(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Linkedin’ Category

30 Years of Password FAIL

leave a comment »

It’s not simply that we have empirical evidence suggesting that passwords are easy to crack; neuroscience has indicated that the human brain simply doesn’t perform well at free-associating text that, on its own, has little inherent meaning. As one of the papers cited puts it, “the multiple-password management crisis [can be viewed as] a search and retrieval problem involving human beings’ long-term memory.” And, although our long-term memory for images and words that we’ve assigned meanings to is quite good, we don’t do as well with passwords, which (ideally, at least) should look like a near-random string of characters. It’s another challenge entirely to remember which password to associate with a specific account.

Full Article Here:

Well, there you have it. The human brain just can’t handle complex passwords? Really? Uhhh How about this theory in its place;


… Yeah, now I feel better…

So where were we… Oh yeah, evidently the human brain isn’t so good at linking random strings of data to login data needed to access systems. Interesting.. So this lump of grey matter is generally unable to do this well after thousands and thousands of years of evolution eh? Seems to me that through wrote memory as well as muscle memory I do just fine with complex passwords. Or is it that I am some sort of uber mench?

This only leads me back to the idea that the human condition really is just fat dumb and lazy and this is just a malaise we have created for ourselves. Let the empirical data of this “survey” be damned. What’s worse though comes in another passage later on:

One possibly disturbing development was noted: about seven percent of the respondents had become cynical about computer security, having decided that no amount of adherence to best practices would protect them from hackers. Fortunately, this group seemed to be just as good (or just as bad) about using best practices as the rest of the population.

This bugs me. Mostly because I know its all too true that many people, if they don’t really understand the precepts of infosec, will just not care or give up. They will instead if allowed, become the worst security threats to an environment through their sloth.

I see it every day this nonchalance… And every time I say we need to insure that things are done securely I get the look of:

“There he goes again”


Written by Krypt3ia

2009/10/18 at 17:11

Does Your Company Classify,Protect, and Track Its Data?

leave a comment »

Ex-Ford employee held in data theft

Engineer charged with copying proprietary documents and trying to sell them in China

Bryce G. Hoffman / The Detroit News

The Justice Department charged a former Ford Motor Co. engineer with stealing company secrets and trying to peddle them to Chinese competitors.

Chinese-born Xiang Dong Yu — also known as Mike Yu — was arrested Wednesday at Chicago’s O’Hare International Airport when he tried to re-enter the country from China. The 47-year-old is charged with five counts of theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer.

According to a federal indictment unsealed Wednesday, Yu was a product engineer for Ford from 1997 to 2007 and had access to Ford trade secrets. Law enforcement officials say that, just prior to leaving the Dearborn automaker, Yu copied thousands of confidential documents, including what they described as “sensitive Ford design documents” and “system design specification documents.”

Full Story Here:

Ya know, is it me, or are we seeing more cases of industrial espionage from China lately? Hmmm, guess it’s just my imagination… NOT. So, this begs a question;

“Just how many more cases have there been that just never got caught on to?”

Now, I assume that Ford caught on to his espionage by either one of two scenarios;

  • Yu was sloppy and someone in his group of workmates saw or felt that he was taking large amounts of data or acting strangely
  • Yu was caught with auditing from the file servers that he was accessing the data from
  • Now, I would love to think that they had auditing measures in place and caught on to his taking of mass quantities of data by copying them to an external drive… But… Well, given what I have seen in many companies, this just isn’t as likely a scenario as one might suspect.

    So, ask yourself this question.. Just how many companies out there that make important machines, or hold important data actually are performing the “due diligence” to protect their own IP from being stolen and placed in the hands of the likes of China?

    My last post has insight into the collective mindset at many corporations. security has always been the first budget to be cut in bad times and even today, with all the threats in the environment, still the corps cut off their nose despite their face.

    Now take this idea and apply it to the government. A place where turf wars are preventing proper securing of the space and laws are weak…

    Good god we are screwed…

    No wonder all of the “Cyber Tsars” keep quitting eh?

