<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-13370348</atom:id><lastBuildDate>Sat, 18 May 2013 20:26:04 +0000</lastBuildDate><category>smart grid</category><category>Cyberwar Information Security</category><category>Windows XP</category><category>sullivan</category><category>sarasota</category><category>loss</category><category>ESET</category><category>DefCon</category><category>NRO</category><category>privacy</category><category>adobe</category><category>business continuity</category><category>data theft</category><category>consequences</category><category>security webinar</category><category>cia</category><category>firefox</category><category>trusecure</category><category>incident management</category><category>twitter worm</category><category>information security</category><category>blogs of note</category><category>Wikileaks</category><category>icsa labs</category><category>web 2.0</category><category>mobile security</category><category>cyber-security</category><category>spam</category><category>network security</category><category>satellite internet</category><category>tweet spam</category><category>voicemail hacking</category><category>Mike Cobb</category><category>cobb.com</category><category>fraud</category><category>ISSAP</category><category>facebook</category><category>security incident</category><category>ncsa</category><category>botnets</category><category>zcobb</category><category>Windows 
Vista</category><category>hactivists</category><category>mecs</category><category>PDF</category><category>security</category><category>criminal hacker</category><category>SANS</category><category>information system security</category><category>data privacy</category><category>violence</category><category>gotchas</category><category>merion school</category><category>cracker</category><category>dst</category><category>Windows NT</category><category>information assurance</category><category>UK</category><category>share price</category><category>ponemon institute</category><category>IA</category><category>Search Security</category><category>due diligence</category><category>usc hack</category><category>HIPAA</category><category>NOTW</category><category>senility</category><category>Symantec</category><category>risk displacement</category><category>saas</category><category>ie7</category><category>tabbed browsing</category><category>stolen data</category><category>scam</category><category>frost</category><category>Vista</category><category>security breach</category><category>Microsoft</category><category>GCHQ</category><category>computer security</category><category>trust</category><category>Tech Target</category><category>m.a.d.</category><category>CISSP</category><category>adobe acrobat</category><category>bradley manning</category><category>messagelabs</category><category>recount</category><category>hacking</category><category>cobb</category><category>crack</category><category>risk</category><category>paedophile</category><category>USA</category><category>ucla hack</category><category>extremism</category><category>IASSP</category><category>data breach</category><category>bill gates</category><category>security costs</category><category>internet explorer 7</category><category>CLAS</category><category>authorization</category><category>lower merion</category><category>liability</category><category>bots</category><category>black 
market</category><category>NSA</category><category>TechTarget</category><category>MCDBA. CESG</category><category>verizon</category><category>audit</category><category>SearchSecurity</category><category>hackers</category><category>electronic voting</category><category>secure society</category><category>banks</category><category>dare not walk alone</category><category>security awareness</category><category>drug sentence</category><category>denial of service</category><category>threat forecast</category><category>phishing</category><category>criminal hacking</category><category>acrobat</category><category>housekeeping</category><category>infrastructure</category><category>Microsoft Windows</category><category>HHS</category><category>other cobb blogs</category><category>twitter</category><category>security evangelist</category><category>DoS</category><category>information technology</category><category>Assange</category><category>illegal</category><category>reader</category><category>phone hacking</category><category>inappropriate</category><category>election fraud</category><title>scobb's information security blog</title><description>Assorted information security and data privacy observations from me, Stephen Cobb, CISSP, Security Evangelist. Named a 2006 &amp;quot;Blog of Note!&amp;quot;
[Opinions herein are mine, not those of my employer.]</description><link>http://scobbs.blogspot.com/</link><managingEditor>noreply@blogger.com (Stephen Cobb)</managingEditor><generator>Blogger</generator><openSearch:totalResults>110</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/ScobbsSecurityBlog" /><feedburner:info uri="scobbssecurityblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>ScobbsSecurityBlog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-4839936615265090318</guid><pubDate>Sat, 30 Mar 2013 16:58:00 +0000</pubDate><atom:updated>2013-03-30T12:59:09.931-04:00</atom:updated><title>Criminal hackers force down volunteer site serving hemochromatosis help</title><description>Just a quick note to say that the website I created at &lt;a href="http://celticcurse.org/"&gt;CelticCurse.org&lt;/a&gt; is offline at the moment due to compromise by illegal access. It looks like criminal hackers forced their way into the server that hosts the site and installed their own code to launch DDoS attacks.&lt;br /&gt;&lt;br /&gt;If you are not familiar with the site, it is an entirely volunteer project that serves up information and resources for people with hemochromatosis, a potentially fatal genetic disorder that affects millions around the world. 
Due to low awareness in the medical community, hemochromatosis is widely under-diagnosed and often ill-treated, leading to a lot of needless pain and suffering.&lt;br /&gt;&lt;br /&gt;I am working to restore the site, but in the meantime people who need more information about hemochromatosis can visit:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The &lt;a href="https://www.facebook.com/Hemochromatosis"&gt;Facebook Hemochromatosis&lt;/a&gt; page (please Like the page, it will help spread the word).&lt;/li&gt;&lt;/ul&gt;If you want THE book on hemochromatosis, we highly recommend:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.amazon.com/Iron-Disorders-Institute-Guide-Hemochromatosis/dp/1402229437/ref=sr_1_1?ie=UTF8&amp;amp;qid=1364662362&amp;amp;sr=8-1&amp;amp;keywords=iron+disorder" target="_blank"&gt;&lt;img alt="Guide to Hemochromatosis" border="0" src="http://4.bp.blogspot.com/-RabFXkPb-_A/UVcZSVMda-I/AAAAAAAABds/KRDbypIxpZY/s1600/hemo-book.jpg" title="Guide to Hemochromatosis" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/YOxrPx169Nc/criminal-hackers-force-down-site.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-RabFXkPb-_A/UVcZSVMda-I/AAAAAAAABds/KRDbypIxpZY/s72-c/hemo-book.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2013/03/criminal-hackers-force-down-site.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-76932650020807256</guid><pubDate>Mon, 25 Mar 2013 15:45:00 +0000</pubDate><atom:updated>2013-04-05T11:46:22.605-04:00</atom:updated><title>More security articles from Michael Cobb, CISSP-ISSAP</title><description>&lt;ul&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" 
href="http://www.darkreading.com/advanced-threats/167901091/security/news/240150975/heading-off-advanced-social-engineering-attacks.html"&gt;  Heading Off Advanced Social Engineering Attacks&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;March 18, 2013  &lt;div class="searchResultsDek"&gt;An inside look at how social engineering attacks are developed -- and how you can protect your organization&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/smb-security/167901073/security/news/240146877/what-antivirus-shortcomings-mean-for-smbs.html"&gt;  What Antivirus Shortcomings Mean For SMBs&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;January 23, 2013  &lt;div class="searchResultsDek"&gt;Accepting the risks that come with relying solely on AV not only puts data at risk, but also could kill future earning potential&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/security-services/167801101/security/news/240145928/six-security-services-every-small-business-must-have.html"&gt;  Six Security Services Every Small Business Must Have&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;January 10, 2013  &lt;div class="searchResultsDek"&gt;A look at managed services for small and midsize businesses, and how to choose the ones that work for your organization&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/smb-security/167901073/security/news/240145757/five-security-tools-every-small-business-must-have.html"&gt;  Five Security Tools Every Small Business Must Have&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;January 08, 2013  &lt;div class="searchResultsDek"&gt;Small businesses often are short on security skills, staffing and budget. 
Here are five tools that can help&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/risk-management/167901115/security/news/240005079/measuring-risk-a-security-pro-s-guide.html"&gt;  Measuring Risk: A Security Pro's Guide&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;August 07, 2012  &lt;div class="searchResultsDek"&gt;A look at the tools for evaluating security risks -- and some tips for putting the resulting data into business context&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/threat-intelligence/167901121/security/news/240003744/evaluating-and-choosing-threat-intelligence-tools.html"&gt;  Evaluating And Choosing Threat Intelligence Tools&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;July 15, 2012  &lt;div class="searchResultsDek"&gt;So you want to collect and analyze your own threat data. What tools do you need? Here are some tips for finding the right ones&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/security-services/167801101/security/news/240001482/when-to-outsource-security-and-when-not-to.html"&gt;  When To Outsource Security -- And When Not To&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;June 04, 2012  &lt;div class="searchResultsDek"&gt;New Dark Reading report offers insights on the advantages and pitfalls of bringing in a third party to help with security&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/advanced-threats/167901091/security/news/232900475/how-did-they-get-in-a-guide-to-tracking-down-the-source-of-an-apt.html"&gt;  How Did They Get In? 
A Guide To Tracking Down The Source Of An APT&lt;/a&gt;&lt;/h3&gt;&lt;span class="searchResultsDate"&gt;April 18, 2012  &lt;div class="searchResultsDek"&gt;Advanced persistent threats can be complex and sophisticated. Here are some tips on how to analyze them&lt;/div&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;  &lt;h3&gt;&lt;a class="searchResultsHeadline contentgating_article" href="http://www.darkreading.com/advanced-threats/167901091/security/news/232602716/how-to-detect-and-defend-against-advanced-persistent-threats.html"&gt;  How To Detect And Defend Against Advanced Persistent Threats&lt;/a&gt;&lt;/h3&gt;&lt;/li&gt;&lt;/ul&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/hKew9yiqxnQ/more-security-articles-from-michael.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2013/03/more-security-articles-from-michael.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-2403381088003829695</guid><pubDate>Tue, 04 Dec 2012 19:10:00 +0000</pubDate><atom:updated>2013-03-03T14:11:28.302-05:00</atom:updated><title>More Cobb security resources</title><description>This is just a quick post to update links to Cobb-sourced information security resources. 
Here's a round of articles by Mike Cobb, CISSP:&lt;br /&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/9615/Security/Best-Practices:-6-Security-Services-Every-Small-Business-Must-Have.html"&gt;Best Practices: 6 Security Services Every Small Business Must Have&lt;/a&gt;&lt;br /&gt;&lt;div class="report-list" style="padding-bottom: 40px;"&gt;&lt;a href="http://reports.informationweek.com/abstract/21/9555/Security/Best-Practices:-5-Security-Tools-Every--Small-Business-Must-Have.html"&gt;        &lt;/a&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/9555/Security/Best-Practices:-5-Security-Tools-Every--Small-Business-Must-Have.html"&gt;Best Practices: 5 Security Tools Every  Small Business Must Have&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/8909/Security/Strategy:-Evaluating-and-Choosing-Threat-Intelligence-Tools.html"&gt;Strategy: Evaluating and Choosing Threat Intelligence Tools &lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/15/8840/Risk-Management/Strategy:-Measuring-Risk:-A-Security-Pro%27s-Guide.html"&gt;Strategy: Measuring Risk: A Security Pro's Guide&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/8830/Security/Strategy:-Finding-the-Right-Security-Outsourcing-Balance.html"&gt;Strategy: Finding the Right Security Outsourcing Balance&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/8746/Security/Strategy:-Tracking-the-Source-of-APTs.html"&gt;Strategy: Tracking the Source of APTs&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/8710/Security/Strategy:-Detecting-and-Defending-Against--Advanced-Persistent-Threats.html"&gt;Strategy: Detecting and Defending Against  Advanced Persistent Threats&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" 
href="http://reports.informationweek.com/abstract/21/8624/Security/Strategy:-Stop-Illicit-Data-Dumps.html"&gt;Strategy: Stop Illicit Data Dumps&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/8594/Security/Biometrics-for-the-Rest-of-Us.html"&gt;Biometrics for the Rest of Us&lt;/a&gt;&lt;br /&gt;&lt;a class="headline" href="http://reports.informationweek.com/abstract/21/8504/Security/Strategy:-Biometrics.html"&gt;Strategy: Biometrics&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And here is a handy link for the articles Stephen Cobb posts on the ESET blog:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.eset.com/author/scobb/"&gt;Stephen Cobb on the ESET blog&lt;/a&gt;&amp;nbsp; &lt;/div&gt;&lt;a href="http://reports.informationweek.com/8504/Cobb,%20Mike/author_bio.html?iframe=true&amp;amp;width=400&amp;amp;height=300" rel="prettyPhoto[authorbio]" target="_blank"&gt;&lt;/a&gt;&lt;span class="report-abstract"&gt;&lt;/span&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/Wm9Cjuf4O58/more-cobb-security-resources.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/12/more-cobb-security-resources.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-9084642928424728318</guid><pubDate>Sun, 07 Oct 2012 17:10:00 +0000</pubDate><atom:updated>2012-10-07T13:11:10.800-04:00</atom:updated><title>More Cobbs on Information Security: Selected articles by Stephen &amp; Michael</title><description>As you may know from my previous post, my &lt;a href="http://scobbs.blogspot.com/2012/07/cobbs-pc-and-lan-security-20th.html"&gt;first book on computer security&lt;/a&gt; was published in 1992. 
