The Biggest Military Hacks of All Time

September 02, 2006
The biggest military hack of all time, the Pentagon hacker, the NASA hacker: hold your breath, it's just another piece of media hype, a traffic-acquisition headline strategy used by the majority of online media sites. Who else are we missing? The NASA port scanner, the true walking case study on tweaking NMAP for subconscious espionage purposes, the CIA IRC junkies that managed to talk them into talking with "them", and Bozo the clown chased by the Thought Police for his intentions.

These are great examples of buzz-generating, deadline-driven news articles: you can always amuse yourself with them while feeling sorry for the lack of insightful perspectives nowadays. I'm slowly compiling a list of the best news items ever, so let there be fewer intergalactic security statements and less flooding of web sites with Hezbollah data stories.

In case you've somehow missed Gary McKinnon's story, don't worry, you haven't missed anything spectacular besides today's flood of reporters with claimed prehistoric IT security experience. You must make the distinction between a reporter, a journalist, and a barking dog, though. Perhaps the only objective action taken by an industry representative was the Sophos survey on Gary McKinnon. It would be much more credible to differentiate the severity of the hack depending on which military or government network was actually breached. Don't just go where the wind blows, barely reporting: where's YOUR opinion, if ANY?

Which one was actually breached: the NSANet, the Joint Worldwide Intelligence Communications System (JWICS), the Secret Internet Protocol Router Network (SIPRNet), or the Unclassified but Sensitive Internet Protocol Router Network (NIPRNet)?

Moreover, were the following real-life examples a paintball game or something?

- Solar SunRise
"SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 February 1998. The attack pattern was indicative of a preparation for a follow-on attack on the DII. DoD unclassified networked computers were attacked using a well-known operating system vulnerability. The attackers followed the same attack profile: (a) probing to determine if the vulnerability exists, (b) exploiting the vulnerability, (c) implanting a program (sniffer) to gather data, and (d) returning later to retrieve the collected data."

- Dutch hackers during the Gulf War
"At least one penetrated system directly supported U.S. military operations in Operation Desert Storm prior to the Gulf War. They copied or altered unclassified data and changed software to permit future access. The hackers were also looking for information about nuclear weapons. Their activities were first disclosed by Dutch television when camera crews filmed a hacker tapping into what was said to be U.S. military test information."

- The Case Study: Rome Laboratory, Griffiss Air Force Base
"However, events really began in 1994, when the two young men broke into an Air Force installation known as Rome Labs, a facility at the now closed Griffiss Air Force Base, in New York. This break-in became the centerpiece of a Government Accounting Office report on network intrusions at the Department of Defense in 1996 and also constituted the meat of a report entitled "Security and Cyberspace" by Dan Gelber and Jim Christy, presented to the Senate Permanent Subcommittee on Investigations during hearings on hacker break-ins the same year. It is interesting to note that Christy, the Air Force Office of Special Investigations staffer/author of this report, was never at Rome while the break-ins were being monitored."

- Moonlight Maze
"It was claimed that these hackers had obtained large stores of data that might include classified naval codes and information on missile guidance systems, though it was not certain that any such information had in fact been compromised."

- Titan Rain
"Titan Rain hackers have gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA."

- Chinese hackers who supposedly downloaded 10 to 20 terabytes from the NIPRNet -- it's like I love you from 1 to 50, and you?

From another perspective, the biggest military hack doesn't have to come from the outside, but from the inside, as soldiers easily lose their USB sticks in the field. Breaching the SIPRNet from the outside would be a good example of a big military hack, but then again, insiders are always there to "take care" of it.

If Gary McKinnon did the biggest military hack of all time, why do I still hear Bozo singing - ta ta tararata ta ta rara tata.

UPDATE:
Related posts you might also find informative: North Korea's Cyber Warfare Unit 121, Techno imperialism and the effect of Cyber terrorism, Cyber War Strategies and Tactics; the rest you can Google. Surprised to come across the post at Meneame.net too.

The Walls and Lamps are Listening

September 02, 2006
And so are the hardware-implanted "covert operatives".

Cyber War Strategies and Tactics

August 28, 2006
Starting from the basic premise that "All warfare is based on deception", cyberspace offers an unprecedented amount of asymmetric power to those capable of using it. Cyber wars are often perceived as an innocent exchange of "virtual shots" between teenage defacement groups, whereas if one is willing to embrace the rough reality, Hacktivism remains a sub-activity of Cyberterrorism, and Information Warfare unites all these tactics.

