Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Linkedin’ Category

Digital Collateral Damage: Cyberwar Blowback

with 2 comments

Weighing risks of civilian harm in cyberwarfare
New York Times
Posted online: Aug 06, 2009 at 2212 hrs

John Markoff & Thom Shanker

It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the US invaded Iraq. He would have no money for war supplies. No money to pay troops. “We knew we could pull it off—we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.

But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the US.

Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.

While the Bush administration seriously studied computer-network attacks, the Obama administration is the first to elevate cybersecurity—both defending American computer networks and attacking those of adversaries—to the level of a White House director, whose appointment is expected in coming weeks.

But senior White House officials remain so concerned about the risks of unintended harm to civilians and damage to civilian infrastructure in an attack on computer networks that they decline any official comment on the topic. And senior Defence Department officials and military officers directly involved in planning for the Pentagon’s new “cyber command” acknowledge that the risk of collateral damage is one of their chief concerns.

“We are deeply concerned about the second- and third-order effects of certain types of computer network operations, as well as about laws of war that require attacks be proportional to the threat,” said one senior officer. This officer, who like others spoke on the condition of anonymity because of the classified nature of the work, also acknowledged that these concerns had restrained the military from carrying out a number of proposed missions. “In some ways, we are self-deterred today, because we really haven’t answered that yet in the world of cyber,” the officer said.

In interviews over recent weeks, a number of current and retired White House officials, Pentagon civilians and military officers disclosed details of classified missions—some only considered and some put into action—that illustrate why this issue is so difficult.

Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to degrade Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.

Besides blowing up cell-phone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite-phone and cell-phone coverage to Iraq to alert them to possible jamming and ask their assistance in turning off certain channels.

Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cell-phone and satellite-telephone systems. That limited damage was deemed acceptable by the Bush administration.

Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.

These missions, which remain highly classified, are being scrutinised today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on Newsmax.com, a news Web site, in 2003.

The government concerns evoke those at the dawn of the nuclear era, when questions of military effectiveness, legality and morality were raised about radiation spreading to civilians far beyond any zone of combat.

“If you don’t know the consequences of a counterstrike against innocent third parties, it makes it very difficult to authorise one,” said James Lewis, a cyberwarfare specialist at the Centre for Strategic and International Studies in Washington. But some military strategists argue that these uncertainties have led to excess caution on the part of Pentagon planners.

“Policymakers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic”—conventional—“weapons,” said John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, California. “The cyberwarriors are held back by extremely restrictive rules of engagement.”

Despite analogies that have been drawn between biological weapons and cyberweapons, Arquilla argues that “cyberweapons are disruptive and not destructive.”

That view is challenged by some legal and technical experts.

“It’s virtually certain that there will be unintended consequences,” said Herbert Lin, a senior scientist at the National Research Council and author of a recent report on offensive cyberwarfare. “If you don’t know what a computer you attack is doing, you could do something bad.”

My thoughts:

It’s an interesting thing to ponder just how much havoc could be wreaked by attacking an infrastructure in a cyber war.  Now, if you think about the “homeland”, (yeah, I hate that term since it was apropriated by the previous administration) has most of its infrastructure in private companies hands AND is very interconnected. Attack one, you may have collateral damage that will cause a more far reaching affect.
Lets look at it this way.. The US is very connected… Iraq in 2003 was not “that” connected to really have much collateral damage. Sure, Intelsat had issues, but it was no biggie. So, what would happen if our infrastructure were attacked en masse? I could foresee a lot of “fire sale” images ala Die Hard really, but, the reality is somewhere less grim. We would be inconvenienced really, and that’s about it, unless, the attack in the cyber world were in tandem with physical attacks.

Just as the operations mentioned in the article the real whammy is in the physical destruction of systems and infrastructure, not only from a cyber stance but real ruin. THIS is what the government really fears. Take out the eyes and ears as well as the C&C and we’re fucked. Just as 9/11 was all the more crazy because the towers held key comm’s infrastructure for the city, this type of attack would leave us unable to communicate, control, and give orders.

