Wednesday, October 17, 2012

Tools of Oppression

"In reality, cyber tools of oppression are most often in the form of databases."

Just a short note for the day. Gary McKinnon not being extradited is interesting as well - truth be told, America's sentencing guidelines for hackers tend to be far out of the ordinary for a first world nation. Generally a hacker is looking at more time than a rapist or murderer, which is probably a bit out of whack.

You don't see the EFF going on about this though. You do see them talking about exploit sales, which I think is a misjudgment.

Monday, October 15, 2012

Being "held accountable" is the new black.

There's a general proscription in the IC about talking in any way about offensive things - for good reason. For that reason, I recommend you take a grain of salt with some of the things in Secretary Panetta's talk (here).

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco.  Shamoon included a routine called a ‘wiper’, coded to self-execute.  This routine replaced crucial systems files with an image of a burning U.S. flag.  But it also put additional garbage data that overwrote all the real data on the machine.  More than 30,000 computers that it infected were rendered useless and had to be replaced.  It virtually destroyed 30,000 computers.

For example, the reason the Iranians named their module "wiper" is to throw the name back at their attackers, who had previously destroyed some Iranian oil refinery computers ( .

Over the last two years, DoD has made significant investments in forensics to address this problem of attribution and we're seeing the returns on that investment.  Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.

Likewise, offensive operations are how you do attribution, although defensive tools (such as forensics) typically have a small role as well (IMHO).

A big question here is the meaning of "Hold them accountable." Does this mean targeted assassination, the way it does with Iranian nuclear scientists? Is that how far we've come?

Friday, October 12, 2012

There's been no real "Cyber Security" in the last two debates, either the Presidential or last night's VP debate. In fact, there's been very little "tech" at all in the last few debates, although the Republicans are coming out as "anti-green-energy-subsidies" which may or may not be a good political move.

Is it possible we'll get all the way to the election without cyber security becoming a Presidential-level issue?

Monday, October 8, 2012

There are Consequences for Getting Caught

So the big news is about to drop. The unfortunate thing, whether Huawei has been spying or not, is they are in a very difficult and indefensible position. Even their direct whitepaper response leaves a lot to consider.

Huawei's response that it would require hundreds of thousands of people to pull off an attack of this magnitude is false. The final firmware burn-in on their products would be controlled by very small teams, if not individuals. A well-placed government asset in this position could very easily slip in code that passes all regression testing by the quality assurance team but has additional behaviour that doesn't affect the end product.

Assuming their manufacturing process is locked down, do they apply the same rigor when handling remote firmware updates? Numerous times in the past we've seen build servers (à la Adobe) or source repositories get remotely compromised. The result varies, but the typical end goal is to backdoor the product, and Huawei is a prime target for an attack of this nature. The important thing to note is that this does not require an embedded government asset, only a well-placed attack. Let's not forget that Cisco had their own breach that saw an 800MB chunk of source code get stolen, some of which was later publicly posted. Had the Cisco attacker used a little less ego, he very well could have begun a targeted campaign to backdoor Cisco products or IOS updates.
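The remote update channel the paragraph asks about is the one part of this picture a vendor can protect with a mechanical check on the device. What follows is an added example written for this post, not code from Huawei, Cisco or any other vendor: a device-side routine that accepts a firmware image only if a vendor-signed manifest (Ed25519 over a version number and the image's SHA-256) verifies under the public key burned into the device, the version is newer than what is installed, and the delivered bytes match the signed digest. The manifest layout, the function names, the key handling and the sample image bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest (assumed layout, not any vendor's).
// The vendor signs the image's SHA-256 digest together with a monotonic version
// number, so a replayed older (but genuinely signed) image is rejected as a rollback.
type Manifest struct {
	Version   uint32
	Digest    [32]byte
	Signature []byte
}

// NewVendorKeys generates the vendor's Ed25519 signing key pair. In a real
// product the private key would live in an HSM and only the public key would
// be burned into the device at manufacturing time.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// manifestMessage is the exact byte string that gets signed: a fixed layout of
// 4-byte big-endian version followed by the 32-byte digest, so there is no
// ambiguity about what the signature covers.
func manifestMessage(version uint32, digest [32]byte) []byte {
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// SignImage is the vendor-side step at release time.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		Digest:    d,
		Signature: ed25519.Sign(priv, manifestMessage(version, d)),
	}
}

// VerifyUpdate is the device-side check run before an image is written to flash.
// installed is the version currently running on the device.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// 1. The manifest must be signed by the vendor key this device trusts.
	if !ed25519.Verify(pub, manifestMessage(m.Version, m.Digest), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	// 2. Anti-rollback: refuse anything that is not newer than what is installed.
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: manifest version %d <= installed %d", m.Version, installed)
	}
	// 3. The image actually delivered must be the one the manifest vouches for.
	if sha256.Sum256(image) != m.Digest {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, err := NewVendorKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample bytes standing in for a firmware image.
	image := []byte("constructed firmware image, version 2")
	m := SignImage(priv, 2, image)

	fmt.Println("genuine image:", VerifyUpdate(pub, 1, m, image))

	// One flipped bit, as a compromised update server might deliver.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, tampered))

	// A genuinely signed image that is not newer than the installed one.
	fmt.Println("replayed version:", VerifyUpdate(pub, 2, m, image))
}
```

The check covers the distribution channel only. An image backdoored on a compromised build server before it reaches the signing step, which is the scenario the paragraph describes, passes every test above, so the build and signing steps themselves need their own controls (reproducible builds compared across independent builders, signing keys held in hardware with audited access) rather than relying on the device-side signature alone.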

This raises the question: how do the CSO of Huawei, or the US government, know whether or not the supply chain has been compromised? The only way for the US to know this for certain is to have someone embedded at the same trust level as the people actually coordinating or carrying out the espionage. Disclosing this fact would compromise their own position, which makes it less likely, but still a possibility.

Could it also be that Huawei has been caught enough times, and a mountain of independent evidence has finally piled up to a tipping point? If this is the case then how does their CSO not know that they have been compromised? If this is true, it is the most damaging situation Huawei could find themselves in.

I often wonder why the US has picked Huawei out of a number of foreign telecommunications manufacturers. Why aren't we examining all foreign entities that power critical infrastructure in North America? The unfortunate thing is the congressional report will give the high-level information, but its classified annex will have the real dirty details as to why they did this in the first place, information that only a select few will have access to. Yet they are still free to wage a very public campaign against Huawei.

There is a key takeaway from this story that other foreign companies should be aware of. If the US comes knocking at your door: open it, let them do what they want, see what they want, and record what they want or they will make you pay dearly for it.

UPDATE: The committee report is here.