07.08.11
Posted in Cyberterrorism at 9:27 pm by George Smith
Moment of unintentional hilarity from a Congressional hearing:
Confirming years of warnings from government and private security experts, a top Homeland Security official has acknowledged that computer hardware and software is already being imported to the United States preloaded with spyware and security-sabotaging components …
[Congressional question to functionary from DHS]: “Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?”
[Answer: Hesitant, stumbling “yes”.]
Pre-loaded junkware and smart devices manufactured overseas have been obvious sitting duck targets for computer criminals for years.
And how does one absolutely distinguish the threat of suspiciously malicious junkware from stuff so full of holes and bugs it’s not fit for any purpose?
Its just deserts when the corporate bottom line, outsourcing and anything that detracts from instantaneous easy do-nothing profits on services and digital goods trumps everything else.
Related:
Google’s malware app store.
Permalink
Posted in Cyberterrorism at 3:00 pm by George Smith
As seen on the TV Google News tab.
That’s mine, right under the lameness from TIME.
A TIME blog, called TechLand, muses on a scripted routine now fifteen years old.
And that’s because you can walk right in off the street at such places and be uninformed and incurious. Today this is an asset because a grasp of history and the vast sprawl of the issue gets in the way.
Read this, the usual journalism split-the-difference thing, including the usual arguments from authority (Eek! Very important Congressmen wrote you need to be afraid in the Washington Post today!):
Online security risks have become increasingly prevalent with the likes of Anonymous and LulzSec continuing to expose the sorry state of corporate network security, and policymakers are clamoring to “do something??? to address the threat. Unfortunately, there is a tendency in Washington to employ the rhetoric of war when talking about cybersecurity, which is a very dangerous tendency.
For example, in a Washington Post op-ed today, Senators Lieberman, Collins and Carper argue for cybersecurity legislation, saying, “The alternative could be a digital Pearl Harbor — and another day of infamy.???
“Electronic Pearl Harbor, electronic Pearl Harbor, electronic Pearl Harbor, ad nauseum.
I quote from the Federation of American Scientist’s Secrecy Bulletin. In 1998:
“I certainly agree that the notion of an electronic Pearl Harbor specifically, and more generally of information warfare, has been hyped to the point of nausea,” said the vice president of one intelligence contractor that has multi- billion dollar annual revenues from its work in information technology. “This is but the latest of many fads in ‘the Community’,” he told S&GB, “and like most of its predecessors, [it] has just enough substance to require that serious attention be paid, but not nearly as much substance as the Cassandras of the Community would have us believe.”
Quite a bit has changed in the intervening period. It’s not a fad anymore, it’s a way of life.
And billions on-line are now confronted daily with malicious software and criminal activity. In 1998, the average citizen’s exposure to such things was orders of magnitude less.
Another big change has been the total decoupling of national security interests, including computer security, from virtually anything have to do with the great mean — the middle class — in this country.
Now, the entire public debate is basically high-button threatre designed to convince everyone of the need to protect the plutocrats from the paupers in cyberspace.
And here is a piece I wrote a couple weeks ago, which said just that, is reprinted again today at Globalsecurity:
A cursory reading of [the historical record] of beware-of-electronic-Pearl-Harbor notices since the late Nineties reveals their sameness. All of them are ultimately based on the simplistic idea that unknown enemies on the other side of the world can overturn substantial portions of the US by flicking a few software switches.
This is essentially the result of two things: Now way-old American national security infrastructure near psychotic paranoia over magical technological surprise that never occurs and now way-old methodology on massaging the national treasury for funding.
The other bits in the current arguments about cybersecurity and cyberwar are the warnings that the financial system could be hit …
The argument that the US financial system ought to be protected from electronic Pearl Harbor would, if all Americans actually knew of it, strike them as ridiculous.
It’s easily observable that people are much more interested in protection from the racket that’s the American financial system. Cyberwar and hack attacks on it, when compared to the damage inflicted by Wall Street misbehavior, are absurdly small things.
Permalink
07.05.11
Posted in Bioterrorism, Cyberterrorism, War On Terror at 10:30 am by George Smith
We continue with our quality programming in a moment. Help keep it that.
DD blog needs your help. I’m not too proud to beg.
The economic crash of 2008 has been as hard here as everywhere else.
Since stepping into cyberspace in the early Nineties everything written has been provided largely pro bono. And this is the first fundraiser of any kind that I’ve held.
Originally, I went under the rubric of the old electronic Crypt Newsletter, an e-zine devoted to hacker culture, specifically that centered on the worldwide network of young computer virus-writers.
For years, well before the web was what it is today, Crypt Newsletter was hosted on a server administered by the Dept. of Critical Criminology studies at Northern Illinois University. Here it is in the Wayback machine, the last update spanning content from 1996-2004.
Much of the work published through it was aimed at increasing public understanding of issues in cybersecurity and the hype-laden subjects of cyberterrorism and cyberwar. That continues to this day.
In 1994 some of the earliest published content was used in The Virus Creation Labs, a book on the old computer virus underground published by American Eagle. Interesting side fact: While the book is now technically out of print, the publisher decamped to Central America before 2000, convinced the country would overturn or that hyperinflation would come about as the result of the Millennium Bug.
By 2004 I had moved to a slightly different place at GlobalSecurity.Org, still doing pro bono public research on various security topics.
This work moved into the domain of poison recipes, specifically those for ricin and alleged home-made chemical and biological weapons, which had originated in the American survivalist extremist fringe during the Eighties. By the Nineties these tracts had been migrated to the Internet and simultaneously translated into Arabic.
As a result, almost purely by serendipity, I was consulted by the defense for the now famous London ricin trial. That work, which was the first of its kind in this country, is archived here at GlobalSecurity.
In terms of practical things, this was one of the first places you could see at least one of the claims made by the US government, delivered by Colin Powell in his address to the UN Security Council, on reasons for war in Iraq, shot to pieces.
The London ricin ring as a link between Saddam Hussein and al Qaeda had been part of Powell’s presentation and the material published at Globalsecurity destroyed it.
At the time, the US news media largely ignored this but the work could not be erased. History had its way. (Examples of the news on the ricin trial in the US news media are here, at the Washington Post; and from Newsweek.)
Around 2006, the public work was formally moved to Dick Destiny blog.
Material published through here pushed back against mainstream and government claims that al Qaeda had capability in biological chemical weapons and that documents found on the Internet conferred equal capabilities to any jihadis interested in them.
While unpublicized that effort has been a success.
With the help of others the official public position was modified. One example was the grudging concession in the 2008 report from the US Commission on the Prevention of WMD Proliferation and Terrorism: “We accept the validity of intelligence estimates about the current rudimentary nature of terrorist capabilities in the area of biological weapons … ” (Page 39.) Those intelligence estimates were not furnished by the US government’s analytical apparatus. They came from the work of outsiders, from here and analysis provided by colleagues.
Other proof is the anecdotal evidence that mainstream news is no longer littered with scare pieces insisting that al Qaeda men in some broken down hideout can make WMDs because of global access to terror capabilities granted by the Internet. Still, occasionally I have to issue burn notices on retired CIA men who resist getting the message. One example of such, from last year, is here.
Not bad for a blog.
Since then regular readers know I’ve kept up the fight while expanding into system domestic problems of economy and inequality which threaten the nation’s security in ways foreign threats during the war on terror never could.
This short history touches upon why the work has mattered. And so I ask for your help in keeping it moving forward and vital. Please help spread the word.
Donations are taken through PayPal. And you can still contribute without a designated PayPal account. Just page down to “Don’t have a PayPal account?” and click “continue.”
Permalink
Posted in Cyberterrorism at 8:08 am by George Smith
From the Philly News by way of the NY Times News Service:
Robert Morris, 78, a cryptographer who helped develop the Unix computer operating system, which controls an increasing number of the world’s computers, died Sunday in Lebanon, N.H.
The cause was complications of dementia, his wife, Anne Farlow Morris, said.
Known as an original thinker in computer science, Mr. Morris also played an important clandestine role in planning what was probably the nation’s first cyberwar: the electronic attacks on Saddam Hussein’s Iraqi government in the months leading up to the Persian Gulf War of 1991.
In 1986, Mr. Morris went to work for the National Security Agency in protecting government computers and in projects involving electronic surveillance and online warfare.
It’s worth adding that “probably the nation’s first cyberwar” went totally unnoticed. Minor embellishment to ancient history or not, cyberwars — if they actually occurred — never had any visible impact on Saddam Hussein.
There is, however, the hoax/April Fool’s joke that the Iraqi Gulf War printer virus story. (Alert readers may note that’s my by-line at the top of the pile.)
Two years after Robert Morris. joined the NSA, his son — Robert Tappan Morris, unleashed what became known as the Morris worm on the Internet. The younger Morris was a student at Cornell at the time.
The Morris worm incident spurred the creation of CERT, the Computer Emergency Response Team, at Carnegie-Mellon.
Permalink
06.29.11
Posted in Bioterrorism, Cyberterrorism, War On Terror at 12:52 pm by George Smith
DD blog needs your help. I’m not too proud to beg.
The economic crash of 2008 has been as hard here as everywhere else.
Since stepping into cyberspace in the early Nineties everything written has been provided largely pro bono. And this is the first fundraiser of any kind that I’ve held.
Originally, I went under the rubric of the old electronic Crypt Newsletter, an e-zine devoted to hacker culture, specifically that centered on the worldwide network of young computer virus-writers.
For years, well before the web was what it is today, Crypt Newsletter was hosted on a server administered by the Dept. of Critical Criminology studies at Northern Illinois University. Here it is in the Wayback machine, the last update spanning content from 1996-2004.
Much of the work published through it was aimed at increasing public understanding of issues in cybersecurity and the hype-laden subjects of cyberterrorism and cyberwar. That continues to this day.
In 1994 some of the earliest published content was used in The Virus Creation Labs, a book on the old computer virus underground published by American Eagle. Interesting side fact: While the book is now technically out of print, the publisher decamped to Central America before 2000, convinced the country would overturn or that hyperinflation would come about as the result of the Millennium Bug.
By 2004 I had moved to a slightly different place at GlobalSecurity.Org, still doing pro bono public research on various security topics.
This work moved into the domain of poison recipes, specifically those for ricin and alleged home-made chemical and biological weapons, which had originated in the American survivalist extremist fringe during the Eighties. By the Nineties these tracts had been migrated to the Internet and simultaneously translated into Arabic.
As a result, almost purely by serendipity, I was consulted by the defense for the now famous London ricin trial. That work, which was the first of its kind in this country, is archived here at GlobalSecurity.
In terms of practical things, this was one of the first places you could see at least one of the claims made by the US government, delivered by Colin Powell in his address to the UN Security Council, on reasons for war in Iraq, shot to pieces.
The London ricin ring as a link between Saddam Hussein and al Qaeda had been part of Powell’s presentation and the material published at Globalsecurity destroyed it.
At the time, the US news media largely ignored this but the work could not be erased. History had its way. (Examples of the news on the ricin trial in the US news media are here, at the Washington Post; and from Newsweek.)
Around 2006, the public work was formally moved to Dick Destiny blog.
Material published through here pushed back against mainstream and government claims that al Qaeda had capability in biological chemical weapons and that documents found on the Internet conferred equal capabilities to any jihadis interested in them.
While unpublicized that effort has been a success.
With the help of others the official public position was modified. One example was the grudging concession in the 2008 report from the US Commission on the Prevention of WMD Proliferation and Terrorism: “We accept the validity of intelligence estimates about the current rudimentary nature of terrorist capabilities in the area of biological weapons … ” (Page 39.) Those intelligence estimates were not furnished by the US government’s analytical apparatus. They came from the work of outsiders, from here and analysis provided by colleagues.
Other proof is the anecdotal evidence that mainstream news is no longer littered with scare pieces insisting that al Qaeda men in some broken down hideout can make WMDs because of global access to terror capabilities granted by the Internet. Still, occasionally I have to issue burn notices on retired CIA men who resist getting the message. One example of such, from last year, is here.
Not bad for a blog.
Since then regular readers know I’ve kept up the fight while expanding into system domestic problems of economy and inequality which threaten the nation’s security in ways foreign threats during the war on terror never could.
This short history touches upon why the work has mattered. And so I ask for your help in keeping it moving forward and vital. Please help spread the word.
Donations are taken through PayPal. And you can still contribute without a designated PayPal account. Just page down to “Don’t have a PayPal account?” and click “continue.”
Permalink
06.27.11
Posted in Cyberterrorism, Decline and Fall at 2:26 pm by George Smith
I get one or two interview requests a week on cybersecurity lately.
The conversations always hinge on matters of absolutely no interest to the American middle class. Most popular now: “What would a cyberwar look like?”
I usually don’t answer such questions with predictions or go-alongs.
This is because the term “cyberwar” has been so abused and overused it’s effectively meaningless.
