Category Archives: cyber war

Originally a fictional story on cyber war that parallels the hacking events surrounding Google and China in early 2010. Now contains newer commentary on current events.

Weeping Angel

08 Wednesday Mar 2017

Posted by in cyber war

Leave a comment

Tags

, , , ,

Bethesda_angel_cloudy_jeh

Any Doctor Who fans?  If so, you should appreciate the reference to the weeping angels from that show, and perhaps understand why this is such a clever name for an exploit kit to hack into Samsung TVs considering how the CIA uses it in collaboration with MI5 – or the Brits.

I’m referring of course to this week’s data dump of classified CIA material on their hacking program, actually their toolkits, by WikiLeaks.  Much of the news hovers around the ethical concerns of the CIA hacking into American citizens’ Internet-connected Samsung TV sets to listen in to their conversations or track what shows they watch.  Or the issue of them not sharing exploits with vendors.  I’m not interested in that.  It’s all inference anyway.  All we really know is the software programs they use, in conjunction with other European agencies, to electronically eavesdrop.  Personally, I’d be disappointed in them if they didn’t have some cool capabilities like this.

I might be more technical in this area than you, but to let you know, I’m not really all that savvy on how these exploits work.  Which is why I think you might find my take-away from this event interesting.  You should be able to identify with my high-level understanding.  Understand it is really quite possible for a hacker to eavesdrop on your conversations, to hack into your iPhone, to capture your sensitive WhatsApp texts before they are encrypted.  For Pete’s sake, last week’s news was about two million internet-connected teddy bears, from Spiral Toy’s CloudPets, making their customers’ conversations available online.  The point isn’t that the CIA uses these tools, it’s that anyone can use these tools.  It’s that these tools exist.  There is no assurance of data privacy.

In Cyber War I, I explain to readers about how ransomware works and to be aware.  I give some technical details on several aspects of hacking and cybercrime.  I intend to go deeper and explore other dangers in my sequel.  I hope you enjoy this information; I’ll try to blog more on these topics.

If you’re looking for assurances, there aren’t very many.  For online protection for when you don’t mind the inconvenience and are uber concerned on protection, consider employing two-factor authentication.  At least on financial sites.  This is typically a process of logging into a site with your password (something you know), and a passcode that gets sent to your phone (something you have) during the login process.  More and more sites are adopting this, but leave it to you to use it.  It probably won’t be available on your TV any time soon.

Ransomware

29 Tuesday Nov 2016

Posted by in cyber war, Novel

2 Comments

Tags

sf-ransomware-attack

This week’s ransomware attack against San Francisco’s Municipal Transportation Agency underscores just how real the events in my Cyber War I novel are.  My soon-to-be-released story is fictional of course, but I didn’t make this stuff up. These attacks I describe are literally off the front pages.  This attack requested 100 bitcoin, roughly $70,000, to free their ticketing systems.

I mirror another true story from last year where a hospital was attacked, requesting a similar ransom.  My story details this attack vector and how you might recover from an attack.  Hint, backup your system, preferably offsite.  While farfetched, you might even get lucky and find your files still unencrypted in your trash bin.  It doesn’t hurt to look.

Hope you appreciate this small computer security primer.  It’s really a thinly-veiled attempt at self-promotion for my book.  I’m in the marketing phase of book writing and publication.  If I were serious about it, I’d have started marketing more aggressively months earlier.  And I’m too cheap, or just not committed enough, to drop 100s if not 1000s of dollars into book promotion – so I am leveraging my blog.  Hoping my book will be available by end of week.

Cyber Terrorism

24 Thursday Mar 2016

Posted by in cyber war

Leave a comment

Tags

,

iStock cyber warfare

The Department of Justice announced charges against seven Iranian hackers today for launching cyber attacks against the U.S. financial system and a dam in New York.  There is no question, these events were malicious cyber attacks.  But when is it cyber crime and when is it cyber war?  Apparently, sometimes never.  Loretta Lynch is calling this cyber terrorism, because also this week the Justice Department announced they have changed their approach and now treat nation-state affiliated hacking attacks like terrorism threats.

Lest you think everything is now clear, in the same statement, Loretta said, “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,”  Really?  How powerful!  I imagine then the State Department, in coordination with the Department of Justice, will now approve travel visas for these seven terrorists so that we might possibly arrest them after stepping onto U.S. soil.

Here’s my disconnect.  I understand terrorism to be used to classify harmful acts that are attributed to stateless warriors.  The circumstances around terrorism differ from crime and war such that we have this third category of aggression.  Hence, we have tribunals in Gitmo.  I sort of understand it.  Cyber Security experts have coined unique terms for hacking to categorize attacks as militaristic or criminal.  Fairly intuitive.  War is when we’re attacked by a government-attached army and crime is when we’re attacked by a civilian.  I would then think that cyber terrorism is when we’re attacked by a stateless army, but I’m wrong.  It means when we are attacked by real countries, namely China and Iran, but electronically rather than by arms.  Maybe there is additional criteria, such as the attack is against a corporation or citizen rather than against our military?

So if Iran blows up Wall Street, that’s war.  If Iran only electronically implodes Wall Street, then that is terrorism by the individuals working for the Iranian government.  Not sure how to classify the dam attack.  We need to stop pussy-footing around and call it what it is.  Cyber War!

