Monday, August 27, 2012

The ST&I Flash Traffic Monthly Brief on International Priority R&D

S&TI Flash Traffic is Taia Global’s monthly summary of R&D activities for 14 high risk nation states (i.e., states with high levels of hacker activity and/or acts of cyber espionage). Its content consists of priority research topics, awards, joint ventures, etc. on a state by state basis. These topics compose a virtual "shopping list" for foreign intelligence services or mercenary hacker crews. The states that we track include:
  1. Brazil
  2. Bulgaria
  3. China
  4. France
  5. Germany
  6. India
  7. Iran
  8. Israel
  9. Netherlands
  10. Romania
  11. Russia
  12. South Korea
  13. Taiwan
  14. Ukraine
Access to this type of Scientific and Technical Intelligence has many benefits:
  1. Help a company’s security operations center identify which files should be considered high value (thus treated differently)
  2. Provide informed guidance on which actors are interested in obtaining those files
  3. Receive competitive intelligence on product R&D
  4. Use for in-house red team exercises (opposition research)
The standard annual subscription rate for S&TI Flash Traffic is $500 but our introductory rate until October 1, 2012 is only $250. All new subscribers will also receive a free copy of the 2011 and 2012 Russian Federation Information Security Framework (a $308 value).

Our inaugural issue will be sent out via email on October 1, with recurring issues on the first of each month thereafter so please subscribe today. Your free copies of the 2011 and 2012 RF Information Security Frameworks will be delivered on a CD via Priority mail.

Who's Responsible for the Saudi Aramco Network Attack?

Saudi Aramco R&D headquarters
At least three different hacker groups have claimed responsibility for the August 15th, 2012 attack against Saudi Aramco's network which damaged 2000 servers and up to 30,000 workstations but which failed to impact the segregated production and exploration networks. Only two of the three groups are named and neither of the two have an Internet history associated with their names.

The first, which calls itself the Arab Youth Group, uses terms like "evil Al-Saud" and "Al-Saud traitors" and specifically refers to Lebanon and the Forqan War (aka Operation Cast Lead 12/2008-1/2009) which at least one Iranian hacker crew - the Ashiyane Security Group - participated in.

The second hacker group call themselves the Cutting Sword of Justice. They posted multiple pastebins containing proof of the scale of the attack in the form of compromised IP addresses of servers. They also posted the start date and time which corresponds to the code string found in Shamoon. Their posts lacked the religious phrasing of the Arab Youth Group and emphasized "tyranny" and "oppression" instead.

The third hacker group is the one which announced a second attack on 25 Aug 2012 at 2100 GMT in order to prove that they didn't need an insider's help. That attack doesn't appear to have been successful. The Cutting Sword of Justice specifically referred to them as a separate group and their phrasing and word choice is different from that used by the Arab Youth Group. This third group seems to be a late comer and can be dismissed as an active participant in the attack. And while the Arab Youth Group and Cutting Sword of Justice have claimed responsibility, the timing and circumstances of the attack elevate it beyond either of those groups ability to conduct it alone.

Iran and Hezbollah
According to the analysis that's been done on Shamoon by Kaspersky Labs, it appears to be related to the Wiper virus that struck Iran's oil ministry last April. None of the security labs have a copy of Wiper but since Iran was the victim, it would be in the best position to produce a similar or reverse-engineered version that Kaspersky has named Shamoon.

Hezbollah, a Shi'a militant group based in Lebanon receives financial and political support from Iran. Since Hezbollah members include hackers, and since Iran's decision to recruit hackers to join the ranks of its Basij paramilitary corps in late 2010, Hezbollah's possible involvement in this attack against Saudi Aramco must be properly evaluated.

In fact, a Saudi Arabian minister in 2007 was quoted in a U.S. diplomatic cable in which he expressed his fear that Saudi Aramco had some employees who were members of Hezbollah and who were in a position to disrupt oil production.

Lebanese Shi'a Questioned
According to this Arabic website, up to 70 Aramco employees, including Lebanese Shi'a, are being investigated for involvement in the attack. There's not enough information to know if they were investigated because their religious beliefs made them suspect or because there was evidence connecting them to the attack. Knowledgable sources have told me that this number of suspects has been reduced from 70 to 20.

