Category Archives: cyber war

Originally a fictional story on cyber war that parallels the hacking events surrounding Google and China in early 2010. Now contains newer commentary on current events.

Feel Good

12 Saturday Jun 2021

Posted by in Colorado Trail, cyber war, Novel

3 Comments

I don’t sell enough books to brag about, but every now and then, I get something like this. Would have been nice as an Amazon review, but I received it via LinkedIn of all places.

***

Good morning, 

I just finished your second book. Brilliant work, both of them. I am retiring from the Army this week, and have appreciated the motivation you’ve given me. I ran electronic warfare teams, among other things. And I really appreciated the references in your second book. 

I am transitioning from intelligence work to cyber. This fall I even start graduate work at Brown in cybersecurity. It’s been daunting changing fields when I didn’t plan for it. But my body can’t take kicking doors anymore. Your books gave me a feeling, especially from ‘Rob’, that my chances are good for landing on my feet. So thank you for the good books, and thank you for the confidence they instilled.

Keep writing, you are great at it.

Corbett

***

That made me feel pretty good. It’s been a week of feeling good. I’m counting down to an epic backpacking trip along the Continental Divide Trail through the Collegiates in another week. My buddies and I have been exchanging emails on possible routes and gear choices all month. Each email gets me more excited. Seriously, we’ve been salivating over our dehydrated camp meal selections. Maybe its the Covid cabin fever but I was near manic as I inventoried my trail gear.

Wish I was in better shape for this trek but, assuming I survive it, I’ll be in better shape afterward. I’ll be struggling to keep up with my trail mates. Rob is a fitness coach at Fort Lewis College in Durango. He even teaches a course on hiking. He hikes over one hundred days each year. Rob tends to get naked and swim in alpine lakes. This pic of him wading into the waters above tree line on Snow Mesa near Lake City gives you a sense of just how fit he is.

I might be able to hang closer to George, since he’s coming up from Austin and won’t be acclimated to the altitude. This photo of his dying carcass from the last time I hiked with him, on top of Greys Peak, is what gives me confidence. Still, I know he’s as fit today as he was forty years ago in the Marines. These sexagenarian beefcakes might find themselves having to wait for the young 59 year old.

Cozy Bear vs Fancy Bear

20 Sunday Dec 2020

Posted by in cyber war, Geek Horror, Novel

3 Comments

I would be remiss to let this SolarWinds story go without commenting and self-promoting my cyberwar series.  These opportunities don’t come around every day.  Well, actually there is a story just about every day, but few on par with the colorful intrigue of SolarWinds, FireEye, and Cozy Bear.

My favorite aspect to this story is how it more resembles cyberwar than cybercrime.  Experts are downplaying the cyberwar facets, but espionage is on the war spectrum.  I focused my novels on cyberwar to respond to what I perceived as a dearth of stories because most books published on the topic are on cybercrime.  The difference is that cyberwar is acted out by nation states and, North Korea’s Lazarus notwithstanding, for non-financial reasons.

Remember when you used to read stories of thieves stealing money from banks?  Two decades deep into the 4th generation of the industrial revolution (4IR), data is the new currency.  Steam power dramatically increased productivity three hundred years ago in 1IR as the industrial revolution launched a still-accelerating advance in technology.  Steam locomotives shrunk distance in terms of time travel.

Electricity further accelerated productivity, making the work day longer, in 2IR.  The 3rd industrial revolution commenced in the fifties, around the time white collar workers exceeded blue collar workers in the US work force.  Compute tech put the world on an exponential growth rate in the Information Age.  

Data networking, namely the Internet, and everything since from AI to blockchain has established a digital economy that drives 4IR.  We have complete industries now that exist only online.  But our success is our weakness.  The leading, most advanced economies of the world have more to lose in a cyberwar than the digital have-nots.  And that’s why so many people believe the next world war will be digital.  It’s where we are vulnerable, our Achilles heel.

Here’s the promo part.  If you are curious enough to read up on all this tech, but find it all just a bit too dry for your taste – read my books.  Read fiction.  I wrote my cyberwar series partly as a cybersecurity primer, so you’ll learn something.  But I chose a fictional format to make the content entertaining.  You don’t need a text book when you’ve got Cyber War I and Full Spectrum Cyberwar on your shelf.

You’ll discover that my stories are fairly prescient.  The first made Iran the bad guys but had attacks like this supply chain malware that compromise a large segment of the economy.  The second story focuses on Russia and might spook you just how closely it mirrors current events.

The Russian threat actors in Full Spectrum work for the GRU – Russia’s Military Intelligence.  I considered writing about the SVR, Russia’s Foreign Intelligence agency behind the SolarWinds hack.  I find one of their code names more literary – Cozy Bear.  The GRU is nicknamed Fancy Bear, which is still cool; Bear of course stands for Russia.

I felt forced to use Fancy Bear because it’s more plausible they would launch the type of attacks in my story.  Cozy Bear is more about intel gathering.  This is why some experts are suggesting this isn’t a cyberwar attack.  Cozy Bear doesn’t destroy systems.  They just listen to our secrets.  That doesn’t make for as fun a story as the mayhem in Full Spectrum.  Sometimes I choose plausibility when deciding my storyline.  Other times I take extreme liberties for a good story.

Source Content

27 Wednesday Mar 2019

Posted by in cyber war, Novel

Leave a comment

Tags

, , ,

Cyber War

I wrote Cyber War I because there was no good fictional content on cyberwar.  Not really.  The first cyberwar story I know was when Clifford Stoll wrote the non-fiction The Cuckoo’s Egg in 1989.  He tracked a spy and wrote about it in first person.  

I was junior in something at IBM at the time.  Can’t recall if I was in data networking, let alone security yet.  My tech career vector has been data networking with a useful understanding of network operating systems, which somehow led to IT systems architecture, back to network, then to security, where I remain stuck.

That tech career vector is what has formed my desires for the better-than-text-book content that can only be delivered with fiction.  Those needs did not go unsatisfied, not by me.  There is other good non-fiction, although mostly cybercrime instead of cyberwar.  You know the difference, right?  “There’s money in cybercrime, but cyberwar will get you killed.”

Read Joseph Menn tell his Fatal System Error story on Barrett Lyon, the Mafia, and Russia.  Or read Kevin Poulsen turn some clever hacker into a super protagonist out to save the world in Kingpin.  Trust me, there’s some non-fiction out there that sets the bar high for fiction.

What I did differently in the blog book-cover photo is it’s literally the front cover, spine, and back cover jpeg of my paperback edition.  After creating the jpeg above, I leveraged the KDP cover-creating publishing tool to add some text to the back cover, and it added the barcode programagically.  What I could not do was move or adjust the text box window, so I hit the return key until I was half way down the page, in order to begin my text on the lower half of the back-cover page.

If you want to be blown away by non-fictional cyberwar, read Malcom Nance’s The Plot to Hack America.  The writing is of course very good, but talk about prescient.  Macolm published it in September of 2016 – before Trump was elected.  You might not believe his story personally, but my point is that it serves as the original source of content for everything about the topic since.

I’ve also shared with you some of my source content that I read around the time of writing the sequel to Cyber War I, Full Spectrum Cyberwar.  That link is to GoodReads, which allowed me to post my unique perspective of the entire book cover.  From there, you can click on the link to buy my book from Amazon – ebook or paperback.  While you’re at Amazon, look for a link in my author page that takes you back to this blog.  If enough of us click through that loop, excessively, I’m wondering if that wouldn’t create an internet looping vortex with enough force to possibly tear a seam into the very fabric of cyberspace itself.  There’s only one way to find out.  Experimentation.

By now, you’ve guessed that this post is pure marketing.  That doesn’t change the fact that you’re still reading and I’m still pitching.  My expectation is for anyone who is my friend on GoodReads to spend $3 on my ebook, read it, and give me a review.  The way reviews work, I probably don’t need overwhelmingly positive  feedback as much as I just need volume.  

