Friday, December 28, 2012

A Meditation on Three Things

I've tried a lot of different systems over the years in my search to live and work optimally and never found one single, successful system to embrace. Instead, I've boiled it down into these three core pillars that I practice daily. It is the closest thing that I have to a religious practice (I generally dislike religion) because it has certain spiritual undertones but there's no worship or dependence upon any higher powers involved. There is simply an awareness that I'm a part of a mysterious universe (aka nature, the mysterious unknown, etc.) which flourishes both with and in spite of me, and that the closer I come to being a part of that universe, the happier, healthier and more prosperous I become. The three practices are:

  1. Daily joy
  2. Trust the unknown
  3. No-mind
"Daily joy" means that your default setting when you wake up in the morning is one of sheer pleasure and happiness to be alive. If you have a dog, you know what I mean. For many years, this was not the case for me, nor for many of the people that I knew and hung out with. I used to make happiness conditional; i.e., I'll be happy when I'm earning $X; when I'm in a good relationship; when I get the right job; when I no longer have this boss; etc. Happiness, let alone joy, was - in my mind - something to be achieved rather than something that I had by virtue of my simply being alive. Daily joy is especially difficult when you are financially destitute or physically or mentally ill but those are the times when it is most needed because joy works like a magnet, just like fear does. We attract what we fear because emotion is a powerful attractant. The unfortunate truth is that it's a lot easier to feel fear in the face of the unknown than to feel joy. You have to consciously practice the latter in order to overcome the former. That practice may need to include removing yourself from negative people and environments and finding ones more conducive to helping you feel joy on a regular basis.

Thursday, December 27, 2012

Would a Malware BuyBack Program Work?

I just read a story about how successful L.A.'s gun buyback program has been and it reminded me about a suggestion that was made at our Boston Suits and Spooks event - that a buyback program might be successful in reducing the amount of malware in circulation. Most malware writers just want to be paid for their research; something that isn't happening frequently enough or at a rate that's considered fair by the researchers. As a result, some of those researchers are exploring grey markets in offensive malware development or are selling 0-days to clients as a form of threat intelligence, or both.

Imagine how much malware the U.S. government could buy for the price of one F-35 ($600 million per jet). And the intelligence gleaned from a forensics review of all that malware would be priceless. Certain precautions would have to be built into the program to reduce fraud, such as recompiling existing malicious code to create slightly different versions for sale, but I think it's worth at least a pilot program to gauge its effectiveness.
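The fraud vector just mentioned, resubmitting a recompiled or lightly patched copy of a sample that has already been bought, is exactly what an exact-hash deduplication check misses. The following is an added example, not code from the original post: it compares a SHA-256 lookup with a byte n-gram Jaccard similarity (a crude stand-in for fuzzy hashes such as ssdeep, which a real program would use) so that a one-byte variant of an accepted sample is flagged rather than paid for twice. The "binaries" are constructed byte strings, not real malware, and the function names and 0.8 threshold are illustrative choices.

```python
"""Near-duplicate detection for submitted malware samples (added example).

Exact hashes miss a sample that has been recompiled or patched by a single
byte; a byte n-gram Jaccard similarity (stand-in for ssdeep/TLSH) catches it.
All sample "binaries" below are constructed byte strings, not real malware.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Exact-match identity of a submission."""
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows; an order-insensitive fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the n-gram sets: 0.0 (disjoint) to 1.0 (identical)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def triage(submission: bytes, accepted: dict, threshold: float = 0.8):
    """Classify a submission against already-purchased samples.

    accepted maps sha256 -> bytes. Returns a tuple:
      ("duplicate", sha, 1.0)   exact hash match
      ("variant", sha, score)   near-duplicate of an accepted sample
      ("new", None, best_score) nothing similar on file
    """
    digest = sha256_hex(submission)
    if digest in accepted:
        return ("duplicate", digest, 1.0)
    best_sha, best_score = None, 0.0
    for sha, blob in accepted.items():
        score = similarity(submission, blob)
        if score > best_score:
            best_sha, best_score = sha, score
    if best_score >= threshold:
        return ("variant", best_sha, best_score)
    return ("new", None, best_score)


# Constructed samples (illustrative pseudo-listings, not real code or malware).
ORIGINAL = (b"MZ\x90\x00" + b"push ebp; mov ebp,esp; sub esp,0x40; call get_kernel32; "
            b"push 0x7c8000; call resolve_api; xor eax,eax; loop decode_payload; "
            b"call decode_payload; jmp run_stage2; pop ebp; ret")
# One-byte patch: a new SHA-256, but almost every 4-gram is unchanged.
PATCHED = ORIGINAL[:60] + bytes([ORIGINAL[60] ^ 0x01]) + ORIGINAL[61:]
UNRELATED = b"MZ\x90\x00" + b"nop; nop; int3; hlt; " * 6

# The "already bought" corpus.
ACCEPTED = {sha256_hex(ORIGINAL): ORIGINAL}

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("patched", PATCHED), ("unrelated", UNRELATED)):
        print(name, triage(blob, ACCEPTED))
```

The threshold is the tuning knob: too low and legitimately distinct families built from a shared toolkit get rejected as variants, too high and a padded or re-linked copy slips through. A production program would pair a fuzzy hash with structural features (import tables, section hashes) rather than rely on raw byte n-grams alone.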

Friday, December 14, 2012

The "January Effect" - An Annual Phenomenon Since 2009

I was recently interviewed for a feature in Discover magazine's Top 100 Stories of 2012 (January 2013 issue - on newsstands now). I'm #62 "Defender of the Digital Domain". During the interview, I was asked about a future forecast for 2013. I mentioned a phenomenon that I've noticed each year since 2009 - a major breach or act of cyber warfare that kicks off the New Year. It may start in December and then get publicized in January, or happen in January and get publicized a bit later but it has happened four years in a row now so I fully expect it to occur once again.

December 2008 - January 2009: Operation Cast Lead (a land war w/ thousands of simultaneous cyber attacks between Israel and Hamas)
December 2009 - January 2010: Google and 20+ companies are breached
January 2011 (approximate) - March 2011: RSA was breached sometime early in 2011 with the announcement being made on March 17, 2011.
January 2012: A hacker announces that he has Symantec's source code for Norton and other products.

What will occur or be announced in December 2012 - January 2013? I have no idea but I'm confident that it'll be something impressive.

Tuesday, December 11, 2012

Cyber Laws May Need Tweaking

The following is an excerpt of an article that I wrote for SC magazine on the need to amend the Computer Fraud and Abuse Act to keep pace with active defensive options by corporations; an issue that we'll be exploring in depth at Suits and Spooks DC (Feb. 8-9, 2013):

"Law in the United States has not kept pace with the tsunami of cyber attacks that have overwhelmed corporations and the government. It's become such a frustrating problem that information security start-ups, like CrowdStrike, as well as established ones like Mandiant, are pushing for a “strike-back” capability, something that the Computer Fraud and Abuse Act (CFAA) prohibits. Even if a company takes a network counter-attack off the table and just wants to encrypt its own data which it finds stored on another computer, the CFAA makes even that common-sense action illegal. I don't think that will be the case for much longer. In fact, I predict that 2013 will be the year when the concept of “active defense” will finally become a reality.
"It's been a year since the directors of the National Security Agency and the Defense Advanced Research Projects Agency both acknowledged that the U.S. government has been unable to protect its own networks and asked for help from private industry. Earlier this year, two high-profile FBI officials and an Air Force general left government service to join CrowdStrike, a decision driven in part out of the same frustration. Then there was the provocative and somewhat disturbing speech given by Secretary of Defense Leon Panetta in October which warned foreign adversaries that we had significantly improved our attribution capabilities (although there's little evidence to support that claim) and that we would respond militarily to anyone who launched a “destructive” cyber attack against us.
"The drive by private industry to be more aggressive in defending corporate networks and the “signalling” by Panetta that we will respond to destructive cyber attacks are both examples of a military strategy known as “active defense.” However, while computer attacks between nation-states may be allowable under certain conditions, such as a presidential finding under Title 50 for a cyber covert action or under the Law of Armed Conflict, there is no such leeway for private corporations under Title 18, Section 1030 – and there's the rub."

Read the rest of the article at SC Magazine.

Friday, December 7, 2012

Flipping Malware: A Profit Opportunity for Corporate IT Departments

The one thing that corporate IT departments are not is a profit center. But the trend towards developing offensive exploits and selling them to government agencies could change that tomorrow if CEOs can be convinced to take the opportunity. Up to this point, CEOs and their Boards of Directors have been reluctant to spend too much money on cyber security because, frankly, it could easily become a serious money pit. A typical incident response bill for a breach can easily exceed the mid-six figures. Saudi Aramco and Sony probably paid a hefty multiple of that. Then there are the five-figure monthly bills for threat intelligence feeds, plus the charges to protect against Denial of Service attacks, AV, IDS, IPS, etc. And the worst part of this money pit is that the company can only hope that their previously compromised network is clean. There's no way to tell for certain because it could still contain undiscovered malware.

The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represents tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you've viewed only as a threat and an expense has become a valuable commodity thanks to the trend in selling offensive malware to government agencies.

The U.S. government is a customer for offensive exploits and so are a number of allied governments. In fact, if they aren't already doing this, defense contractors like Lockheed Martin, Raytheon, Northrop Grumman, and many others should already be mining their own networks for undiscovered malware, reverse-engineering what they find, and using it to fill orders from DoD since they've already got the contract vehicles in place.

Some of the more forward-looking DOD contractors who have robust internal Computer Emergency Response Teams (CERTs) staffed with engineers who can do reverse-engineering could be in the best position to offer free or low-cost network defense to corporations who want to "flip" the malware found on their network for a nice profit. The best part is that everybody comes out a winner except for the malware writers who may have spent a lot of time and money developing 0-days for targeted attacks (i.e., the creators of Stuxnet, DuQu, Gauss, and Flame). In my scenario, they've merely provided a sellable commodity for free to the targets that they were hoping to exploit.

If you're a C-level executive and you'd like to discuss this idea privately with me, feel free.

Thursday, December 6, 2012

Please Remember the CIA Officers Memorial Foundation this Holiday Season

There are lots of great charities out there that are deserving of a share of our gift-giving this holiday season (and year-round for that matter). I'd like to introduce you to one of my favorite charitable organizations - the CIA Officers Memorial Foundation.
"The Foundation was established in December 2001 to provide educational support to the children of CIA officers killed in the line of duty. In May 2006, the Foundation's Board of Directors voted to expand its mission to include providing educational support to the spouses of CIA officers killed in the line of duty, and the children and spouses of officers who die on active duty as a result of accident, illness or other causes."
I just received my supporter letter from them and was happy to learn that they've been able to increase their scholarship awards to 28 students for the 2012-2013 academic year ($575,000) from 26 students ($512,000) for the prior year. However, according to their letter, they "still have a long way to go to realize our strategic goals and to sustain our ability to fund programs in the future as education expenses continue to soar and the number of families in need of our support increases."

Please keep this wonderful organization in mind this month as you make your charitable donations in the holiday spirit of giving. Thank you.

Tuesday, December 4, 2012

Anonymous Reveals The 24 hr Violence Cycle in Syria

Part of the Syrian government email dump that was published by contained daily reports from the Syrian government to its embassy at the U.N. on terrorist attacks occurring on its soil. These "terrorists" were, of course, Syrian rebels looking to overthrow Assad. While the country has been in a state of civil war for many months, it's eye-opening to see the level of violence when it's broken down by dozens of specific instances on a daily basis as it is done in these reports. There are literally dozens of them in the email dump. I arranged for the translation of two documents to share via this blog.

Friday, November 30, 2012

HostDime, SoftLayer, et al, Need to be Federally Bitch-Slapped For Violating Syrian Sanctions

Source: website
When the New York Times released its story that some of the Syrian government's websites were hosted outside of Syria, I wasn't surprised to see SoftLayer Technologies as one of the hosts. They are also the company that hosted, the Russian forum which coordinated many of the cyber attacks against Georgian government websites during the Russia Georgia war (2008).

Other U.S. ISPs in addition to SoftLayer who are hosting Syrian government websites in violation of an Executive Order by President Obama (EO 13582) are,, 383Inc., HopOne, Net2EZ, Tiggee, and PEER 1. Of those seven, HostDime and Softlayer are consistently among the world's 50 worst hosts for serving malicious content.

Furthermore, this isn't the first time that Softlayer and the other offending ISPs learned of their violation of EO 13582. CitizenLab first published its report The Canadian Connection: An investigation of Syrian government and Hezbullah web hosting in Canada in November 2011. A blog posting by shows that SoftLayer didn't respond to their inquiry back then and still hasn't. A spokesperson for HostDime responded on the HostJury blog last November by saying "We are currently aware of all OFAC (Office of Foreign Assets Control) rules and regulations and continue to comply and monitor to the best of our ability." Since they have continued hosting a Syrian government website (MOW.GOV.SY) for more than a year and have done nothing about it, they and the other ISPs involved are knowingly in violation of EO 13582.

In my opinion, these ISPs need to be federally bitch-slapped for this. I hope that one or more of my federal government readers takes the hint and sets a much-needed example with HostDime, SoftLayer and the others.

UPDATE (30NOV2012 0634PST): VF (Vicki Fraser) of HostDime (@HostDime) responded to me on Twitter shortly after I published this article: "We do not host any Syrian websites and are not in violation of federal sanctions.   ^VF". Say, Vicki. Do you know how to use ROBTEX?

VF responded via Twitter: "@jeffreycarr it is hosted within our datacenter but not by us, we've reached out to our direct client expressing our concerns ^VF".

UPDATE (30NOV2012 0829PST): @HostDime announced via their Twitter feed: "@jeffreycarr Update: Our client (the host of the Syrian site) has taken action and taken the site offline. ^VF"
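The Robtex check referred to above, and HostDime's "in our datacenter but not our customer" reply, both come down to the same lookup: resolve the hostname, find the WHOIS netblocks that contain the address, and read off who holds each one, most specific first. The following is an added example, not code from the original post or from Robtex; the WHOIS records, hostname, address and organisation names are constructed for illustration (documentation ranges, not real registry data), and a real lookup would query DNS and the regional registry instead of the inline tables. It shows why a reseller's sub-allocation can sit inside a hosting company's parent block, which is exactly the distinction HostDime drew.

```python
"""Who hosts this address? (added example, constructed data)

Walks from hostname -> A record -> WHOIS netblocks containing the address,
ordered by longest prefix. The first hit is the immediate holder (possibly a
reseller); later hits are the upstream allocations it was carved from.
"""
import ipaddress

# Constructed ARIN-style WHOIS output: a parent allocation to a hosting
# company and a narrower reallocation to one of its resellers.
WHOIS_RECORDS = """\
NetRange:   203.0.113.0 - 203.0.113.255
CIDR:       203.0.113.0/24
OrgName:    Example Hosting Inc
NetType:    Direct Allocation

NetRange:   203.0.113.64 - 203.0.113.127
CIDR:       203.0.113.64/26
OrgName:    Reseller Webservices Ltd
NetType:    Reallocation

NetRange:   198.51.100.0 - 198.51.100.63
OrgName:    Other Colo LLC
NetType:    Direct Allocation
"""

# Constructed stand-in for DNS resolution so the example runs offline.
# In practice use socket.gethostbyname() or dig; the hostname is fictitious.
DNS_A = {"www.example-ministry.test": "203.0.113.70"}


def parse_whois(text):
    """Split WHOIS text into records -> list of (ip_network, fields).

    Prefers the CIDR field; falls back to summarising a NetRange, which may
    expand to several networks when the range is not prefix-aligned.
    """
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "CIDR" in fields:
            nets = [ipaddress.ip_network(fields["CIDR"], strict=False)]
        elif "NetRange" in fields:
            first, last = (ipaddress.ip_address(x.strip())
                           for x in fields["NetRange"].split("-"))
            nets = list(ipaddress.summarize_address_range(first, last))
        else:
            continue
        records.extend((net, fields) for net in nets)
    return records


def hosting_chain(ip, records):
    """All netblocks containing ip, most specific first.

    Returns [(cidr, OrgName, NetType), ...]; empty if the address is unknown.
    """
    addr = ipaddress.ip_address(ip)
    hits = [(net, f) for net, f in records if addr in net]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), f.get("OrgName", "?"), f.get("NetType", "?"))
            for net, f in hits]


def who_hosts(hostname, dns=DNS_A, whois_text=WHOIS_RECORDS):
    """hostname -> (ip, chain) or None when the name does not resolve."""
    ip = dns.get(hostname)
    if ip is None:
        return None
    return ip, hosting_chain(ip, parse_whois(whois_text))


if __name__ == "__main__":
    ip, chain = who_hosts("www.example-ministry.test")
    print(ip)
    for cidr, org, kind in chain:
        print(f"  {cidr:<18} {org:<26} {kind}")
```

The practical caveat is the one HostDime's reply illustrates: the organisation on the parent block is answerable for the datacenter, while the sub-allocation (if the reseller bothered to register one) names the customer. When no sub-allocation is published, the lookup stops at the hosting company and only its own records can say who the client is; and the geographic location of a netblock says nothing about who is operating the site or whether the server has been compromised.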

Monday, November 26, 2012

Help Navy SEALs Fund Support SAS Sgt. Danny Nightingale

I've spent the last week trying to find a way to support an SAS sniper who's been unjustly jailed in Britain over a handgun possession charge. The article that I wrote about it is now up at Please read it, sign the petition, and make a donation to help Sgt. Nightingale and his family through this very difficult time.

Thanks very much!

Debate: "Private Companies Should Be Authorized To Take Measured Offensive Action Against Attackers"

On Feb. 8-9, 2013, up to 100 people including some of the world's leading experts in law, incident response, reverse-engineering and intelligence will meet in Washington DC to debate the topic: "Private Companies should be Authorized to take Measured Offensive Actions against Attackers". The list of speakers includes CrowdStrike's Dmitri Alperovitch, Mandiant's Richard Bejtlich, Microsoft's Dave Aucsmith, Damballa Labs' Gunter Ollmann, CrySys Labs' Boldi Bencsath, ReVuln's Donato Ferrante, INTERPOL's new Digital Crime Center's director, the ITU's Marco Obiso, The Grugq, The Jester, and many more.

The Agenda of Suits and Spooks DC will feature the most intriguing panel discussions ever held on the highly controversial issue of "striking back" at those responsible for cyber attacks as well as how offensive markets for malware are changing the world of vulnerability exploits. The second day will include breakout sessions as well as an afternoon debate between two teams consisting of 12 volunteers from our attendees along with time for research and strategizing over a working lunch.

Friday, February 8, 2013 - Waterview Conference Center

9:00am - Registration and Continental Breakfast
9:45am - Welcome and Briefing on the Day's Activities
10:00am - 12:00pm: Panel Discussion - Offensive Tactics and Takedowns by Security Vendors
Featuring Mr. Dmitri Alperovitch (CTO and Co-Founder, CrowdStrike), Mr. Richard Bejtlich (CSO, Mandiant), Mr. David Aucsmith (Sr. Director, Microsoft Institute of Advanced Technologies for Governments), and Mr. Nick Selby (Police Officer, DFW Area Department of Public Safety; Partner, Enterprise Security at N4Struct, Inc.).
12:00pm - 1:00pm: How Duqu, Flame, Gauss, and Shamoon can be reconfigured and reused against different victims
Featuring Dr. Boldizsár “Boldi” Bencsáth (Associate Professor, Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics)
1:00pm - 1:45pm LUNCH (provided on-site)
1:45pm - 3:45pm: Panel Discussion - Finding Exploitable Loopholes in the Computer Fraud and Abuse Act and International Law for Offensive Actions in Cyberspace
Featuring Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Stewart A. Baker (Partner, Steptoe & Johnson), Mr. Frank J. Cilluffo (Director, Homeland Security Policy Institute at George Washington University), and Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU))
3:45pm - 4:00pm BREAK
4:00pm-6:00pm: Panel Discussion - Offensive Markets for Vulnerability Research - Pros and Cons
Featuring Mr. Donato Ferrante (Co-Founder and Security Researcher, ReVuln), The Grugq (a security engineer who specializes in reverse-engineering and anti-forensics), Mr. Gunter Ollmann (Chief Technology Officer, Damballa Labs)

Saturday, February 9, 2013 - Waterview Conference Center

9:00am Continental Breakfast
9:30am Welcome and Briefing on the Day's Activities
9:45am - 10:45am (Classroom A): Calculating The Adversary's Return-On-Investment and How That Can Inform Defense
Featuring Mr. Josh Corman (Director of Security Intelligence, Akamai)  and Mr. David Etue (Vice President, Corporate Development Strategy at SafeNet)
9:45am - 10:45am: (Classroom B): (topic to be announced)
Featuring Mr. Spencer Wilcox (Lead Security Strategist and Special Assistant to the Vice President of Corporate and Information Security Services for Exelon Corporation)
9:45am - 10:45am: (Classroom C): Q&A with The Jester via IRC "Is Offense The Best Defense, and Who Should Conduct It?"
This will be a moderated discussion with The Jester via IRC chat. Attendees will be able to pass their questions to the moderator and The Jester will respond in real-time.
10:45am - 12:45pm: What's the Downside of Private Sector Offensive Engagement?
Featuring Dr. Anup Ghosh (Founder and CEO at Invincea), Mr. Jeffrey Carr (Founder and CEO, Taia Global, Inc.), Mr. Gunter Ollmann (Chief Technology Officer, Damballa Labs), and Mr. Josh Corman (Director of Security Intelligence, Akamai)
12:45pm-2:00pm: Working Lunch
12 attendees will volunteer to debate the proposition (6 per team). The working lunch will be spent dividing into teams and assisting the debaters in preparing research and debate strategies.
2:00pm - 3:30pm: Debate the Proposition "Private Companies Should be Authorized to Take Measured Offensive Actions Against Attackers"
The debate will be judged by a panel of 5 of our speakers.
3:30pm - Closing Remarks

The Waterview Conference Center is one of Washington D.C.'s most beautiful and exclusive facilities but it has a capacity of only 100 people so don't miss out. Register today and be a part of one of 2013's most important events.

We are also still looking for companies to join Basis Technology in sponsoring this important event. Please contact me for more information.

Wednesday, November 21, 2012

France Throws Cyber Stones From Its Glass House

Source: L'Expansion.L' 20 NOV 2012
The government of France shouldn't be so quick to charge the U.S. with being responsible for the Flame malware found on President Sarkozy's computer. Kaspersky Lab had remarkably little evidence to support their charge that it was created by the team that created Stuxnet and Duqu, and CrySys Labs said that it probably wasn't created by the Stuxnet/DuQu team.

Further, France is in no position to throw stones. Its use of cyber espionage operations is well-known inside the U.S. Intelligence Community as well as to the German government, which considers France a more severe intellectual-property-theft risk than Russia or China. France's state-owned energy firm EDF also conducted cyber espionage attacks against Greenpeace.


Report: French officials accuse US of hacking Sarkozy's computers
Votre Secrets, Monsieur? "The idea of the French using their intelligence service to obtain scientific, economic, and technological information from friendly countries is not new."

Friday, November 16, 2012

Anonymous Attacks Israeli Air Force Website and Other Targets

English language page of Israeli Air Force Website
A Middle East faction of Anonymous has taken the side of the Palestinian settlers in Gaza and announced that it would be attacking Israeli government websites. One of them belonged to Israel's Air Force according to this tweet:
Screenshot captured on 11/16/2012 0658 PST

Screenshot captured by AnonymousSky and referenced in the above tweet
In less than two days after Israel launched Operation Pillar of Defense (the English version of the more obscure Pillar of Cloud designation), civilian supporters on both sides of the conflict have begun launching cyber attacks against key websites (see my original post on this conflict). 88 defacements have been posted to Pastebin today and many more are expected to occur.

UPDATE 16NOV12 0944PST: The following Israeli gov't websites have been attacked by Anonymous per @AnonymousSKY
  • Israel Security Agency (
  • Ministry of Justice (
@YourAnonNews has reported that cyber attacks from pro-Israel hackers have impacted VoxAnon - an IRC network popular with Anons.

  • Israel's Ministry of Foreign Affairs is down (
  • More than 663 Israeli websites defaced 


Thursday, November 15, 2012

The Cyber Warfare Component to Israel's Pillar of Cloud Op

Israeli Defense Forces have been engaged in missile attacks against Hamas targets in Gaza off and on for about a month, however it has escalated in the wake of the killing of Ahmed Jabari, Hamas’ military chief of staff on November 14, 2012. Hamas has announced at least 8 deaths since Israel launched Operation Pillar of Cloud (aka Pillar of Defense), which has primarily involved missile attacks from both sides and the campaign is intensifying.

Operation Pillar of Cloud is reminiscent of Operation Cast Lead which occurred during December '08 - January, '09, however Cast Lead had a widely publicized cyber component in which tens of thousands of attacks were launched by Israeli and Arab hackers against government websites and communications infrastructure on both sides. To date, no such action has been publicized short of an Information Operation being conducted on Twitter between the IDF and the al-Qassam Brigades.

However, back in October when the missile attacks first began, the IDF announced that it was stepping up its recruiting efforts for computer-savvy soldiers. This announcement came the day before the IDF was to hold an awards ceremony honoring 12 soldiers "engaged in the army's cyber-defense activities".  I checked on the likelihood that offensive cyber operations by the IDF would be included in Operation Pillar of Cloud with retired Mossad officer, Michael Ross, who told me that it's safe to say that "every IDF operation includes cyber network attacks of a greater or lesser scale."

Finally, there's this announcement which appeared today on Twitter:

While it's too early to know for sure the scale of cyber warfare running concurrently with this operation, one thing is certain. The Middle East is proving to be the best practical "lab" there is for studying what does and doesn't constitute acts of cyber warfare.

UPDATE 16NOV12 0424PST: Arab hacker group Oujda-Tech Group (formerly Mr. Ben Laden) defaced 40 Israeli websites (non-government) to protest Gaza missile strikes.

UPDATE 15NOV12 2000PST: Th3J35t3r takes down Hamas-friendly websites including "" and "".

UPDATE 15NOV12 1728PST: Anonymous aligns itself with Gaza and against the IDF:
[W]hen the government of Israel publicly threatened to sever all Internet and other telecommunications into and out of Gaza they crossed a line in the sand. As the former dictator of Egypt Mubarack learned the hard way - we are ANONYMOUS and NO ONE shuts down the Internet on our watch. To the IDF and government of Israel we issue you this warning only once. Do NOT shut down the Internet into the "Occupied Territories", and cease and desist from your terror upon the innocent people of Palestine or you will know the full and unbridled wrath of Anonymous.
UPDATE 15NOV12 1110PST: Evan Kohlmann (@IntelTweet) posted via Twitter today: "Hackers in Gaza have leaked 35,000 credit card numbers of "Zionist civilians" as a "response from the lions to the aggression of the Jews."


Early Warnings: Cyber and Kinetic Warfare in Gaza (

Tuesday, November 13, 2012

Have iSight Partners - PayPal - Skype Bypassed Due Process?

The recent incident involving the release of Skype user data to law enforcement by iSight Partners raises serious due process questions; especially considering the rapid growth of the cyber intelligence sector. iSight Security, Inc. dba iSight Partners is a privately owned cyber intelligence firm based in Dallas, TX that was founded by John Watters after he sold iDefense to Verizon. According to their website, the company provides insight into malware actors and threats to their corporate and government clients.

Two of iSight's corporate clients are PayPal and Microsoft's Skype. According to the Dutch journalist who broke the story, PayPal hired iSight to investigate Anonymous after it coordinated DDoS attacks against PayPal in protest of PayPal's blocking payments to Wikileaks in 2011. In the course of doing work for PayPal, iSight discovered the alias of a person who they believed was a member of Anonymous and found that it matched a Skype name. An iSight employee then contacted Skype, another client company of iSight's, and asked for the user data that accompanied the Skype name. Skype complied since it had a contractual relationship with iSight.

NOTE: Apparently if you're a Skype customer, your data can be shared with any other company that partners with Skype per its Privacy policy:

Except as provided below, Skype will not sell, rent, trade or otherwise transfer any personal and/or traffic data or communications content outside of Microsoft and its controlled subsidiaries and affiliates without your explicit permission, unless it is obliged to do so under applicable laws or by order of the competent authorities. 
Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone's rights, property, or safety.

Either Skype sees its relationship with iSight as an affiliate or it sees its sharing of info as a way to protect its interests. Either way, it completely bypasses the necessity for a warrant. However, iSight turned that protected information over to the Dutch authorities without being presented with a warrant or having been part of any due process to protect the Dutch citizen's rights.

I understand from a confidential source that Skype (or possibly Microsoft) is investigating iSight's actions in that regard to ensure that it never happens again. This could be especially damaging to Microsoft since it's already on the EU's radar from past legal disputes regarding anti-trust matters. Although I've tried to get iSight to comment on this incident, no one from the company has replied to my email requests.

UPDATE (13 NOV 2012): The larger issue is the question that iSight refuses to answer. Does iSight co-mingle this type of data between client companies and share it with law enforcement or other government organizations thus bypassing privacy rights in the U.S., E.U. and elsewhere?

OSCE's Cyber Security Confidence Building Measures Revealed by Anonymous

Anonymous exfiltrated a second, smaller batch of documents from OSCE's webserver (OSCEPA.AT) on November 11, 2012, even after the organisation knew that it had been attacked. This second batch of documents contains up-to-date information on the OSCE's Internal Working Group 1039 whose mandate (.pdf) is to create cyber security Confidence-Building Measures (CBMs) that would reduce the risk of cyber conflicts. The chairman of the IWG 1039 is U.S. Ambassador Ian Kelly.

The latest revised draft set of CBMs was circulated in a document marked RESTRICTED among IWG 1039 members on November 7, 2012 in preparation for their meeting today, November 13, 2012 in Dublin. They are as follows:
  1. Participating States will voluntarily provide their national views on some aspects of national and transnational ICT security. These may include, but are not necessarily limited to, views on doctrine; strategy; norms; lessons learned; real and potential threats; protective measures; concepts of operating in cyberspace.
  2. Participating States will voluntarily share information on national organizations, programmes, or strategies relevant to their ICT security. This information will include the organization of the structures and a description of their mandate. Participating States will nominate a contact point to facilitate communications and dialogue on ICT-security matters.
  3. Participating States will voluntarily provide contact details of existing official national Computer Security Incident Response Teams (CSIRTs), or equivalent official national structures, so that national experts can enter into a direct dialogue. Participating States will update contact information annually but in any event no later than thirty days after a change has occurred.
  4. In order to reduce the risk of misunderstandings in the absence of agreed terminology, participating States will on a voluntary basis provide a list of national terminology related to ICT security accompanied by an explanation or definition of each term. It will be for each participating State to select those terms they deem most relevant for sharing.
  5. Participating States will voluntarily exchange views on how existing OSCE mechanisms, such as the OSCE Communications Network, maintained by the OSCE Secretariat's Conflict Prevention Centre, could be used to facilitate communications regarding incidents involving ICTs, (e.g. establishing protocols to ensure rapid communication at high levels of authority, to permit concerns to be raised at the national security level.)
  6. Participating States will, at the level of national experts, meet at least three times each year, within the framework of the Security Committee and its Informal Working Group established by PC Decision 1039 to discuss information exchanged and explore appropriate development of this initial list of confidence building measures as well as others that might be candidates for future consideration.
This set of draft CBMs is for discussion by the members. One of the documents included in the latest batch (Comments_AZE_IWB_1039.doc) offers comments from the delegation of Azerbaijan, endorsing proposals made by Lithuania; both delegations want to considerably beef up the language with a few intriguing suggestions:
General comment: Proposed list of CBMs, in general is not result-oriented and does not identify any imperative actions. All proposed CBMs are based on voluntary actions and most of them are already carried out by pS through other various international and regional organizations. We need some more concrete actions that define the responsibilities of the Participating States for the incidents stemming from the use of ICTs. 
Specific comments:
  • Support the proposal made by Lithuania to add the following CBM to the list: “Participating States will refrain from directing malicious cyber activities against critical infrastructure vital to the wellbeing of civilians, such as telecommunications, energy, transportation and financial systems”;
  • We support the following proposal made by Lithuania, as well: “Participating States will accept responsibility for their national cyberspace jurisdictions”.
  • Moreover, in addition to the CBMs defining the responsibilities of the states for their actions in the cyber-space, it is very important to identify also the responsibilities of the States over their ICT companies to act in accordance with national legislation of other Participating States.
The concept of a nation state being held responsible for attacks emanating from servers within its borders has come up for discussion within U.S. DoD too. It would certainly make attribution a lot easier if we could simply point to the geolocation of an IP address and say case closed. Unfortunately, that's a completely unrealistic scenario, since Internet Service Providers aren't regulated entities and because web servers are easy to compromise (i.e., OSCEPA.AT).

Most of the suggested CBMs are voluntary and fairly ineffective even if put into practice. That's probably due to the fact that the membership of this committee is heavily loaded with policy makers and lawyers and has very few technologists or security engineers. The attack that was levied against the OSCE by Anonymous was apparently of the same variety that its members prefer - looking for easy pickings against poorly-protected web servers. The first confidence building measure that these OSCE national experts should draft is to invoke an Assumption of Breach security framework. In other words, expect to be breached and keep your sensitive documents in a separate, controlled and monitored environment; i.e., not on a web server.

Friday, November 9, 2012

OSCE Breached; Internal Documents Posted by Anonymous

The Organization for Security and Cooperation in Europe decided in 2011 to take on cyber security as one of its missions. The reality of threats in cyber space for the OSCE has become even more real now that their internal network has been breached in early November, 2012 by an unknown person or persons and the stolen files uploaded to There has been no public acknowledgment from the OSCE that they have even had a breach. Frane Maroevic, Deputy Head of Press and Information for the OSCE told me in an email that "We condemn any illegal publication of confidential documents and will not comment on any such material."

The documents that Anonymous have posted are clearly genuine although it isn't known how they were obtained nor has anyone claimed responsibility for the attack. In addition to election monitoring reports and briefing books for Ukraine, Bosnia and the United States, there are internal RESTRICTED documents as well as emails and contact lists whose contents could be leveraged by bad actors to target members of OSCE and others with spear phishing or other types of targeted attacks.

Several of the documents referred to the "Informal Working Group Established Pursuant to PC Decision 1039" along with a list of its members. The purpose of this group is to establish "a breakthrough on Confidence Building Measures (CBM) designed to enhance cyber security. Our goal must be to maintain the momentum so as to outline a set of Confidence Building Measures in time for adoption at the Ministerial Council in Dublin." I asked Mr. Maroevic if he saw the value in demonstrating such CBMs right now in the face of their own breach. As of the time of this posting there's been no response from Mr. Maroevic.

The Dublin Council meeting mentioned in that document is scheduled to meet on December 6-7, 2012, however a captured Bi-weekly work schedule shows a meeting of the 1039 Working Group happening in Ireland on November 13, 2012 at 15:00. I expect this incident will be the highlight of their meeting especially since the names and email addresses of all of the members were part of the collection of documents posted to

I'll update this post with any new developments from OSCE and/or from our examination of the documents.

UPDATE (09NOV12 2314GMT): A source representing Anonymous has claimed credit for the attack against OSCE. They breached the server which is the OSCE Parliamentary Authority hosted by; an Austrian service provider. The attack vector was not revealed although it may have been SQLi or perhaps an employee was compromised via a malicious payload delivered in a .pdf attachment.

Mr. Maroevic told me after my original article was posted that due to the sensitivity of the issue, the OSCE was unable to comment any further.

Wednesday, October 31, 2012

What's Happening at Russia's MEPHI and China's Key Lab of Aerospace Information Security?

Each month, Taia Global's Science and Technical Intelligence Flash Traffic brief looks at key R&D projects in any one of 14 nation states' research facilities, including those of Russia and China. Tomorrow, November 1st, we will feature some key projects being worked on at one of the Russian Federation's premier universities (Moscow Engineering Physics Institute - MEPHI), which specializes in information security with customers in the Ministry of Defense and the Security Services.

An additional area of coverage in tomorrow's report will be two key labs in China - the Key Lab for Intelligent Networks and Network Security and the Key Lab of Aerospace Information Security and Trusted Computing.

If you believe, as I do, that threat intelligence isn't just about malware signatures, then I'd like to invite you to become a subscriber to this service. You can buy a single issue for $65 or subscribe for the year for $500. Annual subscribers will also receive free copies of the Russian Federation Information Security Framework 2011 and 2012. Thanks for your support.

Active Defense as a Chinese Military Strategy for Informatized Warfare

U.S. Secretary of Defense Leon Panetta said in a speech in New York City on October 11, 2012 that “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President.” This is known as active defense and it's a strategy that China had adopted back in the mid-90’s when the PLA decided to mount a revolution in military affairs in order to confront the U.S. military’s new network-centric warfare doctrine.

Recent military writings published in the journal China Military Science continue to emphasize the need for an active defense:[1]
“While post-emptive moves are a self-defensive strategy of defense upon which our military must insist in the opening of war, it is not an effective way to seize the initiative on the informatized battlefield. To achieve the goal of seizing the initiative, the art of controlling war situations in the initial stage of combat must emphasize active offense, striving to dominate the enemy by capturing early moments of opportunities and conquering the enemy in early battles.”
“[O]ur military’s seizure of early moments of opportunities to dominate the enemy by conducting offensive operations cannot be separated from the basic requirements of active defense.”
According to Timothy L. Thomas[2], the author of many books on both Chinese and Russian Informatized Warfare, an informatized offense is part of China’s active defense plan. This is best described in a 2005 article published in Chinese Military Science “Systems of Military Strategy in the Information Age” about which Thomas writes:[3]
“The primary objective consists of paralyzing an opponent’s strategic command systems to introduce the deterrence function. The five steps to this process are striking at an opponent’s strategic command system, their economic foundations, that nation’s transportation infrastructure, the human resources of the country (especially reserve personnel), and the armed strength of the country in question.”
This 5-part strategy was refined in 2011 in a paper written by Ye Zheng and Zhao Baoxian, “How Do You Fight a Network War?”[4] wherein the authors detailed the following 5 operational forms:

  • Network intelligence
  • Network paralysis
  • Network defense
  • Network psychology
  • Network-electromagnetic integration

Finally, Major General Dai Qingmin, author of New Perspectives on War[5], wrote about the need to expand an information attack beyond combat systems to include the enemy’s critical infrastructure (financial, transportation, communication, and power).

System of Systems
In 2010, Chairman Hu Jintao used the phrase “System of Systems” in describing priorities in strategy and planning for the People's Liberation Army[6]. Unfortunately, the exact meaning of the phrase is difficult to determine. It isn’t a concept that’s unique to China. U.S. military writers used the phrase as early as the mid-90’s.[7] Tim Thomas dedicated a chapter in his book to exploring this important topic but wasn’t able to come to a clear distinction between what it means for the PLA versus the U.S. Armed Forces. Thomas quotes one PLA research fellow who said the difference came down to “capabilities and objectives” between the two nations.

In this author’s opinion, the phrase System of Systems as used by Chinese military theorists refers to an over-arching strategy that assumes network dependence by both sides and seeks to gain control over a greater system within which network-centric warfare is a subset. One example might be the dependence that critical DOD bases have upon the public power grid. The local energy provider will be a much softer target than the military base and the base is most likely entirely dependent upon it. Another example of a System of Systems strategy may be corrupting the supply chain that provides the integrated circuitry used in weapons systems. The bottom line is that when faced with a superior adversary, you don’t attack the adversary directly. You attack the systems which sustain him.

Active Defense Workshop at Suits and Spooks DC
This blog post comes from the research that I've been doing for my next book "Assumption of Breach" which will feature a chapter on Active Defense. I'll also be conducting a one hour workshop at Suits and Spooks DC on Feb 8-9, 2013 which examines active defense in Chinese and Russian military theory. Hopefully, Dr. Thomas will get approval from DoD to speak as well. He's been invited - confirmation is pending. Registration is limited so I encourage you to sign up early.

[1] Thomas, Timothy L., Three Faces of the Cyber Dragon, Foreign Military Studies Office, Fort Leavenworth, KS, 2012, p. 144
[2] Lieutenant Colonel Timothy L. Thomas, U.S. Army, Retired, is a senior analyst at the Foreign Military Studies Office (FMSO) at Fort Leavenworth, Kansas. He holds a B.S. from the U.S. Military Academy and an M.A. from the University of Southern California.

[3] Thomas, ibid, p. 151

[4] Ye Zheng and Zhao Baoxian, “How Do You Fight a Network War?”, Zhongguo Qingnian Bao Online, 3 June 2011

[5] Dai Qingmin, New Perspectives on War, PLA Publishing House, 2008, p.64 (quoted by Thomas, ibid)

[6] Li Huamin, Zhang Kejin, and Fu Wenwu, “Fierce Tigers of Tashan Ask for Directions in Guangxi – Record of Actual Events about Group Army of Guangzhou Military Region Building Greater Capability for System of Systems Operations,” Jiefangjun Bao Online, 30 July 2010 (quoted by Thomas, ibid)

[7] Manthorpe Jr., W.H., "The Emerging Joint System-of-Systems: A Systems Engineering Challenge and Opportunity for APL," Johns Hopkins APL Technical Digest, Vol. 17, No. 3 (1996), pp. 305–310.

Friday, October 26, 2012

10 Years Ago Today - Another Build-up to War on Bad Intelligence?

10 years ago in October 2002, a National Intelligence Estimate (NIE) was produced whose findings concluded that Iraq had Weapons of Mass Destruction. In February, 2003, SECSTATE Colin Powell addressed the U.N. Security Council on that same subject. His remarks were based entirely on source material vetted by intelligence analysts. That speech was the U.S. case - and his case - for going to war against Iraq. On March 19, 2003, the U.S. invaded Iraq for reasons that later proved false.

It didn't take long for the U.S. and the world to see that the rush to war against Iraq was a colossal error in intelligence and good judgment. Colin Powell to this day regrets the speech he made before the U.N. An investigation into the intelligence failures leading up to war with Iraq - "Report of the Select Committee on Intelligence on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq" - laid out the many analytic failures that informed Powell's speech and the Bush Administration's position in minute detail.

Now we seem to be laying the political groundwork for yet another war in the Middle East - this time against Iran. While there's no doubt that Iran wants to acquire nuclear weapons, there's a lot of doubt regarding how close that is to happening. Iran has only been successful at enriching low levels of uranium in low amounts. It's certainly a serious problem and one that needs addressing, but it's not in and of itself sufficient cause to go to war over yet. So let's pile on another layer of threat - Iran's capability to cause a "cyber Pearl Harbor" or the cyber equivalent of "9/11". In order to underscore those threats, Secretary Panetta pointed to two recent cyber attacks: the DDoS attacks against major U.S. banks allegedly performed by an Iranian hacktivist group that no one had ever heard of before, and the Shamoon attacks against Saudi Aramco and RasGas which the Secretary referred to as a "very sophisticated virus". In reality, Shamoon is neither a virus nor sophisticated. It was a quick and dirty piece of malware (a worm), probably reverse-engineered from the original Wiper (not Flame) that struck at Iran's oil ministry back in April. Half of its functionality didn't even work properly due to a coding error. And the DDoS attacks were most likely the work of an Eastern European criminal gang who specialize in banking attacks and decided to mask this one with an Iranian hacktivist false flag.

The bottom line on Iran is that both its uranium enrichment and its cyber warfare capabilities are not fully developed. There are lots of other countries, including the U.S., its allies, and some adversary states, who are far more advanced than Iran in both of those categories. While it's certainly possible that at some point in the future the West will have no choice but to go to war with Iran, we aren't there yet and certainly not for the reasons given by Secretary Panetta. I have nothing but respect for the current Administration but I cannot in good conscience watch a repeat - or what even smells like a repeat - of the 2002-2003 build-up to war with Iraq happen a second time. Not while I have a voice and an opportunity to try to stop it by calling out errors in facts when I see them.

Wednesday, October 24, 2012

Ridiculous Administration Premise on U.S., Iran, and Saudi Aramco

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe does a country who was on the receiving end of multiple perceived U.S. cyber attacks go after an entirely different nation in revenge?

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order. 

1. Iran makes a threat to SA - Don't increase your oil production. 
2. SA ignores the threat and increases production anyway.
3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.
2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone? 

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April, so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame because the connection between Flame's creators and Stuxnet/DuQu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect for her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times premise" since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Monday, October 22, 2012

The Most Important Cyber Issue in 2013: Offense as Defense

Between SECDEF Panetta signaling Iran and other states that the U.S. won't tolerate increased cyber attacks without a response and the increasing impatience on the part of the private sector of being legally restrained from doing anything when they see their stolen data sitting on a foreign server, I predict that the most important cyber topic of 2013 will be active defense. In fact, we had a lively discussion about this very topic last Thursday at Suits and Spooks Boston.

In order to provide a forum where the various implications of taking offensive action under the umbrella of active defense can be explored, debated, and tested, I've decided to dedicate our next Suits and Spooks event to this critical area. I've also expanded it from a single day to a two-day event that will feature hands-on labs in addition to plenary sessions. And unlike SNS Boston, journalists will be welcome at SNS DC 2013.

Two speakers and one lab that are already lined up include Dr. Boldizsar Bencsath, director of the Laboratory of Cryptography and System Security, Budapest, whose lab first discovered DuQu; Richard Bejtlich, the Chief Security Officer of Mandiant; and, via IRC in one of our labs, th3j35t3r (hacktivist for good). Dr. David Bray, who had been earlier announced, may have a conflict on either of those days so his may be a last minute appearance. Many more speakers and labs will be announced in the coming weeks.

It will be held in the same venue as our February 2012 event - The Waterview Conference Center; a spectacular space overlooking the Potomac river and the Capital from the 24th floor. I'm inviting both national and international experts to participate and am open to your suggestions for the types of labs that you'd like to participate in, as well as receiving inquiries from companies who'd like to be a sponsor.

As is our custom, attendance will be capped at 100. I've set up a super early bird rate in order to help keep your costs associated with attending low. Considering the controversial nature of this topic in combination with its criticality, I fully expect this event to sell out. See you in DC.

Suits and Spooks DC: Offense as Defense
  • February 8-9, 2013 at the Waterview Conference Center, Arlington, VA
  • Featuring plenary and breakout sessions (labs)
  • Two Continental breakfasts
  • Two lunches
  • A free signed copy of my new book "Assumption of Breach: A New Security Paradigm" (O'Reilly Media, 2013)
Super Early Bird $225.00 (until November 9, 2012)
Early Bird $395.00 (until January 9, 2013)
Standard $595.00 (until February 7 or when the event is sold-out)
Wednesday, October 17, 2012

Fact-checking Secretary Panetta's Speech Regarding a Preemptive Strike

In an important speech on Thursday night, Defense Secretary Leon Panetta spoke about how the Department of Defense has improved capabilities to protect the U.S. against the threat of a catastrophic cyber attack; that if such an attack were imminent, the U.S. would strike first. While this statement was clearly meant to deliver a message to Iran, which featured prominently in the Secretary's remarks, the U.S. lacks the technical ability to deliver on that threat.

According to the Law of Armed Conflict, a nation state must be under imminent threat of an attack which will cause grievous harm to its populace before it can launch a pre-emptive strike in self defense. Rather than a traditional kinetic attack, Secretary Panetta specifically referred to a cyber attack by "an aggressor nation or extremist group [who] could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals". The Secretary went on to say that "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President".

The fact is however that neither the NSA nor any other agency has the ability to identify a malicious program that was custom-written to target an industrial control system before the attack occurs. It cannot "see" such a program traveling across the Internet backbone assuming that were the delivery method. More likely, as in the case of Stuxnet, Shamoon, and other malware, it would be hand-carried onto the target's premises and inserted via removable media into a networked computer which bypasses the capabilities of any NSA-run signals intelligence program to identify it.

Even if we had the ability to discern the purpose and target of malware in-transit, we'd also have to know which nation state was behind it. Although Secretary Panetta claimed that DoD has made "significant advances" in determining attribution, there's ample reason to doubt that statement - the most obvious being the Secretary's own words that "DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." Anonymity has provided much of the impetus for the increasing number of automated and targeted attacks against the U.S. and other countries. Those attacks are on the rise because anonymity remains intact.

U.S. offensive cyber warfare capabilities are second to none. But in the words of General Peter Pace, the former Chairman of the Joint Chiefs of Staff, we cannot defend against what we send out, and since what we have sent out (like Stuxnet) is being reverse-engineered, we should re-think whether our being in a weak defensive state is really the best time to be running offensive cyber operations in the first place.

Tuesday, October 16, 2012

My Talk on Cyber Warfare and China's Active Defense Strategy

I'm very pleased to be able to announce that I'll be speaking at The New York Military Affairs Symposium in New York City this Friday, October 19th with renowned historian Dr. John Prados. If you're in the city or close by, please attend and introduce yourself. My portion of the evening will include a discussion of China's use of Active Defense as part of its informatized warfare strategy (China doesn't use the term "cyber warfare"). I'll also include comments on SECDEF's recent speech, Iran's cyber operations, and the attack against Saudi Aramco's facility.

Also, if you're in or near the Boston area, it's not too late to register for Suits and Spooks. Dale Peterson of Digital Bond's talk on how to simultaneously compromise multiple power facilities is going to blow everyone away, and rather than hearing whispers about Israel's cyber capabilities, a former IDF hacker will tell you first hand how he and a red team would run a full spectrum (cyber and kinetic) offensive op against a power plant. The full agenda and registration info can be seen at the above link. Don't miss this one.

Friday, October 12, 2012

U.S. SECDEF on Attribution - A Little Too Optimistic?

U.S. Secretary of Defense Leon Panetta gave a speech on Thursday, October 11, 2012 at the Business Executives for National Security (BENS) Eisenhower Award dinner in New York City where he made the following statement:
In addition to defending the Department’s networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses. The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack. Over the last two years, the Department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments. Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.
With great respect for our former Director of Central Intelligence, now SECDEF, I don't believe that we're anywhere near being able to identify sophisticated adversaries in cyberspace beyond giving code names to anonymous hacker groups or recognizing certain TTPs. For one thing, five seconds before Secretary Panetta made the above remarks he said "Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." So clearly, if we have "made significant advances to link our cyber adversaries to an attack" and we're still fending off thousands of cyber actors probing DoD networks every day, then someone didn't get the memo!

In fairness, the Secretary didn't say that we are able today to solve the attribution problem. He said that we're making "significant advances" which is too nebulous a phrase to have a fact-based discussion about. The reason why I'm skeptical is because attribution is the kind of hard challenge that DOD farms out to private contractors, who sub-contract that work out to specialists at boutique security firms and I know a lot of those firms. They're all still focused on finding an answer by focusing on the forensics, and the answer won't ever be found through pure forensic research. Why? Because everything that we know about forensics is also known by our adversaries thanks to 900 security cons held worldwide annually and because our adversaries in cyberspace are highly skilled.

It's also ironic that while the SECDEF talks about our growing ability to deter through attribution, that it was the U.S. who was caught conducting a cyber-sabotage operation against Iran's Natanz nuclear fuel enrichment plant, and is suspected in two other high profile cyber attacks (DuQu and Flame). If anyone has demonstrated their ability to disguise their own cyber attacks while attributing the attacks of others, it would be Russia. Many of the U.S. security companies who promote their ability to identify bad guys to the DOD and IC never seem to catch Russia doing anything, yet Kaspersky Labs produces report after report post-Stuxnet on malware that seems to have originated with the U.S. Perhaps we could solve our attribution problem by hiring more Russian security engineers.

Tuesday, October 9, 2012

OSINT analysis of U.S. capabilities to attack industrial control systems

I'm very pleased to announce that Sean McBride, co-founder of Critical Intelligence, is our latest speaker at Suits and Spooks Boston. With Sean's addition, we'll have the most aggressive set of talks on how to take down critical infrastructure that I've ever seen at any security conference. Here's a summary of Sean's presentation:

Title: OSINT analysis of U.S. capabilities to attack industrial control systems

Critical Intelligence provides industrial control systems (ICS) security stakeholders with actionable intelligence pertinent to protecting information assets that operate physical critical infrastructure. This presentation, which fuses official military doctrine, state department leaks and sanction lists, control system vendor forum comments, online resumes, and traditional news reports, represents the most comprehensive OSINT effort to characterize the capabilities of the United States government to attack ICS undertaken to date.

Before coming to Critical Intelligence, Sean instituted and led the situational awareness effort for the Department of Homeland Security (DHS) Control Systems Security Program (CSSP) at the Idaho National Laboratory (INL).

The complete agenda and registration information for Suits and Spooks Boston is here. We only have a few seats remaining so register today and don't miss this opportunity to get no FUD, in-depth, solid information on offensive tactics against CI.

Monday, October 1, 2012

October Research Priorities for Brazil, China, Iran, Russia, S. Korea, Taiwan

My firm, Taia Global, has launched a new monthly report called S&TI (Science and Technical Intelligence) Flash Traffic Monthly Brief, and today the first issue went out to our subscribers. We use foreign language search and country experts to do a monthly round-up of high priority research and development projects underway in 14 nation states: Brazil, Bulgaria, China, France, Germany, India, Iran, Israel, The Netherlands, Romania, Russia, South Korea, Taiwan, and Ukraine.

In this inaugural issue, we covered the six states mentioned in the title. Here's a sampling of some of the projects that we reported on:
  • EADS plans to co-develop Continuous Detonation Wave Engines at Skolkovo Innovation Center in Moscow
  • Iran's new spy drone is an exact replica of Israel's Hermes 450
  • Brazil is auctioning off-shore oil leases if foreign companies will open and fund R&D labs in Brazil's technology corridor.
  • South Korea plans to produce indigenously-developed surface-to-air guided missiles next year
The October issue is now available for $42.50, or you may contact us for information on our annual subscription. It's a condensed report, fully sourced, delivered in plain text via your email inbox.

Friday, September 28, 2012

Fact-checking the Iranian DDoS Attacks Against US Banks

There's a boat-load of misinformation being dispensed by CNN and Bloomberg about the DDoS attacks targeting our largest U.S. banks. Since this involves erroneous quotes from certain cyber security executives along with a U.S. Senator, I think a little fact-checking is in order.

Bloomberg: "Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo (WFC) & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults."

FALSE. This was a Distributed Denial of Service (DDoS) attack. Nothing was "breached". The web servers that hosted the banks' online services were overwhelmed by "calls" (requests) and couldn't handle them all.

Bloomberg: "Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly."

FALSE. There's no one that I know at the NSA (past or present) who believes that customer inconvenience resulting from a DDOS attack against their bank's website is a "worst-case scenario". That's utterly ridiculous.

Bloomberg: "The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to (Dmitri) Alperovitch and (Rodney) Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said. “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said."

CNN: "To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a 'botnet.'"

FALSE. This attack did not take months to plan for two reasons: 1) This was a crowd-sourced opt-in botnet commonly used in social activism (aka hacktivist) attacks, and 2) No one needs to create a botnet from scratch anymore. You can find them to rent on pretty much any hacker forum world-wide.

CNN: "Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.
"I don't believe these were just hackers who were skilled enough to cause disruption of the websites," he said. "I think this was done by Iran ... and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

BULLSHIT. There are lots of good reasons for tensions to exist between Iran and the U.S. but this isn't one of them. If you read the excellent open source analysis done by Dancho Danchev you'll see that this was nothing more than Islamic activists protesting the "Innocence of Muslims" video.

Pastebin notice by the Qassam Cyber Fighters group
If Senator Lieberman thought this would be a good opportunity to do some Iran-bashing in order to drum up support for his cyber security legislation, he miscalculated. This statement by the Senator only serves to reinforce the feeling by many that Congress is out of touch with the problem and is in no position to create new cyber security controls or policies.

Meet the Person who is helping set the R&D priorities for the U.S. Intelligence Community

Dr. David Bray of the Office of the Director of National Intelligence (ODNI) is giving the keynote talk at Suits and Spooks Boston: Offensive Tactics Against Critical Infrastructure. I've asked Dr. Bray to speak because he's the principal strategist for a national commission whose mandate is to determine the high priority research topics for the U.S. Intelligence Community over the next 10 years. I've had the privilege of speaking with him and his colleagues at the commission and found them to be very well-informed, inquisitive, open-minded and highly motivated. If you provide services to any of the 16 agencies of the U.S. Intelligence Community, you should be very interested in the work of Dr. Bray and his team. His bio follows:

Dr. David A. Bray currently serves as Principal Strategist and Senior National Intelligence Service Executive with the National Commission for Review of Research and Development Programs of the U.S. Intelligence Community. He oversees a team of interagency assignees working with twelve Congressionally appointed bipartisan Commissioners and with the Executive Branch, per Public Law 111-259, reviewing the full range of current research and development programs under the purview of the IC, to include individual agencies, IARPA, DARPA, In-Q-Tel, and others.

He previously served as Executive for Innovation, Integration, and Interoperability, Office of the Program Manager, Information Sharing Environment starting in 2010. The Program Manager has government-wide authority to plan, oversee the build-out, and manage use of the ISE to implement the President’s terrorism-related information sharing priorities. Dr. Bray’s work focuses on empowering the ISE partnerships of five communities – Defense, Intelligence, Homeland Security, Foreign Affairs, and Law Enforcement – in support of whole-of-government solutions for assured information sharing, protection, and access.

Prior to joining ISE, Dr. Bray served as a strategist at the Institute for Defense Analyses and the Science and Technology Policy Institute. In 2009, he deployed to Afghanistan as a Special Advisor to STRATEGIC EFFECTS for NATO’s International Security Assistance Force and U.S. Forces Afghanistan, with the task of helping to “think differently” on critical strategic efforts.

Dr. Bray also served as IT Chief for the Bioterrorism Preparedness and Response Program at the U.S. Centers for Disease Control and Prevention, where he led the technology aspects of the bioterrorism program’s response to 9/11, anthrax in 2001, SARS, and other outbreaks. He started working for the government in 1993, providing strategy on crisis response, collaboration, cybersecurity, national intelligence, information sharing, and innovation. He has worked as a senior developer and project manager for the government and private sector.

Dr. Bray holds a PhD in information systems, an MSPH in public health informatics, and a BSCI in computer science and biology from Emory University, alongside two post-doctoral associateships with the Massachusetts Institute of Technology’s Center for Collective Intelligence and the Harvard Kennedy School’s Leadership for a Networked World Program. He also serves as a Visiting Associate with the National Defense University and on the Board of Directors for the Senior Executives Association.

The Early Bird rate for Suits and Spooks Boston will end on October 1st. More information including how to register can be found here.

Tuesday, September 25, 2012

Faulty Attribution Analysis by RSA's VOHO Report Negates Its Findings

RSA's First Watch Research and Intelligence Team just released its VOHO report (.pdf) with the declaration that China was responsible (aka "APT"). Their attribution analysis was summarized in two paragraphs:
RSA FirstWatch research has revealed an exploit and compromise campaign with connections over the past 8 months.  The collected data suggests that this attack was orchestrated and carried out by threat actors commonly referred to in the industry as “APT”:
  1. Use of the “xKungFoo” script kit for victim redirection
  2. Use of attack methodology that matches motives seen in past APT attacks – most notably such as those seen in the Aurora and GhostNet campaigns
  3. Use of the “gh0st” remote access tool (RAT) in this and previous campaigns
  4. Use of command and control infrastructure in the Hong Kong area in this and previous campaigns
  5. Gross impact on almost 900 unique organizations
  6. Targets of Interest and Opportunity being geographically disperse in addition to industrial & vertical diverse with a heavy concentration in the following areas:
    • International finance & banking
    • Technology
    • Government – municipal, state, federal and international
    • Utilities & energy
    • Educational
    • Defense Industrial Base (DIB)
    • Corporate Enterprise
The possibility exists that this was intentional misdirection on the part of the attackers in regards to their origin (emphasis added). However, the RSA FirstWatch team believes the data supports our analysis and this is further evidence of APT intrusion into United States government and corporate assets.
Of those two paragraphs, only one sentence was dedicated to alternative analysis (the one in italics). While it may seem like I'm picking on RSA, they aren't the only InfoSec company that performs lazy, biased analysis. Every company that has issued a report which included a section on attribution has failed to assess the alternatives in a non-biased, rigorous manner (.pdf). RSA's VOHO report can serve as an example of what I mean. Readers are encouraged to look for these types of analytic errors in other InfoSec reports as well.

Use of "xKungFoo script"
The authors referenced the work of researcher Mila at Contagio Dump. While it's true that the xKungFoo script is written in Chinese, that doesn't mean that Chinese hackers were responsible, nor does it mean that a person of Chinese descent wrote it. I personally know Russian, American, and Indian engineers who speak and write Chinese fluently. More importantly, as Mila pointed out in the same blog post footnoted by RSA's researchers, the xKungFoo script is widely available for anyone to use, so even if it was originally created by a Chinese hacker, it doesn't mean that it was used by Chinese hackers in all instances.

Use of Attack Methodology that Matches Motives Seen in Past APT Attacks - Watering Hole Specifics
The authors acknowledge that "the idea of using a target’s interests and likely access points is not a new method of attack" but that its scale is notable. The authors go on to note the array of websites that were used as lures:
  • Related to Boston, MA
  • Related to political activism
  • Related to Washington DC Metro area
  • Related to the Defense Industrial Base
  • Related to Education
There's nothing in this grouping which would attribute this attack to any one State or non-State actor.
Additionally, the authors wrote that "one of the main sources of infection for these campaigns were sites that support the cause of democratic process in non-permissive environments, or the communication of information related to free speech." That's way too broad an assessment to come to any conclusion on attribution. In fact, this entire section of the report doesn't include a single piece of evidence that would uniquely identify an attacker.

Use of GhostRAT
Under the report's Attack Methodology section, it refers to the use of Ghost RAT, a widely available Remote Access Tool which anyone can use. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China's government.

Use of Hong Kong ISPs
The geolocation of command and control servers is probably the weakest evidence that one can give when assigning attribution, especially when the suspected attacker is China - the world's most popular cyber villain.

Targets of Interest
The targets of interest mentioned by the authors are too broad to be attributed to any one nation state. In fact, the targets of interest combined with the use of widely available malware and Hong Kong-based C&C servers makes it more likely that this was the work of an Eastern European hacker crew who was casting a wide net for data that it could sell to interested third parties.
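The objection running through the five sections above is a methodological one, so here is an added example (not from the original post and not from RSA's report) that puts RSA's indicators into an Analysis-of-Competing-Hypotheses style matrix. The hypothesis set and every consistency rating are this example's own assumptions, chosen to mirror the arguments made above; the point it demonstrates is that an indicator which fits every hypothesis equally well (a public kit, a public RAT, rentable hosting in Hong Kong) has no diagnostic value, so stacking up four of them does not add up to attribution.

```python
"""Added example, not from the original post or from RSA's report: an
Analysis-of-Competing-Hypotheses style matrix for the VOHO attribution indicators.
The hypothesis set and every consistency rating are this example's own assumptions,
chosen to mirror the objections raised in the post."""

H1 = 'H1: PRC state-directed actor'
H2 = 'H2: criminal crew casting a wide net for saleable data'
H3 = 'H3: other non-state actor'
HYPOTHESES = [H1, H2, H3]

# Ratings: 'C' the indicator is consistent with the hypothesis, 'I' inconsistent,
# 'N' no bearing. Each row is one of the indicators RSA listed, rated as argued above.
VOHO_MATRIX = {
    'xKungFoo kit (Chinese-language, freely available)':     {H1: 'C', H2: 'C', H3: 'C'},
    'Watering-hole lures (Boston, DC, DIB, activism sites)': {H1: 'C', H2: 'C', H3: 'C'},
    'gh0st RAT (public tool, also used in GhostNet)':        {H1: 'C', H2: 'C', H3: 'C'},
    'C2 servers hosted in Hong Kong':                        {H1: 'C', H2: 'C', H3: 'C'},
    'Roughly 900 organizations across many verticals':       {H1: 'N', H2: 'C', H3: 'N'},
}


def diagnostic_indicators(matrix):
    """Only indicators rated differently across hypotheses can discriminate between them."""
    return [name for name, row in matrix.items() if len(set(row.values())) > 1]


def inconsistency_counts(matrix, hypotheses):
    """ACH scores a hypothesis by how much evidence contradicts it, not by how much fits."""
    return {h: sum(1 for row in matrix.values() if row[h] == 'I') for h in hypotheses}


def assess(matrix, hypotheses):
    """Attribution is supported only if exactly one hypothesis has the fewest inconsistencies."""
    counts = inconsistency_counts(matrix, hypotheses)
    fewest = min(counts.values())
    survivors = [h for h in hypotheses if counts[h] == fewest]
    return {
        'diagnostic': diagnostic_indicators(matrix),
        'inconsistencies': counts,
        'surviving_hypotheses': survivors,
        'attribution_supported': len(survivors) == 1,
    }


def with_indicator(matrix, name, ratings):
    """Return a copy of the matrix with one more indicator row added."""
    new = dict(matrix)
    new[name] = dict(ratings)
    return new


if __name__ == '__main__':
    print(assess(VOHO_MATRIX, HYPOTHESES))
    # What it would take: a hypothetical indicator that contradicts two of the three hypotheses.
    stronger = with_indicator(VOHO_MATRIX, 'Hypothetical: tooling never observed outside one actor',
                              {H1: 'C', H2: 'I', H3: 'I'})
    print(assess(stronger, HYPOTHESES))
```

Run as-is, the matrix leaves all three hypotheses standing with zero inconsistencies each; the only row that discriminates at all (the breadth of the target set) points away from a single state rather than toward one. The second run adds a purely hypothetical row to show the shape of evidence that would actually narrow the field: something rated inconsistent with the alternatives, not merely consistent with the favourite.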

Intelligence is a two-part process: collection and analysis. RSA and its peers, by virtue of their widespread customer base, do a very good job with the collection of data but they fail in performing rigorous analysis. Further, because RSA is a vendor in the business of gaining market share, it's good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than on any other nation state. When the cyber security industry issues PRC-centric reports like this one without performing any alternative analysis of the collected data, and when the readership of these reports consists of government and corporate officials without the depth of knowledge to critically analyze what they're reading (i.e., when they trust the report's authors to do the thinking for them), we wind up in the position that we're in today - easily fooled into looking in one direction while an entire threat landscape is left unattended. We got into that position because InfoSec vendors have been left alone to define the threat landscape based upon their product offerings. In other words, vendors only tell customers to worry about the threats that their products can protect them from, and they only tell them to worry about the actors that they can identify (or think that they can identify). This has resulted in a security awareness clusterfuck of epic proportions. For more information on how the threat landscape should be defined (versus how it's being defined by security vendors), see my paper "Intelligence Preparation of the Information and Communications Environment".