Monday, October 31, 2011

Cyber Profiteering: Profits Over Ethics

Profiteering is what happens when a business takes advantage of an emergency or a shortage to boost their prices. The Iraq war had its war profiteers like Haliburton/KBR and many others. The same thing is happening today during the "cyberwar" gold rush. Two recent examples are Gunter Ollman's article "Sinkholing for Profit" and Brian Krebs' article "Chasing APT: Persistance Pays Off". Krebs should have underscored the word "Pays" in the title because the article describes something akin to ambulance chasing. A cybersecurity firm Cyber ESI uses proprietary techniques (perhaps similar to what Ollman describes in his article) to identify corporate victims, then contacts them and tries to sell them remediation services at a high price. Unlike Krebs' article, Ollman didn't provide any names but thanks to Anonymous and the AntiSec movement, at least two companies' profiteering activities have come to light: Unveilance and Endgame Systems.

It's no secret that corporations and governments are overwhelmed, confused, and desperately looking for solutions that will allow them to defend themselves in cyberspace. That's a perfectly understandable state for them to be in. What isn't understandable, at least to me, is the behavior of some companies seeking to make a quick buck at the expense of the very people that they're purportedly trying to help. For example, I'll never understand how Symantec can sell services to protect their customers against IP theft from China while at the same time be profiting from a joint venture with Huawei, a Chinese company with clear ties to the Chinese government.

Profit with no ethics is what brought us to the point that we're at today; the Occupy movement being just the beginning. If things don't change in the "Cyber Industrial Complex"(CIC) soon, there will almost certainly be a backlash. Fortunately, this level of greed hasn't infected the entire industry. I personally know dozens of infosec companies that profit by putting their customer first; by providing a fair service at a fair price and getting paid for results. If CIC CEO's don't adopt an ethical pricing model and business practices on their own, then their customers should do it for them. C-level executives at victim corporations need to educate themselves about the realities of information security and network defense because cyber profiteers count on two things to win a customer: ignorance and fear. Becoming smarter about information security will save you money and improve your company's profitability instead of the other guy's.

Sunday, October 30, 2011

An Open Source Analysis of the Anonymous - Los Zetas Op

Defaced website of Mexican politician Gustavo Rosario
@YourAnonNews: Starting today #OpCartel begins. Heads up #Zetas!
In order to gauge the potential impact of Anonymous' threat against Los Zetas (or any target), you need to assess the size of the attack surface. The larger the online footprint of the target, the greater the potential impact of the attack. Stratfor's Oct 28 analysis underestimates the Cartel's digital footprint and ignores Mexicos' indigenous hacker population: "The online media frequently used to organize Anonymous-labeled activities are far removed from the violent world of Mexican criminal cartels. This distance — along with the likely physical distance of many Anonymous members from Mexico — could limit the activists’ understanding of cartel activities."

For my analysis, I've examined two data sets: the size of the South American hacker population and the use of online tools by the Zetas and other Mexican crime syndicates and cartels. The asymmetrical nature of cyber conflict doesn't require large numbers of Anonymous members to be involved to be effective but there are certain parameters that will impact the measure of success of their op; one - the number of Anonymous members who speak the language and know the terrain and two - whether the Zetas or their associates use social networks enough for them to be vulnerable.

Mexican Hackers
Assuming that some of Anonymous members are hackers rather than script kiddies, might be a good starting point. is a large, popular South American hacker forum that has doubled in size since Taia Global analysts first reviewed it in April 2010. It now has 4524 members of which 1351 are from Mexico, 1201 from Argentina, 461 from Peru, 443 from Spain, 227 from Columbia, and 219 from Venezuela. There hasn't been any mention yet of OpCartel in their public postings but with over 1300 members who self-identify as Mexican, even a ten percent participation rate could have a significant impact on the Zetas' organization.

Mexican Drug Gangs
The use of online tools by drug gangs has been escalating. YouTube has been a popular medium to generate fear and recruit new members for several years. Facebook and Twitter were added to their toolkit in April, 2010, when a drug gang shuttered the Mexican town of Cuernavaca by spreading threats of violence via social networks to anyone who broke their curfew. The streets of Cuernavaca stayed empty for the designated period. In August, 2011 Mexican drug gangs learned how useful social networks can be for targeting victims. Also last summer, the head of the Beltran Leyva gang hired a computer technician to assist him in becoming "virtual". The specific degree of the Zetas online presence isn't known but they're clearly building a digital fingerprint if the history of their peers is any indication; a fingerprint that could be uncovered and exploited by a group like Anonymous.

