I can barely imagine the panic with a non-responding -- can it respond when it's not there? -- plane in the sky, at least by the time a visual confirmation reveals the truth. In the post 9/11 world, airports were among the first strategic targets to get the funding necessary to protect against the threats fabricated in a think-tank somewhere. Money are wasted in this very same fashion on a daily basis, with no clear ROI, just established social responsibility and common sense security. Disinformation can always happen in sky, as "Flaw may lead to air chaos". From the article :
"Hackers armed with little more than a laptop could conjure up phantom planes on the screens of Australia's air traffic controllers using new radar technology, warns Dick Smith. The prominent businessman and aviator claims to have found another serious security flaw in the new software being introduced into the air traffic control system. He has challenged Transport Minister Warren Truss to allow him to set up a demonstration of the problem at a test of the technology in Queensland to show how hackers could exploit the automatic dependent surveillance broadcasting (ASD-B) system to create false readings on an air traffic controller's screen. The air space activist says he was told of the flaw by US Federal Aviation Administration staff."
Compared to a speculation I described in a previous post "Why's that radar screen not blinking over there?", these practices are highly natural to ELINT planes/warfare, and in the capabilities of experienced staff members as pointed out in the article. Everything is buggy, and so is the ASD-B system for sure, but the problem from my point of view, is the possibility for a "talkative leakage", and the procedures, if any, to internally report bugs like these, and get them fixed of course.
Phantom Warhawk image courtesy of Les Patterson.
Tuesday, June 06, 2006
Phantom Planes in the Skies
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Where's my Fingerprint, Dude?
Personal data security breaches continue occurring, and with the trend towards evolving to a digital economy, it's inevitably going to get ever worse. In a recently revealed case "Lost IRS laptop stored employee fingerprints", from the article :
"A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in the western United States, IRS spokesman Terry Lemon said. No taxpayer information was on the lost laptop, Lemon said. In all, the IRS believes the computer contained information on 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth."
For the time being the largest accommodator of fingerprints in the world is the U.S.A, and this fact affects anyone that enters the U.S. My point is that, given the unregulated ways of classifying, storing, transfering and processing such type of information would result in its inavitable loss -- bad in-transfer security practices or plain simple negligence.
As we're also heading to a biometrics driven society, the impact of future data security breaches will go way beyond identity theft the way we know it -- lost and stolen voice patterns, DNAs, and iris snapshots would make the headlines. You might also be interested in knowing how close that type of "future scenario" really is given the modest genetic database of 3 million Americans already in existence.
Things are going to get very ugly, and it's not the privacy issue that bothers me, but the aggregation of such type of data at the first place, and who will get to steal it. It's perhaps the perfect market timing moment to start a portable security solution provider, or resell ones know-how under license, of course.
"A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in the western United States, IRS spokesman Terry Lemon said. No taxpayer information was on the lost laptop, Lemon said. In all, the IRS believes the computer contained information on 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth."
For the time being the largest accommodator of fingerprints in the world is the U.S.A, and this fact affects anyone that enters the U.S. My point is that, given the unregulated ways of classifying, storing, transfering and processing such type of information would result in its inavitable loss -- bad in-transfer security practices or plain simple negligence.
As we're also heading to a biometrics driven society, the impact of future data security breaches will go way beyond identity theft the way we know it -- lost and stolen voice patterns, DNAs, and iris snapshots would make the headlines. You might also be interested in knowing how close that type of "future scenario" really is given the modest genetic database of 3 million Americans already in existence.
Things are going to get very ugly, and it's not the privacy issue that bothers me, but the aggregation of such type of data at the first place, and who will get to steal it. It's perhaps the perfect market timing moment to start a portable security solution provider, or resell ones know-how under license, of course.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Sunday, June 04, 2006
Skype as the Attack Vector
It's often hard to actually measure the risk exposure to a threat, given how overhyped certain market segments/products' insecurities get with the time. Gartner, and the rest of the popular marketing research agencies seem to be obsessed with Skype as the major threat to enterprises, while Skype isn't really bad news, compliance is, in respect to VoIP, P2P, IM and Email communications retention or monitoring. From the article :
"The most recent bug in Skype is another clue to enterprises that they should steer clear of the VoIP service, research firm Gartner recently warned. Two weeks ago, Skype patched a critical vulnerability that could let an attacker send a file to another user without his or her consent, and potentially obtain access to the recipient's computer and data. This vulnerability follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans in an online research note. "Because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."
There's a slight chance an enterprise isn't already blocking Skype, using both, commercial and public methods wherever applicable. Moreover, it would be much more feasible to consider the fact that, if the enterprise -- assuming a U.S one -- isn't blocking the use of Skype, it must somehow monitor/retain its use in order to comply with standard regulations. Skype poses the following problems :
- inability for the enterprise to retain the IM and VoIP sessions in accordence with regulations
- wasted bandwidth costing loss productivity and direct cash outflows, slowdown for critical network functions
- covert channels possibilities
Several months ago, Skype was also discussed as a command'n'control application for botnets, while steganography based communications and plain-simple encrypted/stripped IRCd sessions remain rather popular. Malware authors are actively looking for ways to avoid IRC given the popularity it has gained and the experience botnet hunters have these days.
