
ICG Risk Blog - [ InfoT Public ]

Finding your financial information on the web


In a security environment where 'feel good' security focuses too quickly on the "easy and obvious" you can be assured the terrorists and criminals will have their ID in order.

Given that trafficking in confidential personal and financial information is commonplace on the web, the only thing astonishing about identity theft is that it is not more common (but Dick Clarke expects it to ramp up). I can only assume that determined identity thieves prefer to cut out the middleman, and so reduce their risk of detection, by dumpster-diving your trash and mail and phishing you online. While recent complaints over access to personal information for security screening have focused on federal requests to airlines and other commercial databases, we must not overlook the ease with which criminals and terrorists can buy an identity with which they can, say, board an aircraft or run up a tab.

Your social security number, bank balances, and, to a reasonable degree, stock portfolios can be purchased online from a number of firms for under a thousand dollars, sometimes a few hundred. The only curiosity is the source of the provider's information, e.g., direct from financial institutions, through direct and indirect sharing arrangements, or by illegal means.

Given that a driver's license is increasingly seen as a general form of identification and can be used to board a domestic airline and make a Canadian or Mexican border crossing by car or on foot, the gaping security holes at state DMVs nationwide make ID theft and production of a seemingly valid driver's license a ridiculously easy event. The Center for Democracy and Technology (CDT) is spotlighting security problems nationwide in the issuance of the licenses. In 2003, CDT found more than 20 cases in 15 states where bribery or lax security at state DMV offices had resulted in fraudulent issuance of driver's licenses. CDT also warned that adding more biometric information to driver's licenses will not make them reliable as a de facto national ID card, yet we are spending monies in exactly that direction.

The CDT report, "Unlicensed Fraud: How bribery and lax security at state motor vehicle offices nationwide lead to identity theft and illegal driver's licenses" has policy recommendations worth reading.

"Forget your bank balance? It's available on the Internet" is a typical example of how easy it is to harvest your personal and financial information.

Yes, only days after this Boston Globe article, an emergency court order obtained in Massachusetts temporarily barred the Ohio firm selling the data from obtaining or selling personal financial information belonging to Massachusetts residents, but that was only one seller among many, and only one state.

Forget your bank balance? It's available on the Internet
Consumers' financial details easy pickings on the Net
By Bruce Mohl, Globe Staff, 1/4/2004
Boston Globe

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Strategic Risk Public  Terrorism Public  


Holding our attention span long enough to support an unpalatable task


Holding the attention of any US administration and its traditionally parochial electorate long enough to complete a "generation of rebuilding" needed to set Iraq and the Middle East on a new course is a massive, almost impossible task, especially when that rebuilding is not performed to our script or timing.

Speaking of our attention to Iraq, Howard Kurtz offered one of the better stat sets that I have seen on the transient attention of the news, or what I like to call "the lens of the news, a brilliant white dot that crawls an otherwise blacked out room."

By 26 April, Lycos Search reported that SARS was the most requested search term, followed by Kazaa, tattoos, Dragonball and the NFL. The Iraq war fell to 17th on their list, as searches for information about the conflict dropped 40 percent. Al-Jazeera and Saddam Hussein fell off the list after five weeks.

The First Gulf War is indicative: Iraq disappeared from daily coverage within six months of the end of the war. Network reporting was down to 48 minutes in August 1991 from a high of 1,177 minutes at war's outbreak in January 1991. Afghan coverage is down to 1 minute from 28 minutes in February 2002 and 306 minutes in November 2001.

And of course you remember Peru, Haiti, Grenada, Panama, Somalia, East Timor, and Aceh, don't you? Surely Northern Ireland? Unremitting famine and AIDS in Africa? And this attention span is going to bring us the political and financial will to remake the Middle East? You say things will be different now, now that we have suffered September 11. I say that I have some exquisite beachfront Arctic property to show you.