Quality techno-thrillers often imply the notion of future warfare battles fought in the virtual realm instead of an actual spilling of blood and body parts; death is just an upgrade. Coming back to today's Hacktivism-dominated mainstream news space, you may find this paper, Cyberwar Strategy and Tactics - An Analysis of Cyber Goals, Strategies, Tactics, and Techniques, and the development of a Cyber war Playbook, informative reading:

"To create a cyberwar playbook, we must first understand the stratagem building blocks or possible moves that are available. It is important to note however that these stratagem building blocks in and of themselves are not strategic. Instead, it is the reasoned application of one or more stratagems in accomplishing higher-level goals that is strategic in nature. We thus need to understand the situations in which the stratagems should be applied and how. We can begin to predict and choose the most effective stratagem for a given situation as we become more experienced. Example stratagems include:

- Fortify
- Deceive
- Stimulate
- Condition
- Dodge
- Block
- Skirt
- Monitor

Stratagems may also have sub-stratagems. Examples are:

- Deceive.Chaff
- Deceive.Fakeout
- Deceive.Conceal
- Deceive.Feint
- Deceive.Misinform
- Block.Barricade
- Block.Cutoff
- Monitor.Eavesdrop
- Monitor.Watch
- Monitor.Follow

These stratagems are very high level and can be supported through many tactical means. Each building block defines a stratagem and contains one or more possible tactical implementations for that stratagem, including requirements, goals that may be satisfied using the stratagem, caveats, example uses, and possible countermeasures."

No matter the NCW doctrine, or UAVs intercepting or hijacking signals, "shock and awe" still dazzles the masses of "individuals" prone to being abused by cheap PSYOPS.

Related resources and posts:
Network Centric Warfare basics back in 1995
Information Warfare
Cyber Warfare
Who's Who in Cyber Warfare?
North Korea's Cyber Warfare Unit 121
Hacktivism Tensions - Israel vs Palestine Cyberwars
Achieving Information Warfare Dominance Back in 1962

Bed Time Reading - Spying on the Bomb

August 27, 2006
Continuing the Bed Time Reading series, and a previous post related to India's Espionage Leaks, this book is a great retrospective on U.S. nuclear intelligence from Nazi Germany to Iran and North Korea.

An in-depth review, with an emphasis on India's counterintelligence tactics:

"India's success in preventing U.S. spy satellites from seeing signs of the planned tests days to weeks in advance was matched by its success in preventing acquisition of other types of intelligence. India's Intelligence Bureau ran an aggressive counterintelligence program, and the CIA, despite a large station in New Delhi, was unable to recruit a single Indian with information about the Vajpayee government's nuclear plans. Instead, the deputy chief of the CIA station in New Delhi was expelled after a botched try at recruiting the chief of Indian counterintelligence operations. Former ambassador Frank Wisner recalled that `we didn't have... the humans who would have given us an insight into their intentions'." Ambassadors do not keep aloof from the CIA's work, evidently. Their denials are false.

NSA's eavesdropping activities did not detect test preparations. "It's a tough problem," one nuclear intelligence expert told investigative journalist Seymour Hersh. India's nuclear weapons establishment would communicate via encrypted digital messages relayed via small dishes through satellites, using a system known as VSAT (very small aperture terminal), "a two-way version of the system used by satellite television companies". Good show. At the end of the day, Americans admitted that even if they had been better informed, they could not have prevented Pokhran II just as they could not deter Pakistan from staging its tests at Chagai."

Was the USSR's tactic of helping the enemies of their enemies, thus ruining the Nuclear-club monopoly by making the A-bomb a public secret, the smartest or dumbest thing they ever did? Monopolies are bad by default, but balance is precious as the "rush must always be tempered with wisdom". How about a nice game of chess instead?

Related resources and posts:
Nuclear
Who needs nuclear weapons anymore?
North Korea's Strategic Developments and Financial Operations
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems

Steganography and Cyber Terrorism Communications

August 26, 2006
Following my previous post on Cyber Terrorism Communications and Propaganda, I'm continuing to summarize interesting findings on the topic. The use of encryption to ensure the confidentiality of a communication, be it by criminals or terrorists taking advantage of the speed and cheapness of Internet communications, is often assumed to be the default type of communication. I feel that it's steganographic communication, in all of its variety, that's playing a crucial role in terrorist communications. It's never been about the lack of publicly or even commercially obtainable steganographic tools, but about the ability to know where and what to look for. Here's a brief comment on a rather hard to intercept communication tool, SSSS - Shamir's Secret Sharing Scheme:

"No other medium can provide better speed, connectivity, and most importantly anonymity, given it’s achieved and understood, and it often is. Plain encryption might seem the obvious answer, but to me it’s steganography, having the potential to fully hide within legitimate (at least looking) data flow. Another possibility is the use secret sharing schemes. A bit of a relevant tool that can be fully utilized by any group of people wanting to ensure their authenticity and perhaps everyone’s pulse, is SSSS - Shamir's Secret Sharing Scheme. And no, I’m not giving tips, just shredding light on the potential in here! The way botnets of malware can use public forums to get commands, in this very same fashion, terrorists could easily hide sensitive communications by mixing it with huge amounts of public data, while still keeping it secret."

