Tom Olzak

Posts Tagged ‘cyberwarfare’

Nyuh-uh… wasn’t me…

In Business Continuity, China, Computers and Internet, Critical Infrastructure, Cyber Espionage, Cyber-warfare on February 20, 2013 at 18:48

Read this article first. Unit In China’s PLA Behind Massive Cyber Espionage Operation: Report | SecurityWeek.Com.

Now we can talk…

It should come as no surprise that China is aggressively hacking into anything it can.  In 2009, Gurmeet Kanwal wrote in the Journal for Defence Studies,

“The Chinese call their pursuit of information warfare and other hi-tech means to counter Washington’s overwhelmingly superior conventional military capabilities “acupuncture warfare”, a term that first surfaced in a 1997 PLA National Defense University publication entitled “On commanding Warfighting under High-Tech Conditions.”  Acupuncture warfare (also called “paralysis warfare”) was described as ‘Paralysing the enemy by attacking the weak link of his command, control, communications and information as if hitting his acupuncture point in kung fu combat.'”

So the Chinese have hacked, wheedled, and otherwise slunk into our national infrastructure.  They seem to be expanding on their initial acupuncture approach with theft of information needed to catch up with or impede Western technical and financial progress.  Of course, the Chinese deny they are anything but victims.

Yes, it is naive to believe we aren’t just as aggressively going after the Chinese.  However, public and private organizations still fail to understand the threat.  In China, the government has no problem applying pressure where needed to protect national infrastructure.  In fact, it is highly probable the Chinese government can disconnect China from the Internet on command.  In both areas, Western nations are at risk.

The path we must take in the West is to force government, financial institutions, utilities, healthcare organizations, and other critical service providers to secure their networks or face severe sanctions.  After all, we can do little about what China sees as behavior in support of its national security.  What we can do is remove the vulnerabilities it exploits and closely monitor for what is obviously continuous malicious activity.  We’ve waited long enough for government and private management to do the right thing.  It’s now time to pick up Teddy’s big stick and domestically whack some heads.

Executive Order: Improving Critical Infrastructure Security

In Control Systems, Critical Infrastructure, Cyber Espionage, Cyber-warfare, Government, Regulation on February 15, 2013 at 21:03

President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States.  You can read the order here...  In theory, it’s what we need.  In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a ” We really do care” position?

The order includes a directive for information sharing but leaves it to the various departments to decide who to notify, what to declassify, etc.  Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets.  Nothing in the order specifies process or technology needed to give timely notifications.  Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.

The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out recommendations the NIST is requested to formulate.  Incentives?  Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time.  If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess.  It wasn’t yesterday that security became an issue for anyone with a computer.  There is no excuse for our current situation except heavy lobbying and political career survival practices.

I do hope there is progress on the president’s plan, but I’m not hopeful.  My faith in business and government doing the right thing left the station long ago.

 

 

Bad software can be tortuous… in a very bad way

In Application Security, Cyber Espionage, Hacking, Network Security, Risk Management on September 16, 2010 at 10:35

It isn’t any surprise that Iranians and other people using the Internet in information-restricted countries need a way to “break out.”  It is also no surprise that someone would try to build a software solution to meet this challenge.  What is a surprise is the alleged lack of due diligence applied by the creators of Haystack, an application that seemed to promise anonymity for Iranians trying to circumvent government controls.

According to the Haystack website,

“Haystack is a computer program that allows full, uncensored access to the internet even in areas with heavy internet filtering such as Iran. We use a novel approach to obfuscating traffic that is exceptionally difficult to detect, much less block, but which at the same time allows users to security use normal web browsers and network applications.

[…]

Haystack hides traffic to any from the internet at large inside traffic that looks like perfectly normal web connections to innocuous sites. The Haystack client connects to our servers which in turn talk to websites on behalf of our users.”

This sounds like a great idea.  Think of the uses for a product that allows Iranians–and maybe eventually Chinese, North Koreans, etc.–to access uncensored opinion and news.  Of course, it would have to do this without government officials being able to see what users are accessing.  And although Haystack was supposed to do this, it apparently fails miserably.

According to a tweet by security researcher Jacob Appelbaum,

“Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.”

In other words, if you are living in Iran and hoping freely to to surf the Web AND stay out of an Iranian prison, this is probably not the software for you.  So the Censorship Research Center (CRC) pulled the product.  Probably a good idea…

So what went wrong?  The main developer of Haystack resigned publicly and sent a letter to the Liberationtech mailing list.  In the letter, Daniel Colascione takes a lot of the responsibility for releasing what was supposed to be a test application–maybe closer to a proof of concept.  According to Colascione, it was not intended for public distribution or use by people who might put their physical freedom in jeopardy.  However, hype prevailed at the CRC, launching the product into public view and setting unreasonable and incorrect expectations.

Dan Goodin writes in a 14 September 2010 article in The Register,

The Guardian, for instance, named Censorship Research Center Executive Director Austin Heap the the 2010 Innovator of the Year and called Haystack “a key technology used by Iranians to disseminate information outside the country in the protests that followed the disputed election result in June 2009.” Newsweek, the BBC, Forbes, Salon.com, and The Atlantic have also lauded the project, even though Heap now says it never made it out of development and wasn’t widely used.

At this time, no one really knows if anyone put themselves in danger by using the software.  But let’s be honest; when something is hyped this much, it inevitably makes it to users’ desktops.  Based on on my quick research into this incident, this seems more like mismanagement than the intended release of really bad software.  It looks like the CRC was carried away on the tide of growing acclaim and took the public along for the ride.  Another instance of the media getting carried away?

In any case, I think there are at least two lessons to learn from this event.

  1. Never let potentially prison-causing software out of its cage until it is fully tested by numerous security researchers trying very hard to break it.
  2. Never get carried away by the hype surrounding a new product.  Do you own research into the product and its capabilities.  We can’t rely on much of the media responsibly to do this.

But Congress hasn’t stuck its collective finger in it yet…

In Business Continuity, Cyber Espionage, Cyber Terrorism, Cyber-warfare, Cybercrime, Government on April 15, 2010 at 12:24

In a recent article, U S Cyber Command Nominee Discusses Policies, an army three-star general commented on cyber-war preparation.  While I agree with the military’s approach–what they will discuss, given the classified nature of their planning–I don’t believe Congress will be able to keep their hands out of this.  By the time our elected officials finish debating, filibustering, or holding hearings, our electricity, water supply, and financial institutions  will all have converted to Chinese as their official language…

And by the way, who taught the alleged soldier int the photo how to salute?  And what’s with the strap hanging down from his helmet?  Ok, Ok.  I know.  I was a sergeant way too long…  I’ll let it go.

White House Blowing Smoke?

In China, Cyber Espionage, Cyber-warfare, Government on April 7, 2010 at 11:45

A little something I wrote about recent comments by White House Cybersecurity Coordinator Howard Schmidt.

White House Blowing Smoke?.

%d bloggers like this: