Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Infopocalypse’ Category

THE DEFENDER’S DILEMMA: CISO’s and Execs to the right of me… APT’s and Hackers to the left… Here I am stuck in the middle with you.

with one comment

tumblr_m54evg82j61rtr1jto1_400

 The Defender’s Dilemma:

This week I came across a tweet from @violetblue about an article she wrote for ZDnet on a RAND study that had recently been published. The report; “The Defenders Dilemma: Charting A Course Toward Cyber Security” The report ostensibly showed that the end game for information security was as predicted by 99.9999 percent of the information security workers in the world today. Simply put, there is no winning the game and you should really just listen to the WOPR and not play at all. How about a nice game of chess?

WOPR

All kidding aside though, many in the game know that there is no winning the cyber war. All you can do is perhaps win battles. Endless battles. The war will never end unless by some miracle someone uses the Nash Equilibrium Theorem to bring all the game players to the table and stop the game with wins all around. I somehow doubt that this will happen, just as much as I doubt that the same model can be used against Da’esh but that is a story for another day.

What this report is telling us though is pretty much common knowledge within the community and I have to wonder just how many execs, which come out of this report not too well as to their cognizance on the issues, will actually you know, read the report in the first place. It would seem that this reports 169 pages is another echo within the INFOSEC echo chamber that once again the executives will not see, hear, or understand because there are too many words to read. Honestly RAND, after you say all these things you really even expect them to read the executive summary and understand it all?

Sampling Problems and Conclusions:

Eh.. Still, even if someone like me were to try to synthesize this report into a comestible for the exec set, I would still have to deal with the fact that I dislike your sampling data and some of your conclusions up to and including your heuristic model ten years into the cyber future. Honestly, what the ever living fuck RAND? Let me start with your sampling of CISO’s out there in the wide wide cyber world.

  As a result of interviewing 18 CISOs, we drew three sets of conclu- sions: those we expected, those that confirmed our suppositions, and those that came as surprises.

Eighteen CISO’s? EIGHTEEN? Holy what the bad statistics Batman! How do you even think you can conclude much of anything from such a small sample of the pool out there RAND? I read that and I literally felt like I had just re-heard one of those old ad’s where “Nine out of ten dentists approve!” What bullshit is this? Ok, let’s forget the whole thing about sampling and statistics, ya know, math and just go with the logic here of talking to only 18 guys. How do you know that these guys aren’t idiots? How engaged are these people? How efficacious is their leadership? I mean all of these things matter when you are asking people for their considered opinions for some kind of study! This number reminded me of a quote from “Back To School” with the late Rodney Dangerfield.

Thornton Melon: [in college bookstore] Hey, you guys get everything you need?

Jason Melon: Oh, yeah, we got it.

Thornton Melon: Good… Hey! What’s with the used books?

Jason Melon: Well, what’s wrong with used books?

Thornton Melon: They’ve already been read!

Jason Melon: Yeah, and they already been UNDER-LINED, too. Get it?

Thornton Melon: That’s the problem. The last guy who under-lined them, he could have been a maniac! Hey, get these guys some new books. Huh? Get some new books, will ya?

The sample is important kids and RAND just screwed the pooch on that one. Which brings me to another interlude they had in the report that shows you just how important this is.

Screenshot from 2015-06-12 08:39:34WHAAAAAAAAAT? What kind of CISO doesn’t even know where the firewalls are?

Oh.. Wait… What am I thinking? I mean how many CISO’s are or were actual practitioners with real world technical experience out there huh? Now that would  a statistic that is rather important to the comprehension of the issue in the first place right? Evidently RAND doesn’t think that this is an important data point in this study though. So yeah, we have “CISO’s GONE WILD” here as well as some seemingly tuned in responses from the whopping sample of 18 respondents that finished an average 15 out of 20 questions on their questionnaire. With these stats these guys may as well be Ponemon for fucks sake!

Conclusions:

In the executive summary they lay out their conclusions from this study and surprisingly I agree with many of them but from long experience in the field not from 18 CISO’s answering nearly twenty questions. Most of these are just common sense really and logical conclusions and there was no need for a survey however poorly constructed to get to the answers. However there are some gems in there.

The conclusions we expected were as follows:

•Security postures are highly specific to company type, size, etc.,
and there often are not good solutions for smaller businesses.

•The importance of intellectual property varies with the individual
firms’ missions.

Cybersecurity is a hard sell, especially to chief executives. ….Yes, yes it is.

•Although CISOs generally lack a way to know whether they are
spending enough on cybersecurity, they split between those who
think spending is sufficient and those who feel more is needed.

….. So 50/50? Uhhh Clue please?

•Air-gapping, wherein networks are electronically isolated from
the Internet, can be a useful option. (In a softer form, it is com-
patible with tunneling through the Internet but otherwise not
interacting with it).

……. NO. WAY. How long have we been saying this?

•Responding to the desire of employees to bring their own devices
(BYOD) and connect them to the network creates growing
dilemmas.

…… WORST fucking idea EVER.

•CISOs feel that attackers have the upper hand, and will continue
to have it.

…… Well duh, they do. It’s asymmetric warfare you idiots!

The conclusions that confirmed our suspicions were these:

•Customers look to extant tools for solutions even though they do
not necessarily know what they need and are certain no magic
wand exists.

……..But Mandiant and others are more than willing to sell you a “wand”

•When given more money for cybersecurity, a majority of CISOs
choose human-centric solutions.

……..What? Where? WHO?!?! FO FUCK SAKES SHOW ME! Oh yeah.. 18 CISO’s DERP.

•CISOs want information on the motives and methods of spe-
cific attackers, but there is no consensus on how such information
could be used.

.…What have I been saying? They want it but really it’s USELESS hear that TI firms?

