The Bureaucratic Nature of the CIA
While the popular image of the CIA conveyed in books and movies is often that of a rogue organization, it's probably much closer to the truth to say that the CIA, as Chomsky has characterized it, is "basically just an obedient branch of the White House."
This view is supported by a Top Secret interview with David Cohen, the former Deputy Director for Operations for the CIA. In this interview, he notes that:
"When you take an action on the edge and you don't think leadership will stand with you, you soon decide to stay far from the edge. The DO had many years in which they thought that the White House endorsed action, only to find out that the White House was not supportive in the end. CIA is as risk-taking as the policy environment will support. Just having case officers asked by senior officials, 'why did you do this?' sends a message that risk-taking is not supported."
I suspect that the White House would prefer to maintain the CIA's rogue elephant image so that a certain degree of plausible deniability can be exercised when need be. If something unpleasant comes to light, the White House can claim "we didn't do it, it was those loose cannons over in the CIA." Then they feed a couple of CIA officials to the wolves and wash their hands. -BB(2010-12-31)
Update: Former NSA Director, General Bill Odom disagrees. He claims that "The CIA currently does not work for anyone - it pretends to work for the President but is in fact out of control."
Bruce Sterling on Wikileaks
Mr. Sterling offers his synopsis of Wikileaks and Assange.
"While others stare in awe at Assange's many otherworldly aspects: his hairstyle, his neatness, his too-precise speech, his post-national life out of a laptop bag, I can recognize him as pure triple-A outsider geek. Man, I know a thousand modern weirdos like that."
Reading this essay, I cannot help but detect a hint of offhand dismissal. "Never you mind" says Mr. Sterling, "just another cyber misfit, they're a dime a dozen." As an author, I can heartily testify that you can spend your life reading books, or you can go out and live a life that someone will want to write a book about. For better or for worse, Julian Assange falls into the latter category. Merry Christmas, Wikileaks. -BB (2010-12-25)
In this article, Michel Chossudovsky makes his case:
"On the surface, nothing proves that Wikileaks was a CIA covert operation. However, given the corporate media's cohesive and structured relationship to US intelligence, not to mention the links of individual journalists to the military-national security establishment, the issue of a CIA sponsored PsyOp must necessarily be addressed... It is in the interest of the corporate elites to accept dissent and protest as a feature of the system inasmuch as they do not threaten the established social order. The purpose is not to repress dissent, but, on the contrary, to shape and mould the protest movement, to set the outer limits of dissent."
In other words, if you control both of the prize fighters in a boxing match you'll profit regardless of who wins. -BB (2010-12-19)
Update: Over the past several days I have received mail from a number of government employees who've protested that Wikileaks couldn't possibly be a CIA psyop because the Wikileaks staff are "far too competent." -BB (2010-12-23)
Jeffrey Carr, in this Forbes article, questions the notion that Israel is responsible for Stuxnet.
"The appeal of a U.S. or Israeli cyber attack against first Bushehr, then Natanz, was just too good to pass up even though there was no hard evidence and very slim circumstantial evidence to support a case for either country. The best that Ralph Langner, CEO of Langner Communications (and the leading evangelist for this scenario) could point to was an obscure Hebrew word for Myrtus and a biblical reference for a date found in the malware that pertained to Persia; both of which could have been explained in a half dozen alternate ways having nothing to do with either Israel or the U.S."
"As far as China goes, I've identified 5 distinct ties to Stuxnet that are unique to China as well as provided a rationale for the attack which fits China's unique role as Iran's ally and customer, while opposing Iran's fuel enrichment plans. There's still a distinct lack of information on any other facilities that suffered damage, and no good explanations for why there was such massive collateral damage across dozens of countries if only one or two facilities in one nation state were the targets; however, based solely on the known facts, I consider China to be the most likely candidate for Stuxnet's origin."
In this white paper, he also questions the assumption that Stuxnet is a state-sponsored project.
"The Stuxnet malware analysis performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all point to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state, however certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in their largest corporations such as China's national champion companies (i.e., Huawei) or France's majority ownership of Areva."
It's been months, now, and we still don't have the answers we need. This demonstrates the truck-size hole that exists in the flawed strategy of cyberwar deterrence or the idea that we can limit problems with treaties (that we can't enforce). -BB (2010-12-17)
Yet again, the central issue of attribution rears its ugly head. Even if you succeed in tracing an attack back to a specific geographic location, there's really no fool-proof way to ascribe responsibility. Such is the nature of contemporary anti-forensic technology (and the internet in general). There's nothing to prevent a determined (e.g. state funded) attacker from breaking the terms of a treaty and then shielding themselves with plausible deniability or, even worse, framing a 3rd party.
Let's not forget the possibility that the intel services of a treaty participant could simply pay one of the more sophisticated criminal groups to do their dirty work for them. The aforementioned outlaws would probably have no idea who really hired them, providing an extra layer of obfuscation.
Whenever I read about the idea of cyberwar treaties, I think back to the Biological Weapons Convention that the US and USSR signed in 1972. The Soviets seemed to interpret the treaty as an opportunity to accelerate their weapons program. -BB (2010-12-04)
Related: Attribution cuts both ways. "Recall as well that the main technical tool used to anonymize submissions to WikiLeaks, Tor (The Onion Router), came out of a US Naval Research Laboratory project to protect clandestine activities overseas. In fact, members of the military are some of the most vocal opponents of current attempts in the US to require person-level attribution of data packets online."
One of the world's leading experts on developing secure software speaks out against the hype surrounding cyberwar in this Q&A from CNET.
"There is a lot of crime, less espionage, and very little cyberwar. (chuckles) And the root cause for capability in all these things is the same. That is dependence on systems that are riddled with security defects. We can address all three of those problems. The most important is cybercrime, which is costing us the most money right now. Here's another way to think about it: everyone is talking about the WikiLeaks stuff, and the impact the latest (confidential files) release is having on foreign policy in the U.S. The question is, would offensive capability for cyberwar help us solve the WikiLeaks problem? The answer is obvious. No. Would an offensive cyberwar capability have helped us solve the Aurora problem where Google's intellectual property got sucked down by the Chinese? The answer is no. What would have helped address those two problems? The answer is defense. That is building stuff properly. Software security."
I couldn't agree with him more. -BB(2010-12-01)
Last night on PBS, Zbigniew cut to the chase pretty quickly:
"I think the most serious issues are not those which are getting the headlines right now. Who cares if Berlusconi is described as a clown. Most Italians agree with that. Who cares if Putin is described as an alpha dog? He probably is flattered by it."
"The real issue is, who is feeding Wikipedia on this issue -- Wiki -- Wiki -- WikiLeaks on this issue? They're getting a lot of information which seems trivial, inconsequential, but some of it seems surprisingly pointed...It's, rather, a question of whether WikiLeaks are being manipulated by interested parties that want to either complicate our relationship with other governments or want to undermine some governments, because some of these items that are being emphasized and have surfaced are very pointed. And I wonder whether, in fact, there aren't some operations internationally, intelligence services, that are feeding stuff to WikiLeaks, because it is a unique opportunity to embarrass us, to embarrass our position, but also to undermine our relations with particular governments."
Wikipedia? Was that a Freudian slip? All joking aside, I think he's alluding to an issue that is worth some thought. Just as intelligence services have long-standing back channels with the press, as pointed out by editors like the New York Times's Max Frankel, have interested parties devised ways to influence Wikileaks? This is the danger of being an information chokepoint. -BB (2010-11-30)
"Mr. Ahmadinejad publicly acknowledged, apparently for the first time, that Iran's nuclear program had recently been disrupted by a malicious computer software that attacked its centrifuges. 'They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,' he said at the news conference."
This New York Times article implies that the malware was indeed Stuxnet, though it isn't stated explicitly. In fact, the article mentions that "Mr. Ahmadinejad did not specify the type of malware or its perpetrators." Assuming that Stuxnet was to blame, questions still remain: Who wrote Stuxnet? Was Iran an intended target?
Related: Another New York Times article provides additional information concerning the Google attacks:
"China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said."
Keep in mind that this is based on information from a "contact." Before we invaded Iraq, our Secretary of State stood before the UN Security Council on May 27, 2003, and (based on intel from a contact) alleged that Iraq had developed mobile production facilities for biological weapons.
Another thing to keep in mind is that China isn't the only nation-state that ventures into other people's networks. I'm fairly confident that we do it just as much (if not more so). -BB (2010-11-29)
The cables, which date from 1966 up until the end of February this year, contain confidential communications between 274 embassies in countries throughout the world and the State Department in Washington DC. 15,652 of the cables are classified Secret. The embassy cables will be released in stages over the next few months.
The White House has responded:
"Such disclosures put at risk our diplomats, intelligence professionals and people around the world who come to the United States for assistance in promoting democracy and open government. These documents also may include named individuals who in many cases live and work under oppressive regimes and who are trying to create more open and free societies."
The New York Times thinks otherwise:
"The cables tell the unvarnished story of how the government makes its biggest decisions, the decisions that cost the country most heavily in lives and money. They shed light on the motivations and, in some cases, duplicity of allies on the receiving end of American courtship and foreign aid. They illuminate the diplomacy surrounding two current wars and several countries, like Pakistan and Yemen, where American military involvement is growing. As daunting as it is to publish such material over official objections, it would be presumptuous to conclude that Americans have no right to know what is being done in their name."
Regardless of how government officials and the press view the release of these documents, one thing is certain: leaders are probably now aware that they may one day be held accountable for what they do and say. The veil of secrecy has been pulled back. This will impact how our government operates and how we interact with other countries. Perhaps this is one of the ulterior motives of cablegate? -BB (2010-11-28)
Life in The Wilderness of Mirrors
This New York Times book review looks at a number of recent books that have been authored by former CIA officers. These sorts of memoirs tend to fall into two categories. On one side you'll find people like Miles Copeland, an officer in both the OSS and CIA, who asserts that the general public has a biased view of the CIA because we only hear about the failures (an argument that rests heavily on the secret nature of intelligence operations). In his book, Without Cloak Or Dagger, Copeland explains that:
"Unless you can believe that even a government as wasteful and inefficient as our own would tolerate the existence of a vast and costly facility which is inactive and ineffective, you must believe that it accomplishes something. More than that, you must believe that most of what it does is successful. No Government, even our own, would tolerate for long a costly agency that has more failures than successes."
The current slew of publications seems to claim just the opposite. They paint a picture of an unwieldy bureaucracy that's mired in the security of administrative rituals which place an emphasis on quantity over quality. Some former officers even go so far as to suggest that we start over with a clean slate. This definitely doesn't jibe with Copeland's description of the indoctrination process that CIA officers undergo during training.
"Even the most anti-Government cynic comes out with the conviction that the nation faces dangers to national security which are more awful than even the gloomiest columnist imagines, and that the machinery of which the CIA is a part has means of combating them which are so sophisticated and powerful as to be beyond the comprehension of all but those who are a part of them."
How's that for hyperbole? So, who do you believe: the old stalwart or the groans of disenchantment that point to the conspicuous absence of intelligence "slam dunks?"
Perhaps Lindsay Moran can offer some insight. In her book, entitled Blowing My Cover, she recalls a warning from a grizzled rank and file CIA veteran who advises her not to let the job consume her, as the higher-ups in the beltway pay much more attention to failure than success. -Barry Bennington (November 27, 2011)
According to this article in the Washington Post, Wikileaks is gearing up to release US State Department documents. The current administration appears to be bracing for impact. The article reports:
"U.S. officials are concerned that some of the leaked cables could include details of conversations in which senior foreign politicians offer candid appraisals of their governments. Those assessments could prove embarrassing, not only to the United States but to the politicians and governments concerned."
Elizabeth King, the Assistant Secretary of Defense for Legislative Affairs recently sent an e-mail to Senate and House Armed Services Committees asserting that "The publication of this classified information by WikiLeaks is an irresponsible attempt to wreak havoc and destabilize global security. It potentially jeopardizes lives."
Julian Assange is no stranger to this sort of critique. In a correspondence sent to volunteers[at]lists.wikileaks.org in March of 2008, he stated that:
"The first ingredient of a democracy is the people's right to know, because without such understanding no human being can meaningfully choose to support anything, let alone a political party. Knowledge is the driver of every political process, every constitution, every law and every regulation... Since knowledge is the creator and regulator of all law, it must be placed beyond law."
As the clock ticks down to the release date, which the Pentagon suspects may be as soon as November 26th, I wonder if the State Department will simply weather the oncoming storm. Or, (as Wikileaks has intimated) "the coming months will see a new world, where global history is redefined." Either way, I cannot help but notice the admonishment by Wikileaks to "Keep us strong." Says Cryptome: "it's the patois of whispering promises of manifold return on investment for riches to come. Open your wallet." -BB (2010-11-24)
In this article from Network World, the NSA's Information Assurance Technical Director, Dickie George, acknowledges the issues posed by attribution. He states, "Back then, if the Soviets fired a missile you knew it was the government and could tell where it was fired from... Today, it's bits and you don't see them coming through the air." In other words, how can you rely on a policy of deterrence when you can't even tell who attacked you? Correct me if I'm wrong, but it's been months now and we still don't have any concrete evidence that will tell us who, exactly, built Stuxnet.
In this arena, Dickie claims that we need to "make ourselves harder targets." The best defense isn't a good offense, contrary to what you may hear from retired government officials who now represent corporate interests in the defense industry. The best defense is... a solid defense.
These are similar to some of the basic arguments that I touched on this past October during an event at San Francisco State University. -BB (2010-11-21)
RELATED: A recent Senate hearing on Stuxnet. Notice who provided the witness testimony. Do you think they might have a vested interest in painting an ominous picture?
Researchers at Symantec have uncovered more details with regard to what this malware does. Specifically, they discovered that "Stuxnet requires particular frequency converter drives... [and] changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process."
Note that details about who created Stuxnet, and why, are still sadly absent. This didn't stop anyone in the press from taking almost comical speculation about Stuxnet and presenting it as fact. -BB (2010-11-13)
"This technology is very easy to build since it does not rely on deep analysis of chip logical gates architecture. Floating Point Arithmetic (FPA) looks promising to define a set of tests to identify the processor or, more precisely, a subset of possible processors."
This is the first step towards building malware that targets a specific chipset, as opposed to a specific OS. Once you know the chipset, you can look for hardware-specific exploits. Finding a hardware-level flaw... that, dear reader, is the challenging part. -BB (2010-11-11)
If this doesn't raise an eyebrow, I don't know what will:
"The Bureau of Information Resource Management's Radio Programs Branch (IRM/OPS/ITI/LWS/RPB) provides all overseas missions two-way radios equipped with Digital Encryption Standard (DES) or Advance Encryption Standard (AES). These encryption algorithms provide limited protection from unauthorized interception of voice communications and are only approved for the transmission of Department of State Sensitive But Unclassified (SBU) and Department of Defense For Official Use Only (FOUO) communications. Under no circumstances should DES- or AES-equipped radios be used for the transmission of classified information, as defined by Executive Order 12958."
If there are flaws in AES that make it undesirable as an encryption algorithm for classified information, then it's probably not a good standard. Unless of course, for whatever reason, you want people to rely on an algorithm that allows you to eavesdrop. Someone has some explaining to do... -BB (2010-11-07)
The Wall Street Journal reports that "a group that includes former WikiLeaks staffers who left the organization after disagreements with founder Julian Assange is pursuing plans for a rival document-leaking venture, said people familiar with their plans."
It's interesting to examine how the WSJ frames this story. They present it as if it were a bad thing. The reality is that having multiple outlets makes it more difficult for opponents to subvert the flow of information to the public. A single outlet represents a choke point that becomes an attractive target for prosecution, bribery, and disinformation campaigns. Don't think "competition," think "failover." - BB (2010-11-05)
RELATED: Here are some notes from a recent event at the NYU School of Law. "Wikileaks should be seen as one of many counter-authority initiatives stretching back three millennia, the numbers increasing rapidly via the Internet, including those using public benefit initiatives to hide the authoritarian -- every authoritarian allows a controlled counter for gloss." I find the last part of the previous sentence to be particularly disturbing. Every power structure tolerates a token amount of resistance to help legitimize itself. - BB (2010-11-06)
The Press, Intel Agencies, & Wikileaks
New York Times Op-ed: "Some say that what's important is the material itself. Whether or not Julian Assange is a rogue with a political agenda, what matters most is that The Times authenticates the information."
Cryptome: "This is the Times's vainglorious argument: we will take the information, for free, thank you very much, then transform it into our 'reputable' product. The same with spies. In the end there is little difference among thieves who steal open and leaked information and bump up the price as if exploiting sweat labor."
The Drive Towards National Operating Systems
Reliance on Windows has motivated countries like Russia, India, and China to think about building their own OS. The basic premise is that it may not be wise to base your core digital infrastructure on an OS that you don't own, control, and audit. Who really knows what's in that special sauce? Is that a genuine kernel bug or a cleverly disguised back door? Can you say "plausible deniability?"
Perhaps these governments should chat with Joanna Rutkowska. There's definitely something to be said for her disposable VM concept. Though I wonder how this would impact a forensic investigation?
One might speculate that certain problems we have regarding cyber security may be rooted in the short-term mindset of our culture in general. Executives focus on the next business quarter, politicians focus on the next election cycle, and as a result we never step back to see that there's a long-term endgame being played out; one that will require us to make investments that may not yield significant returns (or appear attractive) over the short-term but will be necessary for us to function as years turn into decades. -BB(2010-10-27)
"At 5pm EST Friday 22nd October 2010 WikiLeaks released the largest classified military leak in history. The 391,832 reports ('The Iraq War Logs'), document the war and occupation in Iraq, from 1st January 2004 to 31st December 2009 (except for the months of May 2004 and March 2009) as told by soldiers in the United States Army. Each is a 'SIGACT' or Significant Action in the war. They detail events as seen and heard by the US military troops on the ground in Iraq and are the first real glimpse into the secret history of the war that the United States government has been privy to throughout."
"The reports detail 109,032 deaths in Iraq, comprised of 66,081 'civilians'; 23,984 'enemy' (those labeled as insurgents); 15,196 'host nation' (Iraqi government forces) and 3,771 'friendly' (coalition forces). The majority of the deaths (66,000, over 60%) of these are civilian deaths. That is 31 civilians dying every day during the six year period. For comparison, the 'Afghan War Diaries', previously released by WikiLeaks, covering the same period, detail the deaths of some 20,000 people. Iraq during the same period, was five times as lethal with equivalent population size."
According to the Washington Post, major outlets like The New York Times, The Guardian, and Der Spiegel were granted early access to the War Logs and have established portals focusing on different aspects of the reports. -BB(2010-10-23)
RELATED: The New York Times reports that Afghan President Hamid Karzai has admitted that he accepts "bags of cash" from the Iranian government.
RELATED: PBS News Hour included a segment last night that addressed what we've learned from the leaked information. John Mearsheimer, a West Point graduate, former Air Force officer and professor at the University of Chicago had this to say: "It's quite clear from the documents that numerous cases are found where Americans were reporting these abuses. The problem is that people further up the chain of command, both the military and civilian individuals, didn't do anything to stop it. There is no question that the Americans knew what was going on. It's not like this was happening in the dark, and we only suspected it and didn't really know about it. We knew about it, and we didn't do anything to stop it. We effectively turned a blind eye. And this was strategically foolish and, I think, morally bankrupt."
RELATED: I thought the following excerpt from an article published by Der Spiegel summed things up nicely. "In one respect, the US Armed Forces, which compiled these documents, and the website WikiLeaks, which is now publishing them, share a common interest. Both organizations view the documents as an inside look at the Iraq war -- the most precise, detailed and comprehensive proximity to the bloody truth yet."
This Thursday, October 21st, our primary investigator and resident heretic will appear at San Francisco State University to speak on the gilded hyperbole of Cyberwar. Come see what drives the media frenzy behind this term and learn how the power brokers in our society manipulate our institutions to manufacture consent. -R. James (10/18/2010)
Former DHS secretary Michael Chertoff repeats a message originally promoted by former DNI Mike McConnell: deterrence. As I've pointed out, this is a flawed approach that could lead us to initiate hostilities against the wrong country. Anti-forensics has progressed to the point where it would be entirely feasible for one nation-state to frame another. Currently there seem to be any number of former government officials talking about Cyberwar, and this fact hints at the reasons why this idea has achieved so much momentum. -BB (2010-10-15)
RELATED: A Reuters article notes that "The Pentagon's biggest suppliers -- including Lockheed Martin Corp, Boeing Co, Northrop Grumman Corp, BAE Systems Plc and Raytheon Co -- each have big and growing cyber-related product and service lines for a market that has been estimated at $80 billion to $140 billion a year worldwide"
RELATED: The truth finally starts to come out. The BBC reports on the UK's recently published National Security Strategy. This document claims that Cyberwar is right up there with nuclear weapons and pandemics. These assertions have been made in light of annual cuts of 8% to the defence budget over the next four years.
John Markoff in the New York Times has written an article which intimates that the Stuxnet worm may be the work of Israel's Unit 8200. According to Markoff, "Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus... an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively."
Really? Personally I'd be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I've met are pretty sharp. Just ask Erez Metula.
It may be that the "myrtus" string from the recovered Stuxnet file path "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" stands for "My-RTUs," as in Remote Terminal Unit. See the following white paper from Motorola, it examines RTUs and PICs in SCADA systems. Who knows? The guava-myrtus connection may actually hold water.
As you can see, the media's propaganda machine is alive and well. -BB (2010-10-01)
UPDATE: Elinor Mills of cnet tries to separate fact from theory in this reality check. For example: there's no solid evidence as to who's behind the malware or even what country or operation was the intended target, and it's unknown if any serious damage has been done.
RELATED: As the frenzy over Stuxnet plods onward, the FBI has released details on Operation Trident Breach. According to the FBI's press release, criminals made off with roughly $70 million.
I'm sure you can see a pattern here. While we're distracted with a litany of ominous sounding potential threats to our welfare, actual losses caused by tangible crimes are occurring on a daily basis. As Bruce Schneier has pointed out, the solutions that we turn to depend on how we frame what's going on. Will we focus on Cybergeddon or will we focus on more mundane events that have an actual cost which we can directly measure?
Stuxnet: Despite Rumors and Hyperbole, Questions Remain
RELATED: George Smith observes that "the lack of substantial proof of success in offensive malware operations won't stop anyone in the business of insisting just the opposite... Stuxnet as a super cyber weapon is a hot, sexy story. The hype behind it is predictable, even logical"
RELATED: Cybercrime Continues As CyberWar Fizzles - "In a rash of dawn raids, police in the United Kingdom nabbed 19 people suspected of stealing more than $9 million from online bank accounts."
RELATED: Yet Even More Cybercrime - "The FBI and the U.S. Attorney's office in southern New York announced charges today against 37 people accused of being part of an international crime ring that stole $3 million from bank accounts." No rumors, no hype, no anonymous sources. Just hard facts. Cybercrime is the domain where we are suffering death by a thousand cuts.
The issue of attribution once again comes to the forefront. This morning an Associated Press article declared that "Government experts and outside analysts say they haven't been able to determine who developed it [Stuxnet] or why." Keep this in mind because there are any number of interests that stand to gain by planting the seed of suggestion.
Another thing that I found interesting was the admission by commercial researchers that this might not be the work of a nation-state. Rather, it might just be a "well-funded private entity." Trust me, there are plenty of these out in the wild (just take a look at how Presidential elections are financed in the United States). Contrary to popular belief, you don't necessarily need a billion-dollar budget to develop cyber weapons. Though I'm sure there are contractors who would insist that this is the case. Charlie Miller has asserted that paralyzing the United States would require two years of effort and less than 100 million dollars. In the case of Stuxnet, the estimate seems to be a team of 5-10 people. In my opinion, this kind of effort would easily be in reach of a private organization that has a few million dollars to throw around.
Finally, despite all the media buzz about what could have happened, according to Siemens none of the 15 industrial control plants that Stuxnet found its way into have been adversely affected. -BB (2010-09-26)
Not So Cutting-Edge Aspects of Stuxnet
Despite certain facets of this malware that are definitely notable (e.g. employing multiple 0-day exploits, the use of code signing certificates, auto-update with an option to use P2P channels in the event that the C2 node goes down), there are aspects of the implementation that surprised me as being slightly dated.
For example, to map DLLs into memory Stuxnet relies on a well-known hook-based approach that alters a handful of lower-level APIs used by the Kernel32.LoadLibrary() routine. This strategy generates forensic artifacts by virtue of the fact that a DLL loaded in this manner ends up in memory, and in the system's runtime bookkeeping, while failing to show up on disk (a telltale sign, just ask the response team at Guidance Software). In other words, the absence of an artifact is itself an artifact.
A less conspicuous strategy is to use what's been called "Reflective" DLL injection, which is what contemporary suites like Metasploit use. Essentially, reflective DLL injection sidesteps the Windows Loader entirely in favor of a custom user-mode loader (an idea that was presented years ago by researchers like the Grugq, e.g. Data Contraception).
Stuxnet also uses DLLs packed with UPX. Any anti-forensic developer worth their salt knows that UPX leaves a signature that's easy for a trained investigator to recognize. A brief glance at the file headers is usually enough. Once recognized, unpacking is a cakewalk. Now, I would expect that if the engineers who built this software took the time and care to implement the obscure PLC features that they did, they'd also have the resources and motivation to develop custom packing components. I mean, if you're going to pack your code, at least make it difficult for the forensic guy wading through your payload. C'mon! It's not that much work.
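To make the "brief glance at the file headers" concrete, here is an added Python checker (not code from the original post, and not taken from Stuxnet or UPX) that walks a PE section table and reports the stock UPX tells: the UPX0/UPX1 section names, the "UPX!" pack-header marker, and a code section that occupies no bytes on disk but a large range in memory. The two PE skeletons it runs against are constructed for the example and are not real binaries.

```python
"""Triage a PE file for the header-level signature that UPX leaves behind."""
import struct

# Section names the stock UPX build writes into the section table.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(pe):
    """Return [(name, virtual_size, raw_size, characteristics), ...] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_hdr_size        # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _va, raw_size, _raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, vsize, raw_size, chars))
    return sections


def upx_indicators(pe):
    """List the UPX tells found in the file headers (empty list means none seen)."""
    hits = []
    for name, vsize, raw_size, chars in parse_sections(pe):
        if name in UPX_SECTION_NAMES:
            hits.append(f"section name {name.decode()}")
        # UPX0 is the unpacking destination: no raw bytes on disk, a large executable range in memory.
        if raw_size == 0 and vsize >= 0x1000 and chars & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {name.decode() or '<unnamed>'} has no raw data but 0x{vsize:x} bytes in memory")
    # Coarse string check for the pack-header magic; a stripped stub would defeat it, names would not.
    if b"UPX!" in pe:
        hits.append("'UPX!' pack-header magic present")
    return hits


def build_pe(sections, upx_magic=False):
    """Construct a minimal PE skeleton (headers only, constructed sample, not a runnable binary)."""
    opt_size = 224                                   # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, raw_size, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, raw_size, chars in sections
    )
    trailer = b"UPX!" + bytes(28) if upx_magic else b""
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


# Constructed samples: a UPX-style layout and an ordinary compiler layout.
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x1A000, 0x0000, 0xE0000080),
    (b"UPX1", 0x05000, 0x4000, 0xE0000040),
    (b".rsrc", 0x01000, 0x0400, 0xC0000040),
], upx_magic=True)

CLEAN_SAMPLE = build_pe([
    (b".text", 0x5000, 0x5000, 0x60000020),
    (b".rdata", 0x2000, 0x2000, 0x40000040),
    (b".data", 0x3000, 0x1000, 0xC0000040),
])

if __name__ == "__main__":
    for label, sample in (("packed-looking", PACKED_SAMPLE), ("unpacked", CLEAN_SAMPLE)):
        print(label, "->", upx_indicators(sample) or ["no UPX indicators"])
```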
Why even use DLLs? Why not create some special-purpose file format that relies on a shrouded address table and utilizes an embedded virtual machine to execute one-of-a-kind bytecode? Really, if you have a federal budget backing you up why not go full bore? Heck, I know I would. Ahem.
What all of this seems to indicate is that the people who built this in some respects took the path of least resistance. They opted to trade development effort for a forensic footprint. Is this the super weapon that the media is making Stuxnet out to be? -BB(2010-09-24)
We've Met the Enemy and He Is...
When reading stories about espionage in the press there can be a tendency to adopt a mindset that frames incidents in terms of one nation-state versus another, and this often lends itself to tacitly assuming a sort of moral high ground. Or, put more mildly, it gives the general impression that a specific nation-state is an offender in this arena more so than other nation-states (e.g. man, it's those darn Canadians again!).
While certain intelligence agencies have been known to establish "special relationships," for the most part everyone spies on everyone else. Such is life in the theatre of international relations. As in the genre of noir fiction, everyone is dirty to some extent (even the protagonist). While most of the stories I've read seem to point to China or Russia as the usual suspects, I think it's interesting to note something that retired Air Force General Michael Hayden said during an interview on the Jim Lehrer News Hour program:
"There was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one.
The Chinese were a close second, but we were number one, which I think is simply a reflection that we are a technologically agile country, and we have very good intelligence services, and the rest of the world is kind of responding to that reality."
RELATED: Recall the Crypto AG story reported by the Baltimore Sun. If these allegations had been leveled at another country, you can imagine the outrage that we would have voiced.
"For four decades, the Swiss flag that flies in front of Crypto AG has lured customers from around the world to this company ...Some 120 nations have bought their encryption machines here. But behind that flag, America's National Security Agency hid what may be the intelligence sting of the century. For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents."
A Cyberwar Gulf of Tonkin Incident?
An article by SecurityWeek offers opposing viewpoints on the Pentagon hack.
Chester Wisniewski, Sophos Chief Security Adviser: "Why would a foreign intelligence agency attack the U.S. government with such a low-powered weapon? ...In his words, 'Either it wasn't put there by a foreign government or it wasn't agent.btz.'"
Tom Conway, McAfee's Director of Federal Business Development: "Why reveal your trade craft if something that's widely available on the black market will do the job?"
Comments: I'm inclined to side with Chester. The fact is that the agent.btz worm didn't "do the job." In an age of custom firmware rootkits, rogue hypervisors, and circuit-level subversion, a payload that "does the job" wouldn't have been discovered!
"Never ascribe to malice that which is adequately explained by incompetence" - Napoleon Bonaparte
If intel agencies from other countries had wanted data from top secret networks, I have a very hard time believing that they'd be anywhere near this sloppy. It sounds more like someone is exaggerating a pedestrian malware infestation as a means to bolster funding and then shielding themselves against further scrutiny by using the standard secrecy argument: "I can't tell you, it's classified." -BB (2010-09-05)
The decision makers at the Pentagon are at it again. According to an article published by the Washington Post, officials are considering preemptive strikes as a way to protect us. The difference is that it's being dressed up with new jargon; in this case it's being referred to as an "active defense." Oh, that's rich.
This suffers from the same basic problem as the doctrine of massive retaliation: attribution. If you can't identify the actual origin of an attack, it's an exercise in futility to build up a huge stockpile of offensive capabilities (unless of course you're in the business of building offensive weaponry). Furthermore, are we prepared to live with the consequences when we attack the wrong country? Correct me if I'm wrong but did we just spend close to a trillion dollars to protect ourselves from imaginary weapons of mass destruction? Think of what that money could have done here in the US if we had directed it towards health and human services.
In what military officials are calling the fifth domain, the best defense is not a good offense. We'd be much better off focusing on, well, defense. -BB (2010-09-02)
In this Foreign Affairs article, Deputy Secretary of Defense William Lynn hypes an incident with a thumb drive that occurred back in 2008:
"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control"
Reports from Wired appear to counter his assertions.
"Agent.btz is a variant of the SillyFDC worm... Agent.btz's ability to compromise classified information is fairly limited. SIPRNet, the military's secret network, and JWICS, its top secret network, have only the thinnest of connections to the public internet. Without those connections, intruders would have no way of exploiting the backdoor, or, indeed, of even knowing that agent.btz had found its way into the CENTCOM network... What spy service would launch such a lame attack?"
Another thing to keep in mind, dear reader, is that Foreign Affairs is a publication of the Council on Foreign Relations. -BB (2010-08-26)
UPDATE: The New York Times has printed an article on this. According to the Times, Lynn composed his Foreign Affairs essay "to raise awareness of the threat to United States cybersecurity ...and partly to make the case for a larger Pentagon role in cyberdefense."
I'd pay close attention to the second half of that previous sentence. -BB(2010-08-26)
"This CIA 'Red Cell' report from February 2, 2010, looks at what will happen if it is internationally understood that the United States is an exporter of terrorism..."
"The report looks at a number of cases of US exported terrorism, including attacks by US based or financed Jewish, Muslim and Irish-nationalism terrorists."
RELATED: A WSJ article that looks at how WikiLeaks conceals funding information. The empire strikes back, so to speak. -BB (2010-08-26)
"Secrecy hides privilege, incompetence and deception of those who depend on it and who would be disempowered without it...
A vast global enterprise of governments, institutions, organizations, businesses and individuals dependent upon the secrecy of abuse of secrecy has evolved into an immensely valuable practice whose cost to the public and benefits to its practitioners are concealed by secrecy...
Secrecy poses the greatest threat to the United States because it divides the population into two groups, those with access to secret information and those without. This asymmetrical access to information vital to the United States as a democracy will eventually turn it into an autocracy run by those with access to secret information, protected by laws written to legitimate this privileged access and to punish those who violate these laws."
This may sound a bit overblown. But consider this: according to the Top Secret America project, some 854,000 people (more than the entire city of San Francisco) hold top-secret security clearances. In the greater DC area, 33 buildings for top-secret intelligence work are under construction or have been built in the aftermath of September 2001. These structures consume the same amount of space as three Pentagons - roughly 17 million square feet.
Does John Young really sound so far off the mark? -BB (2010-08-23)
"Barclays Bank PLC, a United Kingdom corporation headquartered in London, has agreed to forfeit $298 million to the United States and to the New York County District Attorney's Office in connection with violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA)"
"According to court documents, from as early as the mid-1990s until September 2006, Barclays knowingly and willfully moved or permitted to be moved hundreds of millions of dollars through the U.S. financial system on behalf of banks from Cuba, Iran, Libya, Sudan and Burma, and persons listed as parties or jurisdictions sanctioned by OFAC in violation of U.S. economic sanctions."
Though this may seem like a lot of money at first blush, it's just a slap on the wrist, which Barclays will probably accept as the cost of doing business. At best, this is a symbolic victory. -BB (2010-08-18)
"The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies duplicate the same work."
"The major function of secrecy in Washington is to keep the U.S. people and U.S. Congress from knowing what the nation's leaders are doing. Secrecy is power. Secrecy is license. Secrecy covers up mistakes. Secrecy covers up corruption." - Major John Stockwell
In this New York Times op-ed, Richard Falkenrath applauds the United Arab Emirates for its recent decision to suspend BlackBerry service within its borders. The Canadian company that developed the technology, Research In Motion, has resisted modifying its infrastructure to enable authorities to easily intercept the data streams of selected users.
Falkenrath concludes: "In the end, it is governments, not private industry, that rule the airwaves and the Internet. The Emirates acted understandably and appropriately: governments should not be timid about using their full powers to ensure that their law enforcement and intelligence agencies are able to keep their citizens safe."
It's interesting to note that Falkenrath, who was a deputy homeland security adviser to President George W. Bush, now works for the Chertoff Group. The Chertoff Group is a consulting firm that derives its name from one of its principals, Michael Chertoff, the Secretary of the U.S. Department of Homeland Security from 2005 to 2009.
Co-CEO of Research in Motion responded that "Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."
RELATED: Nicholas Merrill (aka John Doe) of Calyx Internet Access finally speaks out.
"I kind of felt at the beginning, so few people challenge this thing, I couldn't just stand by and see, in my opinion, the basic underpinnings of our government undermined ... I was taught about how sophisticated our system of checks and balances is . . . and if you really believe in that, then the idea of one branch of government just demanding records without being checked and balanced by the judicial just is so obviously wrong on the surface."
"At the center of the drama was the posting last week of a massive 1.4 gigabyte mystery file named 'Insurance' on the WikiLeaks website. The 'Insurance' file is encrypted, nearly impossible to open until WikiLeaks provides the passwords. But experts suggest that if anyone can crack it - it would be the National Security Agency."
"'Do we believe that WikiLeaks has additional cables? We do,' said State Department spokesman P.J. Crowley. 'Do we believe that those cables are classified? We do. And are they State Department cables? Yes.'"
Cryptome: Doubts about the invulnerability of AES have persisted since NSA selected an algorithm from an AES competition that was considered by cryptographers not to be the strongest. And that it is likely for strongest protection NSA uses a top secret cryptosystem while promoting AES for public and official use. It is argued that NSA, like all official comsec agencies, would never endorse a system it could not secretly access. And these agencies never reveal that capability -- NSA's backdoor access to Crypto AG was revealed by an employee of the company.
The following excerpts are from an op-ed in The New Yorker.
"Shutting WikiLeaks down, assuming that this is even possible, would only lead to copycat sites devised by innovators who would make their services even more difficult to curtail. A better approach for the Defense Department might be to consider WikiLeaks a competitor rather than a threat, and to recognize that the spirit of transparency that motivates Assange and his volunteers is shared by a far wider community of people who use the Internet."
"There is a simple lesson here: whatever the imperfections of WikiLeaks as a startup, its emergence points to a real shortcoming within our intelligence community. Secrets can be kept by deterrence, that is, by hunting down the people who leak them, as Thiessen proposes, and demonstrating that such behavior comes with real costs, such as prison time. But there are other methods: keep far fewer secrets, manage them better."
Wikileaks and Our Foreign Policy
"No amount of rhetorical tap dancing will allow the White House to escape the fundamental contradictions that underlie U.S. policy toward Af-Pak."
Contradiction #1: We're in Afghanistan to prevent future attacks by Al Qaeda
"Now that al Qaeda can attack the United States, its friends and allies from Yemen or Somalia or Pakistan or London or New Jersey, it's hard to claim any uniqueness for Afghanistan. So, why does the United States have to fight the war there with 100,000 troops?"
Contradiction #2: We're in Afghanistan to prevent an extremist coup in Pakistan
"Here's where the new trough of secret WikiLeaks comes in. Pakistani military intelligence... is indeed helping the Taliban against Americans in Afghanistan. To boot, the Pakistani government is providing safe haven to the Taliban in Northwest Pakistan, thus making it militarily impossible for U.S. forces to smash them."
"The principal thing that WikiLeaks is doing and as I'm -- and I'm doing, also on another side, is we're trying to give a more fuller picture of the -- of the terrible situation in these countries, that the -- the U.S. military is killing thousands of people over there and that that is not being reported very well.
We regularly publish photographs put out by the Department of Defense about Afghanistan and Iraq. And there's never any carnage shown. You seldom see any of the carnage caused by the military in these wars. And war is carnage. But what you see are a kind of scenes you've just shown. And that's a -- that's an unbalanced view of what's happening there.
There is far more killing being done by the military in Afghanistan than there is by the Taliban, including innocent people. And we just don't get to see that. That is heavily censored. It's classified. It's not put out. What we get is the sanitized version that makes it look like the young soldiers are at risk or innocent civilians are at risk of being killed by the Taliban. But that is a completely inaccurate picture.
...the two talking points that are now being used to change the -- the dialogue about this leak. One is the risk of these informants. The other is that there's nothing new here. Those are talking points that are used by people who are trying to change the topic away from the carnage caused by the military into a polite kind of talking head version, as though there's nothing new here.
Notice that Admiral Mullen talked about blood on the soldiers' hands. WikiLeaks has answered that very effectively. He's changing the topic. He does not want to talk about what the military is doing in Afghanistan.
It is uncontrolled carnage going on over there as American policy. Otherwise, they'd be showing more of the truth."
This is it, dear readers. John Young is pointing out the propaganda machine in action. Pick up a copy of Noam Chomsky's Manufacturing Consent for a more detailed description of how the media works. -BB (2010-07-31)
I Walk The Line
"Mr. Assange can say whatever he likes about the greater good he thinks he and his source are doing, but the truth is they might already have on their hands the blood of some young soldier or that of an Afghan family. Disagree with the war all you want, take issue with the policy, challenge me or our ground commanders on the decisions we make to accomplish the mission we've been given, but don't put those who willingly go into harm's way even further in harm's way just to satisfy your need to make a point."
"Foresight requires trustworthy information about the current state of the world, cognitive ability to draw predictive inferences and economic stability to give them a meaningful home. It's not only in Vietnam where secrecy, malfeasance and unequal access have eaten into the first requirement of foresight ('truth and lots of it'). Foresight can produce outcomes that leave all major interest groups better off. Likewise the lack of it, or doing the dumb thing, can harm almost everyone."
In a bold move that probably constitutes this generation's version of the Pentagon Papers, Wikileaks has published thousands of classified documents that describe U.S. military operations in Afghanistan from 2004 to 2010.
The documents imply, among other things, that Pakistan's intelligence service may be assisting the Taliban despite the billions of dollars in support that Pakistan receives from the United States. In addition, as with Vietnam, things may be less encouraging than our leaders are willing to admit.
The White House has responded. Julian Assange dismissed accusations by Obama administration officials, stating that "We are familiar with groups whose abuse we expose attempting to criticise the messenger to distract from the power of the message."
"Mission Accomplished" proclaims the former President, with a big grin on his face. After spending hundreds of billions of dollars to no avail, one has to wonder who the winners are. My guess is that the answer to this question can be gleaned by scanning through annual reports of companies in the defense industry. Pay no attention to the man behind the curtain. -BB (2010-07-26)
The first time I heard the term Praetorian used, it was in a book written by former CIA agent John Stockwell. By the time you're done reading these three Washington Post articles you should have a pretty good idea what's driving all of the recent Cyberwar fear-mongering ...
Overview of Project : "'Top Secret America' is a project nearly two years in the making that describes the huge national security buildup in the United States after the Sept. 11, 2001, attacks."
Project Articles - PART 1
Quotes and Comments
"The U.S. intelligence budget is vast, publicly announced last year as $75 billion, 2 1/2 times the size it was on Sept. 10, 2001."
"Because it lacks a synchronizing process, it inevitably results in message dissonance, reduced effectiveness and waste ...We consequently can't effectively assess whether it is making us more safe." - Retired Army Lt. Gen. John R. Vines
comment: So, in other words, we have no idea if all of this money is simply a gift to the private corporate interests that help build this system.
"Secrecy can undermine the normal chain of command when senior officials use it to cut out rivals or when subordinates are ordered to keep secrets from their commanders."
"In the Department of Defense, where more than two-thirds of the intelligence programs reside, only a handful of senior officials - called Super Users - have the ability to even know about all the department's activities. But as two of the Super Users indicated in interviews, there is simply no way they can keep up with the nation's most sensitive work."
"'I'm not going to live long enough to be briefed on everything' was how one Super User put it. The other recounted that for his initial briefing, he was escorted into a tiny, dark room, seated at a small table and told he couldn't take notes."
comment: This makes me wonder if the people who are supposed to be in control are actually in control? Has the system been subverted by a cabal of mid-level people who know how to firewall the boss?
Project Articles - PART 2
Quotes and Comments
"Out of 854,000 people with top-secret clearances, 265,000 are contractors"
"Contractors can offer more money - often twice as much - to experienced federal employees than the government is allowed to pay them. And because competition among firms for people with security clearances is so great, corporations offer such perks as BMWs and $15,000 signing bonuses, as Raytheon did in June for software developers with top-level clearances."
"A 2008 study published by the Office of the Director of National Intelligence found that contractors made up 29 percent of the workforce in the intelligence agencies but cost the equivalent of 49 percent of their personnel budgets."
"The evolution of General Dynamics was based on one simple strategy: Follow the money... Revenue from General Dynamics' intelligence- and information-related divisions, where the majority of its top-secret work is done, climbed to $10 billion in the second quarter of 2009, up from $2.4 billion in 2000, accounting for 34 percent of its overall revenue last year"
comment: As I noted earlier, if all of this funding isn't necessarily making us more secure, then who is truly benefiting from the massive intel build up?
"In September 2009, General Dynamics won a $10 million contract from the U.S. Special Operations Command's psychological operations unit to create Web sites to influence foreigners' views of U.S. policy. To do that, the company hired writers, editors and designers to produce a set of daily news sites tailored to five regions of the world. They appear as regular news Web sites, with names such as 'SETimes.com: The News and Views of Southeast Europe.' The first indication that they are run on behalf of the military comes at the bottom of the home page with the word 'Disclaimer.' Only by clicking on that do you learn that 'the Southeast European Times (SET) is a Web site sponsored by the United States European Command.'"
comment: Widespread manipulation of public opinion is alive and well. Don't think for a minute that it's only limited to other countries.
Project Articles - PART 3
Quotes and Comments
"From the road, it's impossible to tell how large the NSA has become, even though its buildings occupy 6.3 million square feet - about the size of the Pentagon - and are surrounded by 112 acres of parking spaces. As massive as that might seem, documents indicate that the NSA is only going to get bigger: 10,000 more workers over the next 15 years; $2 billion to pay for just the first phase of expansion; an overall increase in size that will bring its building space throughout the Fort Meade cluster to nearly 14 million square feet."
"Six of the 10 richest counties in the United States, according to Census Bureau data, are in these [Fort Meade] clusters."
"Loudoun County, ranked as the wealthiest county in the country, helps supply the workforce of the nearby National Reconnaissance Office headquarters, which manages spy satellites. Fairfax County, the second-wealthiest, is home to the NRO, the CIA and the Office of the Director of National Intelligence. Arlington County, ranked ninth, hosts the Pentagon and major intelligence agencies. Montgomery County, ranked 10th, is home to the National Geospatial-Intelligence Agency. And Howard County, ranked third, is home to 8,000 NSA employees."
comment: All animals are equal. It's just that some animals are more equal than others. This is your federal tax money at work.
David C. Gompert: Acting Director of National Intelligence
Wired: "This piece is about much more than dollars. It's about what used to be called the Garrison State: the impact on society of a praetorian class of war-focused elites. Priest and Arkin call it 'Top Secret America,' and it's so big and grown so fast, that it's replicated the problem of disconnection within the intelligence agencies that facilitated America's vulnerability to a terrorist attack."
The Office of the DNI: Attempts to apologize for redundancy, mission overlap, and poor information sharing.
The Atlantic: "The culture of secrecy has fascinated observers and participants for decades. It is always deplored as a fundamental rejection of American values: citizens need reliable information in order to exercise their rights, and lawmakers cannot use the cloak of secrecy to hide their own sins. But somehow, the secrecy apparatus resists all efforts to shrink it. Presidents come and go, but secret-keepers burrow deep into the government."
Salon: "Secrecy is the religion of the political class, and the prime enabler of its corruption. That's why whistle blowers are among the most hated heretics. They're one of the very few classes of people able to shed a small amount of light on what actually takes place."
"Over the past two years, one of the most thought-provoking observations I have heard from both military and intelligence folks is this: There are probably 500 al-Qaeda members left in the Afghanistan-Pakistan region. At most, the organization may have a couple thousand people worldwide. Why do we need such a large intelligence effort - the 1,300 agencies we identified that are a part of this effort - to defeat a couple thousand people?" - Question posed by Dana Priest
1. This issue does not affect any Dell PowerEdge servers shipped from our factories and is limited to a small number of the replacement motherboards only which were sent via Dell's service and replacement process for four servers: PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410. The maximum potential exposure is less than 1% of these server models.
2. Dell has removed all impacted motherboards from the service supply. New shipping replacement stock does not contain the malware.
3. The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.
4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer's operating system.
5. Systems running non-Microsoft Windows operating systems cannot be affected.
6. Systems with the iDRAC Express or iDRAC Enterprise card installed cannot be affected.
7. Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.
RELATED: Richard Bejtlich calls out Dell to step up their game with regard to how they handled the incident.
I have to admit, this story really caught my attention.
"We have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly. The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware as you indicated."
It will be interesting to see how this story unfolds. How did the malware find its way into the firmware? Who was responsible? Will we ever know? How can you protect yourself from this sort of subversion, especially on a tricked-out machine that only the OEM truly understands? -BB (2010-07-21)
Years ago, when the debate over offshore outsourcing took center stage, we were told that high-tech corporations were simply following their financial prerogatives by finding new ways to stay competitive in the free market economy. Never mind the long-term strategic costs that would come back to haunt us years later when the countries we shipped our jobs off to started to catch up with us. Naturally, many students saw the writing on the wall and pursued work in other fields. Why take out all of those student loans and devote years of your life preparing for a job that's headed overseas?
This "shortage" of computer security talent: we did it to ourselves. It's a symptom of a much larger problem. The unpleasant truth is that our leaders have willfully allowed this state of affairs to develop. This is because they're beholden to a powerful group of business interests that have no real sense of obligation to the U.S. as a country. Strictly speaking, the multinationals exist to generate value on behalf of their shareholders, whoever they may be.
Furthermore, I would contend that the free market argument is nothing more than an ideological ploy that's brought into discourse whenever it happens to be convenient. What exists in our society is a thinly veiled double standard. Unemployed workers can be sternly lectured by drug-addled radio commentators on the advantages of self-reliance. But for large corporations that need to be bailed-out or benefit from wars based on imaginary weapons of mass destruction, the welfare state must thrive to the tune of hundreds of billions of dollars.
To see where this trend is going to take us, I would start by reading a book published by the Cornell University Press (a notably conservative institution) entitled The State of Working America. If you want to extrapolate even further, research the origins of the term "Plutonomy."
Though free market advocates ridicule protectionist measures as decidedly un-American, Intel's former CEO Andy Grove has a few words of his own to offer:
"I fled Hungary as a young man in 1956 to come to the U.S. Growing up in the Soviet bloc, I witnessed first-hand the perils of both government overreach and a stratified population. Most Americans probably aren't aware that there was a time in this country when tanks and cavalry were massed on Pennsylvania Avenue to chase away the unemployed. It was 1932; thousands of jobless veterans were demonstrating outside the White House. Soldiers with fixed bayonets and live ammunition moved in on them, and herded them away from the White House. In America! Unemployment is corrosive. If what I'm suggesting sounds protectionist, so be it."
WSJ: Raytheon Wins $100 Million Classified Contract
According to an article written by Siobhan Gorman in the Wall Street Journal, Raytheon Co. has been awarded a $100 million classified contract to perform initial work on a program called "Perfect Citizen." Note that Gorman is relying on information received from "a person familiar with the project." This report claims that Perfect Citizen is a surveillance program intended to detect cyber attacks on organizations that maintain our critical infrastructure. Both the NSA and Raytheon declined to comment.
Reuters has also looked into this development. They quote an NSA spokesman who claims that "This is a research and engineering effort... there is no monitoring activity involved, and no sensors are employed in this endeavor." Other than that, both the NSA and Raytheon are very tight-lipped about the contract itself.
The Reuters article points to a speech given by Secretary of Defense William Lynn, where Lynn states that "more than 100 foreign intelligence organizations are trying to break into U.S. systems."
What this seems to confirm is that the actual threats we face are related to espionage and cybercrime. I think it's pretty safe to assume that nation-states spy on each other, and that espionage has been going on for centuries. Furthermore, I bet we're neck deep in our own efforts when it comes to compromising systems in other countries, and so it strikes me as odd that people are so shocked when we happen to be on the receiving end.
The gilded hyperbole of cyberwar exists partially because certain contracting companies, consulting firms, and federal agencies know that they stand to benefit from the spotlight that's been put on the Internet. They know that with the right amount of fear-mongering they can steer some of the resulting federal funding their way. -BB (2010-07-10)
While government officials, and former government officials, stoke the flames of hysteria, it's reassuring to occasionally hear a measured voice of dissent. I'm speaking of Bruce Schneier's recent op-ed piece on CNN. Schneier states:
"Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. But we're not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion."
Based on the relative frequency of cybercrime and espionage, I would agree with him. These are the clear and present dangers. As Schneier points out, what cyberwar advocates tend to do is to lump everything together such that occurrences of espionage suddenly become acts of war. If that's the case, then it's safe to say that we're currently at war with half of the developed world, including our allies (and we have been for decades). For example, Schneier observes:
"Recent news articles have claimed that China declared cyberwar on Google, that Germany attacked China, and that a group of young hackers declared cyberwar on Australia. (Yes, cyberwar is so easy that even kids can do it.) Clearly we're not talking about real war here, but a rhetorical war: like the war on terror."
Though, I would add that, because attribution is such a basic issue, we may never know who was behind the attacks on Google. It could very well have been another nation-state using anti-forensic technology. For the time being, we only know that the attacks originated from China. I think that this is an important point.
So why all of the hyperbole? Why all of the semantic acrobatics? Why all of the doomsday Cassandras? According to Schneier:
"It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top."
Let's not forget all of those defense contractors and consulting firms that stand to make a tidy profit if the government decides to steer tax dollars in their direction. It's been well documented that these organizations have been bolstering their cyber divisions in anticipation of a windfall.
Instead of giving control of the Internet over to the military, Schneier advocates leveraging existing peacetime institutions that can be moderated by the judicial system and legal protections. I would also recommend that we focus on the core vectors that facilitate these attacks to begin with: like insecure software. -BB (2010-07-07)
Comments on The Economist, July 3rd - 9th, 2010 Issue
The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. Note the dramatic mushroom cloud and the intimations of mass destruction. The first article concludes that "countries should agree on more modest accords, or even just informal 'rules of the road' that would raise the political cost of cyber-attacks." It also makes vague references to "greater co-operation between governments and the private sector."
When attribution is a lost cause (and it is), international treaties are meaningless because there's no way to determine if a participant has broken them. The second recommendation is even more alarming because it uses a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions.
The following article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Perhaps this is because the author is grasping for examples to impress the reader with. Then there's also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author shows his true colors in closing when he concludes with the ominous warning that terrorists "prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage...for now."
What disturbs me the most is that The Economist never goes beyond a superficial analysis of the topic to examine what's driving all of the fear, uncertainty, and doubt. Perhaps that would be dysfunctional, as it might lead the press to investigate itself. To help shed light on what's taking place in the body politic, I've decided to release my Lockdown 2010 white paper and slide deck. Read through this material and then go back and re-visit the articles in The Economist. -BB (2010-07-03)
RELATED: A NYTimes article detailing proposed "solutions," including Howard Schmidt's "voluntary trusted identity" system and Vinton Cerf's internet driver's license.
Charlie Miller: "It would take two years and cost less than 50 million dollars a year to prepare a cyberattack that could paralyse the United States."
Bruce Schneier: "It's very easy to invent scare scenarios but this does not mean we should actually be scared by them."
The threat of cybercrime is real, just read the articles in Below Gotham's News section. Cyberwar, however, is more likely a pretext. The ultimate question is what can we do to protect ourselves from the former and insulate ourselves from the fear-mongering agenda of the latter?
As Estonian President Toomas Hendrik Ilves noted on the opening day of the conference: "we lack clear attribution to any political entity; we lack a response doctrine to apply were we to know who committed the aggression." This is a central issue that will define the debate that follows. I think that Richard Clarke may have touched a nerve when he started talking about regulating the software industry. -BB (2010-06-19)
Microsoft: "Don't regulate security in the software industry, don't let the Pentagon stop using our software no matter how many security flaws it has, and don't say anything about software production overseas or deals with China."
This isn't anything new to us folks who slog away in I.T. oblivion. What's interesting is that someone high up finally got the nerve to acknowledge the truth. Until we hold software vendors liable, we can expect the same lip-service that self-regulation has generated in the past. There are some public goods that the free market simply cannot generate. -BB (2010-06-10)
Fear and Loathing at Lockdown 2010
In mid-July our frontman, Bill, will be headed to the midwest to talk about manufacturing consent and the gilded hyperbole of cyberwar. He's been invited by the folks who run Lockdown 2010 at UW. -Rick James (June 3, 2010)
David Cornwell, also known by the pen name John le Carré, worked for both MI5 and MI6 before he retired in 1964 to focus on writing. His literary depiction of intelligence work is in stark contrast to the romantic stereotype promulgated by actors like Sean Connery and Pierce Brosnan. In what may be his best novel to date, The Spy Who Came in from the Cold, he uses the main character as a means to comment on the nature of his earlier profession:
"What do you think spies are: priests, saints and martyrs? They're a squalid procession of vain fools, traitors, too, yes; pansies, sadists and drunkards, people who play Cowboys and Indians to brighten their rotten lives. Do you think they sit like monks in London, balancing the rights and wrongs?"
When spies come in from the cold they often have trench-level insights that differ sharply from popular conceptions. Take Philip Agee's 1978 book entitled Dirty Work: The CIA in Western Europe, where he dispels several myths about the Central Intelligence Agency. For example:
Myth: The major problem is lack of control; that is, the CIA is a "rogue elephant."
"As former Secretary of State Kissinger told Representative Otis Pike's Intelligence Investigating Committee, 'Every operation is personally approved by the President.' ... Successive administrations - together with American-based multinational corporations - have continually demanded the freest possible access to foreign markets, labor, agricultural products, and raw materials. To give muscle to this demand for the 'open door', recent presidents have taken increasingly to using the CIA to strengthen those foreign groups who cooperate - and to destroy those who do not."
On the surface, this is just another glossy article put out by a university's PR department. But there are actually a couple of interesting nuggets embedded in this alumnus biography. For example, while most of the books that I've read seem to indicate that intelligence agencies draw primarily on the military to fill positions, my own experience is that agencies like the CIA also tend to attract people who possess what might be seen as unconventional backgrounds. Sometimes these are the best hires (Fidelity's Peter Lynch was a philosophy major as an undergraduate). Sulick has both components in his background; he served in the Marines and spent years in academia studying Russian literature.
Note Sulick's recruitment tactic: "Foreigners, certainly Russians who were my main target, are proud of their literature and are proud when a foreigner knows something about it. When you discuss literature with somebody, they reveal much about themselves."
If Sulick's career trajectory is any indication, it's my guess that twenty years from now the director of the CIA's Clandestine Service will be someone who's completely fluent in Farsi and Mandarin. Perhaps they will have analyzed the Persian translation of Shuǐhǔ Zhuan. -BB (2010-05-28)
Joe Riggins: Don't be a Know-It-All
Wednesday at CEIC 2010 I sat in on Joe Riggins' "Spy vs. Spy" presentation, which focused on the vagaries of the insider threat. Joe did a commendable job of maintaining our attention with a series of war stories. My personal favorite involved an engagement where a team from Guidance was inspecting a machine that processed credit card transactions. It had five (count them: five) different remote desktop applications installed on it. As it turned out, the server was managed by a number of administrators who couldn't agree on a standard package; definitely a case of too many cooks in the kitchen.
Joe also reported that organized crime elements in Russia are now making more money off of credit card fraud than the Colombian crime lords are making off the drug trade. Now that's one hell of a statement! While I'd like to know where he got that information, I wouldn't necessarily be surprised if it was true.
Finally, Joe hinted at where security software vendors will be headed to expand their market space: intelligent mobile devices. -BB (2010-05-28)
After my talk at CEIC 2010, a couple of people asked me where they could pick up a copy of The Rootkit Arsenal. The publisher (Jones and Bartlett) is offering copies at a discount. See the above link for details. -BB (2010-05-28)
More cyberwar doom and gloom. Who can come up with the best movie script? Mike McConnell or Richard Clarke? - BB (2010-04-28)
Cryptome's John Young adds his two cents:
"Pity Kakutani [book review author], dim-wittingly flogging for two highly paid promoters of cyber pearl harbors. Cybersec, a favorite DC scam spreading around the globe, meanwhile all govs and coms working together are going full speed at spying on cyber users, as ever, for racketeering national security. What the racketeers want is perfect cybersecurity for their trashing that of everyone else."
SOURCE Boston 2010 Post-Game Wrap-up
The demands of my job prevented me from staying for more than a day, so I sat in on a couple of presentations on the 22nd. Perhaps that's a good thing, as my mere presence tends to attract black helicopters and clean cut fellows talking into their sleeves. All told, Stacy Thayer and her SOURCE co-conspirators did an admirable job of managing the flow of people and events. The weather was balmy, the lobster was fresh, and (best of all) the Seaport Hotel, where the event took place, was a $2 bus ride from Boston Logan International. -BB (2010-04-23)
Assurance at Oracle
Mary Ann Davidson is a suit that doesn't sound like a suit. This is definitely a mark in her favor. During her presentation she described how Oracle is trying to build assurance into its products. She said that it isn't so much about establishing a brigade of security police as it is about putting the requisite expertise into development so that engineers do the right thing to begin with. Prevention beats detection, so to speak. Davidson observed: "My goal in life is to be out of a job."
Opting Into Surveillance
By far, this was the highlight of the day. Moxie Marlinspike offered an insightful look at how small choices about the technology we use can end up being big choices that impact our ability to participate in society. His delivery was crisp and very entertaining. Why mandate telescreens when you can solicit people to voluntarily be monitored? Who needs TIA when we have Google? Who knows more about their local population: Kim Jong-Il or Google? (Hint: it's not Kim Jong-Il).
I was in the front row taking notes and midway through the talk he came rushing over to where I was seated. At that very moment, I had visions from the movie The Manchurian Candidate flashing through the back of my mind. The Man was finally going to dispatch me with a deep cover plant. Lucky for me, Moxie just wanted a glass of water. "I should have planned ahead," he muttered under his breath.
The Current State of Metasploit
HD was back, and this time he was wearing a suit and a bit more formal in his manner. Hey, give the guy a break, he's a father now. With the blessings of the demo gods, HD managed to pack two hours of material into a 60-minute period. As things stand now, Metasploit has attained the 100,000 LOC mark in light of full-time QA and an accelerated release cycle. He also showed off a slick GUI interface and talked about the Express version's price tag (somewhere around $3K). I think what I appreciated the most was his side-comment that the presentation basically amounted to a thinly veiled sales pitch.
This past week, experts met at a Russian-sponsored security conference in Germany.
"During a panel discussion on computer crime, Col. Gen. Boris N. Miroshnikov, an official with the Russian Interior Ministry, and Stewart A. Baker, a fellow at the Center for Strategic and International Studies in Washington, and the former chief counsel for the National Security Agency, agreed that the most important step in combating Internet crime would be to do away with the anonymity that has long been a central tenet of Internet culture."
As Dan Geer has observed: "If the tariff of security is paid, it will be paid in the coin of privacy."
As Cryptome has observed: "There it is: spies oppose anonymity for anyone except their own criminal operators, winking, 'do what we say not what we do.'"
My thoughts: It's dangerous to install the machinations of a totalitarian state and then simply assume that it will never come to that. There was a time, not so long ago, when social security cards were printed with the caveat that they were not to be used for purposes of identification. -BB (2010-04-17)
RELATED: According to Lt. General Keith Alexander, the impact of new security technology on Internet privacy is classified.
Notable researchers Joanna Rutkowska and Rafal Wojtczuk (from Invisible Things Lab, aka ITL) have released an open source OS that uses virtualization technology to implement security through isolation. Given the architects' reputation with rootkit technology, who else would you trust to offer a secure platform? -BB (2010-04-07)
This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. It examines "a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."
As usual, attribution is an issue. The true identity of the attackers is unknown. -BB (2010-04-06)
"At exactly the time when U.S. government secrecy is at an all-time high, the institutions ostensibly responsible for investigation, oversight and exposure have failed. The American media are largely co-opted, and their few remaining vestiges of real investigative journalism are crippled by financial constraints. The U.S. Congress is almost entirely impotent at providing meaningful oversight and is, in any event, controlled by the factions that maintain virtually complete secrecy."
The CIA document that this article links to is particularly disturbing. Basically, it confirms my suspicion that leaders often depend on voter apathy and manipulate the local population to manufacture consent. It will be interesting to see how things unfold in Iceland. - BB (2010-03-29)
After All These Years: Zero-Day Exploits Persist
Hats off to Peter Vreugdenhil, who bypassed both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) as part of his bid to compromise IE8 at this year's CanSecWest. Well played, Peter.
RELATED: The renowned Charlie Miller also demonstrated his superior Black Hat Gong Fu with a Safari hack.
...One tends to wonder how much a fellow like Charlie could make on the open market by selling exploits to the people behind the current generation of APTs? This is literally the sort of technology that can make or break a covert operation. In my opinion, guys like Charlie are worth their weight in plutonium. BB - (2010-03-25)
In this essay, James Lewis states that: "Expanded attention to cybersecurity is a good thing, but it seems that it is difficult to discuss this topic without exaggeration. We are not in a 'cyber war.'"
Yet, this doesn't seem to have stopped people from using the term to encourage the sort of hysteria that leads to heavy federal spending. In my opinion, we need to be focusing on cybercrime, not cyberwar. - BB (2010-03-19)
When the New York Times publishes a story on you, you've definitely gotten someone's attention. Perhaps this is what happens when you release an unclassified copy of the "standard operating procedures" at Guantánamo Bay. Recently Wikileaks published an Army Counterintelligence analysis of the threat posed by Wikileaks. The report concludes:
"Wikileaks.org uses trust as a center of gravity by assuring insiders, leakers, and whistleblowers who pass information to Wikileaks.org personnel or who post information to the Web site that they will remain anonymous. The identification, exposure, or termination of employment of or legal actions against current or former insiders, leakers, or whistleblowers could damage or destroy this center of gravity and deter others from using Wikileaks.org to make such information public."
The report also speculates that Wikileaks may be supported by the CIA. As the accusations fly, and the water becomes ever more muddied, one is left to ponder who's telling the truth. Now you know why spies refer to their professional environment as the "hall of mirrors." -BB (2010-03-18)
Come see the tradecraft of the grand rumor mill. This excellent compilation of tactics is based upon "Appendix I: PSYOP Techniques" from "Psychological Operations Field Manual No. 33-1," published by Headquarters, Department of the Army, in Washington DC, on 31 August 1979.
UPDATE: To witness a classic example of this sort of manipulation, there's an article you can view online in Monday's WSJ. When it comes to overt, state-sponsored, propaganda on a large scale, China really excels. According to the WSJ's report:
"Chinese news Web sites have also been told they will be required to use only official accounts of the situation if Google.cn is closed... It's not uncommon for propaganda authorities in China to give orders dictating the nature of news coverage on sensitive issues where they fear dissent. The fact that authorities have decided that Google's situation should get that treatment suggests they know that many Chinese Internet users, tens of millions of whom are Google users, don't see things the same way the government does."
...Beware the Ides of March. -BB (2010-03-15)
The Big Haircut
Another remark that Robert Baer makes in the WSJ piece mentioned earlier is that "The art of assassination, the kind we have seen over and over again in Hollywood movies, may be as passé as killing people by arsenic or with a garrote. You just can't get away with it anymore."
This led to some lively banter among members of the lab this evening. OK, guarded by a phalanx of bodyguards and custom armored vehicles, how would one world power decapitate another nation state?
According to Colonel Stanislav Lunev, a Russian military officer who defected to the United States, the GRU planned to employ suitcase nukes to take out our leadership if the need ever arose. It makes sense, I guess. Why gamble on a huge operation that allows no margin for error when all you really need to do is get a high-yield bomb within range of a capitol building?
As Baer asserted: "If it had been a Russian hit, for instance, they would have used a pistol or a car bomb, indifferent to the chaos left behind." Or, in this case, a kiloton nuclear device. -BB (2010-03-03)
Here's an interesting WSJ article by Robert Baer, a former CIA spook. In it, he concludes that:
"There should be a cost-benefit calculation in deciding whether to assassinate an enemy... There's certainly an argument to be made that we should have assassinated Saddam Hussein rather than invade Iraq."
This sounds remarkably similar to ideas presented by Jim Bell over a decade ago in his "Assassination Politics" manifesto. The difference is that Bell takes Baer's somewhat offhand observation and follows through with it to reach a rather novel corollary.
"Consider how history might have changed if we'd been able to 'bump off' Lenin, Stalin, Hitler, Mussolini, Tojo, Kim Il Sung, Ho Chi Minh, Ayatollah Khomeini, Saddam Hussein, Moammar Khadafi, and various others, along with all of their replacements if necessary, all for a measly few million dollars, rather than the billions of dollars and millions of lives that subsequent wars cost."
"But that raises an interesting question, with an even more interesting answer. 'If all this is so easy, why hasn't this been done before?' I mean, wars are destructive, costly, and dangerous, so why hasn't some smart politician figured out that instead of fighting the entire country, we could just 'zero' the few bad guys on the top?"
"The answer is quite revealing, and strikingly 'logical': If we can kill THEIR leaders, they can kill OUR leaders too. That would avoid the war, but the leadership on both sides would be dead, and guess who is making the decisions about what to do? That's right, the LEADERS!"
"And the leaders (both theirs and ours!) would rather see 30,000,000 ordinary people die in WWII than lose their own lives, if they can get away with it. Same in Korea, Vietnam, the Gulf War, and numerous other disputes around the globe. You can see that as long as we continue to allow leaders, both 'ours' and 'theirs,' to decide who should die, they will ALWAYS choose the ordinary people of each country."
Not to mention that large military operations are costly affairs, demanding a nontrivial infusion of taxpayer dollars. -BB (2010-03-02)
New Information on Aurora Attacks "Leaked"
The New York Times reports that "people involved in the investigation" have disclosed that the recent attacks on Google have been traced back to Shanghai Jiaotong University and the Lanxiang Vocational School.
First it's Taiwan, then it's somewhere in the mainland, who knows where things will lead to next? Perhaps Toledo, Ohio? As the NYTimes article concedes, "computer industry executives and former government officials said it was possible that the schools were cover for a 'false flag' intelligence operation being run by a third country."
Keep in mind that, for all intents and purposes, this is a leak. As Cryptome has observed:
"Leaks depend upon secrets, they thrive on each other. Leakers and secret keepers are complicit and share characteristics: both exaggerate the importance of information they process, keep secret their sources and operations."
"The business of leaks has become a racket of journalism in cahoots with governments, maybe it always was, but it got a big boost in the 1960s and 70s. Leaks of secrets are now standard operating procedure of official and unofficial secret keepers to boost their budgets and privileges and to garner public belief and best of all, coins. Secret keepers supply leaks to media to lure eyeballs for advertising hypnosis."
The danger of leaks, and the gilded hyperbole that they often employ, is that they can lead to a sort of crisis mentality that's less resistant to plans that might otherwise not stand up to logical examination. Keep people off balance for long enough, on a steady diet of fear and anger, and they'll fall right into the trap that's been set for them by the people who stoke the flames of hysteria. -BB(2010-02-19)
UPDATE (More Leaks): Joseph Menn reports that an anonymous researcher working for the US government told the Financial Times that US analysts have identified the author of code used in the Google attacks.
According to this leak, the consultant who wrote this code isn't an employee of the Chinese government and didn't launch the attack, though he did post parts of his code to an online forum.
Great. In other words they still can't prove who performed the attack. For all we know, the attackers outsourced development, or perhaps trawled the internet looking for proof-of-concept sample code. Plenty of claims with little or no solid evidence; the SOP of media leakers. -BB(2010-02-22)
You'll Just Have to Trust Us
In matters of foreign policy, one way to sideline opposition is to employ the veil of national security. When "experts" try to pull this tactic, I'm reminded of a lecture that a former CIA officer named John Stockwell gave back in 1987. Stockwell, a Major in the Marine Corps who served on the subcommittee of the National Security Council as chief of the CIA's Angola Task Force, noted that:
"It's a very powerful argument, our presidents use it on us. President Reagan has used it on the American people, saying, 'if you knew what I know about the situation in Central America, you would understand why it's necessary for us to intervene.'"
When he questioned his superiors, they assured him that he should just focus on doing his job, that there were wise men in DC sitting in the National Security Council who had access to all the necessary information, who could see the big picture and make the tough decisions. After toiling for years in the field, Stockwell came in from the cold and was rewarded with the opportunity to peek behind the curtain. According to Stockwell:
"What I found, quite frankly, was fat old men sleeping through sub-committee meetings of the NSC in which we were making decisions that were killing people in Africa. I mean literally. Senior ambassador Ed Mulcahy... would go to sleep in nearly every one of these meetings...."
Stow this away somewhere in a far cranial recess, so that as the indictments fly over who is doing what to whom in the new cyber cold war (and why), you can maintain a semblance of objective equilibrium.
This is a fairly comprehensive summary of what's been released to the public so far. HBGary has also developed a tool that can remotely scan Windows machines for the Aurora code and remove it. With regard to identifying the ultimate source of the attacks, the report states:
"At this time, there is very little available in terms of attribution. A CRC algorithm tends to indicate the malware package is of Chinese origin, and many attacks are sourced out of a service called 3322.org, a small company operating out of Changzhou. The owner is Peng Yong, a Mandarin speaker who may have some programming background with such algorithms. His dynamic DNS service hosts over 1 million domain names. Over the last year, HBGary has analyzed thousands of distinct malware samples that communicate with 3322.org. While Peng Yong is clearly tolerant of cyber crime operating through his domain services, this does not indicate he has any direct involvement with Aurora."
Greg Hoglund, the company's CEO (and the godfather of Windows rootkits), recently acknowledged: "there's no hard evidence anywhere that shows that China's government has anything to do with it." Truth is, regardless of what the headlines in the mainstream media imply, we don't know yet who's responsible (though we can definitely speculate). If there's one lesson that I took from Black Hat DC last week it's that attribution on the Internet is problematic. -BB(2010-02-11)
Sort of ironic, given the recent NYTimes article on state-sponsored hacking. Then there's the TimesOnline report that quotes officers who believe that they should strengthen their military until China is "strong enough for a hand-to-hand fight with the US."
Talk about mixed messages. Pay no attention to the man behind the curtain. -BB(2010-02-07)
Black Hat DC 2010 Postgame Wrap-Up
Jeff Moss kicked off this year's Black Hat DC by observing that we'll probably never be able to completely eliminate cyber attacks, and because of this perhaps we should follow Israel's example and work on improving our response capabilities. He also mentioned the issue of attribution, my current pet peeve given all the media coverage that cyber-attacks have been getting.
Next up was keynote speaker Greg Schaffer, Assistant Secretary for Cyber Security and Communications. According to Moss, he's the highest-ranking DHS official ever to speak at Black Hat. It showed: lots of abstract references to "spaces" and "practices." Still, I did appreciate his observation that, in an age of worldwide connectivity, every unprotected node is a potential threat. This reminded me of Richard Bejtlich's "Protect The Data" blog entry.
The first session I attended was hosted by a panel of speakers, including the director of Network Abuse at GoDaddy.com. The underlying message (one which Joseph Menn would echo later the same day) was that going after offenders isn't terribly effective because law enforcement doesn't work well across international borders. In so many words, Russia and China don't do squat (and in some cases may actually be shielding offenders). To add insult to injury, when organizations like GoDaddy suspend domains, they end up getting lawsuits thrown at them. Granted, none of these suits has ever succeeded, but it's still expensive to go through all of the legal steps to get each one thrown out.
Joe Grand offered an informative discussion on how to cross over to the hardware side of hacking. A lot of what he touched on (e.g. the emergence of small-scale collaboration and outsourcing) reminded me of an article that appeared a while back in Wired Magazine about the rise of DIY.
If a Russian chief of police and his henchmen invite you to go hunting late at night after several rounds of vodka, lock yourself in your room and don't open the door for anyone. In this talk, Financial Times journalist Joseph Menn offered highlights from his recently published book "Fatal System Error." All told, Menn paints a pretty ominous picture. Though attribution is possible, it's very (very) resource intensive, and Russian authorities seem to be protecting high-level offenders. Menn suggests that we start over because, as things stand now, there's no way to impose the rule of law on the Internet.
Black Hat DC 2010: Day 02
The caveat of implementing wiretapping functionality in a network infrastructure, AKA Lawful Intercept, is that it can be turned against the people it was originally intended to help. The Athens Affair is a well-known example of this. In this session, IBM's Tom Cross examined flaws in Cisco's lawful intercept facilities. Cisco's architecture (documented in RFC 3924) provisions intercepts through SNMPv3, so the tap-control channel is only as strong as the SNMPv3 authentication and the management-network access controls that protect it.
Though I can relate to the basic premise of this session, that the goals of the average pen tester are constrained (and perhaps artificial), I disagree with the speaker's claim that "In general using rootkits to maintain control is not advisable or commonly done by sophisticated attackers because rootkits are detectable."
Stealth technology is part of the ongoing arms race between Black Hats and White Hats. To dismiss rootkits outright implies that this arms race is over (and I assure you, it's not). I suspect that Greg Hoglund, Jamie Butler, Holy Father, Joanna Rutkowska, and several defense contractors would all agree. By definition, the fundamental design goal of a rootkit is to subvert detection.
The grand finale of this year's Black Hat DC was a session led by HD Moore. This guy, HD, is a geek's geek; a man whose mind is working so fast that the words tumble out of his mouth like a 10 GB text file streaming to stdout. He gave the audience a personal history of the Metasploit project and some interesting insights into what can happen when the suits get involved. Congrats on the baby HD!
NOTE: I've put up the slides and white paper for my presentation.
Here's a story you don't read about every day... -BB(2010-01-29)
"There's also another, highly secretive market for zero days [exploits]: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability ...a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system."
UPDATE: The Register has called out the mainstream media over its reporting on China's connection with the recent Google attacks: "If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?"
The Christian Science Monitor reports that Marathon, ExxonMobil, and ConocoPhillips appear to have suffered at the hands of an Advanced Persistent Threat (APT). The attacks, which took place in 2008, targeted "bid data" which details the potential value of oil-bearing land.
The use of custom tools and spear-phishing hints at the involvement of skilled teams. At the same time, I'll admit that it's refreshing to note that the experts cited in this article have the integrity to admit that attribution is a fundamental problem, forgoing the urge to shout out accusations:
"A simple thirst for oil is no proof that a country is conducting corporate espionage. Even the suggestion, contained in one of the documents, that some data had flowed from a ConocoPhillips computer to a computer in China could have been the result of some other nation's cyber-spy unit co-opting Chinese servers to cover their tracks, experts say. Lee and other specialists admit that it will be difficult, and perhaps impossible, to ever determine definitively who was behind the attacks."
Read that last sentence carefully, and repeat it to yourself over the next few months. -BB(2010-01-26)
Fear and Loathing at SOURCE Boston 2010
In April, our spiritual fixer (Bill Blunden) will infiltrate the home of the Red Sox to speak at the SOURCE Boston conference. His talk will touch on the futility of disk-based forensic analysis. Presentation date TBA. -R. James (Jan. 23, 2010)
About now, I suppose that the engineers who designed the payloads used in the attacks on Google (whoever they may be) are wishing that the stealth technology and anti-forensic measures that they employed were half as good as those that U.S. intelligence agencies use. -BB(2010-01-19)
The China Syndrome - Updates
UPDATE: Metasploit has released a module that utilizes the IE exploit mentioned below.
UPDATE: Code used in the Google attack is now available.
UPDATE: A newsflash from Reuters reports that the United States has backed Google's decision to stop censoring its search results in China. An official from the Chinese government responded that all foreign companies are expected to abide by Chinese law.
Microsoft's CEO, Steve Ballmer, is anything but sympathetic:
"I don't understand how that helps us, and I don't understand how that helps China... There are attacks every day. I don't think there was anything unusual, so I don't understand."
I would agree that attacks happen every day. However, I think that the level of expertise demonstrated by the attackers, and the precise nature of the intrusions, warrants a certain amount of attention (especially when one of the targets is a high-profile corporation that publicly flaunts the intelligence of its employees).
Perhaps China doesn't want "help"? Perhaps they'd like this whole thing to blow over so that they can get back to business as usual. - BB (2010-01-15)
The China Syndrome: "Highly Sophisticated/Coordinated Attacks"
Big names like Google and Adobe have recently announced that they've been hit by precision-guided cyber attacks. According to the WSJ, Google and Adobe were among dozens of companies that the attackers targeted. Based on Google's response, it would appear that they believe the intrusions to be state-sponsored. I can almost hear Eric Cartman (screw you guys, I'm going home).
For those readers interested in the "how" of the attacks, this article from Wired magazine offers a number of details. Consultants from iDefense leaked specifics that Google has declined to confirm.
Though there seems to be a political angle to the Google attack, one thing's for sure: theft of intellectual property can offer a huge return on investment. Just ask Vladimir Kryuchkov, former KGB Chairman:
"Intelligence is probably the most profitable structure in the country. It pays its expenses with dividends. One single operation, concerning outer space, pumped 500 million dollars into our economy."
Hell, even Ugly Betty isn't safe! (The Chinese knock-off is a show called "Ugly Wudi")
Evgeny Legerov, of the Moscow-based company Intevydis, explains why he thinks responsible disclosure is flawed and why Intevydis is releasing a series of zero-day exploits:
"We do not support it [responsible disclosure]. Because it is enforced by vendors and it allows vendors to exploit security researchers to do QA work for free."
"You, ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time, wouldn't it be better to allocate resources to enforce good coding practices for all your amateur software developers?"
Offensive Technology in CS Programs
This morning the New York Times published a story detailing how American universities are scrambling to develop academic programs that focus on computer security:
"Banks, military contractors and software companies, along with federal agencies, are looking for 'cyber ninjas' to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries."
Here's a question: how many of these newly minted programs give their students first-hand experience creating offensive (e.g. malicious) software? The Times article mentioned an MS program in cyber-security offered by NYU-Poly. I checked out the curriculum for this program and didn't see anything remotely resembling a course on malware design. Why are institutions in other countries, like Canada and Finland, able to offer such courses? Furthermore, will this state of affairs put the U.S. at a long-term strategic disadvantage?
The best way to construct an effective defense is often through direct exposure to offensive technology (why should the bad guys be the only ones with the requisite know-how?). If we fail to encourage an open discussion of malware analysis and development in academia, we'll end up in a position where we're constantly playing catch-up with the Black Hats. Given the steady rise of cyber-crime over the past few years, this is not somewhere that the United States will want to be. -BB (2010-01-04)