When I first started in cyber security we looked to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) as the gold standard for how to keep a system secure. It had two things going for it (1) Incentive: it was the transfer of money and money was always a target (2) Good Policy: policy that was followed with high standards. Given the happenings of late, we can wonder about that system. Syed Zain Al-Mamood and Katy Burne wrote today of the discovery of a second theft from the state-owned Sonali Bank in 2013. This is, of course, on top of the $81 million in the current investigation of the Bangladesh central bank.
The comment I loved the most was this: "A senior Sonali Bank official said the bank had informed Swift about the breach of its system in June 2013. Abu Muhammad Mustafa Kamal, secretary of the Anti-Corruption Commission, which investigated the Sonali Bank theft, said his agency “hadn’t been asked” to share information on the incident. The investigation found that the passwords of the Swift server were hacked, he said." That is not the way SWIFT is supposed to work. It means there are a lot more thefts that have gone undetected, or unreported. Somebody is making billions off of this and it isn't SWIFT.
There is time for a reckoning. The international banking system cannot afford this kind of theft. It leads to the instability of the whole banking infrastructure, something the countries harboring these people really need. Maybe they don't think so, but no country can live with the inability to trade and finance through international banks.
Friday, May 27, 2016
Wednesday, May 25, 2016
Russian Agents Traded for Nadiya Savchenko
If it happens, this will be a story with a happy ending for the woman tried by a Russian kangaroo court for her role in fighting against Russian separatists in the Ukraine. It might not be so joyous for those being traded, but that remains to be seen.
Reuters has two reports that are worth reading, if you want to know the facts and not the buzz from RT. Maria Tsvetkova's story in 2015 [http://www.reuters.com/article/us-ukraine-crisis-captured-specialreport-idUSKBN0OE0YE20150529] is about the two captured Russians who were "contract soldiers" sent on a special operation. The Russian Embassy calls them "Russian citizens detained in the Luhansk region". They could be tourists by that description, but both of them claim to be members of the Russian Army, sent by Russia for a secret mission but disavowed by it after their capture. Putin says there are no Russian soldiers in Ukraine. As I described in my third book, The New Cyberwar, these troops have been used to selectively disrupt communications and destroy sensitive sites, as any covert soldier does.
Today's story by Maria and Dmitry Solovyov [http://www.reuters.com/article/us-ukraine-crisis-savchenko-idUSKCN0YG0U8] gives good descriptions of Nadiya Savchenko and her trial in Russia, her election to the Ukrainian Parliament while a captive, and the trade that is soon to take place. She will no doubt be a hero on her return. The other two will not be.
Monday, May 23, 2016
Taiwan New Target
If you want to know why the Chinese are building up their forces in the South and East China Sea, the answer lies in Taiwan. Several press outlets have picked up the story of Tsai Ing-wen, about to be the new leader of Taiwan. The central government is not happy with her speech, which has "left out" some very important discussion of the relationship between the two. Perhaps Tsai's mother taught her not to speak ill of the big neighbor to the North. Better to say nothing.
The Chinese have already started on their constant drum beat about the 1992 Consensus. The Consensus was an agreement between representatives of the two countries that Taiwan is part of the geography of China but that both parties may think of this arrangement in their own way. In diplomatic-speak, this is a way of saying, "Taiwan is our territory, but you can think of it as yours - for now." It isn't like this is a treaty, or a formal recognition that this is the state of being between the two, but China uses it to describe what it sees as the basis of the relationship between the two. And, as we have seen recently, what China sees as the relationship is all they will accept. They are going to cut off Taiwan's few formal lines of communications, and probably much more, before this is over. That will change, of course, if she just says the words. This is the logic that prisoners of war face with their captors, which fits the situation better than we would like.
The Chinese saw how Crimea worked for the Russians, and have moved towards a slow and deliberate takeover of Taiwan. They are just a lot more patient than the Russians. They waited 50 years for the takeover of Hong Kong, and are in no big hurry to do much there either. Just a little here and a little there.
Friday, May 20, 2016
Tariffs on Steel 500%+
Yes, it is hard to believe the U.S. would want to raise tariffs on anything by 500%, but the Obama Administration has done just that for cold-rolled steel. A number of news outlets carried this story a couple of days ago, some rightly mentioning that 256% of the total is an anti-dumping tariff, although the Chinese are not going to care very much about what we call it. We only buy 2% of their steel, so the market impact is not big enough that anyone really cares.
