Showing posts with label e-spy. Show all posts

QOTD - Cyber Spies Are Winning

Business leaders are waking up to the new reality that cyber adversaries, from hacktivists to nation-state adversaries, can gain almost unlimited access to their networks. Corporate boards are now demanding answers from befuddled Chief Information Security Officers who frequently only have their compliance lists instead of real solutions to counter the threat.

The reality is we have all collectively been too complacent in the face of a determined adversary for too long. We have let our technology stagnate for a decade using reactive defenses developed in the 20th century against a 21st century threat that produces over 70,000 new attacks every day. All the while there is a constant, methodical, silent, systemic hoovering of our nation’s secrets and our corporations’ intellectual property, eroding our ability to compete against emerging economies. The intellectual wealth of our nation is being stolen out from underneath us, hastening the flattening of the world faster than even Thomas Friedman predicted. For the nation that invented the Internet and built billion dollar businesses like Google and Facebook, it’s time to re-invent security for the digital economy.
-- Anup Ghosh, founder and CEO of Invincea

Src: Cyber Spies Are Winning: Time To Reinvent Online Security - Forbes

QOTD - Schwartz on APTs

The new fact of life is a 'state' of persistent, dynamic, intelligent threat and disruption, the economic and societal ramifications of which are overwhelming. This doesn't mean that we as a collective of security professionals are powerless against our adversaries – we can and should be able to manage our risk to an acceptable level and change the ongoing and grim trends.
-- Eddie Schwartz, Chief Security Officer of RSA, The Security Division of EMC

Src: Cyber Security Leaders Rally to Combat Advanced Persistent Threats

QOTD - ASIO DG on e-Spying Threat

The Internet and increased connectivity has expanded infinitely the opportunities for the covert acquisition of information by state-sponsored and non-state sponsored actors.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Australian Security Intelligence Organisation - Transcript of remarks by ASIO head on July 5, 2011

QOTD - ASIO DG on e-Spying Threat

Cyber espionage has emerged as a serious and widespread concern and one that will continue to gain prominence due to the ongoing digitisation of data and increasing reliance on technology in commercial, governmental and military business.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Royal United Services Institute of Australia - Transcript of remarks by ASIO head

QOTD - US DoD on Threat to Intellectual Property

While the threat to intellectual property is often less visible than the threat to critical infrastructure, it may be the most pervasive cyber threat today. Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies.
Src: US Department of Defense Strategy for Operating in Cyberspace

QOTD - Uri Rivner on the RSA Hack

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.
[...]
It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology.
[...]
What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores. It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.
-- Uri Rivner, Head of New Technologies, Consumer Identity Protection, at RSA

Src: Anatomy of an Attack « Speaking of Security – The RSA Blog and Podcast

QOTD - Chess as Warfare

In essence, chess is warfare, as much psychology as strategy. To win, one must understand the mentality of the opponent, hinted at in each new move. One must so thoroughly master the adversary’s weaknesses—an overzealous offence? guarding rather than attacking? a passion for sweeping one end?—that one can anticipate them and use them. Chess is a game of information, false and true, derived from what the opponent “should” do, based on his own past play or that of others, and on what the opponent actually does. Chess has no bloodshed, but the exhilaration of psychological warfare—taking no prisoners in a complete victory—is its attraction.
-- Stewart Gordon

Src: Saudi Aramco World : The Game of Kings
Note: emphasis is mine

QOTD on e-spying

A knowledge economy needs to protect from exploitation the intellectual property at the heart of the creative and high-tech industry sectors.
-- Iain Lobban, director of Britain's Government Communications Headquarters (GCHQ)

Src: Cyber Threats Very Real For Britain: Official | RedOrbit.com

QOTD on Google

They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you've ever sent or received. They know the news you read, the places you go. They're even collecting real-time GPS location and DNS look-ups.
They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about. -- Moxie Marlinspike, Privacy advocate, creator of the GoogleSharing Firefox Addon, speaking at the SOURCE conference about Google
Src: Privacy Tool Sidesteps Google's Data Collection | threatpost

QOTD on Cyber Attacks

A cyberattack would be like being bled to death and not noticing it and that's kind of what's happening now. -- James Lewis, senior fellow at the nonprofit Center for Strategic and International Studies (CSIS)
Src: Experts warn of catastrophe from cyberattacks | InSecurity Complex - CNET News

QOTD - Blair on E-spy

Mr. Dennis C. Blair, Director of US National Intelligence, speaking at the Alfred M. Landon Lecture Series on Public Issues, Kansas State University, Manhattan, Kansas:
One of the major growth areas of the business of gathering intelligence is penetrating foreign networks, and bringing information to our analysts to write their reports. In this area, I can’t give you many specific examples, since they’re classified. But it’s not difficult to imagine the value of being able to read the e-mails of some foreigner involved in a plot against the United States.
Earlier, Mr. Blair also said:
Increasingly, the information we want to see – in order to find out what others are thinking and doing – is stored and shared in their networks. So that’s where we go to get it. Foreign governments communicate on networks [...] Organizations in which we’re interested store their records electronically, not in file cabinets.
Src: 20100222_speech.pdf (PDF) from DNI.gov

QOTD on Cyber Threats

Targeted attacks are part of everyday life now, and the sooner people wake up to this, the better prepared they can be. -- Zane Jarvis, AusCERT senior information security analyst
Src: Old software leaved the door open for net nasties | The Australian

