Thursday, December 29, 2011

An Open Letter to George Friedman and Stratfor

29 Dec 2011

Mr. George Friedman,

As one of Stratfor's Free Intelligence Report subscribers, I received an e-mail message from you expressing your "deep regret (that) an unauthorized party illegally obtained and disclosed personally identifiable information and related credit card data of some of our paying subscribers." Your email went on to request feedback from me and your other subscribers about "this situation". Here's my response.

You clearly want to restore confidence among your customers and potential customers after a breach occurs. Your email was unsuccessful in doing that for two main reasons:

  1. You failed to address why your customer credit card numbers weren't encrypted. This is probably the most serious aspect of your breach.
  2. You failed to disclose how the breach occurred. Anonymous is known for discovering simple website vulnerabilities and exploiting them. I'm guessing that that was the case for you, which means that there's an issue with your own risk assessment capabilities.

Instead of addressing these two critical challenges to your competence as a web-based business and provider of intelligence analysis, you've chosen to offer me one year of consumer identity protection services and pledged to continue sending me your free Security and Geopolitical weekly reports (which I've been unable to get you to stop sending me for well over a year). I hope that you can now see how ludicrous your attempt to restore my confidence is and instead will make a more sincere effort to 1) acknowledge what you did wrong, 2) apologize for it, and 3) tell me what you're going to do differently so that it won't happen again.


Jeffrey Carr
CEO, Taia Global, Inc.
Author, "Inside Cyber Warfare" (O'Reilly Media 2009. 2011)

Tuesday, December 27, 2011

What's New in the 2nd Edition of Inside Cyber Warfare (O'Reilly Media 2011)

I've added 5 new chapters to the 2nd edition of my book Inside Cyber Warfare: Mapping the Cyber Underworld (O'Reilly Media 2011) which comes out on December 28, 2011. Here is a top-level Table of Contents for those new chapters.

Chapter 14: Conducting Operations in the Cyber-Space-Time Continuum
- Anarchist Clusters: Anonymous, LulzSec, and the Anti-Security Movement
- Social Networks: The Geopolitical Strategy of Russian Investment in Social Media
- Globalization: How Huawei Bypassed U.S. Monitoring by Partnering with Symantec

Chapter 15: The Russian Federation - Information Warfare Framework
- The Russian Information Security State
- Russian Ministry of Defense
- Internal Security Services: FSB, MVD, FSO
- Ministry of Communications and Mass Communications

Chapter 16: Cyber Warfare Capabilities by Nation State

Chapter 17: U.S. Dept of Defense Cyber Command and Organizational Structure

Chapter 18: Active Defense for Cyber: A Legal Framework for Covert Countermeasures

I hope you enjoy the new edition. Shoot me an email if you'd like a signed copy. If there's enough interest, I'll set up a book signing somewhere in Washington DC. 

Wednesday, December 21, 2011

Why I Oppose The 12 Chinese Hacker Groups Claim

The claim that I'm referring to was reported by Associated Press to a variety of news outlets and essentially stated that "as few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts."

My view is that this claim is bullshit. Here's why:

ONE. It's self-serving. The cybersecurity analysts and experts quoted in the article from Mandiant and Dell SecureWorks have 1) a vested interest in painting China as the bad guy since the bulk of their marketing is APT-centric (APT being a code word for China) and 2) SecureWorks has a less than stellar track record in analysis (Stuxnet and Duqu 2011) and attribution (Kyrgyrzstan 2009) - they've made highly questionable claims in both cases.

TWO. The 12 hacker groups have not been named which prevents independent analysis being performed by individuals who don't have a vested interest in the outcome.

THREE. There's been no proven reliable way to assign attribution. Digital DNA is a marketing ploy, not a fact.

FOUR. It conflicts with our own research on State and non-State actors involved in cyber espionage.

FIVE. It conflicts with our confidential work in incident response and protection for Taia Global clients including members of the Defense Industrial Base.

SIX. It lacks rigor. For example, I highly doubt that either Mandiant or Dell SecureWorks applied negative analysis to their findings before making their claims (i.e., looked for reasons why their findings could be wrong - a standard analytic technique).

