Chinese Crackdown, U.S. Outgunned

The Wall Street Journal just ran a cover story titled “U.S. Outgunned in Hacker War”.

Run for the hills!

No, wait, let’s take a closer look. My first reaction was to look for details on who is outgunning the U.S. My second reaction was to look for a definition of a “Hacker War.” Unfortunately, the story comes up short on both counts.

The reader is left without clarity about who is shooting or what was meant by the term war. That is unfortunate because it would not have been hard for them to write a more balanced (e.g. include a counter-point) and substantive (e.g. include some data) story. Here is how I tried to make some sense of this story using a few simple steps.

The WSJ uses a quote from the FBI to start their story.

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

Could this be in terms of U.S. criminals who are plundering U.S. assets? Why would I ask that? Let’s jump right past all the glaringly obvious examples of Bernard Madoff, Kenneth Lay, Jeffrey Skilling, Andrew Fastow, Bernard Ebbers, Scott Sullivan…and look at some of the latest data on IT threats from a security solution vendor.

  • More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
  • Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
  • On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week…

Also, as I explained in my presentation on breach data at the RSA SF 2012 conference, the U.S. shows up in many reports as the #1 source of threats. Sophos lists America as the top spam-producing country (China is the most attacked, according to them), while McAfee says 73% of malicious online content is hosted in the U.S. In other words, the U.S. currently is allowing attackers to attack the U.S. So, if we add this detail to the story, can we conclude the U.S. is outgunned by the U.S.?

Before I answer that, you may say this data is from vendors and of course they are stoking fear. That is true but it at least gives us some quantitative detail to assess on our own and verify. The Wall Street Journal mentions no data at all.

More to the point, we could make a similar argument about the Wall Street Journal source that starts their story. The perspective they cite actually is from a person leaving for a private sector consulting practice. Clearly Henry stands to profit more, and help his consulting firm win clients, when he stokes generic security fear.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy.

…operators at Mr. Henry’s firm are standing by to sign you up for a new service. You can have all the major change he says you need for the low, low price of just $$$K/month.

So the first technique I recommend when reading these scare stories is to seek transparency: get to the data and verify the analysis. Always factor in and account for bias. We should not be satisfied with stories of a threat mired in sophisticated or advanced details, especially from those who stand to profit from obfuscated services. As Einstein once said, “if you can’t explain it simply, you don’t understand it well enough.”

Now back to the question of the U.S. outgunning the U.S. The Wall Street Journal suddenly and without explanation brings up China.

Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them.

As Richard Bejtlich must know, the vast majority of companies don’t realize they are breached until someone else tells them, full stop. The new Verizon DBIR says 92% of incidents were discovered by a third party. That data point has nothing to do with China or the Chinese.

I have commented before on errors from those with an anti-Sino fixation. It is not clear to me why the Wall Street Journal is so eager to follow their fixation without question.

Breach data, referenced above, shows that the Chinese are not the most likely source of attack. Beyond that, when I read Bejtlich’s latest opinions I ponder how the person who named his book The Tao of Network Security Monitoring, his company Tao Security, and his twitter handle @taosecurity (using the yin-yang symbol as his company logo) has become the person trying to convince us that the Chinese are stealing ideas from America.

I’m not saying the U.S. should not accuse the Chinese of copying ideas, since obviously attacks can come from anywhere and a Bernie Madoff could be born in any country; but those in the U.S. who worry about transfer of knowledge should be careful to put their accusations in perspective. Noodles, gunpowder…so many things popularised as American are obviously not from America. The issue of “who” is complicated but focusing on outsiders may be a distraction from more likely threats. We should be careful before we de-emphasise or fail to account for the risk from insiders.

The answer to my first question about the WSJ title, I would argue, is that the U.S. is actually outgunned by the U.S. This includes outsiders granted insider access. It also includes threats from trusted insiders — those supposed to be protecting other insiders.

The second technique I recommend when reading these scare stories is to seek details on the vulnerabilities. Once we identify who is involved, we also need some idea of their capability to cause actual damage. Ironically, I can’t think of a better example than China to illustrate this point.

News has been flaring up about a crackdown in China on expression. The Chinese are upset about the Chinese and are restricting speech they consider harmful.

Authorities also closed 16 websites and detained six people, Xinhua reported, for allegedly spreading rumors of “military vehicles entering Beijing and something wrong going on in Beijing,” a spokesperson for the State Internet Information Office told Xinhua.

This is a case where an authority sees a threat so great that they take action to reduce risk. As Americans we most likely disagree with the Chinese government’s assessment of vulnerability. We live in a country where freedom of speech is said to make us stronger (still with some exceptions).

