<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: thinkers]]></title>
    <link>http://securityratty.com/tag/thinkers</link>
    <description></description>
    <pubDate>Sun, 09 Dec 2007 19:34:23 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[DC Young IT Scene Growing]]></title>
      <link>http://securityratty.com/article/cfe7523038453c0b939b3153f29dbc01</link>
      <guid>http://securityratty.com/article/cfe7523038453c0b939b3153f29dbc01</guid>
      <description><![CDATA[The late 90s IT boom represented everything great about the American dream. If you had a brilliant idea, knew how to put it into production and had some idea on how to market said idea, you could make...]]></description>
      <content:encoded><![CDATA[<p>The late 90’s IT boom represented everything great about the American dream.&nbsp; If you had a brilliant idea, knew how to put it into production and had some idea on how to market said idea, you could make it and many were indeed making it big in Silicon Valley.
<p>This chance to “get rich quick” prompted many talented young entrepreneurs and IT specialists to move to the Valley, and in turn helped <a href="http://www.somewhatfrank.com/2008/07/web-20-startups.html" target="_blank">establish the area</a> as a hip young center for the most talented people in the field.&nbsp;
<p>The Beltway, (a.k.a. Washington, DC area) has always been known as a home for those wanting to enter into public service, or at least a career in grand gestures, however with the rapid growth of government-based IT needs, and the <a href="http://www.istrategylabs.com/giving-you-50000-for-office-space-and-lot-of-other-fun-things/" target="_blank">success of many IT companies</a> in the area, it is slowly <a href="http://eastcoastblogging.com/2008/07/28/crossmine-dcs-directory-of-technology-ventures/" target="_blank">transforming into an IT hub of its own</a>.&nbsp;
<p>[Note: Dave and Julia disagree with my perspective on the slow growth of DC as a tech hub. In their opinions, it always has been with many great IT companies founded and run out of the DC area, including AOL, UUnet, and The Motley Fool, to name a few. The area was properly positioned as the “Silicon Valley of the East” in the 90’s and was able to successfully cultivate a large and prominent IT culture. BUT it’s interesting that Silicon Valley dominates in terms of popular perception, as I believe and so do many friends I’ve discussed this with.]
<p>But perhaps that is changing. Dave wrote an earlier post about the <a href="http://blog.sciencelogic.com/whats-up-with-the-washington-posts-biz-section-coverage-of-local-business/05/2008" target="_blank">lack of local tech coverage in the Washington Post</a>. Recently, however, we’re seeing more relevant articles in the paper that highlight the growing DC young IT scene. Case in point, this <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/08/10/AR2008081002026.html?wpisrc=newsletter" target="_blank">article</a> about LaunchBox, a DC tech incubator that will hopefully only serve to grow and enrich the community with more <a href="http://technosailor.com/2008/07/25/andrew-feinberg-to-join-technosailorcom/" target="_blank">talented young IT professionals and big thinkers</a>.&nbsp;
<p>The question that remains is <a href="http://blog.sciencelogic.com/a-new-generation-of-tech-in-dc/07/2008" target="_blank">how the culture</a> in this <a href="http://www.gottabemobile.com/Mobile+Tech+And+Social+Tools+Upset+Some+Congress+Folk.aspx" target="_blank">very traditional area</a> will change with this growth.&nbsp; </p>
]]></content:encoded>
      <pubDate>Tue, 02 Sep 2008 14:45:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/valley">valley</category>
      <category domain="http://securityratty.com/tag/silicon valley">silicon valley</category>
      <category domain="http://securityratty.com/tag/slow growth">slow growth</category>
      <category domain="http://securityratty.com/tag/growth">growth</category>
      <category domain="http://securityratty.com/tag/washington post">washington post</category>
      <category domain="http://securityratty.com/tag/brilliant idea">brilliant idea</category>
      <category domain="http://securityratty.com/tag/washington">washington</category>
      <category domain="http://securityratty.com/tag/idea">idea</category>
      <category domain="http://securityratty.com/tag/hub">hub</category>
      <source url="http://blog.sciencelogic.com/dc-young-it-scene-growing/09/2008">DC Young IT Scene Growing</source>
    </item>
    <item>
      <title><![CDATA[The Cyber Storm II Cyber Exercise]]></title>
      <link>http://securityratty.com/article/52403bcfe6f0d38ca6772c9f940745a7</link>
