[SecurityRatty] tag: emerges

NAPA Shows How the Government is Using Web 2.0

Wed, 16 Jul 2008 16:45:37 +0000

Back in April, we attended a session at the FOSE conference that highlighted Web 2.0 usage in the public sector. We also found through a survey of government workers that 65% of government IT workers surveyed said that Web 2.0 tools are important to their operations. The overall message was that all IT, government included, have too many projects they could be taking on for the amount of resources they have. For much of the IT topics we covered in the survey, importance was high but actual deployment was lower.

Dan Munz, project manager of the Collaboration Project commented on the unique work that the National Academy of Public Administration (NAPA) is doing to bring together government leaders. The Collaboration Project seeks to innovate across government not just down the silos and create a safe place for leaders to have discussions around innovation.

ScienceLogic: What is the National Academy of Public Administration?

Dan Munz: The Academy is an independent, non-partisan, non-profit organization dedicated to tackling government’s most complex challenges. We were founded in 1967 by James Webb, the NASA administrator who took us to the moon – he saw that he could consult the National Academy of Sciences for expert technical advice, but had no counterpart in government for expert management advice. That’s been our mission ever since.

ScienceLogic: What is the Collaboration Project? How long has it been around?

Dan Munz: The Collaboration Project is the Academy’s response to two parallel trends we see in government. The first is the government’s need to transform the way it does business. There is a strong demand for change out there driven by a number of challenges that are forcing the government to rethink its mission and structure. Challenges include a public disconnected from government; a multi-sector workforce and increasing reliance on contractors; financial instability; and new types of security threats, just to name a few. More and more, the challenges facing government reach across the traditional boundaries of agency and mission. But government isn’t configured to work that way.

The second trend is the unprecedented opportunity collaborative technology offers to drive transformational change in government. Tools like blogs, wikis, and mashups are changing the way leaders think about problems. They’re focusing not on what they can do just within their offices or agencies, but what voices they need to pull together across government, non-profits, the general citizenry, and other stakeholders to solve these problems. The Collaboration Project’s goal is to encourage this type of thinking and empower leaders committed to use collaborative technology to:

strengthen citizen civic engagement;
enhance government transparency;
improve service delivery and operational efficiency; and
facilitate coordination and innovation within and between agencies.

ScienceLogic: Why focus on Web 2.0 in the government?

Dan Munz: The question of how web 2.0 will impact federal IT departments is a critical one. Our view is that “the era of big systems” is basically over. Things like disk space, bandwidth, and computing power are basically shifting from being assets to being commodities.

There’s also a shift in expectations. People both inside and outside government – especially Gen-X and Gen-Y – are incredibly frustrated by being able to use lightning-fast apps like Flickr, YouTube, and Facebook that don’t even live on their hard drives while the government and other large organizations still operate clunky PCs, space-limited e-mail accounts, and sluggish e-mail servers.

So aside from the opportunity for transformative leadership, the idea of web 2.0 at a government level is very appealing in terms of getting the most out of the IT infrastructure we already have, rather than embarking on costly, large-scale projects in an era of diminishing budgets.

ScienceLogic: How do you build a sense of community at the Collaboration Project?

Dan Munz: Some community feel emerges naturally, from a sense that mass collaboration really is a tool for “doing government” in a whole new way.

The more formal community building mechanisms we have include our web page, where we share insights, news, case studies, and other content – The virtual space serves as an anchor for people, whether they’re experts or beginners, to learn about what we do.

Finally, we are conducting an ongoing series of in-person meetings, usually featuring a leader who has harnessed collaborative technology in what we think is a truly revolutionary new way.

ScienceLogic: How do you hear about cool new government Web 2.0 projects?

Dan Munz: That’s a key question, because part of our mission is to inspire action by finding leaders who have succeeded and highlight their accomplishments. We’ve done that with folks like Kip Hawley, TSA, Molly O’Neill, EPA, and Jim Walker, Alabama DHS.

