Archive for the ‘Economy’ Category
INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.
“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”
(Dante Alighieri; The Inferno)
The current state of the Security “Industry”
It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations)
Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.
Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor” It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.
Often its the simple things that allow for complete compromise.. Not just some exotic 0day.
So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”
Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.
“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”
(Shakespeare; MacBeth)
Security Joan of Arc’s and their Security Crusade:
Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”
Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc) They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.
Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.
Think Richard Clarke (I heard that chuckle out there)
Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”
The subtle knife wins the battle.
“If the Apocalypse comes, beep me”
(Joss Whedon;Buffy the Vampire Slayer)
What’s the worst that could happen really?
The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.
Its the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties) In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.
The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.
So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..
But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.
“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.“
(John W. Vessey, Jr.)
How do we communicate and manipulate our elephants?
Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.
- The whole Joan of Arc thing above
- The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.
We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;
“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”
So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.
So, how do we communicate with these people and get them on the same page?
I have no answers save this;
“Some get it.. Some don’t”
That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.
“The greater our knowledge increases the more our ignorance unfolds”
(John F. Kennedy)
The Eternal Struggle
There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..
Eventually.
All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.
K.
Anon Analytics: Stock Manipulation Through Information Release & The Slippery Slope
It's all about the information Maaahhty
Cosmo: Posit: People think a bank might be financially shaky.
Martin Bishop: Consequence: People start to withdraw their money.
Cosmo: Result: Pretty soon it is financially shaky.
Martin Bishop: Conclusion: You can make banks fail.
Cosmo: Bzzt. I’ve already done that. Maybe you’ve heard about a few? Think bigger.
Martin Bishop: Stock market?
Cosmo: Yes.
Martin Bishop: Currency market?
Cosmo: Yes.
Martin Bishop: Commodities market?
Cosmo: Yes.
Martin Bishop: Small countries?
In a previous post I wrote about the nascent “Anon Analytics” group that had popped up claiming that they were going to out corruption in corporations by using OSINT and inside leaks/whistle-blowers. On the face of it, I thought this was a good idea and said as much in the post. I had caveats though that they confirm their information and that they be above board. I received a response from Anon Analytics thanking me for the article and that they had found it interesting. I however, had failed to read the disclaimer on the first report by Anon Analytics and as such, this is my mea culpa as well as another warning to Anon that they need to keep things above board here.. Lest they become just as bad as those who they are claiming they are outing for misdeeds.
I was alerted to an article from Finance Asia that called them on the fact that within this disclaimer, they are making the statement that the assumption must be made that the “Partners, Affiliates, Consultants, Clients, and other related parties” hold “short” positions in the securities profiled in the report. Which means that all of the parties named there will profit from shorts due to the data being released and potentially causing the stock to plummet and fail.
Say.. Isn’t that what got us all into this fix today with the markets and the banks in general?
Yes, indeed, that is the case and this statement within their disclaimer alone causes me to pretty much rescind my previous statements about any kind of approval for these efforts by Anon Analytics. Really, this is the pot calling the kettle black and then throwing feces to boot. This is not how you rectify malfeasance! Frankly, this could just then be considered only a machination to make money off of the use of information warfare (disinformation as well) to profit and manipulate the markets.
.. And as far as I know, this is rather illegal…
Look, what I said before about being above board with this effort still stands. If you want to right wrongs then you cannot use this effort as a potential piggy bank as well. At the present time, I cannot confirm all of your data from Chaoda however, if you look at the news following the reports release, you can see how you affected the market and the stock. The cause and effect may or may not have anything to do with your report in fact, but, time will tell if there are any real arrests in the whole affair concerning Chaoda. If there aren’t and nothing can be conclusively proven, then what has really been done to the company? Some losses yes, and, by your statement, those around you will profit.. Potentially.
If you want to make a difference, you cannot be a party to profit from information warfare that you are generating.
K.
Occupy Wall Street & Anonymous: Conflation, Synergy, Diffusion, and Media Spin
Image from the San Francisco Chronicle
It All Started With Anonymous and Wikileaks
The Chinese have an aphorism “May you live in interesting times” It’s a bit more of a curse than it is an aphorism, but, the gist is that they are not wishing you a “good time” It has been feeling pretty “interesting” this last year and I really have to say that it all stems from Anonymous’ and their ignition of the nascent feeling today of powerlessness on the part of many. Whether it be their personal lives, or perhaps by looking at the whole of the world through the instantaneous news cycles that today’s technology has afforded, in general, people are not feeling as though they have much control over their daily lives.
