In Through The Out Door

    Diving Through The Information Barrage

    Browsing Posts published in April, 2008

    In recent House testimony, the FBI Director gave a glimpse into the future of law enforcement with his suggestion that his agency be given the authority to filter network “choke points” for illegal activity.


    [From FBI wants to move hunt for criminals into Internet backbone]

    Once again this organization shows its blissful ignorance or stupidity, depending on your outlook.


    New software vulnerabilities are announced all the time. In fact, according to the NITS database, last year a new software vulnerability was announced every 57 minutes.

    A software vulnerability is defined as a flaw in a software program which may allow a third party or program to gain unauthorized access. Some experts say that over 70% of the nearly 7,000 vulnerabilities discovered last year were exploitable remotely. This remote capability makes them valuable assets for cyber attackers.

    The ability to rapidly respond to and mitigate the risks posed by these vulnerabilities is one of the most important parts of computer and network security. Vendors rapidly respond to the reports of newly discovered vulnerabilities in their products. But wouldn’t we all be better off if the vulnerabilities did not exist in the first place?

    I consulted a 25-year veteran of the software industry who hails from one of the icons of the software industry and posed the following question to him: Based on your experience, how often do software vendors investigate the root cause of reported vulnerabilities? He said, “They don’t — they jump in and try to create a patch.”

    I followed up and asked, “So you are saying they do not look to see if the vulnerability was purposefully programmed?” After a significant pause he said, “We never considered that possibility; we only worked to respond to the vulnerability.”

    If that’s not bad enough, think about the amount of software being developed offshore. Product liability exists in virtually every other category except software. How would you react if every 57 minutes your car dealer called you and said there is a problem with your car? We have been conditioned to accept software products with these problems and have allowed organizations to protect themselves by hiding behind the armor of the “Software License.”

    If software vendors, whose products run our critical infrastructure, do not investigate if these vulnerabilities are actually acts of espionage, that would seem to be a critical flaw in our efforts to protect ourselves against cyber attack.

    [From Cyber-Holes in Your Software]

    A break-in can happen to any system administrator. Find out how to use Autopsy and Sleuthkit to hit the ground running on your first forensics project.


    [From Introduction to Forensics]


    “Details of George Bush’s Cyber Initiative are beginning to trickle out. The Cyber Initiative was created in January to secure government against electronic attacks. Newsweek says that over the next seven years, Bush’s Cyber Initiative will spend as much as $30 billion to create a new monitoring system for all federal networks, a combined project of the DHS, the NSA and the Office of the Director of National Intelligence. The U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government’s most critical networks. ComputerWorld reports that all data traffic flowing through agency networks will be checked, and that it will be inspected at a deeper level than the current system is capable of. BusinessWeek, meanwhile, reports that one requirement is to reduce the number of internet access points in the Federal Government from the thousands now in use to only 100 sites by June 2008. How this will impact public information resources such as the Library of Congress, National Library of Medicine or even the US Congress remains to be seen.”


    [From Bush Cyber Initiative Aims To Monitor, Restrict Access To Federal Network]


    “It probably won’t surprise you, but in 2005, the FBI manufactured evidence to get the power to issue National Security Letters under the PATRIOT Act. Unlike normal subpoenas, NSLs do not require probable cause and you’re never allowed to talk about having received one, leading to a lack of accountability that caused them to be widely abused. The EFF has discovered via FOIA requests that an FBI field agent was forced by superiors to return papers he got via a lawful subpoena, then demand them again via an NSL (which was rejected for being unlawful at the time), and re-file the original subpoena to get them back. This delay in a supposedly critical anti-terror investigation then became a talking point used by FBI Director Robert Mueller when the FBI wanted to justify their need for the power to issue National Security Letters.”

    [From FBI Lied To Support Need For PATRIOT Act Expansion]

    Anyone really surprised here? They continue to not amaze.


    Congress, DHS battle over domestic spy sats

    [From Brief: Congress, DHS battle over domestic spy sats]

    Sun platform strategist Ian Murdock presented OpenSolaris at LugRadio Live. The platform looks promising, but serious advantages of adopting it on the desktop remain elusive.



    [From Sun touts big plans for OpenSolaris as first release nears]


    The NSA is not the only agency with advanced eavesdropping capabilities.

