The facts associated with the hacker mindset:
- Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
- Information is a commodity and tradeable.
- What man can conceive, man can and will hack.
- Retrofitting security onto existing platforms always fails, notwithstanding that most security systems were not designed from the inside out, beginning with an understanding of the hacker culture and methods.
- Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
- While this statement was being written, attack vectors were exploited all over the world.
- In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security and at best it is an afterthought, laden with reactive rather than proactive behaviors.
- Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
- Information has a shelf life and is subject to being exploited for hacker benefit.
- Intellectual property and sensitive data is a means for me to support my lifestyle.
Postulates of a Hacker:
- Understanding how things work is an advantage over ignorance.
- Curiosity and ego are more powerful motivators than money.
- Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
- Not all people are rational, therefore choices are not predictable.
- Finding flaws and vulnerabilities requires an unstructured approach, out-of-the-box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
- Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self-centric in behavior. It may not be disciplined, but often the “hack” works.
- There are no borders on the Internet.
- Accountability is an effective “deterrent” against “insecurity” – it applies to you, not me. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
- If you turn it on and connect it, they will come – and try and take it.
- It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
- The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
- Capture the flag is the best paradigm for understanding security.
- The race goes to the rapid penetration, not to the organized or disciplined standard or the followed policy.
- Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
- If someone wants to breach your security seriously or badly enough – they will.
- The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. The problem is that this is a big challenge for people who have secure benefits, families, run errands for the wife, and go home on holidays and weekends. Hackers sleep only when they need to.
- Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
- eCommerce is insecure – but so is regular commerce, including banking (lead pipe rule).
- Advancing and emerging hacker technology always defeats information security policies.
- Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
- There is no accountability for poor security – only excuses.
- Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.). Cyber threats are increasing, not decreasing.
- Confidentiality is a function of time and energy.
- Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.
Thursday, December 13, 2012
Cyber Defense: The facts associated with the hacker mindset
Monday, October 3, 2011
My, how times have changed....Haven't they????....
Thursday, May 22, 2008
Chinese Really Dig Cyberwarfare...You Think?
"The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks."
What about all of the attacks originating from China we've been reading about? Don't fret. The Chinese have set a goal of 2050 to achieve "electronic dominance" through attacks on information infrastructure.
While the DoD won't come out and say the world's second largest economy is vying for supremacy through hacking, it did note "a 31 percent increase in malicious activity on its networks from 2006 to 2007." What attraction does cyberwarfare have for such a country as China? It provides anonymity and an "asymmetrical advantage", according to Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc.
Commission Co-chairman Peter T.R. Brookes cited last spring's attacks on Estonia, recalling that Estonia wanted to invoke the collective defense clause of the NATO Charter, and said "this is a question of escalation" moving from non-conventional to conventional, i.e. military, responses.
Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically. His next remark should sound familiar.
"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it’s military or economic."
CyberCommand anyone? What about this little tidbit from the article?
Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China. "Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"
The nasty Cisco routers keep creeping back into the blogosphere. Security Management has more on this.
Tuesday, May 20, 2008
A new kind of war to fight....
Looks like the US Air Force Cyber Command is looking to establish in cyberspace the same level of superiority the Air Force has in the skies. The Cyber Command wants a new set of "hacker" tools to engage in both offensive and defensive operations against cyber-based threats which pose a risk to American interests. No word yet on where the headquarters will be. As we hear more and more in the news about the growing murky criminal/hostile terrain that exists online, I suspect we'll see more justification for such units to exist. China has its own unit dedicated to this. Why not us?
Sunday, March 16, 2008
Book Review - The Art Of Deception
Well....I finally did it. I finally finished Kevin Mitnick's book, The Art Of Deception. This was perhaps one of the most compelling books I've read in a very long time. It covers the ways in which many of our corporations and government agencies are vulnerable. It details what were once thought of as "old-school" techniques by which information thieves gain insight into the very workings of these organizations, such as dumpster diving and pretexting.
The book is 352 pages of real-life examples of Mitnick's former operation and those of his former comrades. I particularly liked his ideas about how we can protect against these attacks. Some would think this would be an opportunity for Mitnick to brag and thumb his nose at his former adversary, the US government. But it isn't. It is certainly a guide to some very low-tech means by which these guys operate and exploit.