If Anonymous makes good on their threat to release information on the Zetas' businesses and associates on November 5, their rivals and hopefully law enforcement would almost certainly exploit that information to hurt the Zetas. More importantly, if the OpCartel movement attracts broad Mexican and South American support, it could be the beginning of a movement that would lead to the overthrow the drug cartel's power and influence in Mexico. The fact that Mexico is about to begin one of its most important holidays - Dia de los Muertos (the Day of the Dead) - is highly significant. The combination of religion and patriotism is a potent mix, and the Anonymous movement is riding on a wave of successes that connect social media to revolutionary change in the Middle East, North Africa, and the global Occupy movement. Why not Mexico as well?

UPDATE: As of late Sunday night (Oct 30th), Anonymous cancelled #OpCartel after weighing the risks that leaking information about the Zetas posed to its members. The following is a machine translation of the announcement:

In an interview with MILLENNIUM, two members of Anonymous, and Skill3r GlynissParoubek be contacted to explain the circumstances:
Why was decided to cancel the operation?
We can not be a reckless administrators to condemn to death those who participate, we have talked and discussed extensively by all and it was decided to remove it.
So why issue threats?
"It's very easy to make a video on behalf of Anonymous and launch air threats, but to think, plan and evaluate the pros and cons is another story," they said.
What's next?
"They continue other operations, but for now we hope to make clear that the cartel operation is false."
The Milenio article goes on to state that other Anonymous members like AnonymousSabu, the former head of LulzSec, who aren't part of Anonymous Mexico, will continue #OpCartel anyway.

UPDATE 2 (01 NOV 2011): The Global Voices blog features an excellent review of OpCartel including whether the alleged kidnapping of an Anonymous member was faked or not.

Friday, October 28, 2011

U.K. Man Arrested for his Facebook Postings

This is a dangerous precedent for a Western nation to set. One of the key differences between the West and states like the Russian Federation and the Peoples Republic of China is the right to free speech. I don't see how the British government can now complain about China or any other country's censorship or persecution practices after an outrageous act like this.

The article didn't mention if Facebook cooperated with the British government or was in any way involved. It would be interesting to know if they were.

Tuesday, October 25, 2011

Akamai: U.S. Ranks Third As World's Source Of Attack Traffic; China ranks 4th

Akamai just released its 2Q 2011 State of the Internet report. For those of you who think that China is the end-all and be-all of cyber attacks, you'll want to get a copy of this report right away. Akamai serves up to 30% of the world's Internet traffic with its Akamai Intelligent Platform; more than 604 million unique IP addresses from 238 countries and regions to be precise. In addition, Akamai runs a dark net of unadvertised honey pot systems. Since they aren't part of Akamai's production platform and aren't utilized in any way, any attempt to connect to those honeypots is interpreted as an attack. Here's the attack data from Akamai's latest report:

The geolocation of IP address isn't proof that any given nation's government is responsible for attacks emanating from servers on its soil, otherwise the Chinese government would be demanding that Secretary of State Clinton explain why the U.S. is generating so much attack traffic (instead of vice versa  which is equally wrong). What these statistics do suggest is that the U.S. government needs to start regulating the Internet Service Provider industry in this country. We have WAY too many bad ISPs operating on U.S. soil that are being used to conduct criminal acts around the world. Host Exploit's latest report shows that the U.S. hosts 5 of the 10 worst ISPs in the world, including the #1 position. 
Note that SoftLayer and The Planet are at the #11 and #12 positions. Both are located in Plano, TX whose Governor (Rick Perry) is hoping to be the Republican nominee for President. Perry has also been courting Huawei to open its North American headquarters in Texas. It seems to me like the Governor of Texas has a great opportunity to demonstrate that cybersecurity should become a priority for this country by making it a priority for the State of Texas first.

Sunday, October 23, 2011

Clausewitz and Cyber War

Thomas Rid's paper for The Journal of Strategic Studies has the provocative title "Cyber War Will Not Take Place". Rid's argument is relatively straightforward. He uses Clausewitz to define the three characteristics of war: "Any act of war has to have the potential to be lethal; it has to be instrumental; and it has to be political." To be instrumental, according to Rid, there has to be a means and an end. "Physical violence or the threat of force is the means. The end is to force the enemy to accept the offender’s will." Then he uses published sources to list examples of cyber war (thankfully he avoids using the more common and in my opinion erroneous term "cyberwar") and shows how none of those examples meet each of the three criteria. In brief, Professor Rid concludes that there has never been an act of cyber war and that there probably will never be one (his final sentence leaves room for an "act of Cassandra").