      <guid>http://securityratty.com/article/52403bcfe6f0d38ca6772c9f940745a7</guid>
      <description><![CDATA[I first blogged about the &quot;Cyber Storm&quot; Cyber Exercise aiming to evaluate the preparedness for cyber attacks of several governments two years ago, and pointed out that: Frontal attacks could...]]></description>
      <content:encoded><![CDATA[<a href="http://bp2.blogger.com/_wICHhTiQmrA/R_T5xF281NI/AAAAAAAABh4/ZSi6L-rCdVA/s1600-h/cyberstorm_2008.png"><img id="BLOGGER_PHOTO_ID_5185043692791846098" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp2.blogger.com/_wICHhTiQmrA/R_T5xF281NI/AAAAAAAABh4/ZSi6L-rCdVA/s200/cyberstorm_2008.png" border="0" /></a>I first blogged about the <a href="http://ddanchev.blogspot.com/2006/09/results-of-cyber-storm-exercise.html">"Cyber Storm" Cyber Exercise</a> aiming to evaluate the preparedness for cyber attacks of several governments two years ago, and pointed out that:<br /><br /><div><div><div><div>"<em>Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure, it would abuse it, use it as platform. However, building confidence within the departments involved is as important as making them actually communicate with each other.</em>"</div><br /><div>And while I'm still sticking to this statement, <a href="http://ddanchev.blogspot.com/2007/09/chinas-cyber-espionage-ambitions.html">a year later</a> I also pointed out that:</div><br /><div></div><div>"<em>In a nation2nation cyber warfare scenario, the country that's relying on and empowering its citizens with cyber warfare or CYBERINT capabilities, will win over the country that's dedicating special units for both defensive and offensive activities, something China's that's been copying attitude from the U.S military thinkers, is already envisioning.</em>"</div><br /><p><a href="http://bp0.blogger.com/_wICHhTiQmrA/R_UK6V281OI/AAAAAAAABiA/pPkSIHRnxxo/s1600-h/Hankuang_22.jpg"><img id="BLOGGER_PHOTO_ID_5185062543403308258" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R_UK6V281OI/AAAAAAAABiA/pPkSIHRnxxo/s200/Hankuang_22.jpg" border="0" /></a>Moreover, Taiwan, too, copycatting the U.S., performed a cyber warfare exercise codenamed "Hankuang No. 22" (Han Glory) in 2006 as well, fearing cyber warfare attacks from China.</p><p>The new "Cyber Storm" Cyber Exercise is particularly interesting, especially the initiative to measure the response time to an OPSEC violation in the form of <a href="http://www.engadget.com/2008/01/31/pentagons-cyber-storm-war-game-simulates-blogger-leaks-train/">sensitive information leaking on blogs</a>. A very ambitious initiative, given the many other distribution channels which, when combined in a timely manner, make it virtually impossible to shut down and censor the leaked material. What if it gets spammed? Moreover, what's a leak to some is transparency into the process for others. <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/03/07/AR2008030701157.html">Cyber Storm II</a> is <a href="http://www.us-cert.gov/reading_room/infosheet_CyberStormII.pdf">already a fact</a> nonetheless:<br /></p><p>"<em>At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans. 'The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,' said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise.
Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest.</em>"<br /></p><div><a href="http://bp1.blogger.com/_wICHhTiQmrA/R_UNjl281QI/AAAAAAAABiQ/f26QIMcJc_4/s1600-h/cyberstorm_cyberexercise.jpg"><img id="BLOGGER_PHOTO_ID_5185065451096167682" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp1.blogger.com/_wICHhTiQmrA/R_UNjl281QI/AAAAAAAABiQ/f26QIMcJc_4/s200/cyberstorm_cyberexercise.jpg" border="0" /></a>The main issue with this type of cyber exercise is that starting with wrong assumptions undermines a great deal of the developments that would follow. Cyber warfare is just an extension of the much broader concept of information warfare, namely Lawfare, Economic Warfare and PSYOPS, ultimately ending up in <a href="http://ddanchev.blogspot.com/2007/12/combating-unrestricted-warfare.html">an unrestricted warfare stage</a>. Subverting the enemy without fighting him, that's what offensive cyber warfare is all about, even if you take <a href="http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html">people's information warfare concept</a> as an example. It's a government tolerated/sponsored activity, where the government itself is subverting the enemy without fighting him, instead forwarding the process to its collectivism-minded citizens. The strong lose, since the adversary is abusing the most unprotected engagement point, thereby undermining the investments made into securing the most visible touch points.