The companies behind this claim should make their case publicly and present their evidence for peer review or not make it at all. This type of sensationalist reporting, besides trolling for government contracts, feeds anti-China paranoia while minimizing the role of many other State actors engaging in the same activity as China. Senators and Congressmen unfortunately don't have enough knowledge about cybersecurity to discern truth from fiction so what starts off as highly questionable analysis soon becomes terrible U.S. government policies; especially when it is advocating for permission for civilian U.S. companies to counterattack a specific nation's network. There has never been a worse idea in the history of bad ideas than that one.

Monday, December 19, 2011

Symantec Still Selling Huawei Equipment - to the Dept of Defense

A November 17, 2011 article in Channelnomics states that "Symantec may have ended its experiment as a hardware manufacturer by selling its stake in its joint venture with Huawei Technologies, but Big Yellow remains committed to developing appliance-based backup solutions and will continue to contract with Huawei and Huawei Symantec as a hardware supplier (emphasis added). In a letter to partners, North America channel chief Randy Cochran says the contract manufacturing relationship between Symantec and Huawei will remain unaffected, as will Symantec’s commitment to marketing and developing appliance-based solutions."

So one of the world's largest security companies continues to partner with the very Chinese company that most of Symantec's customers are buying their systems to protect against. That displays a level of hypocrisy that I have no tolerance for.

Even worse, as General James Cartwright and others in the U.S. government rail against China, the Department of Defense, Boeing, Lockheed Martin and CSC are all buying Huawei Symantec hardware according to one Huawei Symantec channel partner that I spoke with privately. If Rep. Rogers makes good on his promise to hold hearings on Huawei and ZTE, I hope that he investigates who in the U.S. government and the Defense Industrial Base are buying Huawei Symantec products, which are all made by Huawei in China.

The Use of Covert Cyber Counter Strikes as Active Defense (and other topics) at Suits and Spooks DC

Waterview Conference Center,  Rosslyn VA
Can the U.S. legally engage in covert cyber counter strikes as a form of active defense against hostile actions by non-state actors in Russia, China or elsewhere? That's one of the forward-looking talks being given at Suits and Spooks DC by Professor Catherine Lotrionte of Georgetown University.

Are tamper-proof chips really tamper proof? Can firmware be extracted from the locked chips such as those used on the captured RQ-170? Travis Goodspeed will show how it can be done on the cheap.

Can a privately funded spy satellite system be used to secure evidence targeting criminal behavior by governments or their officials? Thanks to the work of the Enough Project organization, we know the answer to that question is yes. Jonathan Huston will explain how they did it.

And that's just 3 of our talks. In addition to Catherine, Travis, and Jonathan, Suits and Spooks attendees will interact with:
  • Don O'Donnell - Rand Corporation
  • Rand Waltzman amd Randy Garrett - DARPA
  • Dan Geer - In-Q-Tel
  • Anup Ghosh - Invincea
Then from outside of the InfoSec space, reflecting our multi-disciplinary approach, we'll hear talks from:
  • Christopher Burgess - Atigeo
  • Ben Milne - Dwolla
  • Janina Gavankar - Posterous Spaces for Actors
  • John Robb - author, Brave New War
  • Jodee Rich - CEO, PeopleBrowsr
Every attendee will have an opportunity to ask questions and interact with the speakers in an elegant setting overlooking the Potomac river and the Capital. The entire day will be focused on brain-storming new security solutions that we hope will give birth to a revolution in security affairs. Real-time analysis on a Palantir workspace will be flashed onto a screen behind the speakers and a final report will be issued afterwards to members of Congress and interested agencies.

Pricing includes breakfast, lunch, and a wine reception afterwards:
  • Students and academics: $195
  • Gov't employees: $295
  • Early bird registration: $395
  • Standard registration: $495
The early bird registration ends January 6, 2012 and we are capping attendance at no more than 100 individuals, including speakers so reserve your seat today.

Sunday, December 18, 2011

Just How Vulnerable To Attack Are U.S. Drone Operations?

