Friday, September 28, 2012

Fact-checking the Iranian DDoS Attacks Against US Banks

There's a boat-load of misinformation being dispensed by CNN and Bloomberg about the DDoS attacks targeting our largest U.S. banks. Since this involves erroneous quotes from certain cyber security executives along with a U.S. Senator, I think a little fact-checking is in order.

Bloomberg: "Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo (WFC) & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults."

FALSE. This was a Distributed Denial of Service (DDOS) attack. Nothing was "breached". The web servers which hosted the banks' online services were overwhelmed by "calls" and couldn't handle them all.

Bloomberg: "Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly."

FALSE. There's no one that I know at the NSA (past or present) who believes that customer inconvenience resulting from a DDOS attack against their bank's website is a "worst-case scenario". That's utterly ridiculous.

Bloomberg: "The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to (Dmitri) Alperovitch and (Rodney) Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said. “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said."

CNN: "To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a "botnet."

FALSE. This attack did not take months to plan for two reasons: 1) This was a crowd-sourced opt-in botnet commonly used in social activism (aka hacktivist) attacks, and 2) No one needs to create a botnet from scratch anymore. You can find them to rent on pretty much any hacker forum world-wide.

CNN: "Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.
"I don't believe these were just hackers who were skilled enough to cause disruption of the websites," he said. "I think this was done by Iran ... and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

BULLSHIT.  There are lots of good reasons for tensions to exist between Iran and the U.S. but this isn't one of them. If you read the excellent open source analysis done by Dancho Danchev you'll see that this was nothing more than Islamic activists protesting the "Innocence of Muslims" video.

Paste bin notice by Qassam Cyber Fighters group
If Senator Lieberman thought this would be a good opportunity to do some Iran-bashing in order to drum up support for his cyber security legislation, he mis-calculated. This statement by the Senator only serves to reinforce the feeling by many that Congress is out of touch with the problem and is in no position to create new cyber security controls or policies.

Meet the Person who is helping set the R&D priorities for the U.S. Intelligence Community

Dr. David Bray of the Office of the Director of National Intelligence (ODNI) is giving the keynote talk at Suits and Spooks Boston: Offensive Tactics Against Critical Infrastructure. I've asked Dr. Bray to speak because he's the principal strategist for a national commission whose mandate is to determine the high priority research topics for the U.S. Intelligence Community over the next 10 years. I've had the privilege of speaking with he and his colleagues at the commission and found them to be very well-informed, inquisitive, open-minded and highly motivated. If you provide services to any of the 16 agencies of the U.S. Intelligence Community, you should be very interested in the work of Dr. Bray and his team. His bio follows:

Dr. David A. Bray currently serves as Principal Strategist and Senior National Intelligence
Service Executive with the National Commission for Review of Research and Development
Programs of the U.S. Intelligence Community. He overseeing a team of interagency assignees
working with twelve Congressionally appointed bipartisan Commissioners working with
Executive Branch per Public Law 111-259, reviewing the full range of current research and
development programs under the purview of the IC, to include individual agencies, IARPA,
DARPA, In-Q-Tel, and others.

He previously served as Executive for Innovation, Integration, and Interoperability, Office
of the Program Manager, Information Sharing Environment starting in 2010. The Program
Manager has government-wide authority to plan, oversee the build-out, and manage use of the
ISE to implement the President’s terrorism-related information sharing priorities. Dr. Bray’s
work focuses on empowering the ISE partnerships of five communities – Defense, Intelligence,
Homeland Security, Foreign Affairs, and Law Enforcement – in support of whole-of-government
solutions for assured information sharing, protection, and access.

Prior to joining ISE, Dr. Bray served as a strategist at the Institute for Defense Analyses and
the Science and Technology Policy Institute. In 2009, he deployed to Afghanistan as a Special
Advisor to STRATEGIC EFFECTS for NATO’s International Security Assistance Force and U.S.
Forces Afghanistan, with the task of helping to “think differently” on critical strategic efforts.