For Media After Iraq, A Case of Shell Shock
Battle Assessment Begins For Saturation Reporting
By Howard Kurtz
Washington Post Staff Writer
Monday, April 28, 2003; Page A01

Gordon Housworth

InfoT Public  Strategic Risk Public  


US-European inconsistency in dealing with Bantustan states in Palestine


As I reflect on the many reports of Wall building or, say, the infrastructure destruction of Jenin in 2002, I have had to question my own lens for judging the situation. My emotional center is not skewed to sectarian hatred -- even as a late teenager, my psychological profile noted that I was "inclusive of others, even to the point of forcing others to be inclusive of others [whom they might dislike]."

I am forced to conclude that, despite the rhetoric, the Israeli state has escaped centuries of persecution only to establish its own over a series of Bantustan statelets, and that it continues to expropriate Arab lands and destroy their means of livelihood even as Israel proffers an ever-shrinking gerrymandered remnant to the Palestinians.

The destruction leveled on these Bantustan states, the Palestinian enclaves if you will, may not match the destruction of Hama by Assad, or the destruction of the Kurds and "Reed Arabs" by Hussein, yet it is this destruction by Sharon that is buying another generation of hate, that has destroyed the ability of Palestinians to have any measure of pride, self-reliance, and hope for the future, that continues to make partition and even the expulsion of the Palestinians and Arafat a self-fulfilling prophecy. Israel has edged into the behavior of a rogue state given the impact that it has wreaked upon the greater Mideast region and US interests at large.

I offer the observation, not a condemnation, that Israel is treating the Palestinians as the former Afrikaans government in Pretoria treated its "Afs" (black Africans). If you were for any reason exercised over apartheid and cantonization in South Africa, why would you look with benevolence upon it in Palestine? I maintain that if you can make such a distinction, you will have accomplished some interesting mental gymnastics in the process.

My thrust here is consistency in the assumptions that guide intentions and actions. For example, I drew no distinction between Pretoria's actions and those of virtually any other African state. The sole "problem" was that the Pretorian government was White and the oppressed were Black, whereas in all other African countries the oppressed and oppressors were of one color even if they were of different tribes and religions. I maintain that Anglo-European white guilt led it to attack Pretoria while ignoring predations elsewhere in Africa (and I have a fair amount of data to support this view).

I believe that a similar exception is being made here in the Levant. Were this one Arab nation or tribe oppressing another, we would take no special notice, unless, of course, they possessed petroleum stocks. The "problem" in this case is that Israel is a Jewish state and its regional counterparts are various forms of Islam. The repercussions of that problem will dog us painfully and increasingly so.

Gordon Housworth

InfoT Public  Strategic Risk Public  


Why steal COTS products or processes?


Building on "What are they stealing now?":

"Foreign collectors most likely settled for commercial products after learning that their [clandestine] collection efforts failed and were not worth pursuing."

Targeting countries appear to wait for a successful US commercial application of a technology before seeking to acquire it, as the kernel of military capability is often contained in the commercial variant. An airborne IR sensor is a good example, and the same applies to all dual-use technologies.

I would stress that "failed" applies to collectors' time horizon and that the early securing of a commercial variant will act as a "gap filler" in both their defense and commercial posture and will act as a development seed in their research institutions.

Developed countries suffer legacy drag as we do, preferring not to change computer systems when an upgrade is needed, so they target absorbable enhancements. Developing countries, not so encumbered, will attempt quantum leaps in capacity by acquiring newer, more advanced systems.

Everything is at risk to someone. In the early 80s I went to the Pentagon to make a deposition as to how the Soviets were buying English PCB (printed circuit board) CAD systems en masse in order to make LSI (Large Scale Integration) chips. The military attendees were stunned when I described a simple sectoring process in which a chip's logic could be broken up into segments absorbable by the PCB systems and then stitched together. The "commercial loss" of silicon was unimportant in comparison to the ability to achieve high-density chip architecture. That was a year after I watched the Shanghai Institute of Metallurgy hand-tape (manually apply pull-off and paste decals to represent components) its first 1K RAM chip. The attendees were not aware of that either.

At times, the collection attempts are not directly military (but will ultimately have a military benefit), as even moderately capable nations want to keep pace with the US, avoid dependency on external contractors, lower their maintenance costs, improve availability, and embed capacity in their local production.