Its only utility is to rivet a reader’s attention. And while it still merits discussion there’s no capacity for conducting any kind of thoughtful debate on it in the national media. Or the halls of Congress or anywhere that’s not behind walls of secrecy.
Anyway, cybersecurity and cyberdefense, like much national security, is now almost totally split away from the interests of average people.
The American economy, which has turned on the middle class, is the foremost consideration in life. Not whether or not the CIA’s website is taken down or defense contractors and banks are invaded by hackers.
Last week, a new story arose, inspired by fear of LulzSec, which has since allegedly disbanded out of boredom.
Banks, it was said, wanted to be protected in cyberspace. Not out of any sudden realization that cybersecurity adds value and is a good thing to practice but because said banksters were worried about the cyber-paupers getting into their stuff and the scandal and momentary public embarrassment that entails.
And in this they show what can be seen when people lose all faith in corporations and government institutions. There’s no sympathy for the defense contractor or giant financial multinationals that are hacked.
If you find anything at all, it’s something closer to “they had it coming.”
Which leads into a long story on national cybersecurity from AP.
I extract the only parts worth saving, those having to do with protecting the top tier in US corporate society from cyber-ruffians. The “they’re coming for out stuff” argument dressed up as a pressing reason to develop extreme national policy.
The excerpts:
Lynn and others also say the Pentagon must more aggressively protect the networks of defense contractors that possess valuable information about military systems and weapons’ designs. In a new pilot program, the Defense Department has begun sharing classified threat intelligence with a handful of companies to help them identify and block malicious cyber activity on their networks.
Over time, Lynn said, the program could be a model for the Homeland Security Department as it works with companies that run critical infrastructure such as power plants, the electric grid and financial systems.
[The bold-faced objective is of absolutely zero value to average Americans. No one will see any benefit, ever, on whether or not the Lockheed Martins of the US are protected from hacker breeches by the Pentagon. Lockheed Martin’s financial and proprietary business interests are the only things served
Another paradox here is that Lockheed Martin has very aggressively marketed its cyber-defense arm to the US government and military. Commercials are not hard to find in which the company portrays mock cyber-attacks being warded off by their brave and canny cyber-defenders..]
At a recent Capitol Hill hearing, incoming Pentagon chief Leon Panetta, the outgoing CIA director, said the U.S. must be aggressive in offensive and defensive countermeasures.
“I’ve often said that there’s a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems,” he said.
Panetta is the hero of the hunt for Osama bin Laden. But that does not mean he is a whiz-bang in all matters.
The “electronic Pearl Harbor” trope in reference to cyber-attack is now about fifteen years old.
You can do a Google search on it here.
In the first page list is something I wrote back in 1997 entitled “Electronic Pearl Harbor — Not Likely.”
A great deal has changed since them. But my title, as one of the few predictions I have ventured, remains solid.
Routinely, as one sees if one scans up the search page, are many many trivial writers declaring how “electronic Pearl Harbor” may have already happened. (Or what it would look like.)
The original Pearl Harbor, it’s worth noting, was impossible to overlook.
A cursory reading of these beware-of-electronic-Pearl-Harbor notices since the late Nineties reveals their sameness. All of them are ultimately based on the simplistic idea that unknown enemies on the other side of the world can overturn substantial portions of the US by flicking a few software switches.
This is essentially the result of two things: now way-old American national security infrastructure near psychotic paranoia over magical technological surprise that never occurs and now way-old methodology on massaging the national treasury for funding.
The other bits in the current arguments about cybersecurity and cyberwar are the warnings that the financial system could be hit.
The world economy was put in a tailspin by Wall Street financial systems in 2008. It has yet to recover.
And while Wall Street has done nicely since then, Main Street America has not. And by all accounts, no significant protections against Wall Street’s predations have been put in place in the intervening period.
The argument that the US financial system ought to be protected from electronic Pearl Harbor would, if all Americans actually knew of it, strike them as ridiculous.
It’s easily observable that people are much more interested in protection from the racket that’s the American financial system. Cyberwar and hack attacks on it, when compared to the damage inflicted by Wall Street misbehavior, are absurdly small things.
.
Permalink
06.22.11
Posted in Cyberterrorism, Made in China at 7:01 am by George Smith
China Radio International cybersecurity segment. L to R: CRI host Tom; Li Hong, Secretary General, China Arms Control and Disarmament Association; CRI host Qinduo. Obviously, lads, I’m not in this picture.