Dr. Bray also served as IT Chief for the Bioterrorism Preparedness and Response Program at
the U.S. Centers for Disease Control and Prevention, where he led the technology aspects of
the bioterrorism program’s response to 9/11, anthrax in 2001, SARS, and other outbreaks. He
started working for the government in 1993, providing strategy on crisis response, collaboration,
cybersecurity, national intelligence, information sharing, and innovation. He has worked as a
senior developer and project manager for the government and private sector.

Dr. Bray holds a PhD in information systems, a MSPH in public health informatics, and a
BSCI in computer science and biology from Emory University, alongside two post-doctoral
associateships with the Massachusetts Institute of Technology’s Center for Collective
Intelligence and the Harvard Kennedy School’s Leadership for a Networked World Program.
He also serves as a Visiting Associate with the National Defense University and on the Board of
Directors for the Senior Executives Association.

The Early Bird rate for Suits and Spooks Boston will end on October 1st. More information including how to register can be found here.

Tuesday, September 25, 2012

Faulty Attribution Analysis by RSA's VOHO Report Negates Its Findings

RSA's First Watch Research and Intelligence Team just released its VOHO report (.pdf) with the declaration that China was responsible (aka "APT"). Their attribution analysis was summarized in two paragraphs:
RSA FirstWatch research has revealed an exploit and compromise campaign with connections over the past 8 months.  The collected data suggests that this attack was orchestrated and carried out by threat actors commonly referred to in the industry as “APT”:
  1. Use of the “xKungFoo” script kit for victim redirection
  2. Use of attack methodology that matches motives seen in past APT attacks – most notably such as those seen in the Aurora and GhostNet campaigns
  3. Use of the “gh0st” remote access tool (RAT) in this and previous campaigns
  4. Use of command and control infrastructure in the Hong Kong area in this and previous campaigns
  5. Gross impact and on almost 900 unique organizations 
  6. Targets of Interest and Opportunity being geographically disperse in addition to industrial & vertical diverse with a heavy concentration in the following areas:
    • International finance & banking
    • Technology
    • Government – municipal, state, federal and international 
    • Utilities & energy
    • Educational 
    • Defense Industrial Base (DIB)
    • Corporate Enterprise
The possibility exists that this was intentional misdirection on the part of the attackers in
regards to their origin
(emphasis added). However, the RSA FirstWatch team believes the data supports our analysis and this is further evidence of APT intrusion into United States government and corporate assets.
Of those two paragraphs, only one sentence was dedicated to alternative analysis (the one in italics). While it may seem like I'm picking on RSA, they aren't the only InfoSec company that performs lazy, biased analysis. Every company that has issued a report which included a section on attribution has failed to assess the alternatives in a non-biased, rigorous manner (.pdf). RSA's VOHO report can serve as an example of what I mean. Readers are encouraged to look for these types of analytic errors in other InfoSec reports as well.

Use of "xKungFoo script"
The authors referenced the work of researcher Mila at Contagio Dump. While it's true that the xKungFoo script is written in Chinese, that doesn't mean that Chinese hackers were responsible, nor does it mean that a person of Chinese descent wrote it. I personally know Russian, American, and Indian engineers who speak and write Chinese fluently. More importantly, as Mia pointed out in the same blog post footnoted by RSA's researchers, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn't mean that it was used by Chinese hackers in all instances.

Use of Attack Methodology that Matches Motives Seen in Past APT Attacks
- Watering Hole Specifics
The authors acknowledge that "the idea of using a target’s interests and likely access points is not a new method of attack" but that its scale is notable. The authors go on to note the array of websites that were used as lures:
  • Related to Boston, MA
  • Related to political activism
  • Related to Washington DC Metro area
  • Related to the Defense Industrial Base
  • Related to Education
There's nothing in this grouping which would attribute this attack to any one State or non-State actor.
Additionally, the authors wrote that "one of the main sources of infection for these campaigns were sites that support the cause of democratic process in non-permissive environments, or the communication of information related to free speech. " That's way too broad an assessment to come to any conclusion on attribution. In fact, this entire section of the report doesn't include a single piece of evidence that would uniquely identify an attacker.

