Tag Archives: Cyber

Honest review – CSI:Cyber

There seems to be a lot of chatter (at least on my highly biased Twitter and Facebook feeds) about how terrible of a show CSI:Cyber was. People seem to be extremely concerned about the fact that the show did not portray all the hacking related activities (cyber, infosec, whatever you want to call it) precisely as it is in real life. So here’s my take at it.

First – I’m not talking about the overall quality of the show. I’m not a TV critic, and I’m not going to go into the casting choices, the bad acting, the hollow and predictable script or any of the cinematographic elements. Let’s just focus for a second on what irks people the most – cyber.

So let’s talk about some (again some!) of the technical elements that show up there:

1. Hacking into baby cameras. Totally true. http://www.cnet.com/news/hacker-shouts-at-baby-through-baby-monitor/

2. Social media being a major source for intelligence. Been using it for a decade now through red teaming. Actually joined a social risk management company as it’s that big of an issue. (www.zerofox.com)

3. Social engineering – micro expressions, cold reading, etc. Legit. Again – red teaming. We even teach it on our red team classes.

4. The camera ball used to survey a site before entering it. http://bounceimaging.com/

5. Usage of malware (RAT) to spy on people. Welcome to the last 17 years of my professional career. And yes – you can buy this on the “surface web” (WTF – can’t you just say Internet?). Blackshades used to go for about $40-$50 a pop as far as I recall (and no, not going to do the homework for you and link to a live site that sells this. Google it.).

6. Companies that release products with known flaws in them? Yeah, you are probably reading this from one of those. Welcome to reality, where business decisions trump technical purity and security. Companies want to make money. Fast. If fixing all the flaws found in the software or hardware will keep them from making money, guess what – they will prioritize these to a point where they can get $ in the bank.

And yes – there where some highly amusing things where the artistic license was taken very liberally. Malware showing up in the code as red letters (vs. the traditional green on black). Fingerprints taken from a scene of a crime using an “Expensify” like app – quick snap of the phone’s camera, and within seconds you got a match with full profile and mug. Tracking every IP address to a physical location and swatting it within minutes. A teenager that needed help on a console game from a 30-something year old FBI agent. Having an online bidding that consists of basically a conference call conducted in multiple languages (nobody has time for this – it’s all going to be done through IM’ing, and on dedicated forums). And the list goes on… no regard to the judicial process, medical examinations that are beyond absurd, taking an hour to drive from DC to Baltimore, but from Baltimore to upstate New York in minutes just to get to the drowning car so that the baby can be saved.

Am I hearing my lawyer friends going crazy on the lack of judicial process? About the deal that put a convicted felon to work closely with the FBI? (they are having hard time finding good people because they smoked pot FFS)? Nope. You know why? BECAUSE IT’S TELEVISION.

It’s not a documentary.

If it would be, 90% of the show would be someone staring at a debugger on a screen, drinking coffee, eating junk food, and cursing. And then writing a report. I’m sure that’s a blockbuster – call in the writers.

So ease off. Be thankful that this isn’t another Scorpion, and that there are enough elements in the script based on reality, kick back, take a load off and watch your entertainment on TV. If you want more accuracy – feel free to watch the hundreds of videos from conferences like BlackHat, Defcon, Derbycon, etc. You’ll get educated. Can’t promise anything about entertained though 😉

Oh. here’s a bonus for you if you thought that the image above was cool – my desk is much simpler 😛2015-03-05 10.43.43

 

Cyber, Cyber, Cyber. What are we talking about anyway?

A long draught (almost a month) in this blog is finally coming to an end after I had some great conversations with good friends at the cyber un-conference here in Israel. One of the obvious discussions is around the use of the term cyber (surprise). The general agreement is that the term has been violated pretty badly by security consulting firms and vendors trying to jump on the “cyber” bandwagon without a slim clue of what they are talking about (another shocker!).

But seriously now, we are all to blame for using the term once in a while (yours truly not excluded), while we all refer to different things. So, let’s try to get some order in the media hype and understand (at least the way I see it) what is this cyber we are talking about.

Disclaimer: this is what I believe that Cyber actually refers to. Your mileage may vary…

For me, cyber starts from way up. Beyond technology and Internet, and even beyond warfare and conflict. Cyber is first and foremost a domain. Much like air, land, sea, and space. A domain is (from the Merriam-Webster dictionary):

1. a. complete and absolute ownership of land
b. land so owned
2. a territory over which dominion is exercised

As such, domains that are not under the direct ownership, are treated by sovereign countries as first and foremost economical factors that affect their well-being. Most importantly, shared, or international domains are crucial to enabling international trade, communication, travel and freedom (especially air, sea and space). Such domains are referred to as “global commons“.

Now think of the Internet and the underlying parts that make it work. Computers, network equipment, cabling, satellite communications and other elements that are owned by a variety of private companies, governments, and are under different jurisdictions around the world. Because it is so hard to pinpoint the ownership of a specific part of the Internet, it is much simpler to treat it as a general domain, and as such, a global common. This is exactly how most modern countries act, and how it, much like the other global commons, became an element of conflicts when such countries escalate diplomatic efforts into actions. A good example of how this works can be seen in the work that NATO are putting to address this exact question. Note how a lot of the efforts are placed first on the legal and cooperative elements before addressing the battlefield (NATO and Cyber Defense – PDF) .

So we went from an economical domain that supports communications, trade and information, to an element which countries may use as part of their available conflict management against other countries. Enter: cyberwar. What most abuses of the term these days do not take into account, that cyberwar, much like airwar, seawar, spacewar and landwar is almost never a singular element in a conflict. It is part of a larger strategy and a mean of affecting diplomatic efforts to achieve some goal at a national or international level. Hence, cyber-weapons are never products or pieces of software, but more generally tactics that are deployed in order to gain an advantage in the cyber common in conjunction with other tactics and strategies used in other domains.

I’m sorry that this isn’t the “sexy” cool thing that some consultant that used to do vulnerability assessments is trying to pitch to you, or some product that a vendor is trying to sell you in preparation to the imminent cyberwar that will erupt any minute now and eject all the CD trays of the PCs in your organization. It’s more in the lines of a broader understanding of what elements that would be used in the cyber common would affect us as individuals, organizations, cultures and countries that we should be concerned about. It’s more about how countries are developing capabilities that would be used to gain an advantage over their adversaries in diplomatic conflicts. Whether on an ongoing basis – much like “normal” spying and intelligence gathering is done in times of peace, or in times when more active measures are taken.

The bottom line is that the “Cyber” term is first handled at the higher levels which may have nothing to do with some virus or worm hitting a nuclear plant, and only then translated to the tactics used to protect or attack assets which have some manifestation in that domain.

Now we can all get back to abusing the term. At least we knowhow we are going to abuse it :-).

Additional reading:
http://www.worldpoliticsreview.com/articles/6838/resetting-article-5-toward-a-new-understanding-of-natos-security-guarantees
http://security.cbronline.com/news/cyberspace-is-operational-domain-like-air-land-and-sea-us-150711