Explaining Computer Security Through the Lens of Boston

Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are ongoing as this is being drafted. Details may change, but the conclusions should not.

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily – to help make sense of computer security – a complicated and multi-faceted problem few understand well.

  1. You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (it only happens once a year). Your business online, however, is an opportunity that presents itself 24/7. You can no more make your enterprise immune to attack than the marathon could have been run inside of a giant blast-proof Habitrail. Anyone who tells you differently is asking you to buy the digital equivalent of a Habitrail.
  2. It doesn’t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but most of the techniques that cause problems online are not advanced. Why would you expose your best weapons when simple ones will do? In the physical world there is the complicating factor of getting engineered weapons into places that are not war zones, but digital weapons, like the improvised explosives used in Boston, are easy to obtain or, if you’re clever enough, to build yourself.
  3. Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional – even international – law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks might leave evidence behind, but you can’t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn’t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, shooting cops and throwing explosives from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.

The response to the bombings in Boston reflects an exposure – directly or indirectly – to 10+ years of war. If this had happened in 2001 there probably would have been more fatalities. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.

More IO: the Internet (again)

Via Drudge:

America’s top intelligence officer overseeing Iraq and Afghanistan says terrorists have made the Internet their most important recruiting tool. Brig. Gen. John Custer tells Scott Pelley that terrorist groups like Al Qaeda are influencing Islamic youth to join their cause through Websites devoted to jihad, or religious war.

“I see 16, 17-yr.-olds who have been indoctrinated on the Internet turn up on the battlefield. We capture them, we kill them every day in Iraq, in Afghanistan,” says Custer. “Without a doubt, the Internet is the single-most important venue for the radicalization of Islamic youth,” he tells Pelley.

Potential recruits can be lured to sites that offer news or information that contain links to other sites featuring violence against people the terrorists say are enemies of Islam. Those sites often show American soldiers being killed and military vehicles blown up, as well as journalists and contractors being murdered or shown in captivity. Custer says the sites can convince potential recruits that American soldiers are on the run. “It’s a war of perceptions. They don’t have to win on the tactical battlefield. They never will. No platoon has ever been defeated in Afghanistan or Iraq, but it doesn’t matter.” […]

The Internet allows terrorists to use increasingly sophisticated methods, such as music videos distributed by media organizations, to reach more potential recruits with more effective messages. “Now they are able to distribute… anything they want anywhere they want. …

And the military’s response to this asymmetric threat is to shut down soldier blogs and give short shrift to citizen-embeds (it would be unfair to insert a Custer-related joke here; it isn’t his policy).

This is not news to my colleagues or me, but it is a bit of redemption for all those years we languished in obscurity, those “computer geeks” who didn’t really study “real” threats. It is also a touch of reality for those who keep harping on how you can’t go from the couch to the battlefield by playing virtual Jihadist online.

At some point a clueless pol is going to embarrass him or herself by talking about shutting down the inter-tubes in order to defend the nation. Likewise someone will push the boundaries of metaphor by . . . wait, I already talked about that.

For a better idea of how to move forward, read on.

Update: Don’t get complacent on the home front.

New Intel Sharing Paper

Money quote from the Author’s Note:

The unavoidable conclusion is that the U.S. government cannot continue to allow a collecting agency to make unilateral originator control determinations regarding the intelligence it collects. … I hope to explain why they are not in position to make the best “need to know” determinations – that decision must be made by an independent body.

I argue that collection agencies should have their analytic capabilities removed for similar reasons. Restrictive classification or handling caveats are more often than not tools to minimize the ability of others to steal your thunder. Of course by seeking institutional glory in this fashion agencies are hindering effective exploitation and analysis of collected data; the agency best suited to use a given piece of information could very well be an agency that doesn’t have “permission” to use it.

PS: Just finished. Very well done. Research into the security aspects of this problem is instructive for pros and laymen alike. Reading the many “what could have been” moments in the piece will alternately make you weep or pound the table in fury. There are of course legitimate concerns on this front, but by and large it is pure selfishness. The idea of having an honest broker, and not collectors, determine NTK is interesting, though care would have to be taken as far as who is chosen for the job (ideally, cleared outsiders who don’t have misguided loyalties to a home office).

(Global) Guerrillas in our Midst?

I was a little slow to catch this item:

U.S. law enforcement and intelligence officials say they are taking steps to monitor and combat the possible spread of Islamic extremism and support for a violent holy war against the West among a “Pepsi jihad” generation of young Muslims in the United States.

At a hearing last week, officials from the CIA, FBI and the Department of Homeland Security told lawmakers that the United States had less of a problem with potential “homegrown” Islamic terrorists than Europe did, because of its history as a nation of immigrants.

But despite that, Phillip Mudd from the FBI’s National Security Branch, added that the ideology of extremist Islam — and its attendant support for violent jihad against the West in general and the United States in particular — was spreading even here.

A very brief and seriously culled extract; the full story deserves your attention.

So of course I start doing the math: what could aspiring, self-radicalized terrorists do if they were so inclined?