I would have to say that much of this has its genesis in 9/11 and the post 9/11 world that we have come to be in. Security has become the operative word for some excesses by government to use its powers (self created) Case in point, the ability to spy on anyone deemed to be a threat without a warrant. The knee jerk reaction to 9/11 has allowed for a fear based response that has set some pretty scary precedents these last 10 years. Add to this the bank scandals, the recession, the fallout from Fanny and Freddy, and waves of greed and misdeeds on the part of corporations that influence the government, and we have quite the picture of how things have gone sideways.
But.. Much of this is not new I’m afraid. Wikileaks just opened the secret flood gates in some ways. Though, had you been paying attention you likely would have already known much of what Wikileaks was trying to say before the big dumps began to show up online.
What is new is that a new generation of youth have been disenfranchised enough to take up arms against it all as they see fit. Anonymous, was the catalyst for this in their early attacks on oppression like “Scientology” a system which really is much more a corporation melded with a religiosity (faux) to create an entity that is not taxed, does not have oversight by anyone, and seems for all intents and purposes, to be a “Corporate Cult”… Which when I think about it now post Steve Jobs departure from this mortal coil, is a lot like the reverb surrounding Apple and the Jobs-ian “passing on to a higher plain” claptrap.. But that is another story…
Either way, the gist of this all is that Anonymous and Wikileaks is the progenitors here I think, and it is the very nature of the collectives technical bent that has lit this fuse that finally reached out of the digital Kabuki theatre and on to the real streets.
Technology, The Great Equalizer
Anonymous’ use of technology only comes naturally as they formed online. It is with the growth of social media and the connectivity that we all have today with smart phones, that the movement went viral. Some may say it was the targeting, but I would say that the targeting was always there, but those who were feeling the miasma weren’t able to express it in the normal ways of yesterday. However, with blogs, micro-blogs, twitter, texting, etc, people coalesced into groups on their own with a collective gravity that eventually, had enough psychic mass to catch on large scale.
It is this very thing that has led to what we see today. From flash mobs to the final outcome of the occupy movement that harkens back actually to the early Tea Party movement in the way the word got out and collected like minds to its cause. All of these people have found each other and inspired one another to react to what they are perceiving as injustice within the systems in which they live. The technology has given the tools to the populace to respond in a way that only the mass media has had the corner of the market on for so long.
Added to this the technical aspects that bred not only the Anonymous “Hactivism” we have a new paradigm for dissent. The recent threat to DoS NYSE by Anonymous is case in point to the technology being used as not only a weapon but also as a means of protest, though the legalities of such attacks is questionable. The law has yet to catch up on much of the technology, so the arguments upcoming over the LOIC arrests for the MasterCard denial of service attacks will likely generate new law either way.
Interesting times indeed.
Occupy Wall Street.. Why Again?
Of late, the “occupation” movement has picked up speed all around the globe. However, it seems that with these demonstrations unlike the ones in the 60’s over Civil Rights, seems rather more diffuse when you go and observe what’s going on. Now, one could say that this is media spin, but, when I look at the aggregate reporting from all sides, I can see how some might categorise the movement as being diffuse. On some fronts, the movement seems to have been co-opted by others with more shall we say, exotic demands? I guess my fear would be that this turns into a Lolapalooza or a Burning Man instead of a protest with specific goals in mind.
Occupy Wall Street has a set of 13 goals that seemed to me pretty straight forward, yet, they seem to be open ended. Perhaps the movement might tighten them down a bit and generate some more concise and workable (demands) for lack of a better term? In the era of the 60’s there was a defined demand for a civil rights bill.. I suggest to you all now that you work something akin out on paper to give to the congress critters that want to work with you. After all, its kinda pointless to ask for things like “stuff” and expect to get something back (including support) that is concrete from the establishment. How about you get some of the luminaries in the economics field to give you ideas for positions?
Unless you direct all this energy, you will all be collectively mocked as a bunch of stinky hippies without jobs or just attributed to be “malcontent’s”
Define the argument… Get the 60’s protesters to show you the way.. After all, they really did change things.. For a while.
The Media, Lapdogs To The Corporations?
Speaking of perceptions, here we have one of the key issues today. For a long time it seemed as though the mainstream media was ignoring the protests. Perhaps they thought it was just going to go away and it wasn’t news. However, as they have come to find out, there seems to be a large disenfranchised populace out there willing to protest. Just who are they protesting and what seems to be the issue both from the perspective I have as well as what the media might want to portray it to be.
