Thursday, February 27, 2014

A Modest Proposal for Salesforce Response

For the Second time in as many weeks, it was reported that Zeus-like trojans were targeting Salesforce customers through less-than-secure clients and not using any deficiency in Salesforce systems themselves (see The Register story here). The reasons I put Salesforce founder and CEO Marc Benioff on my Cyber Privateer Fantasy League team:

  1. He was mentored by Larry Ellison.
  2. He has proved himself on the corporate battlefield.
  3. His "death star" should be more easily defended than companies that need to train and enforce security principles in every one of their enterprise customers' settings.
I'm still having trouble getting my brain around why someone would want to steal CRM data, as it would seem exceptionally hard to monetize. One high-probability answer is that this is a government-initiated attack, maybe by China, designed to give them a leg up as they compete worldwide with the clients of Salesforce. Whether or not this is the case, if I were in charge of Marc Benioff's crisis response efforts, I would run this ad on the front page of the Wall Street Journal for a few weeks:
Selah Marc. Selah.

Wednesday, February 26, 2014

Dumb and Dumber at RSA

Never in my long history of dealing with mega-moguls the likes of Larry Ellison and Marc Benioff have I heard of anyone say something as quite as stupid as RSA's chairman Art Coviello (read The Register's littany of Coviello's stupidity here). One exceptionally blithering statement stands out. I unknowingly rebutted it in my analysis yesterday (read it here), before I saw the The Register story last night:
First, [Coviello] said, governments around the world need to renounce the use of offensive cyberweapons, and through treaties and mutual agreements make them as forbidden as nuclear, chemical, or biological weapons.
Whoever is giving the RSA chairman PR advice should probably reevaluate his career choice. Break up the NSA to make sure we play defense only? Treat cyberweapons the same as nuclear weapons? The Register reports that "…Coviello has come out fighting over claims that his firm is colluding with the NSA…" The characterization of his tactic as "fighting" is generous. The word "braying" is more appropriate. I leave it up to the reader to complete the metaphor.

Tuesday, February 25, 2014

Cyberweapons are Not the Same Debate as Nuclear Weapons

Today's New York Times article on the debate over cyberweapons (read it here) has one telling article that indicates the military is still in the nuclear weapons mind set:
It is a question Mr. Obama has never spoken about publicly. Because he has put the use of such weapons largely into the hands of the N.S.A., which operates under the laws guiding covert action, there is little of the public discussion that accompanied the arguments over nuclear weapons in the 1950s and ’60s
As I've carped on numerous occasions, the cyberweapons debate is far different than the nuclear proliferation debate. Why? Again, Grasshopper, it's because nuclear weapons require government-level critical mass to develop, whereas cyberweapons require just one man, just one connected computer, and a smattering of genius. We have a whole new ball game, foretold by such science fiction authors as Frank Herbert (see one of my many posts here). The tripwire alarm has already sounded, where one highly motivated individual can—at a minimum—seriously inconvenience large numbers of people. And to continue my carping—carpe diem—the solution is to make any type of cyber incursion overwhelmingly risky to the offender. Licensed and bonded cyber privateers, working under constraints of my Cyber Privateer Code (see it here), are the only rational answer.

And if you want to see the havoc just one individual could wreak, check out Daddy's Little Felons (here).

Wednesday, February 19, 2014

Data Exhaust: Jihadists Turn from Sochi to Kiev?

Given the realization that the Russians would probably overreact to a Sochi terrorist incident, I'm reading between the lines of my analytics feed and wondering if a few jihadists are somehow a catalyst in Kiev. I had a buddy once who could walk into a bar and provoke a massive slugfest without himself ever throwing a punch. I called him The Human Catalyst. What better way to embarrass Putin and Russia than foment a blowup 800 miles away from Sochi? My BUZZ analysis of the social media for the last week indicates that this is indeed the case. Since the first story is seldom the right story, I'm anxious to see if the next few days or weeks will reveal a Jihadist Catalyst in Kiev. There are enough "smoking guns" there. Now, lets dig a little deeper.