•Current cyberinsurance offerings are often seen as more hassle
than benefit, useful in only specific scenarios, and providing little
return.

…..But they are all the rage in making sure your ass is covered.

•The concept of active defense has multiple meanings, no standard
definition, and evokes little enthusiasm.

….Yes, well they have not met Dave Aitel or any of the other boys who cry CYBER PEARL HARBOR!

•CISOs lack a clear vision on incentives

… Um not being fired?

•Information-sharing tends to live within a web of trust.

….And next to the land of the unicorns with gumdrop kids

•CISOs tend to be optimistic about the cloud, but, apart from
those who sell cloud services, most are willing to be only cautious
fast followers.

…CLOUD IS THE NEW CYBER VIAGRA! But it isn’t the CISO’s choice remember that CEO guy?

•CISOs are likely to assign lower priority to security-as-a-service
offerings.

…Well, yeah, I mean you wanna outsource everything and have nothing to control?

•CISOs, in general, are not ready to concentrate their purchases
from a single vendor (but also are not sure that heterogeneity is
the best solution, either).

…Meh, I have seen a lot of eggs in one place lately.

The conclusions that came as surprises were the following:

•A cyberattack’s effect on reputation (rather than more-direct
costs) is the biggest cause of concern for CISOs. The actual intel-
lectual property or data that might be affected matters less than
the fact that any intellectual property or data are at risk.

…Ummm yeah, if you have no CUSTOMERS then you don’t have REVENUE right? WTF.

•In general, loss estimation processes are not particularly compre-
hensive.

… Loss estimation of future events.. Say heard of the Cat in box paradox?

•The ability to understand and articulate an organization’s risk
arising from network penetrations in a standard and consistent
matter does not exist and will not exist for a long time.

…Uhh what? WTF? If you are pwn3d and your shit stolen you are fucked. Simple.

God.. What a wankery waste of time having to read all that drivel. It gets worse though as they philosophize on future events with heuristics. WOOOOOO! Now that’s a read! I had to extra coffee up for that nonsense. Look, if you want to study this shit great, but unless you have a solution to the problem why waste my time? Oh, and yeah, I will be the only one reading it all because I have taken a poll of my own that shows EXECS DON’T FUCKING READ THIS SHIT NOR MUCH ELSE THAT SECURITY PUTS OUT!

Just sayin.

I have linked the document above so go ahead if you like pain and read the whole 169 pages. I did and look how well adjusted I am!

K.

Written by Krypt3ia

2015/06/12 at 15:11

Posted in Infopocalypse, Infosec

The DARKNET: Operation Legitimacy?

leave a comment »

strongbox

gaiuaim ioi dui pln!

The DARKNETS…

The “Darknets” You’ve all heard of them. Some of you out there may have traversed their labyrinthine back alleys. However, have you ever thought that someday the darknet would be just as legitimate as the “clearnet” is today? With the recent bust of DPR and the Silk Road there has once again been great interest in the “Deep Web” and this interest was sparked once again for me too. It seems that the darknet is the new black once again and people are flocking to it just like onlookers at a traffic accident. Others though seem to be aiming to use the darknet technology (TOR and hidden services) to support free speech and to pass information as a legitimate whistle blower.

Still Mos Eisley but….

I loaded up TOR & Tails and took a trip once again into the digital Mos Eisley. It is still dark and full of crazy things and if you go there you too will see black market items, services like Assassinations for Bitcoins, and run of the mill blogs. You can (allegedly) buy just about any kind of drug in quantity just as easily as buying/mining bitcoins and paying for your drugs with them. All anonymously (once again allegedly as you can see from the DPR fiasco) via the Onion hidden services and backed by other services from anonymous email on TOR to bitcoin exchanges. However one can now see other sites out there that aren’t so black market oriented as well.

One such site is pictured above. The New Yorker decided post Ed Snowden’s revelations, that it was a good idea to put their new “secure dropbox” on the hidden services. This is a legit site that has been talked about on the clearnet as well as in the media a couple months ago. This is one of the first more legit sites I have seen out there that is offering a secure means to talk to reporters using the security that others on the darknets are using to carry out illegal activities. I have yet to really look at the site’s security but overall I see this one site being the key to showing others out there how the darknet can be used for something other than crime. Of course then again, if you ask the Obama Administration even this site could be considered illegal or an accessory to illegal leaking I guess. It’s really a matter of perspective.

Gentrification?

So what about other sites? What would you out there use the darknet for that is not “illicit” but requires some security and anonymity? I can foresee other sites popping up perhaps in the arena of free speech or even political movements that might like this model to pass their ideals on. I honestly think this is a turning point for the darknet. Of course this is all predicated on the darknet being “secure” after the revelations from the Snowden Archive of late. It seems the NSA is really trying pretty hard to de-anonymize anyone they want to and would love to have it just not anonymous at all. Well, let me re-phrase that.. Have them THINK it’s anonymous while it is not so much to the NSA.

Other sites out there include an online Koran as well as all kinds of other non criminal sites that are.. Well.. Kinda goofy or fringe. I think that perhaps now things might shift as the technology becomes easier to manage making it easier with global connectivity for us all to hang up a shingle in the darknet.

Time will tell though I guess…

K.

