Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)


Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach



IJPFRH CPAGP EIIL!

CYBER CYBER CYBER!

CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OF CYBER WAR!” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know who asked me to read it and comment).

The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which, for many of you reading my blog, might be well below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.

I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so*. There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.

As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”.

I have broken down the book into rough chapters and subject areas as it is within the book (mostly). It really does cover more of the overall issues of cyber-warfare and the methods used (not overly technical). The modus operandi, so to speak, of the actual events that have taken place are laid out in the book and give you a picture of the evolution of IW into what we see today as “cyber-warfare”. I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?

IW (INFORMATION WARFARE) RUSSIA

The authors cover early IW with the Russian sagas over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action, as well as a good overview of what happened.

In the case of Georgia it went kinetic, and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind, unless there is an actual kinetic portion to the fighting there is no “war”; it is instead an “action” or “espionage”. So in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.

OUR CHINESE OVERLORDS

Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.

The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.

ANONYMOUS/SEA/LULZSEC

Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible deniability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?

Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI, via Sabu, was manipulating the Anons into going after government targets. This is not beyond comprehension, especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?

THE GRID

OY VEY, the “GRID”. This is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will let what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about, especially if you have an army of trained squirrels with routers strapped to their backs.

It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad student’s paper from back years ago so your mileage may vary. So on this chapter I give it a 40% derp.

WHAT’S MISSING?

All in all I would have liked to have seen more in the political area concerning different countries’ thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which, for me and many of you out there I assume, leads to the logical conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?

I would have also liked to have seen more in the way of some game theory in the book concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems with actually carrying out cyber-war as well as the potential outcomes from doing so, more along the lines of what I saw in the Global Cyber-Game.

OVERALL TAKE

Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.

We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..

Put it in the syllabus!

K.

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions, and the task of reaching people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have a high chance of it becoming industrialised. Saying something has been industrialised implies, to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key though is to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now are lamenting and wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; Macbeth)

Security Joan of Arcs and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She was later burned at the stake for heresy and, many years later, made a saint. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practiced (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake, and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.


“If the Apocalypse comes, beep me”

(Joss Whedon; Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us”. We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless the person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon, have told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.


“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think:

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely, and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, and so that it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this:

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

Occupy Wall Street & Anonymous: Conflation, Synergy, Diffusion, and Media Spin


Image from the San Francisco Chronicle

It All Started With Anonymous and Wikileaks

The Chinese have an aphorism “May you live in interesting times”. It’s a bit more of a curse than it is an aphorism, but, the gist is that they are not wishing you a “good time”. It has been feeling pretty “interesting” this last year and I really have to say that it all stems from Anonymous and their ignition of the nascent feeling today of powerlessness on the part of many. Whether it be their personal lives, or perhaps by looking at the whole of the world through the instantaneous news cycles that today’s technology has afforded, in general, people are not feeling as though they have much control over their daily lives.

I would have to say that much of this has its genesis in 9/11 and the post 9/11 world that we have come to be in. Security has become the operative word for some excesses by government in using its powers (self created). Case in point, the ability to spy on anyone deemed to be a threat without a warrant. The knee jerk reaction to 9/11 has allowed for a fear based response that has set some pretty scary precedents these last 10 years. Add to this the bank scandals, the recession, the fallout from Fannie and Freddie, and waves of greed and misdeeds on the part of corporations that influence the government, and we have quite the picture of how things have gone sideways.

But.. Much of this is not new I’m afraid. Wikileaks just opened the secret flood gates in some ways. Though, had you been paying attention you likely would have already known much of what Wikileaks was trying to say before the big dumps began to show up online.

What is new is that a new generation of youth has been disenfranchised enough to take up arms against it all as they see fit. Anonymous was the catalyst for this in their early attacks on oppression like “Scientology”, a system which really is much more a corporation melded with a (faux) religiosity to create an entity that is not taxed, does not have oversight by anyone, and seems for all intents and purposes to be a “Corporate Cult”… Which when I think about it now, post Steve Jobs’ departure from this mortal coil, is a lot like the reverb surrounding Apple and the Jobs-ian “passing on to a higher plane” claptrap.. But that is another story…

Either way, the gist of this all is that Anonymous and Wikileaks are the progenitors here I think, and it is the very nature of the collective’s technical bent that has lit this fuse that finally reached out of the digital Kabuki theatre and on to the real streets.

Technology, The Great Equalizer

Anonymous’ use of technology only comes naturally as they formed online. It is with the growth of social media and the connectivity that we all have today with smart phones, that the movement went viral. Some may say it was the targeting, but I would say that the targeting was always there, but those who were feeling the miasma weren’t able to express it in the normal ways of yesterday. However, with blogs, micro-blogs, twitter, texting, etc, people coalesced into groups on their own with a collective gravity that eventually, had enough psychic mass to catch on large scale.

It is this very thing that has led to what we see today. From flash mobs to the final outcome of the occupy movement that harkens back actually to the early Tea Party movement in the way the word got out and collected like minds to its cause. All of these people have found each other and inspired one another to react to what they are perceiving as injustice within the systems in which they live. The technology has given the tools to the populace to respond in a way that only the mass media has had the corner of the market on for so long.

Add to this the technical aspects that bred the Anonymous “Hacktivism” and we have a new paradigm for dissent. The recent threat to DoS NYSE by Anonymous is a case in point of the technology being used not only as a weapon but also as a means of protest, though the legalities of such attacks are questionable. The law has yet to catch up on much of the technology, so the arguments upcoming over the LOIC arrests for the MasterCard denial of service attacks will likely generate new law either way.

Interesting times indeed.

Occupy Wall Street.. Why Again?

Of late, the “occupation” movement has picked up speed all around the globe. However, it seems that these demonstrations, unlike the ones in the 60’s over Civil Rights, are rather more diffuse when you go and observe what’s going on. Now, one could say that this is media spin, but, when I look at the aggregate reporting from all sides, I can see how some might categorise the movement as being diffuse. On some fronts, the movement seems to have been co-opted by others with more, shall we say, exotic demands? I guess my fear would be that this turns into a Lollapalooza or a Burning Man instead of a protest with specific goals in mind.

Occupy Wall Street has a set of 13 goals that seemed to me pretty straightforward, yet, they seem to be open ended. Perhaps the movement might tighten them down a bit and generate some more concise and workable (demands) for lack of a better term? In the era of the 60’s there was a defined demand for a civil rights bill.. I suggest to you all now that you work something akin out on paper to give to the congress critters that want to work with you. After all, it’s kinda pointless to ask for things like “stuff” and expect to get something back (including support) that is concrete from the establishment. How about you get some of the luminaries in the economics field to give you ideas for positions?

Unless you direct all this energy, you will all be collectively mocked as a bunch of stinky hippies without jobs or just attributed to be “malcontents”.

Define the argument… Get the 60’s protesters to show you the way.. After all, they really did change things..  For a while.

The Media, Lapdogs To The Corporations?

Speaking of perceptions, here we have one of the key issues today. For a long time it seemed as though the mainstream media was ignoring the protests. Perhaps they thought it was just going to go away and it wasn’t news. However, as they have come to find out, there seems to be a large disenfranchised populace out there willing to protest. Just who are they protesting, and what is the issue, both from the perspective I have as well as what the media might want to portray it to be?

Yes.. That’s right, I am not a fan of the media today. It is my opinion frankly that Cronkite’s demise only saved him further pain and anguish over the career that he loved so much. The mainstream media, as it is called, is pretty much a corporate run “profit” centre as opposed to what it used to be, “a cost centre”. That’s right kids, as soon as news became a “for profit” business as a whole, its efficacy in providing true reporting became much diminished. Now, this is not to say that this wasn’t the case before. In the 19th century all you had to do was look at the newspapers of the day and you could see it was all about “if it bleeds it leads!” and just how much money could be made with a lurid headline. Of course today we get the same treatment from a fire-hose of sources online and off, all of which is now pretty much solely being run for profit.

When people talk about the media being the lapdogs of corporations, they need only look as far as FOX *cough* News, who really came down to the point in a court case claiming that they aren’t really news, but instead “entertainment”. Enough said really huh? So, when I see the stories not only about things like Occupy Wall Street, but also anything I have a pretty good knowledge of, I see their spin to get headlines and attract viewers.. Viewers who in turn are the targets of marketing and advertising between segments. Follow the money…

Of course speaking of Fox, you only have to read a bit more and see how Mr. Kane.. Uhh, I mean Mr. Hearst… Uhh, I mean Mr. Murdoch uses his papers and other media operations to sway the public and the government. Even his machinations involving phone hacking are a telling piece of the puzzle no? Yes Virginia, Mr. Murdoch does underhanded things to get what he wants…

So, while we are protesting the other injustices, one might suggest that you all pay attention to the media that you are being interviewed by and made into sound bites…

They can control the story.. Catch them at it… Stop it when they do.

The Governmental Response and New Backlash

Meanwhile, another faction that is being used by the media (hand in glove) is the government and the players within it who would use these tools. The recent coverage of the Occupy Wall Street movement on CNN for instance shows how the media can be used to portray the movement as nothing but unwashed stupid hippies (the flavor Newt gave to the debate). Perhaps Newt was misquoted? Maybe it’s out of context? I think not. I find it really funny that the Republicans have latched onto this issue by saying that it is a symptom of “Class Warfare” and generally acting like the old man yelling at the kids to get off his lawn. Well, come to think about it, I guess that is pretty much on the mark, Wall Street is their lawn ain’t it?

The Democrats are only a little better on this issue as well. Sure, they support what is happening or what’s being said, but really, do any of us really think they are feeling so moved by their own ethos? Or might it be that it’s election season and they are seeing potential voters? Yeah, I think it’s the latter too. Frankly both parties are useless in my book and as for the Tea Party, well, they are pretty much tinfoil hat wearing reactionaries to me. However, this is not to say that they don’t have a core idea that is right.

Change needs to happen.

It’s just how and by whom is the real question.

So, when all of the Congress critters get in on talking about this I take it all with a pillar of salt, not just a grain. Meanwhile, we have the police responses to the protesters. For the most part, I can take no issue with the arrests that have happened on the face of them “legally” however, when violence is involved, then I begin to wonder just what the Hell is going on. Of course tensions will run high and there will be morons like Bologna (mace boy) but on the whole, I think the response thus far has been pretty even handed on the part of law enforcement. I know others will likely take issue with this, but, this is just my opinion of what I have seen thus far.

However.. Just how long will it be before the anti-occupy Wall Street folks start showing up fueled by the likes of the Tea Party whacknuts or worse?

Time will tell…

A Return of the Sixties and Socio-Economic Upheaval?

I have written at least a couple of times in the past year that I was beginning to feel as though the 60’s were coming back. With the Occupy Wall Street movement gathering strength and more voices being added, the spectre is back isn’t it? We still have many of the issues from the 60’s that haunt us all, but I would have to say that I am going to amend this statement with a time shift as well as political bent. I would have to say that this movement has much more akin with the 70’s than the 60’s.

In the 70’s we had the Vietnam war still ongoing. We had Nixon and the excesses of his grab at illegal wiretapping and wet-work in the US as well as outside. When it all came to light with the publishing of the Pentagon Papers as well as the exposure of the “Plumbers” by Woodward and Bernstein we got a peek into executive malfeasance. Compare that to today post GWB and two wars post 9/11… No wonder we all don’t trust our government huh? Now though, we have the elephant in the room added to the mix of business and money seeking to control the government through lobbying and other chicanery.

Frankly, it took an economic apocalypse to wake people up to it all..

My Conclusions On All of This

I foresee “interesting times” ahead. This movement will continue and likely will have no real effect in the short term on how our government is being run (primarily meaning going to the highest bidder) However, I think that this movement may in fact spawn the youth of today to action. Action meaning that they will take an interest in the system and perhaps seek ways to improve it. My hope is that they do and that someday things get a bit more cleaned up but, that may not be for some time. The sad truth of it though, is that for every Mr. Smith going to Washington, there is another who goes without the wide eyed wonder and sense of honesty who just seeks to puff themselves up and line their pockets.

Another sad fact is that there may even be some altruists who go there with good intentions and then find themselves following the lead of the Mr. Potter’s of the world.

One hopes that is not the case..

K.

Hedge Fund Manager Predicts Cyber Attack Will Shut Down NYSE in 2011: Oh? Do Tell…

with 4 comments

EDIT: 8/18/2011

Recently the ideas of HFT trading (High Frequency Trading) being a vector for attacks on the stock market in tandem with an actual DDOS/Hack attempt on the Hong Kong stock market got me thinking about all of this again. The original post was back in November of 2010, but it seems even more prescient today after we have been in a recession for so long and may in fact be up for a double dip. Added to this we now also have the debt crisis and an onslaught of cyber espionage that could easily turn to offensive cyber warfare (i.e. an attack on the financial system as the coup de grâce of our economy) as the Chinese even are trying to divest themselves of our debt. This would mean that the Chinese would have much less to lose now if they were less monetarily invested in us and thus, they would become the larger economy and super power by taking us out of the running.

And all of this could be done by the simple (well not really in practice) act of taking down the markets here. The cascade effect of mistrust by the investors and other countries in our systems of trade could be devastating to us. This is why I am re-hashing this post and thought it important today to re-iterate.

Enjoy…

The Internet becomes the tactical nuke of the digital age. I believe that cybercrime is going to explode exponentially next year as the Web is invaded by hackers. And my surprise is that we will see a specific attack on the New York Stock Exchange which has a profound impact, causes a week long hiatus in trading which will cause abrupt slowdown in travel and domestic business.

Hedge Fund Manager Douglas Kass

Some time ago I posted a story about how by using tools like FOCA, Maltego, and Google, one could gain enough intel on NYSE (New York Stock Exchange) to mount an attack. Well, it would seem that others might have the same idea, but the above gent may have more in mind than just an attack on America’s financial machine. This guy is already positioning his funds for a “short sell” on the system.

So, a smart bet or perhaps some inside knowledge? Maybe he’s just a realist? Why is he betting that it will come during 2011? What’s more, and is questioned in the article, perhaps he is injecting fear into the market to drive it….

Interesting no?

The article goes on…

What could happen if Mr. Kass’ prediction is correct and a cyber attack effectively takes the New York Stock Exchange “offline” for a week? As far as historical events to compare to, after the terrorist attacks on September 11th, the New York Stock Exchange, the American Stock Exchange and NASDAQ didn’t open on September 11th and remained shut down until September 17, the longest shut down since the Great Depression in 1933. After the markets opened on September 17th, the Dow Jones Industrial Average fell 684 points, or a 7.1% loss.

The NYSE’s Web site (NYSE.com) has been targeted in the past with ‘denial of service’ attacks but without success, according to NYSE reports. Importantly, the NYSE.Com Web site is not connected to any of the trading operations and even if such attack took NYSE.com offline it wouldn’t affect trading operations, of which most of the infrastructure is over private networks and not the public Internet.

So, the market has been offline before and then there was that “fat finger” event, but, what is really troubling is the lack of understanding on the part of the writers to comprehend that the NYSE.com site’s being “online” has nothing to do with a real and substantive attack on NYSE itself on that level. What is really important is that the NYSE.com site as well as NYXDATA.com are leaky as all Hell and giving out the crown jewels by simple Google searches of their domains. So sure, take their site down all you want with a DoS, but, if you use the data they are handing out, you can get into their systems potentially and manipulate the actual trading.

How?

Well, let’s see.. Before I showed how they were serving up docs with intel on the protocols they are using, the programs used for trading, the colocation facilities location and pertinent data on their infrastructure etc etc. This time around, the searches turned up much more, including a document that shows their entire internal IP structure. Passwords and logons to their “FTP’s” (yes that is FTP, not SFTP) to access programs and data. I also located documents on their APIs, programming standards, and everything one would need to reverse R&D their software to do some damage.

So, the possibilities of an attack on the system as Mr. Kass has bloviated on are somewhat more possible than the article’s writer would make of it.

Let’s look at the next level of this too. By doing the searches with Google and Maltego, there were enough email addresses out there to show that it would be easy to attempt a phishing attack. I found at least 150+ addresses out there on the internet already, just by extending that logic that is 150 chances to root internal machines and pivot into their internal network, which, you already have a pretty good map of by the Google searches previously carried out. Then, you move on to your FOCA searches.

Oh yeah.

FOCA turned up a SHITLOAD of data on NYSE and NYXDATA, So much so that it crashed several times just trying to analyze the data! I had to do it in parcels of documents. NYSE and NYXDATA have a lot of documents out there to parse through and all of it had a TON of metadata in them.

  • Usernames
  • Machine names
  • Folders saved to (directory structures)
  • Machine OS levels
  • Server Names

What struck me most was the number of machines polling as NT 4.0 machines *shiver* as well as Win2K.

Ok, on that account the docs may be older and these machines may have been decomm’d… but.. If you look at the usual trading systems out there, they are often based off of a DOS prompt environment, so….Yeah, I can see these systems being still in play at NYSE.

So, back to Mr. Kass… I am with him on the side of being prepared for a short sell on the market as a whole. I think it’s just a matter of time before something happens either by design, or perhaps by accident. Say you had a stuxnet variant that got out of control and infected the old and creaky systems at NYSE, what would happen with the market if they were taken down for a time because of this? What’s more, what would happen to the market if the “perception” was that these events happened because the NYSE was not doing the “due diligence” to take care of the security issues that would allow for such things to happen?

Trading would go down, money would be lost, and generally the market would be pretty shaky wouldn’t it? Let me go back to my favorite movie quote to illustrate:

Cosmo: Posit: People think a bank might be financially shaky.
Martin Bishop: Consequence: People start to withdraw their money.
Cosmo: Result: Pretty soon it is financially shaky.
Martin Bishop: Conclusion: You can make banks fail.
Cosmo: Bzzt. I’ve already done that. Maybe you’ve heard about a few? Think bigger.
Martin Bishop: Stock market?
Cosmo: Yes.
Martin Bishop: Currency market?
Cosmo: Yes.
Martin Bishop: Commodities market?
Cosmo: Yes.
Martin Bishop: Small countries?

There you have it. The basis for the markets is perception. How often do you see stocks fall because the perception is that company (A) is on shaky ground and about to stumble. Hell, just look at what was happening back in 08 with AIG and Lehman with the monies that they owed and were trying to borrow daily to keep the system afloat. Banks and insurance companies mind you, that were declared “Too Big To Fail” as the perception if they did just fail would be financial cataclysm right?

Just as well, how many brokers and companies have been investigated or charged in manipulation through insider trading or perception jiggering? That’s what the market is really all about. It’s all about betting on a company and if you make that company or for that matter, “country” look “shaky” then you can manipulate the outcome to your desired effect. I would have to say that Al Qaeda has already done that to some extent already with America. So, it is not an inconceivable notion. Let’s go back to that precipitous market “bubble” as Kass called it with the “fat finger” event. Did you see how much effort there was to calm everyone? Spin the situation and downplay it when it happened? Pay no attention to the man behind the curtain.

Look, if the system were that easily manipulated by a single set of lightning trades, then what does it say about the system’s security and integrity?

That’s the key question. So, where are the reports to congress about the security of the systems at NYSE? Does the SEC have some reports that we can all look at and see that they are doing their due diligence? I guess I will have to trawl the SEC domains to see. This is what I found through a quick search:

Information Technology Security

Finally, GAO’s audit confirmed weaknesses in the SEC’s information technology security that have been reported in prior years through our FMFIA program. These weaknesses include insufficient access controls, network security, and monitoring of security-related events. However, I should also note that the GAO found we had taken the right set of initial steps to address the weaknesses, including hiring a new Chief Information Security Officer and establishing a centralized security management program. In response, the SEC has developed a detailed inventory and timeline for correcting each of the specific weaknesses identified, such as through a certification and accreditation project and revisions to the agency’s policies and procedures in this area. We have continued to build out our information security program and address specific issues over the several months since the conclusion of the audit, and while our timeline is ambitious, we plan to complete the remediation efforts by June 2006.

This is all I could find at present.. 2006… Hmmm…

In the end, all I am saying as a security professional is that I know human nature. Human nature usually consists of the path of least resistance especially where business is concerned. I am willing to bet that not much has changed within the security environment at the NYSE even post 9/11 and their being targeted as a primary target of Al Qaeda never-mind the usual criminal elements looking to manipulate the system. This means that yes, the system is potentially vulnerable to attacks that would have great consequences to the financial system within the US as well as potentially the world. Perhaps Mr. Kass is just looking to leverage the fear, perhaps he is trying to fire off the “Bat Signal” that something is wrong or inevitable..

Either way, we need to assure that these things aren’t so easily done.. Don’t we?

K


Written by Krypt3ia

2011/08/18 at 14:27

FOCA: A New Recon Tool

with 3 comments

I recently got a text from a former co-worker saying that I should take a look at FOCA, a tool that I had not heard of before. The text said that this tool had a good deal of forensics potential in that it would search a group of documents and extract the metadata from them. My friend got it half right from what I have experienced so far.

The tool does indeed cull metadata, but, it is from directed web searches with engines like Google and Bing that it does so. This however is a fantastic thing! Even if you cannot just point it at a directory on a hard drive locally, this tool is a great resource for OSINT/RECON online. I decided to give it a try first on some Jihadist sites *post to follow* but then decided to use it against a “known domain” NYSE.com

The tool gives you a simple front end that allows you to search a domain/website and saves the whole process in a proprietary project based format. So, you can go looking for a specific domain and create a whole project to save all the collected data. The only flaw I have seen so far is that this tool does not output your search/project into any kind of usable report format.

The tool goes out to Google, begins searching for numerous file types such as .doc or .pdf. Once located, the URLs show up in the tool’s window to show you if you do indeed have good hits. After the initial search, you can then download all of the documents for the next step of pulling the metadata. This is where it gets interesting…

Once the docs are downloaded, you can analyze the metadata and then FOCA gives you a series of pull downs that show you all of the user data that the docs offer up… And boy can it provide a plethora of data! From the NYSE searches I was able to not only see the user names, email addresses, software being used to create the documents, but also folders that they were stored in!

Then you can move on to more obscure searches using the metadata. FOCA has a feature to search those same engines that it just pulled the files from to go further and look into the domain structures, server names, users, printers, suffice to say it pretty much will map out a whole infrastructure for you using Google/Bing and the metadata you already have.
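The workflow above (and the list of leak categories in the NYSE post: usernames, machine names, folders, OS levels, server names) is exactly what a publishing team should run against its own documents before they hit a web-facing server. As an added, defender-side example that is not FOCA’s code and not from this post, the following Python script extracts those metadata classes from Office OOXML (DOCX/XLSX/PPTX) and PDF files you already hold locally and flags what would leak if published. The sample DOCX and PDF are constructed in memory; the names in them (jdoe, CORP, fileserver01, Example Corp) are made up.

```python
"""Audit Office (DOCX/XLSX/PPTX) and PDF files for metadata that leaks user
names, host names, folder paths and software versions. Stdlib only."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Values that look like drive or UNC paths, file: URLs or home directories.
PATH_RE = re.compile(r"(^[A-Za-z]:\\|^\\\\|^file:|/Users/|/home/)")
# Uncompressed PDF Info keys; handles escapes and one level of nested parens.
PDF_STR_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(((?:[^()\\]|\\.|\([^()]*\))*)\)")


def ooxml_metadata(data: bytes) -> dict:
    """Read author/last editor from docProps/core.xml and app, version,
    company and template path from docProps/app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, key in (("dc:creator", "creator"), ("cp:lastModifiedBy", "last_modified_by")):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag, key in (("ep:Application", "application"), ("ep:AppVersion", "app_version"),
                             ("ep:Company", "company"), ("ep:Template", "template")):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[key] = el.text
    return found


def pdf_metadata(data: bytes) -> dict:
    """Scan the raw file for Info-dictionary strings. XMP packets and
    compressed object streams are out of scope for this demo."""
    keys = {"Author": "author", "Creator": "creator_app", "Producer": "producer", "Title": "title"}
    return {keys[m.group(1).decode()]: m.group(2).decode("latin-1")
            for m in PDF_STR_RE.finditer(data)}


def classify(meta: dict) -> list:
    """Tag each value with the kind of leak it represents (a title is benign)."""
    out = []
    for key, value in meta.items():
        if PATH_RE.search(value):
            out.append((key, "internal path or host name", value))
        elif "@" in value:
            out.append((key, "e-mail address", value))
        elif key in ("creator", "last_modified_by", "author"):
            out.append((key, "user name", value))
        elif key in ("application", "app_version", "creator_app", "producer"):
            out.append((key, "software/OS version", value))
        elif key == "company":
            out.append((key, "organisation name", value))
    return out


def audit(data: bytes):
    """Dispatch on magic bytes and return (metadata, findings)."""
    if data.startswith(b"PK"):
        meta = ooxml_metadata(data)
    elif data.startswith(b"%PDF"):
        meta = pdf_metadata(data)
    else:
        meta = {}
    return meta, classify(meta)


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML package carrying the kinds of leaks
    the post lists. jdoe, CORP, fileserver01 and Example Corp are made up."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>11.0000</AppVersion><Company>Example Corp</Company>'
           '<Template>\\\\fileserver01\\templates\\Normal.dot</Template></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def build_sample_pdf() -> bytes:
    """Constructed sample: an uncompressed PDF Info dictionary (not a real document)."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Title (Failover runbook) /Author (jdoe) "
            b"/Creator (Microsoft Word) /Producer (Acrobat Distiller 5.0 (Windows)) >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for blob in (build_sample_docx(), build_sample_pdf()):
        for key, kind, value in audit(blob)[1]:
            print(f"{kind:28s} {key:18s} {value}")
```

Run it over a directory of files destined for the web server and anything tagged as a user name, path or software version is a candidate for stripping (Office’s Document Inspector, `exiftool -all=`, or re-exporting the PDF) before publication. Note that the PDF parser only sees plaintext Info dictionaries; a real audit should also check XMP and compressed object streams.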

Now, depending on the security levels that the systems being searched against have, it is possible to cull quite a bit of intel on your target. So much data that in fact one could make a real network map as well as a full plan of attack on users, networks, file systems, etc.

It’s kinda scary really as you may be able to see from the pictures here….

All in all, this tool is quite the find. I would only like to ask the creator to allow for a local feature to just access metadata for files that have been downloaded already… But that’s for another post to follow on those whacky jihadist sites…

FOCA

CoB

The SKYNET of Wall Street… How About CyberWar by Russia or Joe the Hacker?

leave a comment »

Given the recent events with the stock markets sudden and sharp dip, many people have been pondering whether or not there was some computer trickery involved. One might even dare to say “hack” or, unfortunately, the moniker of “CyberWar” has been thrown out there about the incident.

From what I have heard on the news, the systems just seemed to go off on their own, the words used were “took off” and there were even references in the news to “Skynet”. Oh my… Now that is scary, these people are looking at this as the next SkyNet out to whack us with giant Schwarzeneggers! I think though, that the reality lies more along the lines of perhaps a test. Perhaps a pre-test to something more akin to the cyberwar scenarios.

What’s bothering me though is the eerie silence on the part of the government, the police/feds, and Wall Street itself on this. Of course I am sure they would all love to minimize any fears that the public may have here because surely, if the word went out that this was an attack or a hack, then the market would crash further and for longer than it did last week. People would just not have any faith in the system and there would be the equivalent of a bank run on Wall Street.

So the news media and the talking heads tried to pawn this off to a “fat finger” trade, but then, as time went on, it came to light that it couldn’t be that. So, what was it then? Are they investigating? Are there Secret Service folks on site performing forensics on digital assets?

Like I said.. “eerie silence”

This all got me thinking about the potential for a hack on the NYSE and the stock markets in general. My first task as any good security specialist was to footprint the target. So, I went to “The Google” and did some footprinting at www.nyse.com; what I found rather flabbergasted me. If you look in the right way, you can gather a LOT of intel on the network makeup, protocols, processes, clients, and vendors for the stock market. All of this just coming from one domain mind you…

I was able to not only obtain documents marked “CONFIDENTIAL” but those same documents described networks, processes for DR, Backup, and daily operations. I was also able to get manuals on their systems that interface to make trades from both inside and from outside of the exchange. Some of these documents actually described actions that the network operations folks are yet to actually carry out for 2010.

Oh yes, our theoretical money on Wall Street is safe… Not.

In one case, I actually was able to gather IP addresses for failover in NJ and Chicago as well as when they were planning on running a failover test. So, yeah, these documents are all, as a whole, a hell of a start to begin planning for an attack on the monetary engine of our country. Many of these documents I assume have just been put in the wrong directories on the web facing servers even with the markings on them, but, really, c’mon guys where’s your OPSEC?

Even better, the uber document with much data on how the systems work, which includes network diagrams, goes further to show you cabinet details in colocation areas as well as actual blueprints to the trading floor in NYC.

DOH!

So, perhaps there is a reason for the quiet huh? Imagine the panic that would ensue if indeed the market was attacked by someone with a computer and a set of PDFs on how to operate trading software? Imagine the fear right now to those of you in the security field who are about to learn that in one case, a system used to trade carries out its actions on a TELNET session over the internet…

No… Really… I saw it. Perhaps they have a VPN or maybe I misread it but….

Check whether you can telnet://XXX.XXX.XXX.224:1723. If not, try to telnet://XXX.XXX.XXX.224:1838. If you can reach 1838 but not 1723, you must create a new line in the [TALIPC] section of the TAL.INI. The line reads: UseNewPort=

Oh yeah.. there you have it… Needless to say, I stopped there. Google had given me enough to really mount a plan…

It’s time to start hiding your money in mattresses folks… Or maybe just buy all the gold jewelry you can and head to “Good ol’ Tom” when the shit hits the fan. So Wall Street, what’s the story here?

K