This book is a must-read for anybody who cares about security. I would suggest it for any reader who wants to protect themselves or their organizations. If you think you're not vulnerable, hire an outside firm to do a penetration test on your people, not your systems, and see where your vulnerabilities are. I can tell you from my experience, the best way to defend yourself is to protect your people. Your systems need people to operate and maintain them. If your folks fail to perform basic due diligence when dealing with anyone seeking information or access (either physical or virtual) into your organization, then you'd better get them doing it ASAP. If you're in charge of security for any corporation, I HIGHLY suggest this book.
Thursday, March 13, 2008
Integrating Physical and IT Security
According to their release:
Most respondents indicated increased interaction between their security and IT functions.
Why the integration? Some might say the better question is why it has taken so long. Well, it turns out many of the respondents feel a vulnerability in either field could bring about a breach in the other. Take a look at this data:
* 63 percent said their security and IT organizations “had a formal coordination mechanism”
* 10 percent stated the two functions are run as one entity within their organizations
* 52 percent noted their security functions had a formal working relationship with their audit and compliance functions, while 11 percent said those functions are combined
* 91 percent of the responding companies showed an increase in security investment
* 75 percent of which said those investments increased by more than eight percent
* 31 percent suggested a greater than 12 percent rise
“This study reinforces that companies are increasingly concerned with protecting their information assets as well as their physical assets, and they recognize that integrating once-disparate systems can be effective in addressing threats,” said Jim Ebzery, senior vice president of Identity and Security Management at Novell, which recently collaborated with Honeywell to develop a converged physical-IT security system. “How they choose to implement convergence varies on a number of factors including internal roles and overall attitudes about its effectiveness.”
With all this talk of integration, the question which must be asked is "Who's in charge in regard to a coordinated attack on both systems?"
* 34 percent said there isn’t a single internal contact
* 27 percent said the Director of Security is responsible
* 14 percent said a single CSO deals with the threats
* 14 percent said the Crisis Management Group is ultimately responsible
The study’s margin of error is plus/minus 2 percent.
If you're considering this as a career, it behooves you to get "smart" on both sides. What sense does it make to build a multi-tiered surveillance system on network infrastructure if you're not knowledgeable about the risks you face? I would hate to be you if an incident occurs on the IT side and it affects your cameras or alarms. I'm sure your boss is going to ask what measures we had in place and how they were defeated. He/she will be looking at you to communicate with IT to find out.
Tuesday, March 4, 2008
UK Card Readers Hack
The University of Cambridge discovered that PIN entry device (PED) vulnerabilities allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards.
For those of you unfamiliar with the UK's debit and credit setup, I'll explain. Let's say I go to a restaurant and purchase a dinner for two costing a certain amount of money. The waitress brings out a portable card reader in which, instead of swiping, she takes your debit or credit card from a UK bank, which has a chip embedded in it, and places it inside the reader. Then the transaction proceeds like it does everywhere else. The readers then transmit the card information through a wireless connection. Catch where I'm going with this? If not, continue reading and you'll get it eventually.
According to SecurityFocus, the researchers described the vulnerabilities in a paper to be published at the IEEE Symposium on Security and Privacy in May.
"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at UC's Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."
This is not just a UK-only vulnerability. There are all sorts of vulnerabilities with card readers all over the world. If the card information isn't encrypted on the merchant, purchaser, and bank ends, then there will always be a vulnerability.
Saturday, March 1, 2008
Google Hacking Tool
According to SM, "The new web auditing tool is known as Goolag Scanner, which uses Google's search engine to scour the Web for passwords and security holes."
The tool comes from a hacking group calling itself the Cult of the Dead Cow (cDc). This is the same group that created a little program called "Back Orifice". Sounds a tad bit perverted, but I can assure you the IT departments and users this little piece of software caused grief for didn't think it was any laughing matter. "Back Orifice" created a "back door" for hackers to remotely control any computer they gained access to.
Scared yet? Well, don't go calling IT in a panic yet. It turns out that this tool just uses Google to sniff out information you and I could find ourselves through Google, though it would take us a lot longer. Why is this something not to worry about? Because this program can tell you what hackers may already know about your setup, and what you don't. What exactly is that? How secure your website is.
According to cDc, they realize this threat and it's the reason they created the tool. "It's no big secret that the Web is the platform," said cDc spokesmodel Oxblood Ruffin. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."
It turns out DHS was made aware of the vulnerability a few weeks ago according to Ruffin. Security experts are now taking a look at the software to ascertain where they're vulnerable.
For now, let's make sure you're doing the same. Security Management's article has the details, and InformationWeek has covered it as well.