Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Economy’ Category

Someone Asked A Question: I Have A Crabby Answer


Recently I was asked on the Black Hat LinkedIn group to provide what I thought would be remediations for the information security issues where the power grid is concerned. I would like to take a larger approach though, toward an overall security makeover for this country altogether.

While I agree that the nation's grid system needs to be “secured” properly, it is the problem du jour in the mass media, which has only recently latched onto it, and it has “sensational” written all over it. What needs to happen though, is that all quarters of cyber insecurity should be examined and remediated as a whole for this country to be carrying out “Due Diligence”.

By all quarters I mean that all companies as well as individuals should be more aware of security issues that stem from their owning a computer that has been hooked up to the internet. Companies should, by their very nature, want to secure their networks and machines in order to not lose money through compromise and the FUD that shakes out afterwards if it hits the media. This is not the case though in my experience as an information security specialist. So here are my thoughts on the causes as well as the fixes that I would recommend to best secure our nation. Much of this though is not of a technical nature. You can have all the technology in the world and still be compromised by human nature.. Just ask any Social Engineer.

The Problem: Poor Danger Perception and Cogitation

The problem as I have seen it comes in two flavors. The first being the fact that humans are unable to effectively judge long term threats. With the advent of computers and networking, much of the populace is not only inured to their use, but also the idea that they are in fact magical boxes. Much of our population might as well be Cro Magnon man looking on at the winking hard drive lights as if they were the gift of fire or the arcane steel secrets of Conan’s God Crom.

All too often people just have no clue about how the systems work, nor a basic grasp of what they should NOT do on the internet to stay secure. This is why many of the attack vectors have shifted in the recent past from a technical aspect to a “social” aspect. With the advent of “Social Phishing or Spear Phishing” the aggressors have begun to exploit human nature much more, alongside those technical vulnerabilities. Just look at Conficker and see how an old exploit has been leveraged because of the “human nature” toward complacency and lackadaisical patching processes.

So, as humans go, we are really poor (scientifically borne out) at the judgement of long term threats as opposed to “fight or flight” which we evolved a great ability to determine and react to the tiger on the Savannah. Digitally, we are more the frog in the pot of water that has been set to boil really. Eventually we will get cooked but oh we will have such a nice bath up until then huh?

In short, until we as a whole get a firm grip on the nature of security on the internet and information security altogether, we will be poorly able to be proactive about securing ourselves and our country. It’s here that I bring you the next topic to consider. Human nature as regards complacency.

The Second Problem: Humans as a whole are complacent and prone to habit

Complacency, ahh what a nice term for LAZY huh? Every time I hear the whine that a user has to remember “another” password or for that matter “A” password that is more than 4 characters long I feel a blood vessel about to burst in my frontal lobes.

“I am sorry, but yes, you do have to use that 2 lbs of gray matter we call a brain to actually remember things ok?”

Many of the attacks out there today rely on the human proclivity to stick to simplistic thought, or on the inability to fully carry out the administration of the systems people run. The common password no-nos of using your first name, pet's name, kid's birthday etc. have been somewhat mitigated now by systems that, if set up properly, will deny these simple passwords. However, all too many times even these measures are not implemented fully, if at all, at home, never mind in the corporate setting.

The same goes for patching and updating systems. Either you have auto update on (which may cause you to blue screen anyway if you get a half baked patch a la M$) or you are supposed to be following protocols that may or may not be written into policy at your local Uber Mega corporation. Often, even IF they have been written down, they are not being followed to the letter or at all. Trust me, I know after six years of audits on Fortune 500s.

In essence, the short and long of it is that we, humans, are lazy too. It's too much work to do all the due diligence! Hell, we'd have to spend all kinds of money and all kinds of time on REALLY doing the security due diligence that is required!

“And, well, we have other things to do ya know… I mean hell, Solitaire is time consuming!”

How do we fix this? Well here we come to the last talking point.

Security as MANDATE: The government needs to develop substantive laws and governance over cyber security

Recently senators have proposed legislation that would mandate the U.S. Government's overarching role in the information security of the nation. This would not only cover the government and the military, but also stretch to the private sector. The bill in place needs much more work, I agree. The language is way too broad and allows for some power grabbing by the president that hearkens back to the last regime's idea of the “Unitary Presidency”, and that, my friends, should scare the crap out of us all.

However, the idea behind the bill is something that I have been advocating for some time. I believe that the government needs to create laws that apply to all sectors of the US “infrastructure” and that those laws should have some tooth to them. What really comes to play here is the determination of just what is considered “infrastructure” and quite frankly I think every corporation in the US should be considered to be under that nomenclature. After all, if you are plugged into the internet, then you are connected bi-directionally to the “infrastructure” and by default a part of it.

The same case could be made for individual users too. After all, where do you think all those Conficker bots come from, other than corporations worldwide? Many of them are home users with persistent connections to high speed lines, aren't they? So at the beck and call of the bot herder, all of these users who have no clue about security or administration of their systems are de facto an integral part of the botnet vectors out there. Both corporate and private have become “The Infrastructure” by their connectivity and access to the internet.

Simply, I feel that it is the government's job at this point in time to create laws that have real negative impacts on corporations that do not follow the “best practices” approach to information security. Sure, we have had HIPAA and other legislation, but those, to date, have had no teeth. Nor did the government carry through in actual enforcement of those laws with due diligence. For that I blame the US Government for its inability to enforce its own laws. So where do we go from there? It can be projected that the Senate and House will make the laws and then fail yet again to enforce the new mandates over security. It's an unfortunately likely scenario given human nature and the ossification of our governance today.

Let's say they pass this set of new laws.. What then?

Well, what then indeed. What I would like to see is a series of laws that are backed up by a special branch of government and corporate entities, a commission, or a department, that would oversee this process. Such a branch would have to have a cabinet post as well as a set series of legal mandates that clearly give it power to create and enforce the information security policies of this nation. So far though, we have not seen such an entity. To date, we have a mish mash of groups that are vying for the right to be top dog on cyber security, including a Czar who recently quit because he could get nothing done. Why couldn't he get things done? Because too many other entities (DHS/NSA/FBI/DOJ etc.) were all too busy infighting to make a cogent decision and implement anything substantive.

The paradigm has to change or nothing will be done to secure our infrastructure. Will that have to be in the form of a “unitary president” laying down the law? It may just have to be so unfortunately. Will it have to be something akin to giving the whole kit and kaboodle to the NSA to run the show? It just might too and that scares a lot of people.

So, the short answers are these for me:

1. Create the laws over cyber security and create an agency to enforce them

2. Define what “infrastructure” really means and just who might be a part of that

3. Enforce the laws with negative impacts to those corporations/entities that do not follow the laws

4. Institute recurring and substantive re-validations of the security at corporations deemed to be “infrastructure”

5. Fine those who are non compliant after an audit unless otherwise agreed upon changes are in progress

6. Raise awareness to all about the risks of information security failures and educate the masses

Without negative impacts aka “law and punishment” we will not have any change with regard to our “cyber” security as a whole I am afraid. After all, we have laws to keep people in line. We have laws for those who buy guns about their use, why not over how corporations, the government, and the people use the “infrastructure” of the telco industry? Let me put it this way.. How many of you out there download MP3’s on BitTorrent even though it is technically against the law?

Yeah, and the law has been wishy washy hasn’t it? Sure a few people have been fined but really, has that stopped anyone? Now just think about if masses of the populace were being severely fined and perhaps imprisoned for MP3 downloads? You’d see a bit of a decline in downloading wouldn’t you? The same thing applies here.

But will it happen?

I have my doubts… We as a people are too lazy, complacent, and perhaps unable to see the bigger security picture as a whole to really do anything about it. If laws are made and agencies created I am sure that the corporate lobbyists will kill them in infancy because it will hurt their bottom line to really be compliant. It will be too much work and money and be seen as a pain in the ass to Joe user who will have to have a 9 character complex password.

Written by Krypt3ia

2009/04/13 at 22:04

Just How Important Is IT Security?


Cited from article HERE

Well, interesting little graph huh? Can you see the trending here? It seems that the corporate world STILL does not really “get” the whole idea of “Information Security” and its importance in this day and age. I still cannot fathom these numbers! How in the hell with all the hacking, industrial espionage, and outright theft going on out there today do they NOT get it and see INFOSEC as a real important commodity?

Sure, having information security can be costly, especially if you have done NOTHING to secure your data, your clients' data, your IP, whatever you hold dear and MAKES YOUR MONEY FOR YOU! But, uhh, if you LOSE that data, you lose your REVENUE STREAM you morons! Why? Why do you NOT get it out there, corporate America?

What’s that?… You say it’s too hard? You’re too fat and lazy?

Oh… Yeah… I forgot for a second there.

I have said it before but I will say it again. Human beings are incapable of really sensing and avoiding long term tangential ideas of danger. It would seem a concept clear enough that there are people and state actors out there who want to steal your data for their benefit. Why then is this such an arcane concept when any of us in contracting as infosec warriors try to get this across to the “C” levels on down in any random corporate entity?

Is it because they just can't get the concepts of computing? Sure, there are some luddites (ok, many really), so sure, they get that glassy eyed look and tune out. However, if you boil it down to:

“I just stole 20 million dollars from your bank! This is how and why.. I can help you fix it this way.. Please do these things”

and they don’t want to fix the issues or claim they are too “costly” to implement, well then, you have a recipe for another economic melt down on the macro scale. I have personally seen this in action many times, but the quote above actually happened. To the credit of the CEO though, he told the nay sayers in the board room to pay attention because he truly saw the implications of what I had done.

Now, not all of these security issues stem from “ninjas” hacking the “Gibson”, and this is where I really pop a blood vessel with corporate America. MUCH of the issues that need to be addressed for security's sake are low level and should be SOP for any company. It's called “Best Practices” and you can get them in the ISO 7799 documentation. These involve the basics of “classifying data” and having “Policies and Procedures” in place and enforced. This is not rocket science! Why do they so often fail at even implementing these?

Laziness.

That's how I see it. Not only are humans poor at determining long term threats, but they are often mentally lazy today. As a whole, the picture portrayed by the movie “Office Space” is a true one. How many of you out there have “Ass Clowns” running the show at your office? Many, I am sure. In all my years of consulting, rarely did I see a place with their shit together. All too often I also got called a “Bob” because I came around asking questions about what they do and how they do it. You could smell the fear.. Hell, I made an HR lady cry once! The irony of it? I wasn't even trying to be SCARY!

So, here we are… The economy is melting like a thermite grenade has been placed on the engine block. The state actors are getting more and more adept at hacking our systems and insinuating “industrial spies” in record numbers at our firms, and the government can’t even keep a “Cyber Czar” for more than a month as they keep quitting!

(As an aside, please read Why The Hell Was Secret White House Helicopter Data Found On A Computer In Iran? too. This is an excellent article on the MARINE ONE escape that ties back to my screed on security basics: government as well as government contractors should be spanked for not following basic security processes.. Leading to an escape of epic proportions)

I give up.. I can only cry out in the howling storm so long before I just get too hoarse and clam up.

Ladies and gents.. Start digging bunkers and loading up the ammo, MRE’s, and other necessities. Cuz, I expect “Thunderdome” any day now.

CoB

Hey Rube: Fear And Loathing In America 9/12/2001


By Hunter S. Thompson
Page 2 columnist
It was just after dawn in Woody Creek, Colo., when the first plane hit the World Trade Center in New York City on Tuesday morning, and as usual I was writing about sports. But not for long. Football suddenly seemed irrelevant, compared to the scenes of destruction and utter devastation coming out of New York on TV.

Even ESPN was broadcasting war news. It was the worst disaster in the history of the United States, including Pearl Harbor, the San Francisco earthquake and probably the Battle of Antietam in 1862, when 23,000 were slaughtered in one day. The Battle of the World Trade Center lasted about 99 minutes and cost 20,000 lives in two hours (according to unofficial estimates as of midnight Tuesday). The final numbers, including those from the supposedly impregnable Pentagon, across the Potomac River from Washington, likely will be higher. Anything that kills 300 trained firefighters in two hours is a world-class disaster. And it was not even Bombs that caused this massive damage. No nuclear missiles were launched from any foreign soil, no enemy bombers flew over New York and Washington to rain death on innocent Americans. No. It was four commercial jetliners.


They were the first flights of the day from American and United Airlines, piloted by skilled and loyal U.S. citizens, and there was nothing suspicious about them when they took off from Newark, N.J., and Dulles in D.C. and Logan in Boston on routine cross-country flights to the West Coast with fully-loaded fuel tanks — which would soon explode on impact and utterly destroy the world-famous Twin Towers of downtown Manhattan’s World Trade Center. Boom! Boom! Just like that.

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now — with somebody — and we will stay At War with that mysterious Enemy for the rest of our lives.

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerrilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive “figurehead” — or even dead, for all we know — but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.

Nothing — even George Bush’s $350 billion “Star Wars” missile defense system — could have prevented Tuesday’s attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.

This is going to be a very expensive war, and Victory is not guaranteed — for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won’t hold up their hands and confess, he and the Generals will ferret them out by force.

Good luck. He is in for a profoundly difficult job — armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

OK. It is 24 hours later now, and we are not getting much information about the Five Ws of this thing. The numbers out of the Pentagon are baffling, as if Military Censorship has already been imposed on the media. It is ominous. The only news on TV comes from weeping victims and ignorant speculators.

The lid is on. Loose Lips Sink Ships. Don’t say anything that might give aid to The Enemy.

Absorb what Hunter had to say 9.12.01 with the perspective of time… My commentary later today.

Foreign INTEL Focus


In the United States, the FBI is suspicious of Russia, Iran, and North Korea but has focused mostly on the Chinese. The feds estimate that there are over 2,600 Chinese front companies in the US.

The foreign intelligence threat within the United States is far more complex than it has ever been historically. The threat is increasingly asymmetrical insofar as it comes not only from traditional foreign intelligence services but also from nontraditional, non-state actors who operate from decentralized organizations.

Intelligence collection is no longer limited to classified national defense information but now includes targeting of the elements of national power, including our national economic interests. Moreover, foreign intelligence tradecraft is increasingly sophisticated and takes full advantage of advances in communications security and the general openness of US society.

In short, the foreign intelligence threat is more challenging than ever. In the fall of 2003, the Foreign Counterintelligence Program had investigations involving dozens of countries that focused on hundreds of known or suspected intelligence officers who were assigned to enter or travel within the United States. These investigations spanned all 56 field offices.

In order to meet these challenges, the Foreign Counterintelligence Program is being redesigned to become more nationally focused and directed. Through a more centralized program, the FBI will ensure its ability to establish priorities, be more proactive, and better engage other intelligence community agencies so that cooperation in important cases is immediate and seamless.

Full Article

Just when they thought it was all about the SIGINT and let the CIA slack and cut its funding (short sighted as all get out) 9/11 happens to teach us a lesson. What do they do though? They loosen the laws on surveillance and hope that the SIGINT does the job. They were wrong again. So, now with the increase in traditional spying they have to play catch up… Go figure eh?

Written by Krypt3ia

2009/03/04 at 01:26

Economic Warfare: The New World Threat Via Cyberspace


//START

With the onset of the global economic meltdown I would like to take a bit of time to ponder the possible problems we are going to run into as a country in the near future. I have spouted off before about the issues we are already facing with the rising of the Dragon in the East, but, I would also like to add a few other nation states to that list. Those states are as follows:

The Baltic States: (Russia and Ukraine for now)

Russia: With the re-awakening of the Bear in Russia to their “Cold War” aims, the Baltics have figured quietly but prominently in the geopolitical warfare in cyberspace. With the advent of a rather open cyber attack against Georgia by Russia, the Russians have come further out of the digital closet since the old “Moonlight Maze” days of the 90's. The taking down of the infrastructure in Georgia in coordination with boots on the ground was the first real “application” of full on cyberwar while fighting a ground war. By taking out some of the infrastructure it was harder for Georgia to respond properly to the attack, but, by fuller measures, this attack was but a first try that did not altogether do the job.

However, this incident shows just how much Russia has invested in the idea of cyberwar to augment the usual propaganda and other types of warfare in their arsenal. Now, this new application comes only after they have honed their skills in the spook world of SIGINT and MASINT, all the while adding the technological know-how to gather more and more INTEL. The bear is armed now with hackers, cyber warriors let's say, who have cut their teeth not only on the US, but also on the internet as a whole.

Ukraine:

With the spate of new malware packages coming out of the Ukraine, I am suspecting that this satellite of Russia is one of the larger incubators for the Russian cyberwar forces now being used and yet to come. Conficker and its progeny (B++ being the latest as of last week) are morphing and gobbling up machines in huge numbers, creating a potential competitor to “Storm Worm” for zombie network of the year.

These trojans are getting swifter and swifter at stealing data and beaconing it out to dynamic DNS addresses out there in the interstitial internet sphere. For all the black holing that a company can do, it is increasingly harder to deal with a bot that randomly generates site URLs to beacon to. For that matter, the latest iteration of Conficker actually does not need to beacon at all; instead it opens up a port and receives a push from its master, in other words a harder target to stop.
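The paragraph above makes the defender's problem concrete: a static blackhole list cannot keep up with a bot that generates its rendezvous domains algorithmically, so detection has to key on what those lookups look like rather than on which names they are. Below is an added example (not code from the original post, and not a Conficker-specific signature) of one such heuristic run over DNS query logs. The log format (`timestamp client qname rcode`), the sample lines, and the scoring thresholds are all constructed assumptions for the example; in production they would be tuned against your own resolver logs.

```python
"""Heuristic detection of DGA-style beacon lookups in DNS query logs (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, hypothetical format: "<timestamp> <client_ip> <qname> <rcode>".
# Client 10.0.0.22 queries random-looking names that mostly do not resolve, the
# classic footprint of a bot walking an algorithmically generated domain list.
SAMPLE_DNS_LOG = """\
2009-02-27T10:00:01 10.0.0.15 www.example.com NOERROR
2009-02-27T10:00:02 10.0.0.15 mail.example.com NOERROR
2009-02-27T10:00:03 10.0.0.22 qzxkvjdprtlw.biz NXDOMAIN
2009-02-27T10:00:04 10.0.0.22 hjwpqmfxzkvy.org NXDOMAIN
2009-02-27T10:00:05 10.0.0.22 tnbrvqlkwsxj.info NXDOMAIN
2009-02-27T10:00:06 10.0.0.31 update.microsoft.com NOERROR
2009-02-27T10:00:07 10.0.0.31 cdn.example.net NOERROR
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character; a label of all-distinct letters scores log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the TLD (naive second-to-last label; no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(qname):
    """Score 0-3: +1 high entropy, +1 vowel-poor, +1 long label. Thresholds are assumptions."""
    label = registrable_label(qname)
    score = 0
    if shannon_entropy(label) >= 3.3:
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    if vowel_ratio < 0.25:
        score += 1
    if len(label) >= 10:
        score += 1
    return score


def parse_log(text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield {"ts": ts, "client": client, "qname": qname, "rcode": rcode}


def find_suspect_clients(text, min_score=2, min_hits=3):
    """Map client -> suspicious qnames for clients with at least min_hits such lookups.

    An NXDOMAIN answer adds a point: a bot trying today's candidate domains
    mostly asks for names nobody registered, so the failures are the signal.
    """
    hits = defaultdict(list)
    for rec in parse_log(text):
        score = dga_score(rec["qname"])
        if rec["rcode"] == "NXDOMAIN":
            score += 1
        if score >= min_score:
            hits[rec["client"]].append(rec["qname"])
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_suspect_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

Per-client aggregation matters more than any single lookup: one odd hostname is noise, but one host producing a burst of high-entropy NXDOMAINs is worth an incident ticket, and the resolver log gives you that even when the names themselves change daily. Note that this covers only the beaconing variant the paragraph describes; the push-based variant that listens on a port never asks the resolver anything, so catching it needs inbound connection monitoring and egress/ingress firewall logs rather than DNS.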

Expect to see more out of Ukraine.. More than just another spate of ATM heists too…

The Asiatic States:

India:

Ahh India, the wonderland of the Asiatic digital frontier. A wondrous place where the US has dumped way too much outsource of our important digital work and are only now beginning to wonder if that is a “good thing”… But it’s so CHEAP!

Yeah, cheap and increasingly turning out to be insecure as all get out. If the Satyam incidents don't set off alarm bells for companies in the US, I have no clue what will actually wake their dead asses up to the risks they are allowing with their company and client data. Never mind that it's a country with a border to Pakistan, has some of the same issues of religious extremism, and happens to have a healthy dose of poverty that will enable theft and espionage.. Pay no never mind to that. Oh, and maybe perhaps the whole Mumbai attack thing might be a clue? Yeah..

India lately has become less palatable to the US as an outsource area because of the economic downturn, but only a small bit as the Indians are still so dang cheap! Also, given the recent story that I posted, they are still flavor of the day as H1B visas go. We are still importing many Indian workers like our friend (insert name) who did such a fine job with Fannie Mae’s network.

Where am I going here? Well, lets just ask this question: “How do you know that Pahud is actually Pahud from India and a good guy?“ Are we that trusting of their means of documenting their residents? Given the Mumbai thing, I think not so much. Of course the same case could be made for the US too.. How do I know that Jimmy is really Jimmy and not Bobby Rae, the southern Bible Belt anti abortion, right wing Christian whackadoo bent on destroying our data?

In essence, taking data out of the country that is deemed “sensitive” like personal data, or the creation of programs that handle sensitive data and giving it to places like India is a bad idea period. Alas, we have so many call centers out there don’t we….

Viet Nam:

Long a wild west of copyright infringement, Viet Nam is becoming more of a powerhouse in the area of cyber operations as well as economic warfare in both cyberspace as well as import/export. Even as I write, there are thousands upon thousands of stealth shops with farms of DVD burners cloning movies and software for consumption in the newly digital world.

Since the opening of Viet Nam to trade by the Clinton administration, they have been more and more on the rise economically. We are exporting some fabrication to them as well, bringing in new technologies for them to integrate and use to innovate their own. That’s a good thing, but also perhaps a bad one too. Definitely on the issue of the piracy, they are learning not only from us, but also Russia. Russia used to be the largest piracy spot… They still are, but only just…

China:

An oldie but a goodie. Ni Hao overlords!

Ahh China, what can one say that one hasn’t already in many sundry ways huh? China is a hungry beast that has a plan. Economically they have been a powerhouse for so long. Slowly selling us all of our crap all the while buying our debt. Face it, we are a wholly owned subsidiary of the Chinese government kids.

Add to this that the whole time we have been suckling at the Chinese tit, they have been working toward infiltrating all of our networks and infrastructure. Why? Well, to 0wn us more of course! To be able to pull that plug and have us laying on the ground as they dictate what they desire from us. You see, they want our trade, but they want our trade their way.. Kinda like Walmart!

So, they have honed their cyber skills, built the great Chinese firewall, and taken up the economic and cyber swords to increase their global status. They are a force to be reckoned with but are only recently being noted by the US government and the corporate world here. Of course the corporate world here takes little notice of much because they are usually feeling their own navel instead of paying attention.. But that’s another tirade for another day.

In short, China has a billion people to feed and clothe.. They will do just about anything to compete…

Conclusions:

So, what does it all mean? Why did I drag all these disparate countries together here? Because, they are all players in the great game of economics and world domination of course! Well, domination really only applies to China and Russia in this context, but then again, so does the USA huh? Given our last 8 years of empire building I can’t really discount us as a causal factor too.

All of these countries are emerging out of the third world category and into second with aspirations to first. They also have large swaths of populations that are rising. They are hungry, hungry for food, wealth, power, and just the things that we in the west take for granted. As they grow, so too do their needs and wants. All needs and wants that they will try to fulfill in any way they can.

It used to be just a two dimensional picture to many. That picture really consisted of “oil” like the premise of “Three Days Of The Condor” and of course that is a big player still. However, as the tipping point comes on the whole globe for so many types of natural resources, so too will the way wars are waged. No longer can we see one or two dimensionally.

As the economies globally slide further into failure as ours melts down, you will see a spike in cyber warfare, Intelligence Gathering, Industrial Espionage, and general crime from all of these countries and many more. We’ve gone global kids. We laid out the phiber between the continents. We are making inroads even further into new territories with the advent of WAP and One Laptop per Child and as we do so, the more countries will start to gain the technological abilities to wage economic, as well as real “cyber” war against us in a real way.

Yeah, so what? You say…

Well, just how tethered is our economy to our computing capacities? Ummm, like two dogs unable to separate during copulation, that's how…

Let's look at it this way.. How prepared are we? The answer can be found in the hiring of Melissa Hathaway and her 6 month review of the state of the “Cyber Readiness” of the USA in toto. Not only the government's stance, but also our whole infrastructure. Take it from one on the inside of the trenches for so long..

“We aren’t so healthy”

So far much “Security Theater” has been in the news and played out on the stages of many companies in the states. However, after the theater tent comes down and the wonks have all left the building, the lackadaisical corporate behemoths go back to feeling their navels and taking ever bigger bonuses home for being absolute failures at security.

We are ripe for the taking and no one is at the helm. No one has been at the helm for some time now in fact… I mean, can you name a cyber tsar that lasted in the position longer than just scant months? I can't and I doubt many of you can. So, why did they all cut and run? Because they could not effect change. The government up until now has been unable to focus their attention, never mind ours collectively, on the dangers involved. Humans, I have found, are generally unable to detect and deter long range danger so well. Fight or flight yes… Long term Chinese or Russian plans.. Not so much. Just look at all the machinations provided to us post 9/11 and you will see what I mean…

“What do you mean I can’t have a couple ounces of liquid or gel in my carry on!?”

OOOH that’s making me feel sooo secure!

So how do we fix it?

Well, really, I don't know that we can unless we have a "Cyber Pearl Harbor". Say those blackouts we had back in '03 were actually the doing of China, or for that matter a "home grown" threat; we would see some quick action! OK, upon reflection, it would likely be a Chinese Fire Drill instead of substantive corrective action, I think. Ya know, like taking off your shoes at the airport after one noodnick tried to light his shoe on fire. Yeah, that did a lot to make us safer, DHS and TSA!

I think what I am trying to say here is this: we need to be able to admit we have a problem, like we are at a collective AA meeting.

“Hi, I am America and I am terrible at information security”

“Hi America…”

They say that admission is the first step to a cure. Well, we need to really have a mea culpa as a society and then start to work on fixing that issue. I believe that Melissa's first job is to assess, and then she will need to impart, in a most forceful way, that we are rather fucked where our infrastructure is concerned. Then, she needs to give Big O' the marching orders to sign PDDs to FORCE corporations, and the government, to protect their data "with due diligence" AND to audit them with consequences for failure.

I have said it before at client sites and I will say it here. Security procedures and policies will only be effective and instituted when there is "buy in" from the top down. Unless we get some real direction and orders from the Prez, there will be no change. China and others will keep stealing us blind, and our economy will falter even further. Unless we take the necessary steps to protect our data, we can expect to lose the economic Stratego game with or without the "stimulus".

//END

Silver lining for IT security staff?

leave a comment »

Tim Watson, vnunet.com 26 Feb 2009

I’m not a fan of zombie films, or of horror films in general. It’s the waiting I can’t stand, the interminable suspense. Perhaps it’s a professional aversion.

For anyone involved in the computer security industry, waiting for bad things to happen is what we do. We lock the doors, block the windows and keep a careful eye on the open fireplace, while all around, outside, the hordes of zombies mass.

The organisations we work for see us as killjoys, as nerdy Cassandras. While they carry on oblivious, we’re tugging at their sleeves and pointing out the imminent doom. For years we kept telling them, and now they see that we were right.

Well, OK, it wasn’t quite the apocalypse that we were expecting. While we were watching the network logs and applying software patches, some clowns in the banking industry destroyed our economy. Let’s just say that we were right in principle.

So the financial world is in meltdown, companies are shrinking and folding, and security is on everyone's mind. Is it all going to be over by Christmas? Are we at the beginning of the second Great Depression? And what of the computer security industry? Will it be boom or bust for those charged with manning the barricades? It goes against my better professional judgement, but, as far as the future is concerned, I'm reasonably optimistic.

The rest HERE

Ehhh, I am not so much an optimist on this. You see, people as a species are rather poor at determining danger other than the short-term "fight or flight" kind, it seems from my observations. The whole arena of information security has been a sore point on this issue because so few get it and really try to enforce it. Never mind the fact that many companies, and the people running them, usually cut security right off the bat as a cost center despite the fact that it is necessary.

Then we have the problem of lack of understanding, which also breeds laziness and lackadaisical attitudes toward the technology and its protection... Ya know, like the popularity of "1234" as a master password. *shudder* So yeah, I really have very little faith in people, OK, "management", doing the right thing where security is concerned.

So now we are in the recession of the century and this guy thinks that security won't take the hit? The only way I see that happening is if the regulation happens that I hope will come from the Obama administration. So do I think this is likely to happen? Well, I say it's about a 40% chance of happening... Heh, maybe I am being too optimistic there, huh? We shall see.

Anyway, with all the experience I have had in the infosec sphere, I have very little hope that the right thing will be done. Meanwhile the economy will collapse around us, data will be lost and/or stolen in even greater quantities, and Rome will burn as the people fiddle with their iPhones... Yay!
I could be wrong though…

Written by Krypt3ia

2009/02/27 at 01:01

Our Chinese Overlords, Or how China is pwning the US

with one comment

Recently there has been a spate of malware infections and outright attacks on the US infrastructure that have been attributed to the Chinese. According to the site "The Dark Visitor", much of this attribution is actually the case. I would also hasten to add that I am pretty damn sure that this is the truth of the matter too. The Chinese stated back in the '90s that they were going to develop cyberspace capabilities and that they would dominate... And here we are today.

Today, the US is in grave danger of having our collective asses handed to us on a platter by the Chinese, as well as the Eastern Europeans (i.e. Russia and all her former satellite countries), where cyber attacks are concerned. The attacks differ in types and subtleties, but, by sheer volume and noise, it's the Chinese who win out. In short, they are the most prolific but not the most sneaky or effective as a whole.

China as a state entity has applied the most persistent and large-scale attacks against the US, not only in a "cyberwar" fashion but also using standard "espionage" tactics to gain access to assets of both the human and the computer nature. Spying has become the locus of the Chinese attacks because ultimately they have realized that the real power to use against the US is not raw firepower, but instead the soft power of economics.

China has long been looking to re-create the old days of what was once Japan's economic power: a strength to dominate the world with wealth and economic juice that translates also into the capability to wage "soft war" on all who seek to oppose them. With the advent of the computer and then the internet (the network revolution in toto) they realized that it was possible to usurp the powerful (US) with the very technology that we had created and in fact had been lax at securing. For that matter, even as I write this, we still have a poor grasp on the security needs of our collective computer systems as a nation.

So, back in the '90s China set out to hone its skills in cyber war, all the while also applying its "Thousand Grains Of Sand" approach as well as its industrial espionage capabilities. The "Thousand Grains Of Sand" approach is simply this: blanket the adversary with attacks and wait. Some will fail, but some will succeed. Those small successes will, taken as a whole, give a picture of what is going on. So, one asset gets a small piece of the puzzle while another asset may fill in the gap and show you the whole picture. In short, they are patient while being frenetic in the number of concurrent attacks... Signal to noise.

Fast forward to today and the mess we are in globally, economically. Can you imagine the needs that China is feeling after 70K plants have closed? Their economy is drying up too as ours falters and we buy less and less of their melamine-laden crap. So, I am sure that we will see more attrition in the economic and espionage war between our country and theirs. It's time that the US pay the attention needed to this, and not just the military.

For more, check out The Dark Visitor; it's a wealth of fun facts.

Written by Krypt3ia

2009/02/25 at 01:48

M$ Lays off 5K Employees… Blames sagging PC sales *cough*

with one comment

Decline in PC Orders Leads to Microsoft Layoffs

MOUNTAIN VIEW, Calif. — Spooked by a rapid decline in orders for personal computers, Microsoft, the world’s largest software company, initiated the first broad layoffs in the company’s history on Thursday and warned of waning technology spending in the months and even years to come.

Microsoft, based in Redmond, Wash., plans to lay off 5,000 of its 94,000 employees over the next 18 months, including 1,400 people on Thursday. The company disclosed the cuts as it released second-quarter results, which reflected an 11 percent drop in net income, to $4.17 billion, from $4.71 billion in the period a year ago. A sharp drop in sales of its Windows operating system that took hold in December led to the lackluster results, which missed analysts’ expectations.

Revenue for the quarter rose 2 percent, to $16.63 billion. Earnings of 47 cents in the quarter missed the forecast from Thomson Reuters by 2 cents.

“We are certainly in the midst of a once-in-a-lifetime set of economic conditions,” Microsoft’s chief executive, Steven A. Ballmer, said during a conference call. “The economy is resetting to a lower level of business and consumer spending.”

Microsoft’s shares dropped $2.27, or close to 11.7 percent, to $17.11 during Thursday’s trading.

The falling sales of PC software dovetailed with broader problems across the computer industry. Earlier this week, Intel, the world’s largest chip maker, said it would lay off at least 5,000 people and close some test and manufacturing plants to deal with vanishing demand for its products. The hard-drive maker Seagate and the chip makers Advanced Micro Devices and Nvidia have watched sales dry up as well, while also going through layoffs. And Sony, the electronics equipment maker, will also lay off about 5,000.

Microsoft has survived past downturns because of its dominant position, high margins and near relentless growth in the PC industry, but it is now bracing for a different set of circumstances.

“Our model is not for a quick rebound,” Mr. Ballmer said, during the call. “Our basic view is that things go down and stay down for awhile — a year or two years, I don’t know what it will be — and then start building back again.”

The layoffs will affect workers in several Microsoft businesses, and the company is considering the dismissal of more than 5,000 contractors. Still, Microsoft intends to hire in some parts of its business.

“Even as we take out 5,000 jobs, we will also add a few thousand jobs back into areas like search where we continue to see incredible opportunity to do good work,” Mr. Ballmer said.

Some analysts questioned whether Microsoft took quick enough and broad enough actions to deal with such a severe decline in technology spending. In addition, Wall Street continued to push Microsoft to address its trailing position in the search market dominated by Google. The company remains open to a search partnership with Yahoo, Mr. Ballmer said.

The direct impact of falling personal computer sales was evident in Microsoft’s second-quarter results, as sales of its PC operating-system software dove 8 percent, to $3.98 billion, from $4.33 billion last year.

A recent survey conducted by the research firm Forrester revealed that half of the consumers in the United States who intended to buy new PCs would put off their purchases, and many of those that did buy new machines intended to spend less.

In addition to falling PC sales, Microsoft blamed the rise of netbooks — increasingly popular cheap, compact laptops — for flagging Windows operating system revenue. Microsoft offers the lower-priced Windows XP rather than Vista for use on netbooks.

There were a couple of bright spots for Microsoft in the second quarter, including a 3 percent rise in its entertainment business, which includes the Xbox gaming console. Microsoft sold a record six million Xbox systems during the quarter, which included the holiday shopping season.

Microsoft also remained bullish about its business software group, although it noted that layoffs and lower capital spending could hurt its long-term sales.

Over the next year, Microsoft said it intended to keep trying to cut costs and would keep a tighter hold on its cash. The company looks to moderate its share repurchase program. In addition, it will remain more tentative toward acquisitions, in the belief that valuations of potential targets will be lowered even further in the months to come.

“I don’t think the market has yet to lower its expectations to the levels we are talking about,” Christopher P. Liddell, the company’s chief financial officer, said during the call.

Blaming economic uncertainty, Microsoft declined to provide a revenue or earnings forecast for the coming quarter or year.

Still, Mr. Ballmer tried to issue an optimistic long-term view for the technology industry.

“I don’t think there is any stopping the forward march of this industry or of Microsoft,” Mr. Ballmer said. “It is a pause, and there will be renewed strong growth in the technology industry over all and certainly at Microsoft.”

OK, one thing I don't really see mentioned here is how much of the market is now being taken by open source like Ubuntu, as well as what is taken by Mac OS X. Sure, the economy sucks and netbooks are the rage, but is that really it? I personally think it's because people finally have a viable choice in operating systems other than Microflaccid. M$ is just finally realizing that they are a dead carcass that has begun to decompose.

Or perhaps they should also take a look at their price models and how they treat their customers?

Or maybe we should just say the word “hubris”
Yeah, that’s it… Hubris.

I am sure they will still be around though, putting out more security-lacking, multi-patching, blue-screening crap.

Written by Krypt3ia

2009/01/23 at 01:33

Posted in Cyber, Economy, Hacking, Infosec

Am I gonna have to bust a cap in someone’s ass?

leave a comment »

Woman Hospitalized After Scissors Attack

Police Say Man Also Tried To Attack Witnesses

POSTED: 8:30 am EST January 17, 2009
UPDATED: 11:11 am EST January 18, 2009

Attempted Murderer

Police in Manchester are investigating a weekend stabbing that sent a woman to an area hospital.

Lt. Christopher Davis with the Manchester Police Department said the incident occurred at 8:30 p.m. Friday at an apartment at 158 Forrest St.

Davis said initial reports indicated that the domestic disturbance started in apartment 716, where it is believed that a woman sustained an undetermined number of stab wounds before she fled into the lobby area of the apartment building.

Davis said 29-year-old Edward Leonard chased her out of the apartment and was able to attack her again, stabbing her numerous times with a pair of scissors.

Several people witnessed the attack and at least one person attempted to intervene, but was unsuccessful as Leonard attempted to attack the witness when he approached, police said.

According to a police report, Leonard released the woman and dropped the scissors once confronted by officers.

The victim was transported to Hartford Hospital where she is listed in critical condition.

Davis said Leonard had injuries to his hand and was transported to Manchester Memorial Hospital for treatment and psychological evaluation.

Upon his release Leonard is expected to be charged with criminal attempt to commit murder, first- and second-degree assault and unlawful restraint, according to a police report.

His bond has been set at $1 million.

Well, recently the place I live in (a part of the chain of renovated mills in Manchester) has been seeing more and more crime. Manchester is almost a suburb of Hartford to start with, but of late there has been a creep of criminality including assaults, break-ins, purse snatchings, and destruction of property.

This escalation has roughly coincided with the evolving issues with the economy, as well as the rental company evidently leasing apartments (and these are not cheap) to more and more miscreants. This latest incident occurred just as another domestic happened within my adjoining building, where threats of murder were made against a female apartment dweller here. It wasn't that long ago that a sexual predator/wanker was breaking into apartments (with a master key) and stealing women's underwear etc., in an escalation, I am sure, toward rape or other sexual criminal acts.

It has become clearer that we need to leave this place, and we have begun looking at houses. In the meantime, I am comforted in the knowledge that Semiotic has a nice Beretta in her pocket/holster/bag/ankle, and I too have a 9mm and a .380 either on me or near my person, in the apartment and out.

“The times... They are a-changin'”

Written by Krypt3ia

2009/01/18 at 22:45

Posted in Economy, Guns, Safety