E-Jihad

The U.S. government has notified U.S. private financial services of a
call by the al-Qaida terrorist network for a cyber attack against U.S.
online stock trading and banking Web sites
beginning Friday, officials
said.

I smell Zapatistas.

If there is one set of institutions that tends to take cyber security seriously it is financials. Unlike any number of government institutions (most recently the Naval War College) there isn’t a hole or back door around every byte. Terrorist cyber capability, while potentially formidable, has yet to move beyond propaganda and the most basic attack methodologies (stuff that is pushing a decade in age – which is like fighting F-18s with Sopwith camels).

Hey, they could surprise us, but I wouldn’t count on it.

If they really wanted to be taken seriously, they’d leverage insiders, but since that’s the most dangerous and least understood problem of them all (political issues notwithstanding) of course there is little or no serious defense.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in
recent years, federal agencies are not testing their security controls
with any consistency or timeliness, and as a result may not realize
their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistantly in D and F territory and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.

DOE Security Lapse Update

The latest compromise of nuclear weapons secrets occurred at the Los Alamos National Laboratory after a worker stole design information she downloaded onto a removable computer flash drive, U.S. officials said.

The secrets were discovered during a drug raid last month.

I know of no national security organization that allows users to introduce removable media to “secure” systems . . . except for the one that controls nuclear weapons . . .

The More Things Change…

With regard to hard problems:

Fifty years ago today the Soviet Presidium overturned its earlier decision to pull its troops out of Hungary in the face of a popular uprising, yet the CIA–with only one Hungarian-speaking officer stationed in Budapest at the time–failed to foresee either the uprising or the Soviet invasion to come, according to declassified CIA histories posted on the Web by the National Security Archive at George Washington University.

Describing the several days in early November 1956 when it seemed the Hungarian Revolution had succeeded (before the Soviet tanks rolled in on November 4), a CIA Clandestine Service History written in 1958 commented: “This breath-taking and undreamed-of state of affairs not only caught many Hungarians off-guard, it also caught us off-guard, for which we can hardly be blamed since we had no inside information, little outside information, and could not read the Russians’ minds.”

Hey, don’t blame us, we were clueless. Unfair? You’d think that with even one man on the ground current events would have been slap-in-the-face obvious, but apparently not. Now fast-forward to current hard problems (pre-war Iraq, Iran, North Korea) where the manpower issue is as bad or worse, and begin to understand just how dim the light is under which we are forced to make decisions.

History, repeat thyself . . .

FID: Fear, Incompetence & Doubt

Dr. Stephen
Haag spends upwards of 80 hours each week on his computer, mapping out
terrorist attacks.

Haag, an expert in emerging technologies, believes the next attack on the U.S. will come not in the form of bombings or military movements, but from terrorists armed with computer keyboards, credit cards and Social Security numbers.

A calculated cyber identity strike could erase or manipulate the identities of millions of Americans, effectively closing the financial markets and crippling the economy. ATMs would fail, airports would shut down, banks would close–all transactions would cease, says Haag, 45, an associate dean at the Daniels College of Business at the University of Denver. […]

Read the rest if you must but the gist is this: terrorists buy stolen personal
identifying information (from, say someone who steals a Department of Veteran’s
Affairs laptop); they craft some code that would render your personal
information unrecognizable to computer systems; so now your credit cards don’t
work, you driver’s license comes up invalid, etc.; and the end result is that
everything shuts down because “the system” thinks you don’t exist.

I honestly
thought we had past the point where wackiness like this was even on the table.
I mean, how many ways can we tweak “weapons of…” to fit someone’s money-making
scheme?

Some
reality:

 

  • The
    average American has multiple credit cards that are processed by a variety of different
    card processors (not many, but several)
  • There
    are 50 different DMVs
  •  There
    is the Department of State (passport)
  •  There
    are umpteen institutions of higher learning that all issue their own IDs
  •  Etc.,
    etc., etc. . . .

This is my wheelhouse. Terrorists haven’t moved past the defacing web pages stage of
technical threat and suddenly they’re going to be producing uber-code that in
one fell swoop zaps you from virtual existence? The airports will shut down
because 1 in 10 IDs are invalid? Last time I checked the rent-a-cop looks at
your picture, the name on the license, the name on the boarding pass and if
they match off you go. 

If you’ve
got the skill to zap multiple, complex systems – whether it is with insiders or
from afar – you’re not going to waste your time targeting Johnny Citizen; it’s
called “the war on terror” not “the war on inconvenience.”

9/11 Redux

A nice analysis of the airborne terror threat then and now by Shane Harris in National Journal. The broad point to take away is the value of defense-in-depth, or layers of security that (hopefully) are designed to catch those bits that fall through the cracks. For you INFOSEC folks this is nothing new, but all too often on the physical side it is hard but brittle shell covering a soft and mushy inside. There are plenty of gaps in each existing layer, but making the most of these gaps all at once should be readily detected (one would think).