Is a Space Warfare arms race really coming?

March 20, 2006
In one of my previous posts "Who needs nuclear weapons anymore?" I was emphasizing on another, much more assymentric, still dangerous alternative, EMP weapons. I came across to a recent Boston.com article titled "Pentagon eyeing weapons in space" that's gives a relevant overview of the current state of the U.S's ambitions, an excerpt :



"The Pentagon is asking Congress for hundreds of millions of dollars to test weapons in space, marking the biggest step toward creating a space battlefield since President Reagan's long-defunct ''star wars" project during the Cold War, according to federal budget documents."



as well as some of the projects the request is going to be spent on :



-"One $207 million project by the Missile Defense Agency features experiments on micro-satellites, including using one as a target for missiles. This experiment ''is particularly troublesome," according to the joint report, ''as it would be a de-facto antisatellite test." "
-"A project description says the Air Force would test a variety of powerful laser beams ''for applications including antisatellite weapons."

-"The agency also has asked Congress for $220 million for ''Multiple Kill Vehicles," a program that experts say could be proposed as a space-based missile interceptor."

-"Meanwhile, the Air Force wants $33 million for the Hypersonic Technology Vehicle, envisioned as space vehicle capable of delivering a military payload anywhere on earth within an hour, according to an official project description."



Big government contractors(the majority of and past revenues secured bygovernment contracts) such as Northrop Grumman and Lockhead Martin are more than eager to get hold of implementing these projects and launching them into space.



I highly recommend you to read Space Warfare Foolosophy: Should the United States be the First Country to Weaponize Space? if you want to go through a very good point of view -- it's all about politics and who feels like getting superior. An arms race is slowly emerging, and that's the distrurbing part!



As a matter of fact, SFAM from the CyberpunkReview.com has recently featured a review of one of the best X-files episodes "Kill Switch" where the main characters try to escape an AI playing with leftover Star Wars military orbital lasers .



More resources can also be found at :

Orbital Weaponry
Space Based Weapons
Space Warfare Weapons
SpaceWar.com
Militarization and Weaponization of Space
Space and Electronifc Warfare (ELINT) Lexicon
Gyre's Space Warfare section
Directed Energy Warfare -- Space Age Weapons
Secret Orbiter System Revealed
Military Transformation Uplink: March 2006
Anti-Satellite Weapons
Military Space Programs
Space Weapons For Earth Wars
The Revolution in War (227 pages)
A Political Strategy for Antisatellite Weaponry
Space Weapons - Crossing the U.S Rubicon
Preventing the Weaponization of Space
Space Weapons: The Urgent Debate
Satellite Killers and Space Dominance
The Advent of Space Weapons
US Space Command Vision for 2020
China's Space Capabilities and the Strategic Logic of Anti-Satellite Weapons

U.S. Air Force Plans for Future War in Space - 2004
Space Warfare in Perspective - 1982



Technorati tags :
, , , , , , Continue reading →

"Successful" communication

March 17, 2006
You know Dilbert, don't you? I find this cartoon a very good representation of what is going on in the emerging market for software vulnerabilities, and of course, its OTC trade practices -- total miscommunication and different needs and opinions. While different opinions and needs provoke quality discussion and I understand the point that everyone is witnessing that something huge is happening, "so why shouldn't I?", but at the bottom line, it's so obvious that there isn't any sort of mission or social welfare goal to be achieved, that everyone is commercializing what used to be the "information wants to be free" attitude.



Weren't software vulnerabilities supposed to turn into a commodity given the number of people capable and actually discovering them, where "windows of opportunities" get the highest priority as a con? That is, compared to commercializing vulnerability research, empowering researchers to the skies, and turning vulnerabilities into an IP, totally decentralizing the current sources of information, and fueling the growth of underground models, as it's obvious that for the time being vulnerabilities and their early acquirement seems to be where the $ is. What do you think?



Technorati tags :
, , , , Continue reading →

Getting paid for getting hacked

March 17, 2006
In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments, from the article :



"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hacker move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."



Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented the same issue with the "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators, still the situation is, of course, even worse.


But how do you try to value security at the bottom line?



Bargaining with security, and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved, seems to be a second priority -- bad bargaining in the long-term, but marketable one in the short one.



Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extend, that's a very pointless service, as it fuels the growth of DDoS extortion, as now it's the insurer having to pay for it, meaning there're a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider, is that a lot of companies reasonably take advantage of MSSPs with the idea to forward risk/outsource their security to an experienced provider, and most importantly, budget with their security spending. And while the California's SB 1386 is important factor for growth of the service given the 20 states participating, with the number of stolen databases from both, commercial, educational and military organizations, insurers will start earning a lot of revenues that could have been perhaps spent in security R&D -- which I doubt they would spend them on, would they?



UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"



Related resources :

Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Valuing Security Products and Patches
Network Risks, Exposures and Solutions



Technorati tags :
, , , Continue reading →

Old physical security threats still working

March 16, 2006
In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!) I briefly mentioned on the following possibility as far as physical security and malware was concerned :



"Another way of infecting while having physical access is the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CD's:
[autorun]open=setup.exeicon=setup.exe So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don't know about this CD function they will get infected and won't understand what happened and how it's been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following: Start Button -> Settings -> Control Panel ->System -> Device Manager -> CDROM -> Properties -> Settings"



and another interesting point :


"I know of another story regarding this problem. It's about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance to popularise their productions by sending them to the Editors. An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the "game" appeared on the CD and you can imagine the chaos that set in."


Things have greatly changed for the last three years, while it may seem that global malware outbreaks are the dominant trend, slow worms, 0day malware and any other "beneath the AVs radar" concepts seem to be the next pattern.



It's "great" to find out that age-old CD trick seems to be fully working, whereas I can't reckon someone was saying "Hello World" to WMF's back then! TechWorld wrote a great article two days ago titled "Workers duped by simple CD ruse", an excerpt :



"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. When a user ran the disc, the code on it prompted a browser window that opened a Web site, Chapman said. The site then tried to load an image from another Web site, Chapman said."



While we can argue how vulnerable to security theats and end user is these days, compared to physical security ones, there are lots of cases pointing out the targeted nature of attacks, and the simple diversification of attack methods from what is commontly accepted as current trend. My point is that if you believe the majority of threats are online based ones, someone will exploit this attitude of yours and target you physically.


And while I feel the overall state of physical security in respect to end users and their workstations has greatly improved with initiatives such as ensuring the host's integrity and IPSs, what you should consider taking care of is - who is capable of peeping behind your back and what effect may it have on any of your projects? 3M's Privacy Filters are a necessity these days, and an alternative to the obvious C.H.I.M.P. (monitor mirror). Be aware!



UPDATE - this post recently appeared at LinuxSecurity.com - Old physical security threats still working



More resources on physical security can also be found at :

19 Ways to Build Physical Security into a Data Center
Securing Physical Access and Environmental Services for Datacenters
CISSP Physical Security Exam Notes
Physical Security 101
SANS Reading Room's Physical Security section



Technorati tags :
, , Continue reading →
Subscribe to: Comments (Atom)