Thursday, September 28, 2006
"Individually, each piece of information gives only a small glimpse into people’s lives -- but over time, these bits of personal information can begin to reveal patterns. Such as the places they go, the products they buy, or perhaps the type of people they associate with.This pattern-recognition process is called “Data Mining” or sometimes “Knowledge Discovery.” Since September 11, the federal government -- especially intelligence and law enforcement agencies -- have turned to data mining programs to make sense of growing oceans of data. The end result isn’t always about discovering what people have done -- but what people might do tomorrow. What does a terrorist look like? What is the culmination of their credit, contacts, purchases and travel? Is it possible that you might share these similar patterns? Chances are at least some of these programs sift through personal information about you."
Go through the questionnaire for a specific case, directly on a program of interest and see its relationship with the rest, if any of course. Go through a previous post on Able Danger's Intelligence Unit Findings Rejected to find out more about the state of information sharing.
- Predator Drone Returning From Mission
- Predator Drones at Remote Airstrip
- Predator Drone Taking Off From Remote Airstrip
- TAGS 45 'Waters'
- M80 'Stiletto' Stealth Boat
- U-2 Being Readied For Mission
- Underground Hangars at Sunchon Airbase
- North Korean No-Dong Missile Assembly Building
- Former MI6/FCO high security SIGINT enclave at Poudon
- Former NSA/DoD satellite intercept site
- CIA 'Black Site' for terrorist interogations
- Russian Foreign Intelligence (SVR) Headquarters
- CFS Leitrim - Satellite Singal Interception station
- Russian Don-2NP Pill Box Radar
- Star Wars missile defense support site
- AN/FRD-10 Classic Bullseye Antenna
- Radomes on Fort Belvoir
- Northrop "Secret" Research Facility
- Classic Bullseye listening antenna array
As you will find out the data provided is a historical one -- the UAVs and B2s have already dissapeared for instance. Does the publicly obtainable imagery represent a threat to these locations? Not necessarily, as threats from which these facilities were supposed to be protected from have been replaced by ones requiring a different perspective. The dishes however, are still there, listening..
Related posts and resources:
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems
Stealth Satellites Developments Source Book
Anti Satellite Weapons
"Curt Cobain of the musical group "Nirvana" was another victim of NSA brainwashing and was terminated by NSA. Cobain had started writing clues to the NSA activities into his music to communicate it to his music followers. He referred in music to the NSA as the "Friends inside his head". Once the NSA puts on the highest level of brainwashing pain, the subject expires quickly. Cobain used heroin to numb and otherwise slow the effect of the brainwashing."
He had different "friends".
You might find a previous post "Pass the Scissors" worth reading as well.
Wednesday, September 27, 2006
Taking passwords to the grave is always be default, and while your email service provider may get socially engineered -- or have to comply with a court order -- under the excuse of emotional crisis, family relations, reconsider how you would like to have your (accounting) data handled :
"The situation poses a dilemma for e-mail providers that are pilloried by privacy rights advocates at the mere suggestion of sensitive data being exposed, at the same time they are expected to hand over the digital keys to family members when a customer dies. Last year, Yahoo was forced to provide access to the e-mail of a U.S. Marine killed in Iraq to his father, who got a court order in the matter. "The commitment we've made to every person who signs up for a Yahoo Mail account is to treat their e-mail as a private communication and to treat the content of their messages as confidential," said Yahoo spokeswoman Karen Mahon. Beyond acknowledging that Yahoo complies with court orders, Mahon declined to discuss Yahoo's requirements for providing family members access to the e-mail accounts of their deceased loved ones. Google will provide access to a deceased Gmail user's account if the person seeking it provides a copy of the death certificate and a copy of a document giving the person power of attorney over the e-mail account, said a Google spokeswoman."
Sometimes, on your journey to happiness and emotional balance you end up opening more and more of pandora's boxes, when what you're looking for is right inside your head - the clear memory of the person in question, not the pseudo-individuality in all of its twisted variations. Make sure what you wish for, as it may actually happen!
The ultimate question - Why does a deceased soldier’s email thoughts become the property of a company?
What is the current media policy in China?
How free is Chinese media?
What are the primary censoring agencies in China?
How does China exert media controls?
How does China control the influence of foreign media?
How do journalists get around media control measures?
The main agencies responsible for history engineering :
"But the most powerful monitoring body is the Communist Party’s Central Propaganda Department (CPD), which coordinates with GAPP and SARFT to make sure content promotes and remains consistent with party doctrine. Xinhua, the huge state news agency (7,000 employees, according to official statistics), is beholden to the CPD and therefore considered by press freedom organizations to be a propaganda tool. The CPD gives media outlets directives restricting coverage of politically sensitive topics—such as protests, environmental disasters, Tibet, and Taiwan—which could be considered dangerous to state security and party control."
Centralization as the core of control, why am I not surprised? Don't tolerate censorship, learn how to undermine it.
Monday, September 25, 2006
Here's another map of terrorist networks in America for 1991-2005, based on states and possible cell of operation -- two more previous versions available.
