Wednesday, June 29, 2011

7 Reasons Why China Isn't The World's Biggest Cyber Threat (And Who Is)

When it comes to threats in cyberspace, conventional wisdom and expert commentary assign the number one slot to the country with the most failed operations. A failed operation is defined within the intelligence agencies of most countries as a compromised operation; i.e., one whose existence was discovered. It's important to note that the attribution of any specific country to any specific attack is an untrustworthy mix of art and science based upon IP address, who was victimized, technical evidence in the code, and what "feels right" to the person or team investigating. Based upon this formula, China has been ceded the top position as the number 1 cyber threat in the world.

Monday, June 27, 2011

Thomas Wright Falsely Claims U.S. Double Standard In Cyber Warfare

Thomas Wright is the Executive Director of Studies at the Chicago Council on Global Affairs. His OpEd in the Financial Times today "America has double standards in fighting cyberwar" attempts to make the case that the U.S. is hypocritical in its approach to building an international consensus on cybersecurity.

While Wright's academic credentials are impressive, he loses a lot of credibility with his opening sentence which claims that the CIA website was hacked, and that it, plus the IMF and Citibank attacks have pushed us to the brink of "cyberwar". Frankly, anyone who thinks that a website that suffered a Denial of Service attack has been "hacked" has no business writing about cyber-anything let alone something as emotionally charged and least understood as "cyberwar".

Huawei, Ryan Cleary, and Why The UK Is Headed For A Cyber Disaster

While the British government is busy prosecuting a teenager for the DDOS attack against SOCA, they are embracing China's national champion firm Huawei with open arms. Last year, Huawei opened a Cyber Security Evaluation Centre in Oxfordshire where its source code and presumably the source code of other companies could be examined for  backdoors by representatives of Britain's Communications-Electronics Security Group (CESG). This is the same strategy that has worked to Huawei's benefit in India just a few days ago where it has been given the green light to set up a similar lab in Bangalore, much to the chagrin of members of India's cybersecurity community with whom I've spoken privately.

Not only is the British government contracting with Huawei for significant work such as providing mobile phone service for London's subway system for the 2012 Olympics, but they do so in spite of warning by their own intelligence services. While other nations like the U.S. worry about China's plans to launch a pre-emptive strike against the power grid in the event of an impending attack, Britain has sold over 50% of its power grid to a Chinese company, which pretty much makes concern about an attack against CI a moot point. But by God, they're going to prosecute anyone who dares take a government website off-line because they're SERIOUS about cybersecurity in the U.K.

Related Posts:
Huawei's Chairwoman Worked For China's Ministry of Public Security
The Cyprus-Vienna Connection In Huawei Bribery Case
Does Huawei Support China's Monitoring Laws?

Saturday, June 25, 2011

Who's Who in the AntiSec Movement

The following is a summary of known entities in the Anti-Security movement as of 1800 Pacific 25 June 2011. I'll be maintaining it with updates on a regular basis and invite readers to add to this information through the comments section or via email. My contact information and public key is available here. This page will load slowly due to the screenshots so please be patient.

You can check for the latest announcements of compromised data by AntiSec hackers in the ZeroPaid feed along the sidebar of his blog.

Latest update:  1418Z 01JUL2011

Tuesday, June 21, 2011

The Rapid Rise and Fall of LulzSec

This is more of a prediction than a statement of fact but I feel pretty confident in saying that LulzSec won't be around for much longer. Anonymous may still avoid LulzSec's fate depending on whether they decide to abandon the AntiSec movement and stay focused on battling repressive regimes like they did with Tunisia, but they only have a small window of time to make that decision.

The reason why I'm making this prediction is because of today's New York Times article on the take-down of by the FBI. That's bad enough but it's not why LulzSec is screwed. They're screwed because the U.S. Intelligence Community has learned how to collaborate. It's taken them years but the historical animosity between CIA, FBI, and NSA has just recently diminished to the point where they are now able to work together better than ever before. And lucky LulzSec, they're all focused on you right now.

