Tuesday, September 05, 2006

Benefits of Open Source Intelligence - OSINT

Surprisingly, Forbes, the homepage for the world's business leaders -- and wannabe ones -- has a well-written article on Open Source Intelligence you might find informative:

"How can we use this to reform intelligence? I suggest we create a national Open Source Agency. Half of the money earmarked for the agency would go toward traditional intelligence work. The other half would provide for 50 state-wide Citizen Intelligence Networks, including a 24/7 watch center, where citizens can both obtain and input information. We could establish new emergency intelligence phone numbers--think 119 instead of 911--allowing any housewife, cab driver or delivery boy to contribute to our national security. All they have to do is be alert, and if they see something, take a cell phone photograph and send it in with a text message. If three different people notice the same suspicious person taking photographs of a nuclear plant, for instance, it could be hugely important. The system could even evolve to automatically mobilize emergency workers or warn citizens. Imagine if after people alerted the network about a roadside car bomb, it automatically sent text messages to every phone in the immediate area, warning people to stay away."

Collective intelligence, the wisdom of crowds -- Web users were once supposed to virtually patrol the U.S. border -- is driving Web 2.0; trouble is, so is paranoia, and all paranoid people need is a platform to spread it further. Still, the article emphasises how educated citizens can be the best defense. The benefits of OSINT, according to the CIA themselves, are:

Speed: When a crisis erupts in some distant part of the globe, in an area where established intelligence assets are thin, intelligence analysts and policymakers alike will often turn first to the television set and Internet.

Quantity: There are far more bloggers, journalists, pundits, television reporters, and think-tankers in the world than there are case officers. While two or three of the latter may, with good agents, beat the legions of open reporters by their access to secrets, the odds are good that the composite bits of information assembled from the many can often approach, match, or even surpass the classified reporting of the few.

Quality: As noted above, duped intelligence officers at times produce reports based on newspaper clippings and agent fabrications. Such reports are inferior to open sources untainted by agent lies.

Clarity: An analyst or policymaker often finds even accurate HUMINT a problem. For example, when an officer of the CIA’s Directorate of Intelligence (DI), reads a report on a foreign leader based on “a source of unproven reliability,” or words to that effect, the dilemma is clear. Yet, the problem remains with a report from a “reliable source.” Who is that? The leader’s defense minister? The defense minister’s brother? The mistress of the defense minister’s brother’s cousin? The DI analyst will likely never know, for officers of the Directorate of Operations (DO) closely guard their sources and methods. This lack of clarity reportedly contributed, for example, to the Iraqi WMD debacle in 2002-03. The DO reportedly described a single source in various ways, which may have misled DI analysts into believing that they had a strong case built on multiple sources for the existence of Iraqi weapons of mass destruction. With open information, sources are often unclear. With secrets, they almost always are.

Ease of use: Secrets, hidden behind classifications, compartments, and special access programs, are difficult to share with policymakers and even fellow intelligence officers. All officials may read OSINT.

Cost: A reconnaissance satellite, developed, launched, and maintained at a cost of billions of dollars, can provide images of a weapons factory’s roof or a submarine’s hull. A foreign magazine, with an annual subscription cost of $100, may include photographs of that factory’s floor or that submarine’s interior.

Meanwhile, intelligence analysts are putting effort into sharing their data and into data mining the Web and social networking sites, which is both cost-effective and can act as an early warning system for important events. Despite technological innovations, a blogger in an adversary's country can often unknowingly act as a HUMINT source of first-hand information -- and looking for democracy-minded individuals breaking through their regimes' controls by means of malware is yet another possibility. Tracking down terrorist propaganda and communications on the Internet has reached its current efficiency level mainly because of open source intelligence and the web crawling of known bad neighborhoods ever since 2001.

Related resources and posts:
Intelligence
OSINT
IP cloaking and competitive intelligence/disinformation
Terrorist Social Network Analysis

Monday, September 04, 2006

Stealth Satellites Developments Source Book

You can't hijack, intercept or hide from what you don't see or don't know is there, and stealthy satellites are going to get even more attention in the ongoing weaponization of space and the emerging space warfare arms race. Here's a huge compilation of articles and news items related to the development of stealthy satellites. An excerpt from an article within:

"The United States is building a new generation of spy satellites designed to orbit undetected, in a highly classified program that has provoked opposition in closed congressional sessions where lawmakers have questioned its necessity and rapidly escalating price, according to U.S. officials. The previously undisclosed effort has almost doubled in projected cost -- from $5 billion to nearly $9.5 billion, officials said. The National Reconnaissance Office, which manages spy satellite programs, has already spent hundreds of millions of dollars on the program, officials said. The stealth satellite, which would probably become the largest single-item expenditure in the $40 billion intelligence budget, is to be launched in the next five years and is meant to replace an existing stealth satellite, according to officials. Non-stealth satellites can be tracked and their orbits can be predicted, allowing countries to attempt to hide weapons or troop movements on the ground when they are overhead. Opponents of the new program, however, argue that the satellite is no longer a good match against today's adversaries: terrorists seeking small quantities of illicit weapons, or countries such as North Korea and Iran, which are believed to have placed their nuclear weapons programs underground and inside buildings specifically to avoid detection from spy satellites and aircraft."

Issues to keep in mind:
- a pre-launch leak in today's OSINT world
- synchronization of HUMINT-, SIGINT- and OSINT-gathered data to avoid deception; some developments are right there under your nose
- amateur radio and satellite enthusiasts outwitting the stealthiness, as always happens
- win-win IMINT sharing between countries can often cover the full spectrum; dependability is of course an issue

Related resources and posts:
Defense
Satellite
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems
Open Source North Korean IMINT Reloaded

Zero Day Initiative Upcoming Zero Day Vulnerabilities

Details on a dozen "upcoming zero day vulnerabilities" are emerging from TippingPoint's Zero Day Initiative:

"Over the past year, the most resounding suggestion from our Zero Day Initiative researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities. The following is a list of vulnerabilities discovered by researchers enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor has been contacted on the specified date and while they work on a patch for these vulnerabilities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of public disclosure. A list of published advisories is also available."

Note the time elapsed between vulnerability reporting and patching for some vendors:

ZDI-CAN-041 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-042 -- Adobe -- High -- 2006.04.07, 144 days ago
ZDI-CAN-046 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-061 -- Microsoft -- High -- 2006.06.14, 76 days ago
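To track vendor time-to-patch from such a pipeline listing, here is an added example (not from the post or from ZDI) that parses the four lines above, recomputes each entry's age against an assumed snapshot date of 2006-08-29 (back-derived from "144 days ago" for 2006.04.07), and flags entries older than an assumed 90-day policy window:

```python
from datetime import date

# The ZDI pending-vulnerability lines quoted above, embedded verbatim.
ZDI_PIPELINE = """\
ZDI-CAN-041 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-042 -- Adobe -- High -- 2006.04.07, 144 days ago
ZDI-CAN-046 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-061 -- Microsoft -- High -- 2006.06.14, 76 days ago
"""

# Assumed capture date of the list: 2006.04.07 + 144 days = 2006-08-29.
SNAPSHOT = date(2006, 8, 29)


def parse_pipeline(text):
    """Split 'ID -- vendor -- severity -- yyyy.mm.dd, N days ago' lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ident, vendor, severity, rest = [f.strip() for f in line.split(" -- ")]
        reported_s, age_s = rest.split(",", 1)
        y, m, d = (int(p) for p in reported_s.split("."))
        entries.append({"id": ident, "vendor": vendor, "severity": severity,
                        "reported": date(y, m, d),
                        "stated_age": int(age_s.split()[0])})
    return entries


def pending_ages(text, as_of=SNAPSHOT, threshold_days=90):
    """Recompute each age, check it against the stated value, and flag overdue entries."""
    out = []
    for e in parse_pipeline(text):
        age = (as_of - e["reported"]).days
        out.append({**e, "age": age,
                    "consistent": age == e["stated_age"],
                    "overdue": age > threshold_days})
    return out


def overdue_by_vendor(text, **kw):
    """Count how many still-unpatched reports per vendor exceed the policy window."""
    counts = {}
    for e in pending_ages(text, **kw):
        if e["overdue"]:
            counts[e["vendor"]] = counts.get(e["vendor"], 0) + 1
    return counts
```

Changing `threshold_days` lets you compare the same pipeline against different disclosure policies without re-parsing.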

Don't be in a hurry to blame the vendors: in between dealing with these zero day vulnerabilities, they're all providing patches for the emerging ones, that is, those that get the highest publicity and make the headlines so actively that there's no other way but dedicating product development time to quality assurance. Keep in mind that, even though vendors are still working on fixing these, TippingPoint's IPS customers are apparently protected -- they're aware of these exploits. Excluding the vendor dependability issue, and the fact that ZDI is indisputably turning into an HR-on-demand think-tank for vulnerability research, I discussed some of the issues regarding the possible motivations of the vulnerability infomediaries, and what to keep in mind, in a previous post:

- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that socially oriented, but still, it's an option?

- ensuring the proactive security of its customers by notifying them first, and only then the general public? That doesn't necessarily secure the Internet, and sort of provides the clientele with a false feeling of security: "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?

- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?

- improving the company's client list through constant collaboration with leading vendors while communicating a vulnerability in their software products?

Diversify your infrastructure to minimize the damage from zero day outbreaks, ensure end users have only the privileges they need, do your homework, camouflage and implement early warning systems/decoys, and yes, keep track of your assets and ensure they're already protected from what's known to be their vulnerabilities. Responsible disclosure is the socially oriented approach; trouble is, the Internet itself is a capitalistic society with basic market forces.

Related posts:

Was the WMF vulnerability purchased for $4000?!
0bay - how realistic is the market for security vulnerabilities?
Scientifically Predicting Software Vulnerabilities

Sunday, September 03, 2006

Chinese Hackers Attacking U.S Department of Defense Networks

This may prove to be an informative forum, and I feel that the quality of the questions and the discussion facilitator's insights into the topic -- as a matter of fact, GCN has proven a reliable source on the topic -- will be my benchmark for a provocative many-to-many discussion.

Here are my questions:

- Despite the PRC's growing Internet population and military thinking that greatly emphasizes the pros of information/cyber warfare -- concepts copied from the U.S. combined with Sun Tzu's mode of thinking and attitude may indeed prove a dangerous combination -- I find it a bit more complex an issue, as: "Let's not forget the use and abuse of island hopping points fueling further tensions in key regions and abusing the momentum itself; physically locating a network device in the future IPv6 network space is of key interest to all parties." China's growing Internet population results in lots of already malware-infected hosts that could easily act as stepping stones for third parties.

My point: is it geopolitical tension engineering, or an active doctrine already being implemented?

- If it's indeed a Red Storm Rising, what's North Korea's place in the situation? Could it be North Korea engineering and impersonating China's cyber forces, thus helping the enemies of its enemies?

- How significant is the threat from the PRC's actual cyber warfare divisions, compared to utilizing the masses of script kiddies and promoting -- and not prosecuting -- hacking activities against foreign adversaries? Script kiddies pretending to be l33t, or cyber warfare divisions using retro techniques to disinform on the actual state of military preparedness? The rise of intellectual property theft worms that I discussed, especially Myfip, has been connected with the Titan Rain attacks on military networks, but this can so easily be engineered to point wherever you want it to:

"Myfip doesn't spread back out via the Simple Mail Transfer Protocol (SMTP). "There is no code in the worm to do this," the report said. "From certain key headers in the message, we can tell that the attachment was sent directly to [users]." One element that stands out is that Myfip e-mails always have one of two X-Mailer headers: X-Mailer: FoxMail 4.0 beta 2 [cn] and X-Mailer: FoxMail 3.11 Release [cn]. Also, it always uses the same MIME boundary tag: _NextPart_2rfkindysadvnqw3nerasdf. "These are signs of a frequently-seen Chinese spamtool…," the report said. Stewart said his team was easily able to trace the source of Myfip and its variants. "They barely make any effort to cover their tracks," he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the "document collector" hosts, are all based there, mostly in the Tianjin province."

- Where exactly does the real threat come from? Hackers reading unclassified but sensitive clerks' emails, thus exposing the network's design and gathering intelligence for the future "momentum", or the use of PSYOPS online? How is the second measured as a key foundation for a successful information warfare battle?

- Is it state-sponsored espionage and cyber warfare practices, or mainland hacktivists, perhaps even hired third-party guns?

Image courtesy of Chinese hacktivists diversifying their attacks and causing more noise during the U.S/China cyber skirmish.
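One way a mail gateway or incident responder could turn the Myfip header indicators quoted in the report above (the two X-Mailer values and the fixed MIME boundary) into a detection check, as an added example that is not from this post or from the cited report; the sample messages are constructed and the addresses are placeholders:

```python
from email import message_from_string

# Header indicators quoted from the Myfip report above.
MYFIP_XMAILERS = {"FoxMail 4.0 beta 2 [cn]", "FoxMail 3.11 Release [cn]"}
MYFIP_BOUNDARY = "_NextPart_2rfkindysadvnqw3nerasdf"


def myfip_indicators(raw_message: str) -> list:
    """Return the names of Myfip header indicators present in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    xmailer = (msg.get("X-Mailer") or "").strip()
    if xmailer in MYFIP_XMAILERS:
        hits.append("x-mailer")
    # get_boundary() reads the boundary parameter of the Content-Type header.
    if msg.get_boundary() == MYFIP_BOUNDARY:
        hits.append("mime-boundary")
    return hits


def triage(messages) -> dict:
    """Map message index to its indicator list; both indicators together is the strongest match."""
    return {i: myfip_indicators(m) for i, m in enumerate(messages)}


# Constructed sample messages (not real captures): one carrying both indicators, one benign.
SUSPECT = (
    "From: sender@example.invalid\r\n"
    "To: clerk@example.invalid\r\n"
    "Subject: report\r\n"
    "X-Mailer: FoxMail 4.0 beta 2 [cn]\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="_NextPart_2rfkindysadvnqw3nerasdf"\r\n'
    "\r\n"
    "--_NextPart_2rfkindysadvnqw3nerasdf\r\n"
    "Content-Type: text/plain\r\n\r\nsee attached\r\n"
    "--_NextPart_2rfkindysadvnqw3nerasdf--\r\n"
)
BENIGN = (
    "From: alice@example.invalid\r\nTo: bob@example.invalid\r\nSubject: hi\r\n"
    "X-Mailer: Mozilla Thunderbird 1.5\r\n"
    'Content-Type: multipart/mixed; boundary="abc123"\r\n\r\n--abc123--\r\n'
)
```

The X-Mailer string alone is weak evidence (the report calls it a common Chinese spamtool signature), so the boundary match is what raises a message from "suspicious" to "likely Myfip".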

Related resources and posts:
Cyber Warfare
Information Warfare
Hacktivism Tensions - Israel vs Palestine Cyberwars
Cyber War Strategies and Tactics
Who's who in Cyber Warfare?