Use of GhostRAT
Under the reports' Attack Methodology section, it refers to the use of Ghost RAT, a widely available Remote Access Tool which anyone can use. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China's government.

Use of Hong Kong ISPs
The geolocation of command and control servers is probably the weakest evidence that one can give when assigning attribution, especially when the suspected attacker is China - the world's most popular cyber villan.

Targets of Interest
The targets of interest mentioned by the authors are too broad to be attributed to any one nation state. In fact, the targets of interest combined with the use of widely available malware and Hong Kong-based C&C servers makes it more likely that this was the work of an Eastern European hacker crew who was casting a wide net for data that it could sell to interested third parties.

Intelligence is a two-part process: collection and analysis. RSA and its peers, by virtue of their widespread customer base, do a very good job with the collection of data but they fail in performing rigorous analysis. Further, because RSA is a vendor in the business of gaining market share, it's good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than any other nation state. When the cyber security industry issues PRC-centric reports like this one without performing any alternative analysis of the collected data, and when the readership of these reports are government and corporate officials without the depth of knowledge to critically analyze what they're reading (i.e., when they trust the report's authors to do the thinking for them), we wind up being in the position that we're in today - easily fooled into looking in one direction when we have an entire threat landscape left un-attended. We got into that position because InfoSec vendors have been left alone to define the threat landscape based upon their product offerings. In other words, vendors only tell customers to worry about the threats that their products can protect them from and they only tell them to worry about the actors that they can identify (or think that they can identify). This has resulted in a security awareness clusterfuck of epic proportions. For more information on how the threat landscape should be defined (versus how it's being defined by security vendors), see my paper "Intelligence Preparation of the Information and Communications Environment".

Monday, September 24, 2012

SC Magazine's Awful "Cyber Cold War" Article

Deb Radcliff wrote a feature article for SC magazine entitled "Cyber Cold War: Espionage and Warfare". Since SC is an IT Security publication and since international tensions are rising daily around this topic, I think it's important to confront errors and/or faulty judgments when they arise. This article is filled with them. Here are the top four that stood out to me:

SC: "But, the talk (Gen. Alexander's talk at DEFCON 2012) was also ironic, given that the NSA has been outed as the agency behind Stuxnet – which caused collateral damage on unintended targets in multiple countries, while the United States provided no intel to system operators that may have needed protection."

Wrong. Even though hundreds of thousands of computers had the Stuxnet worm present, it remained inert for all systems except those that it was specifically programmed to attack at Natanz. There was no collateral damage in multiple countries as Radcliff claimed.

SC: "As with Stuxnet, cyber war starts out ‘cold,' with the theft of information that can lead to larger-scale attacks. In that instance, information about targets (Siemens control systems at Iranian enrichment facilities) was collected in preparation for stage two and three of cold war – to disrupt and cause damage. The final stage is when attacks against the national infrastructure and military operations make it impossible for the target nation to respond to a physical assault."

Wrong on multiple counts. The use of the word "cyber war" is ridiculously provocative. Stuxnet was an act of sabotage, not war. In fact, there is no such thing as "cyber war"- not in law and not in fact. The rest of that paragraph is a hypothetical chain of events that Radcliff invented for her article. Stuxnet  was not part of any larger plan to attack Iran's "national infrastructure and military operations". Its sole purpose was to disrupt a specific number of centrifuges involved in nuclear fuel enrichment. Period.

SC: "Stuxnet is one of only a few cases of actual cyber warfare with intent to damage physical systems, says Martin Libicki, senior management scientist at the RAND Corp., a government advisory think tank."

Wrong. I know Martin Libicki and have had occasion to interact with him at closed Intelligence Community events and with all due respect to his credentials, he's frequently misinformed about issues related to cyber warfare, what defines it, who conducts it and in what ways. The only actual events which can be legally described as cyber warfare are the cyber attacks launched during the Russia Georgia war in 2008, Operation Cast Lead in 2009, and possibly the most recent Kyrgyzstan revolution in 2011. In other words, cyber warfare exists when there's kinetic conflict with a cyber component. That's it.

