Showing posts with label Hacking.

December 26, 2018

Tired Of All The Whining About China

I don't know about you, but I am so tired of all the whining about China.

- They are stealing our intellectual property. 

- They are hacking into our systems. 

- They are unfairly forcing us to transfer technology to them.

- They aren't opening up their market to us. 

OMG stop the complaining already!

If you don't like what they are doing, then do something about it. 

Tariffs are a start, but just a small one. 

Seriously, if you can't incentivize them to stop the harassment and unfair trade practices by adding them to the World Trade Organization, investing in them, and partnering with them, then you need to actually compete with China. 

- They steal our sh*t--you help yourself to a generous serving of theirs.  

- They break into our systems--you find your way into their systems.

- They try to unfairly take away our markets and jobs--you take away theirs big time.  

Everyone knows that to deal with a bully, you must fight back!

The more we are scared into inaction, the worse it gets.

This doesn't mean that we should get into a military exchange with China, but we do need to get into a confrontation over what economic and global partnership should mean and look like. 

China is an old and truly great nation and their people should be highly respected.

However, the USA should also be treated right, and if that means it's time for a heart to heart and some evening up of the playing field then that is what has to happen. 

We have to restore respect to America, not by becoming bullies ourselves, but by standing up to them when we are being taken advantage of.  ;-)

(Source Photo: Andy Blumenthal)

November 15, 2016

Why Can't We Keep Our Secrets

Well after the now notorious email scandal and other information security mishaps galore, this advertisement in Washington, DC is really quite the rage. 
"Keeps classified data classified."

As parents tell their children about keeping private things private:
"If you can't keep it a secret, then how do you expect the other kids to keep it to themselves?"

There are lots of secrets in DC, but there are also a lot of big mouths, security negligence, and even corruption. 

This gives our adversaries the opportunities they need to get our country's vital information.

We work too hard to develop the best intellectual property for national security and our economy as well as the critical policies for advancing human rights and democracy around the world to let it just be easy fodder for others to help themselves to.

Technology won't solve the gap in certain big mouths and sloppy Joes around town. 

Only vigilant, smart people can protect the nation's vital information that is the fuel for our success and survival. ;-)

(Source Photo: Andy Blumenthal)

July 30, 2013

When GPS Takes You Down The Wrong Path

Mashable is reporting that a team of university students from the University of Texas at Austin were able to spoof the GPS receivers on an $80 million yacht with false signals and make it veer off course without anyone even noticing!

I remember a couple of years ago, I was heading to an offsite meeting for work. 


It was planned for a location that I wasn't extremely familiar with.


Of course, I turned on my GPS device in the car and set the destination.


It was a cold snowy day--the roads were iced--and it was already treacherous driving. 


But I followed the GPS directions to a T.


I ended up in someone's backyard--at a dead end--practically in the middle of a cornfield. 


I'm thinking to myself Crap!--what type of crazy GPS is this? 


Thank G-d, I had my smartphone in my pocket and I opened up the GPS app on it and set the destination again. 


Sure enough, it takes me off and running to the meeting location--about 10 minutes away!


Some things I learnt:


1) OMG, we are so very dependent on our technology; with technology gone wrong, I was stuck in nowhere land USA; with it right--I got out of there and to the correct location and thank G-d. 


2) GPS is a capability that is critical for everything from getting us to where we need to go to getting our missiles to hit on target. Take away or mess with our GPS and we end up missing the mark--potentially big time and with devastating consequences. 


3) Always have a backup, plan B. One GPS can be wrong as in this case, while the other GPS was correct. Redundancy and contingency planning is a must have, period. 


4) When you're heading down the wrong road (or you're off course in international waters), man up and admit it and make a course correction. You don't win any brownie points for continuing to drive into the cornfields. ;-)


(Source Photo: Andy Blumenthal)


July 10, 2013

Emergency Alert Or R U Kidding?

BBC News Technology (9 July 2013) reports on how the U.S. Emergency Alert System (EAS) was hacked. 