The report found that the recollections of most of the witnesses appeared to focus on a “single chart depicting Al Qaeda cells responsible for pre-9/11 terrorist attacks” that was produced in 1999 by a defense contractor, the Orion Scientific Corporation.
While witnesses remembered having seen Mr. Atta’s photograph or name on such a chart, the inspector general said its investigation showed that the Orion chart did not list Mr. Atta or any of the other Sept. 11 terrorists, and that “testimony by witnesses who claimed to have seen such a chart varied significantly from each other.” The report says that a central witness in the investigation, an active-duty Navy captain who directed the Able Danger program, had changed his account over time, initially telling the inspector general’s office last December that he was “100 percent” certain that he had seen “Mohamed Atta’s image on the chart.”
Issues to keep in mind:
- the chaotic departamental information sharing or the lack of such, budget-deficit arms race, thus departments wanting to get credited for anything ground breaking
- prioritizing is sometimes tricky, wanting to expand a node, thus gather more intelligence and more participants might have resulted in missing the key ones, marginal thinking fully applies
- OSINT as this Social Network Analysis of the 9-11 Terror Network shows, is an invaluable asset and so is the momentum and actual use of the data
Despite that if you don't have a past, you're not going to have a future, true leaders never look into the past, they shape the future and don't mind-tease what they could have done. Necessary evil moves the world in its own orbit now more than ever, and if you really don't have a clue what I'm trying to imply here, then you're still not ready for that mode of thinking.
So, the man who knew, but no one reacted upon his findings in a timely manner, or a case-study of how terrabytes of mixed OSINT and Intelligence data weren't successfully data mined? I go for the first point.
Able Danger chart courtesy of the Center for Cooperative Research.
- HP obtained phone records for seven current or former HP board members, nine journalists, and their family members;
- HP provided investigators with the Social Security number of one HP employee, in addition the Social Security numbers of 4 journalists, 3 current and former HP board members, and 1 employee were also obtained by investigators;
- HP investigators attempted to use a tracer to track information sent to a reporter;
- The concept of sending misinformation to a reporter and the contents of that email were approved by Mr. Hurd, although no evidence was found to suggest that he approved the use of the tracer for surveillance;
- Investigators hired by HP monitored a board meeting, a trip to Boulder taken by a board member, as well as the board member's spouse and family members;
- In February of 2006, investigators watched a journalist at her residence and in February of 2006 “third party investigators may have conducted a search of an individual’s trash.”By the time HP provided the associated parties SSNs, they've pretty much left them on the sharks to finish the rest, disinformation though, is something I previously thought they didn't do, but with dumpster diving in place as well, I guess they did order the entire all-in-one surveillance package.
Megacorp ownz your digitally accumulated life, and yes, it can also engineer and snoop on your real one. All they were so talkative about, is publicly available information that every decent analyst should have definitely considered starting from HP's historical performance as a foundation for future speculations. In between HP is (was) also sponsoring a Privacy Innovation Award.
Who's the winner at the bottom line? That's ex-CEO Carly Fiorina -- phone records also obtained -- whose upcoming book will profitably take advantage of the momentum.
Friday, September 22, 2006
"In the following, we examine the Hizballah domains in light of which companies have provided DNS service. A domain's whois record specifies DNS servers, and the DNS servers tell browsers what IP address/server is currently hosting the domain. This is a mission critical service without which the domains in question would be unreachable. Despite the fact that Hizballah is a designated Terrorist entity in the United States, American companies have been, and continue to be the primary providers of service to Hizballah. We now know of 40 domains of Hizballah, based largely on a list provided by Hassan Nasrollah on a previous incarnation of his own web site. Of those 40 domains, 23 are now or have been provided DNS services by Alabanza Inc. of Baltimore, Maryland. No other provider comes close. Alabanza's domain name registration business, Bulkregister, is Hizballah's registrar of choice. See our report regarding the registrars of Hizballah's domains."
Who knew Hezbollah are indeed the rocket scientistics they pretend to be? UAVs, night vision gear, SIGINT gear, or has rocket science became so "outsourceable" nowadays?
Cyberterrorism isn't dead, it's just been silently evolving under the umbrella provided by the mainstream media -- wrongly understanding the concept, and stereotyped speculations.
01. Social Phishing
The fundamental purpose of this study was to study the effects of more advanced techniques in phishing using context. Receiving a message from a friend (or corroborated by friends), we hypothesized the credibility of the phishing attempt would be greater
02. Browser Recon and Countermeasures
One can use a simple technique used to examine the web browser history of an unsuspecting web site visitor using Cascading Style Sheets. Phishers typically send massive amounts of bulk email hoping their lure will be successful. Given greater context, such lures can be more effectively tailored---perhaps even in a context aware phishing attack
03. Socially Transmitted Malware
People are drawn in by websites containing fun content or something humorous, and they generally want to share it with their friends. This is considered social transmission: referral to a location based on reccommendation of peers. We measured possible malware spread using social transmission
04. Phishing with Consumer Electronics: Malicious Home Routers
It is easy to "doctor" a wireless router like the ones found at home or at a local WiFi hotspot to misdirect legitimate browser links to phoney and often harmful website.