Hopefully, GoodReads will sort the best reviews at the top.  So go on, click on that link.  Worse thing that could happen is we take GoodReads down with a massive Distributed Denial of Service attack.

The Sequel

21 Thursday Mar 2019

Posted by in cyber war, Novel

Leave a comment

Tags

Full Spectrum Cyberwar ebook Cover

For those of you who haven’t read a good tech thriller in over two years, because it’s been that long since I published Cyber War I, your wait is over.  I published the sequel last night, an ebook version of Full Spectrum Cyberwar on Amazon (₹99 in India) (£2.27 in UK).  The print version is coming soon, once I recover from the tedium of having formatted an ebook and feel up to the task of formatting print.  Self-publishing is not as glamorous as it sounds.

A year after Cyber War I made Robert Warner a celebrity in his field of cybersecurity forensics, he’s ready to cash it all in and retire young, with the sale of his software firm to a conglomerate for over $100 million.  He’s two weeks away from starting the next chapter of his life living large in a Colorado resort community.  He just has one more business trip to complete, an international assignment to pen test a wind farm in the North Sea.

Rob turns over one too many stones and finds himself the target of Fancy Bear, the infamous Russian military hacking organization.  It’s Rob’s nature to dig deeper, to solve the crime.  Instead, he’s forced to play defense, to protect the welfare of his employees, his wife, and himself.  If he can survive a chase through Europe, he can complete the transaction to sell his software firm and retire wealthy.

Full Spectrum Cyberwar exposes the real-world activities of the Russian GRU as they conduct hybrid warfare on their European neighbors in this gripping sequel to Cyber War I.  U.S. CyberCom attempts to confront the Russians with a forward defense strategy that escalates well beyond Major Calvert’s control.  In Full Spectrum Cyberwar, the battlefield extends beyond the keyboard.  Lives are on the line in this relentless exchange of one-upmanship between nation states as they battle for dominance over geopolitical assets.

I know you’re not reading anything else right now, or you wouldn’t be on the Internet reading blogs.  Download my book and give me what I need – reviews!

Cyan

10 Sunday Mar 2019

Posted by in cyber war, Novel

2 Comments

Tags

 

13536634 - pretty futuristic cyber girl posing over dark background

And now, for something completely different.

My first two books were on cyberwar.  Book one was intended to serve as a tech primer of sorts, to explain cybersecurity concepts in a fictional story.  Iran was the adversary.  Book two, which I’ll publish in the next few weeks, focuses on explaining the concepts of hybrid warfare, with Russians as the bad guys.  Book three will pivot toward cyber terrorism, where the motives become murkier.

I won’t be able to reference cyberwar in the title.  That’s fine.  I already have a working title for my draft manuscript, Cyan, the name of the story’s heroine.  This graphic is her.  I’ve licensed it and might use it for the book cover.

Shifting the content focus from cyberwar to cyber terrorism isn’t the only turning point in my writing.  The genre will evolve from a tech thriller to cyberpunk – a derivative of science fiction.  Twenty years into the future, I’ll be able to take more liberties with technology – the focus of which will be on virtual and augmented reality.

I completed the first chapter this weekend.  I would tell you that I started the story in January, but really, I’ve been planning before I finished book two, Full Spectrum Cyberwar.  I fleshed out a character in that story who wasn’t even born yet by the end.  How’s that for foreshadowing?  Obviously, Cyan will be twenty years old in this 3rd book.

I expect to have fun working in a new genre.  I know that my writing improved dramatically between books one and two, but I’m already somewhat bored with the conventions of a tech thriller.  Writing in a new genre should continue my growth on the skills curve while keeping the exercise fun and interesting.  Of course, just continuing writing is the most important thing.  Repetition is the key to learning.  Let me say that again, repetition is the key to learning.

With the inherent ability of cyberpunk to take more liberties with reality, I hope to put more focus on character development.  And structurally, I’m improving on my outlining.  There are two types of writers, plotters and pantsers.  I wrote the first two books more by the seat of my pants than from outline.  I started them before I knew how they would end.  Although strangely, in Full Spectrum Cyberwar, I wrote the beginning after the end.  For Cyan, I have the first half of the book fully outlined.  I still don’t know the end, but then neither do you.  Stay tuned.

 

The End

24 Saturday Nov 2018

Posted by in cyber war, Novel

Leave a comment

Tags

,

Cyber War

Just finished the first draft of my second novel.  I haven’t named the title yet but I’ve been calling the draft Cyber War II since it’s a sequel to the first book.  I already licensed the graphic above for the cover.  Nothing says cyberwar more than computer mice dressed up as tanks.

Once again, Thanksgiving week plays a special role in the timing of my writing.  Two years ago, I took off the entire week to self publish my novel.  I’m on a slower schedule this time around, taking two full years to get to a first draft, whereas I completed writing the first book in six months, then edited and published two months later.  Still, this week plays a productive role in my personal storyline.

For those of you who served as beta readers the first time around, I promise you, this first draft is much more readable.  I’ve developed my skills.  I can tell it isn’t finished yet though.  It’s 40,000 words less than my first novel, 10,000 too short.  There really aren’t rules on this but the convention for a tech thriller is to be between 70,000 and 100,000 words.  This draft is at 60,000.

No doubt, it could use another 10,000 words worth of character development.  I’ll take feedback from friends on that.  I developed some new characters that I actually plan to use for my third novel.  It’s not exactly a trilogy, but the 3rd book will be 20 years in the future, using the more youthful characters from this story, and will be in the cyber punk genre.  Always thinking ahead.

I know that I improved my writing in one specific area for this book.  My biggest criticism from the first book was that it was way, way too technical.  That I should consider writing for people who enjoy reading user manuals.  Fair enough.  Not that I shied away from writing another primer on cyberwar, but I’ve employed a number of tricks to make the learning more digestible.

Despite my confidence on improving in that area, I find it impossible to know if I’ve written a good story or not.  I’m too close to it.  I’m certain Stephen King never scared himself with his own novels.  I’ll find some help on that.  I’m targeting completion of a second draft by end of winter, seek out my ‘ole editor, and maybe publish in the spring.

The Cyphers

02 Saturday Jun 2018

Posted by in cyber war, Novel

1 Comment

Tags

,

steganogrphy

I belong to a covert writing club.  We publish on the deep web.  Like using steganography.  I probably shouldn’t say anything more.  It started from a private invite.  We publish privately to promote creativity.

If any of this sounds illicit to you, let me define terms.  The dark net is where people conduct nefarious transactions.  Dark net sites are generally also part of the deep web, but the deep web is not inherently bad.  It’s simply web sites that have not been indexed by search engines or otherwise have their access obscured.  The metaphor is of an iceberg.  We use the Internet that’s been indexed for queries.  That’s the tip of the iceberg.  The vast majority of the web is not visible to us, like the deeply submerged section of the iceberg.

This started out as a way for us to hone our craft.  It’s also a good method to draft snippets of dialogue for later regurgitation in other works – for me, my novel.  I’m considering submitting my current writing for review, sort of like the conventional writer’s discussion group.

I’m relating this under my novel category because I think it’s a novel approach (forgive the pun) for writers to practice their craft.  Your contributions can be easily copy/pasted years into the future into derivative works.  A post today by one of the other writers spoke to me so directly, it felt unnatural.  Like the narrator had a Gods-eye view into my life.  That’s impressive writing that does that.  Not only will I benefit from the writing exercise, but I expect to read some really good stories, exclusive to my private group.

 

Dmitri and the Wallet

14 Thursday Sep 2017

Posted by in cyber war, Novel

Leave a comment

Tags

, , ,

DmitriHow big is your wallet?  Look at the objects on this tabletop.  I bet your wallet is not as big as Dmitri’s is.  I don’t really know his name.  Like any other guy, I was minding my own business in the hotel lobby when I was engulfed by a gaggle of techies attending some international conference for the betterment of humanity.  This guy sits in front of me, blocking my view of equally attractive people, and proceeds to pull out his wallet. Seemingly to make room for, not just one, but two smart phones.

To his credit, he used both mobiles at the same time.  Possibly dueling the same issue that was so important to him that he worked it while his comrades drank voraciously nearby.  Sounded more to me though that he was working some tech issue with skilled subject matter experts on the one phone, to the point he could set it down occasionally, while he yelled at the Help Desk on the other.  The wallet, despite serving as a focal point to at least me, was lost in all this performance art.

If you think it’s bad how I’m making fun of this guy, you should consider how much worse it is for me to take a photo of a complete, non-celebrity stranger, and post it online.  I don’t care.  This guy has earned a role as a European hacker in my pending novel.

Weeping Angel

08 Wednesday Mar 2017

Posted by in cyber war

Leave a comment

Tags

, , , ,

Bethesda_angel_cloudy_jeh

Any Doctor Who fans?  If so, you should appreciate the reference to the weeping angels from that show, and perhaps understand why this is such a clever name for an exploit kit to hack into Samsung TVs considering how the CIA uses it in collaboration with MI5 – or the Brits.

I’m referring of course to this week’s data dump of classified CIA material on their hacking program, actually their toolkits, by WikiLeaks.  Much of the news hovers around the ethical concerns of the CIA hacking into American citizens’ Internet-connected Samsung TV sets to listen in to their conversations or track what shows they watch.  Or the issue of them not sharing exploits with vendors.  I’m not interested in that.  It’s all inference anyway.  All we really know is the software programs they use, in conjunction with other European agencies, to electronically eavesdrop.  Personally, I’d be disappointed in them if they didn’t have some cool capabilities like this.

I might be more technical in this area than you, but to let you know, I’m not really all that savvy on how these exploits work.  Which is why I think you might find my take-away from this event interesting.  You should be able to identify with my high-level understanding.  Understand it is really quite possible for a hacker to eavesdrop on your conversations, to hack into your iPhone, to capture your sensitive WhatsApp texts before they are encrypted.  For Pete’s sake, last week’s news was about two million internet-connected teddy bears, from Spiral Toy’s CloudPets, making their customers’ conversations available online.  The point isn’t that the CIA uses these tools, it’s that anyone can use these tools.  It’s that these tools exist.  There is no assurance of data privacy.

In Cyber War I, I explain to readers about how ransomware works and to be aware.  I give some technical details on several aspects of hacking and cybercrime.  I intend to go deeper and explore other dangers in my sequel.  I hope you enjoy this information; I’ll try to blog more on these topics.

If you’re looking for assurances, there aren’t very many.  For online protection for when you don’t mind the inconvenience and are uber concerned on protection, consider employing two-factor authentication.  At least on financial sites.  This is typically a process of logging into a site with your password (something you know), and a passcode that gets sent to your phone (something you have) during the login process.  More and more sites are adopting this, but leave it to you to use it.  It probably won’t be available on your TV any time soon.

Ransomware

29 Tuesday Nov 2016

Posted by in cyber war, Novel

2 Comments

Tags

sf-ransomware-attack

This week’s ransomware attack against San Francisco’s Municipal Transportation Agency underscores just how real the events in my Cyber War I novel are.  My soon-to-be-released story is fictional of course, but I didn’t make this stuff up. These attacks I describe are literally off the front pages.  This attack requested 100 bitcoin, roughly $70,000, to free their ticketing systems.

I mirror another true story from last year where a hospital was attacked, requesting a similar ransom.  My story details this attack vector and how you might recover from an attack.  Hint, backup your system, preferably offsite.  While farfetched, you might even get lucky and find your files still unencrypted in your trash bin.  It doesn’t hurt to look.

Hope you appreciate this small computer security primer.  It’s really a thinly-veiled attempt at self-promotion for my book.  I’m in the marketing phase of book writing and publication.  If I were serious about it, I’d have started marketing more aggressively months earlier.  And I’m too cheap, or just not committed enough, to drop 100s if not 1000s of dollars into book promotion – so I am leveraging my blog.  Hoping my book will be available by end of week.

Cyber Terrorism

24 Thursday Mar 2016

Posted by in cyber war

Leave a comment

Tags

,

iStock cyber warfare

The Department of Justice announced charges against seven Iranian hackers today for launching cyber attacks against the U.S. financial system and a dam in New York.  There is no question, these events were malicious cyber attacks.  But when is it cyber crime and when is it cyber war?  Apparently, sometimes never.  Loretta Lynch is calling this cyber terrorism, because also this week the Justice Department announced they have changed their approach and now treat nation-state affiliated hacking attacks like terrorism threats.

Lest you think everything is now clear, in the same statement, Loretta said, “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,”  Really?  How powerful!  I imagine then the State Department, in coordination with the Department of Justice, will now approve travel visas for these seven terrorists so that we might possibly arrest them after stepping onto U.S. soil.

Here’s my disconnect.  I understand terrorism to be used to classify harmful acts that are attributed to stateless warriors.  The circumstances around terrorism differ from crime and war such that we have this third category of aggression.  Hence, we have tribunals in Gitmo.  I sort of understand it.  Cyber Security experts have coined unique terms for hacking to categorize attacks as militaristic or criminal.  Fairly intuitive.  War is when we’re attacked by a government-attached army and crime is when we’re attacked by a civilian.  I would then think that cyber terrorism is when we’re attacked by a stateless army, but I’m wrong.  It means when we are attacked by real countries, namely China and Iran, but electronically rather than by arms.  Maybe there is additional criteria, such as the attack is against a corporation or citizen rather than against our military?

So if Iran blows up Wall Street, that’s war.  If Iran only electronically implodes Wall Street, then that is terrorism by the individuals working for the Iranian government.  Not sure how to classify the dam attack.  We need to stop pussy-footing around and call it what it is.  Cyber War!

Going Dark

25 Thursday Feb 2016

Posted by in cyber war, Geek Horror, Running

1 Comment

Tags

, , , , , , ,

scytale 2

FBI Director James Comey testified to Congress today that encryption will end law enforcement’s ability to perform their job.  He suggests that the FBI’s primary tool is court orders to search for information, and he makes the general assumption that data is never accessible once encrypted.  To paraphrase, encryption leads to information “going dark” for the purpose of public safety.  As if encryption is game over for the FBI.  This reminds me of a famous quote (famous misquote actually as I don’t believe this is true) attributed to the Commissioner of U.S. Patent and Trademark office Charles Duell when he purportedly quipped, “Everything that can be invented has been invented.”  Comey seems like a decent guy but suggesting that the FBI requires clear text access to American’s data because the court order process is predicated on this is disingenuous.  The FBI has an obligation to keep up with technology.

I stated in my previous blog on this topic that cryptography and cryptanalysis have been playing a cat and mouse game throughout world history.  So let’s review that, because I believe government is obligated to defeat encryption technologically rather than by  eroding America’s privacy laws.  To be fair, I recognize they are currently playing catch-up.  Consider that cyber crime is nearly a half trillion dollar market.  Security products and services are well under $100B market.  Meaning we are applying $100B to the good side and cyber criminals are making $500B.  So I can sympathize with Comey.  The bad guys are winning.

Understand the etymology of these terms.  We began by covering up secrets.  For example, Histaiaeus, in the 5th century BC, wrote his message for Miletus to revolt against the Persian King on his messenger’s shaven head.  He then waited for his messenger’s hair to grow back before sending him on his way.  This was before instant messaging.  A similar technique was used in the latest version of Mad Max.  “Steganos” is Greek for “covered” while “graphein” is the Greek term “to write”, hence steganography means “covered writing.”  So steganography was the art of covering up a message.  It goes without saying, one didn’t necessarily have to be a rocket scientist to be a code breaker back in the day.

