Hidden but important truths from the presidential debate

Summary: The last debate was mostly chaff; like the campaign, it was mostly entertaining demonstrations of the obvious. But there were moments revealing deep truths about our government and us. They were, of course, ignored. Here is the story of one such moment, a statement by Hillary Clinton that is rich with useful insights, if we dig into it.

“Fire destroys all sophistry, that is deceit; and maintains truth alone, that is gold.”
— Leonardo da Vinci, from his Notebooks. A bad solution for political structures built on lies.

More essential insights from Glenn Greenwald at The Intercept: “In the Democratic Echo Chamber, Inconvenient Truths Are Recast as Putin Plots”…

“Donald Trump, for reasons I’ve repeatedly pointed out, is an extremist, despicable, and dangerous candidate, and his almost-certain humiliating defeat is less than a month away. So I realize there is little appetite in certain circles for critiques of any of the tawdry and sometimes fraudulent journalistic claims and tactics being deployed to further that goal. In the face of an abusive, misogynistic, bigoted, scary, lawless authoritarian, what’s a little journalistic fraud or constant fearmongering about subversive Kremlin agents between friends if it helps to stop him?

“But come January, Democrats will continue to be the dominant political faction in the U.S. — more so than ever — and the tactics they are now embracing will endure past the election, making them worthy of scrutiny. Those tactics now most prominently include dismissing away any facts or documents that reflect negatively on their leaders as fake, and strongly insinuating that anyone who questions or opposes those leaders is a stooge or agent of the Kremlin, tasked with a subversive and dangerously un-American mission on behalf of hostile actors in Moscow.

“To see how extreme and damaging this behavior has become, let’s just quickly examine two utterly false claims that Democrats over the past four days — led by party-loyal journalists — have disseminated and induced thousands of people, if not more, to believe. …”

Both are straightforward lies by Team Hillary about the WikiLeaks emails of John Podesta, propagated by good liberals and her loyal journalists — allowing them to ignore the emails’ damaging content. His conclusion is spot-on.

We Must Stop The Race to Attribution After Each Cyberattack

Summary: Cybersecurity expert Emilio Iasiello discusses one of the key issues in cybersecurity — how do we determine who attacked us? Each attack brings forth rapid declarations by the government that the attacker is one of their favorite foes. Should we believe them?

The Race to Attribution Needs to Stop

By Emilio Iasiello
Posted at Dead Drop (of the LookingGlass Cyber Threat Intelligence Group)
30 March 2016. Posted with his gracious permission.

It has become almost systemic for people to immediately question, “Who did it?” when a major breach occurs in the public and/or private sectors. Understandably, the victimized have a keen interest in identifying their faceless attackers especially when they have been publicly exposed. There is also a competitive aspect, as the first person to make attribution can add credibility to his or her name. However, while providing information for public consumption is important, it’s equally as important to provide accurate information.

In the cyber security industry, a commonly heard mantra is that attribution in cyberspace is difficult. Cyber security experts and organizations, and even some government officials, have emphasized this point. If most agree that attribution is difficult and time consuming, why is there invariably a need to immediately attribute hostile activity that may end up being incorrect and misleading?

This is perplexing especially when one considers that some state actors are considered to be sophisticated and stealthy, yet once their operations are exposed, attribution appears relatively easy to assign. This contradicts the general premise of the attribution challenges that cyberspace presents and discounts the anonymization and obfuscation techniques employed by savvy actors to avoid those very identification efforts. Furthermore, reliance on technical evidence as indicators of attribution may become less important as actors may alter timestamps, use different keyboard languages, and change compile times to point blame in a different direction.

Determining guilt in cyberspace: difficult now, but there’s hope for the future

Summary: We see the nature of modern America in our response to cyberattacks. The government quickly points to one of the usual suspects, and Americans believe. Reminders of past government lies have no effect, nor do experts’ warnings that attribution in cyberspace ranges from difficult to impossible. For a change of pace, today cybersecurity expert James Palazzolo explains why this might not always be so. Law and order might someday come to cyberworld. {1st of 2 posts today.}

The Complexities of Attribution in Cyber Space: An Overview

By James Palazzolo, 25 August 2015
From DarkMatters: Providing superior attack intelligence.
Posted with their gracious permission.

Seeking attribution

The challenges with attribution and Cyber Space are a study of both social and political aspects that directly relate to the overall technical architecture of the Internet as a whole.

Rid and Buchanan argue that attribution is not a matter of technology but a matter of want; meaning: attribution in Cyber Space is determined by the importance for states to want accurate high confidence attribution with regards to cyber systems. If this want is not realized then little kinetic effort will be spent on the process of attribution.

The challenges of attribution are a well-known argument from a technical studies perspective, but it still does not help to answer: what can organizations do in the short term when looking for high degrees of confidence in attribution? If high degree confidence technical attribution is possible how long will organizations (that utilize cyber systems to conduct business) have to wait until states globally accept levels of concrete identity over the Internet for all systems? From an analogous perspective the wait for an answer to the question is the ‘gorilla in the room’.

There is a good possibility that consistent high confidence attribution of cyber systems will never be achieved. From a covert operations viewpoint the lack of high confidence attribution benefits states’ Intelligence communities.

The ability to launch political campaigns with almost complete anonymity is too convenient for states to ignore (Aliya Sternstein in Defense One). It can be argued that social applications have cemented this stance as these applications are able to reach millions of individuals rapidly and typically cost the end user nothing to use.

Therefore, why would states want to engage other states in creating policy that reflects the technical gaps surrounding attribution in Cyber Space?

Additionally, there is no monetary incentive from a private industry stance to push the conversation closer towards high confidence attribution for cyber systems. With billions of dollars already invested in offensive and defensive cyber systems there is no need to reel in development costs and towards developing systems that offer high degrees of user and host attribution.

