Archive for September, 2010

Stuxnet Update (taken with a grain of salt)

Hot off the presses:  Nothing.

Per Fox news – Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack.

A standard reply on subjects of national security, I suppose.  But you may note that there’s not a whole lot of hoopla going on or statements from the Pentagon that we’re scrambling to make sure it’s not going to happen here.  It’s true there are serious things going on led by serious people in serious organizations to reduce the possibility that it will happen here (mad props to my homies at NERC / FERC / even DOE), but there’s no official statement from the Pentagon encouraging the private sector to batten down the hatches.

On the other hand, the only place I could find this wishy-washy, standard-practice Pentagon statement was via Fox News, so take that for what it’s worth.

All in all, I still stand by my previous implications of the Chapman / Jackson spy team.


Stuxnet: we have met the enemy…

The Stuxnet virus / trojan / attack has been receiving a lot of press and there’s lots of speculation as to who’s behind it.  This, of course, has greased the gears in my tiny little scheming paranoid mind and I’ve assembled a timeline of world events and some factoids about Stuxnet for your reading pleasure.  Use at your own risk.

Backstory:

In the event you’ve been living under a rock (or aren’t in IT), Stuxnet is a computer virus / worm that is very sophisticated and attacks specific software controlling specific control systems that are used in all kinds of industrial plants.  It has huge potential to do large scale horrible things.  Many security professionals / industry experts say this was the work of a nation-state, attacking another.  Up to speed?  Super.

Theory:

So if you happen to be a nation-state, how do you launch a cyber attack without giving up your own arsenal?  Consider traditional warfare (handgun version):  Good guy shoots bad guy.  Bad guy has possession of the bullet, good guy keeps the gun.  Without the gun, the bullet is useless.  Compare this to cyber war:  Good guy exploits a zero-day vulnerability on bad guy’s system.  Bad guy collects evidence and analyzes/evaluates the attack and now has the capability to exploit the same system.  The equivalent of reverse engineering a gun out of a bullet – now bad guy has the capability to attack similar systems.  See a problem there?  It’s quite likely that good guy is also running the same systems, running the same software, supporting similar infrastructure within his own country.  Seems to me that before this is actually done in the real world, somebody would launch a test shot; somewhat harmful, but not intended to absolutely destroy the adversary.  Just to see how the vendors, community, and world at large would react.

And as my friend and real, actual rocket scientist, Doctor Bob has pointed out, war college teaches that successful strategies involve multiple attack vectors.

Is Stuxnet a sophisticated, multi-faceted proof of concept?  And whodunnit?  Judge for yourself.  I’ve highlighted what I think are key concepts.

Timeline:

February 25, 2009 this photo shows an error indicating unlicensed software running at Iran’s newest power plant.  Yes, it’s the software that was attacked, and happens to have emerged four days after one of the time stamps on the signed files.  The plant is being built by Atomstroyexport, a Russian firm.
June 25, 2009 Michael Jackson is (errantly) reported dead
July 23, 2009 US Cyber Command created by US Defense Secretary Robert Gates under the command of General Keith Alexander
July 31, 2009 Three American anti-war, social justice and Palestinian solidarity activist hikers arrested in Iran by border guards and held on espionage charges
November 8, 2009 Fearmongering media outlet 60 minutes airs “Cyberwar: Sabotaging the System” chock full of half-truths and crap, but airs it nonetheless.
January 28, 2010 Marines announce their Cyberspace Command at the National Cryptologic Museum.
February 21, 2010 CNN airs “We Were Warned – Cyber Shockwave”.
March 17, 2010 Jesse James totally blows it by cheating on that goddess Sandra Bullock.  Totally, totally blows it.  Moron!
April 2010 US (and Russia, China, France, Britain and Germany) puts pressure on the UN to impose sanctions on Iran due to their nuclear program
April 26, 2010 Lindsay Lohan fired from “The Other Side” because she’s not “bankable”.
May 21, 2010 Initial Operations Capability achieved at CYBERCOM.
June 16, 2010 Florida declares war on the Medfly which is infesting local guava crops.
June 17, 2010 Mark Weatherford (former Naval Officer) replaces Michael Assante as Chief Information Security Officer at the North American Electric Reliability Corporation.
June 27, 2010 Uber-hottie Russian spy Anna Chapman arrested.
July 8, 2010 US announces “Perfect Citizen” program to help defend industrial networks. Anna Chapman deported to Russia for a spy-swap, from which we got a bunch of ugly fat guys back (you’ve won this round, comrade!).
July 10, 2010 First of five Lunatic rants released, starring Mel Gibson. That’s “Lunatic” with a capital L.
July 13, 2010 Iranian nuclear scientist Shahram Amiri, missing since May 2009, surfaces – he had taken refuge in the Iranian interests section of Pakistani Embassy in Washington, D.C.   Conflicting claims made (supported by video) that he was kidnapped by the CIA from Saudi Arabia, versus in Arizona going to college.
July 16, 2010 first Stuxnet infections discovered in Iran announced
July 21, 2010 Clue found in code disclosed:  “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb” is found in one of the drivers.
July 22, 2010 China announces its Information Security Base, a defensive cyber security team for the People’s Liberation Army.
August 31, 2010 Officials state Iran’s newest nuke plant will be delayed.  They say extreme temperatures.  But isn’t it always extremely hot there?