05. Net Trust
Individuals are socialized to trust, and trust is a necessary enabler of e-commerce. The human element is the core of confidence scams, so any solution must have this element at its core. Scammers, such as phishers and purveyors of 419 fraud, are abusing trust on the Internet. All solutions to date, such as centralized trust authorities, have failed. Net Trust is the solution -- trust technologies grounded in human behavior
06. A Riddle
Could your browser release your personal information without your knowledge?
Exploiting comparison shopping engines to bait victims
You might also be interested in Google's Anti-Phishing Black and White Lists.
North Korea's not lacking behind, and despite the end of the Cold War, is still taking advantage of well proven and self-serving psychological techniques to further spread their ideology.
Here are some collections of ITsecurity related ones as well.
Tuesday, September 19, 2006
"Today we will analyze a new banking trojan that is a qualitative step forward in the dangerousness of these specimens and a new turn of the screw in the techniques used to defeat virtual keyboards. The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.
The video clip covers only a small portion of the screen, using as reference the cursor, but it is large enough so that the attacker can watch the legitimate user's movements and typing when
using the virtual keyboard, so that he gets the username and password without going into further trouble. It would obviously be place a heavy burden on the resources of the computer to capture the complete screen, both when generating the video clip as well as sending it to the attacker. The main reason for doing only a small portion of the screen referenced to the cursor is that the trojan guarantees the speed of the capture to show all the sequence and activity with the virtual keyboard seamlessly."
Anything you type can be keylogged, but generating videos of possibly hundreds of infected users would have a negative effect on the malware author's productivity, which is good at least for now. Follow my thoughts, the majority of virtual keyboards have static window names, static positions, and the mouse tend to move over X and Y co-ordinates, therefore doing a little research on the most targeted bank sites would come up with a pattern, pattern that should be randomized as much as possible. Trouble is, the majority of phishing attacks are still using the static image locations of the banks themselves, when this should have long been randomized as well.
OPIE authentication, suspicious activity based on geotagging anomalies, and transparent process for the customer -- please disturb me with an sms everytime money go out -- remain underdeveloped for the time being. You might find Candid Wüest's research on "Phishing in the Middle of the Stream" - Today's Threats to Online Banking informative reading on the rest of the issues to keep in mind.
No Anti Virus Software, No E-banking for You, or are Projection Keyboards an alternative?
Monday, September 18, 2006
- To disrupt specifically targeted critical infrastructure through cyber attacks
- To hinder the governments' ability to respond to the cyber attacks
- To undermine public confidence in the governments' ability to provide and protect services"
Seems like the results from the exercise are already available and among the major findings are related to :
- Interagency Coordination
- Contingency Planning, Risk Assessment, and Roles and Responsibilities
- Correlation of Multiple Incidents between Public and Private Sectors
- Training and Exercise Program
- Coordination Between Entities of Cyber Incidents
- Common Framework for Response and Information Access
- Strategic Communications and Public Relations Plan
- Improvement of Processes, Tools and Technology
Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure, it would abuse it, use it as platform. However, building confidence within the departments involved is as important as making them actually communicate with each other.
Go through a previous post on the Biggest Military Hacks of All Time in case you're interested in knowing more on specific cases related to both, direct and indirect attacks.
Here's an interesting research on "Examining Internet Privacy Policies Within the Context of Use Privacy Values" :
Results from this study can help managers determine the kinds of policies needed to both satisfy user values and ensure privacyaware website development efforts. This paper is organized as follows. First, we discuss relevant research on privacy, policy analysis, and software requirements engineering. Next, we cover the research methodologies of content analysis and survey development, and then the survey results. Finally, we discuss the results and implications of this work for privacy managers and software project managers."
The only time privacy policies get read is whenever a leak like AOL's one happens, and mostly for historical purposes, where's the real value, not the perceived one? Don't responsibly generate privacy policies, consider preemptively appointing chief privacy officers, thus commiting yourself to valuing your users's privacy and having a strategy in mind.
Snooping on Historical Click Streams
A Comparison of US and European Privacy Practices
What's Cyber Intelligence, or Intelligence analysis for Internet security, can we model it, how long would the model survive before what used to static turns into a sneaky variable knowing its practices has been exposed? What would the ultimate goal of CYBERINT be? To map the bad neighborhoods and keep an eye on them, to profile the think-tanks and assess their capabilities, background motivations for possible recruitment? Or to secure Cyberspace, no matter how megalomanic it may sound, or to basically acquire know-how to be used in future real-life or cyber conflicts?
Intelligence Analysis for Internet Security proposes an intelligence model for the development of an overall systems security model, here's an excerpt :
"Obtaining prior knowledge of both threats and vulnerabilities – as well as sensitivity to possible opportunities to exploit the vulnerabilities - is essential. Intelligence analysis, of course, operates at different levels, ranging from the specific to the general, and from short-term incidents and operations to long term patterns and challenges. Each form or level of analysis is crucial, and complements and supplements the others. Nevertheless, it is important to distinguish them from one another and to be clear at which level the activities are taking place. It is also important to recognize that the most critical insights will be obtained from fusion efforts that combine these different levels. The several complementary levels of intelligence analysis are strategic analysis, tactical analysis and operational analysis. In practice, these categories shade into each other and are not always sharply differentiated, and differing definitions for these terms exist in the intelligence community. Nevertheless, they offer a useful framework within which intelligence tasks and requirements can initially be delineated."