The dire predictions of a trade war with China, prompted by the U.S. election candidates saying how unfair China has been with the U.S., are about to be tested. We shall see what the Chinese do with such a tariff, besides denying they "dump" on the world markets. They could easily raise tariffs on 2% of U.S. goods, and if history repeats itself, that is what they will do. That isn't going to cause a trade war.
But the Chinese are not going to "learn a lesson" about dealing with the U.S. on trade from this kind of action. Rolled steel is not one of the things we have to worry about doing without. There is plenty of it around and we could get it from other countries if we had to. It might make a better point to do that. In too many places, the Chinese have been allowed to compete unfairly with the U.S. but this is not one of them.
Wednesday, May 18, 2016
DNI Talks Campaign Hacks
I have to admit I like this Director of National Intelligence because he has never been one to shy away from the truth as he sees it. That is refreshing in Washington D.C. because it is so unusual.
This time, he has struck out on something that has come up before, the hacking of Presidential candidates during an election. Only this time China was not mentioned directly, whereas the previous times it came up, China was behind it. ABC is speculating, perhaps wishfully thinking, that Anonymous will take up cyber weapons against Donald Trump [http://abcnews.go.com/Politics/intelligence-chief-presidential-campaigns-cyber-targets/story?id=39200335]. I can't imagine anyone in Anonymous wanting to do that kind of thing, but I can imagine the press wanting to encourage it if they can. They are starting to run out of legitimate stories to run about the candidates and hope for more. Wouldn't a little inside information, stolen in the name of Anonymous, be nice to have? It doesn't have to be any of the known hacker groups; it just has to be a name they can attach to it, similar to the stories run when British newspaper people were hacking answering machines. This is the kind of unethical journalism that the press discounts but has to deal with among its peers.
Intelligence services, which are probably more to the point of what a person like the DNI would be talking about, do not often feed information to the press about what they find out. If they did, Hillary Clinton would have more trouble than a person could ever handle. They take the information and use it to plot out what kinds of policies the candidate will have, given the people writing the candidate's speeches, advising, or supporting them. They don't give it to the press, although the Russians did similar things to the staff of Ronald Reagan when they tried to prevent him from running for office. They didn't succeed, in case we have forgotten.
Maybe the staffs need a little advice that the Secret Service has already given them - don't say anything in email that you don't want on the front page of the New York Times or the St Louis Post Dispatch, because somebody is reading your email right now. That doesn't mean you have to become paranoid or stop using email. You just have to be realistic about the prospects of it remaining a secret.
Tuesday, May 17, 2016
The Cost of Complying with Chinese CT Law
Paul Mozur and Jane Perlez in the New York Times yesterday [http://mobile.nytimes.com/2016/05/17/technology/china-quietly-targets-us-tech-companies-in-security-reviews.html?referer=https://news.google.com] lay out a quiet strategy by the Chinese government to examine "national security" issues with some companies operating in China. For China, national security means something a little different than it does in the U.S. Even so, we should consider any actions taken by China towards our businesses operating there as a measuring stick for reciprocity. They want source code and encryption software provided to them, and we should ask for the same things.
Companies have been called in and questioned about commercial products, a dangerous and potentially conflicting way of getting access to trade secrets and proprietary information. Their intelligence and Army officials are participating. The Chinese are doing it quietly because they know what the U.S. would say about the kind of stunt they are pulling. They know we will not be happy about having them poke around in Apple software hoping to find something that might allow one dissident to communicate with another. They call this Counter Terror legislation, when it blatantly is not. It is just another way to steal the source code from U.S. businesses, which before this, China stole openly. As the criticism of their actions mounted, they decided a better way to go would be Counter Terror. Everyone understands the need for it. Nobody would want to be seen as not cooperating with a counter terror measure. If that was what it was, we might even agree.
It is time for new legislation that levels the playing field. Chinese businesses have to be subject to the same types of review in the U.S. that they place on foreign companies in China. Let's get some of those cell phones and computers that China makes and start going over the software and hardware to see what they might have done to allow terrorists to communicate without the U.S. being able to get to those communications. We should bring in NSA and the CIA to help out. They will be allowed to communicate anything they find to Dell and Apple, at the very least. That is what reciprocity is about.
Monday, May 16, 2016
The Hypocrites at Twitter
L. Gordon Crovitz, in today's Wall Street Journal, points out that Twitter allows the Russian "news service" RT, which is the personal playground of Putin and creates news by its own admission, access to its Dataminr service but denies it to the Intelligence Community. The IC is more than just the CIA, which Crovitz has missed. It includes the FBI, NSA, DIA, DNI, et al (https://en.m.wikipedia.org/wiki/United_States_Intelligence_Community). It does exclude all the news agencies, including such noted ones as NBC, CBS, ABC, CNN, et al. Unlike Russia, our news services are not dictated to by the President very often. Our reporters are not jailed if they fail to make the right point.
Twitter is missing the point, in an attempt to make a point about how its data services are used. If you sell a commercial service, and ignore the politics of who you sell it to, you have a basic commercial service. I remember a little company selling engineering knowledge bases to the Russians during the Cold War. Defense tried to stop them, and lost. They sold this service to anyone who wanted to buy engineering services. Twitter should stick to that model.
Twitter has to look at China, Russia, Iran, North Korea, Syria, and a few of our allies to find out whether "intelligence services" are buying their goods - data - when they should know there is no way to determine who is and who isn't. North Korea is not likely to list the Reconnaissance General Bureau (RGB) as the entity buying data from them. Nobody is going to be open about buying this data, nor how they use it.
Personally, I don't like Twitter selling data at all. I have to read a 14 page End User Acceptance Agreement to find out what I have agreed to, and almost nobody ever does. I could have authorized them to sell data to Russia Today for all I know. Besides, if I don't agree, they don't let me use the service, which is kind of like extortion.
Saturday, May 14, 2016
China not Market Economy
You will be glad to know that the Chinese economy is not a market economy. We know this because the European lawmakers say so.... So, I was not surprised by Viktoria Dendrinou's article in the Wall Street Journal [European Parliament Rejects China's Bid for Market Economy Status, 12 May, 2016].
It may turn out to be a bigger deal than we know, but it is at least recognition that nobody is fooling the Europeans into believing China controls its businesses in a way that is open and competitive. They certainly don't. This article says they believe that China's government subsidizes its businesses (unfairly, they should have added) and offers exports at below market prices. This is not a secret, and it is a little surprising, given that the EU did not have to vote on something so obvious, but did anyway. As it turns out, there were 546 votes for, 28 against and 77 abstentions. So there are 28 people who can't see their hand in front of their face on a clear day and still say China is a market economy. The abstentions are easier to figure out. When politics are involved, those with no convictions abstain.
Thursday, May 12, 2016
Intrusive Software for Anyone
In my third book, The New Cyberwar, I talked about some of the software out there marketed to parents of teens that opened e-mail, tracked users, and blocked sites the parents found inappropriate. These can be purchased and used by anyone, without anyone asking for a birth certificate proving you actually have children. There is a relatively new report (April 2016) on this from the Government Accountability Office [http://www.gao.gov/assets/680/676738.pdf#page13]. It surveys the software and how it is marketed: (1) for parents of children who want to see more about what they do in their spare time, (2) for spouses who think their husband or wife is cheating on them, (3) for employers who think their employees are cheating on them, or (4) for people with Alzheimer's.
The important thing this study does is look at the laws that apply to these kinds of software. I don't want to get into that right now, but suffice it to say, there are some, since these devices are tracking and monitoring someone when they are not at home or work or anywhere else where it is legal to monitor another person. There are plenty of good reasons for the kind of monitoring that is done here, but we have to wonder whether those good reasons are the ones this software is purchased for, or whether intent of use is even a factor in purchasing this kind of thing. I wrote about what governments do with this kind of software, often made in the U.S. for law enforcement. We call this spying.
This is a tricky area to say the least. I should point out that these are the kinds of things this software does: (1) geo-fencing, i.e. tracking based on a defined boundary; when the subject leaves that boundary a message is sent to the tracking party; (2) intercepting and reading texts and e-mail; (3) the ability to access and view photos on the tracked device; (4) listening in on and recording phone calls; (5) reading the phone's browser history; (6) accessing and reading social media postings; and (7) using the speaker to listen in on events going on around the phone. I'm really glad my parents didn't have this capability when I was a teen, but I'm wondering why we allow this kind of software to be sold. It records phone calls without permission of either party; it looks at things that would clearly require a warrant if law enforcement used it; it looks at things that a spouse could get from a private investigator following a cheater, but only if those events were in a public place. This software gives us access to things we don't need and certainly have no right to have.