Supporting Factoids:

From what I can find by examining everything online, the “words” used in the file naming and DLL routines are in English.

The USB malware stops infecting after three systems.  It’s like they didn’t want this to get out of control – just attack the single target.  Three times.

Guava was frequently used in military rations in WWII.  There are groves of guava trees on Guantanamo Bay Naval Air Station.

Conclusion:

US Cyber Command launched an attack targeting Iran’s newest power plant in order to hamper the nuclear program.  They did it by having Anna Chapman coerce one (or more) Atomstroyexport contractors to swap infected USB drives (likely ones that look and maybe are labelled just like the other presumed “safe” drives) with existing ones.  Michael Jackson in his new role as special operative was the chief architect behind the software, his gloved hand tipped by his love of guavas.  Currently, US Cyber Command is monitoring this situation carefully, to determine how quickly the community reacts so it can time future attacks.  Mel Gibson and Lindsay Lohan are not suspects in this case.

There may be some inaccuracies in the conclusion.  For example, I’m not sure Michael Jackson still wears the glove.  And Weatherford at NERC – …coincidence?

To quote Pogo: “We have met the enemy, and he is us.”


Terry Jones, A**hole du jour

Dear Pastor Terry Jones –

Hey, buddy, how’s it going?  I just wanted to send a quick note to let you know that you’re an asshole of amazing proportions, if that isn’t incredibly clear at this point.  Here’s why:

  1. You’re supposed to be a Christian – forgive me if I’m wrong, but isn’t one of the core teachings of Jesus “turn the other cheek”?  Oh, right – clearly you can’t forgive me or anyone else, and feel the need to publicly display your incapability of doing so (and anti-Christian behavior) by disrespecting millions of people.  If you’re really a Christian, clearly you’re a Christian Asshole.
  2. How many people are you intending to hurt?  And which people would they be?  If you haven’t heard, your Koran burning will likely incite violence against Christian Americans.  Unfortunately you’re American – but at least we can see you’re an American Asshole.
  3. You are going to offend ALL Muslims on 9/11.  Aren’t you really just pissed off at just a couple of ‘em?  Sure, the Muslim community has some assholes, most notably (and significant by the date you’ve chosen) Bin Laden.  Well, I suppose we’ve got assholes here as well – you being the American Christian Asshole Club’s (ACAC) reigning Asshole-In-Chief.  Congratulations on your promotion, and your new membership in its sister organization, the Worldwide Asshole Club.


And one last thing – I’m travelling this weekend.  If I get stuck not being able to get back due to grounded flights or something like that, I’m going to come to Florida and kick your friggin’ ass!

Seriously, dude, knock it off.   Asshole.

Jim
Recovering Asshole, and member of Assholes Anonymous

P.S.:  Hey, Britain – how about doing us a solid here and finding a use for this guy?  We took Piers Morgan!


Compliance vs. Security

Need some sleep?  Try reading compliance manuals.

My alter ego was invited to host a round table at a conference recently, on the topic of “Security and Compliance in IT Networks”.  The conference was hosted by a network provider / integrator in town, and focused on topics such as migrating to high performance wide-area networks and the like – “carrier-class” topics.  The biggest security concern, for most attendees, is the prevention of denial of service.   And “compliance” doesn’t have a whole lot of applicability to carrier networks.   So I had a nice blank slate, and a “roundtable” that would likely be a bunch of 10 year old questions (questions on topics that are 10 years old; not implying that they’re coming from 10 year olds).