Going Dark

25 Thursday Feb 2016

Posted by in cyber war, Geek Horror, Running

1 Comment

Tags

, , , , , , ,

scytale 2

FBI Director James Comey testified to Congress today that encryption will end law enforcement’s ability to perform their job.  He suggests that the FBI’s primary tool is court orders to search for information, and he makes the general assumption that data is never accessible once encrypted.  To paraphrase, encryption leads to information “going dark” for the purpose of public safety.  As if encryption is game over for the FBI.  This reminds me of a famous quote (famous misquote actually as I don’t believe this is true) attributed to the Commissioner of U.S. Patent and Trademark office Charles Duell when he purportedly quipped, “Everything that can be invented has been invented.”  Comey seems like a decent guy but suggesting that the FBI requires clear text access to American’s data because the court order process is predicated on this is disingenuous.  The FBI has an obligation to keep up with technology.

I stated in my previous blog on this topic that cryptography and cryptanalysis have been playing a cat and mouse game throughout world history.  So let’s review that, because I believe government is obligated to defeat encryption technologically rather than by  eroding America’s privacy laws.  To be fair, I recognize they are currently playing catch-up.  Consider that cyber crime is nearly a half trillion dollar market.  Security products and services are well under $100B market.  Meaning we are applying $100B to the good side and cyber criminals are making $500B.  So I can sympathize with Comey.  The bad guys are winning.

Understand the etymology of these terms.  We began by covering up secrets.  For example, Histaiaeus, in the 5th century BC, wrote his message for Miletus to revolt against the Persian King on his messenger’s shaven head.  He then waited for his messenger’s hair to grow back before sending him on his way.  This was before instant messaging.  A similar technique was used in the latest version of Mad Max.  “Steganos” is Greek for “covered” while “graphein” is the Greek term “to write”, hence steganography means “covered writing.”  So steganography was the art of covering up a message.  It goes without saying, one didn’t necessarily have to be a rocket scientist to be a code breaker back in the day.

The art of secrecy evolved to hiding the meaning of the message, rather than simply covering up the message itself – with the understanding the message will likely be discovered eventually.  The Greek term for “hidden” is “kryptos”; hence we use the term “cryptography” which we now practice with encryption.  The picture above is of a 5th century Spartan Scytale that transposed the position of letters to hide the meaning of the otherwise open message.

Technology advanced and today one does have to be a rocket scientist to be a code breaker.  Bill Gates was quoted by Representative Bob Goodlatte (wonder if he owns shares in Starbucks?) in today’s Congressional Hearing as suggesting Quantum Computing will soon be powerful enough to break any encryption.  I don’t know about that but point is technology does eventually catch up in this cat and mouse game.  Consider the plight of Mary, Queen of Scots.

On trial for treason, her prosecutor, Sir Francis Walsingham was also England’s Spymaster.  Sir Walsingham first captured Mary’s correspondance, which she hid inside the hollow bungs that sealed barrels of beer.  This was steganography.  But Mary was clever and further used a cypher to hide the meaning of her correspondence.  Sir Walsingham engaged Thomas Phelippes to perform the requisite cryptanalysis and ultimately succeeded in proving Mary’s guilt.  The rest is history.  Point being, Cryptanalysis was on par with the cryptography of the time.  Fast forward to WWII where the British successfully decoded the German’s Enigma with the use of early computing technology.  So Bill Gates might actually know what he’s talking about.

I’m in the cyber security industry and agree with Comey that the bad guys are winning.  For now.  Still, I’m not willing to surrender any more rights to privacy than have already been suspended post 9-11.  Technology will catch up.

 

 

Secrets

23 Tuesday Feb 2016

Posted by in cyber war, Geek Horror

Leave a comment

Tags

, , ,

secret

I understand everyone believes there should be a balance between security and privacy.  Seems sensible.  Bill Gates came out today in favor of the FBI over Apple, but then he’s been making business decisions counter to consumer needs for decades.  I myself am so impassionately middle of the road on most topics that I wonder sometimes if I’m not actually dead.  It’s great when everyone can win a trophy but you cannot avoid the reality that there are winners and losers.  I believe the current Apple/FBI debate is one of those binary scenarios.  It’s as difficult for me as anyone else to plant my flag when I want both privacy and security.  The following example though helps clarify my position.

The 4th Amendment provides both privacy protection, and presents the guidelines for the State to void those privacies given reasonable cause.  Assuming proper due process, the State wins.  This is a nice template for balance, but it doesn’t stop there.  The 5th Amendment protects us from self incrimination.  “I plead the 5th.”  Taken together, people must allow the State entry into their home for a warranted and reasonable search of evidence of a crime.  However, people are not obligated to point out where they hid the evidence.  “Oh, it’s under the seat cushion.”

There are two centuries of legal precedent supporting these Amendments to where most of us are fairly knowledgeable of the rules, without being actual lawyers.  Let me dumb this discussion down though even further.  Let me use the term secrets instead of privacy.  We all have secrets.  Not just our banking PIN code but family history and deep, dark fantasies.  I know that there are things I would never consider telling anyone, and I’m about as transparent as a person can possibly be.  Have you read my prostate chronicles?  I might be wavering a bit from the core Apple/FBI topic since not all secrets necessarily contain criminal content, but I believe the principle points remain intact.  I’m allowed to have secrets.

I’m not even that strong of a privacy advocate.  See above on my middle of the roadness.  For example, I don’t consider privacy an inalienable right.  We were born naked in a garden, so God wasn’t that big on personal privacy either.  Clearly, there was very little personal privacy when we were living together as tribes in caves.  But like anyone else in western civilization, I’ve grown accustomed to certain privileges and I do want privacy.  Even if I didn’t, the information age ascribes so much value to data integrity that encryption is paramount to how our society and economy function.  It’s not until I substitute the word privacy with the word secret that I begin to understand where I fall on this topic. The State can try to search but I can try to hide.  Tell me I’m wrong on this.

Cryptography and cryptanalysis have been a cat and mouse game played throughout millennia.  Technology plays the lead role.  I understand that if the State can decrypt my communications, they already have legal justification to do so.  My information is only as safe as my encryption is strong.  But if they can’t decrypt my data, I don’t have to hand them the keys.  That’s like showing them the evidence is hidden under the seat cushion.  And they can’t outlaw encryption.  That’s like saying I can’t have secrets.  Who doesn’t have secrets?

A Bad Apple

17 Wednesday Feb 2016

Posted by in cyber war, Geek Horror, Politics

1 Comment

Tags

, ,

apple n worm

All you need to know in terms of Tim Cook vs the FBI is Donald Trump’s position on the matter.  Trump believes Apple is in the wrong and should be forced to provide the government with a backdoor hack into their iPhone.  Because he believes national security trumps personal privacy.  This is actually true – in China.  And Russia.  If you already take issue with this self-made celebrity, then you can assume Apple is right.

To be fair, and less political, personal privacy is a complex issue.  The U.S. Constitution references no protections for personal privacy.  The Bill of Rights however references numerous Amendments that allude to privacy.  Privacy of beliefs, privacy in your home, privacy of person and possessions against unreasonable search and seizure.  I think the list goes on but I’m not a lawyer and can’t defend any of them.  I do know Americans expect a certain degree of privacy and the government has the authority and corresponding legal process to transcend our privacy given sufficient warrant.  In this case, the FBI is leveraging the All Writs Act to demand that Apple engineer a new IOS version that disables the feature that would wipe the iPhone data after 10 unsuccessful login attempts.  This would allow the FBI to subsequently hack into the iPhone with a brute force password attack.

Precedent is set that allows the government to do this.  Shoot, there is even a recent case where the U.S. Attorney’s Office forced another smart phone manufacturer to unlock a screenlock.  But Apple is refusing to comply.  Tim Cook wrote an open letter explaining why.  He frames his argument from his customers’ perspective.  But just think about the consequences for his company.  Apple is being forced to weaken their product in a global market and their competitors are not being forced to do this.  They will immediately be at a competitive disadvantage in a global market for their most successful product.  Game over for the iPhone.

And recall, corporations are deemed people by the Supreme Court.  Apple will have all of the same assurances to privacy, to protection from self incrimination, to a right to earn a living.  They have every right to do business as any American as an individual.  They have the resources and will win this battle.

Why is it so hard to take a position on personal privacy vs State security?  The State has laws and legal precedent allowing them to violate your personal privacy.  We have laws and legal precedent allowing us to refuse, assuming we have the financial resources to fight.  But encryption just sort of breaks everything.  Encryption means, even if the government gets their way, they might not be technically able to have their way.  You can’t hand them the keys to your data if you’re dead.  Encryption puts the government in a real pickle.

This will be the data privacy fight of the new millennium.  This will be good.

Cross Border Data Flow

06 Tuesday Oct 2015

Posted by in cyber war, Geek Horror

4 Comments

education-ukeulitigation

The U.S. completed their Trans-Pacific Partnership Trade Deal yesterday.  If signed by Congress, this will lower trade barriers to the import and export of physical goods.  How quaint in the Information Age.  Today, the European Union Court of Justice declared the U.S. Safe Harbor policy for demonstrating compliance with the EU Directive for Data Privacy to be invalid.  EU 1 : Pacific Rim 0.

I don’t know of the availability of any stats that show the value of global trade in information vs physical goods bought and sold, but I’m willing to guess data is at least more strategic if not already more valuable.  Explaining the details of the EU Data Privacy Directive, Safe Harbor, and this new ruling isn’t my objective here.  Much of it is very legal in nature and over my head.  My goal with my cyber security series is to offer a basic primer on topics I deem of interest.  At issue here is data privacy, specifically personally identifiable data or PI.

My 13 year old daughter is uncomfortable with the notion that data can never be fully erased with any certainty.  I don’t know why or how she developed this very specific concern, likely something to do with the proliferation of online photos.  She is totally aware of the EU’s Right to be Forgotten ruling wherein citizens can demand their online references be deleted by digital firms such as Google and Facebook.  Understand that the EU considers personal privacy to be a basic human right.

The irony here is in the arrogance of any U.S. citizens who think we invented personal privacy.  Indeed, the 4th Amendment of the U.S. Constitution states that, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”  Or stated more plainly, “Each man’s home is his castle.”  Well that was written over 200 years ago.  Post-911, the U.S. has conceded leadership on the personal privacy front to Europe.

I probably shouldn’t reveal what I really think because I suspect I’m on the wrong side of history here, but I will.  I don’t believe in personal privacy.  I want it to a degree but I certainly don’t think of it as a basic human right.  I can assure you there was little to no personal privacy when humans were living in caves.  Were Adam and Eve not born naked?  And yet I do like the 4th Amendment.  I believe we need a balance between personal privacy and the benefits that the sharing of personal information ascribes to a society – like security.  An example of that is the Patriot Act.  This latest EU ruling impacts a more commercial benefit, such as advertising.

I don’t think I’m alone on this one.  Anyone reading this is online and therefore highly likely also surrendering a large degree of their personal data privacy to social networks.  You’ve probably granted Facebook complete digital rights to more family photos than your parents ever collected in photo albums.  There are benefits to sharing.  And I don’t believe we ever, ever had complete personal privacy; so I don’t think of it as a basic human right.  No man is an island.  In the end, I imagine personal data privacy will be determined more by technological capabilities than regulation.  Your data is only as secure as your encryption.  I’m interested in comments.

BYOE

04 Wednesday Mar 2015

Posted by in cyber war, Geek Horror, Politics

5 Comments

Tags

, , , ,

email chainI’m not sure whether to file this one under Cyber War or Geek Horror.  The subject matter fits under Cyber War.  My goal with cyber war is to discuss topics of interest while sneaking in a bit of a computer security primer for friends and family.  But Hilary’s Bring Your Own Email to work story also smacks of tech gone horribly wrong.  And I don’t have enough stories in that genre.  I’ll classify this under both categories.

Hilary has yet to respond so it’s premature for me to comment, but this is a blog.  She might surprise us by stating other reasons once she does respond, but the general consensus at this point in time is that the Clintons are private people (no really, everyone is saying this on the air about the most public figures in America) and they have lessons learned from their share of lawsuits and subpoenas.  So I don’t question Hilary’s desire to set up an email server at home before beginning her tenure as Secretary of State to maintain a degree of privacy.  In fact, and I’m still struggling to digest this, it’s common practice for high-level politicos.  Apparently there’s a strong market for consultants to set up personal email servers for public figures.

I can even relate to Hilary, and so can you.  Does your employer support BYOD in the workplace?  You know, Bring Your Own Device to work?  Mine does.  If they didn’t, they would have to buy 450,000 $500 smart phones for us all.  Do the math on that.  This is a real trend.  You use your personal iPhone to access your company email.  You use your iPad to access company databases while sitting on your couch and also drafting your fantasy football team.  The tradeoff is that you install your company’s computing policy onto your phone.  That sets configuration specs such as the complexity of your password and how often you have to change it.  And we’re as okay with this as we are with granting Facebook complete copyright to our family photo library.

Do you think Hilary complied with State Department computing policies on her home email server?  The discussion to date is about her operating within the guidelines (at the time) of leveraging a personal email account for official business.  My point is there is so much more to comply with.  All of us working from home at the remote end of a VPN tunnel understand that we’re the weak link in the corporate security chain.  We have family members accessing our keyboard.  We allow guests on our wifi.  Shoot, I use my personal MacBook Pro as my primary work computer.  I also sacrifice half my CPU utilization to my company’s AV and computing policy auditing software.  Some people use their work computer to host their personal pictures, play their music, and send personal email.  I prefer to subject my personal MacBook Pro to crippling corporate security and compliance software in order to use a single device.  Before that, I used two devices.

No one is talking about this yet but my concern is that Hilary did none of this.  Maybe she ran AV software.  Well of course she did.  Computers don’t run for very long if you don’t.  Point is, how would we know?  How would the State Department I/T staff know?  And AV is just one small example.  There are many essential security practices that must be followed.  Once that home email server is compromised, it can then email malware to heads of state!  I’m trying to remain optimistic.  Maybe this server was supported by a special team of State Department I/T staff.  That’s not unusual at all for C-levels at large corporations.  But stories like this remind us not to be surprised when common sense is ignored by people who should know better.  Lost in this week’s news, General David Patraeus reached a plea agreement for sharing extremely confidential information with his biographer/lover.  Trust no one.

Anthem

06 Friday Feb 2015

Posted by in cyber war

2 Comments

Tags

, , , ,

Anthem logoAnthem has no shortage of registered trademarks.  If you’re not familiar with them, before yesterday’s announced breech of 80 million personal records, you might know them as BlueCross BlueShield.  Or WellPoint, which they recently acquired.  What do you suppose their brand logo will be worth three months from now?  The prevailing consensus after every corporate breech is that the company’s equity value will dive.  Oftentimes it does.  Usually though for far much less than twelve months, and then it recovers.  Target was an exception, not because customers remember the compromise of their credit card data, but for their fundamentals and managerial fubars.  Rather than pilot a few outlets in Canada, they went all-in.  And failed.  Spectacularly.  I have this sense that Anthem might be the first to not recover their brand from a cyber attack.  I suspect I might feel this way because I’m pissed.  They stored my records.  Unencrypted!  Freakin’ idiots!

I’m not being mean.  Anthem is negligent in their compliance to the Health Insurance Portability and Accountability Act (HIPAA).  This isn’t some newly erected Obama healthcare thing.  This regulation is nearly twenty years old.  The guidelines for Protected Healthcare Information (PHI) include much of what is considered Personally Identifiable Information (PII), which in turn includes social security numbers.  I was tempted there to include the abbreviation for social security numbers but understand I’ve already drowned you in alphabet soup.  The government might only fine Anthem a few million dollars, but I have to believe a class action lawsuit should be expected.

