ENISA debate in Brussels – some notes and excerpts  21.5.11

Here some of my notes on the ongoing ENISA debate in Brussels.
Currently, there is a bunch of proposals in the loop, thrown in by the European Commission. (The parliament itself still cannot issue initiatives of its own. All it can do, or rather: since Lisbon, the parliament can at least alter existing paragraphs, though it can’t add new ones.)

In the loop:


Agency or networks – some thoughts about Europe’s ongoing internet security debates  21.5.11

Well, I shouldn’t make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I’ve been in Belgium a couple of weeks ago, used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of waffles all over Midi station. It is like any station comes with a little surprise for its passengers. At Luxembourg station, the one which neighbours the European Parliament, the party in control of the facility equipment opted for an acoustic treatment: Abba’s “The winner takes it all.” For sure she does. (Which reminds me of “Mamma Mia”: Meryl Streep has quite a voice, by the way.)

The voices of the European citizens are represented by representatives sitting in offices matching in size those of elaborated knowledge workers in corporate headquarters. A nice quality surplus however […]

Internet principles and security  21.5.11

As Chris Marden puts it:

“So the governments of the West are at least rhetorically in favour of a free Internet…”

Rhetorically. The difference between the Council of Europe and the core of the European Council though is that only the latter is of substantial relevance for immediate political and legislative outcomes. Plus: the CoE is quite different from the “governments of the West.” […]

The uber-CERT: Germany’s new cyber-defense centre  2.4.11

I guess when the average media consumer hears “cyber-defense centre”, she likely has Star-Wars-ish control rooms in mind. Now, starting today, Germany has its National Cyber Defense Centre. It is located in the offices of the Federal Office for Information Security (BSI), which reports to the Federal Minister of the Interior. Not much of a surprise, anyway. Quite some headlines in national media for a 10-person task force. (Sources: FAZ, Ministry of the Interior, both in German)


Benkler on Wikileaks, media, distributed models of mutual criticism  23.3.11

Yochai Benkler, A Free Irresponsible Press: Wikileaks And The Battle Over The Soul Of The Networked Fourth Estate, forthcoming Harvard Civil Rights-Civil Liberties Law Review, 66 pages (benkler.org)

It forces us to ask us how comfortable we are with the actual shape of democratization created by the Internet. […]

NATO and its role in internet security – geopolitics of internet security governance?  20.3.11

“The threat is there to see and if the worst were to happen…” (Donald Rumsfeld, Feb 2003)

Looks like Stuxnet is the best of all electronic Pearl Harbours, so far. The signs on the walls of what could be. The “game changer” (DHS cyber director), the menace that seems to convince politicians, media and the public alike that there is something potentially very threatening. It has taken some fifteen years of fear mongering to achieve that.

Menaces, threats, risks, dangers require responses, yet which? […]

House of Cards  19.3.11

I couldn’t possibly comment:

We’re delighted to tell you that in late 2012 Netflix will be bringing to our members in the U.S. and Canada exclusively “House of Cards,” the much-anticipated television series and political thriller from Executive Producer David Fincher and starring Kevin Spacey. We’ve committed to at least 26 episodes of the serialized drama, which is based on a BBC mini-series from the 1990s that’s been a favorite of Netflix members. (Netflix)

Or, maybe: If you’ve ever wanted the essence of politics, the schemes, the manipulation, the games, the viciousness, condensed into a timeless, enthralling play, enjoy Ian Richardson’s performance as Francis Urquhart, a modern mix of the Shakespearean figures of Richard III and Macbeth, who succeeded Margaret Thatcher as Prime Minister. (IMDB)
Some of the political wisdoms the series conveys:

  • Power and its volatileness: “fear that this might be the day we wake to find the magic gone” (youtube)
  • Political loyalty: “a helping hand in these rather trying days” (youtube)
  • Leaking: “beware of an old man in a hurry” (youtube)
  • Social responsibility: “let’s give our young people a chance to learn self discipline, again” (youtube)
  • Power, terrorism and leadership: “Deeper than honour, deeper than pride, deeper than lust, deeper than love is the getting of it all. The seizing and the holding on. The jaw is locked, biting into power and hanging on. Biting and hanging on.” (youtube)
  • Trust and power: “But they all, all of them, betray us eventually. They love us, but not quite enough. They trust us, but not quite enough. And we trust them to be entirely human, meaning less than trustworthy. Which means we cannot entirely sleep. As the cat’s eyelids flicker, some part of us must stay awake, always, ready, as the coiled spring is ready.” (no link here, alas)
  • Role of a parliamentary majority leader: putting a bit of stick about

“Intensification of civil-military cooperation”. Some comments on the recent Dutch National Cyber Security Strategy on incident response  18.3.11

In February, the Dutch Ministry of Security and Justice released its “National Cyber Security Strategy (NCSS) – Success through cooperation.” (govcert.nl) Section 5.4, “Response capacity for withstanding ICT disruptions and cyber attacks”, is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy’s briefness makes a refreshing change for lazy readers like us, it also raises a couple of questions.

Enter life  6.3.11

The singleton entered the extrauterine sphere on a sunny Wednesday afternoon. She was coloured purple, exhausting awe-inspiring screams with all of her body tensed, her arms raised, moving and shaking wildly and her fingers crampily stretched. After half a minute or so, she quickly quieted down, ignored the blood, slime and what else her body was covered with, relaxed. She began to exertedly glance through the narrow cracks between her eye lids, aiming at grasping the situation and considering her options. Geworfenheit, thrownness, is Heidegger’s term to describe what every human being faces: “There you are, you haven’t been asked, no idea what ‘you’ is, let alone who you are and what ‘there’ is.” Naturally, she quickly went screaming again, coming up with all the strength shrouded in that 4,4 kg and 57 cm body. Positioning her on her mother’s upper part immediately freed her from those unsolvable existentialist contemplations and made her swing into the flow of life.

Some thirty-six hours later her skin was overwhelmed with the influx of new hormones, as usual for babies her age. Other than in some thirteen years’ time, she didn’t care about it. Her priorities were different. We were sitting in our bed. She was lying on my legs, her head on my flexed knees, her feet pressing against my underbelly. It was around 4 a.m. She was gazing at us with her steel-blue eyes. For long minutes. Endlessly. Constantly and without interruption. Highly awake. Evaluating her situation. Facing her parents with a piercing glance as if she was pondering the trustworthiness of those whose reproductive instincts have brought her into that situation. Hopefully the future will tell that she had not erred when she quietly fell asleep in that night after the first day after her birth.

Links 2011-02-15: HBGary, Anonymous  15.2.11

The saga of disruptive publication platforms vs. intelligence intelligentsia continues. And this latest HBGary chapter is stunning on so many dimensions: “security service” companies sitting on piles of 0-day exploits, the US Chamber of Commerce hiring security companies to investigate unions’ activities, a security service company compromised by social hacking, Anonymous creating a leak website ad hoc.

“Rarely in the history of the cybersecurity industry has a company become so toxic so quickly as HBGary Federal.” (Andy Greenberg, Forbes)

Nate Anderson, arstechnica, has the story. Spy games: Inside the convoluted plot to bring down WikiLeaks

“Barr was brought in from Northrop Grumman to launch the operation. …  Less than a year into the job, HBGary Federal looked like it might go bust. … And then, unexpectedly, came the hope of salvation. … That law firm was DC-based powerhouse Hunton & Williams,… [They] had a client who wanted to do a little corporate investigative work”

“But it soon became clear what this was about: the US Chamber of Commerce wanted to know if certain groups attacking them were “astroturf” groups funded by the large unions.”

“Palantir would provide its expensive link analysis software running on a hosted server, while Berico would “prime the contract supplying the project management, development resources, and process/methodology development.” HBGary Federal would come alongside to provide “digital intelligence collection” and “social media exploitation”—Barr’s strengths.”

“HBGary had long publicized to clients its cache of 0-day exploits—attacks for which there is no existing patch”

“Ironically, when Anonymous later commandeered Greg Hoglund’s separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund’s site administrator—who promptly turned off the site’s defenses and issued a new password (“Changeme123”) for a user he believed was Hoglund. Minutes later, the site was compromised.”

HBGary’s Barr involuntarily shares details on his intelligence successes, “Final – for me. – Sun, 6 Feb 2011 00:40:11 -0500”

“What I did using some custom developed collection and analytic tools and our developed social media analysis methodology was tie those IRC nicknames to real names and addresses and develop a clearly defined hierarchy within the group. Of the apparent 30 or so administrators and operators that manage the Anonymous group on a day to day basis I have identified to a real name over 80% of them.”

Hackers Reveal Offers to Spy on Corporate Rivals – NYTimes.com

Forbes with an update Revenge Still Sweet As Anonymous Posts 27,000 More HBGary E-Mails – Parmy Olson

“Crowdleaks: HBGary wanted to suppress Stuxnet research”

“HBGary Email Viewer: Portal – AnonLeaks”

The security risk of hierarchies embracing internet security communities  28.1.11

The Baltic Times reports:

Estonia’s defense minister has said he plans to create a volunteer “cyber defense league”… “We are thinking of introducing this conscript service, a cyber service,” Defense Minister Jaak Aaviksoo said in an interview with NPR. “[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.”


Malmström’s security cure for Europe: “The EU Internal Security Strategy in Action”  30.11.10

Commissioner Cecilia “Censilia” Malmström has launched the European Commission’s EU Internal Security Strategy, “The EU Internal Security Strategy in Action”. One of the five “strategic objectives for internal security” mentioned in the document: “Raise levels of security for citizens and businesses in cyberspace.”

According to her plans, Europe will have built capabilities to smoothly respond to cyber attacks (contingency plans, sharing and alert systems) by 2013. […]

Mike Elgan on Openness vs. secrecy – the case of Apple vs. Google  30.10.10

Mike Elgan compares the alleged openness of Google with the notoriously secretive Jobsian empire. The surprising discovery is that every company has its secret sauce, the recipe of which is stored in iron boxes or, in modern times, in encrypted databases:

The companies are different, and what they’re “open” about reflects that difference. For example, Trump is very secretive about pending real estate transactions, but would probably be happy to share the details of food served at one of his golf courses. McDonald’s on the other hand, isn’t all that secretive about real estate transactions but they’re very secretive or “closed” about their Secret Sauce.

In other words, companies are very closed, secretive, and controlling about the part of their business that makes the money. (via gruber)

Reminds me of the interesting question: who has or wants which secret sauce in the area of internet security?

Volker Weber (heise) on the discussion about Blackberry security  29.10.10

The two securities of a brand:

RIM negotiates with governments and the press reports successes: RIM will, for instance, provide India with tools for monitoring communications, it is said. On the other hand, the company repeats like a mantra that Blackberry communication is secure and that nobody, not even RIM itself, has access to the data. But if RIM itself has no access to the messages of Blackberry users, how can the company comply with the demands? … This apparent contradiction can be resolved by distinguishing between the Blackberry services BES and BIS. BES is the product that RIM offers to its corporate customers, BIS the one for private customers.

1&1, Damballa, botnets, and quantitative internet security research  28.10.10

As mentioned the other day, security provider Damballa released a study stating that some 11% of global botnet command&control servers were hosted by 1&1 Internet AG. Heise, presumably Germany’s most influential IT related news portal, brought the story, mostly citing the findings of the study. 1&1 was not amused about the journalistic performance. The flaws (de) in Damballa’s study have been quickly uncovered by Thorsten Kraft of 1&1’s Anti-Abuse team, which is closely linked to the consumer-focussed German Anti-Botnet advisory centre. Heise released another article explaining the flaws in the Damballa report, and Damballa has rightly taken its analysis down. The underlying lapse, according to the reports linked above, was that Damballa had allegedly added both ordinary, non-infected infrastructure servers and sinkhole and honeypot machines to the list of C&C servers.
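To make that counting flaw concrete, here is an added example (not Damballa’s or 1&1’s code, and not from the original post) that ranks hosting networks by their share of C&C servers over a constructed observation set, first counting every candidate host and then excluding hosts verified as sinkholes, honeypots or ordinary infrastructure; the ASNs are documentation-range placeholders, not real networks.

```python
# Added example: how unverified "C&C candidates" (sinkholes, honeypots,
# ordinary infrastructure) inflate a hoster's apparent share of botnet C&C.
from collections import Counter

# Constructed sample: (ip, asn, verified_role). Documentation-range IPs and
# private-use ASNs only; the role is what an analyst attaches after checking
# whether the host really serves a botnet or is a sinkhole/honeypot/other.
OBSERVATIONS = [
    ("203.0.113.10", "AS64496", "cnc"),
    ("203.0.113.11", "AS64496", "sinkhole"),        # researcher-run sinkhole
    ("203.0.113.12", "AS64496", "honeypot"),        # honeypot, not a real C&C
    ("203.0.113.13", "AS64496", "infrastructure"),  # e.g. shared DNS resolver
    ("198.51.100.5", "AS64497", "cnc"),
    ("198.51.100.6", "AS64497", "cnc"),
    ("192.0.2.20",   "AS64498", "cnc"),
    ("192.0.2.21",   "AS64498", "sinkhole"),
]

# Roles that must not be counted as C&C servers.
NOT_CNC = frozenset({"sinkhole", "honeypot", "infrastructure"})


def share_by_asn(observations, exclude_roles=frozenset()):
    """Return {asn: fraction of counted C&C hosts} after dropping excluded roles."""
    counts = Counter(asn for _ip, asn, role in observations if role not in exclude_roles)
    total = sum(counts.values())
    return {asn: n / total for asn, n in counts.items()}


def ranking(observations, exclude_roles=frozenset()):
    """ASNs ordered by descending C&C share, ties broken by ASN string."""
    shares = share_by_asn(observations, exclude_roles)
    return sorted(shares, key=lambda asn: (-shares[asn], asn))


def excluded_hosts(observations, exclude_roles=NOT_CNC):
    """Hosts that a naive count would have wrongly attributed as C&C."""
    return [(ip, asn, role) for ip, asn, role in observations if role in exclude_roles]


if __name__ == "__main__":
    naive = share_by_asn(OBSERVATIONS)
    verified = share_by_asn(OBSERVATIONS, NOT_CNC)
    for asn in ranking(OBSERVATIONS):
        print(f"{asn}: naive {naive[asn]:.0%} -> verified {verified[asn]:.0%}")
    print("wrongly attributed:", len(excluded_hosts(OBSERVATIONS)))
```

In the naive count AS64496 tops the table with half of all "C&C" hosts; once the three non-C&C hosts are removed it drops to a quarter and AS64497 takes the lead, which is the kind of reversal the corrected Heise report describes.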


Looks like botnet take-down time: Bredolab, Zeus…  27.10.10

The High Tech Crime Team did the job against the unsophisticated Bredolab Botnet:

The Bredolab botnet has been busted. So said the High Tech Crime Team, part of the National Crime Squad in the Netherlands, on Monday.
According to Dutch authorities, “the botnet network used servers hired in the Netherlands from a reseller of LeaseWeb,” one of Europe’s largest hosting providers, which is working with investigators. All told, 143 servers were seized and disconnected. (informationweek.com)

Further information is provided by the Openbaar Ministerie, the Dutch top prosecution authority.

Global cooperation among police forces in cybercrime cases appears to work way better than two years ago.

dataloss.db  27.10.10

The so-called Open Security Foundation has set up a publicly view- and editable database to collect and share information about, well, data losses:

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.

May it help those virtual runaway bits to come back to their motherships. Such as:

New York breach notification: Bear Stearns – client information accidentally was viewable by 2 unauthorized firms. 442 NY residents potentially exposed.  (Source)

If only Bear Stearns had exposed just those 442 New Yorkers. Anyhow. Data losses are a societal problem, especially when incidents climb up to the dimensions of the Heartland Payment Systems case with their 130,000,000 records or the T-Mobile Germany incident, which affected some 17,000,000 customers.

Anup Ghosh on Zeus malware with inbuilt piracy protection (written back in May)  27.10.10

Cleaning my RSS-feeds inboxes, I found this little gem called “The Reign of Zeus”, written back in May, ages ago on the internet security time scale, by Anup Ghosh:

Zeus is a game changer virus for the financial services industry, and perhaps its most pernicious computer-related threat. It specifically targets banking information by users and will defeat strong multi-factor authentication (MFA) methods used by banks including hardware tokens with one-time random passwords. A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus.

Zeus is an example of the sophisticated crimeware now available to crime syndicates that are focused on illicit financial gains by capturing banking credentials. The toolkit is available for sale in underground markets and the Zeus author has even implemented sophisticated hardware licensing schemes to prevent piracy.

Not sure whether the “DRM is bad for the customer” mantra applies here.

Threat Level has an update on spear-phishing, based on data issued in Symantec’s MessageLabs Intelligence reports.

Eric Schmidt writes in Foreign Affairs, “The Digital Disruption”  27.10.10

You never know with these Foreign Affairs articles, how significant they will be for actual policy making. But they reveal at least what is being discussed in US foreign policy circles. Google’s ties with the US administration and the Department of State became visible for a larger audience in the course of the China-Google showdown earlier this year. The publication of Eric Schmidt’s and Jared Cohen’s article “The Digital Disruption – Connectivity and the Diffusion of Power” in the forthcoming issue of Foreign Affairs only stresses this special relationship.

Foreign Affairs continues its tradition of articles on the strategic usage of information technology for US foreign policy. Back in 1996, Nye/Owens called for an “information umbrella” as a future means to allow the US to further lead an alliance of like-minded states in a post-“nuclear umbrella” world. Schmidt/Cohen discuss in a diplomatically sterile language the effects of “connection technologies” on politics, governments, and the diffusion of power among different actors. They have retained some techno-optimism:

In an era when the power of the individual and the group grows daily, those governments that ride the technological wave will clearly be best positioned to assert their influence and bring others into their orbits. And those that do not will find themselves at odds with their citizens.

But also within Western states, the notion of governance will further flourish:

Instead, governments, individuals, nongovernmental organizations, and private companies will balance one another’s interests.

Looks like multi-stakeholderism gone ubiquitous.

If you don’t want to register with the foreignaffairs.com website, Stefaan Verhulst has the complete article.

Gunter Ollmann (Damballa) has new figures on Botnet Hosting  26.10.10

World-wide leader in botnet CnC hosting according to Gunter Ollmann, VP Research of security provider Damballa, is the German ISP 1&1 Internet AG.

1&1 headquarters will be relieved to read this:

It is important to note that the ISP’s and hosting providers listed in the top-10 do not necessarily conduct criminal practices, but they have found themselves in a position of being “preferred” by the criminals operating the botnets.

It is surprising to see 1&1 spearheading CnC hosting. The data for a study released earlier this year by my TU Delft colleagues Michel van Eeten, Hadi Asghari et al. reveals that 1&1 is among the best ISPs when it comes to dealing with malware and spam. In that perspective, 1&1 has one of the cleanest ASNs, much better than, say, Deutsche Telekom.

I’ve briefly skimmed through some Damballa papers, but I could not find a description of their method to detect CnC servers.