A couple of key points to consider with respect to the cyber exercise modelling weakness:</div><br /><div></div><div>- White hats pretending to be black hats simply doesn't work</div><div>- Frontal attack against critical infrastructure is pointless, insiders are always there to "take care"</div><div>- Passive cyber warfare such as <a href="http://ddanchev.blogspot.com/2007/04/osint-through-botnets.html">gathering OSINT</a> and conducting espionage through botnets</div><div>- <a href="http://ddanchev.blogspot.com/2008/02/malware-infected-hosts-as-stepping.html">Cyber warfare tensions engineering</a> through the use of stepping stones</div><div>- Stolen and manipulated data is more valuable than destroyed data</div><div>- Lack of pragmatic blackhat mentality scenario building intelligence capabilities</div><div>- Unrestricted Warfare must be first understood as a concept, then anticipated as the real threat</div><br /><div><a href="http://bp2.blogger.com/_wICHhTiQmrA/R_USP1281RI/AAAAAAAABiY/CFeVojnuRTc/s1600-h/cyberterrorism_deception.jpg"><img id="BLOGGER_PHOTO_ID_5185070609351890194" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp2.blogger.com/_wICHhTiQmrA/R_USP1281RI/AAAAAAAABiY/CFeVojnuRTc/s200/cyberterrorism_deception.jpg" border="0" /></a>From a strategic perspective, securing and fortifying what you have control of is exactly what the bad guys would simply bypass in their attack process. Among the first rules of unrestricted warfare is that there are no rules, the idea being to emphasize adaptation and going a step beyond the adversary's defense systems in place.</div></div></div></div><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Thu, 03 Apr 2008 08:29:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cyber warfare">cyber warfare</category>
      <category domain="http://securityratty.com/tag/passive cyber warfare">passive cyber warfare</category>
      <category domain="http://securityratty.com/tag/cyber warfare tensions">cyber warfare tensions</category>
      <category domain="http://securityratty.com/tag/offensive cyber warfare">offensive cyber warfare</category>
      <category domain="http://securityratty.com/tag/cyber warfare exercise">cyber warfare exercise</category>
      <category domain="http://securityratty.com/tag/warfare">warfare</category>
      <category domain="http://securityratty.com/tag/econonomic warfare">econonomic warfare</category>
      <category domain="http://securityratty.com/tag/cyber warfare attacks">cyber warfare attacks</category>
      <category domain="http://securityratty.com/tag/broader information warfare">broader information warfare</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/263460313/cyber-storm-ii-cyber-exercise.html">The Cyber Storm II Cyber Exercise</source>
    </item>
    <item>
      <title><![CDATA[Securing cyberspace among top technological challenges of 21st century, panel says]]></title>
      <link>http://securityratty.com/article/6ca6f176875bd644a8a3e28dc7dc2fc2</link>
      <guid>http://securityratty.com/article/6ca6f176875bd644a8a3e28dc7dc2fc2</guid>
      <description><![CDATA[A National Academy of Engineering panel of big thinkers, including Google co-founder Larry Page, has identified 14 top technological challenges for this century and securing cyberspace is among...]]></description>
      <content:encoded><![CDATA[A National Academy of Engineering panel of big thinkers, including Google co-founder Larry Page, has identified 14 top technological challenges for this century and securing cyberspace is among them.]]></content:encoded>
      <pubDate>Mon, 18 Feb 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/top technological challenges">top technological challenges</category>
      <category domain="http://securityratty.com/tag/cyberspace">cyberspace</category>
      <category domain="http://securityratty.com/tag/century">century</category>
      <category domain="http://securityratty.com/tag/panel">panel</category>
      <category domain="http://securityratty.com/tag/national academy">national academy</category>
      <category domain="http://securityratty.com/tag/thinkers">thinkers</category>
      <source url="http://www.networkworld.com/news/2008/021908-top-technological-challenges.html?fsrc=rss-security">Securing cyberspace among top technological challenges of 21st century, panel says</source>
    </item>
    <item>
      <title><![CDATA[The Austin Project]]></title>
      <link>http://securityratty.com/article/f2ed9c83a79c011a50b81b548d1915bd</link>
      <guid>http://securityratty.com/article/f2ed9c83a79c011a50b81b548d1915bd</guid>
      <description><![CDATA[Two days ago I found myself reading something written by one of my readers about something I had written. Unfortunately, it not only completely missed the point of what I had talked about, but some...]]></description>