On a more constructive, non-litigious note, what should we do about this?  The best advice I’ve seen so far is to place a security freeze on my credit reports with the three major players, Equifax, Experian and TransUnion.  Of course, dealing with these firms has got to be painful.  Placing a security freeze on my credit reports is essentially what LifeLock does.  Having just completed feezing my reports on all three online, I’m not sure I would mind paying LifeLock $19.99 per month.  The process actually went quite well with Experian and TransUnion.  A few minutes per site.  Equifax though did not print out my pin code which I will need to remove the freeze when I need access to my credit reports.  And trust me, contacting them is virtually impossible.  With that said, their customer service number is 800-829-4577 and their direct security freeze number is 888-298-0045.  These are non automated, real person answers the phone numbers.  I finally got through and was able to get a pin.  The websites to freeze your credit reports are:

Equifax  https://www.freeze.equifax.com/

Experian:  https://www.experian.com/freeze/center.html

TransUnion:  http://www.transunion.com/securityfreeze

I think it was free for me to place these freezes.  This varies per state.  I suspect it will cost me $10 or so to remove the freeze.  Maybe not but there is a temporary removal called a lift that will likely cost money.  There is an option to mail them a letter describing myself a victim of the Anthem breech that would waive any fees.  I don’t have the patience for that.  Wish me luck with this.  And if you’re one of the 80 million, good luck to you.

Deterrence

15 Thursday Jan 2015

Posted by in cyber war

3 Comments

Tags

, , , , ,

keyboard grenadeDoesn’t it just seem obvious that at some point, to protect our digital selves, we’ll have to fight back?  Firewalls and anti virus software are like fences – merely obstacles.  Leaving the porch light on and locking your door is no doubt wise.  Thieves target easy prey.  You don’t have to out run the bear, just your buddy.  The metaphors advising essential layers of protection are endless, but by now everyone should understand that absolutely no one is entirely safe from online intrusions.  Lest we all agree to simply run around naked, data privacy requires more than protection; we need to increase the risk/reward ratio of cyber attacks with a strong deterrent.

We’re building a fence along our border with Mexico – which is to say that’s a problem we don’t really care to see fixed.  Where American lives and real money are on the line, we deter attack with our armed forces.  The best defense is a good offense.  Cyber theft is starting to become real money.  It’s one thing for a credit card company to build fraud into its business model.  Not every business can do that.  The potential losses aren’t always known.  The information age is rapidly approaching its kairotic moment.  If we can’t control technology, then we might as well reboot ourselves back to the dark ages before cyber extremism launches us into the stone age.

I’m proposing the ability to respond to hacking efforts with intrusion countermeasures electronics.  ICE.  There are other terms for this but I like the literary reference from Tom Maddox and William Gibson.  The concept is an active defense that strikes back.  Currently there is very little risk to deter internationally remote cyber criminals.  This proposal is not new, the concept has been around since Burning Chrome and Neuromancer.  Black ICE takes it further by suggesting the response actually include deadly force.  Assuming that’s even possible.  So why are we not enacting an idea that’s older than the Internet?

Consider what we learned recently from the Sony attack, ostensibly by North Korea.  I have to use the adjective ostensibly, not because the FBI has yet to make their proof public, but because other agencies believe they have evidence demonstrating this is an inside job.  Point being, certainty is difficult in proving the source of cyber attacks.  So much can be spoofed.  IP addresses.  So much more is circumstantial and inferred.  This type of malware was used by this cyber warrior previously against that target.  The more sophisticated the attacker, the more likely they have obscured their tracks if not framed another source.  The level of certainty required in a U.S. civil court of law is virtually impossible.

Given that, you can be certain responding with a counter attack is illegal.  And your response will leave undeniable evidence.  No corporate legal team will approve counter attacks.  They would be complicit.  There is also the risk of escalating the conflict.  I don’t subscribe to that fear personally, but it doesn’t matter.  No legal entity can perform counter attacks.  It’s simply not allowed.  Only governments can respond with intrusion countermeasures.  Israel is transparent about this.  You can only hope the U.S. does it.  Deterrence requires we do so in a public and comprehensive manner.

Perhaps the government could outsource this to corporate ethical hackers like they do some military security now.  Regardless, I think this cost should come out of our defense budget.  I haven’t put any thought into how we should triage attacks.  Should our response to an attack against a small startup be as severe as that of a Fortune 500 company?  Should we discriminate at all.  Is our first level of response a denial of service attack or do we erase attacker hard drives?

The technology for countermeasures will be interesting.  The solution might require a government layer of software on every citizen’s computing device, much as we run anti virus now.  That’s a scary thought.  Worse than NSA snooping would be having to call the gov’t helpdesk when a software patch crashes your machine.  That Obama is responding with Executive orders now to the Sony hack tells me what direction we’re headed.  Could be years given the pace of political policy-making.  Could be months given the pace of technological progress.