So in typical Jovian fashion, I decided I’d take the most controversial stance I could (while remaining on topic) that Compliance had nothing to do with security – in fact, they’re almost mutually exclusive.  I quoted the statistics from the latest Verizon Data Breach Investigations report, interpreting the statistics to match my agenda appropriately and prepared to engage in a pointed discussion.  Here’s a quick summary of how the statistics could be viewed (or “skewed”):

  1. 21% of organizations subject to PCI were fully PCI compliant. 
  2. Out of the remaining 79%, on the average, 39.75% of those were compliant with the majority of PCI requirements. 
  3. In other words, 31.4% of the organizations subject to PCI were mostly or entirely non-compliant.


It then goes on to say:

The [PCI] standard is authored to provide an approach towards security, built to make unauthorized access to systems and data iteratively harder through a series of control gates.

The idea here was that I would infer from this that organizations more in compliance (“complianter”?) would be less subject to breach – as one becomes compliant by implementing more “control gates”, you would be more secure as a result.  However, the data presented in the Verizon study simply don’t uphold that premise, since from above, roughly equal numbers of compliant, semi-compliant, and non-compliant organizations were represented in the study, with only a slight lead taken by those that are completely compliant.

At least that was the premise for the conversation, coupled with a liberal sprinkling of McAfee and Symantec threat report goodness for added flavor.  So how’d it go, you ask? 

Crickets.  Nobody wanted to talk about any of that hoo-ha, they just wanted to know how to keep their damn networks up.  So the round table became a dissertation on the techniques behind DDOS with a then-and-now perspective, talking about how easy it was to how complex it’s become, citing cases from February of 2000 through the most recent Yahoo and DNSmadeeasy.com’s attack.  Same conclusion as always:  fix it with more bandwidth and processing power.  Ho-hum.

But the real value was in preparing the presentation, because it tore me away from catching up on Snooki’s adventures in North Jersey and got me … well, thinking.  Compliance and Security are in fact closely related, and each entirely benefit from the other.  Now before you go thinking I’ve flipped my lid, let me explain:

To start with, the Random House Unabridged dictionary defines compliance as:

  1. the act of conforming, acquiescing, or yielding.
  2. a tendency to yield readily to others, esp. in a weak and subservient way.
  3. conformity; accordance: “in compliance with orders”.
  4. cooperation or obedience: “Compliance with the law is expected of all.”


Ok, so you can see this goes totally against every fiber of my being.  Sort of like Joe Walsh’s “Ordinary Average Guy”, you know – where he sings about the guy who takes out the garbage, cleans out the garage, goes bowling, average kids and wife – all the things I rebelled against as a starry(bloodshot?)-eyed young man aspiring to be a rock star.  And here I am, damnit, with a day job and a mortgage.  I blame my ex-wife for all of it.  But I’m digressing.

Regulatory Compliance is something that is enforced by some kind of regulatory body.  The enforcement is usually in the form of civil or criminal penalties.  Take PCI or HIPAA.  Both have fairly significant sanctions for non-compliance.  (yes, I know that enacting sanctions based on noncompliance for these involves zillions of dollars in court costs on behalf of the regulatory entity and the non-compliant entity, and that it’s challenging at best to even get a slap on the wrist administered, but just ride this out with me here). 

Sanctions are applied and delivered to the highest level of governance at the organization.  This tends to make the top of the organization angry, and that anger is typically directed through executive management as vague and poorly thought out, yet forcefully delivered, edicts.  That cascades through the organization and gathers size and steam – the proverbial poop-rolls-downhill metaphor in action.  By the time it ends up as a splattered steamy stain on your new Manolo Blahniks, it’s death by stoning for anyone who doesn’t prostrate themselves before their immediate supervisor to honor this new proclamation and do whatever it takes (lying, falsifying records, etc.) to be compliant.

Are we secure yet?  Nope.  We’ve just witnessed a cultural ripple – a wave that made it to shore.  It’s what “actual security” can piggyback on and make it all the way through the organization.  Compliance (or rather, the impact of non-compliance) can bring with it serious cultural change in an organization – it can be the catalyst for implementing the security program you’ve been pitching to the board and seeing ignored due to lack of funding for years (although the new Aeron Chairs in all the conference rooms were clearly more important).  It’s something that you can totally leverage.  

The moral / conclusion to this long winded story?

  1. Make sure you’re not responsible for compliance.
  2. Scrap your security pitch, and rewrite it as if you’re implementing it in response to a gigantic non-compliance fine.
  3. Get fined for non-compliance.  I don’t know, maybe hire a hacker, sell pictures to TMZ, whatever it takes.
  4. Let chaos ensue.
  5. Save the day with your new security compliance plan, get a raise and a promotion.  And one of those cool new Aeron chairs.