Sunday, June 19, 2011

AnonOps, LulzSec, & The Modalities Of nth Dimensional Conflict

Credit: Perceivin da multi dimensions
This post contains the beginning of my work to develop a new model with accompanying strategies for defending against anarchist clusters like LulzSec and Anonymous as well as more traditional opponents in cyberspace. I've named it the Principles of nth Dimensional Conflict. Since this is a work in progress and because I intend to flesh the principles and modalities out in more detail in the 2nd edition of Inside Cyber Warfare, I hope that interested parties will feel free to leave a comment with their thoughts and suggestions.

The genesis of this idea began with my first book in which I used the science fiction metaphor of a parallel universe to describe cyberspace: "a mysterious, invisible realm existing in parallel to the physical world, yet able to influence it in countless ways" (p.xiii). It's also why I've opposed the classification of cyberspace as a fifth warfighting domain. The Department of Defense as well as national and international law enforcement agencies have been relying upon traditional models to combat offensive cyber operations of all types with only marginal success. The information security community whose mission is to build software that protects private and government networks has failed miserably in executing that mission. In fact, some of their core principles such as publicizing vulnerability research may be causing more harm than good. The latest innovation is the rise of anarchist clusters like Anonymous and LulzSec who seemingly breach government and corporate websites at will. It has become clear to me that false assumptions about the battlespace have produced ineffective, possibly harmful defensive strategies and that we have to start fresh.

I've laid out some baseline principles that underlie recommended modalities or modes of action. In addition to my own interest in Complexity theory and Quantum physics, my thinking in this area has been greatly influenced by a research paper published by JASON in November, 2010: "Science of Cyber Security".

The Principles:

  • Cyberspace is an artificially constructed environment that is only loosely tied to the physical universe and is not constrained by three dimensional space, therefore there are few apriori constraints on either the attackers or the defenders.
  • It is not possible to definitively measure a level of security as it applies to the general operation of information systems (JASON).

The Modalities:

  • Uncertainty and randomness favor the adversary, therefore defenders must implement components of randomness and uncertainty as part of a network defense strategy
  • Since it isn't possible to anticipate every type of attack, the defender must become a competitor to the adversary and continually attack his own system "in the hopes of finding heretofore undiscovered attacks" before the adversary does.
  • Transparency such as commercial anti-virus systems and InfoSec research favors the adversary. Secrecy favors the defender.
  • For the adversary, trust is more important than identity. Since the Internet favors anonymity by design, defenders may achieve more success by breaching an adversary's trust loop than identifying who the adversary is.

I intend for this project to evolve into something more tangible in relatively short order but I don't expect it to be well-received. There's a lot of money invested (and being made) in the current flawed model and there's no scientific method that can be applied to the field of cybersecurity to help persuade skeptics. Absent scientific evidence, the best reason for corporate executives, military planners, and government policy makers to force themselves to explore and consider alternate paradigms like this one is the rapidly growing popularity of anarchistic hacker crews like LulzSec who will continue to thrive in the antiquated security environment that we've created up until this point. It's time to not only change the game, but the dimensional universe that the game is played in. Yes, we can do that in cyberspace.

Wednesday, June 15, 2011

Richard Clarke Should Get His Facts Straight On Cybersecurity and China

Richard Clarke's inflammatory article for the Wall Street Journal "China's Cyberassault On America" overflows with incorrect facts, logical inconsistencies and a serious lack of understanding of how targeted cyber attacks work at a granular level.

Clarke tries to draw a parallel between Obama's protection of Libyan dissidents from Gaddafi and his lack of protection for U.S. citizens from cyber attacks from China when he knows perfectly well that the President's authority over military actions as Commander-in-Chief is completely different from his authority over U.S. corporations, which is ZERO; that would be the totalitarian governments of the world, not the U.S. government, Mr. Clarke.

