Fouché is enjoying #Occupy for a snack. The Committee of Public Safety announces:
Hippie global meliorism is Marxism without the House of War. It wills an end that can only be realized through means of violence. Yet they refuse to will the means. If laughter could be projected from an ocean and half a continent away, they’d hear Marx’s disembodied laughter drumming from the British Museum and echoing down their spine with Teutonic clarity. A classical Marxist revolutionary would do something revolutionary. They’d mass at the park, loot the city’s financial district, and then storm the state capital. The hippies did everything backwards: they retreated from the center of political power, abstained from seizing the center of economic power, and massed in an out-of-the-way outdoor drug/farmers market.
Old Karl would die of laughter.
History, but anyhow. Jon Baumgartner, “Computers as Weapons of War”, IO Journal, May 2010, pp. 5-8:
Similar IO attacks could be conducted against nation states that have violated international treaties in order to carry out as uranium enrichment for nuclear weapons. Most of the unauthorized enrichment facilities in these cases are constructed deep underground. Conventional munitions, including bunker busters, could have difficulty penetrating and damaging these hardened structures. Cyber munitions, however, could be used to destroy key equipment used in the enrichment process. One of the primary IO targets would be the gas centrifuges used to create weapons grade uranium. The rotors within these centrifuges operate at extremely high speeds (e.g. 50,000 RPM). A cyber attack that increased the RPMs beyond normal safely levels could result in a catastrophic failure of a single centri- fuge. Implementing this IO attack across thousands of centri- fuges has the potential to disrupt enrichment operations for considerable periods of time.
A couple of months before Stuxnet broke news.
Dan Kaplan, SC Magazine:
In my eyes, this seems to be another step by U.S. officials, without exactly coming out and saying it, to label Anonymous as a cyber terrorist organization, bent on indiscriminate destruction of digital property and infrastructure.
The DHS in the “National Cybersecurity and Communications Integrations Center Bulletin”, A-0020-NCCIC / ICS-CERT –120020110916:
“The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting industrial control systems (ICS). (…) Anonymous’ increased interest may indicate intent to develop an offensive ICS capability in the future.”
Kaplan continues, on Duqu, the alleged Stuxnet offspring:
Which reminds me: I’m waiting for DHS to publish a warning based on a potential real critical infrastructure issue that popped up just yesterday — evidence that the Stuxnet authors are back with new malware. I’m sure the bulletin will arrive any minute now.
Even a year after, Langner sticks to his assessment:
Thinking about it for another minute, if it’s not aliens, it’s got to be the United States.
How could I miss that line in Michael J. Gross’ Stuxnet article in the April edition of Vanity Fair:
Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.
Nice alteration to recently excavated rhetoric corpse of the Digital Pearl Harbour by the Washington Post. “Hiroshima of cyber-war” is an allegory conveying ideas and association probably not intended by the author:
- The dawn of a new age of geopolitics defined by control over certain technological artefacts.
- The assumption by US security circles that unilateral and sole control over these artefacts equals incontestable geopolitical power, a truly “unipolar moment” (Charles Krauthammer) that should have lasted considerably longer than 1949 when the Soviets managed to assemble their “Fat Man” equivalent.
- The militarisation and secretisation of a potentially benevolent technology.
- The institution of a nuclear umbrella which served as a foreign policy instrument and “provided a cooperative structure, linking the United States in a mutually beneficial way to a wide range of friends, allies, and neutral nations.” (Nye/Owens 1996, p. 26)
A Hiroshima of cyberwar?
The Telegraph:
The Foreign Secretary revealed that Britain has developed new weapons to counter the threat from computer hackers and is prepared to strike first to defend the nation’s infrastructure and businesses. … The Government is investing an extra £650 million to develop deterrents to hostile viruses and hackers.
Joe Grand, grandideastudio.com:
My idealistic view of hacker is someone that is always asking questions, learning and has a thirst for knowledge. A hacker tries things that other people think are impossible and it’s someone that solves problems in a clever way.
Frankfurt Allgemeine Zeitung:
Wie der Staatstrojaner zerlegt wurde: Die Hacker vom Chaos Computer Club haben die Überwachungssoftware gefunden, analysiert – und gehackt.
(Reverse engineering a state trojan: Hackers of the CCC found, analysed and hacked the surveillance software.)
Not much of a surprise, the Occupy Wall Street movement has been infiltrated. A New York-based security consultant called Thomas Ryan and a team of IT security professionals managed to access systems used by the movement.