This report was for Senator Grassley of the Judiciary Committee, so we will shortly be seeing things related to this kind of surveillance, but I wonder if the good Senator can get consensus, especially on monitoring of employees in the workplace. Any business using this kind of thing would not be a good place to work. Imagine how you would feel about your employer doing all of the things this software will do. A tool to detect this kind of thing might be a better use of our money.
This is the kind of thing Willis Ware wrote about years ago, when he said we could stop computer crime but the things we have to do are things we might not want to do in a democracy. There is something wrong with us when this kind of thing is available in the marketplace and can define its use solely on the basis of its legality in a narrow corner of law. States have laws that ban devices on cars that look only at radar units that police use, but they have no laws that ban this kind of thing. We clearly do not have our priorities in the right place.
Tuesday, May 10, 2016
Syrian Electronic Army Hacker Brought to US
We are about to see one of the most interesting cases brought against a member of the Syrian Electronic Army, a semi-mystical group of hackers claiming to represent the Assad regime.
The first indictment of some of these folks was in March and was described this way: "According to allegations in the first complaint, beginning in or around 2011, Agha and Dardar engaged in a multi-year criminal conspiracy under the name “Syrian Electronic Army” in support of the Syrian Government and President Bashar al-Assad.
The conspiracy was dedicated to spear-phishing and compromising the computer systems of the U.S. government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government. When the conspiracy’s spear-phishing efforts were successful, Agha and Dardar would allegedly use stolen usernames and passwords to deface websites, redirect domains to sites controlled or utilized by the conspiracy, steal email and hijack social media accounts. For example, starting in 2011, the conspirators repeatedly targeted computer systems and employees of the Executive Office of the President (EOP). Additionally, in April 2013, a member of the conspiracy compromised the Twitter account of a prominent media organization and released a tweet claiming that a bomb had exploded at the White House and injured the President. In a later 2013 intrusion, through a third-party vendor, the conspirators gained control over a recruiting website for the U.S. Marine Corps and posted a defacement encouraging U.S. marines to “refuse [their] orders.”
This newest group, announced today is slightly different, but it is interesting that the individual was extradited from Germany.
"Peter Romar, 36, a Syrian national affiliated with the Syrian Electronic Army (SEA), made his initial appearance this afternoon before U.S. Magistrate Judge John F. Anderson of the Eastern District of Virginia on charges that he conspired to violate U.S. law, including by unauthorized access to, and damage of, computers and related extortionate activities; receiving the proceeds of extortion; money laundering; wire fraud; violations of the Syrian Sanctions Regulations; and unlawful interstate communications.
Romar, who was detained by German authorities on a provisional arrest warrant on behalf of the United States, was charged by criminal complaint unsealed on March 22, 2016.
According to allegations in the complaint, beginning in or around 2011, co-defendant Firas Dardar, 27, known online as “The Shadow,” and another member of the SEA’s “Special Operations Division” engaged in a multi-year criminal conspiracy to conduct computer intrusions against perceived detractors of President Bashar al-Assad, including media entities, the White House and foreign governments. Beginning in or around 2013, SEA members Romar and Dardar also engaged in an extortion scheme that involved hacking online businesses in the United States and elsewhere for personal profit. Specifically, the complaint alleges that the conspiracy would gain unauthorized access to the victims’ computers and then threaten to damage computers, delete data or sell stolen data unless the victims provided extortion payments to Dardar and/or Romar. In at least one instance, Dardar attempted to use his affiliation with the SEA to instill fear into his victim. If a victim could not make extortion payments to the conspiracy’s Syrian bank accounts due to the Syrian Sanctions Regulations or other international sanctions regulations, Romar would act as an intermediary in an attempt to evade those sanctions."
The first indictment of some of these folks was in March and was described this way: "According to allegations in the first complaint, beginning in or around 2011, Agha and Dardar engaged in a multi-year criminal conspiracy under the name “Syrian Electronic Army” in support of the Syrian Government and President Bashar al-Assad.