Personally, I'm not a fan of the term "cyberwar" as evidenced by a recent article that I wrote for Slate, however it is apparent to me as someone who specializes in nation state activities in this area and as the CEO of a company who's clients are on the receiving end of some of those activities, that traditional thinking about warfare has been made obsolete by our dependence upon cyber-space-time. The environment within which war is conducted has been permanently altered since Clausewitz' time. Sun Tzu would have been a better choice because he at least considers the superior option of winning a war without fighting. But even within the parameters that Professor Rid has established, here are three examples that fit the Clausewitz test of being lethal, instrumental and political:

  1. Kyrgyz Intelligence assassinates Gennady Pavlyuk. Kyrgyz intelligence cracked Pavlyuk's email account and used the information they obtained to lure him out of the country under false pretenses resulting in his murder.
  2. Mossad assassinates Mahmoud Al-Mabhouh. Israel's Mossad mounts an operation to assassinate Hamas leader Mahmoud Al-Mabhouh which includes infecting Al-Mabhouh's computer with a trojan horse virus. 
  3. Iran's IRGC arrests 30 dissidents after cracking U.S. hosted webservers. 

None of these are isolated incidents. The government of Iran continues to mine social networks to identify and arrest dissidents. Israel is one of the few nation states that openly admits to conducting cyber operations; some of which have lethal consequences. Pavlyuk's murder preceded the latest revolution in Kyrgyzstan by just a few months. And these are just the operations that we know about. There are many more examples that we'll never hear about but need to bear the probability of their existence in mind when weighing arguments by cyber skeptics like Martin Libicki, Marcus Ranum, Gary McGraw and Thomas Rid. Instead, I refer you to the "Classic of Weiqi in 13 chapters" (.pdf):
Ever since ancient times, no player has ever happened to place the pieces on the board in exactly the same way as he did during a preceding game. Therefore, reasoning must go deep and analysis must be perfect, and an attempt must be made to understand the processes that lead to victory and defeat: only in this way is it possible to attain that which is still unattained.
OECD's Cyber Report Misses Key Facts

Friday, October 21, 2011

My Top 5 Tips for "Cyber" Startups

1. Pick a hard problem and throw yourself into solving it. In 2005 I was inspired by the InfoSec Research Council's Hard Problems List (.pdf) while I was at Microsoft even though it had little to do with my actual job there. You need to find a problem that you can get passionate about or you'll never survive the difficult road ahead of you.

2. Start a blog about the problem that you've selected. Once I found what I thought would be a solution for one of the problems on that list, I presented it to Microsoft's Greenhouse. When they rejected it, I started a blog ( - no longer active) as a way of continuing my research and building a network of like-minded folks who were interested in the same sorts of things that I was.

3. Get Published. You don't have to write a book, although that's a great experience to have but you do need to create a body of work that can be reviewed and critiqued by your peers. Submitting papers for conferences is one of the best ways to do this. Go to as many conferences as a presenter as you can. That's key. Go as a presenter, not as an attendee. As a presenter, you'll get your expenses covered while meeting decision makers who may become customers, mentors, employees, or partners later on.

4. Build a Network. There's a reason why predators thrive in pack environments rather than on their own. You won't make it as a one-man show. In fact, if you've done the first three things on this list, you'll already have a collection of business cards and LinkedIn contacts for people who either want to help you or use you. You'll figure out which is which soon enough.

5. Find a Mentor. Or hopefully, more than one, to help get you past some of the hurdles you'll encounter in starting a new business. For example, I used to think that I could start a company which offered a product or service that the government needed and which no one else offered and I'd be in business! After a year of failing, it took a mentor to educate me about the fact that it takes a startup company 3 years on average to win its first government contract. I also used to think that I could go after an Army or Air Force SBIR grant and that my application would stand an equal chance at getting selected. After three rejections, it took a mentor to tell me that the Army already knows the company that it plans to award the SBIR grant to beforehand. Both of those experiences, among others, helped me understand that I don't want the government as a customer; that I should focus instead on providing a product or service needed by corporations.

These 5 things helped me leave Microsoft and start my own company (Taia Global, Inc.) with no money at the height of the financial crisis in 2009. It was and remains an arduous journey but it has been the best experience of my life and my company is doing better than ever. I'm confident that if you can find your passion in trying to solve some of the hard challenges that governments and companies face today, that you'll have the same end result that I've had - experiencing daily joy in building a company that makes a difference in peoples' lives. It doesn't get any better than that.