So, with all the talk of cyber war, just where are we really?
Well, I have said it before and I will say it again. Our security posture as a nation is “teh suck” for the most part. This is why the “Cyber Tsar” (another term I am hating for it’s misuse) is so important as well as their function to get this country to perform the “due diligence” where our network and infrastructure security posture is concerned.

And you can see how well that’s going huh…
Here’s the bottom line:

1) Have supplies ready in case our infrastructure is taken down in spots or as a whole; Food, Water, etc.

2) Prepare for being without power. If I were an aggressor, the first thing I would hit other than COMMS would be power. So, get the genni’s out or have solar

3) Have your own COMM’s systems like HAM or CB that can be SIMPLEX or dare I say it, even have your own repeater

4) Don’t Panic: If there is an attack of this nature, the only time I would really worry is if the bombs start falling or massive amounts of people start coming down with a raging hemorrhagic fever… Or Zombies start banging on the door…

5) If by chance this all is brought on by a nuclear detonation in the atmo… Well, unless you have shielded equipment, you’re pretty much back to stone knives and bear skins… So adapt… There’s nothing you can do.

Lets just hope it doesn’t come to that….

So there you have it… Unless we get our collective shit together, its possible that we could have a real situation on our hands… Those in the know will be better off…. Of course we are all gonna be saved by smart meters and cloud computing! So no worries!

Snort!

MS-13 Trafficking in Qaeda Members?

leave a comment »

MS-13 member with Arabic tattoos (police photograph)

MS-13 Smuggles Muslim Terrorists into U.S.

Paul Williams, PhD

From Family Security Matters via CICENTRE


Al Qaeda and the Latino Gang-Bangers

The situation at the border now poses a grave threat to national security.
Agent Mike Scioli of the U.S. Border Patrol confirms that the Tucson sector of the Border Patrol is facing a worsening problem with Mara Salvatrucha, a Salvadoran street gang that now controls the flow of arms, drugs, and illegal aliens into the U.S.

Two members of the violent gang were collared last week in Tucson and Nogales. Twenty have been brought into custody since President Barack Obama assumed the oath of office on January 20, 2009.

But the Salvadoran gang is bringing more than guns, dope, and Mexican peasant workers over the border.
In the wake of 9/11, Mara Salvatrucha attracted the attention of top al Qaeda officials, who realized that the gang could be used to smuggle operatives and weapons into the United States.[1] An agreement was forged between the terrorists and the gang-bangers. In exchange for safe passage across the border, al Qaeda – through its cells in South America – agreed to pay the Maras from $30,000 to $50,000 for each sleeper agent they managed to smuggle into the country with bogus matricula consulars.[2]
The rest here…
Usually I read things from CICENTRE and have a bit more cred for the sources, however, this articles source kinda worries me. I personally know something about the MS-13 set and I really don’t have much recollection of them being Coyotes for Al Qaeda, nor the types to really want to affiliate with them… However, money is money and they are pretty much in for the money and power, so they might just be doing this very thing.
The infiltration game is theirs though, so who else would you go to to get your agent provocateurs into the country but the Coyote’s who do it daily huh? Given that our border is so porous still, I hardly think its overly hard to get into this country. Now, tag that with an efficient group who smuggles as well as gathers fake papers and you have quite the force to be reckoned with.
Now, just how many of those pesky Al Qaeda look like Mexicans I wonder? Even shaven do they pass for a Mexican on a consular pass? I don’t really think so. My bet would be on proxies that are South American or Mexican who have been drafted into the Qaeda group for the sole purpose of attacking the US. Maybe as couriers to actual sleepers or just cells…
I have to tell you though.. That southern border would sure be an easy way to infiltrate with a nuke or a biological huh?
Yeah…

Written by Krypt3ia

2009/08/04 at 18:41

Cybersecurity Director’s IP Address Not Renewed

leave a comment »

Cybersecurity Director’s IP Address Not Renewed

by Marc Ambinder

The administration announced yesterday that acting National Security Council senior director Melissa Hathaway would be leaving her job as of mid-August, saying that she had resigned. But Hathway, in reality, is completing a task and will not be around to oversee it. She was detailed to the NSC from the Office of the Director of National Intelligence for two periods, the last of which ends next week. She will stay on through 8/21, by which point the administration hopes to have appointed a new director for the cybsersecurity staff at the NSC.