A very informative and relevant research emphasizing on strategic intelligence analysis, tactical intelligence analysis, operational intelligenec analysis, and how cyber intelligence intersects with traditional approaches.
What's the core of CYBERINT?
- the maturing concept of cyberterrorism, propaganda and communications online, thus huge amounts of data to be aggregated and analyzed
- an early warning system for new attack tools, their easy of use, availability, ability to be tracked down, and level of sophistication
- offensive CYBERINT is perhaps the most interesting and aggresive approach I consider fully realistic nowadays. Operational initiatives such as nation-wide pen testing, OS and IP space mapping for instant exploitation, segmented economic espionage attacks -- ip theft worms achieving efficiency -- passive google hacking and reconnaissance, tensions engineering, zero day vulnerabilities arms race
Outsourcing to objective providers of intelligence and threats data should also be considered, but then again it's just a tiny portion of what can actually be achieved if a cross-functional team is acting upon a common goal - to be a step ahead of tomorrow's events, and pleasently going through threat analysis conducted year ago predicting and responding to them.
If you don't have enemies, it means you're living in a world of idleness, the more they are, the more important is what you're up to.
Related resources and posts:
Benefits of Open Source Intelligence - OSINT
"The grainy black and white photo shows what NBC says are some 190 Taliban militants standing in several rows near a vehicle in an open area of land. Gunsight-like brackets were positioned over the group in the photo. NBC quoted one Army officer who was involved with the spy mission as saying "we were so excited" that the group had been spotted and was in the sights of a U.S. drone. But the network quoted the officer, who was not identified, as saying that frustration soon set in after the officers realized they couldn't bomb the funeral under the military's rules of engagement."
Hezbollah are also known to be able of operating drones, as well as their "window-shopping" purchasing capabilities for night vision gear but how come? Politically independent parties whose revenues get generated by their ability to be totally neutral and, of course, tactics for bypassing gear embargoes.
However, it would be naive to assume everyone is as rational as you are, as it's a rather common practice for various military forces to build up their foundations near highly populated areas, schools and hospitals. Insider leaks like these show certain weaknesses, namely operatives with access to information whose significance slightly devaluated, so why not generate some buzz on the findings.
Naturally, the Pentagon is taking measures to limit the potential of yet another media fiasco, taking into consideration the growing use of gadgets in the military. Moreover, successfully realizing the power of OSINT, an information security/web site alert was issued during August on what can't be posted at .mil sites.
Predator UAV image of Serbian fighters surrendering in Kosovo, courtesy of Military Intelligence Satellites.
Thursday, September 14, 2006
You may find this research conducted back in 2001, still relevant on the basics of psychological operations and propaganda online. A brief summary of The Internet and Psychological Operations :
"As an information medium and vehicle of influence, the Internet is a powerful tool, in both open societies as well as in those whose only glimpse of the outside world is increasingly viewed and shaped through webpages, E-mail, and electronic chat rooms. Moreover, the sword cuts both ways, as unconstrained (legally, socially, politically) adversaries find the Internet an effective vehicle for influencing popular support for their cause or inciting the opposite against the U.S. or its interests. Consequently, the realm of military psychological operations (PSYOP) must be expanded to include the Internet. Just as obvious is the need for action to remove or update current policy and legal constraints on the use of the Internet by military PSYOP forces, allowing them to embrace the full range of media, so that the U.S. will not be placed at a disadvantage. Although current international law restricts many aspects of PSYOP either through ambiguity or noncurrency, there is ample legal room for both the U.S. and others to conduct PSYOP using modern technology and media such as the Internet. Existing policy and legal restrictions, however, must be changed, allowing military PSYOP forces to both defend and counter adversarial disinformation and propaganda attacks which impact on the achievement of military objectives. By examining this issue, I hope to highlight the importance of the Internet for PSYOP and foment further discussion."
Undoubtedly, Abu Ghraib's fiasco is among the most relevant cases of unintentional PSYOPS in reverse, where the leak's echo effect would continue to spell sskepticism towards what democracy really is. And while there're indeed legal issues to consider when using such operations, what is legal and illegal in times of war is questionable.
Some basic examples:
- your web sites spread messages of your enemies
- sms messages and your voice mail say you're about to lose the war
- your fancy military email account is inaccessible due to info-warriors utilizing the power of the masses, thus script kiddies to distract the attention
- you gain participation, thus support
- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R&D data when a guerilla info-warrior appears on the screen and wakes you up on your current stage of brainwashing
- starting from the basics that the only way to ruin a socialist type of government is to introduce its citizens to the joys of capitalism -- it always works
- hacktivism - traffic acquisition plus undermining confidence
- propaganda - North Korea is quite experienced
- self-serving news items, commissioned ones
- achieving Internet echo as a primary objective
- introducing biased exclusiveness
- stating primary objectives as facts that have already happened
The evolution of online PSYOPS is on its way and is actively utilized by both adversaries, and everyone in between, it's entirely up to you to be either objective, or painfully subjective.
