In Through The Out Door

Diving Through The Information Barrage



Covering Up Cyber Assaults

2 July, 2008 (20:30) | H@xor, Security | No comments


Cyber attacks from individuals, organized crime, extremist groups, terrorists as well as nation states pose a significant threat to the national security of the United States. While many believe that this is a government issue, closer analysis of the problem suggests otherwise. Any computer that is not properly protected can be compromised and used as a weapon against the system owner, businesses and our economy, the nation’s infrastructure or in some rare cases our defenses. Personal, business and government systems are constantly under attack and the frequency and sophistication of the attacks is rapidly increasing.

The number of new computer system threats skyrocketed nearly 570 percent over those identified in 2006. According to one 2007 computer security study, the average annual loss reported by U.S. companies increased by nearly 210 percent to $350,424 (per occurrence) in 2007. The top three primary sources of loss were financial fraud, losses due to computer viruses and system penetration by outsiders. About 20 percent of the companies reporting security incidents said they had fallen victim to targeted malware attacks. Nearly 1.2 million different pieces of malware have been identified and reside in the malware repository. Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. The term is a combination of the words malicious and software, and computer professionals use it as a general term for a variety of hostile, destructive, intrusive or annoying software. The bad news is that malware is just one of the many threats to computers, systems and networks.

A reader of the blog asked me “Why with all the U.S. technological expertise are we so vulnerable to these threats?” That is a great question. Considering a recent report suggested that around 90 percent of breaches could have been prevented, why are our computer systems so at risk?

After giving this a fair amount of thought I came to the following realization. It is our attitude! For some reason there is an abundance of “I know more than they do” types in information security. If that is not bad enough, the second most prominent attitude is “It can’t happen here” followed closely by “I will address it when it happens to me.”

Example 1 - A $13 billion publicly traded corporation has five full-time staff assigned to information security. When I asked the Director how he spent his time he said by far most was in the Human Resources Department and with corporate lawyers.

Example 2 - A systems design and development organization that services part of our nation’s infrastructure was briefed on the issues and threats of cyber attack. Numerous examples were provided to that organization that showed their industry had already experienced cyber attacks. In addition, a high level overview of their operational procedures resulted in the identification of two critical vulnerabilities that exposed the systems to compromise. The organization addressed one of those issues and decided to take a wait and see approach to addressing the other.

Example 3 - A security consulting firm contacted me as an advisor. They were brought in to review security and recommend changes at a publicly traded company. During their work they discovered the company had been breached. They had found a “bot” attached to an Oracle database. The “bot” collected information about the manufacturing cost of the company’s products. They approached the CIO with the facts and the Sarbanes-Oxley issues; he refused to communicate the issue to the senior executives and then cancelled their contract.

Well, we don’t know more than all the hackers do. This is a highly dynamic threat environment that even top security professionals describe as “challenging.” The “it can’t happen here” attitude is insane. One veteran US Special Agent in cybercrime investigation publicly stated how companies do their best to cover up corporate espionage and insider theft. He went on to say he had seen entire corporate networks of over 100,000 systems completely compromised and hundreds of thousands of files exfiltrated and not disclosed. The fact is, if all system breaches were reported the security metrics would be much worse than the ones reported earlier here. So it not only can happen here, it probably already did and got covered up.

[From Covering Up Cyber Assaults]

Encrypted Traffic No Longer Safe From Throttling

2 July, 2008 (20:18) | Geek, Privacy, Security | No comments

New research could allow ISPs to selectively block or slow down your encrypted traffic even if they cannot snoop on your transmitted data. Italian researchers have found a way to categorize the type of traffic that is hidden inside an encrypted SSH session to around 90% accuracy. They are achieving this by analyzing packet sizes and inter-packet intervals instead of looking at the content itself. Challenges remain for ISPs to implement this technology, but it’s clear that encrypting your traffic inside an SSH session or VPN connection is not a solution to protect net neutrality.
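The classification described above works on metadata alone: an observer who cannot read a byte of the SSH payload can still see how big each packet is and how far apart packets arrive. The following is an added illustration, not code from the Italian research or from any ISP product. The two traces are constructed by hand (an interactive shell versus a bulk file copy) and the classifier thresholds are assumptions chosen for the demo; it also shows the defender's counter, fixed-size cells on a fixed clock, and what that costs in bandwidth.

```python
"""Why packet sizes and timing leak the traffic type inside an encrypted tunnel.

Added example (not from the researchers or the article). Traces are
constructed by hand; the thresholds are assumptions chosen for this demo.
"""
from statistics import mean, pstdev

# Constructed traces: (packet size in bytes, gap since previous packet in seconds).
# An interactive shell sends small packets at human typing speed...
INTERACTIVE = [(52, 0.31), (52, 0.18), (84, 0.25), (52, 0.42), (52, 0.20), (116, 0.35)]
# ...while a bulk file copy sends MTU-sized packets back to back.
BULK = [(1448, 0.002), (1448, 0.001), (1448, 0.002), (1448, 0.001), (1448, 0.002), (1448, 0.001)]


def features(trace):
    """Metadata an on-path observer sees without decrypting anything."""
    sizes = [size for size, _ in trace]
    gaps = [gap for _, gap in trace]
    return {"mean_size": mean(sizes), "size_stdev": pstdev(sizes), "mean_gap": mean(gaps)}


def classify(trace):
    """Rule-based stand-in for the statistical classifier the research describes.
    The thresholds (256 bytes / 50 ms, 1000 bytes / 10 ms) are assumed for the demo."""
    f = features(trace)
    if f["mean_size"] < 256 and f["mean_gap"] > 0.05:
        return "interactive"
    if f["mean_size"] > 1000 and f["mean_gap"] < 0.01:
        return "bulk"
    return "unknown"


def pad_and_pace(trace, cell=1500, tick=0.05, slots=8):
    """Countermeasure: fixed-size cells on a fixed clock, with dummy cells filling
    idle slots. Every trace then presents the same sizes, gaps and packet count."""
    return [(cell, tick) for _ in range(max(len(trace), slots))]


def padding_overhead(trace, cell=1500, slots=8):
    """Cost of the countermeasure: bytes on the wire divided by real payload bytes."""
    real = sum(size for size, _ in trace)
    return (max(len(trace), slots) * cell) / real


if __name__ == "__main__":
    for name, trace in (("interactive", INTERACTIVE), ("bulk", BULK)):
        print(name, features(trace), "->", classify(trace))
        print("  padded ->", classify(pad_and_pace(trace)),
              "overhead x%.1f" % padding_overhead(trace))
```

After padding and pacing, both traces produce identical feature vectors and the classifier can no longer separate them; the price is that the interactive session now costs many times its real payload in bandwidth, which is why SSH and VPNs do not do this by default and why the article's conclusion holds.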

FBI’s New Eye Scan Database Raising Eyebrows

2 July, 2008 (20:15) | Darwin Candidate, Gov, Privacy | No comments

The FBI has confirmed to Popular Mechanics that it’s not only adding palm prints to its criminal records, but preparing to balloon its repository of photos, which an agency official says ‘could be the basis for our facial recognition.’ It’s all part of a new biometric software system that could store millions of iris scans within 10 years and has privacy advocates crying foul. Quoting: ‘The FBI’s Next Generation Identification (NGI) system, which could cost as much as $1 billion over its 10-year life cycle, will create an unprecedented database of biometric markers, such as facial images and iris scans. For criminal investigators, NGI could be as useful as DNA some day — a distinctive scar or a lopsided jaw line could mean the difference between a cold case and closed one. And for privacy watchdogs, it’s a dual threat — seen as a step toward a police state, and a gold mine of personal data waiting to be plundered by cyber criminals.’

My favorite group of federal Darwin Candidates are at it again.

ZFS on FUSE

2 July, 2008 (20:09) | Linux | No comments

Although its features and terminology may seem strange if you’re used to more traditional Linux filesystems, ZFS offers a great deal of flexibility.

[From ZFS on FUSE]

Identifying the Cyber Attacker

29 June, 2008 (19:26) | H@xor, Security | No comments


Computers and networks have blurred the boundaries between cyber warfare, cyber crime and cyber terrorism. There is no doubt that future conflicts will involve cyber warfare between nations. Distinguishing between military, criminal and civilian attacks is tough and could create a dangerous problem in determining who is behind a cyber attack. It is very difficult to trace cyber attacks back to the responsible parties. It is rarely the case that the computer forensic analysis conducted after a cyber attack yields enough hard evidence to meet the “beyond a reasonable doubt” standard we apply in non-civil court actions.

There are millions of pieces of malicious code available today along with a significant number of vulnerabilities that can be exploited by cyber soldiers, hackers and others who wish to compromise computers and networks. Websites now provide both novice and expert level computer attackers with the latest, up-to-date programs and support needed to plan, design, develop and initiate cyber attacks. In fact, these websites provide services to parties that are interested in hacking computer systems and networks.

When you use the Internet, you leave the equivalent of digital footprints, and attacks leave digital fingerprints as well as digital DNA. Every message a computer sends to another computer travels in a series of hops from one router or server to the next, leaving behind logs and addresses of the route. Even after the message is received, the record of its path remains behind. There are also a number of ways that attackers use to obscure their location and identity. Intelligence around cyber weapons development and cyber attacks is very limited. Of our vast intelligence-gathering capabilities, only electronic intercepts and human intelligence can provide the primary sources that help defend our nation against cyber attacks. The tools and technologies available to law enforcement and the Defense Department are not keeping pace with the rapid advances being made in the cyber weapons used by attackers. The current state of the practice and the available tools for tracking and tracing cyber attacks remain very primitive. The sophistication of advanced cyber attacks makes it close to impossible to trace them to their true source and to hold hard evidence that would pass the court of public opinion. In addition, the technical nature of the investigation would make it difficult to communicate effectively to those serving on a jury. Advanced tools for tracing complex attacks are among the research topics currently under development by multiple organizations and agencies, but we need them now.

We have seen the harbingers of cyber warfare and the image they present instills fear in our military and technical professionals. Dozens of nation states currently have highly sophisticated cyber attack capabilities and many others are in the process of developing cyber weapons of mass disruption. Advances are needed now to defend our systems against such attacks. Likewise, advanced tools, techniques and trained staff are needed now to conduct the investigations into the rash of cyber attacks we are experiencing. Finally, international laws and doctrine must rapidly be developed and implemented as part of our overall cyber defense activities.

[From Identifying the Cyber Attacker]

2008 Security Survey: We’re Spending More, But Data’s No Safer Than Last Year

29 June, 2008 (19:13) | H@xor, Security | No comments

In the face of growing demand to target security investments based on risk management principles–a domain foreign to many CIOs and infosec practitioners–there’s wisdom to be garnered from our peers.

[From 2008 Security Survey: We're Spending More, But Data's No Safer Than Last Year]

OPEC’s Strategic End Run on Progressive Energy Policy

29 June, 2008 (18:55) | Real | No comments

Digital TV Foreshadows Erosion of Net Rights

18 June, 2008 (21:01) | Geek | No comments

InfoWorld’s Tom Yager offers insight on how digital TV is rapidly heading toward the kind of lockdown that entertainment and broadcast lobbies desire for the Internet. Standards such as HDMI and HDCP are acting in concert to strip your equipment of its functionality, displaying ‘incompatibility’ messages when plugged into older HDMI-enabled devices, shutting down analog outputs when active, and requiring balky handshake credentials that force many consumers to reboot their TVs to recover permission to watch them. Even broadcast flagging, which has been overturned by the Court of Appeals, is still on the de-facto table, as the entertainment lobby retains the power to bully technology companies into baking broadcast flagging into their wares. Sure, digital TV has far fewer points of origin than the Internet and is therefore easier to control, but, as Yager writes, ‘Internet rights restrictions come through your telecommunications equipment’ — and it is likely through that equipment that the entertainment and broadcast lobbies will chip away at your rights on the Web.

[From Digital TV Foreshadows Erosion of Net Rights]

What Constitutes an Act of Cyber War?

18 June, 2008 (20:45) | Gov, H@xor, Military | No comments


Throughout history wars have been triggered by events. Being at war is a state or condition. To be legal, a war must be declared by a branch of the government entrusted by the Constitution with this power. In the Constitution of the United States, Article I provides Congress the power to declare war. War is defined as a contention by force, or the art of paralyzing the forces of an enemy. An act of war is typically defined as an aggressive act that constitutes a serious challenge or threat to national security; armed conflict, whether or not war has been declared, between two or more nations; or armed conflict between military forces of any origin. This frames the discussions around traditional war. In the physical sense it is easy to define such infractions: enemy troops crossing another country’s border, military strikes by missiles or bombs; basically you know it when you see it. What constitutes a serious challenge and a threat to our national security in cyber space? That is much more difficult to define.

In the U.S. Army’s Cyber Operations and Cyber Terrorism Handbook 1.02 I found the following reference to the definition of Cyber Warfare & Terrorism: “the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives or to intimidate any person in furtherance of such objectives.” This was an excerpt from an article I wrote back in 2003 when the issue of cyber war was in its infancy. While this frames acts of cyber war, in retrospect it does not address a measure of the disruptive acts or provide guidance to assess whether individual acts, or a collection of acts, rise to the level of an act of cyber war.

If a foreign government hacks a sensitive system of another government and accesses security and defense information, is that an act of cyber war? If so, that has already occurred. If a foreign government hacks a sensitive system of another government and places software on the system that collects data and sends it back, is that an act of war? If military personnel from a foreign government infiltrate another nation’s networks or systems through the use of counterfeit hardware and monitor communications, is that an act of cyber war? Both are certainly acts of espionage and have already taken place. The factor that will determine whether an act or acts of cyber attack rise to the level of an act of war rests in the magnitude of disruption that accompanies the acts. Adding to the complexity is the fact that much of the critical infrastructure that is a prime target for cyber attacks is owned or operated by the private sector, not the government. This infrastructure in some cases carries military communications and supports civilian emergency services as well as business and consumer services. An attack on the infrastructure impacts multiple segments. The question of what constitutes an act of cyber war remains unanswered.

Given that we are in relatively new territory, each individual attack must be examined and the forensic evidence weighed to determine the source of attack. Little physical evidence will ever exist that you can hold up and point to or take a picture of and say “they did this.” Much debate is currently taking place over the legality of cyber warfare tactics and their use. Is a cyber attack on our networks and systems an act of war? Are acts of cyber espionage a violation of international law? It is better we investigate and answer these questions now rather than reacting to cyber events in the heat of the moment when they occur.

[From What Constitutes an Act of Cyber War?]

RAND study: US still #1 in R&D, but sees areas of concern

15 June, 2008 (20:30) | Gov | No comments

Is the US falling behind when it comes to science and technology? Not according to an evaluation by the RAND Corporation, performed at the behest of the Department of Defense. The report does identify some areas of concern, and makes some specific recommendations.

[From RAND study: US still #1 in R&D, but sees areas of concern]

Governments step up blogger arrests

15 June, 2008 (20:25) | Darwin Candidate, Gov | No comments

More bloggers than ever are being arrested around the world, highlighting the dangers of citizen journalism, according to a new report from the University of Washington.

[From Governments step up blogger arrests]

South Korea Launches New Type 214

15 June, 2008 (12:33) | Military, Submarines | No comments

South Korea launched its third Type 214 submarine last week. While it is often noted the quantity of naval growth taking place in China and India, we continue to observe both growth and quality in the naval forces being produced by South Korea. The addition of Type 214s to the naval mix by South Korea is not a small thing, while not often discussed, the quality of ASW capabilities by North Korea

[From South Korea Launches New Type 214]

A Big Pot of Money

15 June, 2008 (12:32) | Gov, H@xor, Military, Security | No comments


Recently much attention is being given to the topic of cyber warfare, and rightfully so. Our computers and networks are under continuous attack from all over the world. The level of sophistication of these attacks and the quality of the code written to perform them have both risen significantly in the past year. Experts agree we have entered a new era of warfare and are transitioning from bombs and bullets to bits and bytes.

In January two classified presidential directives were signed related to defending the country against cyber attacks. At that time the price tag was estimated at $6 billion. In mid May the price tag was revised and believed to be $17 billion. Now, the price has risen again to be $30 billion. That is a big pot of money by anyone’s standards. So the question is, where will this money be spent? Increasing cyber defense will require investment in Research and Development as well as in existing technology and services. The first and most critical activity will be to fortify current systems against known cyber threats.

Spending Allocation:

  • Hardware 18% $5.4 Billion USD
  • Software 25% $7.5 Billion USD
  • Consulting 29% $8.7 Billion USD
  • Services 24% $7.2 Billion USD
  • R&D 4% $1.2 Billion USD

The R&D efforts will focus on near term delivery of advanced defensive capabilities (like behavioral modeling) of software processes and transactions to evaluate whether they pose a threat to the system. Additionally, advanced modeling capabilities are required for evolving defenses and investigative activities. Advanced modeling will be used to certify chips, hardware and software as authentic and free of malicious code. One of the most promising capabilities centers on the development of a “Digital DNA” database repository. The ultimate goal of this work is the same as with current DNA forensics - to identify the perpetrators of the assault. Most cyber attacks leave behind forensic evidence that can be used to assess the capabilities of the attacker, understand the implications of the attack and create defensive measures to guard against this type of attack in the future. With all the attacks that have taken place, there is significant intelligence out there about the techniques, cyber weapons and strategies that have been used in these cyber assaults. Analysis of this evidence can create Digital DNA, which could also help to identify the source of the malicious code and potentially lead to the attacker.

ASDF represents the four Digital DNA characteristic sets.

A = attributes, abilities, abstraction, architecture, assembly, adaptation
S = style, signatures, syntax, structure, source, specification, scope
D = demographics, delivery, development, discipline, data, design
F = functions, features, faults, formidability, fields, forms, factors

There are currently over a million pieces of malware. On average approximately 200 new computer viruses are released monthly, so the raw cyber DNA materials are not in short supply. The potential use and value of the Digital DNA repository will increase with every single entry and the analysis of attacks. According to a source close to the Digital DNA project, the repository is currently in its infancy; it continues to grow and mature with the knowledge gained from each cyber attack. John Foley, CEO of Defcomm1 and former CEO of Vigilant Minds, a leading managed security services provider, said, “Much like the human genome project, Digital DNA will basically fingerprint the technical and human factors behind the malicious software and attacks.” Security experts believe that Digital DNA type data is a critical component and required to fight cyber attacks and defend systems.
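The ASDF sets above are a taxonomy of characteristics; the working part of a “Digital DNA” repository is the matching that puts a new sample next to what is already known. The following is an added toy illustration of that matching and is not code from the Digital DNA project or from Defcomm1. The repository entries, the attribute tags (drawn from the A and D sets) and the opcode-like token sequences (standing in for the S set, style and structure) are all constructed; the equal weighting of the two similarities and the attribution threshold are assumptions.

```python
"""Toy 'Digital DNA' matching: attribute a sample by shared characteristics.

Added example, not the project's code. Repository entries, tags and token
sequences are constructed; weights and threshold are assumptions.
"""


def shingles(tokens, n=3):
    """n-gram shingles over a token sequence (here, a constructed opcode trace)."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Constructed repository: family -> (attribute tags, opcode-like token sequence).
REPOSITORY = {
    "family-alpha": (
        {"packer:upx", "lang:c", "c2:http", "crypto:xor"},
        "push mov call xor loop jnz ret push mov call".split(),
    ),
    "family-beta": (
        {"packer:none", "lang:delphi", "c2:irc", "crypto:rc4"},
        "mov mov cmp jz lea call ret mov cmp jz".split(),
    ),
}


def score(sample_tags, sample_tokens, entry):
    """Equal-weight blend (assumed) of attribute overlap and structural overlap."""
    tags, tokens = entry
    return 0.5 * jaccard(sample_tags, tags) + 0.5 * jaccard(shingles(sample_tokens), shingles(tokens))


def attribute(sample_tags, sample_tokens, threshold=0.3):
    """Return (best matching family, score), or ('unattributed', score) below the threshold."""
    best = max(REPOSITORY, key=lambda name: score(sample_tags, sample_tokens, REPOSITORY[name]))
    best_score = score(sample_tags, sample_tokens, REPOSITORY[best])
    return (best if best_score >= threshold else "unattributed", best_score)


# Constructed sample: shares three of four tags with family-alpha and most of its structure,
# but uses RC4 and ends with a jmp instead of a call.
SAMPLE_TAGS = {"packer:upx", "lang:c", "c2:http", "crypto:rc4"}
SAMPLE_TOKENS = "push mov call xor loop jnz ret push mov jmp".split()

# Constructed sample that matches nothing on file.
NOVEL_TAGS = {"packer:themida", "lang:go"}
NOVEL_TOKENS = "nop nop nop nop".split()

if __name__ == "__main__":
    print(attribute(SAMPLE_TAGS, SAMPLE_TOKENS))
    print(attribute(NOVEL_TAGS, NOVEL_TOKENS))
```

The match says only that the sample shares tooling and style with a known family, which is the kind of evidence the post describes; it is not proof of who sat at the keyboard, since toolkits are sold and copied, and a match below the threshold is a reason to add the sample to the repository rather than to guess.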

[From A Big Pot of Money]

Schwartz a Chief to Mend Fences

14 June, 2008 (16:11) | Military | No comments

Secret Spy Court Repeatedly Questions FBI Wiretap Network

12 June, 2008 (19:24) | Darwin Candidate, Gov | No comments

iWork and Office: How to share files

12 June, 2008 (19:09) | OS X | No comments

Data Breach Study Spanning 500 Break-Ins Released

12 June, 2008 (19:07) | H@xor, Security | No comments


The good folks over at Verizon Business have released a report that summarizes what they’ve found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and (3) attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East.

[From Data Breach Study Spanning 500 Break-Ins Released ]

Storm and the Future of Social Engineering

12 June, 2008 (19:05) | H@xor, Security | No comments


Albert writes “Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply ‘cutting off its head.’ In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes.”

[From Storm and the Future of Social Engineering ]

Anatomy of Linux Journaling File Systems

12 June, 2008 (19:04) | Linux | No comments


LinucksGirl writes “Journaling file systems used to be an oddity primarily for research purposes, but today it’s the default in Linux. Discover the ideas behind journaling file systems, and learn how they provide better integrity in the face of a power failure or system crash. Learn about the various journaling file systems in use today, and peek into the next generation of journaling file systems.”

[From Anatomy of Linux Journaling File Systems ]

Your papers please: TSA bans ID-less flight

12 June, 2008 (18:51) | Darwin Candidate, Gov | No comments
