Arabic Extremist Group Forum Messages' Characteristics

Ever wondered what's the font size of a terrorist forum posting? These guys are really deep into using AI for gathering intelligence on various Cyberterrorism threats, and as you can see they neatly visualize their findings. "Applying Authorship Analysis to Extremist-Group Web Forum Messages" by Ahmed Abbasi and Hsinchun Chen, University of Arizona seem to have found a way, or at least patters of ongoing terrorist communication, and of course propaganda online. What they did was :



"To explore these problems, we modified an existing framework for analyzing online authorship and applied it to Arabic and English Web forum messagesassociated with known extremist groups. We developed a special multilingual model—the set of algorithms and related features—to identify Arabic messages, gearing this model toward the language’s unique characteristics. Furthermore, we incorporated a complex message extraction component to allow the use of a more comprehensive set of features tailored specifically toward online messages. A series of experiments evaluating the models indicated a high level of success in identifying communication patterns."



Social network analysis has a lot of potential, and with data mining it seems to be the perfect match for the recent trouble with NSA's domestic spying program. DearNSA.com and the Patriot Search are aiming to solve the problem for both parties -- efficiently.



There's a lot of propaganda chat going on online all the time, and among the very few limitations that bother me about such web aggregation of open source information are the use of steganography, or plain-simple Dark Web (closed for crawlers with basic/sophisticated authentication in place) communication -- remember there's a lot of noise to sort out through as well. Continue reading →

Espionage Ghosts Busters

In previous posts, "Insider Competition in the Defense Industry", and "The anti virus industry's panacea - a virus recovery button" , I gave examples of insider trading, of malware infecting border-screening computers, or the plain truth on how U.S "manufactured" PCs are actually assembled in China these days.



Obviously, plain old paranoia without solid background still dominates as "Representative Frank Wolf (R-VA) has announced that the State Department has agreed not to use 900 computers purchased from Chinese-owned Lenovo on classified computer networks. The US-China Commission, a bipartisan congressional commission, raised concerns when State announced the purchase of 16,000 desktop computers from Lenovo, with 900 to be used on secret networks connected to the Defense Department's classified SIPRnet (Secret Internet Protocol Router Network). State is changing its procurement process to better track changes in vendor ownership that could impact national security."



There's a common myth that a nation's military uses a specially dedicated networks, ones greatly differing from the standart OSI model the way we know it -- which is wrong as it would limit the usability, and increase the costs of operating. My point is that, even a PC sold by Dell would eventually run a Microsoft OS, thus exposing it to the monocultural insecurity by itself, and the human weaknesses of the person operating the PC itself, not guarding the SIPRnet
perimeter.



It would be easier for Chinese hackers or government entities to take advantage of client side attacks on any of these systems, then to ship them backdoor-ready risking too much in case of possible espionage fiasco. There have been known cases of malware leaking nuclear plant information, or employees P2Peering sensitive/classified information. Be it, hardware keyloggers, logic bombs, BIOS rootkits, given the scrutiny, even a slight ambition might have vanished in the air. Modern spy gadgets are evolving, espionage cases are still happenning and some get even public, but in case you're interested in the true ghost covert operative - stay tuned for the Stand Alone Complex Novel! Continue reading →

Nation Wide Google Hacking Initiative

The idea of doing reconnaissance for the purpose of pen testing or malicious activity through google hacking, has already reached levels of automation -- the problem is how the threat gets often neglected by those that actually suffer from a breach later on. I came across to an article pointing out that :



"Anyone who wants to hack into sensitive information on New Zealand internet sites might be pleased to know it can be as easy as typing keywords into a Google search. Researchers at Massey University’s Albany campus say the country’s websites are more vulnerable to "Google hacking" than anywhere else in the world. University Information and Mathematical Sciences Institute senior lecturer Dr Ellen Rose and graduate student Natalia Nehring recently completed a study into the topic."



Not exactly a type of cyberterrorism exercise such as the most recent DigitalStorm, but it's logical to conclude that if someone takes the time and effort to data mine the web, localize the attack like in this case, a lot will be revealed. In a recent article, CSOonline goes in-depth into the security implications posed by Google. I once had a chat with Johnny Long on many topics, among the "few", of course, was google hacking. He made a good point on saying that it's whatever you actually do with the results that matters most, and how diverse is the threat -- by googling your lights off for instance.


What you should keep in mind is that it isn't Google to blame, the way "Improving the Security of Your Site by Breaking Into it" provoked awareness, and not damage. Think the problem isn't big of a shot -- gather some intelligence by yourself through the Google Hack Honeypot project. Continue reading →

Travel Without Moving - Cheyenne Mountain Operations Center

It's a small world -- and a busy one, this post was supposed to appear the previous week so here it goes. There are certain places you just can't miss on the world's map, and the Cheyenne Mountain Operations Center is one of them. Remember the typical massive gate in the War Games movie, or in pretty much any other military/intelligence thriller you've watched? Try this one. Nuke it, EMP it, it's supposed to stand tall, yet it remains a visible sensitive location for you to enjoy without moving. The other day I came across to a report that I somehow missed in relation to various threats -- if any -- posed by Google Earth. "Google Earth Study: Impacts and Uses for Defence and Security" is worth the read :



"The Google Earth study on the impacts and uses for defence and security is aimed at answering a number of questions. What are the technical features, the reliability and limits of GE data and software, regarding international security regulations? Which confidence in data, real dangers of a pernicious use, or impacts of such an easy access to imagery is there on users or the geographical information market? What are the new applications stemming from GE, which services can be derived from this application, or what are the ways to integrate GE into an information system?"



Stay tuned for the upcoming 0day sights from around the world. Continue reading →

Techno Imperialism and the Effect of Cyberterrorism

It's been a while since I've last blogged about Cyberterrorism, and while many did mentioned the topic in between the recent DRDoS attacks, Cyberterrorism is so much more than simply shutting down the Internet, namely the ability to communicate, research, recruit and use propaganda to achieve goals based on ideological beliefs, or the convergence of Terrorism and the Internet.



Can we argue that cyberterrorism is the direct effect of techno imperialism, or let's use a more friendly word such as IT-dependent society and information infrastructure?





What exactly does cyberterrorism mean? When does an average internet user's malicious activity turns into cyberterrorism ones? Are there clear definitions, or the lack of such as resulting in the in a total misunderstanding for both, the media and the general public. The recently released Google Trends, which I covered in a previous post, doesn't even count Cyberterrorism, so I looked further and came across to a very good research "Fear-mongering or fact: The construction of ‘cyber-terrorism’ in U.S., U.K, and Canadian news media" that aims to emphasize on the common misunderstanding when defining Cyberterrorism and the media's acceptance of the concept. The outcome? Declining media presence with the years, to end up where it is today, but what you should keep in mind is that the concept is still out there.





Trying to seperate Cyberterrorism as a tool for achieving Information Warfare dominance is like on purposely ignoring the the big picture -- that Cyberterrorism, one that sometimes results out of hacktivism tensions is a powerful tool for achieving the full effect of information warfare. Whereas such attacks occur all the time, I can argue that the actual impact of cyberterrorism cannot be easily and quantitatively justified. We all know that it's theoretically logical for terrorists to use the Internet for various cyberplanning and cyber communication, what can we do about it?

Crawling for terrorist web sites clearly associated with different organizations, or trying to spot terrorist symphatizers have been in the execution stage for yers. Projects such as the Terrorism Knowledge Discovery Project, take a very deep look into the subject by introducing Terrorism Knowledge Portal, an aggregated source for intelligence. Moreover, according to a recent article :


"SAIC has a $US7 million Defence Department contract to monitor 1500 militant websites that provide al Qaeda and other militant organisations with a main venue for communications, fund-raising, recruitment and training." It's also interesting to note other initiatives that started back in 2001, such as the Automatic Identification of Extremist Internet Web Sites.



Another concept goes in-depth into Confronting Cyberterrorism with Cyber Deception as "if it is possible to deceive terrorists, then it should also be possible to deceive cyberterrorists. The reliance of cyberterrorists on information technology makes them vulnerable to cyber deceptions. In addition, many of the methods and tools that cyberterrorists would use are similar to those used by other less malicious hackers, so we can plan specific deceptions to use against them in advance." As you can see on the grid above, the actors, the deception target and the level of difficulty provide more insight into the idea, great research!





Steganography embedded images used by terrorists on the public web can be doubtful, but on the Dark Web, why not? According to a research I came across to some time ago :


"In academia, graduate students Niel Provos and Richard Honeyman at the University of Michigan have written a web crawling program to detect steganographic images in the wild. The program has already digested 2 billion JPEG’s on popular sights such as ebay and has so far found only one stego-image in the wild. The detected image was on an ABC web page that dealt with the topic of steganography."





Detecting Steganographic Content on the Internet as a concept has been around for ages, while plain old encryption is the de-facto practice according to a well researched news article :





• Wadih El Hage, one of the suspects in the 1998 bombing of two U.S. embassies in East Africa, sent encrypted e-mails under various names, including "Norman" and "Abdus Sabbur," to "associates in al Qaida," according to the Oct. 25, 1998, U.S. indictment against him. Hage went on trial Monday in federal court in New York.





• Khalil Deek, an alleged terrorist arrested in Pakistan in 1999, used encrypted computer files to plot bombings in Jordan at the turn of the millennium, U.S. officials say. Authorities found Deek's computer at his Peshawar, Pakistan, home and flew it to the National Security Agency in Fort Meade, Md. Mathematicians, using supercomputers, decoded the files, enabling the FBI to foil the plot.





• Ramzi Yousef, the convicted mastermind of the World Trade Center bombing in 1993, used encrypted files to hide details of a plot to destroy 11 U.S. airliners. Philippines officials found the computer in Yousef's Manila apartment in 1995. U.S. officials broke the encryption and foiled the plot. Two of the files, FBI officials say, took more than a year to decrypt.





Among the many cases I am aware of worth mentioning are :





- What are the real risks of cyberterrorism? In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 1 million.





- Cyberterrorism: How Real Is the Threat? Yonah Alexander, a terrorism researcher at the Potomac Institute—a think tank with close links to the Pentagon—announced in December 2001, the existence of an “Iraq Net.” This network supposedly consisted of more than one hundred websites set up across the world by Iraq since the mid-1990s to launch denial-of-service or DoS attacks against U.S. companies. The concept of botnets wasn't that popular at the time, so that's an example of marginal thinking on acquiring DoS power.





- In the indictment against Zacharias Moussaoui, it states that Moussaoui had among his possessions a flight simulator program, software for reviewing pilot procedures for a Boeing 747 Model 400, and a computer disk of information on aerial spraying of pesticides. The indictment also outlines Moussaoui’s use of e-mail to inquire about flight training.



