[SecurityRatty] tag: censor

The Cyber Storm II Cyber Exercise

Thu, 03 Apr 2008 08:29:03 +0000

I first blogged about the "Cyber Storm" Cyber Exercise aiming to evaluate the preparedness for cyber attacks of several governments two years ago, and pointed out that :

"Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure, it would abuse it, use it as platform. However, building confidence within the departments involved is as important as making them actually communicate with each other."

And while I'm still sticking to this statement, a year later I also pointed out that :

"In a nation2nation cyber warfare scenario, the country that's relying on and empowering its citizens with cyber warfare or CYBERINT capabilities, will win over the country that's dedicating special units for both defensive and offensive activities, something China's that's been copying attitude from the U.S military thinkers, is already envisioning."

Morever, Taiwan, too, copycating the U.S, performed a cyber warfare exercise codenamed "Hankuang No. 22" (Han Glory) in 2006 as well, fearing cyber warfare attacks from China.

The new "Cyber Storm" Cyber Exercise, is particularly interesting, especially the initiative to measure the response time to an OPSEC violation in the form of sensitive information leaking on blogs. A very ambitious initiative, given the many other distribution channels, which when combined in a timely manner make it virtually impossible to shut down and censor, the leaked material. What if it gets spammed? Moreover, what's a leak to some, is transparency into the process for others. Cyber Storm II is already a fact whatsoever :

"At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans. 'The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,' said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise. Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest."

The main issue with this type of cyber exercises is that starting with wrong assumptions undermines a great deal of the developments that would follow. Cyber warfare is just an extension of the much broader information warfare as a concept, namely, Lawfare, Econonomic Warfare, PSYOPS, to ultimately end up in an unrestricted warfare stage. Subverting the enemy without fighting with him, that's what offensive cyber warfare is all about, even if you take people's information warfare concept as an example. It's a government tolerated/sponsored activity, whereas the government itself is suverting the enemy without fighting him, but forwarding the process to their collectivism minded citizens. The strong lose, since the adversary is abusing the most unprotected engagement point, thereby underminig the investments made into securing the most visible touch points. A couple of key points to consider in respect to the cyber exercise modelling weakness :

- White hats pretending to be black hats simply doesn't work

- Frontal attack against critical infrastructure is pointless, insiders are always there to "take care"

- Passive cyber warfare such as gathering OSINT and conducting espionage through botnets

- Cyber warfare tensions engineering through the use of stepping stones

- Stolen and manipulated data is more valuable than destroyed data

- Lack of pragmatic blackhat mentality scenario building intelligence capabilities

- Unrestricted Warfare must be first understood as a concept, than anticipated as the real threat

From a strategic perspective, securing and fortifying what you have control of is exactly what the bad guys would simply bypass in their attack process, among the first rules of unrestricted warfare is that there're no rules with the idea to emphasize on the adaptation and going a step beyond the adversary's defense systems in place.

Blogging for the sake of blogging

Sat, 22 Mar 2008 22:09:33 +0000

So I guess all of this back and forth on the NAC market and Lockdown has some people getting a little emotional. First, founder #4 (I wasn't even aware there was a founder #4) of Lockdown, Daevid comments on my last post taking me to task for having the audacity to moderate my comments, even after I require people to put in their name and email address in order to comment. I think Daevid is under the impression that I wouldn't publish comments critical of me and that this is cowardly of me. He thinks that this somehow gives me the courage to speak my mind.

Wow. First of all I guess Daevid has never had a blog before, so is not aware of the blog spam problem that forced many of us bloggers to install moderated comments. As I am sure most of you are aware, but for Daevid's benefit, I don't censor any comments to my blog, in fact I encourage them. I just won't allow spammers to use my blog. It has nothing to do with my courage or cowardice, it is more to do that I think blogs should be two way conversations. It makes blogging fun. It goes to blogging for the sake of blogging, something I am not sure Daevid quite understands. I do understand that this is a difficult time for Daevid. No one likes to see something they helped start not be successful. I am sure he thinks that I was not sensitive enough to the situation there. But anyone who has read my blog for a period of time knows that my views on Lockdown Networks have been pretty consistent for a long time. I am sorry if that ruffles his feathers, but I do blog for the sake of blogging and say what I think. One thing though, if I say something, I always have the courage to say I said it and put my name to it. Whether to your face or on this blog, I am pretty straight forward and don't hide behind anything.