The art of secrecy evolved to hiding the meaning of the message, rather than simply covering up the message itself – with the understanding the message will likely be discovered eventually.  The Greek term for “hidden” is “kryptos”; hence we use the term “cryptography” which we now practice with encryption.  The picture above is of a 5th century Spartan Scytale that transposed the position of letters to hide the meaning of the otherwise open message.

Technology advanced and today one does have to be a rocket scientist to be a code breaker.  Bill Gates was quoted by Representative Bob Goodlatte (wonder if he owns shares in Starbucks?) in today’s Congressional Hearing as suggesting Quantum Computing will soon be powerful enough to break any encryption.  I don’t know about that but point is technology does eventually catch up in this cat and mouse game.  Consider the plight of Mary, Queen of Scots.

On trial for treason, her prosecutor, Sir Francis Walsingham was also England’s Spymaster.  Sir Walsingham first captured Mary’s correspondance, which she hid inside the hollow bungs that sealed barrels of beer.  This was steganography.  But Mary was clever and further used a cypher to hide the meaning of her correspondence.  Sir Walsingham engaged Thomas Phelippes to perform the requisite cryptanalysis and ultimately succeeded in proving Mary’s guilt.  The rest is history.  Point being, Cryptanalysis was on par with the cryptography of the time.  Fast forward to WWII where the British successfully decoded the German’s Enigma with the use of early computing technology.  So Bill Gates might actually know what he’s talking about.

I’m in the cyber security industry and agree with Comey that the bad guys are winning.  For now.  Still, I’m not willing to surrender any more rights to privacy than have already been suspended post 9-11.  Technology will catch up.

 

 

Secrets

23 Tuesday Feb 2016

Posted by in cyber war, Geek Horror

Leave a comment

Tags

, , ,

secret

I understand everyone believes there should be a balance between security and privacy.  Seems sensible.  Bill Gates came out today in favor of the FBI over Apple, but then he’s been making business decisions counter to consumer needs for decades.  I myself am so impassionately middle of the road on most topics that I wonder sometimes if I’m not actually dead.  It’s great when everyone can win a trophy but you cannot avoid the reality that there are winners and losers.  I believe the current Apple/FBI debate is one of those binary scenarios.  It’s as difficult for me as anyone else to plant my flag when I want both privacy and security.  The following example though helps clarify my position.

The 4th Amendment provides both privacy protection, and presents the guidelines for the State to void those privacies given reasonable cause.  Assuming proper due process, the State wins.  This is a nice template for balance, but it doesn’t stop there.  The 5th Amendment protects us from self incrimination.  “I plead the 5th.”  Taken together, people must allow the State entry into their home for a warranted and reasonable search of evidence of a crime.  However, people are not obligated to point out where they hid the evidence.  “Oh, it’s under the seat cushion.”

There are two centuries of legal precedent supporting these Amendments to where most of us are fairly knowledgeable of the rules, without being actual lawyers.  Let me dumb this discussion down though even further.  Let me use the term secrets instead of privacy.  We all have secrets.  Not just our banking PIN code but family history and deep, dark fantasies.  I know that there are things I would never consider telling anyone, and I’m about as transparent as a person can possibly be.  Have you read my prostate chronicles?  I might be wavering a bit from the core Apple/FBI topic since not all secrets necessarily contain criminal content, but I believe the principle points remain intact.  I’m allowed to have secrets.

I’m not even that strong of a privacy advocate.  See above on my middle of the roadness.  For example, I don’t consider privacy an inalienable right.  We were born naked in a garden, so God wasn’t that big on personal privacy either.  Clearly, there was very little personal privacy when we were living together as tribes in caves.  But like anyone else in western civilization, I’ve grown accustomed to certain privileges and I do want privacy.  Even if I didn’t, the information age ascribes so much value to data integrity that encryption is paramount to how our society and economy function.  It’s not until I substitute the word privacy with the word secret that I begin to understand where I fall on this topic. The State can try to search but I can try to hide.  Tell me I’m wrong on this.

Cryptography and cryptanalysis have been a cat and mouse game played throughout millennia.  Technology plays the lead role.  I understand that if the State can decrypt my communications, they already have legal justification to do so.  My information is only as safe as my encryption is strong.  But if they can’t decrypt my data, I don’t have to hand them the keys.  That’s like showing them the evidence is hidden under the seat cushion.  And they can’t outlaw encryption.  That’s like saying I can’t have secrets.  Who doesn’t have secrets?

A Bad Apple

17 Wednesday Feb 2016

Posted by in cyber war, Geek Horror, Politics

1 Comment

Tags

, ,

apple n worm

All you need to know in terms of Tim Cook vs the FBI is Donald Trump’s position on the matter.  Trump believes Apple is in the wrong and should be forced to provide the government with a backdoor hack into their iPhone.  Because he believes national security trumps personal privacy.  This is actually true – in China.  And Russia.  If you already take issue with this self-made celebrity, then you can assume Apple is right.

To be fair, and less political, personal privacy is a complex issue.  The U.S. Constitution references no protections for personal privacy.  The Bill of Rights however references numerous Amendments that allude to privacy.  Privacy of beliefs, privacy in your home, privacy of person and possessions against unreasonable search and seizure.  I think the list goes on but I’m not a lawyer and can’t defend any of them.  I do know Americans expect a certain degree of privacy and the government has the authority and corresponding legal process to transcend our privacy given sufficient warrant.  In this case, the FBI is leveraging the All Writs Act to demand that Apple engineer a new IOS version that disables the feature that would wipe the iPhone data after 10 unsuccessful login attempts.  This would allow the FBI to subsequently hack into the iPhone with a brute force password attack.

Precedent is set that allows the government to do this.  Shoot, there is even a recent case where the U.S. Attorney’s Office forced another smart phone manufacturer to unlock a screenlock.  But Apple is refusing to comply.  Tim Cook wrote an open letter explaining why.  He frames his argument from his customers’ perspective.  But just think about the consequences for his company.  Apple is being forced to weaken their product in a global market and their competitors are not being forced to do this.  They will immediately be at a competitive disadvantage in a global market for their most successful product.  Game over for the iPhone.

And recall, corporations are deemed people by the Supreme Court.  Apple will have all of the same assurances to privacy, to protection from self incrimination, to a right to earn a living.  They have every right to do business as any American as an individual.  They have the resources and will win this battle.

Why is it so hard to take a position on personal privacy vs State security?  The State has laws and legal precedent allowing them to violate your personal privacy.  We have laws and legal precedent allowing us to refuse, assuming we have the financial resources to fight.  But encryption just sort of breaks everything.  Encryption means, even if the government gets their way, they might not be technically able to have their way.  You can’t hand them the keys to your data if you’re dead.  Encryption puts the government in a real pickle.

This will be the data privacy fight of the new millennium.  This will be good.

Cross Border Data Flow

06 Tuesday Oct 2015

Posted by in cyber war, Geek Horror

4 Comments

education-ukeulitigation

The U.S. completed their Trans-Pacific Partnership Trade Deal yesterday.  If signed by Congress, this will lower trade barriers to the import and export of physical goods.  How quaint in the Information Age.  Today, the European Union Court of Justice declared the U.S. Safe Harbor policy for demonstrating compliance with the EU Directive for Data Privacy to be invalid.  EU 1 : Pacific Rim 0.

I don’t know of the availability of any stats that show the value of global trade in information vs physical goods bought and sold, but I’m willing to guess data is at least more strategic if not already more valuable.  Explaining the details of the EU Data Privacy Directive, Safe Harbor, and this new ruling isn’t my objective here.  Much of it is very legal in nature and over my head.  My goal with my cyber security series is to offer a basic primer on topics I deem of interest.  At issue here is data privacy, specifically personally identifiable data or PI.