Identifying the guilty: tying nation states to cyber espionage

Summary: It’s the cycle of our time. Cyberattack on us. The government points a finger, without evidence and encumbered by their history of lies (and of committing similar deeds). Today cyber intelligence analyst Emilio Iasiello explains why attribution is so important but difficult to do. (2nd of 2 posts today.)

“Attempt the end and never stand to doubt;
Nothing’s so hard but search will find it out.”

— Robert Herrick, “Hesperides” (1648).

Tying Nation States to Cyber Espionage

By Emilio Iasiello. From DarkMatters, 3 March 2015
Providing superior attack intelligence.
Posted with their gracious permission.

Introduction

Cyber espionage is a significant contributor to what then Director of the National Security Agency Keith Alexander termed “the greatest transfer of wealth in history.”

While 2014 marked some of the more sensationalized breaches committed by cyber criminals, espionage actors continued to demonstrate their prowess by targeting a wide variety of sectors in support of information theft. Yet, as more cyber espionage campaigns have come to light, there is a growing body of evidence to suggest that part of this actor set is composed of enterprising independent contractors looking to monetize their efforts, rather than being directed by or working directly for a foreign government.

The case of Su Bin articulates why this new “as-a-service” model could potentially provide an opportunity for miscalculation and error, thereby impacting governments from developing appropriate response actions.

Attribution in Cyberspace is Difficult at Best

The horror of cyberspace: we can’t easily identify our attackers.

Summary: In this last of Marcus Ranum’s 2 posts about identifying cyber-attackers, he explains why the usual methods we read in the news are quite fallible — no matter how confidently they’re stated. Our difficulty with this is a common if scary aspect of modern warfare and crime.  {2nd of 2 posts today.}

Attribution is Hard, Part 2

By Marcus Ranum, Senior Strategist at Tenable Network Security

This article originally appeared on the Tenable Blog.
Reposted with their generous permission.

Yesterday’s part 1 described a classic hacking incident and discussed the challenges of establishing attribution. Today I explain what weak attribution is, and I conclude the discussion on the four requirements of establishing attribution.

Yesterday’s cliff hanger probably left you wondering what I mean by “weak attribution.” There are several forms of weak attribution that warrant discussion.

Attribution by tools

The first form of weak attribution is an argument based on tools used, if those tools are available in the wild to security researchers. Just because a tool is available and used by an attacker doesn’t mean that any other frequent user of the tool is your current perpetrator. There are plenty of hacking tools available for repurposing by other attackers. I hate to sound like a cynic, but apparently some people haven’t yet realized that there are security researchers who play both sides of the game-board; if I wanted to go rogue, I could assemble a state-of-the-art set of custom “state-sponsored” quality malware in about a week.

Tools are clues, not fingerprints.

Attribution by guessing about cui bono

How do we identify our attackers in cyberspace?

Summary: The news overflows with confident identification of cyberattackers. Today we have an account of hacking from a defender’s perspective, explaining the difficulty of attribution, written by our co-author Marcus Ranum. After reading this, you’ll regard the news about these things more skeptically. {2nd of 2 posts today.}

Attribution Is Hard - Part 1

By Marcus Ranum, Senior Strategist at Tenable Network Security

This article originally appeared on the Tenable Blog.
Reposted with their generous permission.

In 1995 I landed my first independent consulting project: an incident response for an important financial institution in New York City. That experience has informed my attitude about attribution ever since, because it was one of the rare incidents I’ve ever been involved in when we actually learned the identity and location of the attacker with a high degree of certainty.

The attacker was accessing an X.25 connection to the institution, had guessed an account/password pair on one of the Unix hosts, logged in and began looking around. He was first detected by one of the system administrators who noticed something unusual: a service account that normally didn’t log in was logged in, running the telnet command. An incident response team was assembled and we started charting out what was going on, what the attacker was doing, and when the break-in had occurred.

The financial institution was extremely lucky that the system administrator was so observant: the attack was discovered within the first 3 days of the initial break-in. As shown in this animation:

Cyberwar: About Attribution (identifying your attacker)

Summary: Identifying the attacker is the key to modern military defense, so one can launch a reprisal or counter-strike. But attributing cyberattacks is difficult because nothing in cyberspace has to look like anything familiar. How do you attribute a weapon that was created out of thin air and used by an enemy that has no physical location? Links to other chapters of this series are at the end.

Contents

  1. Cyberspace, Novel Weapons, and Location Independence
  2. Technology, Language, Culture, and Cui Bono
  3. A Model For Attribution
  4. About the author
  5. For more information

(1) Cyberspace, Novel Weapons, and Location Independence

Cyberspace does have some unique attributes which are not mirrored in the real world, such as the nonexistence of “territory”. There is no “there” there. Some of the things we are accustomed to taking into account in warfare are missing: hostile forces do not need an ‘assembly zone’ that can be detected and watched. Nor do they have to cross ground — where they leave traces of the type that we’re used to dealing with.

Imagine if a hostile power was going to insert a covert operations team into a target area and wanted to be stealthy enough to achieve plausible deniability. In the past troops could be outfitted with uniforms that had been carefully scrubbed of clues to their origin, “sanitized” weapons, etc. Providing such kit was expensive and exacting work. Inserting them into a target, nowadays, would entail avoiding the ubiquitous video-surveillance cameras, providing false identities under which to travel, laundering funds for the operators, and then having an equally carefully scrubbed extraction plan.

In the real world, this kind of thing is expensive and complex. In cyberspace it is relatively easy and practically free. There are some caveats about the “easy and free” claim, depending on the quality of the defenses that are being attacked but — as we’ve been assured over and over again by our government’s own technical experts — our defenses, to put it bluntly, suck.