    Cyber espionage is getting renewed attention as fresh evidence emerges of computer spying against corporations and government agencies here and abroad. Late last year MI5 warned British companies of Chinese espionage activities. Computer Security Professionals have stated there is growing evidence of attacks from China and other countries. Zhao Shangse, an official from the Chinese embassy in London, has denied the allegations. This is not new. Way back in 2001 when we were preparing for my congressional testimony and demonstration we considered hacking the computer and using the webcam and built-in PC microphone to look and listen in. We had to scrap that plan when we found out that we had to use a dial up modem to connect in the hearing room.

    Now many more people have caught on to our tricks. Numerous news stories report the use of Trojans and Worms using webcams to spy on users. In one case it was college students spying on female students.

    Other stories report that similar malicious code is in use by corporate and government spies alike. With the growth of VoIP this takes on a new and more significant risk. In November of 2007, CISCO Systems confirmed it is possible to eavesdrop on remote conversations using Cisco VoIP phones.

    Multiple computer manufacturers admitted that microphones attached to their workstations can be used to eavesdrop on conversations near the computer. I discussed cyber spying with the experts at Spy-Ops and they strongly recommended microphones on systems in sensitive areas be either physically switched off or totally disconnected from the system. In addition, they told me that last year the global cost of industrial espionage topped $1.5 trillion dollars.


    [From Cover Your Computer Mics and WebCams]


    This is a pretty good hi res photo of a PLAN Russian Kilo class submarine. At most she has been in service for what, 4 years tops?

    Sexy. However, sometimes it is about perspective. I think these photos are the same submarine.

    Updated: My commenters, as usual, are much smarter than me, and they have excellent links.


    [From Picture of the Day: Kilo Class Submarine]


    The Washington Post reports that ‘The Bush administration said yesterday that it plans to start using the nation’s most advanced spy technology for domestic purposes soon’ and that Homeland Security Secretary Michael Chertoff has said that ‘Sophisticated overhead sensor data will be used for law enforcement.’ Initially, it appears that the administration plans to leverage conventional satellites for domestic surveillance purposes. Congress last October delayed launch of the DHS office that would coordinate law-enforcement requests for satellite and other technical data, and demanded answers to legal questions about the program. The administration supplied answers that some Congress members characterized as inadequate and appears determined to go ahead anyway.



    [From US To Employ Overhead Spying Domestically]


    U.S. gov’t pushes cybersecurity at con
    [From News: U.S. gov't pushes cybersecurity at con]


    In the CRS report by Ronald O’Rourke on PLAN modernization there is an interesting table that outlines the commissionings of PLAN submarines by year starting in 1995. Because good hard data is difficult regarding the PLAN, this might be the most useful chart yet on the subject.
    According to this chart, the PLAN only commissioned a single submarine in 2007. If true, that would be ver


    [From PLA Navy Submarine Commissioning Observations]


    Presto Vivace notes a report from the RSA conference on the cybercrime economy, and it’s not an optimistic one. Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research. “As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money.”


    [From Cybercrime Is a Franchise Model That Scales]


    At first, we were not really sure where the interesting Carrier vs Subs series by Martin Sieff was going, and to be honest, it is still unclear where his conclusions lie, but as a discussion topic we find the series quite interesting and compelling for analysis. The first, second, and third part of his series are all good reads. While we admittedly don’t agree with some of what he is saying….


    [From Assessing the Risk to Carriers from Submarine]

    “Black Hat” is the new “Jarhead” for cyber warfare

    A great inside look at a Pentagon after-action report on that embarrassing nuke flub where the Air Force flew a couple doomsday weapons across the US without even knowing it.

    Let’s hope this report doesn’t just collect dust on some general’s shelf and that the recommendations are actually implemented.

    From our friends at Popular Mechanics:

    One might think that the United States’ nuclear weapons — the cornerstone deterrent in the country’s arsenal — would be treated with the utmost precision.

    This comfortable illusion was shaken on Aug. 31, 2007, when crews loaded six live nuclear warheads onto a B-52 bomber and flew from Minot Air Force Base in North Dakota to Barksdale Air Force Base in Louisiana, cruising over the nation’s heartland. Each warhead was 10 times more powerful than the atomic bombs dropped on Hiroshima and Nagasaki during World War II.

    During the analysis of the incident by the Defense Science Board (DSB), released this month, the ugly truth came out: America’s nukes are so neglected that they are stored alongside conventional missiles, with nothing but an 8.5 x 11-in. sheet of paper to differentiate the two. The last day in August, Air Force personnel loaded the nuclear warheads on a routine repositioning of weapons stocks, believing them to be cruise missiles.