Nick Shapiro, a White House spokesman, sent along this update about the progress of the search:

Cyber security is a major priority for the President which is why shortly after taking office he directed his National Security Council and Homeland Security Council to conduct a top-to-bottom review of the federal government’s efforts to defend our information and communications infrastructure and to recommend the best way to secure these networks and our prosperity. The White House released the report and announced the creation of a cyber security coordinator who will have direct access to the President and that the Obama administration is pursuing a new comprehensive approach to securing America’s digital infrastructure. The President is personally committed to finding the right person for this job, and a rigorous selection process is well underway.

Hathaway’s review was not well recieved, but it was hardly her fault: she had 60 days and fewer than 10 staff members to complete a task that should have been given more resources and time to complete.

Considering the lackluster names put forward thus far for this position, I had hoped that at the very least Melissa would be the front runner for this posting. Unfortunately now, I think that this is not at all possible and perhaps the messenger has been shot here.

Frankly, even with the 60 days time frame, it is clear that the punches were pulled a bit in the report and certainly the recommendations were sparse due to time as well as brevity in reporting. This effort, the one to “secure” our infrastructure is no simple task and is fraught with “EPIC FAIL STUPID” in everyone we will have to deal with to fix things. There is no easy way to secure the nations infrastructure, especially because much of that said infrastructure is in the hands of private corporations.

So, I predict much time wasting, useless candidates who are ill equipped to handle the job, and an EPIC amount of FAIL to overcome to make the smallest of changes on how things are done.
I said it once and I will say it again now.. The only ones really equipped to handle this would be the NSA.. But, given all the things that have been discovered.. No, wait, HALF discovered or disclosed lately, I think that perhaps;

A) Hell they already 0wn the networks so they are the ones exploiting the systems

B) Cannot be trusted.. For who is watching the watchers? Turns out no one is…

C) Even if they had an affiliation with the security of the nations infrastructure, the pall of abuse still lingers
So, I don’t think it feasible to have them involved at all.. This leaves us with  having the buffoons at DHS in charge…

Or the Senate sticking their computer illiterate fingers in the digital pie…

The net effect, we are screwed.


Cyber WAR! A Polemic On The Hoo HA and Reality

leave a comment »

Cyber-Scare

The exaggerated fears over digital warfare

In part, then, the solution to cyber-insecurity is simple: if you have a lot of classified information on a computer and do not want to become part of another GhostNet-like operation, do not connect it to the Internet. This is by far the safest way to preserve the integrity of your data. Of course, it may be impossible to keep your computer disconnected from all networks. And by connecting to virtually any network—no matter how secure—you relinquish sole control over your computer. In most cases, however, this is a tolerable risk: on average, you are better off connected, and you can guard certain portions of a network, while leaving others exposed. This is Network Security 101, and high-value networks are built by very smart IT experts. Moreover, most really sensitive networks are designed in ways that prevent third-party visitors—even if they manage somehow to penetrate the system—from doing much damage. For example, hackers who invade the email system of a nuclear reactor will not be able to blow up nuclear facilities with a mouse click. Data and security breaches vary in degree, but such subtlety is usually lost on decision-makers and journalists alike.


Full article here:

Cyber War!

The full article above kind of misses the point I think that many of us in the infosec world have been trying to get across to the masses. However, the writer does have some salient points that are bang on that I agree with. Overall though, I think that this guy missed the boat on the cyber security – cyber war issue. It’s not just hype, sure there is some out there, but, think about it in OPSEC terms (OPERATIONAL SECURITY) as well as in the way the Chinese think of warfare shall we?

Sure, a foreign nation state can employ DD0S techniques to knock down operations in a country like Georgia. It’s a nuisance and yes, in the case of some places, could be quite debilitating. However, in our infrastructure here in the states it would not “take us down” It would not be a “Fire Sale” as they likened it to the last Die Hard movie. So, we may have portions of the infrastructure down, but I doubt it would be something that we could not manage.