SC: "On the other hand, a good example of mitigation and containment through fast response time is the March 2011 exfiltration of RSA SecurID code. The attack had only been in the network for days when EMC's security team discovered the compromise and took action."

Wrong. In fact, insultingly and ridiculously wrong. RSA lost its entire seed database to that attack. That breach, in turn, led to attacks against one confirmed defense contractor (Lockheed Martin) and probably a half dozen more throughout the year including L3, Northrup Grumman, and others. Nor does RSA's so-called "fast response" timeline hold up under scrutiny.

Radcliff closed her article with the following statement: "Cyber war is upon us, and organizations need better means of protecting themselves and sharing threat information to protect the larger infrastructure."
This is a false claim, irresponsibly made by a reporter who appeared to be determined to write a one-sided article. I really hope that this isn't a sign of SC magazine becoming a FUD mouthpiece for InfoSec vendors who want to stir the pot in hopes of increasing their profits.

Monday, September 17, 2012

Where's the "Strike" in CrowdStrike?

I've had mixed feelings about CrowdStrike from the moment that it launched in stealth status last February. On the one hand, I'm a big fan of how Shawn Henry (President of CrowdStrike Services) helped move the FBI from a terribly incompetent position vis a vis cyber investigations (circa 2005-06) to one of the world's premiere cyber investigative bodies in just a few short years. On the other hand, I detest McAfee and I've openly ridiculed their so-called "reports" on more than one occasion. As an Israeli friend of mine put it, Anti-Virus companies aren't security companies. And I might add, they aren't intelligence organizations either. The one thing that McAfee does have are rich executives, including CrowdStrike co-founders Gregg Marston, Dmitri Alperovich, and George Kurtz who arranged CrowdStrike's $26 million Series A funding from Warburg Pincus where Kurtz was an Executive-in-Residence after McAfee was acquired by Intel for $7.86 Billion in cash.

A LinkedIn search shows that the company has been attracting/recruiting lots of talent but so far they haven't announced much in the way of a product line. They did launch an open source reverse-engineering portal called CrowdRE which lets anyone play with a highly regarded Disassembler called IDAPro in a cloud-based server. The benefit to CrowdStrike is that in exchange for providing the portal, it can quickly grow a database of reverse-engineered malware that it can utilize on behalf of its paying customers.

The question that I and others have been asking since last February's launch has to do with the "offensive" hook that CrowdStrike advertises via its tag line "You don't have a malware problem. You have an adversary problem"(tm). The company website claims to offer "Enterprise Adversary Assessment" where "we identify the adversary and find out what they're after." And how do they do that? Back to the website: "Through hunting operations, including host-based detection, threat-specific network analysis, and victim threat profiling".

In case you have any doubt as to who the adversary is, their cool t-shirt makes it pretty clear:

Gee, what a surprise. CrowdStrike has determined that the adversary is China. And that's a continuation of the piss-poor intelligence that Dmitri Alperovich published while at McAfee: Operation Shady Rat (China), Operation Aurora (China) and Operation Night Dragon (China). There's over 30 nation states developing computer network attack, defense, and exploitation capabilities and at least a dozen that are highly proficient and actively conducting cyber espionage yet somehow McAfee's "intelligence analysts" only see China. Not Israel, Russia, Taiwan, France, Germany, or South Korea - just the PRC. In a video interview, CrowdStrike's Director of Intelligence Adam Meyers talks about identifying adversaries via toolmarks and the usual TTPs that every so-called cyber intelligence firm narrowly focuses their attention on but that's not analysis (See Michael Tanji's recent article on the subject "Malware Analysis: The Danger of Connecting The Dots"). In the intelligence community, that's a cognitive trap known as target fixation. If after looking at all of the technical parameters, the only nation state that you see is China, you need to find another job because you suck as an intelligence analyst.

Getting back to CrowdStrike's "offensive" marketing theme, in Shawn Henry's keynote at BlackHat last summer, he made it clear that CrowdStrike wasn't advocating hacking back; that such activities were still illegal. CrowdStrike's latest high profile FBI hire Steven Chabinsky has also made it clear that the laws currently don't support even something as mild as a company encrypting its own data found on a foreign server. So what's the point in promoting a "take the fight to the adversary" approach when it's impossible to do in the current legal climate?