Wednesday, October 19, 2011

Et Tu, DuQu?

If Symantec and F-Secure are correct and DuQu was written by the same people who created Stuxnet, then that means that the U.S. government is behind it. But Idaho National Lab, who some people think created the Stuxnet virus and which hosts ICS-CERT's Security Operations Center didn't have a copy of the malware. They had to ask Symantec and McAfee to share their sample. The key question to ask in this puzzle is who has access to the Stuxnet source code? This post claims that Anonymous released the Stuxnet source code back in February however according to Mikko Hyponnen's latest post on DuQu that's not correct. Binaries were released into the wild but not the source code. Ralph Langner, who has done some of the best work on Stuxnet to date, has also told me privately that the source code has never been released. At best, some work has been done in reverse-engineering it. Knowing Ralph's singular focus on Stuxnet, if the source code was in the wild, he'd be the first person to grab a copy.

So if you believe the party line (which I don't) that the U.S. with the help of Israel created Stuxnet, then the U.S. is also the creator of DuQu. If we stay with that chain of reasoning, then as we learn more about DuQu and its use, an entirely different conclusion may be reached which points to an actor other than the U.S. DuQu was apparently involved in stealing information from an ICS manufacturer. Why would the U.S. use the Stuxnet source code to create a RAT to steal information from Industrial Control System (ICS) manufacturers? It already has access to most of the corporations who develop these systems through the National SCADA Testbed Project run by 3 U.S. national labs, including INL. At least one Command & Control server was hosted in India. Why would the U.S. pick India and not China, our favorite cyber adversary?

It's too early to know what DuQu is for, and no one knows where it came from, but facts are facts. The source code for Stuxnet isn't available in the wild, and if the same group is responsible for both pieces of malware, and you believe that the U.S. is behind Stuxnet, then you need to own the logical conclusion of that belief. If the facts around DuQu, now or in the future, point away from the U.S. then you need to re-consider whether the U.S. was ever involved in Stuxnet at all. After all, take a look at the part of the world that McAfee has identified as being DuQu's target area.

There are lots of nation states for whom this part of the world has significant appeal and who would benefit from a sophisticated info-stealing virus; in some cases much more than the U.S.

Tuesday, October 18, 2011

Britain Has Already Lost A Future Cyberwar

Britain's Foreign Secretary William Hague decided it was a good idea to announce in The Sun that Britain 1) will strike first against an adversary planning to attack Britain and 2) doesn't have the money to adequately defend itself from a future act of cyber warfare.  He also said that he couldn't guarantee the safety of Britain's critical infrastructure "including water works, power plants, and air traffic control systems". For some reason Secretary Hague thought these pronouncements would be a good idea in light of an upcoming conference that he's hosting in London on Nov 1-2.

I haven't been invited to participate in that conference but if I were, here's the guidance that I'd provide to the Foreign Secretary - in brief:

Two Things You Don't Want To Do:
1. Don't threaten retaliation or preemption when you have no way of knowing who the attacker is. It gives away the fact that you don't have a clue about the environment which means that in any given war in that environment - you lose.
2. Don't acknowledge that you can't afford to defend your networks; even if it's true. It makes you a more attractive target and reveals a key vulnerability that's sure to be exploited.

Two Things You Do Want To Do:
1. Stop spending your limited funds on offensive cyber weapons and spend it on resilience.
2. Buy back your critical infrastructure from the foreign companies who currently own it; especially the Chinese. You can't defend what you don't own.

I have a few friends in Britian's intelligence community so I don't mean for this post to sound snarky or cruel. The fact is that you have some serious internal conflicts in your government and Ministry of Defense about how to allocate resources and identify threats in cyber-space-time. If you're seriously looking to defend Britain from a future act of cyber-war, please take my above guidance to heart.

Why the U.S. Will Lose A War In Cyberspace

Monday, October 17, 2011

Venture Opportunities in Cybersecurity - Repairing a Broken InfoSec Model

I'm really looking forward to acting as moderator for the MIT/Stanford Venture Lab - "Cybersecurity - Protecting Against The Unseen Enemy" - to be held at Stanford University on the evening of November 15, 2011. Here's a brief description from the website:
As the cyberspace grows beyond the personal computer to mobile devices, sensors, cloud applications, networked-devices, where are the opportunities and what are the next generation of cyber security start-ups doing to protect our data and systems?  Meet the brilliant entrepreneurs ushering in a new era of digital security.  
The old model of providing cybersecurity to both corporations and governments is broken and has been for a long time. Big InfoSec is struggling to not only provide protection that works but to be agile and responsive to the critical needs of their customers who may soon find themselves having to comply with SEC regulations on reporting network breaches and the risk of those breaches occurring. There's a huge opportunity for new ventures built upon new business models and I'm hopeful that this VLab will spawn some exciting outside-the-box innovations in that area. 

