Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The Presidential Cyberspace Policy Review.. Or, “shrug”

On Friday last, President Obama and Melissa Hathaway released their 60 day review of the state of cyberspace security in the U.S. Well, that is to say what our posture is as a country and a government really. After having read the report over the weekend, I have come to the conclusion that even after a 60 day review, the president and staff (including perhaps Hathaway) have not one clue as to how they really can make a difference in the country’s cyber security levels.

There are platitudes and half-thought-out postulates on having more “investigation” into how to handle many of the issues at hand where the security of the country via the internet and computing are concerned. But the big answers are just not there, folks. Just how much more investigation are we going to need before the government actually makes a decision on how to mandate secure practices, enforce them, and secure the nation’s infrastructure properly?

Of course I understand that this is a complex issue and surely it just cannot be fixed right away with a clap of the hands. However, I do expect there to be more substance and direction here in this document. All in all, I was unimpressed really and hope that perhaps this was just a slow start for the administration. It remains to be seen I guess.

What would I recommend?

1) The carrot and stick program for contractors and private sector should have more stick and less carrot. I firmly believe that if the private sector is not forced to change their lax security ways with mandates from the government, then they will not change at all.

2) The position of presidential liaison for cyber security initiatives needs to be more than just an assistant position, which is basically what it is now per the speech and release of the report. This position needs to be cabinet level, have more solid mandates and certainly have essential empowerment to help shape the security of the country’s infrastructure. As it stands now, this position will just be the middleman between government bodies and will likely feel more like a yo-yo than a position that can effect real change.

3) A separate agency should be created that is autonomous from DHS, CIA, NSA, etc., and it should have a primary goal of enforcement of secure processes, implementations, and oversight within the arena of cyber security. The infighting between agencies now would only be a detriment, and we have all seen just how well DHS has been handling our data, never mind keeping us “secure”. Giving DHS anything to do with cyber security would only serve to hasten the utter defeat that the likes of the Chinese would love to inflict upon us.

4) Said agency will have to have a direct and solid mandate with backing from the highest authorities to not only educate the nation on security, but also to enforce any laws and/or policies that the government creates covering infosec and cybersec. Red teaming and audits that occur on a regular but “unplanned” (spot check) basis should be the norm. These types of audits will keep the private sector on their toes and allow for less cheating of the system.

As it stands now, this document only vaguely points toward an idea of what the government “wants to maybe” do concerning the security of our infrastructure. This is a step in the right direction admittedly, but it is just not enough.

Cyberspace Policy Review 2009

What was it I was saying about the insider threat being the company or management itself?

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records. But the company failed to immediately shut off his VPN access. That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by Dallas FBI agent Robert Smith.

The Comanche Peak nuclear power plant in Texas.

Company logs showed that the VPN connection originated at Shin’s home IP address, Smith writes.

Oh yeah, that they were “the” inside threat. Well, case in point. These jokers walked him off premises but did not kill all his access. Gee, go figure that a disgruntled employee with intimate knowledge of the network would actually use their access to do something bad! Even more of a surprise that a company would not kill all their access right away.

Yeah.. Sorry to say that this is more prevalent than one might think. Good thing this guy didn’t do more damage.
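The control that failed in the incident above is a simple one to check mechanically: correlate VPN authentication logs against the HR termination record and alert on any successful login after the walk-out time. The following is an added example, not code from the post; the log format, user name, timestamps and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample data (not from the article): an HR termination record
# (user -> time the employee was escorted out) and VPN concentrator log lines.
TERMINATED = {"former_emp": datetime(2009, 3, 3, 9, 15)}

VPN_LOG = """\
2009-03-03T08:02:11 vpn01 AUTH_OK user=jdoe src=203.0.113.7 session=5501
2009-03-03T13:41:05 vpn01 AUTH_OK user=former_emp src=198.51.100.23 session=5502
2009-03-03T13:41:09 vpn01 SESSION_START user=former_emp src=198.51.100.23 session=5502
2009-03-03T16:10:33 vpn01 AUTH_OK user=former_emp src=198.51.100.23 session=5503
2009-03-04T07:55:00 vpn01 AUTH_OK user=asmith src=192.0.2.44 session=5504
"""

@dataclass
class Finding:
    user: str
    when: datetime
    src_ip: str
    session: str
    hours_after_termination: float

def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'key=value' style VPN log line into a dict; timestamp under 'ts'."""
    ts, host, event, *kvs = line.split()
    rec = {"ts": ts, "host": host, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def find_post_termination_logins(log_text: str,
                                 terminated: Dict[str, datetime]) -> List[Finding]:
    """Flag successful VPN authentications by users after their termination time.
    Each finding carries the source IP so the responder can compare it with the
    former employee's known home address, as the FBI affidavit did."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] != "AUTH_OK":
            continue
        cutoff = terminated.get(rec["user"])
        if cutoff is None:
            continue
        when = datetime.fromisoformat(rec["ts"])
        if when > cutoff:
            hours = (when - cutoff).total_seconds() / 3600
            findings.append(Finding(rec["user"], when, rec["src"],
                                    rec["session"], round(hours, 2)))
    return findings

if __name__ == "__main__":
    for f in find_post_termination_logins(VPN_LOG, TERMINATED):
        print(f"ALERT: {f.user} authenticated {f.hours_after_termination}h after "
              f"termination from {f.src_ip} (session {f.session})")
```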

Written by Krypt3ia

2009/05/31 at 01:25

The “Insider Threat” aka Your Company’s Management

Two stories on the internet today piqued my interest in the actual facts of this issue of the “insider threat” as opposed to hack attacks from external sources. I would say that, perhaps aside from “security theatre”, the real insider threat is the inaction and, in some cases, incompetence on the part of the companies out there who are insecure from a basic lack of secure practices. This, I would think, is the larger issue that allows both insider and outsider attacks to be so successful.

Basic things like default settings on systems, printers, network appliances, applications, etc. really make the work of the insider or outsider very easy. Once those low-hanging-fruit attacks are performed, the foothold can in fact be root on many systems, because these issues were not remediated at install time.

The first story I saw today had the headline of: Security Experts Raise Alarm Over Insider Threat and it espoused the common thread of late that all the layoffs today are making turncoats out of many and thus, those with the insider access are the biggest threat. On the one hand I agree with that assessment. However, if the company in question is actually following procedure, they should be able to mitigate the issue by closing accounts and changing passwords etc on key systems. This is of course to say that you actually lay this person off, and walk them out at that moment.

If instead your insider thinks that they are about to be laid off, well, they may use their access to steal data or perhaps even damage it before they get the ax. So sure, they may actually be a threat in this way, but I think there is a larger threat from their ethics being lax and someone coming along with some quick cash or a threat of blackmail. You see, I think that the insider threat must be approached from a HUMINT (aka spying) angle instead in this day and age.

The average disgruntled employee is the one that I would approach with quick cash after some time getting to know them and egging them on. Once you have them in the bag you just ask them to do the deed with the promise of money. Access can be bought these days, if not easily tricked out of a worker with some low-end social engineering. On the other hand, were I looking for some more long-term and higher access, I would go for the longer approach of coercion of an asset.

All this aside, either way you do it, you, the company, make it easier for a non-technical person or a technical APT to root your networks when you don’t follow the most basic security principles of CIA. Which brings me back to the larger of the inside threats… Management.

In all my years of assessment, I have seen all too many places where the management just does not get security, does not care about security, and does not want to spend the time and money doing the due diligence for secure operations. Without proper buy-in from the top, security becomes a non-issue with the masses and thus nothing is carried out securely at company X. Default passwords, no passwords, poor passwords, sharing passwords, etc. are all very common in places without any security insight. Often too, these companies have no insight into what is happening on their networks to tell if indeed someone is attacking or exfiltrating data out of their networks through their own firewall… Never mind the guy with the 4 gig USB stick who just downloaded the “secret sauce” recipe and is walking out the front door as he smiles at the guard.

So, my take, the insider threat is a big one indeed and so easy to exploit.

And that brings me to the second article today: Simple information security mistakes can cause data loss, says expert wherein an eminent forensics investigator from Verizon has found through his assessments that the outsider attacks have been far greater. He does however in a backhanded way, have my opinion as to who that insider threat really is: Management.

However, as the article does not really cover this overtly, nor the real insight I think about “who” these attackers are, I will add to this a bit. I think that those spear phishing attacks that rely on very specific individuals being targeted also have an insider portion to them. After all, just where does all that data come from to target these individuals? The inside of course.

Intranet/internet websites are a rich data mining arena for the APT or the industrial spy. All too often the companies themselves give up all the details an attacker could ever need or want. Most of the time too no hacking need be done to get the information and often much more data than should be available is due to misconfiguration as any good Google hacker can attest. Add this to the whole lack of security posture and you have a deadly mix.

So, to bring it all together, I think that as a general rule “we” are our own worst enemy and the de facto “insider” threat when security is not applied.

When naming something you should really do your research…

Marls (ziug. Say, assv chlsek Glnji lvcp oy, mvrl aycoapchlsy, Sates) deye hnjilna Rvmhn keptpet prvtlcaiug ahl hvuze hnk toe gamplf, toef wlrl a moym vf oobsfhosd noks.

Sayez wlrl pyezutee sous vf Teycbrf aud Saya, hnk dfepsy ceueyaaek bf aucpeut Yonanz torvunh zmhls saaauls, bsvalsy wua iu hpgoey psajez om tie hvuze, may fyot toe mlvoy, oy ewen vn ahl rvom (bbt zote zthtbet weye hlzo vn zote jrvsziugz og rohdz). Om toe Sayez pyowey, toese aye vnsy awv, aud ahly oak iuffrivr wodey. Ocey tpml, toepr woxer daz eetlnkek ocey hvuzez, cpunarf, sla, jiails, ltj., az toe Sases iejate joufsaaek wpto oahfr Rvmhn keptpez aud wrvtlcaiwe swiyias.

Written by Krypt3ia

2009/05/12 at 18:45

Speaking of DHS and Bad Cyber Security…

OK: Personal Data Of 1M On Stolen DHS Laptop

April 23, 2009 by admin
Filed under: Government Sector, Theft, U.S.

Well, here’s a laptop theft that will probably cost more than $50,000….. KOCO reports that a laptop stolen from an employee’s vehicle on April 3 contained personal information of up to 1 million people. According to the Oklahoma Department of Human Services, the computer had names, Social Security numbers and birthdates of people who receive state assistance. NewsOK has a bit more on the incident.

Update 1: OKDHS has a notice on its web site about the incident that says “The personal information included names, Social Security numbers, dates of birth and home addresses of clients who receive Medicaid; Child Care assistance; Temporary Assistance to Needy Families (TANF); Aid to the Aged, Blind and Disabled; and Supplemental Nutrition Assistance (SNAP or Food Stamps). The data did not contain driver’s license numbers, credit card or banking information. The potential breach did not affect Child Welfare services.”

So, here’s my thing…

1) Why in the holy hell did DHS have 1 million users’ data for MEDICAID on a DHS asset?

2) What you say? No ENCRYPTION? WTF!

3) Just when will we learn?

Written by Krypt3ia

2009/04/24 at 18:05

Hmmm DHS, I really think they are not in the game anymore…

DHS Recruiting Ethical Hackers

News, yesterday, of significant recruiting efforts being brought to bear by the United States Department of Homeland Security. This time, they are on the prowl for ethical hackers to join the Department’s ranks. More information, including a snippet of the original article, appears after the jump.

From The Register’s John Leyden: “DHS hunts for white-hat hackers”

“The Department of Homeland Security is looking to recruit white-hat hackers to help defend the US’s critical internet infrastructure…” “An ad by General Dynamics Information Technology on behalf of the DHS seeks applicants who can “think like the bad guy”, understand hacking tools and tactics, analyse net traffic and identify vulnerabilities in federal systems. In a budget request, Defense Secretary Robert Gates requested funds to increase the number of experts it trained each year from 80 to 250 by 2011…”

Gee, last I checked DHS Sucked ass at Cybersec AND the Obama Administration was considering moving all of the issues to a new “autonomous” cyber security agency to be named later.

I wouldn’t take a job at DHS anyway… So far they have not been so swift and I am sure will continue to be mired in “stupid”.

Speaking Of “Fire Sale”

A Cyber-Attack on an American City

Bruce Perens

Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported.

That attack demonstrated a severe fault in American infrastructure: its centralization. The city of Morgan Hill and parts of three counties lost 911 service, cellular mobile telephone communications, land-line telephone, DSL internet and private networks, central station fire and burglar alarms, ATMs, credit card terminals, and monitoring of critical utilities. In addition, resources that should not have failed, like the local hospital’s internal computer network, proved to be dependent on external resources, leaving the hospital with a “paper system” for the day.

In technical terms, the area was partitioned from the surrounding internet. What was the attackers’ goal? Nothing has been revealed. Robbery? With wires cut, silent alarms were useless. Manipulation of the stock market? Companies, brokerages, and investors in the very wealthy community were cut off. Mayhem, murder, terrorism? But nothing like that seems to have happened. Some theorize unhappy communications workers, given the apparent knowledge of the community’s infrastructure necessary for this attack. Or did the attackers simply want to teach us a lesson?

The rest HERE

Just last night I was thinking about this as I sat watching Die Hard. Anyway, yeah, this is not getting much press and certainly may in fact be kept quiet a bit by design… Maybe we (when I say we, I mean the media really) just don’t care? Don’t understand? I mean, think about it.. With China hacking JSF, Air Force, etc. and this incident, doesn’t it kinda say “Gee, we really aren’t that secure are we?”

Personally I think that this particular incident was a decoy for a bigger criminal undertaking. I doubt it was a test run on a thought experiment. So, we will see what shakes out when the details (if ever) come to light on this little cable cutting foray.

Keep your wits about you…

JSF Data: All are data belong to us!

Hackers break into Pentagon’s fighter jet project

Hackers allegedly downloaded terabytes of data before they were discovered
By Sumner Lemon , IDG News Service , 04/21/2009

Hackers broke into U.S. Department of Defense computers and downloaded terabytes of data containing design information about the Joint Strike Fighter, a $300 billion stealth fighter currently under development, according to The Wall Street Journal.

The stolen files all relate to the design of the Joint Strike Fighter and its electronic systems, The Wall Street Journal reported, saying they could be used to help defend against the jet.

However, the most sensitive files were not compromised since they are stored on computers that are not connected to the Internet, the report said.

The reported attack raised more questions than it answered.

For example, the report did not say how attackers managed to download terabytes of data before being discovered. A single terabyte can take up to several weeks to download over a relatively fast data connection, such as a DSL or cable modem.

The report also suggested China could be behind the stolen data, noting that investigators believe the attack originated in China. However, it said the exact identities of the people behind the attack had not been established.

DOH! So, are we so sure that those “other” systems weren’t connected to the intranet at the very least? C’mon, you know you wanna admit that they were! Ugh, oddly enough I had a conversation with someone in the rings who complained that things were not being done right… Gee…

Of course do you have any idea how long it would have taken to exfiltrate a terabyte of data? A couple weeks at least! So, who was at the switch here? I mean, no one had an IDS or any other monitoring tool network wise to see massive amounts of data being pumped out of their network?
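Two things in this post can be made concrete: how long a terabyte actually takes to leave over a given uplink, and the kind of simple volume baseline that would have made a multi-terabyte outflow visible without a signature-based IDS. This is an added example, not anything from the article or the DoD; the flow summaries (day, internal host, bytes sent to external addresses) are constructed, and the 10× ratio and 10 GB floor are illustrative thresholds.

```python
import statistics
from collections import defaultdict
from typing import List, Tuple

# Constructed daily outbound flow summaries, as a NetFlow collector or firewall
# log aggregation might produce: (day, internal host, bytes sent to external IPs).
FLOW_SUMMARIES = [
    ("2009-04-01", "10.1.2.3", 2_100_000_000), ("2009-04-01", "10.1.2.9", 450_000_000),
    ("2009-04-02", "10.1.2.3", 1_900_000_000), ("2009-04-02", "10.1.2.9", 510_000_000),
    ("2009-04-03", "10.1.2.3", 2_300_000_000), ("2009-04-03", "10.1.2.9", 480_000_000),
    ("2009-04-04", "10.1.2.3", 2_000_000_000), ("2009-04-04", "10.1.2.9", 95_000_000_000),
]

Alert = Tuple[str, str, int, float]  # (day, host, bytes_out, baseline)

def flag_outbound_anomalies(flows, ratio: float = 10.0,
                            min_bytes: int = 10_000_000_000) -> List[Alert]:
    """Flag host-days whose outbound volume exceeds `ratio` times that host's
    median of all prior days AND is at least `min_bytes` (the floor keeps a
    normally quiet host from alerting on a single large but benign upload)."""
    per_host = defaultdict(list)            # host -> [(day, bytes)] in date order
    for day, host, nbytes in sorted(flows):
        per_host[host].append((day, nbytes))
    alerts: List[Alert] = []
    for host, days in per_host.items():
        for i, (day, nbytes) in enumerate(days):
            prior = [b for _, b in days[:i]]
            if not prior:                   # no history yet, nothing to compare
                continue
            baseline = statistics.median(prior)
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                alerts.append((day, host, nbytes, baseline))
    return alerts

def days_to_move(total_bytes: int, uplink_mbps: float) -> float:
    """Wall-clock days needed to push `total_bytes` over a fully saturated
    uplink of `uplink_mbps` megabits per second (ignores protocol overhead)."""
    seconds = total_bytes * 8 / (uplink_mbps * 1_000_000)
    return seconds / 86400

if __name__ == "__main__":
    for day, host, nbytes, baseline in flag_outbound_anomalies(FLOW_SUMMARIES):
        print(f"ALERT {day}: {host} sent {nbytes / 1e9:.1f} GB "
              f"(baseline {baseline / 1e9:.2f} GB/day)")
    print(f"1 TB over a 1 Mbit/s DSL uplink: {days_to_move(10**12, 1.0):.1f} days")
```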

I think that GD and SECDEF Gates need to really step up the hiring process for “Hackers” to protect our networks….

Counterintelligence Nonchalance

Counterintelligence expert not worried about Chinese hacking

Published 20 April 2009

Joel Brenner, national counterintelligence executive, says he is less worried about Chinese hacking of the U.S. banking system and somewhat more worried about such hacking of U.S. critical infrastructure.

The U.S. intelligence community has uncovered evidence of Chinese penetration of U.S. banking networks, but Joel Brenner, national counterintelligence executive, said he is not worried “that the Chinese government wants to bring down our banking system.” Why not? The answer is simple, he said in a transcript of a 3 April speech released last week. The Chinese will not hack the U.S. banking system, Brenner said, because “they have too much money invested here.”

NextGov‘s Bob Brewin writes that, in his speech, which he gave at the Applied Research Laboratories at the University of Texas in Austin, Brenner also acknowledged news reports that China has poked around in the networks that control the U.S. electric power grid, as well as air traffic control systems’ water supply. He said he worries about penetration of those systems, but doubts that today China would take any action. If there was a “dust-up over Taiwan, the answer might be different,” Brenner said.

He said Chinese probes of U.S. federal and commercial networks are so relentless and obvious “they don’t seem to care about getting caught.”

Brenner said he was more concerned about “attacks we don’t see” and delivered a backhanded compliment to Russia, which he said is “very good” at sneakier cyber probes than China.

Agreed with a caveat:

As soon as it is in their best interest to do so, they will likely use that leverage. Simply, the fact that they have the ABILITY to do these things in the first place should WORRY Joel just a bit don’t you think?

Yeah, so as counterintel goes, perhaps it isn’t completely his bag, but it should be somewhat more of an urgency in his mind than being “somewhat” worried about these scenarios. I would also hasten to add that Russia too is at play here and, as Joel points out, they are sneakier and more subtle.

Worry about both my friends…

U.S. looks to hackers to protect cyber network

David Powner, director of technology issues for the Government Accountability Office, told Congress last month that the U.S. has no recovery plan for a digital disaster.

The irony of that name is just too precious…

Evidently the government is finally seeing the light that they need to think like the enemy to defeat the enemy… I am sure we will all be seeing emails from recruiters starting to flow soon.

The rest of the story can be found HERE

Written by Krypt3ia

2009/04/20 at 14:18