Wednesday, June 22, 2011

It's Worse Than You Can Understand

June 19, 2011: The U.S. Department of Defense is trying to improve its network defenses, and those of companies that supply weapons and equipment. The new plan is to pool intelligence, and defensive techniques with the major defense companies. This is being done as a pilot project called DIB (Defense Industrial Base) Cyber Pilot. This is a long shot, as the organizations with the best Internet security are not inclined to share. That's because the most dangerous vulnerability is someone knowing how your defenses are organized, and what kind of intelligence you are collecting (and how you do it) on the hackers. When it comes to security, the net is a very paranoid place.

Firms with the most to lose, like financial institutions, guard their data most successfully. They do this the old-fashioned way, with layers and layers of security, implemented by the best (and most highly paid) people and pushed by senior managers who take the time to learn about what they are dealing with, and what it will take to stay on top of the problem.

It's different in the defense business. If the Chinese steal data on some new weapon, there might be a problem years down the road, when the Chinese offer a cheaper alternative to an American weapon, for the export market. But even that problem has a silver lining, in that you can get away with insisting that those clever Chinese developed your technology independently. Meanwhile, everyone insists that there was no espionage, cyber or traditional, involved. As a further benefit, the American firm will get more money from a terrified government, in order to maintain the American technical edge. It's the same general drill for military organizations. But for financial institutions, especially those that trade in fast moving currency, derivatives and bond markets, any information leaks can have immediate, and calamitous consequences. You must either protect your data, or die.

Because of the shortage of high-end Internet security people (it's complex stuff, and a lot of the best people are lured away to the dark side), there is not enough talent to go around. Then there's that disinclination to share. Sharing with the government or defense contractors is seen as a particular waste, as these organizations lack sufficient short term incentives to stay alert and reliable.

Meanwhile, Chinese Internet based espionage has been going on for years. Some of the attacks have been traced back to Chinese government computers. But how do you respond? It's possible that there has already been a response. Espionage is a two way street, and the United States certainly has the resources (in terms of talented Internet engineers and hackers) to do the same kind of snooping against Chinese computers. If so, like the Chinese, there would be no admission of such activities. That's how espionage is done, in the dark, with denials all around. Meanwhile, China has been making more desperate sounding exhortations for their own civilian firms to get stronger Internet defenses. But China has an even greater shortage of Internet security specialists, and is much more vulnerable than the government will allow anyone to admit (or go into detail about).

But the biggest problem, according to military Cyber War commanders, is the difficulty in making it clear to political leaders, and non-expert (in Internet matters) military commanders, what the cyber weapons are, and the ramifications of the attacks. Some types of attacks are accompanied by the risk of shutting down much, or all, of the Internet. Other types of operations can be traced back to the source. This could trigger a more conventional, even nuclear, response. Some attacks use worms (programs that, once unleashed, keep spreading by themselves.) You can program worms to shut down after a certain time (or when certain conditions are met). But these weapons are difficult, often impossible, to test "in the wild" (on the Internet). By comparison, nuclear weapons were a new, very high-tech, weapon in 1945. But nukes were easy to understand; it was a very powerful bomb. Cyber weapons are much less predictable, and that will make them more difficult for senior officials to order unleashed.

So the first order of business is to develop reliable techniques to quickly, and accurately, educate the senior decision makers about what they are about to unleash. This would begin with the simplest, and cheapest, weapons, which are botnets, used for DDOS attacks. In plain English, that means gaining (by purchase or otherwise) access to hundreds, or thousands, of home and business PCs that have had special software secretly installed. This allows whoever installed the software that turned these PCs into zombies, to do whatever they want with these machines. The most common thing done is to have those PCs, when hooked up to the Internet, send as many emails, or other electronic messages, as they can, to a specified website. When this is done with lots of zombies (a botnet), the flood of messages becomes a DDOS (Distributed Denial of Service) attack that shuts the target down. This happens because so much junk is coming in from the botnet, that no one else can use the web site.

But there are even more dangerous cyberwar weapons out there. You can unleash worm and virus software modified to take advantage of largely unknown Internet vulnerabilities, that allow the user access to many business, government and military computers. This sort of thing is called, "using high value exploits" (flaws in code that are not yet widely known). These exploits are a lot more expensive, and require more skill to use. Currently, a major source of exploits is hackers for hire. These are skilled hackers, who know they are working on the wrong side of the law, and know how to do the job, take the money, and run. This situation has developed because organized crime has discovered the Internet, and the relatively easy money to be made via Internet extortion and theft.