We also feel that the Academy’s position as a “safe space” for leaders means that we’re a place people can turn to when they hear about an emerging trend or project and want some help making sense of it.

ScienceLogic: What are the most innovative uses of Web 2.0 technology you’ve seen in the government?

Dan Munz: It’s important to distinguish between agencies that are simply adjusting to the reality of web 2.0, and those that are “using” it. Getting a YouTube account for your agency, or putting some photos on Flickr, is a great first step, but we want to inspire leaders to really transform their normal ways of doing business. At the moment a few that come to mind are the EPA Puget Sound Mashup, ODNI’s Intellipedia, TSA IdeaFactory, the PTO Peer-to-Patent Project, and Virtual Alabama, to name a few.

The TSA launched the IdeaFactory in February 2008. TSA set up a collaboration platform with commenting, voting, etc. to form communities in a way to bring people to consensus and offer ways to improve the agency’s performance.

ScienceLogic: Do you see a difference between state and local versus federal adoption of Web 2.0?

Dan Munz: That’s a hard generalization to make – at all levels you see leaders who recognize the potential in this technology to bring new voices into the governance process.

ScienceLogic: What are the obstacles to Web 2.0 adoption by government agencies?

Dan Munz: The three main challenges that we see are in the areas of technology, culture, and policy/governance.

The technology issue is probably the simplest to solve – it’s important to choose a technology that fits the problem you’re trying to solve, but these technologies are usually inexpensive and almost never very complex.

The question of culture is harder, particularly given the way that baby boomers, gen-xers, and millenials are beginning to interact in the workforce. How do you gain acceptance and buy-in among groups that have very different comfort levels with collaborative tools and environments?

Finally, the most daunting challenge might be the questions of policy and governance, if only because those are the things that most commonly prevent leaders from even dipping a toe in the waters of collaboration. Most of the policies, regulations, and statutes governing the way government does business don’t anticipate things like wikis, blogs, or instant messaging. One of our most important missions is helping leaders who just want to get to action navigate these obstacles.

ScienceLogic: Is there any advice you can give to government employees getting started with Web 2.0? Or any places you would point them to for more info?

Dan Munz: It’s shameless plug time! I’d of course point them to our web page, collaborationproject.org, where, among other things, we’ve collected a case library of over 40 instances of collaborative technology being used in the government and non-profit sectors. The library is growing every day and is a sort of “database of record” for what is and isn’t working in terms of collaborative government. I think that would be a great place to start for anyone looking to get started but not really knowing the way.

In terms of advice, the best thing to say is that, once you’ve settled on a problem you want to solve and an audience you want to reach out to, just do it! We believe strongly that there are a lot of organizational and leadership issues that still need to be addressed regarding collaboration in government, but our biggest mantra is about getting leaders to action. The most successful projects we’ve seen are ones that try something daring and new, and discover the true power of what they’ve done as it catches on more and more widely.

ShareThis

Terror on the Internet - Conflict of Interest

Tue, 18 Mar 2008 16:58:23 +0000

Insightful article by Greg Goth, discussing various aspects of the pros and cons of monitoring cyber jihadist sites next to shutting them down, as well as mentioning my analysis of the Mujahideen Secrets encryption tool v1.0 and v2.0. Terror on the Internet: A Complex Issue, and Getting Harder :

"Indeed, politicians around the world call at regular intervals for terrorist websites to be removed from their host sites’ servers or for search engines to block access to them. They also call for laws that would make posting instructions on how to kill or maim people or destroy property punishable by law. Franco Frattini, the European Commission’s Vice President for Freedom, Justice, and Security, called for a prohibition on websites that post bomb-making instructions in September 2007. And just as quickly, he rushed to announce that in doing so he was not trying to impinge on freedom of speech or information access or to inhibit law enforcement agencies from monitoring sites."