A one hour talk on cybersecurity and cyberwar with yours truly and others on China Radio International’s Wednesday morning Beyond Beijing news show is here. (Stream or as iPhone mp3 download.)
Permalink
06.21.11
Posted in Cyberterrorism, Made in China at 1:26 pm by George Smith
On state-run radio, at least. Ten AM Wednesday, Beijing time — or 7 pm tonight, I thin’.
I’ll be on China Radio International English Service to talk about world cybersecurity and cyberwar and hacktivism and …
All things considered [cue harmonica noise].
Permalink
06.20.11
Posted in Cyberterrorism at 1:34 pm by George Smith
From the wire:
Professional hacker Nicholas Percoco received an unusual request from a major financial institution this week: How can you help us avoid becoming the next Citigroup Inc?
Amid a wave of cyber attacks on Citi, the International Monetary Fund and other institutions, Percoco and his team at security firm Trustwave Holdings Inc are fielding more and more calls from banks wanting to stress-test their online defenses.
Again, cybersecurity is wanted by the halves — the plutocrat US multinationals — not because they’re thinking ahead about it being sound business. But now because they don’t like the cyber-paupers being into their stuff. Particularly when it’s embarrassing big news.
It’s another aspect of the detaching of security interests from the national welfare. Security, from the US military down to the grass roots of the Internet, is for protecting the haves from the have-nots.
It does not preserve or make better prospects for average Americans. Bombing paupers doesn’t promote living standards and boost wages for anyone not directly connected to that industry. And securing Vikram Pandit doesn’t even remotely chip away at unemployment.
A year ago I found intrinsically hilarious the argument, used by cyberwar and cyberdefense salesmen, that the American financial system had to be protected at all costs.
Most Americans, around the same time, were feeling (and still feel) a bit different. They think, justifiably, that they need protection from the American financial sector.
Long range, this brings into view the problem of what to do when there’s no popular interest in defending you, even if it’s — like — against the law to break into giant banks and multi-national businesses via cyberspace. What happens when more people believe in “you had it coming” than the rule of law?
Your security problems intensify, if only because the paupers in your organization, the people you’ve beggared through wage compression and outsourcing, no longer have total interest in defending the turf they work on. And they may be some of your IT staff.
You can always hire mercenaries. But it’s not a perfect solution. You’re always going to be looking over your shoulder.
For example, it’s now not hard to find a certain Schadenfreude, perhaps even outright glee, over the problems of Citi or Sony at the hands of hacking groups.
As contempt and dismay spread through the empire’s network it becomes even more difficult to secure. One of the symptoms of the disease of decline and fall is when security is only called for and dearly important when the wealthy want it to keep others from taking bits of their stuff and causing public humiliation.
The stories on the Bitcoin speculator who couldn’t keep the malware from stealing part of his wealth.
Permalink
06.12.11
Posted in Cyberterrorism at 10:34 pm by George Smith
Wikiwars: The Mission of Julian Assange aired on CNN this weekend.
It was narrated by an ex-Navy SEAL named Kaj who looks like a wimp, one on the small side, with vaseline in his hair.
It contains no revelations being entirely a rehash of old news. Watch it if you want to see Nick Davies of the Guardian and Adrian Lamo, the ex-criminal hacker snitch who turned in Bradley Manning.
Lamo appears in a trench coat. Between that and an obvious nervous tic which manifests as weird blinking before the camera, he’s a sight. If you need someone who genuinely looks the part of a squealer for a budget movie or tv show, Lamo is someone to consider. (It can’t be ruled out that this was all stagily contrived.)
CNN digs up a US military man to interpret the Collateral Murder video and the damage Assange has allegedly done to the US. He’s so wan and obviously from stock upright military man talent booking you won’t be able to remember the guy’s name or what he said. Except that WiliLeaks is bad.
Footage of Newt Gingrich, looking like a hippo, calling Assange an information terrorist is aired.
Ironically, the special aired the weekend news broke that the US wants to make Internet-in-suitcases available to nations where the citizens wish to revolt against their leaders. This is being done using the argument that transparency is critical in giving voice to those who wish to shed light on their corrupt governments.
Wikiwars — not recommended.
Permalink
« Previous Page — « Previous entries « Previous Page · Next Page » Next entries » — Next Page »