Archive for November 2011
The Hezbullah Cyber Army: War In HYPERSPACE!
WAR! in HYPERSPACE: The Cyber Jihad!
A day or so ago, a story came out and made the rounds on the INFOSEC-O-Sphere about the Hezbullah Cyber Army. The story, which was subtitled “Iranian Terror”, was titled “Iranian Cyber-Jihadi Cells in America plot Destruction on the Net and in Reality”, which would get all of our collective attention, right? The story goes on to tell about the newly formed Cyber Army that will be waging all out war on the US and others in “Hyperspace”.
Yes, that’s right, you read that correctly.. This guy Abbasi is either trying to be clever, or, this is some bad translation. Sooo… Hyperspace it is! Well, I have a new tag line for him…
“In hyperspace.. No one can hear you giggle”
At any rate, the whole idea of a Cyber Jihad or a Cyber Hezbullah is a notion that should not just be sloughed off as rhetoric. I do think that if the VEVAK are involved (and they would want a hand in this, I am sure) they could in fact get some real talent, rein in the ranks, and do some real damage down the road a piece. So, while I may be a little tongue in cheek here at the start of this post, I want you all to consider our current threatscape (*cough* SCADA etc.) and consider the amount of nuisance they could be if they made a concerted effort with the likes of the HCARMY.
So, yeah, this could be an interesting development and it is surely one to keep our eyes on collectively… But.. Don’t exactly fear for your lives here ok? After all, my opinion still applies that the bugaboo of SCADA does not easily fit into the so called cyberwar unless it is effectively carried out with kinetic attacks and a lot of effort. Nope, if the HCA is going to do anything at all, it will be on the playing field of the following special warfare fronts:
- PSYOPS
- DISINFORMATION (PSYOPS)
- Support of terrorism (Hezbullah and others)
- INTEL OPS
More than anything else though at the moment, the whole revealing of the HCA is more a publicity stunt than much else I think. For all of the talk in the US and other countries about mounting their own “Cyber Militias” it seems that Iran and Hezbullah wanted to get in on the ground floor..
Oh… Wait..
They forgot about the PLA and the Water Army!
DOH!
Oh well, sorry guys… Guess you will have to keep playing on that whole “HYPERSPACE WAR” angle to get your headlines huh? Besides, really, how much street cred does an organization like this have anyway? So far I have been poking around all of their sites and find nothing (links or files) that would be helpful in teaching their “army” how to hack.
My guess.. This is kinda like putting out the inflatable tanks and planes for the Germans to bomb in place of the real ones.
Now.. Before You All Go Off Half Cocked (That means you Mass Media)
Meanwhile, I have seen the story that I linked up top scrawled all over the digital wall that is Twitter these last couple days. I am sure with everything that has been going on in Iran of late (i.e. the tendency for their bases to explode lately as well as their pulling another takeover of a consulate as well as spy roll ups) the media is salivating on this story because it’s juicy. It has it all really…
Cyberwar (hate that term)
HYPERSPACE!
Espionage
BOOGA BOOGA BOOGA We’re gonna activate our hackers inside your borders and attack your SCADA’s!
What’s the media not to love there?
Well, let me set you all straight. This is piffle. This is Iran posturing and the proof thus far has been they have defaced a couple of sites with their logo.
THE HORROR!
This group has not even reached Anonymous standards yet! So relax.. Sit back… Watch the show. I am sure it will quickly devolve into an episode of the keystone cops really. They will make more propaganda videos for their YouTube, create a new Twitter account, and post more of their escapades on their two Facebook pages to let us all know when they have defaced another page!
… Because no one will notice unless they let us know…
Just The Persian Facts Ma’am
The real agenda here seems to be shown within the “about” statement for the group. Their primary goal seems to be to attack everyone who does not believe in their moral and religious doctrine. A translation of the statement rattles on about how the West are all foul non believers and that we are “pompous”, which really kinda makes me think that the Iranian people, or at least this particular group, have a real inferiority complex going. More so though, it seems from the statement that they intend more of a propaganda and moral war against the West and anyone else they see fit than any kind of real threatening militant movement.
You know.. Like AQAP or AQ proper.. Or Jamaa Islamiya.
This is an ideological war and a weak rallying cry by a group funded by a government in its waning years trying to hold on to the digital snake that they cannot control forever. Frankly, I think that they are just going to run around defacing sites, claiming small victories, and trying to win over the real hackers within their country to their side of the issue.
Which… Well, I don’t think will play well. You see, for the most part, the younger set who know how to hack already bypass the government’s machinations and are a fair bit more cosmopolitan. Sorry Mahmoud, but the digital cat is already out of the bag and your recognition of this is too late. How long until the Arab Spring reaches into the heart of Tehran and all those would be hackers decide to work against you and your moral jihad?
Be afraid Mahmoud… Khomeini…
All you really have is control temporarily.. You just have yet to realize it.
Tensions In The Region: Spooks & The Holiday Known as KABOOM
Now, back to the region and its current travails. I can see why this group was formed and rolled out in IRNA etc. Seems to me that even with the roll up of the CIA operations there in Iran, you guys are still being beset with problems that tend to explode.
- Wayward Trojan drones filled with plastique
- Nuclear scientists who are either being blown up or shot in the streets
- Nuclear facilities becoming riddled with malware that eats your centrifuges.
What You Should Really Worry About From All of This
My real fear though in all of this hoo ha out of the HCA is that VEVAK and Hezbullah will see fit to work with the other terrorist groups out there to make a reality of this whole “Cyber Jihad” thing. One of these factors might in fact be the embracing of AQ a bit more and egging them on in their own cyber jihad. So far the AQ kids have been behind on this, but if you give them ideas AND support, then we have a problem I think. The idea of hit-and-run terror attacks on infrastructure, which the government and those in the INFOSEC community have been wringing their hands over, might come to pass.
If the propaganda war heats up and gains traction, this could embolden others, and with the support of Hezbullah (Iran) they could “try” to make another Anonymous style movement. Although I don’t think that they will be motivated as much by the moral and religious aspects that HCA puts out there as dictum. Maybe though, they will have enough gravitational force to spin all of this off into the other jihadist movements.
“The enemy of my enemy is my friend”
If the HCA does pull off any real hacks though (say on infrastructure) then indeed they will get the attention they seek and more than likely give the idea to other movements out there to do the same.
AND that is what worries me.
Cinch Up That Seatbelt… It’s Gonna Be A Bumpy Ride
Finally, I think that things are just getting started in Iran and it’s about to get interesting. With all of the operations that seem to be going on in spook world (please don’t use PIZZA as a code word again mmkay?) and the Israelis feeling pressured by Tehran’s nuclear ambitions and rhetoric, I suspect something is about to give way. Add to this the chicken-hawks who want to be president (Herman “I wanna touch your monkey” Cain and the others) who have so recently been posturing like prima donna models on a runway over Iran and we have a disaster to come.
Oh.. and Bachmann.. *Shudder* Please remove her from the Intelligence committee!! That whole Pakistani nuclear AQ attacks thing was sooo not right!
PSSSSST BACHMANN they’re called SECRETS! (or, for your impaired and illiterate self SEKRETS) STFU ok?
OH.. Too late, now NATO is attacking into Pakistan…
It looks to me like the whole Middle East is about to erupt like a pregnant festering boil and we are the nurse with the needle who has to pop it and duck.
So.. Uh yeah, sorry, got carried away there… I guess the take away is this; When you look at all the other stuff going on there, this alleged cyber army is laughable.
Yuk yuk yuk… You’re killin me Ahmed!
K.
The F.U.D. Files: CASE 010110101 Cyber Attacks On Our Water!
OMG! The Russians Are Attacking Illinois Water!
This last week we heard that a pump in a water system in Illinois ate itself and fried up. The reason for the pump doing so was soon discovered to be that someone from a Russian IP address had been messing with it remotely. Something that should not be readily possible, but it was available online remotely. Yes, that’s right, the vulnerable system was online for anyone with an IP address to hit up AND it was in such an un-secured state that pretty much anyone with a pulse could have messed with it. However, this isn’t the story that you get from the press and the talking heads in infosec. Instead you get…
The SCADA boogey man was out and had attacked our vital infrastructure!
Terrorism? Really? Messing about with a podunk water system is now terrorism? Seems to me that this system was already having problems since it was put in by the Curran-Gardner people (Problems with the Curran-Gardner SCADA systems can be found here) from their own accounts of what they had to fix since 2008 or so, including, in one case as noted, the wiring being set up wrong to start with on the system.
It turns out that the supervisory passwords were alleged to have come from a password database at the maker of the supervisory system that the Curran people decided to use. Now, given the poor system setup and all of the issues so far seen in their own documents, I am hopeful that this was not a main supplier of systems to major corporations and governments.
Once again, this all seems more opportunity-based than targeted to me. Someone popped a database at a maker who likely had their systems hanging in the lowest of the low hanging fruit state and the skiddies went on to locate another low hanging fruit target.. You guessed it… Curran-Gardner. The fact that they used a Russian IP address is as telling as a Don Rumsfeld news conference on “known unknowns” as well. So all this hand wringing by DHS and others over this little flap needs to just calm down and speak to the country soothingly…
Instead we get OMFG RUSSIA IS ATTACKING THE ILLINOIS WATER SYSTEMS! and the papers run with it.
THIS WAS NOT TERRORISM! THIS WAS SOMEONE MESSING AROUND!
How did the pump finally eat itself? Someone basically was flipping the digital light switch on and off.. That’s how. It could not take being turned on and off.
Wow, what resiliency!
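The two warning signs in this story, control commands arriving from an address that is not the utility’s own, and a pump being switched on and off faster than the hardware can take, are both easy to spot after the fact if the control system logs its commands at all. The following is an added example, not code from the original post or from Curran-Gardner: a small Python monitor over constructed log lines (the log format, the trusted network ranges and the toggle threshold are all assumptions) that flags both conditions.

```python
"""Added example (not from the original post): flag control commands from an
untrusted address and a device being toggled on/off in a rapid burst.
The log format, network ranges and thresholds below are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumption: the utility's control network and its VPN range (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.168.50.0/24")]
# Assumption: more than MAX_TOGGLES real state changes inside WINDOW is abuse.
MAX_TOGGLES = 5
WINDOW = timedelta(minutes=2)

# Constructed sample log: one normal operator shift, then a burst of remote
# toggling from an address in the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
2011-11-08T06:00:00 src=10.20.1.5 user=operator1 dev=pump-3 cmd=START
2011-11-08T14:30:00 src=10.20.1.5 user=operator1 dev=pump-3 cmd=STOP
2011-11-08T22:10:00 src=203.0.113.7 user=admin dev=pump-3 cmd=START
2011-11-08T22:10:12 src=203.0.113.7 user=admin dev=pump-3 cmd=STOP
2011-11-08T22:10:25 src=203.0.113.7 user=admin dev=pump-3 cmd=START
2011-11-08T22:10:37 src=203.0.113.7 user=admin dev=pump-3 cmd=STOP
2011-11-08T22:10:49 src=203.0.113.7 user=admin dev=pump-3 cmd=START
2011-11-08T22:11:01 src=203.0.113.7 user=admin dev=pump-3 cmd=STOP
2011-11-08T22:11:14 src=203.0.113.7 user=admin dev=pump-3 cmd=START
2011-11-08T22:11:26 src=203.0.113.7 user=admin dev=pump-3 cmd=STOP
"""


def parse_line(line):
    """Parse '<ISO time> src=<ip> user=<name> dev=<device> cmd=<START|STOP>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_text), "src": kv["src"],
            "user": kv["user"], "dev": kv["dev"], "cmd": kv["cmd"]}


def is_trusted(addr):
    """True if addr (a string) falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return a list of (alert_type, device, source_ip, timestamp) tuples."""
    alerts = []
    flagged_sources = set()        # (src, dev) pairs already reported
    last_state = {}                # dev -> last commanded state
    changes = defaultdict(deque)   # dev -> timestamps of real state changes
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["src"], ev["dev"])
        if not is_trusted(ev["src"]) and key not in flagged_sources:
            flagged_sources.add(key)
            alerts.append(("untrusted_source", ev["dev"], ev["src"], ev["ts"]))
        if ev["cmd"] not in ("START", "STOP") or last_state.get(ev["dev"]) == ev["cmd"]:
            continue               # not a state change; a repeated command is harmless here
        last_state[ev["dev"]] = ev["cmd"]
        q = changes[ev["dev"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()            # keep only the changes inside the window
        if len(q) > MAX_TOGGLES:
            alerts.append(("rapid_toggle", ev["dev"], ev["src"], ev["ts"]))
            q.clear()              # report once per burst, not once per command
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample log this yields one untrusted-source alert at the first remote command and one rapid-toggle alert on the sixth state change of the burst; the operator’s own start and stop hours apart raise nothing.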
OMG! Some Kid Learned How To Use Shodan!
I have news for you… This is no big secret. In fact, I was talking about these systems a while back after my fracas with Ol’ Craig “The END IS NIGH” Wright. A simple Shodan search turned up many a water system online and open to being poked at. In fact, as I remember it, the other system that has been talked about lately in Nevada, yeah, that one too was online and found on Shodan. Their systems were so horrid in fact that you could easily make a reservation to show up at Hoover dam as a VIP/Government visitor!
So, what’s the takeaway here? Well, that someone was messing around with SCADA because of two factors:
- It’s been in the news hyped ad nauseam as the panacea of the modern world and its final inescapable doom
- It’s been shown to be easy and the fools running these systems have made them even more insecure by putting the ICS online!
What have you all been thinking? Yes, you guys putting this shit online AND all of you out there SHOCKED that someone started messing with these systems that are so easily found and exploited online in bugsville Idaho!
Come on people wake up! This is just the start here.. Expect more… AND NO, THEY WILL NOT BE ATTACKS COMING FROM AL-QAEDA. There’s just no real interest there on their part; these types of attacks on small water systems will not sow the mayhem and fear that they desire.
Get over it.. Deal with the real problems please.
OMFG! SOME SCADA SYSTEMS ARE ONLINE!
Next, let me step into the wayback machine and once again talk about the SCADA systems being online. I had an.. “argument” with Dr. Wright about the dire circumstances of SCADA systems being online. I had said that not all of them were online and Wright pretty much said:
“WE’RE DOOMED! HIDE YOUR WOMEN AND CHILDREN!”
To which I had a small aneurysm and went off on him.. Let’s just say that the whole thing got out of hand and Dr. Wright was shown by his own hand to be a chicken little with a tendency to spill secrets about previous engagements he had had. The net net here is this:
“Yes Mr. Wright, there are SCADA/ICS systems online, I have seen them.. BUT not ALL systems are, and the important ones that I dealt with were at least nominally protected behind firewalls and VLANs”
Hey, at least they tried huh? Unlike our water works friends in the news of late right? What’s more, I actually saw one system that was air gapped from the network proper. You would have to actually be on site to get at it.
INCONCEIVABLE!
So, yes, we are learning through Shodan searches as well as, unfortunately, in the news, that there are many stupid people running those systems. However, in all the searches of ICS/SCADA systems I did on Shodan, I really only found a couple places that made me say “crap”. The others were places like the podunk water supply..
And I am not worried that these will cause mass casualty events.. What it said to me is if stuff went down, some people would be buying bottled water for a while.
SCARY!… not.
If They Attack Our Pumps They Will Then Escalate To Our Nuclear Missiles!
Moving on, one of the things that really peeved me here about this little story on Illinois was that some were alluding that this could be the clarion bell that the end is nigh. The thought process goes something like this:
“If they can hack this place, then they can escalate through their network to uber important systems!”
Uhh what?
Ok, yes, the Curran-Gardner systems were located within a company that covered both water and power, so yes, they could have jumped to the local grid for the area. They could have hopped over (mostly because these guys have already proven themselves to be clueless about security) and messed maybe with some power regulation to home customers in the area.
No big explosions.. No watershed event.. Other than once again pointing out that the emperor has no clothes and is functionally retarded really. This is an object lesson and one hopes that the local nuclear plant is not online for the Joey Pardell’s of the world to access via the internet. However, such systems that could cause mass casualties may also be in the same state, and this is worrisome.
So far though, I haven’t seen them.
Make No Mistakes.. There Will Be Deaths…
Once again, there is always the possibility that there could be a mass casualty event with regard to SCADA systems controlling pipelines etc. However, I do not see this as a prelude to war nor really an effective means of terrorism just yet. IF someone does exploit a system to cause a pipeline explosion it would be just to sow fear, and that is pretty much it. Sure, you take out a big enough system such as the ones in the Gulf, you “could” have a cascade effect on the supply chain as well as roll over to the financial base of the country.
C’mon, you have all seen this in the movies right? You know what I am talking about.
However, we have not seen this yet and if these systems are so piss poor, then why haven’t we? I mean SCADA issues have been around for a long time now. Why haven’t our enemies used this yet to their advantage? No, I say that the likelihood is that someone will be messing around and accidentally cause an explosion or cascade failure.
The FUD response from this by the government and the media will be the real disaster that will cause the most damage.
Nope, I place the probability of the dark nightmares that the Dick Clarkes of the world are predicting up there with the probability that Bigfoot will walk up to my door, ring the bell, and offer to sell me “Bigfoot Cookies”
Yeah, really…
Sanity Anyone?
So, whatever happened to sanity? I surely think our collective sanity has been eroded by the likes of the media and our overly risk averse government. Since 9/11 they have been hyping (press) and pussyfooting (gov) around the problems we have. In the case of the digital landscape of hacking and security, neither has a solid grip on reality. This is really disappointing as they are the ones feeding the fear to the masses. Never mind those in the security industry who seek to make money as well as those who have no qualifications to speak on subjects but feel they must to get the headlines.
It’s a Möbius loop of stupidity and fear mongering.
We need to get our collective heads out of our collective asses here…
- Yes, there are SCADA systems online and yes, they can be made to eat themselves
- Yes, this is a problem, but it is NOT the end of the world
- No, the terrorists are not using this as a vector of attack.. trust me.
- NO, the Russians and the Chinese are not attacking here.. Those guys have been in and out of our systems without us knowing (ni hao!)
- NO, no one will be launching nukes from SCADA/ICS attacks
- NO, no one will be causing a China Syndrome from SCADA
- Yes, you may see more pumps eating themselves and you may have to buy some potable water
- Yes, once the smart *giggle* grid is online you might find yourself without power or unexpected large bills (bad hackers!)
- Yes, this is all a problem… But more a nuisance than the apocalypse
So, let’s all sit back and breathe a bit ok? Yes, there are problems here, but, in the scheme of things, this is not worth all of the attention it is getting from everyone. Never mind the worries that many seem to have.. and are using to their advantage perhaps to sell you services?
Yeah, I went there…. Better watch out, LIGATT soon will have offerings in SCADA security I am sure.
The Teachable Moment
This is all what they call a “Teachable Moment” as someone on my Twitter F-list said the other day. The lessons to be learned are simple ones and you have to step back, take a breath, and think a bit here.
- Don’t place inherently insecure systems (as we know SCADA to be) online for access to the internet and anyone on the globe
- Don’t believe everything you read in the news.. Often times the reporters have no clue
- Don’t listen to every doomsayer or alleged “expert” online or in the media as to the dire straits we are in due to this
- Research the problems… compare and contrast.. Use your brains people!
- Ok, so we found this one out there and it failed because it was messed with… Now take it and every other one offline (connectivity to the net)
- Force the SCADA manufacturers to securely code their systems
- Force the government to perform DUE DILIGENCE on critical infrastructure (i.e. audit them all for this and other security problems)
- THEN FORCE THEM TO FIX THEM!
- DO NOT PROCLAIM THIS THE END OF THE WORLD
- DO NOT INTONE IT IS TERRORISM WITHOUT EVIDENCE
- DON’T LISTEN TO THE CHICKEN LITTLES OF THE WORLD (Craiggy)
This is my take away from this little incident. Like I said, there are problems, but we know they are out there now..
GO FIX THEM AND CUT THE FUD!
K.
Neuromancing The Cyberwars
The Great Cyberwar to Come
Every day lately I open up the newsfeed and see more and more dire predictions of cyber doom and cyber war. Each time I read this stuff I just have to hang my head and curse under my breath all of the morons out there both reporting on it as well as those purveyors spinning the cyberwar to come. In fact, I really loathe the term “Cyberwar”, as do, I think, many of my compatriots in the infosec industrial complex (ooh, coined a new one there huh?). Every time these people open their mouths I have to just borrow a line from Seinfeld and bellow;
“SERENITY NOW!”
Enough already of this Cyberwar lunacy! Let me tell you something, we have been in an information war for a long long time and a component of that is EW (Electronic Warfare). For years we have been manipulating warfare through information, whether it be planting fake stories in the press (newspapers, TV, radio etc.) or manipulating data within systems as part of disinformation campaigns. The only real differences today, which I think are the crux of the cyberwar craze, are two factors:
- Everything seems to be connected by computers today
- We can now manipulate not only data, but the machines that process actual physical processes (ICS/SCADA)
So yes, there is more that potentially can be done to an enemy target electronically, but the hoopla and hype around cyberwarfare has gotten WAY out of hand today and someone needs to bust that bubble before the morons in charge get their trigger fingers on the button. Perhaps though, it’s too late for that, as I am looking around today and see that the military is saying they have the potential right to launch attacks after cyber attacks…
Good God… It makes one root for Skynet thinking about the great cyberwar to come.
Trust Us… We’re the Government!
What is most frightening to me is that the government and the military seem to be under many misapprehensions over “cyberwar”. In the case of the government, more to the point, Congress and the House, we have two august bodies that are filled with some of the most misinformed and Luddite oriented groups of people I have ever seen… And these are the people we are going to entrust to make policy on such topics? The same people who would have the likes of Gregory Evans speak to them about digital security?
We are doomed.
So, what do we have here? We have the people making laws led by the blind and the Chicken Littles of the world. All of this over the overhyped and overblown idea that the great cyber war is a-comin’ and no one is safe! Our power will go out because hackers will shut it all down! The gas pipelines will explode because John McClane won’t be able to get the Apple kid to the right terminal during the fire sale! The financial system will collapse because Thomas Gabriel will have jacked into the feeds and slurped ALL of our digital records on to his terabyte drives!
OH NO!
Yeah, you might be asking yourself right about now;
“Do they really believe that shit?”
Well, take a look at some of their laws lately concerning digital matters and privacy.. Then tell me they really know anything about the internet or digital security. So, yes, I firmly believe they believe it. In fact, there is an old trope in the movies about hackers. You know the one, where the hacker just sits down and 5 seconds later they are root on the Gibson… Yeah, I really think that is how they perceive hacking and how easy it would be to hack the planet.. So to speak.
So, are you comfortable with these people deciding whether or not we actually physically (or digitally) attack another country after we get a little pwn3d?
I am not.
Attribution… We Don’t Need No Stinkin Attribution!
Back to the DoD and their recent proclamation about physical and other attacks against those who attack us with a cyber attack. I just have one word for them to chew on and contemplate:
ATTRIBUTION
You know, that pesky word meaning we actually KNOW who attacked us? Yeah, well as far as I have seen today, it’s pretty damned hard to determine most of the time who did what and where on the net. Digital forensics only gets you so far, compromised machines can be tampered with in so many ways to make it look like someone did something, and these guys want to launch cruise missiles against nation states over a DDoS?
Mmmm yeah… This will not end well.
Ok, so the next great cyberwar will take place pretty much like the whole premise of the Terminator films then? Will Skynet become sentient or will we just have a military and government that says “THEY DID IT” and fire off some missiles? Frankly, what I see here is a lot of posturing and hope that the reality is that people will realise that they cannot attribute anything and not fire one missile due to the lack of concrete proof.
But.. That assumes that cooler heads prevail and there are not too many hawks in the room….
Dark Prognostications of DOOM… Trust Me, I Write Blogs!
Meanwhile, we have the blogosphere and the pundits out there with slit eyed prognostications about how many more times 9/11 it would be, this cyberwar to come that McClane is not there to save us from.
“THERE ARE NO AIR GAPS TO SCADA! WE ARE DOOMED!”
“THE COLLATERAL DAMAGE WILL BE HUGE!”
“OUR WAY OF LIFE WILL BE DESTROYED!”
Blech. Look, sure, a cyber attack on key infrastructure would be bad. It could cause a real ruckus and we could have pockets of the country/world where power may be down a while, gas lines could blow, and there would be collateral damage. However, this would not be an all out war. In fact, I think it would be far worse if someone took out the core routers of the internet… I mean, at least that is doable if you do it right with kinetic attacks at key points (MAEs etc.). However, I just don’t see it as a likely scenario.
Frankly, you know what keeps me worried?
- Biological warfare or accidents with the materials
- A dirty bomb or a nuclear bomb cobbled together from illicit materials from the likes of Russia or Pakistan
- Mass coronal ejections causing a large EMP
Cyberwar.. Not so much.
The problem is that there are too many pundits and too many crazy opinions out there that are getting ear time with the Luddites in charge. Hell, for that matter, I am a blogger too, so I could be part of the problem as well huh? Maybe I am all wet and tomorrow China will attack at dawn… It’ll be just like Red Dawn.. Except they will hit us first with cyber attacks and then drop thousands of troops on us (Wait a minute! What a movie idea!)
CRAP! Someone beat me to it!
Oh I know! Instead the Chinese will just release all our prisoners from cell blocks by using Metasploit against their ICS systems that lock the doors!!!
Heh.
Remember you heard it here first!
Reality? Nah, Just Pass Me The SymStim and Goggles!
I guess in the end, I just have to resign myself to the fact that sanity will not prevail. We will have a military with putative attribution and a Congress unqualified to rule on such things to pass the vote to attack those who attacked us with their packets and malware.
We’re screwed…
Oh well, I will just have to put in the R.E.M. and listen to “It’s the End of the World as We Know It”…
*Sits back…puts on shades…Hacks the Gibson*
YEEEHA!
K.
INFOSEC: The Worlds Largest Rube Goldberg Device
The Best Laid Plans of Mice and Men
Lately, I have been thinking… I know, bad sign huh? What has been on my mind? Well, other than using a chainsaw to remove numerous limbs and detritus from my property, I have been thinking about the state of information security today. It seems every minute I am online (Twitter, blogs, news sites etc. etc.) all I hear and see is a cacophony of competing headlines and cries in the night about this issue or that which could be the end of us all!
But.. if you just listen to me, or buy my product! You will be safe!
The other side of that coin is the constant flood of new vulnerabilities being located, released, and exploited while the software companies try to keep up with patches and fixes. I feel like I am in a 1930’s street set for an information security slanted version of “Newsies”, only without the step ball change and jazz hands. All of this stuff just has everyone on a constant infosec overload.. If you are paying attention, as many people with the title of “security” should be doing. This all causes a general malaise I think though, much of which is because it is hard to divine whom to believe and about what.
“IF” you are a cognisant and dedicated security worker at your average corporation, you must, I think, be feeling overwhelmed by it all. It seems no matter what you do, you will always have some chink in the armour that will allow for compromise. If though, you are sleeping well at night because you have the policies and the magical shiny machines that protect your whole environment from compromise, you must be living in Narnia at the right hand of Aslan.
*Wave Security Unicorn!*
For the most part though, I am sure there are many of you out there who feel like you are being branded the “Security Cassandra”. You come to them with dark prognostications of compromise, to which they look upon you as either a paranoid delusional individual or someone to just be patted on the head and told to go back to your dark cubicle. To you Cassandras out there, I say you are the most sane…
Though, one might want to consider a career change.
Anyway, back to the task at hand here. I am writing this post to lay out the single idea that no matter the solutions, no matter the rules and check boxes filled out, you will always be compromised. Embrace this idea, love it, hold it dear and keep it kindled like the guys from “Quest for Fire” because it is the ultimate truism today. No matter how many fancy machines, no matter how much you teach the end users and the C level execs about security, you will always have failures that will lead to compromise.
Always.
“The best-laid plans of mice and men often go awry” As the saying goes…
General Prophylaxis and “Penetration Testing”
Pentesting, who’da thought it would be a full time job back in the early 90’s huh? It has become a general term now often confused with security assessments or vulnerability scans and boy, how fubar it has all become. There is a movement out there now (PTES) but really, how often are the scopes of pentests so confined that they are generally useless? I have heard it many times that you can hack the shit out of the stuff given to you, but there is a TON more outside the scope that would be trivial but is left untouched because the client said “no”
One of the more fun facts (and it was often made clear in the documents from IBM) is that even after a pentest has looked at a general architecture, someone could just come in the day after and plug in a new piece of hardware or misconfigure something that would void all of the work done previously. It’s a wave form really, and once you look inside you collapse it.
So, pentesting is fun and can be very helpful in specific situations… IF people remediate their issues… But you and I and the lamp post know just how many places really remediate their problems, right? So pentesting is no general prophylaxis for security problems.
Never has.. Never will be.
Oh, and it is all greatly dependent on who you hire and how good they are. That is a simple fact that companies shopping for pentesters often do not take into account. It’s a crap shoot.
Impossible! That Can’t Happen! We Checked All of the Check Boxes!
Ah yes, the inevitable security through compliance and check boxes! Wow, yeah, like no one will ever just check things off because they think no one’s gonna check right?
Yeah…
Even if you check all your boxes off and you have auditors come in to look at your logs of your log reviewing activities, you still can and will be compromised!
Yes, it’s true.
Yet again, this is no guarantee of security, but all too many places think that this is the end all be all. They carry on with their SOX audits to be in compliance with the law, but, it’s a law that has as much relevance on information security and technical security as it does to being epic literature. So, any audit firms who tell you that you are going to be just fine as long as they audit you (with their non technical auditors) on your computer security, you are being lied to.
.. And robbed.
Meanwhile, there has been a lot of talk lately about compliance and security.. I have news for you all.. Compliance does not mean secure. Compliance does not mean agile, and compliance just gives middle managers something to do with their days.
It has no inherent security.
The Shiny Machine That Goes PING!
Ok, on to the shiny machines that so many resellers want to get into your networks. All too many times I have sat in meetings with vendors who offer solutions that will stop the APT! Stop the MALWARE! Monitor your network flow and tell you who’s being naughty!
POPPYCOCK!
What was it about the walls of Troy, which never fell, that a simple wooden horse defeated? Yeah, the aptly named Trojan of today still applies in the shiny modern world. Look at it this way: for every machine, there will always be a weakness that someone out there will find and exploit. Likewise, for all those machines and programs that are meant to stop people from exploiting hardware and software, there will always be the guy who is exploiting the wetware.
That’s right, people are the weak link.. Both the attackers and the sales people know this.
Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.
Now re read that with the word “security” in there. No matter the hardware, you still are not safe.
The Digerati, A Cacophony of Competing Blather and Snake Oil
I have been blogging now for some time and only recently have I become more aware of the flimflam going on with so many faux experts. My run-ins with the likes of Greg Evans and Craig Wright have shown me the great variation within the community and how they can be and are listened to by too many people. The internet is still like the wild west and it is easy for any travelling salesman in a Conestoga wagon to show up and put out his snake oil shingle.
“Come on down and get Mr. Wright’s miracle cure! I can see you there! YOU ma’am are sick aren’t ya! I can cure that security lumbago with this here tonic! Just two bits!”
There are too many competing opinions in the mass media and the community at large and no coherent, stable, rational sources, I think, for security guidance. Well, there is NIST and other places, so maybe that isn’t quite a correct statement, but, it seems that these shylocks get more air than NIST and others because they are so flamboyant.
And you know the more dire and scary the prognostications (Dick Clarke) the more air play they get.
So, what do we do about it? Nothing… Just know that no matter what you do.. You will be compromised. No need to go all Doctor Strangelove.. Just accept it.
Inevitability and Jelly Donuts
“Time has little to do with infinity and jelly donuts” Lt. MacReynolds Magnum P.I.
Speaking of acceptance, I have heard before the idea that it should all be approached in a 12-step way. I can agree with that, but, the key point is the inevitability of compromise.
Remember, you will be compromised… Get used to the idea.. Embrace it.. It is inevitable.
Once you have come to terms with this, you can work toward the real work of dealing with it on a daily basis. There’s defence and there’s offence, but the reality is that both are at work every day and every day one of the two wins the day. It’s how you deal with it that is key. Do your best, teach all that you can and know that in the end, no matter how much you try and try and try, the defences will be beaten and your data stolen.
Move on.
The Zero Sum Game
Finally, back to the title of this piece. I see infosec as an industry as a giant Rube Goldberg device because all too many times we have way too many steps and kluges in play that are supposed to “secure” us. My point to this whole article is that NOTHING will ever be the cure all. You can only do your best and sometimes, that means the simpler the better.
We currently have so many layers and levels that are only a panacea papering over the real truth…
“Security is a Zero Sum Game”
What was it WOPR said? It was better not to play the game? Well, I am not going there, but, unless every single one of you, whether you are a consultant, a pentester, or a CSO, accepts the fact that you will be compromised no matter what toys or compliance strategy you have bought into, you will ultimately fail at your jobs.
Not because you got compromised… Because you were foolhardy to believe that you wouldn’t.
All of you out there who are getting bent or fomenting ulcers over all of this.. Breathe…
K
#OpCARTEL: Hubris & Blood
HUBRIS:
Yesterday I wrote about how I had thought it was rather ill conceived of Anonymous to attempt to mess with an organization like the Zetas. Last night I hear that Barrett Brown, ersatz former spokesperson, has decided to get back into the action with this particular Op. A tweet from his account had a link to the following pastebin:
The Anon who had been kidnapped last month by the Zetas has been released, although it appears that the Zetas concerned did not know that the individual was the Anon whose release had been demanded by those who instigated #OpCartel. As such, no bargain has been fulfilled. Meanwhile, those who have been in possession of the e-mails have promised to provide them to me alone, which is to say that everything that proceeds from now on is my own work, and not that of Anonymous. Any reprisals against anyone other than myself, then, will have no effect. As I’ve told several journalists today, I will be proceeding carefully and with the assistance of several parties who are equipped to assess the contents of these e-mails and particularly those portions dealing with Zeta collaborators. I’ll announce the next step in a few days. Finally, much of the reaction that this affair has received, particularly the dozens of often malicious predictions of my upcoming murder by the Zetas, is among the most degenerate displays I have yet seen. The idea that I should refrain from assisting in the naming of probable criminals operating in a foreign country without a working judicial system lest I be murdered is a cowardly sentiment. No individual living in the free world should refrain from working to fight injustice simply because there is a possibility of retaliation. Less important, but equally inane, have been the hundreds of comments and even media reports in which I am described as “foolish” for taking a risk in the course of something I believe in. Those objections dealing with possible repercussions to innocent third parties are reasonable, and I have made an effort to address those; those objections to the effect that an American ought not assist his fellows who have themselves risked their lives for this cause are informed only by a sick culture that is destined for destruction and replacement.
If, by some chance, I am indeed killed by the Zetas, I will at least not have to contend ever again with the irritating and, frankly, faggy outpourings of a population that has proven itself incompetent to rule the empire that has been provided to it on the backs of others. Amrite?
Barrett, all I have to say is this…
“Way to go moron! What the fuck are you thinking? Are you that vainglorious or are you just mentally challenged?”
Let me break this down for you all once again.
- Any data you have will serve no purpose. The cartel owns the government there.
- The US may be interested in the data only in that they want to see who reacts. They already know this information in all likelihood
- The release of the hostage… You ever consider that it was not an appeasement? That they are using this person or persons to get to others within the Mexican Anon org?
- All your bravado will leave you once you find an MS13 gangbanger over you with their pistol against your head.
- You will not be a hero or a martyr.. You will have been just stupid.
BLOOD:
Let me once again talk about Pablo Escobar. It took some serious special operators from the US to go down to Colombia and hunt him down. Not geeks behind computers with little bits of data, no, it took guys with guns who were battle seasoned to get Pablo, and he was just as fucknuts as these guys in Zeta. The difference here? The Zetas core 30 members are TRAINED SPECOPS! WE TRAINED THEM IN THE US!! They are deserters from the Mexican Special Forces!!!
And look at you.. all puffed up and thinking with your gun…
AND you do it so publicly like they are going to be afraid to whack you?
Ugh.
I tried telling you all that if you wanted to do this shit, you had better be smart about it and completely protected with SECOPS protocols, and you go and hang it all out there?
Patently stupid.
So, now it’s all on you Barrett. You and your council of core anons you speak of. I just hope that when they do get you (Zeta, MS13 etc) that you really don’t know who the others are in real life.. Because I am sure you will give them up before they whack you.
Stupid.
K.
OpCARTEL: Kids, Trust Me… YOU ARE NOT Up To This Operation
Killing Pablo:
Ok kids, before you were old enough to understand, there was a guy named Pablo Escobar. He was a bad guy who pretty much single handedly provided the US with cocaine that powered the 80’s debauchery. Pablo was the progenitor of the Zeta model of narco-trafficking that you guys are claiming to have data on and want to tangle with. Let me tell you now in no uncertain terms how I feel about #OpCartel…
YOU ARE NOT READY
Plain and simple, these guys are not just some namby pamby government following laws who will try to arrest you. No, these guys will hire blackhats of their own, find you, and KILL you in the most horrific ways. Need I remind you of the bloggers who got whacked recently? I don’t think you all want to be the next to be swinging under an overpass with a Mexican Necktie do you?
It took major government and military operations to kill Pablo and his cartel. You guys dropping information on the low end mules and lackeys will do nothing but interrupt operations currently ongoing as well as put yourselves into the cross-hairs of the Zeta killing machine. At the very least, you need to do your homework on these guys and NOT announce things on the internet before you do anything, this is just asking for a whacking.
Have you not been listening?
INTELOPS:
First off, if you want to gather intel on these guys or you have it, then make sure you vet it out and ensure it’s the real deal. If you have sources, you need to protect them, and if you have hacked access, you need to ensure that you can’t be traced back. The big thing though, is to KNOW YOUR TARGET! How much do you really know about the Zetas? How much do you know about the politics of the area? The players both inside and outside the cartel? This group doesn’t just have low-level people, they have high ranking political connections as well. You mess with them, then you have governmental assets and pressure to deal with as well.
So.. What do you know about Los Zetas?
Los Zetas:
Los Zetas and La Familia Michoacana are a narco ring composed of about 30 ex Mexican Special Forces deserters who decided that narco trafficking was a much better choice than just being ordinary special operators. This group has been one of the bloodiest and boldest in their massacres of opposing groups or individuals. In short, they are not people to tangle with unless you are a government with a special operations group of your own. Much of their infrastructure is already known (see pdf file at the top here) so, dropping some of the data you propose might just serve to get others killed and not damage the organization much at all.
Though, if you did have tasty information, perhaps you could pass it along to the authorities? If not, then maybe Mata Zetas?
Mata Zeta:
Los Matas Zetas is another paramilitary group (Zeta Killers) that has sprung up recently and in fact could be governmentally sponsored. Either way, this group is out to whack the Zetas. Now, were you in possession of data that could be used by them to combat the Zetas, maybe you could find a conduit to get that to them… Secretly. I am pretty sure though, that these guys, if not sponsored by the government (Mexico and the US), would then just become the next narco trafficking group in line to fill the power vacuum once the Zetas have been taken out of the equation.
The basic idea though is this: Use the enemy of your enemy as your friend to destroy your enemy. Get it?
OPSEC:
Ok, so, here we are and you guys have laid claim to the idea of the operation. Then, once people started threatening, you dropped it. Then others like Sabu said it was all a PSYOP and there are things going on in the background still.
Oy vey…
Look, overall you have to follow OPSEC on any operation like this and so far you have been a big FAIL on that account. It’s akin to saying to your enemy;
“I’m attacking at dawn.. From the East… With planes.. Vintage WWI planes…”
What were you thinking?
Obviously you weren’t thinking about OPSEC. You have seen me write about this in the past and you surely have heard Jester talk about it too. It is a key precept to special warfare and you guys just are not ready for prime time here. Unless you follow some basic security measures you will end up dead. So pay attention.. If there was any merit to this operation in the first place.
This Isn’t An Episode of Miami Vice:
Finally, I would like to say that this is not an episode of Miami Vice kids. YOU do not have a nickel plate .45, slip on shoes, and pastel shirts. This is reality and you are more than likely to run up against blackhats who will find you and one by one, these guys will hunt you down.
I know.. You’re an idea… No one can stop an idea…
I’m sorry, but your Idea will also not stop bullets and bad men with knives from cutting you to ribbons when they locate you. Unless you learn some tradecraft, go back to taking on corrupt corporations and paedophiles…
Though.. They too could also hire a hacker huh?
You guys are not ready for this…
K.
The Apocalypse Cycle: Confronting and Being Prepared For Infrastructure Failure
Recent events where I live have made me once again ponder my own readiness with regard to how to handle infrastructure failures that affect our technologies and society. These same events have shown me just how clueless all too many people are about how to survive when their infrastructure goes down for any extended period of time. The snow storm in October that brought down so many trees in the Northeast created a situation cascade that devolved quickly for the populace, and by listening to the news and the police scanner I was able to see just how quickly society began to break down… With just a snowstorm that brought down the grid.
Now 5 days into it post the snow, much of the infrastructure is still down and things are only starting to gain a semblance of normalcy in pockets of the region. There has been a lot of angst and anger concerning the power companies and the local and state government reactions to this storm and its fallout, but, the object lesson is larger than just one snow storm in one region of the country. Since this all began, I have seen people fighting at gas stations, heard about looting at another in a more remote area, and generally, hearing about people who were caught flat footed without any kind of backup plan for when the heat, power, and water go out.
People have become too dependent on the infrastructure (power/water/telco) and unable or unwilling to perceive the threats to it and its precarious position with regard to failure. The recent storm and the fallout from it here in the North was bad, but, this was nothing compared to what “could” happen with a large failure of the infrastructure within the country given the right circumstances.
We were lucky… Someday we may not be.
The Apocalypse:
The scenario that happened to the Northeast is as follows:
- An early winter storm hit the region dropping anywhere from 6-20″ of snow in a short period of time
- The snow was heavy and wet and in combination with leaves still being on trees, caused massive tree damage
- The trees lost limbs or broke completely apart, falling on power lines, telco lines, cable lines, roads, houses, etc.
- Power lines began to fall and surges/failures caused cascade effects including complete circuit failures
- Telco towers were also damaged as well as forced to run on backup power (batteries and generators)
From these events the infrastructure eventually failed for the bulk of the state I live in. The fallout from this then cascaded for each and every person out there who relied on the services that it provided.
Infrastructure FAIL:
Once the infrastructure had failed for large areas the following services failed for communities and individuals.
- Water: No power means for many with wells, no water. No flush toilets, no showers, etc.
- Heat: No power for many also means no heat. In the case of natural gas or oil, it can depend on electricity as well. Not everyone lost heat.
- Light: Obviously, no power, no electric light
- Communications: No electricity on both ends can mean that all communications go down. In this case hard lines went down as well as cell towers
- Supply Chain: The lack of electricity also affected the gas station industry as many of them do not have backup generators. No gas, no mobility. The same applies for shopping outlets (grocery stores etc) as well.
- Mobility: Trees being down as well as potentially live power lines reduced mobility greatly. In some cases, people were boxed in to their homes by downed lines/trees, and many roads were impassable.
All of these systems people take for granted today were directly affected by this particular storm and caused great consternation and fear for many. What made it worse was that there were no set timetables for repairs that could be expressed by the state nor the companies whose infrastructure was damaged. Some estimates though proclaimed it could be in excess of two weeks and, given that the nights were getting cold, that many could be in danger for lack of heat. Basically, the infrastructure was in a FAIL state and the cascade effects from it being down began to snowball.
Human Nature:
Once the failures had occurred, many who were without power, heat, water, etc were ok for a short time. However, once the cold really began to set in and the days until restoration became longer, people began to freak out. Those with generators began to run out of gas, but could not get any more gas because the stations in the area failed to have generators, and those who did ran out of gas quickly. With the supply chains beginning to fail by being taxed because of demand, it became compounded with the fact that roads and highways were also blocked due to storm damage.
This is where the human nature began to show its ugly side. Because there was little gas to be had, and people were waiting in long lines, frustration began to set in. Tempers flared and in some cases, looting and fights occurred. The human gene is a selfish one, and with that said, people began to roll back the evolutionary clock, fighting for their lives (perceived) in this situation. Most of this though, could have been easily avoided had the people taken the time to prepare themselves for such occurrences as well as have a mindset that the government and the infrastructure may not always be there when they need it.
We are all on our own in many ways…
Of course, if human nature were a bit more fluid in the area of cooperation, perhaps people would have to freak out less and come together, but unfortunately, this is just not the case with many.
Preparedness:
So, with all of the above said, I would like to remind people to take some time and actually PLAN a bit for these incidents. As our lives become more and more dependent on the state and the infrastructure, we need to take a step back and say “What if” a bit more and plan accordingly for our own welfare. Here are some factors to take into account.
Sheltering In Place:
When disasters occur, we may not be able to escape them. If there is a tsunami or hurricane coming at us, we just may not be able to leave at all. Everyone else will be doing the same thing and you have all seen it I am sure in movies where the roads are blocked and there is no way out. If this is the case, well, all you can do is hunker down and hope to survive.
The same can be said about situations like the one the Northeast just had. If you did not HAVE to be out on the roads during the storm and just after, then stay home! It’s called “sheltering in place”. You have your provisions, you have your house/apartment/bunker and you stay put! It is safer to be in place and prepared than it is to be out like a chicken in a rain storm looking straight up and drowning. Never mind you getting hurt, but you may also be placing the lives of others (EMS/FIRE/POLICE) at risk because of your stupidity.
So, have provisions in your home for at least a week if not more. I would suggest enough for at least two really, just in case.
- Non perishable food (MRE’s)
- Batteries
- Potable Water
- Firewood if you have a stove/fireplace
- Gas stoves (camp stoves) and fuel
- A radio
- Candles
- Medical supplies (including any meds you take)
- Matches/Fire-steel
- Flashlights and LED lanterns
- Two way communications (HAM radio)
- A generator and hook-ups for the house
All of these things you can just store and have in place when you need them should the time arise. Batteries, food, and the like can go bad after some time, so ensure that you rotate them if they are out of date. A little diligence can make life easier when the time comes.
Bugging Out:
IF the zombie apocalypse comes, then you will likely eventually have to “bug out”. This means to leave the shelter and seek out other locations. This also means that you will need to have a “bug out bag”. This would entail the same items above but with some twists:
- Non perishable food (MRE’s)
- Batteries or Solar charger
- Potable Water & Filtration kit
- Firewood if you have a stove/fireplace
- Gas stoves (camp stoves) and fuel
- A radio
- Meds (including any meds you take regularly)
- Matches/Fire-steel
- Flashlights and LED lanterns
- Knives/Axe (A survival knife would be ideal)
- Two way communications (HAM radio)
- Clothes
- A weapon (guns)
- Tent/shelter materials
- Portable med kit (EMS style complete)
- Binoculars
I am sure there are many more things that people can think of, but, this is a basics list for extreme emergencies that require you to be mobile quickly and prepared to live rough. The key here is also that you need to be travelling light. Ounces equal pounds, and pounds equal slowing you down. Keep it simple and you will be more able to stay mobile even on two feet. All of these things should be prepared and loaded into a bag (backpack/rucksack/etc) and in place for emergencies. Some people actually have redundant bags (one in the car, one in the house) should they be away from home when things go down.
It never hurts to be prepared.. Think Boy Scouts.
Mental and Physical Concerns:
Ok, so you have the supplies in place for either staying put or bugging out but, you need to be thinking about how you and others handle the stress of situations like these. From what I have seen of the reaction to this latest storm and fallout, I have to say that way too many people were just unprepared. Of course, if you are not prepared (with supplies) then you certainly are going to be placing much more stress mentally on yourselves and your family. By not having things in place, you basically stress yourselves out trying to get the things you need. However, if you have the supplies and a little know how, you can easily weather things out.
Situations like these also cause physical stress on people. The clean up and upkeep alone in some cases here have caused people to have heart attacks. In other instances, people’s inability to comprehend the nature of CO2 has led to at least 4 deaths in my state. It can be tough to be sheltering either in place or bugging out and you have to be ready to handle the stress both mentally and physically. It is best to keep yourself in the best shape you can as well as perform mental checks on yourself and others while sheltering to ensure you don’t have a breakdown in either respect.
The Long Haul:
Overall, this incident in the Northeast was not the “big one” that some predict. It was inconvenient really, but, if you had supplies you could deal with it easily enough. However, what if something like an EMP burst took out the grid and the infrastructure? How would you handle that? The potential for societal collapse would be high in a short amount of time.. What then?
What I’m saying is this.. Prepare for the small events but keep an eye toward the what-ifs of a long term one. If you can handle the short term, there is more likelihood that you will be able to come through a longer stint without completely melting down…
Meanwhile… Just watch all of the others who don’t have a plan or supplies run rabid in the streets.. Kinda like zombies.. but looking for a can of gas instead of brains.
K.
China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?
Oh Desmond…
Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say:
“Well, because there’s no real proof of their actually having done anything, they are unable to do so”
*blink blink*
Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?
Rudimentary? Really?
I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..
How about you?
Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled and certainly not as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.
Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.
PSSST… Guess What?
So, to move this further along the philosophical and technical path, let me explain it another way for you. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Something core to the Chinese mindset on warfare is the following:
網絡戰 (cyber warfare)!!!
Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.
ANYONE could IF they had the access and the desire. It would not need to be a nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expats to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…
Yeah.. Soft power once again.. It could turn hard though with the right circumstances.
Once again Desmond, you think too one-dimensionally.
The Sad Truth…
Now, with all of that said, let’s turn it around a bit. The saddest truth is this:
“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”
The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.
*sadface*
Once again, you fail to look at the problem from a more multidimensional angle.
Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.
K.
Written by Krypt3ia
2011/11/06 at 23:10