Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Security Theater’ Category

“Strutting and fretting his hour upon the security industry stage, And then being heard no more”


The Frustration And Gnashing of Teeth:

Recently I have heard others lament the state of the “security industry”, and I have posted about my own adventures into the land of FUD and Security Theater, as well as a side trip into the shadow lands of denial. My last post, about a call that went awry, also got responses from others in the business, including Mr. Reiner, who had a post somewhat similar to what I had written about but took it further. His post mirrors much of what I am hearing and feeling myself, now 13 years into it.

  • The industry has become just that, an industry that makes cookie cutter security and passes off mediocre services as “state of the art”
  • The industry is now full of salesmen and charlatans like Gregory Evans and Ligatt
  • The clients still just don’t get it and often do not want to
  • There are too many bells and whistles firms but too few true “holistic” security offerings out there
  • The exploits and vulnerabilities are growing at a rate faster than Moore’s Law, and there will never come a time when you can catch up
  • Nothing is truly secure
  • Regulations are inadequate mechanisms for inspiring security best practices (notice I do not say compliance here)
  • Coders and the companies that hire them are coding insecurely and do not wish to change that
  • Greed is Good (Gordon Gekko)

Generally, the experience out there is that, like everything else someone loves to do as an avocation that turns into a vocation, it becomes not so much fun anymore when business gets involved… especially big business. Unfortunately, this is exactly what has happened today with information security/technical security. It has become a pre-packaged, pick-your-services lunch counter style of operation, and you rarely get what you really need; instead you get the fatty happy meal.

Taking A Step Back:

As professionals in the field we all have different skill sets and personal bents on and in the security theater. I am putting us all into the “theater” because really, we are all like Shakespeare’s player who “struts and frets his hour upon the stage, And then is heard no more”. We are in fact often the character of “The Fool”: the one man who is the outward conscience of the king and the one person in the court who can tell the monarch the truth, that they indeed have no clothes on. Of course this really only works for those who are contractors/consultants and can leave the site after handing over a report on the client’s vulnerabilities and how to fix them. Unfortunately, if you are a full time employee of said “court” you may indeed find yourself in the oubliette quickly enough. We need to embrace this fool role and then decide just how we will approach our careers, as well as the means by which we ply our trade for the betterment of the courts we serve in.

One must remember that we all serve the will of the king… And sometimes the king is an idiot, lout, Luddite, or schmuck.

My Goal Here:

My goal with this post, and what I think is shaping up to be a series of them, is to cover the players involved here, the game being played, and the realities of our business. So many of us are running into the same walls, and I have been hearing the same things over and over from you all out there as well as in my own head as I deal with clients. All too often we do our best to tell the client that they have vulnerabilities within their organizations as well as their infrastructures, all for naught.

Others see the bigger picture: with everything that we do, there is still always a way into the org and their infrastructure and a method to steal their data. All too often this happens because of simple low hanging fruit attacks such as SE attacks, or completely unsecured networks that lack the policies and processes that might in fact prevent many of the attacks from happening, were they documented and in force.

Still others see the grand scale of not only the snake oil salesmen out there but also the malfeasance of the companies that make the software and hardware systems (might I mention ATM machines, Diebold? yeaaahhh I think I will) that are completely insecure, and egregiously so! Even in this day and age where hacking/cracking is so prevalent they STILL do not want to take the time and the effort to code securely… And as Weld Pond said today

“YOU SHOULD BE ASHAMED OF YOURSELVES! THESE ARE SYSTEMS THAT PASS OUT MONEY!” *paraphrase likely there*

To that end, I have created the following framework for the posts to come. Some of them are posed as questions and, if you like, you can comment with answers that you think apply. Overall though, I would like to pull the security industry apart, as well as the motivations of not only the vendors but also the clients. I want to lay out all the players and variables, examine them all, and then come up with a strategy for what I am currently calling “Holistic Security” (I know, all scented candle touchy feely new age sounding): a method of looking at the security needs of a client and offering them what they really need, as well as methods to bring that client to the trough to drink from the security well.

I know.. This is going to be nearly impossible huh?

It’s either this or just packing it in and walking away though… Really… Once you reach a point where you hate the job and you feel constantly that you are doing nothing to change things, you either have to walk away or make drastic changes happen.