It is believed that those nations that have Cyber War organizations, maintain arsenals of exploits. But these have a short shelf-life. Nearly all exploits eventually come to the attention of the publisher that created the exploitable software, and get fixed. Not every user applies the "patches", so there will always be some computers out there that are still vulnerable. But that makes "zero day exploits" (discovered and used for the first time) very valuable. That's because you can use these exploits on any computer with the flawed software on it. Thus it is expensive to maintain an exploits arsenal, as you must keep finding new exploits to replace those which are patched into ineffectiveness.

Most of the Internet combat so far has been done under peacetime conditions. In wartime, it's possible (especially for the United States) to cut off enemy countries from the Internet. Thus potential American foes want to maintain an official peacetime status, so the United States cannot use its ability to cut nations off (or nearly off) from the Internet, and remove easy access to American (and Western) targets. Thus the need to make attacks discreetly, so as to make it more difficult for an enemy to target stronger attacks against you, or threaten nuclear or conventional war.

Meanwhile, everyone (including the bad guys) seems to be concentrating on defense as the true extent of Internet vulnerability becomes known. So DIB Cyber Pilot might actually work, if the decision makers can be convinced of how vulnerable they are, and become truly and convincingly scared into action.



Sent from my BlackBerry® wireless device via Vodafone-Celcom Mobile.

Sunday, June 19, 2011

Turning The iPad Into A Weapon

June 15, 2011: Combat pilots in Afghanistan have, like many businesses, discovered new and useful ways to use the iPad. U.S. Marine Corps helicopter pilots found the iPad a useful way to carry hundreds of military maps, rather than the hassle of using paper versions. Marine commanders quickly realized this "field expedient" (a military "hack" that adopts something for unofficial use while in the combat zone) worked, and made it official. That meant buying iPads for this and getting to work coming up with more uses.

This is nothing new. The U.S. Army has established an app store (the Army Marketplace) for military smart phone users. This includes the iPad, which soldiers are also big fans of. The army app store includes an "App Wanted" section where users can post descriptions of an app they need. If a developer (in uniform, or an army approved civilian with access to the Army Marketplace) is interested, a discussion can be started on an attached message board. The army hopes that the needed app will be quickly created and made available at the Army Marketplace. Developers can charge for their apps, although the army is also willing to pay developers to create needed apps that have been described by military smart phone users.

One of the more impressive apps was one that assisted troops calling in air and artillery fire. Specialized, and now portable, computers have been used in the military for decades, to help troops who call in artillery fire, or air strikes. But these "forward controllers" have to lug around a lot of gear, as they move, often on foot, with the infantry they support. Every bit of weight counts. The less you carry, the more energy you have for life-and-death tasks. Now, there is an app for that, and the forward controllers can leave behind gear that has now been replaced by an iPhone app.

The army and marines see these portable devices as key battlefield tools. Not just for communication, but for a wide range of data handling (computer) chores. Some of these apps turn the iPad or smart phone into part of a weapon. The military wants to work closely with Apple to ensure the troops get the software they need, as well as customized hardware. Details are largely kept secret. But now the military knows, for certain, that creating lots of these apps requires more time and effort than many troops can muster. Then there is the problem of maintenance (upgrading and fixing bugs). So the army is going to establish a team to take care of this, using some army personnel and contractors as part of a permanent organization.

This is all part of a trend. In the last decade, the U.S. military found the iPod music player an increasingly useful tool. This happened for two reasons. As time went on (the iPod was introduced just after September 11, 2001), more and more troops bought iPods. By 2005, most troops had them. The iPod was the perfect entertainment device for the battlefield. When you got a chance to take a break, you put in the ear buds, turned it on, and were in a different place for a few minutes. The iPod battery usually kept going until the next time you got a chance to recharge.

The second reason was that, from the beginning, the iPod could do other things (run software for things other than listening to music). That's because the iPod was, basically, a very small personal computer. In fact, the iPhone is basically a high end iPod (sold as such as the iPod Touch), with cell phone capability added.

