Cyber Security's Mass Delusion Effect

Cyber Security's mass delusion effect says that we can protect our data and critical infrastructure from attack as long as we buy the right product, spend the right amount of money, hire the right people and elect the right politicians. This delusion is propagated by journalists, academics, government officials, and the Cyber Industrial Complex; and it's believed by a majority of voters, consumers and vendors.

Why?

I suspect that our cyber security mass delusion, like all delusions, exists because the alternative isn't acceptable, or because there's no money to be made in selling anything less than a cure. The reality, however is that the best anyone can do is find novel ways to (1) make a network increasingly more difficult to attack and (2) find ways to absorb the effects of an attack with minimal damage.

Thanks to our worldwide embrace of all things digital, we are more fragile and vulnerable than ever before in spite of the billions of dollars spent on cyber security "solutions".

We need to accept that in a network-powered world, we will always be at risk.

We need to change our thinking and fund programs which help us become more resilient.

Most of all, we need to stop wasting time and money pursuing an illusion of security that will never, ever manifest.

China's Cyber Security Strategy with the EU is an opportunity for the U.S.

China has released a policy paper on how it intends to work together with the EU in a number of ways for mutually beneficial interests; including in the area of cyber security:

Strengthen cybersecurity dialogue and cooperation and promote the building of a peaceful, secure, open and cooperative cyberspace. Facilitate practical cooperation between China and the EU in fighting cyber-crimes, emergency response to cybersecurity incidents and cyber capacity building through platforms such as the China-EU Cyber Taskforce and work together for the formulation of a code of conduct in cyberspace within the UN framework.

Assuming that the EU cooperates, this is precisely what I've been advocating for since since early 2013 and as late as last week:

A better strategy would be to find ways to encourage China to develop a body of intellectual property law and create MLATs between U.S. and Chinese law enforcement to help them catch hackers who are attacking Chinese government websites. There's a lot of value to be gained in understanding and identifying independent mercenary hacker groups operating within China's IP space because they don't only target Chinese websites. To put it as simply as possible - our current strategy on Chinese cyber espionage activities has not only had ZERO effect, it has made us look ineffective and hypocritical. It's time for a change.

This is the best path forward for the U.S. government in its China policy. International collaboration has proven itself to be the only effective way to identify and arrest cyber criminals, while attempts to strong-arm the Chinese government over acts of cyber espionage have not only failed miserably but have now made us the target of well-deserved criticism thanks to a seemingly never-ending stream of NSA revelations. 

What's the SIGINT value of your hotel to GCHQ and other FIS?

A "007" hotel - Couples Sans Souci hotel (Ocho Rios)

Taia Global's first service offering from 2010-2012 was executive cyber security protective services for corporate VPs and C-types who traveled overseas. One of those services was a cyber security risk assessment of the specific hotel that the executive had booked for his stay. We would assess through interviews in-country and research online how infiltrated any given hotel was by that nation state's security service. Needless to say, it was an expensive service since each report required manual preparation, but the reports were well-received by the few clients we had who were willing to pay for them. Unfortunately, most C-level executives that I had occasion to speak to about this either didn't care about the risk or couldn't justify the cost of our service.

Today, The Intercept has leaked a new classified GCHQ slide presentation from its Snowden archives entitled "Full Spectrum Cyber Effects: SIGINT development as an enabler for GCHQ's "Effects" mission" to support Glenn Greenwald's article about the "Cuban Twitter"; an article which may only make it harder for Cuba's dissidents to utilize social media in that country.

However, one of the non-social media slides in that GCHQ deck was entitled "Royal Concierge"- "a SIGINT-driven hotel reservation tip-off service".  While I would rather have found a Russian or Chinese intelligence service document that supported the need for corporate executives to pay attention to which hotel they stay in, it's safe to say that if GCHQ is doing this, all Foreign Intelligence Services (FIS) world-wide are doing it. Why? Because it's so damn effective against executives who will never sacrifice luxury for security. A 5 star hotel continues to be the world's most effective honey trap for both HUMINT and SIGINT operations.

Contact us if you want to start vetting where your top executives stay when they travel overseas.

