Bet we haven’t given any serious thought to economic warfare, either. Economics 101 taught me that communism places the means of production in the hands of the people… What if those people are all in China?
Look, we all know that hacking is serious now. Control systems hacks are the in thing at the moment, and what is cooler than hacking a 2000-pound mountain of steel and plastic that can barrel down the road at 100 miles per hour? They did it in Snow Crash, and Shadowrun, after all. The singularity must be nigh, right?
This article in the Daily Record suggests that the death of the journalist who exposed General McChrystal was engineered, per Richard Clarke. Now, I’m not generally the kind of guy who believes in ghost stories. Spooks in the wire are the kind of scary tales that con-goers hear each time they show up at B-Sides; heck, I use those kinds of stories to my advantage all of the time. I imagine it could happen, I know it’s possible. We saw Charlie Miller’s laptop demo on the Prius last year. So we all know it’s possible. But the idea that it’s being done actively feels like security theater. It feels like:
We’re going to take out journalists, boys… Let’s use an enormously advanced hack that will leave a lot more evidence and exposure to scrutiny, instead of simply screwing with his brakes. It will be good practice.
So, this is the ultimate Destroy attack. Assassination by computer. At least according to supposition from a former White House advisor. What do you think? Is this the next step in the “cyber-arms race?” Or, is it just speculation to sell newspapers?
The $552 billion 2014 military defense budget signed by President Barack Obama will continue to fund high-tech cyber and unmanned aircraft operations. The budget, which grants central Cyber Command $68 million in operational costs alongside more money for research and individual unit operations, instructs agencies to work towards controlling the proliferation of “cyber weapons.” That means stopping the sale or spread of malicious code for “criminal, terrorist, or military activities” while allowing governments and businesses to use it for “legitimate” self-defense.
The Verge – US military sees more drones, ‘cyber weapon’ non-proliferation in the future
So, Spamhaus blacklists a hosting company, then Spamhaus gets hit by 300 Gbps of DDoS action. Looks like for Cyberbunker, there was immediacy, and there was a proportional response in the Disrupt spectrum, at least if Cyberbunker is doing it.
Why proportional? The blacklisting would have disrupted the business of Cyberbunker.
What do you think?
“New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.”
via Broad Powers Seen for Obama in Cyberstrikes – NYTimes.com.
“In 2007, the IT team of a Chennai-based drug maker detected heavy traffic on servers connected to its research lab. The company was developing an anti-asthma molecule, and it suspected that a hacker was stealing the research data.
Unable to trace the hacker, the company approached Mahindra Special Services Group MSSG, a security consulting firm, part of the Mahindra & Mahindra group. MSSG experts placed a dummy file containing a virus on the company’s R&D folder that appeared to contain research data, says Dinesh Pillai, MSSG’s CEO.
“When the hacker returned, he went straight for the dummy file and we traced him using the virus,” he says. The hacker turned out to be a 29-year-old Chandigarh resident who was hired by a rival drug maker. Experts say India remains highly vulnerable to cyber attacks on its critical infrastructure. “I do not even know the command and control system for dealing with cyber attacks in the country,” says Pillai.”
via Can cyber attacks on India’s critical infrastructure be thwarted? – Business Today.
The entity defends its networks by using appropriate prevention controls, technologies and techniques designed to render improbable or impossible an attack by a network assailant. The entity uses a layered defense-in-depth approach to assure that risks to its systems are defended, and that the basic tenets of information security are designed into the network’s protections.
In essence, the Defend Spectrum is the use of traditional defense-in-depth methods to assure the network from a preventive controls and technologies perspective.
The attacker will attempt to assail the network. At a minimum, there should be defenses designed into the network to control for simple entry; the physical analogues are doors with locks. The logical analogue is the firewall. Other standard defense-in-depth approaches include identity and access management methods, ring traversal protections in the trusted computing base, vulnerability and patch management, and general monitoring like intrusion detection systems. All networks connected to the Internet should use the Defend Spectrum activities at a minimum.
“Companies are tired of playing defense. They want to feel like they actually can fight back. Most of us in the industry agree that we ought to push the envelope to protect the rights and properties of U.S. businesses.”
-Michael DuBose, a former chief of the Justice Department’s Computer Crime and Intellectual Property Section now at Kroll Advisory Solutions.
via To thwart hackers, firms salting their servers with fake data – The Washington Post.
Some good quotes from the article:
The International Association of Chiefs of Police (IACP) in its study, Police Use of Force in America 2001, defined use of force as “The amount of effort required by police to compel compliance by an unwilling subject.”
The Bureau of Justice Statistics (BJS) in Data Collection on Police Use of Force, states that “…the legal test of excessive force…is whether the police officer reasonably believed that such force was necessary to accomplish a legitimate police purpose…”
“there are no universally accepted definitions of “reasonable” and “necessary” because the terms are subjective. A court in one jurisdiction may define “reasonable” or “necessary” differently than a court in a second jurisdiction. More to the point is an understanding of the “improper” use of force, which can be divided into two categories: “unnecessary” and “excessive.” The unnecessary use of force would be the application of force where there is no justification for its use, while an excessive use of force would be the application of more force than required where use of force is necessary.”
Brandon and I discussed this, and he pointed out that he believed active defense could be distinguished from passive defense, and that it would fall somewhere in the Deceive or Disarm spectra of the use of force continuum. I can’t argue that, though I believe that the active versus passive description really is a red herring.
It occurs to me that all active defense is a use of force. Remember the law enforcement use of force continuum: from an officer’s presence to lethal force, it is all a use of force. The use of force is implicit in the entire spectrum. When an officer arrives on the scene, his presence, including the badge that he wears, is a tangible warning against the negative behavior that he defends against, and an implicit threat against an escalation if compliance with the law is not achieved. When the officer issues a command he is using force to actively defend against a further escalation of , as there is an expectation of immediate compliance with the lawful order to comply with the law. If there is active resistance to the expectation of compliance, the law enforcement officer may choose to defend himself and the public through the use of a soft force, or an open-hand technique to control the subject, or even a hard technique, like a closed fist if the officer feels threatened, or is at risk of personal injury or injury to the public. Escalation to less than lethal means of force, such as pepper-spray or batons, may be necessary if the actively hostile subject or group continues to threaten. Finally, lethal force may be used in the defense of the officer’s life, or the life of others.
At every point in the continuum, the officer is actively defending himself, the public, or the subject from an escalation of events. Active network defense is directly analogous. At each point in the network use of force continuum the defender is actively defending himself and his company from an assailant.