MEECES and Army Private First Class Bradley Manning

Army Private First Class Bradley Manning is at the center of one of the largest leaks of classified documents that the country has ever seen.  He is accused of using his privileged access to a classified government computer system to download sensitive documents, and distribute these documents to websites.

A quick read of his story on the Wikipedia website is a lesson in MEECES – the reasons for hacking.  MEECES stands for money, entertainment, ego, cause, entrance to social groups and status.  Here is a list of the MEECES examples from the Wikipedia website about PFC Manning:

Money – As there is no indication of compensation from WikiLeaks, it is unlikely that he did it for the money (I will concede that point).  As a note, WikiLeaks has donated $15,100 to a fund for his attorney’s fees (which has raised over $100,000).

Entertainment & Ego – If the statements can be attributed to him, Manning was getting satisfaction from the possible ramifications of the documents to be leaked.  Allegedly, he told a writer at Wired magazine that Secretary of State Hillary Rodham Clinton “and several thousand diplomats around the world are going to have a heart attack when they wake up one morning, and finds an entire repository of classified foreign policy is available, in searchable format to the public.”  Additionally, he was feeling superior as he cited “weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm …” leading to his assessment of “perfect example of how not to do INFOSEC”.

Cause – There are a couple of possible causes here.  The major cause cited was desire to publicize sensitive, classified documents pertaining to diplomatic and military affairs in the Middle East.  Bradley felt that these documents needed to be placed in the public domain.  He thought that the public needed to know the truth.  In addition, Bradley was about to be discharged (for punching a female officer in the face), so revenge is apparently a motivator.

Entrance to Social Groups and Status – By initially posting the documents on-line, Bradley was able to communicate with writers for Wired magazine and the whistle-blower website WikiLeaks.  The attention from these prominent media is impressive for young techies.

The article on Wikipedia’s website is quite detailed, but obviously lacks Bradley’s opinions (since he is in jail, awaiting trial).  Time and trial by court martial will tell if Bradley is a criminal or a hero.  Right or wrong, the story posted on Wikipedia demonstrates the motivations of a hacker.

http://en.wikipedia.org/wiki/Bradley_Manning

Sam Antar video – more of a lesson in Ethics?

I’m not sure if the video about Sam Antar was entirely about social engineering.  Granted, Mr. Antar was adept at influencing the auditors, but I think the video was more about Ethics.  The business world is based on integrity of financial information and the video showed that Sam Antar abused and manipulated that integrity to portray his family’s business in a better light.

Factual accounting is the means to ensure financial information is correct.  The financial information is used by investors, lenders, creditors, and governments to make business and investing decisions.  As a certified public accountant, Sam Antar was fully aware of the importance of this information.  He gained knowledge about how accounting firms verified this information by working for the agency that audited Crazy Eddie’s.  He and his associates used this information to deceive auditors and misrepresent key account values to make their business more profitable.  Basically, he willfully deceived investors, creditors, lenders and the government when he knew better.

In class we learned that Ethics was the study of principles of conduct that apply to an individual or a group.  Furthermore, we learned that there are four Ethical Standards: Rights; Justice; Utility; and Care.  In reviewing the video and researching on-line, it is clear that Sam Antar violated all of these ethical standards.

  1. Rights – an individual’s basic needs and welfare.  Sam and his co-conspirators elected to illegally manipulate business systems and take more than was rightfully theirs.
  2. Justice – how the costs and benefits of an action or a policy can be distributed fairly among a group.  Sam and his co-conspirators made millions off their illegal activities.  In the end (probably because of his cooperation with the government and legal plaintiffs), Sam did not go to jail and was not sued.  Sam isn’t living in poverty, as he makes a living as a consultant and is available for speaking engagements.
  3. Utility – The positive and negative effects that an action or a policy has on the public.  Sam’s company cheated investors, lenders, and creditors and the government out of millions of dollars.  Customers were cheated out of warranties, paid “new” prices for “old” electronics.  Employees lost their jobs as a result of the company’s bankruptcy.  Lenders, creditors and the government lost out on monies they invested and taxes they could not collect.
  4. Care – relationships we have with others.  Sam and his fellow criminals trampled on the trustworthiness of many people.  He admitted that he manipulated people to advance his company and personal interests.  In the end, he even served as a witness against family members in their trials for their crimes.

It is clear that ethics was not a high priority to Mr. Antar while he was working at Crazy Eddie’s.  However, according to his website, it appears that he is attempting to educate the public so transgressions like this can be avoided.  Time will tell if his intentions are indeed good and ethical.

http://www.whitecollarfraud.com/

On-line Job Application Scam

As if job-seekers didn’t have it hard enough, the Better Business Bureau of Abilene, TX posted warnings about on-line job application scams that trick applicants into providing personal information.

http://abilene.bbb.org/article/score-a-job–not-a-scam-28725

The scammers were smart to target people who are willing to provide whatever information it takes to get hired by an employer.  Your resume usually contains your contact information and your employment history.  With the job market tightening up and many employers referring applicants to websites, it is no wonder that social engineers recognized this as a way to steal identities on a large scale.  With the publicity of websites like Linked.com and Monster.com it was inevitable that scammers would create copy-cat websites or create fake Craigslist postings.  Some scammers were even able to convince applicants to provide direct-deposit information or send money to the fake companies!

As we all prepare to look for Co-Op and permanent jobs, it is best to watch out for the red flags to a scam as suggested by the Better Business Bureau.

  1. Watch out for grammatical and/or spelling errors on application websites or in e-mails.
  2. Emails from job posting websites claiming there’s a problem with a job hunter’s account.
  3. Employer asks for extensive personal information such as social security or bank account numbers.
  4. An employer offers the opportunity to become rich without leaving home.
  5. An employer asks for money upfront.
  6. The salary and benefits offered seem too-good-to-be-true.
  7. The job requires the employee to wire money through Western Union or MoneyGram.

Overall, be sure to know the company that you are applying for.  Do some research and make some telephone calls to be sure that the company and website are legitimate.  And remember that if it sounds too good to be true, it probably is!

The hacktivist group Anonymous

The hacktivist group Anonymous is described by Wikipedia as “an international hacking group, spread through the Internet, initiating active civil disobedience, while attempting to maintain anonymity”.

Recently, they have been attributed as the source of denial of service attacks against the Oregon Tea Party, Sony, and the Irish political party Fine Gael.  They have also employed attacks against the governments of Australia, Egypt, and Libya.

The group has also provided websites and support for social-political efforts like Occupy Wall Street, the Green Party movement in Iran, and the Arab Spring efforts in Egypt and Syria.  Additionally, Anonymous recently took down 40 child porn websites and published the names of 1500 people who often visited the illegal websites.

In October, parts of Anonymous have taken on the Los Zetas drug cartel in Mexico.  The drug cartel had kidnapped a member of Anonymous.  In response, Anonymous has threatened to release the names of police and political officials who are illegally collaborating with the Los Zetas drug cartel.  We will see how Anonymous fares in this battle since more is at stake than just lawsuits and prison time.  Los Zetas has been known to kill whistle-blowers and hacktivists in the past.

So what role do you see hacktivists playing in society?  Do they act as modern-day Robin Hoods to correct social injustices, or are they disruptive elements like Tyler Durden in “Fight Club”?

In my readings about them, it looks to me like Anonymous is more of a brand that can be placed on a hacking attack.  There does not appear to be any hierarchy or centralized managing authority, which makes it easy for nearly anyone to say that they are part of the group.  If a hacker attack is popular and successful, then the event is publicized.  Case-in-point is the fact that parts of Anonymous were active both for and against the war in Libya.  Anonymous members were also divided over the Westboro Baptist Church and its claim to free speech while protesting at military funerals.

Thoughts?

http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

An apparent inside job in Brazil’s DNS cache poisoning

Securelist.com reported that an employee at one of Brazil’s internet service providers is accused of tampering with the cache of a domain name server.  It is believed that the employee’s work redirected customers looking for Google, Gmail, YouTube, and Hotmail to websites that instructed users to unwittingly download Java programs containing trojans.  These trojans installed banking malware.

http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

Once again, encryption and security protocols are defeated by vulnerabilities attributed to human elements.  Because of the ties to the banking malware, it suggests that this probably is not the work of just one person, acting by themselves.  It is troubling to think that elements of organized crime can gain access to the domain name servers of internet service providers.  We will have to wait and see if the employee was a willing participant or a coerced victim.

Of course it should not be too much of a surprise that it happened in Brazil.  According to Symantec’s latest Intelligence Quarterly Report, Brazil ranks #3 in the world for the source of malicious activity (behind #2 China and #1 USA).

 

Cyber Security Insurance-Related Industry

The introduction to Bruce Schneier’s book Secrets & Lies alluded to an industry that will be booming in the upcoming years: insurance company-driven Cyber Security Providers.

Mr. Schneier pointed out that many companies and organizations don’t invest enough money and effort into protecting their digital data. Making sure that data is safe from potential attack or theft is a new concept to non-tech savvy business leaders, and one that isn’t at the top of many companies’ priority lists.  Unfortunately attacks are becoming more widespread and more complex, so the likelihood that a business will be attacked increases daily.  To off-set the threat and the possible losses incurred from an attack, some business owners are turning to insurance policies.

Mr. Schneier feels that as more business owners turn to cyber insurance policies, the insurance industry will push for cyber security providers to supply better services (to better protect business owners).  The demand for services will increase, and so will the need for some sort of industry standards for cyber security providers.  Looking forward from Mr. Schneier’s viewpoints, one can see a new service industry spring up to meet the needs of standardized and strong cyber security services to meet insurance company requirements.

A similar “cottage-industry” boom occurred in the late 1990s as companies rushed to prepare their computer systems for Y2K, but that was a temporary surge in demand.  Conversely, cyber crime and attacks will only increase as global economies suffer and people become more desperate to find alternative sources of income.  To see how important it is, just look at the Information, Security and Forensics program that is growing in popularity here at RIT.  The emergence of the Cyber Insurance industry will increase the need for more highly trained professionals, and should lead to plenty of long-term employment opportunities for people with the right skill set.

Security – It takes a “culture” mindset

So far, we have seen that the biggest vulnerability to security is the human element: namely the workers at the company.  We saw Johnny Long’s video “No Tech Hacking” point out numerous examples of people who let their guards down and left their companies vulnerable to hacking.  Obviously most people are “trained” at some point about the security threats that are out there, but to successfully defend against these threats, more effort is needed: namely a “culture of security” within the company.

As the default IT security managers (because all things computer related will be our fault if they fail), we have to be the primary cheerleaders for computer related security.  We have to impart the importance of computer and physical security to top management AND get their support in policy AND their buy-in for policy execution.  Having the boss sign policy letters won’t do much if they appear to be personally exempt from policies.  It won’t set a good example for the underlings (monkey see, monkey do principle).  It may be uncomfortable tactfully telling the boss what to do, but remember that is what they pay you to do.  Hopefully, if the boss(es) follow the policy, then it will trickle down to everyone.

Just because the policies are out there and people have been trained, constant reinforcement is still needed.  If you see infractions to policy, correct them on the spot (tactfully if it is one of the bosses), and let the errant coworker know the rationale behind the policy.  Also ask the errant coworker to help the company out by correcting anyone they see making similar mistakes.  If you can get coworkers helping to promote computer related security, you are well on your way to creating a self-sustaining program where you don’t have to do all the work.

Just because coworkers are policing themselves on previous policies and threats, the work isn’t over.  You should try to research computer security threats, and inform coworkers (in layman’s terms) of any threats that have evidenced themselves.  Fliers on bulletin boards (or in the bathrooms) and e-mails work to get the info out to many people in a short period of time.  And don’t forget to add these threats to recurring training sessions.

It is lots of work, but if it is your job to be the IT security person, you’ll need to create a “culture of security” within the company.  It will be a tough job to be the cheerleader, but think of the repercussions: information lost or damaged, money lost, customer or employee data stolen, and possibly your job lost.  Being recognized as the “kooky computer security person” when you walk down the hall will at least get the coworkers to think about computer security (even if it is just for a minute each day).  I guess that is a small price to pay to keep the company (and my job) safe.

Counterfeit QR codes

Overnight, it seems like all the advertisements sprouted QR codes.  It seems like a fun way for people to find out more about a product or service.  That seems harmless enough, but I wondered if this wasn’t a way for cyber criminals to use these.  After a quick google, I found that the cyber criminals are already working on new ways to use this technology.

The Hacker News posted that there was a QR code that installed a Trojan on a smart phone, which subsequently sends texts to a $6 premium-rate message service (which could add up quickly, if you do not know about it).

An article in Scientific American reported that cyber criminals could increase the scope of their attacks by printing the counterfeit QR codes and pasting them over already-existing tags on posters in public places.  Counterfeit QR codes could be combined with a typo-squatted URL which looks and acts like the original website, thereby tricking the web surfer into a false sense of security.

And the Cyveillance website predicted that smart phones could be used as botnets.  These botnets could lay dormant for long periods of time before being employed as foot-soldiers in a denial-of-service attack.

These are just a few of the ways that cyber criminals are utilizing QR technology to infiltrate the security of our smart phones.  But the way to avoid falling prey to these deceitful tactics is to treat QR codes for what they really are – a way for encoding URLs.

And URLs can be used safely by following the rules we learned in Cyber Self Defense class:

Never click on links directly from an email.
Use File/Properties to find out which website you are really on.
Look for the proper symbol to indicate you’re on a secure web site.
Secure web sites use a technique called SSL (Secure Socket Layer) that ensures the connection between you and the web site is private.
This is indicated by “https://” instead of “http://” at the beginning of the address AND by a padlock icon which must be found either at the right end of the address bar or in the bottom right-hand corner of your browser window.
A padlock appearing anywhere else on the page does not represent a secure site.
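
Because a QR code is only an encoded string, the decoded text can be checked against these rules before anything is opened. The Python below is an added example, not part of the original post: it flags non-web payloads, plain http://, text before an "@" that hides the real host, and hosts that are a near miss of an expected one (the typo-squatting case). The expected-host list, the two-edit threshold and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts the reader expects this poster's QR code to lead to.
EXPECTED_HOSTS = {"www.example.com", "shop.example.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Classify text decoded from a QR code as 'ok', 'warn' or 'block'."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "block", ["payload does not parse as a URL"]
    scheme = parts.scheme.lower()
    # QR codes can carry more than web links (SMS, phone numbers, Wi-Fi settings).
    if scheme not in ("http", "https"):
        return "block", [f"not a web URL (scheme {scheme!r})"]
    if not host:
        return "block", ["URL has no host"]

    block, reasons = False, []
    if parts.username is not None:
        # In https://trusted-name@other-host/ the browser goes to other-host.
        block = True
        reasons.append("text before '@' is not the host")
    if scheme == "http":
        reasons.append("plain http://, connection is not encrypted")

    if host not in expected_hosts:
        near = sorted(e for e in expected_hosts if edit_distance(host, e) <= 2)
        if near:
            block = True
            reasons.append(f"{host!r} is a near miss of {near[0]!r}")
        else:
            reasons.append(f"{host!r} is not an expected host")

    if block:
        return "block", reasons
    return ("warn" if reasons else "ok"), reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    samples = [
        "https://www.example.com/promo",
        "http://www.example.com/promo",
        "https://www.examp1e.com/promo",
        "https://www.example.com@login.example.net/",
        "smsto:55555:JOIN",
    ]
    for s in samples:
        print(check_qr_payload(s), s)
```
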
Sources (don’t forget the rules before you click!):

Is too much defense a bad thing?

Is the U.S. doing all it can to prevent attacks in cyberspace?  U.S. Cyber Command was created in 2009 as a part of the U.S. military, but is it neglecting offensive capability development to ensure an overly robust defense?

In a recent article for TheHill.com, Retired Lt. Gen. Harry Raduege provided his opinions of how the U.S. Cyber Command should purpose itself in the war in cyberspace.  He suggests that the United States should use a blend of offensive and defensive capabilities in cyberspace along lines similar to what we employed during the Cold War with the Russians.

Back then, both countries invested in technologies to stave off attack (radar and satellites) and technologies to inflict maximum damage (nuclear war-headed, intercontinental ballistic missiles).  Fortunately, both countries respected the other country’s capability to attack and defend (and the world), and avoided nuclear war.  This delicate balance only existed because both countries were evenly matched.  If one country would have had a distinct advantage, it certainly would have eliminated the other country’s threat.

This brings us back to a troubling point that General Raduege provided in his article, “Deterring attackers in cyberspace.” He wrote: “Our enemies must know that America can launch counterstrikes in cyberspace that can cripple their information networks if they dare to threaten ours. Unfortunately, as Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently explained, we are currently devoting nearly 90 percent of our attention toward building better firewalls and only 10 percent on retaliatory capabilities. Gen. Cartwright said a better strategy would be the reverse.”

That one paragraph sounds pretty prophetic, and not in a good way.  History is filled with examples of great defenses being defeated by innovative offensive attacks.  And if entities think there will be no repercussions for their aggressions, they are more likely to strike first, regardless of the size of our defenses.

Hopefully our nation’s Cyber Command is secretly working behind the scenes to balance its offensive and defensive capabilities.  That way an aggressor will be intimidated by both our spear and our shield.  I think that given enough support and time to develop themselves, this branch of our military can rise to meet the growing threats to our country.

http://thehill.com/opinion/op-ed/183429-deterring-attackers-in-cyberspace

Old identity protections still apply

Echoing the latest topics in the newspaper, my mother recently remarked how unsettling it was that anyone (criminals included) could see your house on the internet (using Google Maps, Street View).  I then “Googled” her name to show her what the layperson could find out about her on-line.  She was surprised to see the information and even some pictures of herself, as a child that one of her sisters had posted.  I told her that bad people were more likely to use a computer to steal her identity rather than rob her house.

As smug as I was about pointing out how little my parents knew about cybercrime, I am sure that they have done a far better job of managing their cyber-identity than I have.  They have never done any on-line banking, and usually use the house phone to call websites to place orders.  Receipts of checks and financial statements are shredded and even address labels are removed from envelopes before going in the trash.  My parents do not have smart phones and only recently have learned to text.  As old-fashioned as it seems, it has made their cyber footprints nearly non-existent and reduced their exposure to cybercriminals.

Are my parents 100% safe from identity theft?  Not completely.  Nevertheless, what they have done is avoid storing their personal financial data on an unprotected computer.  The avoidance of storing personal data on one’s computer is one of the ways to protect your identity at school, as stated by Todd Feinman’s article in USA Today (“Protect your cyberidentity”, Aug 31, 2009).  There are numerous articles, from industry experts, that echo the idea of protecting our personal data.  Despite the ability of many applications to store personal information, we should adhere to the idea that we should make sure our information is protected on-line.

Although I do not see myself pulling away from the conveniences of using the internet, my parents have taught me to slow down and consider my vulnerabilities to identity theft.  What seems like a perfectly safe and convenient way to do my banking and on-line purchases now deserves a little more scrutiny.  You can never be too careful.  Some words that my parents can be proud to hear me say!

Other ways to protect your identity at school can be found at:

http://www.tulsaworld.com/business/article.aspx?subjectid=51&articleid=20090831_51_A2_USATod19272