Yes.. That’s right, I am not a fan of the media today. It is my opinion frankly that Cronkite’s demise only saved him further pain and anguish over the career that he loved so much. The mainstream media as it’s called, is pretty much a corporate run “profit” centre as opposed to what it used to be “a cost centre” That’s right kids, as soon as news became a “for profit” business as a whole, its efficacy in providing true reporting became much diminished. Now, this is not to say that this wasn’t the case before. In the 19th century all you had to do was look at the newspapers of the day and you could see it was all about “if it bleeds it leads!” and just how much money could be made with a lurid headline. Of course today we get the same treatment from a fire-hose of sources online and off, all of which is now pretty much solely being run for profit.
When people talk about the media being the lapdogs of corporations, they need only look as far as FOX *cough* News, who really came down to the point in a court case claiming that they aren’t really news, but instead “entertainment” Enough said really huh? So, when I see the stories not only about things like Occupy Wall Street, but also anything I have a pretty good knowledge of, I see their spin to get headlines and attract viewers.. Viewers who in turn are the targets of marketing and advertising between segments. Follow the money…
Of course speaking of Fox, you only have to read a bit more and see how Mr. Kane.. Uhh, I mean Mr. Hearst… Uhh, I mean Mr. Murdoch uses his papers and other media operations to sway the public and the government. Even his machinations involving phone hacking is a telling piece of the puzzle no? Yes Virginia, Mr. Murdoch does underhanded things to get what he wants…
So, while we are protesting the other injustices, one might suggest that you all pay attention to the media that you are being interviewed by and made into sound bytes…
They can control the story.. Catch them at it… Stop it when they do.
The Governmental Response and New Backlash
Meanwhile, another faction that is being used by the media (hand in glove) is the government and the players within it who would use these tools. The recent coverage of the Occupy Wall Street movement on CNN for instance shows how the media can be used to portray the movement as nothing but unwashed stupid hippies (the falor Newt gave to the debate) Perhaps Newt was misquoted? Maybe it’s out of context? I think not. I find it really funny that the Republicans have latched onto this issue by saying that it is a symptom of “Class Warfare” and generally acting like the old man yelling at the kids to get off his lawn. Well, come to think about it, I guess that is pretty much on the mark, Wall Street is their lawn ain’t it?
The Democrats are only a little better on this issue as well. Sure, they support what is happening or what’s being said, but really, do any of us really think they are feeling so moved by their own ethos? Or might it be that it’s election season and they are seeing potential voters? Yeah, I think its the latter too. Frankly both parties are useless in my book and as for the Tea Party, well, they are pretty much tinfoil hat wearing reactionaries to me. However, this is not to say that they don’t have a core idea that is right.
Change needs to happen.
It’s just how and by whom is the real question.
So, when all of the Congress critters get in on talking about this I take it all with a pillar of salt, not just a grain. Meanwhile, we have the police responses to the protesters. For the most part, I can take no issue with the arrests that have happened on the face of them “legally” however, when violence is involved, then I begin to wonder just what the Hell is going on. Of course tensions will run high and there will be morons like Bologna (mace boy) but on the whole, I think the response thus far has been pretty even handed on the part of law enforcement. I know others will likely take issue with this, but, this is just my opinion of what I have seen thus far.
However.. Just how long will it be before the anti-occupy Wall Street folks start showing up fueled by the likes of the Tea Party whacknuts or worse?
Time will tell…
A Return of the Sixties and Socio-Economic Upheaval?
I have written at least a couple of times in the past year that I was beginning to feel as though the 60’s were coming back. With the Occupy Wall Street movement gathering strength and more voices being added, the spectre is back isn’t it? We still have many of the issues from the 60’s that haunt us all, but I would have to say that I am going to amend this statement with a time shift as well as political bent. I would have to say that this movement has much more akin with the 70’s than the 60’s.
In the 70’s we had the Vietnam war still ongoing. We had Nixon and the excesses of his grab at illegal wiretapping and wet-work in the US as well as outside. When it all came to light with the publishing of the Pentagon Papers as well as the exposure of the “Plumbers” by Woodward and Bernstein we got a peek into executive malfeasance. Compare that to today post GWB and two wars post 9/11… No wonder we all don’t trust our government huh? Now though, we have the elephant in the room added to the mix of business and money seeking to control the government through lobbying and other chicanery.