- For almost two years, intelligence services around the world tried to uncover the identity of an Internet hacker who had become a key conduit for al-Qaeda. The savvy, English-speaking, presumably young webmaster taunted his pursuers, calling himself Irhabi -- Terrorist -- 007. He hacked into American university computers, propagandized for the Iraq insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their computers for the cause.





I can argue which article is more intriguing compared to BusinesWeek's writeup on catching the ShadowCrew, but anyway all you need to a get a reader's attention is a name such as Abu Musab al-Zarqawi, a point that I feel is totally brainwashed in this paragraph :)





Cyberterrorism is an inseparable part of Information Warfare, and while we would hopefully never witness a catastrophic scenario, that is offensive use of Cyberterrorism, recruitment and propaganda flood the Internet on a daily basis. Just stop being suspicious about everyone, and try to enjoy life in between, can you, as terrorists are not everywhere -- but where we see them at the bottom line! Continue reading →

Insider Competition in the Defense Industry

While there aren't any smoking emails mentioned in this case, where else can we spot insiders if not in the defense industry, an industry where securing government-backed contracts, or teasing military decion makers with the latest technologies ensures the long-term existence of the business itself? From the article :



"Boeing has been under investigation for improperly acquiring thousands of pages of rival Lockheed Martin's proprietary documents in the late 1990s, using some of them to help win a competition for government rocket-launching business. The government stripped Boeing of about $1 billion worth of rocket launches for its improper use of the Lockheed documents."



Boeing and Lockheed Martin remain the key players in the defense industry, ensuring their portfolio of services (cyberwarfare, theater warfare, grid networking compatibility etc.) remain competitive. I once said that during the Cold War, the tensions between the U.S and the Soviet Union used to be the driving force of progress and innovation, these days, terrorism is the driving force and the "excuse" for military and intelligence spending. And while NASA's budget has been decreasing with the time, the next major space innovation wouldn't come from NASA, but from the commercial sector.



What's the bottom line? A minor short-term effect, and long-term business continuity for sure as "Boeing shares fell $1.76, or 2 percent, to $85.25 in morning trading on the New York Stock Excange." Continue reading →

EMP Attacks - Electronic Domination in Reverse

Yesterday, I came across to an updated(April 14, 2006) CRS report - High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments, a topic I covered in a previous post related to asymmetric warfare.



Basically, it outlines critical issues such as, what is the U.S(or pretty much any other country thinking asymmetric warfare) doing to ensure critical civil infrastructure is protected against EMP attacks, how does the vulnerability of EMP attacks encourage other nations to develop such capabilities, and yes, of course the "threat" of terrorist EMP warfare -- in your wildest dreams only. An excerpt :



"However, other analysts maintain that some testing done by the U.S. military may have been flawed, or incomplete, leading to faulty conclusions about the level of resistance of commercial equipment to the effects of EMP. These analysts point out that EMP technology has been explored by several other nations, and as circuitry becomes more miniaturized, modern electronics become increasingly vulnerable to disruption. They argue that it could possibly take years for the United States to recover fully from widespread damage to electronics resulting from a large-scale EMP attack."



Why wouldn't a "reported sponsor of terrorist" nations wage EMP warfare, or even try to over the U.S? Because they would have the U.S in their backyard in less than a day, but the opportunity to balance the powers, or achieve temporary military advantage given the attack remains undetected is a tempting factor for future developments -- the ongoing miniaturization and the fact that intense energy effects can be can be produced without an A-Bomb makes it even worse. Surgical HPM and EMP attacks without fear of retaliation is what possible adversaries could be aiming at, and of course portability :



"Other HPM weapons being tested by the military are portable and re-usable through battery-power, and are effective when fired miles away from a target. These weapons can also be focused like a laser beam and tuned to an appropriate frequency in order to penetrate electronics that are heavily shielded against a nuclear attack. The deepest bunkers with the thickest concrete walls reportedly are not safe from such a beam if they have even a single unprotected wire reaching the surface."



Yesterday I was looking for an article I wrote in 1998 on Nuclear Weapons and seem to have found it -- it makes me smile given my age, and the fact that I had to orally defend the topic, hope you will find it an interesting retro read :) I don't necessarily agree with all the things, it just the way I was perceiving the world back than. For instance, Russia didn't accelerate their scientific efforts, as the A-bomb secret eventually leaked out to them, and with the fall of the Soviet Union and ICBMs available in every corner of the country and its republics, it wasn't hard for other nations to piggyback too.



Did you know that Stalin was aware of the U.S's A-bomb, even before Harry Truman was? -- the consequence of too much secrecy sometimes!



Nuclear Weapons
There has always been war, and will always be though we live in more peaceful world nowadays. It's a long time that nuclear weapons are not the same threat to the world's peace as they were years ago. Despite all the reducement and limitation of nuclear weapons they haven't disappeared yet completely. Today all the nuclear arsenals are able to kill everybody on EARTH, a thousand times, though nobody wants to die even once. One of the greatest scientific and human's achievements - mastering the nuclear energy, is in position both to change the traditional sources of energy, and to move toward the social progress. However, this discovery was used not in people's behalf, but against it.


During Truman's leadership nuclear scientists were working on the project"MANHATTAN" as they were to finish mastering the nuclear energy, but they didn't know that their discovery would change completely the world to worse, demanding death to million people. Americans have always been competing with Russians in each sphere. When Americans discovered the A-BOMB Russians were far from it. Then Truman decided to drive Russia into a corner. But he didn't have the chance, due to Stalin who ostensibly didn't pay attention to the threat. To show his power Truman threw the A-BOMB on Hiroshima on 6 of August at 8 :00 am. It generated a huge amoung of energy when it exploded. Most people died within a few hours. By the end 0f 1945 the estimated number of peole who died as a direct result of the bomb was 140,000. But later it has been concluded that the number of people who died was approximately 200,000, even more. Russia decided that it could't last so long and accelerated the speed of doing their project for the A-BOMB several times. Only for 4 years they worked it out which the Americans succeeded for 20. As Russia's A-BOMB appeared the United State's plans for starting a war and attack Russia made them think.


