
ICG Risk Blog - [ InfoT Public ]

Structural TCP flaw permits simple reset attack


I wonder if naysayers would continue to hurl doubts on Dick Clarke's warnings about the potential for cyber Pearl Harbors. Who is to say that one or more criminal groups or governments had not already discovered the flaw and put it in their quiver for that special moment? Remember that hackers penetrated and, for a period of time, took control of parts of the TeraGrid, a run-up for what could have been a stupendous DDoS attack:

"Experts previously said such attacks could take between four years and 142 years to succeed because they require guessing a rotating number from roughly 4 billion possible combinations. Watson said he can guess the proper number with as few as four attempts, which can be accomplished within seconds."

"Watson predicted that hackers would understand how to begin launching attacks ``within five minutes of walking out of that meeting.''"

How's that for operating within our OODA Loop? How many other flaws of equal magnitude are still out there? And in whose quiver? How would we know? When do we get to find out?

Discovery of Internet Flaw Prompts Security Push
April 20, 2004
Filed at 5:31 p.m. ET

TCP flaw threatens Net data transmissions
Robert Lemos
April 20, 2004, 12:40 PM PT

Gordon Housworth

Cybersecurity Public  InfoT Public  


Chocolate as a hacking tool


A delicious reminder as to how tender is our perimeter security when passwords can be pried loose for a bar of chocolate -- one of the cheapest social engineering attacks on record. Richard Feynman would be proud both for the simplicity of the attack and the exposure of the risk.

"Surprisingly, 37 percent immediately agreed, while another 34 percent were persuaded to give up their secret access codes when the interviewer commented that it was most likely to be the name of their pet or their child."

I may be stretching but I think the willingness to give up passwords is yet another sign that users are annoyed by their proliferation. Users surveyed certainly wanted a less demanding, uniform means of secure entry.

New hacking tool: chocolate
Munir Kotadia
ZDNet (UK)
April 20, 2004, 6:38 AM PT

Gordon Housworth

Cybersecurity Public  InfoT Public  


Hemorrhaging intellectual property to Asia - Part II


In response to a previous post of 4/20/04, if I may, let me offer another observation.

Outsourcing of key business functionality is (whether on-shore or off-shore) in many ways an "Emperor's New Clothes" problem - corporations are chasing short-term economic advantage to bolster stock prices rather than long-term economic advantage to support real value, everyone knows it, but no one will say so. Were corporations (and more importantly their officers) required to be accountable for the value of the corporation for some period of time going forward (say 5 years), the decisions they made would be vastly different.

While at IBM I was very involved with their out-sourcing group at the highest levels. I can tell you that privately they knew that few if any client companies would ever realize the 30+% cost reduction they were promising in an outsourcing (no matter where the activity took place) and in fact most would be hard pressed to realize a true 10% reduction in costs. In fact most clients would experience a significant increase in costs. Why? Because IBM had to make their profits, and very few organizations were so poorly managed that the combination of IBM profits and their cost reductions could provide any economic advantage.

Moreover, every deal was sold based upon the assumption that the client would see their investment pay off in the 3rd and subsequent years. Yes, you read that right. Clients parted with large sums of money in the hopes that even larger sums would be returned in three years. As far as I know, not one single client of IBM has yet realized the promised gains, but none have the ability to resurrect the function they outsourced without extraordinary expense. So, senior management declares the effort a success, explains the short-fall as a function of changing market conditions, and the board wisely nods its approval.

I can also tell you that their calculus never included consideration of loss of competitive advantage, loss of flexibility, loss of innovation, or loss of control. Further, not one client ever performed a "total cost of outsourcing" or, perhaps more important, a "total cost of re-insourcing if it doesn't work out" study. It was purely a reduction of cost for currently ongoing activities, while dismantling the entity that could produce competitive advantage.

In many ways, the culprit is the laxity of the SEC in protecting investor interests. The solution may be to modify how the audit industry accounts for these activities. Truth is, if GAAP (Generally Accepted Accounting Practice) is changed to reflect outsourcing risk, many of these activities will change (be eliminated).