Wednesday, September 13, 2006
"A son of the head of Russia's main intelligence agency has been named an adviser to the chairman of state oil company OAO Rosneft, the daily newspaper Kommersant reported Wednesday, citing an unidentified source on Rosneft's board of directors. Andrei Patrushev, the 25-year-old son of Federal Security Service (FSB) director Nikolai Patrushev, had previously been an FSB official himself, working in the department that keeps tabs on the Russian oil industry, according to Kommersant."
The courage to rise above shown by Mikhail Khodorkovsky has its own butterfly effect, and it's so easily predictable one. Here's a Google bomb for you -- it means enemy of the people. Here's another. Враг народа or a vivid protectionist?
The main findings of the study are:
- Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.
- Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.
- AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.
- While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.
IP enabled, Windows running ATM's with anti-virus, IPv6 enabled fridges with anti-virus, smart phones with anti-virus, Play Stations with anti-virus, birds as early warning systems for an epidemic, so where's my signature, dude?
"Cell phones throughout a downtown hotel beeped simultaneous Tuesday with an alert: there is a suspicious package in the building. It was a drill, run by Dutch authorities testing an emergency "cell broadcasting" system that sends a text message to every mobile phone in a defined area. Representatives from 21 national governments, New York City and the U.S. Federal Emergency Management Agency, or FEMA, watched the signal go out to cell phones throughout the Sofitel hotel in Amsterdam. About half the people in the building then followed instructions and evacuated. "We want to see what worked and what didn't," said David Webb, of FEMA's Urban Search and Rescue Program. "The EU (European Union) is really leading the way with this technology."
What if :
- Even in case that key emergency personal were to use a seperate communication network, radio for instance, broadcasting to anyone accepting could result in significant delays, and even though the message is sent, it doesn't mean it would take advantage of the momentum
- cell phone jammers are often used by hotels to preserve the unique atmosphere and undisturbed conference meetings can prove contradictive, excluding the fact that the parties supposidly plotting the attack don't use one by themselves
- despite the fact that one in five will pick up their mobile during sex, how many obsessively check for newly arrived sms messages?
- how would a tourist know how the successfully authenticate the local authories at the first place, in case of emergencies watch out for an sms from 010101, now I assume you know how easily I can sms you from the same number and impersonate the number
- what should the user be mostly aware of be aware of, mobile malware, SMSishing, or "call this 0 900 or else I won't tell you where's the attack" type of messages
- from a multilingual point of view, will it be using English by default, and how many would be still enjoying their meals while everyone's leaving
Great idea, but it may prove challenging to evaluate the actual results in a timely manner. Sent doesn't mean received or read on time, even actioned upon.
SMS disaster alert and warning systems - don't do it !
Revisiting SMS during Disasters
Concept Paper on Emergency Communications during Natural Disasters
Exploiting Open Functionality in SMS- Capable Cellular Networks
The Role of Mobiles in Disasters and Emergencies
Here's how they tested :
"In order to create a base environment in which to compare the different appliances, we set up a single system within our test network to be the target of Core Impact’s simulated attacks. We chose a system running the most vulnerable operating system we could think of—Windows 2000 Service Pack 2 with no additional service packs or security updates. We temporarily opened the channels on the test network’s firewall and installed Core Impact on a system outside the network. We then proceeded to detect and “attack” the Windows 2000 system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 85 of the most applicable. Knowing how our target system was vulnerable and the attacks we could launch against it, we connected each IPS in turn according to its recommended configuration. We then allowed each IPS to function in a real-world network environment for a day or more. Eventually we rebooted the Windows 2000 machine and ran Core Impact to simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran the tests one more time. The result was a complete picture of how effective each IPS was at preventing attacks—both out of the box and after fine-tuning. The good news is, we were able to tweak each IPS to completely shut down the Core Impact attacks."
There are, however, hidden costs related to IPSs, and that's increased maintainance and reconfiguration time, possible decline in productivity. The key is understanding the pros and cons of your solution, educating the masses of users, and run a departamental, compared to a comany-wide enforcement at the first place as far as host based IPS are concerned. Network based IPSs sensitivity is proportional to the level of false alerts generated, so figure out how to balance and adapt the solution to your network.
Suspicious system behaviour is such an open topic term to the majority of end users, keep it in mind whatever you do when dealing with HIPS. And do your homework of course.
As I often say that the host trying to 6667 its way out of the network today, will be the one sending phishing and spam mails tomorrow, therefore in order to verify I took a random blacklisted host such as http://220.127.116.11/fdic.gov/index.html.html and decided to first test it at TrustedSource, and of course, at the SORBS to logically figure out that the host's has been indeed :
"Spam Sending Trojan or Proxy attempted to send mail from/to from=
What's ruining the effect of black and white lists? With today's modular malware -- and DIY phishing toolkits -- the list of IP's currently hosting phishing sites can become a decent time-consuming effort to keep track of, namely black lists can be sometimes rendered useless given how malware-infected hosts increasingly act as spamming, phishing, and botnet participating ones -- if ISPs were given the incentives or obliged to take common sense approaches for dealing with malware infected hosts, it would make a difference. As far as the white lists are concerned, XSS vulnerabilities on the majority of top domains, and browser specific vulnerabilities make their impact, but most of all, it's a far more complex issue than black and white only.