Tuesday, June 14, 2011

Turkey's Arrest Of Anonymous Members More Political Than Legal

Turkey is one of those countries like China, Russia, Ukraine, and many others where the government has a "useful" relationship with its indigenous hacker population. The recent news that 32 alleged members of Anonymous have been arrested in Turkey is a perfect example of what not to do if you're a hacker and you want to be tolerated by the Turkish government. I doubt that anyone would claim with a straight face that Ankara has a zero tolerance policy when it comes to prosecuting hackers. Remember what happened last year with Sweden?

When the Swedish parliament passed a resolution recognizing the deaths of hundreds of thousands of Armenians by the Ottoman Empire (now the nation state of Turkey) in 1915 and 1916, the Turkish government protested the action with official protests and by calling off the 2010 meeting of the American-Turkish Council. Additionally, on March 17, 2010, Turkey's Prime Minister threatened to deport 100,000 Armenians back to their homeland. Coinciding with their government's protests, Turkish hackers defaced over 600 Swedish websites. No arrests were made in Turkey.

In July 2009 Turkish hackers defaced Chinese government websites after the Turkish government expressed concern over the treatment of the Uighur people in the Xinjiang region of China. No arrests were made then either.

Then there's the case of Agd_Scorp, an infamous Turkish hacker who was arrested by Turkish authorities only after Microsoft teamed up with NASA and pushed Ankara to do something about his perpetual targeting and defacing of both their organizations websites. Turkish authorities made an arrest, prosecuted him and he was released after spending about 30 days in jail but that never would have happened had outside pressure not been applied.

The lesson for hackers in Turkey is clear. Don't "f" with us and we'll leave you alone. And that's probably solid advice for hackers in most states.

Monday, June 13, 2011

The IMF Attack: When a State and its Hackers' Interests Coincide

The recent discovery that the International Monetary Fund had its network breached and mined for sensitive data over a period of several months is the latest in a non-stop round of significant cyber attacks dating back almost to the beginning of the year.

Here's what has been reported by the New York Times [1] and Bloomberg [2] through unconfirmed sources:

  • It preceded the arrest of former IMF director Dominique Strauss-Kahn (DSK) on May 14, 2011 [3]
  • It occurred over the last several months before being discovered [1]
  • It didn't involve the use of a duplicate RSA SecurID token [1]
  • A large quantity of data was taken including e-mail messages and documents [2]
  • It was reportedly state-based [2]
  • A staff memo issued on June 1 warned of phishing activity and urged IMF employees to not open any e-mail messages or click on video links without authenticating the source [2]

Friday, June 10, 2011

EMC's Anti-Security Culture: Business First, Security Second

(Updated with additional copy and links - 1920 EST 10 Jun 2011): NetWitness' Chief Security Officer Eddie Schwartz has apparently become the first CSO that EMC's RSA Security division has ever had, which I thought was pretty amazing for a world leader in security technology. In the course of looking into who holds the position at RSA's parent company, EMC, I ran across an EMC Leadership and Innovation article written by former EMC CSO Roland Cloutier that expressed a corporate philosophy which, in my opinion, contributed to the success of the RSA attack earlier this year:
Security must be a business enabler 
Cloutier is adamant that security must be deployed in the service of business goals, enabling the innovation and responsiveness that create competitive advantage. "As security practitioners, our aim is to create an environment for our executives, engineers, and sales folks to build, deliver, and service the absolute best technologies without any impedance or concern about security in our environment," he says. "We want them to understand that security is not a business inhibitor."

Wednesday, June 8, 2011

Breach of Trust: 3 Major Problems With RSA's Public Statements

When a high profile attack occurs and becomes public knowledge, such as the one successfully mounted against EMC's RSA Security division, the company's preparation of its public statement(s) is a critical process. The goal is to start rebuilding customer and stock holder confidence in the company. If it's done right, it may work. If not, it can multiply the effect of the breach far beyond whatever harm the original attack caused. The reason why is because when damage control is done right, product replacement is a relatively easy fix. However when a company issues contradictory statements or when essential facts are missing or obfuscated, then customers may feel a breach of trust. And trust, once broken, can almost never be restored.