GAO Reports Ongoing U.S. Air Force Vulnerabilities 

The alleged downing of an RQ-170 by Iran has raised a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture.  On Saturday another FOUO document appeared on regarding Afghan drone operations by the US Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports that delineate numerous problems with Unmanned Aerial Systems over the past few years. Some as far back as 2008. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruptions at the satellite relay site would impair the operation of the aircraft. While the Air Force has told that GAO that they're working on implementing a redundant system to solve this problem, as of March, 2010 they "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant Satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):
  • GAO, Defense Critical Infrastructure: DOD’s Evolving Assurance Program Has Made Progress but Leaves Critical Space, Intelligence, and Global Communications Assets at Risk, GAO-08-828NI (Washington, D.C.: Aug. 22, 2008)
  • GAO, Defense Critical Infrastructure: Additional Air Force Actions Needed at Creech Air Force Base to Ensure Protection and Continuity of UAS Operations, GAO-08-469RNI (Washington, D.C.: Apr. 23, 2008)
Cyber Attacks Against Unmanned Aerial System Producers and Developers
The above table of U.S. UAS Producers and Developers comes from the Department of Commerce' Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: BoeingLockheed MartinNorthrup Grumman, and Raytheon. Most likely all 11 of these companies as members of the Defense Industrial Base would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mistsubishi Heavy and Kawasaki Heavy, both of whom were hit with simultaneous cyber attacks last summer and both of whom regularly engage with U.S. defense contractors on various projects such as Boeing.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009 when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their network but considering the value of this technology and the rapidly growing demand for drone aircraft world-wide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an indepth vulnerability assessment of both U.S. intellectual property and operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing - Mitsubishi, Lockheed Martin-BAE, Insitu-ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries is capable of compromising U.S. drone operations. 

Thursday, December 15, 2011

Iran to put 3 U.S. Drones and 4 Israeli Drones on Public Display

Iranian cartoon (FARS)
Here's some disconcerting news from an Israeli news source. FARS has reported that the government of Iran possesses not one but 3 U.S. drones and 4 Israeli drones - all of which will be put on display and open to foreign ambassadors for inspection. The same article reports that an Iranian government official has traveled to Moscow to discuss Russia's request to examine the RQ-170. If Russia gets permission, China's next.

FARS has also been busy running its own Information Operations campaign mocking the U.S. and President Obama for asking Iran to return the drone. I'm not sure who in the White House thought that was a good idea but he needs to be fired.

Wednesday, December 14, 2011

U.S. Air Force Study Reports Vulnerabilities in Drone C2 Systems

US Air Force Scientific Advisory Board graphic
Interesting timing. At some point after Iran captured a sophisticated RQ-170 RPA (Remotely Piloted Aircraft - UAV is a misnomer), the Public Intelligence website received an FOUO report entitled "Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare" published in April 2011 by the U.S. Air Force Scientific Advisory Board. One of the many issues that the panel was asked to investigate was electronic threats. Its related finding - "Limited communications systems result in communications latency, link vulnerabilities, and lost-link events."

Section 2.4.3 "Threat to Communication Links" expands on the state of vulnerabilities present for RPAs:

  1. Jamming of commercial satellite communications (SATCOM) links is a widely available technology. It can provide an effective tool for adversaries against data links or as a way for command and control (C2) denial.
  2. Operational needs may require the use of unencrypted data links to provide broadcast services to ground troops without security clearances. Eavesdropping on these links is a known exploit that is available to adversaries for extremely low cost.
  3. Spoofing or hijacking links can lead to damaging missions, or even to platform loss.

Section 2.4.4 "Threat to Position, Navigation, and Guidance":

  1. Small, simple GPS noise jammers can be easily constructed and employed by an unsophisticated adversary and would be effective over a limited RPA operating area.
  2. GPS repeaters are also available for corrupting navigation capabilities of RPAs.
  3. Cyber threats represent a major challenge for future RPA operations. Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.
These are just a few of the key findings that impact the mission of RPAs. With this report as background, the capture of the RQ-170 by Iranian forces needs to be evaluated fairly and not dismissed as some kind of Iranian scam for reasons that have more to do with embarrassment than a rational assessment of the facts. Remotely Piloted Aircraft are the future of Air combat, not just for the U.S. but for every military force in the world. Theft of this technology via cyber attacks against the companies doing R&D and manufacture of the aircraft is ongoing. Whether or not the Iranians got lucky or have acquired the ability to attack the C2 of the drone in question, there's obviously some serious errors in judgment being made at very high levels and secrecy about it is only serving the ones guilty of making those bad decisions.

UPDATE (1453 PST 14DEC11): I just confirmed with the Public Intelligence website that the Air Force document was provided to their site about one week ago which would make it the day after the news on the downed RQ-170 was announced. Clearly someone with FOUO access wanted this information to be made public to inform the controversy surrounding the incident.