Frankly, it took an economic apocalypse to wake people up to it all..
My Conclusions On All of This
I foresee “interesting times” ahead. This movement will continue and likely will have no real effect in the short term on how our government is being run (primarily meaning going to the highest bidder) However, I think that this movement may in fact spawn the youth of today to action. Action meaning that they will take an interest in the system and perhaps seek ways to improve it. My hope is that they do and that someday things get a bit more cleaned up but, that may not be for some time. The sad truth of it though, is that for every Mr. Smith going to Washington, there is another who goes without the wide eyed wonder and sense of honesty who just seeks to puff themselves up and line their pockets.
Another sad fact is that there may even be some altruists who go there with good intentions and then find themselves following the lead of the Mr. Potter’s of the world.
One hopes that is not the case..
K.
Inspire Magazine Analysis: Going Green for College Age Recruits
Now that the file has been around a while, I have gotten around to reading all 61 pages of it and have the following analysis to blog about. After thinking about it a bit and doing some research from data culled from the file and the prose I have to say that yes, this is a slick attempt at recruitment for the teen-twenty somethings in the West. However, when I say slick, I only mean that it has some interesting graphics and methods to get kids to join their cause. On the whole though, it is an uneven piece of propaganda that does harbor some serious portents about things that I have mentioned here before.
- They are adopting espionage tradecraft
- They are splintering further down, advocating small independent action cells
- They are using encrypted communications and advocating for more secure operations online
- They have begun marketing to the “youth culture”
- That same “youth culture” that idealists inhabit includes the “green movement” arguments
- They have begun to adopt the more mainstream propaganda tools of major governments
I have to say, these guys are learning and they I swear that they have begun to read psyops texts as well as advertising age to get to where they think they need to be to win. This is something different, however, this is not as much of a threat to the nation as “they” would have you think it is per their posts and chatter after its release and subsequent hacking/infection by malware.
All they really need to do next is watch “Cool Hunters” on PBS and then apply some more of these tactics.. Then they could maybe sell.. Well, would any Western teen buy into the 72 virgins idea? I think not. So, they try to be slick and all Mad Men, but they fail because of what they are trying to sell…
Religious zealotry and a culture of loving death.
Which, I should think is quite the opposite of the Western mindset. Of course they are trying to get the whole “It’s an adventure” thing going with all the talk of going on site and fighting the good fight, but, it just will not ring true with the majority here in the US. Of course, there are always those who are willing to follow along. I think though, that most will have to be deranged or brain washed by the local Imam and cell mosque in order to really buy a ticket and bring a friend along for the ride. These folks also more than likely will be originally from other countries that they feel ties to which are re-enforced by this type of rhetoric.
So, here are some observations:
First article attempts to make a “green” argument for jihad and the removal of the US from the area. This is an alleged piece by OBL and claims that all of our problems with the world are oil based and this can be remedied by Jihad. In other words Allah will be loving it if you get the khafir out of the Muslim lands. Once that happens its all good.
This was quite interesting to see OBL getting all green. Somehow I doubt it was actually him doing the writing here. I just don’t see OBL wearing a Greenpeace shirt and protecting a baby harp seal.. Do you?
The articles vacillate between saying if you leave there will be peace to “all khafir must die” There are some wild mood swings in this pdf. Its almost like you were talking to someone under anger management therapy and you have to talk them off the ledge.
Mukhtar’s piece is oriented toward college age males with media board bandito imagery. He also advocates brining a friend and learning the language. This is the very “college” looking piece and is aimed at the twenty somethings. I would hazard a guess too, that the handwritten look is not just a type font, but in fact someone’s actual handwriting. Let the graphologists loose!
Abu Musab Al Suri’s piece advocates small cell/single jihadi terrorism. There is a long section of history and philosophy on their war thus far. They have learned that the agile force is the one that is hard to catch, hard to destroy, and has the most bang for their buck. Thus they are advocating making small bombs at home that could kill 10 people as a process to learning how to make bigger ones. All the while they are using guerrilla warfare tactics and philosophy to sell jihad everywhere. What it boils down to is this: Do this at home and breed fear. This is a dangerous idea because inevitably there will be people who buy into this. The bomb making section has been removed from the document for your and my protection.
Technologically, they are getting more savvy. The writers have given the would be jihadi’s pointers in internet security that include the use of encryption technologies (Al Majahden 2) which I have written about before and have a copy that has been pulled apart. They even go as far as to show how to authenticate that the program is official with hashing sigs. They also are advocating the use of proxies as well as being in internet cafes. Another surprise was a section on cell phone safety too AND the use of live distro’s on USB. It was inevitable as all this is out there on the hacking sites anyway.
In the final analysis, they also put in their pulic key as well as a series of emails to contact with with. Ironically, the actual posting o the pubkey gave me something to use in Maltego and it turned up some very interesting results! I will be chasing those down in the near future as well as more on the email addresses.
I wonder if there will be an issue #2….
I have to say though, that their market of young and impressionable individuals may be swayed by some of their arguments. They do lay them out logically (well their logic) and try to use the tools of the west on itself, but then you hit the sections of “kill all kafir!” and you have to go
“whoa, where was I?”
As a psy-op they have gotten off to an interesting start…
The full file sans bomb making plans can be downloaded HERE The sections omitted have graven images of Muhammad so YAY fatwa’s on me! Take a long swig of something and sit down to read the drivel.
CoB
Losing the War with Japan… Or was it Losing The War With China…Maybe Ourselves…
A keiretsu (系列?, lit. system, series, grouping of enterprises, order of succession) is a set of companies with interlocking business relationships and shareholdings. It is a type of business group.
Recently, I came across an old episode of PBS’ Frontline that was titled “Losing The War With Japan” (click link to see it on YouTube) In this 1991 report we see how the country was concerned with the rise of Japanese business and their “unfair” practices of Keiretsu and Zaibatsu. Of course the report calls it “Predatory Capitalism” but I would just say that they were being smart. I guess one man’s smart is another losers 1-800-WAAA, but we are a country of laws are we not? So sure, I can see my way clear on some of the charges in unfair practices. However, now that nearly twenty years have passed what have we learned?
Obviously not much…
Lets run down whats happened since the Frontline piece.
1) Japan took over the car market and the US Auto industry learned nothing. They remained bloated and making poorly thought out, bloated, gas guzzlers and are now in bankruptcy or near to it.
2) Japan got too close to America and took on too many of her ways. Soon there was a meltdown in their economy and a slew of admissions of malfeasance by corporate entities.
3) America had a boom and bust over “internet stocks” basically vaporware Greed was indeed good and the Ivan Boesky set began to plan for even bigger schemes that would come to roost in our current “credit default swaps” fiasco and near depression. The net effect, we began to not make anything here except maybe “intellectual capital” that is currently being stolen and reverse engineered in China.
4) America began the great outsourcing of all the things we no longer “make” in order to have better bottom lines on balance sheets from cheaper labor in third world countries.
5) China buys great quantities of our debt.. They now effectively “own” us.
6) The “Great Recession” comes post 3 front wars for many years and an abdication of any kind of regulation on business, banking, stocks, etc. Even though, we were warned that the big banks were playing fast and loose with our money and selling us magic beans.
7) Now China looms as a new kind of super power that deems to attack us on cyber and economic fronts in order to become the pre-eminent super power. Basically, they have us by the short and curlies economically as well as technically (e.g. cyber warfare)
So, how did we not learn from history? How is it that this country just went on its merry way and learned not one thing from its near miss with Japan? Did greed and self absorption just blind us to it all?
In a word.. Yes.
We have failed ourselves by not paying attention and our government has failed us for not being able to comprehend what was going on. We elected the morons in office and they let go of the tiller that controlled the business world’s ethical rudder. Of course, we the people didn’t help either as we were rolling in the new money that was rolling in from tech stocks, or ponzi schemes that had been all the rage.
There’s a line from “Rising Sun” that always struck me as true and now that I look back it is absolutely so.
John Connor: We’re playing that most American of games.
Web Smith: Which is what?
John Connor: Catch-up.
Lets face it, we are playing catch up because we have been too intellectually incurious to see what has been happening all these years. Can we catch up now I wonder? Or will we continue down the same path of blind faith in the system and personal greed?
Of course one would have to also hope that the “system” i.e. our government would not let themselves be led down the primrose path again like they have with all of this credit default swaps and “too big to fail” banks falderall… I hold out little hope.
