[SecurityRatty] tag: recruit

Obama, Al Qaeda recruit for Rustock

Thu, 24 Jul 2008 20:00:00 +0000

Barack Obama has left the presidential campaign trail and joined George W Bush, Al Qaeda and Microsoft to recruit zombies for the world's second largest botnet, Rustock.

Chinese Cyber Attacks

Mon, 14 Jul 2008 03:08:18 +0000

The popular media conception is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government corporate -- and steal secrets. The truth is a lot more complicated. There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time. These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, trying to demonstrate that they're just as good as everyone else. As well as the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites. The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States. And the money comes from several sources. The groups sell owned computers, malware services, and data they steal on the black market. They sell hacker tools and videos to others wanting to play. They even sell T-shirts, hats and other merchandise on their Web sites. This is not to say that the Chinese military ignores the hacker groups within their country. Certainly the Chinese government knows the leaders of the hacker movement and chooses to look the other way. They probably buy stolen intelligence from these hackers. They probably recruit for their own organizations from this self-selecting pool of experienced hacking experts. They certainly learn from the hackers. And some of the hackers are good. Over the years, they have become more sophisticated in both tools and techniques. They're stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem. And they discover their own vulnerabilities. Earlier this year, one security company noticed a unique attack against a pro-Tibet organization. That same attack was also used two weeks earlier against a large multinational defense contractor. They also hoard vulnerabilities. During the 1999 conflict over the two-states theory conflict, in a heated exchange with a group of Taiwanese hackers, one Chinese group threatened to unleash multiple stockpiled worms at once. There was no reason to disbelieve this threat. If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do more stupid things and generally ignore the political fallout of their actions. In this regard, they're more like a non-state actor. So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get their own cybersecurity in order, and I hope they succeed, I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government. This essay originally appeared on the Discovery Channel website.

A Niche to a Niche is Still Hard to Staff

Thu, 10 Jul 2008 08:59:36 +0000

I’ve touched on this about a bazillion times, let me start today with a very simple statement: due to the scale of the US Government, we cannot find enough skilled security people.

Part of the problem is that good security people need to know the following skills:

IT technology: since the data more often than not is in a computer, you need to understand them
People technology: policies and procedures for managing people
Business sense: understanding that you’re supporting business goals
And for Government: politics

Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.” Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors. =)

Sound complicated? Yes, it is, and it’s hard to find people who can do all this. IT is an employment niche, IT security is a niche to a niche. And there isn’t enough people who have the experience to do it.

So how do we mitigate the staffing shortage? Here is what we are doing today in the Government:

CyberCorps scholarship program for undergrads and graduate students with a minimum government service obligation.
Using other career fields in “crossover roles”–yes, accountants can be used for some light security tasks. Some things that we think of as security are really Quality Assurance and Change Control jobs that we have a vested interest in making work.
Using contractors in some roles such as ISSO, ISSM, etc.
Automation as much as possible. Technical is easier, the policy and procedures side takes longer. What you’ll find out eventually is that good IT management is good security management.
Hanging on methodologies to “automate” the process side of security.

Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution. In order to support the Government, we need to create more people. Cybercorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.

Do we need Security Awareness and Training? Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline. Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people. Problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.

Bookmark to:

Marines Land in Afghanistan -- with Biometrics

Thu, 22 May 2008 18:30:00 +0000

A year ago this June, Taliban fighters streamed into the remote town of Chora in southern Afghanistan expecting an easy victory over impoverished villagers. Instead, they met heavy resistance from scores of uniformed Afghan men.

Those so-called Afghan National Auxiliary Police (ANAP), all formerly in the service of local warlords, had received two months of training by Dutch and American soldiers and were now the first line of defense against the Taliban.

Arming tribesmen was a risky idea. True, this sort of tribal initiative had been effective in Iraq. But NATO commanders feared that Afghan loyalties to their warlords ran too deep. NATO was “arming people who were not necessarily in line with the [Afghan] government,” U.S. Brig. Gen. Robert Cone told Wired.com.

So, last month, NATO fired the auxiliary cops and scrapped the tribal strategy, leaving gaping holes in Afghanistan's defenses. The fix? Marines, of course, armed with fingerprint pads, iris scanners and electronic databases.

With these biometric tools, the Marines are planning to recruit new cops who have no ties to tribal warlords. “We know there are some shadow police and some militia-type police,” Lt. Col. Ray Hall, the Marine commander, said. “Once we go through the vetting process, we'll have everybody screened … so that problem should go away.”

That means scanning every new recruit's unique iris “eye prints,” logging their thumb prints and feeding it all into a growing, but still very spotty, national database linked to criminal and intelligence records. If a cop has any known warlord ties, he's disqualified from serving.