Loss of the RQ-170. What Happens Next?
Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran
How Iran May Have Captured an RQ-170 Stealth Drone
Was Iran's Downing of the RQ-170 Related to the Malware Infection at Creech AFB?

Monday, December 12, 2011

My Expensive "Expert" Advise for the U.K. Government On Cyber Warfare

I was going to name this post 'My Free 'Expert' Advice ..." but we all know that free advice is ignored so once I hit the 'publish' key on this blog, I'll send an invoice to 10 Downing Street requesting payment. I'll make sure that the invoice is in 7 figures since they're obviously quite willing to throw extravagant amounts of money at companies with the word "expert" in their marketing materials (hence my use of the word "expert" in the title).

The reality is that there are no experts in this field. I wrote a well-received book on the subject, have spoken at dozens of conferences, had papers published, regularly consult for U.S. and foreign government agencies, and have engaged in incident response for very large corporations and I don't call myself an expert. In fact, authentic experts never bestow themselves with that title. If its used at all, it's given to them by others who have experienced their work first-hand. I know many people who I would call experts in different fields but none in the area of cyber warfare. The field is too new, too undefined and we're all still finding our way.

The British government appears to have bought into the marketing materials of prime contractors like Lockheed Martin, BAE, Ratheon, General Dynamics, RSA, McAfee, Mantech and who knows who else. Big mistake. They not only cannot protect the British government, they've been unable to protect the U.S. government. The director of the NSA along with the director of DARPA have both admitted that the current security framework we use is broken. Who implements that framework? Prime contractors like the ones I mentioned above and their sub-contractors with some help by government employees.

So here's my "expensive expert advise" for whoever is in charge of the British government's purse strings:

  1. You can't keep China, Russia, France, or any other State out of your network. They're already there and they aren't leaving.
  2. You can't secure what you don't own so if you want to secure your power grid, buy it back from the Chinese company that owns it.
  3. If anyone tells you that they can do 1 or 2 above, grab your checkbook and run the other way.
  4. While you can't keep bad guys out, you can raise the cost to mount a successful attack. Or - you don't have to out run the bear, you just have to out-run the other countries who are being chased by that bear (or dragon).
  5. While you can't keep a dedicated adversary out of your network, you can keep your data from leaving. That's in large part where you need to focus your resources and where you'll get the best return-on-investment.
  6. You have serious supply chain problems and need to start testing firmware updates for all those servers that you own which were made in China for backdoors.
  7. You have serious software issues and need to investigate any code written by Russian firms for backdoors.
  8. Cancel your contracts with Chinese telecommunications companies if they are providing products that would give them access to sensitive data.

My bill is in the mail.

Britain Has Already Lost A Future Cyber War

General Cartwright's Inflammatory Remarks are Hurting, not Helping

General James E. "Hoss" Cartwright
Now that General Cartwright is free from the restrictions that he had to operate under as an employee of the U.S. government, his remarks regarding China are even more inflammatory than they were when he held the position of Vice Chairman, Joint Chiefs of Staff, at least according to this article in The Guardian.

"Right now we have the worst of worlds," said Cartwright. "If you want to attack me you can do it all you want, because I can't do anything about it. It's risk free, and you're willing to take almost any risk to come after me."
The US, he said, "needs to say, 'if you come after me, I'm going to find you, I'm going to do something about it.' It will be proportional, but I'm going to do something ... and if you're hiding in a third country, I'm going to tell that country you're there, if they don't stop you from doing it, I'm going to come and get you."

General Cartwright's opinion that the best cyber defense is a good offense is a throwback to his honorable career as a Marine waging war in on a physical battlefield. Unfortunately, that strategy doesn't work in cyberspace. It's ironic that Dell Secureworks has come out on Cartwright's side in this debate since Dell is heavily invested in its operations in China. Secureworks' engineers would make a better use of their time by creating a way to test Dell servers for backdoors than trying to get legal permission to attack Chinese hacker crews that they suspect are behind espionage attacks against U.S. corporations.

Calls to action are good and appropriate for a problem as serious as IP theft has become and the frustration at the lack of effectiveness of what we're currently doing is certainly understandable. The problem is that the outlet for that frustration is being directed in a harmful, not helpful, way. Giving the green light to U.S. industries to "go after" groups that they perceive as bad actors is akin to vigilantism and could easily trigger a war that spills over into actual bombs and bullets instead of bits and bytes. Further, any Information Security outfit that believes that the problem is solely China doesn't have a clue about the nature of the environment that they're supposed to be operating in. Besides Russia and North Korea, U.S. allies like France, Germany, and Israel are benefiting from acts of cyber espionage against the U.S. too and if they're smart about it (and they are), they'll leave evidence which implicates China. General Cartwright's calls for offensive action simply plays into the hands of those States' strategies of misdirection and obfuscation.

A smarter and more effective alternative is to switch from network-centric to data-centric protective mechanisms. If you want to keep your valuable data from being stolen, you first have to start monitoring it. Threatening China or any other country is just wasting valuable time and making the person doing the threatening look ineffective.

Attribution: Vital for Offense, Irrelevant for Defense

Saturday, December 10, 2011

The Impact of Social Networks on War, Politics, and the Sons of Anarchy

Kurt Sutter's Sons of Anarchy on FX Network
Evidently there is nothing that has remained unscathed by the power of instantaneous communications via social networks like Twitter and Facebook. The protest against perceived fraud in the Russian elections is the largest seen in Russia since the fall of the Soviet Union. The protest against the 1% by the Occupy movement hasn't been seen since the anti-war protests of the 60's. The State Department is still struggling with how to cope with the exposure of hundreds of thousands of classified diplomatic cables published on Wikileaks a year ago.

A clue to how the Russian government, the U.S. State Dept. and pretty much every other related agency and organization needs to re-think their strategy thanks to the power of social networks can be found in two podcasts by Sons of Anarchy creator and show runner Kurt Sutter. Sutter is clearly passionate about his show, and deservedly so. I think it's one of the best dramas on television and both my wife and I are fans. But passion isn't enough in today's wired world. Sutter has to factor in union production requirements, network schedules, and something which didn't exist in the first few seasons - instantaneous critical reviews. Unfortunately, he hadn't counted on the power of that last factor in this latest season. As I watched Kurt Sutter's podcasts (WTF Sutter Finale parts 1 and 2) I sympathized with his frustration as he talked about learning the hard way that crafting a great season wasn't enough; that his entire season would now be judged in the world of instantaneous communications solely upon the strength of his last show.

Lots of powerful figures besides show runners have underestimated the power of social networks. The ability for huge numbers of individuals to observe, communicate, and act in real-time is throwing traditional strategies of law enforcement agencies and battlefield commanders into obsolescence. We should be open to learning new strategies wherever they may be found - including the musings of the creator of a show about an outlaw motorcycle club.

As a side note, if anyone has a contact for Kurt Sutter, I think he'd make a great addition to the Suits and Spooks conference. Consider this your invitation, Mr. Sutter.

Sons of Internet Anarchy
George Clooney's Satellite Sentinel Project to be Featured at Suits and Spooks

Spontaneous Analysis of Unstructured Speech for Idea Development using Palantir

Sample Palantir Analysis:
My goal for each Suits and Spooks anti-conference is to tackle a hard challenge with a unique approach. In this case, we're going to use Palantir to navigate and intuite patterns in unstructured human speech instead of unstructured data to find hidden connections and spark creative solutions.

Palantir was created to perform information analysis. We used it 3 1/2 years ago for our open source intelligence experiment called Project Grey Goose. In February, 2012 we're going to reinvent its use by moving from finding "fragments of data which tell a larger story" to finding fragments of ideas presented by speakers and commented upon by attendees. I'm particularly excited about the input from attendees because unlike the standard conference where attendees have to que up before one or two microphones, at SnS every attendee will have a microphone at their seat and will be able to challenge speakers during their 30 minute presentations. Additionally, attendees will be able to send text messages to the Palantir engineer for ingestion into the application. Twitter will be a third source of input by ingesting everything tweeted to @suitsandspooks on the day of the event. We will not only be capturing the remarkable information provided by our speakers but the ideas and feedback that it inspires on the part of our attendees.

Finally, all of those inputs will be linked and analyzed in real time by projecting the Palantir workspace onto a screen behind the speaker podium which will multiply the effect of idea generation as new linkages and conceptual ideas are displayed, added to, spoken about, analyzed and re-displayed repeatedly throughout the day. After the event is over, we'll publish a report containing our findings along with screen shots of the Palantir workspace that will portray how the analysis was done.