Tension between Iran and Saudi Aramco Over Oil Embargo
The stated motivation for this attack by the Arab Youth Group and Cutting Sword of Justice is a nebulous religious objection which completely fails to acknowledge recent events related to the oil embargo placed upon Iran by the U.S. and European Union that went into effect on July 1, 2012. Is it just coincidence that these groups attacked now? More likely, in my judgment, is that this attack represents retribution for Saudi Arabia's Foreign Minister Prince Saud al-Fisal saying that talks with Iran are a waste of time and that the oil embargo should proceed as planned.

To add fuel to this fire, on July 20 India's Mangalore Refinery & Petrochemicals Limited "bought Azeri, Saudi and Emirati crude to replace imports from Iran in July 2012 and it may halt purchases from Tehran altogether as sanctions make shipments more difficult." Iran responded with a threat to close the Strait of Hormuz if sanctions weren't revoked however that same threat has been made many times before and Iran has never carried it out. A much more likely form of retribution, and one that's considerably safer for Iran, is to sponsor a damaging network attack against Saudi Aramco through a proxy like the Arab Youth Group.

Iran is at the center of every significant aspect of this attack. It is the only nation with access to the original Wiper virus from which Shamoon was copied. Iran is angry at Saudi Aramco for off-setting Iran's drop in oil production due to the Embargo that started 45 days prior to the attack which gives it motive. It supports a militant organization (Hezbollah) that uses hackers and who allegedly has members employed at Saudi Aramco which gives it opportunity and access. While both the Arab Youth Group and the Cutting Sword of Justice involvement gives it the appearance of a mere hacktivist attack, I think that a careful analysis of the known facts points to a state-sponsored attack by Iran that was crafted to look like the work of hacktivists. Perhaps Iran has learned something from Russia about the strategy of misdirection via the government's recruitment of patriotic hackers.

Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Saturday, August 25, 2012

Lessons for CEOs from the Saudi Aramco Breach

Source: Joint Intelligence Preparation of
the Operational Environment (JP 2-01.3)
It's doubtful that Saudi Aramco will issue any substantive statements about the scope of the network attack that it suffered last week. However the information that's been privately shared with me by people with inside knowledge as well as by the attackers themselves reveals enough about the incident to draw certain lessons that CEOs from multi-national corporations (MNC) need to pay attention to. Here are my top 3 recommendations:

1. The Conventional Cyber Threat Landscape Is Too Narrowly Viewed
Most if not all companies' security operations centers are monitoring for the now conventional Advanced Persistant Threat-style of attack and their defensive tactics are geared towards interrupting that attack by use of an "intrusion kill chain". The attack suffered by Saudi Aramco didn't fit this model, and hence would have been completely missed by most of the world's largest companies. A multinational corporation must perform a comprehensive review of its entire threat landscape prior to designing its security framework. This includes evaluating its network exposure through its offices in foreign nations, its vendors (including U.S. vendors) and their relationships with the governments of potential adversary states, compromise of its senior executives while traveling, legal access to its intellectual property (i.e., source code) by foreign intelligence services (FIS) if the company conducts business in those same states, and so on. None of these potential attack vectors rely on spear phishing, social engineering, or other commonly watched-for schemes nor would any of them be caught by the vast array of security software being shopped by vendors today. While MNCs are busy sticking their fingers into the APT holes in their dike, State FIS are quietly re-routing the entire river behind the dike.

2. Companies Need To Pay Closer Attention to the Insider Threat
It's my understanding from a confidential source that the initial infection vector wasn't through a spear phishing attack but instead was via a Shamoon-infected USB stick which was inserted into a workstation in one of Aramco's foreign offices. This required the cooperation of an insider which, in fact, has been a serious and growing threat vector for a number of years. It's also one that conventional defenses like anti-virus, firewalls, and IPS/IDS cannot stop and that more sophisticated defenses like encryption and virtualization are not entirely effective against. This threat vector requires a more specific and potentially intrusive security posture which monitors for early signals that an insider typically presents prior to his malicious act.

3. Companies Cannot Keep a Dedicated Adversary Out of their Network
Saudi Aramco's attackers have threatened another attack today, the 25th at 2100 GMT to prove their ability to cause harm to the company. And the fact is, they can. This is a David and Goliath scenario if there ever was one. The world's wealthiest company cannot stop a small group from successfully performing an attack. No one can. Therefore, the correct course of action for not only Aramco's CEO but every CEO is to focus on being able to absorb an attack and not have it affect its critical operations. This requires making choices between what's critical and what isn't. Keeping your website up 24/7 in the face of a DDOS attack isn't critical. Keeping your oil production from being interrupted is. Keeping your intellectual property from being stolen is. An MNC's CEO and Board of Directors need to perform a difficult but necessary inventory of their corporation's assets and divide them into critical and non-critical groups. Different security protocols and controls need to be applied based upon criticality and resiliency.