  • Conduct reconnaissance and basic tradecraft (Google earth, myriad books)
  • Buy, train in the use of, and employ small arms (remember they’re domestic and “clean”)
  • Design, build and employ IEDs (numerous resources though validity of some is questionable – requires testing)
  • Intercept the communications of those who are hunting him (no shortage of police scanner resources)
  • Jam navigation systems and systems that might be used to track him (see this GPS World story – H/T Global Guerrillas)
  • Communicate securely and anonymously (prepaid phones, onion routing, GPG/PGP, etc.)
  • Raise substantial amounts of funds to support operations (start with online cc-fraud and go from there)

Assuming our aspiring Keffiyeh Mafia have day jobs of some sort, we’re probably talking weeks, if not months, before an initial operating capability is established; longer than it would take them to get to the point where they’d actually contemplate building the skill set.

Of course there are nay-sayers:

“It’s ridiculous to think that the U.S. or any other military would do its training over the Internet,” said analyst and author Peter Bergen, arguing al-Qaida was just as professional in its approach. “Radicalization is one thing, having operational cells with the capacity to launch attacks is something else entirely.

“That basically means people who have been through one of the (terrorist training) camps.”

Bergen might have amusing footage that could be used for “UBL’s Funniest Home Videos,” but he’s apparently never heard of the Army’s long-time use of computer-based training, combat-training video games (adopted by Hezbollah, no less), and this little thing called Future Combat System, which is basically the Army.com. Still, he does hit one out of the park:

The exception, [Bergen] said, was the Islamic extremist cell which had sprung up in southern California jails last year. As hardened criminals, the individuals involved in that group, he said “had some hands-on experience.” [emphasis mine]

When the IEDs go off no one is going to care about where they received their training, only that they got it, which makes ‘location, location, location’ irrelevant.

Bright points of the day included Charlie Allen, who as usual recognizes a good thing when he sees it and applies resources accordingly:

… Allen, the head of intelligence for the Department of Homeland Security, said the department had reorganized its intelligence analysts late last year and “created a branch focused exclusively on radicalization in the homeland (which) is studying the dynamics of individual and organizational radicalization.”

Dismissing a potentially explosive problem by claiming cultural differences seems like a high-handed way to marginalize some important points. Simply playing the numbers, culturally obtuse Britain reportedly has 200 known networks of evil-doers on the loose. We might have a greater tradition of inclusiveness, but in case you haven’t noticed, goodly numbers of immigrant Muslims in this country aren’t assimilating. We’re five times larger than the UK population-wise, so whatever “savings” we get by being a melting pot would seem to be nominal, if any. Culturally speaking, even if you are born here and have all the advantages, you’re not a lock for citizen of the year, as the OK City bombers and pretty much every school shooter attest. Besides, we’re at or rapidly approaching the point where numbers don’t matter all that much.

Methinks the biggest problem, outside of the issues related to mentorship, is the lack of understanding of just how long, hard, and complicated it is being a covert operative. Even if you’re not all that deep, just having a meeting can be a multi-day affair, and even professionals with years of training and experience under their belts get lax on occasion.

I’ll withhold further judgment until Charlie’s folks issue a report on radicalization on the home front (begin holding breath . . . now!).

Similar thoughts on future attack size and methodology at OPFOR.

Gamers Miss Real World Developments

Gamers quibble over trees while missing a forest:

Was an elite congressional intelligence committee shown video footage from an off-the-shelf retail game and told by the Pentagon and a highly-paid defense contractor that it was a jihadist creation designed to recruit and indoctrinate terrorists?

It’s looking more and more like that is the case.

The bizarre story began to unfold last week when Reuters reported that the House Permanent Select Committee on Intelligence was shown video footage of combat action which was represented as a user-modified version (or “mod”) of Electronic Arts’ best-selling Battlefield 2, a modern-day military simulation which features combat between U.S. forces and those of the fictitious Middle East Coalition (MEC) as well as the People’s Republic of China.

Reuters quoted a Pentagon official, Dan Devlin, as saying, “What we have seen is that any video game that comes out… (al Qaeda will) modify it and change the game for their needs.”

The influential committee, chaired by Rep. Peter Hoekstra (R-MI), watched footage of animated combat in which characters depicted as Islamic insurgents killed U.S. troops in battle. The video began with the voice of a male narrator saying, “I was just a boy when the infidels came to my village in Blackhawk helicopters…”

Several GP readers immediately noticed that the voice-over was actually lifted from Team America: World Police, an outrageous 2004 satirical film produced by the creators of the popular South Park comedy series.

In the rush to prove their worth it is entirely conceivable that a contractor ran off without double-checking details – the video’s creator does, after all, go by the nickname “Sonic Jihad,” is Moroccan-Dutch, and loves the genteel sounds of NWA and Public Enemy – though one has to wonder where the COTR and government project manager were on the days preceding their appearance on the Hill . . .

Regardless, while this particular video may not have been created by Jihadists, its value as a recruiting tool is undiminished. Let us also not forget the broader theme here of terrorists adopting the computer-based training approach, which has been going on for some time.