Thoughts on the SEC's New Guidance on Reporting Cyber Risk

The new guidance by the Security and Exchange Commission (SEC)'s Division of Corporation Finance (CF) is a very well-written and welcome development in the world of corporate cyber-security. Although these are not rules nor regulations, the CF has published them to "provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances."

One of the key take-aways for me is that it's not just about reporting a breach although that's obviously a part of it. Companies also need to assess and report the risk of a breach occurring. Here's the exact language:
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.[2] Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.[3] Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
This obviously doesn't apply to all companies; only the ones who are in high risk sectors or perhaps ones that have already been the victim of a major breach or repeated breaches (i.e., RSA, Lockheed Martin, Sony). Again quoting from the SEC document under "Risk Factors":
In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.
The existing regulations on reporting risk are contained in Regulation S-K, Item 503 (c) "Prospectus Summary, Risk Factors, and Ratio of Earnings to Fixed Charges". Basically, you need to discuss what makes investment in the offering speculative or risky. For example:
  • Your lack of an operating history;
  • Your lack of profitable operations in recent periods;
  • Your financial position;
  • Your business or proposed business; or
  • The lack of a market for your common equity securities or securities convertible into or exercisable for common equity securities.
Some of the factors spelled out in the SEC brief which could trigger the reporting of cyber risks for registrants include:
  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; 
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences; 
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.
While there's a lot more work ahead before this guidance becomes anything more than voluntary, it's an important first step. C-suite executies who want to stay ahead of the regulatory curve should be paying attention to this announcement.

Friday, October 14, 2011

Huawei's Chairwoman Worked For Chinese Intelligence Before Joining Huawei

Much has been made of the fact that Ren Zhengfei, Huawei's founder and CEO used to work as an engineer in the Peoples Liberation Army before he founded Huawei in 1988. However, lots of CEOs around the world are military veterans including me. What's much more significant is the little-known fact that Huawei's Chairwoman Sun Yafang used to work for China's equivalent of the CIA; known as the Ministry of State Security (MSS). The MSS was formed in 1983, about 4 years before Ren founded Huawei (1987). According to the U.S. China Business Council:
MSS conducts covert intelligence gathering operations overseas. It has established intelligence agencies in more than 170 cities and in nearly 50 countries and regions all over the world. These agencies are classified as general branches, branches, and sub-branches. MSS aggressively targets the United States, placing particular emphasis on California's high-tech sector. Cover for Beijing's espionage in the United States includes the 1,500 Chinese diplomats operating out of 70 offices, 15,000 Chinese students who arrive in the United States each year, and 10,000 Chinese who travel in some 2,700 visiting delegations each year.
The Federation of American Scientists (FAS) has a much more detailed description of its history and operations here.

Madame Sun's past with the MSS was first disclosed by a Financial Times article last April. Her Huawei biography neglects to mention that key affiliation, however it is commonly reported in many places on the Chinese Internet. One place in particular is the alumni page for her alma mater; at least it did until just recently when it was mysteriously corrected. Here is a table showing the original time line which included her tenure at MSS and the new "corrected" timeline.
The redaction occurred shortly after I posted two back-to-back articles about Huawei's questionable employee stock loans. Apart from the alumni website, similar information about Madame Sun's time at the MSS also appears in Baidu's version of Wikipedia. Considering how difficult a time Huawei is having convincing the U.S. government that it's just another technology company, I would think that the company would respond by releasing a verifiable resume of their Chairwoman which would end this controversy once and for all; similar to what President Obama did to resolve questions about his birth certificate.

UPDATE: I just learned about the Washington Times article of Oct 11, 2011: "Chinese telecom firm tied to spy ministry", which reports on essentially the same facts mentioned here (sans the attempted cover-up). Bill Gertz references an Oct 5 report by the Open Source Center: “Huawei Annual Report Details Directors, Supervisory Board for First Time,”

UPDATE (12 Oct 2012): Here's an archived copy of the web page that mentions Madame Sun's time with the MSS.

Thursday, October 13, 2011

U.S. Air Force Demonstrates How NOT to Report a Malware Attack

I just ended a phone call with Air Force Space Command Public Affairs after reading their press release "Flying operations of remotely piloted aircraft unaffected by malware". I figured that since the malware was "found routinely on computer networks and is considered more of a nuisance than an operational threat" that there would be no problem in telling me the name of the malware involved.