Dan Geer's Nightmare Scenario: An Internet Killer That Can't Be Fixed

Dan Geer is a friend and mentor whose writings have continually inspired my work in the area of data-driven security (versus network-driven security) since 2009. He has recently shared with me his latest talk given at the NSA on March 26, 2014 "APT in a World of Rising Interdependence" and has now given me the OK to share it with you. 

Amongst many insightful points, Dan describes a scenario which would knock most off the world off-line, and for which there would be no no near-term recovery as of today or the near-future unless a dedicated, expensive effort is made to fix this problem.

Lest some of you think this is all so much picayune, tendentious, academic perfectionist posturing, here is how to deny the Internet to a large fraction of its users.  There are better methods, there are more insidious methods, there are darker paths.   

My apologies to those of you who are aware of what I am about to describe, but this one example of many is known to several of us, known in the here and now:  Home routers have drivers and operating systems that are binary blobs amounting to snapshots of the state of Linux plus the lowest end commodity chips that were extant at the time of the router's design.  Linux has moved on.  Device drivers have moved on.  Samba has moved on.  Chipsets have moved on.  But what is sold at Best Buy or the like is remarkably cheap and remarkably old.   

At the chip level, there are only three major manufacturers, so Gorman's 43% threshold is surpassed.  With certainty born of long engineering experience, I assert that those manufacturers can no longer build their deployed software blobs from source.  If, as my colleague Jim Gettys has laboriously measured, the average age of the code base on those ubiquitous low-end routers is 4-5 years,[JG] then you can be assured that the CVE catalog lists numerous methods of attacking those operating systems and device drivers remotely.[CV]   

If I can commandeer them remotely, then I can build a botnet that is on the *outside* of the home network.  It need not ever put a single packet through the firewall, it need never be detectible by any means whatsoever from the interior of the network it serves, but it is most assuredly a latent weapon, one that can be staged to whatever level of prevalence I desire before I ask it to do more. 

All I need is to include in my exploit a way to signal that device to do three things:

• stop processing anything it henceforth receives, 
• start flooding the network with a broadcast signal that causes other peers to do the same, 
• and zero the on-board firmware thus preventing reboot for all time.  

Now the only way to recover is to unplug all the devices, throw them in the dumpster, and install new ones -- but aren't the new ones likely to have the same kind of vulnerability spectrum in CVE that made this possible in the first place?  Of course they do, so this is not a quick trip to the big box store but rather flushing the entire design space and pipeline inventory of every maker of home routers.

I won't quote anything else from his talk because you should read it in its entirety, and can do so here. I will however mention that although Dan used the word "APT" in his talk's title, it had nothing to do with China (for those of you who still think that APT is a "who" and not a "what").

Thanks, Dan! 

Can You Spot The Fake SWIFT Transaction Document?

UPDATE (4/6/14): I've just updated this post with how I determined which SWIFT document was a fake. Scroll down to find the answer.

----------

We've been working our way through almost 1GB of documents that were part of the Russian Industrial Investment Fund leak last month by Russian Cyber Command (@Rucyborg on Twitter). Most of the documents have to do with business projects and project proposals by a wide variety of companies ranging from South African mining concerns to a shell company set up by a convicted former Romanian government official. It has been and continues to be a very interesting process of discovery and investigation. So much so that we'll be including some of the financial data, companies, and actors involved in our REDACT database as part of a financial intelligence offering.

I mentioned a South African mining project which was legitimate and one involving a former official of the Romanian government that was fraudulent. The only way that we could tell which was which was by closely examining the SWIFT transaction documents. It wasn't easy, especially since neither myself nor my Russian researchers have a background in international money transfers. So I'm posting both documents for interested readers to look at and see if you can tell what's wrong. I've made it easy by telling you which is authentic and which is fraudulent. Feel free to post your ideas in the comments. I'll follow up in a few days with some guidelines on what to watch out for.

Fraudulent

Authentic

--------------------

UPDATE (4/6/14): Here's the process that I used (as a non-banker) to identify the fake SWIFT transaction purportedly sent by Softworks Corporation (HSBC) to Best Global Publishing Ltd (Barclay's Bank) in the amount of one billion Euro. 