Skype is the last problem to worry about, as in this very same way the recent vulnerabilities in major market leading AVs would have had a higher risk exposure factor as there's a greater chance of occurrence of malware, than a Skype vulnerability. It's the vulnerabilities in software in principle you have to learn how to deal with, and third-party applications that somehow make it on your company's network.
More resources :
Skype Security Evaluation
Silver Needle in the Skype
Skype Security and Privacy Concerns
Impact of Skype on Telecom Service Providers
"The most recent bug in Skype is another clue to enterprises that they should steer clear of the VoIP service, research firm Gartner recently warned. Two weeks ago, Skype patched a critical vulnerability that could let an attacker send a file to another user without his or her consent, and potentially obtain access to the recipient's computer and data. This vulnerability follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans in an online research note. "Because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."
There's a slight chance an enterprise isn't already blocking Skype, using both, commercial and public methods wherever applicable. Moreover, it would be much more feasible to consider the fact that, if the enterprise -- assuming a U.S one -- isn't blocking the use of Skype, it must somehow monitor/retain its use in order to comply with standard regulations. Skype poses the following problems :
- inability for the enterprise to retain the IM and VoIP sessions in accordence with regulations
- wasted bandwidth costing loss productivity and direct cash outflows, slowdown for critical network functions
- covert channels possibilities
Several months ago, Skype was also discussed as a command'n'control application for botnets, while steganography based communications and plain-simple encrypted/stripped IRCd sessions remain rather popular. Malware authors are actively looking for ways to avoid IRC given the popularity it has gained and the experience botnet hunters have these days.
Skype is the last problem to worry about, as in this very same way the recent vulnerabilities in major market leading AVs would have had a higher risk exposure factor as there's a greater chance of occurrence of malware, than a Skype vulnerability. It's the vulnerabilities in software in principle you have to learn how to deal with, and third-party applications that somehow make it on your company's network.
More resources :
Skype Security Evaluation
Silver Needle in the Skype
Skype Security and Privacy Concerns
Impact of Skype on Telecom Service Providers
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Travel Without Moving - KGB Lubyanka Headquarters
Yet another hot spot in this week's Travel Without Moving series - this time it's Lubyanka Square's KGB Headquarters. There are still lots of Cold War sentiments in the air among yesterday's and today's super powers and you just can't deny it. Today's FSB, the successor to the KGB, is taking a very serious approach towards counter-intelligence, and offensive scientific intelligence practices in a much more synergetic relationship with the academic world compared to years ago. While the CIA is undisputably the most popular foreign intelligence agency, and more of a front end to the NSA itself from my point of view, the KGB still remains reponsible for very important and "silent" moments in the world's history.There were moments in the very maturity of the Cold War, when both, the CIA, and the KGB were on purposely disinforming their operatives in order to keep them motivated and fuel the tensions even more, but compared to the CIA with its technological know-how, KGB's HUMINT capababilities didn't get surpassed by technologies. Among the key success factors for the intelligence agency was the centralized nature of the command of chain, total empowerment, common and obsessive goal, and clear enemy.
Today's trends mostly orbit around :
- information sharing, that is less complexity among different departments and agencies
- win-win information sharing among nations
- offensive and defensive CYBERINT, harnessing the power, or protecting against the threats posed by the digital era
- automated and efficient mass surveillance practices- eliminating "safe heavens"
In case you really want to go in-depth into what has happened during the last couple of decades, Vasilli Mitrohih's KGB Archives are worth reading. And the true-retro gamers can take the role of "Captain Maksim Mikahilovich Rukov, recently transferred to the Department P from the GRU after three years' duty to investigate possible corruption inside the KGB (after a former agent turned private eye was found murdered). However, as the plot progresses, Rukov finds himself investigating a party hardliner anti-perestroika plot that threatens the life of General Secretary Mikhail Gorbachev" while playing KGB - Conspiracy game.
Today's trends mostly orbit around :
- information sharing, that is less complexity among different departments and agencies
- win-win information sharing among nations
- offensive and defensive CYBERINT, harnessing the power, or protecting against the threats posed by the digital era
- automated and efficient mass surveillance practices- eliminating "safe heavens"
In case you really want to go in-depth into what has happened during the last couple of decades, Vasilli Mitrohih's KGB Archives are worth reading. And the true-retro gamers can take the role of "Captain Maksim Mikahilovich Rukov, recently transferred to the Department P from the GRU after three years' duty to investigate possible corruption inside the KGB (after a former agent turned private eye was found murdered). However, as the plot progresses, Rukov finds himself investigating a party hardliner anti-perestroika plot that threatens the life of General Secretary Mikhail Gorbachev" while playing KGB - Conspiracy game.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)