That didn't happen, which is too bad because the press release has some confusing language in it and conflicts with unnamed Air Force sources quoted in the two earlier Wired articles (here and here). For example, the release makes a distinction between a "credential stealer" and a "keylogger". Well, that's a distinction without a difference. What we're really talking about is a trojan that steals credentials by logging key strokes. Zeus and SpyEye are two of the largest but there are lots of trojans out there. Here's one I found on a game forum: "Trojan.KillAV.RS Steals Gamers’ Login Credentials". The other important fact to know about trojans or "credential stealers" as the Air Force likes to call them, is that they transmit their stolen credentials out to a Command & Control site. The Air Force PR statement said that their particular credential stealer wasn't designed to transmit data or video. Video? No. Data? Absolutely. That's the entire point of the malware - to capture data and send it back to the C&C.

I think that what happened here is that the Air Force is focusing on what the malware isn't instead of what it is. It's not designed to take over the controls of a remotely piloted aircraft. It is, however, designed to steal data. If the Air Force wants to put this to bed and stop the speculation, here are two tips for future briefings:
  1. Have an engineer from the 24th Air Force write the press release so that the language is precise and accurate.
  2. Name the malware.
The only thing that your current press release did was raise more questions.

Wednesday, October 12, 2011

Here are the Facts about Huawei and the Chinese Government

Yesterday Huawei was blocked by the U.S. Government from participating as an equipment supplier for the Public Safety 700-MHz Demonstration Network, which is a first responders communications network that's part of the Commerce Department. Huawei VP William Plummer wants to know why. According to Plummer:
“Huawei has repeatedly and factually demonstrated its corporate independence,” Plummer said. “No one has ever factually demonstrated otherwise and playing Huawei as a pawn in some geopolitical game of chess is doing nothing more than threatening U.S. jobs, investment, competition and innovation.”
Well, that's not really true. Here are the facts regarding Huawei's affiliation with the Chinese government and why the U.S. as well as other nation states should be cautious about acquiring Huawei equipment.

  1. The company's founder Ren Zhengfei was an engineer in the PLA prior to forming his company.
  2. The company's chairwoman Sun Yafang worked for the Ministry of State Security and while there helped arrange loans for Huawei before joining the company as an employee.
  3. The government of China is Huawei's biggest customer; specifically the State-owned telecommunications services. 
  4. Huawei equipment is used to intercept communications in China for state-mandated monitoring.
So to recap, Huawei is considered a national champion telecommunications firm in a nation that monitors all telecommunications networks and engages in cyber-espionage activities using, at least in part, Huawei equipment. The company's Chairwoman used to work for the MSS, China's foreign intelligence service and its founder started the company after serving in the PLA. Those are the facts, and they should be sufficient to justify denying Huawei access to the U.S. market as well as shame U.S. companies like Symantec who have partnered with them.

I'm happy to debate these facts with any representative from Huawei in any venue at any time. My contact information is at my company website.

Tuesday, October 11, 2011

U.S. Defense Dept.'s Organizational Chart for Cyber Operations

In light of today's article about how Creech AFB failed to report its virus attack to the 24th Air Force, I thought it might be helpful to see exactly how DoD has structured its cyber operations. The above graphic is best viewed as a Prezi.

Organizations with responsibility in this case could have included USSTRATCOM which directs DOD's Global Information Grid's operations and defense, USCYBERCOM which is a dual-hatted command with the NSA who has direct responsibility for protecting the .MIL domains. And then there's the 24th Air Force which is responsible for the Air Force Enterprise Network GIG and three Wings which report to it.

24th Air Force
  • Plans and conducts cyberspace operations in support of combatant commands.
  • Maintains and defends the Air Force Enterprise Network GIG.
67th Network Warfare Wing
  • Organizes, trains, and equips cyberspace forces to conduct network defense, attack, and exploitation.
  • Executes air force network operations, training, tactics, and management for the 24th Air Force and combatant commands.
688th Information Operations Wing
  • Aims to deliver proven IO and engineering infrastructure capabilities integrated across air, space, and cyberspace domains.
689th Combat Communications Wing
  • Trains, deploys and delivers expeditionary and specialized communications, air traffic control, and landing systems for Humanitarian Relief Operations and dominant combat operations.
  • Conducts tactical operations in austere, deployed, and joint/coalition environments.
We prepared the above graphic along with a full explanation of DOD's Cyber Operations with the help of the U.S. Government Accountability Office for use in the 2nd edition of my book Inside Cyber Warfare: Mapping the Cyber Underworld (O'Reilly Media) when it's published later this year or early 2012.

