Hezbollah's use of Unmanned Aerial Vehicles - UAVs

September 06, 2006
According to the common wisdom, terrorists -- or let's just say contending political factions -- weren't supposed to be capable of owning and using unmanned aerial vehicles in armed conflicts, only of waging guerrilla warfare to balance the unequal forces in a conflict. It seems Hezbollah is indeed capable of owning and using UAVs, as Israel recently shot down yet another one:

"Israeli aircraft shot down an unmanned spy plane launched by the Lebanese guerrilla group Hizbollah as it entered Israeli territory on Monday, the Israeli army said. The drone was spotted by the air force's monitoring unit and fighter planes were scrambled to intercept it, an Israeli military spokesman said. The spokesman said a fighter plane shot the drone down 10 km (six miles) off Israel's coast, northwest of the city of Haifa. "The current assessment is that it was headed further south, we do not know exactly for what purpose," the spokesman said. An Israeli military source added that it was an Iranian-made drone with a range of about 150 km."

Go through the in-depth post at DefenseTech, and Eugene Miasnikov's report, Threat of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects, which:

"assesses the technical possibility of UAV use as a delivery means for terrorists. The analysis shows that such a threat does exist and that it will grow. The author also considers areas that require higher attention from government agencies. This report is also targeted at the Russian public. Terrorist activity can be prevented only through the coordinated efforts of the government and civil society. The government cannot efficiently fight terrorists without the active involvement of the population. The first step toward creating such an alliance is to recognize the threat and its potential consequences."

So what's next once reconnaissance is taken care of and timely intelligence gathered? UCAVs in the long term, of course. Nothing's impossible; the impossible just takes a little while!

HP Spying on Board of Directors' Phone Records

September 06, 2006
Whether out of healthy paranoia or because of a series of detailed leaks to the press on HP's long-term strategy, HP's chairwoman hired experts who obtained access to the home and cell phone call histories of its board of directors, suspecting possible insiders:

"Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors-not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones."

The case highlights that:
- Classification-program style protection is rarely used by companies trying to balance the trade-off between productivity and keeping the left hand from knowing what the right is doing when necessary -- remember, it's the HP Way and management by open spaces that made the company what it is today
- They didn't bother to disinform suspicious parties and decoy them, thus limiting the circle of "suspects"
- They didn't build transparency into the process, and that's just starting to make an impact
- It's short-sighted thinking on whether the information defined as leaked wasn't easy to construct from public sources, or whether the internal changes hadn't already been spotted by industry analysts
- They're about to lose their current talented HR, and those who were about to join HP. Soft HR dollars are at stake, as I can imagine what the fate of an HP blogger will be if that's how board members treat each other

Here's the article in question, and what provoked this to happen:

"According to the source, HP is considering making more acquisitions in the infrastructure software arena. Those acquisitions would include security software companies, storage software makers and software companies that serve the blade server market. The acquisitions would dovetail with HP's growth plans for its Technology Systems Group, which has already bought companies such as AppIQ for storage management. Hurd has previously said market trends indicate a movement away from mainframe computers and a shift to blade servers, as well as virtualized storage. HP is likely to follow those trends. Meanwhile, in HP's Imaging & Printing Group, the long-term plan to develop commercial printers is likely to continue. "We want to develop the next Heidelberg press," the source said. Of course, HP said basically the same thing back in 2002."

In a previous post, When Financial and Information Security Risks are Supposed to Intersect, I commented on Morgan Stanley's case of knowing who did what, and on the growing enforcement of security policies, with employees fired for violating them by forwarding sensitive information to home email accounts. But with the media trying to generate buzz while appearing objective by mentioning its "sources" and putting the emphasis on "inside company source", no wonder HP is thinking insiders, rather than talkative directors who, when asked whether the Sun comes up in the morning and goes down in the evening, would think twice before answering -- and question the question itself!

Privacy monster courtesy of the EFF.

Related resources and posts:
Espionage
Insider
Wiretapping
Surveillance
Smoking Emails
Insider Competition in the Defense Industry
Espionage Ghosts Busters

Benefits of Open Source Intelligence - OSINT

September 05, 2006
Surprisingly, Forbes, the homepage for the world's business leaders -- and wannabe ones -- has a well-written article on Open Source Intelligence you might find informative:

"How can we use this to reform intelligence? I suggest we create a national Open Source Agency. Half of the money earmarked for the agency would go toward traditional intelligence work. The other half would provide for 50 state-wide Citizen Intelligence Networks, including a 24/7 watch center, where citizens can both obtain and input information. We could establish new emergency intelligence phone numbers--think 119 instead of 911--allowing any housewife, cab driver or delivery boy to contribute to our national security. All they have to do is be alert, and if they see something, take a cell phone photograph and send it in with a text message. If three different people notice the same suspicious person taking photographs of a nuclear plant, for instance, it could be hugely important. The system could even evolve to automatically mobilize emergency workers or warn citizens. Imagine if after people alerted the network about a roadside car bomb, it automatically sent text messages to every phone in the immediate area, warning people to stay away."

Collective intelligence and the wisdom of crowds -- Web users were once supposed to virtually patrol the U.S. border -- are driving Web 2.0; trouble is, so is paranoia, and all paranoid people need is a platform to spread it further. The article, however, emphasises how educated citizens can be the best defense. The benefits of OSINT, according to the CIA themselves, are:

Speed: When a crisis erupts in some distant part of the globe, in an area where established intelligence assets are thin, intelligence analysts and policymakers alike will often turn first to the television set and Internet.

Quantity: There are far more bloggers, journalists, pundits, television reporters, and think-tankers in the world than there are case officers. While two or three of the latter may, with good agents, beat the legions of open reporters by their access to secrets, the odds are good that the composite bits of information assembled from the many can often approach, match, or even surpass the classified reporting of the few.

Quality: As noted above, duped intelligence officers at times produce reports based on newspaper clippings and agent fabrications. Such reports are inferior to open sources untainted by agent lies.

Clarity: An analyst or policymaker often finds even accurate HUMINT a problem. For example, when an officer of the CIA’s Directorate of Intelligence (DI), reads a report on a foreign leader based on “a source of unproven reliability,” or words to that effect, the dilemma is clear. Yet, the problem remains with a report from a “reliable source.” Who is that? The leader’s defense minister? The defense minister’s brother? The mistress of the defense minister’s brother’s cousin? The DI analyst will likely never know, for officers of the Directorate of Operations (DO) closely guard their sources and methods. This lack of clarity reportedly contributed, for example, to the Iraqi WMD debacle in 2002-03. The DO reportedly described a single source in various ways, which may have misled DI analysts into believing that they had a strong case built on multiple sources for the existence of Iraqi weapons of mass destruction. With open information, sources are often unclear. With secrets, they almost always are.

Ease of use: Secrets, hidden behind classifications, compartments, and special access programs, are difficult to share with policymakers and even fellow intelligence officers. All officials may read OSINT.

Cost: A reconnaissance satellite, developed, launched, and maintained at a cost of billions of dollars, can provide images of a weapons factory’s roof or a submarine’s hull. A foreign magazine, with an annual subscription cost of $100, may include photographs of that factory’s floor or that submarine’s interior.

Meanwhile, intelligence analysts are putting effort into sharing their data and data-mining the web and social networking sites, which is both cost-effective and can act as an early warning system for important events. Despite technological innovations, a blogger in an adversary's country can often unknowingly act as a HUMINT source of first-hand information -- looking for democracy-minded individuals breaking through regimes via malware is yet another possibility. Tracking down terrorist propaganda and communications on the Internet has already reached its current level of efficiency mainly because of the use of open source intelligence and web crawling of the known bad neighborhoods ever since 2001.

Related resources and posts:
Intelligence
OSINT
IP cloaking and competitive intelligence/disinformation
Terrorist Social Network Analysis

Stealth Satellites Developments Source Book

September 04, 2006
You can't hijack, intercept or hide from what you don't see or don't know is there, and stealthy satellites are going to get even more attention in the ongoing weaponization of space and the emerging space warfare arms race. Here's a huge compilation of articles and news items related to the development of stealthy satellites. An excerpt from an article within:

"The United States is building a new generation of spy satellites designed to orbit undetected, in a highly classified program that has provoked opposition in closed congressional sessions where lawmakers have questioned its necessity and rapidly escalating price, according to U.S. officials. The previously undisclosed effort has almost doubled in projected cost -- from $5 billion to nearly $9.5 billion, officials said. The National Reconnaissance Office, which manages spy satellite programs, has already spent hundreds of millions of dollars on the program, officials said. The stealth satellite, which would probably become the largest single-item expenditure in the $40 billion intelligence budget, is to be launched in the next five years and is meant to replace an existing stealth satellite, according to officials. Non-stealth satellites can be tracked and their orbits can be predicted, allowing countries to attempt to hide weapons or troop movements on the ground when they are overhead. Opponents of the new program, however, argue that the satellite is no longer a good match against today's adversaries: terrorists seeking small quantities of illicit weapons, or countries such as North Korea and Iran, which are believed to have placed their nuclear weapons programs underground and inside buildings specifically to avoid detection from spy satellites and aircraft."

Issues to keep in mind:
- pre-launch leaks in today's OSINT world
- synchronization of HUMINT, SIGINT and OSINT gathered data to avoid deception; some developments are right there under your nose
- amateur radio and satellite enthusiasts outwitting the stealthiness, as always happens
- win-win IMINT sharing between countries can often cover the full spectrum; dependability is of course an issue

Related resources and posts:
Defense
Satellite
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems
Open Source North Korean IMINT Reloaded

Zero Day Initiative Upcoming Zero Day Vulnerabilities

September 04, 2006
Details on a dozen "upcoming zero day vulnerabilities" are emerging from TippingPoint's Zero Day Initiative:

"Over the past year, the most resounding suggestion from our Zero Day Initiative researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities. The following is a list of vulnerabilities discovered by researchers enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor has been contacted on the specified date and while they work on a patch for these vulnerabilities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of public disclosure. A list of published advisories is also available."

Note the time from vulnerability report to patch for some vendors:

ZDI-CAN-041 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-042 -- Adobe -- High -- 2006.04.07, 144 days ago
ZDI-CAN-046 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-061 -- Microsoft -- High -- 2006.06.14, 76 days ago

Don't be in a hurry to blame the vendors: in between dealing with these zero day vulnerabilities, they're all providing patches for the emerging ones, namely those that get the highest publicity and make the headlines so actively that there's no other way but to dedicate product development time to quality assurance. Keep in mind that, even though vendors are still working on fixing these, TippingPoint's IPS customers are apparently protected -- they're aware of these exploits. Leaving aside the vendor dependability issue, and the fact that ZDI is indisputably turning into an HR-on-demand think-tank for vulnerability research, I discussed some of the issues regarding the possible motivations of the vulnerability infomediaries and what to keep in mind in a previous post:

- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that socially oriented, but still, it's an option

- ensuring the proactive security of its customers by notifying them first, and then the general public? That doesn't necessarily secure the Internet, and sort of provides the clientele with a false sense of security: what if a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells a 0day to a competitor? Would the vendor's IPS protect against a threat like that too?

- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?

- improving the company's client list through constant collaboration with leading vendors while communicating a vulnerability in their software products?

Diversify your infrastructure to minimize the damage from zero day outbreaks, ensure end users have only the privileges they need, do your homework, camouflage and implement early warning systems/decoys, and yes, keep track of your assets and ensure they're already protected from their known vulnerabilities. Responsible disclosure is the socially oriented approach; trouble is, the Internet itself is a capitalist society with basic market forces.

Related posts:

Was the WMF vulnerability purchased for $4000?!
0bay - how realistic is the market for security vulnerabilities?
Scientifically Predicting Software Vulnerabilities


Chinese Hackers Attacking U.S Department of Defense Networks

September 03, 2006
This may prove to be an informative forum, and I feel that the quality of the questions and the discussion facilitator's insights into the topic -- as a matter of fact, GCN has proven a reliable source on the topic -- will be my benchmark for a provocative many-to-many discussion.

Here are my questions:

- Despite the PRC's growing Internet population and military thinking that greatly emphasizes the pros of information/cyber warfare -- concepts copied from the U.S. combined with Sun Tzu's mode of thinking and attitude may indeed prove a dangerous combination -- I find it a more complex issue, as: "Let's not forget the use and abuse of island-hopping points fueling further tensions in key regions and abusing the momentum itself; physically locating a network device in the future IPv6 network space is of key interest to all parties." China's growing Internet population results in lots of already malware-infected hosts that could easily act as stepping stones for third parties.

My point: is it geopolitical tension engineering, or an active doctrine already being implemented?

- If it's indeed a Red Storm Rising, what's North Korea's place in the situation? Could it be North Korea engineering and impersonating China's cyber forces, thus helping the enemies of its enemies?

- How significant is the threat from the PRC's actual cyber warfare divisions, compared to utilizing the masses of script kiddies and promoting -- and not prosecuting -- hacking activities against foreign adversaries? Script kiddies pretending to be l33t, or cyber warfare divisions using retro techniques to disinform about the actual state of military preparedness? The rise of intellectual property theft worms that I discussed, especially Myfip, has been connected with the Titan Rain attacks on military networks, but this can so easily be engineered to point wherever you want it to:

"Myfip doesn't spread back out via the Simple Mail Transfer Protocol (SMTP). "There is no code in the worm to do this," the report said. "From certain key headers in the message, we can tell that the attachment was sent directly to [users]." One element that stands out is that Myfip e-mails always have one of two X-Mailer headers: X-Mailer: FoxMail 4.0 beta 2 [cn] and X-Mailer: FoxMail 3.11 Release [cn]. Also, it always uses the same MIME boundary tag: _NextPart_2rfkindysadvnqw3nerasdf. "These are signs of a frequently-seen Chinese spamtool…," the report said. Stewart said his team was easily able to trace the source of Myfip and its variants. "They barely make any effort to cover their tracks," he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the "document collector" hosts, are all based there, mostly in the Tianjin province."

- Where does the real threat come from exactly? Hackers reading unclassified but sensitive clerks' emails, thus exposing the network's design and gathering intelligence for the future "momentum", or the use of PSYOPS online? How is the second measured as a key foundation for a successful information warfare battle?

- Is it state-sponsored espionage and cyber warfare practices, or mainland hacktivists, perhaps even hired third-party guns?
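The two header indicators quoted in the Myfip excerpt above (the X-Mailer values and the fixed MIME boundary) can be turned into a simple mail-triage check. This is an added example in Python, not code from the report or from any product; the sample messages are constructed, and the executable-attachment check is my own addition beyond the quoted indicators.

```python
"""Triage of incoming mail against the Myfip header indicators quoted above.

Added example, not from the quoted report. Indicators: the two X-Mailer values
and the constant MIME boundary the excerpt describes. Sample messages are
constructed; the attachment check goes beyond the excerpt and is an assumption
about what a defender would also want flagged.
"""
from email import message_from_string

# The two X-Mailer header values and the fixed boundary quoted on the page.
MYFIP_XMAILERS = {"FoxMail 4.0 beta 2 [cn]", "FoxMail 3.11 Release [cn]"}
MYFIP_BOUNDARY = "_NextPart_2rfkindysadvnqw3nerasdf"
# Assumed extension list for the attachment check (not from the report).
EXEC_SUFFIXES = (".exe", ".pif", ".scr")


def myfip_indicators(raw_message: str) -> list:
    """Return the names of the Myfip indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    xmailer = (msg.get("X-Mailer") or "").strip()
    if xmailer in MYFIP_XMAILERS:
        hits.append("x-mailer")
    # get_boundary() reads the boundary parameter of the Content-Type header;
    # it returns None for single-part messages.
    if msg.get_boundary() == MYFIP_BOUNDARY:
        hits.append("mime-boundary")
    # Beyond the quoted indicators: note any executable attachment by name.
    if msg.is_multipart():
        for part in msg.walk():
            name = part.get_filename() or ""
            if name.lower().endswith(EXEC_SUFFIXES):
                hits.append("executable-attachment:" + name)
    return hits


def triage(raw_message: str) -> str:
    """Map indicator hits to a triage label: both header indicators means quarantine."""
    hits = myfip_indicators(raw_message)
    if "x-mailer" in hits and "mime-boundary" in hits:
        return "quarantine"
    if hits:
        return "review"
    return "clean"


# Constructed sample: carries both quoted indicators and an .exe attachment.
SAMPLE_SUSPECT = """\
From: sender@example.invalid
To: clerk@example.invalid
Subject: report
X-Mailer: FoxMail 4.0 beta 2 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_2rfkindysadvnqw3nerasdf"

--_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: text/plain

see attached
--_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"

MZ...
--_NextPart_2rfkindysadvnqw3nerasdf--
"""

# Constructed sample: ordinary multipart mail with a PDF attachment.
SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: clerk@example.invalid
Subject: agenda
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_01C6D1A3"

------=_NextPart_000_0012_01C6D1A3
Content-Type: text/plain

agenda attached
------=_NextPart_000_0012_01C6D1A3
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"

%PDF-1.4
------=_NextPart_000_0012_01C6D1A3--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw), myfip_indicators(raw))
```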

Image courtesy of Chinese hacktivists diversifying their attacks and causing more noise during the U.S/China cyber skirmish.

Related resources and posts:
Cyber Warfare
Information Warfare
Hacktivism Tensions - Israel vs Palestine Cyberwars
Cyber War Strategies and Tactics
Who's who in Cyber Warfare?

The Biggest Military Hacks of All Time

September 02, 2006
The biggest military hack of all time, the Pentagon hacker, the NASA hacker -- hold your breath, it's just more media hype or a traffic-acquisition headline strategy by the majority of online media sites. Who else are we missing? The NASA port scanner, the true walking case study in tweaking Nmap for subconscious espionage purposes, the CIA IRC junkies who managed to talk them into talking with "them", and Bozo the clown chased by the Thought Police for his intentions.

Great examples of buzz-generating, deadline-centered news articles you can always amuse yourself with, while feeling sorry for the lack of insightful perspectives nowadays -- I'm slowly compiling a list of the best of the best news items ever, so let there be fewer intergalactic security statements, and less flooding of web sites with Hezbollah data stories.

In case you've somehow missed Gary McKinnon's story, don't worry, you haven't missed anything spectacular, besides today's flood of reporters with claimed prehistoric IT security experience -- you must distinguish between a reporter, a journalist, and a barking dog, though. Perhaps the only objective action by an industry representative was the Sophos survey on Gary McKinnon. It would be much more credible to differentiate the severity of the hack depending on which military or government network was actually breached; don't just go where the wind blows, barely reporting -- where's YOUR opinion, if ANY?

Was it NSANet, the Joint Worldwide Intelligence Communications System (JWICS), the Secret Internet Protocol Router Network (SIPRNet), or the Unclassified but Sensitive Internet Protocol Router Network (NIPRNet) that was actually breached?

Moreover, were the following real-life examples a paintball game or something:

- Solar SunRise
"SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 February 1998. The attack pattern was indicative of a preparation for a follow-on attack on the DII. DoD unclassified networked computers were attacked using a well-known operating system vulnerability. The attackers followed the same attack profile: (a) probing to determine if the vulnerability exists, (b) exploiting the vulnerability, (c) implanting a program (sniffer) to gather data, and (d) returning later to retrieve the collected data."

- Dutch hackers during the Gulf War
"At least one penetrated system directly supported U.S. military operations in Operation Desert Storm prior to the Gulf War. They copied or altered unclassified data and changed software to permit future access. The hackers were also looking for information about nuclear weapons. Their activities were first disclosed by Dutch television when camera crews filmed a hacker tapping into what was said to be U.S. military test information."

- The Case Study: Rome Laboratory, Griffiss Air Force Base
"However, events really began in 1994, when the two young men broke into an Air Force installation known as Rome Labs, a facility at the now closed Griffiss Air Force Base, in New York. This break-in became the centerpiece of a Government Accounting Office report on network intrusions at the Department of Defense in 1996 and also constituted the meat of a report entitled "Security and Cyberspace" by Dan Gelber and Jim Christy, presented to the Senate Permanent Subcommittee on Investigations during hearings on hacker break-ins the same year. It is interesting to note that Christy, the Air Force Office of Special Investigations staffer/author of this report, was never at Rome while the break-ins were being monitored."

- Moonlight Maze
"It was claimed that these hackers had obtained large stores of data that might include classified naval codes and information on missile guidance systems, though it was not certain that any such information had in fact been compromised."

- Titan Rain
"Titan Rain hackers have gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA."

- Chinese hackers who supposedly downloaded 10 to 20 terabytes from the NIPRNet -- it's like "I love you from 1 to 50", and you?

From another perspective, the biggest military hack doesn't have to come from the outside, but from the inside, as soldiers are easily losing their USB sticks in the field. Breaching the SIPRNet from the outside would be a good example of a big military hack, but then again, insiders are always there to "take care".

If Gary McKinnon did the biggest military hack of all time, why do I still hear Bozo singing - ta ta tararata ta ta rara tata.

UPDATE:
Related posts you might also find informative: North Korea's Cyber Warfare Unit 121, Techno Imperialism and the Effect of Cyber Terrorism, Cyber War Strategies and Tactics; the rest you can Google. Surprised to come across the post at Meneame.net too.

The Walls and Lamps are Listening

September 02, 2006
And so are the hardware-implanted "covert operatives".

Cyber War Strategies and Tactics

August 28, 2006
Starting from the basic premise that "All warfare is based on deception", cyberspace offers an unprecedented amount of asymmetric power to those capable of using it. Cyber wars are often perceived as an innocent exchange of "virtual shots" between teenage defacement groups, whereas if one's willing to embrace the rough reality, hacktivism remains a sub-activity of cyberterrorism, and information warfare unites all these tactics.

Quality techno-thrillers often imply the notion of future warfare battles fought in the virtual realm instead of the actual spilling of blood and body parts -- death is just an upgrade. Coming back to today's hacktivism-dominated mainstream news space, you may find this paper, Cyberwar Strategy and Tactics - An Analysis of Cyber Goals, Strategies, Tactics, and Techniques, and the development of a Cyber War Playbook, informative reading:

"To create a cyberwar playbook, we must first understand the stratagem building blocks or possible moves that are available. It is important to note however that these stratagem building blocks in and of themselves are not strategic. Instead, it is the reasoned application of one or more stratagems in accomplishing higher-level goals that is strategic in nature. We thus need to understand the situations in which the stratagems should be applied and how. We can begin to predict and choose the most effective stratagem for a given situation as we become more experienced. Example stratagems include:

Fortify
Deceive
Stimulate
Condition
Dodge
Block
Skirt
Monitor

Stratagems may also have sub-stratagems. Examples are:

Deceive.Chaff, Deceive.Fakeout, Deceive.Conceal, Deceive.Feint, Deceive.Misinform
Block.Barricade, Block.Cutoff
Monitor.Eavesdrop, Monitor.Watch, Monitor.Follow

These stratagems are very high level and can be supported through many tactical means. Each building block defines a stratagem and contains one or more possible tactical implementations for that stratagem, including requirements, goals that may be satisfied using the stratagem, caveats, example uses, and possible countermeasures."

No matter the NCW doctrine, or UAVs intercepting or hijacking signals, "shock and awe" still dazzles the majority of the masses of "individuals" prone to being abused by cheap PSYOPS.

Related resources and posts:
Network Centric Warfare basics back in 1995
Information Warfare
Cyber Warfare
Who's Who in Cyber Warfare?
North Korea's Cyber Warfare Unit 121
Hacktivism Tensions - Israel vs Palestine Cyberwars
Achieving Information Warfare Dominance Back in 1962

Bed Time Reading - Spying on the Bomb

August 27, 2006
Continuing the Bed Time Reading series, and following a previous post on India's Espionage Leaks, this book is a great retrospective on U.S. nuclear intelligence from Nazi Germany to Iran and North Korea.

In-depth review with an emphasis on India's counterintelligence tactics:

"India's success in preventing U.S. spy satellites from seeing signs of the planned tests days to weeks in advance was matched by its success in preventing acquisition of other types of intelligence. India's Intelligence Bureau ran an aggressive counterintelligence program, and the CIA, despite a large station in New Delhi, was unable to recruit a single Indian with information about the Vajpayee government's nuclear plans. Instead, the deputy chief of the CIA station in New Delhi was expelled after a botched try at recruiting the chief of Indian counterintelligence operations. Former ambassador Frank Wisner recalled that `we didn't have... the humans who would have given us an insight into their intentions'." Ambassadors do not keep aloof from the CIA's work, evidently. Their denials are false.

NSA's eavesdropping activities did not detect test preparations. "It's a tough problem," one nuclear intelligence expert told investigative journalist Seymour Hersh. India's nuclear weapons establishment would communicate via encrypted digital messages relayed via small dishes through satellites, using a system known as VSAT (very small aperture terminal), "a two-way version of the system used by satellite television companies". Good show. At the end of the day, Americans admitted that even if they had been better informed, they could not have prevented Pokhran II just as they could not deter Pakistan from staging its tests at Chagai."

Was the USSR's tactic of helping the enemies of their enemies, thus ruining the nuclear-club monopoly by making the A-bomb a public secret, the smartest or dumbest thing they ever did? Monopolies are bad by default, but balance is precious, as the "rush must always be tempered with wisdom". How about a nice game of chess instead?

Related resources and posts:
Nuclear
Who needs nuclear weapons anymore?
North Korea's Strategic Developments and Financial Operations
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems

Steganography and Cyber Terrorism Communications

August 26, 2006
Following my previous post on Cyber Terrorism Communications and Propaganda, I'm continuing to summarize interesting findings on the topic. The use of encryption to ensure the confidentiality of a communication, be it by criminals or terrorists taking advantage of the speed and cheapness of Internet communications, is often assumed to be the default mode of communication. I feel that it's steganographic communication in all its variety that's playing a crucial role in terrorist communications. It's never been about the lack of publicly or even commercially available steganographic tools, but about the ability to know where and what to look for. Here's a brief comment on a rather hard to intercept communication tool -- SSSS, Shamir's Secret Sharing Scheme:

"No other medium can provide better speed, connectivity, and most importantly anonymity, given it’s achieved and understood, and it often is. Plain encryption might seem the obvious answer, but to me it’s steganography, having the potential to fully hide within legitimate (at least looking) data flow. Another possibility is the use of secret sharing schemes. A bit of a relevant tool that can be fully utilized by any group of people wanting to ensure their authenticity and perhaps everyone’s pulse, is SSSS - Shamir's Secret Sharing Scheme. And no, I’m not giving tips, just shedding light on the potential in here! The way botnets of malware can use public forums to get commands, in this very same fashion, terrorists could easily hide sensitive communications by mixing it with huge amounts of public data, while still keeping it secret."
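To make concrete what the Shamir's Secret Sharing Scheme named above actually does, here is a minimal (t, n) threshold implementation. This is an added example in Python, not code from the ssss tool or from the original post; it works over the prime field GF(p) with p = 2^521 - 1 (a Mersenne prime, chosen so a 256-bit key fits), and the key it splits is a constructed value. The defensive use shown is the usual one: splitting a key among custodians so that any t of them can recover it and fewer learn nothing.

```python
"""Shamir's (t, n) secret sharing over GF(p), p = 2**521 - 1.

Added example, not the ssss tool's code. Splitting: the secret is the constant
term of a random degree t-1 polynomial; share i is the point (i, f(i)).
Recovery: Lagrange interpolation of any t shares at x = 0. Fewer than t shares
leave every secret value equally likely.
"""
import secrets

PRIME = 2**521 - 1  # Mersenne prime; secrets must be smaller than this


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret: int, threshold: int, shares: int) -> list:
    """Split `secret` into `shares` points (x, y); any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Constant term is the secret; the other t-1 coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover(points: list) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given (x, y) points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key: bytes, threshold: int, shares: int) -> list:
    """Convenience wrapper: share a byte-string key (up to 65 bytes for this PRIME)."""
    return split(int.from_bytes(key, "big"), threshold, shares)


def recover_key(points: list, length: int) -> bytes:
    """Inverse of split_key: rebuild the key bytes from `threshold` or more shares."""
    return recover(points).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed 32-byte key shared 3-of-5 among five custodians.
    key = bytes(range(32))
    shares = split_key(key, 3, 5)
    assert recover_key([shares[0], shares[2], shares[4]], 32) == key
    print("3-of-5 recovery ok; 2 shares give:", recover(shares[:2]) == int.from_bytes(key, "big"))
```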

Intelligence officials and analysts are often confronted with a difficult choice: should they actively scan the entire public Internet, or single partitions of the known chaos, namely the majority of Islamic/Jihadi related web sites? Trouble is, it's a heck of a short-sighted approach, and way too logical a one to actually provide results. Moreover, in all the fuss about terrorists using steganography, or even encryption, to communicate, the majority of experts -- shooting in the dark -- have totally neglected the very concept of disinformation. To be honest, I'm a little surprised at the lack of it: picture the media buzz over a recently found map of a key region and encoded messages embedded in a public image, continue with public institutions raising threat levels and vendors taking advantage of this "marketing window", when in between, someone gained access to a third party's E-identity and used it to creatively communicate the real message.

It's a public secret that the majority of the Terrorist Training Manuals already obtained on the Web give instructions on primitive, but IT-centered, approaches to anonymity such as encryption, the use of proxies, and yes, steganography as well. Yet another public secret: these very same training manuals are actual copies of unclassified and publicly obtainable Intelligence, Military and Security research documents. Here's a chapter on Secret Writing and Ciphers and Codes. Primitive, but still acting as an indicator of the trend.

The most comprehensive scan of USENET for steganography was conducted back in 2001, primarily because of the post-9/11 debate on the use of steganography by terrorists. Surprisingly, the experiment didn't find a single hidden message -- after a dictionary-based attack on the JSteg and JPHide positive images, of course:

"After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis. A detailed description of the detection framework can be found in Detecting Steganographic Content on the Internet. This page provides details about the analysis of one million images from the Internet Archive's USENET archive. Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS."
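The statistical check behind the "20,000 suspicious images" step above is the pairs-of-values chi-square test, the test stegdetect uses for JSteg-style sequential LSB embedding in JPEG coefficients. The following is an added example and not code from the original post or from stegdetect: it runs that test over constructed byte samples, untouched and after random bits have been written into their LSBs, and also shows that in a partially filled carrier only the embedded prefix tests positive (the sample data, seeds and function names are this example's own assumptions).

```python
import math
import random
from collections import Counter

def make_cover(n, seed=1):
    """Constructed cover: 8-bit samples whose even/odd value pairs are
    deliberately unbalanced (about 7:3), the imbalance the test relies on."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + int(rng.random() < 0.3) for _ in range(n)]

def random_bits(n, seed=7):
    """Constructed payload: uniformly random bits, as an encrypted message looks."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]

def embed_lsb_sequential(samples, bits):
    """Sequential LSB replacement as JSteg-style tools do it: bit i overwrites
    the least significant bit of sample i."""
    out = list(samples)
    for i, bit in enumerate(bits[:len(out)]):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return out

def _gamma_p_series(a, x):
    """Regularized lower incomplete gamma P(a, x) by series (x < a + 1)."""
    term = total = 1.0 / a
    ap = a
    for _ in range(1000):
        ap += 1.0
        term *= x / ap
        total += term
        if abs(term) < abs(total) * 1e-15:
            break
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))

def _gamma_q_cf(a, x):
    """Regularized upper incomplete gamma Q(a, x), Lentz continued fraction
    (x >= a + 1)."""
    tiny = 1e-300
    b = x + 1.0 - a
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return math.exp(-x + a * math.log(x) - math.lgamma(a)) * h

def chi2_sf(stat, df):
    """Chi-square survival function P(X > stat) with df degrees of freedom."""
    a, x = df / 2.0, stat / 2.0
    if x <= 0.0:
        return 1.0
    return 1.0 - _gamma_p_series(a, x) if x < a + 1.0 else _gamma_q_cf(a, x)

def chi_square_attack(samples):
    """Westfeld-Pfitzmann pairs-of-values test. For each pair (2k, 2k+1) the
    expected count, if random bits were embedded, is the pair's mean. Returns
    (statistic, degrees of freedom, p): p near 1 means the pairs are as
    equalised as LSB embedding leaves them, p near 0 means the cover's
    natural imbalance is still there."""
    counts = Counter(samples)
    stat, categories = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = counts.get(even, 0), counts.get(even + 1, 0)
        expected = (n_even + n_odd) / 2.0
        if expected == 0.0:
            continue  # empty pair carries no information
        categories += 1
        stat += (n_even - expected) ** 2 / expected
    if categories < 2:
        return 0.0, 0, 1.0
    return stat, categories - 1, chi2_sf(stat, categories - 1)
```

Running the test on successively longer prefixes of a carrier is how the embedded length is estimated: the p-value stays near 1 until the prefix runs past the end of the payload and then collapses.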

Concerns about the invaluable sample:
- Used primarily USENET as a possible source for images
- Excluded music and multimedia files, as well as TCP/IP covert communication channels, which are hard to detect while in transmission -- information can indeed move at the speed of an error message
- Cannot scan the Dark Web, the one closed behind common crawler-blocking techniques or simple authentication
- Cannot scan what's not public, namely malware-infected hosts, entire communication platforms hosted on a defaced web server somewhere, or temporary communication dead boxes -- and while talking about such, free web space providers can provide interesting information, given you know where and what to look for, as always

The bottom line is that if someone really wants to embed something into commodity data such as a video, picture or MP3 file, they will. Generating more noise when there's already enough of it is, on the other hand, a smart approach that I feel is getting abused all the time. How to deal with the problem? Ensure your ECHELON approaches are capable of detecting the patterns of the majority of public/commercial steganography tools. And according to public sources, that already seems to be the case:

"R2051 Steganography Decryption by Distributive Network Attack. Develop a distributive network analysis application that can detect, identify, and decrypt steganography in multiple types of files, including commonly used audio, video and graphic file formats. The application must quickly and accurately detect and identify files containing steganography and extract the hidden messages and data from the file. Decryption of any messages or data encoded before the use of a steganography program is not required. The system must allow for easy, low-cost, frequent updating to counter new emerging programs. It must detect, extract, and decrypt messages in any file that has used any currently commercially available steganography programs as well as commonly encountered non-commercial programs. These would include, but are not limited to, the following: Covert.tcp; dc-Steganograph; EzStego; FFEncode; Gzsteg; Hide 4 PGP; Hide and Seek 4.1; Hide and Seek 5.0; Hide and Seek for Windows 95; jpeg-jsteg; Paranoid, Paranoid1.1.hqx.gz; PGE - Pretty Good Envelope; PGPn123; S-Tools: S-Tools 1.0 (Italy, Finland); S-Tools 2.0 (Italy, Finland); S-Tools 3.0 (Italy, Finland); S-Tools 4.0 (Italy, Finland); Scytale; Snow; Stealth, Stealth 2.01; Steganos 1.4; Steganos for Windows 95 and upgrade 1.0a; Stego by John Walker; Stego by Romana Machado; Stegodos; Texto; wbStego; WitnesSoft; and WINSTORM"

The rest is making sense out of the noise and OSINT approaches for locating the "bad neighborhoods".

Figure courtesy of Bauer 2002 at the FBI's Overview of Steganography for the Computer Forensics Examiner.

Microsoft's OneCare Penetration Pricing Strategy

August 26, 2006
In a previous post, Microsoft in the Information Security Market, I commented on Microsoft's most recent move into the information security market, and the anti-virus market segment. Moreover, several months earlier I pointed out 5 things Microsoft can do to secure the Internet and why it wouldn't, namely,

- Think twice before reinventing the security industry
- Become accountable, first to itself, then to its stakeholders
- Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities
- Introduce an internal security oriented culture, or better utilize its workforce in respect to security
- Rethink its position in the security vulnerabilities market

Recently, the much hyped debate on whether Microsoft's Anti Virus would take a piece of the anti virus market seems to have finally materialized with the help of basic pricing strategies:

"Helped by low pricing, Microsoft's Windows Live OneCare landed the number two spot in sales at US stores in its debut month, according to The NPD Group. The antivirus and PC care package nabbed 15.4 per cent of security suite sales at retailers such as Best Buy and Amazon.com, according to NPD's data. The average price was $29.67, well below Microsoft's list price of $49.95. Online at Amazon.com, OneCare is available for only $19.99."

Ya-hoo? Not so fast, since stats like these exclude the hundreds of licensing deals, co-branding, ISP affiliations and resellership positions, as well as ready-shipped PCs bundling software from the rest of the vendors:

"Symantec noted that NPD covers retail sales only, and does not include consumer sales through internet service providers and PC makers, for example. "We just had a record June quarter in consumer sales," said Mike Plante, a marketing director at the company. "You can't really draw market share conclusions from the NPD data alone, particularly with just a month of data.""

I wonder what Microsoft's strategy would consist of by the time their offering reaches the growth stage and starts maturing, perhaps bargaining by offering software discounts and one-stop-shop services. I once pointed out another anti virus market statistics concern, namely Panda Software's -- a private company, no SEC or stockholders to bother about -- stated earnings right next to those of the rest of the publicly traded companies. My point is that if Gartner wanted to offer a better grasp of this vibrant market segment, they'd better have used F-Secure, which is a publicly traded anti virus vendor, as it would greatly improve an analyst's confidence in the provided data, wouldn't it?

Penetration pricing is all about gaining market share, and Microsoft's case reminds me of how RealNetworks were ready to lose cents on each and every song sold through their digital music service, in order to offer, at least temporarily, a competitive alternative to iTunes.

Security cannot be bought, though a false sense of security can. Whereas risk exposure and risk mitigation define a scientific approach going beyond visionary security management, it's arguable which one dominates, as marketing and branding often do the job -- if (true) advertising does its job, millions of people keep theirs. Case in point: Symantec, which currently has the largest market share -- greatly depending on the geographical area and the number of anti virus products included -- is indeed the market leader, but that doesn't necessarily mean it offers the "leading" product. Quite the opposite: it offers the most popular, available one, the one that usually comes with Norton's powerful and well known brand.

Why wouldn't Microsoft want to license Kaspersky's, F-Secure's or Symantec's technology, for instance? Because that would have been like the Chinese growth syndrome, so to speak. The Chinese economy is shifting from being a source of raw materials to an actual manufacturer, a bit of vertical integration given you have something to offer the market at a particular moment in time, and then start counting the new millionaires. The higher the proportion of the business machine you own, the greater the profits at the end of the quarter, and with key regions across the world still getting online, malware is only going to get more attention from both sides of the front.

From a business point of view, you can twist a user's actual wants so successfully that you make it almost impossible to remember what was needed in the first place -- long live the sales forces! It is often arguable whether anti virus software has turned into a commodity the way media players did, but for the end user -- the one with plenty of bandwidth available -- price and availability speak for themselves. Contrary to some recent comments on why the most popular anti virus products don't work, supposedly because malware authors test their "releases" against these products, they actually test against all anti virus products, the way pretty much everyone in the know tests suspicious files or evaluates vendors' response times.

Don't be surprised if next time you buy a cheeseburger, the dude starts explaining the basics of zero day protection and offers you a ZIP-based discount, if any, on an anti virus solution -- with up to three licenses for your wired family. Co-branding, licensing and industry outsiders are on the lookout for fresh revenues, and with malware representing the most popular threat as well as the most popular security "solution" bought, stay tuned for a McDonald's Anti Virus "on-the-go". Hopefully one using licensed technology from a vendor with experience and vision.

Related posts:
Look who's gonna cash for evaluating the maliciousness of the Web
Spotting valuable investments in the information security market
Valuing Security and Prioritizing Your Expenditures
Budget Allocation Myopia and Prioritizing Your Expenditures

Futuristic Warfare Technologies

August 26, 2006
The future of warfare, at least the near future, will definitely have to do with technologies and convergence. Some logical developments, such as remote sensing intercontinental UAVs, autonomous warfare, remotely controlled forces, network centric warfare, and higher reliance on AI probability and decision-making scenarios, are just warming up the major innovations we're about to witness -- whether defensive or offensive is an entirely different topic. In the very long term though, nano warfare, robot wars and cyber wars reaching the level of VR warfare are among the fully realistic scenarios. Very informative slides on Future Strategic Issues/Future Warfare [Circa 2025], and here are some key points that made an impression on me:

Technological Ages of Humankind
- Hunter/Killer groups [Million BC - 10K BC]
- Agriculture [10K BC - 1800 AD]
- Industrial [1800-1950]
- IT [1950-2020]
- Bio/NANO [2020?]
- Virtual

The developments
- Chem/bio Antifunctionals/Anti fauna
- Binary agents distributed via imported products (Vitamins, Clothing, Food)
- Blast Wave Accelerator - global precision strike "On the Cheap"
- Bio/Chem/Molec./Nano Computing
- Ubiquitous Optical Comms
- Micro/Nano/Ubiquitous Sensors
- BioWeaponry
- Volumetric weaponry
- Cyber/Artificial Life (Beyond AI) -?
- Transoceanic UUVs, UAVs -- Boeing's X-45 series
- Spherical Submarines to deal with the acoustics issue

To sum up, the best warriors win their battles without waging war -- or at least not against themselves.

Face Recognition At Home

August 26, 2006
In a previous post, Biased Privacy Violation, I mentioned two web sites, DontDateHimGirl.com and DontDateHerMan.com, and the associated privacy implications. I just came across MyHeritage.com, whose face recognition feature works remarkably well -- for relatives and everyone in between, varying with the sample.

"Recognizing faces is done by algorithms that compare the faces in your photo, with all faces previously known to MyHeritage Face Recognition, through photos and meta-data contributed by yourself and other users. So the more photos added to the system, the more powerful it becomes. If people in your photos are not recognized well, it is likely that MyHeritage.com has never encountered them before. By adding these photos to MyHeritage.com and annotating the people in the photo manually, MyHeritage.com will "learn" these faces and will be able to recognize them in future photos, even in different ages of the same person's life. Note: the algorithms used by MyHeritage Face Recognition are likely to find relatives of people in your photo, due to the genetic-based facial similarities that exist between relatives. You can use this to form connections between people whom you never even knew were related."

Face recognition @home just got a boost, and so did the obvious privacy implications of the ever-growing family database and its natural abuse by interested (third) parties.

Cyber Terrorism Communications and Propaganda

August 22, 2006
Further expanding the previous discussion on Tracking Down Internet Terrorist Propaganda and the patterns of Arabic Extremist Group Forum Messages' Characteristics, there have also been some recent developments on Hezbollah's never-ending use of U.S hosting companies as a media/communication/fund raising/recruitment/propaganda platform:

"Hezbollah used the Broadwing Communications fiber-optic network to deliver its Al-Manar web site to the world last week after finding a weakness in a Broadwing customer's connection. When that happened, Hezbollah television's web site was suddenly hosted, of all places, in Texas. When Broadwing discovered what had happened, they cut the T1 connection to their customer until the customer resolved the problems on its end, and the Al-Manar site disappeared back into the ether—only to pop up a few hours later on a server in India. Hezbollah's tactics are laid out in a brief Time article that also discusses the people trying to shut Hezbollah down. And it's not the people you might think. Those in the war and security business are no doubt involved, but some of the work is done by amateurs, as well. Volunteers from the Society for Internet Research track jihadi websites and tactics across the Internet, then alert domain registrars and web hosting companies to the presence of potentially illegal material on their servers."

Al Manar TV has long been known for delivering Hezbollah's PSYOPS by constantly relocating its stream, but information warfare capable enemies seem to be able to hijack the signal, as recently happened. Moreover, according to Haganah's most recent Table of American Internet Service Providers of Hezbollah -- detailed analyses -- Register.com remains a popular choice.

Cyber terrorism is a complex and often misunderstood term that originally emerged as a direct effect of Techno Imperialism sentiments and, of course, the balancing power of the Internet when it comes to cyber warfare capabilities. In another great piece of research, Cyber Terrorism: A Study of the Extent of Coverage in Computer Security Textbooks, the author summarized the most commonly encountered Cyber Terrorism categories and keywords, and discussed the different explanations of the term. As for Cyber terrorism, the first issue that comes to the mind of the average expert is SCADA systems, whose IP based connectivity remains a growing concern for the governments utilizing them. Which is exactly the least issue to worry about: today's Cyber terrorism is still maturing, while tomorrow's Cyber terrorism will be taking advantage of cyber warfare capabilities on demand, or through direct recruitment/blackmailing of individuals capable of delivering them. Here's a neat table representing the maturity/evolution of Cyber terrorism.

For the time being, propaganda and recruitment are the most indirect and popular practices, whereas the concept itself is truly maturing, thus becoming even more evident. Thankfully, various researchers are already actively combining AI and web crawling approaches in analyzing the presence of terrorists on the web -- and here's a good starting point.

Related resources and posts:
Cyber Terrorism
Hacktivism
Information Warfare
Cyberterrorism - don't stereotype and it's there!
Cyberterrorism - recent developments
The Current, Emerging, and Future State of Hacktivism
Terrorist Social Network Analysis
Hacktivism Tensions - Israel vs Palestine Cyberwars

Virus Outbreak Response Time

August 22, 2006
In previous posts I discussed various trends related to malware families, and mentioned CipherTrust's Real Time PC Zombie Statistics. You might also be interested in IronPort's Virus Outbreak Response Times for the last 24 hours, which currently tracks IronPort themselves, Sophos, Trend Micro, Symantec, and McAfee. Although vendor bias often exists, let's just say that self-serving statements can easily be verified by doing a little research on your own -- it doesn't cost a fortune to run a geographically diverse honeyfarm. However, what bothers me is the vendors' constant claims about exchanging malware samples for the sake of keeping the E in front of E-Commerce, whereas response time "achievements" often get converted into marketing benchmarks to be achieved. Protecting against known malware is far more complex than it seems, and it is often arguable whether zero day malware or known malware has the highest impact when infecting both corporate and home PCs. Basically you have powerful end users getting themselves infected with months-old malware and later on collectively becoming capable of causing damage on a network that's already aiming at achieving the proactive protection level. Ironic, isn't it? If detailed statistics truly matter, VirusTotal has the potential to dominate the analyst community without bias.

Response times used to matter once; now it's all up to proactive protection approaches and, of course, revenue generation from both sides. Moreover, sometimes even a signature based approach doesn't work, especially when it comes to packet based or web application based malware. Avoid the signatures hype and start rethinking the concept of malware on demand, open source malware, and the growing trend of malicious software disabling an anti virus scanner, or its ability to actually obtain the latest signatures available.

The bottom line is that achieving ROSI when it comes to malware false positives is yet another growing concern for the majority of enterprises wisely spending their security dollars.

U.S Air Force on MySpace

August 22, 2006
Seems like the U.S Air Force is joining MySpace:

"The Air Force profile will show users five video clips that the Recruiting Service says gives them “a behind-the-scenes look at the extraordinary things airmen accomplish every day,” according to a press release. Users will be able to view longer videos of airmen as they fly jets, call in air strikes, navigate satellites and jump out of airplanes, the service said. They also can vote on which commercial will kick off the Air Force’s new “Do Something Amazing” advertising campaign, scheduled for Sept. 18 during the FOX network’s “Prison Break” television show."

It's like using a Yahoo Group mailing list to break the ice and keep it teen-friendly. Now teens all over the U.S know which buddy to avoid. I'm sure privacy advocates will pick this up shortly, given "someone" isn't already data mining MySpace profiles for targeted propositions -- of course they are.

North Korea's Strategic Developments and Financial Operations

August 20, 2006
Catching up with the latest developments in the hottest -- at least from a national security point of view -- zone in Asia. North Korea seems to be taking external provocations rather seriously and, fearing the collapse of its regime, is actively working on developing its nuclear test sites, with disinformation in between for sure. According to a recent article at Reuters, North Korea may be preparing a nuclear bomb test:

"ABC reported the activity at the suspected test site included the unloading of large reels of cable outside an underground facility called Pungyee-yok in northeast North Korea. It said cables can be used in nuclear testing to connect an underground test site to outside observation equipment. The intelligence was brought to the attention of the White House last week, the report said. Fears about North Korea's nuclear ambitions were exacerbated when Pyongyang defied international warnings and fired seven missiles into waters east of the Korean peninsula on July 5."

Excluding an opinionated Weapons of Mass Deception expert's interest in developments like these, speculation remains a powerful driving force for everyone involved. Consider a basic principle in life: it is often assumed that gathering together a bunch of handicapped people is the best solution for their "fragile" situation, compared to actually trying to integrate rather than isolate them. I find the same issue to be the cornerstone when dealing with countries purposely isolating themselves, thus limiting international accountability and ensuring the continuity of their twisted reality.

Meanwhile, the U.S is actively working on closing down North Korean bank accounts and worsening its relations with major financial institutions worldwide, in response to which North Korea is diversifying and opening accounts at 23 banks in 10 countries:

"North Korea has opened accounts at 23 banks in 10 countries following the U.S. imposition of financial sanctions on a bank in Macau last year, a Japanese newspaper reported Saturday. The Sankei Shimbun said on its Web site the 10 countries include Vietnam, Mongolia and Russia, quoting sources familiar with North Korean affairs. In September, the United States banned all American financial institutions from transacting with a Macau-based bank, Banco Delta Asia, accusing it of aiding North Korea in circulation of counterfeit U.S. dollars allegedly printed in the communist state. The U.S. also confirmed last month that the Bank of China, a major Chinese lender, had frozen all of its North Korean accounts suspected of being connected with the North's alleged counterfeiting activities."

And while China is realizing its growing economic potential, thus complying with such efforts as well, helping the enemies of your enemies still remains a fashionable concept in the silent war.

Related resources and posts:
Satellite Imagery of Pre-Launch and Post-Launch at the Taepodong Launch Facility and Affected Vegetation
A-Bomb North Korean Propaganda
North Korea - Turn On the Lights, Please
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems
Open Source North Korean IMINT Reloaded
North Korea's Cyber Warfare Unit 121

On the Insecurities of Sun Tanning

August 19, 2006
You definitely don't need a CISSP certificate to blog on this one; just make sure you don't forget that there should be a limit on everything, even hugs on the beach.

AOL's Search Queries Data Mined

August 16, 2006
While one of AOL's searchers was publicly identified, enthusiasts are tweaking and randomly scrolling through the then leaked, now publicly available search query data. Here's someone that's neatly data mining it and providing a relevant summary of the top result sites and the top keywords. SEO Sleuth:

"was created out of the recently released AOL search data. Welcome to the AOL Keyword Analyser. This tool provides insights that have never before been publicly available on the web. I claim: First tool on the web as far as I know that allows you to view what keywords people searched for in search engines. First time you can see how much organic traffic each site gets from a search engine. First opportunity the public can see how many clicks individual SERPs get."

Surprising results, speaking for the quality of the audience by themselves. Meanwhile, the EFF is naturally taking action.

Related posts:
Data mining, terrorism and security
Shots From the Wild - Terrorism Information Awareness Program Demo Portal