      <content:encoded><![CDATA[<p>Two days ago I found myself reading something written by one of my readers about something I had written.  Unfortunately, it not only completely missed the point of what I had talked about, but some dramatic and ultimately incorrect assumptions were drawn due to complete lack of technical understanding on this reader&#8217;s part.  I&#8217;m not going to out this person, because I don&#8217;t think it&#8217;s productive.  But it was pretty upsetting to me, because I do want people like this person to be able to learn from this site.  This site is super tricky to run.  On one hand I have some of the most technically competent people in the web security community visiting regularly.  For them, some of the most complex topics I cover make perfect sense, and there is very little confusion.  For the non-techies the technical posts are either misread or left unread.  Either way, that&#8217;s not good for the sake of learning.</p>
<p>A huge chunk of why I started this site was for my own testing.  I wanted to learn on a site that I controlled completely.  That works great if you&#8217;re a guy like me, who&#8217;s already been in the web space for well over a decade.  But for people who are either new, or are shifting their interests from some other area of security, the web space is highly complex and deep.  So herein lies the second reason I started this site.  I wanted a place where I could teach people what I know.  Call it altruism, call it wanting a sanity check on my own thoughts, but here we are, 2 years and 20,000 visitors a day later and things have changed.</p>
<p>I&#8217;m ultimately troubled by the fact that there are so many people out there who are in every way smart but are only in web application security because they have fallen into it, for whatever reason, and now are trying to play catch up with guys like us.  I feel like there is a huge gap of knowledge out there, and I feel like there is a lot that I could share with people given enough time.  A one hour speech isn&#8217;t enough time.  It&#8217;s barely enough time to gloss over a topic, let alone go down to any level of detail that would allow someone to think they are proficient in a topic.  I really feel like I could share a lot more of what I know to a willing participant if we made it a week long course.  So that&#8217;s what I did.</p>
<p>I&#8217;m going to be offering a week long course that I am dubbing <A HREF="http://www.sectheory.com/austin-project.htm">The Austin Project</a>.  The goal of the project is to get a group of likeminded people who are interested in talking about and learning more about web application security from yours truly.  Honestly, I just feel like there&#8217;s a lot more I can talk about in a week&#8217;s time than I could ever cover in a series of blog posts, especially because in an intimate class it is far easier to communicate.</p>
<p>So I will be inviting five people to fly in and stay for five days.  No cell phones, no computers, no distractions - just talking webappsec.  I attended an invite only conference of this format before and it worked great, where the only open computer was the one operating the projector.  Being off the grid really helps people focus.  Everyone will sign non disclosure agreements so people can talk freely about problems they are concerned with without having to worry about it getting out.  There will be eventual outputs from the classes, but they will be discussed only with people who attend.  Days will be spent talking about webappsec, nights will be spent with me in downtown Austin, visiting the local nightlife and probably talking about webappsec some more.  My goal is not to make myself the grand leader of a group of five people who are webappsec gods, but rather, build a collaborative group of people who change their way of thinking and come out of it with the knowledge on how to fix their little slice of the Internet.</p>
<p>I&#8217;m just not scalable, and while the blog has been a great conduit for sharing some of my ideas, it&#8217;s clear to me that people just aren&#8217;t getting the value out of it that they could in another format (I guess you get what you pay for, as this site is free!).  It turns out I just have a lot more to say than I put on this site.  That became apparent today when I started chatting with someone about a specific web application flow.  It took me ten minutes to explain some of the esoteric nuances to watch out for and I suddenly realized I had never talked about it before on the site, and I probably never would have because I ultimately consider a lot of that stuff to be &#8220;the basics&#8221; (even though apparently not a lot of people know about it).  I usually try to skirt around the basics as to avoid alienating the experts who frequent this site.  How would anyone know about the esoteric gotchas if I didn&#8217;t talk about it?  Well, now is your chance to come ask me.  Not that I will just be covering basics - oh no, why come to me for the basics?  But this will be your chance to get me to slow down and explain things to you in a virtually one on one environment.</p>
<p>My goal isn&#8217;t to get the best of the best and put them in a room together (although if I wind up with a bunch of people who are experts I will build a class specifically for them).  The main goal of The Austin Project is to get people who want to learn but are otherwise starved for information.  I want to help those people and bring them to the next level, so that they go off and eventually help others and so on.  I firmly believe education at this level will help our industry, help us start developing better applications, better strategies, and ultimately will make all our lives better.</p>