  1. Complementary and redundant sets of attack vectors are common. Acquisition attempts vary from simple, passive information requests to sophisticated multi-spectrum collection efforts, but it is rare to receive a single attack vector. At a previous firm, we used to joke that, "The Indians are the greatest paper collectors on the planet."
  2. It is more common for your firm (but not you) to receive multiple probes, the responses from which tailor or redirect the probes that follow. Japanese firms with whom I had previously worked peppered my company from programmer to senior executive -- often six or seven requests on the same day on the same issue. There was great distress when I stipulated that all messages came to me for a single integrated, controlled reply -- and then distributed the reply internally as the 'rule.'
  3. Every nation has a pattern or preference that, while it will change over time, has very recognizable characteristics through the medium term. Technical ability, culture, polity, and business practices merge with need and so help paint any country's attack profile. (The Chinese affection for humint is a good example.)
  4. Collection plans seek the greatest ROI and the greatest OpSec (operational security) for the collectors' assets and means.

Next we'll look at why a country gets on the FBI's New Security Threat List, and then who gets on this porous, ostensibly classified list, and who gets left off for reasons of political sensitivity.

Gordon Housworth

InfoT Public  Intellectual Property Theft Public  Strategic Risk Public  


Sliding Chalabi over the side


It is my opinion that removing Chalabi is at least one error that the US is rectifying. The term Carpetbagger came to mind whenever I heard Chalabi mentioned. My concern is for the valiant members of the IGC, some of whom have already paid with their lives, that I fear we will abandon with equal fervor. My comments of Sept & Dec 2003 from the private list are pertinent:

Comment of 26 Sept 03

Last weekend a list member asked my opinion as to the state of Iraq. I replied that it was going to get far worse before it got better. That led to a discussion of why the situation was deemed 'worse' rather than 'par' or 'better than expected.' Quickly overtaking Afghanistan as the primary focus of the region's Islamic militants, US coalition forces in Iraq have further become a lightning rod for ordinary Iraqis infused with a potent mix of nationalism and religious pride. All this comes atop a depleted -- looted -- infrastructure that put paid to all the care of precision bombing. Little wonder the place is in an uproar.

Where are those teeming throngs of grateful Iraqis? Yes, they were there in modest pockets in the early stages and, yes, some are certainly cowed by new threats or displeased with the pace of recovery, but it still seems fewer than expected. And while we're at it, where did the view of Iraq as a willing American filling station spring from? The US is generally known for careful military planning in the post-Vietnam era. So where did we get the impression of grateful multitudes that would not immediately loot the place and start shooting up one another? Our discussion over open source materials boiled down to Ahmad Chalabi, leader of the Iraqi National Congress (a London-based exile group).

Just months ago, Chalabi was on every news screen. Even as he sought to assume a post-Saddam leadership role, he was criticized for being out of touch with present-day Iraqi problems and politics -- Chalabi had been outside Iraq since 1958. Yet his London-based group is close to the American government and he has been closely involved in US attempts to establish an interim Iraqi authority. We think that much of the rose-colored view, however it has been amplified by members of the administration, sprang from Chalabi.

It is so like Americans to gravitate to someone that looks like us and talks like us when we go to distant places regardless of what their competence might be. (Remember who we plucked up and set down in Afghanistan.) The unspoken presumption is that we can 'communicate' better and learn from those individuals over others that demand more effort on our part. The reality is that it is just sloppiness and lack of due diligence on our part. I watched it happen time and time again, both in government and commercial settings.

Since last weekend's discussion, Aquila al-Hashimi, a vibrant member of the Iraqi Governing Council (IGC) destined to become Iraq's new UN ambassador, died from her assassins' wounds. She was the third prominent Iraqi killed after being seen as sympathetic to the U.S. occupation. Before her, Shiite cleric Ayatollah Mohammad Baqir al-Hakim, whose movement has a seat on the IGC, was killed in a car bomb attack in An Najaf in August, and Sheikh Abd al-Majid al-Khoei was killed in An Najaf in April, shortly after his return from the UK.

