
ICG Risk Blog - [ InfoT Public ]

This exploit tool is fearsome. It should be on your box


Remember my comment that hackers are increasingly able to act (exploit script definition to loose in the wild) inside our OODA Loop? Now a loop trip of a matter of days and hours may be reduced to minutes. From Security tool more harmful than helpful?:

"A recent report by market research firm Forrester into software security threats found that attacks "explode after unscrupulous hackers build scripted versions." Many critics agree, saying such exploit-testing scripts--which turn a highly technical vulnerability into code that can be run with a few commands--allow far too many people to become online attackers."

"The updated framework, known as Metasploit Framework 2.0, enables people to create standardized plug-ins for the tool so that they can legally hack into computers by manipulating the latest security holes. The tool already has 18 exploits and 27 different possible payloads."

Doomed you say? Suppress 'the tool' you say? Useless for you as even if this (legitimate) Metasploit tool were suppressed, the concept is now known and code is now being used. If Metasploit were suppressed, one or more illegitimate, perhaps covert, tools would take its place. The genie cannot be squeezed back into the bottle.

I submit the exact opposite: A tool such as Metasploit should be as common as a disk utility or a defragger. If a virus detection manufacturer were on their toes, they should incorporate this tool into their subscription service such that exploit signature (if it lands on your box) morphs into exploit detection (is my box vulnerable):

"Beyond those people, Lindstrom said, the tool could allow thousands of others to become hackers."

Yes, and you should be among them, instantly hacking your own system. And what happens if there is no cure yet available for the disease in question? Awareness is the first step to curing root cause. It won't take too many occurrences for large customers and ISPs to begin to demand corrections, first in code and then in design prior to an app's release; the exploit is run by the app's manufacturer before the app is ever released. It should become part of their QA process.

It could be added into a Sarbanes-Oxley compliance process, and I hope that it is, for if a risk is identified and documented and then not ameliorated, the officers of the firm could be open to suit for fiduciary breach.

"...anyone can already buy such a product from a handful of security companies. However, he acknowledges that the widespread use of such software may make some network administrators' jobs harder. "If (you are) a system admin that only patches boxes, of course you aren't going to want to see any new exploit code," Moore said. But that doesn't mean the problem is going away, he added. "We can do anything we want to curb exploit releases--make it illegal in America--but they will still get released."

Metasploit should be as common as a vaccination. Firms will have to work out interim means of protection, which could entail automatically taking the system under attack off line. I would like to see automatic, redundant backup tools that at least protect my data and are resistant to hacking so that at least my data is safe. Then we are operating at or inside the OODA loop of the bad guys:

Security tool more harmful than helpful?
By Robert Lemos
CNET News.com
April 8, 2004, 4:43 PM PT

Gordon Housworth


Cybersecurity Public  InfoT Public  


Applied competitive behavior: "The Battle of Algiers"


Certain films and books so capture a feeling or describe an event that they transcend what textbooks have to say about the subject. If you want to understand the eviscerating, incapacitating terror that a guerilla group can instill in a local population, you only have to read Jim Corbett's slim work, "The Man-Eating Leopard of Rudraprayag." Killing over 120 people in eight years, a single leopard paralyzed a region, forcing the British to offer massive rewards, send in a Gurkha army, and employ all manner of hunters, traps and poisons - all to no avail - until Corbett bagged it in 1926. Every special ops guy to whom I recommended the Leopard has treasured it.

If you want to understand the ruthless, no quarter growth and suppression of an insurrection and guerilla war, you have only to watch Gillo Pontecorvo's "The Battle of Algiers." While I admit to a love of the films of Pontecorvo and Constantin Costa-Gavras as few others have so well painted political oppression and fascist states, I first saw Algiers after returning from Asia. While everyone else in the audience seemed to be a war protester that had 'yet to go,' I had come back having already made my uneasy peace with tactical necessity. The film was like an exquisite text and resonates with me still today.