My 13 year old daughter is uncomfortable with the notion that data can never be fully erased with any certainty.  I don’t know why or how she developed this very specific concern, likely something to do with the proliferation of online photos.  She is totally aware of the EU’s Right to be Forgotten ruling wherein citizens can demand their online references be deleted by digital firms such as Google and Facebook.  Understand that the EU considers personal privacy to be a basic human right.

The irony here is in the arrogance of any U.S. citizens who think we invented personal privacy.  Indeed, the 4th Amendment of the U.S. Constitution states that, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”  Or stated more plainly, “Each man’s home is his castle.”  Well that was written over 200 years ago.  Post-911, the U.S. has conceded leadership on the personal privacy front to Europe.

I probably shouldn’t reveal what I really think because I suspect I’m on the wrong side of history here, but I will.  I don’t believe in personal privacy.  I want it to a degree but I certainly don’t think of it as a basic human right.  I can assure you there was little to no personal privacy when humans were living in caves.  Were Adam and Eve not born naked?  And yet I do like the 4th Amendment.  I believe we need a balance between personal privacy and the benefits that the sharing of personal information ascribes to a society – like security.  An example of that is the Patriot Act.  This latest EU ruling impacts a more commercial benefit, such as advertising.

I don’t think I’m alone on this one.  Anyone reading this is online and therefore highly likely also surrendering a large degree of their personal data privacy to social networks.  You’ve probably granted Facebook complete digital rights to more family photos than your parents ever collected in photo albums.  There are benefits to sharing.  And I don’t believe we ever, ever had complete personal privacy; so I don’t think of it as a basic human right.  No man is an island.  In the end, I imagine personal data privacy will be determined more by technological capabilities than regulation.  Your data is only as secure as your encryption.  I’m interested in comments.

BYOE

04 Wednesday Mar 2015

Posted by in cyber war, Geek Horror, Politics

5 Comments

Tags

, , , ,

email chainI’m not sure whether to file this one under Cyber War or Geek Horror.  The subject matter fits under Cyber War.  My goal with cyber war is to discuss topics of interest while sneaking in a bit of a computer security primer for friends and family.  But Hillary’s Bring Your Own Email to work story also smacks of tech gone horribly wrong.  And I don’t have enough stories in that genre.  I’ll classify this under both categories.

Hillary has yet to respond so it’s premature for me to comment, but this is a blog.  She might surprise us by stating other reasons once she does respond, but the general consensus at this point in time is that the Clintons are private people (no really, everyone is saying this on the air about the most public figures in America) and they have lessons learned from their share of lawsuits and subpoenas.  So I don’t question Hillary’s desire to set up an email server at home before beginning her tenure as Secretary of State to maintain a degree of privacy.  In fact, and I’m still struggling to digest this, it’s common practice for high-level politicos.  Apparently there’s a strong market for consultants to set up personal email servers for public figures.

I can even relate to Hillary, and so can you.  Does your employer support BYOD in the workplace?  You know, Bring Your Own Device to work?  Mine does.  If they didn’t, they would have to buy 450,000 $500 smart phones for us all.  Do the math on that.  This is a real trend.  You use your personal iPhone to access your company email.  You use your iPad to access company databases while sitting on your couch and also drafting your fantasy football team.  The tradeoff is that you install your company’s computing policy onto your phone.  That sets configuration specs such as the complexity of your password and how often you have to change it.  And we’re as okay with this as we are with granting Facebook complete copyright to our family photo library.

Do you think Hillary complied with State Department computing policies on her home email server?  The discussion to date is about her operating within the guidelines (at the time) of leveraging a personal email account for official business.  My point is there is so much more to comply with.  All of us working from home at the remote end of a VPN tunnel understand that we’re the weak link in the corporate security chain.  We have family members accessing our keyboard.  We allow guests on our wifi.  Shoot, I use my personal MacBook Pro as my primary work computer.  I also sacrifice half my CPU utilization to my company’s AV and computing policy auditing software.  Some people use their work computer to host their personal pictures, play their music, and send personal email.  I prefer to subject my personal MacBook Pro to crippling corporate security and compliance software in order to use a single device.  Before that, I used two devices.

No one is talking about this yet but my concern is that Hillary did none of this.  Maybe she ran AV software.  Well of course she did.  Computers don’t run for very long if you don’t.  Point is, how would we know?  How would the State Department I/T staff know?  And AV is just one small example.  There are many essential security practices that must be followed.  Once that home email server is compromised, it can then email malware to heads of state!  I’m trying to remain optimistic.  Maybe this server was supported by a special team of State Department I/T staff.  That’s not unusual at all for C-levels at large corporations.  But stories like this remind us not to be surprised when common sense is ignored by people who should know better.  Lost in this week’s news, General David Patraeus reached a plea agreement for sharing extremely confidential information with his biographer/lover.  Trust no one.

Anthem

06 Friday Feb 2015

Posted by in cyber war

2 Comments

Tags

, , , ,

Anthem logoAnthem has no shortage of registered trademarks.  If you’re not familiar with them, before yesterday’s announced breech of 80 million personal records, you might know them as BlueCross BlueShield.  Or WellPoint, which they recently acquired.  What do you suppose their brand logo will be worth three months from now?  The prevailing consensus after every corporate breech is that the company’s equity value will dive.  Oftentimes it does.  Usually though for far much less than twelve months, and then it recovers.  Target was an exception, not because customers remember the compromise of their credit card data, but for their fundamentals and managerial fubars.  Rather than pilot a few outlets in Canada, they went all-in.  And failed.  Spectacularly.  I have this sense that Anthem might be the first to not recover their brand from a cyber attack.  I suspect I might feel this way because I’m pissed.  They stored my records.  Unencrypted!  Freakin’ idiots!

I’m not being mean.  Anthem is negligent in their compliance to the Health Insurance Portability and Accountability Act (HIPAA).  This isn’t some newly erected Obama healthcare thing.  This regulation is nearly twenty years old.  The guidelines for Protected Healthcare Information (PHI) include much of what is considered Personally Identifiable Information (PII), which in turn includes social security numbers.  I was tempted there to include the abbreviation for social security numbers but understand I’ve already drowned you in alphabet soup.  The government might only fine Anthem a few million dollars, but I have to believe a class action lawsuit should be expected.

On a more constructive, non-litigious note, what should we do about this?  The best advice I’ve seen so far is to place a security freeze on my credit reports with the three major players, Equifax, Experian and TransUnion.  Of course, dealing with these firms has got to be painful.  Placing a security freeze on my credit reports is essentially what LifeLock does.  Having just completed feezing my reports on all three online, I’m not sure I would mind paying LifeLock $19.99 per month.  The process actually went quite well with Experian and TransUnion.  A few minutes per site.  Equifax though did not print out my pin code which I will need to remove the freeze when I need access to my credit reports.  And trust me, contacting them is virtually impossible.  With that said, their customer service number is 800-829-4577 and their direct security freeze number is 888-298-0045.  These are non automated, real person answers the phone numbers.  I finally got through and was able to get a pin.  The websites to freeze your credit reports are:

Equifax  https://www.freeze.equifax.com/

Experian:  https://www.experian.com/freeze/center.html

TransUnion:  http://www.transunion.com/securityfreeze

I think it was free for me to place these freezes.  This varies per state.  I suspect it will cost me $10 or so to remove the freeze.  Maybe not but there is a temporary removal called a lift that will likely cost money.  There is an option to mail them a letter describing myself a victim of the Anthem breech that would waive any fees.  I don’t have the patience for that.  Wish me luck with this.  And if you’re one of the 80 million, good luck to you.