There're three perspectives related to cyber jihad, should the virtual communities be shut down, monitored, or censored so that they cannot be accessed by people who would potentially get radicalized and brainwashed by the amazingly well created propaganda in the form of interactive multimedia? Given the different mandates given to different intelligence services and independent researchers, is where the conflict of interest begins. Moreover, don't forget that independent researchers sometimes come up with the final piece of the puzzle to have an intelligence agency come up with the big picture in a cost-effective and timely manner, given they actually believe in OSINT and trust the source of the intell data of course. Now, picture the situation where an intelligence agency is shutting down cyber jihadist sites on a large scale not believing in the value that the intelligence data they they could provide, another one given a mandate to censor cyber jihadist communities compiling reports stating that someone's shutting them down before they could even censor them, and a third one who would have to again play cat and mouse game the locate them once they've shut down by the first intel agency already. Ironic or not, different mandates and empowerment is where the contradiction begins. Let's discuss the three mandates and go in-depth into the pros and cons of each of them to come up with a philosophic solution to the problem, as I belive it's perhaps the only way to provoke some thought on the best variant.

Shutting the communities down -

Before shuting them down you need to know where they are, their neighbourhood of supporters who will indirectly tip you on the their latest location once they have their previous domain shut down. Personal experience and third party research indicates that over 90% of the cyber jihadist communities/blogs are hosted by U.S based not owned companies. And with the lack of real-time intell sharing between the agencies themselves, the first who picks up the community will be responsible for its faith, literally. But in reality, preserving the integrity of a cyber jihadist community, and convincing the right people that balanced monitoring next to shutting it down is more beneficial, remains an idea yet to be considered. Back in 2007, I did an experiment, namely I crawled ten cyber jihadist forums and blogs and extracted all the outgoing links from these communities to see their preferred choice for online video and files hosting. A couple of months later, the communities got shut down, so when the same thing happened while I was crawling the Global Islamic Media Front's, and Inshallahshaheed's web presence, it became clear that while some are crawling, and others censoring, third parties are shutting them down.

The bottom line - shutting them down doesn't mean that they'll dissapear and will never come back, exactly the opposite. Personal experience while handling the Global Islamic Media Front is perhaps the perfect and best hands-on experience on the benefits of shutting them down, given you've built enough convidence in your abilities to locate their new location. If you think that the cyber jihadist site or community you're currently monitoring is a star, look above, it's full of starts everywhere, once you start drawing the lines between them, a figure of something known emerges, in this case once a cyber jihadist community is shut down, its most loyal and closely connected cyber jihadist communities will expose their intimate connection not by just starting to promote their new location online, but even better, you'll have them use the second cyber jihadist community to directly reach their audience by the time they set up the new location and resume the propaganda and radicalization.

There's no shortage of cyber jihadist blogs, forums and sites, and personal experience shows that upon having a cyber jihadist community shut down, they re-appear at another location. It's shut down again, it re-appears for a second time. I've seen this situation with Instahaleed and GIMF, and each and every time they had their blogs and sites removed from their hosting providers, mainly because it's rather disturbing that the majority of such communities are hosted on U.S servers, it's this short time frame which will either lead you to their new location, you risk loosing their tracks. However, the vivid supporters of PSYOPs are logically visionary enough to understand what does undermining their audiences' confidence in the community's capability to remain online means.

Monitoring the communities -

In order to reach the "shut it down or monitor it" stage in your analysis process, you really need to know where the cyber jihadists forums and sites are, else, you will be wasting your time, money and energy to create fake cyber jihadist communities in the form of web honeypots for jihadist communication. Monitoring is tricky, especially when you don't know what you're looking for, don't prioritize, don't have a contingency plan or an offline copy of the communitiy and wrongly building confidence in its ability to remain online. Moreover, monitoring for too long results in terrabytes of noise, and from a psychological perspective sometimes the rush for yet another fancy social networking graph to better communicate the collected data, ends up in the worst possible way - you miss the tipping point moment.