The Global Cyber Game

with one comment

globalcybergame

bqrebnbtsinmpvcdro

The Global Cyber Game:

I had been meaning to write about this before when I had originally read the text but things got in the way as usual (work, more work, some more work after that, Defcon/Bsides) Now though I am in a space where I can reflect back on this paper and write about it here for you all to see. The Defence Academy (UK) put this together to describe how we might approach “cyberwar” on the level of game play or game theory. They constructed a board and began to set to the task of creating game play and tactics given certain scenarios in the cyber world. (see image of game board below) You can actually play this game if you create a board from this design and work within the rules of game theory but this is not why I find this treatise so important.

globalcybergame1

What I find most interesting is the actual scenario’s that play out within the game play as well as the end game status that the paper puts it all down to in the end of N-Utopia and N-Dystopia. As one can gather from the inherent meaning of the words, N-Utopia means that we all work out our problems globally and work on bettering society (which in the Nash equations is the best play) or we end up with N-Dystopia, a Balkanization of the net, and warfare that scales all levels up to kinetic and will be the death of us all. Can you guess where I think we are right now on the N-scale? Yes, you’d be right to lean toward the N-Dystopia area. In fact I would even like to see that idea rendered in a new way with an older iconography, that being the Doomsday Clock analogy. Perhaps someone can take that up online and create one for the cyebrwarz eh?

Power Dimensions:

What must be taken into account in the great cyber game is that all of this is centered around power plays. The use of information as power, the use of information to effect actions vis a vis “power” and the varying types of power that are being wielded by the players. This paper covers this idea pretty well and should be required reading for anyone looking to study cyber-warfare along side Clausewitz and other more well known pieces of doctrine. Some however may already be familiar with the ideas of hard and soft power but let’s take that into the electronic warfare arena which is a bit harder to scope today.

  • Hard power
    • Overt threats and rewards
    • Kinetic action
    • Coercion
  • Soft power
    • Cooperation
    • Co-Option

Both of these types of dynamic play off of one another and work in tandem. There actually is a whole spectrum of power plays that can be derived from these basic premises but I will not go into all that here. To date I have seen an abundance of hard power tactics being employed on the game board and I fear that that seems to be what the governments of the world have locked on to as their aegis. I would love for more to try the soft power tactics and methods but I am too much of a realist to hope that it will ever really happen.

The game play today that we are all seeing unfold before us is the hard power of Stuxnet or the ramping up of every piece of malware and 0day conceivable being purchased by the US government or others in an effort to be superior when the battle comes. That is though when they are not using those said same exploits in the darker games of realpolitik that they are prosecuting now. As I see it now we are hurtling towards a massive cyberfail of our own making and the real cost of the bad play will be economies around the world and other collateral damage that may not be an apocalypse as we currently understand them to be.

The power dimensions portion of this paper is quite enlightening and you should broaden the scope of how those plays are made with information and the internet. One must understand the playing field as well as the weapon you wield. This is the main problem I have of late is that all too many people and governments are not understanding the game play, the field of play, nor the tools they are using (pieces) well enough to play the game well. This makes not only for bad play, but in this game there are real world consequences for us all when some government or actor does something immensely stupid.

Cyber Games Today:

So what are we seeing today that has me worried? Well, we have the cybergames with Stuxnet and other malware to start. I liken the release of Stuxnet as skin to the release of a biotoxin or virus that eventually will be re-worked or manipulated into a more fearsome weapon. These are not one use tools, they are in fact re-usable and re-tune-able. Once these things are out there is no controlling them and with the idea of Stuxnet you have something that was used against one target but could affect hundreds more in friendly countries if they had the same configuration.

Another cybergame being played today is the new surveillance state that we find ourselves in. It seems in the case of the US we have people who are interpreting our Constitution to suit their needs under the rubric of protecting the homeland. This cybergame is all about information and the power dimension of controlling it. I have been watching this Snowden affair unfold and frankly I am frightened of the capabilities that the NSA has but I am much more scared that they claim that they are protecting us while a Snowden subverts the very systems they are saying cannot be misused. This particular cybergame when looked at, show’s all of the hard and soft power dimensions at play with the media and the law. This should also be brought into the cyber game play as well.

Yet another cybergame going on is within the public/private sector and I call the “Patriot Games” What I mean by this is that we have non state actors playing rolls of asymmetric warriors online to effect whatever change they see fit. A certain un-named clown for one is a primary actor in this space and really started the trend in my opinion. The cybergamers here are vigilantes nothing more and nothing less and may or may not have an effect on the grander scheme of things on the net and in public policy. For the most part however, these players are on the hard power end of the spectrum and thus just mostly come off as thugs.

Lastly, the cybergame that seems to be the one with the most chance of playing in the larger space is that of Anonymous. Anonymous has been able to leverage many players into semi cogent action and could in the future have a real effect on policy and other dimensions within the cybergame play. The only reason that I place Anon into this game is because of that mobilizing force that they seem to carry. If motivated and able to be cohesive enough this group could affect the greater games being played and have on a microcosmic scale thus far in recent history.

In all, the games that are being played, and they are games, all serve as a means to an end for those paying attention to understand and perhaps help those in the seat of power how not to play the game at all. Our petty squabbling on the internet is just that. The reality is that the net is important and much of our lives today require it to run smoothly but if the net were to go down permanently our society would not utterly collapse. We would survive and we would re-build. The question then becomes would we have learned from it and do things better the next time around?

Cyber-Utopia and Cyber-Dystopia:

The idea of Cyber-Utopia is a far fetched one in my mind and probably many others out there. This would be a great thing if we could make it happen but given the petty nature of our.. well nature.. We will only see this ideal wash up on the rocks and sink into the ocean rather quickly. In the Cyber-Utopia we all work together, we cooperate, and we work towards a better day. … And I just don’t see this happening barring some kind of alien intervention frankly.

Cyber-Dystopia though I am afraid is already the case in many respects. We are seeing an almost Balkanization of the internet today as it is never mind the games being played in reality with Stuxnet and cyberwar. If the N-Dystopia comes to pass we will find ourselves at war with each other constantly in a “cyberworld” much like the episode of STOS “A Taste of Armageddon”  where all warfare is carried out via computer simulations and only the casualties report to be disintegrated as a means to balance it all out. Today though we will see attacks on economies as well as infrastructures to effect “war” (economic, political, or other) on our enemies and the real world costs will have to be measured in profit loss or perhaps even actual loss of human life.

