Wednesday, February 29, 2012

Anonymous Declares War Against the U.S.; And Calls "Bullshit" At The Same Time

Here's a glimpse at the confusing landscape of a "stateless nation". I spent some time yesterday on Twitter speaking with a variety of individuals who associate themselves with Anonymous over a literal declaration of war against the U.S. by Anonymous. Here are links to the video and its transcript. It contains pretty inflammatory language:
We are not calling upon the collective to deface or use a distributed denial of service attack on a United States government agency website or affiliate. We are not calling upon the people to occupy a city or protest in front of a local building. This has not brought on us any legislative change or alternate law. It has only brought us bloodshed and false criticism. For the last 12 years, voting was useless. Corporations and lobbyists are the true leaders of this country and are the ones with the power to control our lives. To rebuild our government, we must first destroy it.
Our time for democracy is here.
Our time for real change is here.
This is America’s time, to have its own revolution.
Therefore, Anonymous has decided to openly declare war on the United States government. This is a call to arms. We call upon the Citizens of the United States to stand beside us in overthrowing this corrupted body and call upon a new era. Our allegiance is to the American people, because they are us, and we are them.
Operation V, engaged.
Although the video in question looks like other Anonymous videos, the operation has been called "bull shit" by Anonymous IRC and other individuals who consider themselves part of the collective. It's also been labeled a "fake op" on YouTube.

Operation V points out a serious problem for Anonymous. By having no centralized authority, it leaves itself open to repercussions from the U.S. government for questionable operations launched by pretty much anyone who feels like it. The organizers or "old fags" could easily see the non-violent protest organization that they worked to create over the years become radicalized by "new fags" who have no respect for their efforts and will subvert it to their own ends. A declaration of war against the U.S., fake or not, may come with serious consequences for the group and its members, including those who don't support it.

Thursday, February 16, 2012

Reflections on Suits and Spooks DC

It's been one week since the Suits and Spooks DC (SNSDC) event took place and I've made four of the presentations given that day available for download. Not all of the speakers, including me, wanted their information available outside of the protected venue that we offer, so for those of you who couldn't make it last week, watch for our upcoming announcement of Suits and Spooks LA this summer. Yes, the next event will be in Los Angeles, probably Santa Monica, to be specific. The exact date and venue are still being explored, but I can tell you that it will be held on a Friday so that, if you're traveling in, you can enjoy the weekend on the beach afterwards.

The general consensus of those attending Suits and Spooks DC was overwhelmingly positive. Dr. Mark Drapeau attended and wrote a review of SNSDC: "Suits and Spooks Rendezvous for the Greater Good". It was my hope that by inviting a multi-disciplinary lineup of speakers some common themes would emerge, and in fact that's what happened. One of the points that I made in my opening remarks was that we should re-assess which attacks should be investigated and which should be let go. The FBI and US-CERT are overwhelmed with tracking everything from probes against government networks to DDoS attacks to targeted attacks against the Defense Industrial Base. That's far too much to expect any agency to do, let alone ones burdened with budgetary and staffing problems. One of John Robb's 27 Rules was that "it’s better to damage and impair a network than to completely destroy it, because it forces the target to use up more resources for repair." That's what Anonymous is succeeding at doing so brilliantly: using up massive amounts of federal, state and local resources in multiple countries without ever actually destroying anything. Someone needs to conduct a hard target evaluation on whether Anonymous attacks deserve the same importance as the theft of critical data or attacks against critical infrastructure.

While Anup Ghosh gave example after example of how inept our past approaches to information security have been, Dan Geer made an elegant argument for the need to harness the world's "unemployed geniuses who are, incidentally, desperate for a job" rather than continue to turn over our security to machines. Jonathan Hutson started off his remarkable presentation on the Satellite Sentinel Project by explaining that the worst question one can ask when faced with a seemingly impossible task is "how can I help?" The passivity of that question doesn't fare well against insurmountable odds. A far better question, Jonathan explained, is "what needs to be done?" Then do it, no matter how impossible the problem looks to be. That's great advice, regardless of the challenge.