The Dark Side of the Cloud

18 Thursday Dec 2014

Posted by in cyber war

2 Comments

Tags

, , , , ,

KimThe first thing I have to say about the Sony hack is that I can’t believe both this and the Cuba thing are keeping the Taliban slaughter of over 130 children out of the news.  Seriously?  I’m commenting on this because I work in the cyber security industry.  Because $10M of pre-hack movie hype has bought this story top billing.  But I consider it a non-event relative to the school children massacre in Pakistan this week.

I thought I was fully up on this story yesterday but it ruled the news today.  It was bigger than Cuba by day’s end.  Poor GOP, does anyone even remember the immigration story?  Today’s dominant news theme was around the response of Americans to the Sony decision to yank the movie.  I watched ET and read news stories.  I saw it all day long on CNBC.  I’ve yet to hear one person say this.  Sony is Made in Japan.

So, armed with this intelligence; was America really hacked?  To everyone clamoring for a military response; would you like to pause and think about this now that you understand N. Korea invaded Japan?  I know, virtual borders are tough to decipher.  Trust me on this.  Check out Wikipedia.  Query their stock listing.  Sony is run by the Japanese.  Maybe you won’t have to totally back down from your position.  Perhaps there’s some clause in our joint defense treaty that provides Japan more protection than the U.S. Gov’t brings to bear each year when your credit card is hacked.

And how sure are you that Kim Jong-un is the culprit?  I actually wouldn’t challenge the U.S. Gov’t. on this.  It’s just I’m not sure I’ve read any credible government sources yet confirm this.  I feel like the media has liberally referenced government sources as they confirm it’s North Korea.  I think what makes me question this is how fast North Korea has been confirmed.  Otherwise, I have no doubt our boys can determine the source.  If not 100%, within five nines.

I will tell you I’m not worried about Sony.  I mean about them making money from the film.  I am starting to pity them somewhat with all the hits they keep taking.  In terms of profiting from the film, I always think of the old Hollywood expression, “even bad publicity is good publicity.”  So I’m not worried about the film making money.  In fact, The Interview will likely become the highest grossing non-release of all time.  Sony should start to care about all the damage this is doing to their brand.  And Prime Minister Abe might want to beef up his cyber security forces along with his plans to increase funding for the military.

As far as that goes, every one of you better start to shore up your security.  A cyber storm is coming.  If you feel wounded from the Sony cyber battle, wait to see what it feels like when you take a direct hit.

Phone-Record Tracking

06 Thursday Jun 2013

Posted by in cyber war

Leave a comment

Tags

, , , , ,

iStock data privacyData Privacy is the biggest oxymoron in Computer Security.  Well, maybe second biggest after the name of the industry itself.  If it exists at all, it’s ephemeral.  My point is the expectation should not exist.  At most, even with encryption, it exists at a point in time only.  That the NSA program to track American citizen phone records became public today via a leak to the Guardian only proves the point even more.

What should your expectation be towards data privacy?  Basically what I just said.  Limited.  But that’s the practical position.  Americans further have an expectation of certain rights to privacy from the government.  This isn’t one of them.  Let me explain why what the government is telling us in terms of our need for protection easily trumps our right to privacy in this case.

To summarize what the NSA has been doing; they track what they accurately refer to as ‘meta data’ from phone calls.  By the way, if you’re familiar with the term Web 2.0 as it applies to social networking or current programming techniques, the next trend is Web 3.0 and is all about meta data and the semantic web.  In this case, the NSA is not listening to our phone conversations.  They are tracking calls made from or to specific phone numbers.  Data mining these connections provides patterns that suggest terrorism, and if warranted the NSA seeks court approval to then gather more personal information on the call.

Is the number called from your number private information?  I should add, the NSA doesn’t yet know the number is yours’.  They are simply tracking the numbers anonymously.  Of course, with a couple of clicks, any lay person can perform a reverse phone lookup.  Apparently this isn’t illegal when your neighbor does it.  I equate our phone calls with driving a car from point A to point B.  We can’t do that privately.  Roads are a fairly public space.  The Police however cannot stop you and search your vehicle without following reasonable search and seizure guidelines as part of our personal rights to freedom.  Authorities need probable cause.  Our telephony infrastructure, especially since most analog voice has migrated to data lines if not the actual Internet, is a public utility.  This is debatable, but I believe access to the traffic, or meta data of the phone traffic, should not be considered private.  Anyone who remembers party lines or operator switchboards should agree.

Why is this useful?  Why is the government right?  Consider a commercial application.  First, let me reiterate as I have throughout my blog and on my About page that I do not speak for or in any way represent the views of my employer IBM.  I’ll make note though that I have been in computer security for a very long time.  A popular computer security service is to monitor network traffic for signatures that suggest hacking efforts.  It’s called intrusion detection and prevention.  One particular problem with this technique is that smart hacking is encrypted so it’s difficult to monitor.  The next step then is to do exactly what the NSA is doing with phone records.  Track the end points.  The source and destination IP addresses.  Then correlate (data mine) the IP addresses with published lists of known bad guys – generally botnet command-and-control web sites.  The data is still encrypted but now some inference can be applied to determine if this is bad traffic and steps can be taken to block it.

My ISP Comcast does this for its customers.  They send customers an email stating they have noticed computers from their home talking to known botnets.  They then suggest to their customer that they should take action to eradicate any infection of malware from their computers.  In the case of Comcast, this email is actually quite useless as it doesn’t provide you with the IP address of the botnet command-and-control nor does it provide you with the IP address of the computer in your house.  The average person using Comcast for their ISP likely has a half dozen computers and mobile devices accessing the Internet.  I’ve called them only to learn that this email is really just a marketing ploy to sign you up to their Xfinity Signature Support.