On January 29th (see it here), I posted the story of my friend Bob Berger as he climbed Mt. Elbrus in the Caucasus mountains not far from Sochi. An Iranian videographer taunted the American climbers with, "Amereeekans. Amereeekans. Say something to the  pipple of Irrraaaann."

My very diplomatic friend (who by the way reached the summit of Mt. Everest in 2012), walked up to the Iranian and said, "Go solar. We'll all be better off."

Bob then reported that the man put down his camera, shook his hand, and said, "Thank you Amereeekan. You are right."

I promised Bob I'd post the photo of the Iranian if he could cull it from his box of mementos, and he sent it to me:
Iranian taunting Bob Berger is second from right. Bob is taking the man's photo.
I included Bob's story again because the social media is absolutely polarized with rhetoric. Maybe we need a few less one-liner zingers motivated by agenda-laden rhetoric, and a few more Bob Bergers leapfrogging today's problems with tomorrow's solutions.

We now return to my agenda-laden denunciation of our defense-only cybersecurity mentality. Hint:  Buy my novel Daddy's Little Felons and privatize world peace.


Tuesday, February 18, 2014

Data Exhaust: Proof that Only Playing Defense is a Recipe for Doom

Proof that our current cybersecurity defense-only strategy is doomed can be found in today's Wall Street Journal. Three stories on the front page, the front page, mind you:
  1. Hackers can obtain medical and payment records from health-care providers.
  2. Crowdfunding powerhouse Kickstarter was hacked.
  3. Iran's infiltration of the U.S. Navy computer network is "more extensive than had been previously thought…"
My being right on this issue is small consolation.

Thursday, February 13, 2014

A New Virus Report Card: Stuxnet/ZeuS/Duku and Now Mask/Careto

Exactly three years ago (February 7, 2011), I published a Virus Report Card (see it here). Earlier this week, I received an inquiry from a senior member of the cyber threat analytics team of a major financial institution. He asked if I intended to update that information. I confessed that I had no plans in particular to update it, "although that could change as new intelligence comes to me from some security insiders with whom I stay in touch." I also confessed to this individual that my interest in The Perfect Virus was as a backup to my fictional endeavors, and that the real virus-tracking guru was Brian Krebs.

Then Krebs came out with this assessment of the technology used in the highly publicized attack on Target customers (see Brian's article here). Net net, the tool used in the attack appears to be a "derivative of the ZeuS banking trojan." Then came the Kaspersky analysis of what is almost certainly a government/state entity, the Mask/Careto virus that has penetrated the following targets:

  • Government institutions
  • Diplomatic / embassies
  • Energy, oil and gas
  • Private companies
  • Research institutions
  • Private equity firms
  • Activists
Okay, it's time to update my three-year-old Virus Report Card. I have inferred the capabilities of Mask/Careto from the excellent Kaspersky report (read the report here). So here ya go with a new matrix:

Data exhaust suggests that Mask/Careto is:

  1. A false-flag operation trying to point to Spanish-speaking creators, when in fact it is most likely a Chinese or Russian operation.
  2. A government or state-financed operation.
  3. Capable of more advanced Oversight (principle #1), Feral Fertility (#2), Openness (#8), Stratification (#13), Stealth (#14) and Defense (#21).
My closing comment to the individual who originally contacted me kind of says it all: "Thanks for your note. Too bad U.S. cyber law has you playing with one hand tied behind your back."

Wednesday, February 12, 2014

Larry Ellison, The Captain of My Cyber Privateer Fantasy League Team, Talks About Children

Almost a week ago, The Register carried a story (read it here) reporting on the negative effect of technology on today's children. Commenting on the movie Her, produced by his daughter Megan Ellison, Larry Ellison net-netted the truth about our magic age: "I think the impact of technology on children right now…is sometimes fabulous and sometimes terrible."

To see some more pithy (albeit less focused on our human condition) quotes from Larry, click here.