Three Suits and Spooks Courses taught by 3 World-Renowned Experts: Limited Enrollment and Savings!

At Suits and Spooks events, we always have world-class speakers. But for 2014, I wanted to offer world-class training as well. For example, in January we're featuring:

CARMEN MEDINA: Specialist leader at Deloitte Consulting LLP after retiring from an almost 32 years-career at the Central Intelligence Agency where her roles included Director of the Center for the Study of Intelligence (CSI); the Deputy Director for Intelligence, and Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

Course title: "Analytic Methodology and Critical Thinking for Cyber Intelligence and Information Security"

LANCE COTTRELL: Chief Scientist at Ntrepid Corp. and the founder and principle at Obscura Security. He founded Anonymizer Inc. in 1995, and is an internationally recognized expert in cryptography‚ online privacy‚ and Internet security.

Course title: "Tools, Techniques, and Pitfalls in Internet Anonymity and Pseudonymity"

ROB DUBOIS: Security advisor, smart power authority and retired U.S. Navy SEAL with experience in more than thirty nations. He recently served as the operations manager for the Department of Defense Red Team where his innovative tactics earned him the reputation of the U.S.’s “top terrorist”. Rob has provided his “Think like the Adversary” workshop to elite military units in combat zones, Fortune 500 companies, and agencies including the National Counterterrorism Center.

Course title: "Better Red than Dead: Learn to build your own full-spectrum Red Team with a veteran Red Team leader"

Originally, in order to attend a workshop you needed to also register for the conference. I've changed that policy so now you can take the training without having to register for Suits and Spooks DC, or you can register for both. Basically, it's now your choice.

Finally, in order to help us fill up these courses so as to have a more effective test on whether this is something that we continue to offer at Suits and Spooks events, I've lowered the tuition by 33% on all 3 courses until December 20th.

You can get complete details on each course by clicking on the course title, or call us with any questions you may have. Please help spread the word about this unique opportunity to learn from these highly esteemed professionals. Depending on our enrollment numbers, it may be the only time that we offer it.

What Does Huawei's Announcement of Exiting the U.S. Market Really Mean?

Last night, my Google Alert for Huawei captured an intriguing headline: "Huawei exiting US market: CEO". The article appeared in Global Times, a Chinese paper that's part of Peoples Daily. Here's the opening paragraph:

Chinese telecommunications equipment maker Huawei Technologies Co Ltd has exited the US market in order not to affect Sino-US relations, Ren Zhengfei, founder and CEO of Huawei, said in an interview in Paris, news portal 163.com reported Sunday.

Upon first reading, this raised a lot of questions in my mind regarding Huawei's current U.S. operations. It has offices in a number of U.S. cities and has already sold quite a bit of equipment to both U.S. corporations and the U.S. government. What would happen there, I wondered?

Fortunately, I was able to reach Bill Plummer, Huawei's VP of External Affairs by email and received the following clarification:

Huawei has prioritized markets that welcome competition and investment, such as Europe.  

That said, we remain committed to our customers, employees, investments and operations and more than $1 billion in sales in the U.S., and we stand ready to deliver additional competition and innovative solutions as desired by customers and allowed by authorities.

So basically what seemed like a radical change of strategy is actually something very practical. Huawei isn't pulling out of the U.S. physically nor is it abandoning its current U.S. customers. It is simply re-allocating its resources to increase sales in those parts of the world where it is welcome to compete.

Personally, as someone who has been a frequent critic of Huawei, I think it's a smart strategy. They're already the world's largest telecommunications hardware manufacturer. Why should they risk engendering more controversy by continuing to battle against U.S. government resistance when it will do nothing to improve their bottom line? In my opinion, Huawei's combination of low prices and quality manufacturing will eventually force adoption by U.S. corporations and government agencies. It might take years but I think that will be the inevitable outcome.

In the meantime, instead of hoping that the U.S. government will keep potential adversary states from selling them risky devices, U.S. companies should incentivize cyber security researchers to find ways to automatically test firmware updates for exploits. Currently, whether the hardware is made by Huawei, ZTE, or Dell, firmware updates are loaded automatically with no testing. If, down the road, a foreign intelligence agency (Chinese or otherwise) wants to compromise a strategically placed router made by a company that it has legal authorities over by adding a bit of malicious code, a firmware update is one of the easiest ways to do it.

As a side note I'm happy to say that both Bill Plummer and Andy Purdy (Huawei's CSO) will be at Suits and Spooks DC. Andy will be speaking on a panel that I'm moderating which will explore cyber security risks in the supply chain. We still have about 28 seats available if you'd like an opportunity to discuss Huawei and related cyber security issues with a couple of the company's executives face-to-face.

