Wednesday, December 18, 2013

Computers Can Be Hacked Using High-Frequency Sound: Scientific American


A lot of the experts are downplaying this exploit, but they do so at great risk: some of the first great attacks against computers were based more on audible and low-frequency keyboard emissions than on network exploits. If you could get the passwords a person typed into his computer, you could usually get on the network; in the early days we could wirelessly get onto some pretty classified networks. I wrote a blog post on mixing low- and high-tech spy techniques to really rock the world of some of these new cyber defenses: http://www.ctic.co/2013/08/spys-it-all-gets-very-dangerous-when.html

In past blog posts, as well as in some radio interviews, these types of cyber attacks have been discussed. There is a real issue with cyber security types focusing on just the internet vulnerabilities. There is a reason the CIA and NSA, along with DIA and others, still have physical security teams around to exploit any weakness they can find. All agencies still collect trash, and some of the neatest scanner and computer algorithms are the ones that put shredded trash back together.

In one radio interview I did with JJ Sutton on his show, we discussed all the ways the agencies put teams together to gain intelligence: http://webtalkradio.net/internet-talk-radio/2013/08/05/on-americas-frontlines-of-crime-and-war-conversations-on-digital-collection-intelligence-with-rich-roth/ If we can get an unencrypted draft of a policy or of meeting notes, we can get a good idea of what else to look for. At times we have all we were trying to get right there.

Tempest, once a code word that could not be talked about in an unclassified environment, was one of the first attacks against computers. Very passé nowadays, it is still in use under the right conditions. This sonic attack is what I am sure some old spies would claim to be a spin-off of an even more basic Tempest attack. Back when people still used typewriters, the sound and the electrical spike measured from the time a person hit a key to when the print head hit the paper were very readable; in fact some agencies could read the output of this type of attack as fast as it was typed.

We need to be aware that the oldest-school intel attacks are still in vogue. The cyber security folks need to watch a little Mission Impossible. If an attacker can get in and put a video camera on your computer screen, it can be just as effective as a computer hack, and now we know who actually was working the computer.

When ATM thieves go to work, they use fake card readers attached to the ATM to get the information off the card, but they often use video cameras they install close by to get the code you type into the keypad. An added advantage is that they can often see over your shoulder how much you have in the account as well, which is why most ATMs will only give you a printout of the balance, not a visual readout.

Mixing old school with new is still producing results.

Monday, December 16, 2013

Judge: NSA phone program likely unconstitutional - Josh Gerstein - POLITICO.com


I know a lot of folks feel this is a good decision by the judge. But I do not think it made us any safer, and I am very sure that our privacy is not any better because of it.

There is a very good tool that NSA and other government agencies have developed over the years. It is based on a very sophisticated link analysis model. In its most basic form, it shows that a known bad guy has talked to someone else. That by itself is a lead for an investigation, but that is the basic mode. Now the bad guy has talked to a person; that person, without anyone finding out anything else about him, like a name or anything else, now talks to others, none of whom are bad guys, so the number pretty much fades into the blur. But think if that number talks to another person who talks to another bad guy; now we may have something. Still very basic, but it meets the NSA three-jump rule, which does allow for more investigation. Or not.

Now take the same communications pattern, but add a little sophistication to the analysis that says: after the pizza call, the number notifies someone within less than 60 seconds, who then calls two others within 60 seconds. Now run that pattern against a known terrorist notification or drug distribution case. It turns out that not many people who order pizza start calling others quickly after making the call. But still it could be innocent, so you just keep the template running, and find that this happens a lot from this pizza store and not from other stores in the area. Now we do nothing but report this to the FBI, or another agency, which gets the warrants to go deeper into this issue. If that agency does not find anything, they report, actually they bitch, to the NSA that they just went on a wild goose chase. NSA files this and retweaks the analysis program.

Now do this with emails, or stock purchases, or a mixture of both, or all of them. The computer algorithms get more and more sophisticated. The track record of successes, or failures, keeps refining the program. Every time a new terrorist cell, or cyber identity theft ring, or malware distribution is discovered, the program is refined. Now add an analyst to the mix, because people are still the best way to separate a school phone tree about a school closure from a terrorist cell.

Now run this program against the millions of phone calls and emails out there, and you find that you discard over 90% of the information as not interesting to the intel field. Of the remaining 10%, analysts get rid of another 90% of what is left, and then the agencies get rid of another 90% with the briefest of investigations. Like looking up names and finding it is a wedding party where a few of the folks have been involved in criminal or suspect activity in the past, but this is just a wedding party's communications link.

Now you are down to very few people ever even being looked at because of the huge NSA database.

Something I am willing to allow happen.

France is trying to collect all the same data, and I am telling you straight out that they do not treat the data as private at all. If they can help a French company find a way to get more of the wedding business, they will provide that data to French companies. If many countries find out you are visiting porn sites, or perhaps even a Christian evangelical site, they will probably act on it in some way.

But Google, AOL, as well as many other private companies, are also doing similar data mining of all the data they collect. Most of the time we have given them the right to violate our privacy by checking a box online, on terms we have never read. I know I read more of these disclaimers than many, and I still give them permission just so I can get what I want from the web faster.

Bottom line, NSA is not the problem,

Saturday, October 12, 2013

Signals intelligence operational platforms by nation - Wikipedia, the free encyclopedia


I think Snowden was one of the gullible types who believe that the US and the UK were ganging up on other nations and our own people, that we were the bad guys in all of this. When Libya fell, one of the first things exposed was its rather large signals intelligence capability. When you travel to foreign countries you will quickly notice that even small countries control web content access as well as monitor phone calls fairly obviously.

One of the eye openers should be the fact that Cuba basically offers itself to other countries as a platform to gather signals intelligence. China has had systems there for years to monitor cell phone and data traffic in the US. Now, if you are worried about what the US is doing, think about China. What will they do with that embarrassing cell phone conversation you had with a girlfriend or prostitute, or that call you made to get better treatment on some business deal that was just a little in the gray area?

They will use it to draft you into working for them, or perhaps offer the information as a service to your competitors, then use them as talent, or double agents. As disclosed in the Wikipedia article on Cuba:

Russia and China, at various times, have operated or are operating intercept stations in Cuba. The largest and best-known, Lourdes SIGINT Station, was shut down by Russia in 2001, along with the Russian station at Cam Ranh Bay, Vietnam.[2] Additional bases are in Cuba, two of which are operated by China:[3]
Bejucal
Yaguajay
Santiago de Cuba
Paseo
Chinese personnel, in 1998, began operating the Bejucal and Santiago de Cuba facilities. The first seems concerned with intercepting US telephone communications and data traffic, while the second appears aimed at US military satellites. One is a large complex at Bejucal, just south of Havana, which has ten SATCOM antennas, and which is primarily concerned with intercepting telephone communications in the US.[3] A 'cyber-warfare' unit at the station focuses on computer data traffic. The second is located northeast of Santiago de Cuba at the easternmost part of the country and is 'dedicated mainly to intercepting U.S. military satellite communications'.

Before we worry about the US, you need to worry about the countries that do not have any responsibility to protect you. France, for instance, has long held that its intelligence gathering can be and is used to give French businesses an advantage over their foreign competitors. Businessmen have been warned for years to be careful what they say in French airport travel lounges, and even in the first class areas of their aircraft. But take a look at this revelation of their capability:

France: Strategic Ground Platforms:
The technical department of the French espionage service, DGSE, operates a major communications satellite collection site at Domme, in the Dordogne valley to the east of Bordeaux, in south-western France. This site, which includes at least 11 collection antennas, seven of them directed at Atlantic satellites, is clearly as extensive and capable as the largest sites in the UKUSA network. Reports by journalists, cited in the European Parliament report, confirm the Domme installation, and also a facility at Alluetts-le-Roi near Paris. There were also reports of stations in Kourou in French Guyana and in Mayotte.

Now I do not think for a moment that France can match the US in storage capacity, but the fact that some think they do should be of concern, and is also a good reason that NSA planned and is building the huge storage site in Nevada.

So far we have just touched on the ground-based gathering systems; go further and look at the collection being done by China and others with ships off the coast of the US, planes flying in airspace that allows them to pick up communications, and finally space-based collection systems.

At one point in the Cold War, the Soviets used to bring in huge intel-gathering containers, and then would book them to travel across the US from one of their consulates to another by train, even by truck, always trying to pick routes that came as close as possible to the US sites they wanted to gather information from. I am not sure if the new Russia is still doing it, but remember Putin is a former spy, and loves the technical end.

If you are going to wonder or worry about what the US is doing, and even what Google is doing, go ahead, but just think of that information in the hands of a hostile country, or even a friendly country like France, or even Israel. Now that should really make you worry: no one is going to spank them for violating your privacy; in fact they will get rewarded for a good job. Yes, the US is the best at it, so far, but the US is also the good guy, or at least the better guy, in this ongoing war of signals intelligence.

Now just for a second think about the Russian mafia, or the Israeli mafia, working in the US; even without any support from their countries, they can buy equipment like Libya used for intel gathering on the open market. In just a few minutes on eBay, I came up with enough equipment for sale to monitor and trap all the cell phone data within a quarter mile or so, and in low signal areas perhaps even a mile or two.

For instance:

As a signals collection device, this test instrument, like many others for sale, can mimic a cell site and gather data and voice communications. The cost is up there, but the return on investment for a criminal is well worth it.

Test equipment has long been where government intel buys what they need, and on the used market it is readily available to others as well.

Keep watching this blog, more to come.

Wednesday, October 2, 2013

Internet Talk Radio | The Philosophy of Security – Is there a possible solution to the Chicago violence | WebTalkRadio.net


This radio interview addressed for the most part the violence in Chicago, but in the bigger picture, we really have not had a big breakthrough in the science of policing for quite some time. This program in Bensenville is new in the respect that it adds intelligence gathering and training of the different watch groups as a way to both get people more involved and also give them some (washed) sensitive intelligence so they can help the police more.

Some point to the New York stop and frisk, but most gang squad police will tell you this has been done for years; New York just really put a name to it, and expanded the method by a lot. But still, make no mistake, it has done a lot to reduce crime. You can also point to this New York police chief as a leader in really using intelligence to a bigger degree than in the past. I think he first directed it at the terrorist problem, but like all counter-terror programs, it also helps with (should we call it) normal criminal problems.

Looking at the two approaches, Bensenville and New York, the one thing that jumps out is intelligence, and the one thing that improves intelligence the most is getting information from the people down close to the problem.

There are a lot of great thinkers out there, including the young folks involved in the digital world like Google and Facebook, as well as LinkedIn and others. We all need to be thinking of solutions to not only the Chicago problem but also the world's conflicts, like the cartels in Mexico: how do we help the citizens of Mexico regain their country? Please give us your thoughts.

One I have looked at for years has to do with a Debate Team South East Conference held in Shreveport, La., at the college there. I had the honor to be one of many judges at the conference; to do so I went back and researched the rules again, and then listened to these students and graduates deal with real world issues. I think the rules and points systems held these folks to a fairly rigid way of debating the different subjects, one of which, for instance, was the whole Syrian crisis.

If we could, one, put more of these debaters in roles like the Mideast peace conference, I think we could push past a lot of the stalemates they keep running into. Two, if more people learned the rules of debating as well as the "Robert's Rules of Order" that they already use as a framework, we may be able to get some new ideas on the table and find some solutions.

Now take these skills to the ministers, business owners, citizens, police, perhaps even gang members of Chicago, and perhaps we could find a dialog that would lead to a reduction in violence. Chicago has some of the finest colleges in the world, and I am sure many well trained debaters that could be used.

Just an idea; let me know yours.

Thursday, September 12, 2013

China Agents enter Guilty plea in Colorado Springs espionage case

The High Ground / Guilty plea in Colorado Springs espionage case

This is right out of a spy novel: deep in the heartland of the US, in Colorado Springs, a single security-aware employee sees something suspect and reports it to the FBI. This is not a chip that many even know about, or even a company many know about. It is the US playing the long game in developing chips that may withstand the effects of a nuclear blast, in this case the EMP part of the blast that will cripple most of the world by disabling electronic components.

Which brings in the science fiction movies of Mad Max, in a world where old basic cars are the only things that will run (they do not use sophisticated electronic chips), or the TV show depicting a world without electricity; it uses a much less plausible attack but with the same results. Our entire electric grid in the US, and in most of the world, is controlled by sophisticated electronic switching systems. Experts estimate between 70% and 90% of our electricity grid will just stop working after certain nuclear attacks.

Now China knows the long game as well, and this type of chip is critical to being the survivor of a nuclear attack. They are working against our electrical grid with targeted attacks on the SCADA systems, that network of sensors that keeps the grid working and talking to other parts of the grid, but this is a survivor chess move. If a nuclear attack hurt a country's grid, then that country would be the weaker.

Now bring on the very sophisticated attempt here. We are talking computer chips here; first they are taken from a small electronics company working on US government contracts. Not in New York, LA or Washington DC, but in Colorado Springs. Most of the US would never expect an espionage attempt there.

Once you have the chip, you are on the run; just like in the spy film, they have to get the device out of the country as quickly and safely as possible, which requires a lot of logistics and planning. So the device is hidden in an infant formula container, which is taken to the port of Long Beach, Ca., where China years ago actually purchased a pier and storage buildings. The question is, do they want to chance the US catching on and having an excuse to raid this basically Chinese land of the pier, or do they opt for a Chinese-flagged ship that is also in port? They know once they can get the Chinese-flagged ship into international waters, it would take almost, if not actually, an act of war to get the chip back. By the way, sit back and think of all the logistics of this attempt; it is mind boggling.

Now the FBI has to see how far they can let this go without losing the chip; they also need to be aware of the international incident that can be caused by a misstep.

Now, it all started with one employee who was not just doing his job, but was also security-aware enough to recognize the suspect event. He did not need to know the whole plot, just that what he saw was suspect, and how he could act on it.

CTI provides this training to groups, firms, even at times the US government, as we did with the CAG program for the US State Department. We provided counter-espionage awareness training, not using high tech sensors, but by just being more aware of your surroundings. This awareness does not just help stop high or low level espionage, but also terrorist attacks, simple theft, even workplace violence. Let CTI provide this training to your team. Call and set up a training session at 301-907-0127.

Monday, August 12, 2013

Nightmare of terrorists with bombs surgically implanted INSIDE their bodies | Mail Online


In this story is the mention of a liquid explosive that was used to saturate some clothing, which was then left to dry and worn. There are a lot of ways to hide explosives that folks in the business have known about for years.

The liquid explosive plot that was hatched in Britain, and may have changed our travel life forever, was known by the vast majority of the professionals in the counter terrorism business for many years. It was just sort of not talked about, since the bad guys had up to that point not figured out how to exploit the vulnerability.

There are more out there that keep many of us wondering when they will show up. This internal attack method is harder than other possible plans we know about. For instance, a simple method that has been used by drug carriers for years is to put small amounts into small bags and swallow them, with the intent of either passing them on a long flight, or even in the passenger lounge before the flight. Now you have a moldable explosive, and if you use multiple passengers, you could have quite a bit of explosive.

This, among other attacks, is one I worry more about than a small amount located internally inside a person. Quite possible, but there are better ways to do it.

It should be said we have gone to the whole body scanner, which even the manufacturers agreed had only a 50/50 chance of finding the original underwear bomb, let alone these new threats. We need to rethink our knee-jerk responses to new threats.

With that said, non-metallic weapons could not be found by the metal detectors, so the use of whole body imagery had to be in our arsenal of countermeasures; the question would be, did it have to be used as the primary detector? Liquid explosives are still a threat, and we still do not have a great detector for them, but as many passengers ask me, in the original plot did they not have multiple people, and each one nowadays could bring X amount of explosives? The shoes are still one of the most difficult things to scan without taking them off and placing them on the belt of the X-ray. So yes, knee-jerk reactions, but there is a need; the question is how they are implemented. Is it the most effective in a risk approach?

I will end with this: when the bad guys figure out some of the other vulnerabilities we have that are still not talked about, do we just stop all airline traffic?

Friday, August 2, 2013

Spies: it all gets very dangerous when old school and new school, sort of the hacker with a lock pick, are in the same package

Spying is often called the second oldest profession, right after prostitution, with fewer morals than the first. Back in the World War Two era, a spy in New York was found out after a paper boy was paid with a quarter he had hollowed out and hidden a microdot in. The microdot of the day was a very high definition piece of film that had a number of documents on it. The story is that the paper boy dropped the quarter, and it opened up. Nowadays the quarter can hold a flash SD card, in this case a micro SD, that can now hold 64 gigs of data; even a nickel can hold that much data.

So this major spy was traded back to the Russians for Gary Powers, the pilot of the only U-2 spy plane the Soviets had brought down. One with a very high tech quarter, the other the pilot of our highest tech plane at the time. Think of what they would have thought of these new technologies: 64 gigs of data in such a small size. When I left the US Secret Service, the Grid was the laptop of choice for espionage types. It had a 10 meg hard drive, a really big one at the time.

Back in the '80s we had some very tiny microphones that we hid in a lot of neat places; nowadays the whole recording system can be bought at a local computer store in a ballpoint pen or a flash drive. The systems are so small they can be hidden in virtually anything. The current drain is so minimal that batteries last for days. One small USB flash drive has a system good for 25 days of recording; it can be left in a printer, even in a spare computer.

Let's go back to the 64 gig. It can hold data; that data can be voice, captured keystrokes like passwords, or encryption keys. It can be hidden virtually anywhere, and has more capabilities than spies of the old days could even dream of. Yet put in their hands, they can get around most cyber security systems by old school physical access. Some of the programs on them act like the old burst transmitters: they store and hold data, looking for a time to send it out via your own network when its defenses are at the lowest. I remember the first password logger I ever installed on an old style cable based network. It had limited storage, but when installed at night, it caught the first keystrokes of the morning, which was the system administrator logging in. These new keyboard loggers fit in the cable as it goes into the keyboard. As a person sits down and logs in, their passwords and other key data are all captured. One is sold as a converter that takes a PS/2 keyboard connector and converts it to a USB keyboard. Three seconds of work and you are in play.

Now let's put some of the old and new together, like a cellphone charger, like the one displayed this week at a computer show. Now let's examine this device for a second: it has flash memory with a malware program on it that, when a phone is plugged into the charger, infects the phone with malware. Some of the newest malware is nothing more than a small program that can let people past your security. Some experts claim virtually every smartphone, every computer, has at least one piece of malware inserted in it already.

Now take an old time spy with these; they can install them virtually anywhere. At the Southwest Airlines USB charging stations at virtually every boarding area. If you want what a person has printed you can install a device into his printer, usually with an altered printer cable; by the way, spies have been altering printer cables for years, since at least back in the '70s, which is when I first came upon one. Now let's look at those devices we never even look at, that we just install and never touch again until they break down: routers and other network gear.

There is some belief that the Chinese have built malware inserts and other spy software into most if not all the routers they sell. I can say they have done this to a lot of them.

Now let's talk about finding them... good luck; it can be a very frustrating time. I suggest you rent, or go on Netflix and watch, a movie called The Conversation, with Gene Hackman. A little slow at times, but the ending may give you an idea of what we are up against.

Monday, July 29, 2013

Mexican authorities accuse 5 detainees of being cartel lookouts in Reynosa - The Monitor: Local News


Excellent work by the Mexican authorities; these lookouts are what help keep the drug cartels in business. As you cross over the pedestrian bridge from Hidalgo into Reynosa you always see lookouts on the bridge itself. Normally it is a he, with multiple phones; if he sees something of interest, I can often see the lookout at a bar visible from the bridge answering the call and looking up to see who is coming over. If there is enough interest, the second lookout at the bar quickly goes into the bar and will come out with others.

Part of what we teach US State Department staff is how to recognize these lookouts. Often we can see them on the US side of the Hidalgo bridge. For a long while it was a taxi driver who never seemed to take fares but did get on the phone a lot as cars came into the area. Sometimes he would give warnings to cars coming into the US, and you would see them alter their path to take either the road to the right, or blast off down the main road.

Teams of lookouts have been seen near Military Road giving hand signals and sometimes using small flags to indicate the level of security at the bridge they were watching. If there is too much security, then the drivers go to the next bridge to check the security levels there.

In the Mideast, we would conduct surveys to see where the lookouts were, and where they might want to be if they targeted a State Department employee. There are many, if not all, hotels in Russia where lookouts are paid by multiple sources to keep an eye on visitors. Some would even help delay people until an outside surveillance team could get in place.

In the Valley, we have conducted these assessments of people's homes and offices and the travel routes between them, to determine, one, if they are under surveillance, and two, to teach people how to recognize surveillance teams.

In every case in the Valley that we have looked at regarding a kidnapping or carjacking, the victim always reports that yes, after the fact, they did notice people watching them. The key is to become aware before it happens. Even purse snatchers and pickpockets conduct surveillance prior to attacking.

Saturday, July 27, 2013

The O'Reilly Factor on NSA Spying and what is possible

The O'Reilly Factor | Bill O'Reilly | Fox News

Mr. O'Reilly doubted that all voice could be recorded; I think the confusion here is what a telephone call is nowadays. In most offices, and many homes nowadays, with the use of Vonage and similar computerized voice devices, the voice is turned into data from the start. In any case, if a phone call 20 years ago or more traveled more than 20 miles in distance, and a lot less these days, it was digitized.

Once a phone call is digitized it becomes just another data stream, just like email. NSA should be thought of in the realm of a big pipe that data, instead of water, flows through. NSA takes in all the data in this big pipe. Data is data; once it has been captured it is stored as just that, data, nothing more, until analysts and computer analysis work on it. This is where the metadata comes in: the metadata tells what the data captured from the pipe is, i.e. a phone call, or an email, or a picture, or video. The key is that you need to be in a place where all the data flows through, and NSA is in most if not all of those places.

The US is not the only one doing this; England has a number of capture points, as do most countries. Add to this the satellites up in the sky. We all beam data up to them; often the data is passed between satellites, then at some point it is beamed back to earth. At any of these points the data can be captured: some is voice, some is emails, some is large contracts for major companies, or new schematics of weapons.

This data is sent in what are called packets, with metadata telling the packets where to go and who sent them. In many cases, if the data is encrypted, we really do not need to know much more than that. If we know it comes from your plumber to you, then even if encrypted, it is probably not a problem. But since we store the data, if we find you or your plumber affiliated with a terrorist group, we can go back and decrypt the data and see what was going on.

Since NSA captures so much data, it sometimes is a problem to decide which to actually look at. So it just sits as raw data, stored for some period of time, until it is considered irrelevant. We still have data from WWII that has not been decrypted.

Now back to metadata: computer programmers are always looking for new ways to analyse the metadata. Templates are, I assume, one of the newest ways to analyse it. They were developed by a young lady a number of years ago when she was doing analysis of corporate communications for large firms. She developed an analysis tool that allowed her to tell how information best flowed in a corporation. She found that once she developed a template of the information flows of the best or most profitable corporations, she could go into another corporation and analyse their data to find the best communications flow using the template.

Some of our three-letter intel agencies heard about her work and took her in. What they found is that they could use these templates to analyse terrorist communications. If a known terrorist group's data could be analysed and a template developed, that template can be used to analyse the vast metadata, looking for the same communications paths. Then the suspect metadata can be analysed even further. This template is constantly updated and changed as more terrorist cells are discovered.

By the way, this method is also being used to track financial crimes and hackers; the uses are endless.  Flash mobs, for instance, have a particular starting pattern that, if templates are used, can help in stopping them before they actually happen.

Mr. O'Reilly is one of the gentlemen I most admire on TV, and hearing his interview, I felt I had to add some information.

Tuesday, July 16, 2013

Fact or Fiction: Encryption Prevents Digital Eavesdropping: Scientific American

Fact or Fiction: Encryption Prevents Digital Eavesdropping

This is a great article, and it starts out with a premise that, if you are in the business, says it all.

"There are effective ways to encrypt data, whether it is in transit or in storage, but if that data is left in the clear at any point along its path, it is vulnerable to theft or tampering" 

There are also some other problems with encryption.  One is that the decryption password, the key, must somehow be known by the person receiving the encrypted file.  There are schemes that use public-key mathematics to let the receiver obtain the key even though the exchange itself travels in the clear, so to speak.  So in this case you can attack the encryption, or you can attack the key exchange: sort of a two-chance play.
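Here is what that kind of key exchange looks like in practice, as an added example (not code from the article or from this blog): a Diffie-Hellman exchange over the 1024-bit RFC 2409 group, with the agreed secret used as an AES-GCM key. The party names, the message text and the use of SHA-256 in place of a real key derivation function are my assumptions for the demo. The only things a capture point on the path sees are the two public values and the ciphertext; the secret exponents never leave the endpoints, which is exactly why the break-in teams go after the endpoints.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Prime is the 1024-bit MODP prime of RFC 2409 (Oakley Group 2); Generator is 2.
// 1024-bit groups are too small for new deployments; the size keeps the example short.
var Prime, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"+
		"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"+
		"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"+
		"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"+
		"FFFFFFFFFFFFFFFF", 16)
var Generator = big.NewInt(2)

// Party is one endpoint. Only Public ever goes on the wire.
type Party struct {
	secret *big.Int // never transmitted; a break-in at the endpoint is the way to get it
	Public *big.Int // Generator^secret mod Prime, sent in the clear
}

// NewParty picks a random secret exponent in [1, p-2] and derives the public value.
func NewParty() (*Party, error) {
	s, err := rand.Int(rand.Reader, new(big.Int).Sub(Prime, big.NewInt(2)))
	if err != nil {
		return nil, err
	}
	s.Add(s, big.NewInt(1))
	return &Party{secret: s, Public: new(big.Int).Exp(Generator, s, Prime)}, nil
}

// Session derives the shared secret from the peer's public value and returns an
// AES-256-GCM instance keyed with SHA-256 of it (SHA-256 stands in for a real KDF such as HKDF).
func (p *Party) Session(peerPublic *big.Int) (cipher.AEAD, error) {
	// 0, 1 and p-1 force a trivial shared secret; refuse them.
	if peerPublic.Cmp(big.NewInt(1)) <= 0 || peerPublic.Cmp(new(big.Int).Sub(Prime, big.NewInt(1))) >= 0 {
		return nil, errors.New("peer public value out of range")
	}
	shared := new(big.Int).Exp(peerPublic, p.secret, Prime)
	key := sha256.Sum256(shared.Bytes())
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates msg; the random nonce is prepended to the output.
func Seal(aead cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal and fails on a wrong key or any modified byte.
func Open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	alice, err := NewParty()
	check(err)
	bob, err := NewParty()
	check(err)
	toBob, err := alice.Session(bob.Public) // alice only ever received bob.Public
	check(err)
	fromAlice, err := bob.Session(alice.Public)
	check(err)
	ct, err := Seal(toBob, []byte("draft policy, not for release")) // constructed message
	check(err)
	pt, err := Open(fromAlice, ct)
	check(err)
	fmt.Printf("tap sees: two %d-bit public values and %d ciphertext bytes\n", Prime.BitLen(), len(ct))
	fmt.Printf("receiver read: %q\n", pt)
}
```

The range check in Session matters: a man in the middle who substitutes 1 or p-1 for a public value forces the "shared" secret to something he can predict, which is the key-exchange side of the two-chance play.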

As the premise says, the file sits somewhere in decrypted form at some point: it must, so that you can write the message and the other person can read it.  So if you follow some intelligence agencies' game plan, you look for very well encrypted data streams going by in the big internet pipe of the world.  Once you see one that looks very hard to decrypt, you find out where it started and where it stopped.  Now you have even more ways to get at the data.  Give the encrypted data to the decryption guys; if the sender exchanged a coded password, give that to another team to beat.  At the same time send a team to break into the original computer where the message was written, and another team to the point where it was read.  Now the race is on to see who breaks the message first.

Once the message is in the target's building or under their control, they often send clear copies to people in the building.  Back where the message was developed, there are often people who helped develop it and have it, or parts of it, in clear form.

Now the attacking teams have even more computers they can attempt to break into, and even if they get only a part of the message, they can give that to the decryption teams, which lets them break the code even faster.

Now let's look at another attack.  Most encryption programs are fairly well known, and their file formatting tends to tell the decryption teams which one is being used.  Part of a good encryption program is that you only get three attempts at the password and then the program shuts you out.  That would make attacks on the password very slow, but the limit lives in the program, not in the mathematics, so most attack teams have either altered the encryption program to bypass the three-attempts lockout, or bought an already altered copy from the same vendor you used.  Then they use a very, very fast computer to do nothing but run passwords at the file until they hit the one that opens the message.  So if you use a 4-character password of letters, numbers or symbols, it takes x amount of time to run virtually every combination at the file; every character you add multiplies that count by the size of the character set, so 6 characters takes far more than x, though still not long on fast hardware.

Now you see why the all-letter passwords we used to use were a problem: the password breakers only had to run letters against the password.  Then you had to run letters and numbers, which upped the number of possible passwords and took longer to break.  Add capital letters and symbols and you add even more possible passwords the attacker must try.  The amount of time to beat these is still pretty quick, since we have some pretty fast computers.
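To make the lockout point concrete, an added example (mine, not from the article or this blog): the three-strikes rule is enforced by a function in the program, while the file on disk only holds a hash.  An attacker who copies the file, or patches out the check, hashes guesses directly and the counter never moves.  The password, the character sets, the unsalted SHA-256 storage and the one-billion-guesses-per-second rate are all assumptions chosen for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Character sets an attacker must cover, smallest to largest.
const (
	Lower   = "abcdefghijklmnopqrstuvwxyz"
	Upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	Digits  = "0123456789"
	Symbols = "!@#$%^&*()-_=+[]{};:,.<>?/"
)

// Keyspace is the number of passwords of the given length over charset (charset size ^ length).
func Keyspace(charset string, length int) float64 {
	n := 1.0
	for i := 0; i < length; i++ {
		n *= float64(len(charset)) // exact in float64 up to 2^53
	}
	return n
}

// SecondsToExhaust is the worst-case time to try every password at a given guess rate.
func SecondsToExhaust(charset string, length int, guessesPerSecond float64) float64 {
	return Keyspace(charset, length) / guessesPerSecond
}

// Vault models the program's "three strikes and you are out" rule. The rule lives in
// TryPassword; the file on disk only holds the digest (unsalted SHA-256 here, for illustration).
type Vault struct {
	digest   [32]byte
	attempts int
	Locked   bool
}

func NewVault(password string) *Vault {
	return &Vault{digest: sha256.Sum256([]byte(password))}
}

// TryPassword is the online interface: wrong guesses count, three of them lock the vault.
func (v *Vault) TryPassword(guess string) bool {
	if v.Locked {
		return false
	}
	if sha256.Sum256([]byte(guess)) == v.digest {
		return true
	}
	v.attempts++
	if v.attempts >= 3 {
		v.Locked = true
	}
	return false
}

// StoredDigest is what an attacker who copied the file, or patched the program, holds.
func (v *Vault) StoredDigest() [32]byte { return v.digest }

// CrackOffline hashes every password of the given length over charset against the digest.
// TryPassword is never called, so the lockout never fires. It returns the password found
// ("" if the space is exhausted) and the number of guesses made.
func CrackOffline(digest [32]byte, charset string, length int) (string, int) {
	buf := make([]byte, length)
	idx := make([]int, length) // odometer over charset positions
	tried := 0
	for {
		for i := range buf {
			buf[i] = charset[idx[i]]
		}
		tried++
		if sha256.Sum256(buf) == digest {
			return string(buf), tried
		}
		pos := length - 1 // advance the odometer, carrying leftwards
		for pos >= 0 {
			idx[pos]++
			if idx[pos] < len(charset) {
				break
			}
			idx[pos] = 0
			pos--
		}
		if pos < 0 {
			return "", tried
		}
	}
}

func main() {
	const rate = 1e9 // assumed: a billion SHA-256 guesses per second on a GPU rig
	sets := []struct{ name, set string }{
		{"letters", Lower},
		{"letters+digits", Lower + Digits},
		{"mixed case+digits+symbols", Lower + Upper + Digits + Symbols},
	}
	for _, cs := range sets {
		for _, n := range []int{4, 6, 8} {
			fmt.Printf("%-26s len %d: %.3g passwords, %.3g s to exhaust\n", cs.name, n, Keyspace(cs.set, n), SecondsToExhaust(cs.set, n, rate))
		}
	}
	v := NewVault("qzxk") // constructed 4-letter password
	fmt.Println("online guesses:", v.TryPassword("aaaa"), v.TryPassword("bbbb"), v.TryPassword("cccc"), "locked:", v.Locked)
	pw, tried := CrackOffline(v.StoredDigest(), Lower, 4)
	fmt.Printf("offline: found %q after %d guesses\n", pw, tried)
}
```

The defence that actually slows the offline path is not the attempt counter but a deliberately slow, salted password hash (scrypt, Argon2, PBKDF2 with a high iteration count), which cuts the guess rate by orders of magnitude no matter what the attacker patches.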

OK, but at the same time we have attackers hitting the places the message started and landed.  We have folks who have put malware out there that inserted code to let them into your computer, and we have other folks who installed bogus chips in routers and other points that will let them into your computer.  So part of our team is looking to see if any of those little trapdoors into your computer already exist.  Experts say a very large number of computers and networks have these trapdoors, and they are just sitting there waiting for the time someone needs to get in.

The Chinese went to IPv6 long before the rest of the world and made a lot of routers that could handle both the usual IPv4 and IPv6 and pass traffic both ways through the router or other device.  There are a number of paths or attacks that simply exploit the differences in security between the IPv4 and IPv6 stacks, for instance a dual-stack device whose filtering was written only for IPv4.

To make sure they have some access, the Chinese also made a lot of counterfeit routers from some of the world's main vendors.  In one case they used a Chinese mole, or spy, to bring in the routers on the west coast, and his brother on the east coast.  When, say, the US Air Force needed to buy routers, they put it out for bid; the west coast brother would put in a low bid and order them from his source, his brother in the US, so it was a US vendor selling to a US vendor, and it passed all the security checks.  If the brother on the east coast saw a bid come up, he would underbid and get them from his brother on the west coast, once again bypassing all the security checks.  The only way they were found was by very sophisticated checking of the chips.  Since the Chinese were not always sure which router would end up in a good place for spying, they just built all of them with the bypass in them.

If you take it the next step, you underprice the chips that go into routers made in the US, so they are built using Chinese chips with the same security problem in them.

In a little while you have a lot of compromised routers and other network equipment out there, in fact more than you can really do much about.

Let's back up to software and do the same thing.  Put a little bit of code in a lot of the cheap software out there that allows us access to the person's network.  We are not sure what we may need to infect, so hit as many as we can, and they can just sit there until we need to use them.

This is all very problematic, but if you take it to the next step, which many have said was done years ago, you compromise some of the leading software makers, or the employees who write their code, and now you are into most of the systems out there with your own little trapdoors, just waiting to be used.

So, back to the title: Encryption Prevents Digital Eavesdropping, fact or fiction?

NSA in perspective, and what are we facing IT espionage wise

Keeping the NSA in Perspective | Stratfor

This is a good report.  We have to put what NSA is doing not only in perspective, but face the reality of a non-state foe, versus a state like Germany or Japan, or even a state-sponsored faction like the ones Russia used to attack us with for so many years.  Back then most attacks, even terrorist attacks, were sponsored by a large state, the USSR being the biggest user.

Encryption has also changed a lot over the years.  I remember working to get clients' encryption products through NSA for an export license; the key question was whether NSA could beat the code.  There is a simple test to start the process, called an A block: basically you make a document using all capital A's, then encrypt it and see what you get out of it.  In most cases everyone will see a pattern start to show within the first line, and then carry through, which means yes, we can break it.
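The A-block test described above can be scripted; this is an added example, not code from any NSA process or from this blog.  It encrypts a document of repeated capital A's three ways (AES in ECB mode, AES in CTR mode, and a repeating-key XOR of the kind home-grown products used) and counts ciphertext blocks that recur.  The key, nonce and XOR key are constructed values.  One caveat the test itself does not give you: a product that shows no pattern here has passed a necessary check, not a sufficient one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const BlockSize = 16 // AES block size in bytes

// ABlock builds the test document: n copies of capital A.
func ABlock(n int) []byte { return bytes.Repeat([]byte{'A'}, n) }

// RepeatedBlocks counts ciphertext blocks identical to an earlier block.
// Any count above zero is the "pattern within the first line" the test looks for.
func RepeatedBlocks(ct []byte, blockSize int) int {
	seen := make(map[string]bool)
	dup := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		b := string(ct[i : i+blockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

// ShowsPattern is the A-block verdict: true means the product leaks plaintext structure.
func ShowsPattern(ct []byte) bool { return RepeatedBlocks(ct, BlockSize) > 0 }

// EncryptECB applies AES to each block independently (electronic codebook mode).
func EncryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), BlockSize)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += BlockSize {
		block.Encrypt(ct[i:i+BlockSize], pt[i:i+BlockSize])
	}
	return ct, nil
}

// EncryptCTR uses AES in counter mode: each block is XORed with a different keystream block.
func EncryptCTR(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct, nil
}

// XORRepeatingKey is the kind of home-grown "encryption" that fails the test immediately.
func XORRepeatingKey(key, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := range pt {
		ct[i] = pt[i] ^ key[i%len(key)]
	}
	return ct
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	iv := []byte("fixed-iv-16bytes")  // constructed nonce; never reuse one with the same key in practice
	doc := ABlock(256)
	ecb, _ := EncryptECB(key, doc)
	ctr, _ := EncryptCTR(key, iv, doc)
	xor := XORRepeatingKey([]byte("k3y!"), doc)
	fmt.Printf("AES-ECB: %d repeated blocks, pattern=%v\n", RepeatedBlocks(ecb, BlockSize), ShowsPattern(ecb))
	fmt.Printf("AES-CTR: %d repeated blocks, pattern=%v\n", RepeatedBlocks(ctr, BlockSize), ShowsPattern(ctr))
	fmt.Printf("XOR key: %d repeated blocks, pattern=%v\n", RepeatedBlocks(xor, BlockSize), ShowsPattern(xor))
}
```

ECB fails because the same key and the same 16 bytes of plaintext always give the same 16 bytes of ciphertext; CTR passes because the counter input differs for every block, so a permutation like AES cannot produce two identical keystream blocks.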

I think one of the funniest statements out there is that NSA cannot break this code or that one, the proof being that they are not saying they can.  Folks, sort of the key to this whole thing is not letting the other guy know you can read his stuff.  As far as whether there is code that has not been broken: there is code that has not been broken, usually because there is no need felt to do it at the moment.  Some codes from WWII are still not broken, but more due to the time it would take to break a code no longer used than because it cannot be done.  I remember back in the 80's and 90's clients asking me to beat Microsoft Word and Excel encryption.  At one point we had a short routine that just pointed us to the place in the document where the password was kept, in open text.  It got a little harder, but up to the point when we stopped getting asked to break the code, it was just another piece of software we would buy as the code changed.

In many cases, the fact that a train of data passing you was encrypted was the reason to pay attention to that line of text.  At that point you analyzed the beginning and end points of the data.  This would tell you who was sending it, so you then had a pretty good idea of what kind of data was being encrypted and could make up your mind whether you wanted to extend the effort to break the code.
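Added example (mine, not from this blog) of the triage this passage and the packet-metadata passage in the O'Reilly post both describe: given flow records, decide which streams are encrypted, either from a TLS handshake header or from payload bytes too uniform to be text, and tally who talks to whom over them.  The addresses, ports and payloads are a constructed capture.  Note that the entropy rule also flags compressed or media data, so in practice it is a filter for analysts, not a verdict.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"sort"
)

// Flow is what a capture point keeps for one stream: the addressing metadata
// plus the first bytes of payload.
type Flow struct {
	Src, Dst string
	DstPort  int
	Bytes    int
	Head     []byte
}

// Entropy is the Shannon entropy of b in bits per byte (0 for a constant, up to 8.0).
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// IsTLSHandshake matches a TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04.
func IsTLSHandshake(head []byte) bool {
	return len(head) >= 3 && head[0] == 0x16 && head[1] == 0x03 && head[2] <= 0x04
}

// LooksEncrypted flags a flow by a known encryption protocol header, or by payload bytes
// too uniform to be text or a plaintext protocol. The entropy rule also fires on compressed
// data, so treat it as a filter, not a verdict.
func LooksEncrypted(f Flow) bool {
	return IsTLSHandshake(f.Head) || (len(f.Head) >= 64 && Entropy(f.Head) > 6.5)
}

// Pair is who talked to whom; Tally is how much encrypted traffic went between them.
type Pair struct{ Src, Dst string }
type Tally struct{ Flows, Bytes int }

// Triage keeps only the encrypted flows and tallies them per talker pair: the endpoints
// are the next thing to look at.
func Triage(flows []Flow) map[Pair]Tally {
	out := map[Pair]Tally{}
	for _, f := range flows {
		if !LooksEncrypted(f) {
			continue
		}
		t := out[Pair{f.Src, f.Dst}]
		t.Flows++
		t.Bytes += f.Bytes
		out[Pair{f.Src, f.Dst}] = t
	}
	return out
}

// pseudoRandom yields deterministic high-entropy bytes that stand in for captured ciphertext.
func pseudoRandom(seed string, n int) []byte {
	out := make([]byte, 0, n+32)
	for i := 0; len(out) < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s/%d", seed, i)))
		out = append(out, h[:]...)
	}
	return out[:n]
}

// SampleFlows is a constructed capture: a plaintext HTTP request, a TLS session, a
// high-entropy stream on an odd port, and an email from the plumber in the clear.
func SampleFlows() []Flow {
	return []Flow{
		{"10.0.0.5", "93.184.216.34", 80, 512, []byte("GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")},
		{"10.0.0.7", "198.51.100.9", 443, 48213, append([]byte{0x16, 0x03, 0x01, 0x02, 0x00}, pseudoRandom("tls", 200)...)},
		{"10.0.0.7", "203.0.113.77", 5555, 2097152, pseudoRandom("blob", 512)},
		{"10.0.0.5", "198.51.100.20", 25, 1400, []byte("From: plumber@example.net\r\nTo: you@example.org\r\nSubject: invoice for the kitchen tap\r\n\r\nHi, the invoice we discussed is attached. Thanks.")},
	}
}

func main() {
	tally := Triage(SampleFlows())
	pairs := make([]Pair, 0, len(tally))
	for p := range tally {
		pairs = append(pairs, p)
	}
	sort.Slice(pairs, func(i, j int) bool { return pairs[i].Dst < pairs[j].Dst })
	for _, p := range pairs {
		fmt.Printf("%s -> %s: %d encrypted flow(s), %d bytes\n", p.Src, p.Dst, tally[p].Flows, tally[p].Bytes)
	}
}
```

The plumber's email and the HTTP request never make the list; the two encrypted streams do, and what comes out is exactly the beginning and end points the passage says you look at next, with no decryption involved.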

Without breaking any classified info, my last briefing from the alphabets made it very clear that at that point nothing out there was immune to being cracked.  I keep hearing from IT types that a properly set up VPN is not breakable; the CIA has directly addressed this in the past two years, and I can tell you that is not true.  People can break anything.  Libya, when it was taken over from its dictator, had an exposé of its code and communications capture and breaking equipment.  The Wall Street Journal had a picture and listing of all the equipment they had.  It was very impressive, and very state of the art.

We are not in Kansas anymore, Dorothy.  Get over it.

Rich


Wednesday, July 10, 2013

The Canada train crash, like the West, TX incident, points to threats that are always there

Police: Evidence criminal act may have led to Canada train crash - CNN.com

Or it could have been an accident, caused by not fully understanding the risk to the town, by both the firefighters and the City Fathers.  Understanding risk is a key part of government protecting its citizens.

In any case, how this incident happened could be the unimportant part.  The fact that a train is often parked above the town, often with a large load of fuel, is the key issue of risk: it is always there, whether the trigger is a criminal action, a terrorist action, or an accident.  If you look at the city of West in Texas, the fertilizer plant in the middle of town was always a risk, and one the City Fathers and fire departments should have been more aware of.

When a risk assessment is conducted for a city, county, or state, I often hear from the City Fathers: "We do not expect a terrorist incident here, so we do not really feel we are at risk; we are just checking."

Risks like the railroad problem in Canada or the plant in West, a small town in Texas, are there.  The question is how we mitigate the risk, from terrorism, criminal incident, or accident.  At some point a value assessment has to be made.  Does the plant in the small town rate a lot of mitigation, or should it be removed from the town?  The same for the railroad in Canada: if the risk is potentially high enough that mitigation does not handle it cost effectively, should it be removed?

In most cases a mitigation plan can be established to meet the risk, or at least a town, county, state, or even country believes it to be so.  Nuclear plants are a prime example: they are a risk, and most of the money spent on reducing this risk has gone to increased security, yet all the devastating events associated with nuclear plants have been anything but security related.  So the risk is there and never changes; only the mitigation costs change, and they should probably be spent more effectively on non-security events, which by the way will also mitigate a security-related incident.

If we take this to the plane crash in San Francisco, it is the same: the risk of death or damage from a crash is always there.  But we spend most of our mitigation funds on security, when in the end it may turn out that a first responder vehicle killed the victims.  Fire and EMS vehicles approaching an incident are often moving in a low-visibility situation.  Even in drills and exercises at airports where smoke is used, there have been near misses of actors in the drill being run down.  This is a well-known risk in these events, yet very little mitigation money has been spent on it.

I am a security guy, but I cannot help noticing that events other than security issues cause the most deaths and destruction in the world.  Risk is always there; throwing money at security is always a good answer, but it is rarely the best way to spend the money.

We all need to take a sober look at risk, and evaluate what our mitigation money is spent on.


Monday, July 1, 2013

Smart Traveler Enrollment Program (STEP): put the odds in your favor, even for Mexico or Canada travel

Smart Traveler Enrollment Program (STEP)

When traveling overseas, even to Mexico or the Mid East, you want to put the odds of having a safe trip as much in your favor as possible.  One key is using what is available to you, and one way is the State Department's STEP program.  There are a number of parts to this program.  One is that when you enroll and sign on to the State Department updates, they will send you key information on the safety or problems of any area you are going to.  I never completely rely on it, because political issues do not allow them to disclose some information, but they will keep you up on issues that can prove life threatening.  I supplement this information with other sources like Stratfor, SSI, and others that keep a good eye on what is going on around the world.

The second part is that when you establish an account with the STEP program, you will have key data on yourself available wherever you can get onto the internet, like your passport information, and even some health data you may find useful to have available when traveling anywhere in the world.

The third and perhaps most important part is that you can log in and tell the system where you are going, when you are going, even flight and hotel information, for the trip or trips.  This is critical information to the State Department, and it even gets to the Regional Security Officer, or RSO, in the region you are traveling.  In many cases, if the RSO sees something in his intel traffic that could affect you, he can leave messages or even email you to contact him.  This has been a life saver a number of times in my life.  But just the fact that they know you are in the area is a big help.

But here is where all this really comes in: if you are missing, or someone thinks you are missing, and they call the State Department, there will already be a record of travel.  The RSO will know very quickly that it is not a crank call, and even what hotels or other places, like a friend's home, you are supposed to be at.  This does not mean the RSO will start a search for you with the police, but it does give the RSO a place to start checking.  This can save hours, even days, before someone starts to look at your problem; remember the RSO has a lot of duties, and searching for every missing American around the world is not one of them.  Flight delays and overbooked hotels can all lead to people thinking a person is missing, so do not get flustered when the RSO does not start a worldwide manhunt for you.

This is just one more thing you can do to put the odds of a satisfactory outcome in your favor.  If I am in a tough place, I normally make a call to the RSO just to have a quick chat and let them know what I am doing in their area.

You still need to take the normal precautions, like leaving copies (digital is best) of key documents in a place people can reach to help find you.  If traveling on business, I leave them with my work and family; if on vacation, I may just leave them where family can find them.  If the trip requires a visa, I make sure I leave a copy of that page of my passport as well.  I also leave my flight information and the hotels I am staying at, or the home if I am with a friend.  If I am renting a car, I leave the reservation number as well; it helps when they need to know what type of car, even which actual car, I was last in.

Most of the time I leave a voice recording of where I am going, hour by hour, on a telephone answering machine: if the trip is successful I can just erase it, but if I am missing, people can reach it and give the authorities the last known information from it.  Like when I go to a meeting, or dinner, or even someplace I perhaps should not be.  Remember, if you get back OK you can erase the information, but if you go missing it could be the critical information that gets you back.

By the way, I use the trick with the telephone answering machine whenever I go somewhere I am not sure of, or even when I see a suspect car around me: I will call in and leave the license number and a description of the car and what is going on.  If nothing happens I simply erase the message later.  It is also a good way to keep track of suspect vehicles you may notice more than once.

When my phone's messaging service is working I usually send pictures of cab drivers and their licenses to my wife's phone.  Then if I go missing we have a better place to start.

In the next posting we will deal with what to look at in the hotel you are staying at.  Be safe.



Friday, April 19, 2013

The Boston Bombers and the Decline of al-Qaeda

From Romesh Ratnesar in Businessweek:
Acts of terrorism against the U.S. are less likely to be committed by a global enterprise like al-Qaeda than by small numbers of “self-radicalized” domestic jihadists, far-right hate groups, anarchists, and radical environmentalists. Because they’re more diffuse, these potential perpetrators are also harder to identify and stop. “We know what to do with al-Qaeda,” says Rick “Ozzie” Nelson, a senior associate in the Homeland Security and Counterterrorism Program at the Center for Strategic and International Studies. “We understand this enemy. What we don’t understand nearly as well is what to do when Americans embrace a radical ideology that might lead them to commit violence.”
The landscape of terror is changing, and the al-Qaeda model of spectacular attacks against things, like buildings, battleships, and national icons, has changed to today's lone (or twin) wolf style attacks on people. They adopt a more Hamas-like mindset and attack public gatherings or crowded places. Whether it is shooting at Fort Hood soldiers, dropping off a backpack bomb at a parade, or parking a car bomb in Times Square, the idea is not to disrupt the system but rather to kill or maim as many as possible, and thereby disrupt our daily life.

While the US may have been spared any more 9/11s, the Boston Marathon bombing is a wake-up call for us. We have to come to grips with the fact that the FBI will not be able to infiltrate every plot, not every conversation can be monitored, and we cannot count on every homemade bomb to fizzle out. We should also understand that the threats are increasingly coming not from outside our borders, but within - from grassroots and radicalized sources. The enemy has changed his face and his tactics; it is past time for us to adapt and change with them.

Boston Bombers are Brothers on the Run

Early reports have them in the US since 2007, which would put these kids at around 13 and 14 when they came over.  Most of what we have seen so far would be things they could have gotten from watching TV and from the Internet.  I see nothing that shows a lot of training.

The older boy was into boxing; in fact he took off school to go into boxing.

Pros would have made the Canadian border in the time authorities have been looking for them.


The older brother is Tamerlan Tsarnaev, and the one still being sought is Dzhokhar Tsarnaev.  The younger went to a local high school and was known as Johar.

Wednesday, April 17, 2013

DHS Guidance for Response to Ricin Delivered by Mail: DHS provided this guidance on ricin back in 2004

Information Bulletin
Title: Guidance for Response to Ricin Delivered by Mail
Date: February 9, 2004

The widest dissemination of this material is encouraged and authorized.
DHS intends to update this Bulletin should it receive additional relevant information, including information provided to it by the recipients. Based on this notification, no change to the Homeland Security Advisory System (HSAS) level is anticipated; the current HSAS level is YELLOW.
OVERVIEW
This is a joint DHS and FBI Information Bulletin. DHS Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
While DHS possesses no information indicating specific terrorist targeting of U.S. critical infrastructures through the delivery by mail of the toxin ricin, such targeting would be consistent with certain terrorists’ stated objectives to disrupt and undermine vital economic interests in this country.
DETAILS
On the afternoon of February 2, 2004, Senate staff observed gray granular powder on an automated mail opening system. Preliminary field tests indicated the possible presence of a biological toxin. Samples of the material were tested overnight at a government laboratory and results indicated the presence of ricin. The three Senate Office Buildings were closed and secured on February 3rd. The samples were forwarded to the Centers for Disease Control and Prevention in Atlanta, Georgia and on February 4th three out of the four samples tested positive. At this time no threat letter has been identified and no threat has been received.
Past incidents involving the presence of ricin have occurred in the United States and the United Kingdom. On October 15, 2003, a postal worker discovered a business-size envelope containing the toxin ricin in a mail distribution facility in Greenville, South Carolina. The letter, which was addressed to the U.S. Department of Transportation, did not pass through the postal system. In January 2003, law enforcement agencies in the United Kingdom searched several locations in London as part of an ongoing counterterrorism investigation and found small amounts of ricin, as well as equipment that could be used in its production. In April 1991, several members of a domestic extremist group in Minnesota extracted ricin from castor beans and discussed using it against federal law enforcement officers. The amount of ricin produced could have killed more than 100 people if effectively delivered.
Background on Ricin
Ricin is a poison that can be made from the waste (mash) left over from processing castor beans. Ricin can be made in the form of an off-white powder, a mist, or a pellet or it can be dissolved in water or weak acid. It would take a deliberate act to make Ricin and use it to poison people. Ricin is one of several toxins that exert toxicity by inhibiting protein synthesis. Ricin can enter the body through inhalation, ingestion, abraded (non-intact) skin, mucosal membranes (e.g., eyes and nose), and injection. Ricin poisoning is not contagious, and person-to-person transmission does not occur.
Toxicity
Exposure to ricin may occur through:
  • Inhalation, skin, or eye contact: as an aerosol, powder, or dust
  • Ingestion: through contamination of food, water, or consumer products
  • Injection: directly through the skin
Ricin toxicity and lethality can vary by dose and route of exposure. In animal studies, inhalation and intravenous injection have been shown as the most lethal routes. The lethal dose for humans, by inhalation or injection, is estimated to be 5 - 10 mg/kg. Because the ricin protein is large, it is not well absorbed orally or through the skin.
To date ricin poisonings have only occurred in humans after ingestion or injection. Ricin is considered to be a much more potent toxin when inhaled or injected compared with other routes of exposure, however ricin would need to be dispersed in particles smaller than 5 microns to be used as an effective weapon via inhalation. It is technologically difficult to produce ricin particles of this size and purity.
For more information about ricin go to: http://www.bt.cdc.gov/agent/ricin/
SUGGESTED PROTECTIVE MEASURES
Suggested Actions for Mail Room, Postal and Shipping Facility Operators
Two categories of actions are necessary[1]: 1) Identifying and assessing biological (including ricin) threats; 2) Managing biological threats that appear credible.
1. Identifying and Assessing Biological Threats
Several commercial handheld or test-strip ricin detection devices are available; however the Centers for Disease Control and Prevention (CDC) have stated that the performance of these assays is unknown. While many of these tests indicate a high false positive, they may be more useful in ruling out the presence of ricin. These test kits should only be used by trained and certified hazardous materials professionals. If such testing is deemed necessary, personnel should preserve original evidence for forensic analysis. Automated, continuously monitoring bio-detection systems are available commercially; however they may be cost-prohibitive for many companies.
Measures that can be taken without installing special detection equipment are the same for most biological threats and are organized according to whether the mail is opened or unopened and whether it contains a written threat or an unidentified container:
Opened mail that is leaking a suspicious liquid or powder, or mail that has a suspicious odor: If you open a letter or package and see an unknown material, or if an unknown material is leaking from the mail as a liquid, powder, or odor, do not try to clean it up or otherwise disturb it. Set the mail down on a stable surface and call the first responder designated to respond to this type of threat, e.g., the HAZMAT team at the local fire and rescue department.
Opened mail that contains a written threat: If anyone in the organization opens a letter or package with or without powder and discovers a written threat, such as a note that says “You have been contaminated with ricin,” put the package or letter down on a stable surface and call the first responder designated to deal with this type of threat. The mail center supervisor or the first responder must ensure that local law enforcement authorities and the FBI local field office are notified in either of these events.
Unopened mail: Whenever a mail center worker identifies an unopened package or letter as “suspicious”, a mail center supervisor or specially trained employee should examine the mail piece to confirm that it meets the “suspicious” criteria established for the location (e.g., it is covered with powder or appears saturated from the inside). If confirmed, do not open it. A supervisor or designated mail center worker who is trained to confirm the identification must be available during all working hours.
Next, determine if the mail piece is addressed to a person who actually works in the facility. If so, and if the addressee can be located in a reasonable period of time, contact the addressee and ask him or her to identify the package. If the addressee recognizes the package and is certain it is not threatening, deliver it. If the addressee does not recognize the package, or if you cannot locate the addressee, attempt to contact the individual listed on the return address to verify the contents of the package. If you successfully contact the sender of the package, ask them to provide a description of the contents, intended addressee, and the reason it was mailed to your location. Provide this information to the addressee for further verification.
If the addressee does not recognize the package, or if you cannot locate the addressee, do not open it. The supervisor or designated mail center worker should call the previously designated first responder. This first responder will be responsible for opening the package in a controlled environment and following the appropriate protocol for evaluation of the threat. A “controlled environment” may be a glove box, hood with negative airflow and HEPA filters on the exhaust airflow, or a similar device. When identifying the first responder who will open suspicious letters or packages, make sure they have a controlled environment available.
Mail that contains an unidentified secondary container: If x-ray inspection shows a secondary container that may contain an unknown material, or if you open a letter or package and discover such a container, do not open or otherwise disturb the secondary container. Treat the secondary container as suspicious, unopened mail. As above, first call the addressee and see if they can identify the container. If he or she cannot be located, then call in the first responder designated to open suspicious mail.
2. Managing Biological Threats That Appear Credible
In the event that a trained first responder, after reviewing the situation, determines that a possible biological hazard may actually be present (i.e., a biological agent may have been released into the workplace, or a biological agent may be present in a package or envelope that has been opened), the first responder should take the following steps or ensure that these activities are performed where appropriate:
  • Turn off the ventilation system, fans or window air conditioners for the area of potential release.
  • Turn off any high-speed mail processing equipment that may have handled the suspicious mail piece.
  • Make sure that the suspicious substance is not disturbed by covering it
  • Keep everyone out of any room(s) that may have been contaminated.
In addition, the first responder should immediately call local law enforcement authorities and the FBI Field Office and ask to speak to the Weapons of Mass Destruction (WMD) coordinator. The FBI website is http://www.fbi.gov. The FBI WMD coordinator will respond to the scene and will, in conjunction with other federal, state, local, and internal experts, conduct a threat assessment and, in conjunction with public health officials, direct other actions to protect employees and the general public.
Suggested Actions for First Responders
Ricin should only be handled by trained and certified hazardous materials professionals. Hazardous Materials Teams should be aware that ricin mostly presents a particulate inhalation or splash hazard depending on the preparation of the material. Personal protective equipment (PPE) for first responders, including those who are decontaminating victims at the scene, is generally determined by the Incident Commander based on the mechanism of dispersal and whether dispersal is continuing. Preventing droplets from contacting broken skin or mucosal membranes (e.g., the mouth or eyes) is important when decontaminating someone, but airborne dispersal of ricin during decontamination is an unlikely hazard. PPE can consist of a chemical-resistant suit with gloves, air purifying respirator or self-contained breathing apparatus and eye/face protection. Sampling, seizure, or transportation of ricin should be completed only under the authority of or in coordination with law enforcement.
Personnel who may have been exposed to ricin should wash the affected area vigorously with soap and water. Equipment and supplies can be decontaminated with a weak (0.5 percent) hypochlorite solution (bleach) and/or soap and water.
Healthcare providers should report suspected or known cases of ricin poisoning immediately to the regional poison control center (telephone, 1-800-222-1222) and to local or state public health agencies, which will report cases to the CDC, and other federal agencies including the DHS.
DHS encourages recipients of this Information Bulletin to report information concerning suspicious or criminal activity to local law enforcement, local FBI’s Joint Terrorism Task Force or the Homeland Security Operations Center (HSOC). The HSOC may be contacted at: Phone: (202) 282-8101 or by email at HSCenter@dhs.gov.
[1] Adapted from GSA Policy Advisory: National Guidelines for Assessing and Managing Biological Threats in Federal Mail Facilities; December 29, 2003