At first, most of the other iPod software was games, but soon non-game applications were added. There was a problem for the military, however. Except for some skilled hackers, no one but Apple, or with the help of Apple, could create software for the iPod. Despite that, the U.S. Army had some military software written for the iPod. This worked well, but it took over a year to get new software for an iPod, a delay that did not encourage rapid development. That changed three years ago, when Apple opened its App Store, and released a tool kit (SDK) for programmers to develop software for the iPhone and iPod Touch. This meant that military programmers could create Touch software to suit their needs, and do it quickly. In less than a year, hundreds of military-specific Touch programs have been created. Many do not show up in the App Store, as they are only for military use.

The Touch, and now the $500 iPad, have become the new "most favorite gadgets" for the troops. The Touch is cheap (under $230), has the same interface as the iPhone, has several hundred thousand programs (and growing rapidly) available, and can also serve as an iPod (to listen to music or view vids). The Touch has caught on, and it does the job better than any earlier PDA. The Touch also has wi-fi built in, making it easier for the troops to get new software or data onto their Touch. The iPad is basically a larger Touch, and popular for reading magazines, and consulting technical manuals. Troops have long been reading books on the iPhone and Touch. Now, smart phones like the iPhone are becoming increasingly common, so much so that few troops will go off to war without one. And the smart phones get smarter every year. As of 2011, your average smart phone has the computing power of a ten year old laptop.

For use in the combat zone, troops usually put one of the many protective covers on their smart phone, Touch, or iPad and, so far, these devices have held up well under battlefield conditions. Meanwhile, some of the software written for earlier iPods, is now available for the Touch and iPhone. This includes the VCommunicator Mobile software and libraries. This system translates English phrases into many foreign languages. Each language takes up four gigabytes, so they easily fit on the Touch. The software displays graphics, showing either the phrase in Arabic, or a video of a soldier making the appropriate hand gesture (there are a lot of those in Arabic), and this looks great on the Touch. There are collections of phrases for specific situations, like checkpoint, raid or patrol. You can use any accessory made for the iPod, like larger displays or megaphones. Non-combat troops have found the Touch, and especially the iPad, to be a useful way to carry hundreds of technical manuals around, for use while maintaining or repairing equipment. Some tech personnel have made videos of how to carry out particularly difficult repair or maintenance procedures, and passed these "show and tell" vids around.

All this is nothing new. When PCs first showed up in the late 1970s, younger troops were, as usual, early adopters. And many of them quickly found ways to create software that made their jobs easier. Databases and programs, created by the troops, that figured things out more quickly and effortlessly, kept showing up throughout the 1980s. It took about a decade for the brass to catch on, and another decade for the senior military people to embrace this flood of computerization. So when the iPod Touch came along, it was quickly adopted. And no one in uniform was surprised. This was in large part because so many of today's generals and admirals remember how programmable calculators were introduced when they were young, and how they and their troops adopted these devices for military use. This rapid adoption of technology has now become part of the military DNA, and it started at the bottom.

Wednesday, June 15, 2011

THAAD Comes Off The Line

June 6, 2011: The U.S. Army recently received its first two production model THAAD (Terminal High Altitude Area Defense) anti-missile missiles. Last year, the army conducted another successful test firing of THAAD, demonstrating the system's ability to hit targets closer to the ground, and to share data with Patriot anti-missile systems. This was the seventh (out of seven) successful test since 2005. There have been 20 tests since 1995, 14 of them successful. THAAD entered service in 2008, with pre-production missiles for use in further testing.

Two years ago, the army formed its second THAAD anti-ballistic missile (ABM) battery. The army will form two more THAAD batteries over the next year. Five years ago, there was a successful test of THAAD (a SCUD type target was destroyed in flight) using a crew of soldiers, and not manufacturer technicians, to operate the system.

Each THAAD battery has 24 missiles, three launchers and a fire control communications system. This includes an X-Band radar. The gear for each battery costs $310 million. The six meter (18 foot) long THAAD missiles weigh 837 kg (1,400 pounds). This is about the same size as the Patriot anti-aircraft missile, but twice the weight of the anti-missile version of the Patriot.

The range of THAAD is 200 kilometers, max altitude is 150 kilometers, and it is intended for short range (like SCUD) or medium range (up to 2,000 kilometer) ballistic missiles. THAAD has been in development for two decades. Ultimately, the army would like to buy at least 18 launchers, 1,400 missiles, and 18 radars. THAAD is a step up from the Patriot PAC-3 anti-missile (which is an anti-aircraft missile adapted to take out incoming missiles). The PAC-3 works, but it has limited (20 kilometers) range.