In OSINT, All Sources Aren't Created Equal

"In evaluating open-source documents, collectors and analysts must be careful to determine the origin of the document and the possibilities of inherent biases contained within the document."
- FM2-22.3: Human Intelligence Collector Operations, p. I-10

"Source and information evaluation is identified as being a critical element of the analytical process and production of intelligence products. However there is concern that in reality evaluation is being carried out in a cursory fashion involving limited intellectual rigour. Poor evaluation is also thought to be a causal factor in the failure of intelligence."
- John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task"

These two quotes illustrate the long-running problem that has plagued commercial cyber security reporting for many years. There are very few unclassified OSINT standards of source evaluation and even less for cyber threat intelligence; at least that I could find while doing research for this article. 

The field of cyber intelligence is fairly new and fortunately, thanks to the Software Engineering Institute at Carnegie Mellon and the work of Jay McAllister and Troy Townsend, we can take a credible look at the state of the practice of this field:

"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
- McAllister and Townsend, The Cyber Intelligence Tradecraft Project

The one thing that isn't covered in their report is the issue of source validation and how that contributes to the validity or value of the intelligence data received. However they did write a follow-up white paper with Troy Mattern entitled "Implementation Framework - Collection Management (.pdf)" 

Please take some time to study the framework and read the white paper. It's an ambitious and very thorough approach to helping companies understand how to get the most value from their cyber intelligence products. Unfortunately, while it specifies data evaluation and source validation, it doesn't provide any specific guidelines on how to implement those two processes.

Fortunately, there has been some great work done on source analysis for Human Intelligence (HUMINT) that I believe can be applied to Cyber intelligence and OSINT in general. It's a paper written by Pat Noble, an FBI intel analyst who did his Masters work at Mercyhurst University's Institute for Intelligence Studies: "Diagnosing Distortion In Source Reporting: Lessons For HUMINT Reliability From Other Fields"

A PowerPoint version of Noble's paper is also available. Here are a few of the slides from that presentation:

We recognize these failings when it comes to human intelligence collection but for some reason we don't recognize them or watch for them when it comes to OSINT. The crossover application seems obvious to me and could probably be easily implemented. 

I started this article with a quote from the Army Field Manual FM2-22.3: Human Intelligence Collector Operations (.pdf). Appendix B in that manual contains a Source and Information Reliability Matrix which I think is also applicable to Cyber intelligence or any analytic work that relies upon open sources.

I think a graph like this could be applied with very little customization to sources referenced in cyber intelligence reports or security assessments produced by cyber security companies. 

The West Australian Police Force study by John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task" recommended the use of the Admiralty Scale which is identical to the Army's matrix shown above:

Again, these scales were developed to evaluate human sources, not published content, but they certainly seem applicable with some minor tweaking. 

It's important to note that only part of the problem lies in the lack of source evaluation methods. Another very large contributing problem is the lack of standardized cyber intelligence tradecraft pointed out by McAllister and Townsend in their Cyber Intelligence Tradecraft paper:

"Tradecraft: Many government organizations have adopted the intelligence community standard of consistently caveating threat analysis with estimative language and source validation based on the quality of the sources, reporting history, and independent verification of corroborating sources. Numerous individuals with varying levels of this skillset have transitioned to cyber intelligence roles in industry and academia, but the practice of assessing credibility remains largely absent. The numerous analytical products reviewed for the CITP either did not contain estimative or source validation language, or relied on the third-party intelligence service providing the information to do the necessary credibility assessment." (p.11)

And of course due to the newness of the field there's no standard yet for Cyber Intelligence training (McAllister and Townsend, p. 13). 

IN SUMMARY

There are numerous examples of cyber security reports produced by commercial and government agencies where conclusions were drawn based upon less than hard data, including ones that I or my company wrote. Unless you're working in a scientific laboratory, source material related to cyber threats is rarely 100% reliable. Since no one is above criticism when it comes to this problem, it won't be hard for you to find a report to critique. In fact, it seems like a different information security company is issuing a new report at least once a month if not once a week so feel free to pick one at random and validate the sources using any of the resources that I compiled for this article. 

If you know of other source evaluation resources, please reference them in the comments section. 

If you're a consumer of cyber intelligence reports or threat intelligence feeds, please ask your vendor how his company validates the data that he's selling you, and then run it through your own validation process using one of the tools provided above. 

I'd love to hear from any readers who implement these suggestions and have experiences to share, either in confidence via email or in the comments section below.

UPDATE (11/24/13): A reader just recommended another excellent resource: Army Techniques Publication 2.22-9 "Open Source Intelligence". It discusses deception bias and content credibility, both of which must be accounted for in source validation.

U.S. Gov Employee Responds to TrustedSec's Review of Healthcare.gov

After I wrote yesterday's article "The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website", I received an email from a well-respected employee of a large government agency who had read TrustedSec's report on the Healthcare.gov website. This employee has asked me if I would publish the content of that email on my blog. Here it is with some minor formatting changes.

-------------------

So let's put aside the isc2 ethics violation by TrustedSec that this "report" is and instead focus upon its content."

The report is split into two parts, one based upon public open source intel gathering, and on upon actual "analysis". Contrary to what Goebbels might say, repeating a lie does not make it true. The first half of the "analysis" consists of misquotes and out of context statements about news reports, blog postings and the Heritage foundation (an anti-Affordable Care Act org). 

They extrapolate from news articles and jump to conclusions that would be laughed out of a Bsides conference, let alone a court of law. Most of the "observations" are generic in nature with no supporting detail. Everything is anecdotal. Everything is hearsay. There is no direct observation of any vulnerability, and only "potential risks". 

Many of the articles highlight pre-launch issues that have since been resolved, and others are issues common to most web application (hello, user enumeration? Seriously? Any site with a unique user account has this issue).

This lack of substance extends to the second part of the "analysis" which shows a lack of understanding of both what healthcare.gov is and what security is. 

In the professional world of cyber security there are two concept at the heart of computer forensics; peer review and reproducibility. Professionals understand that their word is not enough and they actually have to show something that the community and their peers can reproduce. None of their findings are "reproducible" vulnerabilities. They are all vague possible-maybe-there-could-be risks, or worse yet, a gross misunderstanding of what they are "analyzing."

They raise issues with things like the Terms of Service (TOS).

They raise issues with data.healthcare.gov.

Healthcare.gov is not just a website, it is a complex node in a web of Federal, State, and private systems that interconnect to produce the healthcare.gov site. The data in it comes from state exchanges, medicare, the IRS, SSA, and other Federal/state agencies, plus private insurers. It's not just a webserver/webapp with a back end database like something circa 2003.

They raise an issue that data will be shared with outside agencies which shows they don't understand what healthcare.gov is. Then they raise another issue about public profiles on the data.healthcare.gov site. The fact is that Data.healthcare.gov is an open data initiative based on the data gathered from insurers. Public profiles are a feature, not a bug, of that SEPARATE platform.

These two examples show the lack of due care conducted on this analysis. Please take a moment to read the "results" [CARR: A link to TrustedSec's report is provided below]. The level of writing and actual deliverable are so laughable that if a contractor had produced this for my agency I would have terminated their contract on the spot. (The report shows) no due diligence, sloppy work, and worst of all it is wrong in its "conclusions". 

Determinations need proof beyond media quotes and theoretical issues. They need to be based in fact.

------------------------

Here's a link to TrustedSec's public report (.pdf) for those readers who wish to review it and assess the above criticism for themselves. Comments are open.

The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website

Yesterday, Rep. Lamar Smith, the Republican Chairman of the House Committee on Space, Science and Technology had four cyber security experts testify about the poor security of healthcare.gov's website. Of the four experts, at least two were ardent critics of the Obama Administration in general and the Affordable Care Act specifically: David Kennedy, the CEO of TrustedSec and Morgan Wright, the CEO of Crowd Sourced Investigations. And of those two, only one - David Kennedy - could accurately be called a cyber security "expert".

While it's not surprising that a Republican Committee would load its witness list with individuals that would support its anti-Administration agenda, what was surprising was that David Kennedy used his reputation as a pen-tester to do an unauthorized security audit of the site and then go public with his findings. TrustedSec LLC, Kennedy's company, was not engaged by the U.S. Department of Health and Human Services (HHS) to perform any type of security testing on Healthcare.gov. If they were, he'd be under an NDA to not discuss his findings. Instead, he took it upon himself to run a passive test against the site.

Passive testing occurs when a user monitors his interaction with a website by using a proxy server and a "sniffer" to inspect the traffic between the website and the proxy server. Kennedy hasn't disclosed exactly how he conducted his passive vulnerability assessment but it wouldn't have revealed enough data to warrant an opinion that the site "had already been hacked", as Mr. Kennedy told the committee:

“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”

In my opinion, this raises serious ethical questions. Vulnerability assessments including penetration testing are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company. In fact, it would be professional suicide for any pen tester to "out" the vulnerabilities found on a client's website. Obviously, neither Kennedy nor TrustedSec had that relationship with HHS. Instead, Kennedy ran an unauthorized and non-defined "passive" vulnerability assessment which by its nature could not provide any kind of thoroughness in its findings and then announced those findings publicly to support a Right-wing political agenda. If he had done that against a private company, he'd be sued.

In contrast to the approach that Kennedy took, Dr. Avi Rubin, Director, Health and Medical Security Laboratory Technical Director, Information Security Institute, Johns Hopkins University (one of the remaining two experts who testified before the committee) advised that a full security review of the site was in order, and:

“I would need to know whether there are inherent flaws vs. superficial problems that can be fixed,” Rubin says. “If they can be fixed, that’s better than shutting it down.”

