Friday, December 28, 2012

A Meditation on Three Things

I've tried a lot of different systems over the years in my search to live and work optimally and never found one single, successful system to embrace. Instead, I've boiled it down into these three core pillars that I practice daily. It is the closest thing that I have to a religious practice (I generally dislike religion) because it is has certain spiritual undertones but there's no worship or dependence upon any higher powers involved. There is simply an awareness that I'm a part of a mysterious universe (aka nature,  the mysterious unknown, etc.) which flourishes both with and in spite of me, and that the closer I come to being a part of that universe, the happier, healthier and more prosperous I become. The three practices are:

  1. Daily joy
  2. Trust the unknown
  3. No-mind
"Daily joy" means that your default setting when you wake up in the morning is one of sheer pleasure and happiness to be alive. If you have a dog, you know what I mean. For many years, this was not the case for me, nor for many of the people that I knew and hung out with. I used to make happiness conditional; i.e., I'll be happy when I'm earning $X; when I'm in a good relationship; when I get the right job; when I no longer have this boss; etc. Happiness, let alone joy, was - in my mind - something to be achieved rather than something that I had by virtue of my simply being alive. Daily joy is especially difficult when you are financially destitute or physically or mentally ill but those are the times when it is most needed because joy works like a magnet, just like fear does. We attract what we fear because emotion is a powerful attractant. The unfortunate truth is that it's a lot easier to feel fear in the face of the unknown than to feel joy. You have to consciously practice the latter in order to overcome the former. That practice may need to include removing yourself from negative people and environments and finding ones more conducive to helping you feel joy on a regular basis.

Thursday, December 27, 2012

Would a Malware BuyBack Program Work?

I just read a story about how successful L.A.'s gun buyback program has been and it reminded me about a suggestion that was made at our Boston Suits and Spooks event - that a buyback program might be successful in reducing the amount of malware in circulation. Most malware writers just want to be paid for their research; something that isn't happening frequently enough or at a rate that's considered fair by the researchers. As a result, some of those researchers are exploring grey markets in offensive malware development or are selling 0-days to clients as a form of threat intelligence, or both.

Imagine how much malware the U.S. government could buy for the price of one F-35 ($600 million per jet). And the intelligence gleaned from a forensics review of all that malware would be priceless. Certain precautions would have to be built in to the program to reduce fraud or recompiling malicious code to create slightly different versions for sale, etc., but I think it's worth at least a pilot program to gauge its effectiveness.

Friday, December 14, 2012

The "January Effect" - An Annual Phenomenon Since 2009

I was recently interviewed for a feature in Discover magazine's Top 100 Stories of 2012 (January 2013 issue - on newsstands now). I'm #62 "Defender of the Digital Domain". During the interview, I was asked about a future forecast for 2013. I mentioned a phenomenon that I've noticed each year since 2009 - a major breach or act of cyber warfare that kicks off the New Year. It may start in December and then get publicized in January, or happen in January and get publicized a bit later but it has happened four years in a row now so I fully expect it to occur once again.

December 2008 - January 2009: Operation Cast Lead (a land war w/ thousands of simultaneous cyber attacks between Israel and Hamas)
December 2009 - January 2010: Google and 20+ companies are breached
January 2011 (approximate) - March 2011: RSA was breached sometime early in 2011 with the announcement being made on March 17, 2011.
January 2012: A hacker announces that he has Symantec's source code for Norton and other products.

What will occur or be announced in December 2012 - January 2013? I have no idea but I'm confident that it'll be something impressive.

Tuesday, December 11, 2012

Cyber Laws May Need Tweaking

The following is an excerpt of an article that I wrote for SC magazine on the need to amend the Computer Fraud and Abuse Act to keep pace with active defensive options by corporations; an issue that we'll be exploring indepth at Suits and Spooks DC (Feb. 8-9, 2013):