All their plans went wrong. When the U.S controlled the weapons of mass destruction their strategists used to think about the harmful power of the weapons. Now, the U.S have completely changed their policy line. When a conflict arise anywhere in world they would help. When a disaster damages a country, when a war starts they always stand by the side of the weaker. They mastered outer space and they don't do it just for themselves but for the whole mankind. Now all the people in world develop good relationships. But we live in a troubled world. Our daily cares are increasingly dwarfed by the thought that they may vanish in a flash. People separated by continents and oceans are uneted in their wish to prevent the global nuclear catastrophe. Young people today do not wish war they want peace and love. It's not just a wish, it's a must!



This is eight years ago, and I'm still keeping the spirit I guess :) Continue reading →

Valuing Security and Prioritizing Your Expenditures

I often blog on various market trends related to information security and try to provide an in-depth coverage of emerging or current trends -- in between active comments. In previous posts "FBI's 2005 Computer Crime Survey - what's to consider?", "Spotting valuable investments in the information security market", "Why we cannot measure the real cost of cybercrime?", "Personal Data Security Breaches - 2000/2005" and, "To report, or not to report?" I emphasized on the following key points in respect to data security breaches and security investments :



- on the majority of occasions companies are taking an outdated approach towards security, that is still living in the perimeter based security solutions world


- companies and data brokers/aggregators are often reluctant to report security breaches even
when they have the legal obligation to due to the fact that, either the breach still hasn't been detected, or the lack of awareness on what is a breach worth reporting


- the flawed approaches towards quantifyingthe costs related to Cybercrime are resulting in overhyped statements in direct contradiction with security spending


- companies still believe in the myth that spending more on security, means better security, but that's not always the case


- given the flood of marketing and the never ending "media echo" effect, decision makers often find themselves living with current trends, not with the emerging ones, which is what they should pay attention to



It is often mistaken that the more you spend on security, the higher level of security would be achieved, whereas that's not always the case -- it's about prioritizing and finding the most suitable metrics model for your investment.



Here's an article describing exactly the same impression :



"Security breaches from computer viruses, spyware, hacker attacks and equipment theft are costing British business billions of pounds a year, according to a survey released Tuesday. The estimated loss of $18 billion (10 billion pounds) is 50 percent higher than the level calculated two years ago, according to the survey that consultancy PricewaterhouseCoopers conducted for the U.K. Department of Trade and Industry. The rise comes despite the fact that companies are increasing their spending on information security controls to an average 4 percent or 5 percent of their IT budget, compared with 3 percent in 2004."



That's pretty much the situation everywhere, companies are striving to apply metrics to security investments and this is where it all gets blur. Spending more on security might seems to be logical answer, but start from the fact that open networks, thus exposed to a great deal of uncontrollable external factors, undermine the majority of models so far. Bargaining with security, or "Getting paid for getting hacked" remains a daily practice whatsoever. Let's consider various social aspects concerning the participants.



A financial executive often wants to know more on :

- Do I get any return on my investment (ROI) ?
- What % of the risk is mitigated and what are your benchmarking methods?
- What may I lose if I don't invest, and where's the sweet spot?
- How much is enough?
- How do I use basic financial concepts such as diversification in the security world?
- How would productivity be influenced due to the lack of solutions, or even their actual use?



A security consultant on the other hand might be interested in -- How do I convince senior management in the benefits of having a honeyfarm in respect to mitigating the overall risk of having real systems breached into, without using Cyberterrorism as the basis of discussion?



These different school's of though, positions, responsibilities and budget-allocation hungry individuals are constantly having trouble communicating with each other. And while you cannot, and perhaps even should not try to educate your security workforce in to the basics of finance, an understanding of both side's point of view may change things -- what you don't see value in, is often someone else's treasure.



Another recent article on the topic of justifying security expenditure, or mostly assigning value made me an impression :



"So we came up with Value Protection," Larson says. "You spend time and capital on security so that you don't allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That's there. What we need to do now is quantify the value to the business of deploying those technologies." "It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric. For a while, people were just trying to create reasonable security, Schmitt says, "but now you need something more—something that proves the value, and that's what Bruce developed. Plus, as a secondary benefit, it's getting us better visibility from business owners and partners on risks and better ways to mitigate the risks."



Good point on first estimating the usefulness of current technologies, before applying the "latest", or "newest" ones. The rest comes to the good old flaws in the ROSI model, how would you be sure that it would be the $75,000 virus outbreak that will hit your organization, and not the $5000 one? "Return On Security Investment (ROSI) – A Practical Quantitative Model" emphasized on the challenges to blindly assigning the wrong value to a variable :



"The virus scanner appears to be worth the investment, but only because we’re assuming that the cost of a disaster is $25,000, that the scanner will catch 75% of the viruses and that the cost of the scanner is truly $25,000. In reality, none of these numbers are likely to be very accurate. What if three of the four viruses cost $5,000 in damages but one costs $85,000? The average cost is still $25,000. Which one of those four viruses is going to get past the scanner? If it’s a $5,000 one, the ROSI increases to nearly 300% – but if it’s the expensive one, the ROSI becomes negative!"



