Thursday, July 28, 2011

EMC and AmCham-China: A Perfect Recipe For A Network Breach

Here is a classic scenario for how critical technology gets stolen. Take a C-level executive of a company whose focus is high-value technology (like Cloud computing) and send him to a country that is spending millions of its currency to acquire that technology (like China) to speak at an event organized by an association that has itself been compromised (like the American Chamber of Commerce in China).

The event I'm writing about is coming up on August 9 in Beijing: USITO/AmCham-China's ICT Breakfast Series: Cloud Meets Big Data

China is heavily investing in Cloud Computing, having set up its own Cloud Valley located in the Beijing Economic Technological Development Area for RMB 500 million.

One of AmCham-China's employees was sending out email messages with malicious attachments in January 2011. These were not spoofed emails, which means that the entire organization's network had been compromised and probably still is.

The speaker for the event is the CTO of EMC Jeffrey Nick, whose RSA security division suffered a massive breach last March and whose company offers Cloud computing solutions.

This is a textbook case for how executives may be targeted and compromised by a nation state that is interested in their technology. And if this year has taught us anything, it's that everyone is vulnerable - even a top executive at one of the world's largest information security companies.

Wednesday, July 27, 2011

Why the U.S. Will Lose A War In Cyberspace

There's not another nation in the world that can wage kinetic warfare as effectively as the United States, and that is probably at the heart of the reason why the U.S. will lose a war fought in cyberspace. It's not because we don't have skilled cyber warriors, because we do. It's because present leadership in the Department of Defense is trying to fit the round peg of cyberspace into the square hole of meat space. A perfect example of this mindset is found in the Spring 2011 edition of Strategic Studies Quarterly "Rise of a Cybered Westphalian Age" wherein the authors write [1]:
First, the technology of cyberspace is man-made. It is not, as described by the early “cyber prophets” of the 1990s, an entirely new environment which operates outside human control, like tides or gravity. Rather, as its base, the grid is a vast complex system of machines, software code and services, cables, accepted protocols for compatibility, graphical pictures for human eyes, input/output connections, and electrical supports. It operates precisely across narrow electronic bands but with such an amalgamation of redundancies, substitutions, workarounds, and quick go-to fixes that disruptions can be handled relatively well as long as everyone wants the system to work as planned.
In the earliest days of the Internet, otherwise known as Web 1.0 (the Read-only Web), the above was certainly true. As we moved to Web 2.0 (the Read-Write Web), it became less true. The more integrated our physical and virtual lives become (Web 3.0), the farther away from that definition we land. The fact that the authors of the paper still believe that cyberspace is nothing more than a man-made piece of hardware speaks volumes about how the domain is misunderstood at the highest levels of the DoD, as is obvious from the mis-categorization of cyberspace as a 5th domain [2]:
Though the networks and systems that make up cyberspace are man-made, often privately owned, and primarily civilian in use, treating cyberspace as a domain is a critical organizing concept for DoD’s national security missions. This allows DoD to organize, train, and equip for cyberspace as we do in air, land, maritime, and space to support national security interests.
I've touched upon the concept of n-dimensional conflict here, and I'm writing a chapter on it for the 2nd edition of "Inside Cyber Warfare" (O'Reilly, 2009). In the course of my research, I've come across the work of theoretical physicist Basarab Nicolescu who argues that cyber-space-time (a more accurate name than "cyberspace") is both artificial and natural at the same time [3]:
The information that circulates in CST is every bit as material as a chair, a car, or a quantum particle. Electromagnetic waves are just as material as the earth from which the calculi were made: it is simply that their degrees of materiality are different. In modern physics matter is associated with the complex relationship: substance-energy-information-space-time. The semantic shift from material to immaterial is not merely naive, for it can lead to dangerous fantasies.
One of Nicolescu's influences was Nobel laureate Wolfgang Pauli*, and Pauli, in turn, was fascinated by Carl Jung's theory of Synchronicity. In fact, Pauli and Jung spent a great deal of time together because Pauli believed that there was a relationship between Jung's acausal connecting principle and quantum physics; specifically, a conundrum known as "quantum indeterminacy" [4]. In a kind of ironic twist, Carl Jung's theory of synchronicity has its genesis in his fascination with an ancient Chinese oracle called "The Book of Changes" or Yijing. It is a divinatory oracle that dates back to the Qin dynasty and teaches that the universe is composed of parts that are interconnected. The yarrow stalks used in the Yijing symbolize those parts, while the casting of them symbolizes the mystery of how the universe works (Pauli's quantum indeterminacy). Chinese emperors and generals have used this oracle since approximately 300 BC, and it may still provide a glimmer of insight into the mysterious nature of this new age of cyber-space-time and how cyber battles may be fought and won.

Unfortunately for Western nations, synchronicity has its origins in the East. Western nations have a tradition of causality, not synchronicity. And the U.S. Department of Defense is deeply grounded in traditional Western thinking and practicality. The decision to call cyberspace a domain was based on organizational necessity. That's how DoD is set up. It's how budgets are created and funds distributed. It's how contracts get assigned. Simply put, it's how things get done at the Pentagon. This is why the U.S. will lose a war fought in cyberspace. A strategic doctrine built upon a flawed vision cannot yield a victory against an adversary whose knowledge of the battlespace is superior to our own.

* Even though Pauli's lifetime preceded the Internet age, he wrote extensively about a unifying connecting principle which bridged mind and matter. Nicolescu references Pauli's work and calls that connecting principle Cyber-Space-Time.

[1] Chris C. Demchak and Peter Dombrowski, "Rise of a Cybered Westphalian Age", Strategic Studies Quarterly Spring 2011
[2] Department of Defense Strategy For Operating In Cyberspace, July 2011
[3] Basarab Nicolescu "The Manifesto of Transdisciplinarity", SUNY Press 2002
[4] The Information Philosopher web page (

Sunday, July 24, 2011

If Your Data Lives In Moscow, Are You At Risk In The U.S.?

Google's new data center - Finland
Even though I'm a U.S. citizen residing in the U.S., my Gmail messages, attached files, Google documents, and Google chat logs may reside in one of 17 different nation states, and may be accessed through differing legal standards in each. Those states are the U.S., Canada, Brazil, Germany, Switzerland, The Netherlands, Belgium, France, U.K., Ireland, Italy, Russian Federation, Japan, People's Republic of China, Malaysia, Austria, and Finland. If the foreign government of a state where Google does business issues an order for Google to provide information on parties of interest who represent a threat, have committed a crime, or whatever is required under that state's security laws, then Google is frequently obligated to comply. This also applies in states where Google has established a sales office but not a data center.

Friday, July 22, 2011

Is It In China's Interest To Breach IMF Servers? No.

Yesterday, Bloomberg News ran a story announcing "China-Based Spies Said To Be Behind Hacking In Investigators' View":
Investigators probing the recent ransacking of International Monetary Fund computers have concluded the attack was carried out by cyber spies connected to China, according to two people close to the investigation.
The article goes on to provide general details about why:
Evidence pointing to China includes an analysis of the attack methods, as well as the electronic trail left by hackers as they removed large quantities of documents from the IMF’s computers. The multistaged attack, which used U.S.-based servers as part of their equipment, ended on May 31, people involved in the investigation said on the condition they not be identified because they aren’t authorized to speak about it.
The article goes on to further specify that the analysis includes "analyzing the code left behind in networks and tracing patterns in multiple attacks that may use the same infrastructure." This sounds to me like the automated analysis performed by something like HBGary's "Digital DNA". The problem with that solution and others like it is that while it can analyze commonalities in the tools used as well as the malware code, it cannot discern the nationality of the hackers responsible and certainly not the nation state that may have engaged them. The fact that a Remote Access Tool was created by a Chinese-speaking person doesn't mean that it was used by a Chinese hacker working on behalf of the State Council or a Chinese intelligence agency. Those tools are broadly available and used by black hats all over the world.

The more important thing to look at is motivation. Why should China be interested in hacking into an organization of which it is one of the most powerful members? On October 28, 2010, the IMF approved the G20 Agreement on Quotas and Governance, which amended the list of its top ten largest shareholders to be the "United States, Japan, the BRICs (Brazil, China, India and Russia), and the four largest European countries (France, Germany, Italy, and United Kingdom)." Canada and Saudi Arabia lost their former top ten positions. In fact, according to this IMF fact sheet on Quotas, China is now the third most powerful member in the IMF. Unless someone can come up with a strong motivation for China wanting to hack an organization that it is the third largest contributor to, I think the blame lies elsewhere.