The cyber-dystopia though is more than just an outcome of war. It is the outcome from our own inabilities to work with each other and our ability to rationalize warfare through a non apocalyptic destruction of life. It will be a tit for tat war of attrition that will not lead to any clear victories and certainly not elevate our societies in any way and that is the sad truth of it. Ladies and gents we are already in the dystopia. We just may not understand that yet.

Understand the game:

So, I leave you with the paper: The Global Cyber Game pull it down and read it. Learn from it, play the game if you like, and spend some time thinking about it all. We are on the cusp of another evolution in our society that we have seen repeated in every other evolution we have had. We create something, then we weaponize it. Perhaps if more of us understand it and the pitfalls we can prevent the N-Dystopia from becoming any worse.

K.

Creating Your Own Privacy & ROI

leave a comment »

img courtesy of XKCD http://xkcd.com/

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Preamble

With all the alleged revelations over the drift net surveillance happening to us all by the government I and others have been pondering the processes needed to protect one’s communications online and over the phone. Wired and other venues have put out reasonably ok articles on this but generally I think they have lacked on the ROI factor for the varying degree’s of surveillance that has been carried out for some time now, not just the NSA with PRISM. The immensity of it all I think can put one off on the idea of being able to keep their privacy especially given the pains that one must take to keep it on the nation state scale. However, there is much that could be done to have a modicum of privacy but one just has to understand the idea of OPSEC and have some technical base to work from in order to use the technologies such as TOR or CRYPTO in the first place. It is another thing altogether to keep that mindset every day and to understand the import of their use and the cause and effect that comes from failing to use them.

PRISM and NATION STATE SURVEILLANCE

As Ali (@packetknife) alluded to on the “Loopcast” recently with me, the idea that someone can completely deny the nation state program of surveillance is a tough one to swallow today. We all are connected to the net in some way whether it be your smartphone or some other connected device that we carry with us 24/7. In the case of the smart phone the utter and total pwn that goes on there is spectacular to think about. There is no need for tinfoil hat conspiracies about barcode tattoo’s on one’s neck here, all you really need is an iPhone and connectivity to know quite a bit about a person. This is why the metadata issue is a big one and people are seemingly unable to comprehend it. Let me clarify this for you all by also saying that not only are the calls to and from being easily monitored and mined (stored later for perusal when needed) by the NSA it seems, but also the GPS data as well. Remember the hubbub over the Apple collection of GPS data on the phones a couple years back? Remember the outrage on some parts over this? Well, now look at that in relations to how much of that data is accessible by the government too in this program. More to the point and this has not really been talked about, but are they correlating that data as well in the phone surveillance being carried out? My assumption is yes but like I said that seems to have been dwarfed and drowned out by the PRISM revelations.

Ok so now we are being data mined and correlated on the phone calls we make (metadata). Of who we are calling, how long we are talking, and when as well as  the GPS (location) as well?  All of that data is very informational about the habits of a person alone but start to analyze it from a personal and psychological perspective and you can build quite the dossier on someone without even having to listen to their conversations. Which I hasten to add that there are rumors of the caching of conversations generally not just under warrant from FISA. At this level, the nation state level of surveillance, one cannot hope to really be secure in their communications using technologies as they are because of the access the government has built for themselves post 9/11 with the Patriot Act as it’s fulcrum. Access mind you that we are giving them by proxy of the devices we buy and the services that provide the connection because without them we have no way to communicate other than in person or pen to paper with the post offices help right?

All of this though does not mean that the government is spying on you now. What it means though is that the legalities have been created or bent to the will of the government to have the illusion that the wholesale collection of all kinds of data for later use of anyone using these systems is legal. It also means that no matter the protestation of the government and the law enforcement bodies that they take all due care not to collect/use/surveill you vis a vis your data that there is a chance that someone within the system “could” and “might” do so outside of the rules and that is the problem here … Well other than the Constitutional, moral, and ethical issues that is. Just because it is against the rules does not mean someone won’t do it if they have the access. You know.. Like EJ Snowden having access to highly classified data that perhaps he shouldn’t have? Or furthermore the availability of Mr. Snowden being able to insert a USB drive into systems and siphon off said data to give to the press or anyone who’d listen right?

PRIVATE SECTOR or THE LITTLE SISTERS

Another issue that seems to be taking a back seat here is the notion of the Little Sisters to Big Brother. This idea springs from something I alluded to above in that the corporations that offer you the services (Gmail/ATT/Facebook etc) all collect data on you every minute of every day. They use this data for advertising, data mining, selling that data to other companies to form synergies on how to sell you on things etc. It is this practice of collecting all this data on us and our complicity in it that has given rise to the drift net approach that the government has taken with the surveillance programs like PRISM. The government is simply leveraging the capacities that are already there in the first place! You want to blame someone for this mess? Look in the mirror as you have allowed your data to be collected in the first place. YOU have placed your minute details out there on the internet to start with in email or posts to Twitter and Facebook for example. YOU are the culprit because you fail to understand OPSEC (Operational Security) and just scattered it on the net for anyone to see.

Of course other bits are more arcane. Cookies, tracking data within browsers and the like also give away much data on who you are, what you like, and allow the marketers to tailor ads for you when you go to sites that pay for the services. The aggregate of all of this data makes a digital portrait of you that unless you take pains to disallow the collection, will be sold and used by the corporations to package YOU as the commodity. I mean, how do you think Facebook works? It’s a social contract to connect to others and allow Facebook to make money off of your habits. Zucky is not in this to win a Nobel Peace Prize here ya know.