Gordon's point regarding the VC community is very well taken. They intend to be out long before blowback can affect them. In the process they may very well have mortgaged our technological and competitive future.

The most important concept in Sarbanes-Oxley is long-term accountability for senior management. What a concept! When applied to outsourcing decisions our (individual investor and national security) interests will be better protected.

InfoT Public  Intellectual Property Theft Public  Strategic Risk Public  


Terrorists that exploit rather than destroy the web


Gabriel Weimann shows that terrorists have gained an effective understanding of using the web equal to, and sometimes surpassing, commercial firms.

I would go so far as to describe the web as an asymmetrical weapon in that its very low cost offers an easily obtainable, flexible C3 (command, control, and communication) capacity to attack its adversaries.

"…terrorist organizations and their supporters maintain hundreds of websites, exploiting the unregulated, anonymous, and easily accessible nature of the Internet to target an array of messages to a variety of audiences."

Most sites contain history, teleology, aims, activities, maps, exploits, biographies, news, and chat rooms. Al Qaeda humint targeting was recently described here. While most do not make explicit references to acts, Hezbollah and Hamas are exceptions in that they provide statistics on operations, slain members, enemies and collaborators -- all the trappings of a model company.

Three target audiences:

  • Current and potential supporters
  • International public opinion, journalists included
  • Enemy publics, i.e., citizens of the states against which the terrorists are fighting

Eight identified uses:

  • Psychological Warfare
  • Publicity and Propaganda
  • Data Mining
  • Fundraising
  • Recruitment and Mobilization
  • Networking
  • Sharing Information
  • Planning and Coordination

Terrorists of all persuasions, "Islamist, Marxist, nationalist, separatist, racist - have learned many of the same lessons about how to make the most of the Internet." The 11 September hijackers used the Internet well and their successors have only improved their skills and raised their presence on the web.  Just as with other western weapons systems, terrorists have adopted the web to good effect for organization, proselytization, and operation.

We’d hire them if we didn’t have to stop them.

www.terror.net: How Modern Terrorism Uses the Internet
Gabriel Weimann
United States Institute of Peace

PDF here.

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  


Berlin Wisdom Model as an intelligence analysis mindset and tool


My exposure to the criteria of the wise man, of wisdom, that has become known as the Berlin wisdom model, rose from readings of psychological studies of the elderly designed to capture the qualities of the wise person. From these articles, I extrapolated their characteristics as the goal for an intelligent knowledge agent/bot.

While the original articles remain fee-based, there is an excellent summary on line at Wisdom: A Metaheuristic (Pragmatic) to Orchestrate Mind and Virtue Toward Excellence (2000).

"Wisdom-related knowledge in life review task" (1992) reviewed research on age and wisdom, proposed a developmental model for wisdom related knowledge, a means to test it, and then compared results across occupational groups. While the results were said to be "largely relevant to psychologists," the jewel was a proposed definition of wisdom.

Distilling a "short form" of the qualities of the wise person as:

  • A fund of general knowledge
  • Procedural knowledge
  • An understanding of the relativity of values
  • An understanding that meaning is contextual
  • Acceptance of change

The original form was:

  • Factual Knowledge: General and specific knowledge about the conditions of life and its variations.
  • Procedural Knowledge: General and specific knowledge about strategies of judgment and advice concerning matters of life.
  • Life Span Contextualism: Knowledge about the contexts of life and their temporal (developmental) relations.
  • Relativism: Knowledge about differences in values, goals, and priorities.
  • Uncertainty: Knowledge about the relative indeterminacy and unpredictability of life and ways to manage.

Baltes defined "wisdom" as "good judgment about important but uncertain matters of life" and argued that there are several key characteristics that promote the development of wisdom, and old age is necessary but not sufficient. Key characteristics were seen as:

  • Older age
  • Open personality
  • Extensive training
  • Well-structured experience
  • Good mentorship in matters of life

What more can one ask of a good intelligence analyst or his or her agents and bots?

"Wisdom-related knowledge in life review task: Age differences and the role of professional specialization"
Staudinger, U., Smith, J & Baltes, P. (1992).
Psychology and Aging, Vol 7, No 2, 271-281.

