Wednesday, October 17, 2012

Tools of Oppression

"In reality, cyber tools of oppression are most often in the form of databases."

Just a short note for the day. Gary McKinnon not being extradited is interesting as well - truth be told, America's sentencing guidelines for hackers tend to be far out of the ordinary for a first world nation. Generally a hacker is looking at more time than a rapist or murderer, which is probably a bit out of whack.

You don't see the EFF going on about this though. You do see them talking about exploit sales, which I think is a misjudgment.

Monday, October 15, 2012

Being "held accountable" is the new black.

There's a general proscription in the IC about talking in any way about offensive things - for good reason. For that reason, I recommend you take a little grain of salt with some of the things in Secretary Panetta's talk (here).

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco.  Shamoon included a routine called a ‘wiper’, coded to self-execute.  This routine replaced crucial systems files with an image of a burning U.S. flag.  But it also put additional garbage data that overwrote all the real data on the machine.  More than 30,000 computers that it infected were rendered useless and had to be replaced.  It virtually destroyed 30,000 computers.

For example, the reason the Iranians named their module "wiper" is to throw the name back at their attackers, who had previously destroyed some Iranian oil refinery computers.

Over the last two years, DoD has made significant investments in forensics to address this problem of attribution and we're seeing the returns on that investment.  Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.

Likewise, offensive operations are how you do attribution, although defensive tools (such as forensics) typically have a small role as well (IMHO).

A big question here is the meaning of "Hold them accountable." Does this mean targeted assassination, the way it does with Iranian nuclear scientists? Is that how far we've come?

Friday, October 12, 2012


There's been no real "Cyber Security" in the last two debates, either the Presidential or last night's VP debate. In fact, there's been very little "tech" at all in the last few debates, although the Republicans are coming out as "anti-green-energy-subsidies" which may or may not be a good political move.

Is it possible we'll get all the way to the election without cyber security becoming a Presidential-level issue?

Monday, October 8, 2012

There are Consequences for Getting Caught

So the big news is about to drop. The unfortunate thing, whether Huawei has been spying or not, is they are in a very difficult and indefensible position. Even their direct whitepaper response leaves a lot to consider.

Huawei's response that it would require hundreds of thousands of people to pull off an attack of this magnitude is false. The final firmware burn-in on their products would be controlled by very small teams, if not individuals. A well-placed government asset in this position could very easily slip in code that passes all regression testing by the quality assurance team, but has additional behaviour that doesn't affect the end product.

Assuming their manufacturing process is locked down, do they apply the same rigor when handling remote firmware updates? Numerous times in the past we've seen build servers (à la Adobe) or source repositories get remotely compromised. The result varies, but the typical end goal is to backdoor the product, and Huawei is a prime target for an attack of this nature. The important thing to note is that this does not require an embedded government asset, only a well-placed attack. Let's not forget that Cisco had their own breach that saw an 800MB chunk of source code get stolen, some of which was later publicly posted. Had the Cisco attacker used a little less ego, he very well could have begun a targeted campaign to backdoor Cisco products or IOS updates.

It begs the question: how does the CSO of Huawei, or the US government, know whether the supply chain has or hasn't been compromised? The only way for the US to know this for certain is to have someone embedded at the same trust level as the people actually coordinating or carrying out the espionage. Disclosing this fact would compromise their own position, so that is less likely, but still a possibility.

Could it also be that Huawei has been caught enough times, and a mountain of independent evidence has finally piled up to a tipping point? If this is the case then how does their CSO not know that they have been compromised? If this is true, it is the most damaging situation Huawei could find themselves in.

I often wonder why the US has picked Huawei out of a number of foreign telecommunications manufacturers. Why aren't we examining all foreign entities that power critical infrastructure in North America? The unfortunate thing is that the congressional report will give the high-level information, but the classified annex will have the real dirty details as to why they did this in the first place. That is information only a select few will have access to. Yet they are still free to wage a very public campaign against Huawei.

There is a key takeaway from this story that other foreign companies should be aware of. If the US comes knocking at your door: open it, let them do what they want, see what they want, and record what they want or they will make you pay dearly for it.

UPDATE: The committee report is here.

Friday, July 20, 2012

Obama and Cyber Security

President Obama has released an Op-Ed with some interesting comments on Cyber Security.

To put his post into context, every year FEMA runs these big "games" which are essentially planning sessions for national-level emergencies. They help the country organize roles and responsibilities, and get all the legal paperwork in place in the event something happens. On one hand, they are large brainstorming sessions, where various parts of industry get to explain how they would react or be hurt or could help in the event of some kind of attack, and on the other hand, they're political stunts where various industries and parts of government can demonstrate their needs and sometimes their usefulness.

In this year's simulation, Obama had to use new laws to shut down the Internet in response to ongoing effective cyber-attacks. And, although I'm not privy to the classified side of the simulation, he probably also had to absorb intelligence, establish attribution, and launch a military response. Of course, the FEMA simulation ends there. In the real world, we would have to deal with the aftermath.

Politically, Cyber is an area Obama is demonstrating vision in - assuming Sanger's book is at all accurate, he's seen first-hand the role Cyber can play in the future of war, and wants to inoculate his own country against the oncoming threat. Frankly, that's Presidential.

It's telling that the Romney team (which includes former DIRNSA Michael Hayden) has not come out on this issue one way or the other, choosing instead to focus their message entirely on "the economy" as it relates to internal social issues (aka Health Care and Taxation). But addressing cyber security issues should be a key component of any jobs bill, with regard to protecting industries from nation-state economic espionage, or simply noting that there's a huge proportion of people invested in the industry and affected by the oncoming sequester.

Wednesday, May 9, 2012

Where have all the hackers gone (in VA)?

The latest polls say Obama is beating Romney by seven points in Virginia. Either way, it's close, and it's close entirely because of this weird beast called Northern Virginia, where I grew up. When I was growing up, there was a large collection of people who worked for the federal government. But now, if you throw a rock, and you don't hit L-3 or Raytheon or ManTech or another federal contractor, you have a really really bad arm.

And a large amount of what these people are doing is cyber security and technology related. I know all the media play is in the exploit business, assessments, FISMA, etc. But the actual job ads in the cafes are for "Big Data" and "HADOOP", and that sort of thing. And generally when they say "Big Data" they actually mean it - it's sort of like "If you can afford it without being the government, it's not big data".

Hackers, of course, have a society like any other sub-culture, and it's largely libertarian. So what you would expect is that you'd see Ron Paul picking up votes in Arlington and Fairfax. But, if you look at the "Federal" counties in NoVA they voted largely for Mitt Romney over Ron Paul (more than the average).

There are some contributing factors, perhaps. Virginia is an open primary state. Turnout seems low: 300K people voted, but five million are eligible to vote (especially considering the Democratic primary is not competitive this year).

Likewise, a lot of the voters are women, especially among newly registered voters. Women are underrepresented in tech fields (and among Ron Paul supporters).

But the bigger question is this: Given that there IS a voting bloc of swing voters in NoVA (and swing donors), why hasn't EITHER campaign tried to woo them? Mitt Romney has Michael Hayden advising him, and no reason not to drum the "Anti-Chinese" beat on the economy. But he doesn't. You'll notice he has NO opinion whatsoever on CISPA or the Lieberman bill now being debated. None.

Obama has a strong cyber-security track record, and has taken a position on CISPA (anti), but does not seem to engage on cyber-security issues even when his administration is making news about it!

So from both sides we have relative silence. The question is: Why?