
$960M and the FBI's Art of Branding Insecurity

July 06, 2006
In previous posts, "Are cyber criminals or bureaucrats the industry's top performer?" and "Insiders - insights, trends and possible solutions", I emphasized how bureaucracy results in major insecurities, and provided further information on various issues related to insiders and risk-management solutions, ones the FBI is obviously far from implementing given the access-control issues it has in place. It seems that two years ago a "Consultant Breached FBI's Computers":

"A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused."

How did he do it? With access to the password hashes and a 90-day password expiration period, he had all the time in the world, not to mention that, according to the article, an FBI agent even gave him his password. Rotation only limits how long a stolen password stays valid; it does nothing against someone cracking the hashes offline faster than the rotation clock runs.
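The point about hashes and rotation deserves a number. The following Python is an added example, not code from the original post or from the article it quotes: it estimates how long an exhaustive offline search takes for a few password policies and asks whether a 90-day rotation window is even relevant. The hash rates and policies are assumed, illustrative values, not measurements of the FBI's systems.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Policy:
    """A password policy reduced to what an exhaustive search cares about."""
    name: str
    charset_size: int   # distinct characters the policy allows
    length: int         # length the policy enforces (attacker assumes minimum)


def keyspace(policy: Policy) -> int:
    """Candidates an exhaustive search over this policy must cover."""
    return policy.charset_size ** policy.length


def expected_crack_days(policy: Policy, hashes_per_second: float) -> float:
    """Expected days to recover one password from its hash.

    A uniformly chosen password is found, on average, halfway through the
    keyspace. Real users pick far weaker passwords, so this is an upper bound.
    """
    return keyspace(policy) / 2 / hashes_per_second / SECONDS_PER_DAY


def rotation_helps(policy: Policy, hashes_per_second: float,
                   rotation_days: int) -> bool:
    """True only if the password is likely to be rotated before it is cracked.

    Rotation does nothing once the hash is cracked; it only matters when the
    expected crack time exceeds the rotation window.
    """
    return expected_crack_days(policy, hashes_per_second) > rotation_days


def summarize(policies, rates, rotation_days=90):
    """Return {(policy name, rate): (expected days, rotation helps)}."""
    table = {}
    for p in policies:
        for r in rates:
            table[(p.name, r)] = (expected_crack_days(p, r),
                                  rotation_helps(p, r, rotation_days))
    return table


# Assumed, illustrative rates for an offline attack on an unsalted fast hash:
# 1e7/s for a single mid-2000s CPU, 1e8/s for a small cluster.
ASSUMED_RATES = (1e7, 1e8)
POLICIES = (
    Policy("8 lowercase letters", 26, 8),
    Policy("8 mixed-case alphanumeric", 62, 8),
    Policy("12 printable ASCII", 95, 12),
)

if __name__ == "__main__":
    for (name, rate), (days, helps) in summarize(POLICIES, ASSUMED_RATES).items():
        print(f"{name:28s} @ {rate:.0e}/s: {days:14.2f} days, "
              f"90-day rotation {'helps' if helps else 'is irrelevant'}")
```

Eight lowercase letters fall in hours at either rate, so the expiry period never comes into play; only a long, full-charset password pushes the expected crack time past the window. Per-user salting does not change this single-target figure (it only stops one pass from testing every user's hash at once); what does change it is a deliberately slow hash, which cuts the attacker's rate by orders of magnitude.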

Passwords are a hot topic, and so are the insecurities posed by them. Moreover, spending close to $1B on a non-existent case system while struggling with access-control issues is rather unserious for a supposedly serious institution; have you considered an open source alternative? You wouldn't come across many developers with top-secret clearances applying for the job, but obviously a top-secret clearance cannot prevent insider behavior either.

BBC under the Intelligence Shadow

July 03, 2006
Nothing is impossible, the impossible just takes a little while. A relatively typical practice of the ex-USSR, namely controlling the media and profiling journalists and even readers, seems to have been going on in London during the same period as well. According to the Sunday Telegraph, the BBC let intelligence agents vet staff:

"Confidential papers obtained by the Sunday Telegraph reveal that the British Broadcasting Corp. allowed intelligence agents to investigate the backgrounds and political affiliations of thousands of its employees, including newsreaders, reporters and continuity announcers. The files, which shed light on the BBC's hitherto secret links with the counter-espionage service known as MI5, show that at one stage it was responsible for vetting 6,300 BBC posts -- almost a third of the total work force. The procedure was phased out in the late 1980s. The files also show that the corporation maintained a list of "subversive organizations" and that evidence of certain kinds of political activity could be a bar to appointment or promotion."

If you can spell the name of the party in your sleep and have subscribed to its periodical propaganda, only then do you have a chance to unleash your career potential. I guess what they were worried about was an undercover Red reporter taking advantage of live events and directly broadcasting a subversive message; remember when a guy invaded Truman's world in "The Truman Show" and tried to warn the little kid he's on TV all the time? The interesting part is how even the spouses of applicants were subject to scrutiny.

There you go with the freedom of the press; I guess China must have had something in mind when blocking access to the BBC's web site.

Where's my Fingerprint, Dude?

June 06, 2006
Personal data security breaches keep occurring, and with the trend toward a digital economy, it's inevitably going to get worse. In a recently revealed case, "Lost IRS laptop stored employee fingerprints", from the article:

"A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in the western United States, IRS spokesman Terry Lemon said. No taxpayer information was on the lost laptop, Lemon said. In all, the IRS believes the computer contained information on 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth."

For the time being the largest holder of fingerprints in the world is the U.S.A., and this fact affects anyone who enters the U.S. My point is that the unregulated ways of classifying, storing, transferring and processing this type of information will result in its inevitable loss, whether through bad in-transit security practices or plain negligence.

As we're also heading towards a biometrics-driven society, the impact of future data security breaches will go way beyond identity theft as we know it: lost and stolen voice patterns, DNA profiles and iris snapshots will make the headlines, and unlike a password, a fingerprint cannot be reissued once it has leaked. You might also be interested in knowing how close that type of "future scenario" really is, given the modest genetic database of 3 million Americans already in existence.

Things are going to get very ugly, and it's not the privacy issue that bothers me, but the aggregation of this type of data in the first place, and who will get to steal it. It's perhaps the perfect market-timing moment to start a portable security solution provider, or to resell one's know-how under license, of course.

Insider Competition in the Defense Industry

May 16, 2006
While there aren't any smoking-gun emails mentioned in this case, where else can we spot insiders if not in the defense industry, an industry where securing government-backed contracts, or teasing military decision makers with the latest technologies, ensures the long-term existence of the business itself? From the article:

"Boeing has been under investigation for improperly acquiring thousands of pages of rival Lockheed Martin's proprietary documents in the late 1990s, using some of them to help win a competition for government rocket-launching business. The government stripped Boeing of about $1 billion worth of rocket launches for its improper use of the Lockheed documents."

Boeing and Lockheed Martin remain the key players in the defense industry, ensuring their portfolios of services (cyberwarfare, theater warfare, grid networking compatibility, etc.) remain competitive. I once said that during the Cold War the tensions between the U.S. and the Soviet Union used to be the driving force of progress and innovation; these days terrorism is the driving force and the "excuse" for military and intelligence spending. And while NASA's budget has been decreasing over time, the next major space innovation won't come from NASA, but from the commercial sector.

What's the bottom line? A minor short-term effect, and long-term business continuity for sure, as "Boeing shares fell $1.76, or 2 percent, to $85.25 in morning trading on the New York Stock Exchange."

In between the lines of personal and sensitive information

April 26, 2006
In a previous post, "Give it back!", I mentioned the ongoing re-classification of declassified information and featured some publicly known sources for information on government secrecy. Today I came across a news item relating to the topic in another way, "States Removing Personal Data from Official Web Sites"; more from the article:

"At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."

That's an interesting way to fight the problem from the top, namely personal data security breaches that never stop growing, but I wish they had either come up with the practice by default years ago, or understood today's dynamics of the threat. Even if they start implementing this on a wide scale, it doesn't mean identity theft would stop occurring, or that phishing attacks wouldn't trick people into giving away the complete details. Implementing a process for securely storing, accessing and transferring such sensitive customer bank data often results in complexity, but using "redaction software" when you can actually take advantage of a risk-management solution isn't the smartest move here; yet again, that's the effect of today's dynamics and ever-changing attack vectors. What's the point of putting so much effort into sanitizing the data before going online with it, when an outsourcer, or an employee whose responsibilities include working with it, will somehow expose it?

Wait, I forgot the naive customer who still takes every phishing email received "personally". Don't think SSN and bank-account "redaction"; think insiders and storage/database security.
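For what "excising nine-digit entries" actually involves, here is an added Python example, not from the original post or from any of the redaction products the article mentions. It redacts SSNs and labelled account numbers from text, and shows the check a practitioner wants: a nine-digit rule alone also eats ZIP+4 codes and digit runs inside phone and card numbers. The label list for account numbers and the sample text are constructed for this example.

```python
import re

# SSN written as 123-45-6789, 123 45 6789 or 123456789. The lookarounds stop
# the pattern from matching a nine-digit window inside a longer number such
# as a card or phone number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([-\s]?)(\d{2})([-\s]?)(\d{4})(?!\d)")

# Bank account numbers have no fixed shape, so they are only redacted when a
# label precedes them. The label list is an assumption for this example.
ACCOUNT_RE = re.compile(
    r"(?i)(\b(?:account|acct)\s*(?:no\.?|number|#)?\s*[:#]?\s*)(\d[\d -]{5,}\d)")

PLACEHOLDER = "[REDACTED]"


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area 000, 666 and 900-999 are never
    issued, nor is group 00 or serial 0000. Form placeholders such as
    000-00-0000 fail this check; they are still removed but reported."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact(text: str) -> dict:
    """Redact labelled account numbers and SSNs; report what was removed."""
    report = {"redacted_ssn": 0, "implausible_ssn": 0, "redacted_account": 0}

    def acct_repl(m):
        report["redacted_account"] += 1
        return m.group(1) + PLACEHOLDER

    def ssn_repl(m):
        area, sep1, group, sep2, serial = m.groups()
        # "94107-1234" is a ZIP+4, not an SSN: real SSNs use the same
        # separator (or none) in both positions, so mixed separators are
        # left alone.
        if sep1 != sep2:
            return m.group(0)
        report["redacted_ssn"] += 1
        if not is_plausible_ssn(area, group, serial):
            report["implausible_ssn"] += 1
        return PLACEHOLDER

    text = ACCOUNT_RE.sub(acct_repl, text)   # labelled accounts first
    text = SSN_RE.sub(ssn_repl, text)
    report["text"] = text
    return report


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = ("SSN 123-45-6789, test value 000-00-0000, mail to ZIP 94107-1234, "
              "phone 415-555-0100, card 4111111111111111, applicant 078051120, "
              "Account No: 0012 3456 7890.")
    print(redact(sample))
```

This only covers a text layer. Scanned filings need OCR first, and a redaction that merely draws a box over an image while leaving the text object underneath is the classic failure; the output should be checked by extracting the text again rather than by looking at it.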

With respect to removing sensitive information from the Web, I feel that the inability to classify information successfully, and to balance accountability in front of society to a certain extent, generates contradictory responses. If you try to take down a document that has somehow been listed on the Internet or is available in digital format, what you're actually doing is inspiring people to disseminate it, news agencies included, so make sure it doesn't appear there in the first place. Recent cases such as these:

"DOD removes missile defense system report from Web site"
"NORAD orders Web deletion of transcript"
"Air Force One data removed from Web Site revealed details of security measures on president's jets"
"Leaks of Military Files Resume"

bring more insight into the issue. It is well known that the entire Chinese information warfare doctrine is backed up by the network-centric warfare (NCW) visions of the U.S. military (they still have Sun Tzu's legacy, though), and that Al Qaeda's manuals actually quote U.S. military documents. If you know exactly what you're looking for, you will find it one way or another; just make sure information sharing doesn't end up as an information leakage event.

Going beyond achieving the balance between usability, accountability and secrecy, I also feel that disinformation and deception are reasonably taking place as well, given that the reader is actually identified and consequently influenced.

Insider fined $870

April 05, 2006
Insiders remain an unresolved issue, where the biggest trade-off is the loss of productivity and of trust in the organizational culture. According to the Sydney Morning Herald:

"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou". The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."

So, it's not just 0days, eBay/PayPal accounts and spyware market-entry positions for sale, but virtual-world goods as well.

While it's not a top espionage case, or one comparable to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that, according to the most recent FBI 2005 Computer Crime Survey, cost businesses $6,856,450.

Then again, failing to adequately quantify the costs may either fail to assess the situation, or twist the results based on unmaterialized but expected sales, as according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is confidence in Samsung's business case.

A top level espionage case in Greece

February 08, 2006
Starting shortly after the Olympic Games in 2004 and up to March 2005, the mobile phones of Prime Minister Costas Caramanlis, the ministers of foreign affairs, defense, public order and justice, top military officials, a number of journalists, and human rights activists (hmm?) were tapped by an unknown party through the installation of "spy software" (that's too open a topic) on, mind you, Vodafone's central system, and were diverted to a pay-as-you-go mobile phone.

At the bottom line, who's behind it? Interested parties within the Greek government, or external ones? To me this is a dead insider's job, or the job of someone who had the incentive to break Vodafone's security, which I doubt. Though, it is disturbing how easily these mobile numbers could be obtained, as the majority of media representatives already have them! My point is that you should count them as the weakest link, besides accessing a mobile provider's database and other sources.
UPDATE: Vodafone's statement.
UPDATE 2: Cryptome featured more info in "The Greek illegal wiretapping scandal: some translations and resources".

Another recent spy case was the rock transmitter found in a Moscow park, and while Russian president Putin is cheering the discovery and keeping it diplomatic, the FSB (a successor to the KGB) is taking note of this one. You can actually go through a collection of videos and references on the case.

I guess it's the silence that's most disturbing in the "Silent War".

Insiders - insights, trends and possible solutions

December 19, 2005
Recent research on the content-monitoring market, and the U.S. 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" that I've recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time; in fact, I featured a short article entitled "Insiders at the workplace - trends and practical risk mitigation approaches" in Issue 18 of the monthly security newsletter, which you can freely subscribe to!

"Insider" as a definition can be as contradictory as the word "cheater" is :-) Does an individual become an insider merely by thinking about it, or only prior to initiating an action defined as an insider's? In the same way, can someone be defined as a "cheater" just for thinking about what's perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and is this moment of any importance to tackling the problem?

The biggest trade-off as far as the insider problem is concerned is between dealing with the problem while ensuring productivity and making sure the company's work environment isn't damaged, rather than exactly the opposite. And while productivity is extremely important, the direct, or more often indirect and long-term, loss from intellectual property theft is currently resulting in a couple of billion dollars of unmaterialized revenue for nations and enterprises across the globe.

Going through the 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage", a major trend needs to be highlighted, as I strongly believe it's a global one: private enterprises' efforts to obtain access to sensitive technologies in unethical ways outpace foreign governments' efforts to do the same. Corporations spy more on one another than governments do, but is this truly accurate? I don't think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies, to conduct nationally funded economic espionage is a growing trend, and the lines in this area are so blurred that we should try to grasp the big picture when it comes to national competitiveness: both companies and nations directly or indirectly benefit from economic/industrial espionage, and you can't deny it!

Yet another important fact to keep in mind is the unusually high success rate of the oldest and most common-sense social engineering attack: asking!! In certain cases a social engineer will inevitably establish contact with customer-service-obsessed personnel taking care of all your requests! An organization's members may have trouble differentiating sensitive from secret information, not taking the former as seriously as they should. Even worse, the U.S. Secret Service and CERT's "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector" reveals that "83% of the insider threat cases took place physically from within the insider's organization, and in 70% of all cases, the incidents took place during normal working hours"! No secretaries or CEOs logging in at 3:00AM, and in this case the lack of detected security incidents posed by insiders means they are already happening!

Though, I have always looked at the insider issue from both a negative and a positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, they can, if you take into account the U.S. government's efforts to locate democratically minded individuals living in countries with restrictive regimes or active Internet censorship efforts.
Now, given that you are truly interested in the democratization of a particular region, and not in another successful PSYOPS operation, being able to locate, establish and actually maintain contact with these individuals will prove crucial for an objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming from certain regions, and focusing on locating insiders within rogue states, has been a common practice for years.

Is there a market for protecting against intellectual property theft and sensitive information leakage? If so, how does it ensure that today's digital workplace and road warriors' flexibility are not sacrificed for the sake of protecting the company's resources? Mind you, the current solutions only scratch the surface of the issue: creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it's like one-way authentication (passwords) when it comes to access control: the first line of defense, but one among many others!

The insider problem is a far broader one, and given today's complexity and connectivity, a possible insider's actions will most often consist of normal daily activities. But what is the market up to anyway?

Currently, the content-monitoring market is steadily growing, fueled by the need to ensure that information marked as sensitive, or intellectual property, doesn't leave the company's premises, or that someone is alerted when an attempt is made to transfer it, whether through negligence or on purpose!

The main players are: Vontu, Tablus, Reconnex, and Vericept.
While these solutions are a great concept, they all mainly rely on content analysis and sensitive-information signatures, monitoring multiple exit points (email, web, chat, forums, p2p, ftp, even telnet); namely, reactive protection, while a sophisticated insider's actions may remain hidden due to covert channels or 0day vulnerabilities in the vendor's product, for instance!
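To make the "signatures of data" approach and its blind spot concrete, here is an added Python example that is not code from the original post or from any of the vendors named above. It fingerprints a protected document as hashed five-word windows, flags an outbound message that reuses enough of them, and then shows what happens when the same text is base64-encoded, ROT13-encoded, or merely reworded. The document, the messages, the window size and the alert threshold are all constructed assumptions for this example.

```python
import base64
import binascii
import codecs
import hashlib
import re

SHINGLE_WORDS = 5      # assumption: fingerprint on 5-word windows
ALERT_THRESHOLD = 3    # assumption: alert when 3+ windows match one document

# Constructed sample of a "sensitive" document, not a real one.
SENSITIVE_DOCS = {
    "kestrel-pricing.txt": (
        "Project Kestrel confidential pricing proposal. Unit cost per launch "
        "vehicle is 41.7 million with a 12 percent margin reserved for "
        "integration risk. Bid deadline is the fourteenth of the month."
    ),
}


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str) -> set:
    """Hashed 5-word windows; only the hashes need to live on the monitor."""
    words = tokenize(text)
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out


def build_index(docs: dict) -> dict:
    """Map shingle hash -> document name for every protected document."""
    return {h: name for name, body in docs.items() for h in shingles(body)}


def expand_encoded(text: str) -> str:
    """Append the decoded form of any long base64-looking token, so a
    trivially encoded copy is still matched. Only base64 is tried here."""
    decoded = []
    for token in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", text):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return text + " " + " ".join(decoded)


def inspect(outbound: str, index: dict, decode_layers: bool = True):
    """Return (alert, best matching document, matching window count)."""
    body = expand_encoded(outbound) if decode_layers else outbound
    hits = {}
    for h in shingles(body):
        if h in index:
            hits[index[h]] = hits.get(index[h], 0) + 1
    if not hits:
        return (False, None, 0)
    doc, n = max(hits.items(), key=lambda kv: kv[1])
    return (n >= ALERT_THRESHOLD, doc, n)


def evasion_variants(text: str) -> dict:
    """The same content as an insider might actually send it."""
    return {
        "verbatim": text,
        "base64": "see attached: " + base64.b64encode(text.encode()).decode(),
        "rot13": codecs.encode(text, "rot_13"),
    }


INDEX = build_index(SENSITIVE_DOCS)

if __name__ == "__main__":
    excerpt = "fyi: Unit cost per launch vehicle is 41.7 million with a 12 percent margin"
    for label, variant in evasion_variants(excerpt).items():
        print(label, inspect(variant, INDEX))
```

The verbatim excerpt trips the alert, the base64 copy only trips it because the monitor happens to try that one decoding, and ROT13 or a light rewording sails through with zero matches. Each decoding the vendor adds is one more layer the insider has to add; a password-protected archive or a photo of the screen is outside this model entirely, which is the reactive-protection limit the paragraph above describes.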

Something else to consider: should an IP (intellectual property) trap be considered a benchmark for insider tendencies?! In other words, should you consider as an insider an employee who has deliberately been sent a link to company information he/she isn't supposed to have access to, but has clicked it to obtain it? Stanford thinks yes! The university suspended potential candidates for obtaining info on their admission process merely by following a link... you are either a one or a zero, right?

Honeypots targeting insiders were also discussed a long time ago by Lance Spitzner of the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious, mostly behavior-based.
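The two proactive ideas above, a decoy that no legitimate workflow touches and a behavioral baseline, can be run over an ordinary access log. The following Python is an added example and not code from the original post, the Honeynet Project or any vendor: it flags any read of a honeytoken record, and flags users whose daily read volume exceeds a multiple of their own baseline. The log lines, record identifiers, baselines and the multiplier are constructed assumptions. It deliberately does not key on time of day, for the reason the study quoted earlier gives: most of these incidents happen during normal working hours.

```python
from collections import defaultdict
from datetime import datetime

# Decoy customer records that no legitimate workflow ever touches; any read
# is an alert. IDs are constructed for this example.
HONEYTOKEN_IDS = {"CUST-000913", "CUST-004471"}

# Assumed per-user baseline of record reads per day, taken from prior weeks.
BASELINE = {"alice": 40, "bob": 35, "carol": 1}
VOLUME_FACTOR = 5  # assumption: alert above 5x a user's own baseline

# Constructed audit log: "<timestamp> <user> <action> <record-id>".
AUDIT_LOG = """\
2006-04-03T09:12:44 alice SELECT CUST-001202
2006-04-03T09:13:02 alice SELECT CUST-001203
2006-04-03T09:15:40 alice UPDATE CUST-001203
2006-04-03T10:41:17 bob SELECT CUST-000913
2006-04-03T10:41:18 bob SELECT CUST-000914
2006-04-03T14:02:05 carol SELECT CUST-002001
2006-04-03T14:02:06 carol SELECT CUST-002002
2006-04-03T14:02:06 carol SELECT CUST-002003
2006-04-03T14:02:07 carol SELECT CUST-002004
2006-04-03T14:02:07 carol SELECT CUST-002005
2006-04-03T14:02:08 carol SELECT CUST-002006
2006-04-03T14:02:08 carol SELECT CUST-002007
2006-04-03T14:02:09 carol SELECT CUST-002008
"""


def parse(log: str) -> list:
    """Turn log lines into (timestamp, user, action, record) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def honeytoken_hits(events) -> list:
    """Every touch of a decoy record, regardless of time of day or volume."""
    return [(ts, user, record) for ts, user, _, record in events
            if record in HONEYTOKEN_IDS]


def volume_anomalies(events, baseline, factor=VOLUME_FACTOR) -> dict:
    """Users whose record count exceeds factor x their own baseline.

    Measured against the user's own history rather than a fixed after-hours
    rule, since a scrape at 14:02 on a Monday looks like ordinary work.
    """
    counts = defaultdict(int)
    for _, user, _, _ in events:
        counts[user] += 1
    return {u: c for u, c in counts.items() if c > factor * baseline.get(u, 1)}


def report(events, baseline) -> list:
    """Human-readable alert lines, honeytoken hits first."""
    alerts = []
    for ts, user, record in honeytoken_hits(events):
        alerts.append(f"{ts.isoformat()} HONEYTOKEN {user} read {record}")
    for user, count in sorted(volume_anomalies(events, baseline).items()):
        alerts.append(f"VOLUME {user} read {count} records "
                      f"(baseline {baseline.get(user, 1)})")
    return alerts


if __name__ == "__main__":
    for line in report(parse(AUDIT_LOG), BASELINE):
        print(line)
```

Bob's single read of CUST-000913, sandwiched between sequential customer IDs, is the kind of signal a honeytoken gives for free; the decoy has to be seeded where only an enumeration or a search would surface it, and it must never be linked from anything a normal job touches, or the alert drowns in false positives. Carol's volume alert needs the baseline to be per user; a global threshold tuned for alice would never fire on her.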
From an organization's point of view, take the following into consideration:
- Clearly communicate the consequences, both personal and career-wise, in case an insider is identified, based on the company's perception of the problem
- Ensure that negative attitudes towards the organization are kept to a minimum, so that post-incident negative sentiments don't develop
- Do not fall victim to the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks; technology, as often happens, is merely the facilitator of certain actions
- Does system identification accountability have any actual effect? My point: is a user's loss of credentials, resulting in a successful attack, in any way prosecuted or simply tolerated? If it isn't prosecuted, this puts any employee in the extremely favorable "it wasn't my fault" position, where the data could be shared, deliberately exposed, sold, or reported stolen, etc.
- Building active awareness of the company's efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation's point of view, the following issues should be taken into consideration:
- In today's increasingly transparent marketplace, based on the digital flow of information, open source intelligence capabilities have played a leading role in the development of cost-effective competitive intelligence solutions. Even so, nations and their companies are very interested in exploiting today's globalized world.
- Ensuring an adequate security level for the private and academic sectors' infrastructure (where research turns into products and services, or exactly the opposite), through legislation or further incentives, will improve national competitiveness while keeping current R&D innovations as secret as necessary.
- Outsourcing should be considered an important factor contributing to information leakage, and the individuals involved, or the company's screening practices, should be carefully examined.
- A fascinating publication I recently read is "Quantifying National Information Leakage", describing the implications of the Internet's distributed nature, namely to what extent U.S. Internet traffic is leaking around the world where it "passes by". A nation's habit of plain-text communications, or lack of an efficient alternative, can prove tricky if successfully exploited. Of course, this doesn't include conspiracy scenarios of major certificate authorities being breached.

The insider problem will remain an active topic for discussion for years to come, given its complexity and the severity of its implications. Insider metrics are a key indicator for pattern tracking, whereas insiders' creativity shouldn't be underestimated at any cost!

In case you are interested in various recommended reading, statistics, and other people's points of view, try this research.