That led to an invitation to speak at the 1994 Virus Bulletin conference, and in 1996 I was one of the first people to pass the &lt;a href="https://www.isc2.org/cissp/default.aspx" target="_blank"&gt;CISSP exam&lt;/a&gt;. A few years later, my brother Michael Cobb became an MCDBA and then a CISSP, and later a CISSP-ISSAP.&lt;br /&gt;&lt;br /&gt;Michael, who also writes as Mike Cobb, is also CLAS (stands for the &lt;a href="http://www.cesg.gov.uk/Pages/homepage.aspx" target="_blank"&gt;UK's CESG&lt;/a&gt; Listed Advisor Scheme--CLAS consultants play a key role in providing Information Assurance advice to government departments and other organisations that provide services for the government.)&lt;br /&gt;&lt;br /&gt;Over the years Mike and I have written and spoken a lot about security. We've taught a lot of security classes, and delivered a host of security and privacy themed seminars, podcasts, and webcasts. Right now I am working up the strength to create a library of links to as many of these as I can find online. But in the meantime, here are 5 recent items from each of us.&lt;br /&gt;&lt;h3&gt;Michael's List&lt;/h3&gt;&lt;a href="http://4.bp.blogspot.com/-8jA6LElTJx0/UHCvcdzhODI/AAAAAAAABcQ/l41V5vvNqHM/s1600/michael-cobb.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img alt="Michael Cobb, CISSP" border="0" src="http://4.bp.blogspot.com/-8jA6LElTJx0/UHCvcdzhODI/AAAAAAAABcQ/l41V5vvNqHM/s1600/michael-cobb.png" title="" /&gt;&lt;/a&gt; Mike/Michael Cobb writes for a variety of publications, including SearchSecurity and Dark Reading. 
Here are 5 recent articles:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;a href="http://www.darkreading.com/risk-management/167901115/security/security-management/240005079/measuring-risk-a-security-pro-s-guide.html" target="_blank"&gt;Measuring Risk: A Security Pro's Guide&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.darkreading.com/threat-intelligence/167901121/security/news/240003744/evaluating-and-choosing-threat-intelligence-tools.html" target="_blank"&gt;Evaluating and Choosing Threat Intelligence Tools&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.darkreading.com/security-services/167801101/security/news/240001482/when-to-outsource-security-and-when-not-to.html" target="_blank"&gt;When To Outsource Security - And When Not To&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.darkreading.com/advanced-threats/167901091/security/news/232900475/how-did-they-get-in-a-guide-to-tracking-down-the-source-of-an-apt.html" target="_blank"&gt;How Did They Get In? A Guide To Tracking Down The Source Of An APT&lt;/a&gt;&amp;nbsp; &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.darkreading.com/advanced-threats/167901091/security/news/232602716/how-to-detect-and-defend-against-advanced-persistent-threats.html" target="_blank"&gt;How To Detect And Defend Against Advanced Persistent Threats&lt;/a&gt;&amp;nbsp; &lt;/li&gt;&lt;/ol&gt;&lt;h3&gt;Stephen's List&lt;/h3&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-5LZMarBYXnI/UHEbuvnMtFI/AAAAAAAABck/-yNt9O6cWYE/s1600/scobb-dspy.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-5LZMarBYXnI/UHEbuvnMtFI/AAAAAAAABck/-yNt9O6cWYE/s1600/scobb-dspy.png" /&gt;&lt;/a&gt;&lt;/div&gt;I write for the ESET Threat Blog as well as my own blog and SC Magazine's Cybercrime Corner. 
Here are 4 widely read items and an index of my posts from the ESET blog: &lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/06/19/data-security-and-digital-privacy-on-the-road-what-travelers-should-know" target="_blank"&gt;Data security and digital privacy on the road, what travelers should know&lt;/a&gt;&amp;nbsp; &lt;/li&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/08/20/fbi-ransomware-reveton-seeks-moneypak-payment-in-the-name-of-the-law" target="_blank"&gt;FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/05/23/malware-rats-can-steal-your-data-and-your-money-your-privacy-too" target="_blank"&gt;Malware RATs can steal your data and your money, your privacy too&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/04/28/privacy-and-security-in-the-consumer-cloud-not-so-fine-print" target="_blank"&gt;Privacy and Security in the Consumer Cloud: The not so fine print&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/author/scobb" target="_blank"&gt;Library of Stephen Cobb's articles on the ESET Threat Blog&lt;/a&gt;&amp;nbsp; &lt;/li&gt;&lt;/ol&gt;I hope you find this material helpful.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/X49eNHGCXe0/more-cobbs-on-information-security.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-8jA6LElTJx0/UHCvcdzhODI/AAAAAAAABcQ/l41V5vvNqHM/s72-c/michael-cobb.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/10/more-cobbs-on-information-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-8849391986370068384</guid><pubDate>Sun, 22 Jul 2012 18:30:00 +0000</pubDate><atom:updated>2012-07-22T16:06:16.499-04:00</atom:updated><title>Cobb's PC and LAN 
Security: 20th anniversary of publication (available as a free download!)</title><description>The &lt;b&gt;Stephen Cobb Complete Book of PC and LAN Security&lt;/b&gt; first appeared in print in 1992, an amazing 20 years ago. In celebration of this anniversary, I'm publishing a PDF copy of the most recent version of the book, freely downloadable under a Creative Commons license. The large file size of this 700 page tome led me to publish it in three easily digestible parts: &lt;a href="https://www.dropbox.com/s/233jf4fpd4sy1ml/cobb-pclan-security-chaps01-05.pdf" target="_blank"&gt;Part One&lt;/a&gt;; &lt;a href="https://www.dropbox.com/s/05nxyx0ai1ni9kd/cobb-pclan-security-chaps06-12.pdf" target="_blank"&gt;Part Two&lt;/a&gt;; and &lt;a href="https://www.dropbox.com/s/fuscs9e28248h08/cobb-pclan-security-chaps13-End.pdf" target="_blank"&gt;Part Three&lt;/a&gt;. (Yes, my organizational skills are legendary.)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&amp;amp;field-keywords=stephen+cobb+pc+and+lan+security" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-42GKZxke6Xg/UAsu7VdJJqI/AAAAAAAABXc/Q2qtWu08-98/s1600/pc-and-lan-security-amazon.png" /&gt;&lt;/a&gt;Despite the title, which was imposed by the publisher, the volume that appeared 20 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon.com did not exist when the first version was published. The images immediately on the right are the &lt;a href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&amp;amp;field-keywords=stephen+cobb+pc+and+lan+security" target="_blank"&gt;current Amazon listings&lt;/a&gt; of the three versions (which I will explain shortly). 
&lt;br /&gt;&lt;br /&gt;If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this:&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression.&lt;/blockquote&gt;I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia and history. At some point in the future it might be interesting to see what computer security looked like in the late 20th century.&lt;br /&gt;&lt;h3&gt;     Three Versions and a Free Version&lt;/h3&gt;I made a lot of changes when I turned that 1992 volume into&amp;nbsp;&lt;b&gt;The NCSA Guide to PC and LAN Security--&lt;/b&gt;a 700 page paperback that was published in 1995--but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as &lt;b&gt;Cobb's Guide to PC and LAN Security&lt;/b&gt;. This was done largely for sentimental reasons and the copies are only printed on demand. However, in that process I obtained a high resolution scan of the entire book. I then converted this to text using  Adobe OCR software. The result is what I have put online. 
(Warning: you may encounter OCR errors and artifacts; n&lt;span style="background-color: white;"&gt;o claims are made as to accuracy of the information in this document; use at your own risk and discretion).&lt;/span&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;LEGAL STUFF:&amp;nbsp;&lt;span style="background-color: white;"&gt;THIS FREE ELECTRONIC EDITION IS LICENSED BY THE AUTHOR FOR USE UNDER &lt;a href="http://creativecommons.org/licenses/by-nc-nd/3.0/" target="_blank"&gt;CREATIVE COMMONS&lt;/a&gt;, ATTRIBUTION, NONCOMMERCIAL, NO DERIVATIVES.&amp;nbsp;&lt;/span&gt;&lt;/blockquote&gt;&lt;h3&gt;     Computer Security Prognosis and Predictions&amp;nbsp;&lt;/h3&gt;I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992&lt;span style="background-color: white;"&gt;&amp;nbsp;&lt;/span&gt;&lt;b&gt;Stephen Cobb Complete Book of PC and LAN Security&lt;/b&gt;&lt;span style="background-color: white;"&gt;:&lt;/span&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. 
Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use.&lt;/blockquote&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/iJQlQVrClvs/cobbs-pc-and-lan-security-20th.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-42GKZxke6Xg/UAsu7VdJJqI/AAAAAAAABXc/Q2qtWu08-98/s72-c/pc-and-lan-security-amazon.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/07/cobbs-pc-and-lan-security-20th.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-5609576468485920718</guid><pubDate>Fri, 29 Jun 2012 06:34:00 +0000</pubDate><atom:updated>2012-07-22T02:38:03.067-04:00</atom:updated><title>Stuxnet, Flame, Information Security and Privacy Blog Posts</title><description>I thought I would update the blog for June by listing some of my recent articles and posts from elsewhere, mainly the ESET Threat Blog, unless stated otherwise.&lt;br /&gt;&lt;ul&gt;&lt;li style="text-align: left;"&gt;&lt;a href="http://blog.eset.com/2012/06/03/stuxnet-flamer-flame-whatever-name-there-is-no-good-malware"&gt;Stuxnet, Flamer, Flame, Whatever Name: There’s just no good malware&lt;/a&gt;&lt;/li&gt;&lt;li style="text-align: left;"&gt;&lt;a href="http://blog.eset.com/2012/06/13/impact-on-gdp-of-state-sponsored-malware-like-stuxnet-and-flame"&gt;The negative impact on GDP of state-sponsored malware like Stuxnet and Flame&lt;/a&gt;&lt;/li&gt;&lt;li style="text-align: left;"&gt;&lt;a "="" href="http://blog.eset.com/2012/06/19/data-security-and-digital-privacy-on-the-road-what-travelers-should-know"&gt;Data security and digital privacy on the road, what travelers should know&lt;/a&gt;&lt;/li&gt;&lt;li style="text-align: left;"&gt;&lt;a 
href="http://blog.eset.com/2012/07/05/cybercime-and-the-small-business-basic-defensive-measures"&gt;Cybercrime and the small business: Basic defensive measures&lt;/a&gt;&lt;/li&gt;&lt;li style="text-align: left;"&gt;&lt;a href="http://blog.eset.com/2012/05/23/malware-rats-can-steal-your-data-and-your-money-your-privacy-too"&gt;Malware RATs can steal your data and your money, your privacy too&lt;/a&gt;&lt;/li&gt;&lt;li style="text-align: left;"&gt;&lt;a href="http://blog.eset.com/2012/04/28/privacy-and-security-in-the-consumer-cloud-not-so-fine-print"&gt;Privacy and Security in the Consumer Cloud: The not so fine print&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.scmagazine.com/cyber-crime-as-a-market/article/240378/"&gt;Cyber crime as a market&lt;/a&gt;&amp;nbsp;- Information security experts often talk about the costs of cybercrime to businesses, but a new report from Russia quantifies how much criminals make in the "cybercrime market." (SC Magazine)&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.scmagazine.com/americas-privacy-and-security-enforcer/article/249082/"&gt;America's privacy and security enforcer&lt;/a&gt;&amp;nbsp;&lt;span style="background-color: white;"&gt;- The FTC has made major moves this year in its fight against cyber crime, and if enterprises and organizations aren't careful, they may be facing a team of the agency's investigators. (SC Magazine)&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;As you can see, the reports that Stuxnet was indeed a U.S. government project sparked a couple of articles. 
It also got me talking on a podcast: &lt;a href="http://itknowledgeexchange.techtarget.com/security-wire-weekly/demystifying-nation-state-attacks-and-their-impact/" title="Permanent Link to Demystifying nation-state attacks and their impact"&gt;Demystifying nation-state attacks and their impact&lt;/a&gt; &lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/WiHedU61H4g/i-thought-i-would-update-blog-for-june.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/06/i-thought-i-would-update-blog-for-june.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-2986837070724009547</guid><pubDate>Wed, 16 May 2012 22:20:00 +0000</pubDate><atom:updated>2012-07-01T18:21:07.620-04:00</atom:updated><title>QR Code Privacy Issues and AT&amp;T</title><description>Ouch! After saying that I thought &lt;a href="http://scobbs.blogspot.com/2012/04/at-gets-qr-code-scanner-right.html" target="_blank"&gt;AT&amp;amp;T had done a better-than-average job&lt;/a&gt; with its QR code scanner app for the iPhone someone pointed out that &lt;a href="http:/#" target="_blank"&gt;AT&amp;amp;T's scanner&lt;/a&gt; is one of a number of such apps that have privacy issues. 