What a concept. Do a proper investigation and then provide an informed opinion based upon facts.

UPDATE: David Kennedy has posted his response to this article in the comments section. I encourage readers to read the comments in their entirety and join in the debate if you so choose.

UPDATE #2 (11/21/13): David Kennedy has maintained that neither he nor his company did anything unethical. I'm not saying that they did. I'm arguing that what was done by Kennedy and his firm raises questions in my mind about what is currently considered to be ethical in the security field, and that those standards need to be challenged, discussed and debated. That's what I'm trying to do with this article.

Navy SEAL Charity Fraud Graham Ware's Latest Scam

UPDATED 11/24/13 with more evidence of Ware's misconduct.

In addition to my original findings below this update, I just discovered that Ware used photo-editing software to create the impression that he's part of a legitimate company.

Here's a screenshot taken from the OptZona web page which features a smiling Graham Ware (circled in red):

I ran a search in Google Images and found the original which, not surprisingly, doesn't feature Ware at all. It's a stock photo used by this company, among others.

 He pulled the same stunt with his conference photo. Here's is the one on his website which features an OptZona slide, and just below it is a stock photo that you can buy a license to use, like Kreativ Tours probably did.

This is simply more evidence that consumers in the State of Arizona and elsewhere in the U.S. need to beware of Graham Ware. I'm happy to say that his former @OptZona Twitter account is gone replaced with a new one that says "LLC pending" and has very few followers. 

---------------

(November 18, 2013) Graham Ware, a Scottsdale, AZ native who was outed (here and here) for running a fake Navy SEAL charity website has moved on to the Search Engine Optimization game. His new scam is complete with a fake Google Certification logo, a fake Arizona LLC, and operates out of a UPS mail drop.

The above screen capture shows all three red flags.

Lower part of OptZona.com website

GOOGLE ANALYTICS CERTIFIED (NOT)

I checked with Google Analytics Professional Services and Google Analytics Partner Services. Neither one lists Optzona LLC as a certified organization. This isn't surprising when you read the requirements for a company to become a GACP (Google Analytics Certified Partner). For one thing, "you have to be legally incorporated to do business in your locality." So Ware obviously cut and pasted a fake Google Analytics logo to add credibility to his non-existent company.

OPTZONA's LLC STATUS (NOT)

The State of Arizona maintains a Division of Corporations website where anyone can run a business entity search. If you plug "Optzona" into the search window, you'll see two hits. One is a name reservation for Optzona LLC filed by Graham Ware on July 18, 2013 which expired on 11/16/13 (File Number: N-1860916-0). The other is a Pending File Inquiry (File Number: L-1884805-8) filed on 11/8/13 and returned to Ware on 11/12/13 for what appears to be a potential name conflict. As of today, 11/18/13, Optzona LLC does not legally exist. 

OPTZONA's BUSINESS ADDRESS

The contact address on Optzona's web page is 15279 N. Scottsdale Rd., Scottsdale, AZ which turns out to be a UPS mail drop.

Slide used in a Optzona promotional video on YouTube

Ware's YouTube channel features a 20 minute slide presentation with Ware providing voice-over. In it he describes OptZona LLC as a Search Engine Optimization company that was founded in 2012 and that has grown to become "one of the major industry leaders in their field" (minute 0:54-1:03). Notice the reference in the above slide to "grossly misleading & unethical businesses". Unbelievably, Ware is pitching viewers to avoid unethical companies just like OptZona; companies which aren't legally incorporated, who invent their own history, and who advertise certifications that they never qualified for.

INVESTORS BE WARNED

OptZona's Twitter account made this disturbing announcement about two weeks ago:

If this tweet is accurate, Ware intends to expand his fraudulent enterprise with other peoples money. I encourage anyone reading this article to report Ware to the Arizona Attorney General's office. Between his un-registered Navy SEAL charity scam and this fake SEO company, the guy is a malicious serial con artist.

Russian Venture Capital (RVC): A Report on Funding Priorities and RF Government Affiliations

Taia Global regularly produces custom reports on foreign research and development activities in Russia and China. Our most recent report examines Russian Venture Capital (RVC), an Open Joint Stock company (OAO RVC) with initial funding from the Investment Fund of Russia through the Federal Agency for STate Property Management (Rosimuschestvo). It's charter allows RVC to invest both domestically and overseas. RVC's Board of Directors limited investments by RVC to companies with products on the Russian government's critical technologies list.

This report is 17 pages long with graphics and two appendices, including the above-mentioned critical technologies list. We examined the background of RVC's executives as well as the firm's investments and its U.S. affiliations.

We are offering this report for a limited time to non-subscribers for $225. Interested parties may order via this link or by calling (855) 877-8242.