"People nominated as wise: A comparative study of wisdom-related knowledge"
Baltes, P.B., Staudinger, U.M., Maercker, A., & Smith, J. (1995).
Psychology and Aging, 10,155-166.

Gordon Housworth

InfoT Public  Strategic Risk Public  


Weaving together the chatter of intelligence and business


Dan Farber does a fine job of looking past the "constant chatter among businesses and the intelligence community about insufficient budgets, technology complexity and regulatory compliance" to see that it is a distraction that "masks the underlying failure to inculcate a culture that can overcome those problems with a clear and strategic focus on identifying the key business levers and extracting the relevant data."

He goes on to say that the markers of this decline are only rarely of a 9-11 stature but rather an invisible (perhaps 'ignored under the press of daily threats' is a better phrase) accumulation of degrading capability. I concur with his comment that they rise "from the same source: a lack of essential insight and analysis."

As chance would have it, just moments before Farber's article crossed my desk so did a public list comment by Myron Tribus (a superb disciple of Deming and a gifted thinker in his own right):

"When Dr. Deming spoke of the need for an outside agent to cause a transformation, he was referring to the fact that the basic paradigm upon which the people in the system are acting is invisible to them. You have heard the phrase: "The fish is the last to discover water". A system has great difficulty understanding itself. Of course, people within a system can make changes -- that's understood. What they cannot do unaided is transform the system."

Think of Farber's comment applied to our intel agencies:

"Many companies suffer from this plague of data blindness, which ends up producing negative results. It's the major differentiator of the sickly, underperforming companies from those that lead and prosper. The leaders minimize surprises--and the associated reactionary behavior--because they have a better handle on extracting the meaningful information from the terabytes or petabytes of data."

"Without that focus, companies are doomed to live in the past and have a very uncertain future."

I have often said of such companies that, "They live at the sufferance of their competitors." The extension of that idea to our intel agencies, their data fusion, and subsequent dissemination to relevant consumers is not a sanguine thought.

Business blind spots can have devastating consequences
By Dan Farber,
Tech Update
April 16, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Strategic Risk Public  


Hemorrhaging intellectual property to Asia


In response to a comment regarding one's risk detection and amelioration posture when venturing offshore into a region, or an industrial segment, of high value to nations such as France, Israel, Germany, Russia, or the PRC, a private list member noted:

"I truly believe that your analysis applies to the current "outsourcing" outcry. But, the outcry is just about jobs now. It's the future (the USA's) that is in economic peril. Our industrialists don't seem to get it."

Unfortunately the commercial stampede at both the industrial and venture capital level has long been underway and the PRC is harvesting the bounty.

We have painfully learned that at the Venture Capital (VC) level, investors are driving their stable of firms to create product and produce revenue. Risk assessment is very low on their horizon. Private conversations reveal that VCs preach the mantra "to their portfolio companies to outsource hardware development and manufacturing to China or become uncompetitive." Some VCs have already made the next step of forming development groups in the PRC precisely to serve their entire stable of firms. Now the VCs have put a superb target-rich environment under one roof. Unlike established industrial firms that already have revenue streams, VCs have little of value in their stable of firms save their intellectual capital.

On the established industrial side, the OEMs (Original Equipment Manufacturers at the top of their respective supply chains) have been virtually ordering their suppliers explicitly or implicitly to China (a) to produce lower cost products for resale back to the OEM or one of the subsuppliers in the chain, or (b) support OEM plants in-country. The demand for cost reduction is the pole star. Our prediction is that the OEMs, whose hubris leads them to mistakenly feel themselves above the risk horizon, will not protect their suppliers as new Chinese or other low-cost country providers come on line and will shift purchases to those new firms, hollowing out their own industrial infrastructure, even as OEMs press those same suppliers for cost reductions on a year-to-year basis.

I can speak to the means and actors that would gain access to the technologies being developed. It is extreme in its impact on US interests and I think that the VC and industrial communities are blind to it. We are in the process of contacting certain VC and commercial firms to outline the intellectual property (IP) theft being carried out by overt and covert subsidiaries. It is our opinion that the charge of fiduciary breach can be leveled at anyone who callously lets the IP of their stable be stolen.

Certain firms have a sensitivity to risk analysis (Intel, IBM, and HP come to mind), but their horizon has more to do with minimizing time and delivery/availability risk (above and beyond direct costs) in their supply chains. What they almost universally do not do is extend that risk assessment and mitigation to a level that generates legitimate security. It is too often 'feel good' security uniformly applied to all assets instead of a prioritized response against the assets most at risk.

Our experience has shown that there is a lack of tailored, proactive due-diligence and surveillance put in place to identify, and then mitigate. All technology leaks over time. The trick is to degrade and delay that leak. A major component of that is to put in place a process that, in simple terms, drives the bad guys down the street to a less well protected firm.

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Strategic Risk Public  


  • Please see Hemorrhaging intellectual property to Asia Part II above for addition...more
    - [Jeb]


Had our intelligence analysis only matched our capacity for hubris


The US had the expectation of a quiescent, grateful citizenry that would permit administration on the cheap while criminals were tried and democratic institutions were built from scratch. That assumption coupled with fear of the then Iraqi army may have led to the disbanding of the military. The immediate lack of security in a stroke allowed an already failing infrastructure to be looted to the walls while the failure to sequester vast arms caches allowed Baathists to stockpile arms for the asking. There seemed to be no understanding of the debilitating impact of delay, no jobs, and no visible improvement of daily life.

It is like no one ever read Robert Ruark's book, "Something of Value," set in the Mau Mau revolt of Kenya in the 1950s. The British destroyed the existing infrastructure but substituted nothing to replace it:

"If a people lose their gods, they must replace them with something of value."

That something was the Mau Mau revolt and terrorism. It was the Rwanda of its day.

In retrospect, had we garnered a larger coalition including Turks, Indians, Pakistanis, French and Germans, we'd have had sufficient boots on the ground to instill confidence and forestall looting. A complete postwar breakdown of order drew cries of Iraqis that soon mirrored those of Russians after the fall of Communism: no order, no security, no infrastructure, no gas or goods. Iraqi patience soon faded as clerics and insurgents surged into the vacuum:

"Iraq was held together by the army before, now it's being held together by the mosques."

Former Baathists and jihadists created a destructive cycle of destabilizing attacks, halting reconstruction, Iraqi unhappiness, and rising support for insurgents. Destruction has displaced construction.

Al Sadr's social services network of police, civil services and health care mimics those services provided by Hamas and Hezbollah in Palestine. It also mimics the winning of hearts and minds by those organizations, which are anything but terrorists in the eyes of their adherents. While oil and electricity production are back at prewar levels, the US-led administration gets no credit.

The US gave the Arab 'news hole' to the Iranian Al Alam, and when it did respond with Al Hurra it was derided for excessive happy talk and hiding issues of pressing interest to Iraqis.

The US may never recover its miscalculation of a pliant Grand Ayatollah Ali Sistani. The abortive process of attempting to create a constitution outside of Iraqi hands smacked of a textbook reading of postwar Japan instead of present day Iraq.

Military theorists (for what happened on the ground) and political analysts (for what happened in Washington) will have a field day for years to come.

Early U.S. Decisions on Iraq Now Haunt American Efforts
Officials Let Looters Roam, Disbanded Army, Allowed Radicals to Gain Strength
Failure to Court an Ayatollah
April 19, 2004; Page A1

Gordon Housworth

InfoT Public  Strategic Risk Public  


COTS cruise missiles get easier yet


See parts one and two of "Building a COTS (Commercial Off the Shelf Technology) cruise missile."

AirScooter II, a one-man VTOL helicopter that meets the requirements of Ultralight FAR Part 103 (no pilot's license required), returns to Sikorsky's original coaxial design rotorcraft. Why is coax such a big deal? As one of our regular readers who flew rotary wing can attest, conventional helicopters are complex, tricky things to fly. Coaxial rotor designs dispense with swashplates, collective and cyclic control, offering simple flight controls via motorcycle-style handlebars without pedals or tail rotor. (A paraplegic could fly it.) The engine is also mounted vertically so that the complex right angle drive components are removed.

The AirScooter carries some 350 total pounds of useful payload at 55 knots for two hours of flight time. It will come fully assembled save for rotor blade installation and has pneumatic floats in lieu of skids. Its cost is less than $50K, cheap for a rotary wing of any kind. Not surprisingly, pre-production interest is said to span "military surveillance and mail delivery on military aircraft carriers to police agency and border patrol surveillance applications." The AirScooter is due out later in 2004.

Here's the punch line: it has a much smaller, cheaper UAV sibling using the same coaxial design in flying prototype state.

"The radio control is high-end hobby equipment… This simplified coaxial control system is more than what is required for an observation vehicle and is beyond our expectations. The control system is patent pending. The system response is almost as good as 3D R/C models but yet is easier to fly. Pilot training will be at a minimum and will not be necessary for anyone with R/C helicopter experience."

[UPDATE NOTE: The above AirScooter UAV link is no longer active; All AirScooter UAV material is now here.]

The prototype Airscooter UAV has a dry weight of 37 pounds and a payload approaching 30 pounds at 70 Fahrenheit, sea-level performance. Flight time may be up to three hours. Still earlier in the design state is an electric version to supplement this gas-powered bird.

"Side-ways flight is almost as easy as forward. All directions would be the same if it were not for the small tail fins. These fins provide visual feedback for pilot orientation and assist forward speed stability."

The lead engineer on the AirScooter UAV has over 30 years of aerospace experience with the majority of that in helicopters. "His hobby is model building with emphasis on radio controlled VTOL craft. He established the first FAI world altitude record in 1971 for radio controlled helicopters."

The glide slope to the desktop gets steeper, shorter still.

Updated February 2008

Gordon Housworth

InfoT Public  Weapons & Technology Public  


US to put an Iraqi basket on UN's doorstep


Mere weeks ago Lakhdar Brahimi's proposal was downplayed by the US, yet now he is the man of the hour and his plan for a caretaker government, the dissolution of the US-appointed council, and a post-transition consultative assembly to advise that caretaker government is being supported by the US with all due speed. I fear that, just as with calling in the Iranians to negotiate with al Sadr, the administration is trying to land Iraq on the UN's doorstep.

The UN, in response, is understandably resisting this newfound US initiative until it is presented with a profile that meets Kofi Annan's requirements that it be "realistic, feasible and advisable." This cannot be made any easier by the mutual distaste of US and UN personnel for one another.

The entire situation is fluid in my mind, not least of all with the comments by Bob Woodward on 60 Minutes this evening on the apparently unilateral drive towards war in Iraq, a drive that had the White House briefing 'Bandar Bush' with Top Secret Noforn (no foreign) maps when the Secretary of State had not been informed.

The Spanish are pulling out of Iraq with all due speed and I now wonder about the British due to repercussions over Woodward's book, British fear of a Shiite revolt in the south if the US proceeds against al Sadr's forces in Najaf, the general decline in the situation on the ground, and continued US support to Sharon in the face of British and European displeasure.

Al Sadr's spokesman is claiming that the US had made "insuperable obstacles," that discussions are at an end, and that a US assault "will represent the zero hour for the launching of a massive popular revolution." The Iranians have withdrawn their mediation.

The extra-judicial killing of Hamas' Rantisi has inflamed Palestinian and Arab feelings, and has spilled over into Iraq. The killing has provoked condemnations from many nations, but not the US. It saddens me that the administration can presume that its tacit approval of Israeli actions can proceed in a vacuum that does not impact its support elsewhere and its ability to prosecute the wider war on terrorism.

Friends and enemies alike see the UN as the "only institution that can confer immediate global legitimacy" on a US-initiated representative government in Iraq. I do wonder what their proposal will look like and whether it will be readily "realistic, feasible and advisable" to all. If not, how long will it take, and what concessions will the US administration make in an election year?

Recast in Key Iraq Role, U.N. Envoys Are Wary
April 18, 2004
New York Times

Gordon Housworth

InfoT Public  Strategic Risk Public  Terrorism Public  