Among the first things to keep in mind while developing a risk management plan, is to identify the assets, identify the potential attackers, and find ways to measure the threat exposure and current threatscape as well. In a publication I wrote three years ago, "Building and Implementing a Successful Information Security Policy", that as a matter of fact I still find a quality and in-depth reading on the topic, I outlined some ideas on achieving the full effect of the abovementioned practices -- it's also nice to came across it given in assignments and discussed in lectures too. An excerpt on Risk Analysis :

"
As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality -- an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and most importantly, HOW you are going to protect it."



Identifying the threats and some current threats worth keeping in mind
- windows of opportunities/0day attacks
- lousy assets/vulnerability/patch management
- insecure end users' habits
- sneaky and sophisticated malicious software
- wireless/bluetooth information leakage
- removable media information leakage



How would you go for measuring the risk exposure and risk mitigated factor?



Risk exposure and risk mitigated are both interesting and hard to quantify, should we consider the whole population given we somehow manage to obtain fresh information on the current threats ( through the use of Early Warning System such as Symantec's DeepSight Analyzer, The Internet Storm Center, or iDefense's Intelligence services for instance). Today, it is often based on :



- the number of workstations and network assets divided by the historical occurrence of a particular security event on the network -- the use of mobile agents for the specifics of a company's infrastructure effects is hard sometimes


- on the historical TCO data related to typical breaches/security events



Risk mitigated is often tackled by the use of Best practices -- whether outdated or relevant is something else, Cyber Insurance and the current, sort of, scientifically justified ROSI model are everyday's practice, but knowing the inner workings of your organization and today's constantly changing threatscape and how it(if) affects you is a key practice while prioritizing expenditure. You cannot, and should not deal with all the insecurities facing your organization, instead consider prioritizing your security expenditure, not just following the daily headlines and vendor-released, short-term centered research.



It's hard to quantify intellectual property's value, the way it's hard to quantify TCO loses due to security breaches and it's perhaps the perfect moment to mention the initiative that I undertook in the beginning of this year - a 50/50 security/financial cross-functional team on coming up with a disruptive idea -- more on the current status soon, still, thanks for the time and efforts folks! To sum up, a nice quote by the authors of the research I mentioned : "Most of the problems stem from the fact that security doesn’t directly create anything tangible – rather it prevents loss. A loss that’s prevented is a loss that you probably won’t know about."



At the bottom line, are you making money out of having security, that is thinking business continuity, not contingency planning, and should we keep on trying to adapt financial concepts, and not rethinking them all?



Recommended reading/resources on the topic of justifying security expenditure :
Return on Information Security Investment
Risk - A Financial Overview
Calculated Risk - Guide to determining security ROI
The Return on Investment for Network Security
Analysis of Return on Investment for Information Security
Methodologies for Evaluating Information Security Investments
Risk Assessment for Security Economcis - very informative slides
Economics and Security Resource page
Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm
PKI and Financial Return on Investment
Privacy Breach Impact Calculator
Guide to Selecting Information Technology Security Products Continue reading →

Terrorist Social Network Analysis

In previous posts "Visualization, Intelligence and the Starlight project" and "Visualization in the Security and New Media world" I covered various security and intelligence related projects and mostly emphasized on the future potential of visualizing data. Data mining is still everyday's reality -- social networking as well. Just came across this at DefenseTech :



"It'd be one thing if the NSA's massive sweep of our phone records was actually helping catch terrorists. But what if it's not working at all? A leading practitioner of the kind of analysis the NSA is supposedly performing in this surveillance program says that "it's a waste of time, a waste of resources. And it lets the real terrorists run free." Re-reading the USA Today piece, one paragraph jumped out: This kind of data collection from phone companies is not uncommon; it's been done before, though never on this large a scale, the official said. The data are used for 'social network analysis,' the official said, meaning to study how terrorist networks contact each other and how they are tied together. So I called Valdis Krebs, who's considered by many to be the leading authority on social network analysis -- the art and science of finding the important connections in a seemingly-impenetrable mass of data. His analysis of the social network surrounding the 9/11 hijackers is a classic in the field."



It gets even more interesting with a comparison of a Fortune 500 company's network and Al Qaeda's one. Social networks are among the driving forces of Web 2.0, and I find the concept of communication and planning online a very realistic one. And if you really want to know more about social networks in the business world, corporate anthropologist Karen Stephenson - The Organization woman is really up to it, very good article. And of course, Valdis Kreb's blog on smart economic networks. Continue reading →

Travel Without Moving - Scratching the Floor

You don't really need a reconnaissance satellite to spot this, it's precisely the type of "sight" you can see for yourself on daily basis -- but he's still moving isn't he? :) Continue reading →

Pocket Anonymity

While the threats posed by improper use of removable media will continue to make headlines, here's a company that's offering the complete all-in-one pocket anonymity solution -- at least that's how they position it. From the article :



"Last month, a company called Stealth Ideas Inc. of Woodland Hills, Calif., came out with its StealthSurfer II ID Protect. The miniature flash drive lets you surf anonymously from any computer using an integrated browser that runs in an encrypted mode. It comes loaded with several tools, including Anonymizer Anonymous Surfing 1.540 (which has IP masking), RoboForm Pass2Go 6.5.9 (a user ID/password management application) and Thunderbird 1.0.7 (for e-mail access). But before you buy, check to see if the company has upgraded its browser, which, according to company officials at the product’s launch, is Firefox 1.5.0.1. US-CERT and others have warned about significant vulnerabilities in certain versions of Firefox (and Thunderbird, for that matter). The version available as of press time, Version 1.5.0.2, addresses those flaws."