Now, that leads me to a comment I read on another blog involved here. A really brave guy who signs himself in as James Kirk, leaves a comment and urges another vendor/blogger on NAC to "try and be as neutral to the industry as possible" and not be a new blogger "that blogs for the sake of blogging". He goes on to say some other things that my own paranoia makes me pretty sure he is talking about me. The neutral thing though is a bit naive, don't you think. If someone is blogging on a company blog, don't you think they are going to try and put their company in the best light and not be just neutral? Come on Kirk, you should have learned that in your first day at Starfleet Academy. You as the reader should be the arbiter of what is true, partially true or false. But the naievite of that comment pales in comparison to the second quote. Don't blog for the sake of blogging. James Kirk, to quote one of your friends, that is not logical. Why else should you blog, but for the sake of blogging? Bloggers blog because they want to hear themselves and they want the world to hear them as well. Blogging is singularly an ego-driven sport. Your total lack of understanding of this fact makes it clear why you did not have the courage to use your real name. You just don't get it. James Kirk maybe you should stick to fighting Romulans and leave the blogging to us.

Terror on the Internet - Conflict of Interest

Tue, 18 Mar 2008 16:58:23 +0000

Insightful article by Greg Goth, discussing various aspects of the pros and cons of monitoring cyber jihadist sites next to shutting them down, as well as mentioning my analysis of the Mujahideen Secrets encryption tool v1.0 and v2.0. Terror on the Internet: A Complex Issue, and Getting Harder :

"Indeed, politicians around the world call at regular intervals for terrorist websites to be removed from their host sites’ servers or for search engines to block access to them. They also call for laws that would make posting instructions on how to kill or maim people or destroy property punishable by law. Franco Frattini, the European Commission’s Vice President for Freedom, Justice, and Security, called for a prohibition on websites that post bomb-making instructions in September 2007. And just as quickly, he rushed to announce that in doing so he was not trying to impinge on freedom of speech or information access or to inhibit law enforcement agencies from monitoring sites."

There're three perspectives related to cyber jihad, should the virtual communities be shut down, monitored, or censored so that they cannot be accessed by people who would potentially get radicalized and brainwashed by the amazingly well created propaganda in the form of interactive multimedia? Given the different mandates given to different intelligence services and independent researchers, is where the conflict of interest begins. Moreover, don't forget that independent researchers sometimes come up with the final piece of the puzzle to have an intelligence agency come up with the big picture in a cost-effective and timely manner, given they actually believe in OSINT and trust the source of the intell data of course. Now, picture the situation where an intelligence agency is shutting down cyber jihadist sites on a large scale not believing in the value that the intelligence data they they could provide, another one given a mandate to censor cyber jihadist communities compiling reports stating that someone's shutting them down before they could even censor them, and a third one who would have to again play cat and mouse game the locate them once they've shut down by the first intel agency already. Ironic or not, different mandates and empowerment is where the contradiction begins. Let's discuss the three mandates and go in-depth into the pros and cons of each of them to come up with a philosophic solution to the problem, as I belive it's perhaps the only way to provoke some thought on the best variant.

Shutting the communities down -

Before shuting them down you need to know where they are, their neighbourhood of supporters who will indirectly tip you on the their latest location once they have their previous domain shut down. Personal experience and third party research indicates that over 90% of the cyber jihadist communities/blogs are hosted by U.S based not owned companies. And with the lack of real-time intell sharing between the agencies themselves, the first who picks up the community will be responsible for its faith, literally. But in reality, preserving the integrity of a cyber jihadist community, and convincing the right people that balanced monitoring next to shutting it down is more beneficial, remains an idea yet to be considered. Back in 2007, I did an experiment, namely I crawled ten cyber jihadist forums and blogs and extracted all the outgoing links from these communities to see their preferred choice for online video and files hosting. A couple of months later, the communities got shut down, so when the same thing happened while I was crawling the Global Islamic Media Front's, and Inshallahshaheed's web presence, it became clear that while some are crawling, and others censoring, third parties are shutting them down.

