Wednesday, March 20, 2013

Data Exhaust: Cyberwar Heating Up

Several of my Quantum Leap Buzz "tripwire" alarms went off today. Without boring you with the details, several factoids combine to reveal a seriously escalating pattern of warfare:

  1. North Korea is the least vulnerable country and therefore the country with nothing to lose in a cyberwar escalation. Their attack on South Korea's infrastructure (see Time Mag story here) could be repeated in the US with much more dire consequences.
  2. Computerworld reports that 3G and 4G USB modems are a security risk (see story here). Wonder why? Maybe it's because most of those branded modems are manufactured by Huawei and ZTE (yeah, do a search in the box on the left and you can see my previous postings about these companies). And as further data exhaust…
  3. Most of the security appliances sold by so-called rock-solid security companies aren't so rock solid (see CIO story here). This is especially relevant given the still-unreported story of Anonymous hacking the RSA show with bogus USB thumb drives (see story here). My favorite quote in the CIO article reads:
     "There have been some voices that said Chinese networking vendor Huawei might be installing hidden backdoors in its products at the request of the Chinese government, Williams said. However, with vulnerabilities like these already existing in most products, a government probably wouldn't even need to add more, he said."

The final bit of "data exhaust" that proves how head-in-the-sand we are comes again from a Time Magazine story on the creation of a "cyberwar rules of engagement manual" (see story here). Rules? For, like, fighting fair? Give me a break! You think Dennis Rodman's dwarf BFF in North Korea gives a hoot about rules of cyberwarfare? Or the script kiddies who attacked Brian Krebs (see my previous post here)?

If someone really wants to cause some damage, Katie bar the door. Spoofing a 911 call from Brian Krebs's home could have been orchestrated to cause some real damage. Just about the time the SWAT team showed up, someone could have piloted a few remote control helicopters over the men with guns and dropped cherry bombs in their midst. That would have started some real shooting.

I still can't get over the utter laughability of publishing Rules for Cyber Attacks. There is only one set of rules that might come close to working in today's environment. I've drafted them and invite comments, criticisms, edits, etc. You can read my Cyber Privateer Code at…duh…www.CyberPrivateer.com.

Selah.

Saturday, March 16, 2013

Brian Krebs Is Now A Superstar

I've said before that Brian Krebs is "the real deal" when it comes to reporting on Internet security (see my post from two years ago here). He's been the trusted "go to" guy shining the flashlight on the criminal underground cockroaches. In the last twenty-four hours, the cockroaches have overplayed their hand. As reported by Brian in his security blog (read it here), not only did they launch a cyber attack against him, but they spoofed a 911 call as if it were coming from his home, resulting in armed police drawing a bead on Mr. Krebs as he stepped out the front door. So how did the cockroaches misplay their hand?

Simply, the news of this incident could well turn Brian Krebs into a media superstar. Which means that his valued opinions on what should be done might mitigate the otherwise stupid course of some well-meaning but completely inept politicians. In other words, we might actually get an effective cybercrime/cyberwar police. And that is something the cockroaches really don't want to see. Because it's bad for business.

I learned how to spoof caller ID some years ago, and often fantasized (but never EVER acted on those fantasies) about displaying "WHITE HOUSE" on someone's cell phone. "This is the White House calling. The President of the United States would like to speak to you…etc." Find a Barack Obama sound-alike and have some real fun. I don't know why it never occurred to me in those fantasy scenarios that one might spoof a 911 call and actually put someone's life in danger. I'm more inclined toward comedy. What happened to Brian is no joke.

So, way to go Brian. I'm going to stick to writing fiction. You forge ahead fighting on the real battlefield.

Best to you and yours,

Rick Bennett

Wednesday, March 13, 2013

Alien Architecture: Hijacking (Hacking) "Earth Day"

Just a bit of what I call "displacement activity" for your consideration. Under the topic of "Black Box Portability" (see Perfect Virus Principle #7 here), there are "social engines" that can be hacked by The Perfect Virus. One of those popular engines is the Frank Herbert-inspired Earth Day (do a search on the left-hand box to see my posts on "Frank Herbert") celebrated every year on April 22nd. If you have an environmental agenda and want to co-opt some Earth Day festivities for fun and profit, why not reserve one available domain that I'm frankly amazed no one has snapped up?
www.Apr22nd.com
The Earth Day folk obviously have not played rhetorical wargames (an art taught to me by the legendary Dick Morris—read about Dick here). A rhetorical wargame has all your best and brightest sitting in a room, wondering how you might be hacked, hijacked, subverted, infiltrated, etc. Then you put defensive/offensive ploys into play that would prevent or seriously discourage such actions.

Apr22nd.com is available, along with a lengthy list of other domains that the Earth Day folk should have picked up. But I'll keep those to myself. After all, I have quite a few friends who are fanatically serious about sustainable ways to protect the environment.