    Just sayin…

    Anyway, one has to wonder just how much of our data is in the Chinese hands by the likes of Mr. Yu and others like him… Perhaps we will never know because companies are just not able to, or willing to implement the right proactive remediations to stop them if not just track their data leaving their domains…

    ** EDIT ** Well in looking through some Google searches it seems that they caught Yu getting OFF the plane from Mainland China.. So.. OOPSIES, I guess Ford was not too proactive were they… Damage done.

    E-Waste: Pollution, Security Risks, Epic Greed, Epic FAIL

    with one comment


    Through the years working in the information security game I often saw the upgrades that happened rather frequently. Such upgrades seemed to happen almost bi-monthly in some cases, but overall it was always about the speed of systems.

    We need the speed to work faster faster faster!

    Well, where did all that old equipment go that actually still worked? For that matter what about the stuff that actually broke? I had been living in the dream world that said:

    Don’t worry, we will re-cycle your pc and pass it on to bridge the digital divide! Soon, second and third world countries will also have the beginnings of digital infrastructures using our old systems and the economy will grow.

    Wrong…  It rarely really happened. Whats worse, the systems in question would go out of the country to Ghana, China, Pakistan, etc including hard drives that had not been wiped or cleaned of data. Is it any wonder why then Ghana is a capitol of cyber crime?

    Gee, I wonder if Nigeria and Ghana work together, ya know, rival gangs trading in our data from e-waste that unscrupulous dumpers have just sent over for a quick buck. Of course that is only one part of the problem, but I will be getting to that in a bit. For now though, I would like to look at the PII and Digital dumping ground angle where our data is concerned.

    Exactly what are companies thinking just getting rid of hard drives full of data by selling them wholesale to just anyone? Working hard drives filled with corporate, personal, and other data that perhaps could be the next transwarp drive plans from Rocketdyne? WTF? Are we just stupid? Are we collectively brain damaged? We do this, then we get robbed digitally and we moan and wail about it all the while not comprehending that we did it to ourselves?

    Do we just inherently lack the capabilities to comprehend that we save shit to hard drives that can be easily plugged into another machine and just pulled up on a screen? Are we just too busy playing with our digital navels to care? It would seem so.

    I guess we deserve to be p0wn3d….

    Now on to the pollution:

    I just don’t get it rationally… I can only really understand this: We are greedy, fat, and stupid as a country. We don’t care about other countries peoples, we don’t care about the environment as a whole, and really, what it comes down to is this:

    Not in my back yard… But meh, its fine for the Chinese or the Ghanians to poison the water and air in “their” country.. I mean hell, its not “MY” back yard…

    Well fucktard, it is YOUR back yard. You see, we live on a globe suspended in space. What poisons the Chinese will eventually make it here by wind or water… Trust me.

    I am just flabbergasted by it all… I really have no idea what to do either. I tend to keep my equipment and recycle things that are still running. There have been more than a few donations I have made to individuals who had no systems to use that now can get on the internet with some older machines.

    But this.. the proportions of it.. What can one person do? Hell MIT tried to help people with one laptop per child and M$ and others pretty much killed that one… M$, yeah… fuckers… Talk about greed. Of course Bill now is trying to use his money to patent “alleged” technology to stop hurricanes..

    Think on that a minute.. He is PATENTING the anti hurricane technique! It’s like saying I am patenting the cure for cancer! How about doing something for humanity Bill?

    Ugh… My heads exploding.

    See the videos:

    Frontline report:

    60 minutes:

    Manufactured Landscapes:

    Written by Krypt3ia

    2009/09/04 at 13:13

    Chinese Espionage: Britain’s MI5 reports epidemic in spying

    leave a comment »

    In spite of repeated warnings to businesses, companies in the UK continue to hire Chinese workers without conducting background investigations or verifying previous employment.

    Chinese government officials and businessmen are proven aggressive in their attempts to find out everything about how Western companies operate and how they are structured.