QOTD on the Democratization of Espionage

Brian Krebs asks Roland Dobbins, solutions architect at the Asia Pacific division of Arbor Networks, about the meaning of the current situation with cyber spying, botnets, and the low level of risk for those engaging in such activities. Roland replies:
Because it's so cheap through the use of botnets for bad guys to get this information, ordinary people are essentially the targets of espionage in a way that has never been true before in human history. Their personal information is being targeted by folks who have resources that in many cases are beyond what nation states would have been able to bring to bear only ten years ago.
Src: Botnets: "The Democratization of Espionage" - CSO Online - Security and Risk

QOTD on e-Spying

Modern-day espionage doesn't involve cloak and dagger anymore. It's all electronic. -- Tom Kellermann, Vice President at Core Security Technologies
Src: China Expands Cyberspying in U.S., Report Says | WSJ.com

QOTD Ranum on Leaks

If you knew what you think you know, you wouldn't have been able to say what you just said, so I know that you don't know anything. -- Marcus Ranum, CSO of Tenable Network Security
Those that have been in information security long enough know Marcus and his reputation as a skeptic. I have to say that I was very impressed with Marcus' quote given that it was provided during an interview with Patrick Gray of the Risky Business Podcast.

Src: Risky Business #106 -- Centrelink's new PLAID auth protocol

QOTD on Outsourced IT Supply Chain

Our national reliance on IT hardware and software from various non-pedigreed sources is a foundation for major cybersecurity risks having national security implications. The incident reports cited in this article further highlight potential risks ranging from logic bombs and self-modifying code, deliberately hidden back-doors to potentially fatal equipment failure and even foreign espionage...
As NIST advises, organizations must add “defense-in-breadth” to their strategy mix. While Defense-in-depth focuses on the operations phase of the systems development lifecycle, defense-in-breadth covers the entire lifecycle.
Src: Trust but verify: Security risks abound in the IT supply chain | GCN.com
Thanks to the CyberWarfare Forum Initiative for bringing this article to my attention.

Like Dominoes - The Anatomy Of The Twitter Attack

How many of our systems have interconnections to other systems that have weaker security? If so, remember that your ultimate level of security is that of the weakest link. This is a story about an executive, in this case the CEO of Twitter, whose Gmail account gets compromised (domino #1: password reset), which leads to leakage of corporate sensitive information that was stored with Google Docs. The intruder then covered his tracks so that the account owner would not notice (domino #2: reset password back to original by correctly guessing the CEO was using a single password for multiple accounts).

The same warnings apply to bank accounts, phone records, insurance contracts, and health records. Any account with sensitive information which uses a weaker account (e.g. most webmail applications) as a backup is likely to be a target of attackers looking for fresh prey and easy access to documents.

Src: The Anatomy Of The Twitter Attack | TechCrunch.com

QOTD - US Cyber Commander on Defending IT

On May 5, 2009, Army Lt. Gen. Keith Alexander, Director of NSA, and now poised to become new commander of the US Cyber Command, spoke before the Terrorism, Unconventional Threats, and Capabilities Subcommittee of the US House Armed Services Committee:
[The US must maintain] the capabilities to use cyberspace as a medium to deter, deny or defeat any adversary seeking to harm U.S. national and economic security; while ensuring actions are undertaken in a manner that protects our Constitutional liberties.
...
The rapid expansion and global dependence upon cyberspace required the Defense Department to evolve its warfighting doctrine to include cyberspace as a viable domain on par with the domains of the land, sea, air and space. Cyberspace is unlike the other warfighting domains, it is a man-made technological phenomenon solely reliant upon human activity. The Department of Defense defines cyberspace as 'a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems and embedded processes and controllers.'
...
More than the speed of the communications, the rate of change of cyberspace, and the applications that use it, is continuous, making this domain ever evolving. However, the convergence of communications devices being driven by cyberspace is fueling an integration that has far reaching consequences, both positive and negative, that must be appreciated if one is to understand this domain.
[Emphasis is my own]
Src: Defending IT: Words from the New Military Cyber Commander | GovInfosecurity.com
Direct link to PDF of testimony

QOTD on the Importance of Internet Identity and Anonymity

It's so easy to be anonymous on the Internet, that people can launch the equivalent of cyberwar and cyber-terrorist attacks from their living room, anywhere in the world, and with complete anonymity...
We are seeing this in sociopolitical and geopolitical hotspots. Organizations are reaching out to individuals, telling them that if they install attack bots on their PC, that their system will be used to wage war. People can go to terrorist Web sites and download and install bots on their own. And those that are installing these applications built to attack will do so in total anonymity. -- Andrew Storms, Director of Security Operations at nCircle
Src: The importance of internet identity, and anonymity | Threatpost [tx to @GeorgeVHulme and @digiphile]

Cybercrooks drooling over social net data

Security professionals have long warned about the abundance of information that people are willing to share about themselves and others, including relatives, friends, and even perfect strangers. This data is useful to cyber criminals seeking to guess your password, reset your account, or fool you into clicking, viewing, or downloading malicious content.

The funny thing is that security professionals are people too, and they also use social networking sites. You can follow many of them on Twitter, for example; the SecurityTwits database is a good place to start. Just don't expect to find much personal data or easy-to-guess passwords.

Src: Cautionary tales from the social-networking universe | csmonitor.com