The navy has also modified its Standard anti-aircraft missile system to operate like the PAC-3. This system, the RIM-161A, also known as the Standard Missile 3 (or SM-3), has a longer range than THAAD (over 500 kilometers) and max altitude of 160 kilometers. The Standard 3 is based on the failed anti-missile version of the Standard 2, and costs over three million dollars each. The Standard 3 has four stages. The first two stages boost the interceptor out of the atmosphere. The third stage fires twice to boost the interceptor farther beyond the earth's atmosphere. Prior to each motor firing it takes a GPS reading to correct course for approaching the target. The fourth stage is the 20 pound LEAP kill vehicle, which uses infrared sensors to close on the target and ram it.

Thus the U.S. has three anti-missile systems, although one of them currently only operates from warships (cruisers and destroyers that have been equipped with the special software that enables the AEGIS radar system to detect and track incoming ballistic missiles.) AEGIS can also be operated from land bases, and the manufacturer is offering such a system to export customers.

Saturday, June 11, 2011

The Cupcake Bombers

June 8, 2011: British intelligence (MI6) recently hacked into al Qaeda's online magazine ("Inspire") and quietly replaced bomb making instructions with cupcake recipes, and removed or modified other information. While some intelligence officials prefer to hack hard and shut down these sites, outfits like MI6 and the CIA prefer to use sites like Inspire as a source of intelligence. This can be done by monitoring message boards, traffic to the site and other, more technical (but useful) information. The CIA has been suspected of doing what the MI6 did to Inspire, but using more subtle and lethal methods. For example, bomb making instructions can be changed in small ways, to make the bombs very dangerous to those making them. The same with other information on the site, making small changes that will create arguments or confusion among site users. These two techniques are ancient intelligence practices. Al Qaeda is particularly vulnerable to these kinds of attacks because Islamic terrorists have never become a threat via Internet based attacks and, in general, lack much knowledge of how the Internet is built and maintained.

For that reason, over a decade of warning about Islamic terrorists using the Internet to launch attacks has come to nothing. At most, there has been some defacing of web pages, often by hackers driven more by nationalism than religion. The Internet Jihad (struggle) has been mostly smoke, and very little fire.

Attempts by terrorists to recruit hackers have had very poor results. The Moslem world has much lower levels of literacy, education and computer proficiency than the West. There are a growing number of programmers and Internet specialists in the Moslem world, but most of them have legitimate jobs in software firms, or maintaining software and Internet services for companies. Some are involved with Internet crime, and a very few are eager to help carry out Internet based terrorism. Nearly all the Moslem blackhats (criminal hackers) are reluctant to get on a terrorism watch list, or something worse if they join some terrorist outfit. Moreover, Islamic terrorists recruit mainly from the young and clueless (and angry and unemployed). Internet penetration in the Islamic world is very low, as is literacy itself. The Islamic cyber threat is largely fiction, because the potential pool of Islamic Internet Jihadis is so tiny.

This is somewhat surprising, as there are Cyber War tools available that even the poorly educated terrorist computer user could operate. For example, there's a software program that online gamers use to launch DDOS (Distributed Denial of Service) attacks on other players they are particularly angry with. DDOS is used to shut down a web site, or individual user's Internet access, with a flood of garbage messages, generated from as few as fifty "zombie PCs" (machines hackers have earlier seized control of). Some bot herders (those who control hundreds, or thousands, of zombies) will rent zombies for these small scale DDOS attacks. The going rate is a few dollars a day per zombie (fifty will usually do to shut down one person's Internet access). Several thousand zombies are needed to shut down a web site, and criminals use that many to blackmail online businesses. This sort of thing happens every day, but it is rarely used by Islamic terrorists.

Counter-terrorism organizations know why there have not been more of these attacks by al Qaeda, or any other self-proclaimed Islamic warriors. The fact is that the Islamic terrorists are not nearly as well organized or skilled as the mass media would lead you to believe. There are many types of attacks, not just those involving the Internet, that terrorists could carry out, but don't. It doesn't happen because the terrorists cannot get it together sufficiently to do it. That should tell you something. The potential is there, and that is scary. But the reality has to be recognized as well, and that's a lot less scary.