Is the Anonymizer behind the idea, or is it a middleman trying to add value to the Anonymizer's existing offer, and harness the brand powers of Firefox and Hushmail all in one? Wise, but the entire idea of anonymity is based on the Anonymizer's service, when anonymity still can be freely achieved to a certain extend. Very portable idea, the thing is there are already free alternatives when it comes to pocket anonymity and that's TorPark: Anonymous browsing on a USB drive, and I think I can live without the enhancements. Continue reading →

Is Bin Laden Lacking a Point?

If I were to name the masters of PSYOPS, that would be terrorists, who without a super power's financial capabilities still manage to achieve the "media echo" effect they seem to be so good at. As you will eventually read in case you haven't though about it before, to me Al Jazeera always seems to be the launching platform given its strategic position in the region, and the rest of the world's media are the disseminators -- anything fresh and terrorism related increases raitings.



Yesterday, I came across to a translated version of Bin Laden's most recent "State of Jihad" speech April 23, 2006, and I feel blaming the "infidels" for whatever goes around the world, or taking anything against Islam personally, is a very weak point. From the article :



"One more time Al Jazeera pomotes an Usama Bin Laden speech. After airing portions of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on its web site. This was the longest version possible we were able to have access to. After careful reading, my assessment of the “piece” got reinforced: This is not just another audiotape or videotape of a renegade in some cave.


Regardless of who is the speaker and his whereabouts, the 30 minutes long read statement is a declaration, probably as important as the February 1998 declaration of war against America, the Crusaders and their allies. Imagine yourself as an Arab viewer: The speech was repeated endlessly throughout the day. Bin Laden didn't have his 20 minutes of shine, but 24 hours at least. The Bin Laden audiotape wasn't played one or two times but until every word was sinking deep in the minds of the attentive viewers. However the most powerful part of the speech wasn't restricted to its content: Al Jazeera lined up the best of its "experts on Islamist groups" to react instantly to the audiotape and throughout the day, and add "more details and substance."



At the bottom line, religion still remains the opium of the masses and an excuse for not taking care of your own destiny but expecting "someone else" to. Continue reading →

Pass the Scissors

Counterfeiting U.S currency is a profitable business given its stability and actual valuation, and so is money printing! It's just that sometimes there are too much legally printed money as well, and the Fed is raising the interest rates for the sixteenth time during the last two years -- which doesn't stop it from making a buck in between.


Did you know you could get Uncut Currency sheets "of fresh crisp new $1.00, $2.00, $5.00, $10.00 and $20.00 greenbacks right off the press will delight someone special in your life. They make an especially unique gift for that "hard-to-buy-for" person."


While I always joke that availability stands for temptation, that's a "process utilization" worth envying, but too much money available isn't always a good thing. Continue reading →

Snooping on Historical Click Streams

In a previous post "The Feds, Google, MSN's reaction, and how you got "bigbrothered"? I gave practical advices on how can easily do your homework on the popularity of certain search terms and sites, without the need of issuing a subpoena. The other day, AlltheWeb (Yahoo!) introduced their Livesearch feature, seems nice, still it basically clusters possible opportunities. Now the interesting part, on the next day Google launched Google Trends which is :



"builds on the idea behind the Google Zeitgeist, allowing you to sort through several years of Google search queries from around the world to get a general idea of everything from user preferences on ice-cream flavors to the relative popularity of politicians in their respective cities or countries."

This is what I've been waiting for quite some time, and you can easily make very good judgements on key topics based on regions, languages, even cities -- marketers get yourself down to business!



Antivirus, Malware, Spyware, NSA, Censorship, Privacy



What's next, the rise of MyWare and its integration on the Web? Give a try to Yahoo!'s Buzz, and PacketStormSecurity's instant StormWatch as well. Continue reading →

Wiretapping VoIP Order Questioned

There's been a lot of buzz recently on the FCC's order requiring all VoIP providers to begin compliance with CALEA in order to lawfully intercept VoIP communications by the middle of 2007 . Yesterday, a U.S judge seems to have challenged the order, from the article :



"The skepticism expressed so openly toward the administration's case encouraged civil liberties and education groups that argued that the U.S. is improperly applying telephone-era rules to a new generation of Internet services. "Your argument makes no sense,'' U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. ''When you go back to the office, have a big chuckle. I'm not missing this. This is ridiculous. Counsel!' The Justice Department, which has lobbied aggressively on the subject, warned in court papers that failure to expand the wiretap requirements to the fast-growing Internet phone industry ''could effectively provide a surveillance safe haven for criminals and terrorists who make use of new communications services.''



What's worth mentioning is that on a wide scale VoIP services are often banned in many countries, ISPs don't tend to tolerate the traffic which on the other hand directly bypasses their VoIP offers, and even China, one of the largest telecom market continues to have concerns about VoIP. Companies also seem to be revising their practices while trying to block Skype, among the most popular VoIP applications. Rather interesting, T-Mobile just announced that it would ban VoIP on its 3G network, but is it inability to achieve compliance or direct contradiction with their business practices?


Whatever the reason, VoIP communications aren't everyone's favorite, but represent a revolution in cheap, yet reliable communications. The more easily a network is made wiretap-ready, the easier for attackers in both, the short, and the long-term to abuse the backdoored idea itself, so don't. You can actually go through the 2005's Wiretap Report and figure out the cost of wiretapping, limiting it by promoting insecure networks isn't going to solve anything, given you actually know what you're looking for at the bottom line.