Take as look at the Frontline stories and ponder…
CoB
The Oil Factor
Looking at this with the 6 years of history one cannot but see some validity.Take note of the debate now about pulling out of Afghanistan as opposed to the lack of talk in removing forces from Iraq. The difference is of course that there are no petrodollars to be made there. Poppy dollars sure…
Digital Collateral Damage: Cyberwar Blowback
Weighing risks of civilian harm in cyberwarfare
New York Times
Posted online: Aug 06, 2009 at 2212 hrs
John Markoff & Thom Shanker
It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the US invaded Iraq. He would have no money for war supplies. No money to pay troops. “We knew we could pull it off—we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.
But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the US.
Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.
While the Bush administration seriously studied computer-network attacks, the Obama administration is the first to elevate cybersecurity—both defending American computer networks and attacking those of adversaries—to the level of a White House director, whose appointment is expected in coming weeks.
But senior White House officials remain so concerned about the risks of unintended harm to civilians and damage to civilian infrastructure in an attack on computer networks that they decline any official comment on the topic. And senior Defence Department officials and military officers directly involved in planning for the Pentagon’s new “cyber command” acknowledge that the risk of collateral damage is one of their chief concerns.
“We are deeply concerned about the second- and third-order effects of certain types of computer network operations, as well as about laws of war that require attacks be proportional to the threat,” said one senior officer. This officer, who like others spoke on the condition of anonymity because of the classified nature of the work, also acknowledged that these concerns had restrained the military from carrying out a number of proposed missions. “In some ways, we are self-deterred today, because we really haven’t answered that yet in the world of cyber,” the officer said.
In interviews over recent weeks, a number of current and retired White House officials, Pentagon civilians and military officers disclosed details of classified missions—some only considered and some put into action—that illustrate why this issue is so difficult.
Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to degrade Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.
Besides blowing up cell-phone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite-phone and cell-phone coverage to Iraq to alert them to possible jamming and ask their assistance in turning off certain channels.
Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cell-phone and satellite-telephone systems. That limited damage was deemed acceptable by the Bush administration.
Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.
These missions, which remain highly classified, are being scrutinised today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on Newsmax.com, a news Web site, in 2003.
The government concerns evoke those at the dawn of the nuclear era, when questions of military effectiveness, legality and morality were raised about radiation spreading to civilians far beyond any zone of combat.
“If you don’t know the consequences of a counterstrike against innocent third parties, it makes it very difficult to authorise one,” said James Lewis, a cyberwarfare specialist at the Centre for Strategic and International Studies in Washington. But some military strategists argue that these uncertainties have led to excess caution on the part of Pentagon planners.
“Policymakers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic”—conventional—“weapons,” said John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, California. “The cyberwarriors are held back by extremely restrictive rules of engagement.”
Despite analogies that have been drawn between biological weapons and cyberweapons, Arquilla argues that “cyberweapons are disruptive and not destructive.”
That view is challenged by some legal and technical experts.
“It’s virtually certain that there will be unintended consequences,” said Herbert Lin, a senior scientist at the National Research Council and author of a recent report on offensive cyberwarfare. “If you don’t know what a computer you attack is doing, you could do something bad.”
My thoughts:
It’s an interesting thing to ponder just how much havoc could be wreaked by attacking an infrastructure in a cyber war. Now, if you think about the “homeland”, (yeah, I hate that term since it was apropriated by the previous administration) has most of its infrastructure in private companies hands AND is very interconnected. Attack one, you may have collateral damage that will cause a more far reaching affect.
Lets look at it this way.. The US is very connected… Iraq in 2003 was not “that” connected to really have much collateral damage. Sure, Intelsat had issues, but it was no biggie. So, what would happen if our infrastructure were attacked en masse? I could foresee a lot of “fire sale” images ala Die Hard really, but, the reality is somewhere less grim. We would be inconvenienced really, and that’s about it, unless, the attack in the cyber world were in tandem with physical attacks.
Just as the operations mentioned in the article the real whammy is in the physical destruction of systems and infrastructure, not only from a cyber stance but real ruin. THIS is what the government really fears. Take out the eyes and ears as well as the C&C and we’re fucked. Just as 9/11 was all the more crazy because the towers held key comm’s infrastructure for the city, this type of attack would leave us unable to communicate, control, and give orders.
So, with all the talk of cyber war, just where are we really?
Well, I have said it before and I will say it again. Our security posture as a nation is “teh suck” for the most part. This is why the “Cyber Tsar” (another term I am hating for it’s misuse) is so important as well as their function to get this country to perform the “due diligence” where our network and infrastructure security posture is concerned.
