About CyberWar, Deterrence, and Espionage

It’s been a long time since my last post, but trust me, it was for all the good reasons (i.e. work). This one is long overdue, and was recently fueled after I had a chance to attend RAND’s Martin Libicki’s brief at Tel-Aviv University.

Spy vs. Spy - copyright Kigs, deviantART.

Martin is a great source for debate and thought exercises, as he is fluent in many realms of the subject at hand and has been trained as an economist, which makes it much easier to broaden the debate into politics and diplomacy.

I’ll address a few key elements of the brief – at least the ones that speak to me the most in terms of research and ongoing work that we are engaged in at the national, international and local levels.

First – the ever-provoking “there is no CyberWar” statement. Immediately followed by “this is the definition of CyberWar as I see it”… Obviously, with a definition that closely resembles war as defined in other domains (land, sea, air, space), it’s hard to see how one can state that CyberWar was ever engaged in (or ever will be, for that matter). But the key here is not to treat the Cyber domain as “another” domain and try to use the template of the traditional domains when defining it. Cyber is a game-changer; it’s not a domain like any other, it has its own rules, territorial issues are moot here, jurisdiction is a mess, and accessibility is even worse. It’s almost impossible to define what a conflict is in Cyber, what an engagement is in terms of forces colliding, and how aggression is defined. Nevertheless, all the issues mentioned in the last sentence have arisen many times over the last decade, and yet some refuse to realize that on several occasions it was indeed a state or form of warfare.

The second issue is deterrence. On this one I almost completely agree with Martin’s approach, which questions whether real deterrence can be applied to the domain. Nevertheless, I do believe that a sustained and proven threat over the opponent’s critical infrastructure, financial and base production facilities can be used as a deterrence factor. You do not need missile silo counts to prove deterrence in the Cyber domain; you need sustainable access to critical systems, and proof that you can retain such access even as some vulnerabilities and key access elements are taken off the table by the defensive strategy. For that – enter espionage… With a combination of cyber-domain capabilities and a solid intelligence practice (i.e. both gathering as well as proactive), one side can create a situation where such access to critical elements in the other side’s Cyber domain is kept consistently under surveillance and accessible to modification/sabotage.

Which leads to the last issue, which has surprisingly raised a lot of eyebrows lately – even from people who I consider proficient in the “Art” of international relations and diplomacy: the “legality” of espionage. Face it – espionage has been and will always be a fully acceptable part of a nation’s strategy. It is accepted at all levels of diplomacy, and by every nation. Everyone knows that everyone else is engaged in it, and is putting a lot of resources into making sure that their efforts are successful while trying to minimize everyone else’s efforts in their own territory. The same applies to the Cyber domain. It’s no big surprise that the US finds itself dealing with a major espionage case (on the commercial level) almost every year, and just think about all the cases that are not made public in the government and military sectors… But have no fear – the other side is being spied on just as well, with skills that do not fall short of (and usually surpass) what the US is subjected to. It’s a fact of life, so stop whining about it (and excuse the Burn Notice cameo).

To conclude – I truly think that dealing with such a young and ever-evolving domain is a great challenge – both technologically, as well as from the diplomacy / international relations aspects of it. And until we have some shape or form of formalized discourse on this domain (such as the efforts put in by NATO, the UN and a few of the world’s largest nations), it’s a free-for-all playground that is going to keep providing us with moral, technological and sociological challenges. BRING IT ON!

Information Security Intelligence Report for 2010 and Predictions for 2011

Looking back at 2010 shows a widening gap between cybercrime and law enforcement capabilities, in conjunction with nations that have started the cyber-race to develop defensive and offensive capabilities. Most of the attacks analyzed in 2010 depict organizations that fall behind in their defensive strategies, as attackers take advantage of a hybrid approach that merges technical exploits with human weaknesses to cash out on their attacks.

Cybercrime widens the gap between attack capability and defense mechanisms. Analyzing several of the major attacks of 2010, Security Art notes that organizations were attacked in two key ways. Firstly, through technical exploits such as Aurora, Mariposa, ZeuS, and SpyEye. Secondly, by attacks that bypassed traditional protection methods and gained access to targets through human-weakness areas such as social media. While businesses focused on defending themselves using security mechanisms such as anti-virus software and perimeter defenses, attackers jumped over these defenses and proceeded to flood the market with a high volume of malware that now poses a serious threat to security providers in terms of detection rates and response time. Meanwhile, law enforcement agencies have focused mainly on low-level cybercriminals, and have not successfully reduced the impact of online criminal activities. On a national level, we see that nations have embarked upon the race to develop defensive and offensive cyber capabilities.