Taking that scenario off the table, then what do we have? Well, for one, yes, the power grid could be vulnerable and already is so. So, yes, the enemy could potentially take down parts of our power grid with a cyber attack. This could be bad. Just last month there was a threat made to a nuclear facility by an ex employee who STILL HAD ACCESS after he was fired because they were lax in security protocols! He could have reasonably done some damage to a reactor’s systems with the right know how and access. You want to see panic? Then you D0S a nuclear reactors control systems (and yes, I know they are supposed to be redundant) but, it is still a possibility. After all, wasn’t it some “errant tree limbs” that allegedly brought down the northeast years ago? Yeah…

Now picture a concerted and paced effort to creep into systems and leave behind back doors to get in when the enemy wants to. Such implants being put in by agent provocateurs of say China or even some Jihadist group? Scoff all you like, but this is the basis of war. War is waged in many ways and many of them are now “soft” war as the Chinese say. So, a patient enemy could lay the foundations in systems and people to actually effect the types of “cyber war” that the popular press alludes to.

Is it likely to see something on the scale of “Die Hard”? Not so much.. But, perception is key here.

One has to look at the tactical advantages too. No one need create a massive attack to render the odds in favor of anyone, it can be a very small thing that can change the paradigm of winning or losing a battle. All you may need is for the lights to go out at a small targeted area to insert yourselves into a building that a bigger prize resides in no? So, this is not just an all out one way street of warfare here kids. It’s a tactical method to possible greater ends. Just imagine the press and the utter hysteria should something along the lines of the nuclear facility scenario actually play out and get in the press.

People would freak. There and then the enemy has won. The sheeple will be in the streets clamoring to be protected! Money will be spent, fear will reek in the air, and we as a country will live in fear and spinning our wheels. Mission accomplished.

So the biggest problem I have with this article is the guys perception of what the cyber war will be or should be. It’s not all about an all out lights out to the country and the erasure of all financial records… That my friend is passable cinema alone.

OPSEC & The Thousand Grains Of Sand

What really should be considered here are the precepts of OPSEC and soft war that can lead to actual financial loss, damage to infrastructure, and potentially the deaths of people. Without OPSEC, the enemy has an easier time of gathering the intelligence that they desire for a certain outcome. Such outcomes can be in the form of many types of “warfare” China does not necessarily need or want to fire a rocket at us when they can just slowly erode our economy.

Of course, if such principles of warfare actually give you the intelligence data to effectively defeat our “advanced” weapons technology and shoot down another EP3 or a JSF someday, then they have won right? Even if they were detected, like in the case of the recent JSF data stolen from Lockheed Martin, would we have to re-tool the avionics and the weapons systems because China had been copying the data for two years? One would hope so! But, I cannot guarantee that they have. Think though just how much more money and time would have to be spent on re-designing the systems to disallow such attacks. There we go spinning our wheels again while the Chinese sit back and smirk.

And why did they have this access to the data for over 2 years? Because the rules of OPSEC were not being followed. The systems that contained the data were not protected and audited well enough to assure that the data was safe. The APT had easily gained access to not only the data but also to the FAA systems in the US. Such systems were recently found to have over three THOUSAND vulnerabilities in their programs online that lead to direct and overarching compromise within the FAA networks behind. The net effect, the Chinese were watching all of our air traffic surrounding the JSF and its telemetry as well as everything else… And because we were not vigilent, and not following the precepts of OPSEC we failed to detect and deter them.

Now figure into this puzzle just how many private companies out there are making important parts to military systems and how poorly they may be protecting those assets.

Feel that? That pucker down below? Yeah, that’s the feeling you should have right about now. We are so behind the ball on this that even if Obama can effect change at the level of laws and regulations, we are YEARS from actually being able to implement effective technical, never mind LOGICAL security measures for our collective data.

The Chinese and others are really counting on our laxity.. And we are not at all disappointing them. Their plan is to slowly, methodically, nibble at our data and networks until they have the access that they desire… A thousand grains of sand approach.

ELINT & Low Hanging Fruit

So, the cyber war goes on. It’s a slow and quiet war with only sporadic noisy bursts when someone finds that their systems have been compromised and their data stolen. Of course this is when the news gets a hold of that fact and it ends up on the nightly news. Meanwhile fearful C level executives who have no concept of OPSEC, never mind Technology, rock back and forth in a cornder with their thumbs in their collective mouths fearing for their reputations and jobs.

