In Through The Out Door

    Diving Through The Information Barrage

    Browsing Posts published on February 6, 2008

    Cyber Sabotage

    Cyber Sabotage is yet another new wrinkle in the emerging threats from cyber space. Whether delivered over the internet or purposefully installed during the manufacturing process, contaminated hardware or software is now a concern. Sabotage is defined as deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.

    The Department of Defense operates an estimated 3.5 million PCs and 100,000 local-area networks at 1,500 sites in 65 countries. In one study a common piece of network equipment sold by a US company was found to have nearly 70 percent of its components produced by foreign suppliers. This equipment is critical to our security as well as our economy. If we cannot trust the computer equipment out of the box, then where are we? At this point it would be impractical to validate each and every computer before we place it into operations.

    In the commercial sector cyber sabotage could be used to attack competition and steal market share. In 2007 there were an estimated 269 million PCs shipped worldwide. Just imagine the backlash if a saboteur was able to contaminate the master software file used to image all the computers produced by the huge computer manufacturer HP. The millions of computers they ship each month could pose a significant threat to business customers and consumers, and could even pose a national security threat. If that is not bad enough, can you imagine the impact on HP’s stock if such an event were ever to happen? Now it should be noted that computer manufacturers all have security controls in place to guard against such malicious acts. But then again, I am sure Seagate and Insignia would have said the same thing.

    Offshore manufacturing diminishes our ability to control and monitor the manufacturing process for computers and related equipment. However, these malicious acts can occur even if all manufacturing is done in the United States. Insiders are thought to be involved in nearly 80 percent of security breaches that occur each year and who knows what percentage of the $1.5 trillion a year in corporate espionage. The fact is no matter what you do, what technology you use and how careful you are, you cannot be 100 percent sure you have managed all your risks.

    Here are a couple of recent examples:

    January 2008 — Digital picture frames were one of the hot items for this holiday season. However, some of them came with an unexpected surprise. Insignia NS-DPF10A digital picture frames connect to computers via the standard USB port. The digital picture frames were contaminated with a computer virus during the manufacturing process according to a notice posted on the company’s website.

    November 2007 — Seagate Maxtor Basics Personal Storage 3200 hard drives were infected with a Trojan Horse virus. The hard drive has been temporarily pulled off the shelves and is no longer available for purchase. Intelligence reports that the Trojan was designed to copy information on the computer and send it to Beijing web sites without the user’s knowledge.

    July 2007 — A space program worker deliberately damaged a computer that was supposed to fly aboard the shuttle Endeavour in less than two weeks. This was an act of sabotage that was caught before the equipment was loaded onto the spacecraft.

    [From Cyber Sabotage]

    While American press reports continually headline China’s buildup of naval forces, in reality there is only one warship category in which the Chinese Navy is superior to the U.S. fleet — diesel-electric submarines. In no other category is the People’s Liberation Army (PLA) Navy even close to U.S. Navy force levels or capabilities.

    The Chinese have an estimated 55 diesel-electric submarines in service, including several modern, Russian-built Kilo-class units. In addition, China is building advanced conventional as well as nuclear-propelled torpedo attack submarines. (The U.S. Navy now operates only nuclear-propelled attack submarines — 55 SSNs are in commission.)

    Non-nuclear submarines are difficult to locate — if operated by competent crews — especially in coastal or littoral waters. In those areas the advanced submarine detection systems developed by the U.S. and other NATO navies during the Cold War have limited effectiveness because of shallow depths and the massive noise put into the water by coastal shipping, fishing craft, offshore oil drilling rigs, and other sources.

    However, China’s conventional submarines, like their nuclear-propelled units, spend little time at sea. Researcher Hans M. Kristensen, writing for the Federation of American Scientists, reports that China’s “55 general-purpose submarines conducted a total of six patrols during 2007, slightly better than the two patrols conducted in 2006 and zero in 2005.”

    The patrol information was obtained from the U.S. Navy. Kristensen continued, “Just what constitutes a Chinese ‘patrol’ is secret, according to the U.S. Navy….”

    This writer has learned that such patrols have a maximum of about 30 days with the boats averaging a speed of four or five knots while on patrol. Still, these patrols have demonstrated that the submarines can locate U.S. ships, as evidenced by the surprise of U.S. officials when the carrier Kitty Hawk (CV 63) encountered a Song-class diesel submarine. Obviously, diesel boats cannot effectively track U.S. warships, but could probably be guided to such intercepts by reconnaissance aircraft or satellites.

    Little is known about the operations of China’s nuclear torpedo-attack submarines (SSN). However, according to reliable sources, neither the first Chinese ballistic missile submarine (SSBN) of the Xia design, launched 25 years ago, nor the new Jin-class SSBNs launched since 2004 have undertaken a patrol. Indeed, reportedly the Chinese still do not have an operational submarine-launched ballistic missile for those craft.

    Rather, it is the non-nuclear submarines that should be of major concern to U.S. and allied naval planners who wish to operate in Far Eastern waters.

    [From China's Subs Go to Sea . . . Sort of]

    While I’m not trying to only focus on security topics, they just seem to pop up more often than not, including today’s serendipitous discovery that TrueCrypt is available for OS X. Security isn’t just about maintaining system integrity (loosely defined as keeping malicious code from getting onto/running on your system). A critical component is ensuring that your valuable data is protected according to your risk appetite (loosely defined as confidentiality). Macs already have FileVault and secure disk images to handle basic encryption needs, so you may be asking why we need yet another utility for protecting information on our systems (a fair question).

    If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to all your secret data, something that is not possible with OS X secure disk images.

    The other big “selling point” (difficult to use that term with a free & open source product) is the concept of plausible deniability. Until you go through the process of decrypting/mounting a volume, TrueCrypt file or disk volumes appear to consist of nothing more than random data (i.e. there is no “signature”). It is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. This is an important point since we’re going down a very slippery slope (at least in the United States) where folks are now being forced to give up their secrets with full legal backing. You can rename a TrueCrypt file to “Family Vacation.mov” and be able to claim that it’s just a corrupted transfer from your video camera with no way for the authorities to prove otherwise. Similarly, non-boot volumes (boot volumes are not an option for OS X yet) have no identifiable tags, making them look like an unformatted partition full of random data.

    Sadly, one of the coolest features – creating a hidden volume within an encrypted volume – is also not available on OS X yet. This option would allow you to give up your keys/passphrase to an outer-encrypted volume, but have another hidden, encrypted volume within it that uses a separate set of keys/passphrase. This lets you give up some of your secrets but not all of them.

    My attempts at downloading and installing TrueCrypt were woefully unsuccessful with Safari under Leopard (the download file was corrupted). It worked fine in Firefox and is available for 10.4 and 10.5, Intel or PPC. I’ll be putting the software through some tests over the next few days, so drop a note in the comments or forums if you have any questions or want to share your experiences with the product.

    [From TrueCrypt 5.0 Brings Plausible Deniability To OS X Users]
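    As an added illustration of what “no signature” means to an analyst looking at a file (this is not code from the quoted post or from TrueCrypt itself): the Python below checks a buffer for a few well-known file headers and measures its byte entropy. A random-byte blob stands in for a TrueCrypt container, since the script does not build a real volume; it comes back with no recognised header and near-maximum entropy, which is the same answer genuinely random data gives, whereas a QuickTime movie declares itself through its first atom.

```python
import math
import os
from collections import Counter
from typing import Optional

# Known format signatures at their usual offsets. QuickTime/MP4 files begin
# with a 4-byte atom size followed by the 4-byte atom type (e.g. "ftyp").
MAGIC = {
    "PNG": (0, b"\x89PNG\r\n\x1a\n"),
    "ZIP": (0, b"PK\x03\x04"),
    "QuickTime": (4, b"ftyp"),
    "QuickTime (moov)": (4, b"moov"),
}

# Constructed samples: random bytes as a stand-in for a TrueCrypt container
# (no real volume is created), a minimal PNG header and a minimal .mov header.
RANDOM_BLOB = os.urandom(4096)
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(100)
MOV_SAMPLE = (32).to_bytes(4, "big") + b"ftyp" + b"qt  " + bytes(100)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means all 256 values equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes) -> Optional[str]:
    """Return the format name if a known header sits at its expected offset."""
    for name, (offset, sig) in MAGIC.items():
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Summarise: known header, or headerless high/low entropy data."""
    fmt = identify_magic(data)
    ent = shannon_entropy(data)
    if fmt:
        return f"{fmt} header (entropy {ent:.2f})"
    if ent >= threshold:
        return "no known signature, high entropy: looks like random data"
    return "no known signature, low entropy: structured but unrecognised"


if __name__ == "__main__":
    for label, sample in [("random/TrueCrypt stand-in", RANDOM_BLOB),
                          ("PNG", PNG_SAMPLE), ("Family Vacation.mov", MOV_SAMPLE)]:
        print(f"{label}: {classify(sample)}")
```

    The check cannot separate an encrypted volume from random bytes, which is exactly the property the post describes; it can only say whether a recognisable header is present.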