More IGC members are likely to be targeted as the security situation deteriorates (and all have been issued death threats as traitors). The IGC must now rely more heavily on US protection even as it must demand more authority and independence from the US to demonstrate that it is not a lackey.

So among all the actors in the guerrilla-style insurgency that target US and UN personnel and their Iraqi allies, we have to contend with seemingly ordinary Iraqis united in piety and nominally unafraid to die. Wonder what kind of questions we are putting to Chalabi now.

Comment of 29 Sept 03

The DIA's assessment appears to cast a rather somber opinion of Chalabi and his defector sources. But it must have been so easy to interrogate in tony London, to be handed sources on a plate without any need for your own footwork -- especially after your own (CIA) efforts were turned or wiped out by Saddam's counterintel.

Comment of 23 Dec 03

It does make my gorge rise when I see Ahmed Chalabi railing at the Coalition Provisional Authority (CPA) in favor of taking a hard line against former Baathists working in the Iraqi government. This is the same gerbil that told the DoD that Iraqis would greet US forces with perpetual open arms and helped DoD push State's much more realistic assessments aside.

U.S., U.N. Seek New Leaders For Iraq
Chalabi and Others Coalition Relied on May Be Left Out
By Robin Wright and Walter Pincus
Washington Post Staff Writers
Saturday, April 24, 2004; Page A01

Gordon Housworth

InfoT Public  Strategic Risk Public  


What are they stealing now? Or do you just hand it to them?


"You might as well sell this to us. We are going to get it anyway."

Not the best justification for a sale, but it is indicative of the size of the problem.

Commercial firms are at a disadvantage in that most are driven respectively by cost, cost, and cost while the skilled few are driven by cost, time, and risk (the latter two being other forms of cost). Only the very rare firms and the military look at risk, time, and cost.

How is a company to know what is valuable and to whom? Yes, all 18 of the MCTs (Military Critical Technologies) are consistently targeted but many commercial firms, if they think about it at all, think that it must apply to someone other than themselves.

It helps to see one’s products and services within the consistent themes that have emerged over the past six years:

  • Dual-use technologies
  • Components over complete systems
  • Unclassified technologies

‘Whoops, that could be me after all,’ and indeed it is. Interest in dual-use items is self-explanatory -- they improve commercial and military areas equally. Components are less obvious, but they face far less scrutiny when acquired and are easier to integrate once obtained.

The "unclassified" category is vast; including both ITAR and EAR administered items. About 90 percent of all technology targeted by foreign assets in 2002-2003 was unclassified.

It is hard not to find your company in the "diverse assets of the energy, agriculture, automotive, machining, and environmental sectors."

Delving deeper, you may be providing standalone or embedded computer and chip technologies, semiconductors, biotechnology, biometrics, nanotech/miniaturization, pharmaceuticals, public security technologies, manufacturing processes, public safety systems, and patent rights.

The most heavily targeted MCT categories are:

  • Information systems (anything for C4IR: Command, Control, Communication, Computer, Intelligence, Recognition)
  • Sensors and lasers
  • Armaments and energetic materials
  • Electronics

Later we'll deal with who is after you and how they do it.

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Strategic Risk Public  


Glacial yet essential improvements in software security and assurance


While "Security holes force firms to rethink coding processes" was only cited in passing in "Risk amelioration for software creation, subversion, and diversion," it deserves independent mention. Likewise the authors quoted in the EE Times article, "Linux: unfit for national security?", deserve mention to add gravitas to their comments:

  • Eugene Spafford, Purdue University, and executive director of the Center for Education and Research in Information Assurance and Security
  • Cynthia Irvine, Naval Postgraduate School, Monterey, professor of computer science and an expert on information warfare

Spafford responded as a SANS guest editor to a dissent:

"Security is more than the apparent lack of obvious buffer overflows or the ease with which an experienced programmer can apply a patch. It includes fundamental issues of design, including (for instance) separation of privilege, user interfaces, minimalism of function, fail-safe defaults, and freedom from deadlock. Large, complex systems written for general environments are not designed to these principles. Furthermore, the majority of those systems have been developed and maintained by personnel whose skills, motives, and loyalties are not necessarily known. As such, these systems should not be used in mission-critical systems, sensitive embedded applications, or systems with high assurance needs. Those people arguing the dogma of "Linux is better" or "Windows is better" are missing the point -- both are inadequate for these needs. Unfortunately, we have too many people making decisions about security and high assurance who do not really understand the fundamentals."