The point was made in a comment&amp;nbsp;&lt;a href="http://blog.eset.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default" target="_blank"&gt;on the ESET Threat Blog&lt;/a&gt;&amp;nbsp;by Roger Smolski who runs this excellent &lt;a href="http://2d-code.co.uk/" target="_blank"&gt;website focused on QR codes&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-CtoFZANEaKE/T_DNE5lVa8I/AAAAAAAABWM/m-NxDPKCAI8/s1600/qr-code-scan.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-CtoFZANEaKE/T_DNE5lVa8I/AAAAAAAABWM/m-NxDPKCAI8/s1600/qr-code-scan.PNG" /&gt;&lt;/a&gt;&lt;/div&gt;It seems that, like me, Roger is a fan of technology but keeps a wary eye on potential downsides, like a QR code scanner that does more than the user bargained for. This definitely seems to be the case with the AT&amp;amp;T scanner, which lets AT&amp;amp;T know what you scan. I liked the AT&amp;amp;T scanner for installing with a preview option by default, but now dislike it because of this under-disclosed sharing of data that I consider personal (i.e. what QR codes I choose to scan).&lt;br /&gt;&lt;br /&gt;According to Roger, confirmed by his technical &lt;a href="http://2d-code.co.uk/qr-code-scanner-spy/" target="_blank"&gt;code scanner analysis&lt;/a&gt;, some QR scanner apps, like NeoReader, are gathering data on your use of the app. The AT&amp;amp;T scanner is an example of this. An example of a decent scanner that does not do this is &lt;a href="https://play.google.com/store/apps/details?id=com.google.zxing.client.android&amp;amp;hl=en" target="_blank"&gt;Bar Code Scanner&lt;/a&gt; for Android. I am going to have to look further for an iPhone QR Code scanner app that is independently confirmed as "non-tracking." 
In the meantime, here are other QR/privacy articles by Roger Smolski:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://2d-code.co.uk/qr-code-privacy-issues/" style="background-color: white;" target="_blank"&gt;Are There Privacy Issues With QR Codes?&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://2d-code.co.uk/scan-qr-codes-safely/" style="background-color: white;" target="_blank"&gt;Four Ways You Can Scan QR Codes Safely&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="background-color: white;"&gt;Oh, and BTW, FYI, it seems&amp;nbsp;QR Code is a registered trademark of Denso Wave Corp. So maybe I will adopt Roger's usage of 2D codes to avoid stepping on anyone's IP toes.&lt;/span&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/4uW3Xf6cfL8/qr-code-privacy-issues-and-at.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-CtoFZANEaKE/T_DNE5lVa8I/AAAAAAAABWM/m-NxDPKCAI8/s72-c/qr-code-scan.PNG" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/05/qr-code-privacy-issues-and-at.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-2188108707756096068</guid><pubDate>Mon, 23 Apr 2012 23:51:00 +0000</pubDate><atom:updated>2012-04-23T19:51:36.792-04:00</atom:updated><title>AT&amp;T Gets QR Code Scanner Right</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-jaju7elAp1w/T5Xpv2KN8SI/AAAAAAAABR4/m3eSZVUVa4s/s1600/qr-code.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-jaju7elAp1w/T5Xpv2KN8SI/AAAAAAAABR4/m3eSZVUVa4s/s1600/qr-code.PNG" /&gt;&lt;/a&gt;&lt;/div&gt;AT&amp;amp;T might not be the 
best-loved company in America but it deserves praise for getting something right: The QR code scanner that it supplies for the Apple iPhone has a preview-and-authorize mode installed as the default.&amp;nbsp;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have explained why this is important in this &lt;a href="http://blog.eset.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default" target="_blank"&gt;article on QR codes and NFC tags&lt;/a&gt;&amp;nbsp;which includes a video that makes the point quite vividly: You should not let your hardware act on the instructions embedded in a QR code or NFC tag without first knowing what those actions are. The &lt;a href="http://itunes.apple.com/us/app/at-t-code-scanner-qr-data/id381292358?mt=8" target="_blank"&gt;AT&amp;amp;T code scanner for iPhone&lt;/a&gt;&amp;nbsp;is set up to do that. Other scanners also have that ability but do not behave that way by default.&lt;div&gt;&lt;br /&gt;&lt;div&gt;I have bashed AT&amp;amp;T for poor wireless products and service on numerous occasions, but I believe in praise where praise is due. Security has long been a priority at AT&amp;amp;T. Over the years I have trained thousands of AT&amp;amp;T employees on everything from server security to security in the workplace. 
So I was happy to see their QR code reader was designed right.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/pLqIHDWi2Ns/at-gets-qr-code-scanner-right.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-jaju7elAp1w/T5Xpv2KN8SI/AAAAAAAABR4/m3eSZVUVa4s/s72-c/qr-code.PNG" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/04/at-gets-qr-code-scanner-right.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-2914471458990991810</guid><pubDate>Sun, 18 Mar 2012 01:33:00 +0000</pubDate><atom:updated>2012-03-17T21:33:42.909-04:00</atom:updated><title>Cybersecurity Reading List for March 2012</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Cybersecurity reports, blog posts, and white papers are not in short supply these days, so I thought I would help folks decide what subset to read. I'm hoping this will make up for some of the neglect this blog has suffered over the past few months, due in no small part to my heavy--yet enjoyable--workload at &lt;a href="http://www.eset.com/" target="_blank"&gt;ESET&lt;/a&gt;. &lt;br /&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;The paper "&lt;a href="http://cseweb.ucsd.edu/%7Eckanich/papers/" target="_blank"&gt;Follow the Money&lt;/a&gt;" offers great insight into the spam business today. 
A lot of other papers worth reading are listed on the same page.&lt;/li&gt;&lt;li&gt;The &lt;a href="https://www.trustwave.com/global-security-report" target="_blank"&gt;Trustwave Global Security Report 2012&lt;/a&gt; has a lot of interesting statistics, some quite surprising: "Industries with franchise models are the new cyber targets: more than a third of 2011 investigations occurred in a franchise business."&lt;/li&gt;&lt;li&gt;The &lt;a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf" target="_blank"&gt;Verizon 2011 Data Breach Investigation Report&lt;/a&gt; (pdf) is almost a year old but still worth reading if you haven't already. Good background for the 2012 report.&lt;/li&gt;&lt;li&gt;Some highlights from the forthcoming &lt;a href="http://www.readwriteweb.com/enterprise/2012/03/verizon-external-security-thre.php" target="_blank"&gt;Verizon 2012 DBIR&lt;/a&gt;, like "29% of threat incidents involved the ability to guess a user's password correctly."&lt;/li&gt;&lt;li&gt;Selections from the &lt;a href="http://blog.eset.com/" target="_blank"&gt;ESET Threat Blog&lt;/a&gt;:&amp;nbsp; &lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544" target="_blank"&gt;Drive-by FTP: a new view of CVE-2011-3544&lt;/a&gt;. Novel way to distribute the payload for the most common Java exploit.&lt;/li&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x" target="_blank"&gt;OSX/Imuler updated: still a threat on Mac OS X&lt;/a&gt; and hiding Trojan code in erotic pictures. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://blog.eset.com/2012/03/13/12028" target="_blank"&gt;Modern viral propagation: Facebook, shocking videos, browser plugins&lt;/a&gt;, spreading Koobface, Boonana, Win32/Delf.QCZ, Yimfoca, and more.&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/Xm9xHN77dvM/cybersecurity-reading-list-for-march.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/03/cybersecurity-reading-list-for-march.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-595903569144975136</guid><pubDate>Tue, 03 Jan 2012 00:33:00 +0000</pubDate><atom:updated>2012-10-06T15:41:13.800-04:00</atom:updated><title>Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;I read about the hacking of the California State Law Enforcement Association or &lt;a href="http://kevtownsend.wordpress.com/2012/01/01/anonymous-owns-the-california-state-law-enforcement-association-cslea-website/"&gt;CSLEA website by Anonymous&lt;/a&gt; "for fun and m4yh3m!" just after reading about the latest round of &lt;a href="http://www.chinadaily.com.cn/cndy/2011-12/30/content_14354458.htm"&gt;hacking of Chinese websites&lt;/a&gt;. &lt;b&gt;N&lt;/b&gt;ota &lt;b&gt;B&lt;/b&gt;ene: I am NOT saying Anonymous hacked the Chinese websites; I'm NOT talking about Chinese hacking of U.S. 
websites; and I'm NOT writing as an employee of any organization.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://www.chinadaily.com.cn/cndy/attachement/jpg/site1/20111230/00221917e13e10674ab60f.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="172" src="http://www.chinadaily.com.cn/cndy/attachement/jpg/site1/20111230/00221917e13e10674ab60f.jpg" width="320" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Cartoon depicting hacking in China Daily&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;What I am saying is that a new age of understanding may be dawning for those who seek to exploit unauthorized system access. For example, if the Chinese government has been turning a blind eye to hacking in China in the hopes of harnessing those hacking skills for state purposes--which is what some commentators have alleged--then the hacking of Chinese commercial entities by Chinese hackers seeking justice or attention (or both) should be raising serious doubts in government circles.&lt;br /&gt;&lt;br /&gt;Here's the sort of thing that happens when you don't enforce strict laws against unauthorized system access and rules requiring protection of personal data: &lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span id="articleText"&gt;&lt;span class="articleLocatio&amp;lt;/span&amp;gt;n"&gt;The website of China  Mengniu Dairy Co Ltd was hacked on Wednesday night after the country's  biggest dairy operator admitted some of its milk products contained a  cancer-causing substance, Chinese media reported. 
(&lt;a href="http://www.reuters.com/article/2011/12/29/mengniu-hack-idUSL3E7NT3B220111229"&gt;Reuters&lt;/a&gt;)&lt;/span&gt;&lt;/span&gt;&lt;span id="articleText"&gt;&lt;span class="articleLocatio&amp;lt;/span&amp;gt;n"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;span id="articleText"&gt;&lt;span class="articleLocatio&amp;lt;/span&amp;gt;n"&gt;Or this:&amp;nbsp;&lt;/span&gt;&lt;/span&gt; &lt;br /&gt;&lt;blockquote class="tr_bq"&gt;The Qihoo 360 Technology, an anti-virus company that claimed to offer free Internet security services to more than 300 million netizens, issued a red alert on Dec 22, saying that the databases of many websites were hacked recently, causing the leakage of more than 50 million Internet users' registered accounts and codes. (&lt;a href="http://www.chinadaily.com.cn/cndy/2011-12/30/content_14354458.htm"&gt;China Daily&lt;/a&gt;)&lt;/blockquote&gt;Of course, such things can happen even when you have strong laws and regulations in place, but laws tend to be obeyed in proportion to the degree to which they are enforced and the severity of punishment suffered by those judged to have broken them. The FBI and other U.S. authorities indicted scores of people for &lt;a href="http://www.blogger.com/Slwoly%20but%20surely%20ripping%20people%20off%20via%20the%20Internet%20will%20become%20a%20riskier%20proposition:%20http://www.scmagazine.com/fbi-wraps-up-2011-with-30-more-cyber-crime-indictments/article/221271/"&gt;cybercrimes in 2011&lt;/a&gt; and dozens are in jail awaiting trial. If the Chinese government begins to feel public pressure to clamp down on illegal hacking within China to a similar degree, that may prompt reassessment of its stance towards Chinese nationals who hack public and private entities outside China.&lt;br /&gt;&lt;br /&gt;Putting Internet scam artists behind bars strikes me as a noble undertaking in any country and the law enforcement folks who do this for a living deserve our thanks. 
Anyone who disapproves of &lt;i&gt;some&lt;/i&gt; actions taken by &lt;i&gt;some&lt;/i&gt; law enforcement agencies would be wise to show they understand that not all law enforcement is worthy of contempt. There's a good sci-fi story to be written about a 911 system that filters calls for help based on comments you have made about law enforcement on social networks. (How about a mandatory 10 minute response time penalty for people who habitually refer to law enforcement officers as scum?)&lt;br /&gt;&lt;br /&gt;As for hacking law enforcement agencies and security companies, here's something to consider: One of the first things you learn when you study information system security is that no information system is 100 percent secure. Not even the proverbial "box buried in the ground" with no power or connectivity is safe (because if someone digs it up I'm betting we can get the data off the hard drive if there was ever any written to it). Ergo, any use of any computer system anywhere involves risks to the data on the system. Connection = exposure.&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;Can you hack my system? Can I hack your system? Can entity Y hack system X? The answer is always Yes! The only variable is the means required.&lt;/blockquote&gt;When you study human behavior as a relationship between ends and scarce means that have alternative uses you realize the reason that most IT systems and websites are not hacked is because doing so would require too many means or have too few uses. Your home wireless network protected with WPA is less likely to be hacked than the WiFi belonging to the small business on the next block that employs WEP. The data on that network is likely to have more uses, and hacking WEP requires less means than hacking WPA. Of course, if you personally happen to be a high value target, that equation changes.&lt;br /&gt;&lt;br /&gt;And you do need to be savvy about the quantification of means and uses. 