What do you think? Don’t you think that with all our SE and other skills we ought to be able to overcome all this?

Check out the future post framework and let me know… I will work on the players tomorrow.

CoB

The Players:

Some of us Just Want to Have It Done Right:

Some of Us Just Want to Hack and Do Cool Shit:

Some of us just want to Be Researchers:

Some Are Just LIGATT:

The Playing Field:

Current Approaches to Security Auditing:

Can There Be A Holistic Security Approach?:

Can We Get Companies to Code Securely and Ethically?:

Opposing Forces:

The Government and Compliance:

The Corporation and the Seven Deadly Sins:

Crackers, APT, and Bulgarians Oh My!:

Every Fortress Falls:

Troy

Sparta

Lockheed Martin

Is There A Framework and Methodology For Holistic Security?:

Security Basics:

Security Awareness vs. Human Nature:

Policies, Procedures, Standards, and Compliance:

Penetration Testing:

Social Engineering:

Written by Krypt3ia

2010/07/29 at 01:42

The Information Security Business.. AKA The Cassandra Syndrome


I had an incident today that kind of epitomizes the security business for me… Well, one aspect of it, that is. I call it the “Cassandra Effect” and it is more common than one might think. In my case, I am Cassandra and my prophetic insights are often unheeded or misunderstood as the rantings of a paranoid personality.

That is, until the prophecies come true… But by then it’s too late.

Today it was a manager within the company that I have been working for as a consultant who shrilly pushed back on the finding that the company (X) did not have an incident response process in place that was documented and auditable. Never mind that my finding stemmed not only from asking for the documentation and their telling me they had none, but also from the fact that an incident had recently occurred and I watched as their incident response was muddled, and likely would not have happened at all had I not been there to alert them to the malware causing the incident.

But… According to this manager, there was no need to document a process for incident response because they would not be audited by anyone, say for a SOX audit, and be required to show their auditable incident response documentation/processes.

Of course the SOX regs might say different huh?

Thankfully, I stopped myself from arguing this any further and trying to explain that this was indeed the case, and that even if the SOX folks did not ask (because they often suck at auditing) the PCI folks certainly would… I could hear the name whispered as the incident response post mortem call went on, however.

“Cassandra”

Am I the only one who feels this way, or is treated as such by clients who ask for security services? I mean, you go in, you do your job and document all the deficiencies, state the gaps and map them to regulations, and still you get pushback saying

“Well, we don’t need to fix that”

Hell, this even happens after you exploit systems and steal their data and show them. They still look at you and say:

“Well, you do this professionally, this won’t ever happen in the real world”

Why? What is it that causes these cases of self delusion in certain C level execs? I really don’t understand their reasoning here. I certainly did not understand this person’s need for their responses to be so confrontational. I mean, is it just that they feel that their job is on the line? Is it that they are not willing to spend more time and money? Because really, the only investment here would be time. Time to write the incident response plans and have them published.

So what’s the deal here?

I attribute much of it to the fact that security, much like the appearance of a UFO to Neanderthal man, instills fear into their hearts and minds. Simply, they see it all as magic and beyond their comprehension, moving some to disbelief of what they see before them.

It could never happen here!

This is just too arcane!

Who’d want our data anyway?

Well, I have news for you, this is the future and the future is security my friends and we.. We are doomed.

I wonder what will happen tomorrow when I send them the links to the SOX requirements on documented processes such as incident response….

CoB

Written by Krypt3ia

2010/07/28 at 02:04

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept


So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage”, a faux profile created on a number of social networking sites including LinkedIn. The profile sported a goth girl, and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he, by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was to see just how much information could be gathered by the cutout, and just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and, I am sure, the odd lascivious offer to “meet”. The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.

Twitter has been abuzz with condemnation, and who knows what’s being said in the halls of power and in the military, since many of the folks who got duped were military operators. All of this, though, glosses over a pertinent fact for me. One that may in fact be brought out in the talk at Black Hat, but I thought it interesting to write about here: the problem of how humans are wired neurologically and our need to be “social”. We come pre-loaded and are then taught social norms that are, much of the time, counter to secure actions.

