Saturday, October 26, 2013

Germany's BND Caught Spying on Afghan Minister's Emails (2008)

In light of the current tensions between German Chancellor Merkel and President Obama over alleged NSA spying, I found this Der Speigel article in the bookmarks that I keep on nation state espionage:

The BND, Germany's foreign intelligence service, was caught spying on Minister Amin Farhang of the Afghan government via a trojan that they installed on his computer. The campaign lasted for about six months and included collecting the emails of a Der Speigel journalist.

Then in 2009 there was this Der Speigel headline: "BND Infiltrated Thousands of Computers Abroad" - which describes how Germany's foreign intelligence service used keyloggers and other tactics to monitor at least 2500 computers in a highly targeted espionage campaign. 

Granted, this is nowhere close to the scale of the NSA revelations, however Chancellor Merkel should certainly be aware that her own intelligence services have engaged in the same activities as everyone else's and her outrage should be tempered accordingly.

Monday, October 21, 2013

Carmen Medina to teach Workshop on Analytic Methods and Critical Thinking at Suits and Spooks DC 2014

As the rush to the Cloud and the aggregation of data in amounts here-to-for unheard of accelerates, the one area that continues to suffer from lack of attention is the use of analytic methods designed to off-set cognitive bias; in other words the rare skill of critical thinking.

This is particularly true among information security companies but it applies across all industry vectors. I've recognized and railed against this problem for years, but now with Suits and Spooks entree into offering workshops, I'm able to offer a solution in the person of Carmen Medina.

Carmen is a CIA veteran of almost 32 years. She was the Director of the Center for the Study of Intelligence (CSI) from January 2007-December 2009. As the CSI Director, she developed and managed CIA’s first Agency-wide Lessons Learned Program. Her record as a visionary analytic thinker and a dedicated, caring leader made her widely recognized--inside CIA and beyond--as an articulate, passionate voice for excellence in intelligence.

From 2005 through 2007, she was the Deputy Director for Intelligence, a member of the executive team that led the CIA’s analytic directorate. In her CIA career, Carmen held positions of increasing responsibility to include Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

By attending Carmen's four hour workshop on Analytic Methodology and Critical Thinking, your analysts will learn:

  1. Different analytic techniques to help organize data.

  2. The value chain of analytic insight.

  3. Question templates to use when evaluating information.

  4. Rules and techniques for using data and information.

  5. Techniques to assist in more rigorous what if and future thinking.

The early bird rate for this workshop is only $495 and attendees must also register for Suits and Spooks DC. Complete information is available here. Register early to save money and to secure your seat.

Sunday, October 20, 2013

Huawei Claims Transparency But These Facts Say Otherwise

"(A)s the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies. 
"Huawei will continue our open and transparent approach and responsible position to its operations and everything we do." 
- Ken Hu (Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee)
 Mr. Hu wrote the above statement in a web posting which announced Huawei's Cyber Security white paper "Cyber Security Perspectives: Making Cyber Security a part of a Company's DNA" (October, 2013).

This PR campaign is clearly mean't to take advantage of the Snowden leaks regarding NSA activities and data collection. Mr. Hu wants to paint a picture that Huawei, unlike U.S. companies named with supporting legal NSA requests, has not received any such requests from the Chinese government.

That's disingenuous at best, and purposefully misleading at worst.

The government of China is one of Huawei's biggest customers; primarily the State-owned telecommunications companies - China Telecom, China Unicom, and China Mobile. Those companies engage in State-mandated monitoring of all telecommunications inside the PRC using in part Huawei's equipment. In fact, China's State Security Law requires that companies and individuals comply with any request for assistance by the MSS or other state security organs up to and including technological means of surveillance.

If the MSS hasn't asked Huawei to provide access, it's because Huawei has already built that access in so that China Telecom can do its job of lawful intercept. And that's not just for telecommunications services. The law was updated in 2010 to include Internet traffic.

Regardless of how Mr. Plummer, Mr. Purdy, Mr. Hu and other Huawei executives try to spin their company's dedication to transparency and security, they work for a company whose equipment is used to surveil the communications of a country of 1.3 billion people, including all of the foreign-owned companies which have offices in China. Their white paper doesn't talk about that, nor does it reveal how Huawei hardware supports MSS collection efforts.

That's not being transparent, gentlemen.

Tuesday, October 15, 2013

Who's Spear-Phishing the CEO of Mandiant?

According to this Foreign Policy article, someone spear-phished Kevin Mandia, CEO of the information security firm Mandiant, using one or more fake invoices from the company which provides his limo service. According to Mandia the name of his limousine service has never been publicly announced so the question is, how did the attacker know it?

