Wednesday, June 25, 2014

Have Lunch on K Street with Execs from Microsoft, BAE, Cognizant, Huawei USA, and the IC - Updated 7/14/14

UPDATE (July 14, 2014): We have room for six more cyber security startups to join our lunch; however, registrations will close by end-of-day July 15, 2015.

If you're a cyber security startup, chances are good that you may have a product or service of interest to the U.S. government but do you know the complexities that come with that? If you attend our Security Startup Lunch in DC on July 22, you can ask Hendrik van der Mueler, Barbara Hunt, and Lewis Shepherd for their advice.

If you'd like to be a vendor for one or more prime defense contractors, you can chat with JC Dodson, BAE Systems Global CISO about your product or service and receive his recommendations on how to go about it.

On July 22, at PJ Clarke's in Washington, DC, our Suits and Spooks Security Startup Speed Lunch will help startups find customers, VCs find startups, and give executives a chance to hear about cutting edge technologies person-to-person - over lunch.

You won't be pitching a room full of people. You'll be meeting 1:1 in six-minute rounds with decision-makers from multinational companies and other organizations, and you'll enjoy a delicious lunch in the Sidecar at PJ Clarke's.

Here's who you'll be meeting with:
  • Lewis Shepherd, Director and GM, Microsoft Institute for Advanced Technology in Governments (MSI). Lewis joined Microsoft in December 2007 from the Defense Intelligence Agency, where he accepted a position as Chief of Requirements & Research (or R2).
  • Barbara Hunt, President and CTO, CuttingEdge CA. Ms. Hunt is a retired Central Intelligence Agency (CIA) Executive Technical Expert and program manager with over 20 years of experience in the fields of cyber, information, and telecommunications technology and operations. She also served as Director of Capabilities, Tailored Access Operations Group at NSA.
  • Henry Shiembob is VP and Chief Security Officer at Cognizant Technology Solutions, and was formerly the Deputy Chief Security Officer and Executive Director of Cyber Security and Fraud Operations at Verizon.
  • Jeffrey C Dodson, VP Cybersecurity, Global CISO, BAE Systems
  • Andy Purdy, CSO, Huawei USA. Andy formerly served as the 'Cyber Czar' of the United States from 2004 to 2006, in his role heading the Department of Homeland Security’s National Cyber Security Division and US-CERT.
  • Hendrik van der Meuler - Retired senior CIA officer in three foreign countries and CIA Operations Officer during six tours of duty in the Middle East, Africa, and Europe, 1981-2000. Since retiring from the CIA in October 2010, he has worked for the Monitor Group and MonitorQuest, with an emphasis on Social Media issues.
  • Edward V. Marshall, Vice President - Private Banking North America, Credit Suisse; formerly with the U.S. Department of State.
  • LaToya Staten, Cyber Collaboration Manager, Cyber Development, Maryland Department of Business and Economic Development
You can attend if you meet one of these three categories:
  1. You are employed at the Director level or higher with a medium-sized or larger corporation.
  2. You're employed with a cyber security start-up that is no more than 5 years old and has not yet raised more than a Series A funding round.
  3. You're employed by a Venture Capital firm or an investment bank.
It wasn't easy getting these outstanding executives together for three hours to meet with a group of startups, and I doubt that I'll be able to get them all together a second time, so don't miss this opportunity. The registration fee is $199 if paid before July 1st and seats are limited!

Visit the Suits and Spooks website for more information or call (855) 777-8242 ext. 3 with any questions.

Tuesday, June 17, 2014

Hank Crumpton on Wolfowitz: "What was he smoking?"

I read Hank Crumpton's book "The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service" in about six hours spread over two flights between NY and Seattle. It's a great book which I highly recommend everyone read. The recent attempt by Paul Wolfowitz to rewrite his colossal fuck-up on the Iraq war, or to even have the audacity to provide advice, prompted me to go back and find this relevant section:

Chapter: "Afghanistan, Strategy"
pp. 187-188
A few days later, Tenet and I were in the White House Situation Room. National Security Advisor Rice chaired the meeting. Rumsfeld, Card, Secretary of State Colin Powell, Deputy Secretary of Defense Paul Wolfowitz, Chairman of the Joint Chiefs of Staff General Myers, and others attended. 
<cut for brevity> 
Rice asked Tenet to provide an update, followed by General Tommy Franks, who piped in via secure video from CENTCOM HQS in Tampa. Others added their views. There were some questions about Afghanistan, and I provided some short answers. I was cautious in my responses. I did not know this environment.
It was making sense. All of the people here were sticking to their roles as I had imagined them. They were all calm and polite. They were rational. 
Then it got weird. 
With no prelude, prompt, or reference point that I could fathom, Wolfowitz launched into a monologue. 
"Iraq. We must focus on Iraq - 9/11 had to be state-sponsored. Iraq is central to our counterterrorism strategy." He spoke with great emphasis. There was a short pause, with no response. So he lectured in this vein for another couple of minutes. Then he stopped as abruptly as he had started. 
There was a heavy silence around the table. 
I looked around the room. Still nobody said anything. 
What was he smoking? I wondered. 
There was nothing in our intelligence collection or analysis that implicated Iraq in 9/11. On the contrary, Saddam Hussein was a secular despot with no affinity for AQ ideology or for AQ as an ally of convenience. While Saddam was a terrorist and supported terrorist groups, especially those in the radical Palestinian networks, he saw AQ as more of a threat than an ally. Moreover, AQ had organized, trained, and plotted the 9/11 attack from Afghanistan, not Iraq.
I sat mum. It seemed too strange to warrant a response, particularly from me, the new guy, policy rookie, field spook. But neither did anybody else challenge Wolfowitz. I dismissed the commentary as temporary contorted logic, an aberration of an otherwise intelligent and responsible policy leader. I had no idea what would unfold in the next couple of years.

Monday, June 16, 2014

Crowdstrike's PLA 61486 Report - Using Photoshopped Pictures? No. (Updated 6/16/14 6:45pm)

This post has been updated from the original thanks to some criticism that I received on Twitter for suggesting that Chen's photos were either photoshopped by Chen or taken from somewhere other than the PLA base. That criticism helped me resolve problems that I and others had with Chen's pictures. Here's my update. The original post is below.

UPDATE (6/16/14): Here are Google Earth images which show just how close the Pearl Tower and the Jin Mao tower are (they are the two illuminated buildings in the background; the World Financial Center is slightly to the left of and behind the Jin Mao tower).

The red line in the above picture originated from the PLA base as seen below.

And here's the full sight line from Google Earth.

Based upon this sight line, the Jin Mao tower and the World Financial Center should appear slightly to the right of the Pearl Tower, which is in line with Chen's photo. Therefore my suspicion, and that of others who felt that Chen had taken the photos from a different location or had doctored them, was wrong.

However, that doesn't change any of the problems that Crowdstrike has in proving its allegation that the person they identified as Chen Ping is responsible for any hacking attacks. As I wrote in my post of June 10th, they failed to prove that Chen Ping, or whatever his real name is, breached the network of a foreign company while under orders from the PLA. Those failings, and Crowdstrike's failure to even acknowledge them, don't inspire confidence. And while no one likes to have their findings criticized, there aren't nearly enough critical reviewers when it comes to cyber intelligence reports generated by for-profit companies.


(Original post with some edits) There's something wrong with those dramatic pictures of military satellite dishes contained in the Crowdstrike report on Chen Ping and PLA 61486. This is especially troubling since they play such a big role in Crowdstrike's attribution theory.

First, here's the picture from the Crowdstrike report on page 19:
Now here's the original photo from CPYY's online photo album with some labeling provided by one of Taia Global's Hong Kong-based consultants:

Notice that in the original photo you can see the Pearl Tower and the World Financial Center (labeling added). That part of the photo was cropped out of the Crowdstrike version. The distance from the PLA base to the Oriental Pearl Tower is 6.4 km but in the photo they seem to be half that distance.

Furthermore, to have taken this picture from the base, CPYY-Chen would have to be looking West. From that angle, the World Financial Center should be to the right of the Pearl Tower rather than to its left as it is in this photo.

On page 20 of the report, Crowdstrike features another satellite dish photo which shows the Pearl Tower in the background.
As before, the World Financial Center is on the wrong side of the Pearl Tower, which clearly cannot be the case unless this photo was doctored. And if you look at this image at its full size, it really doesn't take a trained eye to see that something isn't quite right. It's almost as if the satellite dish was layered on top of a different picture.



Tuesday, June 10, 2014

Crowdstrike, PLA 61486, and the Secret Hacker Language that wasn't.