Hardwired:

It is my contention that human beings are social animals that are wired and trained to be trusting, as well as gullible when a pretty woman says “please add me”. Sure, we can train ourselves to be skeptical and to seek out more information, but in our society of late it seems that we have lost even more of this capability because we do not teach critical thinking in school as much as rote learning. Of course this is just one aspect of a bigger picture, and I really want to focus on the brain wiring and social training.

As social animals, we “want” to be social (most of us, that is) and long to communicate. After all, that is what the internet is all about lately, huh? Not actually being in the room with people but able to talk/chat with them online in “social networks”. In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others, and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now it’s going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships, though, are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at us. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason, because that would be counterproductive and not the “norm”. However, these things can and do happen from time to time, yet we do not find ourselves on permanent alert as we walk the streets, because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal”.

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me, it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? It’s the same for any online relationship. Nickerson said it best… Unless you really know them or have… “spit roasted” someone with them, then don’t add them or tell them secret things… But… Then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, let’s take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought:

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others, though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up”. This raises the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women, I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of, as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field, mind you, that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives, huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE

CoB

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil


The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker, “Gregory D. Evans”, was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste his way to a complete document and claim it as his own. Mr. Evans now, though, is learning a couple of things:

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers.. For they are subtle and quick to temper.

What’s more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me, because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy getting contracts for work within the government sphere.

Since the original calling out by Ben Rothke, and also by the Shitcast as well as Exotic Liability, much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples:

  • His author picture for “Seria Mullen” was in fact a picture of a local TV news anchor
  • None of his authors seem to actually write anything; instead they copy AP stories and place them on the site under their name
  • His site nationalcybersecurity.com is riddled with PHP and XSS vulnerabilities (it was in fact hacked and taken down… It’s back, unfixed, now, as you can see from the image above)
  • None of his alleged experts seem to be qualified for the positions he claims they have in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13 year old hacker who he hired at 11… He has a YouTube commercial with him in it as a testimonial… Turns out the kid is an actor (see Twitter below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts http://tinyurl.com/29yvjuo

#LIGATT Mark Wilkerson author. Anyone know this guy? http://tinyurl.com/33zlrwc

#LIGATT Meet Rex Frank (cyber sec expert) http://tinyurl.com/2dghu33 http://tinyurl.com/2a5mh9j and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky http://tinyurl.com/35hz6bo http://tinyurl.com/35a8fjo http://tinyurl.com/27csy7r He’s their top guy

#LIGATT None of these “authors” actually write anything on nationalcybersecurity.com http://tinyurl.com/258jd5x they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actor http://tinyurl.com/3xus8ey http://bit.ly/dh0hw5 NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted, and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, it’s pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

What’s worse to me, though, as I mentioned above, is that there are people out there and companies… perhaps even governmental bodies… that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely that these places are just as insecure as they were the day before Gregory and his lackeys came along, and this is a large disservice to them and to the information security industry.

This is, however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that it’s hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry… Like the fast food “industry”, there is a lot of crap out there and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and it’s all good. It’s not all good.

Of course, I would like to also add here and now that security is… Well… Not a hard target. It’s rather like philosophy in many ways, really. You either get it and you work at getting more of it, or you just are lost and have no idea what it’s all about. It is also rather tricky from a technical perspective, because someone could come in and run the tests, tell you you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM, you get compromised. So, in reality, one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to tell the difference between an IIS vulnerability and an Apache Tomcat vuln.

The “Industry” has become the new MCSE, with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the trough (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean, you either have the skills and the drive to perform this type of work, or you don’t… Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages, and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security, and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something, or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security, and most places out there do not have a solid footing on how to perform these functions.

I personally would like to see a more holistic approach to information and technical security today, as opposed to just selling a vuln scan and/or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans). Get the books, do the homework, and if you have the drive then you can do a good job. Remember, there is that pesky word “Ethical” in there…

CoB

Auditing Career: Dealing with Mentally Unstable Managers


My Psychologist friend jokingly suggested that auditors receive training on how to interact with people suffering with Attention Deficit Disorders, bipolar disorders and in group dynamics in the corporate environment. A company’s culture is a very complex organism. Even the smallest places have complicated political and social layers (silos) that have nothing to do with the official roles and functions performed by individuals and shown in organizational charts. Decisions in organizations, anyone who is observant will confirm, are not always made based on logic, business reasoning, policies, controls, and/or the need to comply with external regulations. They are often made based on fear, anger, sexual attraction, insecurity, jealousy, greed, hate, prejudices and confusion. Because of these things, it is easy for mentally unstable people to “hide” in the open. In many organizations these behaviors are sheltered because those at the top benefit from that sort of culture.

I love this line that I have highlighted, because really, it’s the basis of 99% of the decisions made in corporations. Much of the decision making at the lower levels (operations) is done for the more base desires founded within the daily sloth of the individuals that comprise the management set.

Really.

The thrust of this article is predicated on the idea that many people in positions of management are in fact potentially mentally ill, or show signs of such behavior. I can see some of that, but that is not the case all of the time. This article does not take into account the sloth and greed factors as much as I think it should, on a gross product level within American corporations. Sure there is a lot of greed, but the closer assessment I have made has been that no one wants to be responsible and would rather just have a “good day” and go home after a solid 7.5 hours of internet surfing.

Other areas of concern would be ineptitude, negligence, lack of capacity for comprehension, and generally lackadaisical attitudes on the part of many where these matters (security/audit) are concerned. These are also backed by the near absolute lack of real follow through by entities to fine and/or censure companies that do not comply with regulations, and to really audit companies well to assure they are doing their part.

So, lacking any real negative reinforcement, the masses fall into a complacency that allows for such behaviors and feelings of entitlement on the part of managers etc. Also, because of the varying mores of corporations, it is possible to maximize the behavior because the “manager” is God in the org and can do nothing wrong. If they want that open pipe to the internet to surf YouTube and have a substandard (and against written corporate policy) password, as well as no hard drive encryption to boot, then BY GOD they should have it because they are “management”.

In a word, I would say that much of corporate America is “dysfunctional” and needs a good spanking as well as being sent to bed without supper! Or maybe, just maybe, some more, and REAL, oversight of how they do their business should be carried out. Much like we are now seeing with the whole issue with Goldman Sachs and their cavalier attitudes on selling “pure intellectual masturbation” to the masses, thus crashing the economy.

Meh….

On the other hand, were you to take these features into account when you are auditing a company (more to the point, penetrating one) then you could use all of these features in your attack. So remember, always look at not only the threatscape but also the psy-scape for your openings. Open your ears and take mental notes, because that substandard password and other breaking of the rules could get you in much further, much faster, than by having to gain a toehold elsewhere, kids.

CoB

Weapons Of Mass Disruption: Cyberpocalypse-a-palooza


To avoid a digital doomsday, Clarke and co-author Robert Knake argue that America needs to treat cyberattack capabilities as nothing less than weapons of mass destruction that can “skip over the battlefield” to target civilian life. That sort of threat, like nuclear weapons, calls for a multi-tiered response: treaties, transparency, beefed-up defenses and a focused concern on rogue states.

Cyberwar treaties face a problem that traditional ones don’t. An enemy could easily hide the source of attacks by routing them through hijacked computers in another country or attributing them to independent criminals.

But Clarke contends that a government could be held accountable for helping to track down any cyberattack originating within its borders, just as the Taliban was held responsible for harboring Osama bin Laden. Although attribution on the Internet isn’t as simple as in traditional warfare, cyberattacks can be traced. Clarke says forensic hackers can follow the trail of bits when they’re given time and leave to breach enemy computers.

“The NSA can do that. And the NSA tells me that attribution isn’t actually a problem,” he says bluntly.

Full article HERE

Dick, Dick, Dick, I am with you in so many ways.. BUT, when you start talking about DPI of the WHOLE INTERNET, then you lose me pal.

Sorry *shrug*

I personally don’t want the whole of the internet being siphoned even MORE than it already is by DPI at every provider’s NOC with a NARUS STA6400 system installed.

Nope, no thank you.

Now, on the other things, like accountability for nations with servers on their soil, I am with you. If a server is public/private and is on your soil, there should be “some” responsibility there. At least there should be enough to enforce that security practices be carried out to prevent it from becoming a botnet slave in the first place, no? Of course Obama wussed out on that one here, didn’t he? No rules will be created to enforce that type of accountability here in the private sector… No sir! It would put an undue strain on the private sector!