Reprising a private note of Sept 2003, "I think it inspired that someone in the Pentagon recently had Algiers screened for a group of serving officers as we slip into such an insurgency in Iraq. The open, easy US soldier attitude of the first few weeks has vanished thanks to the attacks, succeeding in the first goal of isolating "us" from "them" so that corrosion commences on both sides. Demonization is soon to follow. We only have to watch for the equivalent of zips, slops, slants, and gooks and we are there."

Mercifully I do not hear those words, but the conflict has become increasingly grisly. The French plan succeeded tactically but ultimately lost the war. De Gaulle ended it by withdrawing the French forces but was nearly assassinated for his trouble and French society, politics, and the military were riven for years. I can attest to the allure of tactical means in dealing with clandestine terrorists and what I used to call "the art of interviewing those who desperately don't want to be interviewed."

"During the last four decades the events re-enacted in the film and the wider war in Algeria have been cited as an effective use of the tactics of a "people's war," where fighters emerge from seemingly ordinary lives to mount attacks and then retreat to the cover of their everyday identities. The question of how conventional armies can contend with such tactics and subdue their enemies seems as pressing today in Iraq as it did in Algiers in 1957. In both instances the need for on-the-ground intelligence is required to learn of impending attacks. Even in a world of electronic devices, human infiltration and interrogations remain indispensable, but how far should modern states go in the pursuit of such information?"

If it is at all possible for you to see Algiers, I recommend that you should. This is a "low-intensity war" or "asymmetrical warfare" in the flesh with both sides at once human and monster. You can gain an understanding of how a guerilla operates, what a patient al Qaeda operative looks and waits for, and how a conventional force attempts to counter and subdue it when the high tech tools of the day do not yield an easy fix. Unless we can engineer a better solution -- and I am not advocating withdrawal -- folks will indeed start to say 'I have men down, worse, in pieces, no one will know, and this guy can tell us what we need to know.'

Note that while Kaufman's original article has scrolled off to archives, the text is mirrored in many locations such as here and a useful Battle of Algiers study guide here.

What Does the Pentagon See in 'Battle of Algiers'?
By MICHAEL T. KAUFMAN
September 7, 2003
New York Times

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Strategic Risk Public  Terrorism Public  


Declassifying the 6 August PDB


Declassifying a PDB is not, and should not be, a trivial event as it is the net summary, what I call a still frame from a motion picture, containing both the donut and the hole (what we are looking at and what we aren't), of the priorities of the day based upon accumulated prior tasking. There is drag-along in these docs above the specifics on content.

Complicate that with political survival and the matter becomes increasingly sticky. As one colleague mentioned offline, the White House "was simply thinking run and they got pass." In the case of this PDB, some of whose particulars were mentioned in newspaper articles in May 2002, a House-Senate inquiry into intelligence failures in July 2003, and has been summarized, still in classified form, for some of the 9/11 commissioners, it may contain both predictive as well as historical (called 'analytic' in this context) information.

As Von Drehle noted in "Zeroing In on One Classified Document" (W Post), "When the Washington investigative machinery gets rolling, it takes a major event to stop it. National security adviser Condoleezza Rice's defense of the Bush anti-terrorism effort at yesterday's hearing before the 9/11 commission was not enough." Von Drehle commented that it was insufficient as it did not quell the second of Clarke's two claims:

(1) Administration ignored Clarke's plans for disrupting al Qaeda in early 2001
(2) "[Top] officials, including Bush and Rice, were listless in the face of the summertime "threat spike.""

I submit that Rice's testimony, beyond not countering the second claim, raised the bar for an administration that will lose more political capital, as it did in delaying Rice's sworn public testimony, until this PDB is released in full - at least those portions having to do with al Qaeda. Yes, the administration will have the task of managing hindsight analysis in a political year, but only when it is released will we be able to see what material was reasonably predictive and what was analytic -- and from that draw an opinion as to the level of effort being done to obtain predictive information.