And you can see how well that’s going huh…
Here’s the bottom line:
1) Have supplies ready in case our infrastructure is taken down in spots or as a whole; Food, Water, etc.
2) Prepare for being without power. If I were an aggressor, the first thing I would hit other than COMMS would be power. So, get the genni’s out or have solar
3) Have your own COMM’s systems like HAM or CB that can be SIMPLEX or dare I say it, even have your own repeater
4) Don’t Panic: If there is an attack of this nature, the only time I would really worry is if the bombs start falling or massive amounts of people start coming down with a raging hemorrhagic fever… Or Zombies start banging on the door…
5) If by chance this all is brought on by a nuclear detonation in the atmo… Well, unless you have shielded equipment, you’re pretty much back to stone knives and bear skins… So adapt… There’s nothing you can do.
Lets just hope it doesn’t come to that….
So there you have it… Unless we get our collective shit together, its possible that we could have a real situation on our hands… Those in the know will be better off…. Of course we are all gonna be saved by smart meters and cloud computing! So no worries!
Snort!
The “Insider Threat” aka Your Companies Management
Two stories on the internet today piqued my interest in the actual facts of this this issue of the “insider threat” as opposed to hack attacks from external sources. I would say that perhaps aside from “security theatre” that the real insider threat is the inaction and incompetence in some cases on the part of the companies out there who are insecure from basic lack of secure practices. This I would think is the larger issue that allows both insider attacks as well as outsider to be so successful.
Basic things like default settings on systems, printers, network appliances, applications, etc really make the work of the insider or outsider very easy. Once those low hanging fruit attacks are performed, the foothold actually can be in fact root on many systems because of these issues not being remediated at the time of install on many systems.
The first story I saw today had the headline of: Security Experts Raise Alarm Over Insider Threat and it espoused the common thread of late that all the layoffs today are making turncoats out of many and thus, those with the insider access are the biggest threat. On the one hand I agree with that assessment. However, if the company in question is actually following procedure, they should be able to mitigate the issue by closing accounts and changing passwords etc on key systems. This is of course to say that you actually lay this person off, and walk them out at that moment.
If instead your insider thinks that they are about to be laid off, well, they may use their access to steal data or perhaps even damage it before they get the ax. So sure, they may actually be a threat in this way, but, I think there is a larger threat by their ethics being lax and someone coming along with some quick cash or a threat of blackmail. You see, I think that the insider threat must be approached from a HUMINT (aka spying) angle instead in this day and age.
The average disgruntled employee is the one that I would approach with quick cash after some time getting to know them and egg them on. Once you have them in the bag you just ask them to do the deed with the promise of money. Access can be bought these day if not easily tricked out of a worker with some low end social engineering. On the other hand, were I looking for some more long term and higher access I would go for the longer approach of coercion of an asset.
All this aside, either way you do it you, the company, make it easier for a non technical person or a technical APT to root your networks when you don’t follow the most basic of security principles of CIA. Which brings me back to the larger of the inside threats… Management.
In all my years of assessment, I have seen all too many places where the management just does not get security, does not care about security, and does not want to spend the time and money doing the due diligence for secure operations. Without a proper buy in from the top, then security becomes a non issue with the masses and thus nothing is carried out securely at company X. Default passwords, no passwords, poor passwords, sharing passwords etc all are very common in places without any security insight. Often too, these companies have no insight into what is happening on their networks to tell if indeed someone is attacking or exfiltrating data out of their networks through their own firewall… Never mind the guy with the 4 gig USB stick who just downloaded the “secret sauce” recipe and is walking out the front door as he smiles at the guard.
So, my take, the insider threat is a big one indeed and so easy to exploit.
And that brings me to the second article today: Simple information security mistakes can cause data loss, says expert wherein an eminent forensics investigator from Verizon has found through his assessments that the outsider attacks have been far greater. He does however in a backhanded way, have my opinion as to who that insider threat really is: Management.
However, as the article does not really cover this overtly nor the real insight I think about “who” these attackers are I will add to this a bit. I think that those spear phishing attacks that rely on very specific individuals being targeted also has an insider portion to it. After all, just where does all that data come from to target these individuals? The inside of course.
Intranet/internet websites are a rich data mining arena for the APT or the industrial spy. All too often the companies themselves give up all the details an attacker could ever need or want. Most of the time too no hacking need be done to get the information and often much more data than should be available is due to misconfiguration as any good Google hacker can attest. Add this to the whole lack of security posture and you have a deadly mix.