10 Days Left For The Early Bird Discount
Register today to be a part of this unique process and interact with the following remarkable individuals who'll be speaking:
  • Ben Milne (founder of Dwolla)
  • Jonathon Huston (Satellite Sentinel Project)
  • John Robb (Brave New War)
  • Janina Gavankar (Posterous Spaces for Actors)
  • Jodee Rich (founder of PeopleBrowsr)
  • Anup Ghosh (founder of Invincea)
  • Daniel Geer (In-Q-Tel)
  • Rand Waltzman (Darpa)
  • (and more to come)
Please support this event with your attendance and with word of mouth. The topic - Shaping a Revolution in Security Affairs - is vitally important as the recent capture of a Top Secret RQ-170 Stealth Sentinel drone so dramatically illustrates. Everyone from the Director of the NSA on down knows that the present system is broken (with the exception of the RSA's of the world). This is your opportunity to be a part of discovering a more effective model. 

Friday, December 9, 2011

Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran

Courtesy of Recorded Future:
The loss of the RQ-170 Stealth Sentinel drone to Iran is potentially one of the most critical events that has occurred in 2011 because it implies an offensive electronic warfare or cyber capability that no one expected Iran to have. Now that Iran has released a video of the captured drone and the U.S. government has confirmed that it's authentic, it's clear that the original FARS report claiming that it was captured via electronic means may have been accurate in spite of unanimous Western media reports to the contrary; i.e., that it was shot down.

EMEA's strategic intelligence report on the RQ-170 says that the Stealth Sentinel is a high altitude and long endurance unmanned aerial vehicle (UAV) designed and manufactured by Skunk Works, a division of Lockheed Martin Corporation, for the United States Air Force (USAF). According to EMEA:
The UAV can capture real time imagery of the battlefield and transfer the data to the ground control station (GCS) through a line of sight (LOS) communication data link. The 27.43m wide and 1.82m high aerial vehicle was designed to execute intelligence, surveillance, reconnaissance and target acquisition (ISTAR) and electronic warfare missions over a target area.
According to Earl Lum, President of EJL Wireless Research LLC what is supposed to happen when an Unmanned Aerial Vehicle (UAV) like the RQ-170 loses its comms link is that it should autonomously follow a pre-programmed lost-link profile consisting of waypoints at various altitudes, forming a loop until it re-establishes contact or crashes. The communication link for the UAVs is typically today LOS (line of sight). If it falls below the mountains and loses LOS, it is supposed to then go through this process. However while this applies to UAVs in general it may not be the case with the RQ-170.

Navigation technology
According to the EMEA report, the RQ-170 can be controlled either manually from the GCS or through autonomous mode. An automatic launch and recovery (ALR) system facilitates the aircraft to land safely when communication with the control station fails.

Ground control station
The GCS of the RQ-170 displays the real time imagery or videos captured by the vehicle's payload cameras onboard. The data supplied by the vehicle is retrieved, processed, stored and monitored at the control station which was designed and built by Skunk Works. The GCS tracks, controls and monitors the RQ-170 by transferring commands to the vehicle via LOS SATCOM data link. The sentinel is being operated by 432nd wing of air combat command (ACC) at Creech Air Force Base, Nevada, and 30th reconnaissance squadron at Tonopah Test Range, Nevada.

Related cyber incidents that may have compromised the RQ-170:
- A South Korean newspaper, JoongAng Daily, reported in December 2009 that the RQ-170 was flight tested in South Korea to supersede the U-2 aircraft at Osan Air Base for carrying out missions over North Korea. North Korea is an ally of Iran and has conducted offensive CNE (Computer Network Exploitation) and CNA (Computer Network Attack) missions against South Korea repeatedly for several years. It's unknown what information has been stolen however this type of intelligence is highly sought after and its reasonable to assume that the DPRK would include it on a CNE acquisitions list.
- Lockheed Martin reported a cyber attack in June, 2011 that lasted about one week. LM didn't report what was taken however as with the DPRK example, UAV research has been targeted at U.S. defense firms as late as this past summer according to my own confidential sources.
- Creech Air Force Base experienced a malware infection that impacted its UAV Ground Control Stations in October 2011. It's public report on the incident was confusedly written and lacked details regarding the malware involved, its propagation and its remediation.