While I haven't had the privilege of consulting with Aramco's leadership on their breach, my team and I have provided counsel for other MNCs and the above guidance is a very high level overview of our recommendations in those cases. Obviously, the devil is in the details and specifics on how to implement the above guidance will vary on a company by company basis. The bottom line is that if a company's board still believes that their company is safe from being breached, they have their heads up their collective asses.

Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Thursday, August 23, 2012

The Poor State of Cyber Intelligence

I recently had the privilege of speaking at a government cyber conference which was sponsored by one of the three-letter agencies and which included analysts from all 16 agencies that comprise the U.S. Intelligence Community (IC). Besides myself there were a number of other well-known and well-respected speakers. My session focused on Russia and their technology priorities, but the first question that the moderator asked me had to do with the the fact that I was apparently wrong regarding who created Stuxnet. His point in raising that issue was not to embarrass or shame me but to have me talk about how intelligence analysts must not be afraid to be wrong; about how important the role of negative analysis is along with the dangers associated with mirror imaging (i.e., a cognitive trap in which an intelligence analyst imagines that the target thinks like he does). Another cognitive trap is target fixation, where an analyst becomes fixated on one hypothesis and only sees the evidence that supports it. I see "cyber intelligence" analysts falling into that trap almost all the time.

Regardless of the problems faced by trained analysts in the IC, the state of cyber intelligence as its practiced by information security practitioners and others who are not trained in the science of rigorous analysis is often exponentially worse. The word "intelligence" is used to describe everything from a clipping service to threat data. The only thing worse are the marketing pitches promoting what their so-called "cyber intelligence" product will do for the customer - which is everything short of bringing him to orgasm. Don't call the result of your work analysis if you haven't performed any negative analysis to test your hypothesis. Call it conjecture, or opinion, because that's what it is.

I'm writing a chapter on this topic for my next book "Assumption of Breach" and my paper on the same subject will soon be published by the U.S. Air Force so I'm not going to go into further detail here except to say that if cyber intelligence analysts want to do justice to their craft, I encourage them to read Dick Heuer's "Psychology of Intelligence Analysis" (.pdf) and find ways to apply it to their work in the cyber field. Another excellent resource is "Understanding Rigor in Information Analysis". Right now, between mirror-imaging and target fixation, many cyber intelligence analysts are missing huge gaps in the threat landscape and are doing a great disservice to both their customers and their craft.

Who Needs a Zero-Day? "Plants are Insecure by Design" - Dale Peterson

Dale Peterson of Digital Bond is one of the most respected security voices in the Industrial Control System community. He runs an annual SCADA security conference called S4 that's always filled to capacity and he has equal credibility with the U.S. Intelligence Community (Dale's an ex-NSA'er) and the private sector. His blog post "Suits & Spooks vs. Engineers" is a great read because it underscores an important issue: security engineers talking exclusively to other security engineers frequently results in nothing getting done. Here's how Dale put it in his article:
Over the past ten years have seen dramatic increase in cyber security of a specific DCS or SCADA system occur in two different ways: 
(1) A CEO/COO determines that ICS security is a top priority. In this case the security posture improves dramatically in 2 to 3 years. The security posture is at a level that most in the ICS security community believes is near impossible or doesn’t exist. 
(2) The Operations team determines that ICS security is a top priority. In this case the security posture improves to an appropriate level in 5 to 7 years. Improving ICS security is much more of a time investment than equipment purchase, so with the right emphasis and diligence over years an Operations team can get there. 
So one key is to convince CEO/COO or those that influence CEO/COO that run SCADA and DCS that they need to get serious about securing their ICS. Convince them it is in their best risk management interest to devote resources to this and measure results. Unfortunately, we are reaching few if any CEO/COO at ICSJWG, WEIScon, SANS Summits, … or on this website. 
Of course it would help if those active in ICS security would stop “the soft bigotry of low expectations”. The security deficiencies from insecure by design to basic security implementation vulns are frequently bemoaned, but the same people who recognize the dire situation more often make excuses that call people or companies out to fix the real problem.
Please read Dale's entire article, and if you agree, please support Suits and Spooks Boston by registering to attend and spreading the word. And if you want to add your company's name to the event, we're still looking for one more corporate sponsor.

Wednesday, August 22, 2012

Was Iran Responsible for Saudi Aramco's Network Attack?