    It is old-fashioned human intelligence gathering — it’s thousands of years old and it works.
    Taking a page out of Sun Tzu’s “The Art of War,” they believe intelligence operations will give them the victory they seek, whether in terms of military prowess or industrial success.

    Using stealth tactics such as sending visiting delegations of Chinese businessmen, the spies are able to penetrate what little security companies employ to thwart theft of information.

    One British firm eager to develop its business with China recently invited a delegation to visit its UK factory, according to The Guardian. The Chinese authorities sent a delegation, but only a few of them turned up. The rest were believed to have traveled around Britain inviting themselves to defense and research establishments. Again, they were able to penetrate the security measures in place at these facilities.

    According to one news story in the UK, if a British company creates a fuss about visitors who fail to turn up, the Chinese threaten to cancel the company’s license to trade.

    I’ve said it before on numerous occasions and I will say it again now. “We are under siege” and many of the companies in this country (and evidently the UK) are CLUELESS to this.

    The Chinese are very good and very patient. They have taken Tsun Tzu to heart and have been besting us every day because we are comparative simpletons in the public sector where this type of industrial espionage is concerned… Nay, lets go further and actually carry that over to the military and Federal sector too I think.

    Tag this to the cyber opertaions that China has developed and our lacking security practices, and you have quite the opportunity for taking much of our intellectual capitol. I think that the counterintelligence director needs to get more sunlight in the public sphere to get companies aware.

    Read the full article HERE

    Written by Krypt3ia

    2009/08/28 at 15:21

    EMP/HERF/HEMP: What.. Me Worry?

    with 4 comments

    Recently I have been hearing more and more in the news how the senate and house have been having hearings on EMP threats to this nation. As I began to hear more of this, I inevitable came to the question of “Why now?” I mean, this has always been a threat as far as I am concerned. Of course now its even more pressing an issue as we are so “interconnected” today with the internet and communications infrastructure in general… But, just what was it that was making them get all hot for this now I wondered. Had they heard something from some intelligence body and were all freaked out?

    I had thought on this a while and really had kinda just forgotten about it until this last Friday when I was headed home from work and listening to NPR’s Science Friday show. As if on qeue, I turned on the radio and there was Congressman Roscoe Bartlett railing on the dangers that we face should a terrorist or a nation state decide to use an EMP/HEMP device on the US’ infrastructure.

    I sat in the car at the end of my trip still listening to the end of his interview, when it was over I knew I had to really take a deeper look into why these people had suddenly had a fire lit under their collective do nothing asses. Come to find out that perhaps that fire was lit 9.12.01 and has been steadily becoming a blaze as the eggheads began to show the congress-critters just how fucked we would be if someone used an HEMP on us.. Only now, something had changed in their collectively lazy minds.. We had been attacked on our own soil and SHIT WE’RE FREAKED OUT!

    So, today I sat down and Googled the, .gov, .mil, and other domain spaces with key words of EMP/HEMP/HERF etc. What I found is a plethora of documents that began to spring up around 2003/2004 concerning the threatcon of a terrorist or nation state EMP attack… Funny thing too.. Gee, 2003, that was the year of the great blackout of the northeast.

    Ya know.. the one that “trees” allegedly caused? Yeah…

    The primary document that I came up with that was the most recent is: The Report of the Commission to Assess theThreat to the United States from Electromagnetic Pulse (EMP) Attack which, in 208 pages covers all of the problems this nation (and I assume other places) has regarding our infrastructure where an attack of this type is concerned. Suffice to say, that this document has some rather dire things to say. Including the following passage on the magnatude of weapon that could cause a major failure of our infrastructure;

    The magnitude of an EMP event varies with the type, design and yield of the weapon,
    as well as its placement. The Commission has concluded that even a relatively modest-to small yield weapon of particular characteristics, using design and fabrication informationalready disseminated through licit and illicit means, can produce a potentially devastating E1 field strength over very large geographical regions. This followed by E2 impacts, and in some cases serious E3 impacts operating on electrical components left relatively unprotected by E1, can be extremely damaging. (E3 requires a greater yield to produce major effects.) Indeed, the Commission determined that such weapon devices not only
    could be readily built and delivered, but also the specifics of these devices have been
    illicitly trafficked for the past quarter-century. The field strengths of such weapons may
    be much higher than those used by the Commission for testing threshold failure levels of
    electrical system components and subsystems.

