Top Secret America: The Fifth Column, Uncontrolled and Unaccounted For
The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.
These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.
The investigation’s other findings include:
* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.
* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.
* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings – about 17 million square feet of space.
From Secret America in the Washington Post
PBS Frontline report coming this fall
When this article came out there seemed to be just a collective murmur as a response from the masses. I figured that either people just didn’t care, didn’t get it, or were just too stunned to comment on it. Upon reading up some more and seeing the Frontline piece, I have decided that most people just can’t grasp the sheer import of this report. What this all says to me is that the government has no idea of just who is doing what and how much money is being spent. What’s more, the people (the people as in the voting public) certainly have no idea what’s really going on either.
Another factor here, I think, is that many people just have too much faith in the government and in the corporations. When you really look at it though, once you have worked in the sausage factory and have seen how it’s made, you really never want to eat sausage again. It’s like that with working for the government and/or corporations really. Having spent all these years in the information security business working for Fortune 500 companies as well as the government, I can say I do not want to “eat the sausage.” Of course perhaps the better thing to say is that I do not trust the government nor corporations because they both are comprised of inept people and red tape.
By far though, the concerns that I have are something a bit more ominous in nature. I fear that these machinations will only lead to greater abuses of power by not only the government but also the corporate entities that they have tasked with performing all this secret work. It used to be that there was government oversight of the intelligence community, though you knew that there were some off-the-books things happening. Now, post-Iraq and still ongoing in Afghanistan, we have a contractor proxy war that includes a civilian intelligence element. An element that now seems to be even more “civilian” because it is being operated by corporations and not wings of the government. It gives a new meaning to “black ops.”
Another interesting turn in this “secretification,” to steal a Bush-ism, is the whole issue of just how far the pendulum has swung from the nation not caring so much about HUMINT and intelligence to suddenly being even more fervent about it, it seems, than they were during the Cold War years. I might also hazard a statement to say that since 9/11 it has generally felt more and more like the 50’s again where paranoia is concerned about the “enemy threat to the homeland.”
Are we in danger? Yes. Do we need to have to go back to the 50’s mentality of us and them with a McCarthy-esque twist? No.
Of course all or most of this is aimed at Jihadi terrorists and not a governmental body like the Soviet bloc, and this is where the disconnect seems to be the largest for me. It’s rather ironic actually that all this effort is being predicated on fighting a group of people who are not generally known for being easily infiltrated nor as easy to get a grasp on as the Sov’s were. People just knee-jerked after 9/11 and really, they have only created even more bureaucracy in which the real INTEL will get lost, and another attack will likely happen because of it.
Welcome to Washington’s dementia…
Spies Among US
First of all, when it comes to espionage, nothing in Russia has changed. After all, the real leader of Russia, Vladimir Putin, was a career KGB agent who came up through the ranks, and not by exhibiting democratic principles but rather by being a steadfast believer in communist ideology and the especially harsh methods of the Soviet regime with which we are all familiar. In fact, let’s not forget, no one presently in a senior leadership position in Russia came up through a nursery of democratic institutions, but rather through the vestiges of Stalin, Khrushchev, Andropov, the NKVD and the KGB. Putin, true to his breeding, has surrounded himself with trusted KGB cronies who believe as he does at all levels. So don’t expect anything less from Russia than what they are: not our allies. The KGB had illegals in the United States under the Soviet system and the SVR still does, according to most experts, under the Russian Federation. How many are here? No one knows, but one thing we can be sure of, this is one of their favored ways to penetrate a nation and have a presence there and they are not giving up on this technique.
But why you ask? After all, the Russians have satellites and they can intercept communications and break codes. Yes and more. However, the one thing that Russian intelligence will always rely on is a backup system to their technical expertise in case of war (hostilities). They always want to have a human in the loop who can have access to information and more importantly to other humans.
You see, an illegal that passes as an average American can have access to things no satellite, phone intercept or diplomat can have access to—everyday things, such as a car, a home, a library, neighborhood events, air shows on military bases, location of fiber cables, access to gasoline storage facilities, a basement to hide an accomplice, a neighbor’s son serving in the military, and so on. If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.
Full article HERE
The above is a snippet from a Psychology Today article by a former FBI spycatcher. I bring it to you to perhaps clarify some of the news out there and maybe give some ancillary corroboration to the things I have been saying all along about the 11, now 12 “illegals” that were caught and so quickly deported recently.
It was surprising to see just how many people thought that since the Sov Bloc was gone, the new Russia would not be spying on little ol’ us. I guess this says more about our culture than it does about theirs really. Just as the author says above, the Russians still have the “strong man” mentality inculcated within their culture and they are led by none other than Vladimir Putin, KGB down to his boxers… And still in charge. So why would it be so inconceivable that the Russians would have such illegals programs as well as other NOC operatives in country? It’s certainly the case and always has been. It’s just that the people of the US are too busy thinking about the latest episode of The Hills instead of perhaps geopolitics, huh.
Geopolitics and history aside, the article brings out a key point that I have made on more than a few occasions. HUMINT is very important. This is something that we learned post 9/11 and have been trying to fix since we fucked it all up back in the 90’s (sorry Bill Clinton) by reducing the HUMINT capabilities of the likes of the CIA in favor of technological means of spying (à la the NSA). We went too far in the other direction and got caught with our pants around our ankles because we did not have a man on the ground to give us good intel on the 19.
Then we have the 12 illegals pop up… and everyone is surprised that the Russians are spying on us as well as amazed at the old school tradecraft that they are using.
How antiquated…
Antiquated and still quite functional boys and girls.
Expanding it further out though, the passage that I like the most says that:
If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.
THIS is a key thing to pay attention to. Once you are in, you have so much access that you really don’t need all of the arcane spy vs. spy stuff to get what you really want here. The illegals were a foothold group sent to burrow in and make lives so they could gather data and make friends. They would be, in states of serious distress between the countries, “inside men,” the fifth column to attack the enemy from the inside… Say, does this remind you of anything going on recently? Say, oh, Jihadis recruiting US citizens for Jihad?
Yep.
Situational Awareness is key.
Maltegoing Our New Tsar
So I decided, after the article this morning I found about Howie’s defunct site, to do some searches with Maltego. By using this I came up with all kinds of fun information…
In the end I have located his email addresses, correspondence that has been encrypted with PGP, and a couple of his phone numbers. I also used Google to locate some of his presentations on INFOSEC that he gave via ISC. Amazingly there are no notes with that particular PowerPoint.
Anyway, I am still digging on all of this, but let me just make my mind known about this choice for Tsar…
1) He worked for two companies that have not been known for stellar security
a) Microsoft
b) Ebay
2) He comes from a military/governmental background also. So he knows the DC two-step and is likely to play by those rules. Meaning he is just another insider who will not get anywhere nor be able to think outside the box.
3) The Tsar position has been neutered as far as I have read and thus is just another “Captain Dunsel” in Star Trek parlance.
In the end, I have little hope that anything will change for the better with regard to our information security posture as a nation both governmentally and privately. In other words, get the rations stored, the water tanked, and the ammo stockpiled.
CoB
An IT security pro’s personal tale of a long and bloody job hunt and what it says about the industry’s current state of affairs.
Why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remediate the breach? Why is it that they seem to degrade a vital component in any business — the security of their data? Don’t they know that one serious breach can jeopardize the existence of their business and perhaps lead to criminal investigations? Why is it that many organizations just have one security executive with no staff and hardly any budget to work with, as just a figurehead in the organization? Several states and the federal government have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.
Never mind the mountains of lawsuits that can put a company out of business. This is what’s going on — many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organization’s assets at risk — particularly in this economy where security staffs are depleted and not valued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.
At the federal level, top information security specialists have been saying for years that our current infrastructure is at grave risk. Serious breaches have since occurred, and the government is now scrambling. Most of the agencies have been mobilized, and at least four of the national laboratories are in an all-out effort to combat breaches and prevent future ones. Billions of dollars were budgeted to upgrade and secure the nation’s infrastructure, and why was this? Because the same pattern keeps repeating itself. Security is ignored or pushed lower in priority until a crisis erupts and then there is a scramble to correct the problem.
While I am still gainfully employed, I also can say I have seen firsthand this “effect” in many places over my time in the field of information security. I can also attest that in this climate companies are still very much trying to do more with less, including security. Much of the time they instead choose “security through obscurity” or outright ignorance as their way ahead.
Frankly, unless the government creates and imposes laws and large fines for data loss, all too many companies are willing to sign off on the risks of compromise, even if they are high, and just hope for the best. At worst, there are companies with CIOs who are just not cognizant at all about information security and instead focus all their attention on the financial bottom line and “customer satisfaction.”
Still worse, imagine the CIO or the CSO who knows the dangers and is forced to, or chooses to, ignore them to save the company money. In the end though, they all are likely to feel the sting of the hackers’ keyboard as they steal their data and perhaps their reputations.
So why is it that these companies and C-level execs just fail to see, or blind themselves to, the dangers and do not work toward remediating them?
Greed?
Sloth?
Inability to grasp subtle concepts like hacking?
I really wonder…
Spot The FED Goes HI-TECH
Feds at DefCon Alarmed After RFIDs Scanned
LAS VEGAS — It’s one of the most hostile hacker environments in the country –- the DefCon hacker conference held every summer in Las Vegas.
But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.
The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.
Nice! Now, just how stupid is it that all these folks had their IDs on them in the first place? Really, you go to a con, you lose all your ID, man! You would think too that these guys would get the whole “match face to data” thing, because this is the trend in much of the surveillance world now. So many systems are tied together and audit comings and goings in the very places that they need the ID for in the first place…
I guess it’s just this time the tables were turned and the watchers were the watched, eh?
The Presidential Cyberspace Policy Review.. Or, “shrug”
On Friday last, President Obama and Melissa Hathaway released their 60 day review of the state of cyberspace security in the U.S. Well, that is to say, what our posture is as a country and a government really. After having read the report over the weekend, I have come to the conclusion that even after a 60 day review, the president and staff (including perhaps Hathaway) have not one clue as to how they really can make a difference in the country’s cyber security levels.
There are platitudes and half thought out postulates on having more “investigation” into how to handle many of the issues at hand where the security of the country via the internet and computing are concerned. But the big answers are just not there, folks. Just how much more investigation are we going to need before the government actually makes a decision on how to mandate secure practices, enforce them, and secure the nation’s infrastructure properly?
Of course I understand that this is a complex issue and surely it just cannot be fixed right away with a clap of the hands. However, I do expect there to be more substance and direction here in this document. All in all, I was unimpressed really and hope that perhaps this was just a slow start for the administration. It remains to be seen I guess.
What would I recommend?
1) The carrot and stick program for contractors and private sector should have more stick and less carrot. I firmly believe that if the private sector is not forced to change their lax security ways with mandates from the government, then they will not change at all.
2) The position of presidential liaison for cyber security initiatives needs to be more than just an assistant position, which is basically what it is now per the speech and release of the report. This position needs to be cabinet level, have more solid mandates and certainly have essential empowerment to help shape the security of the country’s infrastructure. As it stands now, this position will just be the middleman between government bodies and will likely feel more like a yo-yo than a position that can effect real change.
3) A separate agency should be created that is autonomous from DHS, CIA, NSA, etc., and it should have as its primary goal the enforcement of secure processes, implementations, and oversight within the arena of cyber security. The infighting between agencies now would only be a detriment, and we have all seen just how well DHS has been handling our data, never mind keeping us “secure.” Giving DHS anything to do with cyber security would only serve to hasten the utter defeat that the likes of the Chinese would love to inflict upon us.
4) Said agency will have to have a direct and solid mandate, with backing from the highest authorities, not only to educate the nation on security but also to enforce any laws and/or policies that the government creates covering infosec and cybersec. Red teaming and audits that occur on a regular but “unplanned” (spot check) basis should be the norm. These types of audits will keep the private sector on their toes and allow for less cheating of the system.
As it stands now, this document only vaguely points toward an idea of what the government “wants to maybe” do concerning the security of our infrastructure. This is a step in the right direction admittedly, but it is just not enough.
Conficker Object Lesson: Due Diligence Is Key
In my view, the Conficker worm provides a microcosm of the complexity of IT security and the pressing need for security best practices. Here are a few examples:
- Conficker reinforces the link between IT security and operations. Organizations with strong asset, configuration, and patch management processes were probably able to patch vulnerable systems before Conficker first appeared in November 2008.
- Conficker demonstrates the need for device authentication and port blocking. Conficker uses USB flash drives as a means for propagation. This should serve as a wake-up call to security professionals that USB drives can act as a modern-day “sneakernet” for spreading malicious code or stealing confidential data. Addressing these threats means limiting USB access to authorized drives (through means like the IEEE 1667 standard) while filtering all traffic that flows to or from USB drives.
- Conficker contains a password-cracking program that can break simple passwords like “1234” or “password.” This demonstrates the need for strong password enforcement, password management, and even multifactor authentication.
- Finally, Conficker is an extremely aggressive worm that looks for open file shares on the network to create yet another propagation method. Detecting this activity demands network traffic analysis and an understanding of normal versus anomalous behavior.
The rest HERE
This guy hit it right on the head! The poor security practices of many a company out there will be their undoing should Conficker actually do anything of merit. Why is it so many places do so little to really secure their environments? Why, when they are told how to secure and why they need to, do they do nothing or just a half-assed job at “Due Diligence”? Well, let’s see what tomorrow brings… Well, nothing likely tomorrow, but give it a few days…
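The last point in the quoted list, that catching share-scanning propagation demands traffic analysis and a notion of normal versus anomalous behavior, is the one that most readily turns into detection logic. The following is an added example of my own, not code from the quoted article or from any Conficker analysis: it takes constructed flow-log lines (the `src=... dst=... dport=...` format and all addresses are made up for this example), counts how many distinct hosts each source opened TCP/445 to, and compares that fan-out with a per-host baseline. A workstation normally talks SMB to a handful of file servers; one that suddenly reaches dozens of peers on 445 is what a worm sweeping for open shares looks like in flow data.

```python
"""Flag hosts whose SMB (TCP/445) fan-out departs from their baseline.

Added example, not from the quoted article. The flow-log format, the
addresses and the baseline figures below are all constructed for this
demonstration and do not describe any real network.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: 10.0.1.15 talks to its two file servers and a web server
# (normal); 10.0.1.77 opens TCP/445 to forty different hosts in a /24 (a sweep).
SAMPLE_FLOWS = [
    "2009-04-01T10:00:01 src=10.0.1.15 dst=10.0.0.5 dport=445 proto=tcp",
    "2009-04-01T10:00:03 src=10.0.1.15 dst=10.0.0.6 dport=445 proto=tcp",
    "2009-04-01T10:00:04 src=10.0.1.15 dst=10.0.0.80 dport=80 proto=tcp",
    "this line is not a flow record and must be skipped",
] + [
    f"2009-04-01T10:01:{i:02d} src=10.0.1.77 dst=10.0.2.{i} dport=445 proto=tcp"
    for i in range(1, 41)
]

# Constructed baseline: distinct TCP/445 peers each source normally has per day.
# In practice this would be learned from a quiet reference period.
BASELINE_PEERS = {"10.0.1.15": 2, "10.0.1.77": 1}
DEFAULT_BASELINE = 3  # assumed for hosts with no recorded history


def parse_flow(line):
    """Return (src, dst, dport) for a matching line, or None for anything else."""
    match = FLOW_RE.search(line)
    if match is None:
        return None
    return match.group("src"), match.group("dst"), int(match.group("dport"))


def smb_peer_sets(lines):
    """Map each source address to the set of distinct hosts it contacted on TCP/445."""
    peers = defaultdict(set)
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue  # tolerate junk lines instead of aborting the whole run
        src, dst, dport = parsed
        if dport == 445:
            peers[src].add(dst)
    return peers


def flag_share_scanners(lines, baseline=BASELINE_PEERS, factor=5, floor=10):
    """Return {src: distinct_445_peers} for sources whose fan-out is anomalous.

    A source is flagged only when it exceeds BOTH an absolute floor (so a host
    with a baseline of 1 is not flagged for reaching 6 peers) and a multiple of
    its own baseline (so a backup server with a baseline of 40 is not flagged
    for reaching 45).
    """
    hits = {}
    for src, dsts in smb_peer_sets(lines).items():
        expected = baseline.get(src, DEFAULT_BASELINE)
        if len(dsts) >= floor and len(dsts) > factor * expected:
            hits[src] = len(dsts)
    return hits


if __name__ == "__main__":
    for src, count in flag_share_scanners(SAMPLE_FLOWS).items():
        expected = BASELINE_PEERS.get(src, DEFAULT_BASELINE)
        print(f"ALERT: {src} opened TCP/445 to {count} distinct hosts (baseline {expected})")
```

The two-part threshold is the design point worth keeping: an absolute floor alone would flag legitimate backup or management servers, and a baseline multiple alone would fire on any quiet host that touches a few extra shares. Run over the constructed sample, only 10.0.1.77 is reported, with 40 distinct peers against a baseline of 1.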