I read in disbelief: “Details are emerging of security leaks at the White House which have shut down an internet spying operation that had successfully cracked al-Qaeda’s computers… Within an hour of the publicity al-Qaeda’s intranet was taken offline.”

An organization formed to study and report on terrorist activities, Site Institute, accessed al-Qaeda’s intranet and obtained the recent Bin Laden video before it was released to the press. Somehow screenshots of this intranet found their way to Fox News and other news organizations and shortly thereafter the intranet was shutdown. Way to go!!!

“Techniques that took years to develop are now ineffective and worthless,” Rita Katz, Site’s founder, told the Washington Post. “The US government was responsible for the leak of this document.”  — VNUNet

Newsflash: the bad guys have cable and satellite tv too!

I love the Terminator movies, Arnold is great in them. (No flames please!)

He apparently has some savvy advisers who have flexed their political and technical muscle in a way similar to Arnold’s physical: see Governor Kills California Data Protection Law. I find this line of logic amazing, especially given that Arnold is supposed to be some dumb jock elected Governor of California:

However, the current version of the bill, Schwarzenegger said, “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information.”

The governor argued that “the industry”—presumably a reference to credit card companies and the PCI Council—is in a better position to know what is realistic and reasonable for credit card security.” Also, he said, signing such a bill could actually create a conflict.

“This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace,” he said. “This measure creates the potential for California law to be in conflict with private sector data security standards.”   –eWeek / Security Focus

I know security experts that couldn’t come up with the logic behind that statement. I’m not a fan of legislating everything and I think what the Payment Card Industry is doing with Data Security is great, if significantly late to the game.

The major problem I have with the PCI DSS requirements is the subjectiveness of assessment, audit, and enforcement. If the PCI DSS actually had teeth, then the breaches we read about would be less likely to occur because of the financial impact associated, For instance, when a merchant can’t process credit cards due to noncompliance with the PCI DSS, they would signficantly more interested in complying with PCI DSS.

Go Arnold!!!

News reports of foreign countries hacking other foreign country’s web sites and networks has been reported as far back as 2000. It seems the frequency of these attacks has been increasing over time and I am inclined to agree with an article in the Brisbane Times suggesting China willing participates or looks the other way when these attacks are happening. I say this because China reportedly has a tremendous Internet filtering infrastructure in place, they make the covert filtering mechanisms active in the US look like the efforts of a feeble script kiddie. They know who you are, where you surf, and what you’re surfing. They don’t allow certain protocols to enter/exit the country and often times traveling users’ VPN and SSH sessions fail to operate from China.

At any rate, the Briabane Times article is here. It also makes reference to the Estonia attack and points out the damage sustained in one of these cyber attacks is more efficiently obtained and is more discreet at the onset than amassing a network of spies or deploying a battalion of tanks. The article goes on to say:

“States are starting to figure out how cyberwarfare can help them achieve their goals, espionage, economic embargo, or coercion — to cause pain to your enemies so they change their behavior,” Moran said.

Cyber warfare is now a common pursuit among most states, said Bruce Schneier, who has written books on the subject. “Everybody does it,” he said.

Moreover, government networks are plagued with “lousy security” arrangements, he said. And as government information networks become more complex, the networks become increasingly vulnerable.

“Complexity is the worst enemy of security,” Schneier said.

I know this is dated, but I found it too funny given other recent articles like the article suggesting Israel hacked Syrian Air Defenses. I watched Wired Science’s report on the Estonia attacks this week, as well.

Command and Control systems are definitely lacking in user-friendliness, but my concern here is the unlikeliness of a more secure, robust version of Windows available for Warships. I get nervous at the thought of combat systems on destroyers and submarines running Windows and suffering from the same fate as my desktop when something goes awry.

The notion of hacking Command & Control systems gets a lot more plausible when one considers the Operating System on the other side of the radar array or sensor grid. The news story on the radar hack gets a little more plausible, when you consider an aircraft spewing electronic garbage at a radar array or sensor grid running Windows. It even makes for a great cartoon, given that Syrian air defenses are suggested to have been supplied by Russia and Russia is alleged to be awash with software piracy. It amounts to an electronic equivalent of a DOS attack or fuzzing at the least, on these nodes.

In fact, it is down right scary to think that an information attack can be more destructive than a conventional attack with no notice, little cost, and possible anonymity. Consider the Internet attacks on Estonia that practically cut off the country from the outside world: warfare in the 21st Century has evolved to include the Internet. It makes perfect sense, it can be taken right out of SunTzu’s Art of War or Clausewitz’s Principles of War.

There are similarities in the radar hacking and the attacks on Estonia. Estoniawas blanketed by a remote controlled army of PC’s set to cripple servers and services over the Internet by overwhelming Estonia’s servers and communications links. The Israeli aircraft are reported to have potentially used erroneous RF signals and commands to overwhelm the Syrian Air Defenses from the outside of their perimeter. In effect, these attacks are making use of Internet-based attack techniques from the late 1990’s and early 2000. Warships running Windows software, would make these warships vulnerable to similar threats my home PC is vulnerable to. I pray that the Windows Firewall is enabled by default!!!

Alas, these DoS-style attacks are nothing new. I’m inclined to agree with Kevin Poulsen’s blog on the Estonia attacks, these attacks are nothing like what other nations have done in the past. The Isreali aircraft story is more interesting because of the notion of specialized hardware attempting to subvert the defenses by use of hacking techniques purposely deployed on the aircraft. I imagine, if the story is true, Russia, China, or North Korea are all hardening their systems as we speak.

As for the Warships and Windows, counter-intelligence agencies can just start creating 0-Day Windows exploits and hacking warships instead of having spies conduct clandestine operations to steal technology. It could even be the makings of a new installment in the Wang/No Starch Press Steal This book series, with: Steal This Warship.

Security and Safety…

Ever notice the similarity between these words? Capitalists have been banking on the similarities, there are products and services offered for years that provide for security what they’ve provided under the umbrella of safety for years, insurance. Now average folks can purchase Security Insurance. Policy makers didn’t miss the boat either, they often interchange these words when addressing the public. Let’s take a closer look at these words and their contextual use.

Google security and you’ll likely end up at Wikipedia reading:

Security is the condition of being protected against danger or loss.

That’s funny, I tend to think of insurance when I read that statement, but that’s probably because of the implications associated with the word loss. Insurance helps to insulate the insured from loss by providing a means to recover, substitute, or recompense what has been lost or damaged. What about danger, that word seems more appropriate in physical security than logical security, yet in the physical security sense it draws in the word safety.

While you’re over at Wikipedia, click on safety and see what happens:

Safety is the state of being “safe” (from French sauf), the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm, or any other event which could be considered non-desirable. 

Undesirable events or effects is one of the things I think of when I think about what security is trying to manage or constrain, curious that it is part of the definition / description of safety. The various failures of safety lead to similar consequences when security fails, if you disagree consider what’s going on in Iraq. You have a “security” issue and a “safety” issue. 

Just something to consider the next time a “Security Issue” crops up.