Several decades ago we learned that teenagers with time on their hands can have, in the aggregate, greater means than a large software company (if said teenagers apply that time to try every possible way to break a piece of software). We also learned that defacing a website is "useful" to some people, for some meaning of &lt;i&gt;useful&lt;/i&gt; (think &lt;a href="http://scobbs.blogspot.com/2011/06/cia-website-hack-recalls-early-days-of.html"&gt;1996 CIA website hack&lt;/a&gt; used to send a message to the Swedish prosecutor Bo Skarinder). In other words, the uses of unauthorized access extend well beyond theft of data, IP, personal credentials, etc.&lt;br /&gt;&lt;br /&gt;Exposing the security weaknesses of a system you have hacked is a use of unauthorized access that might, one could argue, have redeeming virtues (in some cases it amounts to a free penetration test for the victim). However, there are diminishing returns to this type of hactivity. The main reason most systems fail penetration tests is not the stupidity of the system's operators, but the reality of scarce resources. And that goes 10X for non-commercial entities. Try securing a state or local government system on a shrinking budget that caps salaries for technical skills well below market rates. That's a real hacking challenge.&lt;br /&gt;&lt;br /&gt;Here is another great hacking challenge: Explain to the owner of a system whose security you have breached how they can maintain the profitability of their operation while improving security to a level you deem appropriate. 
I am not suggesting that anyone engage in attempting illegal system access, I'm just making the point that just because you can break into a system does not mean the owner of that system, or the people whose data are stored on the system, are worthy of scorn and public exposure.&lt;br /&gt;&lt;br /&gt;So when we see personal data pertaining to law officers or the clients of companies in the security space shared for any random scam artist to abuse, it is natural to wonder: Where's the fun in that? And if the point is mayhem (m4yh3m) one has to wonder what the end game is. In China they are now learning valuable lessons about the value of good information security. They are also learning about the need to respect other people's data privacy. We wish them well and trust our fellow citizens will provide examples of that kind of respect.&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/KPRnSjV3kxU/chinese-hacks-and-anonymous-hacking.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2012/01/chinese-hacks-and-anonymous-hacking.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-5879250853485422937</guid><pubDate>Sun, 14 Aug 2011 13:21:00 +0000</pubDate><atom:updated>2011-08-20T17:40:50.373-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">cracker</category><category domain="http://www.blogger.com/atom/ns#">DefCon</category><category domain="http://www.blogger.com/atom/ns#">ESET</category><category domain="http://www.blogger.com/atom/ns#">criminal hacker</category><category domain="http://www.blogger.com/atom/ns#">voicemail hacking</category><category domain="http://www.blogger.com/atom/ns#">phone hacking</category><category domain="http://www.blogger.com/atom/ns#">NOTW</category><category domain="http://www.blogger.com/atom/ns#">security evangelist</category><category 
domain="http://www.blogger.com/atom/ns#">hackers</category><title>Etymologically Speaking: Cracking or hacking, mobile phones or voicemail?</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-E5Fb20_vAQQ/TlAprbQxXFI/AAAAAAAABIM/Wb-02K4lYwo/s1600/phone-hack-vice.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="400" src="http://4.bp.blogspot.com/-E5Fb20_vAQQ/TlAprbQxXFI/AAAAAAAABIM/Wb-02K4lYwo/s400/phone-hack-vice.jpg" width="206" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;In the wake of the News of The World (NOTW) scandal in which "journalists" are alleged to have listened to, and sometimes erased, messages left on phones that did not belong to said journalists, the term &lt;i&gt;phone hacking&lt;/i&gt; has shot up the charts of widely misused phrases.&lt;br /&gt;&lt;br /&gt;As this very helpful &lt;a href="http://www.geeknewscentral.com/2011/07/11/how-to-hack-mobile-phone-voicemail/"&gt;article on Geek News Central&lt;/a&gt; points out, the NOTW scandal is not really about phone hacking, it is about voicemail hacking, which the article's title tries to make clear: &lt;b&gt;How To Hack Mobile Phone Voicemail&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;Like the proverbial &lt;i&gt;Trojan Horse&lt;/i&gt;, which was really neither horse nor Trojan, we are probably stuck with &lt;i&gt;phone hacking&lt;/i&gt; as a phrase hacked together by hacks to describe some types of phone system manipulation and/or phone user duping. Such subtle distinctions may not matter to some people, but I think they matter to information security professionals. Why? 
Because part of our role in society, one that I personally take very seriously, is trying to bring clarity to matters involving the theft of information, unwarranted invasions of privacy through the abuse of information systems, use of computer systems to commit fraud, and so on.&lt;br /&gt;&lt;br /&gt;And perhaps no word in recent memory has been more abused and hacked than &lt;i&gt;hackers&lt;/i&gt;. As Steven Levy firmly established more than 25 years ago in his book, &lt;a href="http://www.amazon.com/Hackers-Heroes-Computer-Revolution-Anniversary/dp/1449388396"&gt;Hackers: Heroes of the Computer Revolution&lt;/a&gt;, the word started out with a positive connotation, a subject he addressed at &lt;a href="http://venturebeat.com/2011/08/05/author-steven-levy-tells-young-hackers-about-their-religion"&gt;the recent DefCon hacker conference&lt;/a&gt; in Las Vegas.&lt;br /&gt;&lt;br /&gt;For almost as many years, my good friend &lt;a href="http://www.mekabay.com/"&gt;Dr. Mich Kabay&lt;/a&gt; has tried to maintain a consistent distinction between hackers and criminal hackers. In his copious writings and teachings on information assurance, Mich diligently avoids omitting the word criminal from the phrase, either for convenience or brevity (&lt;a href="http://www.google.com/search?cx=c&amp;amp;sourceid=chrome&amp;amp;ie=UTF-8&amp;amp;q=kabay+%22criminal+hackers%22+"&gt;see these Google results for examples&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;(In the 1990s, some people tried to get criminal hackers shortened to &lt;i&gt;crackers&lt;/i&gt; but that was doomed by ambiguity, between the decidedly non-technical use of the term &lt;i&gt;cracker&lt;/i&gt; in the Southern states and people who specialize in cracking encryption codes.) &lt;br /&gt;&lt;br /&gt;While criminal hackers are generally to be reviled for the mess they are making of otherwise beneficial technology, some hackers may be deserving of praise. 
You can get a personal perspective on this distinction by watching the excellent documentary made by another good friend, Ashley Schwartau, titled "&lt;a href="http://www.hackersarepeopletoo.com/"&gt;Hackers Are People Too&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;All of which underlines the ambiguity--some might say neutrality--of information technology, and the need to use care, as well as clear and specific language, when discussing its use or abuse. Voicemail can be incredibly useful, but it can be abused and cause pain when "hacked" by people of questionable ethics. Encryption can protect your private information from prying eyes, or allow a criminal hacker to hold your data for ransom. Cracking encryption can save lives or expose people to their enemies. &lt;br /&gt;&lt;br /&gt;You might say that the problem with technology is the people who abuse it. We need to distinguish them from the people who try to improve it. And choosing our words wisely is one way of making that distinction.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Footnote&lt;/b&gt;: I will have a lot more to say about this and other aspects of information security after September 1, which is when I transition to a new position: Security Evangelist for &lt;a href="http://www.eset.com/"&gt;ESET&lt;/a&gt;.&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/F_SnR5vMTeI/etymologically-speaking-cracking-or.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-E5Fb20_vAQQ/TlAprbQxXFI/AAAAAAAABIM/Wb-02K4lYwo/s72-c/phone-hack-vice.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/08/etymologically-speaking-cracking-or.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-6962590811833341167</guid><pubDate>Wed, 13 Jul 2011 02:57:00 
+0000</pubDate><atom:updated>2011-07-13T11:34:56.747-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">loss</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">phone hacking</category><category domain="http://www.blogger.com/atom/ns#">NOTW</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">consequences</category><title>The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming</title><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-2CjBNBuwv4w/Th26PqkGl3I/AAAAAAAABHQ/WfOfgyM-kX4/s1600/NOTW-phone-hack-PIN.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-2CjBNBuwv4w/Th26PqkGl3I/AAAAAAAABHQ/WfOfgyM-kX4/s320/NOTW-phone-hack-PIN.png" width="170" /&gt;&lt;/a&gt;&lt;/div&gt;In the context of data privacy, cyber security, and risk management I once wrote: "Failure to police your employees and sub-contractors can have serious consequences."&lt;br /&gt;&lt;br /&gt;In the last 6 days we have seen massive proof of that as the News of the World (NOTW) phone hacking scandal has erupted onto the world stage, spewing a toxic mix of consequences, the like of which we have never seen before.&lt;br /&gt;&lt;br /&gt;Consider anyone who owned stock in BSkyB. I documented their &lt;a href="http://scobbs.blogspot.com/2011/07/hacking-costs-billons-in-stock-losses.html"&gt;bad news yesterday&lt;/a&gt;. And consider any innocent employees of the News of the World who are suddenly without a job. 
If those people find it hard to get new jobs because of the stigma of being ex-NOTW employees, they could argue that NOTW robbed them of their professional reputation and possibly sue NOTW and its executives on that basis.&lt;br /&gt;&lt;br /&gt;I will admit that the possibility of getting sued for running a company in such a disreputable manner that you drag down your employees with you is not a risk that I had previously considered. But we now see that such a thing could play out as a consequence of a company hiring people to do illegal hacking, or turning a blind eye to hacking, in other words, failure to enforce ethical business practices and appropriate privacy policies. Here's what &lt;a href="http://www.guardian.co.uk/media/blog/2011/jul/10/news-world-hacking-scandal-live"&gt;the Guardian wrote on the subject&lt;/a&gt; around the 1.52pm mark on their July 10 live blogging of the NOTW scandal:&lt;br /&gt;&lt;blockquote&gt;Dismissed News of the World journalists who are unable to find replacement jobs and feel their professional reputations have been severely damaged could have legal grounds for suing News International, according to one employment law source. Owen Bowcott, who is the Guardian's acting legal affairs correspondent, writes about a Lords ruling that could have implications:&lt;br /&gt;&lt;br /&gt;"There is a precedent in a 1997 House of Lords judgment that covers the predicament of two former employees of the collapsed Bank of Credit and Commerce International who claimed they suffered the "stigma" of being associated with the ex-employer that put them at a "serious disadvantage" of finding new work. "In [Malik vs BCCI] the House of Lords upheld, in principle, the right of innocent ex-employees to sue a former employer for common law damages where revelations concerning the employer's corrupt practices had damaged their prospects of future employment in the industry," one employment expert suggested. 
"Corruption was assumed as a hypothesis for purposes of the decision"."&lt;/blockquote&gt;Bowcott went on to say "Loss of reputation, the 1997 judgment pointed out, is "inherently difficult to prove" but it added that there is an implied mutual obligation of trust and confidence between employer and employee." The House of Lords judgment concluded. "Difficulties of proof cannot alter the legal principles which permit, in appropriate cases, such claims for financial loss caused by breach of contract being put forward for consideration." &lt;br /&gt;&lt;br /&gt;So, there you have one more risk of bad corporate governance: Revelation of the company's corrupt practices damaging the employment prospects of your employees, leading to lawsuits. And to think it all started with a voicemail PIN number being guessed or social engineered.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/yrb5NNXPdqw/notw-phone-hacking-lessons-for-risk.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-2CjBNBuwv4w/Th26PqkGl3I/AAAAAAAABHQ/WfOfgyM-kX4/s72-c/NOTW-phone-hack-PIN.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/07/notw-phone-hacking-lessons-for-risk.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-888974773744257997</guid><pubDate>Tue, 12 Jul 2011 02:30:00 +0000</pubDate><atom:updated>2011-07-11T22:37:49.835-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">criminal hacking</category><category domain="http://www.blogger.com/atom/ns#">security incident</category><category domain="http://www.blogger.com/atom/ns#">loss</category><category domain="http://www.blogger.com/atom/ns#">share price</category><category domain="http://www.blogger.com/atom/ns#">NOTW</category><category 
domain="http://www.blogger.com/atom/ns#">hacking</category><title>Hacking Costs Billions in Stock Losses: 2.88 billion more reasons to enforce security policies</title><description>The negative impact of information security incidents on stock prices has been documented numerous times over the past ten years, but I think we are now witnessing the most dramatic hacking-related stock losses ever seen, as reported in the Guardian last Friday under the headline &lt;a href="http://www.guardian.co.uk/business/2011/jul/08/bskyb-murdoch-takeover-phone-hacking"&gt;BSkyB shares fall £1.8bn&lt;/a&gt;. For American readers:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;BSkyB is British Sky Broadcasting, a satellite TV company&amp;nbsp;&lt;/li&gt;&lt;li&gt;BSkyB is like DirecTV only bigger (based on Market Cap),&amp;nbsp;&lt;/li&gt;&lt;li&gt;the Guardian is a very reputable British newspaper, &lt;/li&gt;&lt;li&gt;one British pound is worth about $1.6, &lt;/li&gt;&lt;li&gt;that share drop erased $2.88 billion from the company's value.&lt;/li&gt;&lt;/ul&gt;What information security incident at BSkyB triggered this share drop? That's a trick question! The stock dropped because of the illegal hacking of voicemail by a person or persons hired by a British newspaper, News of the World, often referred to as NOTW.&lt;br /&gt;&lt;br /&gt;The owner of NOTW is Rupert Murdoch's News International (NASDAQ:NWS) which has been looking to buy BSkyB, pending approval by regulators, who may not be so keen to approve the deal given the mess that News International is now in as a result of the scandal surrounding the voicemail hacking. 