Deterrence

15 Thursday Jan 2015

Posted by in cyber war

3 Comments

Tags

, , , , ,

keyboard grenadeDoesn’t it just seem obvious that at some point, to protect our digital selves, we’ll have to fight back?  Firewalls and anti virus software are like fences – merely obstacles.  Leaving the porch light on and locking your door is no doubt wise.  Thieves target easy prey.  You don’t have to out run the bear, just your buddy.  The metaphors advising essential layers of protection are endless, but by now everyone should understand that absolutely no one is entirely safe from online intrusions.  Lest we all agree to simply run around naked, data privacy requires more than protection; we need to increase the risk/reward ratio of cyber attacks with a strong deterrent.

We’re building a fence along our border with Mexico – which is to say that’s a problem we don’t really care to see fixed.  Where American lives and real money are on the line, we deter attack with our armed forces.  The best defense is a good offense.  Cyber theft is starting to become real money.  It’s one thing for a credit card company to build fraud into its business model.  Not every business can do that.  The potential losses aren’t always known.  The information age is rapidly approaching its kairotic moment.  If we can’t control technology, then we might as well reboot ourselves back to the dark ages before cyber extremism launches us into the stone age.

I’m proposing the ability to respond to hacking efforts with intrusion countermeasures electronics.  ICE.  There are other terms for this but I like the literary reference from Tom Maddox and William Gibson.  The concept is an active defense that strikes back.  Currently there is very little risk to deter internationally remote cyber criminals.  This proposal is not new, the concept has been around since Burning Chrome and Neuromancer.  Black ICE takes it further by suggesting the response actually include deadly force.  Assuming that’s even possible.  So why are we not enacting an idea that’s older than the Internet?

Consider what we learned recently from the Sony attack, ostensibly by North Korea.  I have to use the adjective ostensibly, not because the FBI has yet to make their proof public, but because other agencies believe they have evidence demonstrating this is an inside job.  Point being, certainty is difficult in proving the source of cyber attacks.  So much can be spoofed.  IP addresses.  So much more is circumstantial and inferred.  This type of malware was used by this cyber warrior previously against that target.  The more sophisticated the attacker, the more likely they have obscured their tracks if not framed another source.  The level of certainty required in a U.S. civil court of law is virtually impossible.

Given that, you can be certain responding with a counter attack is illegal.  And your response will leave undeniable evidence.  No corporate legal team will approve counter attacks.  They would be complicit.  There is also the risk of escalating the conflict.  I don’t subscribe to that fear personally, but it doesn’t matter.  No legal entity can perform counter attacks.  It’s simply not allowed.  Only governments can respond with intrusion countermeasures.  Israel is transparent about this.  You can only hope the U.S. does it.  Deterrence requires we do so in a public and comprehensive manner.

Perhaps the government could outsource this to corporate ethical hackers like they do some military security now.  Regardless, I think this cost should come out of our defense budget.  I haven’t put any thought into how we should triage attacks.  Should our response to an attack against a small startup be as severe as that of a Fortune 500 company?  Should we discriminate at all.  Is our first level of response a denial of service attack or do we erase attacker hard drives?

The technology for countermeasures will be interesting.  The solution might require a government layer of software on every citizen’s computing device, much as we run anti virus now.  That’s a scary thought.  Worse than NSA snooping would be having to call the gov’t helpdesk when a software patch crashes your machine.  That Obama is responding with Executive orders now to the Sony hack tells me what direction we’re headed.  Could be years given the pace of political policy-making.  Could be months given the pace of technological progress.

The Dark Side of the Cloud

18 Thursday Dec 2014

Posted by in cyber war

2 Comments

Tags

, , , , ,

KimThe first thing I have to say about the Sony hack is that I can’t believe both this and the Cuba thing are keeping the Taliban slaughter of over 130 children out of the news.  Seriously?  I’m commenting on this because I work in the cyber security industry.  Because $10M of pre-hack movie hype has bought this story top billing.  But I consider it a non-event relative to the school children massacre in Pakistan this week.

I thought I was fully up on this story yesterday but it ruled the news today.  It was bigger than Cuba by day’s end.  Poor GOP, does anyone even remember the immigration story?  Today’s dominant news theme was around the response of Americans to the Sony decision to yank the movie.  I watched ET and read news stories.  I saw it all day long on CNBC.  I’ve yet to hear one person say this.  Sony is Made in Japan.

So, armed with this intelligence; was America really hacked?  To everyone clamoring for a military response; would you like to pause and think about this now that you understand N. Korea invaded Japan?  I know, virtual borders are tough to decipher.  Trust me on this.  Check out Wikipedia.  Query their stock listing.  Sony is run by the Japanese.  Maybe you won’t have to totally back down from your position.  Perhaps there’s some clause in our joint defense treaty that provides Japan more protection than the U.S. Gov’t brings to bear each year when your credit card is hacked.

And how sure are you that Kim Jong-un is the culprit?  I actually wouldn’t challenge the U.S. Gov’t. on this.  It’s just I’m not sure I’ve read any credible government sources yet confirm this.  I feel like the media has liberally referenced government sources as they confirm it’s North Korea.  I think what makes me question this is how fast North Korea has been confirmed.  Otherwise, I have no doubt our boys can determine the source.  If not 100%, within five nines.

I will tell you I’m not worried about Sony.  I mean about them making money from the film.  I am starting to pity them somewhat with all the hits they keep taking.  In terms of profiting from the film, I always think of the old Hollywood expression, “even bad publicity is good publicity.”  So I’m not worried about the film making money.  In fact, The Interview will likely become the highest grossing non-release of all time.  Sony should start to care about all the damage this is doing to their brand.  And Prime Minister Abe might want to beef up his cyber security forces along with his plans to increase funding for the military.

As far as that goes, every one of you better start to shore up your security.  A cyber storm is coming.  If you feel wounded from the Sony cyber battle, wait to see what it feels like when you take a direct hit.

Phone-Record Tracking

06 Thursday Jun 2013

Posted by in cyber war

Leave a comment

Tags

, , , , ,

iStock data privacyData Privacy is the biggest oxymoron in Computer Security.  Well, maybe second biggest after the name of the industry itself.  If it exists at all, it’s ephemeral.  My point is the expectation should not exist.  At most, even with encryption, it exists at a point in time only.  That the NSA program to track American citizen phone records became public today via a leak to the Guardian only proves the point even more.

What should your expectation be towards data privacy?  Basically what I just said.  Limited.  But that’s the practical position.  Americans further have an expectation of certain rights to privacy from the government.  This isn’t one of them.  Let me explain why what the government is telling us in terms of our need for protection easily trumps our right to privacy in this case.

To summarize what the NSA has been doing; they track what they accurately refer to as ‘meta data’ from phone calls.  By the way, if you’re familiar with the term Web 2.0 as it applies to social networking or current programming techniques, the next trend is Web 3.0 and is all about meta data and the semantic web.  In this case, the NSA is not listening to our phone conversations.  They are tracking calls made from or to specific phone numbers.  Data mining these connections provides patterns that suggest terrorism, and if warranted the NSA seeks court approval to then gather more personal information on the call.

Is the number called from your number private information?  I should add, the NSA doesn’t yet know the number is yours’.  They are simply tracking the numbers anonymously.  Of course, with a couple of clicks, any lay person can perform a reverse phone lookup.  Apparently this isn’t illegal when your neighbor does it.  I equate our phone calls with driving a car from point A to point B.  We can’t do that privately.  Roads are a fairly public space.  The Police however cannot stop you and search your vehicle without following reasonable search and seizure guidelines as part of our personal rights to freedom.  Authorities need probable cause.  Our telephony infrastructure, especially since most analog voice has migrated to data lines if not the actual Internet, is a public utility.  This is debatable, but I believe access to the traffic, or meta data of the phone traffic, should not be considered private.  Anyone who remembers party lines or operator switchboards should agree.

