stupid is it that all these folks had their ID’s on them in the first place? Really, you go to a con you lose all your ID man! You would think too that these guys would get the whole “match face to data” thing because this is the trend in much of the surveillance world now. So many systems are tied together and audit comings and goings in the very places that they need the ID for in the first place…

I guess it’s just this time the tables were turned and the watchers were the watched eh?

Written by Krypt3ia

2009/08/10 at 14:03

And The Power Grab Begins….

Napolitano says Secret Service is lead cybersecurity agency

Wednesday, August 5, 2009

Speaking at the Global Cyber Security Conference in Washington yesterday, Department of Homeland Security Secretary Janet Napolitano said the Secret Service is the lead civilian agency fighting cybercrime in the U.S.

In the wake of the resignation of Melissa Hathaway, the top White House advisor on cybersecurity, Napolitano remarked that it is DHS, which includes the Secret Service, that has jurisdiction over cybersecurity for civilian agencies and the private sector, rather than the military.

Without a cybersecurity czar, a high-level post recommended in the 60-day cybersecurity review led by Hathaway, Napolitano’s speech underscored the lack of coordination and other challenges facing the government as it tries to more fully secure the nation from online threats.

“When I came into the department I think it’s fair to say we were not organized sufficiently where cybersecurity is concerned,” Napolitano said.

How the government will recruit and retain top talent and make the Secret Service “the repository for cybersecurity” knowledge within the government is a leading challenge, she said.

Other challenges include a lack of significant research and development capacity in civilian agencies, the difficulties of sharing intelligence and involving the private sector in promoting online security.

Napolitano announced the creation of a quadrennial Homeland Security Review process to outline strategic goals and a new website, homelandsecuritydialogue.org, to encourage input from academic and private sector experts.

DHS in charge scares the batshit out of me….

Written by Krypt3ia

2009/08/07 at 14:25

Digital Collateral Damage: Cyberwar Blowback

Weighing risks of civilian harm in cyberwarfare
New York Times
Posted online: Aug 06, 2009 at 2212 hrs

John Markoff & Thom Shanker

It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the US invaded Iraq. He would have no money for war supplies. No money to pay troops. “We knew we could pull it off—we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.

But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the US.

Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.

While the Bush administration seriously studied computer-network attacks, the Obama administration is the first to elevate cybersecurity—both defending American computer networks and attacking those of adversaries—to the level of a White House director, whose appointment is expected in coming weeks.

But senior White House officials remain so concerned about the risks of unintended harm to civilians and damage to civilian infrastructure in an attack on computer networks that they decline any official comment on the topic. And senior Defence Department officials and military officers directly involved in planning for the Pentagon’s new “cyber command” acknowledge that the risk of collateral damage is one of their chief concerns.

“We are deeply concerned about the second- and third-order effects of certain types of computer network operations, as well as about laws of war that require attacks be proportional to the threat,” said one senior officer. This officer, who like others spoke on the condition of anonymity because of the classified nature of the work, also acknowledged that these concerns had restrained the military from carrying out a number of proposed missions. “In some ways, we are self-deterred today, because we really haven’t answered that yet in the world of cyber,” the officer said.

In interviews over recent weeks, a number of current and retired White House officials, Pentagon civilians and military officers disclosed details of classified missions—some only considered and some put into action—that illustrate why this issue is so difficult.

Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to degrade Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.

Besides blowing up cell-phone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite-phone and cell-phone coverage to Iraq to alert them to possible jamming and ask their assistance in turning off certain channels.

Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cell-phone and satellite-telephone systems. That limited damage was deemed acceptable by the Bush administration.

Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.

These missions, which remain highly classified, are being scrutinised today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on Newsmax.com, a news Web site, in 2003.

The government concerns evoke those at the dawn of the nuclear era, when questions of military effectiveness, legality and morality were raised about radiation spreading to civilians far beyond any zone of combat.

“If you don’t know the consequences of a counterstrike against innocent third parties, it makes it very difficult to authorise one,” said James Lewis, a cyberwarfare specialist at the Centre for Strategic and International Studies in Washington. But some military strategists argue that these uncertainties have led to excess caution on the part of Pentagon planners.

“Policymakers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic”—conventional—“weapons,” said John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, California. “The cyberwarriors are held back by extremely restrictive rules of engagement.”

Despite analogies that have been drawn between biological weapons and cyberweapons, Arquilla argues that “cyberweapons are disruptive and not destructive.”

That view is challenged by some legal and technical experts.

“It’s virtually certain that there will be unintended consequences,” said Herbert Lin, a senior scientist at the National Research Council and author of a recent report on offensive cyberwarfare. “If you don’t know what a computer you attack is doing, you could do something bad.”

My thoughts:

It’s an interesting thing to ponder just how much havoc could be wreaked by attacking an infrastructure in a cyber war. Now, if you think about it, the “homeland” (yeah, I hate that term since it was appropriated by the previous administration) has most of its infrastructure in private companies’ hands AND is very interconnected. Attack one, and you may have collateral damage that will cause a more far-reaching effect.
Let’s look at it this way.. The US is very connected… Iraq in 2003 was not “that” connected to really have much collateral damage. Sure, Intelsat had issues, but it was no biggie. So, what would happen if our infrastructure were attacked en masse? I could foresee a lot of “fire sale” images ala Die Hard really, but, the reality is somewhere less grim. We would be inconvenienced really, and that’s about it, unless, the attack in the cyber world were in tandem with physical attacks.

Just as in the operations mentioned in the article, the real whammy is in the physical destruction of systems and infrastructure, not only from a cyber stance but real ruin. THIS is what the government really fears. Take out the eyes and ears as well as the C&C and we’re fucked. Just as 9/11 was all the more crazy because the towers held key comm’s infrastructure for the city, this type of attack would leave us unable to communicate, control, and give orders.

So, with all the talk of cyber war, just where are we really?
Well, I have said it before and I will say it again. Our security posture as a nation is “teh suck” for the most part. This is why the “Cyber Tsar” (another term I am hating for its misuse) is so important as well as their function to get this country to perform the “due diligence” where our network and infrastructure security posture is concerned.

And you can see how well that’s going huh…
Here’s the bottom line:

1) Have supplies ready in case our infrastructure is taken down in spots or as a whole; Food, Water, etc.

2) Prepare for being without power. If I were an aggressor, the first thing I would hit other than COMMS would be power. So, get the genni’s out or have solar.

3) Have your own COMM’s systems like HAM or CB that can be SIMPLEX or dare I say it, even have your own repeater.

4) Don’t Panic: If there is an attack of this nature, the only time I would really worry is if the bombs start falling or massive amounts of people start coming down with a raging hemorrhagic fever… Or Zombies start banging on the door…

5) If by chance this all is brought on by a nuclear detonation in the atmo… Well, unless you have shielded equipment, you’re pretty much back to stone knives and bear skins… So adapt… There’s nothing you can do.

Let’s just hope it doesn’t come to that….

So there you have it… Unless we get our collective shit together, it’s possible that we could have a real situation on our hands… Those in the know will be better off…. Of course we are all gonna be saved by smart meters and cloud computing! So no worries!

Snort!