Some software vendors, perhaps even Microsoft, realize that salvation is not in patches, but in processes and tools that trap problems in development. Microsoft has instituted a buddy system between security experts and programmers (though security folks are vastly outnumbered). In addition to its own tools, MS has added independent review of its products. Some of those outside firms are hiring yet other firms to vet their tools and processes.

Yet much security review remains a manual art, though automation for application and source-code analysis is becoming more available -- some of it for near real-time/daily analysis. Some firms are rising above the programmer to provide tools for "those with responsibility for understanding where risks are," such as CIOs and chief security officers.

Those are very good trends, late but good. This is the article that alluded to Foundstone's forthcoming report, an "apples-to-apples study comparing the history of flaws discovered in several versions of Linux to Microsoft software," which finds that "Linux is worse" with about 10% more flaws uncovered.

I still maintain that Microsoft can best Linux by providing more secure products, not by more geek goodies. Save for good, secure groupware, of course.

Security holes force firms to rethink coding processes
This story appeared on Network World Fusion
By Ellen Messmer
Network World, 04/19/04

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  


3rdGen COTS robot teams for collaborative sensing, exploration, mapping, and independent team coordination


More commercial off-the-shelf (COTS) wonders. While each technology contributes something to the collective Scout team, I find the software architecture able to render effective teamwork among inanimate objects to be the most intriguing.

The team leader is named MegaScout, "a 15-inch-long sibling of the smaller Scout which can carry larger sensors, a manipulator arm (for opening doors, lifting Scouts and similar tasks) and the processing power to control the Scout team in the field."

The lesser Scouts "incorporate a video camera, three infrared range finders, two light sensors and a pyroelectric sensor (for sensing body heat) plus a two-way remote-control system that supports frequency hopping and signal encryption" and do it in about the size of a "cardboard tube inside a roll of toilet paper."

They are designed to work as a team using a combination of sensing devices under instruction from the MegaScout, which communicates back to a human operator.

It's only a matter of time before anti-handling devices are installed and then on to offensive roles far from disaster recovery.

While a sophisticated teaming version may not be fielded by terrorists, you can expect smaller solitary versions.

It is worth visiting the site to see how small these items are.

Turning Robots into a Well-Oiled Machine
Robot teams to help emergency responders in the trenches
NSF PR 04-046 - April 12, 2004

Gordon Housworth

InfoT Public  Weapons & Technology Public  


Barcelona club chips (as in RFID implants) its VIP members


It has become a truism that many individuals will surrender privacy and permit intrusion in exchange for comfort, convenience, and pleasure.

Rarely is this more true than in the case of a Spanish club that is chipping its VIP members. As I was rather hoping that the news reports were a hoax, I visited the Spanish site for the Baja Beach Club and clicked on the 'Original Baja VIP' link. Sure enough, part of the Spanish text matched the translation: "We are the first discotheque in the world to offer the VIP VeriChip. Using an integrated (imbedded) microchip, our VIPS can identify themselves and pay for their food and drinks without the need for any kind of document (ID)."

It seems tailor made for an SNL skit when one reads that, "He himself was implanted at the media launch of the VIP implant system along with stars from the Spanish version of the TV Show, "Big Brother," (called "Grand Hermano" in Spain)."

Poking around the Euro-scene, I found an 18 March 2004 notice on BarcelonaConnect heralding the club's 7th Anniversary party with a "spectacular skyshow, the Grand Opening of the new Champagne bar and the introduction of new technologie "The VIP Verichip". (Famous people will have an implantation in Baja Beach club)"

Found an interview of Conrad Chase, director of BBCI, by Alex Jones of in which Chase states that VeriChip informed him that Italy was intent on chipping all government workers -- and that the chip plant was in China.

I do hope to see this pop up on an urban legend site. Soon.