I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Armaco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil.

The attackers who call themselves the "Cutting Sword of Justice" probably used Shamoon (Symantec's W32.Disttrack). It destroyed 2000 servers and affected business operations based upon this list of affected IP blocks. It looks like Iran tried to mimic the Wiper virus that was used against its oil ministry last April. Kaspersky called Shamoon a copycat of Wiper. The differences were:
The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.
It's also important to note that Wiper was not Flame; that they are two distinct and separate pieces of malware and that the investigation of Wiper led to the discovery of Flame. Since none of the software security companies have a complete copy of Wiper, it makes sense to me that Iran, the victim of the Wiper attack, reverse-engineered or at least mimic'd it to create Shamoon. Kaspersky Labs noted that the start date of the Aramco attack was August 15 11:08 AM (Arabia Standard Time - AST) per the attackers first pastebin posting. This exactly corresponded with a date and time found in the code "15th August 2012 08:08 UTC". The difference between UTC and AST is +3 hours.

Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker.

I understand that Aramco has been vigorously investigating the attack to determine how their network was compromised and that some firings of employees and contractors have already occurred. I've asked Saudi Aramco's public affairs office for a comment but so far no one has returned my call.

UPDATE (23AUG12): I've received new information from knowledgable sources that the attack vector for delivery of the worm was via a USB stick inserted into a workstation at one of Aramco's global offices (not in Saudi Arabia). Further, the timing of the attack was carefully chosen to be one hour before the end of the work day which was the end of the month of Ramadan and the start of the Eid holiday.

Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Sunday, August 19, 2012

Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors and More

After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years dating back to the late 80's when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company or Saudi Aramco.

In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell’s market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employes over 500 engineers and scientists in two R&D facilities:
  1. "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
  2. "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"
I'm including data on Aramco's R&D and patents because in my professional judgment, that's the best way for CEOs and Boards of Directors to plan for and justify their IT security budget - as a percentage of their annual R&D investment. While it's clear that Aramco has a lot to protect, what's not clear is why Aramco's leadership has made so many bad decisions or received such bad security advice. The following information in italics comes directly from the emails that I received and in my opinion helps explain why the company is struggling to defend against what Kaspersky Labs has called the work of some "script kiddies". More importantly however is that if the below information is accurate, then the company has probably experienced multiple breaches that it never discovered; breaches targeting its R&D, mining data, or other valuable IP over the course of several years just like many other oil and mining companies in the U.S., Australia, Brazil, Canada, and elsewhere have reported.

Here are the issues:

All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."

Security Administered by Part-time Contractors
The second major mistake is when Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staffs. To be more clear, those contracted firms use temporary manpower to manage the networks. 

The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.

If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.

Insider Threat 
Those contracted companies hire employees from Asian counties for low salaries and have them do this work. If any of those workers gets a better deal somewhere else he will quit the IT function and go. But those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about Saudi Aramco system. They can go to Iran and work there with this information.

Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management.  It was rumored that each of those outsourced contractors is being fostered by a big figure in management in a way that is difficult to verify.

Each of these is a major problem on their own but combined it means that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the State-owned company should handle its network security.

UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that one of the oil plant's gate access system and intruder detection systems are down.

Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Operations Security at Saudi Aramco? Zero.

Friday, August 17, 2012

Operations Security at Saudi Aramco? Zero.

The world's largest oil producer Saudi Aramco has apparently suffered a cyber attack according to this announcement on its Facebook page:
Saudi Aramco Responds to Network Disruption  
On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.  
The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network. Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company’s production operations. 
The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems. Saudi Aramco IT experts anticipate resuming normal operations of its network soon.
What's shocking in terms of operational security (OPSEC) is that Aramco employees are publicly commenting on the event and adding information that wasn't disclosed in the announcement, such as:
  • (name and position deleted): "My hard disk crashed, not cool"
  • (name and position deleted) "I lost everything I did for this week too"
Besides poor OPSEC, Saudi Aramco has other major issues with its network security. Oil companies, like power companies, should have air-gapped networks which isolate their industrial control systems from their business networks as well as from the Internet. That appears not to be the case based upon the wording in Aramco's announcement - "the company has isolated all its electronic systems from outside access as a precautionary measure ...". If the systems responsible for its production operations were air-gapped, there'd be no reason to take such draconian measures. On the other hand, the company appears to be relying on McAfee as their security vendor which means that the House of Saud doesn't understand that their anti-virus vendor should never be relied upon for best practices in the area of network security nor should an AV vendor be trusted to perform incident response.