    Monday, October 10, 2011

    Cybersecurity Issues with Predators, Reapers, and Unmanned Aerial Systems

    Creech Air Force Base UAV hangars
    According to Wired, Creech Air Force Base has been struggling to clean its Reaper and Predator Ground Control Stations (GCS) of a persistent virus of unknown origin; perhaps something like TDL-4 which loads before the operating system, right at the beginning of the computer's boot-up sequence. This type of virus is almost impossible to get rid of. Whether its TDL-4 or something with similar behaviors, I spent the last few days researching Unmanned Aerial Systems (UAVs plus their ground control stations) and there are a few serious cybersecurity issues besides the 2009 unencrypted video feed controversy and the one Noah Shachtman reported about last Friday. Before we get to those, I think it's important to note that while there are only a few countries (U.S., Israel, Britain, France) who are using drones operationally in Afghanistan, there are over 50 who have built or bought them. I wouldn't be surprised to see this technology near the top of someone's list for targeted cyber-espionage.

    Unencrypted mission control data feeds
    On 20 Dec 2009, shortly after the news broke about unencrypted Predator video feeds, a security engineer using the alias "kingcope" posted an article to the Full Disclosure list entitled "Reading Mission Control Data Out Of Predator Drone Video Feeds". He pointed out that not only was the line of sight transmission unencrypted, but so was the Ku-Band satellite transmission which extends the range of interception far beyond just line-of-sight and that if the MPEG stream wasn't encrypted, then the metadata inside the stream was probably being transmitted in the clear as well. Both the mission control data and the video stream data are part of the MPEG stream and could be read using a free tool called LEADTOOLS.

    According to the Air Force, they've known about the unencrypted video feeds for over 10 years, and that it'll be 2014 before that vulnerability is fixed. Presumably that'll include the unencrypted mission control data feed as well.

    Internet Access
    There shouldn't be any connection between the UAS network and public-facing Internet however at least one GCS that I looked at did utilize an Internet connection as part of its architecture: the Network Centric Ground System.

    I assume that the above network architecture was not deployed at Creech AFB since the GCS stations would be handling classified data however it would be worth a look at how Creech AFB has connected its Ground Control Stations to the Global Information Grid. The volume of data handled is growing at an extremely rapid pace as are the number of analysts who are viewing it according to the New York Times. With the deployment of "Gorgon Stare", an incredible 1.8 gigapixel camera offering 12 simultaneous views of the target environment, the UAV firehouse must be more massive than ever. Whatever has infected the Creech GCSs could theoretically spread beyond Creech AFB via the GIG. Let's assume that the point of entry was one of the portable hard drives used to load map updates and transport mission videos. Once in the network, its infection path could include printer servers and other shared resources regardless of geography. In other words, other Air Force bases who are conducting analysis on this data may be exposed to the same virus that the Creech technicians are struggling with.  This could include Britain's Royal Air Force whose 39 Squadron use Creech AFB as ground control for their own fleet of UAVs. I assume that the Brits are conducting their own analysis of the video feeds which would stream from Creech's GCS, thus providing a means for the virus to possibly infect British networks.

    Why Kaspersky?
    One of the nagging questions that I had after reading Noah's article was why would the Creech AFB technicians go to Kaspersky? DISA's Host-Based Security System website references McAfee as a supporting vendor, not Kaspersky. One of my Twitter followers suggested that they might be dealing with TDL-4, a particularly nasty TDSS variant that was originally detected by Kaspersky and which they've dubbed the "most sophisticated threat today". That might explain why the technicians turned felt they needed to visit the Russian company's site even though no one has a patch for this; not even Kaspersky. Based upon its description and functionality, a TLD-4 infection would be a worst-case scenario for the U.S. Air Force because it means that their data is being exfiltrated to cybercriminals in a way that's extremely hard to detect:
    TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
    If it is TDL-4, no one has a way to remove it short of shit-canning the old hard drives and buying new ones. And speaking frankly, the Air Force appears to me to be a bit too relaxed about its vulnerabilities in cyberspace. It let its UAS data stream remain unencrypted for over 10 years because someone thought the enemy was too unsophisticated to know how to read it. Someone else apparently thought it was OK to make an exception on its removable media rule for UAV data transfer. And as far as its public response to this breaking story goes, a standard CYA response like the one Lt. Col. Tadd Sholtis gave - "We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover" - is pretty meaningless in light of past events. Then there's the remarks of an unidentified senior Air Force official for Fox News who claimed that Wired's entire story was over-blown:
    "The planes were never in any jeopardy of 'going stupid'," the source said, and the virus "is not affecting operations in any way ... it showed up on a Microsoft-based Windows system. We have a closed-loop system and heavily protected cockpits -- the planes were never in jeopardy."
    I have no idea who this un-named source is or what article he thinks he read but it wasn't the article in Wired. There's not a single mention of planes being in jeopardy or "going stupid" in Noah Shachtman's article. If he can't get his facts straight about what the article said, why should anyone believe his assessment of the malware? Having met and spoken with many USAF officers involved in cyber including some General officers, I know that the Air Force is capable of better cybersecurity management. Hopefully this breach will spur some positive changes before any more damage is done.