    Laymans terms, even a small device placed in the right place or even an HEMP (High Altitude) of moderate size, would likely bring this nations infrastructure to a grinding halt and it would stay down for some time. You see, our infrastructure is very much dependent on itself to feed itself. If the power goes out, then there is no power after the reserves run out to keep the other systems running. In fact, even the power generation, and its getting to you requires the very power that is generated to get it TO you and regulate it so that things don’t implode in on themselves! In essence, the grid goes down, then everything goes too soon afterward. No cell phones, no emergency services because you cant call them because the phones and cell phones don’t work.. because there’s no power… You see where I am going. The system, and by system, I mean the utilities infrastructure, is not only antiquated in many ways and stretched, but also, that which is not antiquated, is EXCEEDINGLY susceptible to this and other E1-E3 attacks. How do we know? Because the commission actually set up tests as best they could, and they could crash systems with low end EMP devices, thats how.

    Yet, the commission also admits the following thing in this passage;

    Additionally, analyses available from foreign sources suggest that amplitudes and frequency
    content of EMP fields from bomb blasts calculated by U.S. analysts may be too
    low. While this matter is a highly technical issue that awaits further investigation by U.S.
    scientific experts, it raises the specter of increased uncertainty about the adequacy of
    current U.S. EMP mitigation approaches.

    Even our testing and our data is suspect and we may even be in a worse state of affairs than we think from bad data!


    So lets break it down shall we? What’s vulnerable and just how much?

    The Power Grid:

    Fear not only the terrorist though my friends.. Did you know that nature too has actually D0S’d our power grid in the past? Yep, its true.. From lightning to the more fearsome EMP bursts from the sun. We live in a world where our very society hinges on the power being available to keep our lights on, our food cold, and our MTV on the tube and it could all be taken out by an EMP burst from the sun. Now that’s one hell of an EMP.

    A key issue for the Commission in assessing the impact of such a disruption to the
    Nation’s electrical system was not only the unprecedented widespread nature of the outage
    (e.g., the cascading effects from even one or two relatively small weapons exploded
    in optimum location in space at present would almost certainly shut down an entire interconnected
    electrical power system, perhaps affecting as much as 70 percent or possibly
    more of the United States, all in an instant) but more significantly widespread damage
    may well adversely impact the time to recover and thus have a potentially catastrophic

    High-value assets (assets that are critical to the production and delivery of large volumes
    of electrical power and those critical for service to key loads) in the system are vulnerable
    to EMP through the loss of protection equipment due to E1 and even if E3 levels
    were not large enough to cause damage. The largest and most critical of these are
    transformers. Transformers are the critical link (1) between generation and transmission,
    (2) within the transmission network, (3) between the transmission and distribution
    systems, and (4) from the distribution to the load.

    Wait though, it gets better… Did I mention that much of the equipment, like transformers, actually is not something we can get “COTS” ? Did you know that it would take a year or more in some instances to get a new one? Now imagine that more than one.. More than three… Have been taken out permanently by an E1-E3 event?

    The transformers that handle electrical power within the transmission system and its
    interfaces with the generation and distribution systems are large, expensive, and to a considerable
    extent, custom built. The transmission system is far less standardized than the
    power plants are, which themselves are somewhat unique from one to another. All production
    for these large transformers used in the United States is currently offshore.