The conspiracy was dedicated to spear-phishing and compromising the computer systems of the U.S. government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government. When the conspiracy’s spear-phishing efforts were successful, Agha and Dardar would allegedly use stolen usernames and passwords to deface websites, redirect domains to sites controlled or utilized by the conspiracy, steal email and hijack social media accounts. For example, starting in 2011, the conspirators repeatedly targeted computer systems and employees of the Executive Office of the President (EOP). Additionally, in April 2013, a member of the conspiracy compromised the Twitter account of a prominent media organization and released a tweet claiming that a bomb had exploded at the White House and injured the President. In a later 2013 intrusion, through a third-party vendor, the conspirators gained control over a recruiting website for the U.S. Marine Corps and posted a defacement encouraging U.S. marines to “refuse [their] orders.”
This newest group, announced today is slightly different, but it is interesting that the individual was extradited from Germany.
"Peter Romar, 36, a Syrian national affiliated with the Syrian Electronic Army (SEA), made his initial appearance this afternoon before U.S. Magistrate Judge John F. Anderson of the Eastern District of Virginia on charges that he conspired to violate U.S. law, including by unauthorized access to, and damage of, computers and related extortionate activities; receiving the proceeds of extortion; money laundering; wire fraud; violations of the Syrian Sanctions Regulations; and unlawful interstate communications.
Romar, who was detained by German authorities on a provisional arrest warrant on behalf of the United States, was charged by criminal complaint unsealed on March 22, 2016.
According to allegations in the complaint, beginning in or around 2011, co-defendant Firas Dardar, 27, known online as “The Shadow,” and another member of the SEA’s “Special Operations Division” engaged in a multi-year criminal conspiracy to conduct computer intrusions against perceived detractors of President Bashar al-Assad, including media entities, the White House and foreign governments. Beginning in or around 2013, SEA members Romar and Dardar also engaged in an extortion scheme that involved hacking online businesses in the United States and elsewhere for personal profit. Specifically, the complaint alleges that the conspiracy would gain unauthorized access to the victims’ computers and then threaten to damage computers, delete data or sell stolen data unless the victims provided extortion payments to Dardar and/or Romar. In at least one instance, Dardar attempted to use his affiliation with the SEA to instill fear into his victim. If a victim could not make extortion payments to the conspiracy’s Syrian bank accounts due to the Syrian Sanctions Regulations or other international sanctions regulations, Romar would act as an intermediary in an attempt to evade those sanctions."
Thursday, May 5, 2016
Tit-for-Tat in Russia/NATO Standoff
We can see several news sources picking up a story on Russia saying they will put three new divisions on their western border to counter a NATO move to put additional troops in Poland. We can't really believe the Russians care very much about those troops in Poland because they don't amount to much in an area that size, but we seem to be spinning in a Cold War rehash of troop movements to help shore up the notion that Russia will try to duplicate Crimea and Ukraine somewhere else. If we are really concerned about it, we should be putting troops in Latvia and not Poland.
The Poland front comes as the U.S. has waffled around and finally settled on a missile defense system in Poland. This was something the Russians really don't like, but unless they plan on launching missiles at Europe, I can't, for the life of me, see why they are so concerned about missile defense.
More to the point is Steven Erlanger's New York Times piece today which summarizes NATO's actions up to this time:
"At the 2014 NATO summit meeting in Wales, the alliance decided to rotate small numbers of troops through the Baltic region; now NATO is planning to deploy four combat battalions of roughly 1,000 troops each in Poland and the three Baltic States: Estonia, Latvia and Lithuania. Two of them are likely to be American, one German and one British. And Washington will add a third combat brigade in Europe."
The response has been a long time coming, but it isn't over either. The next step is a Russian threat to move nuclear weapons, on delivery systems, into Kaliningrad, the small Russian exclave wedged between Poland and Lithuania. As Königsberg it was the capital of Ducal Prussia in the 1500s, and after WWII it went to the Soviet Union. Maybe they think the Poles or Germans want Kaliningrad back.
Anyway, it looks like the Cold War, which was very interesting to those of us fighting in it. More money will go to defense on both sides and the cycle of building weapons will start back up. Defense contractors on both sides loved those years.