Why is this? Well, because either they were just not cognizant of how things work with computers and technology, or, they were too fat and lazy to actually do something about the problems that no doubt had been pointed out to them by their technical staff’s. Of course in today’s environment, the board of directors and stock holders hold the sway.

“Greed, for lack of a better term.. Is Good”

So damn, it would be way too much money out of our pocket to secure the data!

Hell, why do we need to teach security to the employees! God dammit! We don’t need all that rigamarole! Just make sure we have all that high availability man! I don’t give a shit about security! I need a bigger boat! and your stinkin firewall upgrade is eating into my boat payment!

I have found through the years that its almost always come down to these concerns and not so much about the actual protection of the data (if they have even the concept that the data should be classified and treated accordingly) It’s all about the money.. Not the data… Which, oh gee, IS WHAT MAKES THE GOD DAMNED MONEY!

But I digress…

So, what do we have here? We have much of the data that the APT would like to get readily available through low hanging fruit attacks because the companies that create and hold them, don’t know or want to know how to protect them. Thus, the Chinese don’t have to work hard at ELINT to get what they want. Often its as simple as getting someone to get a job at company A. Once in, they have loose rules and the agent is able to just walk out the door with gigs of data on a USB stick.

What is often found at companies that have been audited by me, is that they have what we call “candy security” Hard on the outside (firewalls etc) but “Chewy” on the inside with lax controls and a completely open environment. So, once the APT is on the inside and has a tunnel out, they have a field day. Why is this so? Because generally, this country is not too progressive about “security” and people are mostly lazy.

“I have too many characters in my password!”

You get the drill…

Cyber WAR: Reality

I would say that the cyber war is already on. It has been being waged by the likes of China and Russia for some time now. No, its not the “Fire Sale”, though, in a way it is. All our data that they can get at is on “fire sale” because we are allowing them to take it so easily. It’s our own failures at securing our own networks and data that will lead to us losing the”cyber war”

From now on, when you see this all brought up in the media, think on this article. Think about how the war is already on and there is no Bruce Willis to save us from ourselves. No uber hax0r Mac guy who will stop the hack by encrypting the data with a super algorhythm! Nope, it will just be the securiy wonks who plead with management to do the right thing as opposed to being fat, stupid, and happy. They often getting told no.

Its then, as the war fighters systems are taken out because the APT have had the diagrams for a year, and have come up with a work around to disable them, that you should think back to all this talk of “cyber war” And then ponder how we just did it to ourselves.

SIGINT/ELINT/HUMINT/Disinformation via Twitter

leave a comment »

Over the past week there has been a lot of media coverage of the relationship between Twitter, the hybrid online/mobile communication service, and its impact on post election events in Iran. The argument that Twitter service in Iran is a critical opposition activist tool is already over-hyped so I won’t rehash them here. Rather, I think its worth shedding some light on how Twitter is being used to spread disinformation and who is doing it.

Twitspam has a continually updated list of suspected fake accounts that may have connections with Iranian security. I used some of these account names as a starting point for a quick and dirty analysis of their networks.

Suspected AlJazeera English producer impersonator “AJE_Producer” appears to be trying to lure Twitter users in Iran into communicating with him directly through email or telephone with the intent of entrapping them. The diagram below illustrates how easily the suspected impostor was able to disseminate his requests for contacts. It shows only recent ‘active’ direct connections between AJE_Producer and twenty Twitter users and the recent active connections between those twenty users and their contacts. It does not show retweets nor does it reflect how many people may have simply read a message from AJE_Producer.

Although some of the connections are from people trying to challenge AJE_Producer’s methods there were a surprising number of people who took AJE_Producer at face value including some who actually appeared to be residing in Iran. Given the current level of violence in Iran this is alarming to say the least.

The rest

An interesting use of trending data to track real time (near real time) disinformation techniques in the Iran debacle ongoing today. Of course in tandem with the reports of DPI technology being used in Iran, this makes for a real foothold by the Clerics in controling their society completely. Of course they have pretty far ranging control now, but this last bit of technology will really give them the iron hand they want to have.

