Infosec Island

Updated: 29 min 19 sec ago

Hacking Satellite Communications

2 hours 2 min ago

(Translated from the original Italian)

One more thing to worry about is the real security of satellite infrastructures.

In a technological civilization, satellites play a vital role in the management and transmission of information of all kinds. Satellites in fact silently do work that we benefit from every day, but we often forget this crucial part of our communications.

Are these powerful systems of communication actually safe? Is it sufficient just to be in orbit thousands of miles above our heads in order to ward off the danger of an attack? In using satellites, are we sure that nobody could listen in on our communications?

Of course not! The main concern is the possibility of compromising those satellite communications in the context of warfare.

Consider that satellite communications are widely used in military applications, particularly in those regions where other communication infrastructures are insufficient or absent, like the Middle East and Africa.

Security researchers have demonstrated that satellite phones can be easily intercepted and deciphered.

It is concerning enough that any common computer can be used to break the two encryption systems used to protect satellite phone signals, so anyone with a computer and a radio could conceivably eavesdrop on calls, and a multitude of satellite phones are vulnerable.

With a few thousand dollars it is possible, according to the researchers' announcement, to buy the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users.

The academics have summarized the threat in a single sentence: "Do not Trust Satellite Phones".

The two main standard encryption algorithms that have been compromised are known as GMR-1 and GMR-2, which are implemented by the satellite phone operators. The problem really affects only those companies that use the ETSI GMR-1 and GMR-2 encryption algorithms. 

The speed with which it is possible to decipher a call is linked to the computing power applied, but keep in mind that with suitable equipment it is possible to decipher the communications in real time.

The researchers are convinced that the main problem is related to the encryption algorithms and the "security through obscurity" approach applied by attempting to use secrecy of design and implementation to provide security, and preventing the security community from testing them.

In publishing the hacking procedure proof-of-concept, the researchers hoped to prompt the ETSI organization to set new standards based on stronger encryption algorithms.

Experience with GSM communications has already shown that hiding the algorithms used to encrypt communications is certainly the wrong approach, and represents a risk to the integrity of the overall infrastructure.

Due to this incorrect approach in the management of the algorithms, many organizations have implemented extra layers of cipher software in their satellite phones, with the unintended result of increasing their vulnerability.

A consequence of the announcement is that satellite handsets with built-in encryption mechanisms based on the hacked algorithms are no longer secure, which could pose a considerable threat to the business and military sectors. Hostile governments and criminals are actually able to monitor satellite phone networks on a large scale.

If the situation regarding satellite encryption algorithms is worrying, certainly the security of the satellites themselves is not any better.

A report released in 2011, titled the "2011 Report to Congress of the U.S.-China Economic and Security Review Commission", revealed that some US operated satellites were vulnerable to attacks, and that on more than one occasion attackers had taken control of the systems.

Sensitive satellite systems have been successfully breached, according to the report:

"Satellites from several U.S. government space programs utilize commercially operated satellite ground stations outside the United States, some of which rely on the public Internet for 'data access and file transfers,' according to a 2008 National Aeronautics and Space Administration quarterly report. The use of the Internet to perform certain communications functions presents potential opportunities for malicious actors to gain access to restricted networks."

Information regarding several attacks on satellite control systems is in the public domain, and these events have also been confirmed by the National Aeronautics and Space Administration (NASA).

Below is a brief list of events:

  • On October 20, 2007, Landsat-7, a U.S. earth observation satellite jointly managed by the National Aeronautics and Space Administration and the U.S. Geological Survey, experienced 12 or more minutes of interference.
  • On June 20, 2008, Terra EOS [earth observation system] AM–1, a National Aeronautics and Space Administration-managed program for earth observation, experienced two or more minutes of interference. The responsible party achieved all steps required to command the satellite but did not issue commands.
  • On July 23, 2008, Landsat-7 experienced 12 or more minutes of interference. The responsible party did not achieve all steps required to command the satellite.
  • On October 22, 2008, Terra EOS AM–1 experienced nine or more minutes of interference. The responsible party achieved all steps required to command the satellite but did not issue commands.

In the report, the responsibility for the attacks was assigned to China, but similar hacks can be conducted by any hostile foreign government. We must consider that compromised satellites are a serious risk: the exposure could affect communications in the business and military sectors, and can also cause the loss of sensitive and strategic technological information.

My last consideration is related to threats to satellite systems. In our imagination we make the mistake of considering foreign governments as the only possible sources of attacks.

The proof that this view is wrong arrived in recent weeks when the group Anonymous announced that it had successfully hacked a NASA satellite. The group also published on Pastebin evidence of knowledge of a NASA project.

Clearly the situation merits a high level of attention given the looming threat.

Cross-posted from Security Affairs

Copyright 2010 Respective Author at Infosec Island
Categories: Security

Symantec Identifies Polymorphic Android App Malware

3 hours 2 min ago

Researchers at Symantec have identified a crafty Trojan targeting Android devices which slightly modifies its code every time the malware is downloaded.

The technique is called server-side polymorphism, and it allows the malware to remain more difficult to detect when examined by traditional signature-based antivirus software defenses.

The technique has been used for years to hide malicious code targeting PCs using the Windows operating system, but has only recently been discovered in malware aimed at infecting mobile devices.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites," Symantec's Security Response blog explains.

Symantec has identified multiple variants of the malware, which is being distributed by Russian-based websites offering Android application downloads.

"We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software," Symantec warns.

The malicious code is able to accomplish the "morphing" of its signature in several different ways, one of which is a manual adaptation that researchers believe is a sign that the attacks are being actively administered by the malware authors.

"Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files... The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family," the blog continued.
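Why the three morphing techniques quoted above defeat whole-file hash signatures, and what a detection fingerprint that survives them looks like. This is an added example, not Symantec's code or the Opfake sample itself: the package contents, the CAMPAIGN_TOKEN field and the family "profile" are constructed stand-ins, and build_variant only generates test inputs for the detector.

```python
"""Whole-file hashes versus a structural fingerprint for a server-side polymorphic package."""
import hashlib
import io
import random
import re
import zipfile

# Constructed stand-ins for the parts of an Android package that stay stable
# across downloads. A real classes.dex is binary; text keeps the demo readable.
CORE_CODE = b"class FakeApp { onStart() { sendSms(PREMIUM_NUMBER); } }\nCAMPAIGN_TOKEN=%s\n"
MANIFEST = b'<manifest package="com.example.fakeapp"/>'


def build_variant(seed):
    """Test-input generator emulating the three morphing techniques the text lists."""
    rng = random.Random(seed)
    token = "%08x" % rng.getrandbits(32)            # 1. variable data changes per download
    dummy_name = "res/raw/pad_%06d.bin" % rng.randrange(10**6)
    entries = {
        "AndroidManifest.xml": MANIFEST,
        "classes.dex": CORE_CODE % token.encode(),
        dummy_name: bytes(rng.getrandbits(8) for _ in range(64)),  # 3. dummy file insertion
    }
    names = list(entries)
    rng.shuffle(names)                                # 2. file re-ordering inside the zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, entries[name])
    return buf.getvalue()


def whole_file_hash(blob):
    """The traditional signature: a hash of the downloaded file as a whole."""
    return hashlib.sha256(blob).hexdigest()


TOKEN_RE = re.compile(rb"CAMPAIGN_TOKEN=[0-9a-f]{8}")
FINGERPRINTED = ("AndroidManifest.xml", "classes.dex")   # family profile: the entries that matter


def structural_fingerprint(blob):
    """Hash only the profiled entries, in a fixed order, with the variable field masked.

    Entry order and dummy files cannot influence the result; a missing profiled
    entry means "not this family" and yields None.
    """
    parts = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in FINGERPRINTED:
            try:
                data = zf.read(name)
            except KeyError:
                return None
            data = TOKEN_RE.sub(b"CAMPAIGN_TOKEN=<var>", data)
            parts.append(name.encode() + b"\0" + hashlib.sha256(data).digest())
    return hashlib.sha256(b"".join(parts)).hexdigest()


def compare(seed_a, seed_b):
    """Do two downloads of the 'same' app match under each approach?"""
    a, b = build_variant(seed_a), build_variant(seed_b)
    return {
        "same_whole_file_hash": whole_file_hash(a) == whole_file_hash(b),
        "same_structural_fingerprint": structural_fingerprint(a) == structural_fingerprint(b),
    }
```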

Source: http://www.symantec.com/connect/blogs/server-side-polymorphic-android-applications

Categories: Security

How to Encrypt Your Email with PGP

4 hours 18 min ago

Pretty Good Privacy (PGP) “is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications.”

Say you have a manufacturing plant in China that makes a one-of-a-kind widget and you have a U.S. patent that you don’t want other companies stealing.

Every so often you must send an email back and forth to your man on the ground in Beijing to update the specs and the ways in which that product is to be created.

You know that if your emails are intercepted that it’s just a matter of time before a cheap knockoff comes on the market and kills your business. So, you better learn how to encrypt email.

This is where PGP email encryption comes in:

#1 There are PGP key generators online and others available in purchased or open source software. To create a PGP key you will plug in your email address and provide a password. Your security vendor can point you in a direction. Or go here to generate a PGP key.

#2 PGP keys are public and private. Your public key is posted to your website or contained in your email. People use this key to send you encrypted emails. The private key is kept private.

My public key is an ASCII-armored block of text that begins with the line -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----.


#3 When receiving an encrypted email, you plug in your private key, which looks a lot like a public key, and enter the password.

Find here a cool free online tool that generates PGP keys for fun and lets you see how PGP email encryption is done.

Caution: I’m not sure of what’s going on in the background of this site so I can’t recommend using this key generator for ongoing secure use.
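The three steps above, automated by driving the gpg command-line tool from Python so that keys are generated locally in a throwaway directory rather than on a website. This is an added example, not the author's workflow or any tool the post links to; it assumes GnuPG 2.1 or later is installed, and the identity alice@example.com, the passphrase and the message are constructed.

```python
"""Step 1 generate a key pair, step 2 publish the public key, step 3 decrypt with the private key."""
import os
import stat
import subprocess
import tempfile

USER_ID = "alice@example.com"                 # constructed sample identity
PASSPHRASE = "correct horse battery staple"   # constructed sample passphrase


def _gpg(home, *args, stdin=None):
    """Run gpg non-interactively against an isolated keyring directory."""
    cmd = ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
           "--passphrase", PASSPHRASE, *args]
    env = {**os.environ, "GNUPGHOME": home}
    return subprocess.run(cmd, input=stdin, capture_output=True, check=True, env=env).stdout


def _new_home():
    """Fresh keyring directory; gpg refuses homes readable by group or others."""
    home = tempfile.mkdtemp(prefix="pgpdemo-")
    os.chmod(home, stat.S_IRWXU)
    return home


def generate_keypair(home):
    """Step 1: key pair bound to an email address and protected by a passphrase.
    Step 2: export the public half as the ASCII-armored block you would publish."""
    _gpg(home, "--quick-gen-key", USER_ID, "default", "default", "0")
    return _gpg(home, "--armor", "--export", USER_ID).decode()


def encrypt_for(public_key_asc, plaintext):
    """Sender side (the Beijing plant): import only the public key and encrypt to it."""
    sender_home = _new_home()
    _gpg(sender_home, "--import", stdin=public_key_asc.encode())
    return _gpg(sender_home, "--trust-model", "always", "--armor",
                "--recipient", USER_ID, "--encrypt", stdin=plaintext).decode()


def decrypt_with_private(home, ciphertext_asc):
    """Step 3: the private key still in `home` plus the passphrase unlock the message."""
    return _gpg(home, "--decrypt", stdin=ciphertext_asc.encode())


def roundtrip(message=b"Widget spec rev 7: tolerance 0.05 mm"):
    """Returns (published public key, armored ciphertext, recovered plaintext)."""
    owner_home = _new_home()
    public_key = generate_keypair(owner_home)
    ciphertext = encrypt_for(public_key, message)
    return public_key, ciphertext, decrypt_with_private(owner_home, ciphertext)
```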

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Categories: Security

Anonymous Faction Hits Banks With DDoS Attacks

4 hours 51 min ago

A faction of the rogue Anonymous movement temporarily disrupted the online presence of several major banks with an onslaught of distributed denial of service (DDoS) attacks.

Among the targets of the group identifying itself as Anonymous Brasil were Citibank and HSBC, as well as multiple South American financial institutions including Banco BMG, Banco Bradesco, Banco Panamericano, Itau Unibanco Banco Multiplo and Febraban.

In denial of service attacks, generally a large amount of information is sent to a web server at such high frequency that it overwhelms the processing capacity or causes the system to shut down and reset altogether.

The net effect is that the server can no longer operate correctly and the targeted website is rendered unusable for its primary purposes, such as customer interaction or sales.

Denial of service attacks are low-tech, and the majority of internet servers are vulnerable to the attack method, which makes the tactic increasingly popular.

The latest attacks come just a few weeks after multiple DDoS attacks were launched against entertainment industry and US government websites by Anonymous supporters in an operation dubbed "OpMegaupload".

The attacks caused disruptions for several websites, including those operated by the Justice Department, the FBI, the US Copyright Office, Universal Music, BMI, and the RIAA.

OpMegaupload was a response to Justice Department indictments issued against executives at the file sharing website Megaupload.com for copyright infringement and piracy, as well as in general opposition to the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA) legislative bills currently being considered by Congress.

The crowd-sourced DDoS attacks quickly diminished, but US-CERT subsequently received reports of attacks using emails designed to infect systems by way of malware-laden attachments, and advised government agencies and the private sector to be vigilant against the continued threat of denial of service attacks.

Categories: Security

Straight Talk on Cloud Computing for the Enterprise

5 hours 45 min ago

Check out this video in which I ambushed two random attendees of the Master the Cloud event in Montréal and got them to talk to me on camera about the event.

One of the fantastic things about events like this is that real people just like you show up at these events to listen, learn and share with their fellow attendees... and that's absolutely amazing. 

In a 1-day seminar style trade-show, we managed to bring together some of our biggest partners and industry experts with vast practical knowledge on cloud computing as a key enabler to the enterprise.

Listen to what these guys are saying... This isn't a typical trade-show; this is definitely one event you won't want to miss if you're in one of the cities we're coming to soon.

If you're interested in attending, or have something to share with us, click the above "Master the Cloud" link and come out to Toronto, Vancouver, or Calgary in the next few weeks... and let's tame the cloud in the land of hockey.

Cross-posted from Following the White Rabbit

Categories: Security

ICS-CERT: Brute Force and SSH Scanning Attacks

6 hours 6 min ago

ICS-CERT is issuing this alert to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity involving secure shell (SSH) scanning of Internet facing control systems.

ICS-CERT is aware that many organizations have been seeing a large number of access attempts by remote attackers. Systems that provide SSH command line access are common targets for “brute force” attacks.

As recently as this week, ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks.

Brute Force Attacks

A brute force authentication attack attempts to obtain a user’s logon credentials by guessing usernames and passwords. Brute force login tools exist for most services that allow remote access.

Attackers can use brute force applications, such as password guessing tools and scripts, to automate username and password guessing. Such applications may use default password databases, dictionaries, or rainbow tables that contain commonly used passwords, or they may try all combinations of a character set to guess a password.

To find running SSH services on networks, attackers probe a large number of IPs on Port 22/TCP—the default SSH listening port. If a response from the probe of Port 22/TCP is received, the attacker may initiate a brute force attack.

SSH Scanning

ICS-CERT recommends that organizations monitor network logs for port scans as well as access attempts. Hundreds or thousands of login attempts over a relatively short time period are an indicator of a brute force attack, because systems running SSH normally do not receive high volumes of login attempts.

However, indication of an attack does not necessarily mean that the organization is the actual intended target. Scans are frequently executed against a wide range of IP addresses looking for any system meeting the attacker’s criteria (in this case, systems running SSH).

Because high volume scans tend to be quickly discovered, attackers may try to evade intrusion detection systems (IDS) by making only a few careful attempts, then waiting to try again later. Organizations should look carefully for these “quiet” attempts as possible precursors to more direct attacks.

While SSH is popularly associated with UNIX or Linux systems, many types of devices provide SSH access by default, including control systems equipment. Control system devices are often found on networks with SSH enabled by default.
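Detection logic for the two patterns the alert describes, a high-volume burst of failed logins and the "quiet" low-and-slow attempts spread over time, plus the check recommended under Recovery and Reporting: a successful login from a source that had earlier failures. This is an added example, not ICS-CERT's; the sshd log lines, the hostname, the IP addresses and the thresholds are constructed assumptions.

```python
"""Brute-force indicators from sshd auth logs: bursts, quiet retries, and success after failures."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard sshd syslog line shapes: "Failed password for [invalid user] X from IP port N ssh2"
# and "Accepted password|publickey for X from IP port N ssh2".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse(line, year=2012):
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")  # syslog omits the year
    return ts, m["result"], m["user"], m["ip"]


def analyze(lines, burst_n=20, burst_window=60, quiet_buckets=3):
    """Findings per source IP: 'burst', 'quiet', 'success_after_failures'.

    burst:  >= burst_n failures within burst_window seconds (sliding window).
    quiet:  failures in >= quiet_buckets distinct hours without ever bursting.
    success_after_failures: an Accepted login from a source with prior failures;
    the alert says to check exactly this before invoking the incident response plan.
    """
    window = defaultdict(deque)     # ip -> failure timestamps inside the sliding window
    fail_hours = defaultdict(set)   # ip -> hour buckets in which failures occurred
    total_fail = defaultdict(int)
    findings = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, ip = rec
        if result == "Failed":
            total_fail[ip] += 1
            fail_hours[ip].add(ts.replace(minute=0, second=0))
            w = window[ip]
            w.append(ts)
            while (ts - w[0]).total_seconds() > burst_window:
                w.popleft()
            if len(w) >= burst_n:
                findings[ip].add("burst")
        elif result == "Accepted" and total_fail[ip]:
            findings[ip].add("success_after_failures")
    for ip, hours in fail_hours.items():
        if "burst" not in findings[ip] and len(hours) >= quiet_buckets:
            findings[ip].add("quiet")
    return {ip: sorted(f) for ip, f in findings.items()}


def sample_log():
    """Constructed sshd lines: a burst source, a low-and-slow source, and an operator typo."""
    lines = []
    for i in range(25):  # 25 failures in 25 seconds from one source
        lines.append("Feb  6 10:00:%02d hmi01 sshd[%d]: Failed password for invalid user admin "
                     "from 198.51.100.23 port %d ssh2" % (i, 2200 + i, 51000 + i))
    for hhmm in ("08:15", "11:40", "14:05"):  # one careful attempt per visit, hours apart
        lines.append("Feb  6 %s:30 hmi01 sshd[3001]: Failed password for root "
                     "from 203.0.113.9 port 40022 ssh2" % hhmm)
    lines.append("Feb  6 14:06:02 hmi01 sshd[3002]: Accepted password for root "
                 "from 203.0.113.9 port 40023 ssh2")
    lines.append("Feb  6 09:30:11 hmi01 sshd[2500]: Failed password for operator "
                 "from 192.0.2.50 port 33000 ssh2")
    lines.append("Feb  6 09:30:20 hmi01 sshd[2501]: Accepted publickey for operator "
                 "from 192.0.2.50 port 33001 ssh2")
    lines.sort(key=lambda l: parse(l)[0])  # deliver in chronological order, as a log would
    return lines


if __name__ == "__main__":
    for ip, tags in analyze(sample_log()).items():
        print(ip, ", ".join(tags))
```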

MITIGATION

ICS-CERT strongly encourages CIKR asset owners and operators to examine their control network configurations and establish a baseline configuration and traffic pattern.

ICS-CERT also recommends that asset owners and operators audit their control systems—whether or not they think their control systems are connected to the Internet—to discover and verify removal of any default user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.

Control system owners and operators are encouraged to take the following defensive measures to minimize the risk of exploitation of these vulnerabilities.

GENERAL MITIGATIONS

• Minimize network exposure for all control system networks and devices. Control system devices should not directly face the Internet.

• Locate control system networks and devices behind firewalls, and isolate them from the business network. Stay actively aware of what is on the network by performing periodic port scans (where and when possible).

• If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

• Remove, disable, or rename any default system accounts wherever possible.

• Implement account lockout policies to reduce the risk from brute forcing attempts.

• Implement policies requiring the use of strong passwords. Make password lengths long and combine letters, numbers, and special characters. For additional guidance, see Microsoft’s Online Privacy and Safety web page: Create Strong passwords.

• Monitor the creation of administrator level accounts by third-party vendors.

SSH-SPECIFIC MITIGATIONS

• Configure SSH servers to use nonstandard ports. SSH normally listens on Port 22/TCP, but can be configured to listen on any other unused TCP port (the TCP protocol offers 65,535 ports). Because many scanning tools only scan a limited (low) port range by default, selecting a nonstandard high port number can make the SSH less likely to be detected by those tools.

• Restrict access to SSH servers. Only allow access from specific hosts rather than allowing access from anywhere. If the SSH server supports public-key authentication, consider using it as an alternative to static passwords.

• Use Intrusion Detection/Intrusion Prevention. An intrusion detection system (IDS) monitors networks for malicious activity or policy violations. IDS systems can aid in investigations of system breaches. Intrusion prevention systems (IPS) incorporate IDS functionality but also include the ability to block an attack as it is happening, preventing harm to the control system network rather than simply announcing that an attack has occurred.

The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

RECOVERY AND REPORTING

Organizations that detect suspicious activity should check their logs to see if any of the attempts were successful. If a successful login attempt from a brute force attack is detected, follow-on steps should be taken to implement a cyber incident response plan.

In addition, organizations should carefully adhere to computer forensic best practices to avoid destroying potential evidence.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

The full ICS-CERT advisory can be found here:

Source: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-034-01.pdf

Categories: Security

Designing Security with Brand in Mind

6 hours 32 min ago

Does your service delivery process reflect your company brand?

The intangible nature of a brand sometimes defeats our ability to connect it to aspects of our work product and client communications.

We sometimes view a brand in terms of our company’s logo or motto, easily losing sight of the subtext communicated by those symbols.

A brand’s purpose is to communicate a promise to a potential customer. Operational alignment with a brand can be accomplished by focusing on how the company has fulfilled that promise.

According to Gary Moss, chairman of Brand Vista, “real Brand Alignment demands an aligned approach across a brand’s customer service, key company processes, staff training and all the important activities that impact key customer touch-points – not just its marketing communications.”

One of these touch-points is the implicit promise that the security of client information is assured at an acceptable risk level. Why is it important to deliver security services consistent with your brand?

The fundamental archetype created by your brand must be supported by behaviors which confirm its relevance. Performance that is inconsistent with the brand will lead your customers to question your brand promise.

For example, a Los Angeles-based retail chain targeting the Latin American community engaged me to perform a vulnerability assessment and penetration test on their headquarters and sample stores.

During my preparation for the assessment, I analyzed their marketing presence. These materials promoted a business that served their customers honorably and were good stewards of their trust.

My assessment of their store locations, however, revealed default passwords on their Point of Sale terminals and on the servers that communicated financial information to the main office. Additionally, the lack of back office physical safeguards was obvious from the cashier lanes, making it a target.

The lack of consistency between the brand and risk management controls had its greatest impact in the behavior of store employees. Recognizing the lack of policy enforcement and security investments, they began to question their brand promise and their role in its enforcement.

My final report focused on the critical vulnerabilities, descriptions of successful attacks, and screenshots of the assets that could be compromised. Embedded in these observations were references to the literature which communicated their brand and notations of how their security practices were inconsistent with that brand.

These insights, together with the technical details, allowed them to revitalize their security training program and make strategic control investments.

In closing, branding is not just for the marketing department. We are all responsible for shaping and strengthening the brand that promotes the ethos of our work. 

Categories: Security

Intelligence Leaders Urge Congress to Act on Cyber Laws

6 hours 37 min ago

The threat to U.S.-based computer networks is one of the country’s most pressing security problems, and Congress needs to act on it soon, the director of national intelligence told a congressional panel.

James R. Clapper Jr. said he and all of the U.S. intelligence leadership agree the United States is in a type of cyber Cold War, losing some $300 billion annually to cyber-based corporate espionage, and sustaining daily intrusions against public systems controlling everything from major defense weapons systems and public air traffic to electricity and banking.

Clapper was joined by CIA Director David H. Petraeus, Defense Intelligence Agency Director Army Lt. Gen. Ronald L. Burgess Jr. and FBI Director Robert S. Mueller for a House Select Intelligence Committee hearing on worldwide threats.

He urged lawmakers to pass a bill that forces intelligence sharing between the government and the private sector, such as the Defense Industrial Base pilot program that then-Deputy Defense Secretary William J. Lynn III launched last year.

“It’s clear from all that we’ve said – and I hope predictions about mass attacks don’t become a self-fulfilling prophecy – but we all recognize we need to do something,” he said.

Clapper also urged Congress to reauthorize the Foreign Intelligence Surveillance Act, which he called crucial to intelligence gathering. It expires this year.

The director said he foresees a cyber environment in which technologies continue to be fielded before effective security can be put in place. Among the greatest challenges in cyber security, he added, are knowing the perpetrator of a cyber attack in real time and capabilities gaps in the cyber supply chain – the entire set of key actors involved in the cyber infrastructure.

Mueller noted that the National Cyber Task Force includes 20 U.S. agencies, “so when a major intrusion happens, we’re all at the table.” The “breaking down of stovepipes” and sharing information in cyber security “is as important now as it was before 9/11,” he added.

The FBI director told the panel that 47 states have different reporting requirements for cyber attacks, and the private sector doesn’t have to report them at all. “If they’re not reported, we can’t prevent the next one from happening,” he said.

Mueller said the cyber threat is growing and is important to address. “I do believe cyber threats will equal or surpass the threat from terrorism in the near future,” he said.

Clapper agreed. “We all recognize this as a profound threat to this country, to its future, to its economy, to its very being,” he said. “We all recognize it, and we are committed to doing our best in defending the country.”

Source: http://www.defense.gov/news/newsarticle.aspx?id=67035

Categories: Security

Game Theory, Anonymous Causality, and 2012

17 hours 47 min ago

Anonymous Factions and Influences

Anonymous being what it is, has always been susceptible to influence and infiltration from the outside as well as the inside.

The nature of the movement is such that it resembles the cell structure that terrorist action groups like Al Qaeda have adopted over the years:

  • Decentralized
  • Autonomous (to an extent)
  • Headless (perceived only in some cases)
  • They have “wings” (action wings, propaganda wings, technical wings etc)
  • Small cells with distinct leadership working in compartmented protocols

In the anonymous world, the communications take a stratified approach as well. IRC is the medium for much of the communications, but there are hidden chat rooms on various servers where the core meet to plan and talk.

I am sure there are other means that they utilize as well, such as i2p email addresses and other anonymized means of communication. Due to the nature of Anonymous, though, it would seem that the various players do not form a cohesive whole for the most part. So the cells that are out there can have an effect to greater and lesser extents, depending on the members of the cell and their capabilities.

An example of this would be the core group called AntiSec. AntiSec, comprised of the more technical hackers from what has been gathered, has been attacking various sites for the lulz as well as perhaps with an agenda to cause the government and corporations pain by releasing embarrassing and or compromising data (See HBGary for an example).  

Over the last year we have seen an evolution within Anonymous and its various movements. The latest being the AntiSec movement that really came out swinging after the LulzBoat set sail once their 50 day run was over.

It is this latest group that has people concerned and may in fact be the more cohesive core of Anonymous, one that has a set group of leaders at its core, leaders with an agenda… Anarchy.

Escalation and Over Reaction

The latest “hack” and release this last Friday (#FFF, “frak FBI Fridays”) is a case in point, and since I started this post over Shmoocon weekend, I think it is only appropriate to use the FBI conference call as a focus today.

Over the year AntiSec has been performing more and more actions against whoever they could attack. It seems that the attacks to date (except this last one) have been attacks of opportunity with some direction (such as “look for all police departments with holes on the internet”); others seem to be perhaps fortuitous hacks given to the movement by those out there sympathetic to Anon, or just looking to have their lulz while others perform the dirty work.

Either way, the stakes have been rising, and the escalation between the governments (in my case the US) and Anonymous and AntiSec has been visible over the last year into this one. With the leaking of the FBI/Met conference call this last Friday, we will see another evolution of the escalation, because now the Anons have directly shamed the FBI, the Met, and other organizations seeking to prosecute them.

Think of it as the angry bees' nest Colbert spoke of regarding Aaron Barr, except this time AntiSec has deliberately slapped the bees' nest with a bat as they walked away pointing and laughing. This will not end well for either side, really, I think. As of today the FBI has started yet another case file on the hack of the email accounts attached to the distribution list that the invitation for the call went out to.

The assumption here is that someone forwarded the email to a private account, one that had been compromised earlier and was the source of the email that allowed the Anons to dial into the call.

Meanwhile, Sabu has tweeted that AntiSec has been monitoring FBI communications for a while now and still had access as of Friday. I am unsure that this is truly the case but it cannot be discounted as just another braggadocio about their hacking prowess.

You see, the Feds for the most part are not the most tech savvy as a group, especially within the rank and file SAs or SSAs. So it is possible that there has been some pwnage, and that the net effect is that they have been compromised to the point where investigations may become harder to prosecute.

(Think about it this way.. Hacked FBI accts etc leave much for a good defense attorney to work with on the idea of reasonable doubt).

This is going to make the FBI overreact and possibly overreach. This in turn will also put the government on a back footing and make them more apt to do things in a knee-jerk fashion. You all thought ACTA and SOPA were bad... Wait until these government guys feel the burn of future hacks on them as well as what just happened.

Of course I am not condoning either side here, but, I am trying to get across that we once again have the Batman conundrum. “You made me… I made you…Let’s dance”...

Meanwhile, the collateral damage piles up and the innocent are the ones most likely to feel the bite from both sides. Ironically, both sides tell us all that what they do is for our own good.

Heh.

A Master Plan or Unintended Consequences?

Since the beginning of the Anonymous movement’s gaining critical mass and bearing the AntiSec fruit, I have been wondering if there is indeed a master plan here. Anonymous claims that they are autonomous, amorphous, a swarm, but I think that is a generalization that only fits when you look at the whole.

When you start to bore down into the cells out there, you can readily see that there are pockets of cohesive groups. One of these groups is of course AntiSec. This group I think has acquired a certain amount of play within the Anonymous circle and thus would be a leadership cell.

Recent posts of the “Coming Insurrection” on sites that have been hacked by AntiSec have led me to believe that there is a fair amount of Anarchist belief and activity within this cell of Anonymous. In fact, information sources suggest that AntiSec is in fact running the show now, or would like to.

As the hacking wing, so to speak, of Anonymous, they wield a certain cachet and also, from the same sources, may in fact intimidate the moral fags a bit. All of this means that the core of AntiSec and their acolytes are really making the agenda as well as performing the actions to drive their agenda... more than the penumbra of Anonymous as a whole.

So, in looking at the use of the Coming Insurrection and the propaganda by the “Sabus” on Twitter, it has become more and more clear in my mind that the agenda is not only Anarchy, but also has quite a socialist (for lack of a better term) bent.

By watching the Sabu account on Twitter, one can also see the socio-political bents of “Free Palestine” as well as a general call for the downtrodden to rise up against the government. Is this just Sabu being Sabu? Is there an agenda that the others within the AntiSec core also believe?

As well, the use of the “AntiSec” name comes directly from a movement of Hackers and Anarchists back in the '90s who did not believe that the nascent “Security Industry” was a good thing and that ideas like responsible disclosure of vulnerabilities were a bad thing. It all just fed a cycle where the corporations out there could hide vulnerabilities, keep writing bad code, and generally skate on their responsibilities to keep things secure.

Oddly enough, all of those things today are in effect and still we have issues where companies are not doing the right thing as well as have a security “Industry” that contains many charlatans.

The AntiSec of yesterday, I am told by sources, do not like the current AntiSec core out there today. In fact, some are a bit peeved from what I have been told. So, if today's AntiSec is not a descendant of this original group... who are they? As best I can figure, they took the name because they liked it, but for the most part there seems to be an Anarchist and Nihilist bent within their ranks and their agenda...

This raises the question though: just how much of their action has been just to sow anarchy and how much has been part of a goal to fight the government for perceived crimes against those they govern? For me, it seems that perhaps the overall goal here may in fact be to push the issue until there is a civil war of sorts. How would this play out?

Well, I think we are seeing the beginnings of this now:

  • More governance of the internet
  • Less privacy
  • Additions to laws concerning terrorists and terrorism that now center on the internet and “cyber-issues”
  • Knee-jerk reactions creating bills with over-reaching language allowing for abuses of power

Granted, some of this may have organically been created from today's issues over hacking and the so-called cyber-warfare ongoing between countries. However, I think that this has sped up quite a bit as Anonymous/AntiSec push the buttons more and more against the police and the government.

The net effect is that AntiSec is baiting the government and the authorities into overreacting. With each dump of data and compromise of a site, they push and push the fools running the country into being more fearful that they cannot control the situation.

The reality is that they can’t control it... Hell, they barely understand it…  And this makes it all the worse.

Predictive Behavioral Analysis of Both Anonymous and Government (USA) Using Game Theory

I have been watching this Greek tragedy play itself out over the last year and frankly I just don’t see this going well for anyone. It really boils down to a couple of outcomes and neither one I think is good:

  1. AntiSec becomes even more brazen, attacking more frequently as they gain more power/synergy with more followers and people willing to help them.
  2. The government will continue to attempt to catch the players. Some will get caught and there will be trials.
  3. The trials will escalate the anger and the AntiSec crew will seek more and more directed targets to shame and disrupt the authorities' cases.
  4. Laws will be enacted restricting the internet and the privacy we all should be able to have.

The thing here is that AntiSec will not just go away... Nor will the governments of the world change their ways. If indeed AntiSec's core believe in anarchy as a way of life, then they will go on sowing it. This will cause the government to overreact and do some pretty stupid things as well.

It’s really Batman and the Joker all over again... And as I think about it more, it becomes a very apt allusion to what is going on. Except that the government is not as smart as Batman or as moral/ethical…

Normally, the use of “Game Theory” attempts to determine the best outcomes for winners and losers within games, politics, economics etc. In this case though, the real loser I think is the third party here… You and I.

This game cannot be won. It will continue back and forth and there will only be collateral damage. Think of it this way… This war being waged by AntiSec and our government/authorities can be seen as the next war between all parties in the Middle East.

Fought over thousands of years because of perceived differences of opinion over religion and land. Like the Shia and the Sunni, or the Israelis and Iranians, this tribal tit for tat will continue on and there will be no clear winner... Ever.

Perhaps WOPR said it best… “A strange game. The only winning move is not to play. How about a nice game of chess?”

K.

Cross-posted from Krypt3ia

Copyright 2010 Respective Author at Infosec Island
Category: Security

Hidebound Governments Unprepared for Cyber Threats

17 hours 48 min ago

As the Libyan war came to a close, the computer networking blogosphere was chock-a-block with speculation that the U.S. government chose not to employ cyber attacks against Gaddafi’s air defense network on the principle that it would not be the first country to do so.

Perhaps it did. According to Henry Bar-Levav*, head of ace cyber security firm Recursion Ventures and a pioneer of the commercial Internet, “War is deceit. Forensics depends on attribution. Falsification is trivial these days.”

Speaking with JINSA Policy Director James Colbert, Bar-Levav, asked whether he thought that, like Israel’s assumed nuclear arsenal, America’s cyber warfare capabilities were purposefully being kept opaque, replied, “Can you imagine a country ‘declaring’ cyber warfare?

Smoking guns are often wishful thinking… Geography is largely irrelevant. One group can ‘mass their “cyber” troops’ with almost no possibility of detection or attribution.”

Cyber Warfare and Opacity

Continuing on this theme, Bar-Levav declared that, “Cyber warfare will remain opaque because it is fundamentally asymmetric, deniable, and, strangely, because any group can claim attribution to scare others and to increase the group’s morale.”

Implying a more aggressive approach to America’s cyber warfare plans, U.S. Deputy Defense Secretary Bill Lynn recently said that “a fortress mentality will not work in [the] cyber [realm].” Asked what he thought this meant, Bar-Levav replied that, “there are three basic security strategies: security by obscurity (passwords, crypto), security by correctness (education, following secure procedures), and security by isolation (air gapping, the fortress mentality). Defense in depth requires all of these approaches working in harmony.”

After all, he explained, “a firewall might get you 80% of the way there, but you need to realize that all aspects of security are converging, and you have to take all of them into account, and realize you can be compromised anyway, say by a rogue CFO. So, we must develop and practice emergency preparedness including incident response, public relations, disaster recovery, etc.”

“What I hope Secretary Lynn meant,” he continued, “is that ‘A fortress mentality alone will not work…’ The silver lining of 9-11 should be the lessening of the complacent belief in Fortress America, both physical, and virtual.”

National Cyber Defense Stymied

Asked whether he believes the U.S. government’s growing array of cyber security agencies and military cyber warfare centers will be adequate to defend not only government networks but private industry, Bar-Levav responded with an emphatic, “No.”

“Hackers can’t really be trained – at least not the best ones – and attacking and defending are pure meritocracies,” Bar-Levav noted. “If you win, you win. It’s a way of thinking, not a set of procedures. These are people who ‘repurpose’, and they’re not going to go to work for the U.S. government.”

In fact, Bar-Levav declared that the U.S. government's hidebound practices with regard to security clearances and corporate contracts hurt its ability to attract the best talent. “The enemy doesn't have top secret clearances, why should our defenders? Right now, the government has little chance, because the first question they ask after ascertaining that they want your help is ‘do you have a contract vehicle?’ This has nothing to do with security.”

But what about so-called public-private cyber defense partnerships, can they work? “Sure. Microsoft successfully shut down botnets in concert with the FBI and a bunch of warrants. But, to make this strategy sustainable, the U.S. government needs to allow what we call an ‘unregulated well-armed militia’ of security experts with ‘letters of marque’ to be able to point out and solve security problems in a risk-neutral, indemnified environment.”

Bar-Levav did allow that, “There is some interesting work going on in certain agencies, but our experience is that it’s being done by isolated brave individuals who are bucking the system, and we’ll see how well their careers develop.” The biggest challenge in this realm, he said, is that, “the bad guys don’t have to follow any rules, and we do.” We are hamstrung by “risk-averseness.”

Stuxnet-type Threats to National Infrastructure

Asked to assess the degree of vulnerability of American industrial facilities and utilities to Stuxnet-style attacks on vital control systems, Bar-Levav said that, “It’s a serious threat, made worse because the motivations are much more political and ideological than economic.”

Told that the cyber security firm Symantec had announced that some 60 percent of the 100,000 Stuxnet-infected computers worldwide were in Iran, leaving some 40,000 computers infected elsewhere in the world, Bar-Levav said, “Stuxnet had one aspect that was novel, the specificity of the target. In this case it was the Siemens SCADA systems at the Iranian enrichment facility at Natanz.

It’s a good bet to assume that Stuxnet looked for characteristics like a Farsi language pack and Siemens software and would be quite harmless to any other system. Don’t worry about Stuxnet harming anyone but who it was meant to harm.”

Regarding rampant speculation about the provenance of Duqu, the Trojan Horse with strong similarities to Stuxnet, Bar-Levav asked, “Who had the motive? Even if it wasn’t Israel, it doesn’t hurt them for everyone to believe it was.

The fact is, malware researchers all pay attention to the cyber arms race, and it’s not at all surprising if we found out that Duqu’s creators were inspired by the techniques used by the creators of Stuxnet. Technologically and financially, a private group could have created both of these attacks. These aren’t at the level of the Manhattan Project.”

A New Breed of Security Required

“Even if they brilliantly secure their networks, the greatest threat that organizations face is that they are still vulnerable if their minimum wage security guards are disgruntled or their physical access control systems can be easily bypassed,” Bar-Levav explained.

“Today, security must be holistic. It must include securing information, hardware, physical access and business processes. An attacker will find and exploit any vulnerability not just the vulnerabilities the organization has self-identified. Security is no longer the domain exclusively of the IT department or of the security guards. Attacks come opportunistically,” he warned.

* On November 7, 2011, Bar-Levav addressed JINSA’s Board of Directors at their Fall Meeting

Cross-posted from The Sentry


Who Will Watch the Watchers?

17 hours 49 min ago

Quis Custodiet Ipsos Custodes? (Who Will Watch the Watchers?)

Reading the news that VeriSign, the company responsible for delivering people safely to more than half the world's websites, suffered a series of breaches back in 2010 comes as no surprise. 

Why?  Because I think that we have entered a new era of cybersecurity; one where the objective is not to protect against a breach - it's not that I think organizations shouldn't try, just that I think the majority of large organizations are no longer able to - but instead to detect them and mitigate the damage done by them.

The fact that the breaches have only been made public because a Reuters journalist, Joseph Menn, found the company's disclosure in a quarterly US Securities and Exchange Commission [SEC] filing should worry anybody that has a .com, .net or .gov domain. 

It proves that the new guidance from the SEC works - but the fact that the breach was not immediately disclosed means that critical data MAY have been compromised, without its owners realizing that the risk had increased significantly. 

To their credit, it appears VeriSign acted quickly once it became aware - but reports indicate that staff waited a year before alerting senior management.

Perhaps the most worrying aspect of the story is that senior executives still don't know exactly what happened, and what data was stolen. 

While it is likely that VeriSign has all of the right tools in place – end-point security tools, a traditional SIEM, a netflow analyzer, etc. – it appears unable to make sense of the data. 

As a CISO, I once had to face my board to explain why my organization had been hit by the SQL Slammer worm back in 2003 (long before situational awareness tools were available); I can only presume that attempts to get answers were the reason for the 12 month delay.

Verisign aside, the story raises a much more important question.  It is one that I wrote about more than three years ago in a piece authored for Risk magazine entitled, ‘Quis custodiet ipsos custodes?’ (Who will watch the watchers?). 

If we can’t trust the guardians of the data at the heart of our new network-dependent economy, who can we trust?

Answers on a postcard please… alternatively, you can add yours in the comments section below.

Cross posted from The Situational Room


Time for a Change in our Attitude Around Risk

17 hours 50 min ago

Recently I read a piece in ComputerWeekly that made me cheer.

Risk and audit professionals, as a rule, have never seen an (adverse) risk* they didn’t want to stamp on and kill.

When is the last time you saw an audit report that said management had too many controls or was not taking sufficient risk? When did you last hear a risk officer urging planners to move into a new market more quickly?

The same thing applies to information security personnel, so I was pleased when I read an article on “How the CISO must evolve to balance risk and business”.

Here are some excerpts that appeal:

  • “Business success increasingly depends on the ability to balance the demands of cyber threats and regulatory compliance with innovation and growth.”
  • “...communicate with the board and managers in various parts of the business;… run security as a business;… eliminate redundant controls; and… work with the business to enable innovation and growth”.
  • “More specifically, the CISO needs to evolve from an isolated subject matter expert and analyst to a trusted advisor on how technology can improve business; to an integrated business thinker, facilitator, leader, evangelist and educator.”
  • “The CISO must move from being a technical risk expert who focuses on the risk of loss, to include risk as a more central part of the role by understanding business priorities while continuing to maintain the corporate moral fibre [sic].”
  • “This involves taking risks to meet business objectives, but this can only be done successfully with a thorough understanding of the risk appetite of the business involved.”
  • “…identify where the business is missing opportunities – either by being too risk-averse or through worrying too much about risks that were a real threat once, but can now be mitigated with relative ease.”

It’s this balance in thinking about risk, that if you don’t take risk the business will fail, that is missing for too many audit, risk, and security professionals.

I don’t believe it is acceptable to take the attitude that “our job is to identify a risk; it is management’s job to determine what to do about it”, and then complain when management decides to accept the risk.

Let’s take a risk and accept that some risks should be allowed to live.

*I define risk as the effect of uncertainty on objectives (ISO 31000:2009)


A Conversation With Richard Clarke – Part II

Sun, 02/05/2012 - 05:02

Article by Zack Cronin

Continuing Chris Wysopal's discussion with cyber-security guru Richard Clarke, this second installment focuses on questions asked by webinar participants. (Part I Here).

Q: Are you concerned about the merge to electronic healthcare records?

RC: Yes – part of the healthcare reform package has requirements that accelerate the reliance on electronic file records in medicine. There are some real incentives in the bill that force the industry into doing it relatively quickly. The question in my mind is who the actor is in this case that would go after health care records.

Is it a criminal or is it an espionage organization? I don’t know the motivation, but I do know that these enormous insurance companies and enormous medical centers have lots and lots of vulnerabilities because they’ve never looked systematically before and done real sophisticated security analysis – that’s the last thing a major medical center has been doing in the past.

So yes, it is a source of concern any time a new industry runs headlong into a reliance on IT systems it hasn't relied on before.

Q: Is it safe to assume that most attacks come from compromised servers? If so, are there any government agencies or companies that scan for vulnerabilities that notify that company of a server issue?

RC: The simple answer to that is no. The government does not run around scanning private company servers. In fact, unless you specifically sign up with a provider to do that, no one’s going to automatically do it for you.

Q: Would you please comment on what small businesses can do to learn more about what they can do to contribute to increasing security in their respective businesses?

RC: I’m going to say something here that may be a little counter intuitive and a bit controversial. I think small businesses should think about the cloud. I know some people say, “Oh the cloud is automatically insecure,” or, “the cloud is automatically less secure.” Well it depends on what you ask the cloud provider to do.

If you’re truly a small business, you don’t have the time, you don’t have the expertise, you don’t have the money to defend yourself to the level of perhaps what you would be satisfied with. But a bunch of small and medium-sized companies going to a cloud provider together can have much better security than they can have individually.

If, and this is the key thing, if they ask for it, and if they compare offerings on the criteria of a service, and of security, because if you just go to a cloud provider, they’ll say, “Oh yea, we did all of the security stuff,” and that will be the end of it.

You get these situations where you get the cloud provider kind of believing it's up to you to do your own security, and you think the cloud provider is doing it, so you have to be careful, you have to be explicit, you have to ask them what additional security you can buy from them, and how to compare the security offerings among the cloud providers.

But I would urge a small business owner to try to do that rather than try and secure it themselves.

We’d love to keep the discussion going, so please leave your comments below!

Cross-posted from Veracode Blog


Enterprise Ethics: Anticipating Ripples in the Pond

Sun, 02/05/2012 - 05:01

January 19, 2012. What was the significance of this date? Pitchers and catchers report to Spring Training in one month!

It is a time of year that even 2011’s worst team in baseball, the 106-loss Houston Astros have a chance to succeed in the upcoming baseball season.

Do I have unrealistic expectations or is it just wishful thinking? I prefer the phrase “hope springs eternal, especially in Spring Training.”

I pondered my love of baseball, especially during Spring Training, whilst reading an article in the January/February edition of the SCCE Magazine, in an article entitled “Rock in the pond ethics” by Frank Bucaro.

Bucaro’s article is based around the concept that “Decision making is like throwing a rock in a pond. No matter how big or small the rock is, water is displaced.” His thesis is that it is better to consider the ripple effects of your decision making before throwing that rock into your company’s ethics pond.

If you do not do so you can easily run the risk of not only having unintended consequences occur but consequences for which you may have no response for, yet be held accountable for in your company.

So to help navigate this, he provides five bases to touch before making such a decision:

  • When a decision needs to be made, hold the rock, hold it and then hold it longer. In other words, preparation prevents poor performance. To the best that you can do so, do not pull the trigger on the decision until you know what the consequences will be, that you can deal with those you know, and that you are prepared for the unforeseen consequences.
  • Do not let your emotions dictate when to throw that rock. Ask a trusted colleague for some time and explain the situation. Not only does this bring communal wisdom into your decision making process but it slows down the process to let any excess emotionalism burn off. A good rule of thumb – sleep on it before throwing the rock.
  • Sometimes you need to put the rock down. It is not always wrong to put the rock down and obtain additional information and data. Be careful that you do not fall into catharsis but if you need to put the rock down, do not be afraid to do so.
  • The bigger the rock, the bigger the ripples. A big splash means simply that: your decision will have many ripples and may well splash back on you. But trust your instincts. If your gut says something to you, you had best listen to it.
  • Know what your values are before a decision is made. What are the three most important things about your company’s ethical culture? Values, Values and Values. Know what your values are before you throw that rock. If your decision is values based (assuming you have the right values); both you and your company should be in a good place.

Will the Bucaro five points guarantee a 100% correct decision each and every time? No, they will not, but it will put you in position to anticipate the issues and be prepared for the consequences of your actions.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

Cross-posted from Tom Fox Law


The Valley of Death Between IT and Security

Sat, 02/04/2012 - 05:03

IT is about executing predictable business processes. Security is about reducing the impact of unpredictable attacks on your organization.

IT and security should adopt a common goal and a common language – the language of customer-centric threat modeling.

Typically, when a company (business unit, department or manager) needs a line of business software application, IT staffers will do a system analysis starting with business requirements and then proceed to buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security staffers will make some requirements, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.

Things have changed – both in the IT world and in the security world.

Web 2.0 SaaS (software as a service) offerings (or Web applications in PHP that the CEO's niece can whip together in a week…) often replace those old structured systems development methodologies.

There are, of course, good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is buggy software.

Buggy software is insecure software. The response to buggy, insecure software is generally doing nothing or installing a product that is a security countermeasure for the vulnerability (for example, buying a database security solution) instead of fixing the SQL injection vulnerability in the code itself.

Then there is lip service to so-called security development methodologies (which, despite their intrinsic value, are often too detailed for practitioners to follow) that are not a replacement for a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of mentality and skill sets between IT and security professionals.

  • IT is about executing predictable business processes.
  • Security is about reducing the impact of unpredictable attacks.

IT's “best practice” security in 2011 is firewall/IPS/AV. Faced with unconventional threats (for example a combination of trusted contractors exploiting defective software applications, hacktivists or competitors mounting APT attacks behind the lines), IT management tends to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first-principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modeling and analysis is the antithesis of installing a firewall, anti-virus or IPS.

Analyzing the impact of attacks requires hard work, hard data collection and hard analysis. It's not a sexy, fun to use, feel-good application like Windows Media Player.

Risk analysis may yield results that are not career enhancing, and as the threats get deeper and wider with bigger and more complex systems, so the IT security valley of death deepens and gets harder to traverse.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it's only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures oriented instead of customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I propose that IT and security adopt a common goal and a common language – a language of customer-centric threat modeling: threats, vulnerabilities, attackers, entry points, assets and security countermeasures.

This may be the best or even only way for IT and security to traverse the valley of death successfully.

Cross-posted from Israeli Software


Data Privacy: Oxymoron, Wishful Thinking, or Strategic Goal?

Sat, 02/04/2012 - 05:01

Data Privacy Day was January 28, an internationally recognized day whose purpose is to raise awareness of data privacy and promote data privacy education. It currently is held in the U.S., Canada, and 27 European countries.

In light of this effort, let’s examine the topic of data privacy:  Why it’s important, what consumers aren’t doing right, and what businesses must start doing better.

Recently another seven new breaches were made public (1). A recent study places lost personal records at over 806 million between 2005 and 2010 (2), and another 32.3 million since then (1).

What does this mean for consumers? What does this mean for businesses? The much over-quoted then Sun co-founder and CEO Scott McNealy opined: “You have zero privacy anyway. Get over it.”

Consumers are desensitized to breaches, as evidenced by the meager response rate of consumers applying for free credit monitoring services after a company breaches their personal information. If you analyze the data that was breached, sometimes you have to ask, “Why are they even collecting all of that data?” 

The types of data collected often are articulated in corporate privacy policies, but few consumers bother to read Privacy Policies to better understand what companies collect.  If consumers don’t demand better safeguarding of their personal information, businesses have little incentive to invest resources in protecting it!

As businesses decide how to leverage their information assets, including the terabytes of consumer data, the privacy trend is growing increasingly unfavorable!  Google, for example, is combining some 60 Privacy Policies. 

Google probably was counting on no one reading their new Privacy Policy.  Also recall the April Fool’s Day prank by Game-Station which added an “immortal soul clause” to their privacy policy - a clause thousands of customers unwittingly agreed to!  Why can’t those lengthy, arcane privacy policies be written in succinct, plain English?

A paradigm shift is needed.  Businesses must do three things:

• Collect less personal information

• Do a better job securing that information

• Better explain, in plain English, what they collect and what they do with the data collected

But consumers are not devoid of responsibility. Consumers need to read privacy policies and make cognitive decisions as to which companies they wish to do business with.

We all need to take an active role in privacy, or last Saturday was just an oxymoron and just wishful thinking. Maybe Scott McNealy was right.

Brian Dean is a former Senior Vice President, Chief Privacy Officer, HIPAA Officer, and GLBA Officer for one of the nation’s largest financial institutions.  He now is the Privacy Officer for SecureState and provides consulting services to the banking, healthcare, and other industries in the area of privacy.  For more information contact Brian at www.SecureState.com

1. Privacyrightsclearinghouse.com

2. The Leaking Vault 2011: Six Years of Data Breaches, Suzanne Widup, August 2011