Monday, May 2, 2016
Most Data Breaches are Government
I kind of got smacked in the head by the new Verizon Data Breach Investigations Report (DBIR), which shows the largest share of data breaches falling in the Public Administration category, i.e.:
"The Public Administration sector consists of establishments of federal, state, and local government agencies that administer, oversee, and manage public programs and have executive, legislative, or judicial authority over other institutions within a given area. These agencies also set policy, create laws, adjudicate civil and criminal legal cases, provide for public safety and for national defense. In general, government establishments in the Public Administration sector oversee governmental programs and activities that are not performed by private establishments. Establishments in this sector typically are engaged in the organization and financing of the production of public goods and services, most of which are provided for free or at prices that are not economically significant."
How do government CISOs manage to get together, when they must find it difficult to look each other in the face? There is little we can do about government security except complain, but we have some frightful examples in OPM, IRS and CMS, which never seem to get it right. OPM is talking about establishing another agency to do security clearances, which should put more distance between its own malfeasance and the memory of the number of security clearance records lost by that agency. Nobody can ever digest all the things that happened to lose that much personal data, but almost nobody has been disciplined for what occurred in any of these incidents. Government does not take the security of our data seriously and "works hard for us" by deflecting blame to anyone else it can find.
We have two basic things wrong with government security: (1) policy is made at NIST, when NIST was never supposed to make policy, only issue guidance that can be followed or not (they euphemistically call this "tailoring," and that is why they got the sensitive-unclassified responsibility), and (2) there are no mandatory security features that every government system must have to secure it from the outside.
A long time ago, I invited a staffer from Capitol Hill to talk about how the Computer Security Act of 1987 came to be and why it gave NIST responsibility for sensitive unclassified systems. I think he stunned our group when he said, "Because we didn't want anything to be done about it." Give NIST the things that we do not want to deal with or get involved in. Unfortunately, the list mentality of NIST was adopted by other government agencies and spread like wildfire. Nobody wanted to deal with the security of computer systems, and they got their way. The White House basically ignores it.
There are no mandatory standards for security anymore, and that is going to change. DoD, I have heard, has recently discussed dumping the NIST way of life and joining the real world: establishing basic policy and making some of it mandatory for all parts of the department. Somebody has to start. For the past 10 years people in our business have been making things up because there are no clear requirements (or, in the NIST case, 30,000 requirements for a system that have to be tailored to fit the round hole). We should have dumped them a long time ago.
Sunday, May 1, 2016
China, Icahn, and Apple
I was surprised by an article in the Financial Times this past weekend about Carl Icahn selling his huge amount of stock in Apple because of how he felt about the Chinese government's relationship with them. It turns out CNBC carried a number of stories that are well done and very detailed. Josh Horwitz summarized these well in a Quartz article at http://qz.com/673035/carl-icahn-sold-his-apple-stake-because-he-is-worried-about-chinas-dictatorship-government/.
It appears Apple is doing something Trend Micro and a few others have done: say "no" to China's new policy on turning over source code to the government. Horwitz also points out that Apple had previously complied with other elements of China's intrusive laws, including storage of data from that country on servers inside China, and censorship. Turning over source code is something nobody in their right mind would ever do, and apparently Tim Cook is still fine in that area. But Icahn may be right about the fallout from this decision. Harmony will not follow from a clash with the guys at the top. It is, however, unfortunate that Apple should be penalized for doing the right thing. Carl Icahn is the one penalizing them.
We should probably look more closely at U.S. companies that do turn over their source code. This is one battle that a few companies should not be fighting on their own. Most of the time companies do it and say nothing about it. Have we heard Microsoft, IBM, or Intel mention whether they have turned over source code to the Chinese government? Once the government has the source code it can sell that software, modify it, or take it apart to see how it really works. That directly undermines the proprietary software and damages those companies' market position; China will use it to compete directly with the companies that supplied the code. Mr. Icahn might want to take a longer view of this issue and praise Apple for what it did. Then he should be using his market position to find out which companies have given away their future by providing source code to the very government that steals it from us all the time.
While we are at it, we need to get the Obama Administration off of its backside to start doing something to protect our industries that operate in China. If China wants to play this game, there should be reciprocity: no Chinese company can operate in the U.S. unless it has a partnership with a similar U.S. company and provides its source code to the U.S. Government. Why do we continue to allow China to make up its own rules and try to get the rest of the world to play by them?