So when you think about all this surveillance going on please remember that you are complicit in it every time you surf the web, make a facebook post, a tweet, or send an email unencrypted (Google analytics kids) because they are all sifting that data to “get to know you better” *cough* It’s just a friends with benefits thing as the government see’s it being able to just hit them with an NSL and plant a server in the infrastructure to cull the data they want. As long as it doesn’t effect the bottom line (money) for them I suspect their worries about privacy are, well, pretty low on average. I mean after all you have already signed away your rights have you not? The little sisters are insidious and subtle and I am afraid they have already become metasticized within the society body.

The Only Privacy You Can Have Is That Which You Make Yourselves

“The only privacy that you have today  is that which you make for yourself” is something I said a while back on a blog post or podcast and I still stand by it. It seems all the more relevant in the post Snowden world today. By creating privacy I mean leveraging technologies like encryption to keep your communications private and OPSEC to consider how you transmit information over the internet and telco. There are inherent problems though with all of these things as you can always make a mistake and end up leaking information either technically (an instance would be logging online with your own IP address to something) or process wise like putting your current location on Facebook and saying you’re on vacation for two weeks. It is all a matter of degree though and even if you are practicing OPSEC there are things outside of your control when the nation state is looking to spy on you. There are just no two ways about it, you can only fight the nation state so much with technology as they have more resources to defeat your measures eventually by end run or by brute force.

On the level of defeating the little sisters, well the same applies but with limitations. You can in fact surf the net on TOR with NOSCRIPT, cookies disallowed and on an inherently anonymized OS on a USB stick right? The little sisters can only do so much and they only interact when they see a profit in it. They after all are not looking to be voyeurs just for the fun of it. They want to sell you something or sell you as metadata right? However, if you start to anonymize yourself as much as you can and you are diligent about it you can stop the Little Sisters which in turn may minimize what the Big Brother can use too. The caveat is that you have to take pains to do this and you have to know what you are doing. There are no magic easy button offerings on the shelf that will hide you from them all and if you care then you will take the time to learn how to perform these measures.

ROI On Privacy

Finally, I would like to take stock of the fight here that you need to take on and what the ROI is for each adversary involved. In reality unless you go off the grid, change your identity and never touch another piece of technology ever again there is a high likelihood that your information will be tracked. One may in fact create a separate identity to pay bills with and use that one to surf online as well as other things but that is an extreme just like the idea of becoming a Luddite. There must be a middle road where you can feel that you are protecting a certain portion of your lives from the unblinking eye of the companies and governments that own or access the technologies that we use every day. You have to though, understand all of this and accept that in the end you may fail at keeping your privacy yours and yours alone. Come to grips with this and be smart and you can have a modicum of success if you are diligent.

A for instance of this ROI would be on the phones. If you TRULY want to be private then you have to lose your smartphone that you have billed to you and buy a burn phone. Cash is king and there is no information taken if you do it right. The unfortunate thing is that you then have to call only others who have the same burn phones out there without any metdata that ties it back to their real identities. You just try getting mom and dad to buy burn phones to talk to them on… It’s not that easy. So really, some of the ROI is minimized by the nuisance factor. The same can be said for the lay individual who is not going to go buy encryption products nor are they capable of installing a Linux system and running something like GPG. This is not going to work for everyone as well as not everyone is going to care about their privacy as the recent Pew poll showed where 56% of polled ok with surveillance program by NSA.

In the end it all comes back to the idea that you create your own privacy by your own actions. Do not trust that the government is going to protect your privacy and certainly don’t believe that the corporations will either. I mean, just look at how many spectacular fails there were on passwords that weren’t hashed or encrypted in any way by companies hacked by LulzSec. As well you should not trust the government, no matter how well intended, that they will be ABLE to protect your privacy as we have seen with recent events like Brad Manning’s theft of (S) data as well as now Snowden (TS/SCI) The actions of one person can be the downfall of every carefully crafted system.

So what is the ROI here? Well….

NATION STATE:

Crypto and anonymized traffic online will minimize your footprint but eventually they will break you if they want to. You have to be exceptional to fight the nation state level of surveillance. As for the driftnet out there well, unless you go luddite they have a lot of data to sift and commingle. They have a pretty good picture of who you are and much of that comes from the little sisters. Your ROI here is minimal because they have the power and the thing you MUST remember is that CRYPTO IS YOUR FRIEND!! Encrypt sessions for chat and emails and you will leave them with the task of either having to break that crypto or hack your endpoint to see the plain text. Make them work for it. Otherwise you may as well just BCC the NSA.GOV on each and every email today it seems.

LITTLE SISTERS:

The little sisters though are another thing. You can in fact obscure a lot of what you do online and through telco but you have to be diligent. It means time and sometimes money (burn phones or laptops in some cases) to obfuscate as much as you can. The ROI here is that IF you take these pains you are then able to deny them easy access to your habits and patterns. If you start using crypto in sessions and in communications like emails then you will be also geometrically heightening your privacy status. But you have to do it.. AND that seems to be the hard part for many whether it is laziness or apathy I am not sure.

Privacy is what you make of it… He says as he hits enter on a public blog post!

K.