Tuesday, February 14, 2012

Cyber Threats Require An Expansion Of The Sensitive Countries List

The website Public Intelligence has released Sandia National Labs and the Department of Energy's Sensitive Countries List. This is a list of 26 countries where approval is required for a visit or an assignment by a DOE employee because the country is known to engage in activities which may be contrary to the interests of the U.S. Of those 26 countries, I've identified 11 that are also developing CNO (Cyber Network Operation) capabilities, including CNE (Cyber Network Exploitation):
  • Democratic Peoples Republic of Korea (North Korea)
  • Peoples Republic of China (including Hong Kong)
  • Georgia
  • India
  • Iran
  • Israel
  • Kyrgyzstan
  • Russian Federation
  • Syria
  • Republic of China (Taiwan)
  • Ukraine
There are actually many more countries with these capabilities that do not appear on the Sensitive Countries List, and I'm hopeful that that will change in the next few years.

Wednesday, February 1, 2012

Did Symantec's 2006 Breach Impact These High Risk Customers?

The fact that Symantec (NYSE: SYMC) never knew that its 2006 source code had been compromised until the Lords of Dharmaraja announced it was astoundingly bad news. As the world's largest vendor of security software, it's more than just an embarrassment; it puts all of its corporate and government customers at risk, because if Symantec didn't know the extent of its breach back then, how do Symantec's customers know that their current product line is safe to use? Nothing that Symantec has said since it acknowledged the loss of its Norton source code has addressed this core issue of why they didn't know that their source code had been breached and what they're doing differently to be sure that it doesn't happen again. Until they answer those critical questions, the security of their entire product line should be considered at risk.

I've begun looking at which of their post-2006 customers have been attacked, for a talk that I'm giving next week at Suits and Spooks DC. This doesn't mean that their customers' breaches were the result of Symantec's own poor network practices, nor does it rule out the possibility that other breaches may have occurred that were never discovered. I hope, however, that it will illustrate the potential scope of this problem and encourage Symantec's customers to put pressure on the company to fully disclose what happened and put its own house in order. Here's a small sampling of what I've found so far:

NASDAQ
NASDAQ suffered a breach of its network in early 2010 which wasn't discovered until February 2011. It's been blamed in part on NASDAQ's use of out-of-date software and uninstalled security patches. As a Symantec customer, NASDAQ used Endpoint Protection, which was included in the list of products affected by the 2006 source code breach.

U.S. Department of Energy
The Energy Dept and its many agencies and national labs have been Symantec customers since before 2006. The cyber security breaches that have occurred during those years and up to the present (five last summer alone) are too numerous to recount; however, this GAO report describes some of the security problems at Los Alamos National Laboratory's unclassified network, including weaknesses in its remote access policies. It'd be interesting to know if pcAnywhere was used to facilitate that remote access.

Other U.S. Government Departments
Symantec's government customers include every major department including:
  • Department of Justice
  • Department of Homeland Security
  • Department of Treasury
  • Department of Defense
  • Department of Commerce
  • Department of Energy
  • Department of Health and Human Services
  • Department of Agriculture
  • Department of Veterans Affairs
  • Department of the Interior
  • General Services Administration
  • Executive Office of the President
  • Federal Trade Commission
All of these departments (and this is not a complete list) have used Symantec products during the years from 2006 forward, which means that any of them could have been victims of a person or group who exploited their knowledge of Symantec's stolen source code to successfully breach their network at will. This isn't limited to its U.S. customers either. The British government's entire email system has been managed and secured by a Symantec subsidiary since 2008. I'll be addressing that in more detail on Feb 8th. In the meantime, which is more likely: that someone acquired Symantec's source code and did nothing with it, or that they did?