    Delivery time for these items under benign circumstances is typically one to two years.
    There are about 2,000 such transformers rated at or above 345 kV in the United States
    with about 1 percent per year being replaced due to failure or by the addition of new
    ones. Worldwide production capacity is less than 100 units per year and serves a world
    market, one that is growing at a rapid rate in such countries as China and India. Delivery
    of a new large transformer ordered today is nearly 3 years, including both manufacturing
    and transportation. An event damaging several of these transformers at once means it
    may extend the delivery times to well beyond current time frames as production is taxed.
    The resulting impact on timing for restoration can be devastating. Lack of high voltage
    equipment manufacturing capacity represents a glaring weakness in our survival and
    recovery to the extent these transformers are vulnerable

    There you have it. The grid, the very SAME grid that the government now wants to make more “computerized” is insanely vulnerable to this type of attack. Come to find out too, that its actually pretty much vulnerable to many other types of attacks or accidents too. It’s just that an EMP would be large scale and or, would have a feedback loop associated with it that would systemically kill great swaths of the grid. Much like what we saw in 2003, August when the *cough* trees, caused the northeast to go down.

    Oh, and by the way, think on this too. A cyber attack on these same systems, if carried out properly, could have the same effect. If you kill or futz with the SCADA you can kill the system and have that same feedback loop occur. So, if you are thinking well, whew! I really don’t foresee a nuke detonation at altitude you might want to consider our current security posture too and feel your sphincter tighten a bit. All it would take is a concerted effort and something along the lines of a BOTnet and BOOM, we could have deep power outages that could take protracted times to repair.

    So where does that leave us? If the power is out, then nothing can really run unless you have backup power. However, backup power requires that you get more fuel, unless you have a Mr. Fusion handy, then you could just dump your compost into it. Nope, you will need a truck to bring you oil or diesel.. Of course you will need to call them.. But your cell phone is fried, and so are the towers, and the towers that may have escaped the full blast? They are overloaded just like the day of 9/11. You are not getting through.

    So lets break it down by service.


    • Cell phones and towers are highly susceptible
    • Landlines are not so much, but the switching stations that are more modern and thus will be inoperable


    • Just one word SCADA Its been tested and is highly vulnerable to EMP even to the point of having problems with radar causing systems to fail
    • Gas and oil production would be at a standstill or worse, the plants could actually catch fire from pressure etc


    • Switching systems on rail have gone to the computer and as we have seen recently, can get hosed up and cause large scale accidents
    • The systems are basically SCADA/DC systems that are vulnerable to this type of attack
    • Most of these systems reside in small metal boxes near the rail.. Open to attack


    • GPS and other NAV systems on ships/trucks etc today are all micro circuit based and have proven to be vulnerable to attack by E1-E3 events
    • Most cars and trucks now have microchip systems within them that regulate the operation of the car. No chip, no run.. so the car becomes a large paperweight
    • Motorcycles not so much, unless you have a goldwing or something along those lines
    • Air travel will be down. Not only the planes systems will be fried but also the towers will be without power and their computer aided radar will be offline


    • The financial system is a bit more resiliant to the power loss potential of an attack. However, their computer systems are still not shielded for an EMP event and thus, even redundant systems would be fried.. and without power after the generators ran out of diesel

    What does this tell you all? It tells you that even though we have known about this type of attack since, oh, 1962, we have done nothing to really shield any of our systems that we have put in place. No Faraday cages, no shielding on the circuits, nada. It would have been too costly and no one could concieve of such an attack on us!


    I vote more on the saving money thing and being generally lazy, but, I am jaded.

    So where do we go from here?

    The commission has made recommendations and even put in the monetary figures that would be necessary to take care of the issues. Will they happen? Will they happen especially since we are going to have a “smart grid” now that is going to likely be just as, if not MORE vulnerable to attacks both EMP and cyber?

    My answer.. nope.

    Why? Because inevitably people will say that the congress-critters are over reacting and that this attack is not likely to happen. If the Qaeda boys get their hands on a nuke, they aren’t going to get this kind of nuke! No! They are going to get a suitcase nuke and blow the fuck out of some poor city like Boston!

    Whats that? The Russian navy just had TWO subs that avoided our SOSUS nets off the East Coast last week? Meh, Pooty Poot said not to worry! They were just here to listen to our “rock and roll” before heading down to Cuba for a good time! It’s not like they could carry a small yield ICBM style nuke that would make a damn fine HEMP! C’mon!! Don’t be crazy!

