Showing posts with label Network Security. Show all posts

Thursday, December 13, 2012

Cyber Defense: The facts associated with the hacker mindset

I made a really awesome contact with Terry Beaver, a cyber security expert to say the least.  During a recent conversation on LinkedIn, he directed me to his blog, Cyber Integrity.  I was immediately impressed by the first article I saw.  I've included the link to the article and his blog throughout so you can check him out.  Terry, thanks again for continuing to push innovation in the cyber security realm.
The facts associated with the hacker mindset:
  1. Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
  2. Information is a commodity and tradeable.
  3. What man can conceive – man can and will hack.
  4. Retrofitting security onto existing platforms always fails – notwithstanding that most security systems were not designed from the inside out beginning with understanding the hacker culture and methods.
  5. Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
  6. While this statement was being written, attack vectors were exploited all over the world.
  7. In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security and at best, it is an afterthought laden with reactive vs. proactive behaviors.
  8. Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
  9. Information has a shelf life and is subject to being exploited for hacker benefit.
  10. Intellectual property and sensitive data is a means for me to support my lifestyle.
Postulates of a Hacker:
  1. Understanding how things work is an advantage over ignorance.
  2. Curiosity and ego are more powerful motivators than money.
  3. Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
  4. Not all people are rational, therefore choices are not predictable.
  5. Finding flaws and vulnerabilities requires an unstructured approach, out of the box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
  6. Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self-centric in behavior. It may not be disciplined but often the “hack” works.
  7. There are no borders on the Internet.
  8. Accountability is an effective “deterrent” against “insecurity” – applies to you, not I. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
  1. If you turn it on and connect it, they will come – and try and take it.
  2. It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
  3. The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
  4. Capture the flag is the best paradigm for understanding security.
  5. The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
  6. Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
  7. If someone wants to breach your security seriously or badly enough – they will.
  8. The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends.  Hackers sleep only when they need to.
  9. Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
  10. eCommerce is insecure – but so is regular commerce including banking (lead pipe rule).
  11. Advancing and emerging hacker technology always defeats information security policies.
  12. Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
  13. There is no accountability for poor security – only excuses.
  14. Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.). Cyber threats are increasing not decreasing.
  15. Confidentiality is a function of time and energy.
  16. Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.

Monday, October 3, 2011

My, how times have changed....Haven't they????....

Saw this gem on Twitter......Can't remember from whom (sorry)......Makes you wonder how far we've come with our perceptions of hackers and the threat they pose......

Thursday, May 22, 2008

Chinese Really Dig Cyberwarfare...You Think?

My ultra-favorite security magazine Security Management has written an article detailing the testimony of certain government officials and contractors before the U.S.-China Economic and Security Review Commission. They informed the panel "that the Chinese government has embraced cyberwarfare and is directing its intrusions at U.S. government and critical infrastructure networks." According to Colonel Gary D. McAlum, director of operations for the Joint Task Force for Global Network Operations,
"The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks."

What about all of the attacks originating from China we've been reading about? Don't fret. The Chinese have set a goal of 2050 to achieve "electronic dominance" through attacks on information infrastructure.

While the DoD won't come out and say the world's second largest economy is vying for supremacy through hacking, it did note "a 31 percent increase in malicious activity on its networks from 2006 to 2007." What attraction does cyberwarfare have for such a country as China? It provides anonymity and an "asymmetrical advantage", according to Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc.

Commission Co-chairman Peter T.R. Brookes cited last spring's attacks on Estonia, recalling that Estonia wanted to invoke the collective defense clause of the NATO Charter, and said "this is a question of escalation" moving from non-conventional to conventional, i.e. military, responses.

Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically. His next remark should sound familiar.

"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it’s military or economic."

CyberCommand anyone? What about this little tidbit from the article?

Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China. "Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"

Those nasty Cisco routers keep creeping back into the blogosphere. For more information from Security Management, click here.

Tuesday, May 20, 2008

A new kind of war to fight....

Looks like the US Air Force Cyber Command wants to establish the same level of superiority in cyberspace that the Air Force has in the skies. The Cyber Command wants a new set of "hacker" tools to engage in both offensive and defensive operations against cyber-based threats which pose a risk to American interests. No word yet on where the headquarters will be. As we hear more and more in the news about the growing murky criminal/hostile terrain that exists online, I suspect we'll see more justification for such units to exist. China has its own unit dedicated to this. Why not us?

Sunday, March 16, 2008

Book Review - The Art Of Deception

Well....I finally did it. I finally finished Kevin Mitnick's book, The Art Of Deception. This was perhaps one of the most compelling books I've read in a very long time. It covers the ways in which many of our corporations and government agencies are vulnerable. It details techniques once thought of as "old-school", such as dumpster diving and pretexting, through which information thieves gain insight into the very workings of these organizations.

The book is 352 pages of real-life examples of Mitnick's former operations and those of his former comrades. I particularly liked his ideas about how we can protect against these attacks. Some would think this would be an opportunity for Mitnick to brag and thumb his nose at his former adversary, the US government. But it isn't. It is certainly a guide to some very low-tech means by which these guys operate and exploit.

