Monday, October 29, 2007

Our Broken Intelligence Agencies

HumInt/SigInt:
Human Intelligence, CIA
Signals Intelligence, NSA

The English have been masters at the spy trade for centuries. In WWII, the United States felt that it should get into the act and turned to the English for guidance.

With their tutelage, the CIA became a formidable tool against the Soviet threat throughout the cold war. We had clearly defined enemies with clearly defined borders. Gathering intelligence became a methodical science... then, once the Soviet Union collapsed, the clearly defined enemies with clearly defined borders went with it.

The growth of the internet created an atmosphere wherein information and 'intelligence' became a commodity. Then came the emergence of an enemy that is not only difficult, if not impossible, to define clearly, but who also operates entirely without borders: the polar opposite of what the CIA was trained to do.

Not only has this rule-set reset turned the CIA upside-down, it has rendered it all but useless. The UK isn't doing much better either. The problem is that western society itself is at odds with the rules required to make an effective spy agency. Our open government(s), free access to information, laws against spying on citizens and so forth are what both protect our civil liberties as well as create the environment in which our enemies can plot against us.

The CIA knew about al Qaeda operators operating in the USA prior to 9/11, yet did nothing to notify the FBI. This is because of the opposing nature of each agency. The CIA finds a criminal and wants to string them along to see what intelligence they can uncover by monitoring them. When the FBI finds a criminal, they want to string them up. From the CIA perspective, the FBI sure knows how to screw up an investigation and destroy your intelligence network.

The CIA is now dysfunctional to the point of uselessness. In fact, there isn't a single effective spy agency in the western world. The current battle we're fighting and the enemy we face is one that cannot be defeated by military might, it is a war that MUST be fought using intelligence.

So, the administration turned to the only other agency with experience in gathering intelligence on and monitoring enemies. It also happens that this agency's expertise is in SigInt, as opposed to HumInt. The problem is that the NSA is forbidden by law from spying on American citizens, UNLESS they are monitoring overseas communications. This exception has always been allowed, no warrant necessary. There is no law that states that I have the constitutional right to conspire with enemies overseas.

No other nation even comes close to the SigInt capabilities of the NSA...

Monday, October 22, 2007

No Rules, Just Write - and the OLPC

Does technology enable crime? Yes, but it isn't technology per se, it is connectivity in general.

Anywhere that you have connectivity combined with the absence of a functioning judicial system, you will breed crime. It doesn't matter what that connectivity is, or how you measure that connectivity - whether it is in paved roads, running water, electricity - each of these factors contributes to both the reach of commerce and the reach of criminals. The two cannot be divorced from each other. If you have a rapid expansion of transportation without an equal expansion of police power, criminals will exploit that weakness. In the wild west, outlaws would rob trains as they crossed the nation, knowing that the trains would be vulnerable and there was little chance of being caught.

Let's look at Russia. Back in the cold war era, there were technology export restrictions in place. With the fall of the Iron Curtain, those restrictions were relaxed. By the time we in the United States started going online en masse in 1995, upgrading our computer systems to Pentium machines running Windows 95, our old computer systems didn't go into the garbage; they were sold into the huge technological vacuum of the former Soviet Union.

Who are the early adopters of technology? Kids, of course! And Russia was no exception. Like a 16-year-old with a hot rod, the youths started souping up computers that we considered garbage. They got on to the internet using whatever they could, and once they connected to our information flows, they started teaching themselves programming. Because they were learning to program on outdated equipment, this forced them to become very, very good. There was no such thing as code bloat. Then you add 5 years to the calendar and what do you have? Little Ivan is no longer 15, he is 20 and has 5 years' experience - and therein lies the rub - Ivan cannot go out and get a job in information technology; there is no economy to support his skill set. So, he goes about earning a living any way he can. I call it "N0 RUL3Z, JU5T WR1T3". Ivan sets about writing spam software, creating Trojan horses, worms... this is where we see the emergence of the botnet.

Brazil wasn't far behind. In 2004-2005 we saw an uptick in the botnet arms race, with Russia being one-upped by Brazil in the Beagle/Bagle, Mydoom and Sasser botnet pissing contest.

There is a tide shift taking place. Putin has implemented a 12% flat tax which is bringing revenues flowing into the Russian economy for the first time in 15 years. They are reviving their legal system because they want to attract the Foreign Direct Investment dollars which will never come if they have no legal system that can enforce a legal contract. Along with the civil justice and FDI dollars, criminal justice must rein in corruption, otherwise the FDI dollars will quickly disappear. So, Russia is growing out of the script kiddie phase and reemerging onto the world scene. It's good to have Mother Russia back (New & Improved with 1337 h4x0rs).

I could go on providing details of history and economics, but I will leave that for the book I'm writing. But I will pose this question for you to think about: What effect do you think One Laptop Per Child will have on the future of cybercrime? If connectivity absent a legal system is the breeding ground for crime, what do you think will happen as the bottom billion in Africa gets online?

Computer security is all about dealing with the unintended consequences. Every computer and every system that was ever built was first done to share information, not secure it. Security only came after we got everything connected, then had the collective "awww crap!" moment.

Thursday, August 30, 2007

Global Policy Changes

From an Article on Slashdot on 8/30/2007:

Financial Services Firms Simulate Flu Pandemic

The U.S. Government is co-sponsoring a three-week exercise that will simulate the impact of a flu pandemic on financial services firms, including their ability to support telecommuters. The exercise is expected to be the largest in U.S. history and will involve more than 1,800 firms. From the article: 'The program will follow a compressed time frame that simulates the impact of a 12-week pandemic wave. Participants will be given information on how many absentee employees they can expect. Companies won't know exactly how hard they will be hit with sick-calls from employees until this data is made available ... In addition, participating firms won't be able to pick and choose the level of workforce reductions they get hit by.'

I think you might be very surprised at how much value comes out of running these types of simulations. I work in the tech field and that side of the story is easy to imagine, but as I worked with economists and academia it gave me a new appreciation that I would like to share with you.

Pre-Y2k, the government wanted to plan for the "Systemic Perturbations" that could come out of the Y2k bug. The US Gov't said to its top economists and military leaders: "Assume it is going to be bad, the worst case scenario." For once, perhaps the first time in history, we knew beforehand WHAT the vertical shock to the system was going to be and on what date and time it was going to happen. This gave the discussion a very real sense of importance because it wasn't hypothetical. In disaster planning, you don't know what the vertical shock is going to be. Think of a rock hitting a pond: you don't know how big the rock will be or when or where it will hit, and from a planning perspective it doesn't matter, because what you need to plan for is how to deal with the huge splash it creates and the waves and ripples that follow. Once you have created plans to deal with the splash and ripples, what they term "System Perturbations", you are then ready for any vertical shock (rock hitting pond) to the system. The rock can hit anywhere and be any size. We already know how to respond to the splash and run all the ripples to ground.

So, with Y2k, the Pentagon engaged the global financial firm Cantor Fitzgerald to plan for the vertical shock of Y2k and what sort of rule set resets were going to take place. If Y2k was going to be big - banks failing, power outages, trading stops, mass chaos, martial law - what would be the GLOBAL impact of such massive chaos? Interestingly, Cantor Fitzgerald stated: "I think we've seen this before, in China, with SARS."

Huh? What do China and SARS have to do with the Y2k bug?

The Chinese healthcare system, and by extension their entire government was very closed about revealing any of their internal problems. When the SARS outbreak happened, Chinese authorities ignored the problem. When SARS started spreading, the World Health Organization (WHO) started inquiring with China about the outbreaks and extent of the spread within China. China flat denied that any problem existed. When people started dying, the WHO shut down all flights leaving certain Chinese provinces suspected of spreading SARS. This had a DIRECT impact on the Chinese economy and government.

The Chinese immediately responded. "AH, roo mean SARS! Well, we have very much SARS!" To this day, there are police stationed at the airport who will approach any passenger and take their temperature on the spot. If you are running a fever, or you don't look 100% healthy, you don't fly. You've just won an extended 3-day vacation with all expenses paid by YOU, because they don't ever want to run the risk of spreading disease and having their airports shut down again. This also prompted the Chinese equivalent of the CDC to start cooperating with the WHO, which is why we know about the H5N1 "Bird Fru" virus years before it becomes a viable threat to humans.

The real lesson here was this: China received a vertical shock to their system. The direct result of that shock was rapid changes taking place to China's political system, changes that NEVER could have come about on their own absent the external influence. An external event causing internal change. Internal change that never could have come internally. Rapid policy changes that forever alter the way the country interacts with the outside world. This was huge.

The correlation to Y2k was the recognition that the vertical system shock to the global system would create unheard of system perturbations. The output of which would cause a permanent global policy change that would forever alter the rules by which governments interact with each other and how each government interacts with its own citizens. External events driving internal change.

Well, as we all know, on 01 January 2000 at 00:00:01 hrs: nothing happened. There was no vertical shock. We planned for the worst and the best happened, with the possible exception of the ten million pissed off network administrators that spent the party of the century sober watching server lights blink.

Then, a year and nine months later, something did happen. 11 September 2001 was a huge vertical shock to the global system. The result of which caused massive global policy change that forever altered the rules by which governments interact with each other and how each government interacts with its own citizens. For the first year after, every day you could pick up the paper and read about a NEW law being passed or policy being implemented that would forever change business-as-usual. To this day, you read any newspaper and you'll see some story that can be traced back to that event. It was a massive global rule set reset. It could be said that the reason that the USA recovered so well from 9/11 was a direct result of the system shock and perturbations that were planned for on Y2k.

The second major lesson was that you cannot predict the vertical shock, but you can plan for the horizontal output and how you'll run those situations to ground.

So, the impact on Information Technology is simply a very small, yet very important sub-component of these war games.

Tuesday, August 21, 2007

Wells Fargo Bank Offline - 48 hours and counting

Wells Fargo Bank, the nation's fifth largest bank with over 6000 locations, is now 48 hours into a total system collapse which started on Sunday, 19 August 2007. All transactions have stopped, dead cold. Deposits, withdrawals, online payments, ACH transfers, Fedwire, e-v-e-r-y-t-h-i-n-g is down.

They issued a press release yesterday, stating that they had experienced a "service disruption", an excuse that worked yesterday. Today, I want answers.

Where is my money? Is it safe? Can I access it?

I monitor the activities of online criminals, primarily Russians. In visiting their online forums, they're speculating about what the problem is, but what they're really doing is gearing up for a massive phishing run unlike any seen before. The criminals have now amassed databases of "fulls", a term they use to indicate they have the target's full personal information; all they need is access to the online banking.

Their increased sophistication is evident in the emails they're crafting for this scam.
=====================
Dear {firstname} {lastname},
Your primary email address for Wells Fargo Bank Online has been successfully changed.
Thank you for using Wells Fargo Bank Online Services

Save time and money by paying your bills online. Its safe, secure and easy to set up. For more information sign in to online banking center and click the 'Bill Pay' tab.

=====================

And that's it... this email, combined with other tried and true techniques, is sure to catch a few phish. Adding insult to injury, Wells Fargo customer service is already swamped with complaints, is going to be playing catch-up with millions of delayed transactions, and is sure to let transactions through and deal with the consequences later.
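A defender-side check for a lure like the one above, added here as an example and not code from the post: it flags merge fields the sender never rendered, a brand named in a message sent from a domain the brand does not use, and the account-change pretext, and it requires two of the three so that a genuine change notice is not flagged alone. The From address, Subject and lookalike domain are constructed assumptions; the post quotes only the body.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the lure quoted in the post. The From address,
# lookalike domain and Subject are assumptions; the post shows only the body.
SUSPECT_EMAIL = """\
From: "Wells Fargo Online" <alerts@wellsfargo-online-secure.example.net>
To: customer@example.org
Subject: Your primary email address has been changed

Dear {firstname} {lastname},
Your primary email address for Wells Fargo Bank Online has been successfully changed.
Thank you for using Wells Fargo Bank Online Services

Save time and money by paying your bills online. Its safe, secure and easy to set up.
For more information sign in to online banking center and click the 'Bill Pay' tab.
"""

# Control (constructed): the same notice as a real bank might send it. Only the
# assumed legitimate sending domain and a rendered salutation differ.
CONTROL_EMAIL = SUSPECT_EMAIL.replace(
    "alerts@wellsfargo-online-secure.example.net", "alerts@wellsfargo.com"
).replace("{firstname} {lastname}", "Jane Doe")

# Domains the impersonated brand is allowed to send from. A deployment would load
# this from policy; here it is a constructed allow-list.
BRAND_DOMAINS = {"wells fargo": {"wellsfargo.com"}}

MERGE_FIELD = re.compile(r"\{[A-Za-z_]+\}")
ACCOUNT_CHANGE = re.compile(
    r"\b(email address|password|phone number)\b[^.]{0,60}\b(changed|updated)\b",
    re.IGNORECASE,
)


def phishing_indicators(raw_message):
    """Return the list of indicators found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    text_lower = text.lower()
    found = []

    # 1. Merge fields the sender forgot to render, as in the quoted template.
    fields = sorted(set(MERGE_FIELD.findall(body)))
    if fields:
        found.append("unrendered merge fields: " + ", ".join(fields))

    # 2. Brand named in the message but sent from a domain the brand does not use.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text_lower and domain not in domains:
            found.append(f"{brand} named but sent from {domain or '<no domain>'}")

    # 3. Account-change notification, the pretext this lure relies on.
    if ACCOUNT_CHANGE.search(text):
        found.append("account-change notification pretext")
    return found


def is_suspect(raw_message, threshold=2):
    """A legitimate change notice trips indicator 3 alone; require two signals."""
    return len(phishing_indicators(raw_message)) >= threshold
```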

I will provide updates as this situation unfolds. The problem is already big, and it's going to get a whole lot worse.

Joel Helgeson

Monday, July 30, 2007

U//FOUO

"Unclassified // For Official Use Only" is the key phrase nowadays of the intelligence services, because the sources for their intelligence are, to a very large extent, Open Source information such as blogs and newspapers. Historically, the source of intelligence was our intelligence agencies. Now, all they are is information agencies - repositories, if you will. The information they once held is now online, and all they have left is their operational intelligence. This has left them feeling very disempowered, and whining. An intelligence analyst is now just another knowledge worker, just like me, which is just a fancy way of saying that we add value to information.

The average Joe Sixpack now has access to more information than ever before. What we don't have, and don't need to have access to, is the ops intel that comprises the majority of classified intel today. For example, on 9/11/01, when President Bush was airborne, the press speculated about the location of Vice President Cheney. Many in the press speculated that he was being hidden away in the bunkers beneath the White House. While they may have been correct, Cheney's actual location was classified. The press could speculate all they wanted; the Secret Service would not reveal anything other than that he was safe. Had any Secret Service agent come out and confirmed his location, that would have been disseminating classified information.

Sunday, July 29, 2007

Why Security Clearances don't matter

Intelligence agencies are having a tough time moving from the cold-war era mentality of "on a need to know basis only" to a collaborative "let's work together" environment. The root problem here is that the intelligence agencies discovered the value of information before the information age even existed. They learned long ago that knowledge==power. The tighter the grip you keep on the former, the tighter your grip on the latter.

There are 16 government agencies that deal with intelligence information. If any of them wish to share information with each other, the public or Law Enforcement, it must first be cleared by an ancient cold war superior who still thinks he's fighting the Russians, who scours every snippet of intelligence set for distribution using his trusty highlighter pen that we folks in the civilian sector call a Sharpie. It's like they're waiting for his retirement party before they finally clue him in that he's been using a black magic marker all those years.

The key issue is that there is no defined method for declassifying intelligence or deciding what information can be shared with others outside the intelligence services (IS). Efforts to provide the framework have met with glazed stares from the IS community, as they've built up their vertical silos of information, never anticipating the day when lateral sharing of information would be asked of them.

Then, this report gets released, from which I quote:
Despite numerous directives, exhortations, and invitations to do so, federal policymakers have failed to develop uniform standards for converting classified intelligence into an unclassified or “less classified” format that can be disseminated rapidly to appropriate state, local, and tribal authorities to thwart terrorist attacks.

They likewise have failed to create effective mechanisms through which the particular intelligence needs of those authorities can be voiced and met, or where their own information assets can be shared with the Intelligence Community (IC). This distressing lack of leadership has persisted for more than four years. In an effort to move the IC from a Cold War era “need to know” mentality to a “need to share” mindset responsive to today’s threats, Congress passed the Homeland Security Act of 2002 (Homeland Security Act). The Act directed the President to develop procedures for the declassification and dissemination of intelligence information and recommended several possible approaches. It took nearly seven months before an Executive Order took the small step of delegating this responsibility to the Department of Homeland Security (Department). When the Department failed to act, President Bush issued a new Executive Order more than a year later directing all federal agencies possessing or acquiring terrorism information to assist the Director of Central Intelligence (DCI) in developing common standards for information sharing – including standards that addressed the conversion of classified intelligence into an unclassified or “less classified” format. Still nothing happened. Congress subsequently tried to prod the process along with the Intelligence Reform and Terrorism Prevention Act of 2004 (9/11 Act), directing the new Director of National Intelligence (DNI) to establish uniform means and methods for this purpose. It was not until April 2005, however, that the President actually appointed a Program Manager to take on this task. Since that time, the Program Manager has made little progress in harmonizing the disparate approaches to declassification within the IC. Residual cultural resistance to information sharing between the various federal intelligence agencies has only compounded the problem.

What has happened is that every time the IC has tried to develop a database of information, or share, disseminate or declassify information, it is lambasted by privacy rights groups. So, more and more, the IC themselves are turning to private organizations who have databases on the American public that are far more comprehensive than ANYTHING the intel agencies would ever be permitted to gather. Think ChoicePoint, Equifax, Experian, TransUnion, LexisNexis, and so forth. As a private citizen, I have more access to this information than the IC or LEO.

It is astounding to see how often common blog posts are cited in intel reports as reliable sources for actionable information - and they should be. Blogs are the greatest, most efficient method of gathering intel from distributed sources around the globe.

What does this have to do with you and me? Well, this will be the subject of future postings.

So, until next time...