When you look at how the stock of NWS fared today you see where the term "fell off a cliff" comes from:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-HiS5WNZkMPM/Thusm6akchI/AAAAAAAABHI/68mOBgA-4Nc/s1600/nws-stock-dropper.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://2.bp.blogspot.com/-HiS5WNZkMPM/Thusm6akchI/AAAAAAAABHI/68mOBgA-4Nc/s320/nws-stock-dropper.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Bear in mind that NWS owns the Wall Street Journal, the New York Post and Fox everything, from movies to TV channels to TV stations.&lt;br /&gt;&lt;br /&gt;So what we have here is an amazing example of how a few people committing acts of hacking on behalf of one relatively small part of a big company can cause massive damage that extends beyond the company itself, not to mention &lt;a href="http://www.bbc.co.uk/news/uk-14067935"&gt;the victims of the hacking&lt;/a&gt;, like the parents of deceased soldiers and at least &lt;a href="http://www.guardian.co.uk/uk/2011/jul/04/milly-dowler-voicemail-hacked-news-of-world"&gt;one murder victim&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;And the collateral damage will roll on. People who own shares of BSkyB and NWS may sue the company executives. People laid off by the News of the World, which has been &lt;a href="http://www.newsoftheworld.co.uk/"&gt;closed for good&lt;/a&gt;, may sue for loss of reputation by association. Victims of the hacking may sue.&lt;br /&gt;&lt;br /&gt;All of which could have been avoided if the News of the World had adhered to privacy standards and ethical business standards. But the company allowed this to happen, over a period of years, so there can be no defense based on the existence of policies. 
(If you have your company network password taped to the bottom of your keyboard, in violation of company security policy, there is legal precedent for saying that is not grounds for dismissal if the company has tolerated everyone doing the same thing for some time.)&amp;nbsp; &lt;br /&gt;&lt;br /&gt;There will be much more about this hacking-induced upheaval as the days roll on...including the huge irony of hacking closing a major British newspaper, not because of outside criminal hackers breaking in, but because of insiders illegally hacking people outside the company.&lt;br /&gt;&lt;br /&gt;BTW, if you want the whole sordid story of this hacking debacle prior to this latest development, including police corruption and royal family secrets, this &lt;a href="http://en.wikipedia.org/wiki/News_of_the_World_phone_hacking_affair"&gt;Wikipedia article is a good source&lt;/a&gt;. I will end with a footnote on the BSkyB share value: the amount wiped out by the end of today was $3.84 billion.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/AfzW1mmDDGM/hacking-costs-billons-in-stock-losses.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-HiS5WNZkMPM/Thusm6akchI/AAAAAAAABHI/68mOBgA-4Nc/s72-c/nws-stock-dropper.JPG" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/07/hacking-costs-billons-in-stock-losses.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-587752191017296623</guid><pubDate>Sat, 18 Jun 2011 17:12:00 +0000</pubDate><atom:updated>2012-01-01T17:14:25.454-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">criminal hacking</category><category domain="http://www.blogger.com/atom/ns#">cia</category><category domain="http://www.blogger.com/atom/ns#">bradley manning</category><title>CIA Website Hack Recalls Early Days of 
eCommerce</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Recent hacking of the CIA website brings back memories of the earliest days of eCommerce on the Web and the first wave of website hacking. The first defacing of the CIA website was carried out in September 1996. For those too young to remember, here's what it looked like:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-Uu0sc3a7GGY/TfpkHfgmTTI/AAAAAAAABHA/d2G5KwBubJE/s1600/cia-hack-1995.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-Uu0sc3a7GGY/TfpkHfgmTTI/AAAAAAAABHA/d2G5KwBubJE/s1600/cia-hack-1995.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;The hacking was done by Swedish hackers using the name "Group Power Through Resistance" and their goals went beyond embarrassing the CIA. According to &lt;a href="http://techworld.idg.se/2.2524/1.337251/hackade-hemsidor-vi-minns"&gt;TechWorld Sweden&lt;/a&gt;: &lt;br /&gt;&lt;br /&gt;"The attack messages were primarily intended for the then Swedish state prosecutor [Bo Skarinder] who accused members of the Swedish Hackers Association of hacking. The sentence "Stop lying Bo Skarinder!" 
is remembered to this day."&lt;br /&gt;&lt;br /&gt;The most recent CIA website hack, as of this post, was the following effort by an Indian hacker who goes by "lionaneesh":&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.gmanews.tv/webpics/infotech/cia_thehackernews.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="240" src="http://www.gmanews.tv/webpics/infotech/cia_thehackernews.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Lionaneesh claims to have gained access by exploiting an XSS or cross-site scripting vulnerability (here's a &lt;a href="http://searchsecurity.techtarget.co.uk/tip/Cross-site-scripting-explained-How-to-prevent-attacks"&gt;detailed explanation of XSS&lt;/a&gt; written by my brother Mike).&lt;br /&gt;&lt;br /&gt;When Lion&lt;i&gt;aneesh&lt;/i&gt; tweeted about his exploits on a Twitter account his name was listed as Aneesh Dogra (that name has since been removed, but the Twitter account is still active). Posting a "follow me" message on a hacked CIA web page is one of the more interesting ways to gain followers (of which @lionaneesh now has 206).&lt;br /&gt;&lt;br /&gt;Via Twitter, Aneesh expressed affinity with LulzSec, the hacker group that claimed responsibility for an attack on the CIA earlier in the week. The page defaced by Mr.
Dogra was taken down quite quickly, but a screenshot of it was posted on The Hacker News (as &lt;a href="http://www.gmanews.tv/story/223774/technology/report-cia-site-hacked-defaced"&gt;reported on GMA NEWS&lt;/a&gt;, the Filipino news site).&lt;br /&gt;&lt;br /&gt;That first round of government agency website hacks in 1996 served as a wake-up call to eCommerce sites which were starting to come online at that time (a time when I was providing consulting services to such companies, via the NCSA that later became ICSA Labs, and the Miora Systems Consulting company that later became InfoSec Labs, founded by Michael Miora, Vincent Schiavone, David Brussin, and of course me).&lt;br /&gt;&lt;br /&gt;When I was writing my first paper on the topic of Internet Commerce, delivered at a conference in Hong Kong in early 1996, I struggled to find examples of website defacing. The one that does stick with me is a fur dealer who was targeted by animal rights activists. That sent a strong message about brand-tarnishing and activist-hacking, which became known as hacktivism. It also alerted companies to the truly global nature of the world wide web. You might write your website content for your customers, but the entire world can read it if they choose to do so.&lt;br /&gt;&lt;br /&gt;To this day I would advise companies against publishing content on their websites that advocates an unpopular point-of-view or employs insensitive language, unless they are well-prepared to repel attacks from people who do not share that point of view.
An example I used to cite was a timber industry website that was thinking of putting its newsletters online, the content of which was standard stuff within the industry, but a red flag to environmental extremists (who would be able to find it much more easily on the web than by getting a copy of the printed edition).&lt;br /&gt;&lt;br /&gt;A quick read of the &lt;a href="http://en.wikipedia.org/wiki/Hacktivism"&gt;Wikipedia page on hacktivism&lt;/a&gt; will tell you the term is still emotion-laden because both hacking and activism remain ambiguous terms, seen as the illegal actions of bad actors by those on the receiving end, and the right thing, done for good reason, by the doers. The issue is not made any easier by the pugnacious "shoot-the-messenger" reaction of many organizations to news that their systems are vulnerable.&lt;br /&gt;&lt;br /&gt;My wife encountered this when she questioned a suspicious network connection at a government facility containing highly sensitive classified data. She was angrily asked: "What do you think you're doing probing this network?" As a graduate of the &lt;i&gt;Stephen Cobb School of Tact and Diplomacy&lt;/i&gt; she avoided snapping back with the obvious: "My job!" Instead, she calmly explained that her boss had asked her to create a map of the network for which he was responsible and, in doing so, she had found an undocumented connection to an insecure network. Thanks to a boss who stood by his employee [my wife] the issue was resolved, but not before the threat of prosecution was raised by the "offended" party who owned the insecure network (and who chose to remain in denial of its insecurity).&lt;br /&gt;&lt;br /&gt;Many such stories are documented on the web and one can imagine a hacker finding a flaw in the CIA website wondering what to do about it. Tell the CIA? Who may come looking for you because they can't accept that (a) their site is insecure and (b) your intentions are honorable. Clearly this is a dilemma.
When you exploit the vulnerability that you have found you create an example that can be used to remind governments and companies that web security is not a fix-and-forget challenge but an ongoing effort. Nevertheless, the right thing to do is NOT hack the site. And hacking it for personal glory does nothing to help your claim that you were trying to do the right thing.&lt;br /&gt;&lt;br /&gt;Finally, it has to be said that if any federal government agency ought to be a showcase of website security best practices it is the CIA. I'm NOT saying they deserved to be hacked, but they deserve to be on the receiving end of probing questions. As do other government entities. For example, the method that Private Bradley Manning used to remove copies of classified government documents from SIPRNET, the ones that ended up on Wikileaks, was clearly a violation of policies and procedures that my wife laid down over ten years ago to address such problems. It is hard to argue that the people who chose not to enforce such policies are entirely blameless for what their actions, or inaction, allowed to transpire.&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/dn4ikfTJeJ0/cia-website-hack-recalls-early-days-of.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-Uu0sc3a7GGY/TfpkHfgmTTI/AAAAAAAABHA/d2G5KwBubJE/s72-c/cia-hack-1995.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/06/cia-website-hack-recalls-early-days-of.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-4730809751687535769</guid><pubDate>Sun, 08 May 2011 02:33:00 +0000</pubDate><atom:updated>2011-05-07T22:40:29.857-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">satellite internet</category><title>Internet Security and Satellite Internet: A gap that 
needs to be patched?</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Today there are over a million computers in America that connect to the Internet via a satellite connection, and the number continues to grow. During this past winter I used my spare time to write a white paper on satellite Internet connectivity, mainly to drive home the point that it is no substitute for DSL/cable/fiber when it comes to broadband access for rural communities. The white paper has just been published by the Rural Mobile and Broadband Alliance (&lt;a href="http://rumbausa.com" target="_blank"&gt;RuMBA&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;However, an interesting security issue came up in the course of writing this 22-page paper and I thought I would highlight it here. If you like, you can download the full report at no charge &lt;a href="http://rumbausa.net/downloads/rumba-satellite-wp-web.pdf" target="_blank"&gt;from this link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;One of the reasons nobody should seriously consider defining satellite Internet as broadband is the daily download limit that satellite services impose, typically about 400 megabytes a day, which is less than some operating system upgrades we have seen in recent years. These capacity limits are not just a serious inconvenience, they have serious implications for computer security.&lt;br /&gt;&lt;br /&gt;Basically, satellite Internet users have to turn off automated updating of operating systems and applications to prevent incurring costs and usage restrictions arising from bandwidth caps. 
However, as I am sure you know, computer and software makers increasingly rely on these automated processes to distribute the security “patches” required to prevent exploitation of computers by criminal hackers.&lt;br /&gt;&lt;br /&gt;Computers with unpatched operating systems and applications are a prime target for hackers as these machines are more easily exploited and turned into “zombies” under the control of attackers. Zombies are then orchestrated into “botnets” that are used to attack other systems, from commercial and government websites to utility systems and entire sections of the Internet itself. The Department of Homeland Security today considers unpatched consumer computers a threat to national security and the problem has been openly discussed by cyber-security officials at the federal level since at least 2002.&lt;br /&gt;&lt;br /&gt;Some might argue that computers on a relatively slow satellite connection (you're lucky to get above 256Kbps when uploading) are not attractive to botnet builders, but some botnet attacks don't need much speed or capacity to be effective. The fact that the IP address blocks occupied by these "at risk" systems are relatively easy to identify may also be considered an added risk factor.&lt;br /&gt;&lt;br /&gt;Solutions are possible, like special exemptions on bandwidth caps for authorized OS and application patches, but so far I have not heard any talk of these being implemented.
Since the federal government is currently handing over &lt;a href="http://blog.agrilan.com/2011/04/satellite-companies-win-stimulus-funds.html" target="_blank"&gt;tens of millions of taxpayer dollars&lt;/a&gt; to satellite Internet service providers to help them build their subscriber base, maybe that money should come with strings, like better provision for prompt security patching.&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/8udHXtXqUCo/internet-security-and-satellite.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>1</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/05/internet-security-and-satellite.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-5826854616966855878</guid><pubDate>Sun, 01 May 2011 20:48:00 +0000</pubDate><atom:updated>2011-05-03T14:25:03.922-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">scam</category><category domain="http://www.blogger.com/atom/ns#">spam</category><category domain="http://www.blogger.com/atom/ns#">tweet spam</category><category domain="http://www.blogger.com/atom/ns#">twitter</category><category domain="http://www.blogger.com/atom/ns#">fraud</category><title>Twitter Spam Getting Bad, Now Poisoning Health-Related Search Results</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-qUxPwNelRxA/TcBHOCDDk8I/AAAAAAAABFk/BMEtqMuCQQ0/s1600/sliced-worm-small.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-qUxPwNelRxA/TcBHOCDDk8I/AAAAAAAABFk/BMEtqMuCQQ0/s1600/sliced-worm-small.png" /&gt;&lt;/a&gt;&lt;/div&gt;What is Twitter spam? A whole bunch of "people" tweeting the same thing from accounts that are likely automated. 
These bogus accounts have a human name followed by a number, like Colettaj339. When you check out the profile you see this person has:&lt;br /&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Sent many tweets (all pushing links),&amp;nbsp;&lt;/li&gt;&lt;li&gt;Not followed anyone (Following=0).&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;In other words, the account merely exists to direct clicks to a promotion in return for money. Following the pattern of previous forms of spam, this Twitter-spam is growing fast and targeting vulnerable people.&lt;br /&gt;&lt;br /&gt;For example, I have been encountering more and more of this stuff when searching Twitter for the term "hemochromatosis" which is a scary and potentially fatal genetic condition that causes iron overload, a toxic buildup of iron in joints and organs like the liver, heart, brain, thyroid and so on.&lt;br /&gt;&lt;br /&gt;Given the pathetically poor level of knowledge about this condition that exists in the general medical population it is very common for people who find they have hemochromatosis to turn to various channels on the Internet for information, including Twitter.&lt;br /&gt;&lt;br /&gt;My hemochromatosis search on Twitter today found a bunch of tweeted links leading to a pitch page for an eBook on Iron Overload priced at $37. Bear in mind that the highly regarded and medically reviewed &lt;i&gt;Iron Disorders Institute Guide to Hemochromatosis&lt;/i&gt; can be purchased &lt;a href="http://www.amazon.com/Iron-Disorders-Institute-Guide-Hemochromatosis/dp/1402229437" target="_blank"&gt;in paperback on Amazon.com&lt;/a&gt; for a lot less than half that price, and can be had as an &lt;a href="http://www.amazon.com/Disorders-Institute-Guide-Hemochromatosis-ebook/dp/B004DCB302" target="_blank"&gt;eBook on Kindle&lt;/a&gt; for $9.89.&lt;br /&gt;&lt;br /&gt;Maybe the tweet-spammed book is brilliant and worth $37 but the large number of spam Tweets makes me doubtful.
And this is by no means the first targeting of hemochromatosis sufferers on Twitter. Tweet spam leading people to an article site has also used this hook. In fact, I'm willing to bet that whenever you search for a nasty disease, for example multiple sclerosis, you will see this Tweet spam. Here are some observations about this depressing phenomenon:&lt;br /&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;Cobb's First Law of Communications Technology: Every new communications technology will quickly be abused, most likely by people lying in the hopes of making money.&lt;/li&gt;&lt;li&gt;Twitter has not done enough to make sure new accounts are opened by real people.&lt;/li&gt;&lt;li&gt;Twitter is not doing enough to remove blatant spam accounts (email me at scobb[at]scobb[dot]net for the algorithm to identify these accounts, guys; it's not that complicated).&lt;/li&gt;&lt;li&gt;A depressingly large number of people need to ask themselves whether what they are doing with their computers is helping or hurting their fellow man, woman, or child.&lt;/li&gt;&lt;li&gt;Until the median level of morality among computer literate humans starts to rise, we will see spam, scams, fraud, and the like continuing to poison the technology and waste precious resources (like &lt;a href="http://www.sustainablebusiness.com/index.cfm/go/news.display/id/18012"&gt;the energy that email spam wastes&lt;/a&gt;, enough to power millions of homes).&lt;/li&gt;&lt;/ol&gt;BTW, if you want solid information about hemochromatosis, visit &lt;a href="http://www.irondisorders.org/"&gt;The Iron Disorders Institute&lt;/a&gt;. If you want Twitter to do more to stop Twitter-spam, &lt;a href="http://twitter.com/about/contact"&gt;contact the company&lt;/a&gt;. I find that a fax to the CEO is a good communications channel to use: Mr. Evan Williams, CEO, Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, fax 415-222-0922.
&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/rIAe9Rb8QuE/twitter-spam-getting-bad-now-poisoning.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-qUxPwNelRxA/TcBHOCDDk8I/AAAAAAAABFk/BMEtqMuCQQ0/s72-c/sliced-worm-small.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/05/twitter-spam-getting-bad-now-poisoning.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-1949847355822989949</guid><pubDate>Sat, 30 Apr 2011 19:02:00 +0000</pubDate><atom:updated>2011-04-30T15:02:17.074-04:00</atom:updated><title>Cost of a data breach climbs higher</title><description>Well worth paying attention to, whether you are in privacy or security, in business or investing in businesses, CIPP or CISSP:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher"&gt;Cost of a data breach climbs higher - Dr. Ponemon's blog&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.&lt;br /&gt;&lt;br /&gt;It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results.
In my view, there are a few standout trends."</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/7TlcSpRbPiA/cost-of-data-breach-climbs-higher.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/04/cost-of-data-breach-climbs-higher.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-7973235380892738837</guid><pubDate>Sun, 30 Jan 2011 20:03:00 +0000</pubDate><atom:updated>2011-01-30T20:37:08.725-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mobile security</category><title>Mobile Payments: One Trillion More Reasons to Think About Mobile Security</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TUXHZM17F-I/AAAAAAAABEA/Qz-N1DgvZWM/s1600/hacked-phone.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TUXHZM17F-I/AAAAAAAABEA/Qz-N1DgvZWM/s320/hacked-phone.jpg" width="122" /&gt;&lt;/a&gt;&lt;/div&gt;It is hard to think of anything more attractive to hackers than a widely-deployed digital payment system. And the world is now witnessing the fastest rollout of a digital payment system ever, to your mobile phone, a.k.a. smartphone, cellphone, iPhone, tablet/slate, i-device. Consider just two stories that appeared one day last week:&lt;br /&gt;&lt;blockquote&gt;"With corporate behemoths such as Starbucks Coffee Co. and McDonald's Corp. leading the way, 50 percent of consumers will have made a mobile payment of some kind by 2014, &lt;a href="http://www.mobilecommercedaily.com/2011/01/26/starbucks-mcdonald%E2%80%99s-leading-the-way-in-mobile-contactless-payments"&gt;according to Juniper Research&lt;/a&gt;."
&lt;/blockquote&gt;&lt;blockquote&gt;And "&lt;a href="http://www.mobilecommercedaily.com/2011/01/26/mobile-payments-could-reach-1-trillion-by-2015-luciano-group"&gt;according to this report&lt;/a&gt;, U.S. mobile payments could reach $1 trillion by 2015."&lt;/blockquote&gt;That's one &lt;b&gt;trillion&lt;/b&gt; dollars with a "&lt;b&gt;T&lt;/b&gt;" headed to a bunch of devices that are, from an historical IT perspective, barely out of beta testing. Consider a couple of random stories I found hanging around in my browser cache when I sat down to write this post:&lt;br /&gt;&lt;blockquote&gt;November 2, 2010: An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a &lt;a href="http://www.eweekeurope.co.uk/news/serious-security-bugs-found-in-android-kernel-11040?utm_source=dft.ba&amp;amp;utm_medium=link"&gt;report published on Tuesday&lt;/a&gt;.&lt;/blockquote&gt;&lt;blockquote&gt;December 29, 2010: Mobile security firm Lookout is sounding the alarm about a Trojan targeting Android devices that, while confined to China so far, represents one of the most sophisticated pieces of malware it has seen to date. The malware, named “Geinimi” is the first Trojan to display botnet-like capabilities, &lt;a href="http://gigaom.com/2010/12/29/mobile-trojan-malware-targets-android-devices/"&gt;allowing it to receive remote commands&lt;/a&gt;...&lt;/blockquote&gt;&lt;blockquote&gt;And don't think that using an iPhone or Blackberry will eliminate security risks. Just check out this page of stories about &lt;a href="http://www.elcomsoft.com/press-about-us.html"&gt;password cracking software&lt;/a&gt; available from Russia.
Something to bear in mind when you read that "MasterCard's PayPass wallet application can be password-protected so that a lost or stolen handset cannot be used to make payments"&lt;/blockquote&gt;But let's get back to what I meant when I said it's hard to think of anything more attractive to hackers than a widely-deployed digital payment system. Notice I didn't qualify "hacker" in this context. That's because hackers of all stripes find computerized payment technology fascinating. Back in 1995, when I spoke for the first time at DefCon, the now legendary annual hacker convention in Las Vegas, the speaker ahead of me presented a detailed explanation of just how easy it was to make fake credit cards that worked.&lt;br /&gt;&lt;br /&gt;When I cited that presentation as an example of the damage that hacking could do, the response was vociferous and articulate and could be summed up like this: The banks are to blame for using such lame technology when a few tweaks to the system and a little more effort could actually make it a lot more secure, as shown in the presentation.&lt;br /&gt;&lt;br /&gt;That was a valuable lesson for me. Not everyone who hacks payment systems is out to steal your money. Hence the useful qualifier "criminal" as used by my friend and colleague Mich Kabay who is always careful to say criminal hackers when that is the type of hackers to whom he is referring. A lot of people see a spectrum of hackers. One can describe it, if you leave out the nuances, like this: black hat hackers who are criminally-minded, gray hat hackers who may hack for profit, and white hat hackers who are trying to find solutions to hacks before the hacks are widely exploited (and may profit professionally for so doing).&lt;br /&gt;&lt;br /&gt;What I'm saying is that every shade of hacker is likely to look long and hard at hacking mobile payment systems, from those who want to hack the system for illegal gain to those who seek to gain fame for finding the holes. 
The question is: Can the systems now being rolled out withstand the scrutiny? History gives me a clear answer: No.&lt;br /&gt;&lt;br /&gt;Unless some fundamental changes have occurred in the technology and banking industries, changes of which I am unaware, that negative answer has a high probability of being right. I predict holes will be found and some of those holes will be exploited for illegal gain before they are plugged. I also predict that:&lt;br /&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Mobile payment systems will still be rolled out, and&amp;nbsp;&lt;/li&gt;&lt;li&gt;Companies that already have a good track record in mobile security will do very well this decade.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/3IdnRRZXAtc/mobile-payments-one-trillion-more.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TUXHZM17F-I/AAAAAAAABEA/Qz-N1DgvZWM/s72-c/hacked-phone.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/01/mobile-payments-one-trillion-more.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-347370192081014333</guid><pubDate>Wed, 26 Jan 2011 03:33:00 +0000</pubDate><atom:updated>2011-01-26T11:18:32.829-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">frost</category><category domain="http://www.blogger.com/atom/ns#">sullivan</category><category domain="http://www.blogger.com/atom/ns#">m.a.d.</category><category domain="http://www.blogger.com/atom/ns#">mecs</category><category domain="http://www.blogger.com/atom/ns#">mobile security</category><title>One to Watch: MAD's MECS is mobile security made real</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;There is no doubt in my mind that the new information security 
frontier is mobile, as in mobile phones and mobile pads/slates/tablets. More and more data is going to be processed by, stored on, and accessed from mobile devices. You can see this very clearly if you spend any time in the world of consumer marketing where the biggest buzzword right now is "mobile" as in mobile advertising, mobile shopping, and mobile payments.&lt;br /&gt;&lt;br /&gt;And where the money goes, criminal hacking is sure to follow, along with scams, spammers, phishing and fraud. Which is why I've been very interested for a while now in a mobile security company called MAD, a company of which my good friend Winn Schwartau is Chairman.&lt;br /&gt;&lt;br /&gt;MAD's flagship product has already won several&amp;nbsp;&lt;a href="http://www.mobileactivedefense.com/2011/01/frost-sullivan-awards-mobile-active-defense-with-2011-new-product-innovation-of-the-year-award/"&gt;awards like this&lt;/a&gt;. And I can assure you that awards like these don't grow on trees. Industry analysts don't like to get burned by endorsing flash-in-the-pan products that leave them looking all egg-faced in 12 months if the product peters out. Bear that in mind when you read this assessment:&lt;br /&gt;&lt;blockquote&gt;“The Mobile Enterprise Compliance and Security Server (MECS) innovative solution focuses primarily on delivering a new dimension of security, management and compliance to enterprises. Compared to standard mobile device management (MDM) solutions, which are not regarded to be viable security platforms, M.A.D.’s offering promises to provide the utmost protection for mobile enterprise devices.” and goes on to state that “Owing to the extensive capacity offered by M.A.D.’s solution, Frost &amp;amp; Sullivan feels that the company has gained a significant advantage compared to its competitors...”&lt;/blockquote&gt;Pretty impressive! 