Thursday, August 16, 2012

An Inconvenient Truth: LadyPHP "Cleans" Eugene Kaspersky's Wikipedia Page

Wired's Noah Shachtman wrote a thorough, fact-checked, balanced article about Eugene Kaspersky and his company Kaspersky Labs which properly identified Kaspersky's relationships (business and personal) with the Russian government. I know this because (a) I provided some background research on Kaspersky Labs' Russian activities to Noah and (b) I was contacted by Wired's fact checkers before the article was published. In fact, so was Kaspersky Labs.

Noah's article came out on July 23. Kaspersky posted his criticism of the article on July 25. At some point, the Wired article was added to Eugene Kaspersky's Wikipedia page. On August 3 and August 7, someone with the newly created alias of "LadyPHP" removed all mention of the article as an "un-neutral and un-proven link"- but it's neither. I agree that biographies of living persons should be as accurate and unbiased as possible and Eugene Kaspersky deserves credit for creating a prosperous and successful business in the Russian Federation. However part and parcel of that includes owning the facts about his business relationships with the Russian government. Whoever deleted that reference is only making it appear like Eugene Kaspersky has something to hide.

Monday, August 13, 2012

Request for Code Comment Samples From International and U.S. Programmers

I'm working on a joint project with an expert in linguistic analysis on evaluating the structure and syntax of comments embedded in the source code of malware. As part of the study we need to build a database of sample code comments where we know a few characteristics about the programmer (age, gender, nationality, but no names). If you have some samples that you can provide to us for this study, please contact me ASAP. Feel free to forward this post to anyone who you think would be interested in participating. The results will be published here and in my forthcoming book "Assumption of Breach".

Friday, August 10, 2012

Disruption from Within - the Insider Threat

The publicity, focus and funding associated with advanced persistent attacks and other external threats have left many companies ill prepared to defend against another vector of attack, one that operates below the radar and whose impact can rival that of any external attack - a compromised employee, vendor, supplier - the Insider Theat. Why is it increasing, sometimes  forgotten and how best to protect against it.

I'm pleased to announce that one of the telecommunications industry's leading security professionals will present just such an attack scenario at Suits and Spooks Boston. Henry Shiembob is the Executive Director of Cyber Security and Fraud Operation for Verizon and has responsibility for all global activities related to cyber compliance and investigations, insider threat, supply chain security and external fraud investigations.  Prior to his current role, Henry was Executive Director of International Security for Verizon where he was responsible for all security operations outside the United States; including investigations, physical security, crisis management and executive protection.  Henry also served as the responsible compliance executive for all international operations.

Henry’s career includes over 23 years in risk management, cyber security and international operations, including five years with Kissinger & Associates where he was Team Leader for former Secretary-of-State Dr. Henry A. Kissinger. In this capacity, he directed domestic and international security operations, including risk assessments, executive protection and intelligence briefings and was a government liaison for security matters.

This is one of 15 different offensive talks that you'll hear on October 18th and our attendance will be kept to no more than 130 people to give you ample opportunity to interact with all of our speakers while you're there. If you want to hear and discuss this particular offensive tactic with Mr. Shiembob, then register for Suits and Spooks Boston today. 

Thursday, August 9, 2012

15 Attack Plans To Disrupt or Destroy U.S. Critical Infrastructure

On October 18, 2012 at the Larz Anderson Auto Museum in Brookline, MA, I've invited 15 subject matter experts who will provide unique offensive attack plans designed to disrupt or destroy water, power, transportation, communication, healthcare and banking systems; i.e., the nation's critical infrastructure. There will be no media in attendance nor will any of those presentations be made available to the public. Only the attendees of Suits and Spooks Boston will hear those plans along with the vulnerabilities in each sector that make those plans viable.

This is the most ambitious Suits and Spooks event that I've held to date and the reason why I've organized it is because there's a serious lack of information among decision makers in the public and private sector regarding actual vulnerabilities. Instead what's most often heard are inflated threats of a "cyber 911" or a multitude of technical exploits involving SCADA software and hardware that only about 5% of the population understands. It's impossible to develop effective solutions without first understanding the reality of the threat landscape surrounding critical infrastructure. At SNS Boston, our experts will present offensive tactical plans in precise, non-technical language. I can promise you that the information communicated to you on October 18th will cause you to shift your thinking around security in profound ways. Dale Peterson, for example, will show you how an adversary could take out thousands of power plants around the world and disrupt large parts of the electrical transmission system. Suits and Spooks Boston will be the first time that such a plan has ever been presented.