Related Posts:
The IMF Attack: When A State And Its Hackers' Interests Coincide
7 Reasons Why China Isn't The World's Biggest Cyber Threat (And Who Is)
Richard Clarke Should Get His Facts Straight On Cybersecurity And China

Thursday, July 21, 2011

Huawei Symantec Hardware Powers U.S. Critical Technology Research

Huawei Symantec, a joint venture between China's national champion firm Huawei Technologies and U.S. security giant Symantec, has secured its first high-performance storage cluster win - the University of Tennessee's National Center for Computational Engineering. Huawei Symantec is 51% owned by Huawei, and it defeated U.S. firms NetApp, EMC, and BlueArc among others for the UT sale. Well, not exactly Huawei Symantec directly. It was their channel partner MPAK Technology out of San Diego who made the sale. This has been Huawei's strategy ever since it became clear that the U.S. government wasn't going to cave in on its security concerns as easily as the U.K. government did. Rather than trying to sell direct, it has established partnerships with U.S. companies like MPAK and Force 10 Networks to do it for them. What will their equipment be used for? This is from UT's website:
The SimCenter: National Center for Computational Engineering is a center for integrated research and education whose primary goals are to establish next-generation technologies in computational modeling, simulation and design, to educate a new breed of interdisciplinary computational engineer who can solve a broad range of real-world engineering problems, and to provide consequent leadership and national impact in critical technology areas affecting defense, sustainable energy, environment, and health.
Huawei priced themselves far below their competition, and the University went with the lowest bidder. Did national security concerns factor into the decision? I've sent the university an email with that very question. If they respond, I'll post it here. My guess is that security wasn't a factor at all.

Related Posts:
China's Silent Cyber Takeover
Symantec CEO Salem Needs To Get His Priorities Straight

Monday, July 18, 2011

DST Global, Social Media, and Favors For The Kremlin

Dvorkovich & Milner*
My company has been advising government and corporate interests about Russian investment in social media in general and DST Global in particular since 2009. I've had the unique "privilege" of having an article about the CEO of DST Global pulled from with nothing more than a phone call from Mr. Milner to Forbes followed by a threatening letter from his attorney. Now I see that DST Global II has finally succeeded in convincing Twitter to take its money - $400 million for a 5% stake in the company.

Two Predictions
If Milner's pattern with past investments holds true, two things will happen in the months following this Twitter investment:
  1. DST Global II will increase its holdings in Twitter one way or another. With Facebook it was through the purchase of employee shares. Time will tell how it happens with Twitter, but rest assured, it will happen.
  2. Yuri Milner will perform some high profile service for the Russian government most likely having to do with the security of Runet (the Russian Internet).
These predictions are based upon the following historical record:
These tables were created for a paper that I wrote entitled "The Geopolitical Strategy Of Russian Investment In Facebook And Other Social Networks" for the Georgetown Journal of International Affairs. The issue is entitled International Engagement On Cyber: Establishing International Norms & Improved Cyber Security, and will be available by August, 2011.

*The above photo was taken for Kommersant on 30.03.2011 in Russia, Chelyabinsk region, Magnitogorsk. Russian presidential aide Arkady Dvorkovich (left) and CEO of the Digital Sky Technologies (DST) Yuri Milner (right) during a meeting of the Commission under the President of Russia on modernization and technological development of economy of Russia.

Tuesday, July 12, 2011

"Suits and Spooks": Why I'm Inviting The IC To Palo Alto in September

Update 7/16/11: We now have more companies interested in sponsoring this event than there are sponsor slots available. Sponsors will be accepted based upon who completes their registration requirements first. Thank you all for your support.

The Suits and Spooks Conference that I'm launching this fall in Palo Alto is the culmination of 6 years of enjoyable yet frustrating work spent studying problems and experimenting with solutions in the national security space. Looking back, I was incredibly naive about how things worked when it came to selling any product or service to the U.S. government. The conventional wisdom for startup or young firms selling to the government is to find a Prime contractor and become a sub on one of their contracts. The downside is that your innovative R&D will get absorbed by "the Borg", which is driven not by innovation but by catering to the traditional thinking of its government program manager.

The bottom line is that the U.S. government is locked into a broken acquisition system** that more often than not delivers sub-par results that are vastly over-priced; e.g., the FBI's Sentinel program - a $450 million piece of shit created by the country's largest government contractor, Lockheed Martin. I told a friend of mine at the FBI that they should have gone to Palo Alto with their application specs and they would have had a better, faster version built in a matter of months by some undergrads at Stanford for a tiny fraction of the cost. We agreed on that point, but unfortunately things are never that easy inside the Beltway. But it kick-started what has now become the first Suits and Spooks conference in Palo Alto on Sept 23-24.