I have the rising fear that on this issue, the White House 'might have been thinking time out and they got pass.' I want to see that PDB and I want to hear good intel folks comment on it to put it in the context of the day. I submit that further delay, national security matters aside, is a self-inflicted wound.

Briefing on Al Qaeda Included Specifics
White House Says Declassification of Pre-9/11 Document Will Be Delayed
By Walter Pincus and Dan Eggen
Washington Post Staff Writers
Saturday, April 10, 2004; Page A05

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Strategic Risk Public  


The administration would gain much by listening to James Heskett


Who is James Heskett, you ask, as you rifle through your list of authorities on defense and strategy?

Forget defense and think services and service delivery. Heskett, in concert with Sasser and Schlesinger, are acknowledged masters in the field of services. And what is government if not a services provider to its customers, aka citizens, who must periodically renew their subscription service, i.e. vote?

Where do I want to start? Customer recovery. Clients want flawless service but they are generally realists and understand that things break periodically. What is essential in retention is how the seller recovers -- how well and how fast. Heskett has said, "Customer retention results from customer satisfaction, which is determined largely by the value the customer perceives."

I maintain that people only buy, and keep buying, for two reasons; to make themselves happy, or to remove themselves from fear or want. If I don’t do either in sufficient numbers, why would anyone "buy" from me? In a 1997 article, I wrote that, "Customer dissatisfaction measures can be more revealing than satisfaction measures. Customer retention rates, repurchase rates, and defection rates are critical as leading indicators of future customer behavior."

Whether you agree or disagree with the current administration, I will 'lead the witness' by suggesting there is a sufficient amount of dissatisfaction that could result in a change of service provider. Heskett often remarks that poor service is by design, that "[most] service failures are not failures… They have been designed into the system by choices senior management have made [creating] a self-reinforcing system that establishes a cycle of failure." The current administration inherited much from its predecessors and can but with difficulty make sweeping changes. The best that it can hope for is a laser-like attention to items that reflect the needs of the time.

This is where I submit that the president needs Heskett more than he needs Rove. If you read Tom Friedman, you know where I am going: Apologize, say what you have learned, what you will do differently, i.e., recover, and move on. Americans are a reasonably forgiving lot.

Where is an apology needed? If you read either Jeffrey Record or Dick Clarke, it is that al Qaeda was not a top concern for the White House. (I listened sympathetically to Condoleezza Rice's testimony and heard nothing new in this respect.) Second, some of the president's direct reports guessed wrong as to what was the correct priority order for administration attention. Terrorism as we now know it was not in the five top issues of the administration.

For me, the central theme of Rice's testimony was what I would call an "infrastructure defense," that it was the infrastructure that failed a sitting president. Were I a Democratic advisor I would be overjoyed at the prospect of using this to beat the administration. How? Simply because in any failed or uncommunicative infrastructure, corporate or government, it is precisely the ability to "shake the trees" over a critical issue that knocks enough heads together to allow actionable information to flow. But if you did not choose the right reason for tree shaking, or did not shake at all, then that could be construed as a fundamental lapse in vision or leadership.

I wish this were not an election year as I fear that a knee-jerk attack or defense of the sitting president will muffle or distort recommendations that must, must, change the way that our internal (FBI et al) and external (CIA et al) intel assets function.

If any of you have read the Western human target manifesto that has risen on al Qaeda sites, you might surmise that, here and abroad, you and I need all the help we can get.

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Strategic Risk Public  Terrorism Public  


Applied competitive behavior: al Qaeda humint targeting


Memo outlines al-Qaida terror plans and Al Qaida planning memo excerpts offer a grim forecast of target priorities against Western individuals -- not infrastructure -- here and abroad. Signed by the al Qaeda leader in Saudi Arabia, Abdulaziz Al-Mukrin, the list appeared in a webzine frequented by al Qaeda militants. While there is some tradecraft, the bulk of the note is a very personal list that goes beyond infrastructure and religious targets to include specific nationalities and occupations.

For example, 'Christian' targets are prioritized as Americans, British, Spanish, Australians, Canadians, and Italians; while 'category' targets are businessmen, diplomats, politicians, scholars, analysts, scientists, military, and tourists. This becomes personal if you are within reach.

Should this escalation hold, what will be our response under Gresham's Law of Competitive Behavior? This could be Pontecorvo's "The Battle of Algiers" writ large as the excerpts detail:

  • Targets Inside Cities - "Targets inside the cities are considered a sort of military diplomacy. Normally, this kind of diplomacy is written with blood and decorated with body parts and the smell of guns."
  • Faith Targets - Missionaries in Islamic countries, any Moslem religious scholar who cooperates with the enemy.
  • "The purpose of these [individual] targets is to destabilize the situation and not allow the economic recovery such as hitting oil wells and pipelines that will scare foreign companies from working there and stealing Moslem treasures."
  • Human Targets - "We have to target Jews and Christians. We have to let anybody that fights God, his prophet or the believers know that we will be killing them. There should be no limits and no geographical borders."
  • The Purpose for Human Targets - "To stress the struggle of the faiths… To show who the main enemy is. To get rid of the renegades and to purify the land and to use them as examples for others. To spread fear in enemy lines… To lift the morale of the Islamic nation. To destroy the image and stature of the targeted government."

On one hand, there is nothing specific in the targeting so that the note joins the "chatter" background; on the other it provides guidance and esprit to the jihadists thus moving some events forward and reordering priorities.

Memo outlines al-Qaida terror plans
Document lists preferred economic, religious and individual targets

By Lisa Myers
Senior investigative correspondent
NBC News
Updated: 11:29 p.m. ET April 01, 2004

Al Qaida planning memo excerpts
Note details priority list of human targets for terrorists

Updated: 8:10 a.m. ET April 02, 2004

Gordon Housworth



InfoT Public  Strategic Risk Public  Terrorism Public  


Gresham's Law of Competitive Behavior


I coined Gresham's Law of Competitive Behavior years ago as a corollary to Gresham's Law. Economic policy gave rise to Gresham's Law (Bad money drives out good money), now generalized to 'Inferior goods, services, or behavior drive out the good goods, services, or behavior.'

My corollary became Gresham's Law of Competitive Behavior: "You must descend to the behavior of your adversary to defeat him."  If that law is true, it poses some somber questions in dealing with either conventional or asymmetrical terrorist threats. 

In a private note, 'Weaponized anthrax, preemption, and other sticky thoughts,' I cited Richard Preston’s visceral description of weaponized anthrax in "The Cobra Event" and then asked readers to consider someone wanting to bring that to our shores and how they would react to preempt had they the chance. My point was that their answer would concentrate their mind one way or the other as to where they wanted to fight the battle and to the degree to which they wanted to fight it.

In response to aggressive measures by ASEAN states -- Singapore's aggressive Internal Security Act first among equals -- to halt a terrorist effort to create a regional Islamic state, I asked those who disdain aggressive interrogation and police powers to consider that most likely the only reason that 10 to 12 US flag airliners did not drop into the Pacific was an intense Philippine search and subsequent interrogation that flushed the details of the plot.

We then moved to the general argument over preemptive use of deadly force occasioned by an unmanned CIA Predator drone strike (forgetting that a man is controlling the drone from a ground station) in Yemen that killed six al-Qaeda suspects including a US national. Under what conditions will the US initiate lethal operations away from a recognized battlefield? What is a recognized battlefield these days? Under whose authority can such an attack be issued? Does Director CIA now have an automatic license to kill? Can US nationals lose their constitutional protections, possibly their life, on an agency’s decision?

Pam Hess wrote that the attack "may not have violated the U.S. ban on assassinations, but the Bush administration's new rules on America's right to self-defense in the uncertain battlefield of the war on terrorism need to be sharply defined, according to former intelligence officials and experts." Condoleezza Rice said that, "I can assure you that no constitutional questions are raised here. The President has given broad authority to US officials in a variety of circumstances to do what they need to do to protect the country" and he is "well within the balance of accepted practice and the letter of his constitutional authority."