The EAS is a program of the Federal Emergency Management Agency (FEMA) and was set up "to allow the president to talk to the entire country within 10 minutes of a disaster." It also provides the public with alerts on local weather emergencies, such as tornados and flash floods. 


EAS replaced the Emergency Broadcast System (EBS) in 1997 and with it came security weaknesses.


Earlier this year, those vulnerabilities were tested and exploited when the Montana Television Network was hacked with an alert of a zombie attack.


And it provided advice on how to survive--"Do not approach or apprehend these bodies as they are considered extremely dangerous."


This is reminiscent of the hoax in 1938 when over the radio came a warning that a meteorite had smashed into New Jersey and aliens were attacking New York--an adaptation of H.G. Wells' "War of the Worlds."


Well yesterday it was aliens, today it's zombies, and tomorrow it could be a phony announcement of an invasion by country XYZ or perhaps an imminent detonation of a thermonuclear warhead somewhere over the continental U.S.


Imagine the panic, confusion, and potential loss of life and property from the ensuing chaos. 


It goes without saying that this is not a way to inspire confidence by the citizens in case of a true national emergency. 


If we cannot count on the systems meant to survive an emergency then how can we be expected to survive the emergency itself? 


The EAS may interrupt your regularly scheduled programming with those loud and annoying tests, but what can really ruin your day is a cyber attack on the system that broadcasts something much nastier and more ominous--and you don't really know whether it's the real thing or just another hack. ;-)


(Source Photo: here with attribution to UWW ResNet)


June 19, 2013

Malware Through A Charger

Who would've thought you can get cyber attacked this way...

Forbes is reporting that Georgia Tech researchers have discovered an exploit where malware could be introduced to your computer through the plug-in AC power charger.

Based on their proof of concept, when you connect your computer and electrical plug, you could get more than an electrical charge to your Apple iOS computer--you could get hacked! 

The malicious charger has been named Mactans and in the future could be put together by inserting a miniature computer board (e.g. a BeagleBoard) right into the base of a charger plug (larger than the one shown above).

The hack attack is enabled by the USB port which is used for charging and doubles as a data port so that the malicious code would be surreptitiously inserted into your computer. 

So be careful what you plug into, because when you think you're just powering up your battery, you may end up powering down your whole computer device.

This sort of reminds me of the shoe bomber that forever changed how we view seemingly innocuous shoes at the airport.

A shoe may not just be for walking, and an AC charger may not be just a power source anymore. ;-)

(Source Photo: here with attribution to Lee Bennett)

March 11, 2012

Taking Down The Internet--Not A Pipe Dream Anymore

We have been taught that the Internet, developed by the Department of Defense Advanced Research Projects Agency (DARPA), was designed to survive as a communications mechanism even in nuclear war--that was its purpose.

Last year, I learned about studies at the University of Minnesota that demonstrated how an attack with just 250,000 botnets could shut down the Internet in only 20 minutes. 

Again last month, New Scientist (11 February 2012) reported: "a new cyberweapon could take down the entire Internet--and there is not much that current defences can do to stop it."

Imagine what your life would be like without Internet connectivity for a day, a week, or how about months to reconstitute!

This attack is called ZMW (after its three creators Zhang, Mao, and Wang) and involves disrupting routers by breaking and reforming links, which would cause them to send out border gateway protocol (BGP) updates to reroute Internet traffic. After 20 minutes, the extreme load brings the routing capabilities of the Internet down--"the Internet would be so full of holes that communication would become impossible."

Moreover, an attacking nation could preserve their internal network, by proverbially pulling up their "digital drawbridge" and disconnecting from the Internet, so while everyone else is taken down, they as a nation continue unharmed. 

While The Cybersecurity Act of 2012, which encourages companies and government to share information (i.e. cybersecurity exchanges) and requires that critical infrastructure meet standards set by The Department of Homeland Security and industry, is a step in the right direction, I would like to see the new bills go even further with a significant infusion of new resources for securing the Internet.

An article in Bloomberg Businessweek (12-18 March 2012) states that organizations "would need to increase their cybersecurity almost nine times over...to achieve security that could repel [even] 95% of attacks."

