Tag Archives: Islamic Terror


The best cybersecurity strategy may be counter-terror

Danny Lieberman suggests that a demand-side strategy with peer review may work best for cyber-security.

A conventional military paradigm does not work for cyber-security

Government cyber-security policy, molded by the military, traditionally frames cyber-security in the context of a defensive strategy based on intelligence gathering, threat analysis, modeling and monitoring, with deployment of defensive network security technologies such as firewalls, DDoS protection, intrusion prevention and honey-pots.

The problem with a defensive cyber-security strategy is that it does not address the root cause of threats.

Combating cyber-terror with offensive strategies by using anti-terror techniques to dismantle terrorist infrastructures and social fabrics is a highly effective alternative to a defensive strategy.

Attacking social networks of hackers

Although there are offensive alternatives such as mounting systematic DDoS attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. We can learn from the counter-terror success of the Italians in the late 60s with dismantling the Brigatisti. The Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since cyber attacks on Israel are a form of terrorism – I believe that this strategy could be effective since it goes directly to the source and potentially denies a key hacker benefit – the social gratification.

While an interesting idea – the key barrier to this strategy is deploying it where hackers operate and obtaining the cooperation of local law enforcement.

It’s clear that cooperation with other countries and a variety of partners inside and outside the Israeli government is a critical success factor for an offensive cyber-security strategy.

Getting more eyeballs on the problem

A cyber-security strategy that is not reviewed by outside people cannot correctly evaluate the economic effectiveness of cyber-security measures since political considerations will always override common sense.

Representatives from the newly formed Israeli Cyber Command need to work closely with private industry and share information about threats and vulnerabilities – since in most cases – privately held technology security developers and analysts have better and more up-to-date knowledge than government agencies who may have better intelligence.

The effort to defend Israel in cyberspace will only succeed if it is coordinated across the government, with allies, and with partners in the commercial sector combining high-quality intelligence with deep understanding of evolving threats and peer review of the security measures.


Tahrir square – the high-tech version

From Wired

The revolt that started a year ago today in Egypt was spread by Twitter and YouTube, or so the popular conception goes. But a group of Navy-backed researchers has a more controversial thesis: Egyptians were infected by the idea of overthrowing their dictator.

Using epidemiological modeling to chart the discussions and their trajectory online is an interesting idea; I don’t think that they are the first ones to do it. It’s a different approach to social network analysis, which analyzes social phenomena through the properties of relations between and within units instead of the properties of these units themselves. This approach apparently considers trajectories of content combined with natural language analysis to determine what people in certain regions, of certain age groups, genders, or any number of other demographics, are discussing.

We’ve seen how content interception, classification and analysis has had success in the enterprise information security space – in particular with identifying data leaks by trusted insiders and unauthorized disclosure of intellectual property. Doing it on a national or global scale is much more than computing power. It’s also understanding the political milieu and intent of the subjects, a powerful challenge for any intelligence organization.

I’m not sure how they collect the actual demographics, handle historical data, deliberate disinformation or feedback effects or even if their model is a good fit for the problem but it’s thought provoking.


Ehud Barak, information leaks and political activism

What do Anat Kamm, Ehud Barak and Meir Dagan have in common?

Ehud Barak is the current Israeli Minister of Defense, former IDF Chief of Staff and former Prime Minister who led the disastrous withdrawal from Lebanon that fomented Intifada II and then Lebanese War II. Barak is famous for quotes like “If I was a Palestinian, I would also be a suicide bomber” or “If I was an Iranian, I would also build nuclear weapons”.

During her military service as an assistant in the Central Command bureau, Anat Kamm secretly copied over 2,000 classified documents, copied the documents to a CD and leaked it to the Israeli Haaretz journalist Uri Blau. Kamm was recently convicted of espionage and leaking confidential information without authorization and sentenced to 4.5 years in prison after a plea bargain.

Former Mossad chief Meir Dagan has recently voiced unrestrained criticism of the current administration’s defense policy in the service of his political activism; criticism which is supposedly based on his inside knowledge from the Mossad.

Meir Dagan, together with Gen. Gabi Ashkenazi (former chief of staff), Gen. Amos Yadlin (former head of military intelligence), and Yuval Diskin (former head of Shin Bet), opposed an attack on Iran. While in office (they all retired between November 2010 and May 2011), the Gang of Four successfully blocked attempts by Netanyahu and Barak to move forward on the military option.

Of the four, only Dagan has spoken openly, after leaving office, about what he considers to be the folly of an attack on Iran, and openly criticized Netanyahu and Barak for irresponsibly pushing Israel to an unnecessary war, relying on his former position of responsibility as chief of intelligence as implying that what he said must be true.