Cyberwar arms race sends nations into a shopping frenzy. As CyberWar gained merit (and criticism) during 2010, with the movie-material Stuxnet incident being the poster-boy for news outlets that published every spin-off, speculation, and plain old gossip, the international scene had its own race for the latest and greatest defense mechanisms. The implications of Aurora and Stuxnet made most countries aware of their lack of a critical infrastructure defense and of the capability to deliver a similar cyber-blow, and many went shopping for weapons. Security Art witnessed the strategic build-up of capabilities in some countries, and a more hurried shopping spree (that usually led to the amassing of cybercrime-provided tools) in others. This, and the delayed response of organizations such as the UN, the EU, and NATO, left the scene looking more like the Wild West than Silicon Valley.

Expanding digital domain and improved understanding of security will reign in 2011. Our prediction for 2011, drawn from the criminal, political and diplomatic sides of cybercrime that dominated 2010, is that more focus is going to be given to approaching security from a strategic standpoint. Rather than buying “best of breed” products and ticking off compliance sheets, we predict that organizations and countries will apply a more sensible executive-level understanding of what information security means to them. With the expanding personal digital domain (smartphones, tablets, and the like), and the continued digitization of all organizational information (from scanned materials to VoIP telephony), security must be applied to more layers than ever before. Countries and organizations will have to adopt additional skill-sets and look for solutions in areas they have not dealt with before.

Please go to http://www.security-art.com/download-report to download the full report, or email [email protected] for additional information.

Building a brand loyalty – how NOT to

Disclaimer: this is a rant.

OK, so I travel a lot. Over a dozen trips this year, to be more precise (17 and counting). As such, I tend to be “liked” by the airlines I travel with most. Nevertheless, on my last couple of hops into Europe, I decided to test the waters and make sure that I wasn’t missing anything. You know – play the educated consumer who does not get locked in to a certain brand, shops around and knows what’s on the table in terms of alternative suppliers. And that’s how my story with ElAl starts.

You have to realize that up until this month, I hadn’t flown a single flight with ElAl for almost a decade. I have been a loyal customer of another airline (and its “alliance”), and as a frequent traveller have been on their highest status for the past few years in a row. I figured that based on this I would get equal status in ElAl and the same benefits – which turned out almost right… Upon submitting my current status with Continental and my flight history, I got a quick call back to inform me that ElAl had graciously granted me (drumroll…) GOLD status! Gold??? Too bad that my current status with Continental is Platinum. A quick explanation on the phone, another call back, and I was an ElAl Platinum member.

Cool. Shaky start, but getting there. Off to the flights. My real test was a flight that mixed business with a bit of vacation in London with the wife. Used to the status rules on EVERY OTHER AIRLINE, I expected that my significant other would get the same treatment as myself. SURPRISE. Pay up – that’s what I got when I tried to get “preferred” seating (exit row/bulkhead) for us. 80 “points” later (because ElAl can’t use miles like the rest of the industry does – that would enable people to compare apples to apples, and they can’t have THAT!), we got a seat for my wife as well.

The flight to London was uneventful, nothing too fancy in terms of service, check-in process, or the like (no separate boarding for business/platinum – just a general “yee-haa!” of a mess; well, that’s Israel for you…).

But airlines are not tested when everything is OK; they are tested when the shit hits the fan. Enter snowpocalypse, the local UK version of it at least. On Saturday the 18th, a bit of snow hit London, and started showing signs of disrupting the quiet English city in ways that were unexpected (surprise – wintery weather in the UK…). As our flight time was fast approaching, we gave ElAl a quick call to check up on our flight status. 7pm, and ElAl’s representative festively announces to us that the flight is on time and will be leaving, so we can head off to Heathrow. Just to set the stage right – we are following what’s going on in Heathrow through all the news channels, as both the airport and every other airline on the planet are feverishly communicating to their customers on what’s up and what’s not.

We make our merry way to the airport, all packed up and ready to go, only to get to Heathrow and find a temporary hostel. Everyone is stuck, people are sleeping on the floor, and the gates are all closed. The ElAl crew is happily handing out flyers stating that the flight is delayed until tomorrow morning.

