[SecurityRatty] tag: enemies

Defense Spooks: Let's Control Enemy Minds

Sat, 16 Aug 2008 09:03:00 +0000

Rather than developing performance-enhancing drugs for soldiers, defense agents want to study performance-degrading drugs for our enemies. A report recommends investment in neuroscience research that could reveal ways to eliminate our enemies' motivation to fight and get them to obey our commands.

Schneier Misquote

Sat, 02 Aug 2008 06:44:25 +0000

There's a quote attributed to me here:

Well-known author and expert on security, Bruce Schneier, born in 1963, maintains "Terrorists can only take my life. Only my government can take my freedom."

I don't think I've ever said that. It certainly doesn't sound like something I would say. It's not in any of my books. It's not in any of the essays I've written.

So I Googled the quote. Here it is being used as a sig in December 2001, without attribution. The real source must be at least as old as that. The immediate source might be this blog. Possibly, it might come from this comment to my blog, reworded and attributed to me:

Surely the man who trades freedom for security theatre deserves both freedom and security less than the first man!
I like that quote, "we must remember that we have more power than our enemies to worsen our fate". Terrorists can, at most, take away my life. They can never take away my freedom. Only my government has the power to do that.

Anyone have any better theories?

Kill Switches and Remote Control

Tue, 01 Jul 2008 02:48:37 +0000

It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear. OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment. Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class. The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards. Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override? How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands? It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems. And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music to a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible. "Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite. This essay originally appeared in Wired.com.

Security Matters: I've Seen the Future, and It Has a Kill Switch

Thu, 26 Jun 2008 00:00:00 +0000

OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment.

Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class.

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands?

It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems.

And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible.

"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Backdoording Cyber Jihadist Ebooks for Surveillance Purposes

Wed, 25 Jun 2008 13:06:38 +0000

It appears that cyber jihadists are striking back at the academic and intelligence community, by binding their propaganda Ebooks with malware, then distributing them across different forums, thanks to a recently analyzed Ebook entitled "The Al-Qaeda network's timely entrance in Palestine" distributed by the Global Islamic Media Front - hat tip to Warintel.

If it were posted by a newly joined forum member, it would have logically raises the suspicion that it's in fact intelligence agencies spreading malware infected Ebooks around cyber jihadist forums, but it's since this one in particular is being distributed by what looks like a hardcore cyber jihadist, it brings the discussion to a whole new level.

What are they trying to achive? Abuse the already established trust of their readers and cyber jihadist supporters in order to snoop on their Internet activities, or it's the academic and intelligence community they are trying to monitor? In times when botnets can be rented and created on demand, they seem to be more interested in infecting their enemies. Moreover, I suspect that prior to the forum posting, private messages and emails were automatically sent to notify members whose number of posts at the forum greate outpace those of average observers, perhaps the target in such an attack.

The malware is detected by 9 out of 33 antivirus scanners as Trojan.Midgare.gra. Consider reading a previous post on "Terror on the Internet - Conflict of Interest" as well as through the related posts summarizing all the cyber jihadist research I've conducted so far.

Attack Vector

Mon, 23 Jun 2008 02:23:17 +0000

A new report on security breaches leads Frank Hayes to conclude that your company's business partners should be treated like worst enemies.

A coward exposes personal information on 40% of Chileans

Fri, 16 May 2008 09:56:50 +0000

Technorati Tag: Security Breach

Date Reported:
5/10/08

Organization:
Chilean Government

Contractor/Consultant/Branch:
None

Victims:
Chilean residents

Number Affected:
~6,000,000

Types of Data:
"names, addresses, telephone numbers and taxpayer identification numbers"

Breach Description:
"An anonymous hacker has posted personal data about 6 million Chilean residents on the Internet, highlighting wider privacy problems in the country. The data was posted early Saturday morning on Fayerwayer.com, a popular Chilean technology blog."

Reference URL:
Fayerwayer.com Alert
ABC News
The Tech Herald
International Herald Tribune
vnunet.com

Report Credit:
JI Stark, Fayerwayer.com

Response:
From the online sources cited above:

ORIGINAL POST TEXT GOOGLE TRANSLATED
Something really horrible has just come to our comments. Moments after writing about the purchase of Inquisitor by Yahoo, an anonymous comment left three links to download two files that contain databases in CSV of public and private institutions where there is sensitive information of millions of Chileans, like RUN - Role purely national identification number Chilean -, socio-economic data, electoral, educational, addresses, and telephone numbers individuals, among others.

We urge that these files if they see us please not download or disseminated by any electronic means.

It is extremely dangerous what can happen - and what can happen to you, as the only disseminate is an offence punishable by law - in the case that such senstive data failling to the hands unscrupulous. It seriously.

Update 02:46 AM (GMT -4): The team of FireWire is doing everything in its power at this time to cooperate and ensure that this situation is resolved as soon as possible.