Intelligence officials and analysts are often confronted with a difficult choice: should they actively scan the entire public Internet, or only single partitions of the known chaos, namely the majority of Islamic/Jihadi related web sites? Trouble is, the latter is a heck of a short-sighted approach, and way too logical a one to actually produce results. Moreover, in all the fuss about terrorists using steganography, or even encryption, to communicate, the majority of experts, shooting in the dark, have totally neglected the very concept of disinformation. To be honest, I'm a little surprised at the lack of it: picture the media buzz over a recently found map of a key region and encoded messages embedded in a public image, continue with public institutions raising threat levels and vendors taking advantage of this "marketing window", when in between, someone gained access to a third party's e-identity and used it to creatively communicate the real message.

It's a public secret that the majority of the Terrorist Training Manuals already obtained on the Web give instructions on primitive but IT-centered approaches to anonymity, such as encryption, the use of proxies, and yes, steganography as well. Yet another public secret: these very same training manuals are actual copies of unclassified and publicly obtained Intelligence, Military and Security research documents. Here's a chapter on Secret Writing and Cipher and Codes. Primitive, but still acting as an indicator of the trend.

The most comprehensive scan of USENET for steganography was conducted back in 2001, primarily because of the post-9/11 debate on the use of steganography by terrorists. Surprisingly, the experiment didn't find a single hidden image, via a dictionary-based attack on the JSteg and JPHide positive images, of course:

"After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis. A detailed description of the detection framework can be found in Detecting Steganographic Content on the Internet. This page provides details about the analysis of one million images from the Internet Archive's USENET archive. Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS."

Concerns about the invaluable sample:
- It used primarily USENET as a possible source of images
- It excluded music and multimedia files, as well as TCP/IP covert communication channels, which are hard to detect while in transmission; information can indeed move with the speed of an error message
- It cannot scan the Dark Web, the one closed behind common crawler-blocking techniques or simple authentication
- It cannot scan what's not public, namely malware-infected hosts, entire communication platforms hosted on a defaced web server somewhere, or temporary communication dead boxes; and while talking about such, free web space providers can provide interesting information, given you know where and what to look for, as always

The bottom line is that if someone really wants to embed something into commodity data such as a video, a picture or an MP3 file, they will. Generating more noise when there's already enough of it is, on the other hand, a smart approach I feel is getting abused all the time. How to deal with the problem? Ensure your ECHELON approaches are capable of detecting the patterns of the majority of public/commercial steganography tools. And according to public sources, that seems to be the case already:

"R2051 Steganography Decryption by Distributive Network Attack Develop a distributive network analysis application that can detect, identify, and decrypt steganography in multiple types of files, including commonly used audio, video and graphic file formats.The application must quickly and accurately detect and identify files containing steganography and extract the hidden messages and data from the file. Decryption of any messages or data encoded before the use of a steganography program is not required. The system must allow for easy, low-cost, frequent updating to counter new emerging programs. It must detect, extract, and decrypt messages in any file that has used any currently commercially available steganography programs as well as commonly encountered non-commercial programs. These would include, but are not limited to, the following: Covert.tcp; dc-Steganograph; EzStego; FFEncode; Gzsteg; Hide 4 PGP; Hide and Seek 4.1; Hide and Seek 5.0; Hide and Seek for Windows 95; jpeg-jsteg; Paranoid, Paranoid1.1.hqx.gz; PGE - Pretty Good Envelope; PGPn123; S-Tools : S-Tools 1.0 (Italy, Finland); S-Tools 2.0 (Italy, Finland); S-Tools 3.0 (Italy), Finland); S-Tools 4.0 (Italy, Finland); Scytale; Snow; Stealth, Stealth 2.01 ; Steganos 1.4; Steganos for Windows 95 and upgrade 1.0a; Stego by John Walker; Stego by Romana Machado; Stegodos; Texto; wbStego; WitnesSoft; and WINSTORM"

The rest is making sense out of the noise and OSINT approaches for locating the "bad neighborhoods".

Figure courtesy of Bauer 2002 at the FBI's Overview of Steganography for the Computer Forensics Examiner.