*tap tap* Uhh sir, most of the infrastructure is in “private” hands… Umm without making them do some due diligence we are fucked mmmkay?

Yeah…

Meanwhile, let’s talk to the italicized and BOLD text. Back in the days of yore, when pirates roamed the seas, there was a thing called a “Letter of Marque”; basically, the government would give a pirate hunter the letter and say “go git em”. This is what we need today, I think. Of course this is touchy, but this is pretty much what Dick is alluding to. He says that he “knows” that were the NSA given a letter of marque, they could not only penetrate the systems involved, but also run the forensics to attribute where the perp really is.

“Whoa” to quote Neo…

Yes, it’s quite true. Not only the NSA could do this, though. Go to Black Hat or Defcon and you would have a plethora of people to choose from, really. So this is no mysterious mojo here. It’s just that this type of action could cause much more ire than the original attack, maybe, and lead us into that physical war with the nukes. Who knows.

I guess, though, that what has been seen as the model for the future “internet”, with cyber-geographic demarcations, might just be the real future state we need. At least that is what Dick’s advocating here, and I can sorta see that as a way to handle certain problems. If we break up cyberspace, so to speak, into regions (like the whole .XXX debacle) then we can have set rules of governance. At present the internet is just a giant wild west stage, complete with digital tumbleweeds and an old whore house.

*pictures the dual swinging doors and spurs jangling*

The one thing that rings true, though, is that there needs to be some accountability… Just what form that will take is anyone’s guess. For now though, we will continue on with the lame government jabbering and frothing, with the lapdog that is the so called “press” lapping it all up and parroting it back to the masses.

Smoke em if ya got em…

CoB

Security experts: Don’t blame Internet for JihadJane and other recent terror scares

with 2 comments

By Michael Booth, The Denver Post
Published: Saturday, March 13, 2010 11:15 PM EST

It’s not the Internet. It’s the unstable surfer at the keyboard that constitutes the threat.

Internet terrorism and crime experts hedged their outrage when reacting to the arrest of Leadville’s Jamie Paulin-Ramirez, who was released Saturday without charges. Yes, they said, the Internet provides ample opportunity for disgruntled, lonely or violent people to meet up for criminal ends.

But social media, from chat rooms to Facebook, have become so widespread they are no more or less dangerous than society as a whole, these Internet observers said. And the technology cuts both ways: If alleged plotters like Paulin-Ramirez and “Jihad Jane” are using the Internet to plan crimes, rest assured law enforcement and watchdog groups successfully employ the same tools to foil them.

“Anyone who is trying to use the Internet for crime is falsely under the illusion that they are anonymous and won’t get busted,” said Steve Jones, author of “Virtual Culture” and a professor of communication and technology at the University of Illinois-Chicago. “Consider it an Internet-based `neighborhood watch.’ I’m not more concerned about the Internet than I am about the rest of the world.”

Internet connections can make for notorious nicknames and chilling chat-room transcripts, but the method of communication may not have that much impact on terrorism, said Jeremy Lipschultz, an expert in communications law and culture at the University of Nebraska-Omaha.

The rest HERE

Ummm yeah, Steve, you seem to be misunderstanding the problems faced here. Sure, there are people like me and others out there cruising the boards, but, the “authorities” are kinda behind the curve on this stuff.

Believe me Steve, I know. I have had dealings with the authorities.

So, yes, if you are on the internet and looking to do bad things AND you don’t know how to be stealthy, sure, eventually, you will be caught. However, if you are careful and you know what you are doing, then it may take some time if at all to be caught.

Case in point, look at our whole APT and cyber security debacle ongoing in the US. The CyberShockwave CNN mess is just the tip of the digital iceberg when talking about how inept our government and its minions are in dealing with the problems in cyberspace.

Better yet, let’s look at the 559 million dollar haul recently cited by the FBI taken by cyber criminals. Any clues? Suspects? Not like they can round up the usual crew huh? It’s just not that easy with our current infrastructure to capture traffic and catch those who were committing the crime. Nor are the cops, even the Feds, up to the task of trying to capture these offenders.