One possibility according to Kevin Mandia is that Chinese foreign nationals have followed him to speaking engagements and observed which car service he used. Personally, I've never seen a limo with a billboard mounted to it or the name painted on the side. When I use Uber, for example, I'm given the license plate number of the driver so that I can tell which black town car is the one I'm waiting for. Usually limos and SUVs that belong to private transportation services are pretty discrete, unlike taxi cabs.

Another possibility is that the someone is targeting CEOs at companies based in MD/DC/VA metroplex with a spear phishing attack that assumes they use a particular high end car service. There's probably not more than a few dozen reputable car services, if that.

Yet another possibility is that the attack came from a disgruntled former employee or competitor with inside knowledge of the Mandiant CEO's travel preferences. I've heard that thanks to Mandiant's rapid growth, it's been actively recruiting security engineers from other companies. That's probably left a bad taste in more than one person's mouth and this might be someone's idea of getting a small measure of revenge.

Or it could be that despite Mandiant's best efforts, an attacker was able to access inside information on the company's network and he sent the email just to stir the pot.

Mandiant's security team believes that they've identified the attacker as an "advanced hacking group back in China". Such groups focus on stealing intellectual property. China, like many states, is investing money in information security research and development. Would Mandiant's intellectual property match and/or accelerate China's own InfoSec R&D priorities? If so, that would be yet another explanation for this attack.

The bottom line is that no one is immune from a motivated attacker; not even a leading information security company.

UPDATE (10/15/13): A reader reminded me of this article which described a Chinese group engaged in espionage-as-a-service via a significant foothold in the travel and tourism industry.

Thursday, October 10, 2013

A Suits and Spooks Collision in Washington DC

No, President Obama didn't authorize a CIA direct action against House Tea Party members who are keeping the government closed. The "Collision" that I'm talking about is the Suits and Spooks event that is happening in Washington DC on January 19-21. Some of you know that I've been reluctant to call it a "conference" ever since I created this event in 2011. Finally, thanks to my friend Jim Stogdill at O'Reilly Media, I've got a new name for it - a collision.

It's the perfect word because that's precisely what happens during many of the talks. It's not a Summit where high profile speakers get to express their opinions without the opportunity for audience members to question them. Our speakers understand that the content of their talks can be challenged at any time by the attendees. And since we keep our total attendance capped to under 150 and keep all of the sessions on a single track, there's a lot of interaction taking place that just doesn't happen at any other event. In fact, when you consider who some of our speakers are, that's a remarkable thing to experience.

Here are just a few of the 25 or so high profile speakers that we've lined up for SNS DC:

  • Barbara M. Hunt: Co-founder of Cutting Edge C.A. who was formerly the Director for Capabilities of Tailored Access Operations at NSA as well as a 20 year veteran technical expert at CIA
  • David Howe: CEO at Civitas Group; formerly Special Assistant to the President (Homeland Security Council)
  • Carmen Medina: Career senior national security executive at CIA (retired). Assignments included Director for the Center of the Study of Intelligence; Deputy Director of  Intelligence; and Chief of the Strategic Assessments Group, Office of Transnational Issues, Directorate of Intelligence.
  • Eric O’Neill: Attorney and co-founder, The Georgetown Group; former FBI operative who was instrumental in the Robert Hanssen espionage case.
  • John Gilkes: Principal, Deloitte Financial Advisory Services; more than twenty years experience in asset tracing and recovery and in the management and conduct of financial/fraud investigations involving wire transfer fraud, bribery/corruption, and extortion.
  • Steven Chabinsky: General Counsel, Chief Risk Officer at CrowdStrike; Previously Deputy Ass’t Director Cyber at FBI
  • Stewart Baker: Partner, Steptoe & Johnson LLP; Previously Ass’t Secretary for Policy at DHS

Another first for Suits and Spooks DC 2014 will be our workshops. We're not a hacker con so you won't find the workshops that you're accustomed to at Blackhat and other events. That's because there's more to cyber security than malware alone. We'll be offering four workshops in January:

  • Lance Cottrell, the founder of Anonymizer, will teach a half-day workshop on Internet Anonymity and Pseudonymity.
  • Rob DuBois, a retired Navy SEAL and former director of operations for the Dept of Defense Red Team will teach a full-day course on how to train and operate a full spectrum red team.
  • Carmen Medina, a former Deputy Director of Intelligence at CIA will teach a half-day course on analytic methods.
  • Phil Rosenberg and John Gilkes will teach a course on financial fraud investigations and money laundering.

Registration for SNS DC is now open and we're already 25% full. Registration for the workshops is currently open for Lance Cottrell's topic and the others should be ready by next week (separate tuition is charged for the workshops). Here's the link for the SNS DC webpage. See you in January.

And if you're interested in having your company become a sponsor, please shoot me an email