Posts by Rick Howard
Filed in: CyberWarfare
A couple of weeks ago, I talked about the DOD's new cyber warfare policy. Deputy Secretary of Defense, William Lynn, rolled out his justification and strategy in an essay published in Foreign Affairs magazine. I gave an evaluation on how far along the DoD is in implementing that policy and gave Secretary Lynn a thumbs up for crafting a cogent plan.
In the Strategy section of the essay, Lynn mentions a concept called active defense. This is a government euphemism for Offensive Cyber Operations. He basically says that you cannot be effective in cyber space if you are only playing defense. Lynn said,
"In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun."
This is a basic tenet of regular warfare (look up quotes from any famous general or military expert like Napoleon, Clausewitz, MacArthur, Patton, etc.). To win, you have to take the fight to the enemy. This is not different just because we operate in cyberspace. The basic tenets of warfare do not change simply because you are in a new medium. They are the same on land, in the air and on the sea. If we fight in cyberspace, we have to go on the offense.
This is consistent with what General Alexander, the Army General in charge of the new Cyber Command, said in August when he spoke at the Armed Forces Communications and Electronics Association's LandWarNet conference:
"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."
But developing and deploying a framework for these kinds of operations is hard and must be done in advance. You don't want to be making this stuff up on the fly during a crisis. Working out the legal and civil liberties issues is tough. Lynn agrees,
"The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy."
Also, just saying the Army will conduct offensive operations sounds so clean and precise. It is not. It will be messy. Unforeseen consequences will happen. The enemy will react. As civilians, we like to think that just because the Army will hit back, the enemy will wither and run away. That will absolutely not happen. It has not happened in Iraq and in Afghanistan, and it will not happen in cyberspace. An old commander of mine always used to say, "The enemy gets a vote." Most likely he will not vote to quit.
General Alexander and Deputy Secretary of Defense Lynn know this. They have been around the block a few times. They know what is in store when we start down this path. That is why it is imperative that the framework is in place before the crisis occurs. We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and yes to the enemy. The enemy must know what we are likely to do before they cast their vote. This will all influence the shape of the battle space.
I believe that all of this is years away, but we have started down the path. The DOD must still negotiate many obstacles, but Secretary Lynn has outlined a strategy and General Alexander has committed to it. It is just a matter of time now.
(No Comments)
Filed in: DoD Policy Lynn Intelligence Policy Trends
William Lynn, the US Deputy Defense Secretary, published an essay in Foreign Affairs magazine last week describing recent US Department of Defense (DoD) policy changes concerning cyber warfare. Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. Here is a summary of Lynn's Justification and Strategy:
Justification
In 2008, hackers - most likely from a foreign government - successfully penetrated DoD networks (both the CLASSIFIED SIPRNET and UNCLASSIFIED NIPRNET) and exfiltrated large volumes of official documents. This situation instigated the formalization of a US strategy (see below).
- Cyberspace is asymmetric and the offense will always have the upper hand.
- Cold War deterrence models of assured retaliation do not work because the attribution problem is hard.
- Cyber warfare forces will not attack just military targets. They will go after the nation's critical infrastructure and industrial secrets.
- Cyber warfare forces will not always come from the network. They will infiltrate the supply chain, both hardware and software, and attack from within.
Strategy
(My assessment of each plank's completeness in parentheses)
- Formally recognize cyberspace as a new domain of warfare (Done)
- Put one command in charge of the strategy: Cyber Command (Done)
  1. Lead daily defense operations (On-going)
  2. Provide an accountable way to marshal cyber warfare resources across the military (On-going)
  3. Coordinate with other government bodies and commercial entities (Just Beginning)
- Dynamic reaction to attacks (On-going)
  1. Maintain computer hygiene (On-going)
  2. Deploy advanced sensors (On-going)
  3. Develop an "Active Defense" but protect US civil liberties (Just Beginning)
- Define rules of engagement (Just Beginning)
- Support broader efforts to protect critical infrastructure (Just Beginning)
- Coordinate Signals Intelligence (SIGINT) with allies (On-going)
- Bring the commercial sector into the discussion (Just Beginning)
- Fund research and development (R&D); focus on superior technology (On-going)
- Train and equip the military cyber warrior (Just Beginning)
- Streamline the government's procurement process (Just Beginning)
My Observations
Like I said, there is not much new here. Many of the concepts expressed in the justification and in the strategy have been on the table for the last 10 years. That's the bad news. The good news is that they are starting to congeal into something more than just a set of slides in a PowerPoint deck.
Regarding the actual 2008 data breach, it is not clear who the actual perpetrators were. The code, agent.btz, had been around for at least 3 years when discovered by the US military skipping through both the classified (SIPRNET) and unclassified (NIPRNET) networks. As reported by our Russian analyst, Kimberly Zenz, in December 2008, a Russian hacker most likely crafted the code, but the attack vector was so lame that it seems unlikely that any nation's cyber espionage program would launch it. Wired Magazine's Noah Shachtman echoed this observation when he interviewed Lynn last week.
Still, Lynn's essay is a signpost in the continuing discussion and developing plans of the US government. It definitely shows the direction the US government is heading. It also supports the notion that iDefense put forward in last year's 2010 Cyber Threats and Trends paper: We are witnessing the incipient stages of a significant shift in the center of gravity away from the commercial enterprise and toward the government in terms of new policy, the amount of money that will be spent on cyber security and what the cyber security professional will look like in terms of skill set.
Whether or not the US government will be successful in executing the above strategy remains to be seen. Lynn has cogently laid out the plan. It is clear what he wants to do. Like we said in last year's trends paper though, the space is likely to be muddled for the next couple of years while government leaders work through the issues.
(No Comments)
Filed in: 2-Tiered Internet
We just published our latest Global Threat Research Report on Russia to our customer base. I have to say, it is a very interesting read; 48 pages of deep-dive intelligence about what is going on in that country. But one thing caught my eye in our Russia report that dovetails nicely with another report written by the National Security Cyberspace Institute (General (Retired) Ron Keys, Charles Winstead and Kendra Simmons). This is the idea of a two-tier internet.
A "Two-Tier Internet" is the concept that for day-to-day internet surfing activity (like checking out what Sponge Bob episode is on the cartoon network tonight or whether or not Mel Gibson's wife has released another phone rant by her extremely mad ex), the internet is anonymous and should remain anonymous like it is for the most part today. For official transactions (like banking, ecommerce, government functions, etc.), reliable authentication between parties is not just a nice-to-have feature but a prerequisite for doing business. The NSCI paper explains it this way:
"[...] the bottom layer is the anonymous layer, the place where you can surf the web without anybody knowing who you are. The second tier is the maturity layer; the place where you go when you have to function in the real world: financial transactions, government exchanges, business transactions, etc. In the maturity layer, you must identify yourself with absolute precision."
What caught my eye about the NSCI paper is that the thesis is very similar to what the Russian leadership is advocating within their own country; namely that the internet should be split into two categories: humanities (unrestricted) and economics (restricted). Here we have two similar positions; one advocated by the Russian Government and one advocated by a US conservative think tank.
At first glance, I thought that the motivations between the two advocates (Russia and NSCI) were different. Russian leadership wants to uplift business opportunities within the country through the power of the internet but they are concerned that this increased communication capability will threaten their hold on power. The NSCI authors are not afraid of losing power as much as they are concerned about getting some of it back.
This is not to say that a two tier internet is a bad idea. Indeed, I think it is a great idea. It is a wonderful compromise between privacy rights advocates who think everything should be free and private on the internet and global governments who are ultimately responsible for protecting their citizens wherever they travel, whether that be on land, in the sea, in the air or in cyber space. If you want to watch your Sponge Bob episodes without anybody knowing your geometric and yellow proclivities, use the humanities portion of the internet. But, if you want to do some sort of official transaction, you need to step up and identify yourself with precision. This would be the price of doing business on the internet.
This in no way describes how we might go about establishing a two-tier internet. That path is fraught with engineering design geekiness that just might insert more security holes into the system than we have already. But if we could do it, I think it might go a long way in making the internet a safer place.
Am I worried that I am coming down on the side of the Russian Government when it comes to internet monitoring? Ok, I'll admit it. It does worry me a little. But, I do not normally discard ideas just because I am concerned. If it makes it easier for me to watch my Sponge Bob episodes, I think it is worth giving it a try.
(No Comments)
Filed in: APT
I just visited the US International Trade Commission. They invited me to discuss what iDefense knows about intellectual property theft in cyberspace; in other words, what is going on with the "Advanced Persistent Threat" (APT)? Just this past year, it seems like the APT acronym has really emerged as the catch-phrase for the security industry. We used to call this activity "cyber espionage." I guess old-timers like me still call it that, but the cool kids call it APT.
This year there have been three very public demonstrations of large APT-styled attacks: Google, the Indian Government and the US Oil Industry. iDefense sources tell us that the actual target numbers, the ones that are not being reported, are in the thousands. The point I am trying to make is that, thanks to Google going public with its incident, a lot of organizations are now aware of this style of threat. They were ignorant about it before and didn't understand that these kinds of activities have really been going on for the past decade.
That's the good news. The more people that understand the threat, the better we can all protect our enterprises. The bad news is that there is not a lot of consensus about what we are supposed to do about it.
Some of my friends jump right to detection. They think the most important thing you can do to defend yourself against the APT is to detect and eradicate the activity on your network. I don't disagree that we all should be doing that, but I would like to make an argument for putting some significant effort into prevention. If it is true that the number of victims that have been penetrated by some APT group is in the thousands, shouldn't we pretty much assume that we can all be had by these players and that we all might have something useful that they want? If thousands of victims exist, doesn't that mean that our traditional cyber security defenses are not working?
Off the top of my head, here are some things network defenders should consider. Assuming that some APT organization is attacking your enterprise, what do they want? Two things come to mind: they want the secret sauce that makes your company unique and they want leverage in any contract deal that is currently underway. To protect both of these "crown jewels," here is a list of things I would add to my standard network defenses:
1. Physical separation between the corporate network, the secret sauce, any Merger & Acquisition (M&A) groups and any contract deals. I would go as far as physically separating each contract group and M&A group into its own network. Defend the walls of these networks rigorously.
2. Ruthlessly enforce the "Need to Know" rule for each separate network. If you do not need to know about an M&A deal, you don't get into that network.
3. Encrypt everything in transit and at rest. This includes data on your smartphone.
4. If you are traveling in foreign countries, use throw-away laptops and phones (you still have to encrypt them, though).
5. Label all documents and e-mail with the appropriate data classification. Do not allow designated classifications out of each separate network. For the exceptionally paranoid, install beacons in all documents; small snippets of code layered into headers or footers that call home every time a user opens them.
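Item 5, classification labels that must not leave their segmented network, is the one item on this list that can be enforced mechanically at the boundary of each network from item 1. The Python below is an added example written for this post, not code from iDefense or the original article: the label line format, the network names and the egress policy table are all hypothetical, and the sample attachments are constructed. It default-denies, so an unlabelled document or an unknown source network is treated as a block rather than a pass.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical label line expected in the header or footer of every document,
# e.g. "CLASSIFICATION: MA-ALPHA". Constructed for this example.
LABEL_RE = re.compile(r"^\s*CLASSIFICATION:\s*([A-Z0-9-]+)\s*$", re.MULTILINE)

# Hypothetical egress policy per segmented network (item 1 above): the set of
# labels permitted to cross that network's boundary. Anything not listed,
# including a missing label or an unknown network, is denied.
EGRESS_POLICY: Dict[str, Set[str]] = {
    "corp-net": {"PUBLIC", "INTERNAL"},
    "ma-alpha-net": {"PUBLIC"},        # M&A deal network: only PUBLIC leaves
    "contract-bravo-net": {"PUBLIC"},  # contract negotiation network
    "secret-sauce-net": set(),         # R&D network: nothing leaves
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    label: Optional[str]
    reason: str


def extract_label(document: str) -> Optional[str]:
    """Return the first classification label found, or None if unlabelled."""
    match = LABEL_RE.search(document)
    return match.group(1) if match else None


def check_egress(document: str, source_network: str) -> Decision:
    """Decide whether a document may leave source_network (default deny)."""
    label = extract_label(document)
    if label is None:
        return Decision(False, None, "unlabelled document, default deny")
    permitted = EGRESS_POLICY.get(source_network, set())
    if label in permitted:
        return Decision(True, label, f"{label} may leave {source_network}")
    return Decision(False, label, f"{label} must not leave {source_network}")


def audit_outbound(messages: List[dict]) -> List[str]:
    """One audit line per outbound attachment; blocked items are flagged."""
    lines = []
    for msg in messages:
        decision = check_egress(msg["body"], msg["source_network"])
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        lines.append(
            f"{verdict} id={msg['id']} net={msg['source_network']} "
            f"label={decision.label} ({decision.reason})"
        )
    return lines


# Constructed sample attachments, not real data.
SAMPLE_MESSAGES = [
    {"id": "m1", "source_network": "corp-net",
     "body": "CLASSIFICATION: INTERNAL\nQuarterly newsletter draft."},
    {"id": "m2", "source_network": "ma-alpha-net",
     "body": "Term sheet for Project Alpha.\n\nCLASSIFICATION: MA-ALPHA"},
    {"id": "m3", "source_network": "secret-sauce-net",
     "body": "CLASSIFICATION: PUBLIC\nPress release text."},
    {"id": "m4", "source_network": "contract-bravo-net",
     "body": "Meeting notes with no label at all."},
]

if __name__ == "__main__":
    for line in audit_outbound(SAMPLE_MESSAGES):
        print(line)
```

The policy table is keyed by the network the document is leaving, not by its destination, which matches the post's model: each M&A or contract network is its own island and the label decides what is allowed across its wall. The R&D network's empty set shows the strictest case, where even a PUBLIC label does not get a document out without a human review.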
I know these remedies are not as sexy as catching the APT groups in the act. Sometimes, the least sexy remedies are the most effective. In addition, I'll admit, these remedies seem a little paranoid; however, if the victim list is in the thousands, isn't it time to be a little paranoid?
(1 Comment)
Filed in: iPad
Recently I have been giving electronic readers a working test (Kindle, iPad). iDefense pushes volumes of written intelligence products to our customers. Sometimes it is a struggle to keep up with it all. Like most security practitioners, I fill downtime gaps (traveling, the 30-minute gap between two three-hour meetings, lunch, listening to my wife, etc.) with reading. Most of what I read comes in three forms: PDFs, Websites and books. It turns out that the iPad is the perfect device for this endeavor. The Kindle is great for books (so is the Kindle reader on the Blackberry and iPhone), but it just does not handle PDFs that well and it has no mechanism at all for reading Websites. The iPad does all that with ease and it does it in color. I am sold.
But the chatter around the water cooler at iDefense is not so sure. You have to remember, most of the people here at iDefense are deep water geeks. What I mean by that is that on the scale of smart people, we have:
Smart People
|
Nobel Prize Winners
|
Geeks
|
|
|
|
|
iDefense Geeks
In other words, you may not want these guys and gals to set any fashion trends, but when it comes to figuring out cyber issues, they have an opinion or two.
And they hate the idea of the iPad.
They hate it because it is a closed system. As you can imagine, these folks love gadgets (like the Linux operating system and the Android phone to name two) because there are an infinite number of ways for geeks to configure them. They will spend hours manipulating one of these devices to automatically download toast recipes from the Internet daily and run home-grown python scripts that engage steam-punk cooking apparatus in an effort to have a new variety of toast prepared before they wake up each morning. They don't do this because they need it. They do it because it is cool. (And I have to say, having a steam punk apparatus making my toast in the morning would be very cool indeed.)
But they can't do that with the iPad because Apple maintains a stranglehold on how the system works. Geeks cannot configure it. Oh, you can probably buy a steam-punk application for the iPad that will make your toast for you, but that is not the same thing. Geeks want the ability and power to do it themselves. And that is where the problem lies.
If the geeks of the world have the power to endlessly configure their toys, the bad-guy geeks of the world will leverage that. In fact, they have been doing that for the past 20 years.
The simple fact is that most Internet users do not need all of that power. Most do not even know what a steam punk engine is. I know. It is hard to imagine, but it is sadly true. Most are like my mother-in-law: consumers of information. They want to read their e-mail, read a Website or two, play Farmville and exchange pithy one-liner status messages with their friends on their social network of choice. Why would they need all of that power that is inherent in an Android smart phone? The answer is that they don't.
I am not saying that Apple's iPad is the device that everybody should use. I am not even saying that the iPad is hacker proof. What I am saying is that devices like the iPad are the safest and most secure devices today that will work for the largest Internet-using population. If my mother-in-law is using an iPad device and a banking application designed for it by the bank that she uses (a closed system), she is much less likely to get owned by a bad-guy-geek than if she did using the latest incarnation of the Windows operating system (relatively an open system).
But the good-guy-geeks of the world will complain that they can't configure it. That is OK. Besides being smart, the other thing that geeks are good at is complaining. So, if I am king for a day, I would give the geeks their toys to play with, but I would also give my mother-in-law an iPad to protect herself.
(No Comments)
Filed in: CyberWarfare

I attended the Intelligence Squared debate on Cyber Warfare on June 8, in Washington, DC.
Those of you who read my blogs regularly know that I am an avid podcast listener (I have a one-hour commute each way to work). One of the podcasts in my regular rotation is the Intelligence Squared debates. The organizers use an Oxford-style format where two sides debate an issue and the audience decides the winner. Before the debate, the organizers ask the audience to vote on the motion. After the debate, the organizers ask the audience to vote again. The winner is the team that changed the most votes. Intelligence Squared has debated many interesting issues during the last year: "Organic Food is Marketing Hype," "America cannot and will not succeed in Afghanistan," and "Blame Washington more than Wall Street for the Financial Crisis," just to name three.
The debate itself was a hoot. It was a beautiful night in the capital and the debate was well attended even though it was competing with several high-end entertainment extravaganzas at the same time, including the Washington Nationals' debut of their phenom pitcher Stephen Strasburg and a family concert by Carly Simon and her son Ben Taylor.
This was the motion: The Cyber War Threat has been grossly exaggerated.
On the left side of the stage (for the motion) was Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) and Bruce Schneier, my former boss and general pundit for the security community.
On the right side of the stage (against the motion) was Jonathan Zittrain, co-founder of the Berkman Center for Internet & Society and Mike McConnell, executive vice president for Booz Allen Hamilton and a former US Director of National Intelligence (DNI).
Let me just say that the Zittrain/McConnell team spanked the Rotenberg/Schneier team and the star of the show was Zittrain. He was funny and articulate and every time the Rotenberg/Schneier team tried to make a point, Zittrain bumped them right back into their corner. Here are the results:
Before the Debate:
For the Motion (Rotenberg/Schneier): 24 percent
Against the Motion (Zittrain/McConnell): 54 percent
Undecided: 22 percent
After the Debate:
For the Motion (Rotenberg/Schneier): 23 percent
Against the Motion (Zittrain/McConnell): 71 percent
Undecided: 6 percent
Like I said, this was a spanking. Throughout the debate, the Rotenberg/Schneier team never debated the issue. They were more concerned about what the US Intelligence apparatus might do to US citizens' privacy rights if the US government ever considered the threat of Cyber War to be real. Rotenberg repeatedly came back to the point that the NSA has been trying to take control of the Internet since the early 1970s and this is just the latest salvo in that effort. The Zittrain/McConnell team challenged this argument by agreeing that it was a concern, but that it does not really address the question at hand.
Schneier pointed out that Cyber War is a theatrical metaphor similar to other metaphors we use to add emphasis to important issues, like the war on drugs or the war on terrorism. The Zittrain/McConnell team countered with the idea that this is not a metaphor; that it is possible to disrupt and destroy in cyber space just like it is in the real world and that we should prepare to defend against those contingencies. McConnell explained that the US economy is annually valued at $14 trillion. In just one day, two high-end US banks alone transfer more than $8 trillion. If a nation state made it impossible for bankers to track that dollar flow, the result would ruin the country. From my point of view, we can all come up with our pet "Doomsday" scenarios that a nation state might use against our respective countries. If we went to war with another country, do we really think that the other side would not use cyber space as a vector? The Rotenberg/Schneier team said yes; they did not think that another nation state would use Cyber War as a vector.
The Rotenberg/Schneier team also denied the two examples that everybody trots out, including me, to prove the point that cyber war is real: Estonia and Georgia. They said they were done by kids and therefore not an act of war, and they failed to see how denying access to government websites qualifies as a war. The Zittrain/McConnell team countered with the fact that, at least in the Georgia incident, the attacks were deliberate, rehearsed and executed with impeccable timing. For my part, I would make the argument that anything that adds to your adversary's "Fog of War" only helps your cause. If you can't communicate with your staff electronically just before the tanks roll across your border, I'd say your pucker factor would rise exponentially. Moreover, just as an aside, kids conduct many of the conflicts going on today; it does not make them any less lethal.
In the end, both sides agreed that the policies the US adopts around cyber warfare should be open to everyone; that there should be no secret planks hidden in the bowels of the Pentagon. McConnell suggested that we need to get the law right before there is a crisis. Everybody agreed.
From my perspective, this is a no-brainer. Of course there will be a cyber warfare component in any future war. It is the great leveler. For relatively little cost, a small country could easily compete with a big country in terms of effect in cyber space. Compare that to trying to outspend the US in building an aircraft carrier fleet that can travel unopposed in five oceans. Does the press over-hype the phrase "cyber warfare" sometimes? Absolutely. Does that make the threat of cyber warfare grossly exaggerated? I don't think so. I am not the only one who thinks that either. The debate audience definitely thought that at the end of the festivities, but so do a lot of governments around the world. In iDefense's 2010 Trends Paper, published in December 2009, we talked about a shift in the center of gravity away from enterprise IT departments and toward governments in terms of cyber security policy, money spent on cyber security programs and the cyber security personnel that governments hire. Part of that shift concerns itself with cyber warfare.
In the end, I had a great time. I got to see some cyber security super stars square off on a very important issue and witnessed the crowd shift their viewpoint from one side to the other. I'll admit, it was a little geeky, but hey, the geeks of the world need entertainment extravaganzas too.
(1 Comment)
Filed in: Gonzalez

A couple of weeks ago I presented at the annual
FS-ISAC (Financial Sector - Information Sharing and Analysis Center) conference held in St. Petersburg, Florida. I know. It is a tough gig. Somebody has to do the hard jobs around here.
The FS-ISAC is one of several ISACs "mandated" by the US Government to facilitate information sharing between companies within the same business sector. Other prominent
ISACs are the IT-ISAC and the Multi-State ISAC.

During the talk, I got to the part where I was discussing the Albert Gonzalez case. If you have been sleeping under a rock for the past year, Gonzalez is the guy that masterminded the TJX breaches. The US Government just recently sentenced him to 20 years for his efforts. It turns out though that he was also involved in some of the most nefarious cyber activity of the past decade in one shape or another.
For example, he was the snitch used by the USSS (United States Secret Service) in Operation Firewall back in 2004, where the feds snatched some 28+ underground carders. He was also a member of the infamous Darkmarket forum, the forum that FBI Agent Mularski infiltrated for two years, resulting in the arrest of some 56 underground carders. It is iDefense speculation that Gonzalez used Darkmarket to exchange credit card numbers with one of his main TJX accomplices: Maksym Yastremskiy. The USSS used Yastremskiy as the linchpin in the case to tie everything back to Gonzalez.

At this point in the presentation, I was telling the part of the story where the feds were paying Gonzalez an annual salary to be a "consultant" for them. You see, they did not know that he was secretly going behind their backs to do the TJX job while he earned $70K a year for being an informant. That was not a typo. They paid Gonzalez $70K a year.
But that is not the good part. This is the good part.
At this point in the presentation, one of the FS-ISAC leaders stopped me cold and said that he wanted to make an announcement. In the interest of full disclosure, he wanted the audience to know that, in fact, Albert Gonzalez presented at this very same conference not five years ago as part of his federal consultancy gig. The USSS brought him in to give the FS-ISAC membership a view from the hacker's mind. This was about the same time that Gonzalez was launching his TJX scheme.

How cool is that?
As you might imagine, this little nugget of information brought the house down. I was almost wiping tears from my eyes because I was laughing so much. I could not have planned it better if I was making it all up.
(2 Comments)
Filed in: Cyber Espionage India Google

I just finished reading the paper called "Shadows in the Cloud," published by our friends over at the Information Warfare Monitoring Group and the Shadowserver Foundation around the beginning of April. The folks in the Information Warfare Monitoring Group are the same guys that published the Ghostnet paper last year regarding cyber espionage attacks against the Dalai Lama. In fact, this most recent paper is based on leads not pursued by the original research.
This is really a well written paper. It does not go off half-cocked like many other research efforts of the same ilk. The authors make it very clear that although the attacks originated from the People's Republic of China (PRC), the researchers have absolutely no evidence linking the Chinese government to the attacks. In other words, there is no smoking gun. They also do a very thorough job outlining their methodology.

The report suggests that although the attackers targeted victims from around the world, they were most interested in government officials in India. Places like
- The Indian National Security Council Secretariat
- Any and all Indian Diplomatic Missions
- Indian Military Engineer Services
... just to name three.
They propose two interesting hypotheses that they admit do not have enough evidence to prove, but seem intriguing.
The first is that "political espionage networks may be deliberately exploiting criminal kits, techniques and networks both to distance themselves from attribution and to strategically cultivate a climate of uncertainty."

iDefense has no proof of this either, but I think it is highly likely. In fact, another security research group called Damballa suggested that the Google Aurora attacks were nothing more than a cyber criminal attack, based solely on the techniques used by the attackers. Here at iDefense, we disagree. Our hypothesis has always been that the tools of the trade are the same regardless of what malicious activity you are pursuing. But we should consider this hypothesis from the "Shadows in the Cloud" report. It may not be a matter of convenience but a distinct choice for cyber espionage groups to use criminal kits as a way to hide in the noise.
Their second hypothesis is the idea of Collateral Compromise. The researchers say that "there is a high probability for collateral compromise in any malware network because of mutual dependencies between targeted victims and their associations in social networks."
I'd say this is highly likely too. It has been my experience over the years that cyber espionage groups throw a large net out initially to see what is there. Then they seek targets of opportunity as they are discovered. This is what happened here in India. The bad guys went after the Dalai Lama and eventually found their way over to Indian Government officials through mutual social networking connections.
The researchers also outline attack methodologies in this report that iDefense has documented in other cyber espionage attacks for the past decade: essentially, attackers compromise machines using .PDF, .PPT and .DOC file format exploits and exfiltrate any documents found on the hard drive back to another region of the world. That region usually has no extradition treaties with the West.

One interesting intelligence nugget that is very similar to the Google incident is the conjecture that there were at least two, and possibly three, different hacking groups involved in the Shadow Network attacks. Our own iDefense sources say that there may have been multiple groups within Google too and they did not know about each other until Google went public. In my line of work, there is no such thing as a coincidence. What it means exactly is not clear. It could mean that the perpetrators contracted multiple hacker groups to go after the same targets on purpose, or it could mean that the perpetrating organization is so large that they don't know what everybody is doing. Regardless, the fact that two separate, highly publicized cyber espionage attacks in two completely different regions of the world involved multiple hacking groups at the same time that may or may not have known about each other is very interesting indeed.
It's inconclusive who is behind the latest intrusions into India and the researchers are certainly not ready to lay blame. However, the report is fascinating and well worth a read.
(No Comments)
Filed in: Kirllos Facebook
A couple weeks ago, iDefense got a lot of press for reporting an anomaly found while conducting research on the criminal buying and selling of PII (Personally Identifiable Information). A hacker named "Kirllos" claimed that he had 1.5 million Facebook accounts to sell. That was interesting enough. Most underground sellers of PII don't sell in bulk like that; it attracts too much attention, which this did. As the press would say, it had legs. It seems like every press outlet in the world picked up the story, which was not really a story at all but more of an observation.
The second anomaly was with Kirllos himself. iDefense analysts had high confidence that he was at least a native Russian speaker based on the language skills he used in the forums, and it was likely that he lived in Eastern Europe. The reason this is an anomaly is that we have not seen many Russian speakers selling Facebook accounts. They tend to stick to their own regional sites like the VKontakte social networking site that is popular in Russia, Belarus and Ukraine. This is not to say that Russians do not sell Facebook accounts; it is just that it does not occur too often and definitely not in that volume.
So there you are: two pieces of data that don't really mean that much but kind of make you say hmmmm, that is interesting. To be clear, we never said that these were valid accounts. We made no effort to prove it. The thing that was interesting to us was the volume advertised and the location of origin. At first glance, Kirllos seemed like a valid seller at the time. Before the press got a hold of him, he was a seller in good standing on the forum where we noticed him.
Enter Facebook.
The Facebook security team reached out to me after reading the press accounts. As one might suspect, they were all over this Kirllos fellow. They had been following him for some time and knew exactly what his capabilities were. I use the word "were," the past tense, on purpose. This entire episode crippled Kirllos' fledgling career under the Kirllos alias. Once the iDefense "observation" hit the press, many other underground buyers, including the Facebook security team, attempted to contact him to buy the accounts. Kirllos ignored them. Either he did not have the accounts to sell or he was afraid that law enforcement was onto him. Most likely, it was both. Regardless, many underground forums banned Kirllos from the space.
Facebook's assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts, most of which he probably created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners. Awesome!
The bad news is that iDefense's reporting on a simple "observation" created quite a media frenzy for Facebook. Unfortunately, even though iDefense never claimed to have verified the accounts as real, most stories suggested that they were.
The good news for iDefense is that we now have a new security research collaboration partnership with Facebook. I look forward to exchanging information with Facebook's security team in the future. As Rick says in my favorite movie, "Louis, I think this is the beginning of a beautiful friendship."
(1 Comment)
Filed in: PowerPoint Ranger

I have been looking back through some of my previous blogs these past few weeks and I just happened to notice that I seemed to be on a minor rant about how security personnel present security information (in this blog and this blog). I told myself that I would pick another topic this week to avoid seeming like a broken record. Then, this story popped up in the New York Times called "We Have Met the Enemy and He Is PowerPoint." It is about how some of the leaders in the US military hate the use of PowerPoint as the default way to convey information up and down the chain of command. This quote sums up the article well:
"The amount of time expended on PowerPoint, the Microsoft presentation program of computer-generated charts, graphs and bullet points, has made it a running joke in the Pentagon and in Iraq and Afghanistan." According to the article, most junior officers fill their time building slide decks for one meeting or another, with many affectionately referring to them as PowerPoint Rangers. (Full disclosure: When I was in the service, I was a qualified PowerPoint Ranger myself. Since I retired, I have upgraded my skills to PowerPoint Ninja.)
I love the New York Times quotes from the generals (especially the McMaster quote):
"It's dangerous because it can create the illusion of understanding and the illusion of control. Some problems in the world are not bullet-izable."-- Brig. Gen. H. R. McMaster
"When we understand that slide, we'll have won the war."-- General Stanley A. McChrystal, referring to this slide that tries to convey the complexity of the Afghanistan war (I want to meet the Captain that put that slide together - he must have had a lot of time on his hands).
"PowerPoint makes us stupid."-- Gen. James N. Mattis of the Marine Corps. It seems that these military leaders are of like mind with Doctor Edward Tufte.
From my blog at the end of March:
"You will be interested to know that Dr. Tufte hates PowerPoint; at least the default way that most people use it: Title, 3-5 bullets of text, spinning doughnuts that have nothing at all to do with the presentation. In his seminar, Dr. Tufte does not use it. His famous example-- how NASA's engineers might have failed to prevent the Challenger Space Shuttle catastrophe in 1986 because a badly designed slide deck did not convince NASA leadership to scrub the launch-- is bone chilling."
Alas, PowerPoint is not to blame here. Presentation software packages, PowerPoint included, are merely presentation tools. Where the military, NASA, the commercial sector and, of course, the security community fail is in how we all use the tool.
What is PowerPoint good for? It is good for conveying ideas to a large group of people; it is actually quite good at that.
For what is it not good? Summarizing very complex ideas - at least in its default use (reams of slides filled with indented bullet lists). Presenters can use the tool for good summaries, but the creator needs to back up the work with a longer narrative. This is similar to what we do at iDefense with our written products that cover the same topic at different lengths: Long Papers, Minis, Executive Summaries and One-Page Bullet Lists.
Where we all have failed is using the tool as the only vehicle to construct an original thought. PowerPoint has no method that I know of to convey subtlety or complexity; indeed, its creators did not intend for it to do so. I have come to believe that most PowerPoint decks should point back to a larger body of work or should accompany a resident expert. In most cases, the deck should not stand alone. How many times have you requested a copy of the slides used for a briefing that you thought was outstanding, but by the time you got around to reading them again, you found that you could not remember why you thought they were so good?
The bottom line is that many people are tempted to use PowerPoint as their only vehicle for organizing their thoughts. As General Mattis says, that "makes us stupid." Here is my recommendation for all the security geeks out there. If you are trying to convey your idea, before you resort to slide decks, write it out. Talk to your friends about it. Draw it on the white board or a handy bar napkin or your passed-out buddy's bald head. When done, write it out again and look for holes in your thinking. When you are done with all of that, you might be ready to pull out the PowerPoint program and work on your Ranger tab.
Actually, the slide that General McChrystal denounced in the New York Times article is the perfect slide that the presenter should have used. With one slide, General McChrystal instantly understood how complex the Afghanistan problem is. If that were the author's intent, then hoorah - the meeting would have been over! Doctor Tufte would be proud.

(No Comments)