Here’s a quote for you from a recent exchange I had with the FBI:

“I don’t know anything about this stuff.. I do drug cases”

This from a field agent tasked with looking into a cyber oriented incident. What I am saying here is there is a big gap and the criminals and jihadis are using it to the fullest.

So Steve, you obviously don’t have a clue about cyber security issues. The real ones to worry about surely aren’t the guys and gals just using chat groups to talk to Jihadists, these “Jihobbyists”, but let me remind you, it was a group of guys who were NOT cops or feds that caught on to Jane and then reported her. Of course all of this AFTER she had activated and tried to whack a cartoonist. An act in which she failed mind you.

Oh, and Steve, did you know she was doing all this on YouTube? I mean really, just how friggin sooper sekret is that huh?

Duh.

Were Jane and others out there tech savvy or trained to be, they could be much more dangerous. In fact, the moniker “jihobbyist” has taken a turn in meaning. You see, the feds thought of Jane and others as “mostly harmless” but, as you can see they were wrong.

No, worry about the Jihadis who are technically savvy and trained in computer skills who know how to use a TOR router, encryption, email dead drops, etc. Those are the ones to worry about because even if one of us non-cops are watching, we may not catch on. Never mind the cops/feds who are playing catch up.

CoB

The Real Meaning Of Cyberwarfare

with one comment

Andy Greenberg, 03.03.10, 06:00 PM EST

Author Jeffrey Carr says we need to take a more measured approach to a new age of digital combat.


Jeffrey Carr

Connect the dots between reports of Chinese cyberspying, crippling network attacks in South Korea and Estonia and the U.S. military’s ramping up of cyber capabilities, and it would seem that a third World War is underway on the Internet.

Not so fast, says Jeffrey Carr, author of Inside Cyberwarfare, a plainspoken guide to cyber threats that was published by O’Reilly Media earlier this year. Carr, the chief executive of cybersecurity consultancy Grey Logic, takes a more measured approach to the new age of digital defense, starting with the definition of so-called “cyberwar.” In Carr’s view a war hasn’t begun until metal is flying through the air. That means the real threat to U.S. networks comes not from sleeper software planted by state-sponsored cyberspies, but from a combined attack of atoms and bits, or from cyber-enabled radical groups or criminals engaged in what’s more properly called “cyberterrorism.”

The rest HERE

I disagree with Mr. Carr. It’s exactly those sleeper software pieces and other cyberterror events that ARE cyberwar. War, as Sun Tzu framed it, is not only outright battle, but also the use of spies, understanding yourself and your enemy, and the terrain.

Mr. Carr lacks this perspective. I suggest he read The Art of War sometime.

The Chinese have been using the “Thousand Grains of Sand” approach to cyber affairs for some time now. They are patient, and they are methodical. Thus, we will perhaps be seeing the day that all of these precepts culminate in a battle won without “metal flying through the air” as Mr. Carr puts it. This is the essence of Sun Tzu.

So Mr. Carr, I just wanted to say: “You’re doing it wrong.”

CoB

Written by Krypt3ia

2010/03/05 at 15:01

How prepared are you for Cyber Attacks?

leave a comment »

The AFCOM association, whose members include 4,500 administrators from 3,900 data centers around the world, surveyed 436 data center sites last year. Some of the findings of the survey indicated that cyberterrorism is an increasing concern, mainframe deployment is on the decline, storage deployment is on the rise, and “green” technologies are definitely happening.

It was found that there is a shift in data centers away from mainframe computers and toward other types of servers. Just less than 40 percent of data centers run two or more mainframes, with 45.7 percent of such data centers planning to replace at least one of their mainframes in the next year. However 33 percent of those replacing mainframes plan to replace them with other types of servers.

The more worrying fact that this study conducted in July 2009 has brought to light is that 60.9 percent of data centers worldwide officially recognize cyberterrorism as a real threat but ironically only about one-third of respondents included cyber terrorism in their disaster-recovery plans. The survey has unveiled a major void in data centers in terms of securing its critical data against a very real possibility of cyber attacks. The report goes on to note that currently only about one of every four data centers addresses cyberterrorism, and one in five has procedures in place to prevent an attack. That means the remaining 4 out of five data centers are left dangerously vulnerable. The problem becomes more critical as several data centers expect massive expansion due to dramatic increase in storage demands and aggressive business plans in the next five years. The study finds that 22.0% will utilize a

The rest HERE

I find it funny that in most of the movies that have “hacker” content, there is usually a heavy reference to the “Mainframe” as being the target of attacks. Of course in real life, the mainframe is not much employed anymore by companies to store data or perform functions; instead it’s all distributed or now “cloud” computing based on servers.

