<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Notes from the Cyber Trenches – A Security Intelligence Blog</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/" />
    <link rel="self" type="application/atom+xml" href="http://blogs.verisign.com/idefense/atom.xml" />
    <id>tag:blogs.verisign.com,2009-10-09:/idefense//28</id>
    <updated>2010-09-28T20:23:42Z</updated>
    
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.21-en</generator>

<entry>
    <title>Cyber Warfare, Voting Enemies and Legal Frameworks</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/09/cyber-warfare-voting-enemies-and-legal-frameworks.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.2123</id>

    <published>2010-09-28T18:24:49Z</published>
    <updated>2010-09-28T20:23:42Z</updated>

    <summary>We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and yes to the enemy.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Cyber Warfare" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Government" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Policy" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cyberwarfare" label="CyberWarfare" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<p>
<span style="DISPLAY: inline" class="mt-enclosure mt-enclosure-image"><img style="MARGIN: 0px 20px 20px 0px; FLOAT: left" class="mt-image-left" alt="CyberWarfare.png" src="http://blogs.verisign.com/idefense/CyberWarfare.png" width="157" height="216" /></span>A couple of weeks ago, I talked about the DOD's new cyber warfare <a href="http://blogs.verisign.com/idefense/2010/09/the-us-dod-proposes-their-cyber-security-plan.html">policy</a>. Deputy Secretary of Defense, William Lynn, rolled out his justification and strategy in an <a href="http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain?page=1">essay </a>published in<a href="http://www.foreignaffairs.com/"> Foreign Affairs magazine</a>. I gave an evaluation on how far along the DoD is in implementing that policy and gave Secretary Lynn a thumbs up for crafting a cogent plan.</p>
<p>In the Strategy section of the essay, Lynn mentions a concept called active defense. This is a government euphemism for Offensive Cyber Operations. He basically says that you cannot be effective in cyber space if you are only playing defense. Lynn said:</p>
<p><em><strong>"In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun."</strong></em></p>
<p>This is a basic tenet of regular warfare (look up quotes from any famous general or military expert like Napoleon, Clausewitz, MacArthur, Patton, etc.). To win, you have to take the fight to the enemy. This is no different just because we operate in cyberspace. The basic tenets of warfare do not change simply because you are in a new medium. They are the same on land, in the air and on the sea. If we fight in cyberspace, we have to go on the offense.</p>
<p>
<span style="DISPLAY: inline" class="mt-enclosure mt-enclosure-image"><img style="MARGIN: 0px 0px 20px 20px; FLOAT: right" class="mt-image-right" alt="Alexander.png" src="http://blogs.verisign.com/idefense/Alexander.png" width="190" height="229" /></span>This is consistent with what General Alexander, the Army General in charge of the new Cyber Command, said in August when he spoke at the Armed Forces Communications and Electronics Association's LandWarNet <a href="http://news.cnet.com/military-tech/8300-13639_3-42.html?keyword=Keith+Alexander.+U.S.+CyberCom">conference</a>: </p>
<p><em><strong>"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."</strong></em> </p>
<p>But developing and deploying a framework for these kinds of operations is hard and must be done in advance. You don't want to be making this stuff up on the fly during a crisis. Working out the legal and civil liberties issues is tough. Lynn agrees,</p>
<p>&nbsp;<br /><em><strong>"The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy."</strong></em></p>
<p>Also, just saying the Army will conduct offensive operations sounds so clean and precise. It is not. It will be messy. Unforeseen consequences will happen. The enemy will react. As civilians, we like to think that just because the Army will hit back, the enemy will wither and run away. That will absolutely not happen. It has not happened in Iraq and in Afghanistan, and it will not happen in cyberspace. An old commander of mine always used to say, <em><strong>"The Enemy gets a vote."</strong></em> Most likely he will not vote to quit.</p>
<p>General Alexander and Deputy Secretary of Defense Lynn know this. They have been around the block a few times. They know what is in store when we start down this path. That is why it is imperative that the framework is in place before the crisis occurs. We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and yes to the enemy. The enemy must know what we are likely to do before they cast their vote. This will all influence the shape of the battle space.</p>
<p>I believe that all of this is years away, but we have started down the path. The DOD must still negotiate many obstacles, but Secretary Lynn has outlined a strategy and General Alexander has committed to it. It is just a matter of time now.</p>]]>
        
    </content>
</entry>

<entry>
    <title>The US DOD Proposes their Cyber Security Plan</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/09/the-us-dod-proposes-their-cyber-security-plan.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.2115</id>

    <published>2010-09-09T10:13:27Z</published>
    <updated>2010-09-09T10:49:25Z</updated>

    <summary>Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. </summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Government" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Intelligence" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Policy" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Trends" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="dodpolicylynnintelligencepolicytrends" label="DoD Policy Lynn Intelligence Policy Trends" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<p><font color="#000000"><font size="3"><span style="FONT-FAMILY: 'Century Schoolbook','serif'">
<span style="DISPLAY: inline" class="mt-enclosure mt-enclosure-image"><img style="MARGIN: 0px 0px 20px 20px; FLOAT: right" class="mt-image-right" alt="williamLynn.png" src="http://blogs.verisign.com/idefense/williamLynn.png" width="182" height="260" /></span>William Lynn, the US Deputy Defense Secretary, published an</span><font face="Times New Roman"> </font></font></font><a href="http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain?page=1"><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font size="3">essay</font></span></a><font color="#000000"><font size="3"><span style="FONT-FAMILY: 'Century Schoolbook','serif'"> in</span><font face="Times New Roman"> </font></font></font><a href="http://www.foreignaffairs.com/"><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font size="3">Foreign Affairs</font></span></a><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font color="#000000" size="3"> magazine last week describing recent US Department of Defense (DoD) policy changes concerning cyber warfare. Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. Here is a summary of Lynn's Justification and Strategy:</font></span></p>
<p><strong>Justification</strong></p>
<ul>
<li>In 2008, hackers - most likely from a foreign government - successfully penetrated DoD networks (both the CLASSIFIED SIPRNET and UNCLASSIFIED NIPRNET) and exfiltrated large volumes of official documents. This situation instigated the formalization of a US strategy (see below).</li>
<li>Cyberspace is asymmetric and the offense will always have the upper hand.</li>
<li>Cold War deterrence models of assured retaliation do not work because the attribution problem is hard.</li>
<li>Cyber warfare forces will not attack just military targets. They will go after the nation's critical infrastructure and industrial secrets.</li>
<li>Cyber warfare forces will not always come from the network. They will infiltrate the supply chain, both hardware and software, and attack from within.</li>
</ul>
<p><strong>Strategy</strong></p>
<p><i>(My assessment of each plank's completeness in parentheses)</i></p>
<ul>
<li>Formally recognize cyberspace as a new domain of warfare (<span style="COLOR: #00b050">Done</span>)</li>
<li>Put one command in charge of the strategy: Cyber Command (<span style="COLOR: #00b050">Done</span>)
<ol>
<li>Lead daily defense operations (<span style="COLOR: blue">On-going</span>)</li>
<li>Provide an accountable way to marshal cyber warfare resources across the military (<span style="COLOR: blue">On-going</span>)</li>
<li>Coordinate with other government bodies and commercial entities (<span style="COLOR: red">Just Beginning</span>)</li>
</ol></li>
<li>Dynamic reaction to attacks (<span style="COLOR: blue">On-going</span>)
<ol>
<li>Maintain computer hygiene (<span style="COLOR: blue">On-going</span>)</li>
<li>Deploy advanced sensors (<span style="COLOR: blue">On-going</span>)</li>
<li>Develop an "Active Defense" but protect US civil liberties (<span style="COLOR: red">Just Beginning</span>)</li>
</ol></li>
<li>Define rules of engagement (<span style="COLOR: red">Just Beginning</span>)</li>
<li>Support broader efforts to protect critical infrastructure (<span style="COLOR: red">Just Beginning</span>)</li>
<li>Coordinate Signals Intelligence (SIGINT) with allies (<span style="COLOR: blue">On-going</span>)</li>
<li>Bring the commercial sector into the discussion (<span style="COLOR: red">Just Beginning</span>)</li>
<li>Fund research and development (R&amp;D); focus on superior technology (<span style="COLOR: blue">On-going</span>)</li>
<li>Train and equip the military cyber warrior (<span style="COLOR: red">Just Beginning</span>)</li>
<li>Streamline the government's procurement process (<span style="COLOR: red">Just Beginning</span>)</li>
</ul>
<p><strong>My Observations</strong></p>
<p><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font color="#000000" size="3">Like I said, there is not much new here. Many of the concepts expressed in the justification and in the strategy have been on the table for the last 10 years. That's the bad news. The good news is that they are starting to congeal into something more than just a set of slides in a PowerPoint deck.</font></span></p>
<p><font color="#000000"><font size="3"><span style="FONT-FAMILY: 'Century Schoolbook','serif'">
<span style="DISPLAY: inline" class="mt-enclosure mt-enclosure-image"><img style="MARGIN: 0px 0px 20px 20px; FLOAT: right" class="mt-image-right" alt="dod-seal.png" src="http://blogs.verisign.com/idefense/dod-seal.png" width="188" height="188" /></span>Regarding the actual 2008 data breach, it is not clear who the actual perpetrators were. The code, agent.btz, had been around for at least 3 years when discovered by the US military skipping through both the classified (SIPRNET) and unclassified (NIPRNET) networks. As</span><font face="Times New Roman"> </font></font></font><a href="https://idefense.verisign.com/group/idefense/search?_irSearch_blogEntryId=8a261c141dffdb9d011e093d0ffb0003&amp;_irSearch_blogType=14"><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font size="3">reported</font></span></a><font color="#000000"><font size="3"><span style="FONT-FAMILY: 'Century Schoolbook','serif'"> by our Russian analyst, Kimberly Zenz, in December 2008, a Russian hacker most likely crafted the code, but the attack vector was so lame that it seems unlikely that any nation's cyber espionage program would launch it. Wired Magazine's Noah Shachtman echoed this observation when he</span><font face="Times New Roman"> </font></font></font><a href="http://www.wired.com/dangerroom/2010/08/insiders-doubt-2008-pentagon-hack-was-foreign-spy-attack/"><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font size="3">interviewed</font></span></a><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font color="#000000" size="3"> Lynn last week.</font></span></p>
<p><font size="3"><font color="#000000"><span style="FONT-FAMILY: 'Century Schoolbook','serif'">Still, Lynn's essay is a signpost in the continuing discussion and developing plans of the US government. It definitely shows the direction the US government is heading. It also supports the notion that iDefense put forward in last year's 2010 Cyber Threats and Trends</span><font face="Times New Roman"> </font><span style="FONT-FAMILY: 'Century Schoolbook','serif'">paper: We are witnessing the incipient stages of a significant shift in the center of gravity away from the commercial enterprise and toward the government in terms of new policy, the amount of money that will be spent on cyber security and what the cyber security professional will look like in terms of skill set. </span></font></font></p>
<p><span style="FONT-FAMILY: 'Century Schoolbook','serif'"><font color="#000000" size="3">Whether or not the US government will be successful in executing the above strategy remains to be seen. Lynn has cogently laid out the plan. It is clear what he wants to do. Like we said in last year's trends paper though, the space is likely to be muddled for the next couple of years while government leaders work through the issues.</font></span></p>
]]>
        
    </content>
</entry>

<entry>
    <title>2-Tiers of Internet Goodness, Sponge Bob Square Pants and the Latest iDefense Russian Country Study</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/08/2-tiers-of-internet-goodness-sponge-bob-square-pants-and-the-latest-idefense-russian-country-study.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1984</id>

    <published>2010-08-25T17:45:07Z</published>
    <updated>2010-08-25T18:09:16Z</updated>

    <summary>Am I worried that I am coming down on the side of the Russian Government when it comes to internet monitoring? Ok, I&apos;ll admit it. It does worry me a little. But, I do not normally discard ideas just because I am concerned. </summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="2-Tierd InternetAdd category" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Policy" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="2tierdinternet" label="2-Tierd Internet" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
<![CDATA[<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">We just published our latest Global Threat Research Report on Russia to our customer base. I have to say, it is a very interesting read: 48 pages of deep-dive intelligence about what is going on in that country. But one thing caught my eye in our Russia report that dovetails nicely with another </font><a href="http://www.nsci-va.net/WhitePapers/2010-07-20-Cybersecurity%20and%20Attribution-Keys-Winstead-Simmons.pdf"><font color="#0000ff" size="3" face="Century Schoolbook">report</font></a><font color="#000000" size="3" face="Century Schoolbook"> written by the National Security Cyberspace Institute (retired General Ron Keys, Charles Winstead and Kendra Simmons). This is the idea of a two-tier internet. </font></p>
<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">
<span style="DISPLAY: inline" class="mt-enclosure mt-enclosure-image"><img style="MARGIN: 0px 0px 20px 20px; FLOAT: right" class="mt-image-right" alt="KeysWinstead.png" src="http://blogs.verisign.com/idefense/KeysWinstead.png" width="265" height="157" /></span>A "Two-Tier Internet" is the concept that for day-to-day internet surfing activity (like checking out what Sponge Bob episode is on the cartoon network tonight or whether or not Mel Gibson's wife has released another phone rant by her extremely mad ex), the internet is anonymous and should remain anonymous like it is for the most part today. For official transactions (like banking, ecommerce, government functions, etc), reliable authentication between parties is not just a nice to have feature but a prerequisite for doing business. The NSCI paper explains it this way:</font></p>
<blockquote><p><font color="#000000" size="3" face="Garamond">"[...] the bottom layer is the anonymous layer, the place where you can surf the web without anybody knowing who you are. The second tier is the maturity layer; the place where you go when you have to function in the real world: financial transactions, government exchanges, business transactions, etc. In the maturity layer, you must identify yourself with absolute precision."</font></p></blockquote>
<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">
<span style="DISPLAY: inline" class="mt-enclosure mt-enclosure-image"><img style="MARGIN: 0px 20px 20px 0px; FLOAT: left" class="mt-image-left" alt="Russia.png" src="http://blogs.verisign.com/idefense/Russia.png" width="267" height="165" /></span>What caught my eye about the NSCI paper is that the thesis is very similar to what the Russian leadership is advocating within their own country; namely that the internet should be split into two categories: humanities (unrestricted) and economics (restricted). Here we have two similar positions: one advocated by the Russian Government and one advocated by a US conservative think tank.</font></p>
<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">At first glance, I thought that the motivations between the two advocates (Russia and NSCI) were different. Russian leadership wants to uplift business opportunities within the country through the power of the internet, but they are concerned that this increased communication capability will threaten their hold on power. The NSCI authors are not afraid of losing power as much as they are concerned about getting some of it back.</font></p>
<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">This is not to say that a two-tier internet is a bad idea. Indeed, I think it is a great idea. It is a wonderful compromise between privacy rights advocates who think everything should be free and private on the internet and global governments who are ultimately responsible for protecting their citizens wherever they travel, whether that be on land, in the sea, in the air or in cyber space. If you want to watch your Sponge Bob episodes without anybody knowing your geometric and yellow proclivities, use the humanities portion of the internet. But, if you want to do some sort of official transaction, you need to step up and identify yourself with precision. This would be the price of doing business on the internet.</font></p>
<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">This in no way describes how we might go about establishing a two-tier internet. That path is fraught with engineering design geekiness that just might insert more security holes into the system than we have already. But if we could do it, I think it might go a long way in making the internet a safer place.</font></p>
<p style="MARGIN: 0in 0in 10pt" class="MsoNormal"><font color="#000000" size="3" face="Century Schoolbook">Am I worried that I am coming down on the side of the Russian Government when it comes to internet monitoring? Ok, I'll admit it. It does worry me a little. But, I do not normally discard ideas just because I am concerned. If it makes it easier for me to watch my Sponge Bob episodes, I think it is worth giving it a try.</font></p>]]>
        
    </content>
</entry>

<entry>
    <title>Paranoia in APT Land </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/07/paranoia-in-apt-land.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1967</id>

    <published>2010-07-21T03:36:33Z</published>
    <updated>2010-07-21T03:47:59Z</updated>

    <summary>I&apos;ll admit, these remedies seem a little paranoid; however, if the victim list is in the thousands, isn&apos;t it time to be a little paranoid?</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="APT" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Critical Infrastructure Protection" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Cyber Espionage" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="apt" label="APT" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="APT2 - Smaller.png" src="http://blogs.verisign.com/idefense/APT2%20-%20Smaller.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="278" width="226" /></span><span class="iceouttxt">I just visited the US International
Trade Commission. They invited me to discuss what iDefense knows about
intellectual property theft in cyberspace; in other words, what is going
 on
with the "Advanced Persistent Threat" (APT)? Just this past year, it 
seems like
the APT acronym has really emerged as the catch-phrase for the security
industry. We used to call this activity "cyber espionage." I guess 
old-timers
like me still call it that, but the cool kids call it APT.<br /><br /></span><span class="iceouttxt"><o:p></o:p>This year there have been three very
public demonstrations of large APT-styled attacks: <a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">Google</a>,
<a href="http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/">the
Indian Government</a> and the <a href="http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved">US Oil Industry</a>. iDefense sources tell us that the actual target numbers, the
ones that are not being reported, are in the thousands. The point I am trying
to make is that, thanks to Google going public with its incident, a lot of
organizations are now aware of this style of threat. They were ignorant about
it before and didn't understand that these kinds of activities have really been
going on for the past decade. </span><br /><p class="MsoNormal">
<br />
<span class="iceouttxt">That's the good news. The more people that understand the
threat, the better we can all protect our enterprises. The bad news is that
there is not a lot of consensus about what we are supposed to do about it. </span><br />
<br />
<span class="iceouttxt">Some of my friends jump right to detection. They think
the most important thing you can do to defend yourself against the APT is to
detect and eradicate the activity on your network. I don't disagree that we all
should be doing that, but I would like to make an argument for putting some
significant effort into prevention. If it is true that the number of victims
that have been penetrated by some APT group is in the thousands, shouldn't we
pretty much assume that we can all be had by these players and that we all
might have something useful that they want? If thousands of victims exist,
doesn't that mean that our traditional cyber security defenses are not working?
</span><br />
<br />
<span class="iceouttxt">Off the top of my head, here are some things network
defenders should consider. Assuming that some APT organization is attacking
your enterprise, what do they want? Two things come to mind: they want the
secret sauce that makes your company unique and they want leverage in any
contract deal that is currently underway. To protect both of these "crown
jewels," here is a list of things I would add to my standard network defenses: </span><br />
<br />
<span class="iceouttxt">1. Physical separation between the corporate network, the
secret sauce, any Merger &amp; Acquisition (M&amp;A) groups and any contract
deals. I would go as far as physically separating each contract group and
M&amp;A group into its own network. Defend the walls of these networks
rigorously. </span><br />
<br />
<span class="iceouttxt">2. Ruthlessly enforce the "Need to Know" rule for each
separate network. If you do not need to know about an M&amp;A Deal, you don't
get into that network. </span><br />
<br />
<span class="iceouttxt">3. Encrypt everything in transit and at rest. This
includes data on your smartphone. </span><br />
<br />
<span class="iceouttxt">4. If you are traveling in foreign countries, use
throw-away laptops and phones (you still have to encrypt them, though). </span><br />
<br />
<span class="iceouttxt">5. Label all documents and e-mail with the appropriate
data classification. Do not allow designated classifications out of each
separate network. For the exceptionally paranoid, install beacons in all
documents; small snippets of code layered into headers or footers that call
home every time a user opens them. </span><br />
<br />
<span class="iceouttxt">I know these remedies are not as sexy as catching the APT
groups in the act. Sometimes, the least sexy remedies are the
most effective. In addition, I'll admit, these remedies seem a little paranoid;
however, if the victim list is in the thousands, isn't it time to be a little
paranoid?</span></p>

 <div><br /></div>]]>
        
    </content>
</entry>

<entry>
    <title>Open vs Closed Systems - Why the iPad May Save Us All </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/07/open-vs-closed-systems---why-the-ipad-may-save-us-all.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1963</id>

    <published>2010-07-09T03:35:32Z</published>
    <updated>2010-07-09T03:59:27Z</updated>

    <summary>I am not saying that Apple&apos;s iPad is the device that everybody should use. I am not even saying that the iPad is hacker proof. What I am saying is that devices like the iPad are the safest and most secure device today that will work for the largest Internet using population.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Information Technology" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Tools and Technologies" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="ipad" label="iPad" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="apple-ipad-1.jpg" src="http://blogs.verisign.com/idefense/apple-ipad-1.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="200" width="350" /></span><span class="iceOutTxt" id="_irSearch_WAR_irSearch_:_irSearch_WAR_irSearch_:j_id181">Recently I 
have been giving electronic readers a working test (Kindle, iPad). 
iDefense pushes volumes of written intelligence products to our 
customers. Sometimes it is a struggle to keep up with it all. Like most 
security practitioners, I fill downtime gaps (traveling, the 30-minute 
gap between two three-hour meetings, lunch, listening to my wife, etc.) 
with reading. Most of what I read comes in three forms: PDFs, Websites 
and books. It turns out that the iPad is the perfect device for this 
endeavor. The Kindle is great for books (so is the Kindle reader on the 
Blackberry and iPhone), but it just does not handle PDFs that well and 
it has no mechanism at all for reading Websites. The iPad does all that 
with ease and it does it in color.  I am sold. <br /><br />
</span><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="geeks_stand.jpg" src="http://blogs.verisign.com/idefense/geeks_stand.jpg" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="188" width="112" /></span><span class="iceOutTxt" id="_irSearch_WAR_irSearch_:_irSearch_WAR_irSearch_:j_id181">But the chatter around the water cooler at iDefense is not so sure. You 
have to remember, most of the people here at iDefense are deep water 
geeks. What I mean by that is that on the scale of smart people, we 
have: <br /><br />
Smart People<br />&nbsp;&nbsp; |<br />Nobel Prize Winners<br />&nbsp;&nbsp; |<br />
 
Geeks<br />&nbsp;&nbsp; |<br />&nbsp;&nbsp; |<br />&nbsp;&nbsp; |<br />&nbsp;&nbsp; |<br />&nbsp;&nbsp; |<br />
iDefense Geeks<br /><br />
In other words, you may not want these guys and gals to set any fashion 
trends, but when it comes to figuring out cyber issues, they have an 
opinion or two. <br /><br />
And they hate the idea of the iPad. <br /><br /></span><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Steampunk Toaster2.jpg" src="http://blogs.verisign.com/idefense/Steampunk%20Toaster2.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="200" width="250" /></span><span class="iceOutTxt" id="_irSearch_WAR_irSearch_:_irSearch_WAR_irSearch_:j_id181">They hate it because it is a closed system. As you can imagine, these 
folks love gadgets (like the Linux operating system and the Android 
phone, to name two) because there are an infinite number of ways for 
geeks to configure them. They will spend hours manipulating one of these 
devices to automatically download toast recipes from the Internet daily 
and run home-grown Python scripts that engage steam-punk cooking 
apparatus in an effort to have a new variety of toast prepared before 
they wake up each morning. They don't do this because they need it. They 
do it because it is cool. (And I have to say, having a steam-punk 
apparatus making my toast in the morning would be very cool indeed.) <br /><br />
But they can't do that with the iPad because Apple maintains a stranglehold 
on how the system works. Geeks cannot configure it. Oh, you can 
probably buy a steam-punk application for the iPad that will make your 
toast for you, but that is not the same thing. Geeks want the ability 
and power to do it themselves. And that is where the problem lies. <br /><br />
If the geeks of the world have the power to endlessly configure their 
toys, the bad-guy geeks of the world will leverage that. In fact, they 
have been doing that for the past 20 years. <br /><br />
The simple fact is that most Internet users do not need all of that 
power. Most do not even know what a steam punk engine is. I know. It is 
hard to imagine, but it is sadly true. Most are like my mother-in-law: 
consumers of information. They want to read their e-mail, read a Website
 or two, play Farmville and exchange pithy one-liner status messages 
with their friends on their social network of choice. Why would they 
need all of that power that is inherent in an Android smart phone? The 
answer is that they don't. <br /><br />
I am not saying that Apple's iPad is the device that everybody should 
use. I am not even saying that the iPad is hacker proof. What I am 
saying is that devices like the iPad are the safest and most secure 
device today that will work for the largest Internet using population. 
If my mother-in-law is using an iPad device and a banking application 
designed for it by the bank that she uses (a closed system), she is much 
less likely to get owned by a bad-guy geek than if she were using the 
latest incarnation of the Windows operating system (a relatively open 
system). <br /><br />
But the good-guy-geeks of the world will complain that they can't 
configure it. That is OK. Besides being smart, the other thing that 
geeks are good at is complaining. So, if I am king for a day, I would 
give the geeks their toys to play with, but I would also give my 
mother-in-law an iPad to protect herself.
</span> <div><br /></div>]]>
        
    </content>
</entry>

<entry>
    <title>Intelligence Squared, Cyber Warfare and Entertainment Extravaganzas </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/06/intelligence-squared-cyber-warfare-and-entertainment-extravaganzas.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1949</id>

    <published>2010-06-17T10:52:16Z</published>
    <updated>2010-06-17T11:35:29Z</updated>

    <summary>Like I said, this was a spanking. Throughout the debate, the Rotenberg/Schneier team never debated the issue. They were more concerned about what the US Intelligence apparatus might do to US citizens&apos; privacy rights if the US government ever considered the threat of Cyber War to be real. Rotenberg repeatedly came back to the point that the NSA has been trying to take control of the Internet since the early 1970s and this is just the latest salvo in that effort. The Zittrain/McConnell team challenged this argument by agreeing that it was a concern, but it does not really address the question at hand.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Cyber Warfare" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cyberwarfare" label="CyberWarfare" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="mcconnelzittrainrotenbergschneier.png" src="http://blogs.verisign.com/idefense/mcconnelzittrainrotenbergschneier.png" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="217" width="551" /></span><br />I attended the Intelligence Squared&nbsp; debate on Cyber Warfare on June 8, in Washington, DC.<br /><br />Those of you who read my blogs regularly know that I am an avid podcast listener (I have a one-hour commute each way to work). One of the podcasts in my regular rotation is the Intelligence Squared debates. The organizers use an Oxford-style format where two sides debate an issue and the audience decides the winner. Before the debate, the organizers ask the audience to vote on the motion. After the debate, the organizers ask the audience to vote again. The winner is the team that changed the most votes. Intelligence Squared has debated many interesting issues during the last year: "Organic Food is Marketing Hype," "America cannot and will not succeed in Afghanistan," and "Blame Washington more than Wall Street for the Financial Crisis," just to name three.<br /><br />The debate itself was a hoot. 
It was a beautiful night in the capital and the debate was well attended even though it was competing with several high-end entertainment extravaganzas at the same time, including the Washington Nationals' debut of their phenom pitcher Stephen Strasburg and a family concert by Carly Simon and her son Ben Taylor.<br /><br />This was the motion: The Cyber War Threat has been grossly exaggerated.<br /><br />On the left side of the stage (for the motion) was Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), and Bruce Schneier, my former boss and general pundit for the security community.<br /><br />On the right side of the stage (against the motion) was Jonathan Zittrain, co-founder of the Berkman Center for Internet &amp; Society, and Mike McConnell, executive vice president for Booz Allen Hamilton and a former US Director of National Intelligence (DNI).<br /><br />Let me just say that the Zittrain/McConnell team spanked the Rotenberg/Schneier team and the star of the show was Zittrain. He was funny and articulate and every time the Rotenberg/Schneier team tried to make a point, Zittrain bumped them right back into their corner. Here are the results:<br /><br /><b>Before the Debate</b>:<br /><br /><blockquote>For the Motion (Rotenberg/Schneier): 24 percent<br />Against the Motion (Zittrain/McConnell): 54 percent<br />Undecided: 22 percent<br /></blockquote><br /><b>After the Debate</b>:<br /><br /><blockquote>For the Motion (Rotenberg/Schneier): 23 percent<br />Against the Motion (Zittrain/McConnell): 71 percent<br />Undecided: 6 percent<br /></blockquote><br />Like I said, this was a spanking. Throughout the debate, the Rotenberg/Schneier team never debated the issue. They were more concerned about what the US Intelligence apparatus might do to US citizens' privacy rights if the US government ever considered the threat of Cyber War to be real. 
Rotenberg repeatedly came back to the point that the NSA has been trying to take control of the Internet since the early 1970s and this is just the latest salvo in that effort. The Zittrain/McConnell team challenged this argument by agreeing that it was a concern, but it does not really address the question at hand.<br /><br />Schneier pointed out that Cyber War is a theatrical metaphor similar to other metaphors we use to add emphasis to important issues, like the war on drugs or the war on terrorism. The Zittrain/McConnell team countered with the idea that this is not a metaphor; that it is possible to disrupt and destroy in cyber space just like it is in the real world and that we should prepare to defend against those contingencies. McConnell explained that the US economy is annually valued at $14 trillion. In just one day, two high-end US banks alone transfer more than $8 trillion. If a nation state made it impossible for bankers to track that dollar flow, the result would ruin the country. From my point of view, we can all come up with our pet "Doomsday" scenarios that a nation state might use against our respective countries. If we went to war with another country, do we really think that the other side would not use cyber space as a vector? The Rotenberg/Schneier team said yes; they did not think that another nation state would use Cyber War as a vector.<br /><br />The Rotenberg/Schneier team also denied the two examples that everybody, including me, trots out to prove the point that cyber war is real: Estonia and Georgia. They said they were done by kids and therefore not an act of war, and they failed to see how denying access to government websites qualifies as a war. The Zittrain/McConnell team countered with the fact that, at least in the Georgia incident, the attacks were deliberate, rehearsed and executed with impeccable timing. For my part, I would make the argument that anything that adds to your adversary's "Fog of War" only helps your cause. 
If you can't communicate with your staff electronically just before the tanks roll across your border, I'd say your pucker factor would rise exponentially. Moreover, just as an aside, kids conduct many of the conflicts going on today; it does not make them any less lethal.<br /><br />In the end, both sides agreed that the policies the US adopts around cyber warfare should be open to everyone; that there should be no secret planks hidden in the bowels of the Pentagon. McConnell suggested that we need to get the law right before there is a crisis. Everybody agreed.<br /><br />From my perspective, this is a no-brainer. Of course there will be a cyber warfare component in any future war. It is the great leveler. For relatively little cost, a small country could easily compete with a big country in terms of effect in cyber space. Compare that to trying to outspend the US in building an aircraft carrier fleet that can travel unopposed in five oceans. Does the press overhype the phrase "cyber warfare" sometimes? Absolutely. Does that make the threat of cyber warfare grossly exaggerated? I don't think so. I am not the only one who thinks that either. The debate audience definitely thought that at the end of the festivities, but so do a lot of governments around the world. In iDefense's 2010 Trends Paper, published in December 2009, we talked about a shift in the center of gravity away from enterprise IT departments and toward governments in terms of cyber security policy, money spent on cyber security programs and the cyber security personnel that governments hire. Part of that shift concerns itself with cyber warfare.<br /><br />In the end, I had a great time. I got to see some cyber security superstars square off on a very important issue and witnessed the crowd shift their viewpoint from one side to the other. I'll admit, it was a little geeky, but hey, the geeks of the world need entertainment extravaganzas too. <br /><div><br /></div>]]>
        
    </content>
</entry>

<entry>
    <title>Gonzalez, TJX and the FS-ISAC Conference</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/06/gonzalez-tjx-and-the-fs-isac-conference.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1940</id>

    <published>2010-06-02T12:27:13Z</published>
    <updated>2010-06-02T12:53:55Z</updated>

    <summary>You see, they did not know that he was secretly going behind their backs to do the TJX job while he earned $70K a year for being an informant. That was not a typo. They paid Gonzalez $70K a year. </summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Cyber Crime" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Financial" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Government" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Law Enforcement" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="gonzalez" label="Gonzalez" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="FS-ISAC Logo.gif" src="http://blogs.verisign.com/idefense/FS-ISAC%20Logo.gif" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="80" width="208" /></span>A couple of weeks ago I presented at the annual <a href="http://www.fsisac.com/">FS-ISAC</a> (Financial Sector - Information Sharing and Analysis Center) conference held in Saint Petersburg, Florida. I know. It is a tough gig. Somebody has to do the hard jobs around here. 

<br /><br />The FS-ISAC is one of several ISACs "mandated" by the US Government to facilitate information sharing between companies within the same business sector. Other prominent <a href="http://www.isaccouncil.org/">ISACs</a> are the IT-ISAC and the Multi-State ISAC.

<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Albert Gonzalez.png" src="http://blogs.verisign.com/idefense/Albert%20Gonzalez.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="225" width="143" /></span>During the talk, I got to the part where I was discussing the Albert Gonzalez case. If you have been sleeping under a rock for the past year, Gonzalez is the guy who masterminded the TJX breaches. The US Government just recently sentenced him to 20 years for his efforts. It turns out, though, that he was also involved in some of the most nefarious cyber activity of the past decade in one shape or another. 

<br /><br />For example, he was the snitch used by the USSS (United States Secret Service) in Operation Firewall back in 2004, when the feds snatched some 28+ underground carders. He was also a member of the infamous Darkmarket forum, the forum that FBI Agent Mularski infiltrated for two years, resulting in the arrest of some 56 underground carders. It is iDefense speculation that Gonzalez used Darkmarket to exchange credit card numbers with one of his main TJX accomplices: Maksym Yastremskiy. The USSS used Yastremskiy as the linchpin in the case to tie everything back to Gonzalez. 

<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Operation Firewall.png" src="http://blogs.verisign.com/idefense/Operation%20Firewall.png" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="225" width="152" /></span>At this point in the presentation, I was telling the part of the story where the feds were paying Gonzalez an annual salary to be a "consultant" for them. You see, they did not know that he was secretly going behind their backs to do the TJX job while he earned $70K a year for being an informant. That was not a typo. They paid Gonzalez $70K a year.

<br /><br />But that is not the good part. This is the good part.

<br /><br />At this point in the presentation, one of the FS-ISAC leaders stopped me cold and said that he wanted to make an announcement. In the interest of full disclosure, he wanted the audience to know that, in fact, Albert Gonzalez presented at this very same conference not five years ago as part of his federal consultancy gig. The USSS brought him in to give the FS-ISAC membership a view from the hacker's mind. This was about the same time that Gonzalez was launching his TJX scheme.

<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="DarkMarket.png" src="http://blogs.verisign.com/idefense/DarkMarket.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="58" width="325" /></span>How cool is that?
<br /><br />As you might imagine, this little nugget of information brought the house down. I was almost wiping tears from my eyes because I was laughing so much. I could not have planned it better if I were making it all up.]]>
        
    </content>
</entry>

<entry>
    <title>Shadow Network</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/05/shadow-network.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1934</id>

    <published>2010-05-24T16:19:16Z</published>
    <updated>2010-05-24T17:03:51Z</updated>

    <summary>One interesting intelligence nugget that is very similar to the Google incident is the conjecture that there were at least two, and possibly three, different hacking groups involved in the Shadow Network attacks. </summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Cyber Espionage" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Intelligence" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="cyberespionageindiagoogle" label="Cyber Espionage India Google" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Shadowserver - Infowar Monitor.png" src="http://blogs.verisign.com/idefense/Shadowserver%20-%20Infowar%20Monitor.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="98" width="275" /></span>I just finished reading the paper called "Shadows in the Cloud," published by our friends over at the Information Warfare Monitoring Group and the Shadowserver Foundation around the beginning of April. The folks in the Information Warfare Monitoring Group are the same guys who published the Ghostnet paper last year regarding cyber espionage attacks against the Dalai Lama. In fact, this most recent paper is based on leads not pursued by the original research.

<br /><br />This is really a well-written paper. It does not go off half-cocked like many other research efforts of the same ilk. The authors make it very clear that although the attacks originated from the People's Republic of China (PRC), the researchers have absolutely no evidence linking the Chinese government to the attacks. In other words, there is no smoking gun. They also do a very thorough job outlining their methodology.

<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="India - Flag - Map.png" src="http://blogs.verisign.com/idefense/India%20-%20Flag%20-%20Map.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="142" width="188" /></span>The report suggests that although the attackers targeted victims from around the world, they were most interested in government officials in India. Places like<br /><br />

<ul>
	<li>The Indian National Security Council Secretariat</li>
	<li>Any and all Indian Diplomatic Missions</li>
	<li>Indian Military Engineer Services</li>
</ul>... just to name three.

<br /><br />They propose two interesting hypotheses that they admit do not have enough evidence to prove, but seem intriguing.

<br /><br />The first is that "political espionage networks may be deliberately exploiting criminal kits, techniques and networks both to distance themselves from attribution and to strategically cultivate a climate of uncertainty."

<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Cyber Crime-Espionage.png" src="http://blogs.verisign.com/idefense/Cyber%20Crime-Espionage.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="88" width="175" /></span>iDefense has no proof of this either, but I think it is highly likely. In fact, another security research group called Damballa suggested that the Google Aurora attacks were nothing more than a cyber criminal attack, based solely on the techniques used by the attackers. Here at iDefense, we disagree. Our hypothesis has always been that the tools of the trade are the same regardless of what malicious activity you are pursuing. But we should consider this hypothesis from the "Shadows in the Cloud" report. It may not be a matter of convenience but a distinct choice for cyber espionage groups to use criminal kits as a way to hide in the noise.

<br /><br />Their second hypothesis is the idea of Collateral Compromise. The researchers say that "there is a high probability for collateral compromise in any malware network because of mutual dependencies between targeted victims and their associations in Social networks."

<br /><br />I'd say this is highly likely too. It has been my experience over the years that cyber espionage groups cast a wide net initially to see what is there. Then they seek targets of opportunity as they are discovered. This is what happened in India. The bad guys went after the Dalai Lama and eventually found their way over to Indian Government officials through mutual social networking connections.

<br /><br />The researchers also outline attack methodologies in this report that iDefense has documented in other cyber espionage attacks over the past decade: essentially, attackers compromise machines using .PDF, .PPT and .DOC file format exploits and exfiltrate any documents found on the hard drive back to another region of the world. That region usually has no extradition treaties with the West.
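<br /><br />To make the detection side of that methodology concrete, here is an added example (not code from the original post or from the "Shadows in the Cloud" report) that triages a PDF the way a first-pass scanner does: it counts the name objects that active content in a document needs and undoes the hex escapes used to hide those names from a plain substring search. The two sample PDFs are constructed skeletons and the keyword weights are my own.

```python
"""Triage check for document-based exploit carriers, PDF variant.

Added example, not code from the original post or from the Shadows in the
Cloud report. It applies the well-known pdfid-style heuristic: count the PDF
name objects that active content needs (/JavaScript, /OpenAction, /Launch and
so on) and undo the '#xx' hex escapes that are used to hide those names from
naive string matching. A high score is a reason to sandbox the file, not
proof of malice.
"""
import re
from typing import Dict

# Name objects worth a closer look, with a rough weight each. Legitimate
# documents can contain any of them, so this is for prioritising analyst time.
SUSPICIOUS_KEYWORDS: Dict[bytes, int] = {
    b"/JavaScript": 3,   # script carried in the document
    b"/JS": 3,           # short form of the same
    b"/OpenAction": 2,   # action run automatically when the file is opened
    b"/AA": 2,           # additional actions, triggered by viewer events
    b"/Launch": 3,       # action that starts an external program
    b"/EmbeddedFile": 2, # attachment stored inside the PDF
    b"/RichMedia": 2,    # Flash or similar embedded media
    b"/ObjStm": 1,       # object streams can hide other objects from scanners
    b"/XFA": 1,          # XML forms, a second scripting surface
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name ends at whitespace or a delimiter, so '/JS' must not match '/JSX'.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Resolve '#xx' escapes in PDF names, e.g. b'/J#61vaScript' -> b'/JavaScript'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes, normalize: bool = True) -> Dict[bytes, int]:
    """Count whole-name occurrences of each suspicious keyword."""
    haystack = normalize_names(data) if normalize else data
    return {
        kw: len(re.findall(re.escape(kw) + _NAME_END, haystack))
        for kw in SUSPICIOUS_KEYWORDS
    }


def triage(data: bytes) -> dict:
    """Score a PDF byte string and return the findings as a dict."""
    raw = count_keywords(data, normalize=False)
    counts = count_keywords(data, normalize=True)
    # Keywords that only appear after de-escaping were deliberately hidden;
    # ordinary PDF producers do not escape plain ASCII letters in names.
    obfuscated = sum(counts.values()) > sum(raw.values())
    score = sum(SUSPICIOUS_KEYWORDS[k] * n for k, n in counts.items())
    if obfuscated:
        score += 3
    return {
        "is_pdf": data.lstrip().startswith(b"%PDF-"),
        "counts": {k.decode(): n for k, n in counts.items() if n},
        "obfuscated": obfuscated,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "clean",
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample inputs: minimal PDF skeletons, not real documents.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton, plus an open-action pointing at a script object whose
# /JavaScript name is hex-escaped to dodge a plain substring search.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (constructed placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(sample))
```

Point triage_file at a mail attachment quarantine and route anything scoring 3 or more to a sandbox; the counts tell the analyst which keyword to look at first.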

<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="google - Dahli Lama.png" src="http://blogs.verisign.com/idefense/google%20-%20Dahli%20Lama.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="113" width="270" /></span>One interesting intelligence nugget that is very similar to the Google incident is the conjecture that there were at least two, and possibly three, different hacking groups involved in the Shadow Network attacks. Our own iDefense sources say that there may have been multiple groups within Google too, and they did not know about each other until Google went public. In my line of work, there is no such thing as a coincidence. What it means exactly is not clear. It could mean that the perpetrators contracted multiple hacker groups to go after the same targets on purpose, or it could mean that the perpetrating organization is so large that they don't know what everybody is doing. Regardless, the fact that two separate, highly publicized cyber espionage attacks in two completely different regions of the world involved multiple hacking groups at the same time that may or may not have known about each other is very interesting indeed.


<br /><br />It's inconclusive who is behind the latest intrusions into India and the researchers are certainly not ready to lay blame. However, the report is fascinating and well worth a read.
]]>
        
    </content>
</entry>

<entry>
    <title>Kirllos and the 1.5 Million Stolen Accounts</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/05/kirllos-and-the-15-million-stolen-accounts.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1923</id>

    <published>2010-05-05T01:35:47Z</published>
    <updated>2010-05-05T01:54:38Z</updated>

    <summary>Facebook&apos;s assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts most of which he likely created himself. </summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Cyber Crime" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="kirllosfacebook" label="Kirllos Facebook" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[A couple of weeks ago, iDefense got a lot of press for reporting an anomaly found while conducting research on the criminal buying and selling of PII (Personally Identifiable Information). A hacker named "Kirllos" claimed that he had 1.5 million Facebook accounts to sell. That was interesting enough. Most underground sellers of PII don't sell in bulk like that. It attracts too much attention, which this did. As the press would say, it had legs. It seems like every press outlet in the world picked up the story, which was not really a story; it was more of an observation.<br />
<br />
The second anomaly was with Kirllos himself. iDefense analysts had high 
confidence that he was at least a native Russian speaker based on his 
language skills used in the forums and it was likely that he lived in 
Eastern Europe. The reason this is an anomaly is that we have not seen 
many Russian speakers selling Facebook accounts. They tend to stick to 
their own regional sites like the VKontakte social networking site that 
is popular in Russia, Belarus and Ukraine. This is not to say that 
Russians do not sell Facebook accounts, it is just that it does not 
occur too often and definitely not in that volume.
<br />
<br />
So there you are: two pieces of data that don't really mean that much but kind of make you say, hmmmm, that is interesting. To be clear, we never said that these were valid accounts. We made no effort to prove it. The thing that was interesting to us was the volume advertised and the location of origin. At first glance, Kirllos seemed like a valid seller at the time. Before the press got a hold of him, he was a seller in good standing on the forum where we noticed him.<br /><br />
<br />
Enter Facebook.
<br />
<br />
The Facebook security team reached out to me after reading the press 
accounts. As one might suspect, they were all over this Kirllos fellow. 
They had been following him for some time and knew exactly what his 
capabilities were. I use the word "were," the past tense, on purpose. 
This entire episode crippled Kirllos' fledgling career using the Kirllos
 alias. Once the iDefense "observation" hit the press, many other 
underground buyers, including the Facebook security team, attempted to 
contact him to buy the accounts. Kirllos ignored them. Either he did not
 have the accounts to sell or he was afraid that law enforcement was 
onto him. Most likely, it was both. Regardless, many underground forums 
banned Kirllos from the space.
<br />
<br />
Facebook's assessment of Kirllos is that he is a low-level player and 
that he had nowhere near the 1.5 million accounts he advertised. Most 
likely, he had a few hundred accounts, most of which he likely created 
himself. Through some interesting and impressive forensic work, the 
Facebook security team identified the real Facebook accounts owned by 
Kirllos, reset the passwords, and notified the account owners. Awesome!
<br />
<br />
The bad news is that iDefense's reporting on a simple "observation" 
created quite a media frenzy for Facebook. Unfortunately, even though 
iDefense never claimed to have verified the accounts as real, most 
stories suggested that they were.
<br />
<br />
The good news for iDefense is that we now have a new security research 
collaboration partnership with Facebook. I look forward to exchanging 
information with Facebook's security team in the future. As Rick says in
 my favorite movie, "Louis, I think this is the beginning of a beautiful
 friendship." ]]>
        
    </content>
</entry>

<entry>
    <title>PowerPoint Rangers and Ninjas and Generals - Oh My!  </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/04/powerpoint-rangers-and-ninjas-and-generals---oh-my.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1918</id>

    <published>2010-04-29T16:46:50Z</published>
    <updated>2010-04-29T17:42:30Z</updated>

    <summary>The bottom line is that many people are tempted to use PowerPoint as their only vehicle for organizing their thoughts. As General Mattis says, that &quot;makes us stupid.&quot;</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Information Design" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Information Technology" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Media / Entertainment" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Tools and Technologies" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Visualization" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="powerpointranger" label="PowerPoint Ranger" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="powerpoint ranger-acu.gif" src="http://blogs.verisign.com/idefense/powerpoint%20ranger-acu.gif" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="256" width="527" /></span>I have been looking back through some of my previous blogs these past few weeks and I just happened to notice that I seemed to be on a minor rant about how security personnel present security information (in this <a href="http://blogs.verisign.com/idefense/2010/04/book-review-the-wall-street-journal-guide-to-information-graphics-by-donna-wong.html">blog </a>and this <a href="http://blogs.verisign.com/idefense/2010/03/tufte-presidential-panels-and-powerpoint-ninjas.html">blog</a>). I told myself that I would pick another topic this week to avoid seeming like a broken record. Then, this story popped up in the New York <a href="http://www.nytimes.com/2010/04/27/world/27powerpoint.html?no_interstitial">Times </a>called "<b>We Have Met the Enemy and He Is PowerPoint</b>." It is about how some of the leaders in the US military hate the use of PowerPoint as the default way to convey information up and down the chain of command. This quote sums up the article well:<br /><br /><i>"The amount of time expended on PowerPoint, the Microsoft presentation program of computer-generated charts, graphs and bullet points, has made it a running joke in the Pentagon and in Iraq and Afghanistan." </i><br /><br />According to the article, most junior officers fill their time building slide decks for one meeting or another, with many affectionately referring to them as PowerPoint Rangers. (Full disclosure: When I was in the service, I was a qualified PowerPoint Ranger myself. 
Since I retired, I have upgraded my skills to PowerPoint Ninja.)<br /><br />I love the New York Times quotes from the generals (especially the McMaster quote):<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="McMaster.jpg" src="http://blogs.verisign.com/idefense/McMaster.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="237" width="165" /></span><i>"It's dangerous because it can create the illusion of understanding and the illusion of control. Some problems in the world are not bullet-izable."</i><br /><b>-- Brig. Gen. H. R. McMaster </b><br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="McChrystal.jpg" src="http://blogs.verisign.com/idefense/McChrystal.jpg" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="152" width="162" /></span><i>"When we understand that slide, we'll have won the war."</i><br /><b>-- General Stanley A. McChrystal</b> referring to this <a href="http://msnbcmedia.msn.com/i/MSNBC/Components/Photo/2009/December/091202/091203-engel-big-9a.jpg">slide </a>that tries to convey the complexity of the Afghanistan war (I want to meet the Captain who put that slide together - he must have had a lot of time on his hands). <br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Mattis.jpg" src="http://blogs.verisign.com/idefense/Mattis.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="215" width="170" /></span><i>"PowerPoint makes us stupid."</i><br /><b>-- Gen. James N. Mattis of the Marine Corps. 
</b><br /><br />It seems that these military leaders are of like mind with Doctor Edward Tufte.<br /><br />From my <a href="http://blogs.verisign.com/idefense/2010/03/tufte-presidential-panels-and-powerpoint-ninjas.html">blog </a>at the end of March:<br /><br />"You will be interested to know that Dr. Tufte hates PowerPoint; at least the default way that most people use it: Title, 3-5 bullets of text, spinning doughnuts that have nothing at all to do with the presentation. In his seminar, Dr. Tufte does not use it. His famous example-- how NASA's engineers might have failed to prevent the Challenger Space Shuttle catastrophe in 1986 because a badly designed slide deck did not convince NASA leadership to scrub the launch-- is bone chilling." <br /><br />Alas, PowerPoint is not to blame here. Presentation software packages, PowerPoint included, are merely presentation tools. Where the military, NASA, the commercial sector and, of course, the security community fail is in how we all use the tool.<br /><br />What is PowerPoint good for? Conveying ideas to a large group of people - it is actually quite good at that.<br /><br />What is it not good for? Summarizing very complex ideas - at least in its default use (reams of slides filled with indented bullet lists). Presenters can use the tool for good summaries, but the creator needs to back up the work with a longer narrative. This is similar to what we do at iDefense with our written products that cover the same topic at different lengths: Long Papers, Minis, Executive Summaries and One-Page Bullet Lists.<br /><br />Where we all have failed is in using the tool as the only vehicle to construct an original thought. PowerPoint has no method that I know of to convey subtlety or complexity; indeed, its creators did not intend for it to do so. 
I have come to believe that most PowerPoint decks should point back to a larger body of work or should accompany a resident expert. In most cases, the deck should not stand alone. How many times have you requested a copy of the slides used for a briefing that you thought was outstanding, but by the time you got around to reading them again, you found that you could not remember why you thought they were so good?<br /><br />The bottom line is that many people are tempted to use PowerPoint as their only vehicle for organizing their thoughts. As General Mattis says, that "makes us stupid." Here is my recommendation for all the security geeks out there. If you are trying to convey your idea, before you resort to slide decks, write it out. Talk to your friends about it. Draw it on the white board or a handy bar napkin or your passed-out buddy's bald head. When done, write it out again and look for holes in your thinking. When you are done with all of that, you might be ready to pull out the PowerPoint program and work on your Ranger tab.<br /><br />Actually, the <a href="http://msnbcmedia.msn.com/i/MSNBC/Components/Photo/2009/December/091202/091203-engel-big-9a.jpg">slide </a>that General McChrystal denounced in the New York Times article is the perfect slide that the presenter should have used. With one slide, General McChrystal instantly understood how complex the Afghanistan problem is. If that were the author's intent, then hoorah - the meeting would have been over! Doctor Tufte would be proud. <br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="AfghanistanComlexity.jpg" src="http://blogs.verisign.com/idefense/AfghanistanComlexity.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="137" width="188" /></span>]]>
        
    </content>
</entry>

<entry>
    <title>Books for the Security Professional</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/04/books-for-the-security-professional.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1915</id>

    <published>2010-04-21T16:58:16Z</published>
    <updated>2010-04-21T17:09:42Z</updated>

    <summary>If you are new to the field, start with the titles in the &quot;Novels and Books for Historical Context.&quot; As the subtitle implies, you should have read these by now.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Books" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="books" label="Books" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[This is not a comprehensive list of books that all security professionals should read. It is really my own eclectic collection that I have found valuable in understanding the cyber security landscape throughout my career. If you are new to the field, start with the titles in the "Novels and Books for Historical Context." As the subtitle implies, you should have read these by now.<br /><br /><b>Novels and Books for Historical Context </b> <br />
(You should have read these by now.) <br />
<a href="http://www.amazon.com/Neuromancer-William-Gibson/dp/0441012035/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904169&amp;sr=8-1">"Neuromancer"</a>
 by William Gibson <br />
<a href="http://www.amazon.com/gp/product/1416507787/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904211&amp;sr=1-1">"The
 Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"</a>
 by Cliff Stoll <br />
<a href="http://www.amazon.com/Snow-Crash-Bantam-Spectra-Book/dp/0553380958/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904235&amp;sr=1-1">"Snow
 Crash"</a> by Neal Stephenson <br />
<a href="http://www.amazon.com/Fatal-System-Error-Bringing-Internet/dp/1586487485/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1267012939&amp;sr=1-1">"Fatal
 System Error: The Hunt for the New Crime Lords"</a> by Joseph Menn <br /><br />

<b>Current State-of-the-Art Books</b> <br />
<a href="http://www.amazon.com/Cyber-Fraud-Tactics-Techniques-Procedures/dp/1420091271/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904263&amp;sr=1-1">"Cyber
 Fraud: Tactics, Techniques and Procedures"</a> by iDefense (shameless 
plug) <br /><br />

<b>Books You Should Hand Your New Boss as He Comes in the Door</b> <br />
<a href="http://www.amazon.com/Secrets-Lies-Digital-Security-Networked/dp/0471453803/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904294&amp;sr=1-1">"Secrets
 and Lies: Digital Security in a Networked World"</a> by Bruce Schneier <br /><br />

<b>Good Hacker Novels that Don't Exaggerate the Genre</b> <br />
<a href="http://www.amazon.com/Blue-Nowhere-Novel-Jeffery-Deaver/dp/0671042262/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904352&amp;sr=1-1">"The
 Blue Nowhere: A Novel"</a> by Jeffery Deaver <br /><br />

<b>Interesting Cyber Security Novels that I Just Liked </b><br />
<a href="http://www.amazon.com/Cryptonomicon-Neal-Stephenson/dp/0060512806/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904376&amp;sr=1-1">"Cryptonomicon"</a>
 by Neal Stephenson <br />
<a href="http://www.amazon.com/Killobyte-Piers-Anthony/dp/0441444253/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904316&amp;sr=1-1">"Killobyte"</a>
 by Piers Anthony<br />
<a href="http://www.amazon.com/Zenith-Angle-Bruce-Sterling/dp/0345468651/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1267012884&amp;sr=1-1">"The
 Zenith Angle"</a> by Bruce Sterling<br /><br />

<b>Gaming and Future Intelligence Collection</b><br />
<a href="http://www.amazon.com/Daemon-Daniel-Suarez/dp/0525951113/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904405&amp;sr=1-1">"Daemon"</a>
 by Daniel Suarez<br />
<a href="http://www.amazon.com/Halting-State-Ace-Science-Fiction/dp/0441016073/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1267012845&amp;sr=8-1">"Halting
 State"</a> by Charles Stross<br /><br />

<b>Information Design</b><br />
<a href="http://www.amazon.com/Visual-Display-Quantitative-Information-2nd/dp/0961392142/ref=sr_1_2?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-2">"The
 Visual Display of Quantitative Information, 2nd edition"</a> by Edward 
Tufte<br />
<a href="http://www.amazon.com/Visual-Explanations-Quantities-Evidence-Narrative/dp/0961392126/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-1">"Visual
 Explanations: Images and Quantities, Evidence and Narrative"</a> by 
Edward Tufte<br />
<a href="http://www.amazon.com/Envisioning-Information-Edward-R-Tufte/dp/0961392118/ref=sr_1_3?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-3">"Envisioning
 Information"</a> by Edward Tufte<br />
<a href="http://www.amazon.com/Beautiful-Evidence-Edward-R-Tufte/dp/0961392177/ref=sr_1_5?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-5">"Beautiful
 Evidence"</a> by Edward Tufte<br />
<a href="http://www.amazon.com/Street-Journal-Guide-Information-Graphics/dp/0393072959">"The
 Wall Street Journal Guide to Information Graphics"</a> by Donna Wong ]]>
        
    </content>
</entry>

<entry>
    <title>Book Review: &quot;The Wall Street Journal Guide to Information Graphics&quot; by Donna Wong  </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/04/book-review-the-wall-street-journal-guide-to-information-graphics-by-donna-wong.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1914</id>

    <published>2010-04-21T16:47:03Z</published>
    <updated>2010-04-21T16:57:30Z</updated>

    <summary>You can learn a lot by spending three or four hours perusing this book.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Books" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Information Design" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="wallstreetjournal" label="Wall Street Journal" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Wall Street Journal Guide to Information Graphics.jpg" src="http://blogs.verisign.com/idefense/Wall%20Street%20Journal%20Guide%20to%20Information%20Graphics.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="206" width="154" /></span>I just finished reading <a href="http://www.amazon.com/Street-Journal-Guide-Information-Graphics/dp/0393072959">"The
 Wall Street Journal Guide to Information Graphics"</a> by Donna Wong. A
 couple of weeks ago, I went on a fan-boy <a href="http://blogs.verisign.com/idefense/2010/03/tufte-presidential-panels-and-powerpoint-ninjas.html">rant</a>
 regarding the research and writings of Dr. Edward Tufte, who, in my 
opinion, is the smartest person on the planet when it comes to conveying
 complex ideas in a chart. His books and lectures over the years have 
really helped me convey complex security ideas to my bosses and 
customers. However, the downside to Doctor Tufte's methods is that he 
does not make it easy for you. He expects you to wade through the entire
 set of books (count 'em, four in all) and decide for yourself. He gives
 no executive summaries, no bullet points and definitely no accompanying
 PowerPoint slide decks. Enter Ms. Wong.
<br /><br />
According to the back cover, Ms. Wong has been doing information 
graphics for more than 20 years and she was a student of Doctor Tufte 
back in the day. Compared to Tufte though, Wong is concise: her thin 
book of 149 pages is a how-to book for creating effective charts, mostly
 for newspaper-type publications, as the title implies. 
<br /><br />

This is not a book you read cover to cover. It is more of a cookbook. 
Want to know how to do a line chart? Turn to page 49 and admire the 
layout. On the left page, Wong describes all the incorrect ways to do 
it. "Never shade below a line unless the chart has a zero baseline." On 
the right, she shows all the ways to do a line chart correctly. "Choose 
the y-axis scale so that the height of the fever line occupies roughly 
two-thirds of the chart area." On both pages, she outlines the dos and 
don'ts in a terse and easy-to-read form. Unlike Tufte, she is not giving
 you the history of line charts from the beginning of time to the 
present. She just gives her opinions based on 20 years of industry 
experience. If you are in a hurry, this is a book to keep on your shelf 
regardless of whether you are just beginning your security career or are a
 grizzled veteran.
<br /><br />

My only knock on the book is that as the reader gets to the later parts, 
the examples tend to be more and more specific to journalism; mostly 
financial journalism; however, this is a minor knock. You can learn a 
lot by spending three or four hours perusing this book. You can 
definitely make your own charts better if you review the appropriate 
section of Ms. Wong's book before you go final with your own chart 
designs. I think it is so valuable that I am going to add it to my own 
recommended book list for security professionals. For those of you 
following along at home, here is the latest list:
<br /><br />


<b>Novels and Books for Historical Context </b> <br />
(You should have read these by now.) <br />
<a href="http://www.amazon.com/Neuromancer-William-Gibson/dp/0441012035/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904169&amp;sr=8-1">"Neuromancer"</a>
 by William Gibson <br />
<a href="http://www.amazon.com/gp/product/1416507787/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904211&amp;sr=1-1">"The
 Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"</a>
 by Cliff Stoll <br />
<a href="http://www.amazon.com/Snow-Crash-Bantam-Spectra-Book/dp/0553380958/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904235&amp;sr=1-1">"Snow
 Crash"</a> by Neal Stephenson <br />
<a href="http://www.amazon.com/Fatal-System-Error-Bringing-Internet/dp/1586487485/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1267012939&amp;sr=1-1">"Fatal
 System Error: The Hunt for the New Crime Lords"</a> by Joseph Menn <br /><br />

<b>Current State-of-the-Art Books</b> <br />
<a href="http://www.amazon.com/Cyber-Fraud-Tactics-Techniques-Procedures/dp/1420091271/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904263&amp;sr=1-1">"Cyber
 Fraud: Tactics, Techniques and Procedures"</a> by iDefense (shameless 
plug) <br /><br />

<b>Books You Should Hand Your New Boss as He Comes in the Door</b> <br />
<a href="http://www.amazon.com/Secrets-Lies-Digital-Security-Networked/dp/0471453803/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904294&amp;sr=1-1">"Secrets
 and Lies: Digital Security in a Networked World"</a> by Bruce Schneier <br /><br />

<b>Good Hacker Novels that Don't Exaggerate the Genre</b> <br />
<a href="http://www.amazon.com/Blue-Nowhere-Novel-Jeffery-Deaver/dp/0671042262/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904352&amp;sr=1-1">"The
 Blue Nowhere: A Novel"</a> by Jeffery Deaver <br /><br />

<b>Interesting Cyber Security Novels that I Just Liked </b><br />
<a href="http://www.amazon.com/Cryptonomicon-Neal-Stephenson/dp/0060512806/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904376&amp;sr=1-1">"Cryptonomicon"</a>
 by Neal Stephenson <br />
<a href="http://www.amazon.com/Killobyte-Piers-Anthony/dp/0441444253/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904316&amp;sr=1-1">"Killobyte"</a>
 by Piers Anthony<br />
<a href="http://www.amazon.com/Zenith-Angle-Bruce-Sterling/dp/0345468651/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1267012884&amp;sr=1-1">"The
 Zenith Angle"</a> by Bruce Sterling<br /><br />

<b>Gaming and Future Intelligence Collection</b><br />
<a href="http://www.amazon.com/Daemon-Daniel-Suarez/dp/0525951113/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1242904405&amp;sr=1-1">"Daemon"</a>
 by Daniel Suarez<br />
<a href="http://www.amazon.com/Halting-State-Ace-Science-Fiction/dp/0441016073/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1267012845&amp;sr=8-1">"Halting
 State"</a> by Charles Stross<br /><br />

<b>Information Design</b><br />
<a href="http://www.amazon.com/Visual-Display-Quantitative-Information-2nd/dp/0961392142/ref=sr_1_2?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-2">"The
 Visual Display of Quantitative Information, 2nd edition"</a> by Edward 
Tufte<br />
<a href="http://www.amazon.com/Visual-Explanations-Quantities-Evidence-Narrative/dp/0961392126/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-1">"Visual
 Explanations: Images and Quantities, Evidence and Narrative"</a> by 
Edward Tufte<br />
<a href="http://www.amazon.com/Envisioning-Information-Edward-R-Tufte/dp/0961392118/ref=sr_1_3?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-3">"Envisioning
 Information"</a> by Edward Tufte<br />
<a href="http://www.amazon.com/Beautiful-Evidence-Edward-R-Tufte/dp/0961392177/ref=sr_1_5?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-5">"Beautiful
 Evidence"</a> by Edward Tufte<br />
<a href="http://www.amazon.com/Street-Journal-Guide-Information-Graphics/dp/0393072959">"The
 Wall Street Journal Guide to Information Graphics"</a> by Donna Wong ]]>
        
    </content>
</entry>

<entry>
    <title>Software Liability, World of Warcraft, and the Principles and Practice of Engineering Exam  </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/04/software-liability-world-of-warcraft-and-the-principles-and-practice-of-engineering-exam.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1903</id>

    <published>2010-04-09T13:10:38Z</published>
    <updated>2010-04-09T16:01:17Z</updated>

    <summary>Thus, you can see my embarrassment. On one hand, we put people on the moon. On the other, we still have buffer overflows. Perhaps the computer scientists of the world, me included, could raise our sights a bit. </summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Software Liability" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="softwareliability" label="Software Liability" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Aiko Toyoda.jpg" src="http://blogs.verisign.com/idefense/Aiko%20Toyoda.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="310" width="194" /></span>One of my colleagues at iDefense, Sean Larsson, and I were discussing 
software liability last week. This popped up around the water cooler 
because Toyota executives admitted that software glitches caused some of
 the <a href="http://www.pcmag.com/article2/0,2817,2358887,00.asp">brake
 failures that have been in the news lately</a>.
<br />
<br />
From my take on the US zeitgeist, most people are shrugging this off as 
just another big company not executing the proper due diligence on its 
products, but this situation is different. This is a software problem 
and one of my pet peeve topics. 
<br />
<br />
As a computer scientist, I am embarrassed that my field has not 
developed into a profession more akin to our civil, mechanical and 
electrical engineering counterparts. Those engineers have to attend at 
least a four-year college program sanctioned by the Accreditation Board 
for Engineering and Technology (<a href="http://www.abet.org/">ABET</a>),
 pass the <a href="http://www.ncees.org/Exams/FE_exam.php">Fundamentals 
of Engineering Exam</a> and then, after several years working for a 
licensed engineer, pass the <a href="http://www.ncees.org/Exams/PE_exam.php">Principles and Practice of
 Engineering Exam</a> before they can call themselves "professional 
engineers." Many software development companies, by contrast, will allow
 anybody who can get a program to compile to work for them. Professional
 engineers build bridges, spacecraft, dams and power grids without risk 
of life or limb to the general populace. When somebody does <a href="http://www.wired.com/wired/archive/14.06/start.html?pg=9">screw up</a>
 though, there are <a href="http://www.matscieng.sunysb.edu/disaster/">consequences</a>
 for that engineer and most likely everybody that works for him or her. 
 
<br />
<br />
Computer scientists, by contrast, have no equivalent professional 
program. If they are lucky, they get to attend an ABET school for 
computer science, but that is about it. Until recently, if they screwed 
up, these computer scientists just went back to their computers and 
published a patch for software that should have worked in the first 
place. There are no consequences for building bad software, no outside 
organization that can uphold community standards as some do for 
professional engineers, doctors and lawyers.
<br />
<br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="wowGoogWolf.png" src="http://blogs.verisign.com/idefense/wowGoogWolf.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="303" width="312" /></span>Don't get me wrong. Software developers have created some beautiful 
pieces of code over the years. There are, perhaps, an infinite number of
 examples you could point to that would make you say to yourself, "Wow, 
that is amazing." Off the top of my head, here are three relatively 
recent examples: the <a href="http://www.google.com/">Google search 
engine</a>, the <a href="http://www.wolframalpha.com/">WolframAlpha 
knowledge engine</a> and the World of Warcraft massively multiplayer 
online role-playing game (<a href="http://www.worldofwarcraft.com/index.xml">MMORPG</a>). For you 
gamers out there, you know I had to slip in a game for my list. 
<br />
<br />
Here is the rub. Even though we have built some amazing automation over 
the years, we still cannot eradicate the most basic of security coding 
errors: the "buffer overflow." This problem and others like it have been
 around for 50 years because they are "too hard" to fix. Wait, that is 
not correct. We absolutely know how to code without introducing buffer 
overflow errors. Every college student in CS-101 is taught how. The 
problem is that, as a profession, we do not have the will to enforce it.
 Tell that to the NASA engineers who put people on the moon and brought 
them back safely. 
<br />
<br />
Thus, you can see my embarrassment. On one hand, we put people on the 
moon. On the other, we still have buffer overflows. Perhaps the computer
 scientists of the world, me included, could raise our sights a bit.
<br />
<br />
As Sean says, there is hope. It is ironic to me that we might have 
Microsoft to blame for any success in this area. Its <a href="http://msdn.microsoft.com/en-us/library/ms995349.aspx">Trustworthy
 Computing Security Development Lifecycle</a>, although not perfect, is 
the model for the industry. Indeed, Adobe adopted similar practices 
about two years ago and is working to get it right. Gary McGraw's book, "<a href="http://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705">Software
 Security: Building Security In</a>" is a treatise on best practices 
that software houses and internal software development programs can use 
to improve their secure coding practices. (By the way, Gary works in the
 building adjacent to ours in Virginia. I met him at the <a href="http://www.fsisac.com/events/spring_conference/2010/">FS-ISAC 
conference</a> last year). All of this is a long way from passing the 
Principles and Practice of Engineering Exam for computer scientists, but
 it is progress.
<br />
<br />
As <a href="http://www.schneier.com/crypto-gram-0204.html">Bruce 
Schneier</a> said in 2002, "[C]omputer security is at a crossroads. It's
 failing, regularly, and with increasingly serious results." The Toyota 
example is just the latest and probably the most obvious to the general 
populace. Eight years after Schneier's blog and 50 years after computer 
programming began in earnest, we still have not figured out how to 
legitimize our profession. ]]>
        
    </content>
</entry>

<entry>
    <title>Tufte, Presidential Panels and PowerPoint Ninjas  </title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/03/tufte-presidential-panels-and-powerpoint-ninjas.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1897</id>

    <published>2010-03-25T18:54:10Z</published>
    <updated>2010-03-25T20:21:59Z</updated>

    <summary>You will be interested to know that Dr. Tufte hates PowerPoint; at least the default way that most people use it: Title, 3-5 bullets of text, spinning doughnuts that have nothing at all to do with the presentation.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Books" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Visualization" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="dredwardtufte" label="Dr. Edward Tufte" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="EdwardTufte.jpg" src="http://blogs.verisign.com/idefense/EdwardTufte.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="262" width="188" /></span>I'll admit it. I am a fan boy for Dr. Edward Tufte, professor emeritus 
of political science, statistics and computer science at Yale. In my 
opinion, he is the world's leading expert on how to display complex data
 in a visual form. When I <a href="http://www.nytimes.com/2010/03/22/business/media/22link.html">learned</a>
 last week that President Obama had appointed him to advise the Recovery
 Accountability and Transparency Board, I was elated. The board's 
mission is to monitor the way the US Government is spending the $787 
billion stimulus package. There is not a better person for the job.
<br /><br />

I ran into Dr. Tufte almost a decade ago when I was still in the 
service. I was running the Army's Computer Emergency Response Team at 
the time and we were struggling with how to convey the complex concepts 
of network defense, network offense and network exploitation to Army 
leadership; mostly to generals who had spent their entire Army careers 
leading infantrymen, tankers and artillerymen into battle. These guys 
are smart but they do not spend a lot of time in the land of Ones and 
Zeros. I needed help. A friend of mine suggested Dr. Tufte's traveling <a href="http://www.edwardtufte.com/tufte/">seminar</a> that just happened
 to be in town that week.
<br /><br />

I was stunned.
<br /><br />

He spent eight hours running the audience through a historical 
cornucopia of visual presentations, both bad and good, to illustrate 
what works and what does not work. His famous example-- how NASA's 
engineers might have failed to prevent the Challenger Space Shuttle 
catastrophe in 1986 because a badly designed slide deck did not convince
 NASA leadership to scrub the launch-- is bone chilling. His more 
positive example-- how Dr. John Snow was able to determine the cause of 
London's Cholera epidemic of 1854 by plotting the deaths on a city map 
and learning that a communal water hole was the most likely source-- is 
inspiring.
<br /><br />

As a former soldier, I am most impressed with Charles Joseph Minard's <a href="http://www.edwardtufte.com/tufte/posters">chart</a> depicting the
 folly of invading Russia. Tufte thinks that this is "[p]robably 
the best statistical graphic ever drawn." On one chart, Minard displays 
the gross losses of Napoleon's Army as it traveled to Moscow (Tan Line left to right) and 
retreated back (Black Line right to left), the time frame it took, the weather and temperature that
 accompanied the Army and the devastating personnel loss of doing 
multiple river crossings in the dead of winter during a retreat. 
Germany's generals would have learned a lot from this chart before they tried and
failed to do the same thing in World War II.

<br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Minard.gif" src="http://blogs.verisign.com/idefense/Minard.gif" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="248" width="352" /></span><br />

For the price of the course, Dr. Tufte gives you all four of his books on the subject: <br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Tufte-Books.png" src="http://blogs.verisign.com/idefense/Tufte-Books.png" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" height="824" width="170" /></span><br /><ul><li><a href="http://www.amazon.com/Visual-Display-Quantitative-Information-2nd/dp/0961392142/ref=sr_1_2?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-2">The

 Visual Display of Quantitative Information, 2nd edition</a></li><li><a href="http://www.amazon.com/Visual-Explanations-Quantities-Evidence-Narrative/dp/0961392126/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-1">Visual
 Explanations: Images and Quantities, Evidence and Narrative</a></li><li><a href="http://www.amazon.com/Envisioning-Information-Edward-R-Tufte/dp/0961392118/ref=sr_1_3?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-3">Envisioning
 Information</a></li><li><a href="http://www.amazon.com/Beautiful-Evidence-Edward-R-Tufte/dp/0961392177/ref=sr_1_5?ie=UTF8&amp;s=books&amp;qid=1269438556&amp;sr=1-5">Beautiful
 Evidence</a></li></ul>
<br />

That night, I ran home to devour the books. Over the course of a few 
evenings, I could do nothing but sift through example after example of 
charts and displays from China's Railway Table of 1985 to Galileo's 
proof that sun spots were not orbiting the sun, but were actually part 
of it. I recommend all of the books highly and, of course, if you get 
the chance to attend the <a href="http://www.edwardtufte.com/tufte/">seminar</a>,
 just do it. You will not be disappointed. I have since been back to 
attend a second time.
<br /><br />

You may be asking yourself just what does all of this have to do with 
security. I am glad you asked.
<br /><br />

Like most of you, I do a lot of presentations. In fact, I am a 
PowerPoint Ninja. I have done so many presentations that I am getting 
close to the magic 10,000 hour number that Malcolm Gladwell mentions in 
his book, "Outliers: The Story of Success." I am usually educating an 
audience on some security matter or trying to convince leadership to 
give me something that I want. In both cases, how I present the 
information is key to the success.
<br /><br />

You will be interested to know that Dr. Tufte hates PowerPoint; at least
 the default way that most people use it: Title, 3-5 bullets of text, 
spinning doughnuts that have nothing at all to do with the presentation.
 In his seminar, Dr. Tufte does not use it. The fact is though that 
PowerPoint, and its non-Microsoft equivalents, are tools of the trade 
for most businesses and especially for security people. We need to 
report status, explain technical issues and beg for money to start and 
maintain pet projects. We all use a PowerPoint equivalent to do it. More
 importantly, we as security professionals have to build the charts and 
diagrams and graphs that we stuff into those slide decks and other 
written reports to make our point. Even though Dr. Tufte hates 
PowerPoint, his design guidelines will help you build better decks and 
reports.
<br /><br />

According to <a href="http://voices.washingtonpost.com/federal-eye/2010/03/obama_taps_designer_for_stimul.html">Tufte</a>,
 "Presentations largely stand or fall on the quality, relevance, and 
integrity of the content. If your numbers are boring, then you've got 
the wrong numbers. If your words or images are not on point, making them
 dance in color won't make them relevant. Audience boredom is usually a 
content failure, not a decoration failure."
<br /><br />

He is now helping the government explain where it is spending the 
stimulus money at <a href="http://www.recovery.gov/Pages/home.aspx">recovery.gov</a>.
 According to <a href="http://blog.newsweek.com/blogs/thegaggle/archive/2010/03/09/How-Legendary-Information-Designer-Edward-Tufte-Can-Help-Obama-Govern-.aspx">Newsweek</a>,
 "The result, as anyone who has spent significant amounts of time 
scouring government Web sites for information will tell you, is perhaps 
the clearest, richest interactive database ever produced by the American
 bureaucracy."
<br /><br />
That is exactly my point.

]]>
        
    </content>
</entry>

<entry>
    <title>eCrimes and an Internet Tax</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/idefense/2010/03/ecrimes-and-an-internet-tax.html" />
    <id>tag:blogs.verisign.com,2010:/idefense//28.1890</id>

    <published>2010-03-16T19:33:16Z</published>
    <updated>2010-03-16T23:28:17Z</updated>

    <summary>Clearly, we have a problem. Using ISPs as vaccinators is a wonderful idea; paying for it is problematic. An Internet tax may fit the bill, but we should all start getting used to the idea that running and securing this great experiment in connecting the world is not free.</summary>
    <author>
        <name>Rick Howard</name>
        
    </author>
    
        <category term="Conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Internet Tax" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Policy" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="internettax" label="Internet Tax" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/idefense/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="ecrimes.gif" src="http://blogs.verisign.com/idefense/ecrimes.gif" class="mt-image-left" style="margin: 0pt 20px 20px 0pt; float: left;" height="60" width="160" /></span>I am in London this week getting ready to kick off the <a href="http://www.e-crimecongress.org/ecrime2010/">eCrimes</a>
conference. This is my second trip out here for this great event. I get
to travel to London, burn my tongue senseless on some very hot Thai
food (I highly recommend the <a href="http://www.mangotree.org.uk/">Mango Tree,</a> but I may have to go through several therapy sessions to recover) and spend the week seeing customers.
<br />
<br />
The marketing folks have me on the treadmill today. I am facilitating a
discussion with Eli Jellenc, the Manager of the iDefense International
Cyber Team, at breakfast this morning with about 25 CISOs. We are going
to touch on these topics:<br /><br /><ul><li>Targeted attacks by criminal organizations</li><li>Invasive government activity (e.g., monitoring)</li><li>Hacking of mobile hardware devices</li><li>Increases in corporate espionage</li><li>Distribution of malware via social networking sites</li><li>Outsourcing software development to foreign countries</li></ul><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Soca.gif" src="http://blogs.verisign.com/idefense/Soca.gif" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" height="64" width="160" /></span>I am then presenting during the 9:20 a.m. keynote slot behind Paul
Hoare, the Senior Manager of UK's SOCA (Serious and Organized Crime
Agency). I am giving the Reader's Digest version of the iDefense
patented Trends Briefing -- it should be a "hoot." If you are in town,
let me know. I am buying the beer.
<br />
<br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="rsa_2010.jpg" src="http://blogs.verisign.com/idefense/rsa_2010.jpg" class="mt-image-left" style="margin: 0pt 20px 20px 0pt; float: left;" height="129" width="200" /></span>But, none of this is what I want to talk about today. During the RSA conference two weeks ago, <a href="http://www.microsoft.com/presspass/exec/charney/2010/03-02RSA2010.mspx">Microsoft's Scott Charney suggested</a>
that an Internet tax might be a way to reduce the cost of implementing
a vaccination-like program for malware-infected consumer machines. This
type of program would be similar to how parents vaccinate their
children before sending them to school. He suggested that the Internet
Service Providers (ISPs) might be the designated vaccinators, scanning
and cleaning machines before they let "grandma's" machine access the
Internet. Charney noted that the business world already does this
today. Many enterprises scan computers on the fly every time someone
accesses their corporate networks. If a computer does not pass a scan,
the user cannot access the company network. In his RSA speech, Charney
asked, who does that for the consumer?
<br />
<br />Of course, the ISPs have no incentive to do that kind of thing
today. What's in it for them? Charney suggested that the government
could compel the ISPs to conduct such scans as part of their business
license requirements. He was not naive enough, though, to suggest that
this was a no-cost operation for the ISPs. In order to offset those
costs, Charney suggested an Internet tax -- an added cost to consumers
in order for the ISPs to pay for the vaccination program.
<br />
<br />Well, you would have thought that Charney publicly advocated the
buying and selling of babies for slave labor. Everybody jumped in to
say why this was a <a href="http://www.computerworld.com/s/article/9166458/Microsoft_s_tax_for_hacks_horrible_idea_say_security_experts">"horrible" idea,</a> including Gartner's John Pescatore, Qualys' Wolfgang Kandek, ESET's <a href="http://www.eset.com/blog/2010/03/04/the-biggest-botnet-in-the-world">Randy Abrams</a> and nCircle's Andrew Storms.
<br />
<br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="microsoft.jpg" src="http://blogs.verisign.com/idefense/microsoft.jpg" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" height="57" width="238" /></span>After reading their reasons, it seems to me that some of these folks
had not understood Charney's suggestion in context. They reacted to the
tax idea without understanding the reasoning behind the tax; they
knee-jerked against the general principle of an Internet tax, as if
there could be no possible reason to hinder their God-given rights to
free use of the Internet. This all appears short-sighted to me.
<br />
<br />As Charney pointed out in his speech, "We pay a fee to put phone
service in rural areas, we pay a tax on our airline ticket for
security. You could say it's a public safety issue and do it with
general taxation."
<br />
<br />
<a href="http://www.computerworld.com/s/article/9164438/Microsoft_s_security_chief_suggests_Net_tax_to_clean_computers">Computerworld</a>
quotes Microsoft statistics: "there are 3.8 million infected botnet
computers worldwide, 1 million of which are in the U.S. They are used
to steal sensitive information and send spam and were a launching point
for 190,000 distributed denial-of-service attacks in 2008."
<br />
<br />Clearly, we have a problem. Using ISPs as vaccinators is a
wonderful idea; paying for it is problematic. An Internet tax may fit
the bill, but we should all start getting used to the idea that running
and securing this great experiment in connecting the world is not free.<br /> ]]>
        
    </content>
</entry>

</feed>