CIA teams used FBI biometrics while hunting for known Al Qaeda operatives in Afghanistan in 2001, and since then, the military has gathered data on almost every Afghan it comes in regular contact with.

There's one more problem. Not all the military databases can talk to one another. “We haven't standardized,” said Larry Schneider, a Northrop Grumman VP who last year was working on collapsing many biometrics systems into just one.

Until everyone is looking at the same data, seditious Afghan cops will probably keep falling through the cracks.

Which IT security skills are most important?

Mon, 12 May 2008 20:00:00 +0000

I often hear from IT executives that it is hard to recruit and retain “good security people.” Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?

Do you listen to your users?

Fri, 04 Apr 2008 17:18:17 +0000

On Friday 10th August, the House of Lords Science and Technology Committee published results of their inquiry into "Personal Internet Security". Richard Clayton, who served as the "Specialist Adviser" to the committee, has written a great introduction to the report highlighting recommendations such as increasing ISPs' responsibility, obliging banks to bear e-fraud losses, introducing data breach notification laws and software liability.

As part of their investigation, the Committee engaged a multitude of experts ranging from e.g. PayPal CISO Michael Barrett to Prof. Ross Anderson, Bruce Schneier to Robert Littas, Head of Fraud Management in Visa Europe. Both the report and evidence (submitted in writing and during interview sessions) are available from the Parliament's web site and are a must read for every security professional.

Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club - a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit their views on the subject. They did so with the following introduction:

Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.

Like every other witness the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of 6 suggestions made by the Club. The following excerpts from the report illustrate this.

Club: "There must be positive Government guidance pushed to users;"

Committee:

8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Club: "Government advice must be from a single point of contact;"

Committee:

8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects.
(6.46)

Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"

Committee:

8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

Club: "Software produces must take more care when writing software to avoid bugs in the first place;"

Committee:

8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through selfregulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"

Committee:

8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps, "users don't know what they want" is not as true as many vendors tend to believe and users can not only help to identify problems but also to develop solutions?

Military Report: Secretly Recruit or Hire Bloggers

Mon, 31 Mar 2008 20:30:00 +0000

U.S. Special Ops undergoes a clandestine effort to establish its own blogging arm.

Cyber Jihadist Hacking Teams

Mon, 17 Dec 2007 17:03:29 +0000

These groups and fractions of religiously brainwashed IT enthusiasts utilizing outdated ping and HTTP GET flooding attack tools, represent today's greatly overhyped threat possed by the cyber jihadists whose cheap PSYOPS dominate, given the lack of strategical thinking, and the lack of sustainable communication channels between them, ruined all of their Electronic Jihad campaigns so far. Religious fundamentalism by itself evolves into religious fanaticism, and with the indoviduals in a desperate psychological need for a belonging to a cause, ends up in one of the oldest and easiest methods for recruitment - the one based on religious beliefs.

The teams, and the lone gunmen cyber jihadists in this post are : Osama Bin Laden's Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR, The Designer - Islamic HaCKEr and Alansar Fantom. None of these are known to have any kind of direct relationships with terrorist groups, therefore they should be considered as terrorist sympathizers.

_Osama Bin Laden's Hacking Crew
OBL's Hacking Crew are anything but cheap PSYOPsers trying to teke advantage of outdated conversational marketing approaches to recruit more members, for what yet remains unknown given the lack of any kind of structured formulation of their long-term objectives. They're also promoting the buzz word "E-MUJAHID" to summarize all the possible taska and objectives one would have. This is how they define E-JIHAD :

"JIHAD is the term used for struggle against evil. Electronic jihad or simply, E-JIHAD, is the jihad in cyberspace against all the propagandas and false allegations against the message of truth. E-JIHAD is the struggle in cyber space against all false and evil disciplines, ideology and forces of evil. Have you ever think what is the need of army? To defend the freedom and liberty of a territory and defend it from the attacks of evil intruders. similarly , E-jihad is the battle in the field of cyber space, against all false believes, and to defend the truth against the false and mean propagandas and cults. It is as necessary as a regular army, to defend the ideological borders of a nation. It is said, “ it is not the gun, it is man behind the gun “. Do you ever think what makes a “man “? Nothing, but just the faith and ideology. Without faith and ideology, there is no man and definitely , we then have gun , but without any man ."

These are the tips provided for "defending the ideological borders" :

- They have created anti-Islamic web sites, which are full of everything except the truth. They are full of mean and vulgar allegations against our HOLY QURA’AN, HOLY PROPHAT MOHAMMAD (PEACE BE UPON HIM) and our teachings. We must defend our teachings and fight against the evils. We have to create Islamic web sites, eGroups, Forums, Message boards, & we must support our Mujahideen brothers in Iraq, Afghanistan, Palestine, Kashmir and elsewhere.