What’s even more laughable is that when I worked for IBM and they needed someone to do audits on mainframes they made me the “mainframe guy” by handing me some manuals and saying read up. I ended up performing assessments on Z and 360 systems on the fly really. Once I had done some AS400 as well I was the go to guy by everyone else. Me? Really? I am now an SME? HA!

In time I got more acquainted with the AS400 but man, being thrown into something on site is a pain in the ass.

Anyway, now we are talking about mainframes and cyberterror huh? Hmm, well I can see how this might be appealing. How many of the kiddies out there know Z systems or 360? For that matter AS400? So maybe there is a little security by obscurity there, but, not really. Nope, in the end, I only see the advantage in being that there aren’t too many people programming malware for these operating systems.

On average, when I looked at mainframes out there as an auditor, I found them to be utterly lacking in having any security turned on. Most of the time you had maybe one or two people who knew how to run them, but not at all securely. So, do I have hope that a mainframe is more “secure” in the case of a cyberwar?

No.

Of course, just how many Z systems are out there now with the security module added on?

No idea.

How many of these “clouds” I keep hearing about actually use mainframe technology and LPARS?

Well, look at the numbers above. Nearly 50% of the data centers are offing their mainframes. This means that they will be running servers with either *NIX or, more likely, Microsoft.

*Shudder*

One would hope it’s the *NIX, but I can’t say for sure that will be the case.

Hmmm So IBM, did you maybe pay for this article?

Heh.

CoB

Written by Krypt3ia

2010/03/05 at 13:22

CyberShockwave = CyberFAIL Difference of Opinions

leave a comment »

From TaoSecurity

I just finished watching Cyber Shockwave, in the form of a two hour CNN rendition of the 16 February 2010 simulation organized by the Bipartisan Policy Center (BPC). The event simulated, in real time, a meeting of the US National Security Council, with former government, military, and security officials role-playing various NSC participants. The simulation was created by former CIA Director General Michael Hayden and the BPC’s National Security Preparedness Group, led by the co-chairs of the 9/11 Commission, Governor Thomas Kean and Congressman Lee Hamilton.

The fake NSC meeting was held in response to a fictitious “cyber attack” against US mobile phones, primarily caused by a malicious program called “March Madness.” For more details, read the press releases here, or tune into CNN at 1 am, 8 pm, or 11 pm EST on Sunday, or 1 am EST on Monday.

The Rest HERE

So, I already see lots of comments on Twitter and elsewhere claiming Cyber Shockwave was lame or a waste of time. As you can see it raised a lot of issues that I consider very important. I’m glad BPC organized this event and that CNN televised it. At the very least people are talking about digital security. Posted by Richard Bejtlich at 22:11

Bejtlich and I differ in opinions on a few things but I think he has some good points. I was reactive that night at the superciliousness of the exercise as presented by CNN. Now that I have had time to think a bit, let me put some more words around what I spewed out on Saturday in hopefully a more cogent way.

Tao’s thoughts will be followed by my own.

  • Others have already criticized the technical realism of this exercise. I think that is short-sighted. If you have a problem with the scenario, insert your own version of a major technical problem that affects millions of people.

I still feel that this was no real exercise. One would hope that in such meetings today, we would have technically savvy people there on hand to talk to the technical aspects of what was happening and what course to take. If we do not have someone technical in the SITROOM then we are hosed from the get go. You need to have SMEs there to explain the situation technically.

  • I think the real value of the exercise was revealing the planning deficiencies when cyber events are involved. Since this exercise supposedly occurred in the future, I was disappointed to not hear mention of the National Cyber Incident Response Plan, currently in draft.

I agree here. It would have been nice if they had talked about this response plan, but I am not so sure that this will get off the ground. Never mind the fact that were this type of attack to happen within say, the next 5 years, I am sure we would still not have the infrastructure to handle it properly as a country.

