VIDEO: Security Threats by the Numbers - Cisco 2013 Annual Security Report

The kind folks at Cisco published their Annual Security Report. What I like about what they did is they chose to publish in a video infographic format. As you can tell, I'm a HUGE fan of infographics. However, if you're a stickler for PDF reports, I'll have a link below the video of the entire report.

Some interesting facts:

• Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016.
• Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity.
• 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity—although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work.
• Cisco’s research shows significant change in the global landscape for web malware encounters by country in 2012. China, which was second on the list in 2011 for web malware encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States.

To read more of the report, click here.

Hire Anonymous! - Cyber Threat Summit 2012 by paulcdwyer

Paul C Dwyer President of the ICTTF International Cyber Threat Task Force discusses the concept of identifying talented individuals (hackers) before they seduced into a world of cybercrime. He discussed traits and characteristics in such vulnerable minors such as Aspergers Syndrome and references the case of Gary McKinnon.

HACKED: Anonymous Keeps Its Word and Pwns Westboro Baptist Church

As I reported yesterday, the hacker consortium known as Anonymous has targeted the members of Westboro Baptist Church.  The church announced, after the tragic events of 12/14/2012, it would be picketing the funerals of the victims.  Anonymous, along with the rest of the world, took this a bit personal and announced it would be lashing back.  It began with a release of personal information on Westboro Baptist Church members and leaders.  Most recently they decided to hack the church's spokesperson's Twitter account and the resulting Tweets have provided an insight into how the "hacktivist" organization may have found some redemption.

Check out the "tweets" from @DearShirley - the account hacked by Anonymous.

This account is now being ran by @cosmothegod #UGNazi #oops
— Cosmo (@DearShirley) December 17, 2012

Sorry, Shirley isn't available at the moment. #hehe twitter.com/DearShirley/st…
— Cosmo (@DearShirley) December 17, 2012

@dearshirley @cosmothegod epic hack against some sick fuckers picketing murdered children's funerals. #westborobaptistcunts
— Dave Plank (@PlankDave) December 17, 2012

The internet wins today. @cosmothegod hacked @dearshirley, that horrible woman from WBC. Faith in humanity is slowing returning. Well played
— shannon (@juststay) December 17, 2012

@dearshirley God hates ignorance you ignorant fucks! @cosmothegod thanks for havin a conscience & sense of humor! #fuckWBC #GodSentTheHacker
— Boz (@whodatginga) December 17, 2012

“@dearshirley: This account is now being ran by @cosmothegod #UGNazi #oops" Hahaha I'm not usually a fan, but these guys are growing on me.
— Charles McIntosh (@xWhistlinDixieX) December 17, 2012

They've even called on the White House to declare Westboro Baptist Church a "hate group":

Everyone sign this petitions.whitehouse.gov/petition/legal… #UGNazi
— Cosmo (@DearShirley) December 17, 2012

Even politicians got in the mix:

RT @exiledsurfer Looks like #UGNazi has control of #WBC @dearshirley's twitter account. Oops.twitpic.com/bmqxae
— Rep. Dan Gordon (@_RepDanGordon) December 17, 2012

I'll be checking out the feed some more over the next few things.  It's bound to get even more interesting.

VIDEO: Hacker Consortium, Anonymous, Message to the Members of Westboro Baptist Church

I'm no huge fan of the hacker consortium called Anonymous, but given the tragic events of 12/14/12, I am not entirely surprised by their actions against those who try to exploit the deaths of the victims. Check out their latest message to the members of the infamous Westboro Baptist Church.

Cyber Defense: The facts associated with the hacker mindset

I made a really awesome contact with Terry Beaver, a cyber security expert to say the least.  During a recent conversation on LinkedIn, he directed me to his blog, Cyber Integrity.  I was immediately impressed by the first article I saw.  I've included the link to the article and his blog throughout so you can check him out.  Terry, thanks again for continuing to push innovation in the cyber security realm.

The facts associated with the hacker mindset:

1. Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
2. Information is a commodity and tradeable.
3. What man can conceive – man can and will hack
4. Retrofitting security onto existing platforms always fails – not withstanding that most security systems were not designed from the inside out beginning with understanding the hacker culture and methods.
5. Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
6. While this statement was writing, attack vectors were exploited all over the world.
7. In the commercial world; security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security and at best, it is an afterthought laden with reactive vs. proactive behaviors.
8. Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
9. Information has a shelf life and is subject to being exploited for hacker benefit.
10. Intellectual property and sensitive data is a means for me to support my lifestyle.

Postulates of a Hacker:

1. Understanding how things work is an advantage over ignorance.
2. Curiosity and ego are more powerful motivators than money.
3. Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
4. Not all people are rational, therefore choices are not predictable.
5. Finding flaws and vulnerabilities requires an un-structured approach, out of the box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
6. Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self centric in behavior. It may not be disciplined but often the “hack” works.
7. There are no borders on the Internet
8. Accountability is an effective “deterrent” against “insecurity” – applies to you, not I. If you fire me up, I will hit (hack) you.

The Hacker’s conclusions:

1. If you turn it on and connect it, they will come – and try and take it.
2. It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
3. The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
4. Capture the flag is the best paradigm for understanding security.
5. The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
6. Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
7. If someone wants to breach your security seriously or badly enough – they will.
8. The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends.  Hackers sleep only when they need to.
9. Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
10. eCommerce is insecure – but so is regular commerce including banking (lead pipe rule)
11. Advancing and emerging hacker technology always defeats information security policies.
12. Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important that compliance.
13. There is no accountability for poor security – only excuses.
14. Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.) Cyber threats are increasing not decreasing.
15. Confidentiality is a function of time and energy.
16. Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.

Cybersecurity | Senator Lieberman speaks before Senate about the need for cybersecurity legislation by JoeLieberman

The U.S. Senate Wednesday rejected a second chance to move forward with critical cybersecurity legislation supported by top-ranking members of the nation's intelligence, national, and homeland security communities. By a vote of 51-47, the Senate failed to approve a procedural motion to end debate on the bill, S. 3414, and move to a final vote. Read the full text of the Senator's statement here: http://www.lieberman.senate.gov/index.cfm/news-events/news/2012/11/senate-rejects-second-chance-to-safeguard-most-critical-cyber-networks-protect-economic-national-security

Senator Feinstein on Cybersecurity by SenatorFeinstein

Senator Dianne Feinstein spoke on the Senate floor on Nov. 12, 2012, about cybersecurity and the need to protect the United States from devastating cyber attacks.

South Carolina Governor Discusses Cyber Intrusion by ThePentagonChannel

South Carolina Governor Nikki Haley talks to TPC anchor SSgt Josh Hauser about South Carolina's recent cyber intrusion and what help is out there for those affected. http://www.dvidshub.net/video/192098/south-carolina-governor-discusses-cyber-intrusion

UPDATE: Lost Drone or Trojan Horse?

So if you've been keeping tabs on the lost UAV in Iranian hands, you've probably read recently the Iranian claims that they brought the bird down with "electronic warfare".  Many experts have pondered on what techniques could have been used to bring down a "stealth" drone.  A popular theory has consistently been that the Iranians have spoofed the Global Positioning Satellite link between the UAV and its base and used that technology to "guide" the aircraft to their base in Iran.    It's even supported by a report done by the US Air Force on UAV vulnerabilities.  In a nutshell, the Iranians and these experts are claiming the Iranians tricked the UAV into believing the Iranians were the American base in Afghanistan in which it was supposed to be landing at.  What would this entail?  One theory I came across, via a comment on Bruce Schneier's original article on the lost UAV, was the Iranians could have used a mixture of high-gain antennas, a microwave link, and two aircraft following at the same speed as the UAV.

I have some issues with this theory from an intelligence standpoint, as it supposes a lot about the Iranians and their capabilities.

1. It would lead you to believe the Iranians have a need to bring down a drone which is simply taking pictures that any high-resolution satellite could pick up albeit not in real-time.  The Iranians have known for quite some time that we've been using our technology to spy on them and what areas we would be "curious" about.  Heck, any fourth grade student whose ever played Call of Duty knows that as well.
2. Second, it presumes the Iranians have the intelligence to know when exactly a UAV is flying and over which area.  Where would they get this type of information?  We have captured ZERO moles inside our government who would/could link sensitive drone technology/intelligence to Iran.  They would require an immense amount of verifiable data for such a project to be undertaken undetected and implemented almost flawlessly such as flight patterns (remember this is a "stealth" aircraft SEVERAL years in the making), satellite data which no other foreign government has used as of yet, real-time drone locations, and types of drones being flown.  Keep in mind the Beast of Khandahar wasn't "discovered" until 2009 at a base in Afghanistan. 
3. Third, that it would have the time to detect and dispatch the necessary equipment to those areas.  Even if it had the intelligence necessary, it has little in the ways of "stealth" technology to test this against let alone test it without raising eyebrows in Washington or Tel Aviv. 
4. Lastly, the Iranians never once thought to employ or use this in their campaign against the United States in Iran.  Seriously, why is this the first time the Iranians have showcased such a bird?  This presumes this is the first "stealth" UAV to fly over Iranian territory.  Surely, if they were as good as some pundits would have you believe, where are the other "stealth" drones?  I know - Iran, now claims to have seven other US drones.  What we know for a FACT is they have one verifiable drone in their custody.  How hard would it be to recreate a mock-up and say they "captured" the others?  Why now has the President requested just this one particular drone?  Because they only had this one and he already got what he wanted when it crashed.
5. Just because something is possible does not make it plausible.  It is possible I could one day become the CEO of Microsoft, but given my lack of experience as the CEO of a major corporation, it is not plausible.  The same can be said of the Iranians.  They are great at many things.  And are a very good adversary.  However, this is a country that had a 7 year war with a country that took us a few months to overrun (barring the pseudo-quagmire that later ensued with the help of our Iranian "friends").  Having such technology could be useful, in many arenas and operational theaters for Iran, yet it only provides "fruit" for them now?

If I were in the business of punditry and consulting for major media networks, I would stick to the "massive intelligence failure" story.  However, I'm just a guy with a blog so I'll stick with what's plausible and wonder how a multi-million dollar "stealth" aircraft flown by the largest intelligence apparatus has a "mechanical failure" over an enemy's territory whose nuclear development program was brought to its knees by a computer virus invented probably by the aforementioned intelligence agency.

Lost UAV or Trojan Horse?

I'm sure you've read all the hoopla about the Iranians capturing a U.S. spy drone.  The news media has asked just about every intelligence "expert" they have on their rosters.  Most have taken the bait and sensationalized the story almost beyond belief.  The other day I heard someone call it a "massive intelligence failure". Others have claimed the Iranians will reverse engineer  this aircraft (actually the Iranians said this) and use its "stealth" technology.  Some have even lauded the "success" of Iran's first unmanned bombing drone also supposedly equipped with "stealth" technology.  You would think these guys were Romulans.

Al Shabaab vs The Security Dialogue: Let the Twitter War Begin!!

I'm not necessarily a person who goes "looking for a fight" but I do detest bullies.  Moreover, I hate it when people take something "good" and distort into something more perverse.  So when I had a chance to confront the Somali Al Qaeda franchise - Al Shabaab, I couldn't resist but to get a few good jabs in.

It all started, when I learned they had their own Twitter profile.  One could say, I went looking to start a fight:

It would also be safe to say the boys from Al Shabaab were feeling the heat from all over the Twittersphere throughout Somalia (thanks Kenya):

It didn't help matters that I could have cared less:

I was little worried they didn't want to continue this any longer until....

So naturally I said:

The link I provided above is an article describing how
Al Shabaab has denied foreign aid access to Somalia's worst
hit famine areas.

I'm not sure how far I'll take my bantering with these guys.  All I know is they (the writer) is much more articulate with his English vernacular than I originally assumed.  For terrorists, they do seem to be a bit "thin-skinned".  I'm waiting for an actual tweet back from Al Shabaab.  I know they're busy waging jihad (shame it's the lesser jihad as pronounced by Muhaamad) but I'm beginning to wonder how they expect to win the propaganda war if they let something like my desire to pester them get in their way.  Stay tuned - this could get interesting.

For more on Al Shabaab, feel free to visit any of the links below:

1. http://www.nctc.gov/site/groups/al_shabaab.html
2. http://www.aljazeera.com/news/africa/2009/08/20098432032479714.html
3. http://www.meforum.org/2486/somalia-al-shabaab-strategic-challenge
4. http://csis.org/files/publication/110715_Wise_AlShabaab_AQAM%20Futures%20Case%20Study_WEB.pdf
5. http://csis.org/publication/al-shabaab
6. http://csis.org/files/ts110524_Sanderson.pdf
7. http://www.reuters.com/article/2011/11/28/us-somalia-aid-idUSTRE7AR0N720111128

Here are some aid groups which do work in Somalia (I HIGHLY encourage you to check them out and DONATE):

1. http://doctorswithoutborders.org/news/allcontent.cfm?id=68
2. http://care.org/
3. http://www.mercycorps.org/
4. http://www.unicefusa.org/work/emergencies/horn-of-africa/?gclid=CKTynZ-2kKoCFQHu7QoddxOsxw
5. http://www.icrc.org/
6. http://www.edesiaglobal.org/
7. Save the Children   
8. The World Food Programme  
9. World Vision  
10. The International Rescue Committee

HOT!!:: FREE ONLINE CRYPTO CLASS AT STANFORD

So when Ivy League schools give FREE classes in cryptography, I don't waste any time in signing up.  Looks like Stanford University is doing just that.

Here's some info direct from the FAQ section:

When does the class start?
The class will start in January 2012.

What is the format of the class?The class will consist of lecture videos, which are broken into small chunks, usually between eight and twelve minutes each. Some of these may contain integrated quiz questions. There will also be standalone quizzes that are not part of video lectures, and programming assignments. There will be approximately two hours worth of video content per week.

Will the text of the lectures be available?
We hope to transcribe the lectures into text to make them more accessible for those not fluent in English. Stay tuned.

Do I need to watch the lectures live?No. You can watch the lectures at your leisure.

Can online students ask questions and/or contact the professor?Yes, but not directly There is a Q&A forum in which students rank questions and answers, so that the most important questions and the best answers bubble to the top. Teaching staff will monitor these forums, so that important questions not answered by other students can be addressed. 

Will other Stanford resources be available to online students?No.

How much programming background is needed for the course?The course includes programming assignments and some programming background will be helpful. However, we will hand out lots of starter code that will help students complete the assignments. We will also point to online resources that can help students find the necessary background.

What math background is needed for the course?
The course is mostly self contained, however some knowledge of discrete probability will be helpful. Thewikibooks article on discrete probability should give sufficient background.

How much does it cost to take the course?Nothing: it's free! 

Will I get university credit for taking this course?No.

The course is being taught by Professor Dan Boneh who heads the applied cryptography group at the Computer Science department at Stanford University. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, digital copyright protection, and cryptanalysis. He is the author of over a hundred publications in the field and a recipient of the Packard Award, the Alfred P. Sloan Award, and the RSA award in mathematics. Last year Dr. Boneh received the Ishii award for industry education innovation. Professor Boneh received his Ph.D from Princeton University and joined Stanford in 1997.

Here's another look at the link for the class:

http://www.crypto-class.org/

My, how times have changed....Haven't they????....

Saw this gem on Twitter......Can't remember from whom (sorry)......Makes you wonder how far we've come with our perceptions of hackers and the threat they pose......

Ummm...I think it's safe to say someone might get fired for this one....

Boys and girls, this is something you should NEVER EVER EVER EVER do.....During tonight's Redskins' post-game interviews, this little gem was revealed by one of Fox News' cameras....And blasted all over Twitter.....Safe to say, someone probably got fired....

Chinese Really Dig Cyberwarfare...You Think?

My ultra-favorite security magazine Security Management has written an articlle detailing the testimony of certain government officials and contractors before the U.S.-China Economic and Security Review Commision. They informed the panel "that the Chinese government has embraced cyberwarfare and is directing its intrusions at U.S. government and critical infrastructure networks." According to Colonel Gary D. McAlum, director of operations for the Joint Task Force for Global Network Operations,

"The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks."

What about all of the attacks originating from China we've been reading about? Don't fret. The Chinese have set a goal of 2050 to achieve "electronic dominance" through attacks on information infrastructure.

The DoD won't come out and say the world's second largest econoomy is vying for supremacy through hacking, it did note "a 31percent increase in malicious activity on its networks from 2006 to 2007." What attraction does cyberwarfare have fo such a country as China? It provide anonymity and an "asymetrical advantage", according to Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc..

Commission Co-chairman Peter T.R. Brookest cited attacks last spring on Estonia recalling that it wanted to evoke the collective defense clause of the NATO Charter and said "this is a question of escalation" moving from non-conventional to conventional, i.e. military, responses.

Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically. His next remark should sound familiar.

"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it’s military or economic."

CyberCommand anyone? What about this little tidbit from the article?

Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China." Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"

The nasty Cisco routers are keep creeping back into the blogosphere. For more information from Security Management, click here.