<p>This isn&#8217;t like most training.  There will be no CPE credits (although I&#8217;m sure you could convince someone it should count), no class of 40 people, no canned demonstrations.  This is just a chance for you to sit with me for a week and talk about whatever it is you want to talk about in a collaborative environment.  I don&#8217;t want five people from the same company showing up.  That&#8217;s not the goal here.  The goal is for you to meet other people with other problems and work through them together as much as it is to hear from me.  Why?  Because other people have interesting problems that relate to our industry that you should think about too!  I want to facilitate the correct thought process, which is so much more important than me just solving your problems for you.  I want to make people into the big thinkers (not just technologists) that this industry needs.  I want the participants to build relationships that they can use to better themselves and their careers.  Big goals for such a little class!</p>
<p>Anyway, if we wind up with way more than five people who are interested, we can separate the classes into groups, but I have no idea how many people will be interested.  I don&#8217;t want to go over five people and I don&#8217;t want it smaller than that or it would defeat the goal of building a team, so I may actually turn people away if we don&#8217;t hit a critical mass.  This is just as much an experiment for me as it is for anyone who would attend.  I also may turn people away if I think they couldn&#8217;t benefit from this - which is why I&#8217;ll be asking for a resume from each of the people who are interested.  If you have no experience, this isn&#8217;t the class for you.  If you have been doing this longer than I have, this isn&#8217;t the class for you.  If you just want to come to the class to heckle me, well, it&#8217;s an expensive prank, but it&#8217;s your money.  <img src='http://ha.ckers.org/blog/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  So if you are at all interested, check out <A HREF="http://www.sectheory.com/austin-project.htm">The Austin Project web-page for the specifics</a> and send your contact information through the form.</p>
]]></content:encoded>
      <pubDate>Mon, 21 Jan 2008 19:45:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/competent people">competent people</category>
      <category domain="http://securityratty.com/tag/project">project</category>
      <category domain="http://securityratty.com/tag/helps people focus">helps people focus</category>
      <category domain="http://securityratty.com/tag/austin project">austin project</category>
      <category domain="http://securityratty.com/tag/austin project web-page">austin project web-page</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/web application security">web application security</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <source url="http://ha.ckers.org/blog/20080121/the-austin-project/">The Austin Project</source>
    </item>
    <item>
      <title><![CDATA[Combating Unrestricted Warfare]]></title>
      <link>http://securityratty.com/article/419887eeeb4122e5f09f9278c24e0444</link>
      <guid>http://securityratty.com/article/419887eeeb4122e5f09f9278c24e0444</guid>
      <description><![CDATA[It's February, 1999, and two senior colonels from China's PLA, namely Qiao Liang and Wang Xiangsui depressed the world's military thinkers by coming up with a study on the future developments and...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_wICHhTiQmrA/R2BcsaehX3I/AAAAAAAABPQ/wDVNwyWr2tY/s1600-h/Unconditional_warfare_PLA.jpg"><img id="BLOGGER_PHOTO_ID_5143212692548444018" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R2BcsaehX3I/AAAAAAAABPQ/wDVNwyWr2tY/s200/Unconditional_warfare_PLA.jpg" border="0" /></a>It's February, 1999, and two senior colonels from China's PLA, namely Qiao Liang and Wang Xiangsui depressed the world's military thinkers by coming up with a study on the future developments and potential of asymmetric warfare in a surprising move next to the overall discussion always orbiting around <a href="http://ddanchev.blogspot.com/2006/02/who-needs-nuclear-weapons-anymore.html">symmetric warfare</a>. The study itself entitled "<a href="http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf">Unconventional Warfare</a>" is an ugly combination of Sun Tzu's 3D perspective on warfare in combination with guerilla approaches to achieve one of Sun Tzu's most insightful quotes - "<em>One hundred victories in one hundred battles is not the most skillful. Seizing the enemy without fighting is the most skillful.</em>" Here's a <a href="http://www.fas.org/nuke/guide/china/doctrine/unresw1.htm">summary of the study</a>:<br /><br /><div><div><div>"<em>Two senior PLA Air Force colonels wrote "Unrestricted Warfare", presented here in summary translation, to explore how technology innovation is setting off a revolution in military tactics, strategy and organization.