A few of our subject matter experts include:

COMMUNICATIONS: Mr. Henry Shiembob, Executive Director Cyber Security & Fraud Operations, Verizon.

WATER: Mr. John Sullivan, Chief Engineer at the Boston Water & Sewer Commission; member of the board of directors at the Association of Metropolitan Water Agencies and Chairman of the board of managers at the WaterISAC.

POWER: Mr. Dale Peterson: Dale is an internationally-renowned SCADA security technologist. In addition to his widely read SCADA security blog Digital Bond, Dale has written two Protection Profiles for NIST’s PCSRF, many whitepapers, magazine articles and presentations.

BANKING: Mr. Phil Rosenberg: Director, Deloitte Financial Advisory Services; 39 yrs experience in the collection and analysis of strategic policy relevant and actionable financial intelligence for banks, corporations, and governments.

HEALTHCARE: Mr. Christopher Burgess: COO and CSO, Atigeo; Prior to joining Atigeo, Burgess was senior security advisor to the CSO at Cisco. He also served 30 years within the Central Intelligence Agency, from which he retired and was awarded the Distinguished Career Intelligence Medal.

PHYSICAL PLANT SECURITY: Mr. Rob DuBois: Red Team Operations Manager and Author of “Powerful Peace; A Navy SEAL’s Lessons on Peace from a Lifetime at War”

We are capping our attendance at 130 and limiting our sponsors to no more than 5 in order to provide maximum benefit to everyone who participates. Our current sponsors include Basis Technology, RecordedFuture, and LookingGlass Cyber Solutions (there are two remaining if you're interested). If you register to attend SNS Boston by August 18th, you can take advantage of the super early bird rate of $195, which is a savings of $200. Complete information including how to register is available here.

Was Flame's Gauss Malware Used To Uncover Hezbollah Money Laundering via Lebanese Banks?

Today, Kaspersky announced that it had discovered yet another nation-state sponsored piece of malware that's closely related to Flame (aka Flamer, SkyWiper) called Gauss which targets Lebanese banks:

Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank.

On December 13, 2011, the New York Times published an article on the Obama Administration's claim that Lebanese banks were engaging in money laundering services for Hezbollah. The investigation led to the take down of the Lebanese Canadian Bank and it was at least six years old according to the Times article.

On June 27, 2012, the U.S. Treasury Dept designated four individuals under the Kingpin act for laundering money through Lebanese banks.

There's no question that Lebanon's banking system has been a target of the U.S. government for several years and apparently for good reason. I can easily imagine someone in the IC suggesting that an espionage platform (Flame) which has worked well for many years against Iran be tweaked to help conduct intelligence on alleged money laundering by drug cartels and terrorists via Lebanon's banks. 

Mr. Makram Sadr, the Secretary General of Lebanon's Banks, said on July 4, 2012 that the U.S. Treasury Dept has failed to produce any evidence that Lebanese banks are involved in such activities.

Wednesday, August 1, 2012

Russia's Kaspersky Labs to Develop a Secure O/S for Critical Infrastructure and Military Use

A Russian IT news service has reported that Kaspersky Labs is developing its own secure operating system for use in industrial control systems. One of Eugene Kaspersky's competitors, Renat Yusupov of Kraftway, predicts that Kaspersky is "most likely developing a process control operating system where security is vital. It will probably be used in production, aviation, transport, energy, and may be used for military purposes."

While Kaspersky Labs hasn't made an official announcement, it has advertised for a requirements analyst and a senior security system designer for SCADA automated control systems. The ad which was listed with a HeadHunter website also said that Kaspersky is developing a new secure operating system.

Kaspersky has been in the forefront of investigating the Stuxnet, DuQu, and Flame attacks against Iran so the announcement that it's developing a secure O/S for the same types of systems that Stuxnet was designed to attack makes a lot of sense. Further, the quality of their security research plus the fact that Russia produces some of the best software engineers in the world suggests to me that this product could be in high demand - especially by its Rosatom customers. However, Kaspersky's close relationship with Russia's security services should also be considered by its potential customers. Under Russian law, the FSB could ask Kaspersky to include a backdoor in its secure O/S and the company would be required to comply. In fact, I can't imagine the FSB missing out on such an opportunity for intelligence collection against potential customers among the Commonwealth of Independent States, India, China, South Africa and others.