The turf wars that have started now will likely still be being fought and there will likely be no clear direction to follow. I really think that this country has yet to really be hit by an attack from which it will learn and change. Until then, we will have talking heads in bunkers making bad decisions while the outside world goes to shit.

  • I was disturbed but not surprised to see the tension between preserving the Constitution, individual liberties, and property rights, vs “aggressive” action which is “ratified” following Presidential order. I was impressed by the simulated Attorney General’s defense of the law despite intimations by some of her colleagues that the President could pretty much do whatever he wanted.
  • This is classic talking head NSC blather. It was exacerbated by the fact that there were no technical SMEs on the panel to help the talking heads understand the complexities of the problem. When they started talking about the constitutionality of pulling cell phones offline as well as taking over telcos, I was just beyond rational thought.

    Were they to start doing these things it would only lend to the pandemonium that this attack and the press chatter about it would have caused. This would only amp it up and make the nation go into panic mode.

    Additionally, you could see, as is pointed out above, that they seem to think that the president has carte blanche here to “protect the nation”, but in doing these things, or even advocating them, they are doing this country a disservice.

  • To complicate the situation, after the first hour news came of a bomb attack on two power stations, leading to or aggravating electrical grid failures on the east coast. I thought this was unnecessary. In the scenario wrap-up, the participants focused mainly on the cyber elements. I thought the exercise could have stayed focused on 100% cyber without bringing in a traditional terrorism angle.
  • Here I diverge again from Tao’s opinion. The cyber attack in question was a part of a larger attack that culminated with the explosion and taking down of the grid. Of course in the future this may not be necessary because the grid will be “smart” technology that is likely to be easily hacked and taken down in a massively larger plot. This would work even better because of the connectivity planned for these systems.

    In this case though, if this were a nation state actor they likely would take out the northeast grid at a sensitive location to make things worse. Of course the NE has the economic center of NY, so you can see where I am going here. Tao seems to miss that point. It’s not all about the cyber. In fact, I am more worried about a blended attack than I am a straight cyber one simply because, as the panel said, the systems are disparate and segregated. You couldn’t take them all down at once. Unless, that is, you have invested a lot of time hacking and backdooring them all before the attack goes live.

    This is another thing that was not talked about on the panel and may not have been apparent to many in the audience.

  • I thought the role of the simulated Cyber Coordinator revealed the weakness of the position. Most of the other participants relied on one, two, or three forms of authority when providing advice. They 1) offered specific expertise, e.g., the AG talking about the law; and/or 2) specific news, e.g., word from the Intel Community, and/or 3) explanations of what their agencies were doing, e.g., State describing interactions with other governments. The simulated Cyber Coordinator didn’t do much of those, and when he tried to apply expertise, he was wrong or wrong-headed. I cringed when he mentioned having ISPs require user PCs to be “secure” or to force them to apply patches. Just how would that happen? I could see a useful Cyber Coordinator be the person who knows the technology and its limitations, but outside of that role I have a lot of doubts.
  • Yes, there is no authority nor was there comprehension of the issues at hand by the one in charge. I think that we have much more to learn from episodes like this and yes, this was a learning experience, however, it need not have been on CNN. Unless this little event was a chance for the counterintel folks to pass out a healthy helping of “disinformation” we just let the world know pretty well how fubar we are where this attack type is concerned.

    On the issue of Tao’s cringing at the desire for ISPs etc. to enforce secure practices online, I don’t agree fully. I think that we need to get educated, but stop short of forcing people to be secure. However, I do agree that corporations, military, contractors, etc. that interface with the “infrastructure” should be forced to practice security. By law we already have rules about securing credit card and personal data, why not go further and audit companies to such standards around INFOSEC in general?

    After all, it’s all of these places that are the weak spots and getting hacked lately by the likes of China right? How about more legislation, oversight, and action here?

    In closing, I just want to reiterate that this CNN show was poorly thought out. The whole “War of the Worlds This is a simulation” crap was almost not necessary because it was so patently useless. So yes, it may have brought up some questions that may be useful to those in power, but mostly, it just led to more FUD for the public.

    CoB