"Unrestricted Warfare" discusses new types of warfare which may be conducted by civilians as well as by soldiers including computer hacker attacks, trade wars and finance wars.</em>"</div><br /><div>Over the years, and especially since 9/11, the tipping point that acted as the wake-up call that asymmetric warfare is also being embraced by the bad guys, many other niche research papers were published in the context of information warfare and cyber warfare, such as:</div><br /><div><a href="http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB62.pdf">Chinese Information Warfare: A Phantom Menace or Emerging Threat?</a></div><div><a href="http://www.indiana.edu/~tisj/readers/full-text/15-4%20cronin.pdf">Information Warfare: Its Application in Military and Civilian Contexts</a></div><div><a href="http://www.iwar.org.uk/iwar/resources/usaf/maxwell/students/2001/01-003.pdf">The Spectrum of Cyber Conflict From Hacking to Information Warfare</a></div><div><a href="http://www.au.af.mil/au/awc/awcgate/acsc/02-053.pdf">Globalization and Asymmetrical Warfare</a></div><div><a href="http://ddanchev.blogspot.com/2006/05/whos-who-in-cyber-warfare.html">Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States</a><br /><br /><a href="http://bp2.blogger.com/_wICHhTiQmrA/R2Blr6ehX4I/AAAAAAAABPY/nfY8zsv9Zm4/s1600-h/unrestricted_warfare.jpg"><img id="BLOGGER_PHOTO_ID_5143222579563159426" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt=""
src="http://bp2.blogger.com/_wICHhTiQmrA/R2Blr6ehX4I/AAAAAAAABPY/nfY8zsv9Zm4/s200/unrestricted_warfare.jpg" border="0" /></a>Each of these is a visionary reading by itself, but perhaps it was the need for setting a new milestone into such warfare thinking that prompted the public release of the <a href="http://www.jhuapl.edu/urw_symposium/pages/Proceedings/2006_URW_Book_Full.pdf">Unrestricted Warfare Symposium Proceedings Book</a> in <a href="http://www.jhuapl.edu/urw_symposium/pages/proceedings2006.htm">2006</a> and in 2007. An excerpt from the introduction of the 2006 edition :</div><br /><div>"<em>To compensate for their weaker military forces, these actors will employ a multitude of means, both military and nonmilitary, to strike out during times of conflict. The first rule of unrestricted warfare is that there are no rules; no measure is forbidden. It involves multidimensional, asymmetric attacks on almost every aspect of the adversary’s social, economic, and political life. Unrestricted warfare employs surprise and deception and uses both civilian technology and military weapons to break the opponent’s will.</em>"</div><br /><div><a href="http://bp0.blogger.com/_wICHhTiQmrA/R2BrjaehX5I/AAAAAAAABPg/g8qALl58MrI/s1600-h/Book_Cov.jpg"><img id="BLOGGER_PHOTO_ID_5143229030604038034" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R2BrjaehX5I/AAAAAAAABPg/g8qALl58MrI/s200/Book_Cov.jpg" border="0" /></a>Moreover, <a href="http://www.jhuapl.edu/urw_symposium/pages/proceedings2007.htm">the 2007</a> edition is <a href="http://www.jhuapl.edu/urw_symposium/pages/proceedings/2007/chapters/URW%202007%20Book.pdf">covering in-depth</a> such popular asymmetric threats posed by jihadists (pages 135/143) debunking the use of WMD as a priority, and the cyber dimension (pages 251/297) with some remarkable analogies post Cold-War strategies applied to modern digital threats :<br /></div><br /><div>"<em>Technology alone is 
never going to solve the IA problem. We have no informed national defensive strategy in this area. The situation is starting to change and improve, in large part because visionaries like General Cartwright are in key slots. But we do not have a lot of time. The intelligence community is not sufficiently engaged in conducting, analyzing, and reporting those issues. During the Cold War, we analyzed Soviet capabilities exhaustively. We did everything possible to understand our adversary and manage that gap. We need to do the same thing today. The bottom line is that it is dangerous to underestimate the capabilities of our adversaries. They do whatever it takes to win. Good adversaries know our strengths and weaknesses. They develop surprising partners that sometimes do not even know they are partners—they will give someone an honorarium to talk at a conference and ask that person for information on associates. They play by a different set of rules. They see offense as a systems problem, while our defense is fragmented.</em>"</div></div><br /><div></div><a href="http://bp0.blogger.com/_wICHhTiQmrA/R2BybaehX6I/AAAAAAAABPo/59i39aGCLjY/s1600-h/victory_in_cyberspace"><img id="BLOGGER_PHOTO_ID_5143236589746479010" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R2BybaehX6I/AAAAAAAABPo/59i39aGCLjY/s200/victory_in_cyberspace" border="0" /></a>All of these reports and Ebooks are highly recommended bedtime reading, and so is the last but not least one, namely "<a href="http://www.afa.org/media/reports/victorycyberspace.pdf">Victory in Cyberspace</a>" released October, 2007.