The objective of this article is to assess possibilities. Based on EMEA's report on the RQ-170, it appears that the drone had the ability to land itself without operator control. I'd appreciate hearing from any experts who can confirm whether that's the case or not. If it is, then Iran may have lucked out. If it isn't, then Iran's claim that it used its electronic warfare capacity to assume operational control of this substantial U.S. military asset appears to be true. Considering how easy it is for an adversary to conduct CNE against targeted U.S. networks, this is probably a capability that they obtained from one of many mercenary hacker crews who engage in that type of activity. While the scope of this article is hypothetical, the CNE targeting of UAV R&D is a fact born out by my own company's work in this area. Iran may or may not have that capability now but eventually it will. The RQ-170 event should be a massive wake-up call on the part of the U.S. Air Force to reinstall a self-destruct capability, harden the RQ-170's operating system, and examine potential vulnerabilities in its UAV fleet supply chain.

UPDATE (1528 PST 09DEC11): From an article in today's SF Gate:

The most frightening prospect raised by what appears to be a largely intact Sentinel is that the Iranians' second claim about how they brought it down -- by hacking into its controls and landing it themselves -- might be true, said a U.S. intelligence official, who spoke only on the basis of anonymity because the RQ-170 is part of a Secret Compartmented Intelligence (SCI) program, a classification higher than Top Secret.
The official said the possibility that the Iranians or someone else hacked into the drone's satellite communications is doubly alarming because it would mean that Iranian or other cyber-warfare officers were able to disable the Sentinel's automatic self-destruct, holding pattern and return-to-base mechanisms. Those are intended to prevent the plane's secret flight control, optical, radar, surveillance and communications technology from falling into the wrong hands if its controllers at Creech Lake Air Force Base or the Tonopah Test Range, both in Nevada, lose contact with it.
UPDATE (1708 PST 22DEC11): Cryptome has an interesting thread on the use of the RSA cyber to protect the GPS Red band used on military systems like the RQ-170. This suggests that data from the RSA breach last March may have been shared with the Iranians.

UPDATE (0715 PST 05JAN12): AviationWeek has an excellent technical article on the F-22 technology used on the RQ-170.

Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?
How Iran May Have Captured An RQ-170 Stealth Drone
U.S. Air Force Demonstrates How Not To Report A Malware Attack 

Wednesday, December 7, 2011

George Clooney's Satellite Sentinel Project to be Featured at Suits n' Spooks DC

Time magazine recently ran a story about how George Clooney and John Predergast of the Enough Project decided to raise money to set up a private satellite spy network to focus on the atrocities being committed in Sudan. The program has been so successful that the International Criminal Court is bringing charges against a Sudanese government official. This is an example of the kind of disruptive thinking that Suits and Spooks 2012 in Washington DC is looking for. Fortunately, Jonathan Huston, the Communications director of Enough has agreed to speak about how the project works. He's given similar talks to the U.S. Geospatial Intelligence Foundation.

Suits and Spooks 2012 isn't a passive conference. Both attendees and speakers will be interacting the entire day to produce innovative and disruptive ideas that relate to creating a new security framework to address the new and rapidly expanding threat landscape created as the physical and virtual worlds continue to become interwoven with each other. The ideas of both speakers and attendees will be captured in real-time in a Palantir workspace with live analysis being done and projected onto a screen behind the speakers. A final report will be released summarizing the day's findings.

You can be a part of this revolutionary experience by registering today. We offer a special rate for students and academics as well as government employees, and an early bird discount will run for everyone until January 6, 2012.

Information on the Satellite Sentinel Project
Information on Suits and Spooks 2012 - Washington DC