[Jmhhw Kutdegc ohl Vmgi Uizvsr pspmspw avuzyiw ypicl Qephcv Tmwfcj’a yere. Kutdegc plqfkw sd Vqklsn vcukipd.]
Polvc Ayzfiui: Elr npwr, xfslm’k Qephcv Tmwfcj…[tgsoq on i xspbsl ezmpc Auzlmr fom i tpely mbsvi. Uoftsgi rilvk xlc titviv rc mpga mr vua fs tydyzk] Li bcyaf’x wcsg bg lets u xswx.
Zwmpgt: [Ayzea saew] W’g agvvw, pob A hsl’h qwjo jmf npw kstslveirr.
Rckc Kspriv: Oi hm. [Gbwow e aoll] Fexgchid Wiailqlc Eeshkq.
Fmqvix: Sl. Cmi’lm lli eisa A liyf vzwexfwho gr xfs ibziv cbx wx qc nvivw.
Hmay Awjhsl: Bi, bzex’q hbm XFM. Us’lm fsx avuzlivcr zwj hsksmbag wsfpmappybwm.
Tmwfcj: Wz, M wcs. Swm nyqh idwvxffie yszcfhuwrxq. Gyb mt jpwyvvpc bwwbsxspg.
Xquo Kmfxwf: Rs, rvub’k xlc QCI. Oi tpcnmux ssf awnivlayvl’w gmagcfmgyhcwfw, ac hlg ls fpsus lli mhbmj jijzu’a ushcg. Qm’ji xfs awgh ksmm, Usvxw.
Pcazst: Esy, Q uer’r hytd css kbil e vczcmx xlyh ca…Vmgi.
Rckc Kspriv: Uleluy ggyv kwhl, uepj im il xlgg hcefip… [ucdww Fggbwh e jmzxmv tmcqy wx tensl] Uj. Fvgqy.

“THREAT INTELLIGENCE” Sure, there’s plenty out there but, are you an analyst?

with 2 comments

Sfy fdh uua ldy lbrld nswgbbm obrkdvq C phmkmye, utn obnm mify ptm mwy vl sbw mgkznwal htn gz jahwz pvvsijs vl dpgfixc.
Lwuq fnlw ug

 

From Dell’s CTU page

Threat Intelligence

Time is of the essence when protecting your organization’s critical information assets against cyberthreats. However, finding the security intelligence that matters most to your organization consumes precious time and adds strains to in-house resources already stretched too thin. At times, days or even months can pass before vulnerabilities in your environment are patched, increasing business risk and expanding the window of exposure.

Leveraging Dell SecureWorks’ global threat visibility across thousands of customer networks, proprietary toolsets and unmatched expertise, the Dell SecureWorks Counter Threat Unit (CTU) security research team performs in-depth analysis of emerging threats and zero-day vulnerabilities.

Powered by CTU research, the Dell SecureWorks Threat Intelligence service delivers early warnings and actionable security intelligence tailored specifically to your environment, enabling you to quickly protect against threats and vulnerabilities before they impact your organization. The Threat Intelligence service enables you to reduce considerable risk by closing the window of exposure more quickly, and also enables you to spend more time devoted to quickly remediating the risks most pertinent to your organization.

Threat Intelligence services provide:

  • Proactive, actionable intelligence tailored to your environment
  • Clear, concise threat & vulnerability analyses
  • Detailed remediation information & recommendations
  • Consultation with our threat experts
  • On-demand access to extensive threat & vulnerability databases
  • Malware analysis upon request
  • XML intelligence feeds
  • Integration with other Dell SecureWorks services for correlation and unified reporting

ACRONYM SOUP

Threat Intelligence: THREATINTEL another acronym or name of something we in the INFOSEC world are now hearing as a mantra of what we need. Vendors are pimping this idea as they “cloud-ify” their solutions (SOPHOS etc) to give you the proper “Threat Intelligence” for your org. Plug in threat intelligence into Google and you will get zillions of hits that are sales pitches right off the bat. However, recently on the LiquidMatrix podcast the question was posed of “just what is the meaning of threat intelligence?”

I think that is a very important question and perhaps there are more of you out there who may not know. Certainly there are C levels out there I am sure who haven’t a clue what it means as well. A basic understanding of English will tell you that this activity involves threats and their detection, but as a company what are the threats that they would be looking for? A person with a military background may have another idea altogether of “Threat Intelligence” as they may not be so much focused on network or computer issues. Instead they may focus on physical security and the threat of individuals. Still others with a mind toward the world of intelligence, may see a more nuanced picture of the same term with bigger pictures and more subtle ideas.

The upshot here is that for each person or group that takes up the idea of monitoring threat intelligence, they first have to know what they are particularly interested in keeping an eye on, and how their organizations need that intelligence to work for them.

Threat Intelligence Takes Many Forms

In today’s world and from where I am seeing (or actually hearing it used most) is in the world of information security. In this instance, and for the thrust of this article I would like to define the types of threat intelligence that we should be paying attention to in no specific order as all are an equal part of the larger picture:

  • Malware types and propagation
  • Phishing exploits in the wild and their modus operandi
  • Vulnerabilities out in the open (new and old)
  • Your AV and IDS/HIDS/NIDS capabilities (stratified? Not? Multiple types?)
  • SIEM and Network Monitoring of health/traffic
  • Network centric asset management (a good network diagram that is updated frequently)
  • Hardware asset management (knowing what you have and where it is)
  • Software asset management (knowing what you use and what should and should not be there)
  • Network landscapes (yours and others connected to you)
  • Potential Aggressors or bad actors and their types
  • News Cycles on hackers and hacks
  • Political and social “net” movements
  • Your social media posture (PR etc) in the world at large (i.e. social media monitoring of your org being talked about)
  • The state of morale at your organization
  • Industrial espionage potentials for your org (what you hold and why it might be of interest to a nation state or other)
  • Patching and your network landscape
  • The security posture of the orgs that work with you and have connection to you
  • The threat to any orgs that you are affiliated with and connected to (i.e. higher threat and poorer security posture make for a higher threat overall to you)
  • Actionable intelligence from IDS/IPS as well as trending data from a SOC (Security Operations Center)

As you can see from the above, it’s not just getting your hands on an IDS/IPS or a SOC service and looking at the attacks currently being aimed at you. You have to know the environment, know the players both inside and outside of your organization and be able to extrapolate a big picture view that you can then drill down into and have a deep understanding of.