Besides generalizing cyberspace war activities, it includes a comprehensive summary of the events that took place in Estonia during the DDoS attacks.<br /><br /><div></div><div><div><strong>Related posts:</strong></div><div><a href="http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html">People's Information Warfare Concept</a></div><div><a href="http://ddanchev.blogspot.com/2007/09/chinas-cyber-espionage-ambitions.html">China's Cyber Espionage Ambitions</a></div><div><a href="http://ddanchev.blogspot.com/2006/07/north-koreas-cyber-warfare-unit-121.html">North Korea's Cyber Warfare Unit 121</a></div><div><a href="http://ddanchev.blogspot.com/2006/09/chinese-hackers-attacking-us.html">Chinese Hackers Attacking U.S Department of Defense Networks</a></div><div><a href="http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html">Electronic Jihad v3.0 - What Cyber Jihad Isn't</a></div><div><a href="http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html">Electronic Jihad's Targets List</a></div><div><a href="http://ddanchev.blogspot.com/2007/11/teaching-cyber-jihadists-how-to-hack.html">Teaching Cyber Jihadists How to Hack</a></div><div><a href="http://ddanchev.blogspot.com/2007/10/empowering-script-kiddies.html">Empowering the Script Kiddies</a></div><div><a href="http://ddanchev.blogspot.com/2007/04/osint-through-botnets.html">OSINT Through Botnets</a></div><div><a href="http://ddanchev.blogspot.com/2007/05/corporate-espionage-through-botnets.html">Corporate Espionage Through Botnets</a></div><div><a href="http://ddanchev.blogspot.com/2007/11/overperforming-turkish-hacktivists.html">Overperforming Turkish Hacktivists</a></div><div><a href="http://ddanchev.blogspot.com/2006/07/hacktivism-tensions-israel-vs.html">Hacktivism Tensions - Israel vs Palestine Cyberwars</a></div><div><a href="http://ddanchev.blogspot.com/2006/05/current-emerging-and-future-state-of.html">The Current, Emerging, and Future State of 
Hacktivism</a></div><div><a href="http://ddanchev.blogspot.com/2006/09/internet-psyops-psychological.html">Internet PSYOPS - Psychological Operations</a></div><div><a href="http://ddanchev.blogspot.com/2007/05/ddos-on-demand-vs-ddos-extortion.html">DDoS on Demand VS DDoS Extortion</a></div><div><a href="http://ddanchev.blogspot.com/2006/09/biggest-military-hacks-of-all-time.html">The Biggest Military Hacks of All Time</a></div></div></div><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Sat, 15 Dec 2007 06:08:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese information warfare">chinese information warfare</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information warfare">information warfare</category>
      <category domain="http://securityratty.com/tag/warfare">warfare</category>
      <category domain="http://securityratty.com/tag/cyber warfare unit">cyber warfare unit</category>
      <category domain="http://securityratty.com/tag/cyber warfare">cyber warfare</category>
      <category domain="http://securityratty.com/tag/asymmetric warfare">asymmetric warfare</category>
      <category domain="http://securityratty.com/tag/unconventional warfare">unconventional warfare</category>
      <category domain="http://securityratty.com/tag/warfare employs surprise">warfare employs surprise</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/199469513/combating-unrestricted-warfare.html">Combating Unrestricted Warfare</source>
    </item>
    <item>
      <title><![CDATA[Inside the Chinese Underground Economy]]></title>
      <link>http://securityratty.com/article/4891a1e92d88f5e5f532696b41817057</link>
      <guid>http://securityratty.com/article/4891a1e92d88f5e5f532696b41817057</guid>
      <description><![CDATA[Here's a very detailed, and recently released event-study on Malicious Websites and Underground Economy on the Chinese Web, and this is how they assessed the high activity at the underground related...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_wICHhTiQmrA/R1y23aehXvI/AAAAAAAABOU/e1PmFxPgasg/s1600-h/china_eagle_union.gif"><img id="BLOGGER_PHOTO_ID_5142185937666662130" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R1y23aehXvI/AAAAAAAABOU/e1PmFxPgasg/s200/china_eagle_union.gif" border="0" /></a>Here's a <a href="http://honeyblog.org/archives/147-Technical-Report-Studying-Malicious-Websites-and-the-Underground-Economy-on-the-Chinese-Web.html">very detailed</a>, and <a href="http://arstechnica.com/news.ars/post/20071205-study-casts-light-on-chinas-underground-cybercrime-economy.html">recently released</a> event-study on <a href="http://honeyblog.org/junkyard/reports/www-china-TR.pdf">Malicious Websites and Underground Economy on the Chinese Web</a>, and this is how they assessed the high activity at the underground related forums:<br /><br />"<em>Unlike the US or EU blackhats communities, Chinese blackhats are typically not familiar with IRC (Internet Relay Chat). They typically use bulletin board systems on the Web or IM software like QQ to communicate with each other. Orthogonal to a study on the underground black market located within IRC networks, we measure the Chinese-specific underground black market on the Web. We focus on the most important part located at post.baidu.com, the largest bulletin board community in China. We crawled the portal and stored all posts and replies posted on some certain post bars which are all dedicated for the underground black market on this particular website. The post bars we examined include Traffic bar, Trojans bar, Web-based Trojans bar, Wangma bar (acronyms of Web-based Trojans in Chinese), Box bar, Huigezi bar, Trojanized websites bar, and Envelopes bar.</em>"<br /><br />What's the big picture on the Chinese IT Underground anyway? 
