Tuesday, June 26, 2012

2012 Russian Federation Information Security Reference

This book is an updated version of the 2011 Russian Federation Information Security Reference. It consists of original research and analysis conducted by Taia Global's veteran intelligence analysts, who have recently retired from the U.S. intelligence community. The information was acquired through open sources on the Russian Internet (Runet) over a period of 8 months. This book is the culmination of many hundreds of hours of work. It contains findings that will be of use to corporate executives and their boards, law enforcement, intelligence agencies, and the military. It is unique in the marketplace and has been priced accordingly.
This book contains in-depth reports on the following key agencies and one private company:
  • The Russian Federal Security Service (FSB) Center for Electronic Surveillance of Communications (TSRRSS) is responsible for the interception, decryption, and processing of electronic communications. The Center—also known as the 16th Center (Directorate) FSB and Military Unit (Vch) 71330—is directly subordinate to the FSB Director.
  • Federal State Unitary Enterprises (FGUP) supervised by the Federal Security Service (FSB). The list included the Orion Research and Development Center located in Moscow. Orion provides a range of information technology services including research, development, testing, consulting and certification of software and hardware.
  • FGUP STC Atlas is responsible for developing and certifying information technology (IT) security and cryptographic systems for the Russian government.
  • FGUP Center-Inform is the leading Russian state-owned systems integration company for information technology (IT) and information security.
  • The Russian firm OOO Speech Technology Company (STC) provides surveillance and monitoring equipment.
  • Kaspersky Labs is licensed to provide classified work for the FSB and Defense Ministry.

To Order: US$159.00

Contact Jeffrey Carr to order.  

Wednesday, June 20, 2012

Arquilla's "Cool War" is Fiction

In this article for Foreign Policy, John Arquilla poses the question "Could the age of cyberwarfare lead us to a brighter future?". Arquilla proposes that it will, but his article utterly fails to make the case.

He builds his case for pure cyber war as an alternative to kinetic war by using Stuxnet as an example claiming that it achieved "a serious disruption of Tehran's nuclear enrichment capabilities -- and possibly of a secret proliferation program." The fact is that Stuxnet caused limited disruption (by design) and it failed to halt Iran's nuclear enrichment program. It's also important to note that Stuxnet was only discovered because the malware design was flawed, which underscores the fundamental problem with Arquilla's imaginings of the efficacy of a pure cyber war. The effects of malware are often unpredictable and unpredictability is the enemy of military planners.

Later, he suggests that Flame, the cyber espionage tool which apparently infected Iran's network years before the Stuxnet worm was created, demonstrates how cyber espionage can replace old school tradecraft - "The code that comprises it seems to make the point that we no longer need physical agents in place if we can now rely on artificially intelligent agents to dredge up the deepest secrets." This is as ridiculous a notion as the one that Arquilla offers about cyberwarfare replacing boots on the ground. Both Chinese and Russian intelligence services continue to recruit human assets for acts of espionage even as they utilize cyber espionage as a force multiplier. HUMINT isn't going away - ever.

Arquilla writes that "On balance, it seems that cyberwar capabilities have real potential to deal with some of the world's more pernicious problems, from crime and terrorism to nuclear proliferation. In stark contrast to pitched battles that would regularly claim thousands of young soldiers' lives..." I challenge Professor Arquilla to present even a shred of evidence that supports his fantasy that this future could ever come to pass. I don't know what John Arquilla's motivations are behind this embarrassingly weak article, but I wouldn't accept this from a student, let alone a professor of his standing.

Tuesday, June 19, 2012

BREACH ALERT: Putin Makes Unmanned Aerial Systems Development a National Priority

“Intelligence ... aims at supporting the process of modernization of our country and
creating the optimal conditions for the development of its science and technology.”
- Mikhail Fradkov, Director, SVR, December 2010

Source: Moscow Times
One of the easiest ways to determine what data is at risk is to know the strategic imperatives of those countries that engage in "technology transfer" and industrial espionage. Russian president Vladimir Putin has made it clear that he's a supporter of espionage as a tool to be used in Russian technology development. A recent article in RIA Novosti discussed Putin's call for long-range bombers and Unmanned Aerial Systems. Russia plans to spend US$13B on UAS development over the next eight years. Part of that technology development strategy is almost certainly going to be acquiring intellectual property on related technology from foreign firms.

Two good examples of companies at risk are Boeing and General Atomics. Boeing, which has a defense, space and security division alongside its civil aircraft division, has 170,000 employees in over 70 countries, including Russia. General Atomics, which makes the Predator drone, has an affiliate office in Moscow. In fact, GA was recently praised by Russian military analyst Konstantin Makiyenko.

Any foreign business operating inside Russia which holds technology vital to Russia's national security interest will be contacted by the Russian Federal Security Service (FSB). Under article 15 of the FSB law, those companies are obliged to provide assistance to the Federal Security Service in carrying out its assigned duties, which could include a wide range of possibilities including the examination of source code. All communications emanating from those companies, including landline, VoIP, mobile, and satellite, will certainly be harvested electronically, and entirely legally, by the FSB.

While I'm using Russia and these two U.S. companies who do business there as examples, this same problem exists in many other nations which have active industrial espionage operations. It is a major part of a company's threat landscape and one that is frequently being ignored because (a) it doesn't involve a spear phishing email or a piece of malware and therefore doesn't fit the business model of most cyber security companies and (b) defending against it requires a specialized skill set.

Wednesday, June 13, 2012

R&D Priorities for 13 Nation States: a White Paper

One of the ways for companies to identify their critical data is to know what they have that's valuable to others.

My company assists our clients with that effort by regularly monitoring the R&D budgets and research priorities of several dozen nation states. Today, I'm making available the latest research that we have on 13 nation states in one white paper. If you'd like a free copy, just send your request via email.

Monday, June 11, 2012

The Ian Somerhalder Foundation and Project Grey Goose Team Up To Stop Poachers

[Press Release 12 June 2012] A former CIA chief targeting officer (Nada Bakos) and an international authority on cyber warfare (Jeffrey Carr) have teamed up with the Ian Somerhalder Foundation to apply pressure on Rhino poachers as well as the governments who allow them to operate. “We’re going to look at online forums and identify the more active groups that use this for monetary gain,” Bakos said. “We will review their tactics, how they move the illegal goods, how they accept payment and provide our findings to the appropriate law enforcement agencies.” This part will be done by Carr’s open source intelligence cell known as Project Grey Goose - a group of volunteer law enforcement, intelligence, and data professionals working on their own time to tackle hard security challenges. 

While Project Grey Goose’s collection, analysis and sharing of actionable intelligence is one part of the solution to this problem, it does nothing to solve the other part - lax enforcement of the existing laws by certain foreign governments such as Mozambique and China. Those governments and others like them only act when public pressure and media exposure places an intense spotlight on their failure to enforce existing laws. That’s where the Ian Somerhalder Foundation comes in. The IS Foundation has a successful track record of mobilizing thousands of youths and adults in the service of helping the environment and animals in need. When Carr approached the IS Foundation’s executive director Kim Klingler about this particular project, she and her team were immediately supportive. 

This week the IS Foundation will begin mobilizing their volunteer base to prepare for the July launch of the joint Project Grey Goose/IS Foundation’s Rhino Rescue Tribe campaign. The IS Foundation’s global reach means that thousands of young people will be given tools to send emails, sign online petitions and create viral videos asking why China tolerates the wholesale slaughter of an endangered species when it can act to save them.
This type of collaborative, crowd-sourced solution may succeed where governments and agencies have their biggest challenges. Jeffrey Carr and Nada Bakos will be presenting a preliminary progress report for the media on June 29th at the SuitsandSpooks.com event in Los Angeles, CA.

Sunday, June 10, 2012

Josh Corman at Suits and Spooks LA: Adapting to the Age of Anonymous

I'm very pleased to announce that one of the most respected names and original thinkers in the InfoSec world will be speaking at Suits and Spooks LA on June 29th - Joshua Corman, the Director for Security Intelligence at Akamai Technologies. His topic will be "The Rise of the Chaotic Actor: Adapting to the Age of Anonymous".

Abstract:  "One can't go a week these days without hearing or talking about what Anonymous just did - or what they're planning to do next. While some see these chaotic actors like Anon, LulzSec, and derivatives, as Chaotic Good like Robin Hood... others see these actors as Chaotic Evil like the Joker (see also http://www.csoonline.com/article/682511/the-rise-of-the-chaotic-actor-understanding-anonymous-and-ourselves ). Most of the veterans in the IT Security community have sustained a cognitive dissonance about them. At DEFCON 19, a few of us confronted the issue (and active participants). We found that much of the narrative in the press fails to understand their varied motives, permutations, and evolutions of these pockets of chaotic actors. We also saw the groups are experiencing some of the growing pains and complications we expected them to (and some we didn't) as this saga unfolds. Regardless of our understanding, Chaotic Actors are here to stay - and we must better understand the implications of these powerful factors. Every action has a reaction, so we must be conscientious and deliberate about how we adapt to the age of Anonymous."

"Together we'll frame some of the timeline and facts behind this Renaissance of Hacktivism. We'll get specific about some of the incidents, outcomes, victims and collateral damage left in the wake of those attacks. We'll build upon the insights, discussion, and debates from our DEFCON "Whoever Fights Monsters" panel (including our exchanges on "Building a Better Anonymous"). We'll outline the white paper the panelists crafted post-DEFCON. Last, we'll explore how organizations can intelligently adjust their threat models and risk postures in the face of this developing reality."

Besides Josh, our speakers include Rob DuBois (retired Navy SEAL), former CIA Chief Targeting Officer Nada Bakos, former FBI Supervisory Special Agent Jason Smolanoff, China intelligence analyst Matt Brazil, and more. The complete speaker list and agenda can be found here. The link to register is below. Be sure to click an arrow to see if any of the pricing options apply to you.


Saturday, June 9, 2012

LinkedIn Either Failed To Meet Industry Standards Or Standards Need To Be Raised

In light of this breach of 6.5 million LinkedIn password hashes (mine was included in that group), I took a closer look at LinkedIn's "Security" section of its Privacy Policy:
Personal information you provide will be secured in accordance with industry standards and technology (emphasis added). Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
The first question that I had after reading this was: what's the "industry standard" that LinkedIn should be held to? It didn't salt its password hashes, and it used a hashing algorithm (SHA1) that has known weaknesses and which NIST discourages for certain applications. In 2010, a German researcher demonstrated how he could crack a six-character SHA1-hashed password in 49 minutes at a cost of $2.10 using Amazon's cloud service.
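To make the salting point concrete, here is an added example (not from the original post or from LinkedIn) contrasting the scheme described above, a single unsalted SHA1 of the password, with a per-user salted, deliberately slow PBKDF2 hash, plus a small audit helper that flags the telltale sign of unsalted storage: identical digests for users who share a password. The iteration count, salt length and storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters for the hardened scheme (illustrative, not LinkedIn's).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def sha1_unsalted(password: str) -> str:
    """The weak scheme the post describes: one bare SHA1 of the password.

    Every user with the same password gets the same digest, so one
    precomputed table covers every account that shares that password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a random per-user salt.

    Returns "pbkdf2_sha256$iterations$salt_hex$digest_hex" so the verifier
    can recover the parameters without a side table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stored hash and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never a match
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def duplicate_digest_count(digests: List[str]) -> int:
    """Audit helper: number of distinct digests stored for more than one user.

    An unsalted store leaks shared passwords as repeated digests; a salted
    store should report 0 even when several users chose the same password.
    """
    counts: Dict[str, int] = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample: three accounts, two of which share a password.
    passwords = ["password", "password", "Tr0ub4dor&3"]
    print("unsalted duplicates:", duplicate_digest_count([sha1_unsalted(p) for p in passwords]))
    print("salted duplicates:  ", duplicate_digest_count([hash_password(p) for p in passwords]))
```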

LinkedIn apparently doesn't have a CSO or CISO, which for a publicly traded company communicates the message that security is not a priority. Considering that they still don't know how this breach occurred, and the minimal attention paid to password security, I can't help but wonder how secure the credit card information is which LinkedIn stores for its premium account holders.

I'm closing my LinkedIn account in protest at LinkedIn's poor handling of this breach. I still haven't been notified by the company that my password was one of the 6.5 million stolen, and I hate the fact that security is so far down their priority list. LinkedIn was a professional convenience, but it's no longer worth the risk as far as I'm concerned.

Thursday, June 7, 2012

The Myth of the CIA and the Trans-Siberian Pipeline Explosion

There's a well-known expression that if you repeat a rumor often enough, it becomes a fact. Such is the case with the oft-repeated rumor that the CIA was responsible for the Trans-Siberian pipeline explosion in June, 1982 by sabotaging the SCADA system that ran the pipeline. The latest iteration of that rumor was in the Washington Post's special report on cyber security called Zero Day. The rumor is based upon two sources - The Farewell Dossier and Thomas Reed's book "At The Abyss: An Insider's History of the Cold War". The Farewell Dossier is an authentic historical document on a joint CIA/DOD/FBI operation in the 80's which centered around a Russian defector code-named "Farewell". As part of the deception operation:
"contrived computer chips (would make) their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory. The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft. The Soviet Space Shuttle was a rejected NASA design. When Casey told President Reagan of the undertaking, the latter was enthusiastic. In time, the project proved to be a model of interagency cooperation, with the FBI handling domestic requirements and CIA responsible for overseas operations. The program had great success, and it was never detected."
So that part is true. However, former Air Force Secretary Thomas Reed apparently assumed that the Trans-Siberian pipeline explosion in June, 1982 was what the Farewell Dossier was referring to when he wrote his book. Actually, according to an informed source from one of the three-letter agencies, that explosion had nothing to do with CIA sabotage and everything to do with a Russian engineer who, when discovering a leak in the pipeline, simply kept increasing pressure to maintain the flow of natural gas.  The gas leak kept building and building until a passing Russian train sparked the gas cloud and KA-BOOM. It was a true disaster but it certainly didn't qualify as a "key event in cyber history". Cyber had nothing to do with it. Instead think Chernobyl and the Sayano-Shushenskaya hydroelectric dam explosion in August, 2009.

Tuesday, June 5, 2012

Google's Worst Security Idea Ever

Today, Google announced that it will notify a subset of its Gmail customers if they're the victim of a State-sponsored attack. The actual wording is "Warning. We believe that state-sponsored attackers may be attempting to compromise your account or computer." However as you read further down Google's blog posting, it seems like an actual attack isn't required to receive this warning. Google may send it to you if they believe that you "may" be targeted.
If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware ....
The warning then makes recommendations that you increase your security by selecting a strong password, using Google's two-step verification, updating your browser, etc.

There are so many things wrong with this new Google initiative that I hardly know where to begin.

First, it generates fear on the part of Google's customers because regardless of the fine print, such a warning will most likely send the recipient into panic mode when there's no reason to panic.

Second, it makes a claim which upon investigation is so vague that it's meaningless. You may be the victim of a state or someone working on a state's behalf? That's pretty much the case for all targeted attacks.

Third, if you are a target of interest for a foreign intelligence service (FIS), one of the first things you should do is STOP USING GMAIL or any popular cloud-based service that cannot guarantee you where in the world on its many data farms your data resides. If the Mossad, the FSB, the MSS, or the NSA is interested in you, they'll find a way to legally and covertly intercept your data without sending a spear phishing email to your Gmail account.

Spear phishing attacks are used by both financial cyber criminals as well as hacker crews who, having cracked a high value target's account, will sell that information to a FIS, a corporate competitor, or some other customer. Security advice for a high value target (which is what my firm specializes in) could range from moderately to highly restrictive depending on who you are but one thing's for sure. None of Google's recommendations will keep you safe if you're in that group.

On the other hand, if you aren't a HVT, read my article "Cyber Self Defense for Non Geeks" to understand what your best security options are. The bottom line as far as Google's advice is concerned is that it's FUD-inducing for the people who aren't targets and it's insufficient for those who are. I have to wonder what Google was thinking when it created this awful program.

Saturday, June 2, 2012

Stuxnet, Disgraceful Conduct and the Next Growth Industry

For over a year I was one of the few people who was convinced that the U.S. wasn't behind Stuxnet. When New York Times journalists William J. Broad, John Markoff, and David Sanger wrote "Israeli Test on Worm Called Crucial in Iran Nuclear Delay", I criticized them for producing no verifiable evidence as well as misstating some facts. Almost 18 months later, David Sanger published an excerpt from his forthcoming book that had so many confidential details about the U.S. and Israeli operation called "Olympic Games" that there's no longer any doubt as to which nation state is responsible for the world's first cyber weapon - mine. The United States. I was wrong and I'm sick about it - but not because I had guessed it was China. I had laid out my reasons for my assessment and I made it in good faith. I don't mind being wrong about my analysis. At least I made an analysis, which was more than most people did. No, what I'm sick about - horrified actually - is that so many U.S. citizens with security clearances who had sworn oaths to protect their country gave up everything about a highly classified program at the request of a journalist. It's my sincere hope that each and every one of them is caught and prosecuted to the fullest extent of the law. And - if any of you are reading this blog - your lack of honor disgusts me.

I'm also very worried about the consequences that we'll face as a country now that it's known that we once again broke the barrier of introducing a new weapons system that no one in the world had ever before used (at least that anyone knows about). We have a history of this so the consequences are easy to predict.

Nuclear weapons proliferated after our use of them against Japan. Unmanned Aerial Systems are being developed in over 130 countries after our introduction of them in Afghanistan. Now it's known that the U.S. with Israel's help has virtually attacked and caused physical damage to an industrial control system in another nation's nuclear laboratory. The blow back on this is going to be monumental and so will the pressure by the Pentagon on Congress to increase cyber-related spending because of a world-wide development race thanks to our own operation Olympic Games. If you're wondering what the next growth industry is going to be for the next 20 years, you can stop wondering. It'll be cyber munitions.

UPDATE (06JUN12): The FBI has opened an investigation into those leaks.