I am still finding it interesting not only to see this happen in real time, but also to see the reactions of countries that also monitor their internet connected populace only to condemn what the Iranian’s are doing…  Now ponder out there all you iPhone 3G and 3Gs users and your tethering of everything you say and do to not only the internet but also to GPS locking within feet of your location at all times.

Yeah… Welcome to the panopticon.

Written by Krypt3ia

2009/06/24 at 16:12

WSJ: Nokia, Siemens Help Iran Spy on Internet Users OH NOH’s

leave a comment »

How do you say “Operation Pinwale” in Farsi?

According to a somewhat confusing Wall Street Journal story, Iran has adopted NSA-like techniques and installed equipment on its national telecommunication network last year that allows it to spy on the online activities and correspondence — including the content of e-mail and VoIP phone calls — of its internet users.

Nokia Siemens Networks, a joint venture between Germany’s Siemens and Finland’s Nokia, installed the monitoring equipment late last year in Iran’s government-controlled telecom network, Telecommunication Infrastructure Co., but authorities only recently engaged its full capabilities in response to recent protests that have broken out in the country over its presidential election.

The equipment allows the state to conduct deep-packet inspection, which sifts through data as it flows through a network searching for keywords in the content of e-mail and voice transmissions. According to the Journal, Iran seems to be doing this for the entire country from a single choke point. “Seems,” because although the Journal states that Nokia Siemens installed the equipment and that signs indicate the country is conducting deep-packet inspection, the paper also says “it couldn’t be determined whether the equipment from Nokia Siemens Networks is used specifically for deep packet inspection.”

Although the Journal has published questionable “spying” stories in the past, we’re willing to go with them on this one.

It’s previously been reported that Iran was blocking access to some web sites for people inside the country as protesters took to the streets and the internet to dispute the results of the country’s recent presidential election.

But sources told the Journal that the government’s activities have gone beyond censorship to massive spying. They say the deep-packet inspection, which deconstructs data in transit then reconstructs it, could be responsible for network activity in Iran having recently slowed to less than a tenth of its regular speed. The slowdown could be caused by the inspection at a single point, rather than at numerous network points, as China reportedly does it.

A brochure promoting the equipment sold to Iran says the technology allows for “the monitoring and interception of all types of voice and data communication on all networks.”

A spokesman for Nokia Siemens Networks defended the sale of the equipment to Iran suggesting that the company provided the technology with the idea that it would be used for “lawful intercept,” such as combating terrorism, child pornography, drug trafficking and other criminal activity. Equipment installed for law enforcement purposes, however, can easily be used for spying as well.

“If you sell networks, you also, intrinsically, sell the capability to intercept any communication that runs over them,” the spokesman told the Journal.

He added that the company “does have a choice about whether to do business in any country” but said, “We believe providing people, wherever they are, with the ability to communicate is preferable to leaving them without the choice to be heard.”

In March, the company sold off its monitoring technology to a German investment firm.

First: ‌عمل‌، ‌عملکرد، بهره‌برد‌ار‌ى‌ سنجاق‌، پايه‌ سنجاقى و‌ال‌، نهنگ‌، ‌عظيم‌ ‌الجثه‌، نهنگ‌ صيد کردن‌، قيطس

Give or take…
Second, well, no shit huh? Since they could not actually kill the internet access there in Iran, nor actually keep up with the flood of twitters going to numerous proxy sites, I guess the next best thing would be to “NARUS STA 6400” the masses huh? Ok, sure, they may be doing this but I don’t see this as being the real extent of the efforts long term goal. Just wait til people start disappearing in the intervening days and weeks.

Now, last night I heard this story also on NPR, the “All Tech Considered” piece went on to infer (ok actually stated) that the Iranians are “injecting” disinformation using DPI… really now? I just don’t think that’s the case. It would be easier to set up a series of agent provocateurs with cell access and acl’s to allow “them” to carry out disinformation campaigns?

Oh well, I am sure that ATT will soon be asked to help out.. Maybe NARUS too. Once they get the buttplugs into the back door ol’ Mahmouhd will be very happy. I mean, isn’t this just the pot calling the kettle black a bit?