Monday, June 6, 2011

The Chinese IP Address Fallacy In Cyber Attribution

Google recently announced a spear phishing campaign that had been going on for over a year and "which appears to originate from Jinan, China" that targeted the personal Gmail accounts of hundreds of various persons of interest presumably to the Chinese government.  The proof to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman who reported on the story for the Wall Street Journal failed to disclose was that other countries IP addresses were used as well including South Korea and the United States. Copies of the spoofed emails along with the originating IPs were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, 2 were from Hong Kong, 2 were from Beijing, 1 was from Seoul, and 1 was from New York:
  • Hong Kong (PCCW Business Internet Access)
  • Hong Kong (Wharf TT Ltd)
  •  Beijing (China Unicom)
  • Beijing (China Unicom)
  • Seoul (Korea NIC)
  • New York (Nobis Technology Group LLC)

Was The RSA-Lockheed-L-3 Breach Over A $2.6B DHS Contract?

Site Plan New DHS Building
Since my original post on the Lockheed Martin / Prime contractors breach which I and other security researchers connected to the EMC RSA breach (a fact that EMC has now conceded to), I've been investigating possible motives for this multi-faceted attack. Its always been my belief that RSA's technology was not the primary target but a means to an end. And that "end" apparently involved breaching the networks of multiple Department of Defense contractors: Lockheed Martin, L-3 Communications, and allegedly Northrop Grumman. Other primes mentioned as possibilities by Reuters included General Dynamics, Boeing, and Raytheon.

If RSA was stage one of a multi-stage operation, that would suggest that Lockheed, L-3, and Northrup Grumman as the targets would have something else in common besides just being DOD contractors. Since it's my belief that the EMC RSA attack started earlier than March, 2011 and took some planning prior to its launch, I began looking for contract awards in mid to late 2010 that involved the three victim companies. I found a couple of possibilities that warranted further consideration but then I came across this news item from November 8, 2010: 4 competitors protest award of $2.6 billion IT contract to Northrop Grumman

Friday, June 3, 2011

The Google-Clinton-China Martini With A Cyberwar Twist

There has recently been a lot of media attention focused on a relatively unsophisticated and even mundane act of information exploitation against high level Gmail users and, not surprisingly, a Chinese IP address. There’s absolutely nothing new or sophisticated about the attacks which have been going on for a year or more and which essentially add a forwarding instruction so that others can read copies of everything coming to your Gmail account or even be allowed access to your account - all without you knowing about it. In fact, a Washington D.C.-based security researcher published samples on her blog last February and I recall giving it a quick read back then and thinking how the simple strategies are still the best when it comes to hostile or criminal acts in cyberspace. Spear phishing attacks are simple, elegant things that cost almost nothing to develop except a bit of homework on the potential targets, and they continue to work regardless of millions of dollars being spent to stop or intercept them.

Thursday, June 2, 2011

18 Days From 0day to 8K - An RSA Attack Timeline Analysis

There was a lot that bothered me about the official statements surrounding the RSA SecurID breach. For example, they claimed to be victims of an Advanced Persistant Threat that was neither advanced nor persistant.  Then there was news of a related attack against L3 Communications prior to 6 April, less than three weeks after the Coviello letter was made public on 17 Mar 2011. I decided to construct a timeline out of the available facts and see if it supports or conflicts with RSA President Art Coviello [3] and Mr. Uri Rivner's [10] versions of what happened. Either the attack was short-lived, as Mr. Rivner claims, or it was of much longer duration which would put RSA Security division products at greater risk for compromise along with EMC's customers who use them, such as Lockheed Martin [6], L3 Communications [5], and possibly Northrup Grumman [11], among others.