25 posts categorized "Ranum's Rants"

 

Your APT Anti-Hype

In the interest of helping you cope with the "APT" hype, I thought I'd offer a few observations and ideas about things you can do that might actually help. After all, it's too easy to point and shout "hype" - the truth is that there is a problem, and system and network administrators who are concerned with security do have to worry about long-term embedded penetrations in their network.

There are two primary approaches to Intrusion Detection and they both work. But, they work against different threats, for different reasons. One is the 'classical' IDS approach: know what attack looks like, and look for the attack. That's what most of the signature-based IDS do, and they're good at it and therefore they are useful. The second is the 'analytical' approach (what Richard Bejtlich, in his excellent books, calls "network security monitoring"): know what your network and systems usually do, and begin an investigation if you see them suddenly start doing something new. As with everything, there are trade-offs. Some people would say that the first approach has a problem of "too many false positives" although, seriously, if your network is carrying such a large amount of apparently hostile traffic that your IDS is constantly ringing off the hook, I think you've already got a serious problem. The second approach has the problem that "start an investigation" may be outside the purview, skill set, or energy level of many system/network managers - especially now that the typical system/network admin is chief cook, busboy, and bottle-washer all rolled up in one.
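As an added illustration (not code from the original post), the following Python sketch runs both approaches over constructed connection records: a signature check for a known-bad request pattern, and a learned per-host baseline of destinations and outbound volume. It shows what each approach catches and what each misses, which is the trade-off the paragraph describes.

```python
"""Two intrusion-detection approaches side by side.

Records below are constructed for illustration; hosts, addresses and
request lines are not from any real capture.
"""
import re
from collections import defaultdict

# Baseline window (days 1-7): what workstation ws-17 normally does.
BASELINE = [
    {"id": f"b{d}a", "day": d, "src": "ws-17", "dst": "intranet.example.com",
     "dport": 80, "out": 2_000, "req": "GET /index.html HTTP/1.1"}
    for d in range(1, 8)
] + [
    {"id": f"b{d}b", "day": d, "src": "ws-17", "dst": "mail.example.com",
     "dport": 443, "out": 15_000, "req": "GET /owa/ HTTP/1.1"}
    for d in range(1, 8)
]

# Monitoring window (days 8-9): four records, each exercising one outcome.
MONITOR = [
    # m1: known destination, normal volume, but a request matching a signature.
    {"id": "m1", "day": 8, "src": "ws-17", "dst": "intranet.example.com",
     "dport": 80, "out": 2_100, "req": "GET /cgi-bin/../../../etc/passwd HTTP/1.0"},
    # m2: small, innocuous-looking request to a host never seen before.
    {"id": "m2", "day": 8, "src": "ws-17", "dst": "cdn-static.invalid",
     "dport": 443, "out": 900, "req": "GET /a.gif HTTP/1.1"},
    # m3: ordinary traffic, nothing should fire.
    {"id": "m3", "day": 8, "src": "ws-17", "dst": "mail.example.com",
     "dport": 443, "out": 14_000, "req": "GET /owa/ HTTP/1.1"},
    # m4: known destination, but an upload far above this host's norm.
    {"id": "m4", "day": 9, "src": "ws-17", "dst": "mail.example.com",
     "dport": 443, "out": 2_000_000, "req": "POST /owa/ HTTP/1.1"},
]

# Classical approach: patterns of attacks we already know about.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "shell-in-uri": re.compile(r"/bin/sh|cmd\.exe", re.IGNORECASE),
}


def signature_alerts(records):
    """Classical IDS: flag records whose request matches a known-bad pattern."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["req"]):
                alerts.append((r["id"], r["src"], name))
    return alerts


def build_baseline(records):
    """NSM approach: learn, per source host, which (dst, port) pairs it talks
    to and the largest outbound transfer observed during the baseline window."""
    pairs = defaultdict(set)
    max_out = defaultdict(int)
    for r in records:
        pairs[r["src"]].add((r["dst"], r["dport"]))
        max_out[r["src"]] = max(max_out[r["src"]], r["out"])
    return pairs, max_out


def baseline_alerts(records, baseline, volume_factor=10):
    """Flag deviations from the learned baseline: a host we have no baseline
    for, a never-seen destination/port pair, or an outbound transfer more than
    volume_factor times the host's largest baseline transfer. Each alert is a
    lead for investigation, not a verdict."""
    pairs, max_out = baseline
    alerts = []
    for r in records:
        src, key = r["src"], (r["dst"], r["dport"])
        if src not in pairs:
            alerts.append((r["id"], src, "unknown-host"))
        elif key not in pairs[src]:
            alerts.append((r["id"], src, f"new-destination {key[0]}:{key[1]}"))
        elif r["out"] > volume_factor * max_out[src]:
            alerts.append((r["id"], src, f"outbound-volume {r['out']}B"))
    return alerts


def compare(records, baseline):
    """Per record: (signature fired, baseline fired)."""
    sig_hits = {rid for rid, _, _ in signature_alerts(records)}
    base_hits = {rid for rid, _, _ in baseline_alerts(records, baseline)}
    return {r["id"]: (r["id"] in sig_hits, r["id"] in base_hits) for r in records}


if __name__ == "__main__":
    learned = build_baseline(BASELINE)
    for rid, (sig, base) in compare(MONITOR, learned).items():
        print(f"{rid}: signature={'HIT' if sig else '-':3} baseline={'HIT' if base else '-'}")
```

m1 is caught only by the signature (it goes to a known host at a normal volume), while m2 and m4 are caught only by the baseline, since nothing about a small GET or a large POST matches a known attack pattern.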

Continue reading "Your APT Anti-Hype" »

 

Afterbytes with Marcus Ranum - Data Leakage

BERLIN/ZURICH (Reuters) - A Swiss lawmaker likened German attempts to buy data on cross-border tax evaders to bank robbery on Tuesday and the Swiss banking lobby said Berlin was acting as a receiver of stolen goods.

Reference: Swiss lawmaker accuses Berlin of "bank robbery"

This could be the start of an interesting trend: targeting information for theft and disclosure. We've already seen that the underground is willing to monetize data leakage, but if governments get involved we'll see organizations getting penalized on both sides: you're fined for leaking the data, and the data is used against you when it does get leaked.

In the next 5 years or so, we can expect to see the data leakage problem come to a head; I think that our law-makers, regulators, and 'the powers that be' still haven't realized the extent of how exposed and distributed our sensitive data has become. We're in the early stage of the game and I believe that the problem has gotten worse - faster - than almost anyone is willing to admit. What is going to happen? It's too late to put the worms back into the can, but putting them back in the can is the only option that actually would work. The next decade is going to see a fascinating collision between reality and fervently held wishes.

 

Afterbytes with Marcus Ranum - Under Constant Attack

Title: Critical Infrastructure Computer Systems Under Constant Attack

Date: January 28 & 29, 2010

According to a report from The Center for Strategic and International Studies, utility companies’ and other critical infrastructure components’ computer systems are constantly under attack worldwide. The report, which was commissioned by McAfee, compiles information gathered from 600 IT and security executives at companies around the world. More than half of respondents believe that their countries’ laws are not effective in deterring cyber attacks, and nearly half believe that their countries do not have the ability to prevent cyber attacks.

Sources: Global Critical Infrastructure Networks Regularly Under Attack, Government's Cybersecurity Role Gets Mixed Reaction, Study Finds Growing Fear of Cyberattacks

Wow, did you realize that if you connect to the internet, you might come under attack?

Once again, we see the reality disconnect that is computer security. Are we to infer from the article that executives expect their government to somehow protect their internet connected systems from so many attacks? It's starting to sound like it's time to put the signs back up that read "Must be _ this tall to ride this ride." It is now and has always been the case that:

  • Anyone connecting to the internet should expect to be attacked
  • You pretty much can't "do anything" about the attacks
  • The attacks will appear to come from someplace you have no jurisdiction over

The bottom line is as it's always been: it's your job to defend yourself, and you're crazy if you expect any kind of help from anyone. You're on your own, in other words. Of course your country's laws aren't going to deter cybercriminals - the people who are causing your problem aren't subject to your laws. Of course your government isn't going to be able to help you - the people who are causing your problem do not fear your government. It's that simple: you must be this tall to ride this ride.

Besides, the best that the government can do for anyone, at this point, is write an official harsh letter.

Since the cyberattack hype bandwagon is in full swing, I figured it wouldn't take long before corporations started looking for a cybersecurity bail-out; remember how much money was going to be saved by remote-linking those power-grid nodes over the Internet? Maybe it was a false saving after all. A couple of months ago I was chatting with a pretty clueful fellow who had worked on some of the power-grid systems, and he was bemoaning how much it was going to cost to beef up the security and flog the deeply embedded hackers out - "the customers are not going to want to foot the bill for this one!" he said. I couldn't help but reply, "well, why can't the power companies pay for it from the money that they saved by using the internet instead of private dedicated links?"

Here's another prediction for you: the corporations will be next in line with their hands out for a cybersecurity bail-out. And, let me tell you another trade secret of how to be an industry "thought leader": predict things that are already happening.

A couple of months ago, when I started tracking the "Chinese cyberwar" kerfuffle, I said that it sounded like budget pumping to me, and I stand by what I said. The U.S. Navy has just announced that it has established a "cybercommand" like the other branches of the DoD, and thanks to the new red scare the budget faucet is flowing merrily.

 

Afterbytes with Marcus Ranum - Using A Dedicated PC For Online Banking

ABA Recommends Using Dedicated PC for Online Banking

Date: January 1 & 4, 2010

Synopsis: The American Bankers' Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions.

Sources: Online banking warning surprises some experts, Businesses warned about online banking

This particular bit of news seems to have gotten disproportionate attention. On one hand, people see it as "ABA tells home users to use a dedicated PC!" and on the other it's business as usual.

But, it's not business as usual - what ABA is doing is recommending a specific response to a deeper problem. The problem is not "online banking" or anything like it; what we're seeing here is an implicit statement that endpoint trust is finally beginning to matter, as cybercriminals are increasingly attacking the shoddy operating systems that everyone seems to use for general purposes.

Continue reading "Afterbytes with Marcus Ranum - Using A Dedicated PC For Online Banking" »

 

Ranum's Rants: Cloud Forum Roundtable

I recently attended the San Francisco IANS Security Forum, where Hart Rossman and I facilitated several of the roundtable sessions. I thought I'd summarize a few of the "take-aways" and useful comments from each.

Continue reading "Ranum's Rants: Cloud Forum Roundtable" »

 

Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication

Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:

Gartner Report Says Two-Factor Authentication Isn't Enough
(December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.

References: 2-Factor Authentication Falling Short for Security, Gartner Says & Strong Authentication Not Strong Enough

I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers" but customers don't seem to understand (and/or aren't informed) of the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.

Continue reading "Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication" »

 

Marcus Ranum Presents "Internet Nails" at TED

Marcus presents an awesome story about the Internet, software, and security. Watch as he goes into detail on how protocols work, problems with FTP, HTTP, and much more! The purpose was to show how small mistakes made in the design of software and the Internet have shaped the security industry. You can watch the full version of the talk below:

You can also find a full size high quality version of the above video on YouTube's site.

 

Logs of Our Fathers

At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it here, on the TED site. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.

November, 1951


Machine Log #1

Continue reading "Logs of Our Fathers" »

 

This Is Going To Get Interesting

In past columns here and elsewhere, I've been pretty derisive of the notions of "cyberterror" and "cyberwar." Most particularly, I think cyberwar is probably not a useful adjunct to the toolbox of statecraft. But, in discussions about cyberterror, I've always admitted that I'm puzzled by how little creativity has been shown in that arena. That may be about to change, and for the weirdest of reasons.

The full story hasn't been told, yet, but apparently AT&T decided that the amount of traffic/amount of attacks/general tastelessness/whatever of 4chan was just too much to bear, and began blocking traffic to a few of the 4chan servers.

AT&T Blocks 4chan, Stirs Internet Hornet's Nest
http://www.pcworld.com/article/169079/atandt_blocks_4chan_stirs_internet_hornets_nest.html

What everyone at AT&T appears to have forgotten is that the people who hang out at 4chan are amused by, and capable of, a great deal of creative mayhem. Example: it didn't take very long at all before there was a fake press release on Digg announcing the death of AT&T's CEO.

AT&T CEO Randall Stephenson was found dead in his multimillion dollar beachfront mansion, say official sources. 
http://digg.com/tech_news/AT_T_CEO_Dead_outside_his_home_iReport_com?OTC-kff

Disinformation, coupled with a "meat cloud" to diggbot the fake report, and it's possible that AT&T's stock will take a hit. When you're a publicly-traded company, a little hit can equate to a lot of bleeding. As I said, this is going to get interesting. It's already, by far, a vastly more intellectually sophisticated attack than the usual "let's get a big botnet and do some DDOS" nonsense. As of right now, the attack doesn't appear to have worked.

A few years ago, some of us were discussing the potential for using asymmetric attacks to produce a "death of a thousand cuts"-style campaign. This could be the beginning of a very interesting chain of events.

 

AfterBites: Wake Me Up When The "Cyberwar" Is Over...

The Story:

--US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)
A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week. Some reports have speculated that North Korea may be behind the attacks, which have been described as unsophisticated and "a nuisance." Brian Krebs of the Washington Post reports that the virus that is causing PCs to attack these sites will overwrite the files (including the operating system) of the infected computers.
http://isc.sans.org/diary.html?storyid=6757
http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html?wprss=securityfix
http://www.nextgov.com/nextgov/ng_20090708_6262.php
http://www.computerworld.com/s/article/9135279/Updated_MyDoom_responsible_for_DDOS_attacks_says_AhnLab?taxonomyId=17 ...

Once again, we have a "cyberwar" that only registers as a blip on the radar screen for most of us. Other than that, it's an inconvenience for government or commercial sites that didn't think about capacity when they built out their internet connections. It's far from a disaster; in fact, it's hardly newsworthy. It's only remotely interesting because, once again, the cyberwar pundits attempted to link the attacks to state sponsorship. As with the attacks on Estonia in 2007 ("Russia accused of unleashing cyberwar against Estonia"), will it turn out to be a few civilians operating under their own initiative? Another way of phrasing that question is "is the North Korean intelligence service a bunch of wimps?"

Continue reading "AfterBites: Wake Me Up When The "Cyberwar" Is Over..." »

 

AfterBites: More on Espionage

The Story:

--Pentagon Official Charged with Espionage Conspiracy
(May 13 & 14, 2009)
A Pentagon official has been charged with espionage conspiracy for allegedly leaking confidential documents to a Chinese government operative. James Wilbur Fondren Jr. has been on administrative leave from his job as Deputy Director, Washington Liaison Office, US Pacific Command (PACOM) since February 2008. Fondren was allegedly able to access the sensitive information through his security clearance. If he is convicted of the charges against him, he could face five years in prison and a fine of US $250,000.
http://www.nextgov.com/nextgov/ng_20090514_7707.php
http://www.scmagazineus.com/Defense-Department-insider-charged-with-espionage/article/136743/
http://www.usdoj.gov/opa/pr/2009/May/09-nsd-469.html
[Editor's Note (Northcutt): Limiting access rights based on roles is essential.]


My comment on this (which didn't get posted along with Northcutt's) was:

Is this where I get to say "I told you so"??

Continue reading "AfterBites: More on Espionage" »

 

AfterBites: Expanding Consumer Protection Laws to Software

The Story:

EU Commissioners Call For Expanding Consumer Protection Laws to Software

(May 9, 2009) - European Union Commissioners Viviane Reding and Meglena Kuneva have proposed that the EU Sales and Guarantee Directive, which applies to physical products, be extended "to cover licensing agreements of products like software" as well. The directive requires that products carry a two-year guarantee. Kuneva said that the change would give customers a broader choice and software companies would be held to a higher standard of accountability. Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance disagreed, saying that it would in fact limit consumers' choices. He said that "creators of digital goods cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance," and that it could lead to decreased interoperability between products if manufacturers decide to limit how much of their code could be accessible to third-party developers.

Source: http://news.cnet.com/8301-1001_3-10237212-92.html

This has been tried before and - it should come as no surprise to anyone - the software industry has some mighty powerful lobbyists. Indeed, some of them speak out in this little tidbit. I think it would have been more honest if Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance had said "Good luck, bwaaaahaaahaaahaaaa!" instead of hewing the ridiculous party line that the software industry has been spouting for decades. I like intellectual honesty when I encounter it.

Continue reading "AfterBites: Expanding Consumer Protection Laws to Software" »

 

AfterBites: Joint Strike Fighter Plan Compromise

The story:

Spies Penetrate Pentagon's Joint Fighter-Jet Project (April 21, 2009)
Cyber spies have stolen tens of terabytes of design data on the US's most expensive weapons system -- the $300 billion Joint Strike Fighter project. Similar breaches have been found in the Air Force's Air Traffic Control System. The attacks began as far back as 2007 and continued into 2008. The spies encrypted the data that they stole, making it difficult for investigators to know exactly what data was taken. The fact that fighter data was lost to cyber spies was first disclosed by U.S. counterintelligence chief Joel Brenner. Brenner also expressed concern about spies taking control of air traffic control systems, saying there could come a time when "a fighter pilot cannot trust his radar."
http://online.wsj.com/article/SB124027491029837401.html

I've touched before on the topic of data leakage and national security; now it seems that the national security establishment is banging the same drum, albeit louder than I ever could. Such an embarrassing "slip" would normally be deeply buried - the fact that it's being outed by the "U.S. Counterintelligence Chief" ought to tell you something: this is part and parcel of the government's new "yellow terror" cybersecurity red scare. I don't know about you, but I'm on the fence about this - part of me wants to be happy that cybersecurity is being taken seriously, whereas the other part of me remembers the disastrous Department of Homeland Security and War On Terror. I detect a distressing pattern of our government saying "be afraid, be very afraid, and, oh, yeah, pull out your wallet."

Continue reading "AfterBites: Joint Strike Fighter Plan Compromise" »

 

Ranum's Rants - The Anatomy of Security Disasters

(A PDF version of this is available from my personal website, as is a PDF of the PowerPoint handouts from Source Boston 2009.)

Introduction: Truth

Since I started in security, 20 years ago, "they aren’t taking security seriously" has been the constant complaint of the security expert. Even in organizations where security is taken seriously, it has been at the expense of living in a constant relationship of opposing management or other business units. Some of us enjoy the strife; most don’t. In fact, most of us enjoy being employed more than we enjoy being right.

Continue reading "Ranum's Rants - The Anatomy of Security Disasters" »

 

AfterBites - Man Must Decrypt Hard Drive

The original article:

 --Judge Says Man Must Decrypt Drive
(February 26 & March 3, 2009)
A federal judge has ruled that a man suspected of having child pornography on an encrypted drive on his laptop computer is not protected by the Fifth Amendment. US District Judge William Sessions ruled that Sebastien Boucher surrendered those rights when he allowed his laptop to be searched the first time, and ordered Boucher to provide the court with an unencrypted version of the drive in question. The ruling reverses an earlier decision in which a judge ruled that Boucher was protected from incriminating himself under the Fifth Amendment. The original request from the US Department of Justice had been to make Boucher surrender his encryption passwords; the appeal asked only that he decrypt the drive in view of the grand jury. Boucher's laptop was searched in December 2006 while crossing the border into the US from Canada. Agents claim to have seen the offending content, then shut down the computer. When they tried to access the images after Boucher's arrest, they were unable to because of his PGP program.
http://news.cnet.com/8301-13578_3-10172866-38.html?tag=pop
http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/
http://www.wcax.com/Global/story.asp?S=9909241


There are several things about this particular article that really bother me - and they're all about the rights of citizens to be free of government interference.

Continue reading "AfterBites - Man Must Decrypt Hard Drive" »

 

AfterBites: Incident Reporting and Science 101

I need to preface this with a disclaimer: I am not criticizing SANS for carrying the article. It's instructive, and that's always useful. I wish, however, that technology journalists were a bit more skeptical or clueful - and - as they say, "that's our story."

The article:

Reports of Cyber Incidents on the Rise
(February 17, 2009)
The number of cyber security incidents at federal civilian agencies reported to the US Department of Homeland Security's US-CERT has tripled since 2006. In fiscal 2008, 18,050 incidents were reported, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006.
Agencies are required to report cyber security incidents under the Federal Information Security Management Act (FISMA); such incidents include unauthorized access, denial of service, malicious code, improper use, scans, probes and attempted unauthorized access. The significant increase over the last several years can be attributed to both an increase in malware and a heightened awareness of and ability to detect incidents.
http://fcw.com/Articles/2009/02/17/CERT-cyber-incidents.aspx
http://www.usatoday.com/news/washington/2009-02-16-cyber-attacks_N.htm

And

Small Businesses Want Centralized Cyber Incident Reporting Organization
(February 19, 2009)
A report from the Federation of Small Businesses says that 54 percent of small businesses have experienced fraud or cyber crime over the last year. Although more than one-third of respondents do not report the incidents to police or to banks because they believe it would not make a difference, 53 percent of those surveyed would like specific information about how and where to report the incidents. Eighty-five percent of respondents said that they would make use of organizations established specifically to gather the information and use it to combat fraud. The average annual cost of cyber crime and fraud to small businesses in the UK is GBP 800 (US $1,140).
http://www.scmagazineuk.com/Small-businesses-hit-by-cybercrime-do-not-intend-to-report-it/article/127576/
http://www.theregister.co.uk/2009/02/19/cybercrime_small_business_survey/

Let's start with the second article first, because it's less interesting. The headline should have said "UK small businesses" but that's a minor detail. Does this set off your stealth marketing alarm? It pegged the needle on mine; so I'd like to make a prediction: someone is out beating the bushes, right now, to start up that reporting center. Let's see if I'm right and, within the next year, someone announces that they're either member-funded (in which case they will quickly vanish) or government-funded and are offering that capability. Those of you who've been around information security since the early 1990's will remember the spectacular rise and fall of break-in reporting in the US, with attrition.org, CERT, and CSI/FBI publishing various statistics that meant - uh - various things. Usually, what they meant, to me, was "security reporting is a hard problem." ... And that's the topic of the first article.

Continue reading "AfterBites: Incident Reporting and Science 101" »

 

AfterBites - 160 Illustrations of Transitive Trust

The article:

 Number of Banks Affected By Heartland Breach: 160 and Growing
(February 6 & 12, 2009)
According to the Bank Information Security website, nearly 160 financial institutions have acknowledged that they were affected by the Heartland Payment Systems data security breach. Banks in 40 US states as well as in Canada, Bermuda and Guam have reported that some of their customers' cards were exposed. It is not known how many card accounts were compromised; Heartland says it processes 100 million transactions a month.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127822&source=rss_topic17
http://www.bermudasun.bm/main.asp?SectionID=24&SubSectionID=270&ArticleID=40389&TM=28150.45
http://www.theregister.co.uk/2009/02/12/heartland_data_breach_latest/
http://www.bankinfosecurity.com/articles.php?art_id=1200&opg=1


One of the underlying realities of computer security is the problem of transitive trust.

Continue reading "AfterBites - 160 Illustrations of Transitive Trust" »

 

AfterBites: Cyberwar Hypewatch

The article:

 --German Magazine Says Armed Forces Establishing Cyber Warfare unit
(February 9, 2009)
German magazine Der Spiegel reports that the country's armed forces are in the process of establishing a unit dedicated to cyber warfare. The unit will take on responsibility for protecting German IT infrastructure from attacks as well as conduct reconnaissance and interventions on foreign and "enemy" computer networks.
http://www.heise-online.co.uk/news/Report-claims-German-armed-forces-setting-up-cyberwar-unit--/112595


I'm sure there are lots of countries setting up "cyberwar" units. Why? Because they're so very, very l33t!

Continue reading "AfterBites: Cyberwar Hypewatch" »

 

AfterBites: Parking Ticket Social Engineering

(This column is one of what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space to rant at length, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

Parking Tickets as Cyber Attack Social Engineering Vector
(February 4 & 5, 2009)

Cyber criminals in Grand Forks, North Dakota planted phony parking violation notices on cars. The notices direct the users to a website for more information, which leads the users through a set of links that downloads malware onto their computers. That malware then urges users to download an anti-virus scanner that is worthless.
http://www.techweb.com/article/showArticle?articleID=213200005&section=News
http://news.bbc.co.uk/2/hi/technology/7872299.stm
http://isc.sans.org/diary.html?storyid=5797

A few years ago, I was sitting in a hotel bar at a security conference, matching my tequila-drinking skills against all comers, when we got to discussing the next generations of identity theft attacks. One of the ideas I suggested was related to what we see above, and I'm really unhappy to see that The Bad Guys are showing no sign of stopping their creative engines.

Continue reading "AfterBites: Parking Ticket Social Engineering" »

 

AfterBites: My Hospital Robo-Surgeon Has a What?

(This column commences what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space, nor would it be appropriate for the editors to engage in hand-to-hand combat, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

 --London Hospitals' Worm Infection "Entirely Avoidable"
(February 2, 2009)
A review of the worm infection that affected three London hospitals last November found that the incident was "entirely avoidable." The Mytob worm infected 4,700 PCs at St. Bartholomew's, the Royal London Hospital in Whitechapel and The London Chest Hospital; as a result, some ambulances were rerouted and some recordkeeping had to be done with pen and paper. While administrative systems were running again within three days, it took two additional weeks to scan all the machines to ensure they were clear of infection. The review determined that the initial infection resulted from misconfigured anti-virus software and spread so widely due to a decision by administrators to disable security updates because they had caused some computers to reboot while surgery was underway.
http://www.theregister.co.uk/2009/02/02/nhs_worm_infection_aftermath

There is so much wrong with this picture that it's hard to know where to start. "Ambulances rerouted" could be extremely unpleasant if you were, say, waiting patiently for help after a car crash, or something. "Recordkeeping with pen and paper" is, perhaps, a useful survival drill. The part that makes my blood run cold is "caused some computers to reboot while surgery was underway." I know that if I were a patient and heard the distinctive "cdrom-whirr, beep" of a computer rebooting, I would leap off the table and make a bloody trail toward the taxi stand, if I had working legs.

Continue reading "AfterBites: My Hospital Robo-Surgeon Has a What?" »

 

Marcus Ranum PaulDotCom Interview on Penetration Testing

Tenable's CSO, Marcus Ranum, was recently interviewed on the PaulDotCom Security Weekly podcast. They discussed a wide range of topics regarding penetration testing, secure coding, Marcus's "6 Dumbest Ideas" in computer security and much more.

  • Full PaulDotCom show notes.
  • Direct link to the show's MP3 audio recording.
  • Tenable podcast and slides on Marcus's "6 Dumbest Ideas in Computer Security" presentation from 2006.
  • Very cool image of Marcus Ranum demonstrating cutting edge computer security practices.

 

CSO Online interview with Marcus Ranum

Tenable's Chief Security Officer, Marcus Ranum, was recently interviewed by CSO Online for their "What Happens Next" security predictions series. Previous interviews included Whit Diffie, Chris Hoff and many other security experts. Read the full interview here.

 

Cyberespionage (Part III of a series)

Hello again!

In my last column, we looked at cyberterror and puzzled aloud about "if it's so horrible, why isn't it happening?" In this episode, we're going to tackle the most straightforward aspect of cyber-badness: espionage. While it's straightforward, it scares me more than any of the other cyber-badness.

This series of columns is based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. As always, I welcome constructive feedback at mjr@tenablesecurity.com.


CyberEspionage

Perhaps the salient point about espionage - all espionage - is that destroying or damaging the target is self-defeating. The effective spy is a parasite; they embed themselves somewhere they can see, hear and collect data unobtrusively. Espionage is a strategic activity, not a tactical one: you want to have your spies in place in deep cover for a long time, so that they can provide strategy-building information during peacetime and carefully selected tactical information during wartime. We're all probably familiar with the famous story of ULTRA during WWII - Churchill had to allow a convoy to fall prey to a U-boat wolf pack because if the convoy changed course the German Naval command might have realized their codes had been compromised. Converting strategic espionage assets into tactical assets almost always increases the chance they will be compromised or the enemy will change their procedures.

Imagine, if you will, a planning meeting between cyberwarriors and cyberspies. It would not go well. The cyberwarrior thumps his fist on the table and announces, "At 2:15am tomorrow, we launch the attack and collapse the enemy's command/control network!" The cyberspy, horrified, rejoins, "If you do that, you'll completely blind half our assets at the most critical moment in the battle. Thanks, you big idiot!"

Historically, armed forces have tactical intelligence-gathering capabilities, as well as strategic intelligence capabilities directed toward likely foes. In the US, the Pentagon has the Defense Intelligence Agency (DIA) which is separate from the former strategic intelligence agency, the Central Intelligence Agency (CIA).(1) This compartmentalization is useful for preventing exactly the kind of problems I'm describing - parallel organizations working at cross-purposes may not be as efficient but it gives security. So, how does cyberespionage fit in? Simple: it's just another form of "espionage as usual." Competent spies will adopt The Internet as a convenient replacement for dead drops and will find it's a lot easier to copy data onto a thumb-drive than to photograph it with a miniature camera - but that's nothing new.

Aldrich Ames, the KGB's mole in the CIA, carried Top Secret data home on floppy disks and CD-ROMs; does that make him a cyberspy? I don't think that's a worthwhile distinction.

The CyberEspionage Kerfuffle

Recently there has been a great deal of news-play about supposed Chinese cyberespionage "attacks" against US Government agencies and defense-related firms. The entire situation puzzles me greatly, because none of the players involved are acting the way I would expect them to act if they were performing competently. Both the FBI and CIA have had spokespeople make public comments about penetration attempts originating from China - but no credible evidence (other than "the IP address came from over there!") has been presented.

Since the FBI's charter, as a law-enforcement organization and part of The Department of Justice, is to build cases and collect evidence, you'd expect something better than "we could tell you, but then we'd have to kill you" smoke-blowing. Anyone who has worked the computer security field for more than a couple of years knows that claims from federal agencies that are backed by "...but we can't talk about it" are 99.9% likely to be false. If someone actually knows something they "can't talk about" they won't say anything on the topic at all; that's just introductory-level tradecraft. And if someone from law enforcement throws around public accusations without presenting evidence, they're skating on very thin ice, indeed.(2) Worse, in this case, it represents a potential incident between superpowers armed with nuclear weapons - throwing around unsubstantiated accusations amounts to posturing while lives are at stake.

Meanwhile The Chinese do not appear to be acting competently, either, if they are actually involved in what's going on. Surely, the Chinese cyberespionage agency (if one exists) is competent enough to launder their connections through someplace else. In fact, I would think that laundering connections would be the first thing you'd learn in introductory cyberspy school. Since cyberspies aimed at the US would need to read American English fluently, I'd expect their internal chatting would be carried out in the target language, as well. None of this matches the rumors we hear of "Chinese chatter in hacker chat rooms" or "connections from universities in China." Do you really expect that professional cyberspies would use hacker chat rooms or a university connection? It's plausible, but only if you're willing to assume that the Chinese are stupid. I'm not.

Whenever I make these observations publicly, I invariably get Emails from people saying, "yeah, but - if you knew what I know..." And, invariably, they're touting myths that I've heard before.

Just to give you an example: one fairly well-known security practitioner who has fallen for the whole "China cyberspy" story started quoting an anonymous government source to me about how they were uncovering "Blacknet." You've got to laugh - Blacknet(3) was a fictional concept-piece written to illustrate how anonymous remailers and e-currency could be used to build a covert information exchange economy. The Blacknet document was written in the early 1990s and I actually ran across it being taken seriously at a meeting at The White House, when it was handed to me by a highly placed member of US law enforcement who was investigating it. When I explained it was a USENET posting he asked me "What is USENET?" For all I know, the government has a Blacknet task force out there, somewhere, wasting taxpayers' dollars chasing a fiction. Jumping at shadows is what you do when you're dangerously ignorant.

Considering how utterly terrible our federal agencies are with anything to do with computer security, I wouldn't believe anything they said unless it was backed with hard evidence. Right now cyberwarfare/cybersecurity/cyberespionage remains a coveted hot potato in federal circles. A coveted hot potato is one that everybody wants but can't hold. How many federal agencies, today, are vying for the position of coordinating cybersecurity? Everyone wants the budget and the prestige but they are all just empty shells made out of PowerPoint decks and staffed by contractors.

Now, Let's Think

Imagine that we were setting up a cyberespionage capability for a rival superpower. How would we do it if we were professionals? Well, first off, we would recognize that cyberespionage was just a sub-discipline (or a footnote, really) of regular espionage, so we'd simply create a core team of technically savvy operators that existed to facilitate computer-related activity within our espionage agency. In other words, they'd be primarily just another data source that would feed into our analysts. They'd develop bits of custom code as well as useful technologies for our normal field operators. The field operators would be "plain old spies" and they'd target the outsourcing agencies that manage the US Government's IT infrastructure. Since we're talking about a strategic intelligence capability, it would be built over a long period of time, quietly and carefully. The last thing we'd ever do is an amateurish "smash and grab" attempt at some government agency's firewall. Why would we do something that silly, when the firewall administrator works for a contractor and we've got one of our people in the contractor's NOC? Why would we bother wasting the bandwidth to suck files out through the firewall, when the guy who makes the backups works for us? The last thing we'd want to do is rock the boat by having our victim think they were being penetrated by professionals!

I suppose it might be fun to watch the target waste its money and efforts trying to figure out what hijinks the hacker kids are getting up to. Simply by choosing to prosecute severely any hackers going against our government systems (in China, hackers have been sentenced to death) we would be implicitly encouraging them to target their efforts someplace else. Let an army of "useful idiots" keep the target busy and, perhaps they might turn up something useful. The ultimate form of asymmetric warfare is when you have something that costs you nothing but costs your opponents millions and millions of dollars while making them look stupid and feel outclassed.

See what I'm getting at? The public scenarios of cyberespionage are mostly laughable movie scripts. The reality could be much more sobering.

Next, we'll look at cyberwarfare. Of all the threats we're looking at, it's the only one that's just flat-out silly.
Stay tuned,
mjr.




(1) I choose my wording very carefully here. The CIA's failures as a strategic intelligence-gathering force are manifest. If the US had a real strategic intelligence capability, we would not have been conned into believing there was a "missile gap" or surprised by the introduction of Soviet missiles into Cuba. Nor would the collapse of the Soviet Union have been a surprise. Instead of a strategic intelligence capability, the CIA evolved into "the foreign department of dirty tricks." Readers with further interest in this topic should read Mark Riebling's "Wedge" (http://www.amazon.com/Wedge-Secret-War-Between-FBI/dp/0679414711) and Tim Weiner's "Legacy of Ashes" (http://www.amazon.com/Legacy-Ashes-History-Tim-Weiner).

(2) The FBI has a long history of smearing its own face with egg by doing this. Wen Ho Lee, Richard Jewell, and Stephen Hatfill could all tell you. The FBI's announcing Hatfill as a "person of interest" resulted in the taxpayers paying Hatfill $5.8 million in damages. Jewell recovered millions from The FBI and CNN, and Wen Ho Lee's lawsuits will cost the news media and taxpayers millions by the time it's all over.

(3) http://cypherpunks.venona.com/date/1998/01/msg00436.html


Cyberterror (Part II of a series)

Hello again!

In my last column, we looked at cybercrime and how its dynamics are subtly different from real-world crime. In this episode we're going to tackle a much trickier topic - namely cyberterror. Of all the cyber-badness that's out there, cyberterror is the most puzzling: if it's so gosh-darned lethal a threat, why haven't we seen any of it, yet?

This series of columns is based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. As always, I welcome constructive feedback at mjr@tenablesecurity.com.


CyberTerror

It's impossible to have worked in the information security arena in the last decade without running across someone who was encouraging you to be afraid of cyberterrorists. This, in spite of the fact that there hasn't - yet - been anything worthy of being considered "terror." Is cyberterror just a myth that's being trumpeted in order to generate cash-flow for security consultants, or is the threat real? As Dogbert used to say, "that's not an 'or' question!" - perhaps the fear of cyberterror is a cash cow and there's a real danger.

"Terrorism" is typically defined as "the attempt to change a target's political process through fear and intimidation." It differs from crime because it's ideological and the terrorist's agenda is furthered by publicity. A cybercriminal does not want CNN to cover "the threat of bank scams" whereas the modern terrorist fails if they don't get media coverage. Other than fear, another agenda of the terrorist is to separate the people from their government, by demonstrating that the government can't keep up its side of the social contract. Since a government (in theory) exists to protect its people, the terrorist's victory is all but assured when it can drive a wedge between the government and the governed. That's how the media serves to amplify the effect of a terrorist's strike - every time some talking head asks, "how could the government screw up so badly..?" the terrorists win a little bit.

So, you'd think cyberterror would be a splendid weapon: it's a venue that's utterly ripe with government screw-ups waiting to happen. Instead of death and destruction, so far we've been treated to "cyberterror" attacks that hardly qualify as more than "cyberannoyance." In 2001, when I researched the topic for my book on homeland security, the most significant cyberterror event I could find was one government agency that had been flooded with millions of Emails - not even bush league terror; closer to comedy. Today, we have the example of the cyberterror attacks against Estonian government sites. Initially, it was reported as if it was likely to be sponsored by the Russian government, but later it turned out to be a single disgruntled hacker. DDoS attacks such as the Estonian attacks are within the reach of most mid-level or advanced hackers. So, why isn't it happening more? Simply put: it's not particularly scary. And, in fact, once it happens a few dozen times it'll no longer be newsworthy. Remember: terrorists feed on media attention, which means that they need to be scarier than Britney Spears' latest personal crisis and more damaging than the stunts on "Jackass."

The Cyberterror Paradox

Here's the odd thing about cyberterror: whenever a bunch of my friends and I get together at a conference, and pass the bottle while conjuring up cyberterror scenarios - we manage to scare the bejeezus out of ourselves. I find it hard to imagine that I'm more evil(tm) than all the terrorists in the world, but if a couple of half-sloshed computer programmers can plot a roadmap to ruin for a superpower, surely Bin Laden's buddies can, too. So what's going on?

One possibility is that terrorists are really nowhere near as sophisticated as the media (and the government) make them seem. Of course, when I consider how computer-security literate and sophisticated the media/government are, the fact that Al Qaeda owns laptops probably elevates them to the status of "power user terrorists." Never mind that they haven't figured out the most rudimentary kinds of encryption or communications security. Simply: these are not the kind of guys I'd vote as "most likely to hack into and destroy something important." Terrorists, to me, seem disappointingly unimaginative - they come up with a trick and then use it over and over until it's played out. Fortunately for us, that plays well with the security establishment's horrible tendency to try to protect against the last attack. It's as if the good guys and the bad guys have synchronized their decision/response (OODA) loops. The real fireworks happen when one side or the other shows a bit of innovation.

In the past I've been very critical - even to the point of outright scoffing - of the concept of cyberterror. But I have to admit that the potential is real. In the last few years I've learned things about SCADA networks that I wish I could forget. Yes, there is very real potential for horrific attacks and damage. Is there some twisted hacker out there, right this moment, about to sign up and change the face of 21st century terrorism? Perhaps all that's been sparing us, so far, is that most IT-savvy young men do not have the requisite feelings of disenfranchised hatred. Have we been saved by stock options?

As with serious, high-end, cybercrime I think we've been spared the worst scenarios because of the set-up time required for deeply destructive attacks. Most of the time, when I read the scenarios offered by cyberterror pundits, they're assuming a cyber-component combined with a physical attack, either as an enabler or an amplifier. I think that what has saved us, there, is that terrorists have not demonstrated any penchant for long-term deep-cover operations. I shouldn't play armchair psychologist, but deep-cover operations don't seem to fit with a mindset that is hate-filled and action-oriented. Terrorists don't seem to be strong on long-term strategy other than survival. I don't think that terror has had its Napoleon Bonaparte, yet, and we should all be thankful for it. Do you think that energy companies, chemical companies, Amtrak, trucking companies, and shipping companies do deep background checks on their employees? What about on the companies that provide basic services such as security, janitorial, and telephone to critical infrastructure? If you think about it for a bit, and imagine that you were able to plot on a 5-year timescale instead of 6 months, you ought to be able to really scare yourself. Is it simply a focus on short-term damage and rewards, or are they stupid and utterly clueless about tradecraft?

Ease of Abuse

I think the most likely reason terrorists have ignored cyberspace is because the skills necessary to launch real-world attacks are lower and willing soldiers are easier to recruit. Until such time as there is a massively successful (i.e.: horribly destructive) cyberterror event, terrorists will likely want to stick with the tactics to which they have already acculturated the media. Once again, it's easier for CNN to understand a suicide bomber - for now - than a mysterious refinery explosion that may have been caused by computers. The tipping point, unfortunately, would happen once the media started to conclude that anything that went wrong was likely to have been caused by cyberterrorists. If that were to happen, we could expect the United States to head-butt itself into insensibility with an overreaction such as we saw post-9/11. You can easily imagine a deliberate strategy of getting one's opponent to waste money through overreaction. Look at how much the United States has spent on the Transportation Security Administration, throwing away liquids and gels, and removing our shoes. Here's where the terrorist can always win: the worst part of asymmetric warfare is that the expense is asymmetric, too.

If the target does not respond to an attack, they are vulnerable to more of the same. If they do respond, the attacker can simply focus someplace else and repeat the process all over again. It's because of this dynamic that I've changed my views about cyberterror: it seems like a great way for an attacker to get the United States to spend ridiculous amounts of money. The more we spend to protect our physical systems, the more attractive a target we make our virtual systems. And vice-versa. The worst part about the mere threat of cyberterror is that it can drive costs up for higher-tech nations, at nearly no cost to lower-tech nations or independent actors.

Necessary For The Future

All of this brings me to the future. It's fairly safe to predict that sooner or later, there will be a significant cyberterror event. Before that happens, the United States needs to clearly establish a public doctrine regarding how we will respond to such events. This is especially important if you consider the question of whether the event is state-sponsored or the perpetrators are being sheltered by a state. Lately there has been a great deal of rumbling - rumbling I consider irresponsible, since evidence has not been presented - about alleged Chinese-sponsored cyber-espionage against United States and European powers. We need to encourage the international community to start thinking about this topic: at what point is a cyber-(whatever) attack an act of war, or a serious provocation? What kind of proofs and evidence are adequate to link a state sponsor to an event?

I know that these questions seem a bit over-the-top, but I'd hate to see wars and killing as a result of poorly-thought-out reactions to someone's exploiting a misconfigured firewall! It's a plausible scenario, unfortunately, and it's made more plausible by security practitioners' horrible tendency to worry inordinately about problems that take us by surprise. At this point, our computing infrastructure may be so poorly secured that it's not cost-effective for us to try to lock it down. We're going into a future for which we are clearly unprepared.

Next, let's look at espionage. If you think cyberterror is a depressing problem, just wait!
See you soon,
mjr.


CyberCrime, CyberTerror, CyberEspionage, and CyberWar

Greetings!

In this column, and in subsequent columns, I am going to develop a set of themes about cyber-stuff. We've all heard a great deal of kerfuffle about cyberterror or cyberwar, but - what, really, is it? It turns out that the terms are being bandied about very loosely and are often used interchangeably in ways that are advantageous to the speaker and confusing to the listener.

This series of columns is based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. I welcome your constructive feedback at mjr@tenablesecurity.com.


CyberCrime

Criminal enterprises have been a persistent threat throughout human history. We could almost dispatch the topic of cybercrime with this observation: it will never go away. But, as always, there's more to it than that. Cybercrime has some interesting properties that make it a more significant problem than "normal" crime:

  • Automation
  • Low infrastructure cost
  • Trans-nationality

Firstly, cybercrime invents a whole new form of criminal enterprise. Typically, if a criminal wants to steal $1,000,000 he needs to steal it all from a small number of places. But with cybercrime, you have the potential of automating attacks, so that the criminal might steal $1 from one million people. That changes the dynamics of crime because human institutions have adopted fairly effective controls on large amounts of valuable items - but historically that has been at the expense of worrying less about "petty" crimes. An individual losing $1 will probably shrug it off as unworthy of attention, whereas nobody is going to write off $1,000,000. Because of the loss-levels involved in cybercrime, the burden of paying attention to the crime transfers to society as a whole - no single individual is hurt enough to care, yet it represents a massive drain on an economy. There are a few things that fall out from this: insurance models don't make sense if you're worrying about such small losses, and classical models of having the wronged individual ("plaintiff") carrying a complaint about the criminal no longer make sense. It doesn't make sense to mount a million-member class action suit against a spyware seller.

This all sounds very theoretical, so far, but there are significant issues that societies need to recognize. Namely, that the current mechanisms of justice simply are not tuned to handle cybercrime effectively. We see proof of this in the way that enforcement attempts are currently aimed at highly active criminals. Law enforcement decides "Let's bust this one guy and maybe it'll 'send a message' to the rest." Here's a hint: when law enforcement is only capable of trying to send a message then the situation is out of hand and they are signalling defeat.

It will only get worse

The low infrastructure cost of becoming a cybercriminal makes it extremely attractive. A friend of mine was involved in a case about 6 years ago in which they discovered a group of cybercriminals who had a fairly substantial IT set-up, all stolen goods purchased on eBay with compromised PayPal accounts. Nowadays, it's not even necessary to have an infrastructure at all; the criminal can take advantage of online service providers, paid with stolen credit cards. An example of this transition is a Nigerian bank scam spammer that was caught in London - he was operating entirely from a local cybercafe, commissioning spams through bot-herders, and harvesting his Email through Yahoo! and Hotmail. The criminal owned, literally, no IT infrastructure beyond a USB memory stick on which he kept track of his "customers."

Compare the cost of being a cybercriminal, and combine with it the near-zero likelihood of getting caught, and it's an incredibly attractive enterprise. This is why it will get worse - possibly dramatically - over the next decade. If you're a stick-up artist and you rob a convenience store, you need a gun and a car and you're running the very real risk of catching a bullet. The typical convenience store robbery nets between $1000 and $2000 for the criminal - compare that to the far larger potential profits of cybercrime and the lack of physical risk and I predict that the current state of affairs is just the tip of the iceberg we're going to have to deal with in the next 20 years.

I know that what I am about to say is not "politically correct" but: the current generation of young people, who do not recognize pirating music or videos online as a form of theft, are going to incubate the next generation of cybercriminals - and they will be truly horrible to deal with.

Cybercrime is trans-national; it respects no boundaries. In fact, the smarter criminals take advantage of this already by recognizing that the cost of international prosecution gives them a safe "ground cover" under which they can operate with impunity.

I predict that the trans-national nature of cybercrime is going to have a number of possible outcomes. The most likely short-term outcome is that trans-national money transfer systems will come under pressure. It will become increasingly difficult to use payment tools across national boundaries. In some cases, this is already happening - I attempted to pay for some eBay winnings with PayPal from my laptop in a cybercafe in Poland and was surprised (and then pleased, once I thought about it) when PayPal blocked the transaction. Online banks and payment systems are going to increase in complexity in order to deal with this, I predict. In fact, it can't happen soon enough! I would dearly love to be able to go to my credit card company's website and tick off the countries I will be travelling to in the next month and "unlock" them for that month - in return for nobody else being able to use my card outside of this country. Similarly, I predict we will see things like being able to indicate that your card should only be used to pay for goods that are shipped to your billing address, etc. Right now, our defensive techniques are lagging dramatically behind the offensive techniques that the criminals are inventing! We need creativity and innovation on the defensive side - not another 3 digit PIN-code added to our credit card number.
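The two cardholder-set controls proposed above (a per-country "unlock" window and a ship-to-billing-address-only rule) are easy to express as an authorization policy. The following is an added example, not code from the original column or from any payment provider; the `CardProfile`, `Transaction` and `authorize` names and the sample profile and transactions are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed types: what a cardholder might configure in a self-service portal.

@dataclass
class CardProfile:
    home_country: str                   # ISO 3166 alpha-2, e.g. "US"
    billing_address: str
    # country -> (first day, last day) on which the card is unlocked there
    unlocked: Dict[str, Tuple[date, date]] = field(default_factory=dict)
    ship_to_billing_only: bool = False


@dataclass
class Transaction:
    merchant_country: str
    when: date
    ship_to: Optional[str] = None       # None for purchases that ship nothing


def _normalize_address(addr: str) -> str:
    """Fold case and whitespace so trivial formatting differences don't cause declines."""
    return " ".join(addr.lower().split())


def country_allowed(profile: CardProfile, txn: Transaction) -> bool:
    """Home country is always allowed; any other country only inside its unlock window."""
    if txn.merchant_country == profile.home_country:
        return True
    window = profile.unlocked.get(txn.merchant_country)
    return window is not None and window[0] <= txn.when <= window[1]


def shipping_allowed(profile: CardProfile, txn: Transaction) -> bool:
    """If the cardholder opted in, goods may only ship to the billing address."""
    if not profile.ship_to_billing_only or txn.ship_to is None:
        return True
    return _normalize_address(txn.ship_to) == _normalize_address(profile.billing_address)


def authorize(profile: CardProfile, txn: Transaction) -> Tuple[bool, str]:
    """Evaluate both cardholder-set rules; the reason string is for the decline log."""
    if not country_allowed(profile, txn):
        return False, "country %s not unlocked on %s" % (txn.merchant_country, txn.when)
    if not shipping_allowed(profile, txn):
        return False, "ship-to address differs from billing address"
    return True, "ok"


# Constructed sample data: a US cardholder who unlocked Poland for June 2008.
SAMPLE_PROFILE = CardProfile(
    home_country="US",
    billing_address="1 Main St, Anytown, NY 10001",
    unlocked={"PL": (date(2008, 6, 1), date(2008, 6, 30))},
    ship_to_billing_only=True,
)

SAMPLE_TXNS = {
    "poland_in_window":  Transaction("PL", date(2008, 6, 15)),
    "poland_after":      Transaction("PL", date(2008, 7, 2)),
    "germany_locked":    Transaction("DE", date(2008, 6, 15)),
    "home_ship_ok":      Transaction("US", date(2008, 6, 15), "1 MAIN ST,  Anytown, NY 10001"),
    "home_ship_bad":     Transaction("US", date(2008, 6, 15), "99 Elsewhere Rd, Othertown, CA 90001"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed transaction through the policy; returns name -> approved."""
    return {name: authorize(SAMPLE_PROFILE, txn)[0] for name, txn in SAMPLE_TXNS.items()}


if __name__ == "__main__":
    for name, txn in SAMPLE_TXNS.items():
        print(name, authorize(SAMPLE_PROFILE, txn))
```

The point of splitting `country_allowed` and `shipping_allowed` is that each control is independently opt-in and independently logged: a decline says which cardholder rule fired, which is what the cardholder (and the fraud team) needs to see when a legitimate purchase is blocked.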

Another longer-term outcome of the trans-national nature of cybercrime is that sometime in the next decade or two, we can expect a unified international response to the problem. It seems unlikely, now, but remember that I'm predicting cybercrime will get a whole lot worse, first. Eventually we will have a standard set of trans-national practices for dealing with online criminals. There will be no extradition, there will be a seamless process whereby trans-national crimes are prosecuted evenly based on where the crime was committed from instead of who the crime was committed against. There are a lot of tricky issues to sort out, but if the costs of cybercrime continue to skyrocket, there will be a coordinated response eventually.

The final point I'd like to make on cybercrime is that the current set of problems show us nothing about how bad it can possibly get. The current crop of cybercriminals are the equivalent of pickpockets and smash-and-grab artists. They are moving up the scale of sophistication, but they are, still, not very sophisticated. At a certain point, you move up-scale from the Reservoir Dogs to professional gangs that are willing to invest the time and energy to infiltrate targets and take advantage of "insider" positions. We've recently seen the kind of damage that a trusted insider can do with the huge losses incurred at France's Société Générale - nobody is asking themselves whether an insider could appear to make some incompetent trades while actually lining the pockets of a group of co-conspirators. And, if they were, how could we tell? The potential for insider-based high dollar cybercrimes is vast and the perpetrator does not need to be in a conspicuous position of trust to carry them out. A system administrator, or an operator at an outsourcer, has potential insider information on every aspect of a business. It simply takes a little creativity to figure out how to "monetize" the information. The next obvious step from that is to attempt to hire into a position with the specific intent of monetizing a specific data item. Make the right move and sell the correct copy of the right backup tape, and you could retire comfortably by age 25. What scares me is the suspicion that this could already be happening - most of the systems I've seen are woefully under-capable at backtracking and understanding such a crime, let alone detecting it.

Your future

If you're part of an organization that does business online, cybercrime is going to be part of your personal future, for the foreseeable future. How's that for a cheery prediction? Worse, still, your opposition is completely non-ideological and cannot be dissuaded or negotiated with.


Next up, we will take a look at Cyberterror. Cybercrime is the "boring stuff" and now we've gotten it out of the way.

Let's talk soon,
mjr.