At the time, I commented that, "We are going to have to make increasingly difficult decisions to resolve the survival of our national wellbeing and polity in the face of increasing aggressive adversaries armed with potent weaponry and waging a war unlike any that we have experienced." I returned to this theme in a later private note, "Life is indelicate when one’s continued existence is at odds with one’s ethics, especially when the foe is assuredly not a Geneva signatory and feels that he can torture and kill you at will to achieve his aims. And better to fight it there than here -- and enlist the governments in question to assist lest they themselves fall."

We are now on the eve of what appears to be a systematic massed human target attack by al Qaeda.  I feel that if we were not then, we are now firmly on the glide slope of Gresham’s Law of Competitive Behavior and that the art will be to recover a larger humanity if and when it is over.

Gordon Housworth



InfoT Public  Strategic Risk Public  Terrorism Public  


Defining an acceptable level of personal information capture


Too much information, too little trust has value in defining a 'glide slope' of increasingly rich information about us regardless of our wishes. It definitely has value to us as we are engaged in some data mining activities for commercial and federal clients. If we exceed society's acceptable 'rate of descent' on the glide slope, our clients can find themselves in a JetBlue, NW Airlines, or DARPA pickle barrel. If we stay on the glide slope then our client is OK. It is useful for us to know what the slope is and advise accordingly. If the client then wishes to push the stick over, the crash is on their hook.

"Everything will be recorded by 2009. It's been estimated that within three years the density of cell phones with cameras will be about 400 per metro city block. Your life will be held in bits stored somewhere, and the only meaningful restriction on how that data will be combined and used will be regulation," Hunter said.

In addition, over the next decade billions of smart sensors embedded in buildings, clothing, everyday objects and almost anything with which you interact will be passing information that can be connected and combined in logs documenting your personal data trail.

Clearly it will become increasingly difficult to prevent data fusion from painting an increasingly personal portrait of each of us.

"Most companies are too aggressive in gathering information about customers. An estimated 70 percent of users abandon a site when they are asked for personal information as a condition of using a site, Hunter said. More than 10 percent provide false data."

That's me. And when I don't abandon, I have a host of aliases, a group of personas such as a juvenile female from Minnesota, use obscure zip codes from rural areas of the US for address validation, and enter email addresses that will validate but are not mine.

"…but companies need to make clear why the information is being collected and how it will be used. Hunter recommends gathering only as much information as is needed to work with a customer within an established relationship. As the relationship expands and a notion of trust evolves, more data can be harvested."

People surrender much greater information in the name of convenience, utility and perceived value. Witness the new service from EarthCam online-camera network that allows people to broadcast live video for others to view on Web-enabled cell phones. The concept is to allow folks to view imagery from home security cams, nanny-cams and other webcams without taking along a laptop. It may later be harvested to undesirable ends, but perceived value and sustained trust will start and keep it flowing.

Readers will no doubt find many other levels of applicability for which they will surrender personal information.

Too much information, too little trust
By Dan Farber,
Tech Update
April 5, 2004

Gordon Housworth



InfoT Public  Infrastructure Defense Public  


Worldwide maritime interception, search, and destroy


The recent classified order on maritime interceptions that permits US naval forces to globally board and, if necessary, sink ships suspected of harboring terrorists or WMD is a quantum, but not unexpected, extension of the 2003 Proliferation Security Initiative that allows the US and mostly NATO allies to search suspicious vessels and aircraft and seize illegal weapons or missile technologies.

This extension of the right of self-defense to the high seas has legal authority under Article 51 of the UN Charter that recognizes the "inherent right of individual or collective self-defense if an armed attack occurs against a Member." Means are also being taken to both permit Coast Guard assets to quickly support Naval forces in our territorial waters and allow US naval assets to support global Coast Guard assets that already have the authority to board suspicious ships worldwide.

