Tag Archives: Hactivism

Surveillance versus Breach

GCN published an article on June 3, 2013 regarding the possible data breach of Customs and Border Protection (CBP) systems operated by third-parties for clearances. The information used to obtain clearances is not only personal identifiable information (PII), but also re-tells the past ten or more years of history of an individual. So the potential compromise of this information is a serious issue.

Now add the recent scandals regarding surveillance by the NSA and other government agencies adds to the concern. This is more than a privacy issue, but one of the capability to maintain data secure. DHS is meant to provide the “cybersecurity” component of the government in conjunction with the DoD, but if DHS and the DoD have issues with maintaining the security of their respective systems, what will the potential breach be with the new surveillance information. While granted, the information of the phone calls from the various telecoms is currently not maintaining the call content itself, the associated metadata could expose even greater risk to individuals than is being expressed. Most phones maintain GPS and cell tower information with a call. Add the additional cell phone number and owner information, it is now possible to track the patterns of the individual in addition to the various calls.

While the potential privacy issues around surveillance has its place, the ability for the government to protect the data is also equally important.

Tagged , , , , , , , , ,

Cyber Pearl Harbor or Just Cyber Space…

There has been a lot of news recently about the potential for the coming Cyber Pearl Harbor. A cyber attack that would mirror the devastation that hit the naval base in Pearl Harbor during the beginning of WWII. According to an article in CSO Magazine on October 18, 2012, the United States is concerned of a coming cyber attack. The concept of comparing the attack to Pearl Harbor has been around for several years. It wasn’t until a recent a speech by U.S. Secretary of Defense Leon Penetta in New York that this has become more of a topic.

The article states the following:

The results of cyberttacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid “could be a cyber Pearl Harbor — an attack that would cause physical destruction and the loss of life,” Panetta said. “In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”

Panetta also invoked the image of a cyberattack on the level of 9/11. “Before September 11, 2001, the warning signs were there. We weren’t organized. We weren’t ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment,” he said.

In a follow-up article in CSO Magazine November 7th, the opposing viewpoint was brought forth. Many in the security industry feel that the concept and description of a Cyber Pearl Harbor is nothing more than hot air. Experts including Bruce Schneier have chimed in. Bruce has reduced the extent to which he believes the concept to be exaggerated but according to he article:

Critics argue argue that not only is the threat of a catastrophic cyberattack greatly exaggerated, but that the best way to guard against the multiple risks they agree exist is not with better firewalls or offensive strikes against potential attacks, but to “build security in” to the control systems that run the nation’s critical infrastructure.

Bruce Schneier, author, Chief Technology Security Officer at BT and frequently described as a security “guru,” has not backed off of his contention made at a debate two years ago that the cyber war threat “has been greatly exaggerated.” He said that while a major attack would be disruptive, it would not even be close to an existential threat to the U.S.

“This [damage] is at the margins,” he said, adding that even using the term “war” is just a, “neat way of phrasing it to get people’s attention. The threats and vulnerabilities are real, but they are not war threats.”

The reality is that it is probably somewhere in the middle of the two viewpoints. It can be likened to the Y2K issue a little over a decade ago. The world was going to come to an end and the dark ages would re-emerge. The reality was that preparation help minimize what little impact there may have been. Security is a risk decision, but most risk decisions are defensive in nature. The other decision of a preemptive cyber capability is another aspect of the decision-making that needs to be addressed. Should the U.S. begin cyber strikes on perceived threats? What is the impact of doing this on the long-term? The world has already seen a small view of what can be done with Stuxtnet and will these type of state-sponsored cyber attacks the new nuclear deterrent…that is yet to be seen.

Regardless of the direction that gets taken, business needs to look at potential cyber attacks/hacks as a real potential threat and determine what risk is willing to be accepted and what will need to be mitigated. Whether the issue is the size of a country or your home computer, measure twice, cut once is still the best direction.

Tagged , , , , , , , , , , , , , , ,

Taking the Hacker and Heading Home…

Many may have heard of the ongoing dispute between England and the United States about the pending extradition of British hacker Gary McKinnon. Well the wait is over, the British Home Secretary Theresa May in an announcement yesterday before Parliament stated that she would block the extradition of Gary McKinnon. She based her decision on the several medical examinations and his Asperger’s Syndrome diagnosis. He has been charged by the United Stated for hacking into highly classified Pentagon computer systems, for what McKinnon alleges in search of proof of extraterrestrial evidence.  USAToday.com has a good article on the coverage.

According to the article:

Officials in Washington expressed disappointment at the outcome, and State Department spokeswoman Victoria Nuland said the decision meant McKinnon would not “face long overdue justice in the United States.”

British prosecutors will now decide if he should face charges in the U.K.

There has also been discussion that England will also renegotiate the extradition treaty to make it harder for British citizens to be extradited to the United States.

Tagged , , , , , , , , , ,

Hakin9 is a security magazine that calls itself “the biggest IT security magazine in the world” and has been published for over 10 years. It is a magazine that is rather pricing, but occasionally provides free articles that in most cases are relatively good. In the recent issue, some security professionals became very upset with the magazine and decided to make a stand. Some within ApplyLogic occasionally read the articles and did this particular article (Nmap: The Internet Considered Harmful – DARPA Inference Cheking Kludge Scanning). After reading it, it was interesting but seemed to good to be true…and in fact it was. It was nothing more than a bunch of hokum or in the articles own words, it was D.I.C.K.S. The Register has a good article covering the issue. According to the article:

“Maybe they were sick of Hakin9’s constant please-write-an-unpaid-article-for-us spam and decided to submit some well-crafted gibberish in response,” security researcher Gordon Lyon (Fyodor) wrote in a post to the popular seclists mailing list last week. “They clearly chose that title so just so they could refer to it as DICKS throughout the paper. There is even an ASCII penis in the ‘sample output’ section, but apparently none of this raised any flags from Hakin9’s ‘review board’.”

Ultimately this brings other articles into question and the accuracy of what they publish. Another measure twice, cut once example… Here is the hakin9-nmap-ebook-ch1 if it is no longer available.

Tagged , , , , , , , ,

This Window is Closed…

According to a CSO Online article, Prolexic Technologies identified the distributed denial of service (DDoS) attacks against several online banking institutions including Wells Fargo, U.S. Bank, PNC Bank, Bank of America and JPMorgan Chase as a toolkit called itsoknoproblembro. The attackers who identified themselves Izz ad-Din al-Qassam Cyber Fighters, claim to be muslim hacktivists angry over the YouTube video that has recently sparked controversy regarding its portrayal of Muhammad.

According to Prolexic:

The “itsoknoproblembro” toolkit is capable of simultaneously attacking components of a website’s infrastructure and application layers, flooding the targets with sustained traffic peaking at 70 gigabits per second. In addition, Prolexic found that traffic signatures were unusually complex and therefore difficult to reroute away from the targets.

The vendor, which declined to name the banks whose sites it tracked, said the attackers likely spent months probing the sites for the components most susceptible to a DDoS assault. They also were knowledgeable in the technology used to mitigate such attacks.

“From a DDoS perspective, they are on the level of a Stuxnet type of attack,” said Scott Hammack, chief executive of Prolexic.

This recent hack should drive home that attacks against business will become more complex over time and that it is necessary to re-evaluate risk levels and the associated mitigation/defense strategies deployed. Security is a life-cycle that needs to be re-evaluated on a regular basis to adapt to the shifting landscape.

Tagged , , , , , , , ,
%d bloggers like this: