Tom Olzak

Archive for the ‘Cyber Espionage’ Category

MIT Report Troubling

In Business Continuity, China, Cyber-warfare, Government, Risk Management on March 1, 2013 at 18:17

In a recent report (MIT Report: U.S. Manufacturing Hits a Wall When It’s Time to Scale), Curt Woodward writes that a group of MIT researchers discovered an almost impassable chasm when looking for investment dollars.  The investment dollars were for needed for 150 production companies wanting to move to full-scale production, and they were only available from foreign investors or if moved off-shore.

Why is this a security issue?  Because it has been clear for a long time that no one wants to build manufacturing plants in the US.  I’m not talking about steel mills; rather, the 150 companies (many started or supported by MIT students, professors, etc.) focused primarily on hi-tech products.  Just what we need… move all hi-tech production–the kind of production that is crucial to our economy and our national security–off-shore or make it vulnerable to the whims of foreign investors.

I don’t care whose fault this is; we spend far too much time in this country pointing fingers when we should be sitting down together to solve problems.  China is laughing is collective butt off as it steals our intellectual property and increasing builds our technology.  I just don’t think it’s that funny…

Nyuh-uh… wasn’t me…

In Business Continuity, China, Computers and Internet, Critical Infrastructure, Cyber Espionage, Cyber-warfare on February 20, 2013 at 18:48

Read this article first. Unit In China’s PLA Behind Massive Cyber Espionage Operation: Report | SecurityWeek.Com.

Now we can talk…

It should come as no surprise that China is aggressively hacking into anything it can.  In 2009, Gurmeet Kanwal wrote in the Journal for Defence Studies,

“The Chinese call their pursuit of information warfare and other hi-tech means to counter Washington’s overwhelmingly superior conventional military capabilities “acupuncture warfare”, a term that first surfaced in a 1997 PLA National Defense University publication entitled “On commanding Warfighting under High-Tech Conditions.”  Acupuncture warfare (also called “paralysis warfare”) was described as ‘Paralysing the enemy by attacking the weak link of his command, control, communications and information as if hitting his acupuncture point in kung fu combat.'”

So the Chinese have hacked, wheedled, and otherwise slunk into our national infrastructure.  They seem to be expanding on their initial acupuncture approach with theft of information needed to catch up with or impede Western technical and financial progress.  Of course, the Chinese deny they are anything but victims.

Yes, it is naive to believe we aren’t just as aggressively going after the Chinese.  However, public and private organizations still fail to understand the threat.  In China, the government has no problem applying pressure where needed to protect national infrastructure.  In fact, it is highly probable the Chinese government can disconnect China from the Internet on command.  In both areas, Western nations are at risk.

The path we must take in the West is to force government, financial institutions, utilities, healthcare organizations, and other critical service providers to secure their networks or face severe sanctions.  After all, we can do little about what China sees as behavior in support of its national security.  What we can do is remove the vulnerabilities it exploits and closely monitor for what is obviously continuous malicious activity.  We’ve waited long enough for government and private management to do the right thing.  It’s now time to pick up Teddy’s big stick and domestically whack some heads.

Executive Order: Improving Critical Infrastructure Security

In Control Systems, Critical Infrastructure, Cyber Espionage, Cyber-warfare, Government, Regulation on February 15, 2013 at 21:03

President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States.  You can read the order here...  In theory, it’s what we need.  In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a ” We really do care” position?

The order includes a directive for information sharing but leaves it to the various departments to decide who to notify, what to declassify, etc.  Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets.  Nothing in the order specifies process or technology needed to give timely notifications.  Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.

The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out recommendations the NIST is requested to formulate.  Incentives?  Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time.  If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess.  It wasn’t yesterday that security became an issue for anyone with a computer.  There is no excuse for our current situation except heavy lobbying and political career survival practices.

I do hope there is progress on the president’s plan, but I’m not hopeful.  My faith in business and government doing the right thing left the station long ago.

 

 

YAWN!!!!

In Application Security, Business Continuity, Cyber Espionage, Cyber-warfare, Cybercrime, Government, Network Security, Regulation, Security Management on February 10, 2013 at 19:44

Another article from AP today about the U.S. vulnerability to cyber attacks.  No longer news, this kind of information is simply depressing.  Mike Rogers, a member of the House of Representatives, believes that 95% “of private sector networks are vulnerable and most have already been hit.”  Maybe, but nowhere does the article offer actual statistics or source research.  Further, no mention is made of the porous security protecting government agencies.  Figures…

Rogers contends that all the government has to do is share classified threat information and all will be well.  What is he smoking?  Everyone already knows what is needed to protect our national infrastructure.  This looks like a good copout by Republicans: protecting business by doing something useless while convincing the gullible they are doing something worthwhile.  Compromising national security isn’t necessary; all we have to do is start forcing the slackers to meet minimal security requirements.  The Feds should start with their own minimal security guidelines included in FIPS PUB 200.

In my opinion, this grandstanding by legislators needing another law passed to prove their value (God knows something has to) is not helpful.  What is helpful is applying meaningful efforts to identify weaknesses–can anyone say public utilities–and apply the necessary pressure to remove them.  This must happen without whining about cost to affected businesses and industries.  My MBA helps be understand the business side, but my common sense and sense of insecurity drive me to scream, “ENOUGH!!”

Government Dysfunction Strikes Another Blow for Insecurity

In Access Controls, Business Continuity, China, Cyber Espionage, Government, Hacking, Network Security, Password Management, Policies and Processes, Risk Management, Security Management, Vendor Management on October 12, 2010 at 12:51

For many years, even before the Internet, changing default access codes, passwords, and other vendor assigned information was considered a basic no-brainer.  And I understand normal people (non-IT) not getting it.  After all, if it wasn’t a good password, why would a vendor assign it…?  And who wants to argue with a support guy on the phone who can’t understand why you changed it?  I get it.  However, when our government doesn’t see the value in the change, we have a big problem.

According to an article last week in the New York Times,

[University of Michigan researchers] infiltrated the District of Columbia’s online voting system last week. They changed all votes for mayor to Master Control Pro and elected HAL 9000 the council chairman. The blaring University of Michigan fight song played whenever a new ballot was successfully cast” (Wheaton, 8 Oct 2010).

To be fair, this is a pilot project by the District’s Board of Elections.  However, I always thought “pilot’” meant seeing how it works in the real world.  So it should also mean setting security for testing system trust.  One reason why this is necessary was included in the same article:

“[Professor J. Alex Halderman] said he also saw signs that computer users in Iran and China were trying to crack the system’s master password — which his team obtained from an equipment manual. (Network administrators had never changed the four-character default password.) He said that the foreign hackers were probably not specifically trying to break into the District’s voting system, but that they represented a threat nonetheless” (ibid.)

In addition to immediate attempts by our “enemies” to hack into the system, we decided to practice global good will by leaving the vendor password in place for anyone who wanted into our system.  What a novel idea regarding how to meet the cyber-crime and warfare challenges we increasingly face.

In case you haven’t yet gotten the message across to your network engineers or internal support personnel, this might be something you can use as an attention-getter (instead of the bat you’ve placed strategically next to your filing cabinet.

This is just one more example of the dysfunction of our government information handling capability.

%d bloggers like this: