
ICG Risk Blog - [ Cybersecurity Public ]

Clarke's vision of securing the net


It appalls me that we have overlooked Richard Clarke's recommendations in cybersecurity as we have in other areas. I would agree with all of Vamosi's comments in "Richard Clarke: He could have secured the Net", save for his disagreement over the potential for a digital Pearl Harbor.

I think that something with at least a small "p" is possible -- and that opinion rises if I consider a concentrated attack on one critical element, given that the 2003 Federal Computer Security Report Card (9 December, 2003) scored the critical 24 federal agencies into an overall D grade from an F -- after four years of scoring, and that those still getting an F are the departments of Homeland Security, Energy, State, Justice, Health and Human Services, Interior, Agriculture, and Housing and Urban Development. (Defense got itself into the D category along with Transportation, GSA, Treasury, Office of Personnel Management, and NASA.)

"Had Clarke's proposals been taken seriously, all broadband users would have antivirus and firewall protection, and we might not have endured the MSBlast worm meltdown in August of 2003 nor be dealing with these pesky e-mail viruses right now. Microsoft might also be talking about releasing a version of Windows XP that had been independently proven to be secure (instead of us just taking the company's word that it's secure). In retrospect, we're no better off today, and perhaps we're actually worse off, than before the [National Strategy to Secure Cyberspace] existed."

Clarke further suggested that the government procure "only computer products certified by the National Intergovernmental Audit Forum (NIAF) testing program," but it was dropped as excessive regulatory intrusion.

With Clarke and his former reports departed, we now have no one with the breadth and vision needed to craft and lead a cybersecurity mandate. DHS is in disarray. As Peter G. Neumann observed:

"Technology alone does not solve management problems. Management alone does not solve technology issues. Reducing risks is a beginning-to-end, end-to-end system problem where the systems include all of the relevant technology, all of the relevant people, and all of the dependencies on and interactions with the operating environment, however flawed and complicated. But those flaws and complexities must be addressed systemically."

Not an easy thing to achieve on the best of days.

See 2003 Federal Computer Security Report Card

and IT Security Gets First Passing Grade — Barely
Published: December 15, 2003
Federal Times

Also these -- what might be called Clarke's legacy:

The National Strategy to Secure Cyberspace

National Strategy for Physical Protection of Critical Infrastructures and Key Assets

Richard Clarke: He could have secured the Net
By Robert Vamosi: Senior Associate Editor, Reviews
Friday, March 26, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Networked sensor cloud of trailing, ever-present data


In 2015: sensors everywhere, computers invisible describes a Gartner prediction that:

"[By] 2015, passive tags would begin to inhabit every non-trivial object, and every thing could be identifiable and located. Active, intelligent wireless networking and sensing devices will cost less than 50 cents. The sensors would run low power CPUs, have wireless and sensor chips, ad hoc networking algorithms, and gain power from the electromagnetic spectrum. In addition, the majority of computers will be invisible and disposable."

My experience with Gartner predictions, as with most predictions, is that the implementation glide slope is rarely as quick as predicted (often for societal drag in adoption as much as technology maturation) and that the development slope is not uniform across all technologies (some items hit snags, technical and regulatory, while others accelerate).

As long as one keeps this in mind and never forgets George Box's admonition that, "All models are false, but some models are useful" the prediction has merit. For my part I use a technology food chain analysis over time to see what items are advancing and which are bogging down (and where a "fix" is often in an unstudied, unrelated technology not under examination in the lagging segment).

In this case, the intelligent network tipping points are said to be "the availability of smaller, cheaper sensors, as well as two new breakthrough networking technologies: ultrawideband and WiMax (802.16). Ultrawideband creates a fast wireless connection that consumes about 10-4 the power of a cell phone, and WiMax promises 70 megabits per second across a 30-mile range."

While this article speaks to the fact that "[n]etworks have very long memories," creating a trailing cloud of data "that never gets deleted and gets backed up," it does not speak to the more malicious security aspects, namely the ways in which terrorism and 'garden variety' espionage can exploit the network.

Following this prediction to its conclusion makes the TSA's current CAPPS II effort seem quaint by comparison, but that is not to say that this particular level of data acquisition is acceptable, even though any nominally free society sanctions a certain level of approval, a willingness perhaps, to be knowingly monitored.

What I do see continuing is that commercial firms will continue to pursue data harvesting and analysis strategies that will be in turn harvested by government. Government can or will, depending upon your point of view, then integrate its own technology food chain.

In 2015: sensors everywhere, computers invisible
By Dan Farber,
Tech Update
March 30, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Intelligently restoring sequestered governmental geospatial information to public access


The lessons drawn from America's Publicly Available Geospatial Information: Does It Pose a Homeland Security Risk? extend beyond the vast number of libraries removed from federal and state agencies and into documentation that is, and will be, captured in Sarbanes-Oxley compliance efforts. Federal agencies have restricted considerable, formerly publicly available geospatial information, especially that available via the net. (In the case of public utilities and power producers, a portion of their Sar-Ox compliance documentation will be part of the same body of materials removed from view.)

RAND notes that while "publicly available geospatial information on federal Web sites and in federal databases could potentially help terrorists select and locate a target, attackers are likely to need more detailed and current information -- better acquired from direct observation or other sources" such as textbooks, street maps, non-governmental web sites, and trade journals. (Remember last year's FBI warning to police with regard to possession of almanacs.)

"Fewer than 6 percent of the 629 federal geospatial information datasets examined appeared as though they could be useful to meeting a potential attacker’s information needs. Furthermore, the study found no publicly available federal geospatial datasets that might be considered critical to meeting the attacker’s information needs (i.e., those that the attacker could not perform the attack without). Additionally, most publicly accessible federal geospatial information appears unlikely to provide significant (i.e., useful and unique) information for satisfying attackers’ information needs (i.e., less than 1 percent of the 629 federal datasets examined appeared both potentially useful and unique). Moreover, since the September 11 attacks these useful and unique information sources are no longer being made public by federal agencies. In many cases, diverse alternative information sources exist. A review of nonfederal information sources suggests that identical, similar, or more useful data about critical U.S. sites are available from industry, academic institutions, nongovernmental organizations, state and local governments, foreign sources, and even private citizens."

RAND notes that an analytical, rather than wholesale, examination process needs to be instituted to identify sensitive geospatial information and offers a starting point for assessing the Homeland Security sensitivity of publicly available geospatial information by filters for usefulness, uniqueness, societal benefits, and costs.

For more complete information, see the larger document: Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information. Chapters Two and Three are of great interest:

  • What Are the Attackers' Key Information Needs?
  • What Publicly Available Geospatial Information Is Significant to Potential Attackers' Needs?

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Detect your "serial openers" prone to social engineering attacks


As I read Security breaches: Blame the new guy, I thought: why not test who is prone to social engineering breaches by sending an internal spoof 'virus' that has no payload save for a counter of offenses? Of course, firms that launch it would capture names and email addresses, but that is acceptable so long as any penalty is reserved for repeat performances.

"Independent research conducted on behalf of SurfControl has revealed that almost half the HR and IT departments surveyed believe it is junior positions which expose the company to the greatest threat."

"... junior and temporary staff doesn't often feel the same degree of responsibility at work 'mostly because they haven't been allowed and encouraged to share it.'"

The untrained, the inexperienced, and the guileless are the equivalent of the "serial buyer" prized by spammers and, formerly, telemarketers. These "serial openers" and proto-openers may or may not be the new hires or the pedestrian positions. Why not test to find out? Send out different styles of 'simulant' to see who responds to what. I think that many firms will be surprised, especially when it comes to those who frequent P2P sites.
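The bookkeeping behind the payload-free 'simulant' described above, as an added example that is not from the original post: it tallies, per recipient, how many distinct test campaigns were opened versus reported, flags the "serial openers" who opened a repeat campaign (so a single lapse carries no penalty), and breaks open rates out by lure style to show who responds to what. The event records, user names, campaign ids and lure styles are constructed for the example; a real deployment would feed these functions from the mail gateway's delivery log and the simulant's hit counter.

```python
from collections import defaultdict

# Constructed sample telemetry from three internal, payload-free test lures.
# Each tuple is (campaign_id, lure_style, recipient, action), where action is
# "delivered", "opened" or "reported". All values here are hypothetical.
SAMPLE_EVENTS = [
    ("c1", "invoice",  "alice", "delivered"),
    ("c1", "invoice",  "alice", "opened"),
    ("c1", "invoice",  "alice", "opened"),     # second open of the same lure
    ("c1", "invoice",  "bob",   "delivered"),
    ("c1", "invoice",  "bob",   "reported"),
    ("c1", "invoice",  "carol", "delivered"),
    ("c1", "invoice",  "carol", "opened"),
    ("c2", "it-reset", "alice", "delivered"),
    ("c2", "it-reset", "alice", "opened"),
    ("c2", "it-reset", "bob",   "delivered"),
    ("c2", "it-reset", "bob",   "reported"),
    ("c2", "it-reset", "carol", "delivered"),
    ("c2", "it-reset", "carol", "opened"),
    ("c3", "p2p-link", "alice", "delivered"),
    ("c3", "p2p-link", "alice", "opened"),
    ("c3", "p2p-link", "bob",   "delivered"),
    ("c3", "p2p-link", "carol", "delivered"),
]


def count_offenses(events):
    """Per-recipient counters of distinct campaigns delivered, opened and
    reported. Opening the same lure twice is one offense, not two, so each
    counter is built from a set of campaign ids rather than a raw tally."""
    delivered, opened, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for campaign, _style, user, action in events:
        if action == "delivered":
            delivered[user].add(campaign)
        elif action == "opened":
            opened[user].add(campaign)
        elif action == "reported":
            reported[user].add(campaign)
    users = set(delivered) | set(opened) | set(reported)
    return {
        u: {
            "delivered": len(delivered.get(u, ())),
            "opened": len(opened.get(u, ())),
            "reported": len(reported.get(u, ())),
        }
        for u in users
    }


def serial_openers(events, threshold=2):
    """Recipients who opened at least `threshold` distinct campaigns, i.e.
    the repeat performers; a first lapse alone never lands on this list."""
    counts = count_offenses(events)
    return sorted(u for u, c in counts.items() if c["opened"] >= threshold)


def open_rate_by_style(events):
    """Fraction of (campaign, recipient) deliveries of each lure style that
    were opened, so the different simulant styles can be compared."""
    delivered, opened = defaultdict(set), defaultdict(set)
    for campaign, style, user, action in events:
        if action == "delivered":
            delivered[style].add((campaign, user))
        elif action == "opened":
            opened[style].add((campaign, user))
    return {s: round(len(opened[s]) / len(delivered[s]), 2) for s in delivered}


if __name__ == "__main__":
    for user, c in sorted(count_offenses(SAMPLE_EVENTS).items()):
        print(f"{user:6} delivered={c['delivered']} opened={c['opened']} reported={c['reported']}")
    print("serial openers:", serial_openers(SAMPLE_EVENTS))
    print("open rate by style:", open_rate_by_style(SAMPLE_EVENTS))
```

On the sample data, alice opened all three campaigns and carol two, so both are flagged as serial openers, while bob opened none and reported two; the "p2p-link" lure drew the lowest open rate. The threshold argument is the policy knob that keeps any penalty reserved for repeat performances.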

Security breaches: Blame the new guy
Will Sturgeon
March 26, 2004, 11:25 AM PT

Gordon Housworth

Cybersecurity Public  InfoT Public  


McLuhan Tetrad & technology food chain analysis


As I read RFID chips watch Grandma brush teeth, I had the thoughts that I so often have about RFID:

How will the story read above the fold in the New York Times?

What are the secondary effects?

What is the latency or persistency of a feature that was 'good' but can later morph into something 'bad' -- or the reverse?

What user perception issues will overdrive purely technical issues?

Where is the point of confluence where a group of tags takes on a very different capability, or threat, or completely new application?

The Marshall McLuhan "tetrad" analysis comes again to mind as a predictive tool to gauge the impact of emerging information technologies. I use the tetrad in a wide variety of applications in conjunction with technology food chain analysis. I think that the process has great merit to emerging RFID.

This pair of approaches has good application in any series of technology fields, either a fast moving field or a 'stagnant' field in which you are looking for a 'flip condition' to make something old very relevant. I used it to good effect for Japanese firms seeking an early, low/no risk point to invest in US firms:

RFID chips watch Grandma brush teeth
11:50 17 March 04 news service

Tiny computer chips that emit unique radio-frequency IDs could be slapped on to toothbrushes, chairs and even toilet seats to monitor elderly people in their own homes.

Data harvested from the RFID chips would reassure family and care-givers that an elderly person was taking care of themselves, for example taking their medication. Unusual data patterns would provide an early warning that something was wrong.

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Comment: 'Security product to strike back at hackers'


Responding to a colleague's comments on 'Security product to strike back at hackers':

+++ It sounds to me that in many cases its use would be illegal, not to mention the liability for hurting ISPs and clogging routers in the process.

I quite agree that it would be illegal and be open to civil liability as well as being seen as an aggressor's "info war," but then states regularly engage in acts that would be illegal if performed by a non-state asset. No question. That will not deter states from pursuing it but rather drive them to seek increasingly covert means to carry it off.

+++ Vigilante justice in the US went out a while ago.

Interesting thought as I wonder if it exists in different guise in response to different threats. Vigilantism rose in response to a lack of perceived authority and control, as in the case of San Francisco. There, as in other areas employing it, it is ultimately suppressed as a majority of citizens come to feel that a 'state' alternative can again handle the matter. In most cases the vigilante, victim, criminal, and bystander are all in the same judicial or political region. Things become far less clear when the perp is in another state, and where in that state he or she may not be seen as a perp at all, e.g. if the irregulars are on our side, they are freedom fighters; if on their side, a terrorist; and if we're undecided, a guerrilla.

Much of the growth of SOCOM (special operations) troops as humint & intel gatherers, recon, combatants, resistance organizers, and infrastructure builders/stabilizers could be seen as projecting a vigilante presence behind the lines of a foreign state. I do think that the SOCOM focus is needed and ultimately causes far fewer casualties, less collateral damage, and fewer secondary effects than do larger operations. Yet I am still waiting for a German commando team to come into the US and wipe out some of the Neo-Nazi sites that globally peddle things online that are verboten in Germany. (The Germans regularly protest and we regularly deny based upon our first amendment rights.) It will be a good litmus test of our support of extraterritoriality.

While I separate extraterritoriality into two parts, the statute law part in which, say, the EU accuses the US of attempting to export its legal system and the covert war part, I see both linked by what is called 'globalism' in that a state or stateless actor, weapon, construction technology, component, or operational tradecraft can quickly move across the globe such that the actual "theater of operations" transcends traditional borders. 'Local' takes on a new meaning and the global legal system has yet to adapt to it.

Covert force projection, even preemption, are practiced by many states but the US drew fire by formalizing what had been a de facto condition. Interestingly, no one is taking on the Russians who have long made no bones about their willingness to do so, up to and including the doctrinaire pre-placement of nuclear landmines and depot level busters, the first use of BW agents, et al at the very onset of war.

We are in a new state of war and we will be discussing how to negotiate it for years to come.

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  


Social-engineering attacks bypass more than your virus checker


The following is good tradecraft and good countermeasures. Nothing new per se, but something that needs constant training and vigilance. (3M, for example, long ago got on the bandwagon and has been hard to penetrate in this manner.) Just as with virus attacks, which depend upon Homo Boobus being lured to open the attachment, this penetration attack bypasses the network by working the people manning it.

Understand that it is human nature to want to help others (and you often train for this very behavior) but that this instinct can sidestep your security practices. As a security consultant wisely observed, there is "No common sense without common knowledge." Until your employees, contractors, and even suppliers, are aware of the dangers in leaking seemingly trivial corporate information, outsiders will be able to wangle through to areas you thought them barred.

FYI, the 'janitor' link takes you to the Winter 94-95 issue of 2600-The Hacker Quarterly. The article is "Janitor Privileges." We are not dealing with new things here.

Ensure that your security policy includes social-engineering attack prevention. And if you put in place a corporate alert system using a simple e-mail address (#10 below), please be sure to have someone actively monitoring it for response. You would not believe how many of those lines never answer or draw a response:

Why firewalls aren't always enough
By Robert Vamosi: Senior Associate Editor, Reviews
Friday, March 12, 2004

Like con men and grifters, criminal hackers (a.k.a. crackers) are talented people. The infamous Kevin Mitnick, for example, conducted most of his corporate intrusions by using the telephone, relying on the gullibility and friendly helpfulness of real people to gain access to corporate networks.

Such "social-engineering attacks"--often precursors to computer-network attacks--are still real threats, which is why they were a hot topic at this year's RSA Conference in San Francisco. That's why I thought it would be good to further explain what social-engineering attacks are and offer some pointers on how to protect yourself from them.


ASIDE FROM using the telephone, Winkler cited other ways crackers score information. Among them: good old dumpster diving, shoulder surfing (literally reading typed passwords over someone's shoulder, say, on the train), outright theft (stealing a backup tape, a notebook, a PDA, or a prototype model), and finally, getting hired into a low-level job at the company. It's common, said Winkler, for criminal hackers to apply for jobs as janitors or mailroom assistants within a targeted company.


(1) Activate caller ID at work. Calls within my company, for example, display the name of the person calling.

(2) Set your company's outbound caller ID to display only the front desk's phone number, not individual phone extensions.

(3) Implement a company call-back policy. If someone calls asking for information about the company, say you'll call them back, then dial the number from within your corporate directory or go through their company's switchboard operator.

(4) Be mindful of information posted in out-of-the-office messages. For example, don't leave the full name of your supervisor. A skilled cracker could now call another department and say that your supervisor is on his back because you're out on vacation and the cracker really, really needs access to this one particular account. In this case, a little knowledge can go a long way.

(5) Never allow anyone you don't know to piggyback physical access into a room on your security ID card.

(6) Confront strangers. Ask if you can take them to someone's office or help escort them outside.

(7) Get to know your IT support staff. That way, if someone else calls saying they're from IT and needs your network password, which you should never give out anyway, you can say no and hang up with confidence.

(8) Never write down your network password on a Post-it Note or tape it to the bottom of your keyboard; crackers, if inside the building, know where to look.

(9) Periodically perform a Google search on your company and scrutinize whether sensitive company information is available outside your corporate firewall.

(10) Institute a companywide security alert system. Have anyone who receives a suspicious phone call report it to a simple e-mail address, something like securityalert@company.

Gordon Housworth

Cybersecurity Public  InfoT Public  


RF networks under assault


The use of cell phones as a remote detonator noted in the WSJ Terror's Latest Trigger: Cell phones is only the beginning of a wave of impacts from a variety of devices with embedded microprocessors. While authorities are focused on cell phones, terrorists can move on to, say, PDAs, pagers, and PCs at a WiFi hot spot. GPS-enabled phones and devices could be triggered when they arrive at the right place regardless of the time. The telematics installations in vehicles could be engaged so that a device could be triggered either by a phone call, timer, or position -- or even altitude.

The critical path remains available RF spectrum. Should nations move to the unlikely prospect of disabling their cell phone networks, the perpetrators can just move on to WiFi. The very reasons that these RF-enabled tools are so popular make them an ideal trigger in soft target areas such as a coffee shop or a stadium.

"But short of shutting down a country's cell phone network, there isn't much that can be done to reduce this risk. Indeed, the proliferation of radio devices -- in everything from cell phones to garage openers to hand-held devices that remotely unlock car doors -- means much of the modern world is virtually blanketed with wireless radio-wave technology."

If nations cannot respond or suppress, how will local sites respond? Many facilities have already responded with illegal jammers, albeit for non-terrorist related reasons.

Many offices, hospitals, secure and/or military installations, places of public entertainment, and -- in Scotland -- hotels, are using illegal jammers to overpower a base station over a tunable spectrum. Some jammers are sophisticated enough to produce an interfering signal long enough to disable and then shut down. Others simulate a base station in order to establish communications with a phone with instructions to go to an inactive channel. The upshot is that the phone cannot communicate with the original base station.

Legal passive cell phone detectors can scan cellular-frequency bands and sound an alarm on detecting a cell-phone signal. The facility can then restrict entry if it so desires.

Note that the jammers themselves can be a target, i.e., if I want your facility as opposed to one next door, I get the device close enough to detect your jamming signal as a trigger.

A good primer on jammers is Jam that ringing cell phone? by Warren Webb, EDN.

The impact on commerce, on the very backbone of enabled RF devices, is mind boggling. We could see individual buildings or stores elect to take themselves out of the net(s), creating dark pockets in RF networks. A decade of infrastructure has been built to embed RF technology in every aspect of our life.

When I think of RFID tags, I think of assassination tools that detect the pre-scanned and identified RFID chip in a credit card, vehicle, or other device known to be on or near the targeted individual. The device is triggered when the target comes into range, and as that is generally a few meters, lethality is almost assured.

While there have been notable successes, such as in Switzerland, the sale of untraceable cell phones and SIM cards continues to climb outside the US where "almost 90% of users have contracts that require extensive application processes, including a credit check." Outside the US it is easy to obtain cell phones via prepaid subscription systems.

Using cell phones as triggers is only the beginning of an unpleasant and prolonged collision of our modern infrastructure with terrorists.

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Terrorism Public  


List Introduction

This list commences the public side of an impromptu list that started immediately after 11 September when colleagues were asking 'What is Islam?' What started as a brief history of Islam, the schism between Sunni and Shia, moderate and conservative, and their respective views towards the West morphed into a list on terrorism and infrastructure defense.

Save for a minority, there was an 'information hole' on interpreting current events. While that hole is much smaller now, I have continued to comment on events that strike my interest. I enjoy making people think, question their assumptions, and gain a window to global issues that make them more effective world citizens.

In the spirit of full disclosure, you should know that I write as a US national, holding US interests paramount, and am comfortable with a Geopolitik outlook. I lean to the opinion that, "We have no permanent allies, only permanent interests." It is immaterial to me if a foreign state is secular or religious, and if religious, whether it is Jewish, Muslim, Hindu or Christian. I only measure the effect of their actions on US interests.

If the reader has strong loyalties, be they religious, tribal, cultural or geographic, that work to the opposite, then a gap will exist that no datum or argument will resolve.

I agree with Sir Harold Nicolson's description of diplomacy as "the understanding that for intractable problems there are only adjustments and not solutions." Americans are resistant to that idea and too often paint a scenario in black and white, seeking a single, lasting, and implicitly moral solution. Other than by force-of-arms, it's difficult to find such a solution that works for diverse stakeholders, overcomes a history of accumulated slights and resentments, and engenders a negotiation process that's not resented by one or more stakeholders.

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  Weapons & Technology Public  