    Never mind the idea that the Chinese have their hands on technology for E1-E3 devices that need not be high altitude. Did you know for instance that those BIG ASS transformers that take a YEAR to get are pretty much made only by them? Yeah, uh, the Chinese make our transformers that are the linchpin to our grid.. Ya know, the ones that are really really vulnerable?

    Lets postulate here a bit too.. We’ve been worried about the Chinese market in fake chip sets getting into our military hardware.. Gee, how about them being in our big ass transformers? Hell of an exploit were they to hide chips or features in those transformers..

    Click.. ZZZZZ POP! There goes the grid, and there goes our dominance in the world. Sure, you can say the Chinese would be only shooting themselves in the head being our biggest lender and trading partner… But, if you were them and you really didn’t care because you would WIN the war simply, wouldn’t you do the same thing?

    So back to where do we go from here… For me I think its going to be looking into a faraday cage for the basement.. More power generation tools like solar etc for the house, and stocking up on non perishables. That’s about all one can do really. You see, your government is too big and too ossified to really effectively remedy the situation. While they argue with each other over who’s sleeping with who’s wife and what it means to be a “Real American” the enemies are collecting the armaments necessary to take us down.. At least for a while.

    All YOU can do is prepare and take care of yourself and yours.

    Lets hope this doesn’t happen.. But if it does.. Be ready.

    For more reading go HERE

    Listen to Roscoe Bartlett HERE:

    Twitter As Command and Control for BotNETS

    with one comment

    Hackers Use Twitter to Control Botnet

    Hackers are now using Twitter to send coded update messages to computers they’ve previously infected with rogue code, according to a report from net-monitoring firm Arbor Networks.

    This looks to be the first reported case of hackers using the popular micro-messaging company to control botnets, which are assemblages of infected PCs that can be directed to spy on their users, send spam, or attack web sites with fake traffic.

    The rest here:

    Hell of an idea to use the RSS feed from 140 character postings to command and control botnets. I have seen some of these coded posts before and wondered what they were up to. Anyway, now lets look forward from here.. How about the idea of using the RSS feeds of common and popular blogs and such in the same way? Perhaps embedding code within the sites themselves either in the html or even the text?

    How about a little steganography to have that C&C channel…. It would be harder to detect no?


    Written by Krypt3ia

    2009/08/14 at 12:21

    General Chilton: STRATCOM On CYBERWAR

    leave a comment »

    Gen Chilton

    Gen Chilton


    General Kevin P Chilton: Commander of STRATCOM was on NPR the other day and I happen to catch only part of it. I went on down to the “Google” and came up with the audio at the site of course. Anyway, Chilton is rather frank in this interview about how we are lacking in many respects when it comes to the issue of “Cyberwar” In one particular question he answers the larger issues as they stand today;

    BOWMAN: And increasingly so. This is from a speech you made back in February: In a cyberspace domain, here are some obvious things. We are under attack. We are behind. We are reactive. We are not proactive. How do you become proactive here?

    Gen. CHILTON: Well, there’s three things that we’re trying to change in the military – under STRATCOM leadership writ large. In all our services and the way we think about cyberspace, we’re trying to change the culture, the conduct and our capabilities.

    Culture, of course, is probably one of the more difficult ones. You can’t just fix that with investment, but we’ve grown up with a culture, and I think it’s probably true in our personal lives, that cyberspace and our computers are just a convenience. They make life easier.

    What the switch we have to make in the military is the realization that we’re dependent on cyberspace for military operations on air, land and sea and in space, and we cannot effectively conduct out operations in those areas without the cyberspace domain and our military networks.

    So they’re not just a convenience, they’re a necessity, and that means when you have a problem there, the commander in charge of forces ought to be, whether he’s in charge of air, land or sea forces, ought to be very worried about his networks and paying attention to their health, are they defended properly, etcetera.