We’re on the verge of an overdue maritime NORAD under Northern Command (NORTHCOM) that tracks all vessels that enter US and Canadian territorial waters. While the US can already board a ship in US territorial waters or one flagged by a state that has a bilateral boarding agreement with the US, we do not track everything that enters our "seaspace."

While it is feasible to have each vessel entering a maritime NORAD to transpond their position, crew and cargo identification, corporate details and recent port calls, we will still have no cooperation from illegitimate vessels (criminal or terrorist) nor do we have a handle on the global audit trail from port of embarkation through stops en route, cargo loaded and put ashore at each port of call, etc.

Global maritime security is complicated in that too much of the world’s bottoms are effectively untracked in any continuous, effective manner. Even though US intel agencies have set up databases to track ships, cargo, and crew in an attempt to spot anomalies that might point to a dangerous vessel, crew, stowaways, or cargo, vast holes remain among a fleet of 120,000 merchant vessels not counting smaller vessels.

Passing in and out of those holes is an al Qaeda ‘ghost fleet’ that has varied between 12 and 50 "ships of concern" carrying conventional commodity cargo, operatives, and explosives. Gaps in surveillance coupled with new names, registries, hull numbers, and paint allow these vessels to periodically slip away.

The International Ship And Port Facility Code (ISPS) and SOLAS additions are still a work in progress. Add to that the as yet unresolved semi-criminalized registration process of "flag of convenience" nations, some of which ask for virtually no data from shipping firms and even permit email registration, and no wonder that the task is Augean in its proportion and that nautical attacks have risen worldwide as allies have hardened their airports and critical infrastructure.

It is this enormous nautical threat both in coastal and international waters that has been taken so seriously in some parts of government, yet leaves me wondering why in other parts, notably the major TopOff 2 terrorist attack exercise, the littoral threat component in simulated attacks in Seattle and Chicago was ignored.

Gordon Housworth



InfoT Public  Infrastructure Defense Public  Strategic Risk Public  


Crushing those who sacrifice to defend us


Low pay squeezes FBI agents and perhaps U.S. security resonates with us as we are close to a young man, married, with a young child, with superb credentials that has recently started as an analyst for the federal government and is in a similar predicament in one of the high cost of living areas. I still find it horrifying that we can treat our finest, most earnest and committed young men in this fashion. I was in disbelief when I first heard of the annual figure, but it is accurate.

I am as grumpy over the bureau's pay structure as I am the proposed "resolution," i.e., send new agents to remote postings where it is cheap.  Better that they be posted, properly compensated, to 'hive centers' such as NYC, so that they can work with their elders, absorbing and passing along hard learned lessons that will protect them as well as us.

I wonder how long these young families can withstand the stress.  I can hope that plentiful, loud, and immediate exposure can help resolve this shameful bureaucratic muddle.

Low pay squeezes FBI agents and perhaps U.S. security
By Kevin Johnson and Toni Locy, USA TODAY

Gordon Housworth



InfoT Public  Infrastructure Defense Public  


Staged Air Force DC flyover: triumph of PR over safety


The four passes over the capitol mall that included a pair of F-16s noted in Staged Air Force Flyover Stirs Curiosity would certainly have gotten my attention. With all manner of tourists out viewing the cherry blossoms and no public coordination, one is moved to ask, What were they thinking?

It seemed that the Air Force checked with everyone but the citizenry of DC. I can see some diligent folks going down a security checklist that just didn't have 'news media' or the PIO (public information officer) on it.

The resulting video clip may ultimately play well nationally but I think that it will be remembered a bit differently by DC residents.

Staged Air Force Flyover Stirs Curiosity
F-16 Fighters Part of Promotional Photo Shoot
By Liz Seymour
Washington Post Staff Writer
Tuesday, April 6, 2004; 3:18 PM

Gordon Housworth



InfoT Public  Infrastructure Defense Public  