This book is a must-read for anybody who cares about security. I would suggest this for any reader who wants to protect themselves or their organizations. If you think you're not vulnerable, hire an outside firm to do a penetration test on your people, not your systems, and see where your vulnerabilities are. I can tell you from my experience, the best way to defend yourself is to protect your people. Your systems need people to operate and maintain them. If your folks fail to perform basic due diligence when dealing with anyone seeking information or access (either physical or virtual) into your organization, then you'd better get them doing it ASAP. If you're in charge of security for any corporation, I HIGHLY suggest this book.

Thursday, March 13, 2008

Integrating Physical and IT Security

On Wednesday, Honeywell issued a press release revealing that many companies are integrating physical security measures with their IT security systems. They interviewed over 50 CIOs, CSOs, and CI&SOs of major US-based global companies.
According to their release:
Most respondents indicated increased interaction between their security and IT functions:

* 63 percent said their security and IT organizations “had a formal coordination mechanism”
* 10 percent stated the two functions are run as one entity within their organizations
* 52 percent noted their security functions had a formal working relationship with their audit and compliance functions, while 11 percent said those functions are combined
Why the integration? Some might say the better question is why it has taken so long. Well, it turns out many of the respondents feel that a vulnerability in either field could bring about a breach in the other. Take a look at this data:
* 91 percent of the responding companies showed an increase in security investment
* 75 percent of which said those investments increased by more than eight percent
* 31 percent suggested a greater than 12 percent rise

“This study reinforces that companies are increasingly concerned with protecting their information assets as well as their physical assets, and they recognize that integrating once-disparate systems can be effective in addressing threats,” said Jim Ebzery, senior vice president of Identity and Security Management at Novell, which recently collaborated with Honeywell to develop a converged physical-IT security system. “How they choose to implement convergence varies on a number of factors including internal roles and overall attitudes about its effectiveness.”

With all this talk of integration, the question which must be asked is "Who's in charge in the event of a coordinated attack on both systems?"
* 34 percent said there isn’t a single internal contact
* 27 percent said the Director of Security is responsible
* 14 percent said a single CSO deals with the threats
* 14 percent said the Crisis Management Group is ultimately responsible
The study’s margin of error is plus/minus 2 percent.

If you're considering this as a career, it behooves you to get "smart" on both sides. What sense does it make to build a multi-tiered surveillance system on network infrastructure if you're not knowledgeable about the risks you face? I would hate to be you if an incident occurs on the IT side and it affects your cameras or alarms. I'm sure your boss is going to ask what measures were in place and how they were defeated. He/she will be looking at you to communicate with IT to find out.

Tuesday, March 4, 2008

UK Card Readers Hack

According to SecurityFocus, an e-zine which focuses on electronic security issues, UK merchants have a problem. It sounds like a pretty significant problem with their card readers. SecurityFocus' article says that when credit cards are read by these devices, the information is not encrypted and is thus readable by anyone with access to the data stream from that reader.

The University of Cambridge discovered that the PIN entry device (PED) vulnerabilities allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards.

For those of you unfamiliar with the UK's debit and credit setup, I'll explain. Let's say I go to a restaurant and purchase a dinner for two costing a certain amount of money. The waitress brings out a portable card reader in which, instead of swiping, she places your chip-embedded debit or credit card from a UK bank inside the reader. Then the transaction proceeds like it does everywhere else. The readers then transmit the card information through a wireless connection. Catch where I'm going with this? If not, continue reading and you'll get it eventually.

According to SecurityFocus, the researchers described the vulnerabilities in a paper to be published at the IEEE Symposium on Security and Privacy in May.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at UC's Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."

This is not a UK-only vulnerability. There are all sorts of vulnerabilities with card readers all over the world. If the card information isn't encrypted on the merchant, purchaser, and bank ends, then there will always be a vulnerability.

Saturday, March 1, 2008

Google Hacking Tool

Now, I'm all for Google. I mean they've given me a blog and all sorts of other cool things like unlimited mail and an awesome task/reminder service. But there are moments when their technology, well, sort of scares the heck out of me. My membership with ASIS has proven invaluable once again. An article written in Security Management talks about another tool hackers have come up with to make finding vulnerabilities that much easier.

According to SM, "The new web auditing tool is known as Goolag Scanner, which uses Google's search engine to scour the Web for passwords and security holes."

It was written by a hacking group calling itself the Cult of the Dead Cow (cDc). This is the same group who created a little program called "Back Orifice". Sounds a tad bit perverted, but I can assure you the IT departments and users this little piece of software caused grief for didn't think it was any laughing matter. "Back Orifice" created a "back door" for hackers to remotely control any computer they gained access to.

Scared yet? Well, don't go calling IT in a panic yet. It turns out that this tool just uses Google to sniff out information you and I could find ourselves through Google; it would just take us a lot longer. Why is this something not to worry about? Because this program can tell you what hackers may already know about your setup that you don't. What is that exactly? How secure your website is.

According to cDc, they realize this threat and it's the reason they created it. "It's no big secret that the Web is the platform," said cDc spokesmodel Oxblood Ruffin. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."

It turns out DHS was made aware of the vulnerability a few weeks ago according to Ruffin. Security experts are now taking a look at the software to ascertain where they're vulnerable.

For now, let's make sure you're doing the same. Check out the article here. InformationWeek's article can also be found here.