Why is this useful?  Why is the government right?  Consider a commercial application.  First, let me reiterate as I have throughout my blog and on my About page that I do not speak for or in any way represent the views of my employer IBM.  I’ll make note though that I have been in computer security for a very long time.  A popular computer security service is to monitor network traffic for signatures that suggest hacking efforts.  It’s called intrusion detection and prevention.  One particular problem with this technique is that smart hacking is encrypted so it’s difficult to monitor.  The next step then is to do exactly what the NSA is doing with phone records.  Track the end points.  The source and destination IP addresses.  Then correlate (data mine) the IP addresses with published lists of known bad guys – generally botnet command-and-control web sites.  The data is still encrypted but now some inference can be applied to determine if this is bad traffic and steps can be taken to block it.

My ISP Comcast does this for its customers.  They send customers an email stating they have noticed computers from their home talking to known botnets.  They then suggest to their customer that they should take action to eradicate any infection of malware from their computers.  In the case of Comcast, this email is actually quite useless as it doesn’t provide you with the IP address of the botnet command-and-control nor does it provide you with the IP address of the computer in your house.  The average person using Comcast for their ISP likely has a half dozen computers and mobile devices accessing the Internet.  I’ve called them only to learn that this email is really just a marketing ploy to sign you up to their Xfinity Signature Support.

Back to point, this is a good technique to root out illegal activity based on meta data.  Only after positive identification of possible wrong-doing are more personally identifiable records obtained.  I’m not a lawyer but suspect this meets probable cause.  This is my perspective and admit I could be wrong legally.  But I support this action by the NSA.

Stuxnet

07 Thursday Jun 2012

Posted by in cyber war, Geek Horror

Leave a comment

Tags

, ,

My favorite story in the news right now is confirmation of sorts that the U.S. and Israel launched a first-strike in cyber warfare against the Iranian nuclear jihad.  One of the more fun debates is political party rhetoric about the importance of confidential information – they want to find the source of the leaks.  Nevermind the stuxnet wiki article at the time of me writing this blog already quotes from Gary Samore as an early White House leaker.  So there are discussions of that nature.

Of course I read blogs on cyber security and anything else I’m currently interested in.  I discovered a pattern with this topic – the industry I work in.  Everything I read takes the position that cyber war is bad.  This only leads to an escalation in cyber warfare.  Stuxnet points to the need for more protection.

I couldn’t disagree more.  I felt compelled to comment on a recent blog but noticed the site was an aggregator.  The blog itself looked well read but I didn’t like the idea of publishing my content to this site that’s nothing more than an index selling advertisement.  It seemed like less of a professional dialog* and more of being part of someone’s business model.  Not that there’s anything wrong with that, but it occurs to me I have my own digital presence.  So rather than comment on that blog – I’ll blog it myself.

My position is this.  These security industry analysts are looking at this from inside the fish bowl.  In the context of a safe and free Internet and online commerce, this is a setback.  This is an escalation of arms and advances the bad guys.  In fact, by definition of cyber warfare, the bad guys are the government.

I look at this from the context of war.  A conventional approach to international conflict is to start out small and progress your actions slow enough so that they can be monitored by other nations and even weighed in on.  Going to the UN first or establishing a block-aid before the actual bombing of humans.  In the context of preemptive strikes, I’d personally prefer getting hit with a computer worm.  Cyber war is good.

Yes, cyber war leads to civilian casualties.  I’d argue maybe the damage is on par with a block-aid.  I understand Iran lost several months of production on their centrifuge operations.  In the context of war, this isn’t nearly as bad as the enemy sinking a passenger ship to stop the flow of supplies.  It’s a reasonable, less harmful approach in terms of human life.

I can’t interpret a blog written by someone in the computer security industry well enough to say what the blogger’s motives are.  I just know it’s bullshit taking the position this is bad for the industry.  Any company making security products or providing security services benefits from this.  The Cold War didn’t hurt the Defense Industry.  They say even art excels during times of war.  Innovation explodes in times of conflict.

Whatever your qualms over cyber warfare, get over it.  It beats real attacks against humans.  It promotes growth of the industry.  Turn your focus to lessons learned.  How successful was the attack at mitigating Iran’s nuclear development.  How fast did production return to normal – what was the downtime?  Was this effective in the context of international conflict?

* Poetic license on “dialog” because in social networking it’s really a broadcast.  A many-to-many discussion.  A party line.

Web Security

12 Saturday Feb 2011

Posted by in cyber war, Geek Horror

5 Comments

Tags

, , , , , ,

This was annoying.  I received an abuse letter (email) from Comcast, my ISP, last night.  For copyright infringement related to the illegal file sharing of some inane Kanye West song.  I’ve appended their email to the end of this blog.  The first thought that ran through my mind was, “Really, I have a Kanye West song?”  So my first action was to query my iTunes library of over 5000 songs and sure enough, I have exactly one Kanye West song – Gold Digger featuring Jamie Foxx.

I immediately suspected my tenants since they’re fairly young.  Although I knew it could also have been from Brittany – she always brings her MacBook whenever she comes home from college.  I doubt I could prove the source of the Gnutella file sharing.  I turned off my web filtering half a year ago when I was trying to install Lo-Jack on Brittany’s new laptop.  It required some call home function that my firewall was blocking.  Unless I’m specifically blocking something, my firewall won’t log the traffic.  It can, but I didn’t have it configured to do that either.  So the Kanye West download could have been from any computer in my house – or carriage house which I rent out.  The Comcast abuse letter only lists the IP address of my cable modem and it doesn’t provide the DHCP address from my home network(s).

My second action, after reviewing my iTunes, was to turn web filtering back on.  I have an old IBM Proventia FW that I have setup between my cable modem and my home LANs.  One network is for my tenants, and they have their own WiFi server.  I allow that LAN access to the Internet but not to my home office LAN (network 2) or my home LAN (network 3).  My home office network has access to all three networks in order to manage the WiFi servers.  With the web filtering running, I setup two FW rules to block traffic to the Gnutella service.  One rule for TCP ports 6346 to 6347 and another for UDP ports 6346-6347 – both at 202.0.0.0 with a 28 bit mask.  Then I asked my tenant if he was using Gnutella and informed him about the abuse letter and my new web filters.  He was pretty humble about it and apologized.

I’m relating this in my blog, and probably FaceBook, because it occurs to me many of my friends could use some advice on computer security.  I’ve been in this industry for a long time, and I just got in trouble from my ISP.  Maybe I should be embarrassed – I’m not.  I do appreciate the irony.  But I know that many of my friends have kids – with their own computers – whom run these illicit and dangerous file sharing applications.  The last link above shows you how to block some of the more nefarious sites.  Understand that I’m not judging.  I support some copyleft arguments as they juxtapose certain tenets of innovation against the precepts of copyright protection.  But these applications put your computer and home network at extreme risk of being compromised.  These apps are favorites of hackers and are as likely as visiting free porn sites to result in your machine becoming pwned into a botnet.  Forget fears of Comcast cutting off your access – be afraid of being pwned.

I’m serious.  I’d rather blog on my running themes, but you need to know this stuff.  My YouTube instructions on protecting your texting privacy was originally intended in jest when Tiger Woods got clubbed by his wife after she saw his text history.  I was just having fun, but it’s turned into one of my most watched YouTube episodes.  Likewise, my commentary on the Google vs China cyber story last year continues to receive 4 or 5 views a day based on people searching on the terms cyberwar and cyber warfare.  So I figure this is good information.  I hope so.  Or if not, I hope you get a chuckle from knowing that Comcast is on to me.

————————————————————————

Notice of Action under the Digital Millennium Copyright Act

Abuse Incident Number:      Not Applicable
Report Date/Time:           Thu, 10 Feb 2011 11:31:02 -0600

ED MAHONEY
1805 S COFFMAN ST
LONGMONT, CO  805047568

Dear Comcast High-Speed Internet Subscriber:

Comcast has received a notification by a copyright owner, or its authorized agent, reporting an alleged infringement of one or more copyrighted works made on or over Comcast’s High-Speed Internet service (the ‘Service’).  The copyright owner has identified the Internet Protocol (‘IP’) address associated with your Service account at the time as the source of the infringing works.  The works identified by the copyright owner in its notification are listed below.  Comcast reminds you that use of the Service (or any part of the Service) in any manner that constitutes an infringement of any copyrighted work is a violation of Comcast’s Acceptable Use Policy and may result in the suspension or termination of your Service account.