MAD's MECS is definitely one to watch as the struggle to secure the mobile frontier heats up in 2011.&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/bmlDMc5Gzyw/one-to-watch-mads-mecs-is-mobile.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2011/01/one-to-watch-mads-mecs-is-mobile.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-358906164081758844</guid><pubDate>Sat, 11 Dec 2010 13:04:00 +0000</pubDate><atom:updated>2010-12-11T12:55:17.885-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Wikileaks</category><category domain="http://www.blogger.com/atom/ns#">hactivists</category><category domain="http://www.blogger.com/atom/ns#">Cyberwar Information Security</category><category domain="http://www.blogger.com/atom/ns#">Assange</category><title>Wikileaks, Assange, Cyberwar and the Real Information Security Story</title><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_0x-_F8jtyJQ/TQOmnfGM92I/AAAAAAAABDw/6SOmHkwA35A/s1600/wikileaks.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/TQOmnfGM92I/AAAAAAAABDw/6SOmHkwA35A/s320/wikileaks.png" width="138" /&gt;&lt;/a&gt;&lt;/div&gt;Time for some perspective on Wikileaks, the cyber attacks against it, and for it, and the real information security story that may get lost in the mix. (Note: I am not under any illusion that the world has been holding its breath waiting for me to weigh in on this subject; this is more of a "memo to the file" undertaking.)&lt;br /&gt;&lt;br /&gt;For me, the real meat of the Wikileaks story is the content of the documents that are being leaked. 
Coming a close second is the pathetic state of information security within the US government in general and military/intel systems in particular.&lt;br /&gt;&lt;br /&gt;(BTW, I commented on this in the context of a &lt;a href="http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/"&gt;Danger Room story on Wired&lt;/a&gt; which apparently was not deemed worthy of approval--one reason I am repeating myself here: American taxpayers have been thoroughly ripped off when it comes to the money spent protecting state secrets. There used to be policies and procedures in place to prevent something like Pfc Manning recording secret documents on a CD-RW labeled Lady Gaga, but the army brass likes its tunes too much to put up with that kind of inconvenience, part of the same mindset that leads so many of them to use the same lame password for everything.)&lt;br /&gt;&lt;br /&gt;However, the BIG story may be the implications of hacktivists taking up cyber-arms against the perceived foes of Wikileaks. It reminded me of a Network World column by my friend Mark Gibbs in 2005 titled "&lt;a href="http://www.networkworld.com/columnists/2005/020705backspin.html"&gt;The selfish 'Net and the Big One&lt;/a&gt;." In that piece I reiterated my longstanding opinion that "the Internet continues to function at the whim of those who know how to bring it down."&lt;br /&gt;&lt;br /&gt;As the hacktivist fans of Wikileaks tone down their attacks on dot-com sites there may be a temptation to dismiss them as a sideshow. However, it would be a big mistake to just say "Those guys couldn't take down Amazon.com" and leave it at that. I would argue that the only reason Amazon.com or any other website is still online is that the people who know how to take it down have decided not to do so. 
Remember: "the Internet continues to function at the whim of those who know how to bring it down."&lt;br /&gt;&lt;br /&gt;To put it another way, the world's virtual economy is built upon a web of trust and mutual self interest, not a bullet-proof framework of resilient technology. To think otherwise is to risk massive losses should a real cyberwar break out.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/EsYQAeFyHVk/wikileaks-assange-cyberwar-and-real.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_0x-_F8jtyJQ/TQOmnfGM92I/AAAAAAAABDw/6SOmHkwA35A/s72-c/wikileaks.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2010/12/wikileaks-assange-cyberwar-and-real.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-1113414000381910430</guid><pubDate>Sat, 23 Oct 2010 21:38:00 +0000</pubDate><atom:updated>2010-10-23T17:42:54.203-04:00</atom:updated><title>Of Satellites and Zombies and Recurring Security Themes</title><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TMNTjvQKSxI/AAAAAAAABDA/InKajr68fxU/s1600/satellite-shot.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TMNTjvQKSxI/AAAAAAAABDA/InKajr68fxU/s1600/satellite-shot.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I recently came across some archival security wordage while writing a whitepaper about satellite Internet service. Because it still seems relevant, I thought I would reprint it. But first, some background on satellite Internet. America's telecom companies are fending off demands for universal broadband service requirements by telling politicians that satellite Internet is broadband. 
It most certainly is not.&lt;br /&gt;&lt;br /&gt;Satellite Internet does provide an “always on” connection that is faster than dialup, but one problem with this service is that you have to turn off those automatic software updates that sometimes patch security holes in applications and operating systems (this is because of tight bandwidth caps, as low as 300 megabytes a day, with penalties for going over your limit). So you have these “always on” connections that are not getting patched promptly.&lt;br /&gt;&lt;br /&gt;A few years back in the history of computer security it emerged that "always on computing" in the form of consumer computing devices connected to high speed Internet connections created the potential for large-scale attacks on corporate and government systems through compromised hosts (zombies) organized into malicious networks (botnets) by criminal hackers or cyber-terrorists. A prime strategy for turning personal computing devices into zombies is to exploit software vulnerabilities before they are fixed or “patched” by users downloading and installing updates.&lt;br /&gt;&lt;br /&gt;Software companies responded to this threat by developing automated distribution systems for security updates. Turning off these automated patching systems increases the risk that consumer Internet devices will be compromised and used in botnet attacks. This threat appears in government reports as early as 2004 (&lt;a href="http://www.dhs.gov/xlibrary/assets/niac/NIAC_HardeningInternetPaper_Jan05.pdf"&gt;National Infrastructure Advisory Council, Hardening the Internet: Final report and Recommendations by the Council&lt;/a&gt;, October, 2004).&lt;br /&gt;&lt;br /&gt;I know that it was openly discussed during FTC hearings on computer security in 2002 because I was part of the discussion. 
The Consumer Information Security Workshop, held May 21-22, 2002, in Washington was addressed by Dick Clarke, then the President's special advisor on cyber security issues and chair of the President's commission on critical infrastructure protection. At that time he was formulating the national strategy for cyber security, a multi-pronged strategy to improve the security of government agencies, businesses and consumers.&lt;br /&gt;&lt;br /&gt;(Before his appointment as special advisor to the President, Clarke served as national coordinator for security infrastructure protection and counter-terrorism on the National Security Council. As national coordinator, he led the U.S. government's efforts on counter-terrorism, cyber security, continuity of government operations, domestic preparedness for weapons of mass destruction and international organized crimes. In the George H. W. Bush Administration, Clarke was the assistant secretary of state for political military affairs. In that capacity, he coordinated State Department support for Desert Storm and led efforts to create post war security architecture. In 1992, General Scowcroft appointed Mr. Clarke to the National Security Council staff.)&lt;br /&gt;&lt;br /&gt;So here's what Clarke said about the 2002 FTC Consumer Information Security Workshop:&lt;br /&gt;&lt;br /&gt;"We see this two-day workshop as part of the national outreach effort that we are making as we develop the national strategy to secure cyberspace. How can the home user, without knowing it, hurt other people? Tim mentioned distributed denial of service attacks, and we've seen that happen already. This is not a theoretical possibility where the home user, without knowing it, has their computer attacked. 
A part of their computer is then covertly taken over by an automated program, and it sits waiting for instructions or it sits waiting for a time, and then when that time comes, it launches what's called a distributed denial of service attack, firing messages out many times a second, and it does it in concert with hundreds or thousands of other computers, and those messages from all of those computers are aimed at one site on the Internet. The effect can be that the site closes down under the volume, that the routers and the servers crash under the wave.&lt;br /&gt;&lt;br /&gt;"...In point of fact, denial of service attacks occur every day. There are hundreds a month aimed at all sorts of different sites all over the Internet and all over the world, and many of them are happening because the home consumer hasn't been told how to prevent his or her computer from becoming a zombie. Many people don't even know when their computer has become a zombie."&lt;br /&gt;&lt;br /&gt;Later, the same FTC workshop heard from Tatiana Gau, Vice President of Integrity Assurance at America Online about "one of the approaches that we took earlier this year with the National Cyber Security Alliance."&lt;br /&gt;&lt;br /&gt;This was a Call to Action that went like this:&lt;br /&gt;&lt;br /&gt;"As a citizen of the United States it is your duty to do your part in trying to protect the nation's infrastructure. Yes, there's other elements that need to play a role in protecting our nation's infrastructure, but you as a consumer need to make sure that you don't unwittingly become the mechanism through which an organized group or a disorganized group could, in fact, attack a government web site or some other system in our country by having your computer become a robot simply because you had a password that was too easy to guess."&lt;br /&gt;&lt;br /&gt;So, here we are, eight years later. 
The average consumer is probably a little better informed about cyber security than they were back then, but not much. And America's telecom companies are trying to avoid serving rural areas by touting an "always on" consumer Internet service that arguably has a higher risk profile than cable, DSL, or fiber optic. Good job we're less reliant on computers these days...no wait, we're a lot more reliant; pity we're not a lot more aware of the risks.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/lHU3mpXH418/of-satellites-and-zombie-and-recurring.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TMNTjvQKSxI/AAAAAAAABDA/InKajr68fxU/s72-c/satellite-shot.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2010/10/of-satellites-and-zombie-and-recurring.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-2600214767549588633</guid><pubDate>Wed, 16 Jun 2010 16:40:00 +0000</pubDate><atom:updated>2010-06-16T12:45:14.837-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">SANS</category><category domain="http://www.blogger.com/atom/ns#">information assurance</category><category domain="http://www.blogger.com/atom/ns#">IASSP</category><category domain="http://www.blogger.com/atom/ns#">IA</category><category domain="http://www.blogger.com/atom/ns#">GCHQ</category><category domain="http://www.blogger.com/atom/ns#">acrobat</category><category domain="http://www.blogger.com/atom/ns#">NRO</category><category domain="http://www.blogger.com/atom/ns#">NSA</category><category domain="http://www.blogger.com/atom/ns#">CISSP</category><category domain="http://www.blogger.com/atom/ns#">MCDBA. 
CESG</category><category domain="http://www.blogger.com/atom/ns#">CLAS</category><category domain="http://www.blogger.com/atom/ns#">PDF</category><category domain="http://www.blogger.com/atom/ns#">USA</category><category domain="http://www.blogger.com/atom/ns#">reader</category><category domain="http://www.blogger.com/atom/ns#">UK</category><category domain="http://www.blogger.com/atom/ns#">adobe</category><title>Enterprise PDF Attack Prevention Best Practices: As commended by SANS</title><description>"According to McAfee &lt;a href="http://www.avertlabs.com/research/blog/index.php/2010/04/26/surrounded-by-malicious-pdfs/"&gt;Avert Labs&lt;/a&gt;, as of Q1 2010, malicious malformed PDF files are now involved with 28% of all malware directly connected to exploits." So states Mike Cobb in this very handy article on &lt;a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1513908,00.html"&gt;Enterprise PDF Attack Prevention Best Practices&lt;/a&gt; (free registration may be required but is totally worth it).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TBj-QYQsesI/AAAAAAAABBg/nu3-wsYGpQA/s1600/pdf-watch.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TBj-QYQsesI/AAAAAAAABBg/nu3-wsYGpQA/s320/pdf-watch.jpg" /&gt;&lt;/a&gt;Of course, you may be thinking: Stephen Cobb says it's worth reading because Mike Cobb wrote it. So here's an objective opinion: "very good refresher on best practices for protecting against any malware spread by using any  number of compromised attachments." That's Deb Hale of Long Lines, writing in &lt;a href="http://isc.sans.edu/diary.html?storyid=8938"&gt;SANS Internet Storm Center Diary&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;True, Mike Cobb is my brother, but he is also Mike Cobb, CLAS, CISSP-IASSP, MCDBA. (BTW, for the acronymically-minded, CLAS = CESG Listed Adviser Scheme. 
CESG is the Communications-Electronics Security Group, which describes itself as the Information Assurance (IA) arm of GCHQ (as in Government Communications Headquarters) which is basically the UK equivalent of the USA's NSA/NRO). In other words, Mike knows quite a bit about security, as well as initials and acronyms.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/-YEBXzuN4eE/enterprise-pdf-attack-prevention-best.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_0x-_F8jtyJQ/TBj-QYQsesI/AAAAAAAABBg/nu3-wsYGpQA/s72-c/pdf-watch.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2010/06/enterprise-pdf-attack-prevention-best.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-7754755163989451323</guid><pubDate>Fri, 23 Apr 2010 19:57:00 +0000</pubDate><atom:updated>2010-04-23T16:08:38.033-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">cyber-security</category><title>The Feed to Read When You Need Cyber-Security Info</title><description>I think I have mentioned David Kennedy's information security updates before. I get them on &lt;a href="http://friendfeed.com/stephencobb"&gt;FriendFeed&lt;/a&gt; but you can &lt;a href="http://www.google.com/reader/shared/00452177554692898246"&gt;read them on Google&lt;/a&gt; as well (and that might be more convenient for some people).&lt;br /&gt;&lt;br /&gt;David consistently flags the most interesting cyber-security stories out there and is a great resource if you want to stay current. 