Image courtesy of EFF's "Monsters of Privacy" Animation.



Related resources :
VoIP, FCC, CALEA
Communications Assistance for Law Enforcement Act and Broadband Access and Services
Secure VoIP - Zfone
Sniffing VoIP Using Cain
Oreka VoIP Sniffer Continue reading →

The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking

I've once mentioned various privacy issues related to mobile devices, the growing trend of "assets tracking", and of course, cell phones tracking. Yesterday I came across to great summary of the current situation -- privacy groups make a point of it. From the article :



"Real-time tracking of cell phones is possible because mobile phones are constantly sending data to cell towers, which allows incoming calls to be routed correctly. The towers record the strength of the signal along with the side of the tower the signal is coming from. This allows the phone's position to be easily triangulated to within a few hundred yards. But the legal grounds for obtaining a tracking order is murky -- not surprising since technology often outpaces legislation. The panel agreed that Congress should write rules governing what level of suspicion cops need to have before tracking people through their cell phones."



While on the other hand, there's also an ongoing commercialization of the service by the industry itself, if the government were to start using practices like these with grey subpoenas, it would undermine the customers' trust in the industry and BigBrother is going to get even bigger. Enthusiasts are already experimenting with DIY cell phone tracking abilities, so if you worry about being tracked through your phone, you should also start worrying about having an extra one in your bag. Physical insecurities such as digital forensics on cell phones, even counter-offerings are today's reality, while flexible lawful wiretapping may still be taking one way or another -- I guess the NSA got all the attention recently, with their domestic spying program.



As the Mindmaker pointed out, we must assume that we are trackable wherever we go, but I think this dependence would get even more abused in the future by the time proposed laws match with the technology. Continue reading →

Shaping the Market for Security Vulnerabilities Through Exploit Derivatives

In a previous post "0bay - how realistic is the market for security vulnerabilities?" I gave a brief overview of the current market infomediaries and their position, listed various research I recommend you to go through, and speculated on an auction based market model.


During April, at the CanSecWest Security Conference "Groups argued over merits of flaw bounties" some quotes :

"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about a vulnerabilities ahead of time, but they are unwilling to pay for them." - Michael Sutton



"What I can give people who find vulnerabilities is a small amount of fame. iDefense can give them $10,000." - Darius Wiles



"As a civil rights issue, selling vulnerabilities is just fine. As a keeping-the-customers safe issue, it's junk." - Novell director of software engineering Crispin



"If I come to you and offer to sell you a vulnerability in your product, I am going to be cuffed and arrested," he told the representatives of software makers on the panel." - Matthew Murphy



And the discussion is reasonably pretty hot with a reason. Back in January Microsoft expressed their opinion on the informediaries based market model like :



"One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, a spokesperson for Microsoft, based in Redmond, Wash., said paying for flaws is not the best way to secure software products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the spokesperson said in a statement sent to eWEEK. "



and while Microsoft talks about responsible disclosure, that's exactly the type of model I don't really think exist anymore. Peter Mell made a good point that "I don't support this activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or product. It does not help security in the industry," Mell said in an interview with eWEEK." -- but it still offers the opportunity to bring order into the chaos doesn't it?



The WMF vulnerability apparently got purched for $4000 and I among the few scenarios that I mentioned were on vendors purchasing vulnerabilities and requested vulnerabilities, or a reverse model :



"requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?"



Coming across 0day vulnerabilities for sale, I also came across Rainer Boehme's great research on various market models, among them exploit derivatives. Have you ever though of using exploit derivatives, on the called "futures market"? I think the idea has lots of potential, and he described it as :



"Instead of trading sensitive vulnerability information directly, the market mechanism is build around contracts that pay out a defined sum in case of security events. For instance, consider a contract that pays its owner the sum of 100 EUR on say 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform."



The OS/Vendor/Product/Version/Deadline type of reverse model that I also mentioned is a good targeted concept if it were used by vendors for instance, and while it has potential to have a better control over the market, the lack of common and trusted body to take the responsibility to target Windows and Apple 50/50 for istance, still makes me think. The best part is how it would motivate researchers at the bottom line -- deadlines result in spontaneous creativity sometimes.

More on the topic of security vulnerabilities and commercializing the market, in a great article by Jennifer Granick (remember Michael Lynn's case?) she said that :



"I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others. Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem."



Who should be empowered at the bottom line, the informediaries centralizing the process, or the security researchers/vulnerability diggers starting to seek bids for their reseach efforts?

On the other hand, I think that the current market model suffers from a major weakness and that is the need for achieving faster liquidity if we can start talking about such.


Basically, sellers of vulnerabilities want to get their commissions as soon as possible, which is where the lucrative underground market easily develops. While I am aware of cases where insurers are already purchasing vulnerabilities to hedge risks until tomorrow I guess, anyone would put some effort into obtaining a critical MS vulnerability given a deadline and hefty reward, but who's gonna act as a social planner here? Continue reading →

The Current State of Web Application Worms

Remeber the most recent Yahoo! Mail's XSS vulnerabilities, or the MySpace worm? I just read through a well written summary on Web Application Worms by Jeremiah Grossman, from WhiteHat Security, "Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense", an excerpt :



"Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal--browsers that were also potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It’s critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users. Especially when the malware originates from trusted websites and aggressive authors. In this white paper we will provide an overview of XSS; define XSS worms; and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites."