    Tuesday, October 4, 2011

    CFIUS Should Deny Acquisition Of Yahoo By Alibaba and DST

    Yahoo may be fielding an acquisition offer by China's Alibaba Group, which is flush with new cash from Russian investment company DST Global. This isn't necessarily because Yahoo is such a wonderful asset. Microsoft raided the only thing valuable about the company a few years ago - its search engineers. Yahoo holds value for Alibaba because Yahoo owns a part of the Chinese company and Alibaba Group Chairman and CEO Jack Ma wants those shares back according to analyst Muzhi Li (Mizuho Securities). Still, this is an interesting problem from a national security perspective. Lots of U.S. federal and state government employees use free email services like Yahoo (ex-Governor Sara Palin being the most visible), as do government officials from other countries such as India. Foreign ownership of Yahoo, particularly where China and Russia are involved, makes access to those email accounts a national security matter for the U.S.

    I've already documented DST-Global's many links to the Russian government. When it comes to Chinese companies, certain rules apply; the most important one being that a company must "stay within the good graces of Beijing to retain its permissions to do business". In general, here's the situation for Chinese IT companies according to Taia Global's China experts:
    All Chinese IT companies are required to comply with Internet regulations and will provide user information on demand by the Chinese government.  The regulatory framework is designed for self regulation and censorship by Internet service providers and subscribers, rather than government monitoring on a daily basis.  While this collaborative arrangement may work generally and many Western analysts take this design at face value, Taia Global's analysts believe that the Chinese government still retains its own formidable monitoring capability in addition to cooperation from providers.  In this framework, national security and social stability are paramount, and the Ministry of Public Security and local Public Security Bureaus have the authority to investigate and enforce laws.  Other responsible government entities are:  the Ministry of Industry and Information Technology; the State Council Information Office; The State Administration of Radio, Film, and Television; and the General Administration of Press and Publications, Ministry of Commerce. 
    So while apologists for Chinese companies like to argue that they are just another employee-owned company engaging in the global free market, the reality is more complex than that. CFIUS should take note and act to stop any foreign acquisition of Yahoo; particularly one involving Chinese and Russian companies.

    Monday, October 3, 2011

    DST Global's Connections to the Russian Government

    I've created a Prezi which depicts the many connections between the principals of DST Global and the Russian government. The Prezi graphical user interface allows you to zoom in to each of the connections. Sources and a description follow:

    Yuri Milner
    Milner currently serves the Russian government directly through several affiliations. He serves on the Presidential commission for the modernization and technological development of the Russian economy, a body on which Vladislav Surkov is deputy chairman. The commission is chaired by President Medvedev, and Sergey Sobyanin, who is Chief of Government Staff and Deputy Prime Minister, also serves as deputy chairman. [1]

    Sunday, October 2, 2011

    Questions about Yuri Milner, the KGB, and the Influence of Foreign Governments

    Yuri Milner during a session of the Presidential commission
     on Modernisation of Russian Economy held in MISIS* 
    As discussed at the recent Suits and Spooks conference, social networks are contributing to revolutionary changes taking place worldwide and as a result they've become an indispensable platform for offensive operations as well as intelligence collection. One of the world's most sophisticated investors in social meda is Yuri Milner. As co-founder and CEO of DST Global (formerly known as Digital Sky Technologies), he leads a multi-national social media investment powerhouse staffed by many ex-Goldman Sachs employees and fueled with investment by Tencent (China) and Naspers (South Africa). Combined, these three companies have significant ownership interest in some of the largest online properties in the world including Facebook, Twitter, GroupOn, Zynga, Riot Games, Astrum Online Entertainment,, QQ, ICQ, Ibibo, Alibaba, and many more.