The bottom line is that, in my opinion, CrowdStrike cannot currently deliver anything unique in the infosec space that Mandiant and other companies aren't already doing unless it significantly improves its sources and methods regarding identifying adversary state and non-state actors and pushes the envelope on active defense. It's not enough to have a cool t-shirt that says "Change the Game". They literally have to do it.

Friday, September 14, 2012

21st Century Christian Violence, Terry Jones, and Free Speech

While the anti-Muslim hate film made by Egyptian Coptic Christian Nakoula Basseley Nakoula under the pseudynm Sam Bacile and promoted by Pastor Terry Jones wasn't the primary cause of the multiple attacks against U.S. embassies in the Middle East on 9/11/12, it served to inflame an already bad situation. It's debatable whether religious hate speech is a protected First Amendment right however even if you have the right to profane someone else's god, it doesn't mean that you should. Words bear consequences, and religious violence isn't exclusive to Muslims. The following are just the most recent examples of religious violence engaged in by American Christians against American Muslims.

Christian Taunts and Violence Mar Arab Festival In Michigan (June 18, 2012)
Christian protesters traveled across the country to Dearborn, Mich., where they taunted attendees and even held a severed pig’s head for three days at the annual Arab International Festival. The protests turned violent Sunday, and by the end of the day as many as 10 people facing disorderly conduct or assault charges, according to ABC News Detroit affiliate WXYZ.

A Quiet Campaign of Violence Against American Muslims (August 20, 2012)
On Aug. 4, teenagers pelted a mosque in Hayward, Calif., with fruit. On Aug. 5, Wade Michael Page murdered six congregants and wounded a police officer at a Sikh temple in Wisconsin, quite possibly because he thought the Sikhs were Muslim. That same day, a man vandalized a mosque in North Smithfield, R.I. On Aug. 6, a mosque in Joplin, Mo., was burned to the ground. On Aug. 7, two women threw pieces of pork at the site of a proposed Islamic center in Ontario, Calif. On Aug. 10, a man allegedly shot a pellet rifle at a mosque near Chicago while people prayed inside. On Aug. 12, attackers fired paintball guns at a mosque in Oklahoma City, and a homemade bomb filled with acid was thrown at an Islamic school in Lombard, Ill. On Aug. 15, assailants threw a Molotov cocktail at the home of a Muslim family in Panama City, Fla.

And that's just this summer. Further, violence by Christians isn't limited to attacks against Muslims. What about the bombing of abortion clinics and the targeted killings of those who perform them? Or the support and comfort given to Christian terrorist Eric Rudoph by other Christians?

Religious violence is not exclusive to one religion, and both Islam and Christianity have plenty of blood on their respective hands up to and including the present day. General Dempsey asked Terry Jones to drop his support of the film because it's serving to aggravate a bad situation. Is freedom of speech a vitally important and fundamental right for the U.S. and other democracies? Absolutely. However every right comes with a responsibility to exercise it in a way that doesn't result in harm to others. That includes U.S. Christians as well as Middle Eastern Muslims. And propagators of hate speech, on both sides, need to be held responsible for their contribution to violence just as much as the terrorists who fire munitions and throw bombs.

UPDATE (15 SEP 12): I found this resource written by CRS on Exceptions to the First Amendment. My point isn't to show that this particular film falls within those exceptions. That's up to a court to determine. My point is that the First Amendment does not guarantee unrestricted speech, and that in addition to what the law provides, we must engage our brains and apply common sense regarding the impact of our speech on others. 

Wednesday, September 12, 2012

Offensive Tactics That You Won't Hear About At HackerCons

Here's a first look at the partial agenda for Suits and Spooks Boston. We're still finalizing content for some of our speakers (i.e., "to be announced"). You'll quickly see the reason why it's closed to journalists and why no presentations will be shared or made public. And you'll also see why Suits and Spooks isn't just another security conference. No one covers what we do.