Microsoft's OneCare Penetration Pricing Strategy

August 26, 2006
In a previous post, Microsoft in the Information Security Market, I commented on Microsoft's most recent move into the information security market and the anti-virus market segment. Moreover, several months earlier I pointed out 5 things Microsoft can do to secure the Internet and why it wouldn't, namely:

- Think twice before reinventing the security industry
- Become accountable, first in front of itself, then in front of its stakeholders
- Reach the proactive level and avoid the reactive one with respect to software vulnerabilities
- Introduce an internal security-oriented culture, or better utilize its workforce with respect to security
- Rethink its position in the security vulnerabilities market

Recently, the much-hyped debate on whether Microsoft's anti-virus would take a piece of the anti-virus market seems to have finally materialized with the help of basic pricing strategies:

"Helped by low pricing, Microsoft's Windows Live OneCare landed the number two spot in sales at US stores in its debut month, according to The NPD Group. The antivirus and PC care package nabbed 15.4 per cent of security suite sales at retailers such as Best Buy and Amazon.com, according to NPD's data. The average price was $29.67, well below Microsoft's list price of $49.95. Online at Amazon.com, OneCare is available for only $19.99."

Ya-hoo? Not so fast, since stats like these exclude the hundreds of licensing deals, co-branding arrangements, ISP affiliations and reseller positions, as well as ready-to-ship PCs bundled with software from the rest of the vendors:

"Symantec noted that NPD covers retail sales only, and does not include consumer sales through internet service providers and PC makers, for example. "We just had a record June quarter in consumer sales, said Mike Plante, a marketing director at the company. You can't really draw market share conclusions from the NPD data alone, particularly with just a month of data."

I wonder what Microsoft's strategy will consist of by the time their offering reaches the growth stage and starts maturing, perhaps bargaining by offering software discounts and one-stop-shop services. I once pointed out another anti-virus market statistics concern, namely Panda Software's stated earnings (a private company, with no SEC or stockholders to bother about) placed right next to those of publicly traded companies. My point is that if Gartner wanted to offer a better grasp of this vibrant market segment, they'd better have used F-Secure, which is a publicly traded anti-virus vendor, as that would greatly improve an analyst's confidence in the provided data, wouldn't it?

Penetration pricing is all about gaining market share, and Microsoft's case reminds me of how RealNetworks were ready to lose cents on each and every song sold through their digital music service in order to offer, at least temporarily, a competitive alternative to iTunes.

Security cannot be bought; a false sense of security can, though. Whereas risk exposure and risk mitigation define a scientific approach going beyond visionary security management, it's arguable which one dominates, as marketing and branding often do the job: if (true) advertising does its job, millions of people keep theirs. Case in point, Symantec, which currently has the largest market share (a figure that greatly depends on the geographical area and the number of anti-virus products included), is indeed the market leader, but that doesn't necessarily mean it offers the "leading" product. Exactly the opposite: it offers the most popular, most available one, the one that usually comes with Norton's powerful and well-known brand.

Why wouldn't Microsoft want to license Kaspersky's, F-Secure's or Symantec's technology, for instance? Because that would have been like a Chinese growth syndrome, so to speak. The Chinese economy is shifting from a source of raw materials to an actual manufacturer, a bit of vertical integration given you have something to offer the market at a particular moment in time, and then you start counting the new millionaires. The higher the proportion of the business machine you own, the greater the profits at the end of the quarter, and with key regions across the world still getting online, malware is only going to get more attention from both sides of the front.

From a business point of view, you can twist a user's actual wants so successfully that you make it almost impossible to remember what was needed in the first place; long live the sales forces! It is often arguable whether anti-virus software has turned into a commodity the way media players did, but for the end user, the one with powerful bandwidth available, price and availability speak for themselves. Contrary to some recent comments that the most popular anti-virus products don't work, mostly because malware authors test their "releases" against these products, they actually test against all anti-virus products, the way pretty much everyone in the know tests suspicious files or evaluates vendors' response times.

Don't be surprised if next time you buy a cheeseburger, the dude starts explaining the basics of zero-day protection and offers you a ZIP-based discount, if any, on an anti-virus solution, with up to three licenses for your wired family. Co-branding, licensing and industry outsiders are on the lookout for fresh revenues, and with malware representing both the most popular threat and the most popular security "solution" bought, stay tuned for a McDonald's Anti Virus "on-the-go". Hopefully one using licensed technology from a vendor with experience and vision.

Related posts:
Look who's gonna cash for evaluating the maliciousness of the Web
Spotting valuable investments in the information security market
Valuing Security and Prioritizing Your Expenditures
Budget Allocation Myopia and Prioritizing Your Expenditures