CoB




Written by Krypt3ia

2009/06/23 at 14:26

Xerox’s Are Impervious To Attack! My Ass…

leave a comment »

Me: Xerox printers can be vulnerable to certain exploits, their web servers can be vulnerable and often they are installed without security protocols set up on intranets

Xerox Security Guy: Actually, Xerox tests all their systems and our systems are not vulnerable to any attacks like this, no one can install any malware on them or use them as a launch point. Nor can you get images or files off of our MFD systems. So really, you need not worry about such things.

Me: Uhh how about when Brendan O’Conner did his presentation of exploit injection at Black Hat?

Xerox Security Guy: That was four years ago, its old news!

Me: It’s proof of concept and YOU should never claim that your systems are impervious to hacking.

This exchange happened today and it REALLY burned my ass. I got rather heated over this becasuse this guy really tried to just downplay the vulnerabilities and potential for vulnerabilities on printers (especially Xerox) and in reality, Printers are the new vogue item on the APT’s list of “easy targets”

Such low hanging fruit not too often provides such rich bounty as a printer who’s cache you can plunder boyz… God I hate sales wankers…

Written by Krypt3ia

2009/06/18 at 23:49

That’s Weapons Grade Stupid Son…

leave a comment »

By Diane Bartz

WASHINGTON, June 11 (Reuters) – Microsoft’s security chief and a veteran of Clinton’s and Bush’s national security teams are leading candidates for cybersecurity czar, a job that needs White House access and clout to protect networks that underpin the U.S. economy.

President Barack Obama promised last month that he would personally decide who would lead the fight against an epidemic of cybercrime and organize a response to any major cyber attack.

A leading candidate for the post is Scott Charney, head of Microsoft’s cybersecurity division, who has said he won’t take the job, according to a source who had direct knowledge of the matter but was not authorized to discuss it. The source said, however, that Charney would change his mind if pressed.

Charney also led PricewaterhouseCoopers’ [PWC.UL] cybercrime unit and headed the Justice Department’s computer crime section.

His main competitor is likely Paul Kurtz, who led Obama’s cybersecurity transition team and who worked on the National Security Council under both Bush and Clinton, the source said.

Others under consideration include former Rep. Tom Davis, a moderate Virginia Republican; Sun Microsystems (JAVA.O) executive Susan Landau; Maureen Baginski, a veteran of the National Security Agency and Federal Bureau of Investigation, and Frank Kramer, an assistant defense secretary under Clinton, the source told Reuters.

Also in the running but less likely to be picked are Melissa Hathaway, who led a cybersecurity review for the president, and James Lewis of the Center for Strategic and International Studies think tank, the source said.

John Thompson, chairman of the board of Symantec Corp (SYMC.O), had been under consideration but turned it down, the source said.

UNDEFINED

The exact responsibilities of the new job remain largely undefined, although the position described in a report by Hathaway’s team describes a coordinator who reports to both the National Security Council and the National Economic Council.

Holes in U.S. cybersecurity defenses have allowed major incidents of thefts of identity, money, intellectual property and corporate secrets. In one incident, a bank lost $10 million in cash in a day.

There have also been thefts of sensitive military information and a penetration of the U.S. electrical grid.

Susan Landau, who declined to discuss if she has been short-listed for the job, said she would urge Obama to make it a top-level position, as he promised.

“The job is very important,” said Landau. “We have all sorts of different kinds of threats. … What you want is ubiquitous security.”

Landau is a Sun Microsystems engineer who has worked on digital rights, privacy and export control.

Lewis, who also declined to discuss on the record whether he was being considered, said the White House must emphasize national security expertise in picking a cybersecurity czar.

“Some guy from industry is going to write a national security strategy? No, they aren’t. You don’t just pick this up,” said Lewis. “You need somebody who knows the national security game, who knows government and who knows about the technology.”

Before becoming a senior fellow at CSIS on technology and national security, Lewis worked for the federal government as a foreign service officer with assignments on such disparate topics as global arms sales, encryption and and high-tech trade with China.

Lawmakers on Capitol Hill shared Lewis’ and Landau’s views, said a senate staffer who has been briefed on the issue.