Censoring the communities -

I often come across wishful comments in the lines of "blocking access to bomb and poison making tutorials", missing a very important point, namely, that these very same manuals, and jihadist magazines are not residing in a cyber-jihad.com/bomb-making-guide.zip domain and file extension form, making the process a bit more complex to realize. Unless of course the censorship systems figures out ways to detect the content in password encrypted archive files served with random file names and hosted on one of the hundreds free web space providers. Then again, given the factual evidence that cyber jihadists are encouraging the use of Internet anonymization services and software, your censorship efforts will remain futile.

As I'm posting this overview of various ways of handling cyber jihadist communities, yet another community is starting to attract cyber jihadists, thanks to their understanding of noise generation by teaching the novice cyber jihadists on the basics of running and maintaing such a community. What's perhaps most important to keep in mind is that, what you're currently analyzing, trying to shut down or censor whatsoever, is the public web, the Dark Web, the one closed behind authentication and invite-only access yet remains to be located and properly analyzed. If cyber jihad is really a priority, then there's nothing more effective than the combination of independent researchers and intelligence analysts.

Related posts:
Inshallahshaheed - Come Out, Come Out Wherever You Are
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"
Wisdom of the Anti Cyber Jihadist Crowd
Cyber Jihadist Blogs Switching Locations

Internet PSYOPS - Psychological Operations

Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

Teaching Cyber Jihadists How to Hack

A Botnet of Infected Terrorists?
Infecting Terrorist Suspects with Malware
The Dark Web and Cyber Jihad
Cyber Jihadist Hacking Teams
Cyberterrorism - don't stereotype and it's there
Tracking Down Internet Terrorist Propaganda
Arabic Extremist Group Forum Messages' Characteristics
Cyber Terrorism Communications and Propaganda
Techno Imperialism and the Effect of Cyberterrorism
A Cost-Benefit Analysis of Cyber Terrorism
Current State of Internet Jihad
Characteristics of Islamist Websites
Hezbollah's DNS Service Providers from 1998 to 2006
Full List of Hezbollah's Internet Sites
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
A List of Terrorists' Blogs
Jihadists' Anonymous Internet Surfing Preferences
Samping Jihadist IPs
Cyber Jihadists' and TOR
A Cyber Jihadist DoS Tool
GIMF Now Permanently Shut Down
Steganography and Cyber Terrorism Communications

Logs: Parsing, Tokenizing or Extracting?

Mon, 10 Mar 2008 22:54:00 +0000

As you know, I have long been on a quest to save the world from having to write long and ugly regular expressions (regexes) for log analysis. Back in 2005 (post, big discussion that ensued) and later in 2007 (post, another big discussion that again ensued), I have tried to poll people for approaches that convert logs into useful information without messing with massive quantities of regular expressions as well as performed some research on my own. In all honesty, I didn't notice a major breakthrough.

Until now? Here ("prequel" here and follow-up here) is what looks like an interesting and major development along that line. Indeed, one can automate the processing of some "self-describing" log formats (name=value pairs, comma/tab delimited with descriptive header, sequential names and values [yuck!], XML, etc) to obtain a semblance of structured data (not just a flow of text logs) from logs without any human involvement.

But is that an endgame, that "holy grail" of log analysis or yet another step towards it? First, bad logs break it (e.g. with space in names or values with spaces and without quotes) and thus call for a return of a human logging expert to write an even fancier regex that can deal with it (then again, bad logs often break human-written rules as well). Second, there is a more important issue that I will bring up. So, if logs contain "user=jsmith" we can certainly learn a new piece of info (that the "user" was probably "jsmith"). But what if they contain "bla_bla=huh_huh" - and we don't know what "bla_bla" and "huh_huh" mean? Do we really have more information at hand if we tokenize it as "object called 'bla_bla' has the value of 'huh_huh'" compared to just having a single blurb of text "bla_bla=huh_huh." I personally don't think so - but I've been known to be wrong before :-)

So, let's review what we have: I decided to organize the current approaches to logs in the form of this table (hoping to start a discussion!)