Aside from pure money to invest in new cybersecurity tools and infrastructure, we need to invest in a new cyberwarrior with competitions, scholarships, and schools dedicated to advancing our people capabilities to be the best in the world to fight the cyber fight. We have special schools with highly selective and competitive requirements to become special forces like the Navy SEALs or to work on Wall Street trading securities and doing IPOs--we need the equivalent or better--for the cyberwarrior.

Time is of the essence to get these cyber capabilities to where they should be, must be--and we need to act now. 

(Source Photo of partial Internet in 2005: here, with attribution to Dodek)



February 19, 2012

Big Phish, Small Phish

Phishing is an attack whereby someone pretends to be a trustworthy entity, but is really trying to get your personal information in order to steal from you or an organization.
Phishing is a type of social engineering where fraudsters try to deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data.

Additionally, phishing emails can contain attachments that infect recipients' computers with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.
The word phishing alludes to the technique of baiting people and like in real fishing, fooling at least some into biting and getting caught in the trap. 

In this fraudulent type, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security numbers, mother's maiden names, account numbers, passwords and more.
Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information.

Spear-phishing is a derivative of this scam that is targeted at specific people, and whaling is when the scam is perpetrated on organization executives or other high profile targets, which can be especially compromising and harmful to themselves or the organizations they represent.
The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each targeting potentially millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services with 47% of the attacks.
There are a number of ways to protect yourself against phishing attacks.
  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links, instead go directly to a website by using a search engine to locate it or copying the link and pasting it into the browser
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with "https"
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information
Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet--hook, line, and sinker.


January 30, 2012

SCADA Beware!




In case you thought hacking of our critical infrastructure and SCADA systems only happens in the movies, like with Bruce Willis in Live Free or Die Hard, watch these unbelievable videos of what Max Corne seemingly does to the energy, maritime infrastructure, and highway transportation systems.


Max apparently is able to turn off (and on) the lights in entire office towers--one and then another, control a drawbridge (up and down)--and has people and cars waiting and backed up, and even changes traffic signals--from speeds of 50 to 5 as well as the message boards to motorists.

While I understand some have questioned the validity of these videos and have called them hoaxes, the point that I come away with is not so much whether this guy is or is not actually hacking into these computer and control systems as much as that the people and organizations with the right skills could do these things.


And rest assured that there are those out there that can perform these hack attacks--reference the Stuxnet worm that attacks Siemens industrial control systems such as those used in the nuclear industry (June 2010).


I also heard a story that I don't know whether it is true or not, about how a cyber expert personally dealt with a very loud and unruly neighbor who was playing Xbox 360 at 3 AM and keeping him awake. So the cyber expert simply hacked into his neighbor's Xbox game over the Internet and set off a program that whenever his neighbor tried to play it, a timer would automatically turn the Xbox back off again (neighbor turns it on again, hack turns it off again....), until at one point, the cyber expert heard the neighbor pick something up (presumably the Xbox) and throw it against the wall. 


In this story, the damage was limited; in other cases, as the Max Corne videos demonstrate (in terms of the realm of the possible), when hackers attack our critical infrastructure and control systems, the results can truly be life threatening, majorly disruptive, and can cause widespread chaos.


Every day, there are digital natives (in terms of their advanced computer skills) that are proving what they can do to bypass our firewalls, antivirus protection, intrusion detection systems, and more.


While in the case of the hack attack on the Xbox, that was the end of the problem for the loud playing neighbor keeping this other guy up at night, in general, the unbelievable ability of some hackers to break into major systems and manipulate control systems and disrupt critical infrastructure is certainly no game, no laughing matter, and something that should keep us up at night (Xbox playing or not).


The takeaway is that rather than demonize and discourage those who have the skills to figure this "stuff" out, we should actually encourage them to become the best white hat hackers they can be with it, and then recruit them into "ethical hacking" positions, so that they work for the good guys to defeat those who would do us all harm. 


January 27, 2012

Cyber War - The Art of The Doable

CBS 60 Minutes had a great episode this past June called Cyber War: Sabotaging The System.