    The system of checks and balances has degraded to a point that six of the planet’s most powerful weapons were missing for 36 hours — and no one noticed until they had landed in Louisiana. “The process and systemic problems that allowed such an incident have developed over more than a decade and have the potential for much more serious consequences,” the report warns.

    So what can be learned by this near miss, and how can something worse be avoided?

    1. No one Air Force command is solely responsible for taking care of nuclear weapons.

    There are plenty of weapons systems and missions out there, and each one is more exciting and has a higher priority within the command structure.

    The DSB report notes that, after the demise of Strategic Air Command, three operational Air Force commands took over the nation’s nuclear weapons: ICBMs went to Air Force Space Command; bombers went to Air Combat Command, and Air Mobility Command retained ownership of the refueling portion of the bomber missions. That means that there is no one central place where the nuclear mission — upkeep, training and such — is the primary mission. So the nukes got lost in the post-Cold War shuffle.

    Recommendations in the report include the establishment of an Assistant Secretary of Defense for Nuclear Enterprise to focus solely on nuclear missions. This person would report directly to the Secretary of Defense. The DSB report notes that the U.S. Navy, which handles nuclear missiles in its submarine fleet, has a system that keeps those weapons under one banner, “Strategic Systems Programs.” It’s commanded by a rear admiral, whereas in the Air Force the highest rank with a primary, daily focus on nukes is that of colonel. “While the attack submarines no longer routinely carry nuclear missiles, the submarine forces retain their nuclear legacy and nuclear focus,” the report says.

    2. Human error was at the heart of the incident.

    The staff at Minot Air Field had neglected to follow procedure for the sake of saving time. The verification of weapons — what kind, what warheads they carry, their armament status — should take about 45 minutes, and be performed before anything else happens.

    “But, over time, to speed the process, breakout and convoy crews had established a process of concurrent activity,” the report states. “In this case, the breakout and convoy crew [at Minot] were connecting the trailer to the tow vehicle while the initial status verification was under way.” The checks had become pro forma, and a near disaster slipped through.

    Indeed, the gaffe that allowed six nukes out over three major American cities (Omaha, Neb., Kansas City, Mo., and Little Rock, Ark.) could have been avoided if the Air Force personnel had followed procedure.

    “Let’s not forget that the existing rules were pretty tight,” says Hans Kristensen, director of the Nuclear Information Project for the Federation of American Scientists. “Much of what went wrong occurred because people didn’t follow these tight rules. You can have all sorts of rules and regulations, but they still won’t do any good if the people don’t follow them.”

    In fact, some see the incident as a way to draw attention to the importance of the job of babysitting nukes. “This review gave the Air Force the opportunity to improve on an already sound nuclear enterprise,” says Col. West Anderson, vice commander of the 2nd Bomb Wing at Barksdale AFB in Louisiana. “We handle weapons safely and ensure the highest possible standards of individual reliability and professional competence.”


    [From Lessons From the Accidental Nuke Flyby]


    OrochimaruVoldemort writes “In an unexpected move, Microsoft has disclosed 14,000 pages of coding secrets. According to The Register: ‘This is Microsoft’s latest effort to satisfy anti-trust concerns of the European Union, which is possibly a tougher adversary for the company than Google.’ The article mentioned that this will be done in three phases. ‘Between now and June it will garner feedback from the developer community. Then, at the end of June, Microsoft will publish the final versions of technical documentation — along with definitive patent licensing terms.’ Lets just hope those terms are pro open source.”



    [From Microsoft Discloses 14,000 Pages of Coding Secrets]


    What some users thought was their imagination turns out to be a very real problem…
    [From Research Reveals Internet "Black Holes"]

    The US Air Force’s new Cyber Command will not only serve as a standing reminder that “cyber” should’ve died in the 90′s with “multimedia,” but it will also mount online counter-attacks in response to military and economic espionage.


    [From US Air Force to China: our geeks can beat up your geeks]


    superglaze writes “Lieutenant General Robert J Elder, Jr, a senior figure in US Air Force Cyber Command (AFCYBER), has told ZDNet UK that communication issues are hampering the division’s co-ordination. ‘IT people set up traditional IT networks with the idea of making them secure to operate and defend,’ said Elder. ‘The traditional security approach is to put up barriers, like firewalls — it’s a defense thing — but everyone in an operations network is also part of the [attack] force. We’re trying to move away from clandestine operations. We’re looking for real physics — a bigger bang resulting in collateral damage.’


    [From US Cyber Command Wants Greater Attack Mentality]