The bottom line - shutting them down doesn't mean that they'll dissapear and will never come back, exactly the opposite. Personal experience while handling the Global Islamic Media Front is perhaps the perfect and best hands-on experience on the benefits of shutting them down, given you've built enough convidence in your abilities to locate their new location. If you think that the cyber jihadist site or community you're currently monitoring is a star, look above, it's full of starts everywhere, once you start drawing the lines between them, a figure of something known emerges, in this case once a cyber jihadist community is shut down, its most loyal and closely connected cyber jihadist communities will expose their intimate connection not by just starting to promote their new location online, but even better, you'll have them use the second cyber jihadist community to directly reach their audience by the time they set up the new location and resume the propaganda and radicalization.

There's no shortage of cyber jihadist blogs, forums and sites, and personal experience shows that upon having a cyber jihadist community shut down, they re-appear at another location. It's shut down again, it re-appears for a second time. I've seen this situation with Instahaleed and GIMF, and each and every time they had their blogs and sites removed from their hosting providers, mainly because it's rather disturbing that the majority of such communities are hosted on U.S servers, it's this short time frame which will either lead you to their new location, you risk loosing their tracks. However, the vivid supporters of PSYOPs are logically visionary enough to understand what does undermining their audiences' confidence in the community's capability to remain online means.

Monitoring the communities -

In order to reach the "shut it down or monitor it" stage in your analysis process, you really need to know where the cyber jihadists forums and sites are, else, you will be wasting your time, money and energy to create fake cyber jihadist communities in the form of web honeypots for jihadist communication. Monitoring is tricky, especially when you don't know what you're looking for, don't prioritize, don't have a contingency plan or an offline copy of the communitiy and wrongly building confidence in its ability to remain online. Moreover, monitoring for too long results in terrabytes of noise, and from a psychological perspective sometimes the rush for yet another fancy social networking graph to better communicate the collected data, ends up in the worst possible way - you miss the tipping point moment.

Censoring the communities -

I often come across wishful comments in the lines of "blocking access to bomb and poison making tutorials", missing a very important point, namely, that these very same manuals, and jihadist magazines are not residing in a cyber-jihad.com/bomb-making-guide.zip domain and file extension form, making the process a bit more complex to realize. Unless of course the censorship systems figures out ways to detect the content in password encrypted archive files served with random file names and hosted on one of the hundreds free web space providers. Then again, given the factual evidence that cyber jihadists are encouraging the use of Internet anonymization services and software, your censorship efforts will remain futile.

As I'm posting this overview of various ways of handling cyber jihadist communities, yet another community is starting to attract cyber jihadists, thanks to their understanding of noise generation by teaching the novice cyber jihadists on the basics of running and maintaing such a community. What's perhaps most important to keep in mind is that, what you're currently analyzing, trying to shut down or censor whatsoever, is the public web, the Dark Web, the one closed behind authentication and invite-only access yet remains to be located and properly analyzed. If cyber jihad is really a priority, then there's nothing more effective than the combination of independent researchers and intelligence analysts.

Related posts:
Inshallahshaheed - Come Out, Come Out Wherever You Are
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"
Wisdom of the Anti Cyber Jihadist Crowd
Cyber Jihadist Blogs Switching Locations

Internet PSYOPS - Psychological Operations

Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

Teaching Cyber Jihadists How to Hack

A Botnet of Infected Terrorists?
Infecting Terrorist Suspects with Malware
The Dark Web and Cyber Jihad
Cyber Jihadist Hacking Teams
Cyberterrorism - don't stereotype and it's there
Tracking Down Internet Terrorist Propaganda
Arabic Extremist Group Forum Messages' Characteristics
Cyber Terrorism Communications and Propaganda
Techno Imperialism and the Effect of Cyberterrorism
A Cost-Benefit Analysis of Cyber Terrorism
Current State of Internet Jihad
Characteristics of Islamist Websites
Hezbollah's DNS Service Providers from 1998 to 2006
Full List of Hezbollah's Internet Sites
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
A List of Terrorists' Blogs
Jihadists' Anonymous Internet Surfing Preferences
Samping Jihadist IPs
Cyber Jihadists' and TOR
A Cyber Jihadist DoS Tool
GIMF Now Permanently Shut Down
Steganography and Cyber Terrorism Communications

Beware of regulatory reflexes and Metcalfian moles when you launch new Web 2.0 applications

Wed, 09 Jan 2008 19:02:38 +0000

Stephen J. Murdoch is a graduate student at Cambridge, and a prolific writer of papers regarding Internet security. He recently wrote article and article (click HERE) on censorship and shifting Internet borders. The piece reflects on how various jurisdictions have attempted to control or censor content deemed “offensive”, and how it has changed as the [...]