Is this always possible in every org? Certainly not…

However, all of these factors above could lead to a technical compromise as well as perhaps an insider leak of information that could cause you great damage. You see, this has to be a more holistic picture and not just a network centric approach in order to have a better chance at protecting yourself. The focus for many of us in the information security sphere all too often just takes the form of technical means of security when the picture is much more complex. Unfortunately though, this is where many of the companies out there looking to sell appliances and cloud services lead companies and C levels astray.

Threat Intelligence Snake Oil

Sure, a SOC and an IDS/IPS is always a good thing. I am not saying that going without one is a super fantastic idea. What I am saying is first, you have to know your appliance. Know how it works as well as what the alerts mean yourselves, not just let the service dictate to you what an alert means. Now this means that you should have technically capable people who can read an alert, know the environment well, and determine “if” an alert is indeed valid.

Remember the old axiom “A fool with a tool… Is still a fool”

SOC services today often also say they offer you threat intelligence reports. These often are regurgitation’s of news stories on current hacks that have happened as well as patches being put out for various systems. No doubt these are good, but, they don’t always have everything you need to understand the threats. This is if you even get this feature, some places may in fact only offer the IDS/IPS and it will alert you alone without real context other than a CVE and some technical details. It is important when you decide to get a threat intelligence piece in addition to an IDS/IPS service, that you look at their alerts and get a good working picture of just how much information they are collecting, it’s relevance to your org, and its timeliness. After all, if you get an important piece of data the day after an attack, its already too late right?

This is all predicated though on the idea that you have someone or group of people who understand threat intelligence principles and how to apply them to your particular environment. This is where you need “Analysts” Even with a good SOC service that has good threat intelligence for you, it’s useless unless YOU have an analyst who can interpret the data.

Threat Intelligence Requires Analysis

A common issue in the intelligence game is having analysts who understand not only the data, the complexities of environments, and the big picture view of things, but also the ability to “analyze” data and extrapolate from it in a cogent way. Recently Jeffery Carr posted a blog on Infosec Island that was particularly prescient about the need to have the right psychology when performing analysis. He is absolutely right and in his article it was specifically around the intelligence collected by agencies like the CIA. You however are likely not the CIA but, you still need to have an approach to your threat intelligence in the same vein.

The technical side of the threat intelligence needs to be married with the social and psychological as well to have the big picture view of your threats. As I mentioned above, you need to know who might have it in for you, who might target you, why would they target you, and other motivations to have a better grasp of your threat matrix. For this, you need an analyst, or analysts, not just a report from the SOC. The same can be said just for the technical side of the house as well. If you have technical alerts but no real insight into how they work as well as what you presently have in your environment, then it’s game over really. The same can be said if you don’t have an analyst who can then extrapolate all of this into a cogent means of getting it across to the C levels that there is an issue(s) and the urgency or not of remediating them.

Analyses and analysts then, are the linchpin to the whole process. Without good analysis, then the service is useless really.

Graphic from: dmrattner.com

It is paramount to have a working program of threat intelligence as opposed to just getting a service and thinking you are all set. This to me, would be the next level of “Candy Security” in that you are laying all your eggs in the basket of some service like so many still today think that they have a firewall and their all good. As we have seen in the last few years alone, the threatscape of the online world has grown from just malware that steals bank data to malware and attacks that have much broader scope and end goals as well as aggressors that are thinking much more laterally in their approaches.

So once again, analysis is key.

Final Analysis

As the complexity of attacks grow at a rate outstripping the pace of “Moores Law” the defenders have to take up a more nuanced approach to protecting their environments and their data. Reliance on technical solutions alone is not tenable, and as I have said in the past, you have to look at the creature behind the keyboard to get a better picture of the attack much of the time. A better understanding of all of the areas mentioned above will give you a higher chance of at least keeping some pace with the attacks out there against you.

Without analysis and insight, you are in an oubliet.. And you will want to “forget” because if you really think about the threats just from not knowing what goes on in your environment, you won’t be sleeping much. Consider your threat intelligence program if you have one, and if you don’t consider starting one.

K.

Written by Krypt3ia

2012/08/26 at 12:41

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments

X

Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?

K.

Fear and Loathing In INFOSEC: A Savage Journey Through The Security Wet Dream

with one comment

Preface: 

Recent tweets on twitter regarding conferences being attended and the “epic-ness” thereof once again stirred the bile within me and the urge to spew my vile sarcasm upon you all. I have written in the past about the “INFOSEC Deadhead” cycle but it seems once again to be back in swing and is the grain of sand in my brains gullet bringing you this little gem. I also wanted to write a piece in the style of Hunter S. Thompson as an homage to him as well as to bring the psyche back again to the people that he once gave to a generation of swine. We have a new generation of swine that need to pay attention to what “Uncle Hunter” was trying to say and take heed.

As they say, past is prologue right?

As I look around today at our situation where our digital rights are concerned as well as the oppressive culture of fear that has been eroding what America’s “Dream” was supposed to be, (what Hunter actually went looking for all those years ago) I oft times feel like I need to rip his carcass out of the ground and let him rail against us all for not heeding his words. He was ultimately decrying the fear and loathing, the dark desires and the petty crimes that people in power tend to perpetrate because they have the power. Today, that power extends to everything we do because we do it online.

This is the dark and bloody ground, as he would say, that we all have to live on today. The INFOSEC community and it’s corporate masters (or lackeys) are the new Nixon’s and Muskie’s of a latter day passion play equal to the 72 election that Hunter covered for Rolling Stone. The players may have different names, but the outcomes are the same when you look at them from the larger picture of oppression and dirty dealings (Nixon) and those in the community who wish to fight against them (Muskie) but in the end, we too have to come to the conclusion, as Hunter did, that the system itself is corrupt and those who gravitate to it are either already corrupt, or corrupted by it in the end.

This is for you Doc.

Fear and Loathing In INFOSEC Part One: “The Industry is akin to two dogs fucking… Not even a hose can stop them”

I have written before about the “Industry” as have many others in the business. Many of those writers lament the sleaziness of it all now and how they feel sickened by it. Go to any “con” today and you are besot by a bevy of scantily clad booth babes  hawking the warez of this or that instant security solution by XYZ vendor. For those vendors who have caught up with the times though, they instead have the usual grease man with the clipboard at the ready to take your email address to spam the fuck out of you while offering you a spectacular chance to win a new iPad!!

But, this is just one level of the multiplex of INFOSEC Hell, that not even Dante could envision today were he alive….

You see, the real business is done outside the cons, in the boardrooms and the bedrooms, the bars and the back bathroom stalls, anyplace that the corporate greedheads and charlatans can ply their trade… It happens all over the country, but more so than ever today, within the Beltway of this lands capitol. All of these players mime their passion plays to obtain the almighty dollars to sate their needs for more things and to make their daily bread. Grimy hands slither over every inch of the client while pouring soothing words, cooing in their ears about how their solutions will cure their ills and make them more virile than the next guy in line.

It’s Sodom all over again….

Today, we are seeing the works of Hieronymous Bosch coming to life before our eyes, the dull eyes of the damned being clawed and molested by the demons but we are unable to do anything about it. The surging mass of corporatized security snake oil is oozing over every aspect of our lives as the corporate set makes the beast with two backs with the government today in this overly fearful and loathing time post 9/11 and Anonymous. The fear levels of the Bush administration have been supplanted by just one color, the color of fear, and it’s the blackest of black lines covering up the narratives of our lives because it’s been determined to be in the national interest to “classify” it.

It’s all for your protection… Trust us…

But, as we have seen in the last year or so, the security companies and the agencies that employ them, are powerless to stop skiddies from popping shells on their shit and raping and pillaging their and potentially our data in a festival of stupid the likes of which I have only seen in the cheapest of geek shows in a roadside carney just shy of the dustbowl. The barkers in their seersucker suits tell us that they have a show for us like no other on earth. The shill in the audience says “Holy fuck! I saw it and it was fucking great! I am going to see it again” so we go along for the ride thinking that we will be seeing amazing things.

“Trust us, we can protect you! We just bought this here new firewall with DLP protection, it’ll protect your data that we are taking from you.. Err.. We mean, holding for you”

Soon though, you realize that neither the barker nor the shill exhorting you about the wonders, it’s all a scam and you are the rube in the end holding your pockets inside out with your sad hobo clown face drooping as they walk away holding the burlap sack with the dollar signs on it. Hey rube, how are you feeling about the business now? See? There are no sure things in life nor are there any sure fire solutions to your security needs and you have to come to realize that, but then again, now it’s probably too late as you watch that charlatan’s shadow slink into the night huh?

“But… But… You promised me security” slips from your tongue to an empty dirt floored big top and you realize that the carnival of security has taken you for quite the ride. It’s then that the revenuer comes out of the shadows and say’s “Don’t worry, I am from the government, and I am here to help you” This is where you should flee the scene, but you can’t because you have nowhere left to go, the emperor who usually has no clothes on actually stole yours, so naked you stand sheepishly lowering your eyes…

You’ve been screwed.

The moral here kids, is that the corporations, all of them, are not seeking to protect your data. They are seeking to make money. The corporations set up to sell the “security” to protect that data of yours are just as bad, they are just looking to hawk their warez and to make money. Sure there may be some within them trying to do good, but the all encompassing drive for revenue, the almighty deity of all business no longer is to do a good job, or make a great and sturdy product, instead the ethos has been replaced with “make money now as quick as you can and then exit stage right” This is the real drive behind every business today and if anyone tells you anything different they are either fooling you, themselves, or both of you if you really believe it.

Every day there’s a new “Veg-O-Matic” for security and every day a new bypass is found for it by some crackerjack security researcher out there noodling around, or perhaps they aren’t just noodling huh? Perhaps they are actually a cog in the large wheel of the security machine huh? Perhaps they are just a pawn in the great game of security chess, move and counter move and the ultimate goal is the almighty sack of money in the non extradition country bank? What’s the point really anymore other than the congress of conjugal visits with material wealth huh?

Seriously, this is the ultimate corporate and charlatan’s wet dream, a never ending revenue stream from vague ideas that are easy to bamboozle and flim flam people and companies easily with.

“See, you’re gonna have to rip out that root kernel because you are back-boning on my internet”

“Yes yes! Oh my fucking God YES! Say mister how much? How can I get in on the ground floor here?”

A generation of blind and significantly mentally deficient swine are buying the swill of the security industry, charlatans, barons, and hucksters all. Now, you can add to this the government and their need to suckle the security tit as well. Good God are these guys also the biggest bunch of rubes and con men as well. Never a more incestuous bed has been laid in as the one we are seeing now between the government and the whores of business bedding them. Truly, there is fear and loathing kids, and the fear is being fed to you and the loathing has only just begun.

Open your eyes…. See the horrors….

EPILOGUE:

The whiskey is gone now and the sun is setting blood red into the west… I have expended my bolus of bile and bones from having ingested this diatribe only to spit it out in your faces. Take heed dear reader, there will be more… And the next time I will be delving into the government oubliet where they had hoped to hide their collective dirty sins…

But they cannot hide them.. It’s all so Freudian….

Take from this diatribe that in the end, no one is looking out for us corporations or companies. It’s all about profit and sleaze, ego and fame….

Til next time…

“Fear and Loathing in INFOSEC The Community: Ego, Boredom, and Empty Hipserism” coming soon.

K.

 

Written by Krypt3ia

2012/04/17 at 23:03