Friday, July 8, 2011

China's R&D Priorities and US National Lab Issues

From 2004 Argonne Labs presentation "
In the course of researching yesterday's post, I found this gem of a presentation (download .ppt) given in 2004 by the CIO of Argonne National Laboratory. The above image is slide #23 and aptly demonstrates the security insanity that is still present in many if not all of the 39 Federally Funded Research and Development Centers (FFRDC) operating today. If you're a present or former employee at one of those labs, you know exactly what I mean. If you don't, just look at the history of security breaches that date back to the '80s. For example, slide #5 provides some stats for Argonne: 23 reported intrusions in 1998; 17 in 1999; 13 in 2000. And that's just for one lab.

Thursday, July 7, 2011

Russian Federation Sets New Science Priorities As 5 US Labs Are Breached

Image: accelerator at the Large Hadron Collider
2011 may be the worst year on record for cybersecurity breaches at U.S. national labs and related facilities: 5 breaches in 6 months:

April 11:
- Oak Ridge National Laboratory (managed by Battelle)
- Method of attack: spear phishing with 0-day payload

June 11:
- Y-12 National Security Complex (managed by BWX, a member of the Battelle Energy Alliance)
- Method of attack: SQL injection

July 1:
- Battelle Memorial Institute
- Pacific Northwest National Laboratory (managed by Battelle)
- Thomas Jefferson National Accelerator Facility (managed by CSC via Jefferson Science Associates)
- Method of attack: unspecified, but spokespersons referred to it as "sophisticated" and all three labs stopped email and Internet services for several days.

Tuesday, July 5, 2011

Announcing the 2011 Russian Federation InfoSec Reference Book
This book is a collection of special reports prepared by my company on the information security framework, training, techniques, and procedures of the Russian Federation Federal Security Service (FSB), as well as key labs and elite universities. We also provide coverage on key provisions of the FSB law and how it may be interpreted. The information was acquired through open sources on the Russian Internet (Runet) over a period of 12 months. Analysis was conducted by Taia Global’s veteran intelligence analysts who’ve recently retired from the U.S. intelligence community. This book is the culmination of many hundreds of hours of work. It contains findings that will be of use to corporate executives and their boards, law enforcement, intelligence agencies, and the military. It is unique in the marketplace and has been priced accordingly.

The APT Logical Fallacy: More Harm Than Good

A preferred attack vector in 2011 is the precisely targeted spear phishing email which delivers a malicious payload to the victim's computer and soon compromises the company's network for the purpose of finding and extracting valuable intellectual property (IP). This attack vector has compromised numerous high-profile organizations in 2011, including EMC's RSA SecurID division (March), the International Monetary Fund (June), and Battelle Memorial Institute (July). McAfee's "Night Dragon" report identified 5 energy companies that were attacked in the same way. In fact, a July 1st report by Cisco [1] announced that spam is decreasing in favor of this attack vector because it's more efficient and the return on investment is greater for the actors who engage in it.

The problem arises when a decision is made by the company executives or government officials to label such an attack an "Advanced Persistent Threat". First, the name itself is an oxymoron if it's used to describe what happened. Once an attack occurs, you can't call it a "threat". Someone "acted" against you. They didn't "threaten" to act. And a spear phishing attack isn't "advanced". It's rather mundane, albeit effective. Granted, the payload may be advanced, but it doesn't have to be.

Saturday, July 2, 2011

Three U.S. National Labs Attacked on July 1: Same Mode As RSA

On July 1, 2011, Battelle Memorial Institute suffered a "sophisticated" attack against its network which also impacted Pacific Northwest National Lab and one other lab which wasn't named. Both PNNL and Battelle shut down their email servers and their Internet access as a precaution. As of 0200 03JUL2011, Battelle's website was still down ( while was functioning normally.

Friday, July 1, 2011

LulzSec Snitch Claims To Be TeaMp0isoN Member. Oops.

Mike Major Jr of Halethorpe, MD claims to be a greyhat hacker who "does whatever feels right at the time". Major and his friend m_nerva leaked LulzSec chatroom logs which have helped authorities identify some of LulzSec's key members. Major (aka hann) told his story to Bruce Goldfarb and, according to the article, claimed to be part of Team Poison (TeaMp0isoN), a hacker crew who attacked LulzSec for being nothing more than script kiddies. Major's comments in the article didn't ring true to me, particularly after I had read a June 25th article in The Independent which featured an interview with a disguised member of the TeaMp0isoN hacker crew named TriCk.

TriCk is a practicing Muslim who "don't (sic) fear MI5, the FBI, or the CIA." "I class them as thugs and criminals", said TriCk. "I only fear God." TriCk said that TeaMp0isoN had a total of 3 members who only knew each other online for the past 5 years. Last December, according to TriCk they dumped the web servers of the English Defence League and published its membership list and defaced the website of Indian politician Rahul Gandhi.