“The president’s vision is a heavyweight,” said a Senate staffer. “I’m concerned that he or she will get sort of tied up, like Gulliver, tied down by a million different reporting requirements.” (Editing by Brian Moss)

This would be the BIGGEST bag of STUPID I have ever seen, no, wait, it would be “Weapons Grade Stupid” to employ Charney as the security head for the country. I don’t care if he is saying no now.. This scares me. Microsoft has the WORST record for security initiaitves and coding!

*head desk*

Written by Krypt3ia

2009/06/15 at 14:09

Destabilize An Economy Much?

with one comment

Japan Probes Report Two Seized With Undeclared Bonds

By Shunichi Ozasa and Makiko Kitamura

June 12 (Bloomberg) — Japan is investigating reports two of its citizens were detained in Italy after allegedly attempting to take $134 billion worth of U.S. bonds over the border into Switzerland.

“Italian authorities are in the midst of the investigation, and haven’t yet confirmed the details, including whether they are Japanese citizens or not,” Takeshi Akamatsu, a spokesman for the Ministry of Foreign Affairs, said by telephone today in Tokyo. “Our consulate in Milan is continuing efforts to confirm the reports.”

An official at the Consulate General of Japan in Milan, who only gave his name as Ikeda, said it still hasn’t been confirmed that the individuals are Japanese. “We are in contact with the Italian Financial Police and the Italian Public Prosecutor’s Office,” Ikeda said by phone today.

The Asahi newspaper reported today Italian police found bond certificates concealed in the bottom of luggage the two individuals were carrying on a train that stopped in Chiasso, near the Swiss border, on June 3.

The undeclared bonds included 249 certificates worth $500 million each, the Asahi said, citing Italian authorities. The case was reported earlier in Italian newspapers Il Giornale and La Repubblica and by the Ansa news agency.

If the securities are found to be genuine, the individuals could be fined 40 percent of the total value for attempting to take them out of the country without declaring them, the Asahi said.

The Italian embassy in Tokyo was unable to confirm the Asahi report

Real bonds or forged I wonder….

Written by Krypt3ia

2009/06/14 at 01:33

7 Key Elements for Fed Cybersecurity

leave a comment »

Below are 7 key points to a Gartner report on the future of Federal Cyber Security and it’s failures thus far. I agree with these points en toto and would add this. Make the CISO office have some power to affect change and enforce the requirements for information security as well as technical security.

I would also add that this CISO position should also be attended by an agency solely devoted to infosec and all its aspects.

Like mom used to say: “If you aren’t going to do it right, don’t do it at all”

Full article here

  1. Stop Studying and Start Acting – There have been plenty of existing efforts to define and measure the shortcomings of cybersecurity, so there is no need to reinvent the wheel.
  2. Harmonize Federal Security Standards with Commercial Equivalents – Although there will always be a need for higher levels of security than commercial standards allow, harmonizing the base level will eliminate duplication and waste and enable the government to drive suppliers to higher levels of security more easily. Similar harmonization at the federal level of data privacy and disclosure rules is needed, as well.
  3. Use Purchasing Power to Drive Security to be Built-In – Because the key to increasing cybersecurity lies in reducing vulnerabilities, all government software procurements should require application vulnerability testing as part of the acceptance criteria.
  4. Evaluate Existing Regulations and Rejuvenate Enforcement – There are areas where federal legislation is needed to harmonize conflicting state laws, but the biggest bang for the federal buck will be in the actual enforcement of existing rules and regulations.
  5. Keep Offense and Defense Separate – The primary goal of a cybersecurity strategy must be to make attacks ineffective through prevention rather than detect successful attacks by enabling surveillance. Combining the two functions will inevitably result in lower levels of security and possibly increased privacy violations.
  • Reward Best Practices – Most of the publicity tends to go toward the government agencies with low Federal Information Security Management Act scores in annual audits, and currently there seems to be little or no effort to spread best practices across agencies.
  • Establish a Federal Chief Information Security Office, Not a Cybersecurity Czar – The bottom line is that increasing the national cybersecurity is an operations issue. The problems are well-understood, solutions are known, and gaps have been identified. Organizations with high security in private industry and government almost invariably have a strong security office and a chief information security officer, and that should be the model that the U.S. government follows.
  • Written by Krypt3ia

    2009/06/04 at 13:21