Update 03:25 AM (GMT -4): The topics in our forums with links to the files were deleted. The FireWire forums require registration, so that data - although most likely false, including IP's mask - will be put in the hands of the authorities.

Update 04:45 PM (GMT -4): The Cybercrime Brigade of the Investigative Police of Chile already contacted us, told us about the progress of the investigation that is already under way and we extend all cooperation that is within our grasp.

END OF ORIGINAL POST TEXT

A hacker has obtained the personal details of around six million Chileans from government and military servers and posted them on a technology blog.
[Evan] "Anonymous Coward" posted the information in the comments of the purchase of Inquisitor by Yahoo posting on www.fayerwayer.com. href="http://www.fayerwayer.com.%3C/span%3E%3Cbr%3E%3Cbr%3EThe">

The hacker, who calls himself "Anonymous Coward," posted three compressed files of data that included names, addresses, telephone numbers and taxpayer identification numbers for Chilean residents, said Leo Prieto, Fayerwayer.com's director.

The data was taken early Friday from servers at the Education Ministry, the electoral service and the military

it was first reported to police early Saturday by Leo Prieto, the administrator of a local technology-oriented Internet site who discovered links to the information online.

Among the data was a list of students who receive preferential public transportation rates, including one of President Michelle Bachelet's two daughters

Despite the information's prompt removal from the Internet, some people may have downloaded it "and it may still be around on the Internet,"

over the following days the files started popping up on other sites including Google's Blogger
[Evan] You can't un-disclose confidential information. Once the confidentiality of information has been compromised, it is always going to be compromised.

Reports claim that the hacker performed the stunt to highlight poor levels of data protection in Chile.
[Evan] What idiot would pull such a stunt and claim such a ridiculous justification?

In a note accompanying the files, Anonymous Coward said he posted the databases to draw attention to the poor data protection measures in the country
[Evan] This is the worst way to draw attention to poor data protection. What "Anonymous Coward" did was create 6,000,000+ enemies and put his/her very well being at risk. He/she caused an extraordinary amount of harm to almost 40% of Chile's population and made a complete ass out of him/herself.

El Mercurio reported that it had access to some of the data, including a file in which the hacker said he intended "to demonstrate how poorly protected the data in Chile is, and how nobody works to protect it."

The files include tips on what to do with the data and how best to access it.

"Chile may be on the other side of the world, but the scale of this data breach should not be ignored," said Graham Cluley, senior technology consultant at security firm Sophos.

"No matter how moral or ethical the motive, this prank was irresponsible and has left almost 40 per cent of Chile's population at risk of identity theft."

Cluley added that all organisations around the world should see this as a wake-up call and ensure that all personal and sensitive information is stored securely.
[Evan] You would think that the 94,000,000 credit card numbers stolen from TJX, or the 26,500,000 Social Security numbers on the stolen Veterans Affairs laptop, or the 25,000,000 personal records lost on CDs from HM Customs and Revenue would wake organizations up. There is still this illogical thought in organizations that "this will never happen to us". It DOES and IT WILL. I'm not even going to get into information security personnel that lack skill and have business leaders fooled into thinking that they are doing the right thing(s).

"Whether or not the loss results in a fine is almost irrelevant; the consequences of falling victim to such an attack can mean irreversible damage to reputation and customer confidence."
[Evan] I couldn't agree with Mr. Cluley any more. This is a guy that "gets it".

Commentary:
Unbelievable. The evil in some people. So let's say that "Anonymous Coward" is caught (I think chances are better that 50/50). Now what? How do you punish someone whose actions put 6,000,000 people at risk of losing their identities. These people will live with some level of fear for a very long time. Punishment will be severe, but how severe is enough? This will be an interesting story to follow.

Let's not lose sight of another issue with this breach. What is the Chilean government doing to protect confidential information and what does it intend to do in response to this breach? Obviously the government needs to secure information better, but how will they respond to 40% of their residents being exposed to fraud and all that comes with it? I don't know what can be done short of re-assigning government issued identifiers to Chilean residents. This breach (or series of breaches) could be very costly to residents, the Chilean economy and the government.

Past Breaches:
Unknown

Air Force Colonel Wants to Build a Military Botnet

Mon, 12 May 2008 13:30:00 +0000

The U.S. military ponders creating its own zombie army to flood enemies with junk packets. Can Air Force phishing attacks and 4-19 scams be far behind?

DARPA Wants Matrix-style Virtual World for Cybergeddon

Sun, 11 May 2008 08:15:00 +0000

The US military's famed scientific wingnut farm, DARPA*, has released full details of its planned "National Cyber Range" - a mighty network which could be configured to simulate the cyberspace battlefields of the future. This would allow America's fighting nerds to train for the net conflicts of tomorrow, mounting attacks on simulated enemies..

Log Haiku #3

Thu, 24 Apr 2008 04:40:00 +0000

Enemies are approaching
Logs can help!
Deleted? Oh, life is pity...