    In the conduct area, we need to do a better job of training people to point out that anybody in the military who’s using a computer plugged into a military network is the same as a gate guard standing in front of a base, protecting the gate. And if they don’t do their job correctly, they can allow someone to intrude on those networks and steal information or interrupt operations.

    So training is part of the conduct change, and then we have to hold people accountable. We haven’t done a very good job of that, in my view, for people who don’t follow the rules, because we haven’t seen it as being that big a deal. It is a big deal, and we know it will be in the future.

    And then in a capability area, that’s investment in the technologies to make sure our military men and women have the same kind of technologies available that you can invest in to defend and protect your home computer, to include automatic connections to your Internet service provider that can push antivirus software to you as soon as it’s made available electronically, so you don’t have to go, as we often do in the military, machine to machine with a disk and upgrade the defenses on the computer.

    So we need those capability and technology investments, as well.

    So, there you have it.. We are not prepared and we are really quite dependant on the infrastructure and have plugged it into just about everything. In essence, all our eggs are in one privately held basket that could be attacked and used against us. Never mind that, the intelligence gathering that goes on today as well as theft is staggering because the ideals of security have not been an important thing to us as a nation or economy.

    Additionally, he said one thing that really kinda freaked me out. They are still using SNEAKER NET! I am assuming that he is referring to the SCI areas, but, geez..  I guess that this should be a real wake up to those of you who read me and perhaps take what I say with a grain of salt, that I am telling it as it is kids. We are behind in a big way and we need to catch up quickly. Imagine if indeed we as a nation focused on the problem with the same technological knowhow and mandate from the powers that be that the NSA had in placing the NARUS systems into the internet backbone eh? We might have a chance…

    Meanwhile, Chilton also makes it more accessible to the masses (with a question from the phone listeners) just how fragmented and likely not too easily fixable the whole cyber security initiative is. Remember all the stove piping being a key finding as to why 9/11 happened unbeknownst to our intelligence agencies? Yes, that same problem is what any “Cyber Tsar” will face once they take the job. A scrabbling for all the marbles or pieces of the pie will ensue and we, the people, will be left holding the digital bag.

    Working in the defense industry, I see this every day when it comes to intrusions and issues of reporting intel back and forth. It’s gotten a little bit better of late, but it’s still a real pain in the ass and often, the reports come to us in a mostly useless form… That is unless you have SCI clearance and a “need to know” So really, they are mostly useless to someone actually doing forensics or incident response on systems perhaps infected with a 0-day worm from China.

    Finally, Chilton does some talking about nuclear options and EMP attacks. He says that he would not remove any option from the President’s purview. Of course I kinda agree with that assessment, but, nuking a country over a cyber attack for me is a little excessive. However, the real use for all out cyber warfare would be to have them in tandem with physical, conventional attacks on the targets too. So in reality, if we can “attribute” the attacks to a certain country and are attacked physically, sure, the nuke option is a possible one. However, as the general says, attribution is near impossible… So really, it’s not going to happen that way. Certainly though, a combined cyber attack followed by an EMP to finish the job would be one hell of a digital apocalypse.

    Imagine one day being sent back to the 19th century style of living. No cell phones, no internet, no TV, no power, no water….

    Can you say pandemonium?

    Sure there’s shielding, but that is only for the C&C.. What about the rest of the country huh?

    So, in the end, we have another report, another bubbling of the idea that a cyber war is possible and we are not up to the challenge…

    If you’re not a little freaked… Well, enjoy the apathy. So when I write about all of the issues about securing networks and having policies, this is the sum of what could happen if the country does not take all those little bits of security to heart.


    NPR Talk Of The Nation



    leave a comment »

    A proposal to loosen restrictions on the use of tracking cookies by federal government websites should be carefully scrutinized so they don’t jeopardize the privacy of people who visit them, groups advocating civil liberties warned Monday.

    The American Civil Liberties Union said the proposal (, floated July 24 by the White House OMB, or Office of Management and Budget, was a “sea change” that could erode protections that for the past nine years have safeguarded the personal information of millions of people who visit federal websites.