Another recent and free initiative I came across to, is the Real-Time Phishing Sites Monitor, which may prove useful to everyone interested in syndicating their findings.
Third-party anti-phishing toolbars, as well as anti-phishing features build within popular toolbars are not the panacea of dealing with phishing attacks. A combination of them and user awareness, thus less gullible user is the way.
Tuesday, September 12, 2006
"Using the Enron e-mail archive as a motivating dataset, we are attempting the marriage of visual and algorithmic analyses of e-mail archives within an exploratory data analysis environment. The intent is to leverage the characteristic strengths of both man and machine for unearthing insight. Below are a few sketches from a preliminary exploration into the design space of such tools."
And here's how he visualized the social network, invaluable "big picture".
Monday, September 11, 2006
"All suspects will now be treated under new guidelines issued by the Pentagon on Wednesday, which bring all military detainees under the protection of the Geneva Convention. The move marks a reversal in policy for the Pentagon, which previously argued that many detainees were unlawful combatants who did not qualify for such protections. The new guidelines forbid all torture, the use of dogs to intimidate prisoners, water boarding - the practice of submerging prisoners in water - any kind of sexual humiliation, and many other interrogation techniques."
I assume operating such facilities in the Twilight Zone is flexible from an interrogation point of view, what makes me wonder though is how justified kidnappings of alleged terrorists by recruiting local intelligence agents are. Guess a guy I had a hot discussion with the other night was right, no more Russian skirmishes in guerilla warfare, the adversary leaders just dissapear and no one, even their forces ever hear anything of them -- spooky special forces stealing the hive's queen.
In case you're also interested in DoD's New Detainee Interrogation Policy, it's already available at the FAS's blog, plus "biographies" of 14 detainees.
However, there's one thing the entire synthetic community would always be thankful to the CIA though, and that's the LSD, a proven "ice breaker" during the decades.
Graph courtesy of Spiegel.de
What's the bottom line? Keep your friends close, your intelligence buddies closer!
Interested in Anti-Terror tips? Follow these :
- Use email software with strong encryption to prevent terrorists from reading your email
- Encrypt the files on your computer using strong encryption such as PGP to prevent terrorists from accessing your files
- Browse the web using an anonymous proxy to prevent terrorists from seeing what sites you visit
- Insist that electronic voting machines provide you with a traceable paper receipt so you can ensure that terrorists haven't altered the electronic ballot
- Report all behavior, especially if it is suspicious
Cold War <=> Defense/Intelligence spending/Innovation <=> Post 9/11 World
Terrorist <=> Ideology <=> War
Foreign policy <=> Terrorism <=> Geopolitical dominance
Terrorism <=> OSINT <=> Intelligence
Civil Liberties <=> Terrorism <=> Surveillance
Poverty <=> G8 <=> Developed world
Space exploration budget cuts <=> Terrorism <=> Alternative energy sources development
Paranoia <=> Terrorism <=> Security services/products market growth
I can keep on going, but that's not the point, the point is how globalisation is acting as a double edged sword, and so is paranoia, still, keep in mind that there're one million other ways to get killed compared to a terrorist attack.
There've always been and will always be "bad guys", "good guys", and "greyhat guys" -- barking dogs of course -- trouble is knowing whom to trust at a particular moment in time. I can easily argue that during the past five years, all the "bad guys" had to do was to go through the press and come up "future long term strategies" perceptional enough to shock and awe "the infidels". My point is that, OSINT is also a double edged sword, useful and dangerous to both parties. As far as the infidels are concerned, I'm not one - I believe in myself!
Underestimating an adversary is much worse than overestimating it, just cut using terrorism as the excuse for everything you do, or are about to do, which is as subjective as China's economy taking over the world -- something neither the "bad guys" nor China would do.
Data mining, terrorism and security
Terrorist Social Network Analysis
Benefits of Open Source Intelligence - OSINT
Visualization, Intelligence and the Starlight project
Cyber terrorism - don't stereotype and it's there!
Cyber terrorism - recent developments
Arabic Extremist Group Forum Messages' Characteristics
Tracking Down Internet Terrorist Propaganda
Cyber Terrorism Communications and Propaganda
Steganography and Cyber Terrorism Communications
Friday, September 08, 2006
Yesterday, Danezis Cvrcek and Matyas Kumpost released an interesting study on The Value of Location Privacy :
"This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment."
While there're indeed privacy issues related to mobile devices, in the age of malware authors purchasing commercial IP Geolocation services to get a better grasp of the infected sample, and Google's growing concern on the use of networks such as Tor mimicking possible malicious bahavior you should ask yourself, what is it that you're trying to achive, Anonymity or Privacy preservation online and go for it without feeling like a hostage.
Malware is already averaging 1 piece in 600 social networking pages, which isn't surprising and is greatly proportional with the rise of web application vulnerabilities. Compared to personal data security breaches capable of providing the freshest and most recent emails of the parties involved, thus reseting a spammer's activities lifecycle, web email harvesting is still a rather common event.