Back to point, this is a good technique to root out illegal activity based on meta data.  Only after positive identification of possible wrong-doing are more personally identifiable records obtained.  I’m not a lawyer but suspect this meets probable cause.  This is my perspective and admit I could be wrong legally.  But I support this action by the NSA.

Stuxnet

07 Thursday Jun 2012

Posted by in cyber war, Geek Horror

Leave a comment

Tags

, ,

My favorite story in the news right now is confirmation of sorts that the U.S. and Israel launched a first-strike in cyber warfare against the Iranian nuclear jihad.  One of the more fun debates is political party rhetoric about the importance of confidential information – they want to find the source of the leaks.  Nevermind the stuxnet wiki article at the time of me writing this blog already quotes from Gary Samore as an early White House leaker.  So there are discussions of that nature.

Of course I read blogs on cyber security and anything else I’m currently interested in.  I discovered a pattern with this topic – the industry I work in.  Everything I read takes the position that cyber war is bad.  This only leads to an escalation in cyber warfare.  Stuxnet points to the need for more protection.

I couldn’t disagree more.  I felt compelled to comment on a recent blog but noticed the site was an aggregator.  The blog itself looked well read but I didn’t like the idea of publishing my content to this site that’s nothing more than an index selling advertisement.  It seemed like less of a professional dialog* and more of being part of someone’s business model.  Not that there’s anything wrong with that, but it occurs to me I have my own digital presence.  So rather than comment on that blog – I’ll blog it myself.

My position is this.  These security industry analysts are looking at this from inside the fish bowl.  In the context of a safe and free Internet and online commerce, this is a setback.  This is an escalation of arms and advances the bad guys.  In fact, by definition of cyber warfare, the bad guys are the government.

I look at this from the context of war.  A conventional approach to international conflict is to start out small and progress your actions slow enough so that they can be monitored by other nations and even weighed in on.  Going to the UN first or establishing a block-aid before the actual bombing of humans.  In the context of preemptive strikes, I’d personally prefer getting hit with a computer worm.  Cyber war is good.

Yes, cyber war leads to civilian casualties.  I’d argue maybe the damage is on par with a block-aid.  I understand Iran lost several months of production on their centrifuge operations.  In the context of war, this isn’t nearly as bad as the enemy sinking a passenger ship to stop the flow of supplies.  It’s a reasonable, less harmful approach in terms of human life.

I can’t interpret a blog written by someone in the computer security industry well enough to say what the blogger’s motives are.  I just know it’s bullshit taking the position this is bad for the industry.  Any company making security products or providing security services benefits from this.  The Cold War didn’t hurt the Defense Industry.  They say even art excels during times of war.  Innovation explodes in times of conflict.

Whatever your qualms over cyber warfare, get over it.  It beats real attacks against humans.  It promotes growth of the industry.  Turn your focus to lessons learned.  How successful was the attack at mitigating Iran’s nuclear development.  How fast did production return to normal – what was the downtime?  Was this effective in the context of international conflict?

* Poetic license on “dialog” because in social networking it’s really a broadcast.  A many-to-many discussion.  A party line.

Web Security

12 Saturday Feb 2011

Posted by in cyber war, Geek Horror

5 Comments

Tags

, , , , , ,

This was annoying.  I received an abuse letter (email) from Comcast, my ISP, last night.  For copyright infringement related to the illegal file sharing of some inane Kanye West song.  I’ve appended their email to the end of this blog.  The first thought that ran through my mind was, “Really, I have a Kanye West song?”  So my first action was to query my iTunes library of over 5000 songs and sure enough, I have exactly one Kanye West song – Gold Digger featuring Jamie Foxx.

I immediately suspected my tenants since they’re fairly young.  Although I knew it could also have been from Brittany – she always brings her MacBook whenever she comes home from college.  I doubt I could prove the source of the Gnutella file sharing.  I turned off my web filtering half a year ago when I was trying to install Lo-Jack on Brittany’s new laptop.  It required some call home function that my firewall was blocking.  Unless I’m specifically blocking something, my firewall won’t log the traffic.  It can, but I didn’t have it configured to do that either.  So the Kanye West download could have been from any computer in my house – or carriage house which I rent out.  The Comcast abuse letter only lists the IP address of my cable modem and it doesn’t provide the DHCP address from my home network(s).

My second action, after reviewing my iTunes, was to turn web filtering back on.  I have an old IBM Proventia FW that I have setup between my cable modem and my home LANs.  One network is for my tenants, and they have their own WiFi server.  I allow that LAN access to the Internet but not to my home office LAN (network 2) or my home LAN (network 3).  My home office network has access to all three networks in order to manage the WiFi servers.  With the web filtering running, I setup two FW rules to block traffic to the Gnutella service.  One rule for TCP ports 6346 to 6347 and another for UDP ports 6346-6347 – both at 202.0.0.0 with a 28 bit mask.  Then I asked my tenant if he was using Gnutella and informed him about the abuse letter and my new web filters.  He was pretty humble about it and apologized.

