IMO, China’s welcome to lead the world in some things…

A week or so ago, I noted, via an awesome slide from Bit9 Security, that Chinese hackers are just workin’ stiffs like the rest of us.  Then I had a quick piece that even here in the West we see increasing indications they face some of the same concerns we do with regard to the trouble of keeping information bottled up.  (This was further emphasized today by the stories, backed by pretty strong evidence, claiming that a hacker going by “Hardcore Charlie” has penetrated China Electronics Import & Export Corporation or “CEIEC”, China North Industries Corporation, WanBao Mining, and others.)

Well, today, (OK it was actually Friday, but apparently I forgot to hit “Publish” before I sat down to dinner on Friday) another in the trickle of “China has now surpassed the US” stories, and this one they’re welcome to.

The Anti-Phishing Working Group reported today that China’s Taobao.com e-commerce site “Surpasses PayPal as the World’s Most Phished Brand”. Seems not even the (I should say alleged) world leaders in the theft of sensitive information are immune to even the simplest forms of stealing sensitive data. This includes both intentional doxxing like Hardcore Charlie’s, and the inadvertent revelations that simply can’t be stopped in a world full of camera phones and Twitter (and Weibo) accounts.  (See the TV documentary that caught Chinese army personnel using click-to-play cyber attack tools in the background as a fun example.)

Being trained in macroeconomics and generally favoring the Darwinian benefits of competition, I have to say this is one crown I’m happy to hand over.

Thanks again to the APWG for some very useful stats and reporting in today’s release.  Full report is at:

http://apwg.org/reports/APWG_GlobalPhishingSurvey_2H2011.pdf

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)

Social Media and the Military – keeping secrets keeps getting harder

I work with a group of fantastic Open Source Intelligence (OSINT) analysts.  One of them, who both reads this blog and knows I’m a pilot/airplane junkie, sent over this link under the heading of “Digital Water in China?”.  It talks about how, days before it ever made the Western press, the first confirmed sighting/evidence for a Chinese fifth generation fighter came not from the massive US intelligence apparatus but from a cell phone camera hung out a car window and posted to a Chinese military fanboy forum.

Now I recognize that China has an infamous, massive and essentially limitless-budget Web censorship program, which might well lead one to conclude that this evidence was found online because it was allowed to stay online. China decided it was time to let the world know so they intentionally let the drip-drip-drip start ahead of the (blatant thumbing-of-the-nose) first flight while Defense Secretary Robert Gates was in town.

Still, I happened to get this email the same week that LinkedIn discussions introduced me to both www.nosi.org (a naval OSINT blog maintained by, of all people, a physician) and osgeoint.blogspot.com, a blog both discussing and analyzing publicly available geospatial intelligence.  There are many more like these of course, but it’s still amazing that on any given day you can now read posts by people who (for free by the way) identify ships, spot aircraft and analyze other military assets from Google Earth or satellite imagery. We can learn about ship construction from employees’ blogs, twitpics from dog-walkers and minutes from town meetings.  And let us not forget the first person to (albeit unknowingly) inform the world about the raid that killed Bin Laden – a Pakistani programmer up late writing code who Tweeted about the ruckus happening a few hundred yards away.

Look down the road another ten years at everything from augmented reality goggles to the questions raised for Law Enforcement and espionage by Facebook’s facial recognition.  I don’t know exactly what will and won’t be possible, but it certainly seems to me that keeping ANYTHING, from Special Ops that last an hour to weapons programs that run decades, secret is going to get a lot harder.  From the intentional wiki-leaking to the inadvertent disclosure, the Digital Water is pushing and probing, finding its way out the cracks and crevices.  I suppose I take some comfort from the J-20 Stealth Fighter story at least in knowing our likely adversaries will have to tangle with the same problems.

The Insider Threat: Medicaid employee emails self PII on 220,000 people

Returning for a moment to another core focus of this blog (i.e. the “Data Like Digital Water” meme), I came across this – as yet anyway – little publicized data breach.

I know there are severe limits on firewall and gateway rulesets, and Data Loss Prevention systems aren’t perfect, and there are lots of subtle and technically advanced ways to exfiltrate data (ICMP tunnel anyone?) and all, but can we not agree that anyone with access to a quarter million people’s PII should have to work a little harder than “mailto:MyOwnAccount@yahoo.com”?

http://www.myrtlebeachonline.com/2012/04/19/2782968/sc-agency-says-information-leaked.html

It’s OK though, because the data that was lost apparently included their names and their Medicaid ID numbers.

I mean it’s not like it was their Social Security Numbers or anything. Oh… wait… what’s that? Oh, wait… I was wrong, their Medicaid ID numbers ARE their Social Security Numbers.  Oh, OK.  Well that’s helpful.

I’m thinking Phishing reports in SC are maybe gonna take a jump soon?
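As an added example (my code, not anything from the original post or from the agency involved), here is the kind of outbound-mail rule a gateway or DLP system could apply to catch exactly this case: parse the message, count distinct SSN-format identifiers across every text part including attachments, and block when enough of them are headed to an external domain, or when any are headed to a consumer webmail domain. The domain lists, the threshold and the three sample messages are constructed for the example; the SSN pattern excludes the structurally invalid area, group and serial values.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this example: the agency's own mail domains and a list of
# consumer webmail providers (all constructed example names).
INTERNAL_DOMAINS = {"agency.example"}
PERSONAL_WEBMAIL = {"webmail.example", "freemail.example"}
# SSN format, with structurally invalid area (000, 666, 9xx), group (00) and
# serial (0000) values excluded so that random dashed numbers do not count.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
RECORD_THRESHOLD = 3   # distinct SSN-format values that make a message a bulk export


def _recipient_domains(msg):
    """All recipient domains across To/Cc/Bcc, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(headers) if "@" in addr}


def _text_content(msg):
    """Concatenate every text/* part, attachments included: the CSV is where the PII lives."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate_outbound(raw_message):
    """Decide whether an outbound message may leave the gateway; returns the
    action plus the reasons, so the decision can be logged and reviewed."""
    msg = message_from_string(raw_message)
    external = _recipient_domains(msg) - INTERNAL_DOMAINS
    ssns = set(SSN_RE.findall(_text_content(msg)))
    reasons = []
    if external and len(ssns) >= RECORD_THRESHOLD:
        reasons.append(f"{len(ssns)} distinct SSN-format identifiers addressed to {sorted(external)}")
    if ssns and external & PERSONAL_WEBMAIL:
        reasons.append("SSN-bearing message addressed to a personal webmail domain")
    return {"action": "block" if reasons else "allow",
            "external_domains": sorted(external),
            "ssn_count": len(ssns),
            "reasons": reasons}


# Constructed sample data: names and IDs are made up.
CSV = ("name,medicaid_id\n"
       "A. Example,123-45-6789\n"
       "B. Example,234-56-7890\n"
       "C. Example,345-67-8901\n"
       "D. Example,456-78-9012\n")


def _mail(to_addr, body_text, attachment):
    """Build a constructed multipart message with a CSV attachment."""
    return (f"From: clerk@agency.example\nTo: {to_addr}\nSubject: records\n"
            "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
            f"--b1\nContent-Type: text/plain\n\n{body_text}\n"
            "--b1\nContent-Type: text/csv; name=\"beneficiaries.csv\"\n"
            "Content-Disposition: attachment; filename=\"beneficiaries.csv\"\n\n"
            f"{attachment}--b1--\n")


SAMPLE_EXFIL = _mail("MyOwnAccount@webmail.example", "Copy for home.", CSV)      # the case in the post
SAMPLE_INTERNAL = _mail("auditor@agency.example", "Quarterly audit extract.", CSV)  # same data, stays internal
SAMPLE_PARTNER = _mail("caseworker@partner.example", "One record as discussed.",
                       "name,medicaid_id\nA. Example,123-45-6789\n")               # single record, below threshold

if __name__ == "__main__":
    for name, raw in (("exfil", SAMPLE_EXFIL), ("internal", SAMPLE_INTERNAL), ("partner", SAMPLE_PARTNER)):
        print(name, evaluate_outbound(raw))
```

The rule deliberately scans attachments rather than just the body, because a mailto: to a personal account almost never carries the records in the message text, and it keys on distinct identifiers so one quoted SSN in a legitimate case-worker exchange does not trip the bulk threshold.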

How to Hack Like Homer Simpson…

A few weeks ago, I gave a talk to a room full of police chiefs. I was talking about the goods, bads and unknowns of Social Media use by and for Law Enforcement (#LESM or #SM4LE).

One of the slides looked like this:

Image

It shows how, unless you explicitly change the default settings, in many cases everything from Tweets to photos are tagged with a variety of metadata.  In some cases this can include geotags for the location of the device that produced the photo, tweet or update, the model number and make of the camera or phone, etc.
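As an added example (my code, not from the original post or the slide), here is a small Python script showing what that metadata looks like at the byte level and how to get rid of it before a photo is published. It builds a constructed JPEG that carries only an Exif APP1 segment with a camera Make tag and a GPS sub-IFD (there is no real image data), reads the latitude and longitude back out the way any EXIF reader would, and then drops the whole Exif segment. The file layout and the tag numbers (0x8825 for the GPS IFD pointer, 1 through 4 for the GPS reference and coordinate tags) are the standard Exif ones; the camera name and the coordinates are made up.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
TAG_MAKE, TAG_GPS_IFD = 0x010F, 0x8825             # standard Exif tag numbers
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: SOI, one Exif APP1 segment (little-endian TIFF with a
    Make tag and a GPS sub-IFD), then EOI. There is no real image data."""
    make = b"ExampleCam\0"                          # constructed camera name
    ifd0_off = 8                                    # IFD0 follows the 8-byte TIFF header
    make_off = ifd0_off + 2 + 2 * 12 + 4            # IFD0: count, two 12-byte entries, next-IFD link
    gps_off = make_off + len(make) + len(make) % 2  # pad so the GPS IFD starts word aligned
    lat_off = gps_off + 2 + 4 * 12 + 4              # GPS IFD: count, four entries, next-IFD link
    lon_off = lat_off + 3 * 8                       # three 8-byte RATIONALs (deg, min, sec)

    def entry(tag, typ, count, value):              # one IFD entry: tag, type, count, value/offset
        return struct.pack("<HHI", tag, typ, count) + value

    def rationals(dms):                             # (numerator, denominator) pairs
        return b"".join(struct.pack("<II", n, d) for n, d in dms)

    tiff = b"II" + struct.pack("<HI", 0x2A, ifd0_off)
    tiff += struct.pack("<H", 2)
    tiff += entry(TAG_MAKE, 2, len(make), struct.pack("<I", make_off))   # type 2 = ASCII
    tiff += entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_off))         # type 4 = LONG
    tiff += struct.pack("<I", 0)                                         # no next IFD
    tiff += make + b"\0" * (len(make) % 2)
    tiff += struct.pack("<H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref + b"\0\0\0")                # values <= 4 bytes sit inline
    tiff += entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))             # type 5 = RATIONAL
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref + b"\0\0\0")
    tiff += entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
    tiff += struct.pack("<I", 0)
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + EOI


def _segments(jpeg):
    """Yield (marker, start, end) per metadata segment; the remainder from SOS
    or EOI onward (the actual image data) is yielded once with marker None."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI or SOS: no more metadata segments
            yield None, pos, len(jpeg)
            return
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len


def find_exif(jpeg):
    """Return the TIFF payload of the first Exif APP1 segment, or None."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return jpeg[start + 10:end]
    return None


def strip_exif(jpeg):
    """Copy the file, dropping every Exif APP1 segment (geotag, camera make/model, ...)."""
    out = bytearray(SOI)
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
    return bytes(out)


def _read_ifd(tiff, off, bo):
    """Map tag -> (type, count, raw 4-byte value-or-offset field)."""
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    ifd = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        ifd[tag] = (typ, count, tiff[e + 8:e + 12])
    return ifd


def _dms_to_degrees(tiff, bo, raw):
    off = struct.unpack(bo + "I", raw)[0]           # RATIONAL triples never fit inline
    deg, mins, secs = (n / d for n, d in struct.iter_unpack(bo + "II", tiff[off:off + 24]))
    return deg + mins / 60 + secs / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the file carries a GPS geotag, else None."""
    tiff = find_exif(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"           # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0], bo)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_degrees(tiff, bo, gps[GPS_LAT][2])
    lon = _dms_to_degrees(tiff, bo, gps[GPS_LON][2])
    if gps[GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)
```

Running `extract_gps` on a photo from a phone with default settings is a quick pre-publication check; `strip_exif` removes the entire APP1 segment rather than just the GPS entries, because the camera make and model in the same segment are also identifying, and because re-encoding a file without the segment is simpler to get right than rewriting IFD offsets in place.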

I suppose if you flip the “goods” and the “bads” I could have given the same speech to hackers, but of course they are way too tech savvy to need any such guidance.

Well, most of them. There’s always the exception.

http://www.informationweek.com/news/security/government/232900329

I couldn’t help but smile.  A hacker implicated in the recent Texas DPS breach, in painfully cliché fashion, decided that a bit of geek chest thumping was in order.  In a Bugs-Bunny-esque “you’ll never catch me coppers! Mwah hah hah!” moment, he decided to post pics on Social Media of his girlfriend holding signs taunting law enforcement.

The only problem?  Hacker-genius-computer-expert guy neglected to remove the geotagging from the photos, which were taken in her back yard. Police took the arcane and Star-Treky step of reading the lat/long coordinates on the files and looking them up on a map.

What I wouldn’t have given to be a fly on the wall when he was told how they got him.

Image

Social Media for Trade Sanction Enforcement?

So here’s a novel twist on Open Source Intelligence and using Social Media for good?  I read these articles and was kind of intrigued:

http://finance.yahoo.com/news/exclusive-iran-ships-off-radar-tehran-conceals-oil-132350134.html

http://rt.com/news/iran-oil-tanker-tracking-system-018/

So, in response to international sanctions, the Iranians have told their national fleet of tankers (NITC) to turn off their transponders so no one can see where the oil is going.  Then they offer terms so favorable that buyers in China, India and the like are just too enticed to turn it down.  And the Western powers trying to cut off Iran’s oil revenues don’t know where all the oil is going.

So, as a pilot, I know a couple of things about turning off your transponder.

  1. It doesn’t make your plane invisible.
  2. It doesn’t make your plane invisible to radar, just makes you unidentified.
  3. Your plane still has to land somewhere.

I’m pretty sure the same is true for a ship that tips the scales at a quarter million deadweight tons, except for one other thing… there ain’t that many airports to choose from.  I don’t know the numbers, but the model’s pretty simple right?

So given the finite number of places that can offload an oil tanker (100 in the world? 500?), and given that a chunk of those (half? less? more?) are in countries that are actively engaged in the sanctions and thus unlikely landing places, it would seem to me that the “free workforce” of camera-phone armed citizens could swing into action here.  How tough is it to spot a ship that runs a thousand feet from tip to tail, given it can only dock in one of a very small number of places?  I know some of the offload stations are offshore, but people on boats have cameras too right?

Whether social activists, ship-spotting hobbyists, or just people who think it might be fun to stick one to the social-media-crackdown-ing regime in Tehran, I would think that a viral campaign to engage users in those few hundred locations might trigger the occasional flickr upload or TwitPic, no?

OK, so I’m not sure about social media penetration rates, mobile web access, and so on in some of those countries, and like I said, I know the larger ones may offload at an offshore pump station, but the beauty of the “Digital Water” model, where nearly every person and mobile device can become a sensor and witness, is that it literally only takes one person to provide a concrete update.  I mean, an ostracized regime goes to great pain and expense to maintain the flow of billions that keep them in power, and any yahoo with a camera phone can strike a blow for democracy with a five-second upload? And the pic is probably geotagged and timestamped to boot? How awesome is that?!

Now if only there were some public source of information anyone could access where one could find the names and descriptions of the ships to be looking out for… hmmmmm…

http://www.nitc-tankers.com/fleet.html

http://shipspotting.com/

etc.

Well it’s nice to know our adversaries are just workin’ stiffs like the rest of us.

I happened across this in a deck from Bit9 Security from this week’s TechSecurity Conference, and just thought this was too good not to share. It’s a timeline pattern for attacks the guys at Bit9 see/detect.  I think it pretty much speaks for itself.  Awesome.

Bit9 Timeline Image

Source: http://dataconnectors.com/events/2012/pres/Bit9_030212.ppsx

(The deck’s a good read by the way.  Well OK it’s a good read if you’re the type of nerd who’s into this stuff.)

Spontaneous Help For Law Enforcement – Baltimore PD gets Social Media tips it didn’t even ask for.

So one of the things cops ask me about all the time is, “Can I go out and search Twitter and Facebook when investigating a crime?”  The answer is “it depends”.  It depends on what your department’s rules are.  It depends on what your DA thinks about admissibility of evidence you proactively gather from SM.  It depends on whether you were (please say you weren’t) actually logged into your own account vs. searching publicly accessible posts.  It depends on…, and it depends on… and it depends.

However, there is a model under which you don’t need to worry about any of that.  It’s the inbound model of “SM4LE” as I call it, where the public brings information in to you via social media.  In yesterday’s post I noted cases where material posted on Department SM feeds and pages brought in responses, tips and definitive IDs on various criminals.

Here’s a different variant, one I actually found kind of heartening.  Not long ago, not one but two different videos surfaced online of a man being publicly beaten, stripped and humiliated in Baltimore.  There has since been an arrest thanks to material gleaned from Social Media.  So what’s different about this case?  Unlike the Utica and Texas cases noted yesterday, this wasn’t a video the police put out on SM asking for help, it was a video that was going viral on various video sharing sites.  What the press reports indicate is that the video so incensed some of its viewers, they spontaneously worked through social media to identify the men in the video and voluntarily notify BPD of their findings without being asked.

People just saw injustice and stepped up of their own accord.  That’s kind of cool, given the original video could make one wonder about people. As the Baltimore Police Commissioner says in the article:

“It’s easy to [see a video like that] and think, ‘Damn, what’s happening to the fabric of our society.’ But to come in the next day and know that we’ve got leads on who the suspect is — just when you think we’ve left the rails, people help bring you back. That’s enormously gratifying.”