Yahoo!, The Gift That Just Keeps On Giving

With security Swiss cheese like Yahoo! on the planet, we're pretty well guaranteed that the population of botnet nodes will only increase. I get enough phishing spam that I know NOT to open attachments or click on hyperlinks even from people I know, and especially if they come from Yahoo! accounts. But my wife and her friends, now that's another story. They get a little note from a dear friend, chances are pretty good they'll click on a link. This morning, both my wife and I got such an email. I read mine first and cc'd everyone on the list that they shouldn't open the attachment. Unfortunately, my wife reads her email sequentially and clicked on her attachment before reading my email advising people NOT to click on the attachment. Lucky for her, our virus protection and sandboxed browser raised a warning flag. My guess, though, is that the other ladies on the list are now hosts for little self-propagating alien beasts. Thanks, Yahoo! Yeah, I see why you have an exclamation point after your name.

Friday, March 8, 2013

Captain of My Cyber Privateer Fantasy League Team Larry Ellison is World's 5th Richest Man

According to the Forbes "billionaires list" (see the list here), Larry Ellison, whom I named captain of my Cyber Privateer Fantasy League team (click on the link to the right, or click here to see my team), is the world's 5th richest man. In the technology world, Larry is 2nd, behind Bill Gates. Gates is the world's 2nd richest man, although he's at the top of the technology list. Given that Bill Gates is in "give away all my stuff" mode, and that Larry is still on his quest for world domination, I predict here and now that Larry will not only pass Mr. Gates, but he'll become #1 on the overall list within the next decade.

Tuesday, March 5, 2013

Suggestion For China Image Upgrade

With due respect to my Chinese readership (who popped into #2 only behind U.S. eyeballs last week), I admit I've been pretty hard on…Hu (see my post of two years ago here). My humor probably doesn't translate well, and I really do consider my Chinese friends among my best. Heck, my wife and I teach a Sunday class of five-year-olds and we have a weekly "date" to visit our local dollar store to pick up gifts for the kids that illustrate our lesson topic. Almost 100% of our gifts come from you wonderful people. For example, this next week we're teaching about faith and have purchased pinwheels to give each child (3 pinwheels for a dollar isn't a bad price). What makes the pinwheel turn when you blow on it? Wind, right? Prove it. You can't see the wind. But you can see its effects. It takes faith. You get the idea. Which brings me to your country's low ranking as cyber citizens.

The just-completed RSA conference in San Francisco had almost everyone blowing the "Protect ourselves from China" wind. You've got to admit that that anti-China technology crowd is whipping up quite a storm, perhaps on a level with the Y2K entrepreneurship gold mine. I think you need to get ahead of this thing and become the champion of good. How, Hu might ask (sorry, I couldn't resist the pun)?

You could become the source for licensing cyber privateers. They would naturally have to be bonded by an independent entity. The Morgan Doctrine website contains all the legal justifications as well as a good deal of the mechanics necessary for legitimizing the effort. And if the cyber privateers followed The Cyber Privateer Code of conduct (click on the right or go to www.cyberprivateer.com), you would achieve several goals:
  1. You would reserve cyberwar for governments (one can almost see your logic in building national defensive AND offensive cyber capability, just in case), while …
  2. …completely putting a stop to cyber criminal activity (see my article on the guaranteed deterrent effect here).
  3. Your "cut" of cyber privateering profits would be a goldmine for China, and
  4. You would take the "moral high ground" in the battle to protect the Internet. As Larry Ellison said to Steve Jobs, "That moral high ground is pretty expensive real estate." Number 3 above pretty well pays for that real estate and collects rent from the rest of the world. Call it "a first-mover advantage" that ties up all the pricey hotels in our cherished capitalist game of Monopoly.

Notwithstanding my saber rattling about cyber privateering and the currently undeclared cyberwar now taking place, my internal value system really does believe that "Blessed is the peacemaker." I hope you'll at least consider the possibilities. Before somebody else ties up that moral-high-ground real estate.


Friday, March 1, 2013

Breaking News: Anonymous Hacks RSA 2013 And Nobody Covers It!

Good grief but the news media is lazy or just plain incompetent. The news story I got from RSA 2013 was the Network World story (read it here) of the TOP 10 SECURITY STARTUPS. Too bad "the best and brightest" had a major hack going on right under their noses. My Quantum Leap Buzz alarms (get your own here) went off with the simple @Anonymous_RSA "op in progress" tweet and a bunch of other tweets asking why RSA was all about China and why nobody was covering the Anonymous hack of RSA 2013. Seems like they dropped off a bunch of freebie branded USB devices that the security-conscious geniuses snapped up like kids on Halloween night. Geeze Louise, but this is going to be a really fun year.

Taman Shud.