According to George Kurtz's introduction to Crowdstrike's Putter Panda report, his company has revealed the activities of PLA unit 61486, the identity of one of its employees, Chen Ping aka cpyy, and the primary location of Unit 61486 in Shanghai. By any definition of proof that you care to name, that assertion is only partially true. They located the headquarters of the PLA's General Staff Dept. 12th Bureau in Shanghai thanks to a public announcement by the PLA itself. That's the part that's true.

UPDATE 10 June 2014: The Project 2049 Institute, which Crowdstrike drew on extensively, was the first organization to out the address of the Third Department 12th Bureau offices, in its 2011 report "The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure", not Crowdstrike.

Crowdstrike did not prove that the person they've identified as Chen Ping aka cpyy is actually named Chen Ping, or is an employee of PLA unit 61486, or is even a hacker. All of that is speculation on the part of the researchers. Even the name "Chen Ping" is believed to be real because it corresponds to the "cp" of cpyy. Really? It's not possible that it would also correspond if Chen Ping were a fictitious name, just like the fictitious phone number, postal code, and email address on his WHOIS registration for

Crowdstrike attempts to connect "Chen Ping" with another Chinese hacker named Linxder by pointing to a forum thread which Crowdstrike claims is "superficially about cars" but could be "a reference to hacking jobs wrapped up in car metaphors."

Nope, and let this be a PRO TIP to everyone who thinks that Google Translate is sufficient to do your "intelligence" work with. Ask a native Chinese speaker (like I did) to translate, then do a little further research, and you'll learn that Linxder was talking about her yellow car, which looks like a bun.

Crowdstrike refers to this report as intelligence. If it is, it's the worst kind because the authors start with a bias and then search only for evidence that confirms their bias. Even worse, they failed to prove any of their key findings:

  • Where is the proof that Chen Ping is a PLA soldier assigned to Unit 61486?
  • Or that Chen Ping is even his real name?
  • Or that Unit 61486 has conducted even one cyber attack against a U.S. company?

Just because China is interested in satellite technology and engages in acts of cyber and industrial espionage to get it doesn't mean that Crowdstrike, Mandiant, or anyone else can play fast and loose with attribution. Yes, China does it but so do many nations along with countless independent hacker groups. If you want to prove that Col. Mustard hacked Acme Satellite Company with a Candlestick, then either prove it using accepted international standards of evidence or leave attribution out of your report altogether. 

Sunday, June 8, 2014

Former Classified Presidential Directive to anticipate foreign cyber and tech developments

On January 9, 2008, President Bush signed National Security Presidential Directive (NSPD) 54 / Homeland Security Presidential Directive (HSPD) 23, which back then was classified TOP SECRET. That document was declassified, with some material redacted, by the NSA on June 5, 2014 thanks to a FOIA request. The purpose of NSPD 54 was to enhance U.S. defensive capabilities in cyberspace.
"Actions taken pursuant to this directive will improve the Nation's security against the full spectrum of cyber threats and, in particular, the capability of the United States to deter, prevent, detect, characterize, attribute, monitor, interdict, and otherwise protect against unauthorized access to National Security Systems, Federal systems, and private-sector critical infrastructure systems."
While the document doesn't contain too many surprises, it does contain an important paragraph which directly relates to Taia Global's REDACT search engine.
"The Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the DNI, and other heads of Federal agencies as appropriate shall increase predictive, behavioral, information, and trend analyses to better understand and anticipate foreign cyber and technology developments." (Paragraph 47 (c))
Even assuming that steps were taken to comply with this directive, the National Commission for the Review of the Research and Development Programs of the U.S. Intelligence Community found the IC's work in this area insufficient:
"Finding 1: The Commission found a limited effort by the IC to discern and exploit the strategic R&D—especially non-military R&D—intentions and capabilities of our adversaries, and to counter our adversaries' theft or purchase of U.S. technology." (p.5)
That finding and others from the Commission's report have been inserted into the Intelligence Authorization Act for 2014. The ability to look forward and see what technological innovations in computer network operations are being developed by rival or adversary states is critical, not just for nation states but for multinational companies as well.
That level of insight cannot be achieved simply by reading China's Five Year Plan (as CrowdStrike and Mandiant do), a document that matches many other nations' R&D priorities. For more information on how Taia Global's REDACT search engine can inform government and corporate clients about thousands of foreign R&D projects in a half-dozen different verticals, contact us today.
NOTE: This article has been cross-posted from