- Many non-Muslims specially jews, Christians and hindus are working in different web groups and communities (like yahoo groups and msn communities) and spreading propaganda against us Muslims. There is a strong need to join such groups and try to refute them. At the moment, the cyber space is free of their opponents. Try to join and refute them, defend your HOLY TEACHINGS OF ISLAM and bring before everyone, nothing but just the truth.

- One of the most dangerous enemies is those who impersonate themselves as a Muslims but they are not Muslims infact. They are Islamic cults. They are usually qadyanis/ahmadis/mirzais and bahais. some are jews and christians. They are all non Muslims but they impersonate as a Muslim and try to misguide others. They are spreading non-Islamic believes. It needs to be taken care of, we have to fight them. Otherwise, you can imagine how disastrous this situation can be for Muslims. These culprit groups even tried to spread a copy of their teachings in the name of HOLY QURA’ AN. but ALLAH has promised that HE will keep HOLY QURA’AN preserved. That’s why, their attempt failed. What is our job? We must fight with these muslim cults and have to tell others the difference between Muslims and muslims cults.

- You can even make your own groups and communities to send mails having Muslim news and Islamic teachings. It is a time convenient method because if you have 500 members in your group, by sending a single mail in the group, your message will be in the inboxes of 500 users, and it takes hardly 1-2 minutes. Isn’t it a time saving technique?

- Many non-Muslim specially Americans, Israelis and Indian hackers always attack our web sites, which are refuting their falsehood and spreading the truth of Islam, the truth that is the only reality. To defend us against such “satanic groups “, we have to organize teamwork, consists of team of Muslim Hackers. Diamond cuts a diamond, to fight with hackers, we need hackers who will defend our sites and make it sure to convey uninterrupted messages to refute the evil and to spread the truth.

_Ansar AL-Jihad Hackers Team and HaCKErS aLAnSaR

Both of these are actually the same, and the group's popularity comes from the al-jinan.net and the al-jinan.org Electronic Jihad campaigns, yes, the failed ones. The original message from Al-jinan's first campaign back in 2006 :

Objective : Will be updated automatically in the main program and the extra room in the conversation. Date : Saturday, 26 /8/2006 - Hours are from 6 pm to 10 Mecca Time - Jerusalem-Cairo. From 3 pm until 7 Time 05:00 Enter chat http: al-jinan.org/chat. Will work only half an hour before the attack. Leadership decided to use only the major programme in the attack, Lltali follows : The programme operates in the same manner but more strongly Durrah, Member faced many problems in the modernization Durra because of their Alcockez, and the present quality, The programme is designed to automatically update speeds.

Their "pitch" :

"We note that our enemies Zionists have such groups in order to eliminate sites and sites of resistance Islamic profess. The notes on the Internet that many of the sites Mujahideen are taking place and the closure of sites and this immoral act of brotherhood pigs. Under such a senseless war on Lebanon and Palestine, the Zionists any target in any area. The factors that are responsible for targeting this will affect them and Ihabtahm and create terror in the hearts of God."

_The Designer - Islamic HaCKEr

A defacer going by the handle of The Designer - Islamic HaCKEr was a vivid hacktivist for a while, than switched handles and continued to deface spreading cyber jihadist PSYOPS such as the following message courtesy of one of his defacements :

"Muslims are not Terrorists and U.S.A & Israel & europa are Terrorists. america and israel and europa they terrorists and we moslems not is terrorists . and It was hacked because you are supporting the war in Iraq, palestine and Afghanistan, and it was hacked because you are killing our people and our kids in Iraq, palestine and Afghanistan , and It was hacked because they invaders our land and they vandals our homes and hacked your sites is our solution."

_Alansar Fantom

In direct coordination with The Designer and Al-Ansar Hackers Team, basically a low-profile script kiddie that's also involved in spreading the campaign message and the flood tools to be used in eh Electrnic Jihad campaign.

Offensive cyber terrorism on behalf of terrorists in the sense of cyber mujahideens is overhyped if they're to do it on their own given the factual based evidence of their current state of technical know-how, with the Electronic Jihad program among the most recent such overhyped threats. Defensive cyber terrorism as an extension of cyber jihad in an asymmetric nature, is what is going on online for the time being, and has been going on for the last couple of years.

The bottom line, script kiddies cyber jihadists dominate, PSYOPS fill the gaps where there's zero technical know-how, mentors are slowly emerging and providing interactive tutorials to reach a wider audience, localization of knowledge from English2Arabic is taking place the way propaganda is also localized from Arabic2English, and there's also an ongoing networking going on between cyber jihadists and Turkish hacktivists converting into such on a religious level. Case in point - MuslimWarriors.Org defacement campaigns with "anti-infidel" related messages.