It's a very curious perspective next to China's economic self-awareness, moving from a supplier of the parts that make up the products to the independent manufacturer of them in real life. In cyberspace, the people driving the Chinese Underground tend to borrow malicious know-how from their Russian colleagues by <a href="http://ddanchev.blogspot.com/2007/10/mpack-and-icepack-localized-to-chinese.html">localizing the most popular web malware exploitation kits such as Mpack and IcePack to Chinese</a>, as well as benefiting from the proven capabilities of an <a href="http://ddanchev.blogspot.com/2007/09/custom-ddos-capabilities-within-malware.html">open source DDoS-centered malware</a> by also <a href="http://ddanchev.blogspot.com/2007/09/localizing-open-source-malware.html">localizing it to Chinese</a> and porting it to a Web interface. And so once they've localized the most effective attack approaches by making them even easier to use, they start adding new features and functionalities in between <a href="http://ddanchev.blogspot.com/2007/09/diy-chinese-passwords-stealer.html">coming up</a> with <a href="http://ddanchev.blogspot.com/2007/09/chinese-malware-downloader-in-wild.html">unique tools</a> by themselves.<br /><br />The bottom line - China's IT Underground is indirectly monitored and controlled by China's Communist Party, with the big thinkers realizing the potential for asymmetric warfare dominance as the foundation for <a href="http://ddanchev.blogspot.com/2007/09/chinas-cyber-espionage-ambitions.html">economic espionage</a>, and the largest <a href="http://ddanchev.blogspot.com/2006/09/chinese-hackers-attacking-us.html">cyberwarriors</a> buildup in the face of <a href="http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html">people's information warfare</a> armies driven by <a href="http://en.wikipedia.org/wiki/Collectivism">collectivism</a> sentiments.<br /><br />Here's <a href="http://www.chinamemo.org/chinascope/magazine/200505/3">a very 
interesting article</a> detailing some of the perspectives of the China Eagle Union, the Hacker Union of China, and the Red Hacker's Alliance:<br /><br />"<em>The Chinese red hackers have their own organizations and websites, such as the Hacker Union of China (<a href="http://www.cnhonker.com/">www.cnhonker.com/</a>), the China Eagle Union (<a href="http://www.chinaeagle.org/">www.chinaeagle.org/</a>), and the Red Hacker's Alliance (<a href="http://www.redhacker.org/">www.redhacker.org</a>). The Hacker Union of China (HUC) was founded on December 31, 2000, and is the largest and earliest hacker group in China. It had 80,000 registered members at its peak, and reportedly has 20,000 members after regrouping in April 2005.</em>"<div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Sun, 09 Dec 2007 19:34:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chinese">chinese</category>
      <category domain="http://securityratty.com/tag/chinese underground">chinese underground</category>
      <category domain="http://securityratty.com/tag/underground">underground</category>
      <category domain="http://securityratty.com/tag/underground economy">underground economy</category>
      <category domain="http://securityratty.com/tag/chinese web">chinese web</category>
      <category domain="http://securityratty.com/tag/chinese red hackers">chinese red hackers</category>
      <category domain="http://securityratty.com/tag/china">china</category>
      <category domain="http://securityratty.com/tag/china eagle union">china eagle union</category>
      <category domain="http://securityratty.com/tag/underground black market">underground black market</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/197862800/inside-chinese-underground-economy.html">Inside the Chinese Underground Economy</source>
    </item>
  </channel>
</rss>