Here's just one example, a very elaborate phishing scam recently perpetrated via Gmail, as &lt;a href="http://www.cyveillanceblog.com/general-cyberintel/gmail-online-pharmacy-spam"&gt;written up by Cyveillance&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://cobbsblog.com/images/dilbert-card.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://cobbsblog.com/images/dilbert-card.png" /&gt;&lt;/a&gt;So why is there a Dilbert comic in this post? Well, reading a constant stream of breaches and scams and cyber-crimes is not much fun and can be somewhat overwhelming when you are responsible for fighting an uphill and inherently asymmetric battle to keep your systems safe.&lt;br /&gt;&lt;br /&gt;But what else are you going to do? If you don't stay informed, you could fall prey to a "known attack" and that is no fun at all.&lt;br /&gt;&lt;br /&gt;So I pasted in some Dilbert for light relief. I actually licensed this strip and several others for the 1996 edition of my guide to PC and LAN security. As I recall, Dilbert creator Scott Adams was a lot more helpful than some other cartoonists I contacted back then. 
Thanks Scott!</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/d6y6eMA5JXQ/feed-to-read-when-you-need-cyber.html</link><author>noreply@blogger.com (Stephen Cobb)</author><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2010/04/feed-to-read-when-you-need-cyber.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-8842386691518459164</guid><pubDate>Sun, 21 Feb 2010 22:48:00 +0000</pubDate><atom:updated>2010-02-21T17:57:29.715-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">lower merion</category><category domain="http://www.blogger.com/atom/ns#">data privacy</category><category domain="http://www.blogger.com/atom/ns#">paedophile</category><category domain="http://www.blogger.com/atom/ns#">computer security</category><category domain="http://www.blogger.com/atom/ns#">inappropriate</category><category domain="http://www.blogger.com/atom/ns#">merion school</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><title>Dumb and Dumber: School district spying, assisted burglary</title><description>This post was supposed to contain further details of the CAFE cycle that I outlined in my previous post but no, two dumb things cropped up this past week on which I feel obliged to comment.&lt;br /&gt;&lt;br /&gt;&lt;div style="clear: left; float: left; margin-bottom: 0em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_0x-_F8jtyJQ/S4G42O0GDHI/AAAAAAAAA_Y/4UUVjTRW3MM/s320/hal9000.png" /&gt;&lt;/div&gt;First, we have the school district in Pennsylvania that gave all its high school students laptops with built in cameras that could be remotely activated by teachers to take pictures of the students without the students' knowledge. Sounds like a really dumb idea? 
Yes, it was a really dumb idea, particularly in light of the high statistical probability that at least one of those teachers is a paedophile (no, I'm not accusing anyone of paedophilia, but statistically I'm right--it was true in my high school and it is/was probably true in yours).&lt;br /&gt;&lt;br /&gt;So yes, a dumb idea, and what makes it particularly shocking is that this school district is not in some backwater town. The Lower Merion School District is one of the most affluent in the country, located in an upscale suburb of Philadelphia (after all, it was rich enough to out 2,300 Apple laptops with built-in cameras).&lt;br /&gt;&lt;br /&gt;This monumentally dumb idea came to light when a student was upbraided by a teacher for inappropriate behavior. The evidence? A snapshot taken remotely by one of those laptops with a built-in camera that could be remotely activated by teachers to take pictures of the student without his or her knowledge. Talk about the beam in thine eye versus the mote in mine.&amp;nbsp; Here's more of what has been reported: &lt;br /&gt;&lt;blockquote&gt;The Assistant Principal of Harriton High School reprimanded 15-year-old student Blake Robbins for "improper behavior in his home," according to the lawsuit. Matsko cited as evidence a photograph from the webcam on the boy's school-issued laptop. Harriton High School student Blake Robbins claims that an assistant principal reprimanded the 15-year-old for "improper behavior in his home" that was captured by the embedded camera on Robbins' school-issued Apple MacBook. Robbins told reporters that the improper behavior he was cited for was eating Mike &amp;amp; Ike candies, which he said the school mistook for illegal pills.&lt;/blockquote&gt;Just how inappropriate was the assistant principal's action? Well, the logic behind the remote picture taking was to aid in the recovery of a stolen laptop. In other words, it was a "security feature." 
There has been no claim that Robbins' laptop was stolen, but more importantly, one of the basics that any decent class in computer security teaches you is that all security features can be abused. &lt;br /&gt;&lt;br /&gt;The example I normally use in my classes is a company deploying data encryption and a disgruntled employee encrypting company data, then demanding a ransom to decrypt it. That is why security features must be deployed very carefully, with controls to prevent abuse, like a master key to the encryption scheme that prevents data ransoming.&lt;br /&gt;&lt;br /&gt;In the case of Lower Merion School District the abuse was to invade the student's privacy, and the point of failure was a lack of sufficient controls to prevent such abuse (i.e. a strong permissioning process for the use of the remote viewing capability, e.g. requiring two teachers and the principal to sign off on the activation after documented evidence of theft).&lt;br /&gt;&lt;br /&gt;Part of the stupidity in Lower Merion School District was the commission of this particular act of privacy invasion within this particular demographic. This is a place where many parents are well-educated, tech-savvy, and probably more inclined to outrage than most. When you read the complaint filed by parents of the student you will know what I mean. Given the international attention this case has received, not to mention &lt;a href="http://tr.im/PbKf"&gt;FBI involvement&lt;/a&gt;, I would say it is destined for the textbooks. It sure looks like omitting this security feature and taking the risk of losing a few laptops would have been a much better decision.&lt;br /&gt;&lt;br /&gt;So, there was one more stupid thing I wanted to mention, a web site created to show how stupid people can be. Yes, that's right. 
Some &lt;a href="http://news.bbc.co.uk/2/hi/technology/8521598.stm"&gt;people in the Netherlands created a web site&lt;/a&gt; called PleaseRobMe that shows how you could target a home for low-risk burglary by monitoring social media sites where people mention their comings and goings. Talk about a pointless exercise, the only point apparently being media attention for the people who created the site (and yes, the media loved this story, playing it on the evening news along these lines: "Be scared oh you sheep, burglars can now use Facebook and Twitter to rob you!").&lt;br /&gt;&lt;br /&gt;Well, let's see how that might work. I'm going out of town to a trade show tomorrow. I will be gone for several days. This is well known to my friends and family and colleagues. It can also be deduced from any number of web sites about the show, the company, or me. But you'd have to be an exceptionally stupid burglar to try robbing my place next week. Apart from the dog and the attack cats that will be in residence, there will be one heavily-armed lady at home who is an excellent shot. 
Do you feel lucky?&lt;br /&gt;&lt;br /&gt;I will pick up the CAFE cycle next post.</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/MD2Sy9HwN5s/dumb-and-dumber-school-district-spying.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_0x-_F8jtyJQ/S4G42O0GDHI/AAAAAAAAA_Y/4UUVjTRW3MM/s72-c/hal9000.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2010/02/dumb-and-dumber-school-district-spying.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-13370348.post-183493956371043601</guid><pubDate>Sat, 06 Feb 2010 20:39:00 +0000</pubDate><atom:updated>2010-02-06T16:08:31.484-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">extremism</category><category domain="http://www.blogger.com/atom/ns#">criminal hacking</category><category domain="http://www.blogger.com/atom/ns#">violence</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">illegal</category><title>Do They Ride the Same Cycle? Criminal hacking, terrorists, and other security threats</title><description>&lt;a href="http://3.bp.blogspot.com/_0x-_F8jtyJQ/S23S4wK80aI/AAAAAAAAA_Q/-wmS4tWZ5wk/s1600-h/cafe-cycle.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 0.10em;"&gt;&lt;img style="border:none;" src="http://3.bp.blogspot.com/_0x-_F8jtyJQ/S23S4wK80aI/AAAAAAAAA_Q/-wmS4tWZ5wk/s320/cafe-cycle.png" /&gt;&lt;/a&gt;I have written this post/article/paper because I see a pattern of human behavior, the understanding of which may have some potential to improve the security of data and data subjects in the virtual world, as well as the security of persons and property in the real world. 
Because my thoughts about this pattern came together while I was in my favorite coffee shop, I coined the term “CAFE cycle” to describe a cycle of behavior that goes like this: &lt;br /&gt;&lt;blockquote&gt;Cause-Action-Frustration-Exposure/Extremism&lt;/blockquote&gt;I will describe the cycle in generic terms then present two examples. Generically, a person becomes motivated by a Cause and takes Action to achieve the goal of that cause. Frustrated by failure to achieve the goal through legal means, the person takes illegal action, exposing him or her to three potentially problematic experiences: illicit thrills, illegal gains, and group membership. Continued failure to achieve the goal leads the person to pursue extreme forms of these experiences until they become an end in their own right, an Extremism that supplants the original Cause for Action, essentially rendering it irrelevant.  &lt;br /&gt;&lt;br /&gt;For a basic example consider an adolescent male who wants to learn, through direct experience, the workings of large computer networks. He exhausts the limited avenues of legal access to a large network and so he makes repeated attempts to gain unauthorized access, breaking the law as he does so. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The hacker is now a criminal hacker and part of a criminal hacking sub-culture which has a certain appeal, partly due to irresponsible and ill-informed media coverage of criminal hacking. He did not try to break into the network for the thrill of it, or for financial gain, or to join a sub-culture. His cause was education. His goal was knowledge. But through the CAFE cycle all that can change. He may pursue illegal acts for kicks, for gain, or for the feeling of belonging that comes from participation in a group committed to this lifestyle.&lt;br /&gt;&lt;br /&gt;Consider another adolescent male. He perceives an injustice in the world and he wants to change it. 
He exhausts the limited avenues of legal redress such as peaceful demonstrations and goes one step further, throwing a stone at a police barricade, breaking the law as he does so. He is now a part of a sub-culture of violent protest which has a certain appeal, partly due to irresponsible and ill-informed media coverage of such protests. He did not throw the stone for the thrill of it, or for financial gain, or to join a sub-culture. His cause was justice. His goal was redress. But through the CAFE cycle all that can change. He may pursue illegal acts for kicks, for gain, or for the feeling of belonging that comes from participation in a group committed to this lifestyle. And the lifestyle can become extreme, going as far as violence against innocent persons for its own sake.&lt;br /&gt;&lt;br /&gt;The CAFE cycle indicates that, for a certain percentage of people, the repetition of illegal acts committed to achieve a desired goal leads to one or more forms of motivational displacement, the three most worrying of which are: kicks, gain, and membership. Over time these can become sociopathic thrill-seeking, greed, and fanatical attachment. An example: terrorists who kill innocent civilians, extortion gangs that feed off innocent civilians in regions of political instability, and suicide bombers who kill themselves for the cause.&lt;br /&gt;&lt;br /&gt;Note that I am not equating criminal hackers with terrorists or suicide bombers, but I think the underlying pattern is the same. Some criminal hackers get hooked on the thrill, others get hooked on the growing profits to be made from their skills. Some form groups by which the thrills and/or the profits can be enhanced through collaboration, and to which there is satisfaction in belonging. 
Likewise, some people who adopt virtuous causes go through the CAFE cycle so many times they become addicted to the life of the freedom-fighter-terrorist, a life driven by thrills, or greed, or bonding or some combination thereof.&lt;br /&gt;&lt;br /&gt;The CAFE cycle has the power to produce, from the totality of supporters of a legitimate cause, some subset of persons who engage in illegal activity for reasons other than furtherance of the cause. This power can be seen when a cause gets close to achieving its goal, and also when the goal has been achieved and the cause is moot. Some criminal hackers just can't stop hacking. Some terrorists can't handle the outbreak of peace and continue to commit acts of greed, violence, extortion, and so on.&lt;br /&gt;&lt;br /&gt;Clearly there are many variables involved in the CAFE cycle and these can vary greatly from one community to another or between communities. Analysis of this phenomenon is further complicated when there is lack of consensus within a community as to what constitutes a reasonable goal. The phenomenon takes on its most difficult form when the “community” is the world community. Global consensus is hard to reach. For advocates of some causes who are perpetually frustrated the CAFE cycle generates multiple subsets of persons acting primarily for the perpetuation of an illegal lifestyle.&lt;br /&gt;&lt;br /&gt;In my next post I will outline implications of the CAFE cycle for security. (And I will probably post something about the use of hacking versus criminal hacking, terms that are fraught with potential to upset some people.) 
</description><link>http://feedproxy.google.com/~r/ScobbsSecurityBlog/~3/w_Mph40fyxg/riding-same-cycle-criminal-hacking-and.html</link><author>noreply@blogger.com (Stephen Cobb)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_0x-_F8jtyJQ/S23S4wK80aI/AAAAAAAAA_Q/-wmS4tWZ5wk/s72-c/cafe-cycle.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://scobbs.blogspot.com/2010/02/riding-same-cycle-criminal-hacking-and.html</feedburner:origLink></item></channel></rss>
