Showing posts with label China. Show all posts

Wednesday, February 10, 2016

The Institute for Critical Infrastructure Technology (ICIT) Releases the Encyclopedia of the Most Prominent Hacktivists, Nation State, and Mercenary Hackers


The Institute for Critical Infrastructure Technology, a leading cybersecurity think tank, has published its most recent research report entitled Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups. The report is an encyclopedia of bad actors stemming from the nation state, mercenary, and hacktivist arenas and details the characteristics and intricacies of the world’s most prolific threat groups.

Authors James Scott (ICIT Co-Founder and Senior Fellow) and Drew Spaniel (Visiting Scholar) cover threat groups not by means of a particular ranking system but rather by the dominant players categorized by geography, including China, Russia, Iran, and North Korea. Zero days, malware, toolkits, exploit techniques, digital footprints and targets are covered in depth. The report covers 40 bad actors including: Blue Termite, the Elderwood Platform, Deep Panda, APT 30, APT 2, Tarh Andishan, Ajax, Dark Hotel, Bureau 121, Energetic Bear, Uroburos, Sofacy Group, the "Duke" family, Carbanak, SEA, Animal Farm, Hellsing, and Shrouded.

Monday, June 8, 2015

Who Knows More about You – The US, or China?

While I suspect China lags the US in knowing about its citizens, China might be catching up quickly.

In light of last week's data breach affecting 4 million people, described as one of the largest thefts of government data ever seen, TK Keanini, CTO at Lancope, offers the following.

"Last Thursday night, U.S. officials said that the Office of Personnel Management (OPM) had suffered a breach. Data from four million current and former federal employees, across numerous government agencies, may have been stolen by Chinese hackers. It does not take a security expert to see a pattern taking place here. Most of the attacks allegedly from China over the past few years have gone after the personal information of US citizens, and there is no sign that this trend will diminish. It is fair to assume at this point in the game, China may have more accurate information on US citizens than the US itself. 

"The OPM manages security clearances for various government organisations. During that process, employees must provide extreme detail to every aspect of their life – which is in turn stored and kept in the same systems that were breached.
 
"Organizational confidence takes a long time to build, but can be (and is) eroded much more quickly. Governmental breaches put these trusted government organizations in the same light as all the recent private company breaches (like Target, Home Depot). Much like your personal medical history, the big difference here is the government has much more sensitive data about their victims, and the victims have no choice in sharing that data.

"This attack once again exemplifies the need for more security resourcing in the federal government and the need for a different, more comprehensive approach to incident detection and response. The current methodologies have led to this breach, not avoided it. Attacks are being detected much too late in the attack continuum. Effective security these days means detecting these threat actors as they operate and before they exfiltrate data. You can't win all the battles, but all of these headlines suggest that we are still on the losing side.

"In particular, organizations need to categorize and isolate what they need to protect, place additional controls around that information, and meticulously log & monitor access to that encrypted data.
For example, some past advanced attacks have targeted Windows administrative accounts. Smart organizations have realized this, and created a separate isolated setup for domain admin accounts, with additional security controls around them (like dual factor authentication, jump boxes that are the only place domain admin activity can occur, and logging and monitoring of that separate setup). This isn't fast, easy or cheap, but organizations have been pushed into adding these controls by ongoing attacks.

"In addition, organizations need to leverage telemetry, and leave hackers no place to hide. If there is a blind spot on your network, someone will be hiding there. Find them and remove them in a way that they can't get back in. These types of incident detection and response approaches have been vastly under-funded in the past, but as these hacks increase, we will see a shift in focus. Until organizations get better at doing this, we can guarantee that the Chinese will continue to have better data on US citizens than anyone in this country does and this information superiority is what scares me the most."
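The isolated domain-admin tier Keanini describes (domain admin activity only from designated jump boxes, with that setup logged and monitored) is only useful if someone actually checks the logs for privileged logons that bypass it. Below is an added example of that check, written for this page and not taken from the post or from Lancope: it runs over a handful of constructed Windows Security event 4624 (successful logon) records and flags every domain admin logon that did not originate at a jump box. The host names, account names, IP ranges and the flat key=value event format are assumptions for the example; a real deployment would feed it 4624 events from Windows Event Forwarding or a SIEM.

```python
"""
Added example: detection logic for an isolated domain-admin tier.

Rule: a logon by a privileged (domain admin) account is expected only
at a designated jump box, or from a jump box to another host. Any other
privileged logon is a finding. Network logons (type 3) from unmanaged
hosts are called out separately because that is the usual shape of
lateral movement with stolen admin credentials.

All names, ranges and event lines below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed environment (hypothetical): the jump-box tier and the accounts
# that are only allowed to operate from it.
JUMP_BOXES = {"JUMP01", "JUMP02"}
JUMP_BOX_NETS = [ipaddress.ip_network("10.0.99.0/24")]
PRIVILEGED_ACCOUNTS = {"da-alice", "da-bob"}

# Windows logon types: 2 = console, 10 = RDP, 11 = cached interactive,
# 3 = network (SMB, WMI, PsExec-style access).
INTERACTIVE = {"2", "10", "11"}
NETWORK = "3"

# Each constructed event is one flat "Key=Value Key=Value ..." line.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    computer: str
    account: str
    source: str
    logon_type: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def is_jump_box(workstation: str, ip: str) -> bool:
    """True if the logon source (host name or IP) belongs to the jump-box tier."""
    if workstation.upper() in JUMP_BOXES:
        return True
    try:
        return any(ipaddress.ip_address(ip) in net for net in JUMP_BOX_NETS)
    except ValueError:  # 4624 uses "-" when no source address is recorded
        return False


def evaluate(lines):
    """Return a Finding for every privileged logon that bypassed the jump-box tier."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # only successful logons
            continue
        account = ev.get("TargetUserName", "").lower()
        if account not in PRIVILEGED_ACCOUNTS:   # unprivileged users are out of scope
            continue
        computer = ev.get("Computer", "").upper()
        workstation = ev.get("WorkstationName", "-")
        ip = ev.get("IpAddress", "-")
        logon_type = ev.get("LogonType", "?")

        # Console logon at a jump box, or any logon sourced from a jump box,
        # is what the control expects. (Who may reach the jump box at all is
        # the jump box's own MFA gate's job, not this rule's.)
        if computer in JUMP_BOXES or is_jump_box(workstation, ip):
            continue

        if logon_type == NETWORK:
            reason = "network logon by privileged account from outside the jump-box tier (possible lateral movement)"
        elif logon_type in INTERACTIVE:
            reason = "interactive logon by privileged account outside the jump-box tier"
        else:
            reason = f"privileged logon of unexpected type {logon_type} outside the jump-box tier"
        findings.append(Finding(computer, account, f"{workstation}/{ip}", logon_type, reason))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=JUMP01 TargetUserName=da-alice LogonType=2 WorkstationName=JUMP01 IpAddress=-",
    "EventID=4624 Computer=DC01 TargetUserName=da-alice LogonType=10 WorkstationName=JUMP01 IpAddress=10.0.99.5",
    "EventID=4624 Computer=FILESRV01 TargetUserName=jsmith LogonType=3 WorkstationName=LAPTOP-77 IpAddress=10.20.4.18",
    "EventID=4624 Computer=FILESRV01 TargetUserName=da-bob LogonType=3 WorkstationName=LAPTOP-77 IpAddress=10.20.4.18",
    "EventID=4624 Computer=DC01 TargetUserName=DA-BOB LogonType=10 WorkstationName=- IpAddress=203.0.113.7",
    "EventID=4625 Computer=DC01 TargetUserName=da-bob LogonType=10 WorkstationName=- IpAddress=203.0.113.7",
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {f.computer}: {f.account} from {f.source} (logon type {f.logon_type}) - {f.reason}")
```

Of the six constructed events, only two are findings: the domain admin network logon to FILESRV01 from an ordinary laptop, and the RDP logon to DC01 from an address outside the jump-box range. The console logon at JUMP01 and the RDP session from JUMP01 to DC01 are exactly what the control permits and stay quiet, which is the point of logging the isolated setup: the expected path is known, so everything else is the blind spot Keanini warns about.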

Monday, October 20, 2014

Chinese Smartphones a Security Threat


While I'm fascinated by this, it's becoming old news. Of course if it's made in China, it's going to report home.

News would be that Chinese manufacturers were acting like their US counterparts and making it difficult, if not impossible, for the government to access devices. Hats off to (and I shudder to say these names) Apple and Google.

Some soon to be published books:

Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript by J. D. Glaser

Android Malware and Analysis by Ken Dunham and Friends

Monday, September 8, 2014

Manufacturers Losing Intellectual Property to Security Breaches


While this isn't new (spies have been stealing IP for as long as there has been IP to steal), the techniques have changed. And while the PRC seems to be villain #1, our so-called allies, such as Israel and France, are just as active.

So, what's a person to do? You can start with Trade Secret Theft, Industrial Espionage, and the China Threat.

This book provides an overview of economic espionage as practiced by a range of nations from around the world—focusing on the mass scale in which information is being taken for China's growth and development. It supplies an understanding of how the economy of a nation can prosper or suffer, depending on whether that nation is protecting its intellectual property, or whether it is stealing such property for its own use. The text concludes by outlining specific measures that corporations and their employees can practice to protect information and assets, both at home and abroad.

Wednesday, May 21, 2014

Russia, China urge to develop and introduce rules for information security


First, I don't believe this for a minute. It's like Cold War propaganda. But wait, we're now in a new Cold War.

But you'd think they'd have better translators for this stuff.

I just finished the latest novel from Tom Clancy, Inc., Command Authority. What's interesting about this, aside from Tom, like L. Ron Hubbard, writing books from the grave, is how closely the book comes to recent events in the Ukraine. Of course, the Putin-like Russian leader controls all media and is given to long diatribes against enemies, internal and external, real and imaginary.

So, I decided to read the last year or so of the Russian English-language press to see how they covered the lead-up to the Russian invasion of the Ukraine.

What I found, and this applies to the Chinese English-language press, were barely literate articles, many penned by "Americans." What this amounted to was illiterate propaganda. The outrageous claims were funny enough (and I know our politicians are wont to make outrageous claims that can't be substantiated), but the writing was abysmal. (One editorial printed the lyrics to "Feel Like I'm Fixin' to Die Rag" verbatim. I'm willing to bet they didn't get permission to do that.)

Anyway, how effective can propaganda be when it's laughable on so many levels?

Thursday, February 6, 2014

Huawei Faces Indian Inquiry over Hacking Claim


Poor Huawei. They can't catch a break. While this doesn't seem to be a supply chain issue, something that fascinates me, it still reflects negatively on the PRC and its quasi-owned companies.

I suspect there are some national security issues at play here, too. China is nothing if not aggressive in pushing the fear buttons on its neighbors.

Wednesday, April 10, 2013

O-TTPS and Huawei

The Open Group Releases Global Technology Supply Chain Security Standard
From the press release, "Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, this first release of the O-TTPS codifies best practices across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfilment, distribution, sustainment, and disposal phases."

Meanwhile, the head of Huawei admits "challenges and problems" in America.

So, even though the new O-TTPS is supposed to create trust within the supply chain for COTS, could Huawei, even if it were a software company, ever use it? I doubt any type of certification will overcome the deep mistrust of enterprises owned by either the PRC or the PLA.

Monday, October 8, 2012

Chinese firms draw fire in House Intelligence report; Cisco cuts ties to China's ZTE after Iran probe

Well, of course the Chinese firms would call the charges "baseless."

Seems like the House Intelligence Committee did something right. Reuters reports that the committee is recommending that Huawei and ZTE be barred from buying US companies because of fears that they could be used for cyber-espionage. Of course, depending on who wins the Presidential election next month, the committee's recommendation has a good chance of being ignored. I'm surprised we allow them to sell kit into the US, or at least to the defense establishment. As I said before, cyber-espionage is still espionage. Is it any easier done over networks than by co-opting employees of target companies or government agencies? I'd be more concerned about cyberwarfare. And didn't India ban Chinese telecom firms from selling into the country because of security concerns? Frankly, I'd be as worried about French and Israeli providers.

10/9/12 -- According to Reuters, Cisco cuts ties to China's ZTE after Iran probe. Shall I rest my case now?


Tuesday, March 27, 2012

National Security-Related Agencies Have No ICT Supply Chain Risks?

Last week, the GAO said that defense-related departments have a security problem because of software, hardware, and components sourced or manufactured overseas, especially China. The departments in question don't track these items, and maintain that no threat exists, or the cost of monitoring exceeds the cost of the risk. This is disingenuous at best.

Now, today, the GAO reports that suspect counterfeit electronic parts can be found on DOD supply chain Internet purchasing platforms.

I recall Whitfield Diffie, addressing an RSA conference, stating that one of his greatest security fears is components calling home (to China). This type of threat has movie written all over it, but this doesn't make it any less real.

Australia has no such qualms, however. It's blocked Huawei from bidding on gear for its National Broadband Network. It seems that foreign governments, especially in Asia, are much more aware of these threats. At least the US Congress has blocked sale of some US high-tech companies to Chinese enterprises controlled by the PLA.

There are other IT security lessons that Australia can teach us.

Monday, January 2, 2012

Chinese government to crack down on phishing schemes

It was a busy weekend, with new hacks of commercial and political sites.

A couple of recent items (here and here) highlight China's attempts to protect its citizens from the evils of phishing. Maybe they should dial back their espionage, IP theft, and cyberwar efforts instead. China's apparent ham-handed approach to everything is a wonder to observe. Why do something subtle when you can use a cudgel? Sitting on top of all that money, they really don't care what the world, or its citizens, thinks. If the money threat doesn't work, there's always the new carrier-killer missiles.