So, to bring it all together, I think that as a general rule “we” are our own worst enemy and the de facto “insider” threat when security is not applied.
DoD 2009 PLA Cyber Warfare Capabilities Assessment
US DoD Estimates of Chinese Information Warfare Capabilities and Commitment 2002-2009
2009
“PRC military writings highlight the seizure of electromagnetic dominance in the early
phases of a campaign as among the foremost tasks to ensure battlefield success. PLA
theorists have coined the term “integrated network electronic warfare” (wangdian yitizhan –
网电一体战) to describe the use of electronic warfare, computer network operations, and
kinetic strikes to disrupt battlefield network information systems that support an adversary’s
warfighting and power projection capabilities. PLA writings on future models of joint
operations identify “integrated network electronic warfare” as one of the basic forms of
“integrated joint operations,” suggesting the centrality of seizing and dominating the
electromagnetic spectrum in PLA campaign theory.”
“In 2003, the CCP Central Committee and the CMC approved the concept of “Three
Warfares” (san zhong zhanfa – 三种战法), a PLA information warfare concept aimed at
influencing the psychological dimensions of military activity:
o Psychological Warfare seeks to undermine an enemy’s ability to conduct combat
operations through psychological operations aimed at deterring, shocking, and
demoralizing enemy military personnel and supporting civilian populations.
o Media Warfare is aimed at influencing domestic and international public opinion to
build public and international support for China’s military actions and to dissuade an
adversary from pursuing policies perceived to be adverse to China’s interests.
o Legal Warfare uses international and domestic laws to gain international support
and manage possible political repercussions of China’s military actions.”
“The PLA is investing in electronic countermeasures, defenses against electronic attack (e.g.,
electronic and infrared decoys, angle reflectors, and false target generators), and Computer
Network Operations (CNO). China’s CNO concepts include computer network attack
(CNA), computer network exploitation (CNE), and computer network defense (CND). The
PLA has established information warfare units to develop viruses to attack enemy computer
systems and networks, and tactics and measures to protect friendly computer systems and
networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily
in first strikes against enemy networks.”
“According to a 2008 Federal Bureau of Investigation (FBI) statement, PRC intelligence
services “pose a significant threat both to the national security and to the compromise of
U.S. critical national assets,” and concluded that these services “will remain a significant
threat for a long time.” The U.S. intelligence community has noted that, of all foreign
intelligence organizations attempting to penetrate U.S. agencies, China’s are the most
aggressive.”
“China has also identified 16 “major special items” for which it plans to develop or expand
indigenous capabilities. These include core electronic components, high-end universal chips
and operating system software, very large-scale integrated circuit manufacturing, next-
generation broadband wireless mobile communications, high-grade numerically controlled
machine tools, large aircraft, high-resolution satellites, manned spaceflight, and lunar
exploration.”
“Shu Quansheng, a naturalized U.S. citizen • who worked as a physicist in the United States,
pleaded guilty to violating the Arms Export Control Act by providing the PRC with
information on the design and development of a fueling system for space launch vehicles.
US DoD Estimates of Chinese Information Warfare Capabilities and Commitment 2002-2009
Chi Mak, a PRC national, acknowledged being • placed in the United States for more than 20
years to conduct espionage against the United States, providing sensitive plans for U.S. Navy
ships, submarines, and weapons to the PRC. In March 2008, he was sentenced to twenty-
four and a half years in prison by a federal judge.
In April 2008, Indian Government officials confirmed that its Ministry of External Affairs’
computer network and servers were the victims of intrusions that appeared to originate in
China.
In May 2008, the Belgian Government reported that it had been targeted by PRC hackers
multiple times.
In May 2008, U.S. authorities investigated whether PRC officials secretly copied contents of
a U.S. Government laptop during a visit to China by the U.S. Commerce Secretary and used
the information to try to penetrate into Commerce computers. The investigation is
ongoing.”
Well, looks like the Chinese Overlords have high plans for those back doors they are alleged to have left in our Grid networks. I find it rather amusing that “WE” invented the internets and “WE” first took the lessons of Sun Tsu to the likes of VMI and yet “WE” failed so miserably at determining the cyber warfare capabilities of the technologies we unleashed on the world. Even less so did we actually make any attempts at SECURING that technology that “WE” created and disseminated out of sheer laziness or stupidity… Or both…
Now we are behind the 8 ball and everyone is beginning to panic….
Such hubris…
Krypt3ia 