Thankfully, there're already scaled initiatives such as the Distributed Spam Harvester Tracking Network making an impact :
"Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.
To participate in Project Honey Pot, webmasters need only install the Project Honey Pot software somewhere on their website. We handle the rest — automatically distributing addresses and receiving the mail they generate. As a result, we anticipate installing Project Honey Pot should not increase the traffic or load to your website."
Some current project statistics:
- Spam Trap Addresses Monitored - 1,354,582
- Total Spam Received - 1,464,090
- Total Spam Servers Identified - 499,310
- IPs Monitored - 611,368
- Total Harvesters Identified - 10,653
Donate a MX record, or get yourself an account and start contributing. On the other hand, the host that's web crawling for fresh emails today, will definitely match with the one found in a phishing email at a later stage -- the growing transparency and the pressure put on spammers inevitably results in the Ecosystem I mentioned in my Malware - Future Trends research.
The Beauty of the Surrealistic Spam Art
Real-Time PC Zombie Statistics
The current state of IP spoofing
Dealing with Spam - The O'Reilly.com Way
José M. Fernandez and Pierre-Marc Bureau constructively build awareness on how "the best is yet to come" in their research on Optimising Malware :
"In this paper, we address and defend the commonly shared point of view that the worst is very much yet to come. We introduce an aim-oriented performance theory for malware and malware attacks, within which we identify some of the performance criteria for measuring their “goodness” with respect to some of the typical objectives for which they are currently used. We also use the OODA-loop model, a well known paradigm of command and control borrowed from military doctrine, as a tool for organising (and reasoning about) the behavioural characteristics of malware and orchestrated attacks using it. We then identify and discuss particular areas of malware design and deployment strategy in which very little development has been seen in the past, and that are likely sources of increased future malware threats. Finally, we discuss how standard optimisation techniques could be applied to malware design, in order to allow even moderately equipped malicious actors to quickly converge towards optimal malware attack strategies and tools fine-tuned for the current Internet."
They've successfully distinguished the following generic and specific aim-oriented performance criteria :
- Number of hosts
- Amount of information
- Host location
- Upstream bandwidth
- Upstream bandwidth
- Host location
- Host Location
Taking into consideration the OODA loop concept -- Observation, Orientation, Decision, Action -- the characteristics would get definitely improved with the time.
Related resources and recent posts:
Virus Outbreak Response Time
Malware Bot Families - Technology and Trends
Malware Statistics on Social Networking Sites
Thursday, September 07, 2006
"Google hacking is a term to describe the search queries that find out security and privacy flaws. Finding vulnerable servers and web applications, server fingerprinting, accessing to admin and user login pages and revealing username-passwords are all possible in Google with a single click. Google can also reveal secrets of cryptography applications, i.e., clear text and hashed passwords, secret and private keys, encrypted messages, signed messages etc. In this paper, advanced search techniques in Google and the search queries that reveal cryptographic secrets are explained with examples in details."
Comments on : Hashed passwords, Secret Keys, Public Keys, Private Keys, Encrypted Files, Signed Messages -- external comments on packed binary patterns, malware functions, and the malware search engine itself.
Google is so not the root of the problem, althrough at least theoretically malicious web crawling is indeed possible. Seems like patterns come useful to both sides of the front -- and everyone in between.
Wednesday, September 06, 2006
"Israeli aircraft shot down an unmanned spy plane launched by the Lebanese guerrilla group Hizbollah as it entered Israeli territory on Monday, the Israeli army said. The drone was spotted by the air force's monitoring unit and fighter planes were scrambled to intercept it, an Israeli military spokesman said. The spokesman said a fighter plane shot the drone down 10 km (six miles) off Israel's coast, northwest of the city of Haifa. "The current assessment is that it was headed further south, we do not know exactly for what purpose," the spokesman said. An Israeli military source added that it was an Iranian-made drone with a range of about 150 km."
Go through an in-depth post at DefenseTech, and Eugene Miasnikov's report on Threat of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects, which :
"assesses the technical possibility of UAV use as a delivery means for terrorists. The analysis shows that such a threat does exist and that it will grow. The author also considers areas that require higher attention from government agencies. This report is also targeted at the Russian public. Terrorist activity can be prevented only through the coordinated efforts of the government and civil society. The government cannot efficiently fight terrorists without the active involvement of the population. The first step toward creating such an alliance is to recognize the threat and its potential consequences."
So what's next once reconnaissance is taken care of and timely intelligence gathered? UCAVs in the long term, of course. Nothing's impossible, the impossible just takes a little while!
"Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors-not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones."