8:30am Registration and Continental Breakfast

9:00am: David Bray: "The Need for a Science of Cybersecurity and Critical Infrastructure"

9:30am: Rob DuBois "How would a red team plan and launch an assault against a typical power plant"

10:00am: Dale Peterson: "How adversaries could take out thousands of power plants around the world as well as large parts of the electric transmission system"

10:30am: Break

10:45am: John Sullivan: "How a large municipal water system can be disrupted and why there's no defense against it"

11:15am: Dan Kuehl: to be announced

11:45am: Lunch

12:45pm: Christopher Ahlberg "How to create a targeting package against a corporation or individual using social media"

1:15pm: Henry Shiembob "How multi-national corporations watch for outside threats but miss the more dangerous insider threat"

1:45pm: Dan Geer: to be announced

2:15pm: Larry Castro: "A Policy Review of Pending Cyber Security Legislation and What an Executive Order Might Cover"

2:45pm: Break

3:00pm: Christopher Burgess: "Creating havoc through the disruption of medical devices and electronically altering patient data"

3:30pm: Derek Gabbard: to be announced

4:00pm: Zach Tumin: to be announced

4:30pm: Closing Remarks

The final agenda will be announced on October 1st. A full list of speakers and their bios is at the Suits and Spooks Boston web page. Our early bird registration rate of $295 ($100 savings off the standard rate) ends in six days so reserve your space today.


Monday, September 10, 2012

Why Wasn't Saudi Aramco's Oil Production Targeted?

The recent cyber attack against Saudi Aramco resulted in the destruction of thousands of servers and hard drives. Replacement costs along with incident response fees had to have exceeded US$15 million dollars. While it's true that oil production and distribution were not affected, it may be because they weren't targeted.

It's not because Saudi Aramco's network security prevents such attacks from happening. I'm sure that the company has done everything that it can to implement best practices but that's not enough to stop a dedicated attacker. And today, with the amount of open source data on SCADA exploits available combined with the alleged existence of hostile insiders working for the company, it could have been easily done. So why didn't it happen this time?

Saudi Aramco is a state-owned company so an attack against it is equivalent to an attack against the Kingdom of Saudi Arabia. If the outcome of a cyber attack is principally financial with some disruption to business processes, then it will probably be treated as a criminal matter. If the attack resulted in a disruption of oil production and/or delivery, it would almost certainly be treated as an attack against a military objective (see Section 4 "Attacks Against Objects" of the Tallinn Manual on the International Law Applicable to Cyber Warfare for an indepth discussion of this legal term of art).

Iran is a possible suspect in the Shamoon attack and had it targeted one of Aramco's SCADA systems, then what was probably a warning to Aramco not to increase its oil production would almost certainly have been treated as an act of war instead. The IRGC which is in command of Iran's cyber warfare units would know that. Whether it was the IRGC or a proxy Iranian hacker group working on their behalf, Iran knows better than to do anything that would interrupt the world's oil supply.

UPDATE (14SEP12): I've edited this post to correct some errors in my original post regarding the types of operating systems used at Aramco.

Friday, September 7, 2012

Lockheed Martin's Contest Rip-0ff of your IP

I didn't think my opinion of Lockheed Martin could sink any lower but after reading this - yes it has! Lockheed Martin has announced a contest which awards $50,000 to the winners of "Innovate The Future Challenge: How Might We Enable A More Secure Future For Our Planet?". They want you to share your ideas on how to solve that question for free, and for the winning submissions they'll pay combined awards equalling $50,000 (1st place $25K; 2nd $10K; three 3rd places $5K@). Sound good? You'd better read the fine print.

Winners will be required to sign agreements providing Lockheed Martin with a worldwide, nonexclusive royalty-free, paid-up license to make, have made, use, sell, import, reproduce, distribute and otherwise practice your entry.  The first prize winner will also be required to sign an incubation contract providing Lockheed Martin with access to any and all copyrightable material developed in the performance of the incubation contract. If you do not sign and return these required forms within the time period listed on the winner notification message (but by no later than 14 days after the notification message), we may disqualify you and select an alternate winner.
 In other words, that prize money is the last money that you'll ever see from your idea. And if your submission doesn't win one of those prizes, it'll be made public for anyone to read and implement.