Tuesday, December 6, 2011

How Iran May Have Captured An RQ-170 Stealth Drone

On December 4th, the Iranian FARS news agency announced that the electronic warfare group of the Iranian military took over the operations of a very sophisticated, un-manned RQ170 Stealth Sentinel drone along the border between Afghanistan and Iran. NATO acknowledged that operators lost control of a drone in that area one week ago but that doesn’t necessarily mean that Iran was responsible. Iran has lied about drone captures before and they may be lying this time, but there are at least four good reasons why they may have succeeded.
  1. Through my company’s work in this area, I know that Un-manned Aerial Vehicle (UAV) technology is actively being targeted and acquired via acts of cyber-espionage. This includes research in the Narrowband spectrum which is how UAVs receive their commands.
  2. It’s not enough to know that Narrowband technology is used. An adversary would need to know the specific frequency in order to assume control of the vehicle. That obstacle may have been solved in October with the discovery of “credential-stealing” malware infecting the Ground Control Stations at Creech AFB. If the UAV operators (or pilots) entered the narrowband frequencies used to control their drones on a keyboard, and that keyboard was infected with a keylogger, that information would be captured and delivered to a command and control server and then collected by whomever was responsible for the attack.
  3. The RQ170 Stealth Sentinel along with the Reaper and Predator drones are all operated by pilots manning ground control stations at Creech AFB. The Air Force has not been forthcoming with details of the malware attack nor its remediation and the information that it has provided has been vague and misleading.
  4. Thanks to Stuxnet, Iran is spending a lot of money to ramp up its cyber warfare capabilities, and it's highly motivated to obtain some "get-back" against the U.S. since it believes that the U.S. and possibly Israel are responsible for the Stuxnet attack.
No one will know for sure if Iran successfully launched a cyber attack against “The Beast of Kandahar” (as the RQ170 is called) unless Iran presents proof, but its intent to do so is real; the theft of related technology is real; the lapse in cyber-security at Creech AFB was very real and the Air Force would be well-advised to take this threat seriously and re-evaluate the vulnerabilities that exist today in its UAV fleet.

Danger Room - Wired.Com: Iran Probably Did Capture A Secret U.S. Drone
Was Iran's Downing of an RQ-170 Related to the Malware Infection at Creech AFB?
U.S. Air Force Demonstrates How Not To Report A Malware Attack

Sunday, December 4, 2011

Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?

The Washington Post has reported that Iran's cyber warfare unit took over the controls of a Lockheed Martin RQ-170 Sentinel stealth drone flying over Eastern Iran and landed it with minimal damage. As of this writing, the U.S. Air Force hasn't yet confirmed or denied the attack. I've left a message with the on-call PA officer at Creech Air Force Base, which is the home of the 432d Wing which flies RQ-170 Sentinels according to this factsheet.

Creech Air Force Base, as you may recall, suffered a malware infection of its Reaper and Predator Ground Control Stations last October. After Noah Shachtman broke the story, the Air Force issued a press release claiming that the malware was a simple "credential stealer" and not a "keylogger", which is a distinction without a difference as I pointed out here. Approximately one and a half months after the Air Force issued that statement, Iran claims to have successfully compromised the flying operations of one of its drones - possibly flown out of the same Air Force base.

Iran's Cyber Warfare Capabilities

Note: The following assessment comes from chapter 16 of the 2nd edition of Inside Cyber Warfare, due out this month:
In 2010 the Iranian Islamic Revolution Guards Corps (IRGC) set up its first official cyber warfare division.Since then, its budget and focus has indicated the intention of growing these cyber warfare capabilities. Education is considered a top priority in the strategy, with increased attention to computer engineering-specific cyber security programs. The IRGC budget on cyber capabilities is estimated to be US$76 million. The IRGC’s cyber warfare capabilities are believed to include the following weapons: compromised counterfeit computer software,wireless data communications jammers, computer viruses and worms, cyber data collection exploitation, computer and network reconnaissance, and embedded Trojan time bombs.
The cyber personnel force is estimated to be 2,400, with an additional 1,200 in reserves or at the militia level. In June 2011 Iran announced that the Khatam al-Anbiya Base, which is tasked with protecting Iranian cyberspace, is now capable to counter any cyber attack from abroad, a claim that will likely be tested soon given the volatile nature of cyberspace. In August 2011 Iran challenged the United States and Israel, stating that they are ready to prove themselves with their cyber warfare capabilities. Should the Iranian cyber army be provoked, Iran would combat these operations with their own “very strong” defensive capabilities. 
In my opinion, the U.S. Air Force needs to respond to this claim by the Iranians quickly and authoritatively because its lackluster conduct regarding the initial infection found at Creech makes this claim by Iran more believable, not less.

UPDATE (1121 04DEC11): CNN quotes a U.S. official confirming that an operator lost flight control of an RQ-170 Sentinel over Western Afghanistan (which borders Eastern Iran).

UPDATE (1807 04DEC11): Western sources are reporting that the RQ-170 drone was shot down however FARS quoted an Iranian military official saying that it was taken down via electronic means "with electronic war units" and with minimal damage which makes this a cyber attack. The Al-Jazeera story is here.