If you have any questions regarding this notice, you may direct them to Comcast in writing by sending a letter or e-mail to:

Comcast Customer Security Assurance
Comcast Cable Communications, LLC
1800 Bishops Gate Blvd., 3rd Floor East Wing
Mount Laurel, NJ 08054 U.S.A.
Phone: (888) 565-4329
Fax: (856) 324-2940

For more information regarding Comcast’s copyright infringement policy, procedures, and contact information, please read our Acceptable Use Policy by clicking on the Terms of Service link at http://www.comcast.net.

Sincerely,
Comcast Customer Security Assurance

Copyright work(s) identified in the notification of claimed infringement:

Infringing Work : Graduation
Filename : Kanye West – Graduation – Stronger.mp3=20
Filename : Kanye West – Graduation – Stronger.mp3=20
First found (UTC): 2011-02-10T12:21:17.61Z
Last found (UTC): 2011-02-10T12:21:17.61Z
Filesize  : 7583872 bytes=20
IP Address: 76.25.159.42
IP Port: 17677
Network: Gnutella
Protocol: Gnutella    =20

Cyber War – Game Over

22 Friday Jan 2010

Posted by in cyber war

2 Comments

Tags

, , ,

“Are you kidding me!  WTF Sarge!  I mean, do you have any idea what you’re asking me to do?  You might as well just ask me to kill my first born!”  I/O was inconsolable, fairly incoherent and in a state of complete disbelief as he absorbed his Console Sergeant’s command to wipe the drives of all honeypots and pwned bots under the command of the Cyber Force.  This was over 50,000 computers world wide.  But it wasn’t the difficulty in carrying out the task.  Computers are automated if nothing else.  Apparently I/O had developed an emotional attachment to his bots.

“We’re withdrawing from this theater of conflict soldier.  Report back when it’s complete.”  The Console Sergeant turned and walked out of the war room.

Nearly everyone in the room was empathetic to I/O, except Tyler.  “Let it go I/O.  We have bigger concerns.  Game over man.  We all need an exit strategy.”

“What are you talking about?”  I/O was coming to terms and seemed ready to talk logic.  “Exit strategy for what?”

Tyler addressed the entire room, SecIntel along with the Ethical Hack team.  “You heard the Console Sergeant.  We’re shutting down operations.  And we never existed.  Most of us are within a year of returning to the private sector.  What do we do for resumes?  We can’t talk about it.”  Tyler paused but everyone stared at him with blank faces.  Clearly they must have understood his point but no one had a response yet.  “So, we need an exit strategy.  We need to latch on to opportunities where the employer has at least some implicit knowledge of our experience.”

Jane was the first to suggest a plan.  “My older brother went to work for the NSA after he left the Rangers.  And after two years there he had his pick of employers.  NSA will know what we’re about.”

Tyler liked that idea.  “Sounds pretty smart.  We all need to think about this.  This war might be over but it’s not like cyber warfare itself is going away.  And we’re not going away – in terms of our skills.  We need new homes.  And those new homes are going to need a new army of bots, so you might want to be selective in how you carry out your command I/O.”

The End

Cyber War – We Have Met the Enemy, and it is Us

19 Tuesday Jan 2010

Posted by in cyber war

Leave a comment

Tags

, ,

Tyler planned to spend the day in bed – Jane’s bed – playing her video games.  And he began the day like that but as his attention drifted to Jane’s concern about a possible inside attack, he logged into the Cyber Force’s VPN to research some ideas.  He couldn’t authenticate initially and then he remembered the computing policy in effect that mapped everyone’s home ISP IP address to their user credentials.  He ran into this issue when he was working from I/O’s house and recalled the network admin assigned him a temporary account without the restriction.  He tried that user account and it still worked.  Unbelievable!

Once on the network, Tyler did a telnet to a machine with some of his personal utilities.  This way he could run the utilities from within the Cyber Force data center network rather than over the wide area.  He booted up a wifi sniffer that searched the local area network for wireless access points.  He scrolled down the list it generated until he found one that clearly did not conform to the data center’s SSID naming convention as it had the default name of Linksys.  This suggested to him that perhaps the admin login was also default, and it was.  No user ID and the password was admin.  Brilliant.

Tyler then reviewed the DHCP log  which contained the MAC addresses that had been assigned IP addresses.  MAC addresses are 12 digit hexadecimal numbers in the format of MM:MM:MM:SS:SS:SS where the first 6 digits refer to the hardware manufacturer of the network adapter.  Tyler knew the Air Force was in bed with Cisco and most of the MAC addresses looked to be them – but he double checked against a list of vendors and they were all Cisco.  The Cyber Force were all on Apple computers and he didn’t see any of those vendor types, but then he spotted two MAC addresses that looked different.  He checked and sure enough these were from a Chinese manufacturer.  He cross checked against yet another list he had of known Chinese hackers and they matched that list in terms of the hardware vendor portion as well.

So now Tyler understood how the hackers got onto their network and were able to bypass network intrusion detection.  They were very likely sitting in the parking lot jacked into the Air Force unsecured WiFi.  Brilliant.  Talk about shooting yourself in the foot! Tyler called his Console Sergeant and advised him to search the parking lot.

Cyber War – Insider Threat

18 Monday Jan 2010

Posted by in cyber war

2 Comments

Tags

, , ,

Jane was dressing with her back to Tyler, first her panties and then her bra.  She attached the snap in front of herself and then twisted it around to the back and lifted the straps over her shoulders.  As she put on her uniform blouse, she turned towards Tyler and buttoned it top down.  She stepped into her uniform skirt and said, “Tyler, I have to talk to you on a personal subject.”

“As opposed to?”  Tyler remained in bed because he had a full 24 hours off – even though it was her bed in her apartment.

“Oh, well, last night was personal too.  And very nice, thank you.  But this is actually work related, only I need it to remain personal – between us.”  Jane was hesitant in her speech and Tyler thought she might completely drop the subject, but she persisted after a moment.  “I think the black ice against us the other day might have come from inside.  Or at least it had some inside help.”

“Well, it doesn’t hurt to think that while you research it.  I’m not sure of the current percentages, but I believe most cyber crime occurs with inside help.  And if not, it can appear that way because of the first inside hop.  This would be pretty serious Jane.  We’re not talking about employee revenge about not getting a raise.  Everyone I know is completely dedicated to their work, and the cause.”  Tyler found this less likely the more he talked.  “Jesus Jane, that drone pilot is brain dead!  And the entire Ethical Hack Unit had their homes either bombed or targeted for bombs!”

“I don’t suspect the Ethical Hack team.  I think it’s someone on SecIntel.  And that’s why I can’t talk to anyone about this.” Jane had her uniform jacket on now and stepped into her heels.  “I have to go, but can we talk later?  I need someone to search some things for me in case I’m being monitored.”

“Wow, you’ve already put some thought into this.  Yeah, sure.  We can use secure chat.  I pulled a jailbreak on a pair of Magic Jacks to create a secure tunnel across our secure chat app in the war room.  So secure chat from your mobile to mine via the Mobile Jacks.  That way you can avoid any keylogger on your desktop.  I’ll give you one of them at the start of your 2nd shift when I get in.  But before you go, can you tell me why you think it’s an insider?”

“Well, suddenly we have five vulnerabilities?  Us?  There doesn’t seem to be anything before that.  No corresponding logs tracing the ingress vector.  It doesn’t add up.”  Jane grabbed her keys, turned and left.