Vulnerabilities in Emergency SMS Broadcasting

September 13, 2006
There's been a recent test of an emergency cell phone alert in the Netherlands -- the original article was here -- and while broadcasting supposedly reaches the largest number of people in the surrounding area, timing and countless other factors also matter:

"Cell phones throughout a downtown hotel beeped simultaneously Tuesday with an alert: there is a suspicious package in the building. It was a drill, run by Dutch authorities testing an emergency "cell broadcasting" system that sends a text message to every mobile phone in a defined area. Representatives from 21 national governments, New York City and the U.S. Federal Emergency Management Agency, or FEMA, watched the signal go out to cell phones throughout the Sofitel hotel in Amsterdam. About half the people in the building then followed instructions and evacuated. "We want to see what worked and what didn't," said David Webb, of FEMA's Urban Search and Rescue Program. "The EU (European Union) is really leading the way with this technology.""

What if:

- Even if key emergency personnel were to use a separate communication network, radio for instance, broadcasting to anyone who accepts could result in significant delays, and even though the message is sent, that doesn't mean it would take advantage of the momentum

- cell phone jammers, often used by hotels to preserve the atmosphere and keep conference meetings undisturbed, can prove contradictory here, leaving aside whether the parties supposedly plotting the attack use one themselves

- despite the fact that one in five will pick up their mobile during sex, how many obsessively check for newly arrived SMS messages?

- how would a tourist know how to authenticate the local authorities in the first place? "In case of emergency, watch out for an SMS from 010101" -- now I assume you know how easily I can SMS you from the same number and impersonate it

- what should the user mostly be aware of: mobile malware, SMSishing, or "call this 0900 number or else I won't tell you where the attack is" type messages?

- from a multilingual point of view, will it be using English by default, and how many would still be enjoying their meals while everyone else is leaving?

Great idea, but it may prove challenging to evaluate the actual results in a timely manner. Sent doesn't mean received, read on time, or even acted upon.

Recommended reading:
SMS disaster alert and warning systems - don't do it !
Revisiting SMS during Disasters
Concept Paper on Emergency Communications during Natural Disasters
Exploiting Open Functionality in SMS- Capable Cellular Networks
The Role of Mobiles in Disasters and Emergencies

Testing Intrusion Prevention Systems

September 13, 2006
Informative test results for various IPSs such as the Juniper IDP 200, Cisco IPS 4240, eSoft ThreatWall 200, ForeScout ActiveScout 100 and McAfee IntruShield 2700.

Here's how they tested:

"In order to create a base environment in which to compare the different appliances, we set up a single system within our test network to be the target of Core Impact’s simulated attacks. We chose a system running the most vulnerable operating system we could think of—Windows 2000 Service Pack 2 with no additional service packs or security updates. We temporarily opened the channels on the test network’s firewall and installed Core Impact on a system outside the network. We then proceeded to detect and “attack” the Windows 2000 system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 85 of the most applicable. Knowing how our target system was vulnerable and the attacks we could launch against it, we connected each IPS in turn according to its recommended configuration. We then allowed each IPS to function in a real-world network environment for a day or more. Eventually we rebooted the Windows 2000 machine and ran Core Impact to simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran the tests one more time. The result was a complete picture of how effective each IPS was at preventing attacks—both out of the box and after fine-tuning. The good news is, we were able to tweak each IPS to completely shut down the Core Impact attacks."

There are, however, hidden costs related to IPSs: increased maintenance and reconfiguration time, and a possible decline in productivity. The key is understanding the pros and cons of your solution, educating the mass of users, and, as far as host-based IPSs are concerned, starting with departmental rather than company-wide enforcement. A network-based IPS's sensitivity is proportional to the level of false alerts generated, so figure out how to balance and adapt the solution to your network.

"Suspicious system behaviour" is an open-ended term to the majority of end users; keep that in mind whatever you do when dealing with HIPS. And do your homework, of course.


Google Anti-Phishing Black and White Lists

September 13, 2006
Can the world's most effective search engine keep questionable sites out of its users' search results? It seems its toolbar users are warned about such sites as well. Google certainly has the widest and most recent snapshot of the Web to draw conclusions from, and it seems that starting from the basics of keeping a black list and a white list of questionable sites/URLs is still under consideration. Googling Google sometimes proves handy, and you can stumble upon interesting findings such as Google's black list -- cached version -- and white lists of phishing and possibly fraudulent sites -- a cached version of the white list is still available, as are the white domains.

As I often say, the host trying to 6667 its way out of the network today will be the one sending phishing and spam mails tomorrow. So, in order to verify, I took a random blacklisted host such as http://219.255.134.12/fdic.gov/index.html.html and decided to first test it at TrustedSource, and of course at SORBS, to logically figure out that the host has indeed been:

"Spam Sending Trojan or Proxy attempted to send mail from/to from= to="

What's ruining the effect of black and white lists? With today's modular malware -- and DIY phishing toolkits -- the list of IPs currently hosting phishing sites can become a time-consuming effort to keep track of; namely, black lists can sometimes be rendered useless given how malware-infected hosts increasingly act as spamming, phishing, and botnet-participating ones -- if ISPs were given the incentives or obliged to take common-sense approaches to dealing with malware-infected hosts, it would make a difference. As far as the white lists are concerned, XSS vulnerabilities on the majority of top domains and browser-specific vulnerabilities make their impact, but most of all, it's a far more complex issue than black and white only.

Another recent and free initiative I came across is the Real-Time Phishing Sites Monitor, which may prove useful to everyone interested in syndicating their findings.

Third-party anti-phishing toolbars, as well as anti-phishing features built into popular toolbars, are not a panacea for dealing with phishing attacks. A combination of them and user awareness, and thus a less gullible user, is the way.

Visualizing Enron's Email Communications

September 12, 2006
In a previous post, "There You Go With Your Financial Performance Transparency", I mentioned the release of Enron's email communications between 2000 and 2002 -- mind you, by Enron's ex-risk management provider. Continuing the series of resourceful posts on visualizing terrorists, intelligence data sharing, security and new media, here's Jeffrey Heer's visual data mining of a sample of Enron's email communications:

"Using the Enron e-mail archive as a motivating dataset, we are attempting the marriage of visual and algorithmic analyses of e-mail archives within an exploratory data analysis environment. The intent is to leverage the characteristic strengths of both man and machine for unearthing insight. Below are a few sketches from a preliminary exploration into the design space of such tools."

And here's how he visualized the social network, an invaluable "big picture".

Secret CIA Prisons

September 11, 2006
It's official: there are indeed (publicly) secret CIA prisons, and a public commitment towards improvement:

"All suspects will now be treated under new guidelines issued by the Pentagon on Wednesday, which bring all military detainees under the protection of the Geneva Convention. The move marks a reversal in policy for the Pentagon, which previously argued that many detainees were unlawful combatants who did not qualify for such protections. The new guidelines forbid all torture, the use of dogs to intimidate prisoners, water boarding - the practice of submerging prisoners in water - any kind of sexual humiliation, and many other interrogation techniques."

I assume operating such facilities in the Twilight Zone is flexible from an interrogation point of view; what makes me wonder, though, is how justified the kidnappings of alleged terrorists by recruiting local intelligence agents are. Guess a guy I had a heated discussion with the other night was right: no more Russian-style skirmishes in guerilla warfare, the adversary leaders just disappear and no one, not even their own forces, ever hears anything of them -- spooky special forces stealing the hive's queen.

In case you're also interested in the DoD's New Detainee Interrogation Policy, it's already available at the FAS's blog, plus "biographies" of 14 detainees.

However, there's one thing the entire synthetic community would always be thankful to the CIA for, and that's LSD, a proven "ice breaker" over the decades.

Graph courtesy of Spiegel.de

NSA's Terrorist Records Database

September 11, 2006
Right on time! Inside sources -- this is a creative spoof -- at the NSA have finally coordinated their intelligence sharing efforts with the Patriot Search, and came up with a public database giving you the opportunity to look up your entire neighborhood for suspicious relations with the Middle East.

What's the bottom line? Keep your friends close, your intelligence buddies closer!

Interested in Anti-Terror tips? Follow these:

- Use email software with strong encryption to prevent terrorists from reading your email
- Encrypt the files on your computer using strong encryption such as PGP to prevent terrorists from accessing your files
- Browse the web using an anonymous proxy to prevent terrorists from seeing what sites you visit
- Insist that electronic voting machines provide you with a traceable paper receipt so you can ensure that terrorists haven't altered the electronic ballot
- Report all behavior, especially if it is suspicious

The Freedom Tower - 11th September 2006

September 11, 2006
That's of course how it's going to look in 2012 -- true leaders never look into the past; they're too busy defining the future. Time goes fast when you're busy and always up to something -- disruption! I still clearly remember the moment 9/11 happened and realize how much I've changed since then. Mixed thoughts started buzzing around my mind, the type of thoughts Cryptome's Daily Photos smartly emphasises. Anyway, someone or something always has to be either the result, the consequence, or the foundation for the next stage. I'll leave it open to interpretation what interacts with what:

Cold War <=> Defense/Intelligence spending/Innovation <=> Post 9/11 World
Terrorist <=> Ideology <=> War
Foreign policy <=> Terrorism <=> Geopolitical dominance
Terrorism <=> OSINT <=> Intelligence
Civil Liberties <=> Terrorism <=> Surveillance
Poverty <=> G8 <=> Developed world
Space exploration budget cuts <=> Terrorism <=> Alternative energy sources development
Paranoia <=> Terrorism <=> Security services/products market growth

I can keep going, but that's not the point. The point is how globalisation is acting as a double-edged sword, and so is paranoia; still, keep in mind that there are a million other ways to get killed compared to a terrorist attack.

There've always been and will always be "bad guys", "good guys", and "greyhat guys" -- barking dogs, of course -- the trouble is knowing whom to trust at a particular moment in time. I can easily argue that during the past five years, all the "bad guys" had to do was go through the press and come up with "future long-term strategies" perceptual enough to shock and awe "the infidels". My point is that OSINT is also a double-edged sword, useful and dangerous to both parties. As far as the infidels are concerned, I'm not one -- I believe in myself!

Underestimating an adversary is much worse than overestimating it; just stop using terrorism as the excuse for everything you do, or are about to do, which is as subjective as China's economy taking over the world -- something neither the "bad guys" nor China would do.

Related posts:
Terrorism
Data mining, terrorism and security
Terrorist Social Network Analysis
Benefits of Open Source Intelligence - OSINT
Visualization, Intelligence and the Starlight project
Cyber terrorism - don't stereotype and it's there!
Cyber terrorism - recent developments
Arabic Extremist Group Forum Messages' Characteristics
Tracking Down Internet Terrorist Propaganda
Cyber Terrorism Communications and Propaganda
Steganography and Cyber Terrorism Communications

A Study on The Value of Mobile Location Privacy

September 08, 2006
Right in between Flickr's introduction of geotagging, the term stalkerazzi got its necessary attention; then again, it entirely depends on you to evolve as a Web 2.0 user and add more value to the ongoing folksonomy, or to realize the possible privacy implications.

Yesterday, Danezis, Cvrcek, Matyas and Kumpost released an interesting study on The Value of Location Privacy:

"This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment."

While there are indeed privacy issues related to mobile devices, in the age of malware authors purchasing commercial IP geolocation services to get a better grasp of their infected population, and Google's growing concern over the use of networks such as Tor mimicking possibly malicious behavior, you should ask yourself what it is that you're trying to achieve, anonymity or privacy preservation online, and go for it without feeling like a hostage.

Email Spam Harvesting Statistics

September 08, 2006
Web application email harvesting has always represented an untapped threat, and it's not the basics of parsing or web application vulnerabilities I have in mind, but the contacts already stored, in transit, and saved by infected people and their (insecure) platforms.

Malware is already averaging 1 piece per 600 social networking pages, which isn't surprising and is largely proportional to the rise of web application vulnerabilities. Compared to personal data security breaches, capable of providing the freshest and most recent emails of the parties involved and thus resetting a spammer's activity lifecycle, web email harvesting is still a rather common event.

Thankfully, there are already scaled initiatives such as the Distributed Spam Harvester Tracking Network making an impact:

"Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.

To participate in Project Honey Pot, webmasters need only install the Project Honey Pot software somewhere on their website. We handle the rest — automatically distributing addresses and receiving the mail they generate. As a result, we anticipate installing Project Honey Pot should not increase the traffic or load to your website."

Some current project statistics:
- Spam Trap Addresses Monitored - 1,354,582
- Total Spam Received - 1,464,090
- Total Spam Servers Identified - 499,310
- IPs Monitored - 611,368
- Total Harvesters Identified - 10,653
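The time-and-IP tagging described in the quote above, worked through as an added example. This is not Project Honey Pot's own code: the base32 encoding, the truncated HMAC tag, the trap domain, the secret and the sample mailbox are all assumptions constructed for this illustration.

```python
"""Spam-trap addresses tagged with the harvest time and the harvester's IP,
after the mechanism Project Honey Pot describes. Added example, not Project
Honey Pot's own code: the encoding, the HMAC tag, the trap domain and the
sample mailbox below are all constructed assumptions."""
import base64
import binascii
import hashlib
import hmac
import struct
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Tuple

SECRET = b"constructed-demo-secret"  # assumption: per-site key, kept server-side
TRAP_DOMAIN = "traps.example.net"    # assumption: domain whose mail lands in the trap
TAG_LEN = 6                          # bytes of HMAC kept in the address (48 bits)


def make_trap_address(visitor_ip: str, harvested_at: int, secret: bytes = SECRET) -> str:
    """Build a unique trap address for one page view.

    The local-part carries the visit time (4-byte big-endian epoch seconds) and
    the visitor's IPv4/IPv6 address, plus a truncated HMAC so that a spammer
    cannot forge an address that attributes the harvest to someone else.
    """
    payload = struct.pack("!I", harvested_at) + ip_address(visitor_ip).packed
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    # Base32 keeps the local-part case-insensitive and free of '@' or '.'
    local = base64.b32encode(payload + tag).decode("ascii").rstrip("=").lower()
    return f"{local}@{TRAP_DOMAIN}"


def decode_trap_address(address: str, secret: bytes = SECRET) -> Optional[Dict[str, object]]:
    """Recover harvest time and harvester IP from a trap address.

    Returns None if the address is not ours, is malformed, or fails the HMAC
    check, so mistyped or forged addresses are never attributed to anyone.
    """
    local, _, domain = address.strip().lower().partition("@")
    if domain != TRAP_DOMAIN or not local:
        return None
    try:
        # re-add the '=' padding stripped at encoding time
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except (binascii.Error, ValueError):
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    try:
        harvested_at = struct.unpack("!I", payload[:4])[0]
        harvester_ip = str(ip_address(payload[4:]))  # accepts 4 or 16 raw bytes
    except (struct.error, ValueError):
        return None
    return {"harvested_at": harvested_at, "harvester_ip": harvester_ip}


def attribute_spam(received: Iterable[Tuple[str, str]],
                   secret: bytes = SECRET) -> Dict[str, List[Dict[str, object]]]:
    """Map each harvester IP to the spam its harvested addresses later attracted.

    `received` holds (To: address, IP that delivered the spam) pairs taken from
    the trap mailbox. Mail to addresses that fail decoding is ignored.
    """
    by_harvester: Dict[str, List[Dict[str, object]]] = {}
    for to_addr, spam_src in received:
        info = decode_trap_address(to_addr, secret)
        if info is None:
            continue
        by_harvester.setdefault(str(info["harvester_ip"]), []).append(
            {"harvested_at": info["harvested_at"], "spam_from": spam_src})
    return by_harvester


if __name__ == "__main__":
    # Constructed sample: two crawler visits, then spam arriving at the traps,
    # plus one message to a made-up local-part that must be ignored.
    trap_a = make_trap_address("198.51.100.7", 1158000000)
    trap_b = make_trap_address("2001:db8::1234", 1158003600)
    mailbox = [(trap_a, "203.0.113.9"), (trap_b, "203.0.113.9"),
               ("forged@" + TRAP_DOMAIN, "203.0.113.77")]
    for harvester, hits in attribute_spam(mailbox).items():
        print(harvester, hits)
```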

Donate an MX record, or get yourself an account and start contributing. On the other hand, the host that's web crawling for fresh emails today will definitely match the one found in a phishing email at a later stage -- the growing transparency and the pressure put on spammers inevitably result in the Ecosystem I mentioned in my Malware - Future Trends research.

Related posts:
The Beauty of the Surrealistic Spam Art
Real-Time PC Zombie Statistics
The current state of IP spoofing
Dealing with Spam - The O'Reilly.com Way

Benchmarking and Optimising Malware

September 08, 2006
With the growth and diversity of today's malware, performance criteria for malicious code are reasonably neglected as a topic of interest, but that shouldn't be the case, as "the enemy you know is better than the enemy you don't know". As information warfare and malware often intersect for the purpose of balancing asymmetric forces, or conducting espionage, there are already research initiatives for multi-platform, multi-communication-environment code.
José M. Fernandez and Pierre-Marc Bureau constructively build awareness of how "the best is yet to come" in their research on Optimising Malware:

"In this paper, we address and defend the commonly shared point of view that the worst is very much yet to come. We introduce an aim-oriented performance theory for malware and malware attacks, within which we identify some of the performance criteria for measuring their “goodness” with respect to some of the typical objectives for which they are currently used. We also use the OODA-loop model, a well known paradigm of command and control borrowed from military doctrine, as a tool for organising (and reasoning about) the behavioural characteristics of malware and orchestrated attacks using it. We then identify and discuss particular areas of malware design and deployment strategy in which very little development has been seen in the past, and that are likely sources of increased future malware threats. Finally, we discuss how standard optimisation techniques could be applied to malware design, in order to allow even moderately equipped malicious actors to quickly converge towards optimal malware attack strategies and tools fine-tuned for the current Internet."

They've distinguished the following generic and specific aim-oriented performance criteria:

Generic
- Number of hosts
- Persistence
- Anonymity

Fraud
- Money
- Credibility

Information theft
- Penetration
- Stealth
- Amount of information
- Host location

Access sale
- Upstream bandwidth
- Security

Destruction
- Propagation
- Upstream bandwidth
- Host location
- Damage

Information Warfare
- Speed
- Host Location
- Damage
- Exposure

Taking into consideration the OODA loop concept -- Observation, Orientation, Decision, Action -- these characteristics will definitely improve with time.

Related resources and recent posts:
Malware
Virus Outbreak Response Time
Malware Bot Families - Technology and Trends
Malware Statistics on Social Networking Sites

Google Hacking for Cryptographic Secrets

September 07, 2006
Interesting perspective, and for sure it could prove handy on a nation-wide scale. The concept of googling for private keys has been around for quite a while, and here's an informative paper emphasising how Google can Reveal Cryptographic Secrets, taking the topic even further:

"Google hacking is a term to describe the search queries that find out security and privacy flaws. Finding vulnerable servers and web applications, server fingerprinting, accessing to admin and user login pages and revealing username-passwords are all possible in Google with a single click. Google can also reveal secrets of cryptography applications, i.e., clear text and hashed passwords, secret and private keys, encrypted messages, signed messages etc. In this paper, advanced search techniques in Google and the search queries that reveal cryptographic secrets are explained with examples in details."

Comments on: Hashed passwords, Secret Keys, Public Keys, Private Keys, Encrypted Files, Signed Messages -- external comments on packed binary patterns, malware functions, and the malware search engine itself.

Google is not the root of the problem, although at least theoretically malicious web crawling is indeed possible. It seems patterns come in useful to both sides of the front -- and everyone in between.

Hezbollah's use of Unmanned Aerial Vehicles - UAVs

September 06, 2006
According to the common wisdom, terrorists -- or let's just say contradictory political factions -- weren't supposed to be capable of owning or using unmanned aerial vehicles in war conflicts, but only able to wage guerilla warfare, thus balancing the unequal forces in a conflict. It seems Hezbollah are indeed capable of owning and using UAVs, as Israel recently shot down yet another one:

"Israeli aircraft shot down an unmanned spy plane launched by the Lebanese guerrilla group Hizbollah as it entered Israeli territory on Monday, the Israeli army said. The drone was spotted by the air force's monitoring unit and fighter planes were scrambled to intercept it, an Israeli military spokesman said. The spokesman said a fighter plane shot the drone down 10 km (six miles) off Israel's coast, northwest of the city of Haifa. "The current assessment is that it was headed further south, we do not know exactly for what purpose," the spokesman said. An Israeli military source added that it was an Iranian-made drone with a range of about 150 km."

Go through an in-depth post at DefenseTech, and Eugene Miasnikov's report on Threat of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects, which:

"assesses the technical possibility of UAV use as a delivery means for terrorists. The analysis shows that such a threat does exist and that it will grow. The author also considers areas that require higher attention from government agencies. This report is also targeted at the Russian public. Terrorist activity can be prevented only through the coordinated efforts of the government and civil society. The government cannot efficiently fight terrorists without the active involvement of the population. The first step toward creating such an alliance is to recognize the threat and its potential consequences."

So what's next once reconnaissance is taken care of and timely intelligence gathered? UCAVs in the long term, of course. Nothing's impossible; the impossible just takes a little while!

HP Spying on Board of Directors' Phone Records

September 06, 2006
Whether a healthy paranoia, or a series of detailed leaks to the press on HP's future long-term strategy, it prompted HP's chairwoman to hire experts who obtained access to the call histories of its board of directors' home and cell phones, suspecting insiders:

"Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors-not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones."

The case highlights that:
- Classification programs as a type of protection are rarely utilized by companies aiming to balance the trade-off of achieving productivity while keeping the left hand from knowing what the right is doing when necessary -- remember it's the HP way and the management by open spaces that made the company what it is today
- They didn't bother to disinform suspicious parties and decoy them, thus limiting the circle of "suspects"
- They didn't build transparency into the process, and that's just starting to make an impact
- It's short-sighted thinking on whether the information defined as leaked wasn't easy to construct from public sources, or whether the internal changes weren't already spotted by industry analysts
- They're about to lose their current talented HR, and the talent that was about to join HP. Soft HR dollars are at stake, as I can imagine what the fate of an HP blogger will be if that's how board members treat each other

Here's the article in question, and what provoked this to happen:

"According to the source, HP is considering making more acquisitions in the infrastructure software arena. Those acquisitions would include security software companies, storage software makers and software companies that serve the blade server market. The acquisitions would dovetail with HP's growth plans for its Technology Systems Group, which has already bought companies such as AppIQ for storage management. Hurd has previously said market trends indicate a movement away from mainframe computers and a shift to blade servers, as well as virtualized storage. HP is likely to follow those trends. Meanwhile, in HP's Imaging & Printing Group, the long-term plan to develop commercial printers is likely to continue. "We want to develop the next Heidelberg press," the source said. Of course, HP said basically the same thing back in 2002."

In a previous post, When Financial and Information Security Risks are Supposed to Intersect, I commented on Morgan Stanley's case of knowing who did what, and the growing enforcement of security policies, thus firing employees who violate them by forwarding sensitive information to home email accounts. But with the media trying to generate buzz while keeping it objective by mentioning their "sources" and putting the emphasis on "inside company source", no wonder HP is thinking of insiders, rather than talkative directors who, when asked whether the Sun comes up in the morning and goes down in the evening, would think twice before answering -- and question the question itself!

Privacy monster courtesy of the EFF.

Related resources and posts:
Espionage
Insider
Wiretapping
Surveillance
Smoking Emails
Insider Competition in the Defense Industry
Espionage Ghosts Busters

Benefits of Open Source Intelligence - OSINT

September 05, 2006
Surprisingly, Forbes, the homepage for the world's business leaders -- and wannabe ones -- has a well-written article on Open Source Intelligence you might find informative:

"How can we use this to reform intelligence? I suggest we create a national Open Source Agency. Half of the money earmarked for the agency would go toward traditional intelligence work. The other half would provide for 50 state-wide Citizen Intelligence Networks, including a 24/7 watch center, where citizens can both obtain and input information. We could establish new emergency intelligence phone numbers--think 119 instead of 911--allowing any housewife, cab driver or delivery boy to contribute to our national security. All they have to do is be alert, and if they see something, take a cell phone photograph and send it in with a text message. If three different people notice the same suspicious person taking photographs of a nuclear plant, for instance, it could be hugely important. The system could even evolve to automatically mobilize emergency workers or warn citizens. Imagine if after people alerted the network about a roadside car bomb, it automatically sent text messages to every phone in the immediate area, warning people to stay away."

Collective intelligence, the wisdom of crowds -- Web users were once supposed to virtually patrol the U.S. border -- all of it is driving Web 2.0; the trouble is that so is paranoia, and all paranoid people need is a platform to spread it further, but the article emphasises how educated citizens can be the best defense. The benefits of OSINT, according to the CIA themselves, are:

Speed: When a crisis erupts in some distant part of the globe, in an area where established intelligence assets are thin, intelligence analysts and policymakers alike will often turn first to the television set and Internet.

Quantity: There are far more bloggers, journalists, pundits, television reporters, and think-tankers in the world than there are case officers. While two or three of the latter may, with good agents, beat the legions of open reporters by their access to secrets, the odds are good that the composite bits of information assembled from the many can often approach, match, or even surpass the classified reporting of the few.

Quality: As noted above, duped intelligence officers at times produce reports based on newspaper clippings and agent fabrications. Such reports are inferior to open sources untainted by agent lies.

Clarity: An analyst or policymaker often finds even accurate HUMINT a problem. For example, when an officer of the CIA’s Directorate of Intelligence (DI), reads a report on a foreign leader based on “a source of unproven reliability,” or words to that effect, the dilemma is clear. Yet, the problem remains with a report from a “reliable source.” Who is that? The leader’s defense minister? The defense minister’s brother? The mistress of the defense minister’s brother’s cousin? The DI analyst will likely never know, for officers of the Directorate of Operations (DO) closely guard their sources and methods. This lack of clarity reportedly contributed, for example, to the Iraqi WMD debacle in 2002-03. The DO reportedly described a single source in various ways, which may have misled DI analysts into believing that they had a strong case built on multiple sources for the existence of Iraqi weapons of mass destruction. With open information, sources are often unclear. With secrets, they almost always are.

Ease of use: Secrets, hidden behind classifications, compartments, and special access programs, are difficult to share with policymakers and even fellow intelligence officers. All officials may read OSINT.

Cost: A reconnaissance satellite, developed, launched, and maintained at a cost of billions of dollars, can provide images of a weapons factory’s roof or a submarine’s hull. A foreign magazine, with an annual subscription cost of $100, may include photographs of that factory’s floor or that submarine’s interior.

Meanwhile, intelligence analysts are putting effort into sharing their data and data mining the web and social networking sites, which is both cost-effective and can act as an early warning system for important events. Despite technological innovations, a blogger in an adversary's country can often unknowingly act as a HUMINT source of first-hand information -- looking for democracy-minded individuals breaking through regimes via malware is yet another possibility. Tracking down terrorist propaganda and communications on the Internet has already reached an efficient level, mainly because of the use of open source intelligence and web crawling of the known bad neighborhoods ever since 2001.

Related resources and posts:
Intelligence
OSINT
IP cloaking and competitive intelligence/disinformation
Terrorist Social Network Analysis

Stealth Satellites Developments Source Book

September 04, 2006
You can't hijack, intercept or hide from what you don't see or don't know is there, and stealthy satellites are going to get even more attention in the ongoing weaponization of space and the emerging space warfare arms race. Here's a huge compilation of articles and news items related to the development of stealthy satellites. An excerpt from an article within:

"The United States is building a new generation of spy satellites designed to orbit undetected, in a highly classified program that has provoked opposition in closed congressional sessions where lawmakers have questioned its necessity and rapidly escalating price, according to U.S. officials. The previously undisclosed effort has almost doubled in projected cost -- from $5 billion to nearly $9.5 billion, officials said. The National Reconnaissance Office, which manages spy satellite programs, has already spent hundreds of millions of dollars on the program, officials said. The stealth satellite, which would probably become the largest single-item expenditure in the $40 billion intelligence budget, is to be launched in the next five years and is meant to replace an existing stealth satellite, according to officials. Non-stealth satellites can be tracked and their orbits can be predicted, allowing countries to attempt to hide weapons or troop movements on the ground when they are overhead. Opponents of the new program, however, argue that the satellite is no longer a good match against today's adversaries: terrorists seeking small quantities of illicit weapons, or countries such as North Korea and Iran, which are believed to have placed their nuclear weapons programs underground and inside buildings specifically to avoid detection from spy satellites and aircraft."

Issues to keep in mind:
- a pre-launch leak in today's OSINT world
- synchronization with HUMINT-, SIGINT- and OSINT-gathered data to avoid deception; some developments are right there under your nose
- amateur radio and satellite enthusiasts outwitting the stealthiness, as always happens
- win-win IMINT sharing between countries can often cover the full spectrum; dependability is of course an issue

Related resources and posts:
Defense
Satellite
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems
Open Source North Korean IMINT Reloaded

Zero Day Initiative Upcoming Zero Day Vulnerabilities

September 04, 2006
Details on a dozen "upcoming zero day vulnerabilities" are emerging from TippingPoint's Zero Day Initiative:

"Over the past year, the most resounding suggestion from our Zero Day Initiative researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities. The following is a list of vulnerabilities discovered by researchers enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor has been contacted on the specified date and while they work on a patch for these vulnerabilities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of public disclosure. A list of published advisories is also available."

Note the time from vulnerability report to patch for some vendors:

ZDI-CAN-041 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-042 -- Adobe -- High -- 2006.04.07, 144 days ago
ZDI-CAN-046 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-061 -- Microsoft -- High -- 2006.06.14, 76 days ago
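To see what those "days ago" figures mean as exposure windows, here is an added example (not code from the post or from the Zero Day Initiative) that parses the four quoted pipeline records, recomputes each window from a snapshot date, checks it against the quoted figure, and reports the longest open window per vendor and the records past a patch SLA. The snapshot date of 2006-08-29 and the 90-day SLA are assumptions; the snapshot is the date at which all four quoted figures come out consistent.

```python
"""Parse ZDI pending-vulnerability records and check the exposure windows.

Added example, not code from the post or from ZDI. The four records are
the ones quoted in the post; SNAPSHOT is an assumed reference date.
"""
from dataclasses import dataclass
from datetime import date
import re

# Record layout as quoted: ID -- vendor -- severity -- YYYY.MM.DD, N days ago
RECORD_RE = re.compile(
    r"^(?P<id>ZDI-CAN-\d+)\s+--\s+(?P<vendor>.+?)\s+--\s+(?P<severity>\w+)"
    r"\s+--\s+(?P<reported>\d{4}\.\d{2}\.\d{2}),\s+(?P<claimed_days>\d+)\s+days ago$"
)

# The four records exactly as quoted in the post.
PIPELINE = """\
ZDI-CAN-041 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-042 -- Adobe -- High -- 2006.04.07, 144 days ago
ZDI-CAN-046 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-061 -- Microsoft -- High -- 2006.06.14, 76 days ago
"""

# Assumed snapshot date: the day on which all four quoted "days ago"
# figures are simultaneously correct (2006.04.07 + 144 = 2006.06.14 + 76).
SNAPSHOT = date(2006, 8, 29)


@dataclass(frozen=True)
class PendingVuln:
    zdi_id: str
    vendor: str
    severity: str
    reported: date
    claimed_days: int

    def days_open(self, as_of: date = SNAPSHOT) -> int:
        """Exposure window: days from vendor notification to the snapshot."""
        return (as_of - self.reported).days


def parse_pipeline(text: str) -> list[PendingVuln]:
    """Parse each record; a malformed line raises rather than being skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ZDI record: {line!r}")
        y, mo, d = (int(p) for p in m["reported"].split("."))
        records.append(PendingVuln(m["id"], m["vendor"], m["severity"],
                                   date(y, mo, d), int(m["claimed_days"])))
    return records


def inconsistent_records(records: list[PendingVuln], as_of: date = SNAPSHOT) -> list[str]:
    """IDs whose recomputed age disagrees with the quoted 'days ago' figure."""
    return [r.zdi_id for r in records if r.days_open(as_of) != r.claimed_days]


def longest_open_by_vendor(records: list[PendingVuln], as_of: date = SNAPSHOT) -> dict[str, int]:
    """Longest unpatched window per vendor, in days, as of the snapshot."""
    out: dict[str, int] = {}
    for r in records:
        out[r.vendor] = max(out.get(r.vendor, 0), r.days_open(as_of))
    return out


def over_threshold(records: list[PendingVuln], threshold_days: int,
                   as_of: date = SNAPSHOT) -> list[str]:
    """IDs open longer than a chosen patch SLA (the SLA value is an assumption)."""
    return [r.zdi_id for r in records if r.days_open(as_of) > threshold_days]


if __name__ == "__main__":
    recs = parse_pipeline(PIPELINE)
    print("mismatched figures:", inconsistent_records(recs) or "none")
    print("longest open per vendor:", longest_open_by_vendor(recs))
    print("past 90-day SLA:", over_threshold(recs, 90))
```

Pointing the same parser at a later pipeline snapshot, with `as_of` set to that day, gives a running view of which vendors are accumulating the longest unpatched windows.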

Don't be in a hurry to blame the vendors: in between dealing with these zero day vulnerabilities, they are all shipping patches for the emerging ones, that is, those that get the most publicity and make the headlines so actively that there's no other way but to dedicate product development time to quality assurance. Keep in mind that, even though the vendors are still working on fixes, TippingPoint's IPS customers are apparently already protected, since TippingPoint is aware of these exploits. Setting aside the vendor dependability issue, and the fact that ZDI is indisputably turning into an HR-on-demand think-tank for vulnerability research, I discussed some of the issues regarding the possible motivation of the vulnerability infomediaries, and what to keep in mind, in a previous post:

- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?

- ensuring the proactive security of its customers by notifying them first, and only then the general public? That doesn't necessarily secure the Internet, and it sort of provides the clientele with a false feeling of security: what if a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells a 0day to a competitor? Would the vendor's IPS protect against a threat like that too?

- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?

- improving the company's client list through constant collaboration with leading vendors while communicating a vulnerability in their software products?

Diversify your infrastructure to minimize the damage from zero day outbreaks, give end users only the privileges they need, do your homework, camouflage and implement early warning systems and decoys, and yes, keep track of your assets and ensure they're already protected against their known vulnerabilities. Responsible disclosure is the socially oriented approach; the trouble is that the Internet itself is a capitalist society with basic market forces.

Related posts:

Was the WMF vulnerability purchased for $4000?!
0bay - how realistic is the market for security vulnerabilities?
Scientifically Predicting Software Vulnerabilities

Chinese Hackers Attacking U.S Department of Defense Networks

September 03, 2006
This may prove to be an informative forum, and I feel that the quality of the questions and the discussion facilitator's insights into the topic -- as a matter of fact GCN has proven a reliable source on the topic -- will be my benchmark for a provocative many-to-many discussion.

Here are my questions:

- Despite the PRC's growing Internet population and military thinking that greatly emphasizes the pros of information/cyber warfare -- concepts copied from the U.S. combined with Sun Tzu's mode of thinking and attitude may indeed prove a dangerous combination -- I find it a more complex issue, as: "Let's not forget the use and abuse of island hopping points fueling further tensions in key regions and abusing the momentum itself; physically locating a network device in the future IPv6 network space is of key interest to all parties." China's growing Internet population means plenty of already malware-infected hosts that could easily act as stepping stones for third parties.

My point: is it geopolitical tension engineering, or an active doctrine already being implemented?

- If it's indeed a Red Storm Rising, what's North Korea's place in the situation? Could it be North Korea engineering and impersonating China's cyber forces, thus helping the enemies of its enemies?

- How significant is the threat from the PRC's actual cyber warfare divisions, compared to utilizing the masses of script kiddies and promoting -- and not prosecuting -- hacking activities against foreign adversaries? Script kiddies pretending to be l33t, or cyber warfare divisions using retro techniques to disinform about the actual state of military preparedness? The rise of intellectual property theft worms that I discussed, especially Myfip, has been connected with the Titan Rain attacks on military networks, but this can be so easily engineered to point wherever you want it to:

"Myfip doesn't spread back out via the Simple Mail Transfer Protocol (SMTP). "There is no code in the worm to do this," the report said. "From certain key headers in the message, we can tell that the attachment was sent directly to [users]." One element that stands out is that Myfip e-mails always have one of two X-Mailer headers: X-Mailer: FoxMail 4.0 beta 2 [cn] and X-Mailer: FoxMail 3.11 Release [cn]. Also, it always uses the same MIME boundary tag: _NextPart_2rfkindysadvnqw3nerasdf. "These are signs of a frequently-seen Chinese spamtool…," the report said. Stewart said his team was easily able to trace the source of Myfip and its variants. "They barely make any effort to cover their tracks," he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the "document collector" hosts, are all based there, mostly in the Tianjin province."

- Where exactly does the real threat come from? Hackers reading clerks' unclassified but sensitive emails, thus exposing the network's design and gathering intelligence for a future "momentum", or the use of PSYOPS online? How is the second measured as a key foundation for a successful information warfare battle?

- Is it state-sponsored espionage and cyber warfare practice, or mainland hacktivists, perhaps even hired third-party guns?
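The Myfip header indicators quoted in the report above (the two X-Mailer values and the MIME boundary tag) are exactly the kind of thing a mail gateway or incident responder can check for when triaging suspicious attachments. The following is an added example, not code from the post or from the cited report: the three sample messages are constructed here, and the matching rule (exact match on X-Mailer, substring match on the boundary, since the quoted tag may be only part of the full boundary string) is an assumption about how the quoted indicators would be applied.

```python
"""Flag e-mails carrying the Myfip header indicators quoted in the report.

Added example (not code from the original post or the cited report). The
X-Mailer values and the boundary fragment are the ones quoted; the sample
messages are constructed for illustration and use reserved .invalid domains.
"""
from email import message_from_string
from email.message import Message

# Indicators as quoted in the report.
MYFIP_XMAILERS = {
    "FoxMail 4.0 beta 2 [cn]",
    "FoxMail 3.11 Release [cn]",
}
MYFIP_BOUNDARY_FRAGMENT = "_NextPart_2rfkindysadvnqw3nerasdf"


def myfip_indicators(raw: str) -> list[str]:
    """Return the Myfip header indicators present in one raw RFC 822 message.

    Two hits (mailer and boundary) reproduce the pattern the report describes;
    a single hit is a weaker signal worth a second look rather than a verdict.
    """
    msg: Message = message_from_string(raw)
    hits = []
    xmailer = (msg.get("X-Mailer") or "").strip()
    if xmailer in MYFIP_XMAILERS:
        hits.append(f"x-mailer:{xmailer}")
    # get_boundary() returns the boundary parameter of the Content-Type
    # header, or None for a non-multipart message.
    boundary = msg.get_boundary() or ""
    if MYFIP_BOUNDARY_FRAGMENT in boundary:
        hits.append("mime-boundary")
    return hits


def triage(messages: dict[str, str]) -> dict[str, list[str]]:
    """Run the indicator check over a batch of named raw messages."""
    return {name: myfip_indicators(raw) for name, raw in messages.items()}


# Constructed sample: both quoted indicators present.
SUSPECT_MAIL = """\
From: someone@example.invalid
To: target@example.invalid
Subject: document
X-Mailer: FoxMail 4.0 beta 2 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_2rfkindysadvnqw3nerasdf"

------=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: text/plain

please see attached
------=_NextPart_2rfkindysadvnqw3nerasdf--
"""

# Constructed sample: the mailer matches but the boundary is ordinary.
PARTIAL_MAIL = """\
From: someone@example.invalid
To: target@example.invalid
Subject: report
X-Mailer: FoxMail 3.11 Release [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ordinary-boundary-0001"

--ordinary-boundary-0001
Content-Type: text/plain

hello
--ordinary-boundary-0001--
"""

# Constructed sample: an ordinary message with neither indicator.
BENIGN_MAIL = """\
From: colleague@example.invalid
To: target@example.invalid
Subject: lunch
X-Mailer: ExampleMailer 1.0
Content-Type: text/plain

noon?
"""


if __name__ == "__main__":
    batch = {"suspect": SUSPECT_MAIL, "partial": PARTIAL_MAIL, "benign": BENIGN_MAIL}
    for name, hits in triage(batch).items():
        print(f"{name}: {hits or 'no Myfip indicators'}")
```

Header indicators like these are cheap to check at the gateway but are also trivially changed by the sender, which is why the report's own attribution rested on the originating hosts as well; treat a hit as a reason to pull the message for analysis, not as proof of origin.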

Image courtesy of Chinese hacktivists diversifying their attacks and causing more noise during the U.S/China cyber skirmish.

Related resources and posts:
Cyber Warfare
Information Warfare
Hacktivism Tensions - Israel vs Palestine Cyberwars
Cyber War Strategies and Tactics
Who's who in Cyber Warfare?

The Biggest Military Hacks of All Time

September 02, 2006
The biggest military hack of all time, the Pentagon hacker, the NASA hacker - hold your breath, it's just more media hype, or a traffic acquisition headline strategy by the majority of online media sites. Who else are we missing? The NASA port scanner, the true walking case study on tweaking NMAP for subconscious espionage purposes, the CIA IRC junkies that managed to talk them into talking with "them", and Bozo the clown chased by the Thought Police for his intentions.

Great examples of buzz-generating, deadline-centered news articles you can always amuse yourself with, while feeling sorry for the lack of insightful perspectives nowadays -- I'm slowly compiling a list of the best of the best news items ever, so let there be fewer intergalactic security statements, and fewer "web sites flooded with Hezbollah data" stories.

In case you've somehow missed Gary McKinnon's story, don't worry, you haven't missed anything spectacular, besides today's flood of reporters with claimed prehistoric IT security experience -- you must tell the difference between a reporter, a journalist, and a barking dog, though. Perhaps the only objective action taken by an industry representative was the Sophos survey on Gary McKinnon. It would be much more credible to differentiate the severity of the hack depending on which military or government network was actually breached; don't just go where the wind blows, barely reporting. Where's YOUR opinion, if ANY?

Was it the NSANet, the Joint Worldwide Intelligence Communications System (JWICS), the Secret Internet Protocol Router Network (SIPRNet), or the Unclassified but Sensitive Internet Protocol Router Network (NIPRNet) that was actually breached?

Moreover, were the following real-life examples a paintball game or something:

- Solar SunRise
"SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 February 1998. The attack pattern was indicative of a preparation for a follow-on attack on the DII. DoD unclassified networked computers were attacked using a well-known operating system vulnerability. The attackers followed the same attack profile: (a) probing to determine if the vulnerability exists, (b) exploiting the vulnerability, (c) implanting a program (sniffer) to gather data, and (d) returning later to retrieve the collected data."

- Dutch hackers during the Gulf War
"At least one penetrated system directly supported U.S. military operations in Operation Desert Storm prior to the Gulf War. They copied or altered unclassified data and changed software to permit future access. The hackers were also looking for information about nuclear weapons. Their activities were first disclosed by Dutch television when camera crews filmed a hacker tapping into what was said to be U.S. military test information."

- The Case Study: Rome Laboratory, Griffiss Air Force Base
"However, events really began in 1994, when the two young men broke into an Air Force installation known as Rome Labs, a facility at the now closed Griffiss Air Force Base, in New York. This break-in became the centerpiece of a Government Accounting Office report on network intrusions at the Department of Defense in 1996 and also constituted the meat of a report entitled "Security and Cyberspace" by Dan Gelber and Jim Christy, presented to the Senate Permanent Subcommittee on Investigations during hearings on hacker break-ins the same year. It is interesting to note that Christy, the Air Force Office of Special Investigations staffer/author of this report, was never at Rome while the break-ins were being monitored."

- Moonlight Maze
"It was claimed that these hackers had obtained large stores of data that might include classified naval codes and information on missile guidance systems, though it was not certain that any such information had in fact been compromised."

- Titan Rain
"Titan Rain hackers have gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA."

- Chinese hackers who supposedly downloaded 10 to 20 terabytes from the NIPRNet -- it's like I love you from 1 to 50, and you?

From another perspective, the biggest military hack doesn't have to come from the outside but from the inside, as soldiers easily lose their USB sticks in the field. Breaching the SIPRNet from the outside would be a good example of a big military hack, but then again, insiders are always there to "take care" of it.

If Gary McKinnon did the biggest military hack of all time, why do I still hear Bozo singing - ta ta tararata ta ta rara tata.

UPDATE:
Related posts you might also find informative - North Korea's Cyber Warfare Unit 121, Techno imperialism and the effect of Cyber terrorism, Cyber War Strategies and Tactics, the rest you can Google. Surprised to come across the post at Meneame.net too.

The Walls and Lamps are Listening

September 02, 2006
And so are the hardware-implanted "covert operatives".

Cyber War Strategies and Tactics

August 28, 2006
Starting from the basic premise that "all warfare is based on deception", cyberspace offers an unprecedented amount of asymmetric power to those capable of using it. Cyber wars are often perceived as an innocent exchange of "virtual shots" between teenage defacement groups, whereas if one is willing to embrace the rough reality, hacktivism remains a sub-activity of cyberterrorism, with information warfare uniting all these tactics.

Quality techno-thrillers often entertain the notion of future warfare fought in the virtual realm rather than through the actual spilling of blood and body parts -- death is just an upgrade. Coming back to today's hacktivism-dominated mainstream news space, you may find this paper, Cyberwar Strategy and Tactics - An Analysis of Cyber Goals, Strategies, Tactics, and Techniques, and the development of a Cyber war Playbook, informative reading:

"To create a cyberwar playbook, we must first understand the stratagem building blocks or possible moves that are available. It is important to note however that these stratagem building blocks in and of themselves are not strategic. Instead, it is the reasoned application of one or more stratagems in accomplishing higher-level goals that is strategic in nature. We thus need to understand the situations in which the stratagems should be applied and how. We can begin to predict and choose the most effective stratagem for a given situation as we become more experienced. Example stratagems include:

Fortify
Deceive
Stimulate
Condition
Dodge
Block
Skirt
Monitor

Stratagems may also have sub-stratagems. Examples are:

Deceive.Chaff
Deceive.Fakeout
Deceive.Conceal
Deceive.Feint
Deceive.Misinform
Block.Barricade
Block.Cutoff
Monitor.Eavesdrop
Monitor.Watch
Monitor.Follow


These stratagems are very high level and can be supported through many tactical means. Each building block defines a stratagem and contains one or more possible tactical implementations for that stratagem, including requirements, goals that may be satisfied using the stratagem, caveats, example uses, and possible countermeasures."

No matter the NCW doctrine, or UAVs intercepting or hijacking signals, "shock and awe" still dazzles the masses of "individuals" prone to being abused by cheap PSYOPS.

Related resources and posts:
Network Centric Warfare basics back in 1995
Information Warfare
Cyber Warfare
Who's Who in Cyber Warfare?
North Korea's Cyber Warfare Unit 121
Hacktivism Tensions - Israel vs Palestine Cyberwars
Achieving Information Warfare Dominance Back in 1962