Tuesday, September 30, 2008

More Calls for U.S. Offensive Cyber Capabilities

The Washington Post reports that U.S. Representative Jim Langevin, chairman of the House Homeland Security subcommittee on emerging threats, cybersecurity and science and technology and a member of the House Permanent Select Committee on Intelligence, has called for the U.S. to develop an offensive cyber capability. Rep. Langevin sees such a capability as a deterrent against attacks on U.S. systems. For the deterrent to be credible, he called for much of the Comprehensive National Cybersecurity Initiative (CNCI) to be declassified and for responsibility for cybersecurity to be taken away from the Department of Homeland Security.

The article also discusses the central practical problem in any offensive capability, namely attribution: identifying the source of an attack and the motive behind it:

"We have a tremendous amount of trouble determining attribution ... where an attack actually came from, who was responsible, who might have been behind that computer. And we have a very, very long way to go on that," commission member Paul Kurtz, a former White House cybersecurity official, told the House intelligence committee.

"Until we start to get clarity in that piece, it's going to be very difficult to contemplate the military option, of responding appropriately," Mr. Kurtz added.

U.S. urged to go on offense in cyberwar

Jihadist Websites Move to the U.S.

FrontPage Magazine has an editorial piece concerning the movement of extremist websites to US ISPs:
"In counterterrorism circles there is significant buzz about “Al-Qaeda 2.0”, warning of highly decentralized jihadist networks operating independently and driven by a highly toxic internet-inspired Islamic ideology. The sad reality is, however, that an increasing number of jihadist websites, especially those in the English language, are finding safe haven in the US – and the US government seems powerless, or unwilling, to stop them."

Mainstream US Islamic Websites -- and Terror

Monday, September 29, 2008

The Law of Unintended Consequences - Security Creates Its Own Threat

An anti-war blog has posted an article alleging Israeli spying on US government communications through backdoors installed in telephone systems. Regardless of the accuracy of the article or its political slant, it raises an interesting question: when can a security control or measure itself create a vulnerability?

Specifically, the article discusses the potential vulnerability created by the implementation of the 1994 Communications Assistance for Law Enforcement Act (CALEA), pushed by the FBI, which requires telecommunications carriers to build interception capabilities into their networks so that law enforcement agencies, with lawful authorization, can wiretap communications in the U.S.:
"The real novelty – and the danger – of CALEA is that telecom networks are today configured so that they are vulnerable to surveillance. "We've deliberately weakened the computer and phone networks, making them much less secure, much more vulnerable both to legal surveillance and illegal hacking," says former DOJ cybercrimes prosecutor Mark Rasch. "Everybody is much less secure in their communications since the adopting of CALEA."
This issue is not academic: I have investigated many serious computer crimes where the intruder(s) targeted security information and controls to determine the status of investigations, to introduce backdoors into control systems, or to lock out or monitor the activities of investigators. Too often the very tools used by security personnel and investigators were used against them or were in some way compromised.

It is critical that security professionals and engineers understand that many technological controls can be (and probably will be) used by an adversary to the adversary's advantage. This is particularly true of communication systems and of any control that monitors activity or collects intelligence data: log files, network and host vulnerability scans, IP-based communication systems such as VoIP, and IP-based surveillance and access-control systems. A vulnerability scan's results or a case-tracking log tell an intruder exactly what the defenders know and which holes remain open.
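As an added illustration for the log-file case above (this is not code from the original post or from the article it cites), one concrete defence is a forward-secure audit log: each entry is tagged with an HMAC chained to the previous entry's tag under a key that is ratcheted forward with a one-way hash and then discarded, while the starting key K_0 is kept off the monitored host with the verifier. An intruder who later takes over the host holds only the current key and cannot rewrite an earlier entry (for example an investigation's case-status line) without the verifier noticing. The sample entries, the demo secret and the helper names are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample audit entries (not real logs): the kind of records an
# intruder would want to read or alter to track and derail an investigation.
SAMPLE_ENTRIES = [
    b"2008-09-29T10:00:01Z login user=analyst src=10.0.0.5",
    b"2008-09-29T10:02:14Z case=INC-2008-117 status=open note=host db01 imaged",
    b"2008-09-29T10:05:40Z sudo user=analyst cmd=/usr/bin/tcpdump -i eth0",
]

INITIAL_TAG = b"\x00" * 32  # chain seed used before the first entry


def next_key(key: bytes) -> bytes:
    """One-way ratchet: K_{i+1} = SHA-256(label || K_i). Knowing K_{i+1}
    does not reveal K_i, so entries tagged under K_i cannot be re-tagged."""
    return hashlib.sha256(b"audit-log-key-ratchet" + key).digest()


def entry_tag(key: bytes, prev_tag: bytes, entry: bytes) -> bytes:
    """HMAC over the previous tag and the entry: binds both order and content."""
    return hmac.new(key, prev_tag + entry, hashlib.sha256).digest()


class ForwardSecureLog:
    """Appender that runs on the monitored host. It holds only the current
    key; the initial key K_0 stays with the verifier, ideally off-host."""

    def __init__(self, initial_key: bytes):
        self.current_key = initial_key
        self.prev_tag = INITIAL_TAG
        self.records = []  # list of (entry, tag)

    def append(self, entry: bytes) -> bytes:
        tag = entry_tag(self.current_key, self.prev_tag, entry)
        self.records.append((entry, tag))
        self.prev_tag = tag
        self.current_key = next_key(self.current_key)  # old key is discarded
        return tag


def verify(initial_key: bytes, records) -> int:
    """Replay the chain from K_0. Returns the index of the first record whose
    tag does not verify, or len(records) if every record verifies. Silent
    truncation of trailing records is NOT caught by the chain alone; compare
    the record count against an off-host checkpoint for that."""
    key = initial_key
    prev_tag = INITIAL_TAG
    for i, (entry, tag) in enumerate(records):
        if not hmac.compare_digest(entry_tag(key, prev_tag, entry), tag):
            return i
        prev_tag = tag
        key = next_key(key)
    return len(records)


def demo():
    """Build a log, then simulate an intruder who has taken over the host."""
    k0 = hashlib.sha256(b"constructed demo secret; keep K0 off the host").digest()
    log = ForwardSecureLog(k0)
    for e in SAMPLE_ENTRIES:
        log.append(e)
    clean = verify(k0, log.records)  # 3: all entries verify

    # The intruder knows log.current_key (K_3) but not K_1. They rewrite the
    # case-status entry and re-tag it with the only key they hold.
    forged = b"2008-09-29T10:02:14Z case=INC-2008-117 status=closed note=nothing found"
    tampered = list(log.records)
    tampered[1] = (forged, entry_tag(log.current_key, tampered[0][1], forged))
    detected_at = verify(k0, tampered)  # 1: the chain breaks at the forged entry
    return clean, detected_at


if __name__ == "__main__":
    print(demo())  # (3, 1)
```

The verifier only needs K_0 and the records, so it can run on a separate host or from an investigator's workstation; what it cannot do is notice that the newest entries were simply deleted, which is why the record count (or a periodic tag) should also be shipped off-host.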

Trojan Horse: How Israeli Backdoor Technology Penetrated the US Government's Telecom System and Compromised National Security

Thursday, September 25, 2008

Commentary: The Problem with Information Security

A recent article from Australian IT offers an Australian perspective on Cyber Storm II, the international cyber warfare exercise conducted by the public and private sectors of Australia, Britain, New Zealand, Canada and the United States. It is available at: Govt can do more on cyber security: report.

However, one point stood out in the article's analysis:
"...participants [of Cyber Storm II], which included the private sector, were surprised by the "borderless nature" of cyber attacks and the "speed with which they can escalate"."

How can people who call themselves "security professionals" be surprised that the Internet is "borderless" or that attacks (or any online activity) can occur quickly? This lack of understanding of the basic nature of threats is mind-boggling and is one of the most daunting problems in information security.

Too often, the "security experts" (in both the government and private sectors) are simply IT engineers who view security as a technical problem with technical solutions. This myopic worldview is not only misguided; it precludes proper threat and risk assessment.

While understanding the technological infrastructure and its vulnerabilities is an important component of any threat assessment, it is just as critical to understand adversary motivations, capabilities and methods. Likewise, threats must be analyzed at both the macro and micro levels.

For some reason, physical security professionals and intelligence analysts "get this". IT security engineers, however, not only have difficulty incorporating the "people" element but are often hostile to anything that strays from their technical comfort zone.

It is no wonder that security problems are growing in number and impact, and they will continue to do so as long as information security is viewed as an engineering issue and the "experts" are "surprised by the "borderless nature" of cyber attacks".

For more on this topic see:

Friday, September 19, 2008

Saudi Arabia Arrests Five for Internet Use

The Saudi Ministry of Interior announced the arrest of five individuals "who used the Internet to propagate extremism and incite youths to go to troubled areas".

"The group members "hid behind their computers and gave themselves several assumed names" in order to post material under one alias and post support for it under a different alias, the [interior] ministry said.

"The aim was to give the impression that their ideas "enjoy support from society and to encourage those deluded (by the propaganda) to communicate with them as a prelude to recruiting them for their despicable goals," it added."

Saudi arrests five web 'jihadis'

U.K. Sentences 18 Year Old for Downloading Terrorist Material

Eighteen-year-old Hammaad Munshi was sentenced in the U.K. to two years in prison for using the Internet to gather terrorism-related material:
"During his trial at Blackfriars Crown Court, the jury heard that Munshi had spent many hours viewing jihadist websites and had downloaded guides to making napalm, detonators and explosives."

Computer terror teenager jailed

VP Candidate Sarah Palin's Personal Email Compromised

The personal Yahoo email account of Sarah Palin, the Republican vice presidential candidate, was compromised, and emails and family photographs were made public:

"Among the emails posted on the Internet is a message sent from Palin to the vice-governor of Alaska, Sean Parnell, who is currently seeking election to Congress.

"The hacking comes at a time when Palin is suspected of using her personal email account for conducting public affairs in Alaska.

"According to law, all messages relating to the official functions of governor must be archived and not destroyed, but allows for personal messages to be destroyed."

Hackers infiltrate Palin's email account

Wednesday, September 17, 2008

U.S. Cyber Security Not Adequate

The U.S. Government Accountability Office (GAO) has released a report (originally dated July 2008) critical of the U.S. Government's cyber security.

The report defined, in part, the threat:
"There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on the national critical infrastructure, including the infrastructure’s control systems. The Department of Defense (DOD) and the Federal Bureau of Investigation, among others, have identified multiple sources of threats to our nation’s critical infrastructure, including foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled employees working within an organization. In addition, there is concern about the growing vulnerabilities to our nation as the design, manufacture, and service of information technology have moved overseas. For example, according to media reports, technology has been shipped to the United States from foreign countries with viruses on the storage devices. Further, U.S. authorities are concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences. For example, a cyber attack could disable a security system in order to facilitate a physical attack."
The GAO assessed DHS's cyber analysis and warning capability against four areas (monitoring, analysis, warning and response) and found shortfalls in each.

One of the key challenges the report identified was organizational and management instability within the U.S. Department of Homeland Security (DHS), stating that the department's cyber analysis and warning capability is:
"...operating without organizational stability and leadership within DHS—the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT’s role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level."

Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission."

CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities

Thursday, September 11, 2008

U.S. Considers Developing Offensive Cyber Warfare Capabilities

The Los Angeles Times reports on debates within the Pentagon about developing offensive cyber capabilities. The renewed discussion appears to be driven at least in part by the Russia-Georgia conflict.

The article touches on some of the high-level issues involved in cyber war. Like many technical revolutions in military history, cyber warfare presents many challenges and unknowns:
"To some, the tension over cyberspace echoes military debates through the centuries. Maj. Gen. William T. Lord, head of the Air Force cyber-effort, said that such discussions were akin to an old military puzzle known as "intelligence gain-loss."

"Do you not destroy a target because you can exploit it? Or do you destroy the target -- and lose the ability to exploit -- because troops are in harm's way?" Lord said. "That is not a debate. It is a discussion that goes on in war fighting."

Pentagon debates development of offensive cyberspace capabilities

Facebook Used to Target Israeli Interests

The Middle East Times ran an article discussing issues with the social networking site Facebook, including accusations that Hezbollah uses Facebook to gather intelligence on Israel. Of more interest is that this is surprising to anyone.
"...reports from the Lebanese capital, Beirut, are emerging that Hezbollah ... is using Facebook to learn of potential Israeli military movements, to gather possibly sensitive information about Israeli military bases and to pick up intelligence that could be harmful to Israel's security."

Cyber Terrorism: Perils of the Internet's Social Networks

Friday, September 05, 2008

Terrorism and Engineers - An Indian Perspective

CyberMedia India Online Ltd. (CIOL) published an interesting article on the relationship between terrorist groups and high-tech individuals. The article discusses both why terror groups are interested in recruiting engineers for their operations (both cyber and physical) and why well-educated and well-paid people would be attracted to terrorist organizations:
"Engineers that come from societies that are in themselves under threat from internal and external influences, and where alternate (and legal) means of expression are either banned or methodically suppressed will have the third terrorism necessity, a socio/political cause, and will be recruited by (or be found offering their services to) terrorist organizations."

Terror minds look for techie brainpower

Thursday, September 04, 2008

Various Articles on Russian Georgian Cyber Attacks

In an attempt to catch up on past articles concerning the Russian-Georgian cyber attacks, I'll just post links to several articles that provide at least some factual information. Thanks to S.Y. for the pointers.

July 2008:

Wednesday, September 03, 2008

Recommended Reading: "Georgia Cyber Attacks By Russian Gov't? Not So Fast"

Gadi Evron, founder of Israel's government CERT, wrote an article published in the Australian edition of CIO.com (notably absent from the U.S. site) concerning the recent attacks on Georgia.

It is always refreshing to hear an experienced investigator discuss the issues:

"Running security for the Israeli government Internet operation and later founding the Israeli government CERT, I found that such attacks were routine. Seeing the panicked reaction this type of attack has generated seems quaint from my perspective. Not all fighting is warfare. While Georgia is obviously under DDoS attacks that are political in nature, it doesn't so far seem different from any other online aftermath by fans. Political tensions are always followed with online attacks by sympathizers.

"DDoS attacks harm the Internet itself rather than just this or that website, which often requires some of us in the vetted Internet security operations community to get involved in mitigating the attacks, if they don't just drop on their own. Our purpose is not to get involved in any local situation, but rather to preserve our common global critical infrastructure - the Internet.

"Could this somehow be indirectly related to Russian military action? Yes, but there is no evidence to indicate it is the case as of yet. If anything, the opposite seems likely at this point in time."

As with similar online attacks, there has been wild speculation and near-hysteria in the media concerning the cyber attacks against Georgia originating in Russia. It is rare to find a commentator who can step back and analyze the situation based on known facts and on an understanding grounded in real-world investigations.

Mr. Evron also notes the effect of the traditional media as both a motivator and a propaganda channel. This symbiotic relationship between politically motivated cyber attacks and PR is documented in Hacktivism & Politically Motivated Computer Crime.

Georgia Cyber Attacks by Russian Gov't? Not So Fast

Researching Politically Motivated Computer Crimes

The Washington Post provides details of two groups researching politically motivated computer crimes. The article provides some information concerning the Georgian-Russian online attacks as well as a discussion of online tactics and the effects of attacks:
"It's unclear who is behind the attacks, however. In some cases, the locations of botnet controllers can be traced, but it's impossible to know whether an attacker is working on the behalf of another organization or government."

A New Breed of Hackers Tracks Online Acts of War