
ICG Risk Blog - [ Cybersecurity Public ]

In-the-wild attacks against electrical utilities coupled with extortion demands: implications for response to criminal and terrorist action


The CIA has announced what appears to be the first documented, successful in-the-wild SCADA (Supervisory Control and Data Acquisition) attack against utility infrastructure. Surely more will follow, but with the agency making the announcement it appears to be a concrete example, unlike the staged attack against a captive diesel-powered generator (video, text, more text):

US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

Said to be "virulently allergic to hyperbole," Donahue would not have made a public announcement, nor would the agency have granted permission, "if he didn't think the threat was very large and that companies needed to fix things right now."

UK press reports place the specific case in Central/South America, with outages of short duration:

The CIA has refused to provide further details but intelligence sources say that the cities where the hackers have caused outages were in Central and South American countries including Mexico. The sources said that in no case was a ransom paid and that the outages lasted for only a few minutes. It is not known if the hackers have made any further threats.

Seeing Mexico among the targeted Central and South American states, and being aware of the drug cartels' counterattack against the Calderon government, I think it wise to raise the potential of tunable Just-in-time Disruption in conjunction with extortion revenues within Mexico. This kind of activity is well within the cartels' ability to fund.

This could well be a proof of function, a shot across the bow of recalcitrant victims, or both. If one can gain detailed knowledge of the PEMEX pipeline distribution system, one can get similar data on a Latin American electrical grid. A magnificent model, intentional or accidental, for more tunable just-in-time disruption.

Targeting the power industry is a recent extension of a long-standing extortion practice:

In the past two years, hackers have in fact successfully penetrated and extorted multiple utility companies that use SCADA systems, says Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. "Hundreds of millions of dollars have been extorted, and possibly more. It's difficult to know, because they pay to keep it a secret," Paller says. "This kind of extortion is the biggest untold story of the cybercrime industry."

Paller told in June that he expected those incidents to increase, and warned that a botched extortion attempt could lead to accidental damage. "There's been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems," he said. "That kind of chatter usually precedes bad things happening."

Cyber-extortion and its collateral damage aren't new, says Bruce Schneier... He says that offshore-hosted Web sites, most often offering pornography and gambling, are frequent victims of hacker extortion. Targeting power companies, however, is a new wrinkle, he says.

The ease of penetrating a mixed supervisory control network

I believe that my September 2004 article, Black hat meets white hat in the Idaho desert, describes the effort that produced the Aurora test. (See also Domestic Digital Pearl Harbor driven by offshore criminal and terrorist agents and Pandemic flaws at the architectural and base component level.) But unlike the special conditions permitted in the INL attack that was able to damage the diesel powerplant, but not the electrical generator, attacks against Supervisory Control and Data Acquisition (SCADA) can have pervasive, systemic effects.

Lay readers will not be happy after listening to Ganesh Devarajan merrily describe how easy it is to assault SCADA devices, change apparent sensor values and take control of the system, and what schematics he has seen terrorist members take an intense interest in, et al. See his video at LayerOne 2007 and his slides in PDF.

A former NSA pen tester (penetration tester), Ira Winkler, describes how his team attacks SCADA networks:

There are two primary ways to break into a computer: (1) take advantage of bugs in the software, and (2) take advantage of the way a user or administrator configures or uses the computer...

Some bugs create elevated privileges, provide unauthorized access, or cause information leakage. These are security vulnerabilities. If you can connect to a computer that has not corrected such a vulnerability, you can take it over. It is that simple.

The vulnerability can exist in the operating system, SCADA applications software, Web browser, or any other software on the computer. In the case of SCADA and its supporting systems, power companies are very slow to mitigate the vulnerabilities, and may never do so, because they are afraid that any change can create problems. This is why power grid systems are likely to be more vulnerable to cyber attacks than most other computers.

With regard to taking advantage of configuration problems, even perfectly secure software can be set up insecurely. For example, I have seen many computers where the password on the Administrator account is "administrator." Passwords can otherwise be insecure. Low-level users can be given high-level access. There are also more technical ways to insecurely configure a computer. Again, if you can access a poorly configured computer, you can take it over.
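Winkler's second category, configuration rather than code, is the one an operator can audit locally. The Python script below is an added example written for this page, not Winkler's or any vendor's code: it reads a constructed account store (the user:salt:sha256:groups record format is an assumption made for the example, not a real product's format), flags accounts whose stored hash matches their own username or a short default-password list, and flags members of an admins group who are not on an approved list (the APPROVED_ADMINS set is hypothetical).

```python
import hashlib
import secrets

# Constructed record format for this example (not a real SCADA product's format):
# one account per line, fields separated by ':' -> user:salt_hex:sha256_hex:group1,group2
# The password hash is sha256(salt || password). Real products differ; adapt
# parse_record() and hash_password() to the format actually in use.

DEFAULT_PASSWORDS = ["", "administrator", "password", "admin", "scada", "operator"]
APPROVED_ADMINS = {"j.doe"}   # hypothetical list of accounts allowed in the admins group


def hash_password(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(user: str, password: str, groups) -> str:
    """Build a constructed sample record; used only to fabricate demonstration data."""
    salt = secrets.token_bytes(8)
    return f"{user}:{salt.hex()}:{hash_password(salt, password)}:{','.join(groups)}"


def parse_record(line: str):
    user, salt_hex, digest, groups = line.strip().split(":")
    return user, bytes.fromhex(salt_hex), digest, set(filter(None, groups.split(",")))


def audit_accounts(lines):
    """Return a list of (user, finding) tuples for weak or over-privileged accounts."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, salt, digest, groups = parse_record(line)
        # Winkler's example: the Administrator password is "administrator".
        # Compare the stored hash against the username and a short list of defaults.
        candidates = [user, user.lower()] + DEFAULT_PASSWORDS
        for cand in candidates:
            if hash_password(salt, cand) == digest:
                findings.append((user, f"password is a default/username value ({cand!r})"))
                break
        # "Low-level users can be given high-level access": flag admins not on the approved list.
        if "admins" in groups and user not in APPROVED_ADMINS:
            findings.append((user, "member of admins group but not an approved administrator"))
    return findings


# Constructed sample account store for the demonstration.
SAMPLE_STORE = [
    make_record("Administrator", "administrator", ["admins"]),
    make_record("j.doe", "Tr0ub4dor&3-long-and-unique", ["admins", "engineers"]),
    make_record("hmi_oper", "hmi_oper", ["operators"]),
    make_record("contractor", "N0t-a-default-pw", ["admins"]),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_STORE):
        print(f"{user}: {finding}")
```

Because only hashes are compared, the check runs against the store as kept, without needing plaintext passwords; adapting it to a real system means replacing parse_record() and hash_password() with that system's record format and hash construction.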

Looking forward

We should expect to see parallel or overlapping attacks by criminal and terrorist groups, each of which could involve swarm attacks against multiple targets or tiers within a utility's network. Now that successful proof-of-function interruptions are public knowledge, expect accelerated copycat events, although in the short term perpetrators may wait to observe what countermeasures, if any, are taken against them.

Given the interconnected nature of power grids, your network may become collateral damage to an attack on a seemingly distant network. Depending on the nature of an attack, it may be hard to determine if the perpetrator is criminal or terrorist (as terrorists also need funding).

Expect state countermeasures to draw counter-countermeasures from the attacker, whoever they might be. Attack patterns will be watched closely, just as the attacker will watch and respond to the countermeasures enacted against them. What will they be?

Targets will have to review their temporary power arrangements (many units will actually not start or will not run as long as expected) so as to not adversely impact business continuity. Supply chains will have to be reexamined for weak links due to any interruption of power at any tier on a global basis. (Think Hurricane Katrina and the lessons learned from it.)

How the merger of proprietary control systems and public internet occurred

An Ars Technica forum discussion on US approves standards to keep electric grid hacker-free contained this fine summary of how power grid control merged with the Internet:

Before the rapid adoption of the Internet we know today, these systems were operated in an isolated fashion. PLCs [Programmable Logic Controller] and RTUs [Remote Telemetry Unit or Remote Terminal Unit] in the field (devices monitoring, measuring, and responding to key points throughout the system) communicated using private networks to the control centers. Control centers communicated with the regional operators via private links, etc. The systems used to control the control centers were isolated from outside networks. They were expensive, highly-customized, and were very difficult to replace.

Along comes Unix (later Windows) systems. Control system manufacturers could just leverage common OSes and write their apps to run on those OSes--saving money. These systems were communicating with custom protocols over private networks. The protocols have no authentication/authorization, etc. See, when collecting data monitoring a grid, you need measurements multiple times per second in some cases. Adding 20% overhead for authenticating a packet on your private network was not needed.

Then comes the Internet as we know it. The corporate side of the business is using commodity OSes to operate, and wants to implement, say, a commercial billing system to run on the corporate network and print invoices, etc. That data is in the control center network. The invoice printing operations are in the corporate network. That's when the pressure (cost reductions) comes in to link the two.

There's also the pressure to encapsulate the custom protocols to run inside IP. That way, the systems can use the common network infrastructure (WAN links over ATM, leased lines, and the like) and reduce cost. Keep in mind that the underlying protocols haven't been rewritten to support authentication or encryption.

See, it's a delicate combination of two very different operating paradigms. Control systems folks focus on uptime and speed while corporate IT folks focus on security and control (by giving up uptime for patching, etc). The two networks are run very differently. There exists a division of knowledge about how to operate computer networks. This leads to shoddy divisions of the networks with weak or non-existent firewall policies so that the "grid" isn't affected by the IT staff. Also, understand that the control centers now communicate over the Internet using protocols encapsulated in IP. That's how they keep each other up to date. That's how the delicate balance of generation and demand is kept.

Recently, there has been an increase in awareness (a good thing!) of the brittle nature of the electric infrastructure. I say brittle because a common threat in the corporate environment (a Slammer/Blaster worm) now can have a devastating effect on the availability of the networks, applications, and systems supporting the monitoring of the control system if the two networks aren't properly segmented and controlled.

If a knowledgeable, malicious attacker was to gain direct access to a control system network, they would have the ability to tamper with the data presented to the operators and the software. They could feasibly cause a significant outage. How? Do things like tell the generators that they need to generate more power while at the same time opening some key switches over high voltage lines. Also, be sure to "hide" the real data from the operators and their displays, and they'll never know what's happening. They won't even respond, because their systems say everything is fine. These kinds of attacks are made possible due to the protocols not incorporating encryption or authentication. The data is often sent over IP, so many scanning and packet injection tools can perform this kind of packet injection trickery...

Basically, the cyber security controls and operating procedures of many control systems are 10-15 years behind what corporate IT is today. Putting the two together can often create risk... FERC [Federal Energy Regulatory Commission] [is] trying to establish a very modest baseline of security controls and procedures across the companies out there running their systems in 2008 using 1980s security methodologies...

Ultimately, this problem won't go away anytime soon. We can take steps to minimize the risk of cyber attack and minimize the damage caused by the loss of lines/substations. Our heavy reliance on the grid will always make it a credible target for attack...

Electrical power lags behind petroleum refining in security

Electrical power assets appear to be lagging the refining industry in implementing realistic security. Here is one rationale, and given my work in the petroleum sector I can vouch for the attention paid to fire or explosion, but I find it too Pollyannaish in its timetable for bringing electricity current. I continue to wonder if we are talking about something akin to Y2K in the effort to find, fix, replace and (re)integrate the grid's firmware and software. (You only have to kill a few sites to start a cascade among many.):

[Refinery owners] have the resources, knowledge, and sophistication to implement comprehensive security programs. In the mid-tier and smaller refineries, this effort is moving at a slower pace; however, they still have progressed further in security than the power industry. There tends to be a heightened awareness for security in refining because loss of view and control in this industry can lead to greater loss of life and property...

While controls technology in refining is similar to that in the power industry, there are some important differences that may explain the variation in security preparedness:

  • In a refinery, there is more sophistication and discipline with respect to security and network architecture, and more effort put into system hardening.
  • In the power industry, you are more likely to find controls environments in unsecured areas, easily available to anyone who has access to the plant.
  • You may find more technicians working on controls systems in the power industry, while you tend to find more engineers working on controls systems in refining.
  • All of these differences can be reconciled once the power industry moves to proactive security.

I found it interesting that the World Economic Forum's Global Risks 2007 did not include power continuity among its 23 "core" global risks even though those chosen, e.g., "Oil price shock/energy supply interruptions," were said to be of "systemic nature: their impacts challenge the integrity of the system. Their consequences are harder to predict, frequently disproportionate, difficult to contain and present challenges to us all." I put this down to the fact that power has not reached the public consciousness of petroleum.

An arduously slow road to 'not enough'

Note the consistent threat verbiage without concerted action:

1998: Jeffrey A. Hunker, then Director of the Critical Infrastructure Assurance Office (CIAO)

"The full support of the private sector" is vital in protecting U.S. critical infrastructures against cyber attack... "The threat that we are facing is a threat that's growing over time... And so we need to respond with a sense of urgency and produce real results very quickly to combat it.... I think that one major measure of success is going to be the extent to which the private sector -- the owners and operators of the electric power grid, and our transportation and our banking and finance sectors -- comes together and, with the government, develops an action plan. We'll be able to measure how that partnership has been formed within the next six months to a year."

2000: Richard Clarke on the assertion that cyberwar is a threat that the US government cannot defend against solely by federal means:

The owners and operators of electric power grids, banks and railroads; they're the ones who have to defend our infrastructure. The government doesn't own it, the government doesn't operate it, the government can't defend it. This is the first time where we have a potential foreign threat to the United States where the military can't save us.

2003: Interview with Richard Clarke regarding cyber tools by al Qaeda and other entities:

For an organization [that] is looking to leverage its investment, to have the biggest possible damage for the least possible investment, cyberspace is a good bet, because it doesn't cost a lot of money to develop these skills. You could have an effect in a number of places simultaneously, without being in those locations, and you can achieve a certain degree of anonymity and a certain degree of invulnerability to arrest [or] apprehension....

Mountain View [shows] the ease with which people can do virtual reconnaissance from overseas on our physical infrastructure and on our cyber infrastructure, and the difficulty that we have in knowing what is being done...

[Our] electric power companies, both the generating companies and the distribution companies, have paid very little attention to security in cyberspace. It took them a long time to even admit that they were connected to the Internet. Now they know that they are. Now they also know that they're running a control software, SCADA, that is available to our enemies, because it's software that's sold around the world. They are beginning to understand that they need to have security. And the Federal Electric Regulatory Commission is beginning to understand that it needs to regulate that, in order to create an even playing field...

I'd suggest the Federal Electric Regulatory Commission create an even standard for all power-generating companies and all power distribution companies, and a high standard that's achieved in several steps over the course of the next several years...

SCADA systems need to be encrypted. People who have access to them need to do authentication... But we also need to make sure that our control signals -- the signals that we send out over the electric power grid -- are not sent in the clear, they're not broadcast on radio, but they're on fiber optic cables that are not connected to the Internet...

Unless power companies are required to do [this] by the federal government, they will never do it, because they're now in competition with each other. They're all willing to do it if they're all forced to do it... no one has competitive disadvantage by proving security...

We, as a country, have put all of our eggs in one basket... It could be that, in the future, people will look back on the American empire, the economic empire and the military empire, and say, "They didn't realize that they were building their whole empire on a fragile base. They had changed that base from brick and mortar to bits and bytes, and they never fortified it."

2005: cyber-security a distant second to physical security:

"People downplay the importance of cyber-security, claiming that no one will ever die in a cyber-attack, but they're wrong," says Richard Clarke... "This is a serious threat."... "An attack on the scale of the Bhopal disaster in India is not impossible"... Despite such a nightmare scenario, federal officials are more immediately focused on the threat of a dual attack... a physical attack and a simultaneous cyber-attack on critical infrastructure"...

Many experts say that DHS is still relatively unprepared to protect America's critical infrastructure against a cyber-attack. "In government, when it came to senior level focus after Sept. 11, 99.9 percent was skewed towards physical protection, and cyber-security took a back seat."...

The industry has a lot to address, Clarke says. "Every time the government has tested the security of the electric power industry, we've been able to hack our way in - sometimes through an obscure route like the billing system."... "Computer-security officers at a number of chemical plants have indicated privately that they are very concerned about the openness of their networks and how easily they might be penetrated."

2007: This author on Cyber Storm:

[It] does not give this author comfort that the first federal cyber war exercise, Cyber Storm, carried out in February 2006 had such a relatively positive outcome. (It is moments like this when I remember the counsel of a skilled practitioner who noted that any exercise presided over by political elites must be designed not to fail lest their stewardship be called into doubt.) Cyber Storm was to provide a "controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance"...

Having spun scenarios without limit, Cyber Storm's "Overarching Lessons Learned" offer painful parallels to each of the TOPOFF series simulating large-scale terrorist attacks involving biologic, chemical and radiological WMDs ("diseases are fearsome, hospitals and first responders are overwhelmed, interagency and intra-agency coordination is pummeled while communications in the form of multiple control centers, numerous liaisons, and increasing numbers of response teams merely complicate the emergency response effort")... Who could be surprised by these lessons learned? They could describe any large bureaucracy under stress, perhaps even their daily environment...

2007: An insufficiently strong standard emerges:

"NERC reliability standards [are] less stringent guidelines than [those offered in the] NIST guidance," said Greg Wilshusen, director of information security issues at the Government Accountability Office. "They do not provide the level of standard, mandatory protection required."

Specifically, NERC standards focus on the bulk power system as a whole, but don't properly address the threat of regional outages or the security of the IT components that support the electric grid, Langevin said. By contrast, the System Protection Profile for Industrial Control Systems developed by NIST in collaboration with private sector organizations presents a cross-industry, baseline set of security requirements for new industrial control systems that vendors and system integrators can use. Government has not yet enforced the adoption of these requirements.

"Why [NERC] would have standards below NIST is beyond me," Langevin said. "This is something we're going to [pay] close attention to; perhaps legislation will be required."

2008: The problem will get worse before it gets better. From a 2005-2007 study of electric utilities' energy management systems, SCADA and distribution management systems:

Linkage to other utility enterprise systems continued to be on the increase on a global scale, despite cyber security concerns. For many sites, the key to remaining secure seemed to be either: (a) the restricted provision of non-real-time access via periodic downloads to authorized requestors or (b) indirect access to and from the control system via historian files. Newton-Evans anticipates some changes in priorities this year, with a likelihood that many U.S. utilities will be implementing a NERC compliance reporting system over the 2008-2010 period.

Examples of flaws and entry points

Rather than asking how safe the current SCADA and related architectures are, it is better to ask how such an environment could fail to offer multiple opportunities for mischief. For examples of mischief, Schneier's weblog entry, Staged Attack Causes Generator to Self-Destruct, contained reader comments which I've categorized under two topics: systemic fault opportunities and attack vectors. (While the commentary of many forums is dross, Schneier's readers did a creditable job.)

Systemic fault opportunities

Still designing for efficiency, not security, and connecting systems designed for closed proprietary networks to the web:

1, The [SCADA] systems are designed by engineers with only one [aspect] in mind to control complex systems (oil platforms etc)... The problem with 1 is that security was never ever a consideration in the design. And like Unix most SCADA systems will do as they are told irrespective of the consequences.

2, [Management] no longer want to pay to have people on site any longer just on call from home or some other office in the world... The problem with 2 is that the Internet is the cheapest solution...

The result is systems that have no built in safe guards appearing on the internet with minimal security...

[More] and more of the old electrical mechanical relay logic controls [in electrical utilities] have been replaced by PLCs, RTUs and bay level controllers, combined with SCADA. Yes, the majority of SCADA systems used run on commodity hardware and Windows OS...

In most cases, the new Ethernet based control protocols are secret... (the exception being Modbus/TCP). The companies which own them provide binary drivers in a format known as "OPC". OPC runs only on Windows, so a customer pretty much has to use Windows to run their SCADA system whether they want to or not.

The field devices which are controlled by these protocols are not very sophisticated and will accept commands from anywhere without requiring any sort of authentication. The assumption is that if you are on the network, you are not going to do anything malicious...
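Modbus/TCP, the one open protocol the commenter names, illustrates the point: the frame carries no authentication, so a device honours a write command on the strength of its arriving at all. A passive monitoring tap can at least make such writes visible. The Python below is an added example, not code from the page or from any Modbus vendor: it parses the public MBAP header and function code, raises an alert for write function codes from any source not in a hypothetical AUTHORIZED_WRITERS allowlist, surfaces exception responses (a sign a device is rejecting requests), and reports malformed frames; the sample traffic and every address in it are constructed for the demonstration.

```python
import struct
from collections import namedtuple

# Standard Modbus write function codes and exception codes (public protocol values).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
EXCEPTION_CODES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}

# Hypothetical allowlist: only the SCADA master at this address is expected to write.
AUTHORIZED_WRITERS = {"10.0.1.10"}

Frame = namedtuple("Frame", "transaction_id protocol_id length unit_id function data")


def parse_modbus_tcp(payload: bytes) -> Frame:
    """Parse the 7-byte MBAP header (tid, pid, length, unit id) and the PDU after it."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    return Frame(tid, pid, length, uid, payload[7], payload[8:])


def inspect(src_ip: str, payload: bytes):
    """Return a list of alert strings for one captured Modbus/TCP segment."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"{src_ip}: malformed Modbus/TCP ({exc})"]
    alerts = []
    fc = frame.function
    if fc & 0x80:
        # Exception responses echo the function code with the high bit set.
        code = frame.data[0] if frame.data else None
        alerts.append(f"{src_ip}: exception response to function {fc & 0x7F} "
                      f"({EXCEPTION_CODES.get(code, 'unknown code')})")
    elif fc in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        if fc in (5, 6):
            addr, value = struct.unpack(">HH", frame.data[:4])
            detail = f"address {addr} value {value:#06x}"
        else:
            addr, qty = struct.unpack(">HH", frame.data[:4])
            detail = f"starting address {addr} quantity {qty}"
        alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[fc]} to unit {frame.unit_id} "
                      f"from unauthorized source ({detail})")
    return alerts


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used here only to fabricate sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample captures: (source IP, TCP payload).
SAMPLE_TRAFFIC = [
    ("10.0.1.10", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),     # master reads 10 registers
    ("10.0.1.10", build_frame(2, 1, 6, b"\x00\x28\x04\xd2")),     # master writes: allowed
    ("10.0.5.77", build_frame(3, 1, 5, b"\x00\x07\xff\x00")),     # unknown host writes a coil
    ("10.0.1.20", build_frame(4, 1, 0x86, b"\x02")),              # device rejects a request
    ("10.0.5.77", b"\x00\x05\x00\x00\x00\x02\x01"),               # truncated frame
]


def run(traffic=SAMPLE_TRAFFIC):
    alerts = []
    for src, payload in traffic:
        alerts.extend(inspect(src, payload))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The monitor never sends anything; it only needs a copy of the control-network traffic (a SPAN port or tap). A rise in exception responses, or writes from an address that is not the master, is exactly the kind of signal the commenter's "anyone on the network" assumption leaves otherwise invisible.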

Cost reduction:

SCADA vendors want to cut their costs and only support one platform. We initially were told by our SCADA vendor that we would have to go all Windows, HMI [Human-Machine Interface] workstations & servers, if we wanted to upgrade to the latest version of their system...

Every penny saved is another penny in the vendor's pocket... It doesn't matter how good your design is because the customers will demand arbitrary price cuts. This is standard purchasing department tactics during the negotiation of any purchase...

[US] utilities used to pay into EPRI [Electric Power Research Institute] to get research done for the common good. EPRI would have been the logical party to deal with these problems. After deregulation [many] of these companies are not willing to pay for research anymore...

Cost-benefit analysis driving out dedicated networks:

[These] systems were networked, usually over a fairly slow wire, so it is all in allowing the control systems to do more than monitor and control devices over the specialized SCADA network, since the remote devices [may] be speaking IP... but, in Power/Gas/etc networks, there's a lot of equipment that would be considered obsolescent (Anyone remember Visicode switches? PDMs?) but, if they work, won't be scrapped.

Employ new application/use case without redesign:

A system used in a way or in an environment for which it was not designed is a potential problem... SCADA systems were largely designed to not be connected to the Internet. Simply connecting them without significant redesign is a recipe for serious problems.

Aging, unpatched equipment. See the incongruity in this polar pair:

- SCADA systems are built using off the shelf components (on the human interface side), MS Windows is common.
- The systems are seldom patched, in some cases, the software vendor will not support systems that have 'unapproved' patches.
- The systems are built with life expectancies measured in decades...

The only thing which has kept this from being a major problem so far is that most plant equipment is old so equipment with this capability is in the minority. The only practical solution is to put the plant on an isolated network with some sort of intermediary security box between the plant and the office which only allows limited information to pass each way. Trying to secure every individual valve and other plant device is unrealistic...

20-year old technology? That is sometimes the newer equipment in the generation plants and substations. Dial-up accessible? Absolutely. Modems left enabled? More often than you would think. And, yes, the newer hardware is IP accessible, not always securely installed and configured...
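The "intermediary security box" of the first comment above is a policy question as much as a product: which zone-to-zone flows it permits. The Python below is an added example, not from the page or from any firewall vendor, that expresses such a policy as first-match rules with an implicit deny and audits it against a set of flows a segmented design must refuse or permit; the zone names, the port numbers (502 for Modbus/TCP, 3389 for remote desktop, 1433 assumed for a historian database replica in a DMZ) and both sample policies are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str      # "corporate", "dmz", "control" or "any"
    dst_zone: str
    dst_port: object   # integer port or "any"
    action: str        # "allow" or "deny"


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (rule.src_zone in ("any", src)
            and rule.dst_zone in ("any", dst)
            and rule.dst_port in ("any", port))


def evaluate(rules, src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit deny at the end of the list."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"


# Flows a segmented design must refuse or permit: (src, dst, port, expected action).
# Port choices are hypothetical for this example.
REQUIRED_OUTCOMES = [
    ("corporate", "control", 502, "deny"),    # no direct process protocol from the office
    ("corporate", "control", 3389, "deny"),   # no remote desktop straight into the plant
    ("control", "corporate", 502, "deny"),    # plant never initiates Modbus toward the office
    ("corporate", "dmz", 1433, "allow"),      # office reads the historian replica in the DMZ
    ("control", "dmz", 1433, "allow"),        # plant pushes data to the historian replica
    ("dmz", "control", 3389, "deny"),         # a compromised DMZ host gets no foothold inward
]


def audit(rules):
    """Return the required outcomes the ruleset violates, plus any blanket allow rule."""
    violations = []
    for src, dst, port, expected in REQUIRED_OUTCOMES:
        got = evaluate(rules, src, dst, port)
        if got != expected:
            violations.append((src, dst, port, expected, got))
    for rule in rules:
        if rule.action == "allow" and (rule.src_zone, rule.dst_zone, rule.dst_port) == ("any", "any", "any"):
            violations.append(("any", "any", "any", "no blanket allow", "allow"))
    return violations


# Constructed weak policy: a DMZ exists, but a "temporary" vendor-access rule was never removed.
WEAK_POLICY = [
    Rule("control", "dmz", 1433, "allow"),
    Rule("corporate", "dmz", 1433, "allow"),
    Rule("corporate", "control", "any", "allow"),
    Rule("any", "any", "any", "deny"),
]

# Constructed hardened policy: every cross-zone flow goes via the DMZ historian only.
HARDENED_POLICY = [
    Rule("control", "dmz", 1433, "allow"),
    Rule("corporate", "dmz", 1433, "allow"),
    Rule("any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy) or "no violations")
```

The weak policy fails only on the one leftover rule granting corporate hosts any port into the control zone; the hardened variant routes every cross-zone flow through the DMZ historian and closes with an explicit deny-all, which is the "limited information each way" arrangement the commenter describes.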

Human error in procedure and programming:

In one incident a contractor anxious to complete his installation connected 2 completely [separate] parts of our banking network together totally compromising our security. We only discovered it days later when we could contact servers we should not have been able to. Another was 100 servers rolled out with their C: drives open to anonymous and undetectable attacks because of one configuration error. Again this was in a sector that you would expect to be secure however it was not. On yet another occasion I went to a shared PC to fix it and written in pencil around the edges of the monitor were all the usernames and passwords of all the people that used this particular PC to access the bank's systems.

Complexity of equipment and their controllers:

Newer GE gas turbine control systems use PCs with Windows for the MMI [Man Machine Interface]. They have discontinued their own MMI system, and currently sell a re-branded product from someone else... MMI is what you use to control the equipment. If you control the MMI, you control the equipment. The equipment control system itself has protective relays and other overrides, but the MMI system still has a lot of factors and parameters that are set at commissioning which can damage the equipment if set incorrectly. You can also of course, simply shut down the system by issuing a shutdown command...

GE is a mixed bag with regards to their offerings... last I had heard they had 13+ different SCADA systems depending on the division you were working with. But I can say authoritatively that their Energy Management System offerings are UNIX, same with Siemens. I do seem to remember that they had a smaller Distribution Mgmt. System that was Windows-based, but those systems typically don't have [a] generation control, merely routing at the street level.

[For] the bigger electric systems like Southern California, NYC, Southern NJ, etc... cost of computing hardware was not a concern... Some smaller rural utilities may see that cost reduction from running Windows make a significant change to the overall price of a new control system...

Embedded systems face problems akin to SCADA:

[M]ore and more critical control functions in things like electrical generation, chemical production, and so on are handed over to embedded systems, because they can be, and because it makes things like maintenance and troubleshooting easier. And again, in service of convenience for management and maintenance, it's all getting networked, with everything from 9600 baud modems over POTS (who said wardialing was dead?) to the latest fiberoptics and even short-range wireless in some cases.

The fundamental problem is that your average embedded guy doesn't know much of anything about network security, and isn't hooked into social or professional networks that might tell him. OTOH, he's got an advantage over your average programmer, because embedded systems have to be much more tightly built in the first place, i.e. unhandled cases are unacceptable in general, and critical bugs tend to get fixed quickly, because the consequences are potentially catastrophic in a way that crashing your computer simply isn't. The software is also immensely simpler and more rigid than your average network application. The first step is to convince embedded programmers and their managers that malicious attack is as real and urgent a potential failure as any of the others that the software must handle.

Attack vectors

Insider attack:

A malicious or inattentive operator at the plant in the middle of the night could do the same thing. Nothing "cyber" is necessary for this attack.

Insiders, often foreign, hired without proper checks:

It's very hard to background check an engineer when you have so very few of them, and the pool of replacements is mostly from overseas. In the old days, you didn't have to -- the engineering schools knew that they were putting lives in these men's hands, so verifying the diploma was good enough.

The most disturbing trend I have seen in background checks is to preferentially hire recent immigrants from overseas (with background check waivers in effect) as opposed to U.S. citizens with no criminal record but spotty credit or other risk factors. Sometimes this is an H1B issue.

More often, it's a product of laziness in not conducting real backgrounds on people born outside the USA. Unless DHS is doing really, really good checks prior to allowing these people into the USA (which takes a lot of money), this is a serious vulnerability with respect to international terrorism.

Access network assets indirectly:

[Power system component] systems are not typically "connected to the internet". They are, however, interfaced to most companies business networks, through some type of firewall, in order for operational data to make it to "the business", and for maintenance staff to access diagnostic information. This connectivity, however, can safely be managed following fairly standard methods of defense in depth, and implementing reasonable security practices.

War dialing remains a valid attack:

Modems are still a relevant attack vector... Everything from PBXs, manufacturing gear, even an accounting system.

Look for an overlooked access point:

[Hack] into control of the transmission / distribution system - look around some pole tops, there are radio controlled switches everywhere.

Affect a cascading overload:

[A] "cascading overload" is one where a local problem caused by any local event propagates out of the local area into other areas that are not at fault... In previous times suppliers put sufficient and well thought out safeguards into their networks and introduced changes in a manageable fashion... Unfortunately the modern drive to maximise efficiency and return makes the likelihood of such propagating faults all the more common.

Insert common worms and viruses:

Older SCADA systems used to run on proprietary hardware or on UNIX workstations. Newer ones are using PCs with Windows for display, monitoring, alarm display and data logging. On the more sophisticated systems control, though, is often still through proprietary hardware, but on the cheaper ones control is done on the same PC as display. The industry has gone this way to take advantage of cheaper PC hardware. There are a few vendors basing their systems on Linux instead of Windows, but these ones specialise in the more sophisticated end of the market. Wonderware, Citect, WinCC, Rockwell, etc. however all use Windows.

[A] worm or virus could DDoS or send undesirable commands to pretty much any newer control system if it can get access to the network. The SCADA networks are getting connected to the business networks because the business side wants real time reporting and production scheduling. This means that if viruses and worms are a realistic threat to office PCs, they are a realistic threat to the plant as well.

Issue simple, directed on/off commands:

[The] potential for "script kiddie" or "wrench-in-the-works" type attacks [in which] Simple 'If-it's-on-turn-it-off, if-it's-off-turn-it-on' type of "button pushing" could really raise havoc on a wide scale... All this takes is system level access and rudimentary programming skills.

Insert bad data:

[All] command and control information is passed between sensors..., control units..., and actuators... over a bus. Airplane manufacturers went digital for many reasons: to save money [and] to make the equipment more reliable... [S]ystems will eventually distribute sensory, control and actuator functionality over a network. That means that the sensory data upon which the control function operates will be vulnerable to attack, as well as the commands to actuators, engines, valves, etc. Can every electronic device in every system have its own security front-end to protect its data communications? If not, could one bring down, say, a power network by simply faking data values from a remote transformer farm saying "Hey! I'm overloaded!" and let the control function (over-)react?

This is probably the way that any attack would be carried out. Operators that use remote systems implicitly trust the readings on their instruments. One of the most efficient ways to disable a system is to supply bogus readings and watch the operators crash their own systems. Do it at 3:00am when people's decision-making is at its worst and it could be serious.
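The failure mode the two posts above describe, a forged reading that the control loop or a tired operator acts on, is exactly what a plausibility gate in front of the control logic is meant to catch. What follows is added example code, not from any of the quoted posts or from any vendor: the limits, the second "redundant" sensor and the telemetry stream are all constructed for illustration.

```python
"""Plausibility gate for telemetry arriving over a control bus.

Added example code, not from any of the quoted posts. Before a reading reaches
the control logic it must (a) lie inside the sensor's physical range, (b) not
change faster than the plant physically can, and (c) agree with an independent
sensor measuring the same quantity. A forged "I'm overloaded!" value that fails
any check is held for operator review instead of triggering an automatic
reaction. The limits, the redundant sensor and the stream are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    lo: float                # lowest physically meaningful value (constructed)
    hi: float                # highest physically meaningful value (constructed)
    max_rate: float          # largest credible change per second (constructed)
    max_disagreement: float  # tolerated gap between the two sensors (constructed)


# Transformer loading in percent of rating; 150 % as a short-term overload
# ceiling and 10 %/s as the fastest credible swing are constructed numbers.
LIMITS = Limits(lo=0.0, hi=150.0, max_rate=10.0, max_disagreement=5.0)

# Constructed stream of (seconds, primary reading, redundant reading).
# t=3 is a crude forgery (180 %); t=4 a subtler one (95 %) that stays in
# range; t=5..7 is a genuine ramp that both sensors see.
SAMPLE_STREAM = [
    (0, 60.0, 60.5), (1, 61.0, 61.2), (2, 62.0, 61.8),
    (3, 180.0, 62.3), (4, 95.0, 62.9),
    (5, 63.5, 63.4), (6, 68.0, 67.8), (7, 72.5, 72.1),
]


def check_reading(prev, new, dt, peer, lim):
    """Return the list of violated checks; an empty list means 'plausible'."""
    reasons = []
    if not lim.lo <= new <= lim.hi:
        reasons.append("out of range")
    if prev is not None and dt > 0 and abs(new - prev) / dt > lim.max_rate:
        reasons.append("rate of change too high")
    if peer is not None and abs(new - peer) > lim.max_disagreement:
        reasons.append("disagrees with redundant sensor")
    return reasons


def gate(stream, lim):
    """Run the stream through the gate; return (t, value, decision) per reading.

    Only accepted values become the baseline for the next rate check, so one
    forged spike cannot move the goalposts for the forgeries that follow it.
    """
    results = []
    prev_t = prev_v = None
    for t, primary, redundant in stream:
        dt = 0.0 if prev_t is None else t - prev_t
        reasons = check_reading(prev_v, primary, dt, redundant, lim)
        decision = "accept" if not reasons else "hold:" + ",".join(reasons)
        results.append((t, primary, decision))
        if not reasons:
            prev_t, prev_v = t, primary
    return results


if __name__ == "__main__":
    for t, value, decision in gate(SAMPLE_STREAM, LIMITS):
        print(f"t={t}s reading={value:6.1f}%  {decision}")
```

The gate does not decide whether a held reading is an attack or a real emergency; it only refuses to let a single unverified number drive an automatic load shed, and forces a human (or a second data path) into the loop. A genuine step change that exceeds the rate limit will also be held, so the limits have to come from the plant's real dynamics, not from guesswork.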

Try the default passwords:

Of course Iran (and China, Pakistan, N. Korea, etc.) know the passwords. It is amazing how many times the default password is not changed. [There are not] that many vendors out there to choose from and the manuals are available on the 'net.

Affect phase mismatch via manipulation of the power grid configuration and/or load balancing equipment (LBE):

If a key point on the power grid could be closed, then two legs of the grid would become connected. If these two legs are of different [wave] length, then there would be a phase difference between them. A difference in length of the two legs of just a few miles would cause a slight phase difference that would cause serious trouble on a megavolt power line.

While the power grid is designed to provide dynamic control of this phase difference, as well as phase compensators (switchable capacitive and inductive loads to compensate for the phase difference), if one could rapidly switch in and out several legs in the power grid, the dynamics of such a rapid change in power load and phase would be very difficult to compensate for. Weak spots in the grid would overload or burn out as they dissipated the heat developed by the current from the phase mismatch.

Pick an easy entry point to remove a node:

[Many local substations can] be unmanned, secluded, and guarded only by a chain-link fence and some barbed wire. Most of the gear and lines appears uninsulated... you could raise a whole lot of havoc with a good arm and a roll of heavy-duty aluminum foil.

This is not far off the mark. The US first used the BLU-114/B special-purpose munition, containing reels of "chemically treated carbon graphite filaments," to attack the Serbian power grid in 1999, virtually terminating Serbian power generation and distribution by shorting out the system. (This link also has an informative 'Electrical Distribution System Overview' written from the viewpoint of disruption.)

Time to effect repair is often sufficient damage in itself, or a causal condition for another fault:

it's not how much damage an insider could do (enormous!) but how long it would take to fix. Some of the equipment used in the power distribution system is manufactured only a few places in the world; spare parts inventory does not exist; lead time for replacement is measured in months not weeks; and transportation of these larger than 8'x8'x40' components is a real hassle under 'ordinary' conditions.

Is your data center prewired to be able to use rental generators for weeks or months if necessary? Do you have ironclad contracts with multiple sources of said generators? Did you think to strike the 'act of God' clause regarding nonperformance in the event of natural or man-made disaster?

If not, you're kidding yourself about maintaining uptime in a disaster. The fastest way to find out that your on-site generators haven't been properly maintained is to run them for a week and watch them fail . . . In a real disaster, your emergency generators are a temporary bridge to some other power source, unless you thoughtfully lay hands on a generator technician you employ, a large spare parts inventory, and a ridiculous amount of diesel fuel storage well in advance.

CIA: Hackers Shook Up Power Grids (Updated)
By Noah Shachtman
Danger Room
January 19, 2008 | 2:58:00 PM

CIA launches hunt for international computer hackers threatening to hold cities ransom by shutting off power
Daily Mail
Last updated at 23:33pm on 18th January 2008

Hackers Cut Cities' Power
Andy Greenberg
01.18.08, 7:00 PM ET

The title is in error, as the text states the intrusions were outside the US:
CIA official: North American power company systems hacked
By Jill R. Aitoro
January 18, 2008

SANS Flash: CIA Confirms Cyber Attack Caused Multi-City Power Outage
The SANS Institute
SANS NewsBites Vol. 10 Num. 5
Fri Jan 18 14:59:14 2008

US approves standards to keep electric grid hacker-free
By Nate Anderson
Ars Technica
Published: January 18, 2008 - 02:17PM CT

Analyzing Energy Sector Security Preparedness
Ken Miller
Energy Pulse

An apparently unrelated but interesting snippet on Indian targeting:
Hackers targeting Tier-II cities: Symantec
Business Daily from THE HINDU group of publications
Our Bureau
Nov 03, 2007

Tighter security over power plant computer systems urged
By Jill R. Aitoro
October 18, 2007

Video Shows Eerie Effectiveness of Power System Hack
By Ted Bridis and Eileen Sullivan
09/27/07 9:44 AM PT

US Improperly Releases Threat Details
Associated Press
Sep 27, 2007 5:45 PM EDT

CRITICAL INFRASTRUCTURE PROTECTION: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain
Statement of Gregory C. Wilshusen Director, Information Security Issues
Testimony Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives
October 17, 2007

How to Take Down the Power Grid
by Ira Winkler
Internet Evolution

Staged Attack Causes Generator to Self-Destruct
by Bruce Schneier
Crypto-Gram Newsletter
October 15, 2007

LayerOne 2007 - Ganesh Devarajan - SCADA Systems
Conference: LayerOne 2007
Topic: SCADA System Fuzzing
Ganesh Devarajan
May 5-6, 2007

SCADA Protocol Fuzzer & The Next generation of Inline Devices
SCADA Systems
Ganesh Devarajan
LayerOne 2007
May 5-6, 2007

Aurora Generator Test
Raw Video: Simulated Attack on Power Grid
March 4, 2007

Global Risks 2007
A Global Risk Network Report
World Economic Forum Report in collaboration with Citigroup, Marsh & McLennan Companies (MMC), Swiss Re, Wharton School Risk Center
World Economic Forum
REF: 150107
January 2007

Minimizing Risk Of Attack On Electric Grid
by Meredith Mackenzie
Boston (UPI) Mar 09, 2006

Diagnostic Tools to Estimate Consequences of Terrorism Attacks Against Critical Infrastructure
Rae Zimmerman, Carlos Restrepo, Nicole Dooskin, Jeremy Fraissinet, Ray Hartwell, Justin Miller and Wendy Remington
Institute for Civil Infrastructure Systems (ICIS)
New York University

New York University's Institute for Civil Infrastructure Systems (ICIS) for the Center for Risk and Economic Analysis of Terrorism Events (CREATE) at the University of Southern California
December 2007

New focus on cyber-terrorism
At risk: computers that run power grids, refineries.
By Nathaniel Hoopes
The Christian Science Monitor
from the August 16, 2005 edition

Avoiding Grid Lock
By Robert MacMillan
Washington Post
August 16, 2005; 9:09 AM

Interview: Richard Clarke
AIRDATE: April 24, 2003

From MAD (Mutual Assured Destruction) to MUD (Multilateral Unconstrained Disruption): Dealing with the New Terrorism
by Stephen Gale and Lawrence Husick
Foreign Policy Research Institute (FPRI)
Volume 11, Number 1
February 2003

Steven A. Hildreth
Specialist in National Defense
Foreign Affairs, Defense, & Trade Division
CRS Report for Congress
Updated June 19, 2001

Cyber War
Steve Croft with Admiral Herbert Brown
60 Minutes
April 9, 2000
[No direct citation]
mirror for quote

Frequently Asked Questions (FAQ) About the Y2K Problem

An interview with Dr. Jeffrey A. Hunker
Director of the Critical Infrastructure Assurance Office
USIA, U.S. Foreign Policy Agenda
November 1998

Gordon Housworth

Cybersecurity Public  InfoT Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  



Operational analysis of Chinese 'cyber army' penetration and recovery techniques


The PowerPoint China Cyber Army documents a classic, highly organized Chinese IP attack/phishing pattern that we have seen previously, but China Cyber Army is the first specific unclassified description that we've seen of the recent spate of Chinese attacks against France (also here), the UK (also here), Germany and the US, to name but a few.

A Taiwanese-American working in the US IT sector, who graduated in Taiwan the same year as the likely author, Chung-Ping Chen (Charlie Chen), now at National Taiwan University, and who has a number of Stanford and Taiwanese friends from Chen's class, had this to say about the PPT: "Those are interesting slides, and probably a known secret for a lot of Taiwanese." These foils (slides) will come as bracing news to too many complacent US and EU corporations and defense entities who believe that they are not at risk at their desk on home soil.

Readers will gain background from:

Global context

It is helpful to place China Cyber Army within the context of rising state on state cyber ops. The third annual VIRTUAL CRIMINOLOGY REPORT, CYBERCRIME: THE NEXT WAVE, points out three trends for 2008 and beyond:

  • [G]rowing threat to national security as Web espionage becomes increasingly advanced, moving from curiosity probes to well-funded and well-organized operations out for not only financial, but also political or technical gain...
  • [I]ncreasing threat to online services because of the growth in sophistication of attack techniques. Social engineering, for example, is now being used in conjunction with phishing techniques, making the situation even more complex and posing an increasing threat to public confidence in the Internet.
  • [E]mergence of a sophisticated market in software flaws that can be used to carry out espionage and attacks on critical government infrastructure networks. The findings indicate a blurred line between legal and illegal sales of software vulnerabilities.

The states most at risk as cybertargets "are those countries which are heavily networked and reliant on the Internet as well as those countries with an unstable political environment."

The commercial and government sector seems to be unaware that a cyber cold war is underway:

The Chinese have publicly stated that they are pursuing activities in cyber-espionage, and in a government white paper, as read by McAfee Avert Labs, they speak of technology being a large part of war in the future. The United States, United Kingdom, Germany and several other countries are likely targets for political, military, economic and technical espionage.

And other nations may have similar plans to conduct online spying operations.

"There are signs that intelligence agencies around the world are constantly probing other governments’ networks looking for strengths and weaknesses and developing new ways to gather intelligence," said Peter Sommer, an expert in information systems and innovation at the London School of Economics.

"Everybody is hacking everybody," said Johannes Ullrich, an expert with the SANS Technology Institute, pointing to Israeli hacks against the United States and French hacks against European Union partners. But it is aspects of the Chinese approach that worry him. "The part I am most afraid of is...staging probes inside key industries. It’s almost like having sleeper cells, having ways to disrupt systems when you need it if it ever came to war."

And with an estimated 120 countries working on their cyberattack commands, in 10-20 years experts believe we could see countries jostling for cyber supremacy.

Sommer warns that countries are undoubtedly gearing themselves up to launch international all-out online attacks. The present political environment is one in which countries are testing the waters to gauge the potential influence (and risks) of such assaults...

"The Chinese were first to use cyberattacks for political and military goals," said James Mulvenon, an expert on China’s military and director of the Center for Intelligence and Research in Washington. "Whether it is a battlefield preparation or hacking networks connected to the German chancellor they are the first state actor to jump feet first into the 21st century cyber warfare technology. This is becoming a more serious and open problem."

High-tech crime is no longer just a threat to industry and individuals...

China Cyber Army architecture and operation

China Cyber Army describes eight discrete operating groups placed in Beijing/TienJing, SiAnn, ShangHai, SiChuan, HuBei, JianSu, FuJian, and GuoDong. As Jun is the word for a military troop, an individual group would be known as, say, HuBei Jun. (Unlike official state responses, which have been reticent to name Chinese state assets as the perpetrator, China Cyber Army pointedly labels China as the relevant actor.) The purpose of the groups is said to be commercial and military espionage as opposed to botnet herding or site defacement. No surprise that "Motivation" is said to be "Political Control, Military Operation, and High Tech intelligent properties." Group membership is said to be drawn from university, military and criminal sources and from what I would describe as global for-hire hackers, notably from Taiwan.

Hacker group roles are delineated as:

  • Attacker : scan, exploit attack, get control of way-station
  • Mailer: using free mail box or mass mail sender tool on way-station
  • Collector: backdoor master, get useful data from victim, somehow play as internal attack via victim machine
  • Operator: Stable, continuous maintain the latest data from victim
  • Analyzer: depends on language

These hacker groups demonstrate intense organization. A rigorous summer operating schedule of two shifts is described for this cyber army: Start work at 0750 GMT+8, primarily entry hacking and launching data collect commands; lunch at 1200 GMT+8; recover data from the morning effort; break at 1700 GMT+8; first shift ends at 1900 GMT+8 and is replaced by second shift. Attacks are said to be "everyday" which may be interpreted as a seven day week. Encryption keys are "arranged by area," group members employ "the same tool not common seen in the public internet," Chinese military signatures are seen in the tools and extensive use is made of language experts and machine translation.

Prime human targets are in government, defense, military, foreign affairs, media plus any site containing potentially sensitive information. Data targets comprise the usual suspects: contact lists, mailbox contents, databases, passwords and keys, MS Office files, Acrobat PDFs, images and internal system settings. Once this data is gathered, relationship databases are constructed, key personnel are identified to receive email Trojans and phishing attacks, malware is inserted at key points, ID-passwords and keys are examined for subsequent targeting, while potentially useful data is routed to language analyzers (machine translation).

The Chinese employ three different attack and recovery processes described as "Type 1: Direct reverse Connect, Type 2: Relay Connect, Type 3: Switching Connect." From the diagrams in the PPT and a fair use PDF:

Direct reverse Connect

Hacker to Way Station Relay Program:

(1) Hacker change the DN
(2) Remote Control the WS through 3389 (TS) or other back door
(3) Open the backdoor controller on WS for victim on 80,53,443,1863

Way Station Relay Program to Victim:

(1) Backdoor on victim, Query the Domain Names or IP
(2) Connect to the way station through normal Ports like 80,53,443,1863 etc.

Relay Connect

Hacker to Way Station Relay Program:

(1) Hacker change the DN mapping to Way-Station
(2) Start the Relay Program on WS
(3) Open the backdoor controller on Hacker’s PC listening

Way Station Relay Program to Victim:

(1) Backdoor on victim, Query the Domain Names or IP
(2) Connect to the way station through normal Ports like 80,53,443,1863 etc.

Switching Connect

Hacker to Way Station Relay Program:

(1) Hacker change the DN mapping to Way-Station
(2) Start the Switching Program on WS
(3) Start the backdoor controller & Connect to WS
(4) Pick the Victim Connection , build a tunnel * Not all the flow will pass to hacker

Way Station Relay Program to Victim:

(1) Backdoor on victim, Query the Domain Names or IP
(2) Connect to the way station through normal Ports like 80,53,443,1863 etc.
(3) Waiting For Select!

Great efforts are taken to prevent discovery and shield attack source: multiple Way Stations, "Leveling" steps involving checking importance of victims and inserting new backdoors, dynamic domain name shifting, and parallel channels for downloads.
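The three connection types share traits a defender can hunt for from the victim side without knowing anything about the backdoor itself: the implant resolves a domain name whose mapping the operator keeps changing, it connects outbound on an ordinary port (80, 53, 443, 1863) rather than anything exotic, and, as both the slides and Chen's comment note, the traffic follows the operators' GMT+8 working day. The script below is an added example, not material from the slides or from Chen; the log format, the host and domain names, the addresses and the thresholds are constructed assumptions.

```python
"""Hunt for the beaconing pattern described in the China Cyber Army slides.

Added example code, not from the slides or from Chen. Three traits of the
'direct reverse', 'relay' and 'switching' connects are visible in a victim's
own egress logs: the backdoor resolves a domain name whose mapping the
operator keeps changing, it connects outbound on an ordinary port
(80, 53, 443, 1863), and the traffic follows the operators' GMT+8 working
day. The log format, names, addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GMT8 = timezone(timedelta(hours=8))
NORMAL_PORTS = {80, 53, 443, 1863}
WORK_START, WORK_END = 7, 19   # 0750-1900 on the slides, 0700-1730 in Chen's comment

# Constructed egress log: "<UTC timestamp> <source host> <dest name> <dest IP> <port>".
# 'ws17' beacons to one name that resolves to three different addresses over
# three days, always inside the GMT+8 working day; its browsing of
# www.example.com is spread around the clock and pins a single address.
SAMPLE_LOG = """\
2007-10-01T00:05:10Z ws17 update.example-dyn.net 203.0.113.5 443
2007-10-01T03:40:12Z ws17 update.example-dyn.net 203.0.113.5 443
2007-10-01T06:10:44Z ws17 update.example-dyn.net 198.51.100.9 443
2007-10-01T09:55:03Z ws17 update.example-dyn.net 198.51.100.9 443
2007-10-02T00:03:51Z ws17 update.example-dyn.net 192.0.2.77 443
2007-10-02T04:20:08Z ws17 update.example-dyn.net 192.0.2.77 443
2007-10-02T10:30:19Z ws17 update.example-dyn.net 192.0.2.77 443
2007-10-03T01:15:00Z ws17 update.example-dyn.net 203.0.113.5 443
2007-10-03T08:45:27Z ws17 update.example-dyn.net 203.0.113.5 443
2007-10-01T01:00:00Z ws17 www.example.com 93.184.216.34 80
2007-10-01T13:00:00Z ws17 www.example.com 93.184.216.34 80
2007-10-01T22:00:00Z ws17 www.example.com 93.184.216.34 80
2007-10-02T05:00:00Z ws17 www.example.com 93.184.216.34 80
2007-10-02T16:00:00Z ws17 www.example.com 93.184.216.34 80
"""


def parse_log(text):
    """Turn the constructed log lines into (utc datetime, src, name, ip, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, name, ip, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, name, ip, int(port)))
    return records


def in_work_hours(when_utc):
    """True if the connection falls inside the GMT+8 working day."""
    return WORK_START <= when_utc.astimezone(GMT8).hour < WORK_END


def score(records, min_hits=6, min_days=3, min_ips=2, min_ratio=0.9):
    """Per (host, name): connection count, fraction inside the working day,
    number of distinct resolved addresses, and a verdict from the thresholds."""
    stats = defaultdict(lambda: {"hits": 0, "work": 0, "days": set(), "ips": set()})
    for when, src, name, ip, port in records:
        if port not in NORMAL_PORTS:
            continue
        s = stats[(src, name)]
        s["hits"] += 1
        s["work"] += int(in_work_hours(when))
        s["days"].add(when.astimezone(GMT8).date())
        s["ips"].add(ip)
    findings = {}
    for key, s in stats.items():
        ratio = s["work"] / s["hits"]
        suspicious = (s["hits"] >= min_hits and len(s["days"]) >= min_days
                      and len(s["ips"]) >= min_ips and ratio >= min_ratio)
        findings[key] = {"hits": s["hits"], "work_ratio": round(ratio, 2),
                         "distinct_ips": len(s["ips"]), "suspicious": suspicious}
    return findings


if __name__ == "__main__":
    for (src, name), f in score(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPECT" if f["suspicious"] else "ok"
        print(f"{src} -> {name}: {f['hits']} hits, {f['work_ratio']:.0%} in GMT+8 "
              f"working hours, {f['distinct_ips']} address(es)  [{flag}]")
```

The working-hours test only means something once a host has been observed around the clock for several days, and a legitimate service behind a content distribution network will also rotate addresses, so the thresholds are a starting point for triage, not a verdict. The point of combining the three signals is that a way station hiding on port 443 defeats a port filter, and dynamic DNS defeats an address blocklist, but neither hides the operators' shift pattern.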

An "independent defense analyst," Cheng Ta-chen, was quoted in translation from Taipei Times regarding China's "cyber army":

It is reliant on imports for most of its computer hardware and software. More than 90 percent of the computer operating system used by China's government and military is imported from the US. The overall security of China's informatics and Internet is lacking and it does not have security controls for imported technology and equipment. Also, economic relations between China and the US are becoming more intertwined, so if the cyber army were to wage war on the US economy, it would easily create problems for China. None of these factors are beneficial to the development of China's cyber warfare.

A state of war, or peace, is merely a cost benefit analysis:

Economic and military threads are warp and weft of the same cloth, yet too many continue to believe the fallacy that nations that trade together do not war with one another. The reality is that they trade so long as their national cost-benefit analysis tells them to continue doing so. Tipping points exist. The key is to recognize their emergence and be prepared to prosecute them. Short of that, business must address the uncertainties as their governments jostle for advantage.

Obscured provenance and unusual release mechanism

The content of China Cyber Army is as interesting as its provenance is obscured. The anonymous poster used the name DeepThroat. The poster joined Slideshare in October 2007 and has shared only this one slideshow. I'd conclude that this alias was created with the express purpose of posting the cyber set. There are no introductory or closing foils (pages). The foils are atypically clean, i.e., they are not burdened by the overwrought graphics that the feds and the military typically employ.

Many of the foils have rather dodgy spellings and word constructions that are not bad enough, or consistent enough, to be a machine translation but appear to be the hand of a non-native English speaker. (Certain word constructs are tantalizing and cry out for clarification.) The "Asian fan" in the background is not something that an Occidental would generally use, but when I have seen a fan the subject is Japan rather than China. There is a nice touch in having a slide transcript as footer to the foils.

We found it interesting that DeepThroat used a "no download, view only" PPT format as the release mechanism instead of a PDF posted to one of many widely read security forums. As we thought the material of value and were uncertain how long the PPT would remain active, a full screen capture was made of each foil as individual jpg files, rolled into a PDF for better examination and portability, and then posted under a fair use guideline as China Cyber - Fair Use.

At the time of capture, DeepThroat listed only one contact in Slideshare, Jonathan Boutelle, a cofounder of Slideshare. A number of us found it curious that a phantom poster elected to cite Boutelle as a linked friend. For a variety of reasons, I'd first assumed that Boutelle was DeepThroat and had bought some room for plausible denial. I queried Boutelle with the courtesy note that I would cite his response in a forthcoming weblog entry. Boutelle replied:

Not me. But you can message that person through slideshare. Just go to their slidespace and click "send a private message". Regards, Jon [email]

Deciding against a voluntary appeal to DeepThroat to uncloak, I researched the PowerPoint text strings which led me to Charlie Chung-Ping Chen, or Charlie Chen, now at National Taiwan University.

Author search for China Cyber Army

Search for the author of China Cyber Army has focused on Associate Professor Charlie Chung-Ping Chen, or Charlie Chen, recently at University of Wisconsin-Madison and now at the Graduate Institute of Electronics Engineering, National Taiwan University, Taipei. (See personal data in the ICS Group.) Chen has potential motive and certainly has means and opportunity.

Taiwanese by birth, and thereby open to anti-mainland Chinese sentiment, Chen took a BS in computer science and information engineering from the National Chiao-Tung University, Hsinchu, Taiwan, in 1990. Moving to the US, Chen took his doctorate in computer science from the University of Texas in 1998.

Between 1997 and 1999 he was with Intel Corporation as a senior CAD engineer with Strategic CAD Labs, in charge of several important interconnect and circuit synthesis projects in his microprocessor group.

He was then an assistant professor in the Electrical and Computer Engineering Department, University of Wisconsin-Madison, followed by the Graduate Institute of Electronics Engineering, National Taiwan University.

Searching the Chinese-language blog X-Solve, I found a likely source in an article, China Cyber Army~A!, describing Chinese predation on UK and French networks.

The first response to this item is by a "Charlie Chen":

Internet Espionage: The China Cyber Army

Since 2003 Sept., we have found the first big-scale intrusion event; the victim is the National Police Agency, attacked by at least 2 groups of China hackers, from HuBei and JianSu.

2003 Oct. Taiwan Military Missile Plan Leakage. (Lw)
2004 Jan. Executive Yuan 300+ PC compromised.
2004 Apr. Fake Official Dept. E-mail with Trojan found.
2004 Sep. Ministry of Foreign Affairs and embassy compromised.
2004 Nov. DPP compromised. (Mh)
2005 May. Big scale: Gov, High-Tech, on-line banking, Science Park (200+ companies compromised).
2005 Jul. Taiwan, Ministry of Foreign Affairs again.
2005 Sep. Taiwan, National Security Council compromised.
2005 Nov. Taiwan, Military Central Command compromised.
2006 Mar. Taiwan, Legislative Yuan, Reporters compromised.
2007 Apr. Military Operation plan leakage due to USB data collect backdoor. (h

The seventh response is by 'Tomato X', who cites a reply made by Charlie Chen to a Security Focus post:

Tomato X - 11th, 2007 at 6:59

The story is on going everyday
Charlie Chen

While Lemos' originating article in Security Focus is quite short:

China on hot seat over alleged hacks
Robert Lemos
SecurityFocus 2007-09-04

Fresh allegations surfaced on Monday that China's military has hacked other nation's networks to nab sensitive data, charges that the country denied for the second time in two weeks.

Charlie Chen's reply is fulsome with both the content and curious English phrasing reminiscent of the PPT:

the story is on going everyday 2007-09-10
Charlie Chen
Security Focus
Sept 10, 2007

Link to this comment:

There are at least 8 China Hacker Groups. We call them as HuBei Jun (Jun for military troop),

ShangHai Jun, Beijing/TienJing Jun, GuoDong Jun, FuJian Jun, SiChuan Jun, JianSu Jun, SiAnn Jun.

Through incident handling and investigation with law enforcement, we found some evidence to prove the China hackers (targeted attack / spear phishing) came from government (military, intelligence dept and public security).

We have inspected the tools, from the beginning trojaned e-mail, backdoor, and relay tools in the way stations.

At first, using Microsoft Word (*.doc) file with exploit, to drop backdoors or download spyware from other way stations. And the backdoor connects back to the way station, when the hacker comes from China (fixed IP or ADSL) to remote control victims.

What they want is to collect the contact list files (Outlook, MSN ...) to build a huge database about relationships for future use. From the contact list, hackers can send a 'well-made' trojaned mail to the others in the contact list; then victims will trust the e-mail's subject and fake e-mail source, open it and be compromised. And, periodically jump back to collect the latest documents in all file types. Even steal your mail account to have a copy of your mail boxes.

As the official document shows, the cyber operation was directly sponsored or supported by General Staff Department Sec. Four. And the evidence shows they:

(1) Organized: have principle, formal check-in/out time. In our domain name (used by backdoor) observations, they start to work at 0700 GMT+8 Round 1, 1150 Lunch, 1400 Round 2, 1730 Take a break; then, depending on group, have night team, to hack foreign countries.

(2) The tools: not commonly seen in public Internet. Some hacker groups use the same military produced/purchased hacking tools.

(3) The source IPs we sniffed from incident handling can be directly mapped to military regions of China.

A quick search on Charlie Chen turns up Charlie Chung-Ping Chen, also known as Charlie Chen, at University of Wisconsin-Madison (his more recent posting at National Taiwan University is far more obscure but still points to the Extended home page at Wisconsin). While there are other Charlie Chens about, this is the only one online with the pedigree to perform the analysis shown in China Cyber Army:

Chen's posting at National Taiwan University is currently listed as on "leave of absence." The attack profile is familiar but Chen is one of the few that is writing a (semi) public analysis of recent attacks. There must be a network beyond Chen as his Security Focus comment talks about 'we' and working with the authorities. Sounds like a Baker Street Irregular group with symbiotic ties to the defense sector.

Chen is not keeping a sufficiently low profile when, with modest digging, I can get to this point. If the mainland is interested, they know this much and far more. Two emails to Chen to learn more about his research efforts in this area have yet to be answered.

US looks to military to take on cyber threats
Command centre to be offensive and defensive
Tom Young
10 Jan 2008

Researchers map China’s underground cybercrime economy
Posted by Larry Dignan @ 4:20 am
December 6, 2007

Cybercrime agency faces cuts as computer raid threats grow
Rhys Blakely and Sean O'Neill
From The Times
December 4, 2007

Studying Malicious Websites and the Underground Economy on the Chinese Web
Jianwei Zhuge, Thorsten Holz, Chengyu Song, Jinpeng Guo1 Xinhui Han, and Wei Zou
Peking University Institute of Computer Science and Technology Beijing, China
University of Mannheim Laboratory for Dependable Distributed Systems Mannheim, Germany
Reihe Informatik. TR-2007-011
December 3, 2007

Secrets of Shell and Rolls-Royce come under attack from China’s spies
James Rossiter
From The Times
December 3, 2007

World faces "cyber cold war" threat
By Peter Griffiths
Nov 29, 2007 8:37am EST


Cyber war to escalate in 2008
120 countries developing ways to attack computer networks
Andrea-Marie Vassou
29 Nov 2007

Nations must defend against cyber warfare
Problem is getting worse as technology improves methods of attack
Tom Young
29 Nov 2007

Virtual Criminology Report: Cybercrime: The Next Wave
By Ian Brown, Oxford Internet Institute; Lilian Edwards, Institute for Law and the Web (UK); Eugene Spafford et al., CERIAS, Purdue University (US)
The annual McAfee global cyber trends study into organized crime and the Internet, in collaboration with leading international security experts
Commissioned by McAfee

Chinese Spying No. 1 Threat To U.S. Manufacturing
By Foster Klug, Associated Press
November 15, 2007

Panel: China's Spying Poses Threat to U.S. Tech Secrets
By David Cho and Ariana Eunjung Cha
Washington Post
November 15, 2007; 11:57 AM

Cyber war moves up Nato agenda
Increasingly co-ordinated assaults are alarming defence ministers
Tom Young
01 Nov 2007

China behind daily internet attacks on Germany
"Chinese cyber war" looking to bridge corporate and scientific gap
Matt Chapman
23 Oct 2007

Malicious code infects Chinese security site
Chinese Internet Security Response Team's Web site is rigged with a malicious hidden window that can allow code to run on a visitor's PC
By Jeremy Kirk
IDG News Service
October 03, 2007

China Cyber Army
October 2007

China says it's a cyberattack victim, not villain
Published on ZDNet News
Sep 22, 2007 1:15:00 PM

Beware lurking PRC cyber army
By Cheng Ta-chen
Translated by Anna Stiggelbout
Taipei Times
Sep 12, 2007

France blames China for hack attacks
Chinese whispers
By John Leyden
The Register
Published Wednesday 12th September 2007 15:49 GMT

France joins Chinese hacking row
Fourth country points the finger at Chinese hackers following breaches
Matt Chapman
10 Sep 2007

Chinese hacking row escalates
UK government accused of cover up
Iain Thomson
06 Sep 2007

CIO Magazine on IP Theft
Posted by Richard Bejtlich at 19:17
Tao Security
August 08, 2007

Gordon Housworth


Protecting mobile information in your possession and transiting to/from you


Most encryption approaches have failed due to the delta between the security level that a firm's management seeks to instill and the overhead that their employees are willing to endure. As a PGP user since rev 3 (DOS-based), I can sympathize, but once PGP migrated to Windows and Outlook allowed a toolbar add-in, it has become almost easy.

Many now see the issue as protecting mobile machines and their still shrinking, easily mislaid or stolen flash drives. I submit that users must also protect materials transiting to and from them while they are deployed.

Transparent whole data volume encryption

I recommend Schneier's short item on protecting data on a PC, laptop or otherwise, and associated mass storage items such as jump sticks. Not only is Schneier's approach practical and easy to employ, it is now essential, given the number of mobile computers in use and the rising number of opportunistic and premeditated predators, for virtually any firm:

PGP Whole Disk Encryption locks down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system, and swap files. The encryption is transparent to the user, automatically protecting data.

There are added features such as preboot authentication, anti-key logging and one-time use emergency passphrase. A removed disk cannot be booted when inserted into another computer, nor is there any modification to Windows.

Schneier recommends a two-tier encryption strategy:

Encrypt anything you don't need access to regularly -- archived documents, old e-mail, whatever -- separately, with a different password. I like to use PGP Disk's encrypted zip files, because it also makes secure backup easier (and lets you secure those files before you burn them on a DVD and mail them across the country), but you can also use the program's virtual-encrypted-disk feature to create a separately encrypted volume.

Use multiple tiered passphrases

I go beyond Schneier's two-tier strategy to use a tiered set of passphrases: one for PGP transmissions, another for full disk encryption and a third or more for reference volumes, so that one passphrase does not reveal all.

Know how to turn off your laptop fast

Know how to quickly turn off your laptop and, if you have to hold down a key or key combination to do it, how long that takes. You may not wish to endure bodily harm before surrendering a laptop, as in a coffee shop theft, but holding onto it just long enough to power it down means the thief does not walk away with a running PC whose mounted volumes are open to attack.

Minimize data stores on any mobile device, PC or jump drive

Take note of Schneier's comment not to have excess data on the disks to begin with: data that is not there need not be encrypted and cannot be the subject of legal or physical demands to decrypt it:

minimize the amount of data on your laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database? One of the most incredible things about the Revenue & Customs story is that a low-level government employee mailed a copy of the entire national child database to the National Audit Office in London. Did he have to? Doubtful. The best defense against data loss is to not have the data in the first place.

Use 'transit addresses' wherever you are reasonably at risk

I realize that data scrubbing will be considered too much trouble by most, and certainly by those whose laptop has long since become their roving desktop machine, but here is one essential practice that I urge, especially for those bound for locales where in-transmission capture is possible or probable: use a 'transit address' while travelling that receives only a filtered subset of your normal traffic.

While en route to, or within, certain countries, by prearrangement with the home office, I look only at the transit address traffic, and even that transit traffic may be encrypted. (I also reset my email passphrase.) All mail continues to go to my usual address; pertinent items are then flagged and forwarded (often in abstracted form) to the transit address. If you don't send it, they have more difficulty intercepting it. I alert colleagues that I am deployed for a time window and am looking only at transit traffic.

You cannot imagine the traffic that flows to and from senior executives and senior technical personnel; they effectively make no differentiation between the home office and fragile in-transit and deployed locations where key-logging and other government-mandated monitoring efforts are in effect. I say again: the volume of traffic laid open to collection is hard to imagine. Merely capturing the email addresses of traffic to and from the target lays a trusted group open to targeted phishing attacks. See Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets.

Don't do dumb things

Even the best encryption systems will not protect you if Homo Boobus takes over the keyboard, doing things such as leading your cyphertext with the cleartext title from the subject line, using key words from the text in the subject line, or pasting the encrypted cyphertext above or below the cleartext. I have gotten too many of those from amateurs.

Never, ever send or receive faxes. If it is worth sending, encrypt it and send via email.

But do carry any keys on separate media on your person 24/7, carry the laptop with you 24/7 to prevent physical attack with a Linux boot disk, frequently send random encrypted blocks of text to blunt traffic analysis, etc. People's eyes usually glaze when they hear this but intel collectors and criminals depend upon that resistance.

Putting it all together

One client's staff followed the rules such that we had emcon (emission control) to the point that our Asian hosts grew increasingly frustrated in negotiations. (Our presumption was that our host was not getting the expected level of background information needed to design their response to the client.) Turning the tables a bit, well past the halfway point in the visit I had the client announce that we were going to take the last day off for a special sightseeing tour. Now it was our hosts who had to work under compressed timelines.

Plausibly deniable encryption

For the few that must endure the likelihood of coercive interrogation that would force the prisoner to disclose any and all passphrases, there is plausibly deniable cryptography that clouds the very existence of encrypted volumes:

Encrypted filesystems fail against the Rubberhose Attack [because] traditional encrypted filesystems leak information. While the Bad Guy doesn’t know what the encrypted data is, he is able to see that there -is- encrypted data. Thus, he can beat our spy until all encrypted data has been decrypted.

Most processes by which one hides a data volume, so that an inquiring police or immigration officer sees nothing to which to demand access, are not for the technically faint of heart. The system that I used, Rubberhose, is no longer supported and its creator is not the speediest in responding. The level of effort is higher on the install side, but if you are likely to face coercive interrogation, it has its merits:

Deniable cryptography allows a captive or defendant that does not wish to disclose the plaintext corresponding to their cyphertext to be able to show that there is more than one interpretation of the encrypted data, i.e., an investigator will likely know that encrypted material exists on the drive, but will not know how much, and so there is an opportunity to keep the existence of the most essential data hidden. Designed by Julian Assange, co-author of The Underground, Rubberhose is named after the decryption tactic it attempts to defeat: Rubberhose Cryptanalysis, in which suspects are exposed to repeated beatings or torture until their password is surrendered.

The best product extant in this area appears to be TrueCrypt but if this cloaked approach is necessary, your systems specialists should evaluate its ability to withstand the expected level of forensic analysis for the hostile states through which you expect to travel.
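To make the decoy/hidden layout concrete, here is an added toy container (not Rubberhose or TrueCrypt code): a random-filled file holds a decoy "outer" volume at its head and a "hidden" volume in its tail, each recognisable only with its own passphrase, so whoever is handed the decoy passphrase sees the hidden region as filler. The region sizes, the constructed salt and the SHA-256 counter keystream are assumptions for illustration; the bounds check demonstrates the failure mode every hidden-volume scheme must guard against, an outer volume growing into and destroying the hidden one.

```python
"""Toy plausibly deniable container (added example; not Rubberhose or TrueCrypt code).

One file, filled with random bytes, holds a decoy 'outer' volume at its head and a
'hidden' volume in its tail.  Each volume is recognisable only with its own passphrase,
so the hidden region is indistinguishable from filler to anyone holding the decoy key.
The cipher is a SHA-256 counter keystream for illustration only, not a disk cipher."""
import hashlib
import hmac
import math
import secrets

CONTAINER_SIZE = 4096
HIDDEN_SIZE = 1024                      # assumed layout: hidden volume occupies the tail
OUTER_REGION = (0, CONTAINER_SIZE - HIDDEN_SIZE)
HIDDEN_REGION = (CONTAINER_SIZE - HIDDEN_SIZE, CONTAINER_SIZE)
TAG_LEN = 32                            # keyed tag lets the right passphrase recognise its volume
LEN_FIELD = 4                           # payload length, stored encrypted
SALT = b"constructed-salt-for-demo"     # constructed; real containers store a random salt


def derive_key(passphrase: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 50_000)


def keystream(key: bytes, nbytes: int) -> bytes:
    blocks = (nbytes + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                    for i in range(blocks))[:nbytes]


def xor_bytes(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))


def new_container() -> bytes:
    # Every byte starts random, so an unused region looks exactly like a written one.
    return secrets.token_bytes(CONTAINER_SIZE)


def write_volume(container: bytes, passphrase: str, region: tuple, plaintext: bytes) -> bytes:
    start, end = region
    capacity = end - start - TAG_LEN - LEN_FIELD
    if len(plaintext) > capacity:
        # The classic failure mode: letting the outer volume grow past its region
        # would silently overwrite the hidden volume, so refuse rather than spill.
        raise ValueError("payload exceeds the volume region")
    key = derive_key(passphrase)
    body = len(plaintext).to_bytes(LEN_FIELD, "big") + plaintext
    body += secrets.token_bytes(capacity - len(plaintext))   # random padding hides true length
    ciphertext = xor_bytes(body, keystream(key, len(body)))
    tag = hmac.new(key, ciphertext, "sha256").digest()      # pseudorandom without the key
    return container[:start] + tag + ciphertext + container[end:]


def open_volume(container: bytes, passphrase: str, region: tuple):
    """Return the plaintext if the passphrase fits this region, else None."""
    start, end = region
    key = derive_key(passphrase)
    tag, ciphertext = container[start:start + TAG_LEN], container[start + TAG_LEN:end]
    if not hmac.compare_digest(tag, hmac.new(key, ciphertext, "sha256").digest()):
        return None
    body = xor_bytes(ciphertext, keystream(key, len(ciphertext)))
    n = int.from_bytes(body[:LEN_FIELD], "big")
    return body[LEN_FIELD:LEN_FIELD + n]


def open_any(container: bytes, passphrase: str):
    """What an inspector sees: a passphrase opens the one volume it fits, nothing else."""
    for name, region in (("outer", OUTER_REGION), ("hidden", HIDDEN_REGION)):
        data = open_volume(container, passphrase, region)
        if data is not None:
            return name, data
    return None


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; a written hidden region scores like untouched random filler."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    box = new_container()
    box = write_volume(box, "decoy passphrase", OUTER_REGION, b"travel itinerary")     # constructed
    box = write_volume(box, "hidden passphrase", HIDDEN_REGION, b"fallback positions")  # constructed
    print(open_any(box, "decoy passphrase"))      # ('outer', b'travel itinerary')
    print(open_any(box, "hidden passphrase"))     # ('hidden', b'fallback positions')
    print(round(entropy_bits_per_byte(box[HIDDEN_REGION[0]:HIDDEN_REGION[1]]), 2))
```

The keystream is reused if a volume is rewritten under the same passphrase, which a real container avoids with a per-write nonce; the point here is only the layout and the bounds check.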

For most commercial environments, disk and associated data volume encryption, a fast off-switch, transit address usage and excising unnecessary data from the mobile unit will stand you in good stead.

How Does Bruce Schneier Protect His Laptop Data? With His Fists — and PGP
By Bruce Schneier
November 29, 2007
Mirrored as:
How to Secure Your Computer, Disks, and Portable Drives
By Bruce Schneier
Schneier on Security
December 04, 2007

Deniable File System
By Bruce Schneier
Schneier on Security
April 18, 2006

Defending against Rubberhose Attacks
By Christopher Soghoian
JHU Systems Seminar
March 9, 2004

Gordon Housworth


US IT infrastructure is as, likely more, vulnerable to active and passive cyberattack than Estonia


'Cyber-collection' versus cyberterrorism

The ongoing organized cyberattack on Estonian state and commercial IT infrastructure is the clearest example of a "cyber Pearl Harbor": an active attack to disrupt or degrade the capacity of a state to function, to conduct commerce and to defend itself. Yet as instructive, even attention-grabbing to the thoughtful few, as this active attack is, it falls in the smaller category of IT cyber risk. The greater risk is the wholesale 'passive' probing and intrusion effort to reconnoiter infrastructure and steal proprietary or classified information.

Between FY 2005 and 2006, federal assets showed a marked rise in activities involving unauthorized access, improper usage, scans/probes, attempted access, investigation, even denial of service, yet a decrease in malicious code (a condition I believe is due more to spear phishing and other, more intelligent exploits than to lessened activity).

In their fiscal year 2006 financial statement audit reports, 21 of 24 agencies indicated that they had significant weaknesses in information security controls. [The] weaknesses persist in major categories of controls, including, for example, access controls, which ensure that only authorized individuals can read, alter, or delete data, and configuration management controls, which provide assurance that only authorized software programs are implemented. An underlying cause for these weaknesses is that agencies have not yet fully implemented agencywide information security programs, which provide the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. Until agencies effectively and fully implement agencywide information security programs, federal data and systems will not be adequately safeguarded to prevent unauthorized use, disclosure, and modification.

Without a systemic application of a Design Basis Threat (DBT) analysis, I cannot see federal or commercial systems staying ahead of the growing number of attackers and recon efforts; money and attention will be squandered for "feel good security" rising from false practices and vendors' siren recommendations of their particular wares as plugging the gap. See:

Furthermore, most systems are Brownfield legacy or, if they are Greenfield, have critical links or access to Brownfield systems. Atop that, most systems are not designed with security in mind. From The defender's dilemma: common threads in exploiting commercial supply networks:

The problem is that the commercial production environment, in this case the "defender," is supremely exploitable as commercial supply chains are designed around economic efficiency and manufacturing efficiency rather than exploitation security. [Terrorist supply chains, or asymmetrical attacker Supply chains, are not built for commercial efficiency but for detection avoidance at least until the attack is in progress.] Cost and risk rise to the commercial defender as they try to backfill security needs atop a commercial structure. In this situation, it tracks with the difficulty in countering IP theft and diversion unless the process is built in from the onset. In all such environments, it is too easy to ask how often [the target will be attacked] as opposed to if or when?

Readers are encouraged to review my 2005 Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets that highlighted the Chinese Titan Rain intrusion efforts and confirms "our experience that 'cyber-collection' far outranks cyberterrorism":

The black hat community attacking commercial and military targets is as large as it is diverse and global:

  1. State espionage against foreign commercial and military targets
  2. Criminal enterprises focused on money over fame or ideology
  3. Stateless terrorism and its associated criminal money raising campaigns (phishing for example)
  4. "Outsourced" smaller criminal enterprises in low cost, permissive cultures (who can fabricate exploits too labor intensive for more established criminal groups)
  5. Cracker groups selling exploits to groups 1, 2, and 3 directly or through brokers

China enshrined informationalization, the best definition of which is from the Double Tongued Dictionary, into its military doctrine in 2004:

Subsequent analysis has shown that the People's Liberation Army (PLA) pursues a similar outsourcing strategy in its IT (Information Technology) and IP (Intellectual Property) harvesting by using Chinese commercial entities as proactive agents, i.e., your contract engineering house or supplier is also the collector of your proprietary information [private briefing to clients].

In a DOD background briefing for the 2007 Military Power of the People’s Republic of China, a question was raised on "informationization, which sounds quite a bit like our network-centric. Would that be a correct assumption?"

DEFENSE DEPT. OFFICIAL: I would be hesitant to draw a direct parallel, but I think that certainly China's ideas on what informationization is would be informed by their understanding of network-centric warfare. I think when they say informationization, it's really their understanding of how information technology is now a pretty significant component of the modern battlefield. So it's, you know, intelligence, surveillance, reconnaissance, precision strike. So it's the role of information, information systems, information technology. So I'd probably say it's not a direct parallel.

Target Estonia, and only Estonia

Estonia ranks with Scandinavian states in its level of internet integration:

One of the most wired societies in Europe… Estonia has a large number of potential targets. The economic success of the tiny former Soviet republic is built largely on its status as an "e-society," with paperless government and electronic voting. Many common transactions, including the signing of legal documents, can be done via the Internet...

A massive DDoS (Distributed Denial of Service) attack against such a state had the potential to cripple it, incurring costs and interruptions, and raising the risk calculus of potential partners who might do business with it going forward. With Estonian-Russian relations already strained at best, an Estonian action to relocate a Soviet war memorial, the "Bronze Soldier," on 27 April triggered just such a series of attacks within hours. This attack is unique for its lack of criminal motive and the presence of a direct and identifiable nationalistic motive.

While specific Estonian ISPs have been under DDoS attack for months by the Allaple virus, the motive for those attacks is unclear. The April-May DDoS attacks, in contrast, are massive and immediately tied to a causal condition and to perpetrator(s). In a stroke, a state's electronic infrastructure was raised to the same level as its sovereign territory and airspace. Estonia's infrastructure - government, banking, ISPs, telecommunications and news agencies - was driven offline, almost completely so outside of the Baltic states and Scandinavia. The Estonian defense ministry ranked the attack on the nation as comparable to 11 September.

There was also precision in the attacks. While Estonia is both a NATO alliance member and an EU member, no NATO systems in Estonia were attacked.

Attack characteristics

Described as a "common-size attack" of 100-200 megabits per second, the Estonian attack is analogous to the Apolo Ohno attack in both size and nationalistic impetus; and similar in size to the 2006 rogue DNS server attack. "Multiple botnets and tools--both botnet-related and not botnet-related" were employed.

Though Estonia is generally cyber-wise, this attack demands substantial numbers of skilled technicians. Estonian ISPs are working with their international ISPs "that give them inbound traffic as well as the attack traffic" in order to push traffic interdiction outward, identify root causes and isolate them. Expect changes in botnet locations and sources to retain attack vibrancy; expect variations in sources, traffic and packet types.

Another 'characteristic' of the Estonian attack is its success: for a modest investment in botnets, the attacks have degraded Estonian commercial and governmental operations, registering an effective and highly visible protest. Governments, factions and corporations should expect copycat events. Much larger attacks, blended with multiple payload characteristics, are quite possible.

Stateless quality of active and passive cyber attacks

"If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?" NATO Official

The better DDoS attacks and penetration attacks share a condition common to terrorist groups, namely statelessness, and with it the ambiguity of identifying the culpable state actor and the risk of targeting the innocent. A peer-to-peer botnet can go far in camouflaging its controller. Whereas the first wave of attacks on Estonia largely emanated from Russian servers, including government servers, the second, larger series emanated from a global array of servers.

This stateless nature, in addition to the newness of active statewide cyber attacks, raises many questions that have yet to be codified in international law:

  • What is the cyber equivalent for the death of a nation's citizen?
  • How many of those units constitute grounds for cyber or military retaliation?
  • What is the variance between a cyber and military threshold response?
  • What level of proof is needed to secure international approval?
  • If an attack emanated from within a state, is it a sanctioned state action or a rump action by groups of its or other nationals?
  • What is the appropriate level of response, in kind or otherwise?
  • When does a cyber attack become indistinguishable from a conventional attack? (One might well ask when this question will be considered quaint and rendered moot.)

Answering these questions will not be easy, as the international community has yet to formulate responses to lesser levels of cyber crime and terrorism, much less a massive cyber attack; neither NATO nor the EU has yet defined what constitutes a cyber attack.

US ability to withstand a major active cyber attack

If the federal government is seriously contemplating a 'cyber Pearl Harbor' threat, the unclassified reporting and current asset deployment do not reflect it. Quite the opposite: the current US cyber warfare strategy is seen as "dysfunctional" and a "complete secret to everybody in the loop" by General James Cartwright, commander of US Strategic Command. Cartwright made this assessment:

  • Cyber warfare strategy divided among three groups: Net Warfare (attack and reconnaissance), Joint Task Force for Global Network Operations (network defense and operations) and Joint Information Operations Warfare Center (electronic warfare)
  • Groups operate independently with poor information sharing
  • Present DOD approach "developed ad-hoc" based on terminal defense, commences action "only after an attack, and takes weeks for a response"
  • Result is a "passive, disjointed approach that undermines the military's cyberspace operations"
  • US not developing cyber intellectual capital at the required rate to address a tiered hierarchy of "hackers, criminals, and nation-states"
  • "DOD must move away from a network defense-oriented cyber architecture [while] cyber reconnaissance, offensive, and defensive capabilities must be integrated and leveraged for maximum effect"

Given that Cartwright was opining in early 2007, it does not give this author comfort that the first federal cyber war exercise, Cyber Storm, carried out in February 2006, had such a relatively positive outcome. (It is at moments like this that I remember the counsel of a skilled practitioner who noted that any exercise presided over by political elites must be designed not to fail, lest their stewardship be called into doubt.)

Cyber Storm was to provide a "controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance" affecting "Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors." My lack of comfort was not improved by the choice of attacker, a group of "anti-globalization radicals and peace activists" called the Worldwide AntiGlobalization Alliance (WAGA) instead of a substantive Hezbollah or al Qaeda effort, or better yet, the expected swarm attack of a Chinese or Russian cyber offensive. See Informationalization in Chinese military doctrine affects foreign commercial and military assets.

Were the stakes not so high, this lighthearted review might be funny:

The attack scenario detailed in the presentation is a meticulously plotted parade of cyber horribles led by a "well financed" band of leftist radicals who object to U.S. imperialism, aided by sympathetic independent actors… Apparently, no computers were harmed in the making of Cyber Storm. "There were no actual attacks on live networks, no Red Team," the presentation notes. "Players reacted to situation and incident reports according to their regular/normal SOPs." So it was more of a paper exercise. A referee points at someone and yells, "You! Your website is defaced. What do you do?" -- and the organization responds accordingly… And on it goes, with over 800 scenario "injects" over four action-packed days.

Having spun scenarios without limit, Cyber Storm's "Overarching Lessons Learned" offer painful parallels to each of the TOPOFF series simulating large-scale terrorist attacks involving biologic, chemical and radiological WMDs ("diseases are fearsome, hospitals and first responders are overwhelmed, interagency and intra-agency coordination is pummeled while communications in the form of multiple control centers, numerous liaisons, and increasing numbers of response teams merely complicate the emergency response effort"). See Bioterrorism Drill TOPOFF 2 -- Failing to think like al Qaeda & relearning old lessons and Katrina as an "incident of national significance" puts the lie to DHS scenario planning for terrorist event preparation.

Who could be surprised by these lessons learned? They could describe any large bureaucracy under stress, perhaps even their daily environment:

  • Correlation of multiple incidents is challenging at all levels:
    • Within enterprises / organizations
    • Across critical infrastructure sectors
    • Between states, federal agencies and countries
    • Bridging the public-private sector divide
  • Communication provides the foundation for response
  • Processes and procedures must address communication protocols, means and methods
    • Collaboration on vulnerabilities is rapidly becoming required
    • Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
  • Coordination of response is time critical
    • Cross-sector touch points, key organizations, and SOPs must be worked out in advance
    • Coordination between public-private sectors must include well articulated roles and responsibilities

A way forward

USAF (Air Force) is undertaking what I believe is some long overdue consolidation, removing all ISR (intelligence, surveillance and reconnaissance) from the operations community and consolidating them under the intelligence directorate (A2), and standing up a Cyber Command based on 8th Air Force infrastructure capable of seeing "Cyberspace [as] a fighting domain where the principles of war do apply."

If the US was confronted with a major cyber attack against critical IT infrastructure, DoD is said to be "prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source" but I am not sanguine. "The primary group responsible for analyzing the need for any cyber counterstrike is the National Cyber Response Coordination Group (NCRCG)" whose key members are US-CERT, DoJ and DoD. But it appears that a coordinated response remains a work in progress:

The NCRCG's three co-chairs acknowledge it’s not simple coordinating communications and information-gathering across government and industry even in the best of circumstances, much less if a significant portion of the Internet or traditional voice communications were suddenly struck down. But they asserted the NCRCG is "ready to stand up" to confront a catastrophic cyber-event to defend the country.

I think it accurate to say that interagency coordination and response, together with coordination with the private sector which manages much of US IT infrastructure, has yet to be tested; Cyber Storm's next event should inject realism over rainbow scenarios. At the moment, US Strategic Command will issue a counterattack recommendation to POTUS:

In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the [US] would consider launching a counterattack or bombing the source of the cyberattack [but] the preferred route would be warning the source to shut down the attack before a military response.

Given that initiating a cyber counter-counterattack will currently violate the Computer Fraud and Abuse Act, we have a long road ahead.

Double Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

War Fears Turn Digital After Data Siege in Estonia
New York Times
May 29, 2007

Cyberattack in Estonia--what it really means
Arbor Networks' Jose Nazario takes stock of the denial-of-service attack against the Baltic nation--and the wider implications.
By Robert Vamosi
May 29, 2007

Air Force examines its vulnerability to cyberattack
By Sebastian Sprenger
May 29, 2007

Feds take 'cyber Pearl Harbor' seriously
By Jason Miller
May 28, 2007

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
By Sumner Lemon
IDG News Service
May 28, 2007

DoD: China seeking to project military power
By William H. McMichael, Staff writer
Marine Times
May 25, 2007

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web
Office of the Assistant Secretary of Defense (Public Affairs)
US Department of Defense
May 25, 2007

Military Power of the People's Republic of China 2007
Office of the Secretary of Defense

Cyber Assaults on Estonia Typify a New Battle Tactic
By Peter Finn
Washington Post
May 19, 2007

Estonian DDoS Attacks - A summary to date
By Jose Nazario
Security to the Core
May 17, 2007

NATO concerned over cyber attacks on Estonia, possible impact on alliance
Associated Press/IHT
May 17, 2007

Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks
AFP/Sydney Morning Herald
May 16, 2007

Russia accused of unleashing cyberwar to disable Estonia
· Parliament, ministries, banks, media targeted
· Nato experts sent in to strengthen defences
By Ian Traynor in Brussels
The Guardian
May 17, 2007

A cyber-riot
The Economist
May 10, 2007

INFORMATION SECURITY: Persistent Weaknesses Highlight Need for Further Improvement
Testimony Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives
Statement of Gregory C. Wilshusen and David A. Powner
April 19, 2007

Black Hat: Botnets Go One-on-One
By Kelly Jackson Higgins
Dark Reading
February 22, 2007

Cartwright: Cyber warfare strategy 'dysfunctional'
By Josh Rogin
February 9, 2007

RSA - US cyber counterattack: Bomb one way or the other
By Ellen Messmer
Friday, February 9, 2007

Blue Force Tracker for cyberspace?
By Josh Rogin
January 25, 2007

Air Force to reorganize intell community
By Josh Rogin
January 12, 2007

When Hippies Turn to Cyber Terror
By Kevin Poulsen
Wired Blog 27B Stroke 6
August 15, 2006

Report: Hackers engage in vulnerability auctions
By Rutrell Yasin
July 12, 2006

National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting
June 21, 2006

Military Power of the People's Republic of China 2006
Office of the Secretary of Defense

Risk management critical for FISMA success
Experts say IGs, execs must agree on common enforcement and audits
By Michael Arnone
March 13, 2006

China Investing in Information Warfare Technology, Doctrine
By Kathleen T. Rhem
American Forces Press Service
July 20, 2005

The Military Power of the People's Republic of China 2005
Office of the Secretary of Defense

Gordon Housworth


Informationalization in Chinese military doctrine affects foreign commercial and military assets


Informationalization, the computerization of business, industry, and military, has entered Chinese military thinking in earnest, affecting both foreign commercial and military assets. US and EU commercial assets have already suffered serious predation from Chinese military assets and Chinese commercial assets operating under military direction.

In the absence of a US counter-cyber warfare strategy, Chinese IT technologists enter all but the most secure US systems, exceeding the limits of passive examination and surveillance. Naval Network Warfare Command (Netwarcom) and others observe:

  • Chinese attacks "far outstrip other attackers in terms of volume, proficiency and sophistication, [the conflict having] reached the level of a campaign-style, force-on-force engagement"
  • "Motives of Chinese hackers run the gamut, including technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action"
  • Chinese employ complex, parallel attacks including using a virus plant "as a distraction and then come in 'slow and low' to hide in a system while the monitors are distracted... spear phishing, sending deceptive mass e-mail messages to lure DOD users into clicking on a malicious URL, [and innovative implementations] of more traditional hacking methods, such as Trojan horse viruses and worms"
  • Attacks are so deliberate, "it's hard to believe it's not [Chinese] government-driven"

Shifting from 'passive' to active cyberwarfare, the PRC intends to "be able to win an 'informationized war'" by 2050. Where technology continues to outstrip policy, the advantage goes to agile actors able to pierce regulatory and technical barriers.

In reverse chronological order, I have gathered together the pertinent information warfare snippets from the 2007, 2006 and 2005 annual Military Power of the People's Republic of China reports that outline the significant leaps made by China in both conceptual thinking and implementation:


The 2007 Military Power of the People's Republic of China cites active and passive Chinese cyberwarfare in two chapters:

Chapter Four, Force Modernization Goals and Trends:

Information Warfare. There has been much writing on information warfare among China's military thinkers, who indicate a strong conceptual understanding of its methods and uses. For example, a November 2006 Liberation Army Daily commentator argued:

[The] mechanism to get the upper hand of the enemy in a war under conditions of informatization finds prominent expression in whether or not we are capable of using various means to obtain information and of ensuring the effective circulation of information; whether or not we are capable of making full use of the permeability, sharable property, and connection of information to realize the organic merging of materials, energy, and information to form a combined fighting strength; [and,] whether or not we are capable of applying effective means to weaken the enemy side's information superiority and lower the operational efficiency of enemy information equipment.

The PLA is investing in electronic countermeasures, defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators), and computer network operations (CNO). China's CNO concepts include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to achieving "electromagnetic dominance" early in a conflict. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to prescribe the use of electronic warfare, CNO, and kinetic strikes to disrupt battlefield network information systems.

The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.

Chapter Six, Force Modernization and Security in the Taiwan Strait:

Beijing's Courses of Action Against Taiwan

Limited Force Options. A limited military campaign could include computer network attacks against Taiwan's political, military, and economic infrastructure to undermine the Taiwan population's confidence in its leadership. PLA special operations forces infiltrated into Taiwan could conduct acts of economic, political, and military sabotage. Beijing might also employ SRBM, special operations forces, and air strikes against air fields, radars, and communications facilities on Taiwan as "nonwar" uses of force to push the Taiwan leadership toward accommodation. The apparent belief that significant kinetic attacks on Taiwan would pass below the threshold of war underscores the risk of Beijing making a catastrophic miscalculation leading to a major unintended military conflict.


This is consistent with the 2006 Military Power of the People's Republic of China which described Chinese IT warfare preparation as follows:

Chapter Five, Force Modernization Goals and Trends:

Formation of Information Warfare Reserve and Militia Units

The Chinese press has discussed the formation of information warfare units in the militia and reserve since at least the year 2000. Personnel for such units would have expertise in computer technology and would be drawn from academies, institutes, and information technology industries. In 2003, an article in a PLA professional journal stated "coastal militia should fully exploit its local information technology advantage and actively perform the information support mission of seizing information superiority."

Militia/reserve personnel would make civilian computer expertise and equipment available to support PLA military training and operations, including "sea crossing," or amphibious assault operations. During a military contingency, information warfare units could support active PLA forces by conducting "hacker attacks" and network intrusions, or other forms of "cyber" warfare, on an adversary's military and commercial computer systems, while helping to defend Chinese networks.

The PLA is experimenting with strategy, doctrine, and tactics for information warfare, as well as integrating militia and reserve units into regular military operations. These units reportedly participate with regular forces in training and exercises.

Exploiting Information Warfare

The PLA considers active offense to be the most important requirement for information warfare to destroy or disrupt an adversary's capability to receive and process data. Launched mainly by remote combat and covert methods, the PLA could employ information warfare preemptively to gain the initiative in a crisis.

Specified information warfare objectives include the targeting and destruction of an enemy's command system, shortening the duration of war, minimizing casualties on both sides, enhancing operational efficiency, reducing effects on domestic populations and gaining support from the international community.

The PLA's information warfare practices also reflect investment in electronic countermeasures and defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators).

Computer Network Operations. China's computer network operations (CNO) include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to seize the initiative and achieve "electromagnetic dominance" early in a conflict, and as a force multiplier. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to outline the integrated use of electronic warfare, CNO, and limited kinetic strikes against key C4 nodes to disrupt the enemy's battlefield network information systems. The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. The PLA has increased the role of CNO in its military exercises. For example, exercises in 2005 began to incorporate offensive operations, primarily in first strikes against enemy networks.


The 2005 Military Power of the People's Republic of China identified Informationalization as a key element of Chinese Military Doctrine in all its aspects:

Developments in Chinese Military Doctrine

  • China's latest Defense White Paper deployed authoritatively a new doctrinal term to describe future wars the PLA must be prepared to fight: "local wars under conditions of informationalization." This term acknowledges the PLA's emphasis on information technology as a force multiplier and reflects the PLA's understanding of the implications of the revolution in military affairs on the modern battlefield.
  • The PLA continues to improve its potential for joint operations by developing a modern, integrated command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) network and institutional changes.
  • During 2004, the PLA began to integrate military and civilian suppliers in the procurement system and outsourced a number of previously military jobs to civilian industry. The PLA is placing greater emphasis on the mobilization of the economy, both in peacetime and in war, to support national defense...

Perceptions of Modern Warfare and U.S. Defense Transformation

China observes closely foreign military campaigns and defense modernization initiatives. The United States factors heavily in these observations as a model of how a modern military engages in modern warfare. China draws from U.S. military operations by adopting or emulating lessons in some areas, and in others, by identifying exploitable vulnerabilities in potential high-tech adversaries. In addition, U.S. defense transformation, as demonstrated by recent U.S. operations, has highlighted to China the expanding technological gap between modern military forces and those of developing countries. The 2004 Defense White Paper identifies the "technological gap resulting from the revolution in military affairs" as having a "major impact on China's security." These concerns have prompted China's leaders, including President Hu Jintao, to order the PLA to pursue "leap ahead" technologies and "informationalized" capabilities to increase the mobility, firepower, and precision of PLA weapons and equipment.

Operation DESERT STORM (1991) was a primary motivator behind China's efforts to prepare for future warfare. The PLA noted that the rapid defeat of Iraqi forces revealed how vulnerable China would be in a modern war. The Gulf War drove the PLA to update doctrine for joint and combined operations to reflect modern warfare and to accelerate reform and modernization. The Gulf War also spurred PLA debates on the implications of the revolution in military affairs, and led China to seek modern C4ISR and to develop new information warfare, air defense, precision strike, and logistics capabilities...

Observations of Operation IRAQI FREEDOM
In May 2003, PLA Deputy Chief of the General Staff Xiong Guangkai authored an article assessing the broad implications of Operation IRAQI FREEDOM for Chinese assessments of modern war. Some of his more salient observations follow:
-- On gleaning lessons from coalition operations: ". . . the trend of new military changes is developing rapidly in the world, and the recent Iraq war has reflected this trend. We should not only profoundly research and analyze this trend but also actively push forward military changes with Chinese characteristics according to our country's actual conditions." ...

Double-Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
Sumner Lemon
IDG News Service
May 28, 2007 10:00 AM PDT

DoD: China seeking to project military power
By William H. McMichael - Staff writer
Marine Times
Posted : Friday May 25, 2007 16:11:31 EDT

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials May 25, 2007
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web
Office of the Assistant Secretary of Defense (Public Affairs)
US Department of Defense
May 25, 2007

Military Power of the People's Republic of China (2007)
Office of the Secretary of Defense

Cyber officials: Chinese hackers attack 'anything and everything'
By Josh Rogin
Published on Feb. 13, 2007

Military Power of the People's Republic of China (2006)
Office of the Secretary of Defense

The Military Power of the People's Republic of China (2005)
Office of the Secretary of Defense

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  



Generic elements and process of a Design Basis Threat (DBT) protection system


Part 1, Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering

An international design basis threat (DBT)

The aftermath of the 11 September attacks brought renewed urgency to US, EU and Russian efforts to strengthen physical protection of nuclear materials and of all nuclear facilities, power and weapons. While Sandia's Jim Blankenship noted that a "Design Basis Threat (DBT) has been used by the United States since the 1970s as the basis for the design and evaluation of a nuclear facility's physical protection system and as a standard for comparison as the threat changes", the DBT was too often scenario-based rather than procedural, a condition not seriously challenged until the Khobar Towers attack. From Multisourcing: belated recovery of forgotten first principles, part 2:

Scenario-based responses are dangerously omissive, driving clients to extraordinary cost and diversion, often without merit, yet they are prevalent in part because they are simple. They require no procedural rigor or grounding in fact, only the ability to ask "What if?" endlessly, and they are virtually ineffective for deferring, deflecting, or interdicting an adversary's preparation.

Witness the July 2005 mass transit bombings in London: the UK had a thirty-year history of dealing with a variety of terrorist attacks and bombings, and the "scenario" and "lessons learned" from the earlier transit attacks in Madrid, Spain, were well known, yet they proved of little benefit to the British in interdicting the London attacks.

Scenario-spinning has no logical end and provides no threat assessment, vulnerability assessment, or risk assessment that would normally be enshrined in a firm’s Governance Model.

Scenarios were an Army staple until the terrorist truck bomb attack along the northern perimeter of Khobar Towers, Dhahran, Saudi Arabia, on June 25, 1996. (Khobar Towers was a facility housing U.S. and allied forces supporting Operation SOUTHERN WATCH, coalition air operations over Iraq.) The report by Wayne A. Downing, General, U.S. Army (Retired) which has become known as the Downing Report (Introductory Letter, Preface and Report), reinvigorated the uphill effort to substitute procedurally consistent threat and vulnerability analyses in place of scenario generation.

Without guiding bounds, scenarios proliferate endlessly, often crippling well-intended protective efforts (paralysis by analysis). Defenders must define a coherent view of their risk tolerance before they can craft a response strategy that reasonably and consistently responds to the threats on offer.

Building on efforts at Sandia, DOE and the NRC, the "IAEA desired an international approach for a DBT methodology that could be offered to all Member States." By 2002 member states had agreed upon a DBT "international standard model" that reconciled varying approaches as to where "risk" was accommodated.

The DBT has become the basis for the design of the physical protection system (PPS), the evaluation of a PPS under assault and the means to document and absorb future threats. Within this framework, each state can modify "the DBT process to better accommodate their culture, the technical resources of their facilities and authorities, and their regulatory frameworks."

Blankenship paints the need for DBT in bold relief:

  1. If the facility does not know who the adversaries may be and what the adversaries’ resources may be, then the design of the [protection system] probably is inaccurate...
  2. Without a DBT, the evaluator has no objective measure for evaluating the effectiveness of the [protection system]. This lack could lead to inconsistent evaluations...
  3. [Changes] could not be documented, and in fact might not even be noticed, if there were not a standard DBT created at some point in time, against which the future threats are compared...

Nine steps were recommended for developing, using, and maintaining a DBT:

  1. Identify Roles and Responsibilities of all Organizations
  2. Develop Operating Assumptions for Use with the DBT
  3. Identify the Range of Potential Generic Adversary Threats
  4. Identify an Extensive List of Threat Characteristics
  5. Identify Sources of Threat-related Information
  6. Analyze and Organize Threat-related Information
  7. Develop Threat Assessment and Gain Consensus
  8. Create a National DBT
  9. Introduce the DBT into the Regulatory Framework

The outcome of the first six steps [is] the Threat Assessment (TA) document, which contains a description of the full range of credible threats to the nuclear facilities in the State… This TA is then sent to the competent authority, which implements the State’s regulatory framework and sets policy for the physical security provisions in the State. The competent authority evaluates the risks associated with the DBT, the consequences of a successful attack by the DBT, and the probability of such an attack. The agency knows the State resources that are available or could be made available to counter the DBT. This agency then reduces the threat assessment document to incorporate the risk that the state is willing to accept. This produces a Design Basis Threat (DBT) statement against which the facilities must protect and against which they will be evaluated by the State competent authority.

Redrawing Blankenship's model for added clarity:

Generic elements of a DBT protection system

Axel Hagemann, a GRS (Gesellschaft für Anlagen- und Reaktorsicherheit mbH) representative to the IAEA, described DBT for IAEA member states in DBT - Basis for developing a European physical protection concept. Hagemann's procedural description of a state implementation is given in the paper's appendix, which I have generalized for a corporate setting without losing Hagemann's original presentation model.

The result of Blankenship's threat assessment enters in box 1, having documented an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences:

Generic Elements of a DBT Protection System

The consequences represented in box 2 are defined as the potential level of impact on the interests of the public, the nation, key interest groups, and possibly the international community. Consequences could be defined in relation to the class of event derived from end-items. Concern over potential consequences will influence policy in the decision making process that develops a DBT. That decision making process is represented by diamond 3: the Governance committee's responsibility to decide, by defining the DBT, on the level of protection. The decision can take in technical, resource, administrative and political concerns, which reduces the influence of emotion on the choice and provides opportunities to adjust existing definitions of the DBT.

The key elements in the creation of a DBT are threat assessment and decision making considering potential consequences. Threat assessment and decision-making are separate and different processes even though in practice they may be carried out simultaneously. The threat assessment process, and the document that describes the conclusions, scopes all the realistic and credible threats that the Governance committee needs to consider.

Some threats may not be manageable in terms of a DBT because some aspects of the protection system fall outside the responsibility of the Governance committee. These threats are described as being out of scope of the DBT, i.e., "Outside DBT" does not necessarily describe a magnitude of threat above that described in the DBT, but can describe threats that are inappropriate to include in a DBT.

Those threats still need to be accounted for and either ruled out of scope or referred to other competent authorities to define a response. Diamond 13 represents this additional decision making process, for which the Governance committee is responsible. The decisions symbolized by diamond 13 could be of high relevance if new concepts emerge that were not included in the design basis. The goal is a process that achieves acceptable risk, box 14. The Governance committee can, as available, draw on external agencies to provide intelligence and data in support of creating the Threat Assessment and maintaining the DBT.

The protective envelope shown in box 6 must be designed against the DBT and will be evaluated by the Governance committee using the definition of the DBT. Protection objectives will be specific to the items transiting the system. The security functions in box 8 (detect, deter, deflect, defend and recover) must be designed and evaluated against the DBT.

Responses may be graded or immediate depending upon the current evaluation of the threat, the relative attractiveness and potential of items and the potential consequences associated with diversion of that item. The requirements on the security function "Deter" can vary depending on the desired response time, response capability and method.

Process steps

Threat assessment (box 1): An analysis documenting the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences from diversion of end-items. The result of the threat assessment process describes the credible threats.

Consequences (box 2): The potential level of impact on the interests of the public, nation, key interest groups, and possibly international community.

Decision process (diamond 3): Consideration of the results of the threat assessment, the consequences and the policy leads to definition of the DBT. The corporate Governance committee coordinates the development of a DBT and is responsible for its maintenance.

Outside DBT (box 4): Describes those threats identified in the Threat Assessment that will not be included in the DBT but still remain credible. Threats outside the DBT must be considered and either ruled out of scope as indefensible, or referred to an external authority to complete the mitigation the DBT requires.

Design Basis Threat – DBT (box 5): Describes the attributes and characteristics of potential insider and external adversaries who might attempt acquisition of items deemed sensitive, and against whom a protection system has been designed and evaluated.

Protective envelope (box 6): Describes the total protection against unauthorized acquisition or diversion and will likely require a design that includes procedures, facility design, and hardware.

Specific protection objectives (box 7): Describes the means of protecting items that are moving through the system, and all other items defined as having some risk.

Specific responses (box 8): Describes methods to "Detect" or "Defer" an acquisition of an item or to invoke emergency containment responses as appropriate under the DBT.

Vulnerability assessment and capacity evaluation (box 9): A test of the system’s ability to respond to both the DBT and ongoing threats "in the wild".

Decision process (diamond 10): Represents internal decisions made during the design or evaluation of the protection process to include an evaluation as to whether the specific objectives are achieved. This decision box includes any decision regarding improvement, redesign or post damage crisis management.

Crisis management (box 11): Describes internal post-incident damage control in response to an undesired acquisition of an item.

Internal emergency response (box 12): Describes actions required to mitigate an inadvertent breach or loss of control of an item.

Decision process (diamond 13): Describes a process under which the Governance committee achieves an acceptable level of risk for all items in the DBT.

Acceptable Risk (box 14): Defines acceptable risk, in which the term "risk" is used as the likelihood that a threat will be able to effect an undesirable consequence. Risk can be reduced but not eliminated. All the judgments and decisions imply an acceptance of a degree of risk.

External competent authority (diamond 15): Describes how to respond to credible threats not included in the DBT. (The DBT may be revised or extended in this process.)

External authority responsibility (box 16): Describes a class of external action, protection or assistance taken by external authority.

External authority response (box 17): Describes external authority response in support of the corporation.

External security (box 18): Describes measures taken by external authority in support of corporation that acknowledge a credible threat as External to the DBT. Any such measures are made in concert with internal emergency response measures.

Use of Design Basis Threat at Department of Energy

It is instructive to consider one of the best practitioners of the Design Basis Threat and Vulnerability Assessment process, the Department of Energy (DOE). DOE is also remarkable for its rigor, and is among the few organizations in or out of government that reject a scenario-based 'threat' definition.

The key component of DOE's risk-based security practices is the DBT, a classified set of characteristics of potential threats to DOE assets. The DBT traditionally has been based on the Postulated Threat, a classified, multi-agency intelligence community assessment of potential terrorist threats. The DOE DBT considers external threats that include terrorists, criminals, psychotics, disgruntled employees, violent activists, and spies. The DBT also considers internal threats by insiders who have authorized unescorted access within DOE facilities and programs. These insiders may operate alone or in concert with an adversary group, and are routinely considered to provide assistance to a terrorist group noted in the DBT. DOE generally considers the threat of terrorist groups to be the most demanding threat contained in its DBT.

For over a decade, DOE has employed a risk management approach that seeks to direct resources to its most critical assets (Category I special nuclear material) while mitigating the risks to these assets to an acceptable level. Levels of risk are derived from a mathematical equation that compares a terrorist group’s capabilities with the overall effectiveness of the crucial elements of the site’s protective forces and systems, and then assigned classified numerical values.

DOE counters the terrorist threats noted in the DBT with a multilayered protective system. While specific measures may and do vary among sites, all DOE protective systems at the most sensitive sites employ defense in depth that includes sensors, physical barriers, hardened facilities and vaults, and heavily armed paramilitary protective forces equipped with such items as automatic weapons, night vision equipment, body armor, and chemical protective gear. The effectiveness of the protective system is formally and regularly examined through vulnerability assessments.

A vulnerability assessment is a systematic evaluation process in which qualitative and quantitative techniques are applied to detect vulnerabilities and arrive at effective protection of specific assets. To conduct these assessments, DOE uses subject matter experts (SMEs), computer simulated attacks, and force-on-force performance testing in which the site’s protective forces undergo simulated attacks by a group of mock terrorists.
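The risk relation and the timely-detection logic behind such an assessment can be made concrete. What follows is an added example, not code from the ICG post, DOE, Sandia or the IAEA: it uses the open-literature Sandia relation R = P_A × (1 − P_E) × C, with P_E = P_I × P_N (probability of interrupting the adversary times probability of neutralizing him once interrupted), as an assumed stand-in for DOE's classified equation, and every barrier, delay, detection probability, engagement model and risk band in it is constructed. It shows the graded-threat point directly: a system that is "low risk" against a small DBT can fail outright against the larger DBT mandated for the most attractive assets, because an explosive-equipped group collapses the path delay below the response force time, no detection is timely, and P_I drops to zero until compensatory measures restore delay and response.

```python
"""Evaluating a protection system against a Design Basis Threat (DBT).

Added worked example; not code from the ICG post, DOE, Sandia or the IAEA.
It models the open-literature Sandia relation R = P_A * (1 - P_E) * C with
P_E = P_I * P_N, assumed here as a stand-in for DOE's classified risk
equation. Every number, barrier, adversary and threshold below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DBT:
    """Adversary attributes the system is designed and evaluated against."""
    name: str
    group_size: int
    tools: frozenset            # breaching tool classes the adversary brings
    insider_assist: bool = False


@dataclass(frozen=True)
class Barrier:
    """One layer on the adversary path. Delay depends on the tools the DBT
    grants; an assisting insider is assumed to blind the layer's sensors."""
    name: str
    p_detect: float
    delay_by_tool: dict         # tool -> seconds; the adversary uses the fastest
    insider_blinds_sensors: bool = False

    def delay(self, dbt: DBT) -> float:
        usable = [s for t, s in self.delay_by_tool.items() if t in dbt.tools]
        return min(usable) if usable else float("inf")   # no tool: impassable

    def p_detect_for(self, dbt: DBT) -> float:
        if dbt.insider_assist and self.insider_blinds_sensors:
            return 0.0
        return self.p_detect


@dataclass(frozen=True)
class ProtectionSystem:
    barriers: tuple             # ordered, perimeter first
    response_time: float        # seconds for the response force to engage
    responders: int

    def timely(self, dbt: DBT) -> list:
        """Detection at a layer is timely only if the delay still ahead of the
        adversary (this layer onward) is at least the response time."""
        delays = [b.delay(dbt) for b in self.barriers]
        return [b for i, b in enumerate(self.barriers)
                if sum(delays[i:]) >= self.response_time]

    def critical_detection_point(self, dbt: DBT):
        """Last layer where detection is still timely; sensors beyond it buy nothing."""
        t = self.timely(dbt)
        return t[-1].name if t else None

    def p_interrupt(self, dbt: DBT) -> float:
        """P_I = 1 - prod(1 - P_D) over the timely layers only."""
        miss = 1.0
        for b in self.timely(dbt):
            miss *= 1.0 - b.p_detect_for(dbt)
        return 1.0 - miss

    def p_neutralize(self, dbt: DBT) -> float:
        """Constructed engagement model: the responder-to-adversary ratio drives
        the outcome, capped so that no force is assumed perfect."""
        return min(0.95, 1.0 - 0.25 ** (self.responders / dbt.group_size))


def risk_level(r: float) -> str:
    """Constructed bands standing in for DOE's classified low/moderate/high."""
    return "low" if r < 0.10 else "moderate" if r < 0.25 else "high"


def evaluate(system: ProtectionSystem, dbt: DBT,
             p_attack: float = 1.0, consequence: float = 1.0) -> dict:
    """Conditional risk (P_A = 1 by default): the design-basis question is
    'if this adversary comes, does the system hold?', not 'will it come?'."""
    p_i = system.p_interrupt(dbt)
    p_n = system.p_neutralize(dbt)
    p_e = p_i * p_n
    r = p_attack * (1.0 - p_e) * consequence
    return {"dbt": dbt.name, "cdp": system.critical_detection_point(dbt),
            "P_I": p_i, "P_N": p_n, "P_E": p_e, "risk": r, "level": risk_level(r)}


# Constructed site: three layers, perimeter first. Delays in seconds.
FENCE = Barrier("perimeter fence", 0.9, {"hand": 30, "power": 10, "explosive": 5})
WALL = Barrier("building wall", 0.7, {"hand": 120, "power": 60, "explosive": 15},
               insider_blinds_sensors=True)
VAULT = Barrier("vault door", 0.9, {"hand": 600, "power": 150, "explosive": 60})
INNER = Barrier("activated inner delay", 0.95,
                {"hand": 1200, "power": 600, "explosive": 300})

BASELINE = ProtectionSystem((FENCE, WALL, VAULT), response_time=180, responders=8)
# Compensatory measures: an extra delay layer, a faster on-site response, more responders.
COMPENSATED = ProtectionSystem((FENCE, WALL, VAULT, INNER), response_time=120, responders=24)

# Graded threat: the same site judged against a small DBT and against the larger
# DBT mandated for the most attractive assets (bigger group, explosives, insider).
DBT_SMALL = DBT("theft, small group", 4, frozenset({"hand", "power"}))
DBT_LARGE = DBT("theft, large group + insider", 12,
                frozenset({"hand", "power", "explosive"}), insider_assist=True)

if __name__ == "__main__":
    for system, label in ((BASELINE, "baseline"), (COMPENSATED, "compensated")):
        for dbt in (DBT_SMALL, DBT_LARGE):
            e = evaluate(system, dbt)
            print(f"{label:12s} vs {e['dbt']:30s} CDP={str(e['cdp']):22s} "
                  f"P_I={e['P_I']:.3f} P_N={e['P_N']:.3f} risk={e['risk']:.3f} {e['level']}")
```

Two design choices matter for anyone adapting this. First, only detections at or before the critical detection point count toward P_I, so adding sensors deep inside the protected area does nothing until delay or response time changes; that is the reason the compensated design adds an activated delay layer rather than more cameras. Second, risk is evaluated conditionally on the DBT adversary arriving (P_A = 1), which is how a design basis is meant to be used; estimating P_A belongs to the threat assessment that feeds the DBT, not to the vulnerability assessment that tests the system against it.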

Assessment results are documented at each site in a classified document known as the Site Safeguards and Security Plan which, in addition to identifying known vulnerabilities, risks, and protection strategies for the site, formally acknowledges how much risk the contractor and DOE are willing to accept.

Historically, DOE has strived to keep its most critical assets at a low risk level and may insist on immediate compensatory measures should a significant vulnerability develop that increases risk above a low risk level. Through a variety of complementary measures, DOE ensures that its safeguards and security policies are being complied with and are performing as intended, e.g., identified high and moderate risks require corrective actions and regular reporting. Response measures can go so far as to curtail operations until the asset can be better protected.

While contractors must perform regular self-assessments and are encouraged to uncover any problems themselves, DOE requires its field offices to comprehensively survey contractors’ operations for safeguards and security annually. All deficiencies identified during surveys and inspections require the contractors to take corrective action.

DOE's May 2003 DBT reflects the post-September 11 environment by identifying a larger terrorist threat than did the 1999 DBT and by expanding the range of terrorist objectives to include radiological, biological, and chemical sabotage. Notable features of the 2003 DOE DBT include an expansion of terrorist characteristics and goals, and an increase in the size of the terrorist group threat:

Expansion of terrorist characteristics and goals: "The 2003 DBT assumes that terrorist groups are the following: well armed and equipped; trained in paramilitary and guerrilla warfare skills and small unit tactics; highly motivated; willing to kill, risk death, or commit suicide; and capable of attacking without warning. Furthermore, according to the 2003 DBT, terrorists might attack a DOE facility for a variety of goals, including the theft of a nuclear weapon, nuclear test device, or special nuclear material; radiological, chemical, or biological sabotage; and the on-site detonation of a nuclear weapon, nuclear test device, or special nuclear material that results in a significant nuclear yield. DOE refers to such a detonation as an improvised nuclear device."

Increase in the size of the terrorist group threat: "The 2003 DBT increases the terrorist threat levels for the theft of the department’s highest value assets—Category I special nuclear materials—although not in a uniform way. Previously, under the 1999 DBT, all DOE sites that possessed any type of Category I special nuclear material were required to defend against a uniform terrorist group composed of a relatively small number of individuals. Under the 2003 DBT, however, the department judged the theft of a nuclear weapon or test device to be more attractive to terrorists, and sites that have these assets are required to defend against a substantially higher number of terrorists than are other sites. For example, a DOE site that, among other things, assembles and disassembles nuclear weapons, is required to defend against a larger terrorist group. Other DOE sites, such as an EM site that stores excess plutonium, only have to defend against a smaller group of terrorists. However, the number of terrorists in the 2003 DBT is larger than the 1999 DBT number. DOE calls this a graded threat approach."

The moral of DBT: a living instrument

The moral is that a DBT must be a continuously maintained instrument because, as David Mamet so wittily showed in the film of the same name, "Things Change": new attackers with expanded characteristics and goals will appear. Attacker group size may swell unexpectedly, and that includes swarms of seemingly unrelated attackers operating against different parts of one's organization. Higher authority may mandate extended protective strategies. Corporate environments can weaken under stress, sometimes degrading imperceptibly, due to financial pressure, takeover, expansion, new roll-outs or other restructuring.

A Russian Perspective on Cooperation Threat Reduction
Dmitry Kovchegin
BCSIA Discussion Paper 2007-04, Kennedy School of Government,
Harvard University, April 2007

Systems Security Engineering: An Updated Paradigm
John W. Wirsbinski
INCOSE Enchantment Chapter
November 8, 2006

Nuclear Security: DOE Needs to Resolve Significant Issues Before It Fully Meets the New Design Basis Threat
Report to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives
April 2004

Using Bilateral Mechanisms to Strengthen Physical Protection Worldwide
Nuclear Terrorism and International Policy
Dr. Edwin Lyman
Union of Concerned Scientists
Institute of Nuclear Materials Management, 2004

Approaches to Design Basis Threat in Russia in the Context of Significant Increase of Terrorist Activity
Dmitry Kovchegin
Presented at the INMM 44th Annual Meeting, Phoenix, Arizona. Conference Paper, 2003

DBT - Basis for developing a European physical protection concept
Axel Hagemann
EUROSAFE, Towards convergence of technical nuclear safety practices in Europe, Paris
Nuclear material security, Seminar 5, p. 59-68
25-26 November 2003

Protection against Sabotage of Nuclear Facilities: Using Morphological Analysis in Revising the Design Basis Threat
Stig Isaksson, Tom Ritchey
Swedish Nuclear Power Inspectorate and Swedish Defence Research Agency
Adaptation of a Paper delivered to the 44th Annual Meeting of the Institute of Nuclear Materials Management - Phoenix, Arizona, July 2003

Jim Blankenship, Sandia National Laboratories
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

List of Papers
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

COMBATING TERRORISM: Threat and Risk Assessments Can Help Prioritize and Target Program Investments
Report to Congressional Requesters
General Accounting Office
April 1998

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  


  discuss this article

Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering


Industry absorption of effective metrics for realistic threat and risk analysis in IT is moving far too slowly. A 2003 article, Information security: why the future belongs to the quants, contained a useful metric, Business-adjusted risk (BAR), "for classifying security defects by their vulnerability type, degree of risk, and potential business impact." The BAR used Risk of exploit ("how easily an attacker can exploit a given defect") and Business impact ("the damage that would be sustained if the defect were exploited"). The BAR's use of "relative ratings for both likelihood of occurrence and business impact [allowed it to behave] similarly to insurers’ annual loss expectancy calculations."
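The BAR described above combines two relative ratings, risk of exploit and business impact, and the article notes that it behaves like an insurer's annual loss expectancy (ALE) calculation. The following is an added example, not code from the article or from the 2003 paper it cites, that scores a constructed list of defects with a BAR (assumed here to be the product of two 1..5 ordinal ratings) and with ALE (single loss expectancy times annual rate of occurrence, with made-up dollar figures), then shows that the two rankings agree:

```python
"""Business-adjusted risk (BAR) ranking beside an annual-loss-expectancy (ALE) ranking.

Added example, not code from the article or from the 2003 paper it cites.
Assumptions: risk of exploit and business impact are relative ratings on a
1..5 ordinal scale and BAR is their product; the dollar figures used for the
ALE comparison are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Defect:
    name: str
    vuln_type: str
    risk_of_exploit: int           # 1 (hard to exploit) .. 5 (trivial); assumed scale
    business_impact: int           # 1 (nuisance) .. 5 (severe); assumed scale
    single_loss_expectancy: float  # constructed: dollars lost per successful exploitation
    annual_rate_of_occurrence: float  # constructed: expected exploitations per year


RATING_SCALE = range(1, 6)


def bar(d: Defect) -> int:
    """Business-adjusted risk: product of the two relative ratings (assumed definition)."""
    if d.risk_of_exploit not in RATING_SCALE or d.business_impact not in RATING_SCALE:
        raise ValueError(f"{d.name}: ratings must lie in 1..5")
    return d.risk_of_exploit * d.business_impact


def ale(d: Defect) -> float:
    """Annual loss expectancy as insurers compute it: SLE x ARO."""
    return d.single_loss_expectancy * d.annual_rate_of_occurrence


def rank(defects: list[Defect], score) -> list[str]:
    """Defect names ordered from highest to lowest score."""
    return [d.name for d in sorted(defects, key=score, reverse=True)]


def report(defects: list[Defect]) -> list[tuple[str, int, float]]:
    """(name, BAR, ALE) rows in BAR order, for a remediation queue."""
    return [(d.name, bar(d), ale(d)) for d in sorted(defects, key=bar, reverse=True)]


# Constructed sample defects (names, ratings and dollar figures are illustrative only).
DEFECTS = [
    Defect("SQL injection in login form", "input validation", 5, 5, 200_000.0, 0.5),
    Defect("Default admin password on test box", "credential management", 5, 2, 20_000.0, 2.0),
    Defect("Verbose error pages", "information disclosure", 4, 1, 2_000.0, 3.0),
    Defect("Unpatched kernel on internal jump host", "patch management", 2, 4, 150_000.0, 0.1),
    Defect("Weak TLS cipher on intranet app", "configuration", 1, 3, 5_000.0, 0.05),
]

if __name__ == "__main__":
    for name, b, a in report(DEFECTS):
        print(f"{name:40s} BAR={b:2d}  ALE=${a:,.0f}")
    print("rankings agree:", rank(DEFECTS, bar) == rank(DEFECTS, ale))
```

The point of the side-by-side is that a team without loss data can still order its remediation queue with the relative ratings, and that the order is defensible to a CFO because it is the same one an ALE model would produce when the ratings track real likelihood and impact.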

Four years on, the quants are still waiting while scenario spinning and FUD continue to flow from the unskilled or the commercially craven: too many members of management, IT included, are among the former, while too many security vendors populate the latter. A co-author of that 2003 piece, Andrew Jaquith, has recapitulated and expanded his work in security metrics in Security Metrics: Replacing Fear, Uncertainty, and Doubt, providing a one-stop shop for defining and implementing IT metrics for risk. It has merit to me because the metrics can form inputs to a Design Basis Threat (DBT) calculation for IT in place of the fear mongering from certain security firms. (Expansion for special nuclear material here.) There are threats, numerous and growing, but often not the threats solvable by the security products on offer. Worse, too many firms, Symantec among them, sell products that consume system resources while providing attack windows in their own code. Enterprise clients are generally deprived of a realistic means of identifying and interdicting realistic, often trivial, penetrations of their infrastructure.

I refer readers to The danger of confusing terrorist interdiction with the consequences of terrorist action for the perils inherent in pursuing scenario-based responses, and, as a start, to FEMA 452 - Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks for its introduction to assessment of threat, asset value, vulnerability and risk.

I fear that Jaquith's efforts have been ignored in the main as Escaping the Hamster Wheel of Pain which forms the first chapter of Security Metrics has been around since May 2005 as has his criticism of Symantec (easily 2005) and a useful but overlooked The Vulnerability Supply Chain (also 2005).

Useful metrics have been out there but have not been picked up en masse, but then neither has DBT, especially in its pure form used on the weapons side of DoE as opposed to the scenario laden approach on the nuclear power side. The combination of effective metrics shorn of histrionics with the Design Basis Threat process offers a realistic means to enterprises needing to formulate a cost effective and sustainable defense posture. We are among the few that have successfully applied DBT to Intellectual Property (IP) threats and remediation.

It cannot be overemphasized that the solution to this problem is NOT an Information Technology (IT) solution but IS primarily a Counterterrorism (CT) and Counterintelligence (CI) solution applied to corporate infrastructure, augmented by IT as the CT/CI process demands. Were it solely an IT solution, then one might suppose that this class of problem could be solved at least as often as major IT applications succeed (and, depending upon whose statistics one chooses to accept, some 40 to 60% of large IT solutions either fail, are withdrawn, or are at best suboptimal in their performance). The solution path can only be hinted at in this brief survey, and the requisite CT/CI practitionership and its understanding of an asymmetric attacker take years to develop (which is one of the reasons that it occurs in so few instances and why the market tolerates so many pretenders: clients cannot properly estimate the skill set needed to address the problem).

It is also a substantial systems analysis problem. In asking Scott Borg for a current copy of the Cybersecurity Checklist, I noted that I refer clients to his PPT, The New US-CCU Cyber-Security Check List, and its flagged need to address both physical and IT/cybersecurity, but add the following to it:

  • (First I have to describe Ackoff's three laws of systems - people can grasp the first two but the third floors them)
  • Systems fail at their boundaries, and that includes boundaries between components and clusters of components that act as subsystems.
  • Physical and cyber are two of those subsystems; there are many more, all interacting to Ackoff's third law.
  • A check list is a still frame from a motion picture, but people rip the frame, losing the underlying assumptions and context in the process.
  • A check list without a date/time stamp is useless, even dangerous.
  • Process-based threat and vulnerability assessment are key in defining appropriate levels of protection; remediation steps are then pulsed to ensure that they deliver against the threats.
  • Scenario-based defense, while useful in estimating consequences of a particular scenario, is dangerous as it spins out of control, usually missing the fatal payload.
  • Good security is process-based rather than hardware-based (process is 10:1 over hardware, and process comes first as it will define the needed hardware).
  • Defenders never see themselves as attackers do, especially asymmetrical attackers, and so rarely protect the right mix against legitimate threats.
  • Defenders too often look for "peer attackers" instead of a simple asymmetric.

Scott's reply mirrors our own experience:

You are right in pointing out how hard it is for most people to think in terms of dynamic systems and processes.  I like the way you have formulated the problem in your e-mail.  We have been struggling with many of the same issues when it comes to getting people to understand the problems they will increasingly face.

The following is derived from an unclass analysis, Asymmetric Threat Detection in the Material Security Environment, we performed for a DLA unit in 2005. Seasoned practitioners will easily envision frontloading Jaquith's metrics into the threat side of DBT.

Evolving Nature of Threats

Technological surges in many sectors (so many that their collective effect is effectively shielded from most investigators), coupled with globalization and the availability of WME (weapons of mass effect), have changed the risk landscape, most notably in the means needed to address low-probability, high-consequence threats effectively.

Too many fail to properly differentiate threat from risk, i.e., a threat is a source of harm (loss) whereas a risk is the estimation of the likelihood of that harm occurring coupled with the potential impact from its occurrence. Threat assessment is only one aspect of a larger and more complex risk analysis process, yet too many remain fixated on threat analyses as the sole basis of applying protective measures without sufficient attention paid to precision or control in their application.

Too many designs for low-probability, high-impact threat sources tend to skew the design of the security plan to costly countermeasures when precision could have provided cohesion and freed up resources. Too often, an organization adopts what it assumes is an extremely ‘secure’ system that either cannot be implemented, cannot be sustained, is impractical for its users or overlooks active threat paths because finite resources are fully engaged elsewhere.

Threat Levels

A threat can be defined as the intended potential to cause an undesirable consequence. The result of a threat assessment documents the result of an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences... The threat level provides a current estimate of ongoing risk to personnel, facilities, or interests from terrorist attack. Analyses deriving threat levels at Department of Defense (DoD) are commonly performed by the intelligence staff at each command level, and resulting threat levels can differ by echelon. Threat Levels range from Negligible to Critical, are based on a systematic analysis of the factors of existence of terrorism, terrorist capability, history of terrorism, intentions of terrorist groups, and targeting by terrorist groups. The system is not perfect but can be effective in a relatively contained risk environment, as it inherently allows for a concentration of resources for periods of elevated risk, conserving those resources in the process.

Threat Analysis

To supplement a risk-responsive approach such as the use of threat levels, ICG prefers to create a risk matrix for each identified threat group so as to perform a more precise capabilities analysis. This more extensive version allows greater ability to profile the group under examination and to create a baseline for ongoing comparative analysis, a means to capture outlier data that may indicate an emerging threat:

Variant 2: Threat Analysis Factors

Factor must be Present: X; Factor may or may not be Present: O


In response to threat levels, companies or commands adopt or change Force Protection Conditions (FPCONs), which are measures to protect people and facilities from the postulated current threat. Each FPCON potentially entails increasingly stringent security measures. A nominal DoD matrix contains intelligence assessments, warning reports, spot reports and law enforcement reports. The Department of State (DoS) adds broader factors, such as political violence which encompasses terrorism, counterintelligence, anti-U.S. technical intelligence, and activities against the U.S. community in determining its threat levels.
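The threat-level passage names five factors (existence, capability, history, intentions, targeting) and a scale from Negligible to Critical, and the threat-analysis section above argues for a per-group baseline against which outlier data can be compared. The following added example, not code from the article or from ICG's own analysis, derives a level from a group's factor profile and flags factors newly present relative to a baseline. The required-factors-per-level mapping is an assumed graded scheme for illustration, not the page's own "Variant 2" table, and the profiles are constructed:

```python
"""Threat-level derivation from five threat-analysis factors, plus a baseline comparison.

Added example, not the article's or ICG's code. The factor-to-level mapping below is
an assumed graded scheme (each level requires a set of factors to be present); the
page's own 'Variant 2' table is not reproduced. The profiles are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class ThreatFactors:
    existence: bool    # a group with the means and intent to harm is known to exist
    capability: bool   # it has the acquired or demonstrated ability to act
    history: bool      # it has carried out attacks of this kind before
    intentions: bool   # stated or assessed intent to act against this target set
    targeting: bool    # current credible information that it is preparing to act

    def present(self) -> set[str]:
        return {f.name for f in fields(self) if getattr(self, f.name)}


LEVELS = ["Negligible", "Low", "Medium", "High", "Critical"]

# Assumed mapping: factors that must all be present for a level; checked most severe first.
REQUIRED = {
    "Critical": {"existence", "capability", "targeting"},
    "High": {"existence", "capability", "history", "intentions"},
    "Medium": {"existence", "capability", "history"},
    "Low": {"existence", "capability"},
}


def threat_level(profile: ThreatFactors) -> str:
    """Highest level whose required factors are all present; Negligible otherwise."""
    present = profile.present()
    for level in ("Critical", "High", "Medium", "Low"):
        if REQUIRED[level] <= present:
            return level
    return "Negligible"


def escalation(baseline: ThreatFactors, current: ThreatFactors) -> dict:
    """Compare a current profile with the group's baseline.

    Newly present factors are the outlier data the text wants captured; a rise
    in level is what should trigger inspection and a protective-posture review.
    """
    new_factors = sorted(current.present() - baseline.present())
    old_level, new_level = threat_level(baseline), threat_level(current)
    return {
        "new_factors": new_factors,
        "from": old_level,
        "to": new_level,
        "escalated": LEVELS.index(new_level) > LEVELS.index(old_level),
    }


# Constructed profiles for one hypothetical threat group.
BASELINE = ThreatFactors(existence=True, capability=True, history=False,
                         intentions=False, targeting=False)
CURRENT = ThreatFactors(existence=True, capability=True, history=False,
                        intentions=False, targeting=True)

if __name__ == "__main__":
    print("baseline level:", threat_level(BASELINE))
    print("current level: ", threat_level(CURRENT))
    print("change:", escalation(BASELINE, CURRENT))
```

Because the comparison is against the group's own baseline rather than a generic level, a single newly observed factor stands out as an anomaly even when the headline level would not yet change; that is the early warning the text calls "outlier data that may indicate an emerging threat".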

Risk is a function of threat, likelihood, consequence, vulnerability, and asset value. Impact is a function of:

  • Resources (the adversary's resources to execute and the defender's resources to defend, respond and recover post-attack)
  • Unexpected Methods by the adversary
  • Adversary's understanding of our infrastructure and the means to achieve exploitation
  • Defender's vulnerabilities
  • Effect Multipliers -- Where typical effect multipliers are:
    • Disruption of cyber infrastructure
    • Prevention or reduction of response and retaliation
    • Decrease or suppression of initiative to respond politically
    • Employment of psychological operations (Psyops)
    • Generation of fear and indecision
    • Introduction of WME (Weapons of Mass Effect)

Asymmetrical Rules Base (Attacker Rules)

Crafted from the 'success' of an earlier World War I static defensive war, the French Maginot Line failed under the newer concept of a mobile mechanized infantry. Accordingly, current defenses will fail under attack by the small-scale, high-impact operations of an asymmetrical attacker employing unexpected, non-traditional and broadly applicable methods unless we learn the current methods of the adversary and adopt simple effective measures.

Threat assessment must include the ability to impute an asymmetrical rules base as part of the threat definition so as to permit the defender to think more like a terrorist (as opposed to a defender) in defining a realistic threat posture, i.e., act without the self-imposed rules and limitations of the defender so as to view the risk calculation through the eyes of any number of threat groups, be they Muslim fundamentalists, Patriot right, Millennialists, single-interest terrorists such as the Earth Liberation Front (ELF), or various groups aggrieved at US actions. Each threat group has 'rules' such as preferences in targets and timing, varying motives for action, specific means or technical capability for action, and the later the threat detection the greater the threat group’s opportunity for action.

Asymmetric adversaries employ very different variables in their calculations for risk than the defender where the adversary is essentially interested in forestalling detection and accomplishing mission fulfillment. As previously noted in threat definition, a study of each category of attacker and, in specific cases, individual adversary groups, will identify a typology of action such that we can view risk and reward through the eyes of the asymmetric attacker. Without that view, much of successful defense is happenstance.

Introduction to Design Basis Threat (DBT)

The successful approach to defer (delay hostile efforts), deflect (move hostile intent to another target) or defend (interdict an incipient hostile attack) against an asymmetric attacker is almost all proactive process with a modest amount of strategically placed hardware that adds specific and reliable value to the process.

The core of that process is the Design Basis Threat (DBT), which captures and formulates risk management objectives that balance commercial and security objectives, providing a means to evaluate threats over time. The DBT becomes an integral, inseparable part of corporate governance. The DBT becomes the mechanism that informs management of the types of threats it may face over time and allows them to define the threats that are in or out of scope, the response level that will be committed to each threat, and the cost for that response level.

The DBT absorbs the 5-Step Risk Management Process of FM 100-14, Risk Management, which is the commander’s principal risk reduction process to identify and control hazards and make informed decisions:

  • Identify hazards
  • Assess hazards
  • Develop controls and make risk decisions
  • Implement controls
  • Supervise and evaluate

The DBT, just as all sound risk management, does not:

  • Inhibit the commander’s and leader's flexibility and initiative
  • Remove risk altogether, or support a zero defects mindset
  • Require a GO/NO-GO decision

The DBT will include threat assessment, a safety-oriented hazard assessment, asset value assessment and an asset risk assessment that draw upon technical insights and the results of internal and external pattern detection. Where the best DBT implementations differ from almost all conventional DBTs is that the DBT must NOT be a scenario-based risk process but rather a rigorous procedural analysis. As noted above, a solution to IT risk identification and remediation is not solely an IT solution but rather the application of a CT/CI approach to a firm's infrastructure, augmented by IT as required. The DBT process is used to assess risk more effectively, enshrining speed to flag rising risk for inspection and action.

The DBT process can be used also to identify security guidelines that should be migrated across supplier relationships on both the buy (outsourcing) and make (manufacturing) side. Upstream outsourcing is a too often overlooked failure point. See Multisourcing: belated recovery of forgotten first principles, parts 1 and 2.

If history is any guide, integration, implementation and wider adoption of a metrics-driven DBT for IT will be slow while phishers and penetrators lunge ahead (here and here), but at least the path is there.

Part 2, Generic elements and process of a DBT protection system

Security Metrics
Posted by samzenpus on Wednesday May 16, @03:35PM
May 16, 2007

8 Questions For Uncovering Information Security Vulnerabilities
Tips for testing information security vulnerability hypotheses with questions designed to head off potential problems.
By Andrew Jaquith
16 May, 2007

Google: 10 percent of sites are dangerous
By Tom Espiner,
Published on ZDNet News
May 15, 2007, 7:56 AM PT

Do you know what’s leaking out of your browser?
Posted by Ryan Naraine @ 11:22 am
Zero Day
May 14, 2007

Using Metrics to Diagnose Problems: A Case Study
When initially deploying transactional financial systems it's wise to make sure perimeter and application defenses are sufficient.
By Andrew Jaquith
11 May, 2007

Models for Assessing the Cost and Value of Software Assurance
John Bailey, Antonio Drommi, Jeffrey Ingalsbe, Nancy Mead, Dan Shoemaker
Software Engineering Institute,
Carnegie Mellon University
Last modified 2007-05-10 10/07 4:38:24 PM

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Andrew Jaquith
Addison-Wesley Professional; March 26, 2007
ISBN-10: 0321349989

ebook: ISBN: 0321509471
File Size: 4393 kb
Released online for download: 03-03-2007

Making the Business Case for Software Assurance
Nancy R. Mead
Software Engineering Institute,
Carnegie Mellon University
2007-02-06 12:30:16 PM

Victor-Valeriu PATRICIU, Iustin PRIESCU, Sebastian NICOLAESCU
Department of Computer Engineering
Military Technical Academy, Bucharest, Romania
Journal of Applied Quantitative Methods
JAQM, Vol 1, No. 2, Winter 2006

Rational Choice of Security Measures via Multi-Parameter Attack Trees
Ahto Buldas, Peeter Laud, Jaan Priisalu, Märt Saarepera, and Jan Willemson
In J. Lopez, ed.
Proc. of 1st Int. Wksh. on Critical Information Infrastructures Security, CRITIS '06 (Samos Island, Aug./Sept. 2006), pp. 232-243. Univ. of the Aegean, 2006

NOTE: The following PDF of a PPT presentation by Buldas et al is useful for stepping a reader through the attack tree process under discussion:

Rational Choice of Security Measures via Multi-Parameter Attack Trees
Ahto Buldas, Peeter Laud, Jaan Priisalu, Märt Saarepera, Jan Willemson
August 30 – September 2, 2006, Samos Island, Greece

Checklist outlines new cyberthreats
BY Michael Arnone
Published on April 26, 2006, updated at 5 p.m. May 5, 2006

The New US-CCU Cyber-Security Check List
Scott Borg
GSC-11 Chicago

The Vulnerability Supply Chain
by Andrew Jaquith
6 December, 2005
last changed on 00:06 07-Dec-2005

Asymmetric Threat Detection in the Material Security Environment
With Initial Recommendations Regarding Disposition of WMD-Related End-Items For Defense Reutilization and Marketing Service
Prepared by Intellectual Capital Group LLC
21 September, 2005

The Symantec Threat Report: Read Between the Lines
by Andrew Jaquith
September 20, 2005
last changed on 09:51 22-Sep-2005

A Few Good Metrics
Information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements—and effective ways to present them.
By Scott Berinato
July 2005

Escaping the Hamster Wheel of Pain
By Andrew Jaquith
4 May, 2005
Last changed on 11:56 04-May-2005

The Metrics Quest
Under pressure from the CFO to quantify security benefits, a CSO finds measures that matter
November 2004

Nuclear Security: DOE Must Address Significant Issues to Meet the Requirements of the New Design Basis Threat.
Testimony Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives
GAO-04-773T, General Accounting Office (GAO)
May 11, 2004

Collecting Effective Security Metrics
By Chad Robinson
Robert Frances Group
April 09, 2004

Information security: why the future belongs to the quants
Daniel Geer Jr, Kevin Soo Hoo, Andrew Jaquith
Security & Privacy Magazine, IEEE
Volume 1, Issue 4, July-Aug. 2003 Page(s): 24 - 32
Posted online: 2003-08-11 14:23:28.0
ISSN: 1540-7993


Risk Management
FM 100-14
Field Manual Headquarters
No. 100- 14 Department of the Army
Washington, DC, 23 April 1998

Gordon Housworth


To the Panda Software article plant effort: this is not the article that you were hoping for


Panda Software's SEARCH FOR EXCELLENCE apparently has not reached its plant program, which is attempting to seed articles favorable to its Infected or Not campaign to Highlight the Prevalence of Malware. Today I received an email to our blog info address that is worthy of being reproduced in full, as it is a very straightforward request to plant an article favorable to Panda, even offering sample texts from which to adapt.

The fact that Panda Software is based in Bilbao and Madrid, Spain, with substantial Latin and other subsidiaries, will gain pertinence as the reader proceeds.

I am not the only recipient as Daniel Davenport's think d2c received a comment note from the same gmail Erika to his Mobile TV advances on 18 April:

Erika said...

Hi! Sorry for trying to contact you through the comments section of your blog but I have an offer that might interest you. Please, contact me in

Here is the email item that I received from this same Erika at 4/20/2007 8:59:32 AM (and all of Erika's emails have been retained for our records):

From: Erika Email: Subject: 70% of the computers are infected! And you can be part of the solution Message: Hi,

My name is Erika Brown and I am currently working on an awareness campaign called Infected Or Not.

Let me tell you a little bit about it. The whole story of this campaign began with a report from a Panda Software project. On that report, PandaLabs stated that in 2006 more malware was received than in the previous 15 years combined.

The spread of malware infections was huge and it is now getting worse and worse. And that’s why Panda Software decided to launch their Infected Or Not campaign.

The campaign is based on the web site. On that site, people can quickly check if their computers are infected by any form of malware and, at the same time, they are providing useful information that is collected and used to present prevalence statistics.

So the real value of the campaign is not in the test drive of the upcoming Panda detection tools, but in the stats collected by these tests (stats that are also displayed daily on the web site). So far, the numbers have been really impressive: almost 70% of the scanned computers are infected. That is precisely why we need awareness.

Now, this is what I want to ask you: I would like you to publish an article in your web site about this campaign. I can even send you one of several different articles written by other people working on this campaign. Any mention about "Infected Or Not" from any web site is, subsequently, commented and seen by hundreds of thousands of people in our own web site. I guess the free publicity couldn’t hurt you.

I know it doesn’t sound like a great deal for you but, if you think about it, we would provide you with relevant (and rich in keywords) content, and you would be taking part on this awareness effort.

If you want to collaborate with me, just write back and let me know. I will send you the article ASAP.

Thanks for your time and I look forward to hearing from you soon.

Best regards

Switching into honeypot mode, I invited items for review at 20 April, 2007 11:55 with the comment "Have looked at IoN site. Please send items for review."

Almost by return, I received Erika's response at 20 April, 2007 12:00:

Thank you very much for your collaboration to this awareness campaign, I really appreciate it.

Here I send you an article about You won't be disappointed.

Please feel free to tell me if there is any way I can help you adapt the content to your web site or if you have any other question or suggestion.

One last favor, could you please send me the article's URL?



Attached was a short derivative document, infected1, whose properties page states its authorship at "Pablo Diaz" from "SX Networks." There is an SX Networks in Montevideo, Uruguay, and a Pablo Díaz Rigby in Montevideo whose CV states that he is a "Media Executive" devoted to "Online advertising campaigns management" and that he is a "Spanish Native speaker" that is "Fluent in written and Spoken English."

I think it sad that a nominally respected firm in a very necessary field would stoop to this, even using the sham plausibility of denial by a separate address. Other readers may share my opinion of "Shields Up!" and suspicion of all further Panda missives until it repudiates the plant effort and zero times its initiative.

UPDATE: 23 April

Coincident to the original posting, I reported "Erika" to Gmail. Their reply arrived 23 April. "Erika" had spoofed a gmail address:

From: []
Sent: Monday, 23 April, 2007 19:30
To: Gordon Housworth
Subject: Re: [#139428718] Account Status


Thank you for your report. We apologize for any inconvenience this may have caused.

The message you refer to did not originate from Google. Instead, it appears to have been sent by someone who has faked the address so that it falsely appears to be from Gmail. This practice is commonly called 'spoofing.'

We are very concerned about this conduct. We have forwarded the information you provided to the appropriate team for investigation.

Please note that Google will never send unsolicited mass messages asking for your password or personal information, or messages containing executable attachments.

You can also help stop these individuals by sending a copy of such unlawful messages to the Federal Trade Commission at

We appreciate your understanding.


The Google Team

Mobile TV advances
Daniel Davenport
think d2c
Wednesday, April 18, 2007

Panda Launches ‘Infected or Not?’ Campaign to Highlight the Prevalence of Malware

Gordon Housworth


Don't open any 'storm' attachments - or other socially engineered gems


Don't open any 'storm' attachments - or other socially engineered gems as "U.S. Secretary of State Condoleezza..." and "A killer at 11, he's free at 21 and..."

For readers following European weather, you know that hurricane force winds have battered Europe, killing many (also here). Into this breach poured a botnet Trojan masquerading as a storm update. It spread rapidly across Europe but by the time it hit the US in significant numbers, the major AV vendors had added it to their watch list. But many individuals live in a highly connected world and so had already received the tainted traffic from Europe.

In the US, the storm worm is circulating under titles referring to SecState Rice and murdering juveniles. The worm's key, especially in its storm and Rice variants, is its close coupling to current events. You WANT to click that link...

Johannes Ullrich, chief technology officer of the SANS Institute, said that virus writers capitalizing on current media events is not necessarily unique to the Storm Worm. He pointed out that a Saddam-related virus began to spread in the wake of the former dictator's execution. That virus popped up in e-mail inboxes only two days after his death with what appeared to be video of his hanging... [Virus] writers have begun responding more quickly to top news headlines, rather than using sex and celebrity as a means to ensure their viruses get activated.

An easy prediction and two observations:

  1. Bank on the next major storm or shattering political event in the US to see this Trojan re-released here, but with a different signature.
  2. THINK BEFORE you click! - If it is something you know is designed to short circuit your good judgment, you are likely right.
  3. Remember that you already have news feeds that are unlikely to be taken over by spoofers. Use them, not something that you get in an attachment. Even from me.

As I was adapting this item from an earlier internal note to colleagues and clients, the prediction came quickly true:

Joining only two previous states, the US and USSR, the PRC "successfully carried out its first test of an antisatellite weapon" by downing "an aging Chinese weather satellite" in low earth orbit - the same orbit that many US reconnaissance satellites inhabit. With a potential "antisatellite arms race" in the offing, we shortly received two satellite-related items on Friday evening:

Chinese missile shot down Russian satellite
Mathilda V. Lloyd []
Friday 19 January, 2007 19:42
No message save for attached file "video.exe"

Russian missle shot down USA satellite
participant []
Friday 19 January, 2007 23:07
No message save for attached file "Full Video.exe"

While Senator Mark Dayton (D-MN) is in the news as he leaves the Senate and mulls a run for governor, he is not dead. That did not prevent us from receiving two notes, same title, different apparent senders, claiming that terrorists had attacked the Supreme Court and that Dayton was dead on Saturday morning:

The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Carroll Cordelia []
Friday 20 January, 2007 06:09
No message save for attached file "Read More.exe"

The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Woodard Olivia []
Friday 20 January, 2007 06:10
No message save for attached file "Full Text.exe"

And on Saturday evening, this misspelled item:

The commander of a U.S. nuclear submarine lunch the rocket by mistake.
Alexander []
Friday 20 January, 2007 20:43
No message save for attached file "Read News.exe"

All had that sense of urgency and great events. All had the worm payload. See Déjà vu and A rather significant outbreak.
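Every sample above shares one mechanical signature regardless of the headline: no message body and a single executable attachment. As an added example that is not code from the post, the following mail triage routine flags that pattern on constructed messages modelled on the subject lines quoted above (sender addresses and the benign messages are made up), and reports why each was flagged so the rule can be tuned:

```python
"""Triage of inbound mail for the lure pattern the post documents:
an executable attachment and (usually) no body text at all.

Added example, not the post's code. Sample messages are constructed to mirror the
quoted subject lines; senders and the benign messages are made up. The extension
watch list is an assumption, not a complete list of executable types.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed watch list of extensions Windows will execute on double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def executable_attachments(msg: Message) -> list[str]:
    """Attachment names ending in a watched extension; case-insensitive so 'Full Video.EXE' matches."""
    return [a for a in msg.attachments
            if any(a.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)]


def classify(msg: Message) -> list[str]:
    """Reasons the message should be quarantined; empty list means it passes this rule.

    An executable attachment alone is enough to hold the message. An empty body is
    reported as a second reason because it is the strongest single signal in the
    samples the post quotes: the whole 'story' is inside the attachment.
    """
    exes = executable_attachments(msg)
    if not exes:
        return []
    reasons = ["executable attachment: " + ", ".join(exes)]
    if not msg.body.strip():
        reasons.append("no body text")
    return reasons


def triage(messages: list[Message]) -> list[tuple[str, list[str]]]:
    """(subject, reasons) for every message the rule holds."""
    return [(m.subject, classify(m)) for m in messages if classify(m)]


# Constructed samples; the first two mirror subjects quoted in the post.
SAMPLE_MESSAGES = [
    Message("lloyd@example.invalid", "Chinese missile shot down Russian satellite",
            "", ["video.exe"]),
    Message("participant@example.invalid", "Russian missle shot down USA satellite",
            "   ", ["Full Video.EXE"]),
    Message("ops@example.invalid", "Weekly change summary",
            "Attached is the change log for this week.", ["changes.pdf"]),
    Message("finance@example.invalid", "Q1 figures",
            "See attached spreadsheet.", ["figures.xls.exe"]),
]

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        print(f"HOLD  {subject!r}: {'; '.join(reasons)}")
```

The rule deliberately ignores the subject line: the lure text changes with every news cycle, while the delivery mechanism (an executable the reader must launch) is what the defender can actually key on at the gateway.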

New 'Storm Worm' Pummels PCs
By Lindsay Martell
January 20, 2007 10:00AM

Storm Worm' rages across the globe
By Dawn Kawamoto, CNET
Published on ZDNet News, January 19, 2007, 8:15 AM PT

Hurricane-Force Winds Hit Northern U.K.
Hurricane-Force Winds and Heavy Downpours Hammer Northern Europe, Killing 27 People
LONDON Jan 19, 2007 (AP)

Europe reels as storms kill at least 47
POSTED: 1:28 p.m. EST, January 19, 2007

Flexing Muscle, China Destroys Satellite in Test
New York Times
January 19, 2007

Déjà vu
Authentium Virus Blog
Authentium Malware Information Exchange Portal
January 19th, 2007

A rather significant outbreak
Authentium Virus Blog
Authentium Malware Information Exchange Portal
January 18th, 2007

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  



4GW Iraqi insurgents Using Google Earth to target, then mortar, 2-3GW UK conventional forces


In a set piece example of a smaller, more nimble 4GW asymmetric attacker using Commercial Off the Shelf (COTS) tools to surprise a larger, conventional 2-3GW defender, Iraqi insurgents used Google Earth to conduct 'aerial reconnaissance' of the British Royal Green Jackets, then used the Google data to mortar the English positions.

The only surprise was that the British could possibly be uncertain if it was happening:

The British security services are concerned that terrorists will be able to examine in detail sensitive infrastructure such as electricity stations, military bases, and their own headquarters in London.

and that the British could think they could restrain the open-source leveling that is increasingly available to asymmetrical attackers:

Soldiers from the Royal Green Jackets based at the Basra Palace base said they had considered suing Google Earth if they were injured by mortar rounds that had been directed on the camp by the aerial footage.

The British have only to review Google Earth 4.0 becomes a poor man's surveillance and targeting tool, 7/9/2006:

Google Earth 4.0 has become a poor man's surveillance and targeting tool, offering to an individual or a small distributed group what was once the purview of a few nation states. Within a month of releasing this as a private advisory last June [2006], clients advised me that they were able to significantly improve their defensive analysis and their external surveillance…

Benefits that accrue to real estate, architectural engineering and state and local planning applications also accrue to the asymmetric attacker. Military and homeland defense assets that rarely venture beyond their classified, multi-spectrum battlefield Command & Control (C2) systems will forget that the asymmetrical attacker now has a "good enough" C2 targeting and surveillance system available courtesy of the global web browser interface. For those who doubt, in Google's own words…

And before that, Improving COTS availability of open source mapping, imagery and GPS data, 10/21/2005, painted the improving access to overhead and oblique imagery:

Imagery that was historically limited to a few nations is now increasingly available on demand, at your PC, at little or no cost. (While there is dedicated imagery available for purchase from US, Russian and European sites, it comes at a price and with potential traceability.) Imagery that offers a general overhead view of a desired facility in concert with GPS coordinates is available for operational planning purposes. The Register pointed out naval facilities, airfields (and here), airfields and revetments, intelligence, command and chemical facilities, boomers (nuclear ballistic missile submarines) at dockside, nuclear facilities and aircraft carriers at dockside. States such as India and South Korea have protested Google Earth "on the grounds that the globetrotting online service shows sensitive military installations laid bare in a way which might benefit North Korea."

Expect targeting information to be increasingly available as Google forges more commercial sharing relations such as that proposed with commercial real estate's largest data provider, CoStar Group, who "tracks more than 200 bits of data on commercial buildings in the 80 or so biggest markets in the United States and plans to expand to the top 200 markets… sends out teams in specially equipped vans to photograph buildings and use lasers to measure them and calculate their exact centers for mapping… [and using a Google map] drill down into specific information on a given building, not just see it on a map." CoStar holds "tenant information [that] includes details on who they are, what they do, how much they pay in rent, when their leases expire and all the phone numbers in buildings."

Interestingly, the same week that saw insurgents targeting the British, Google Earth appeared prominently in the Alaska Volcano Observatory's dynamic monitoring of active volcanoes and the EPA's publishing of "areas known or suspected of releasing contaminants, pollutants and other hazardous substances."

Mankind made maps because they were one of the richest ways in which to transmit dense information. Topographic maps added elevation and depth while retaining relative position. Thematic maps added means with which to interpret unique characteristics, and so forth. Google Earth and its brethren have extended both the richness and the analytic possibilities of geospatial information.

The combination of graphics mapping programs such as Google Earth, commercially available imagery, GPS data, and other forms of geospatial and alphanumeric information, often combined in mashups to achieve a particular analysis, has brought the capacity of a working C2 - and in combination with the web and IRC chat lines, a working C3 - system into the hands of even a neighborhood adversary, much less a determined asymmetrical attacker.

The only surprise is not that asymmetricals are using Google Earth, but that semi-custom C2-C3 mashups have not been produced for distribution among insurgents and jihadists. By standardizing the underlying databases, 4GW opponents can exchange 'battlefield' imagery and information.

It is this lack of imagination and familiarity with COTS capabilities and dual-use applications that leaves conventional military forces constantly vulnerable to asymmetrical attack.

Find toxic wastelands via Google Earth
EPA takes first step in effort to make data about polluted sites more accessible to online mapping applications and the public at large.
By Anne Broache
January 17, 2007, 3:18 PM PST

Volcanoes Erupt on Google Earth
By Elizabeth Svoboda
02:00 AM Jan 17, 2007

Terrorists 'use Google maps to hit UK troops'
By Thomas Harding in Basra
Telegraph (UK)
Last Updated: 2:06am GMT 13/01/2007

Commercial-Off-The-Shelf (COTS): A Survey
Prepared by: Maurizio Morisio and Nancy Sunderhaft
Contract Number SP0700-98-D-4000
Data & Analysis Center for Software
Prepared for: Air Force Research Laboratory, Information Directorate (AFRL/IFED)
December 2000

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Strategic Risk Public  Terrorism Public  