"Law in the United States has not kept pace with the tsunami of cyber attacks that have overwhelmed corporations and the government. It's become such a frustrating problem that information security start-ups, like CrowdStrike, as well as established ones like Mandiant, are pushing for a “strike-back” capability, something that the Computer Fraud and Abuse Act(CFAA) prohibits. Even if a company takes a network counter-attack off the table and just wants to encrypt its own data which it finds stored on another computer, the CFAA makes even that common-sense action illegal. I don't think that will be the case for much longer. In fact, I predict that 2013 will be the year when the concept of “active defense” will finally become a reality.
"It's been a year since the directors of the National Security Agency and the Defense Advanced Research Projects Agency both acknowledged that the U.S. government has been unable to protect its own networks and asked for help from private industry. Earlier this year, two high-profile FBI officials and an Air Force general left government service to join CrowdStrike, a decision driven in part out of the same frustration. Then there was the provocative and somewhat disturbing speech given by Secretary of Defense Leon Panetta in October which warned foreign adversaries that we had significantly improved our attribution capabilities (although there's little evidence to support that claim) and that we would respond militarily to anyone who launched a “destructive” cyber attack against us.
"The drive by private industry to be more aggressive in defending corporate networks and the “signalling” by Panetta that we will respond to destructive cyber attacks are both examples of a military strategy known as “active defense.” However, while computer attacks between nation-states may be allowable under certain conditions, such as a presidential finding under Title 50 for a cyber covert action or under the Law of Armed Conflict, there is no such leeway for private corporations under Title 18, Section 1030 – and there's the rub."

Read the rest of the article at SC Magazine.

Friday, December 7, 2012

Flipping Malware: A Profit Opportunity for Corporate IT Departments

The one thing that corporate IT departments are not is a profit center. But the trend towards developing offensive exploits and selling them to government agencies could change that tomorrow if CEOs can be convinced to take the opportunity. Up to this point, CEOs and their Boards of Directors have been reluctant to spend too much money on cyber security because, frankly, it could easily become a serious money pit. A typical incident response bill for a breach can easily exceed the mid-six figures. Saudi Aramco and Sony probably paid a hefty multiple of that. Then there's the 5 figure monthly bills for threat intelligence feeds, plus the charges to protect against Denial of Service attacks, AV, IDS, IPS, etc. And the worst part of this money pit is that the company can only hope that their previously compromised network is clean. There's no way to tell for certain because it could still contain un-discovered malware.

The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represent tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you've viewed only as a threat and an expense has become a valuable commodity thanks to the trend in selling offensive malware to government agencies.

The U.S. government is a customer for offensive exploits and so are a number of allied governments. In fact, if they aren't already doing this, defense contractors like Lockheed Martin, Raytheon, Northrup Grumman, and many others should already be mining their own networks for undiscovered malware, reverse-engineer what they find, and use it to fill orders by DoD since they've already got the contract vehicles in place.

Some of the more forward-looking DOD contractors who have robust internal Computer Emergency Response Teams (CERT) staffed with engineers who can do reverse-engineering could be in the best position to offer free or low-cost network defense to corporations who want to "flip" the malware found on their network for a nice profit. The best part is that everybody comes out a winner except for the malware writers who may have spent a lot of time and money developing 0-days for targeted attacks (i.e., the creators of Stuxnet, DuQu, Gauss, and Flame). In my scenario, they've merely provided a sellable commodity for free to the targets that they were hoping to exploit.

If you're a C-level executive and you'd like to discuss this idea privately with me, feel free.

Thursday, December 6, 2012

Please Remember the CIA Officers Memorial Foundation this Holiday Season

There are lots of great charities out there that are deserving of a share of our gift-giving this holiday season (and year-round for that matter). I'd like to introduce you to one of my favorite charitable organizations - the CIA Officers Memorial Foundation.
"The Foundation was established in December 2001 to provide educational support to the children of CIA officers killed in the line of duty. In May 2006, the Foundation's Board of Directors voted to expand its mission to include providing educational support to the spouses of CIA officers killed in the line of duty, and the children and spouses of officers who die on active duty as a result of accident, illness or other causes."
I just received my supporter letter from them and was happy to learn that they've been able to increase their scholarship awards to 28 students for the 2012-2013 academic year ($575,000) from 26 students ($512,000) for the prior year. However, according to their letter, they "still have a long way to go to realize our strategic goals and to sustain our ability to fund programs in the future as education expenses continue to soar and the number of families in need of our support increases."

Please keep this wonderful organization in mind this month as you make your charitable donations in the holiday spirit of giving. Thank you.

Tuesday, December 4, 2012

Anonymous Reveals The 24 hr Violence Cycle in Syria

Part of the Syrian government email dump that was published by contained daily reports from the Syrian government to its embassy at the U.N. on terrorist attacks occurring on its soil. These "terrorists" were, of course, Syrian rebels looking to overthrow Assad. While the country has been in a state of civil war for many months, it's eye-opening to see the level of violence when it's broken down by dozens of specific instances on a daily basis as it is done in these reports. There are literally dozens of them in the email dump. I arranged for the translation of two documents to share via this blog.