Problem 1: How come your local crew is completely out of touch with HQ? How come you tell us to get to the airport when every other airline is saying don’t come in, as the flights are cancelled? How come you are waiting for the airport to call you instead of trying to communicate with the locals and get a status update? Answer???? Nada.

Let’s just have a quick recap. Heathrow airport: website is constantly updated with flight status and airport status. They have a twitter account, which constantly updates people on what’s going on, and keeps answering people’s questions. ElAl: website does not reflect any changes in status of flights, no indication whatsoever of any issues with EU flights or airports. On the other hand, ElAl has 3 (three) twitter accounts! (@elalUSA, @elal_il, and @elal_airlines) They must be on this so hard, updating everyone!? Nope. All they have there are announcements of flight deals, and ways to spend your worthless points. WHILE PEOPLE ARE STUCK AT AIRPORTS.

Fast forward almost two days: Apparently, ElAl have booked me on a flight from Luton airport. Apparently, because they didn’t call or text (which they became very good at – especially leaving automated voice messages in different languages about irrelevant flights). So, what’s the problem, you ask? You got on the first flight out back to Tel-Aviv? Right. If only I were traveling alone… In utter incompetence they left my wife out of the reservation, kept her on a waiting list for the flight from Luton (which was obviously full to the teeth), and booked her on a Heathrow flight later in the evening. The lack of communication here is glaring again: I’m supposed to find out by myself (by nagging and calling them a couple of times a day) that I’m scheduled to leave from Luton early in the morning, and it would probably have helped them figure out their mistake in not booking my wife if they had called to notify us of the change.

Problem 2: Not notifying your best customers that they are supposed to leave from a different airport is BAD. Not taking care of the entire reservation (my wife, duh!) is BAD. Having someone at Luton as a station manager who claims that I’m introducing more problems for him by saying “we are here and I’m flying WITH my wife because ElAl fucked up” is BAD (not to mention that I had to remind him that the flight was in his full control and reservations can’t do anything with it, because I know, and checked…).

Epilogue: Dear ElAl, thanks for getting me Platinum status. You can have it back. Really. I’m sending you back the fancy card because you have FAILED. You failed to understand that you operate in a competitive market. You failed to understand that you need to SERVE your customers, who overpay for your tickets for some reason. You FAIL on an operational level if I need to be the one to come up with alternative suggestions for flying people out of places (Luton, maybe a train to another city and a flight from there). You FAIL when I need to ask if you are sending a widebody carrier (747) instead of the regional one (757 or 767) to Luton, as there are probably many other customers like me stranded in Heathrow. And for that you are not getting my business again, probably for another decade.

Picking up the glove – DC9723

Every time I get back from the annual DefCon/BlackHat/BSides conferences in Vegas, I usually run into some of the local security folks who managed to make the trip as well, and the plane ride home usually goes like this: “So, this year was pretty cool, huh?”, “Yeah, funny how we only get to meet up so far away from home”, “Right! Isn’t it a shame that we don’t have any local conferences back in Israel?…”.

You get the idea.

So, after many years of just complaining and saying that we suck, we decided to finally give it a go (we being my colleague Itzik Kotler and myself).

Ergo, DefCon group 9723 (or DC9723 for short).

We have bought the domain, set up a site, and called for the first meeting to be in Tel-Aviv on December 21st. Hope that this will finally bring this disjointed community together and get us up to par with other communities all around the world.

See you there!

The power of collaboration (BlueHat post)

Some additional BlueHat wrap-up - a collaborative post with a dear colleague of mine, Fyodor Yarochkin, has just been posted on the BlueHat blog.

The interesting thing about this is that my interactions with Fyodor have been as follows:

  1. Email exchange prior to BlueHat, as we were speaking one after the other, and were referring to the same ecosystems but from different points of view.
  2. Meeting in Seattle/Redmond at BlueHat, and having some conversations (and drinks, yes, some drinks were involved too) about work, research, and such.
  3. Speaking one after the other.
  4. Working together on a post through online sharing tools, where we basically played with throwing ideas around, putting in writing what we thought about them, exchanging some ideas and directions, and coming up with the aforementioned post.

To sum this up quickly: we didn’t really know each other (not even virtually) a few weeks ago, and based on our mutual interests, research and passion we were able to come up with a (somewhat) cohesive post that at least I can stand back from and say “Damn, that’s pretty good” (and learn something from).

Only in InfoSec!