POSTING OF YOUR ENTRY.  Please note that following the end of this Challenge we will not return your entry and your entry may be posted on a website selected by us for viewing by visitors to that website.  We are not responsible for any use of your entry by visitors to this website which has not been authorized by Lockheed Martin.  However, we are not obligated to use your entry for any purpose even if it has been selected as a winning entry, except that the names and counties (equivalent) of the winners and their winning entries will be published on a website selected by us and/or made available on request by sending a stamped, self-addressed envelope to the promoter.
So by all means, send in your valuable idea to Lockheed Martin. If they don't rip you off by selecting you as a winner, someone else who reads it on their website certainly will. 

Wednesday, September 5, 2012

Saudi Aramco Under Attack Again

According to at least one knowledgable source, Saudi Aramco is currently dealing with another network attack which affected some of its business systems at 0800 AST but not its production or distribution facilities. At this time the company's websites at and are down and employees have been advised to unplug their workstations while U.S. and Saudi security teams attempt to conduct incident response.

There's been no announcement from the company nor has anyone yet claimed credit for the attack. A call to Saudi Aramco's public affairs department went to voicemail. If anyone has additional information to provide, please contact me via Twitter (@jeffreycarr) or email.

UPDATE (0751 PST 05SEP12): Saudi Aramco's official Twitter account denies that anything is wrong.
However more than one source has confirmed to me that Aramco never fully recovered from the first attack and that Aramco employees were asked this morning to disconnect their workstations from the network.

UPDATE (0858 PST 05SEP12): I've been told via Twitter that this morning's attack may have been a false alarm. At this time, Aramco's website isn't accessible from my location in the U.S. but a journalist in UAE can access it. Email correspondence also seems to be working.

UPDATE (0944 PST 05SEP12): Aramco's websites and field offices are all affected by an Internet outage at the company according to an email from Aramco's CEO, and they may be down for awhile.

Tuesday, September 4, 2012

Huawei's Cavernous Cyber Security Credibility Gap

Approximately one month before Huawei officials (along with ZTE officials) are supposed to testify before the House Permanent Select Committee on Intelligence (October 2012), the company's Global Cyber Security Officer and SVP John Suffolk released a white paper entitled "Cyber Security Perspectives: 21st Century Technology and Security - a Difficult Marriage".

I've been monitoring Huawei for several years and have given dozens of briefings on the security risks associated with the company, its management and its products. I've had several Huawei employees contact me privately about issues within the company and I've spoken to at least one of their senior executives last year about my concerns. I just finished reading Mr. Suffolk's white paper, which Andy Purdy, former Director of DHS National Cyber Security Division and now Huawei's Chief Security Officer, helped write. While it covered all of the usual bases regarding Huawei's commitment to security (I'm not going to recap these - read the paper if you must know), it addressed none of the issues that underscore the opinion of myself and others that Huawei is a security threat, such as:
  • Madam Sun Yafang's past employment with China's Ministry of State Security and how she helped the young company secure loans form the Chinese government.
  • Claims that Huawei benefited from Nortel's IP in 2004 including duplicating its instruction manuals.
  • Claims that Huawei stole source code from Cisco and its settlement of those claims in 2004.
  • Lack of full disclosure regarding Huawei's obligations to the Chinese government as a national champion firm and a provider of services and products to the State including the Peoples Liberation Army. 
  • Lack of full disclosure regarding how many of its executives are members of the powerful Chinese Communist Party (CCP) and therefore bound to comply with directives from the CCP. After all, the CCP plays a dominant role in China's economy.
If Huawei's white paper is an example of how Huawei intends to address the concerns of the House Intelligence Committee, it's not nearly enough - even with Andy Purdy's help.

UPDATE (06SEP12): According to Reuters, Huawei is negotiating terms for its testimony before the House Intelligence committee. The fact that they have to "negotiate terms" says a lot to me about how valid the scope and validity of the concerns that I mentioned above are, not to mention the ones that Huawei doesn't want to have discovered.