Posts Tagged ‘defense’

Above the Trenches

Posted in security on December 19th, 2009 by irv – 2 Comments

According to the Wall Street Journal, up until recently the United States Air Force was too stupid to encrypt the video feed from attack drones such as the Predators used in Afghanistan and Iraq.

I know that sounds harsh. Maybe it’s even too harsh. Let’s look at the story (original report here) and see how it develops. The short version is that sometime “late last year” (apparently December 2008) the computer of a captured Shiite fighter in Iraq was found to contain video from U.S. aerial drones. In July, more of these intercepted videos were found. The WSJ report claims that the interception was done with (or with something like – the writing is unclear) Skygrabber, software advertised as intercepting satellite transmissions of various file types. The price on the website is $45.95 (apparently it was $26.95 a few days ago. Did they raise the price to capitalize on increased demand due to the publicity?).

According to the WSJ report, the Air Force has understood that these feeds were vulnerable to interception since the 1990s but did not do anything to encrypt them because a) It costs a lot of money and b) This kind of interception is too hard for the primitives we fight against anyway. (Okay, I’m paraphrasing, but the gist seems accurate.)

In their defense, Skygrabber probably did not exist in the 1990s. The Internet was less developed in those days too. According to Defense Tech the Global Information Grid used by the U.S. military to transfer data is 25 years old. One consequence of this is that security measures that are considered basic today are completely lacking. Defense Tech estimates that upgrades needed could run to $65 billion over the next three years.

Hackers work faster than that.


Unintended Cyber Consequences Continued

Posted in security on April 8th, 2009 by irv – Be the first to comment

After I wrote the last post about problems with the upcoming CyberSecurity bill (see The Law of Unintended Cyber Consequences) – actually after I went to bed – I realized what bugged me about the whole idea of the president having a Real-Time CyberSecurity Dashboard. It’s an alarm system just begging for someone to mess with it. There are three possible scenarios that I can think of without trying very hard.

In the first scenario someone with a great many resources (maybe well-educated Russian youth groups, as described in my post Cyberwars Redux) launches a series of “events” to gauge the workings of the dashboard. Maybe they do a virus one month, a severe denial of service attack on a high profile target another month and a serious attempt at penetration of a military target some other month. They monitor responses from the White House, particularly the CyberSecurity Advisory Panel. Maybe they go by press releases and rumors in the press. An actual intelligence operation (as all governments have and quite a few terrorist organizations as well) might have live humans they can pump for information. Anyway, after a time, they gather enough information to know how to make the dashboard show what they want it to show.

I’ve described this as an entire intel program but it doesn’t have to be. The dashboard will be something most security geeks will be interested in. Information about it will get out. Maybe it will show up in the trade press, or in casual conversations at conventions or on IRC. The trouble is, once people learn how to manipulate the system, worse scenarios become possible or even likely.


The Law of Unintended Cyber Consequences

Posted in security on April 7th, 2009 by irv – Be the first to comment

Computer security seems to be an endlessly hot topic. Recently, there has been talk of a bill in the U.S. Senate that would dramatically change the security landscape in this country. Under the guise of protecting national infrastructure, this legislation would raise the price tag for security significantly while allowing the federal government to take charge of any and all systems and networks it happened to choose.

Great idea. “We’re from the government, and we’re here to help your computers. Here’s our secure example. It’s called Colossus” (That’s a somewhat obscure movie reference. See Colossus: The Forbin Project or even Colossus: The DVD. See what people worried about long before we ever heard of Skynet).

The bill is The Cybersecurity Act of 2009, co-sponsored by Democrat John Rockefeller of West Virginia and pretend Republican Olympia Snowe of Maine. As of yet (if I remember correctly and didn’t miss something in my reading), the bill has no sponsors in the House. That’s a hopeful sign. Let’s see why.


The Coming Cyberwars

Posted in security on March 10th, 2009 by irv – Be the first to comment

What do you do if a foreign government attacks your country’s computer systems? In America we apparently throw a lot of money down a hole and then the guy theoretically in charge of defending our networks quits.

Anyone who has followed the news knows this is not a hypothetical question. For example, two years ago when Russia invaded Estonia there was a concurrent denial of service attack across the Internet on Estonian servers. This attack caused communications difficulties that may have affected the Estonian response to the invasion (not that there was ever very much they could do) and even reportedly disrupted such things as ATM transactions (See Russia’s Cyberwar on Estonia).

Recently, a story has been circulating that the Russians have admitted to being behind the Estonian attacks (See Russian politician: ‘My assistant started Estonian cyberwar’). There’s less to this story than meets the eye, though. Sergei Markov, a Russian government official, claimed recently that a deputy (who he conveniently refused to name) of his was outside Russia at the time the war began and started the cyber attacks entirely on his own, as a “reaction from civil society.” Apparently this was meant to indicate that the attacks had nothing to do with any official strategy but were a spontaneous uprising of the proletariat against the reactionary forces etc. etc.

In other words, it sounds like typical old-fashioned Soviet propaganda and just doesn’t pass the smell test. Unless the Russians really want the world to believe that low grade government functionaries often have access to destructive botnets that can be turned against any country that happens to annoy them?