1. Confirm the names of the bank officers listed in the transaction. 
2. Confirm the address of the banks who conducted the transaction. 
3. Use a SWIFT guide to check the codes used.

The Receiver's bank officer is listed as "Mr. Murry" who works at Barclay's Bank, 1 Windborne Rd., Poole Dorset, UK. I searched online but couldn't find a Barclay's Bank employee named "Murry", although I did find a Jack Murray who worked for Barclay's bank as a foreign exchange trader until he was suspended in November 2013 for alleged rigging of the foreign exchange market. And while "Murray" isn't the same as "Murry", it could have just been a typo, right? 

So I tried to confirm the street address of Barclay's Bank where Mr. Murry supposedly worked. The address on the SWIFT form says 1 Windborne Rd in Poole Dorset, UK. When I looked it up online, the address of Barclay's Bank in Poole Dorset was on "Wimborne Road", not "Windborne Road". Another typo, I thought? So I called Barclay's headquarters just to make sure. There's no Barclay's Bank on 1 Windborne Rd, Poole Dorset, UK.

Would a cursory inspection have caught those two typos? Probably not. Even the Barclay's employee that I reached by phone first confirmed "Windborne" as correct until I asked her a second time to confirm Windborne with a "d" instead of Wimborne with a "b". Then she said - Oh, sorry! There's no Barclay's bank on Windborne road, only Wimborne Rd.

Whoever came up with this scam was careful to use person and street names that were almost identical to the real ones. Ironically, the real Mr. Murray at Barclay's was suspended for alleged wrong-doing a year later but I have no idea if that person had anything to do with this SWIFT document or if it was just a coincidence. 

However, I wanted to find additional clues to establish that the document was a fake, so I checked an online copy of a Luxembourg bank's SWIFT user guide (.pdf) for 2013 and verified the line codes for an MT103 credit transaction. Notice on the above image for the HSBC SWIFT document that there's a bunch of text next to line 79? Not only is it out of order on the form, but according to the guide I found, MT103 forms only have line numbers as high as 72. The only document that has a line 79 is a MTn92 cancellation request. 

The above findings were intriguing enough to keep me digging and as it turns out both parties to the above fake transaction have questionable backgrounds, but those details as well as whether they have anything to do with the Russian Industrial Investment Fund will have to wait for a later post.

The Security Startup Speed Lunch: Something to Chew On

In the course of running Suits and Spooks, I've had numerous requests from executives of various-sized companies regarding whether I've seen any exciting new security startups that look promising. I do from time to time, and I make those introductions whenever possible.

Then just last week, a colleague suggested that I consider hosting a security start-up happy hour for a future Suits and Spooks event. I considered it for about a week and then realized that rather than a happy hour, a speed "dating" lunch format might be the perfect way to bring a dozen or more promising security startups in front of directors, VPs, and CISOs in short 5 minute bursts.

A Speed Lunch, But Not For Dating

We'll use a selection process to identify startups who fall into various buckets (threat intelligence, data analytics, malware detection, etc.) and invite the top 20 to a private luncheon with decision-makers from mid-size and enterprise-level companies.

As a potential customer, you'll know before hand who the startups are and what they do, as well as their "vitals" (Management team, product description, date of formation, etc.) and then select up to 6 startups to meet with over a 60 minute lunch in 8 minute speed rounds.

As a selected startup, you'll have an opportunity to meet 1:1 with those people most important to your success: interested potential customers who have a need for your product.

Our inaugural event will happen soon at an exclusive venue in New York City or Washington DC. If you have a security startup company and want to participate, contact me today for more information.

Follow Security Speed Lunch on Twitter (@S3Lunch).

Assume That Your Network Is Already Breached. What's Next?

Assumption of Breach is the only realistic network defense strategy that governments and corporations should have today. If you agree, then the next question you should ask is - what data can I not afford to lose?

In order to help you answer that question, I've written a paper that was published this month in the Georgetown Journal of International Affairs (International Engagement on Cyber edition).

You can read my article here, although I recommend that you order the journal for its many excellent articles.