However, if you look past the question of who the threat is and on to the question of capability, then the Wall Street Journal story really comes down to the FBI calling for more “guns” to fight a “Hacker War” so they can increase their capabilities, perhaps to the level the Chinese are demonstrating with their latest crackdown.

Americans reading the Wall Street Journal story might be distracted by the Chinese tangent and think this is an us versus them war. But the reader is wise to think much more carefully about whether and when they trust an increase of power in authority to crack down on threats that may actually be on the inside.

Alas, we’re now back to the question of what they mean by “Hacker War”. If we try to define war without any notion of internal threats, then it becomes more of a discussion of whether and where the U.S. is working on ways to undermine or bypass sovereignty again. But it should hopefully be clear by now that the threat is not just external.

Perhaps the best way to look at this is by comparison with healthcare risk news. If the Wall Street Journal ran a story on the latest data on eating well, they probably would have titled it “U.S. Outgunned in Sugar War.” So the question becomes: why are we allowing ourselves to do so much damage to ourselves? Or maybe the question, in terms of Bruce Schneier’s new book, is how much damage is acceptable before we are willing to give more firepower to authorities, knowing how much it can reduce our freedom.

Big Data Integrity

At the Structure:Data presentation last week Dave Aspery and I discussed some of the common and new integrity issues with big data. One of them was the issue of data tampering and pollution related to marketing campaigns and product placement.

Dave’s diaper example was classic. I apologize again to the audience for saying it sounded like a messy clean-up. It would be more fair to say that the damage really depends.

Soon after leaving the presentation I saw this, which nicely illustrates what we were talking about.

SF Bike Theft Workshop

Although the title suggests you could learn how to steal a bike, the workshop is actually meant to be the opposite. Then again, there’s nothing to say attendees will not be looking for new and better ways to steal bikes.

The San Francisco Police Department is hosting a forum to explain its position on the growing problem of bike theft in the city.

Thursday, Mar. 29
6:30-8pm
Community Room
Mission Police Station
Valencia St at 17th Street

SF Police Department & SF Bicycle Coalition Bike Theft Workshop: Join the SF Police Department and SF Bicycle Coalition for a conversation and workshop on bike theft in the city — hear from the San Francisco Police Department on what they’re doing to fight bike theft and investigate and prevent it. Learn the most effective locking techniques, tips to avoid losing your two-wheeled treasure, see demonstrations of hardware and registration services and find out how to maximize your odds and help the police fight back.

They undoubtedly have not coordinated the meeting with a local lockpick club, or even a locksmith, to demonstrate how weak bike locks are. That would make for a far more interesting meeting.

Here’s an infographic of bike theft in the Bay Area by @clubantietam, based on Craigslist bike listings with the word “stolen”.

Bike Theft Map

Rain = 600% increase in So. California road accidents

Southern Californians are known for a love of, if not an obsession with, spending much of their time holding a steering wheel and staring at the tail lights in front of them.

Los Angeles county road

One might think all the time on the road and money spent on cars would mean that risk will decline, but here is some new data that suggests the exact opposite can happen — when it rains:

Traffic crashes jumped more than 600 percent in Los Angeles County Saturday morning, compared to the same period last Saturday when roads were dry.

[…]

Some 422 crashes were reported in Los Angeles County between 5 a.m. and 10 a.m., CHP Officer Tatiana Sauquillo told the San Gabriel Valley Tribune. During the same period a week ago, when the weather was dry, 58 collisions were reported, she said.

This is a nice example to pull into information security discussions for at least two reasons.

First, despite the technology advances to handle wet conditions, people still were unable to avoid disaster. Just as with information security, the users may not have had the latest technology, they may not have had sufficient training to use the technology, or they may simply have been in a situation that the technology was unable to prevent. It is clear that technology has not yet solved a problem — inclement weather control — that has been a serious concern for decades.

Second, it is not clear whether this risk was a factor in the decision by those who removed the largest streetcar system in the world and replaced it with asphalt and unprofessional drivers.

Clearly, GM waged a war on electric traction. It was indeed an all out assault, but by no means the single reason for the failure of rapid transit.

It was not the single reason, perhaps, because of the natural market effects that occur when new technology is introduced. Buses at first were probably easy to market as superior to the streetcar. Then cars were easy to market as superior to buses. Why the streetcar had to be removed is not clear, however, which is why a bus/car manufacturer might be seen as the source of pressure to remove the streetcar as an option.

Whether or not you buy the conspiracy argument, or the natural market argument, about technology choices for transportation in Los Angeles, there continue to be some very interesting data points related to the study of risk compared with other urban areas. In brief, factors like pride, conformance, convenience, cost, etc. may drive consumers (pun not intended) into positions of higher short-term and long-term risk.

“Exhibit 2” from General Motors and the Demise of Streetcars, Transportation Quarterly, Vol. 51, No. 3, Summer 1997, p. 52