It provides an overview of Cross-Site Scripting (XSS), Methods of Propagation, comments on the First XSS Worm, a worst case scenario, and of course protection methods, nice graphs and overview of this emerging trend. In my "Future Trends of Malware" research I indeed pointed out on its emergence :



"How would a malware author be able to harness the power of the trust established between, let’s say, ComScore’s top 10 sites and their visitors? Content spoofing is the where the danger comes from in my opinion, and obvious web application vulnerabilities, or any bugs whose malicious payload could be exposed to their audiences. In case you reckon, a nasty content spoofing on Yahoo!’s portal resulted in the following possibility for driving millions of people at a certain URL, if I don’t trust what I see on Yahoo.com or Google.com, why bother using the Net at all is a common mass attitude of course. Any web property attracting a relatively large number of visitors should be considered as a propagation vector, for both, malware authors, and others such as phishers, or botnet brokers for instance."



Monetizing mobile malware is among the other trends I also indicated, and the RedBrowser seems to be the most recent example of this as it randomly chooses a premium-rate number from the following list, and sends a SMS message generating revenue for the attacker : 08293538938, 08001738938, 08180238938, 08229238938, 08441238938, 08287038938, 08187938938, 08189038938, 08217838938, 08446838938.



I summarized the key points back than as :

"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the the issue, given the research already done by several vendors, would be a wise idea."



Among the first folks to discuss the topic of web application malware was Robert from CGISecurity.com in his "Anatomy of Web Application Worm" paper back in 2002, and with the easy and speed of discovering web application vulnerabilities in major portals it's up to the imagination of the attacker -- as the paper points out Samy only wanted to make 1 million friends, what if he wanted to do something else?



"Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense" also argues on Samy being the fastest worm, though single-packet UDP worms, according to a research on the "Top Speed of Flash Worm" by "Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line" rates.



Is it the speed or the size of the infected targeted group that matters, and what if Web 2.0 worms can achieve exactly the two of these?



More resources on the topic in case you are interested :
Web-based Malware & Honeypots - phpBB bots/worms
New MySpace XSS worm circulating
Description of a Yahoo! Mail XSS vulnerability
Evolution of Web-based worms
The Latest in Internet Attacks: Web Application Worms
Web Application Worms : Myth or Reality?
Analysis of Web Application Worms and Viruses
Paros - for web application security assessment Continue reading →

Travel Without Moving - Typhoon Class Submarines

In previous posts "Security quotes : a FSB (successor to the KGB) analyst on Google Earth", "Suri Pluma - a satellite image processing tool and visualizer", "The "threat" by Google Earth has just vanished in the air" I talked about various issues related to satellite imagery and security.


Moreover, I'm also actively covering various emerging Space Warfare issues, and with the recent speculation that the Okno ELINT complex in Tajikistan is becoming Russian and different "schools of thought", there's a lot to come for sure. Google Maps/Earth did not only restart the real estate industry, it made the world a smaller place, a more competitive one, and hopefully a safer one if security counts here.



As of today, I decided to start posting a weekly section, the "Travel Without Moving" series, presenting interesting and publicly obtained imagery of sights that somehow made me an impression. The other day I came across to a (perhaps scraped by now) Typhoon Class Submarines at GoogleSightseeing.com -- the largest and quietest types of submarines.



That's perhaps the perfect moment to mention the cool pictures of a Soviet Underground Submarine Base in the Nuclear Submarine Base that "Until the collapse of the Soviet Union in 1991 Balaklava was one of the most secret towns in Russia. 10km south eas of Sevastopol on the Black Sea Coast, this small town was the home to a Nuclear Submarine Base." Take a tour for yourself! Continue reading →

Biased Privacy Violation

This is a very interesting initiative, going beyond the usual MySpace's teen heaven privacy issues, but directly exposing the mature audience in a way I find as a totally biased one. Girls writing stories on men that supposedly chated on them. DontDateHimGirl.com aims to :



"DontDateHimGirl.com is an online resource for women who have shared the experience of dating a no-good man! Browse our search engine of alleged cheaters, liars and cads right now! This controversial site has been featured on MSNBC, the Today Show, ABC News, CNN and Entertainment Tonight! There is finally a way for women to check a guy out BEFORE dating, marrying or otherwise committing to him! Warn other women about the men who have cheated, lied or used you! Register and become a member today! You'll receive our free newsletter and other valuable goodies! It's fast, easy and best of all, it's free! You'll be doing your sisters around the world an invaluable service! Don't Date Him Girl!"



Basically stuff like, "post a cheating man", "search for a cheating man", or browse through the 3593 ones already "categorized" as cheaters with personal stories and photos whenever available. What I feel they shouldn't do, is aggregate that kind of community powered personal details for third-parties, and making it searchable. Some stories are pretty fun and average enough to make you think :



"Quite a charmer in the beginning, as all guys tend to be. Called me beautiful, gorgeous.. kissed my forehead.. He did all the right things. He could do no wrong. We "dated" for a good 6 months, and things seemed to be going good. He was the love of my life. Lots of firsts with him, then he did a total 180. He stopped calling and didn't respond to my phone calls and/or messages. I was so distraught. I thought I did something to fuck things up. "



Perhaps she did, didn't she?! Still, that's entirely between them given they actually respect each other.


Don't get me wrong, there are pathological polygamists, but what's next, Local Google Maps to pin point the cheating areas around town?



To balance the powers, and make it even worse there's even a DontDateHerMan.com coming along, but try not to bring your personal life stuff to such an end, or is it just me? :) Continue reading →