	Text Indexing	Field Extraction (Algorithmic)	Rule-based Parsing (Manual)
Pros	Easy - no human effort needed: just collect the logs and go	Easy - no per-log effort on behalf of the log analyst (but some creative code needs to be written)	Hard - an expensive logging expert must first understand the logs and then write the rules; normalization across devices implies having a uniform data store for logs
Cons	Output is low quality information; rather, a flow of raw data (needs more analysis)	Mixed - some new information emerges, but not in all cases (and you can't predict when) In general, no cross-device analysis is enabled ('user' is not the same as 'usr' in other log)	High-quality output: tables, graphics, summaries and easy correlation across diverse log sources (highly useful information!)

So, what can we conclude? It is too early to retire the human-written rules (so people will still have '\s' and '\w' coming up in bad dreams... :-)), but this automated approach should definitely be used on the logs that will "allow you to do it to them." :-) Personally, I am also very happy that somebody is thinking about such matters ...

Comment away!

Technorati tags: logging, log analysis, log management

Unprofessionally Piggybacking on my Research

Wed, 05 Mar 2008 10:32:05 +0000

Why did I bother to send this message to Full-Disclosure last night, despite that I already posted it here? Because I knew that this would happen, it's happened before, and it will happen in the future, so having dates and hours to prove what you see on the top of each and every blog post here, namely the real-time situational awareness objective, is what I wanted to achieve. And I did. Thankfully, there're Sophos, TrendMicro, McAfee and Commtouch realizing that corporate blogging evolved from hard selling and the basics of marketing, to a complex PR platform, and therefore quote and link to my blog, to have me link back, so that a conversation emerges. Redefining the process of rephrasing so that my creative commons license per post is not violated? Find the ten differences between my post yesterday, its title, and today's statements:

"Continuing, Chia says that: “Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these iFRAME-ed results in the first few pages of the search results. And the objective? To get the unsuspicious user to click on the link”."

So, my original post went online yesterday, TeMerc reposted it, so did Paul, I sent it to Full-Disclosure, and as it looks like F-Secure's Wing Fei Chia seems to read, either Full-Disclosure, or my blog to come up this post, 24 hours later. Anyway, SecurityFocus, again covers the incident in an article entitled "Fraudsters piggyback on search engines", quoting me, this time professionally.

Powerful new antiphishing weapon emerges

Sun, 10 Feb 2008 21:00:00 +0000

Some of the Internet’s most powerful companies -- including Yahoo, Google, PayPal and AOL-- are brandishing a new weapon in the ongoing battle against e-mail fraud. It is called DKIM, an emerging e-mail authentication standard developed by the Internet Engineering Task Force, and it allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message.

Fundamental Principles of Network Security	Advertisement
Protect the organization. Learn the 'Need To Know' aspects of network security. Free paper from APC.

The Shark3 Malware is in the Wild

Thu, 31 Jan 2008 16:10:57 +0000

Life's too short to live in uncertainty, the stakes are too high. A month ago, I indicated the upcoming release of the third version of the script kiddies favorite Shark Malware. Despite that after the negative publicity of the malware that's actually promotd as a RAT, the authors supposedly abondoned the malware, they seem to have logically resumed its development. And so, the Shark3

malware is continuing its development.

What's new? Anti-debugger capabilities in particural against - VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box etc.