It was unclear why Dagan would speak of plans best left undisclosed. Unclear, at least until last week, when Dagan announced his plans for a movement to change the method of Israeli government, leaving his options to enter politics in the future open.

I wish Dagan luck. I’m not happy with his way of publicizing his political activism at the risk of treading the thin line of information leak. It places him on the same slippery slope as Anat Kamm, who lamely attempted to justify her actions as an act of political protest.

In comparison with Dagan, Barak is circumspect (despite his unfortunate quotes and bad decisions).

Barak was asked about the possibility of making a decision on attacking Iran in the Israeli daily Ha’aretz.

In my various posts I’ve already seen all the possible permutations, as long as one thing remains constant: the role of the military is to prepare the plans. It is important that the political echelon listen very carefully to what the operational and intelligence echelons have to say, but at the end it is the political echelon that has the responsibility for the decision.
More here on Israeli defense minister Ehud Barak on Iran, U.S., and war

A cyber-terror derivatives market?

I first heard the idea about hedging risk against actual future disasters (man-made or natural) around the time of Hurricane Katrina.

The essay below by professor Avinash Persaud considers the creation of a terrorism futures market. The ideas are particularly timely in the context of the unrest in Libya and the uptick in oil prices.

Right now, the closest thing we have to “terrorist futures” are crude oil futures. One way of looking at them is as a loose proxy for the sell-by date on the Saudi monarchy. For example, oil prices above $99 would be a function of geopolitical instability, and not just the supply-demand dynamic.

Futures prices convey information in its raw form. They tell you what individual participants are betting on and how they’re evaluating risk. They tell us something about Qaddafi. Even if Libya is not a major oil producer, Muammar Qaddafi is a major source of instability.

Can a Country Take out Financial Insurance Against Macro-Risks Like Currency Instability or Global Terrorism?
by Professor Avinash Persaud

Good evening, ladies and gentlemen. I would like to begin today by discussing the link between the personal insurance you and I take out every day and financial futures markets. I will then turn to a proposal to establish a terrorism futures market and how that would work. I will address the moral objections to such a market and its possible benefits to our democracy. It should be a thought-provoking tour.


Paying the price for peace

An exceptional post by Lilac Sigan, “Too bad it doesn’t pay to be a nice guy”, suggests that Israel may be better off in the long term with its relations with Turkey by demanding a quid pro quo (the Turks are demanding reparations and an official apology from Israel for boarding the now infamous Gaza flotilla boat – the Marmara).

There is a larger issue that Israel has with foreign policy and that is constantly being defensive. I believe that the root cause of Israel’s perennial problems with public relations is the “need to be loved and be thought a nice guy by the rest of the world”. This in itself is rooted in 2,000 years of being a minority in the Diaspora, having to keep a low profile in order to stay alive.

An interesting corollary that may be derived from the post is the notion of the price to be paid for peace and who pays the price. Conventional wisdom is that the Americans and the Israelis need to pay the Arabs for peace. The fact that this wisdom has no basis in reality or history is immaterial. But – the same conventional wisdom states that Israel is the key to peace in the Middle East. If so, then it follows that the question should be not how much Israelis should pay but how much the Arab and Palestinian nations should pay Israel for peace.

Just like being assertive is important on a personal and business level, the world will think better of Israel when Israel’s leaders stop being defensive and attempting to be the perennial “nice guy”.


Has the threat of cyberwar been grossly exaggerated?

Bruce Schneier writes that The Threat of Cyberwar Has Been Grossly Exaggerated

Not unpredictably, the essay yielded a lively discussion. I agree with Bruce – especially because of all the hype around Stuxnet. On one hand – the locals in Israel more or less know, or guess, who worked on the project and on the other hand – there are clumsy attempts at disinformation – Shai Blitzbau is trying to claim that it is not military code, but didn’t do his homework regarding WinCC (a Siemens Windows application for industrial command and control, not a special version of Windows for SCADA systems as Blitzbau wrote).

Software Requirements
WinCC V6.2 is released for the following operating systems:

  • Windows XP Professional Service Pack 2 (client / single-user station)
  • Windows 2000 Professional Service Pack 4 (client / single-user station)
  • Windows Server 2003 Service Pack 1 (client / single-user station / server)
  • Windows Server 2003 R2 (client / single-user station / server)

Microsoft SQL Server 2005 SP1 is used as the database and is supplied with WinCC Version 6.2. The SQL Server system administrator password can be assigned by the user and supports adherence to company password conventions.

While Blitzbau is probably trying to link-bait some headlines with contrarian opinion – 500MB of well written code by a large multi-disciplinary team looks and smells like cyber war no matter what languages the developers speak and use.

Nonetheless – cyber war is overhyped.