As part of their intelligence-gathering operation, the group gained access to a listserv used by Occupy Wall Street organizers called September17discuss. On September17discuss, organizers hash out tactics and plan events, conduct post-mortems of media appearances, and trade the latest protest gossip. On Friday, Ryan leaked thousands of September17discuss emails to conservative blogger Andrew Breitbart, who is now using them to try to smear Occupy Wall Street as an anarchist conspiracy to disrupt global markets.
What may much more alarming to Occupy Wall Street organizers is that while Ryan was monitoring September17discuss, he was forwarding interesting email threads to contacts at the NYPD and FBI, including special agent Jordan T. Loyd, a member of the FBI’s New York-based cyber security team. (…) …Loyd cited Occupy Wall Street as an example of a “newly emerging threat to U.S. information systems.”
The incident highlights structural weaknesses of open collaborative platforms in social environments with detrimental perceptions and interests. A group that wants to become a mass movement doesn’t have the choice of operating and planning in secrecy. Nor does it have the means to sanction – from the perspective of the group – anti-social behaviour. At yet another frontier, Generation Openness is learning the hard way that sharing can come with costs. It’ll be interesting to observe the institutional innovations, the OWS movement will inevitably come up with.
The Epoch Times reports:
Although the attacks on Estonia—one of the world’s most wired countries—did not involve physical attack, virtually the whole country came to a standstill as banks, communications, and government fell victim to cyberattacks.
It did not come to a standstill. Whenever an article starts with this meme, enjoy the line of argument ahead. Like this one:
“Just as organized crime groups have hired hackers, it is possible that nation states could hire or distantly support jihad networks and launch cyber-attacks through them,” states an April 17 report from Project Cyber Dawn, part of The Cyber Security Forum Initiative.
I guess the story the author wants to convey is: Botnets can bring down a country (Estonia, Georgia), there is an underground market for botnets, you can rent a botnet from a criminal group or person, you can “weaponize” a botnet, elite hacker groups can consist of jihadists. Hence you can bring down the US or one of its allies by renting a botnet from jihadists.
What you could read is: Estonia was not brought down to a standstill – thanks to the intervention of some capable, mostly local IT experts –, even though it’s a small country with just 1.3 m inhabitants.
Fourteen years ago, the Clinton administration launched the Presidential Commission on Critical Infrastructure Commission. Its 1997 report “Critical Foundations – Protecting America’s Infrastructure” states (Appendix A, Section Summary Report, p. A-26):
Vulnerabilities facing the energy industries include:
* Those created in the operating environment by the rapid proliferation of industry-wide information systems based on open-system architectures, centralized operations, increased communications over public telecommunications networks and remote maintenance
Earlier this week, Terry Zink quoted the following in a blog post:
Despite investments into state of the art technology, a majority of the oil and gas industry remain blissfully unaware of the vulnerabilities, threats and capability of a malicious cyber attack on control systems.
Eric Schmitt and Thom Shanker, NYT:
But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. …
“We don’t want to be the ones who break the glass on this new kind of warfare,” said James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, where he specializes in technology and national security. …
“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” said one Obama administration official briefed on the discussions. …
Some officials also expressed concern about revealing American technological capabilities to potential enemies for what seemed like a relatively minor security threat to the United States.
Read: Cyber-attack capabilities are built up in the shadows, quantity and quality unknown, to be used only in conflicts on the ‘vital-interest’-level – or as yet another deterrence (the attribution problem aside).
Micorosft’s Terry Zink sums up his “20 minutes of research“ on Duqu:
On page 18 of that report, they list similarities between Stuxnet and Duqu. But how many generic pieces of malware have those same similarities as Stuxnet? Is this just an example of the Barnum effect (like that one South Park episode where Stan Marsh talked to the dead and John Edward won the BDIU award)? For all I know, half the malware out there can be classified as similar to Stuxnet.
…
Are Stuxnet and Duqu related? I don’t know.
Symantec calls the malware “The precursor to the next Stuxnet“. Good malware analysis marketing.
Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
The unnamed Economist author shares her notes of a prep-conference for the upcoming cyber sec conference in London next month.
A “senior” participant remarked:
“It is so big it does my head in.”
But why? The author notes:
“Because this stuff is all mashed up. The interconnectedness of cyberspace breaks down borders and distinctions around which societies and states are organised.
It mashes up people and geography. …
Cyber mashes up functions. …
Cyber mashes up the trivial and the critical. …
It mashes up weapons. …
Finally, the internet mashes up state and private … “
Release often, release early:
By definition we need international co-operation. … So we should start with something small and build out. I see it as a quilt, a patchwork… The role of NGOs, think-tank and private experts in sensitising governments, without it seeming a form of electronic imperialism, is important.
The role of states:
Whatever the threat, it seems to me that the private sector will be involved in almost all responses. One working group made the point that “knowledge implies more responsibility”.
Indeed, indeed. Operationally, cyber security rests on those who control the components that make up the internet.
In any case, it is hard to translate rules and practices of war. Two examples: – Is private industry ready to be the warfighter? – How do you put red crosses on hospitals and orphanages? Do we have to put them on separate networks, ie, create a “dot.humanitarian” domain? Here we start to move into polders. Should we create “dot.secure” areas? People are willing to give up a lot of privacy in social networking. It seems to me that they would be wiling to do it for security.
Stewart Baker, former official at DHS and NSA, in an article called “Denial of Service” on Foreign Policy:
“We should not wait for our own Prince of Wales moment in cyberspace.”
Now, that’s disturbing. Virtual Pearl Harbour no more. Welcome to: Oh, that I were a bot upon that machine that I might touch that juicy data? Well, I shouldn’t start reading articles at their very last paragraph. The second last comes to rescue.
In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. … It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors’ lives.
Besides that, the message is:
But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.
Therefore, cyber strategies are necessary:
The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.
How to identify attackers with certainty without fundamentally altering the architecture of the internet or the ability to enforce collaboration of intermediaries such as ISPs worldwide? The latter could be accomplished in several ways: a) by foreign governments as a proxy, convinced by diplomatic influence ad-hoc or by institutions such as international treaties; or b) by supportive worldwide technical communities.
Tim Lohman, Australian edition of Computerworld, in a piece called “Hacktivism: The fallout from Anonymous and LulzSec”:
While government and industry figures all agree that hacktivism — no matter the colour or stripe — poses a real security threat to organisations, opinion is divided on the motivations, and hence seriousness of groups such as Anonymous and LulzSec. (…) however, two schools of thought have emerged on who these groups really are. The first argues that these groups are simply teenagers doing what teenagers do: Rebel. The other school argues that in line with the digital saturation of the current generation of teens and twenty-somethings these acts of hacking are simply the modern day equivalent of street protests.
If it’s the equivalent of street protest, why is it “a real security threat”?
Australian Federal Police (AFP) High Tech Crime Operations Acting National Manager, Grant Edwards is quoted:
“Hacktivism may be similar to other forms of legitimate demonstration or protest; however it can have significant implications… The AFP and other Australian law enforcement authorities will not tolerate the attempts of hackers to damage or destroy Australian individuals, companies and national infrastructure resources.”
Autralia’s Attorney General office:
the Government does not consider ‘hacktivisim’ or other similar activity that disrupts the confidentiality, integrity or availability of electronic information to be a legitimate form of protest
Human-bot driven DDoS attacks, aka virtual sit-ins. are legal in Germany. They disrupt the availability of electronic information, just as sit-ins have disrupted transactions of nukes to their launching sites and of used nuclear fuel to interim or permanent disposal site. Mass public display of discontent in the physical world always implies the non-availability of some services. Applying the classic computer science definition of ICT security (confidentiality, integrity or availability of data) to the political sphere and to what societies perceive as threats to their security, has great potential to result in a technocratic order.
A little gem for friends of games and strategies. The author:
I…intend to…provide a fresh perspective, hopefully thought provoking, on a key aspect of the movement: the claim of “leaderless resistance”.
My intent, in this note, is to raise context and observations on the nature of “leaderless resistance” as a strategic outlook, and as a tactic. (…)
My intent is a strategic and tactical observation of the “leaderless resistance” concept as applied to “Occupy Wall Street”,
Strategies applied by the police against this “leaderless resistance”?
De-Anonymization:
Like sifting sands for gold, the identification of the logistical leadership is priceless to future intervention. Those targeted should be very vigilant: they are no longer Anonymous.
Counter-intelligence, network analysis:
However, the process of booking is an intelligence coup. Not only are the databases updated, but new items added, biometric data collected, network analysis made. In effect, 700 arrests mean, 70,000 data routes for the average person, who knows 100 people or so. There is overlap, so obviously the number made vulnerable is not 70,000, but it will still be in the five figures. This is a counter-intelligence coup. Yes, we are Anonymous, we never forgive, we never forget. Neither does the State – and its power is underestimated.
Wedging:
The elimination of formal hierarchy doesn’t eliminate informal hierarchy of will, charisma, economic/racial/gender privilege and other such background hierarchies. In effect, counter-intelligence hoists the movement on its own petard in a pragmatic approach.
Criminalisation:
By criminalizing the movement, in other words, by equating active participation with the possibility of being processed criminally, the same “preventative” logic of policing is imposed on political speech. … Leaderless resistance in this sense doesn’t figure at all: no matter what strategic and tactical method is uses, this response will happen.
(via p2pFoundation)
Financial Fraud Action announces:
Total fraud losses on UK cards fell to £169.8 million between January and June 2011 – a 9 per cent reduction compared with losses in the first half of 2010. (…)
Online banking fraud losses totalled £16.9 million during January to June 2011 – a 32 per cent fall on the 2010 half-year figure. (…)
The NFA estimated that fraud in all its guises costs the UK more than £38 billion a year – card and banking fraud accounts for only 1.2 per cent of this figure.
Not that doomed after all?
Computerworld reports:
The criminals have new targets these days, the officials said. Increasingly, they are targeting sectors like retail and hospitality, instead of simply focusing on financial institutions, Martinez said. “Why hack into Citibank and steal 10 million pieces of information when you could hack into restaurants and get the same information and not have a big target, a bulls-eye, on your back?”
Excerpt from an 1995 Oral History Interview with Steve Jobs:
But it pains me because we do know how to provide a great education. We really do. We could make sure that every young child in this country got a great education. We fall far short of that. I know from my own education that if I hadn’t encountered two or three individuals that spent extra time with me, I’m sure I would have been in jail. I’m 100% sure that if it hadn’t been for Mrs. Hill in fourth grade and a few others, I would have absolutely have ended up in jail.
But then, it’s not that hard with these irritating incarceration figures in the U.S.
The EpochTimes on a recent report of the Government Accountability Office:
It found 41,776 cybersecurity incidents in 2010, up from just 5,503 in 2006. The GAO also analyzed the security practices of two dozen federal agencies, and gave recommendations on improving federal cybersecurity in line with the Federal Information Security Management Act of 2002. It noted, however, these implementations were not yet in place.
“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” states the report. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”
Margarita Mathiopoulos, “Ein Liberales Manifest”:
Es muss daher vordringliche Aufgabe freidemokratischer Politik sein, einen liberalen Wertekodex der vom Verfall bedrohten bürgerlichen Tugenden – Anstand, Sittlichkeit, Ehrlichkeit, Pflichtgefühl, Großzügigkeit, Disziplin, Fleiß – aufrechtzuhalten, um den Vormarsch der Sünden – Wollust, Gewalt, Betrug, Lüge, Laster, Selbstsucht (das 11. Gebot „du sollst dich nicht erwischen lassen“) Einhalt zu gebieten.
(Gefunden von einem eifrigen VroniPlager)
While German LEAs apparently try to create backholes themselves to wiretap computers, the FBI knocks the doors in Silicon Valley for some backdoors. Evgeny Morozov in his review of Susan Landau’s “Surveillance or Security” book:
To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build “backdoors” into their products.
From a foreign-policy perspective, the Western security-by-surveillance approach is rather shortsighted, Morozov argues:
Foreign-policy interests—a desire not to empower enemies and autocratic regimes—should shape this agenda as well. But most policymakers in Washington don’t incorporate global concerns into highly technical domestic debates about seemingly obscure issues of surveillance law.
Morozov was featured in a pretty interesting, visually innovative TV documentary in late September by Dutch channel vpro.nl. Includes some good rants.
Chaos Computer Club published an analysis and the binaries of the German lawful interception malware intended to intercept computer-based phone calls.
They discovered some unlawful feature bloat, potentially turning the legal eavesdropping malware into an extra-legal full-blown surveillance tool:
The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. (…) [I]t is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.
As so often with malware out there, communication between the malware and the command layer is poorly designed and leaves opportunities for third parties to take over the malware.
The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.
CCC’s 20-pages analysis concludes (translated, orig. German):
“We are highly delighted that no apt expert could be won over for this morally questionable operation…”
Merkel might want to ask Putin next time.
—
FAZ, “Der deutsche Staatstrojaner wurde geknackt”
CCC, “Analyse einer Regierungs-Malware”
Frank Rieger, FAZ, “Anatomie eines digitalen Ungeziefers“