The case highlights that :
- Classification programs type of protection is rarely utilized of companies aiming to balance the trade off of achieving productivity while keep the left hand not knowing what the right is doing when it's necessary -- remember it's the HP way and the management by open spaces that made the company what it is today
- Didn't bother to disinform suspicious parties and decoy them, thus limiting the circle of "suspects"
- Didn't build transparency into the process and that's just starting to make impact
- It's shorthsighted thinking on whether the information defined as leaked wasn't easy to construct through public sources, or that the internal changes weren't already spotted by industry analysts
- They're about to lose their current talanted HR, and the one that was about to join HP. Soft HR dollars are on stake, as I can imagine what will be the faith of a HP blogger if that's how board of directors members threat each other
Here's the article of question, and what provoked this to happen :
"According to the source, HP is considering making more acquisitions in the infrastructure software arena. Those acquisitions would include security software companies, storage software makers and software companies that serve the blade server market. The acquisitions would dovetail with HP's growth plans for its Technology Systems Group, which has already bought companies such as AppIQ for storage management. Hurd has previously said market trends indicate a movement away from mainframe computers and a shift to blade servers, as well as virtualized storage. HP is likely to follow those trends. Meanwhile, in HP's Imaging & Printing Group, the long-term plan to develop commercial printers is likely to continue. "We want to develop the next Heidelberg press," the source said. Of course, HP said basically the same thing back in 2002."
In a previous post, When Financial and Information Security Risks are Supposed to Intersect, I commented on Morgan Stanley's case of knowing who did what, and the growing enforcement of security policies, thus firing employees violating them by forwarding sensitive information to home email accounts. But with the media trying to generate buzz while keeping it objective by mentioning its "sources" and putting the emphasise on "inside company source" no wonder HP is thinking insiders, rather than talkative directors who when asked does the Sun come out in the morning and goes down in the evening, would think twice before answering -- and question the question itself!
Privacy monster courtesy of the EFF.
Related resources and posts:
Insider Competition in the Defense Industry
Espionage Ghosts Busters
Tuesday, September 05, 2006
"How can we use this to reform intelligence? I suggest we create a national Open Source Agency. Half of the money earmarked for the agency would go toward traditional intelligence work. The other half would provide for 50 state-wide Citizen Intelligence Networks, including a 24/7 watch center, where citizens can both obtain and input information. We could establish new emergency intelligence phone numbers--think 119 instead of 911--allowing any housewife, cab driver or delivery boy to contribute to our national security. All they have to do is be alert, and if they see something, take a cell phone photograph and send it in with a text message. If three different people notice the same suspicious person taking photographs of a nuclear plant, for instance, it could be hugely important. The system could even evolve to automatically mobilize emergency workers or warn citizens. Imagine if after people alerted the network about a roadside car bomb, it automatically sent text messages to every phone in the immediate area, warning people to stay away."
Collective intelligence, wisdom of crowds -- Web users were supposed to virtually patrol the U.S border once -- all is driving Web 2.0, trouble is so is paranoia, and all paranoid people need is a platform to spread it further, but the article emphasises on how educated citizens can be the best defense. The benefits of OSINT according the CIA themselves are based on :
Speed: When a crisis erupts in some distant part of the globe, in an area where established intelligence assets are thin, intelligence analysts and policymakers alike will often turn first to the television set and Internet.
Quantity: There are far more bloggers, journalists, pundits, television reporters, and think-tankers in the world than there are case officers. While two or three of the latter may, with good agents, beat the legions of open reporters by their access to secrets, the odds are good that the composite bits of information assembled from the many can often approach, match, or even surpass the classified reporting of the few.
Quality: As noted above, duped intelligence officers at times produce reports based on newspaper clippings and agent fabrications. Such reports are inferior to open sources untainted by agent lies.
Clarity: An analyst or policymaker often finds even accurate HUMINT a problem. For example, when an officer of the CIA’s Directorate of Intelligence (DI), reads a report on a foreign leader based on “a source of unproven reliability,” or words to that effect, the dilemma is clear. Yet, the problem remains with a report from a “reliable source.” Who is that? The leader’s defense minister? The defense minister’s brother? The mistress of the defense minister’s brother’s cousin? The DI analyst will likely never know, for officers of the Directorate of Operations (DO) closely guard their sources and methods. This lack of clarity reportedly contributed, for example, to the Iraqi WMD debacle in 2002-03. The DO reportedly described a single source in various ways, which may have misled DI analysts into believing that they had a strong case built on multiple sources for the existence of Iraqi weapons of mass destruction. With open information, sources are often unclear. With secrets, they almost always are.
Ease of use: Secrets, hidden behind classifications, compartments, and special access programs, are difficult to share with policymakers and even fellow intelligence officers. All officials may read OSINT.
Cost: A reconnaissance satellite, developed, launched, and maintained at a cost of billions of dollars, can provide images of a weapons factory’s roof or a submarine’s hull. A foreign magazine, with an annual subscription cost of $100, may include photographs of that factory’s floor or that submarine’s interior
Meanwhile, Intelligence analysts are putting efforts into sharing their data, data mining the web and social networking sites which is both, cost-effective and can greatly act as an early warning system for important events. Despite technological innovations, a blogger in an adversary's country can often unknowingly act as a HUMINT source of first-hand information -- looking for democracy minded individuals breaking through regimes through malware is yet another possibility. Tracking down terrorist propaganda and communications on the Internet has already reached the efficiency level mainly because of the use of open source intelligence and web crawling the known bad neighborhoods ever since 2001.
Related resources and posts:
IP cloaking and competitive intelligence/disinformation
Terrorist Social Network Analysis