    “Without explaining this reversal of policy, the OMB is seeking to allow the mass collection of personal information of every user of a federal government website,” Michael Macleod-Ball, the acting director of the ACLU’s Washington legislative office, said in a statement. “Until the OMB answers the multitude of questions surrounding this policy shift, we will continue to raise our strenuous objections.”

    Under current rules, federal agencies are prohibited from using cookies and similar tracking technologies unless there is a “compelling need” and the agency head has approved their use. Under the new rules, the OMB would adopt a three-tier approach that would permit tracking under different circumstances. They include:

    • Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
    • Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze web traffic statistics; and
    • Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for web analytics.

    “The goal of this review is to develop a new policy that allows the Federal Government to continue to protect the privacy of people who visit Federal websites while, at the same time, making these websites more user-friendly, providing better customer service, and allowing for enhanced web analytics,” federal CIO Vivek Kundra and Michael Fitzpatrick, associate administrator of the OMB Office of Information and Regulatory Affairs, wrote.

    Full Article:

    My take:

    Riiight, it’s just a means to an end to “serve” you better. Somehow I am somewhat incredulous about this little paradigm shift on the Feds part. Add this to DPI (Deep Packet Inspection) that they would like carried out more often (please remember those NARUS STA 6400’s in those closets at ATT and other networks) and you have quite the hoover capabilities to see not only what, but where the average user is going using those cookies.

    All the better to serve you!

    Given that Big O’ doesn’t want to shed light on those little projects that the last admin set up with regards to all the surveillance, I see this only as a furthering of it…

    The only security one has is that which they make themselves…

    Hey, I have an idea.. How about all you Fed guys look into not publishing data that should not be available on those servers so people don’t Gooogle it? Hmm? Might be a good idea yeah?



    Written by Krypt3ia

    2009/08/11 at 12:42

    Spot The FED Goes HI-TECH

    with 2 comments

    Feds at DefCon Alarmed After RFIDs Scanned

    LAS VEGAS — It’s one of the most hostile hacker environments in the country –- the DefCon hacker conference held every summer in Las Vegas.

    But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.

    The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

    The Rest

    Nice! Now, just how stupid is it that all these folks had their ID’s on them in the first? Really, you go to a con you lose all your ID man! You would think too that these guys would get the whole “match face to data” thing because this is the trend in much of the surveillance world now. So many systems are tied together and audit comings and goings in the very places that they need the ID for in the first place…

    I guess its just this time the tables were turned and the watchers were the watched eh?

    Written by Krypt3ia

    2009/08/10 at 14:03

    And The Power Grab Begins….

    with 2 comments

    Napolitano says Secret Service is lead cybersecurity agency

    Wednesday, August 5, 2009

    Speaking at the Global Cyber Security Conference in Washington yesterday, Department of Homeland Security Secretary Janet Napolitano said the Secret Service is the lead civilian agency fighting cybercrime in the U.S.

    In the wake of the resignation of Melissa Hathaway, the top White House advisor on cybersecurity, Napolitano remarked that it is DHS, which includes the Secret Service, that has jurisdiction over cybersecurity for civilian agencies and the private sector, rather than the military.

    Without a cybersecurity czar, a high-level post recommended in the 60-day cybersecurity review led by Hathaway, Napolitano’s speech underscored the lack of coordination and other challenges facing the government as it tries to more fully secure the nation from online threats.

    “When I came into the department I think it’s fair to say we were not organized sufficiently where cybersecurity is concerned,” Napolitano said.

    How the government will recruit and retain top talent and make the Secret Service “the repository for cybersecurity” knowledge within the government is a leading challenge, she said.

    Other challenges include a lack of significant research and development capacity in civilian agencies, the difficulties of sharing intelligence and involving the private sector in promoting online security.

    Napolitano announced the creation of a quadrennial Homeland Security Review process to outline strategic goals and a new website,, to encourage input from academic and private sector experts.

    DHS in charge scares the batshit out of me….

    Written by Krypt3ia

    2009/08/07 at 14:25