The host Steve Kroft lays the groundwork when he describes information or cyber warfare as computers and the Internet that are used as weapons and says that "the next big war is less likely to begin with a bang than with a blackout."

This news segment was hosted with amazing folks like Retired Admiral Mike McConnell (former Director of National Intelligence), Special Agent Sean Henry (Assistant Director of the FBI's Cyber Division), Jim Gosler (Founding Director of CIA's Clandestine Information Technology Office), and Jim Lewis (Director, Center for Strategic and International Studies).  

For those who think that cyber war is a virtual fantasy and that we are safe in cyberspace, it's high time that we think again.  

Here are some highlights:

- When Retired Admiral McConnell is asked "Do you believe our adversaries have the capability of bringing down a power grid?" McConnell responds "I do." And when asked if the U.S. is prepared for such an attack, McConnell responds, "No."

- Jim Gosler describes how microchips made abroad are susceptible to tampering and could "alter the functionality" of let's say a nuclear weapon that needed to go operational, as well as how they "found microelectronics and electronics embedded in applications that shouldn't be there." 

- Special Agent Henry talks about how thieves were able to steal more than $100 million from banks in less than half a year, not by holdups but through hacking.

- Jim Lewis tells of the "electronic Pearl Harbor" that happened to us back in 2007, when terabytes of information were downloaded/stolen from our major government agencies--"so we probably lost the equivalent of a Library of Congress worth of government information" that year and "we don't know who it is" who broke in.  

The point is that our computers and communications and all the critical infrastructure that they support--including our defense, energy, water, transportation, banking, and more are all vulnerable to potentially lengthy disruption.

What seems most difficult for people to grasp is that the bits and bytes of cyberspace are not just ephemeral things, but that they have real impact on our physical universe.

Jim Lewis says that "it doesn't seem to be sinking in. And some of us call it 'the death of a thousand cuts.' Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it's like little drops.  Eventually we'll drown. But every day we don't notice."

Our computer systems are vulnerable and they control virtually all facets of our lives, and if the enemy strikes at our cyber heart, it is going to hurt more than most of us realize.

We are taking steps with cyber security, but we need to quickly shift from a reactive stance (watching and warning) to a proactive posture (of prevention and protection) and make cyber warfare a true national priority.

December 16, 2011

Decloaking The Adversary

Yes, we lost a drone in Iran and they won't give it back--that stinks!
Initially, the word coming out was it was a mishap, an accident, but the Iranians claimed otherwise--that they brought it down.
Who believed that they could actually do that?
Then there was word that the craft being displayed by the Iranians was a fake, a mock-up, only to be reversed with a confirmation, as reported in Christian Science Monitor, that the drone "is almost certainly the one lost by U.S. forces."
Well now, InformationWeek is reporting (16 December 2011) that Iran really did bring down the stealth drone as well as how they claim to have done it.
First they jammed the communications of the RQ-170 Sentinel, so that with its command, control, and communications (C3) no longer intact, it was forced to go into autopilot and rely on GPS signals to find its way.
Then, the Iranians spoofed the GPS signal making the Sentinel think it was landing at a U.S. base rather than right into hostile territory.
If this is true, then not only is all the captured sensitive technology aboard the craft (such as radar, fuselage, coating, and electronics) in jeopardy of being compromised by reverse engineering, but also as the article states, the Iranians may have demonstrated the means to be able to literally "divert any GPS-guided missiles launched at targets inside its borders."
Quite a scary thought when according to Reuters reports, Iran is less than a year from going nuclear!
So what is the truth and what is misinformation (PsyOps) to confuse or outwit the enemy and how much does any of that really matter if the Iranians have possession of our advanced technology along with the time and the nefarious partners to study it and use it against us?
Or perhaps, this is a great ruse by us and we intended for the Iranians to get the drone--tick, tick, tick... ;-)
We live in a new sophisticated world of electronic and cyber warfare and that combined with nukes makes for some truly dangerous scenarios.
Finally, we should never underestimate the capabilities or intent of our adversaries--surprise may be the most potent enemy of them all.
(Source Photo: here)