I’m relating this in my blog, and probably FaceBook, because it occurs to me many of my friends could use some advice on computer security.  I’ve been in this industry for a long time, and I just got in trouble from my ISP.  Maybe I should be embarrassed – I’m not.  I do appreciate the irony.  But I know that many of my friends have kids – with their own computers – whom run these illicit and dangerous file sharing applications.  The last link above shows you how to block some of the more nefarious sites.  Understand that I’m not judging.  I support some copyleft arguments as they juxtapose certain tenets of innovation against the precepts of copyright protection.  But these applications put your computer and home network at extreme risk of being compromised.  These apps are favorites of hackers and are as likely as visiting free porn sites to result in your machine becoming pwned into a botnet.  Forget fears of Comcast cutting off your access – be afraid of being pwned.

I’m serious.  I’d rather blog on my running themes, but you need to know this stuff.  My YouTube instructions on protecting your texting privacy was originally intended in jest when Tiger Woods got clubbed by his wife after she saw his text history.  I was just having fun, but it’s turned into one of my most watched YouTube episodes.  Likewise, my commentary on the Google vs China cyber story last year continues to receive 4 or 5 views a day based on people searching on the terms cyberwar and cyber warfare.  So I figure this is good information.  I hope so.  Or if not, I hope you get a chuckle from knowing that Comcast is on to me.

————————————————————————

Notice of Action under the Digital Millennium Copyright Act

Abuse Incident Number:      Not Applicable
Report Date/Time:           Thu, 10 Feb 2011 11:31:02 -0600

ED MAHONEY
1805 S COFFMAN ST
LONGMONT, CO  805047568

Dear Comcast High-Speed Internet Subscriber:

Comcast has received a notification by a copyright owner, or its authorized agent, reporting an alleged infringement of one or more copyrighted works made on or over Comcast’s High-Speed Internet service (the ‘Service’).  The copyright owner has identified the Internet Protocol (‘IP’) address associated with your Service account at the time as the source of the infringing works.  The works identified by the copyright owner in its notification are listed below.  Comcast reminds you that use of the Service (or any part of the Service) in any manner that constitutes an infringement of any copyrighted work is a violation of Comcast’s Acceptable Use Policy and may result in the suspension or termination of your Service account.

If you have any questions regarding this notice, you may direct them to Comcast in writing by sending a letter or e-mail to:

Comcast Customer Security Assurance
Comcast Cable Communications, LLC
1800 Bishops Gate Blvd., 3rd Floor East Wing
Mount Laurel, NJ 08054 U.S.A.
Phone: (888) 565-4329
Fax: (856) 324-2940

For more information regarding Comcast’s copyright infringement policy, procedures, and contact information, please read our Acceptable Use Policy by clicking on the Terms of Service link at http://www.comcast.net.

Sincerely,
Comcast Customer Security Assurance

Copyright work(s) identified in the notification of claimed infringement:

Infringing Work : Graduation
Filename : Kanye West – Graduation – Stronger.mp3=20
Filename : Kanye West – Graduation – Stronger.mp3=20
First found (UTC): 2011-02-10T12:21:17.61Z
Last found (UTC): 2011-02-10T12:21:17.61Z
Filesize  : 7583872 bytes=20
IP Address: 76.25.159.42
IP Port: 17677
Network: Gnutella
Protocol: Gnutella    =20

Cyber War – Game Over

22 Friday Jan 2010

Posted by in cyber war

2 Comments

Tags

, , ,

“Are you kidding me!  WTF Sarge!  I mean, do you have any idea what you’re asking me to do?  You might as well just ask me to kill my first born!”  I/O was inconsolable, fairly incoherent and in a state of complete disbelief as he absorbed his Console Sergeant’s command to wipe the drives of all honeypots and pwned bots under the command of the Cyber Force.  This was over 50,000 computers world wide.  But it wasn’t the difficulty in carrying out the task.  Computers are automated if nothing else.  Apparently I/O had developed an emotional attachment to his bots.

“We’re withdrawing from this theater of conflict soldier.  Report back when it’s complete.”  The Console Sergeant turned and walked out of the war room.

Nearly everyone in the room was empathetic to I/O, except Tyler.  “Let it go I/O.  We have bigger concerns.  Game over man.  We all need an exit strategy.”

“What are you talking about?”  I/O was coming to terms and seemed ready to talk logic.  “Exit strategy for what?”

Tyler addressed the entire room, SecIntel along with the Ethical Hack team.  “You heard the Console Sergeant.  We’re shutting down operations.  And we never existed.  Most of us are within a year of returning to the private sector.  What do we do for resumes?  We can’t talk about it.”  Tyler paused but everyone stared at him with blank faces.  Clearly they must have understood his point but no one had a response yet.  “So, we need an exit strategy.  We need to latch on to opportunities where the employer has at least some implicit knowledge of our experience.”

Jane was the first to suggest a plan.  “My older brother went to work for the NSA after he left the Rangers.  And after two years there he had his pick of employers.  NSA will know what we’re about.”

Tyler liked that idea.  “Sounds pretty smart.  We all need to think about this.  This war might be over but it’s not like cyber warfare itself is going away.  And we’re not going away – in terms of our skills.  We need new homes.  And those new homes are going to need a new army of bots, so you might want to be selective in how you carry out your command I/O.”

The End