Conversely, were I a terrorist, I could hardly wait for my targets to be conveniently ID'd as so many cattle in a feed lot.

As noted previously in "RF networks under assault," I feel that RFIDs are complicit assassination tools, as a "pre-scanned and identified RFID chip in a credit card, vehicle, or other device known to be on or near the targeted individual" can trigger a device when the target comes into range. If the RFID is inside the target's body, so much the better.

Other delights come to mind, for example, if a country or a company chips their employees, will you as a visitor have to be chipped to gain entry? Who will assume liability for complications in removal?

Baja Beach Club in Barcelona, Spain Launches Microchip Implantation for VIP Members
Violet Jones/ | April 7 2004

Gordon Housworth

InfoT Public  Weapons & Technology Public  


Risk amelioration for software creation, subversion, and diversion


Software design for weapons systems -- who does it, where do they do it, what tools do they use under what design rigor -- is a consistent concern in our supply chain infrastructure risk assessment.

With the Telrad (Israeli) penetration of the White House phone system never far from mind, the presence of foreign contractors in the F-35 Joint Strike Fighter program is a concern, and the prime contractor's (Lockheed Martin) contention that "98 percent of the F-35's software was "U.S.-sourced" and two percent came from abroad" offers no solace when a few lines of malicious code can prejudice aircraft stability, avionics, or weapons.

What good does it do to have an aircraft that can turn sideways on a dime if someone can turn off its fly-by-wire system? It would be the singular software trapdoor of a future air superiority engagement. Were I a bad guy, it would rank high on my penetration list.

An excellent, and highly recommended, article on the inappropriateness of Linux (along with Windows and Solaris) for "control systems for tanks, bombs, missiles and defense aircraft" drew my attention, as one of its salient charges is that Linux contains "many elements of unknown origin," and that just a few lines of subversive code could "cause a major malfunction." What goes for operating systems goes for suppliers.

"Software subversion," in which adversaries add a few lines of code that can cause a major system to malfunction, is a concern of security experts... In such applications, developers need to use "high-assurance" operating systems with the smarts to prove that subverting code doesn't exist. Linux is not one of them."

As an aside, the "many eyes" concept of open-source development and peer review is not sufficient for national security apps as a "subtle flaw could be included in the system and missed by all those eyes, because they may not have the training or motivation to look for the right problems." (Remember that an attempt to deliberately add a security flaw to Linux was only recently averted and both the Unix and Linux kernels have had serious flaws.) A forthcoming independent security report will show that ""Linux is worse" [than Microsoft software] with about 10% more flaws uncovered."

With a history of diverting US technology, Israel recently joined the eight JSF full partner countries as a lower-tier "security cooperation participant" (SCP). As late as mid-2002, the US was still resisting Israeli participation requests due to concern that classified technology might be leaked to unfriendly countries, notably the PRC.

"Unlike the other full partners, Israel will not be able to impact JSF requirements or have a presence in the JSF program office. However, Israeli industry will be able to compete for SDD [system development and demonstration] work on the JSF like the other full partners."

While the researchers' Congressional testimony focused on software, their comment that the programming community must "get past issues of cost, corporate politics and technological "religion" when dealing with matters of national security" has wide applicability:

"The problem occurs when a vendor decides to adopt software because of cost or because of familiarity to their current programmers," he said. "They end up making a decision that involves risk, and they don't have the appropriate background to make that decision."

That should apply to every vendor across the JSF supply chain. It is no longer enough to deal with direct cost, time, and delivery/availability risk. Risk amelioration for creation alone does not address the risks of subversion and diversion. Yes, there will be an added direct cost to dealing with these longer-range risks, but we forgo it at our peril.

Linux: unfit for national security?
By Charles J. Murray, EE Times
April 19, 2004 (11:29 AM EDT)

U.S. lawmakers to weigh Pentagon's foreign-software use
Reuters, 01.08.04, 2:15 PM ET
By Jim Wolf

FBI Probes Espionage at Clinton White House - suspected telecommunications espionage
By J. Michael Waller, Paul M. Rodriguez
Insight on the News
May 29, 2000
Original scrolled off


Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  