I found it significant that Schneier’s article and the resulting discussion thread skimmed over the obvious, namely that:

In real war (as defined by soldiers of one state fighting soldiers of another state) or real terror (as defined by bad people who kill civilians) – real people get killed.

As an Israeli – I find the American fixation on cyber terror and cyber war somewhat amusing.

Although I understand that it is fundamentally a way of generating more business for the Raytheons of this world – the American fixation on cyber-war and cyber terror goes beyond DoD and Pentagon turf wars.

For many Americans, cyber war must seem like a safe way of vicariously participating in some kind of a cool war effort without having to pay the physical and emotional price of dealing with losing friends and families to real world terrorists or soldiers.

Perhaps – if I might speculate – it is possible that President Obama has not declared war on Afghanistan because it runs contrary to his liberal Weltanschauung of “let’s solve conflicts by talking to everyone since everyone is created equal”.

Cyber war and cyber terror are proofs of the inequality of life and the inequality of war.

While the DHS, NSA, FBI, CIA would have difficulty producing a single example of a real person being murdered by a piece of targeted malware – any Israeli you meet – including yours truly, has close friends or family who were killed by real wars and real terrorists.


Why Pentagon cyber strategy is divorced from reality.

From the recent September/October 2010 issue of Foreign Affairs – William Lynn, U.S. Deputy Secretary of Defense, writes about defending a new domain.

The long, eloquently phrased article demonstrates that the US has fundamental flaws in its strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.

Lynn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded, monolithic bureaucracies.

The private – public partnership is particularly problematic in my view. The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate. And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why – should Microsoft be part of the solution when they are part of the problem?

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA of its human assets and relying on satellites and network intercepts. At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill. I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing than to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is sadly divorced from reality.


Facebook disclosure cancels raid on terrorists

I want to challenge the effectiveness of top-down, monolithic security frameworks (ISO 27001/PCI DSS) – I submit that rapidly changing threats – social networking, cyberstalking, social engineering and custom spyware – are threats that exploit people and system vulnerabilities but are not readily mitigated by a top-down set of security countermeasures.

The recent case of the OPSEC security violation on Facebook in Israel, reported by the Jerusalem Post, is a good example of how a hierarchical organization (Army) is threatened by a flat social network. The good news was that the security countermeasure was found in the social network itself – herein lies the lesson.

The IDF was forced to cancel a recent arrest operation in the West Bank after a soldier posted information about the upcoming raid on his Facebook page. The operation was scheduled to take place several weeks ago in the Binyamin region. The soldier, from an elite unit of the Artillery Corps, posted on his Facebook page: “On Wednesday, we are cleaning out [the name of the village] – today an arrest operation, tomorrow an arrest operation and then, please God, home by Thursday.”

The status update on the soldier’s page was revealed by other members of the soldier’s unit. His commanders then updated Judea and Samaria Division commander Brig.-Gen. Nitzan Alon, who decided to cancel the operation out of concern that the mission had been compromised.

Organizations need to leave the static top-down control frameworks a few times a year and look outside the organization for links and interdependencies – and talk to the soldiers in the trenches in customer service, field sales and field service.

The information you will get from people outside your firm and from people with dirty hands is far more valuable than rehashing the ISO 27001 checklist in an audit.

The most valuable data is from questions you haven’t asked yet – not from a checklist in an Excel spreadsheet in the hands of a junior auditor from KPMG.


Dissonance is bad for business

In music, dissonance is a sound quality which seems “unstable”, and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Qaeda attack on the US on 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

Resolving dissonance in your business is key to getting actionable intelligence in order to reduce risk and improve compliance.

Why should I care? After all – for this we have security, risk and compliance specialists.

According to the Verizon Business Report, 285 million records were breached in 2008; 32% of the cases implicated business partners.

Information assurance of third parties that have access to your business assets is crucial for contract due diligence, complying with best practices, internal and external audit and regulation.

Due diligence of third parties that work with your business requires actionable intelligence.

Remember Madoff?

Actionable risk and compliance intelligence requires breaking down silos and recycling commonalities instead of fragmenting activities and duplicating resources.

Learn how to make that happen at our next online workshop on security management coming this Thursday, October 29, 2009, 10:00 Eastern 14:00 GMT, 16:00 in Israel and Central Europe 17:00 MT.

Go green by recycling policies and controls.

Don’t make any of the 10 data security mistakes

Register today for this free online workshop.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data. Data security is a war – when the attackers win, you lose. We will help you win more.


Reducing risk of major data loss events

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons.

Hellman proposes that we need a third state scenario (instead of current state -> nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state of reduced risk where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodor Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Khrushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad – the Russians and the North Koreans are also infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.