Detection rate : Result: 15/31 (48.39%) - Backdoor.Win32.Shark.if

File size: 3104768 bytes

MD5: e3a6758f5c90b39b59c6cd7551224d52

SHA1: 25f025f31560a28275aab006e04aace828e012ea

Some key points regarding Shark :

- its do-it-yourself nature, just like many of the malware tools I've covered before is empowering script kiddies with advanced point'n'click capabilities

- built-in spyware functionaly, namely "aggressive service" which resets the start-up values when they're delted, yet another indication that what's pitched as a RAT is in fact malware

- once released in an open source form, a community emerges around it one that starts innovating and coming up with new features

Locked Call Boxes and Banned Geiger Counters

Fri, 18 Jan 2008 04:44:31 +0000

According to Fire Engineering magazine, one reason for the slow response to the Great Chicago Fire of 1871 was that fire alarms were kept locked to prevent false alarms:

Q: Prior to 1870, street corner fire alarm pull boxes were kept locked. Why were they kept locked and how did a person gain access to 'pull the box?'
A: They were kept locked due to false alarms. Nearby shopkeepers or beat cops carried the keys.

Here's Robert Cromie, writing in The Great Chicago Fire (Thomas Nelson: 1994), page 33:

William Lee, the O'Leary's neighbor, rushed into Goll's drugstore, and gasped out a request for the key to the alarm box. The new boxes were attached to the walls of stores or other convenient locations. To prevent false alarms and crank calls, the boxes were locked, and the keys given to trustworthy citizens nearby.
What happened when Lee made his request is not clear. Only one fact emerges from the confusion: No alarm was registered from any box in the vicinity of the fire until it was too late to do any good.

Apparently, Lee said that Goll refused to give him the key because he'd already seen a fire engine go past; Goll said he actually did pull the alarm, twice, but if so it must not have worked.

(There's more about what sounds like a really bad communications failure, but it's a little too hard for me to read on the Amazon website.)

Here's more:

But did you know that the fire burned for over half an hour before an alarm was ever sounded? Alarm boxes were actually kept locked in those days, to prevent false alarms!
When the first alarm box was finally opened and the lever pulled, the alarm somehow did not get through. The fire dispatcher was playing a guitar for a couple of girls at the time and he kept on serenely strumming, completely unawares. After the fire had been growing and blazing for nearly an hour a watchman screamed at the dispatcher to sound an alarm, which he did, and the first three engines, two hose wagons, and two hook and ladders were sent out -- but in the wrong direction!

At first the dispatcher refused to sound another alarm, hoping to avoid further confusion.

Compare this with a proposed law in New York City that will require people to get a license before they can buy chemical, biological, or radiological attack detectors:

The legislation — which was proposed by the Bloomberg administration and would be the first of its kind in the nation — would empower the police commissioner to decide whether to grant a free five-year permit to individuals and companies seeking to "possess or deploy such detectors." Common smoke alarms and carbon monoxide detectors would not be covered by the law, the Police Department said. Violations of the law would be considered a misdemeanor.
Why does the administration think such a law is necessary? Richard A. Falkenrath, the Police Department’s deputy commissioner for counterterrorism, told the Council’s Public Safety Committee at a hearing today, "Our mutual goal is to prevent false alarms and unnecessary public concern by making sure that we know where these detectors are located and that they conform to standards of quality and reliability."

The law would also require anyone using such a detector -- regardless of whether they have obtained the required permit -- to notify the Police Department if the detector alerted them to a biological, chemical or radiological agent. “In this way, emergency response personnel will be able to assess threats and take appropriate action based on the maximum information available,” Dr. Falkenrath said.

False positives are a problem with any detection system, and certainly putting Geiger counters in the hands of everyone will mean a lot of amateurs calling false alarms into the police. But the way to handle that isn't to ban Geiger counters. (Just as the way to deal with false fire alarms 100 yeras ago wasn't to lock the alarm boxes.) The way to deal with it is by 1) putting a system in place to quickly separate the real alarms from the false alarms, and 2) prosecuting those who maliciously sound false alarms.

Cyber espionage seen as growing threat to business, government

Wed, 16 Jan 2008 21:00:00 +0000

Cyber espionage is getting renewed attention as fresh evidence emerges of online break-ins at U.S. research labs and targeted phishing against corporations and government agencies here and abroad.