Last Saturday, the hacker collective Lulz Security disbanded after nearly two months of “high-quality entertainment at your expense,” stating that they had always intended to keep their campaign to 50 days and were not responding to heightened law enforcement pressure.

Throughout their internet rampage, the hacker group was heavily hyped by the media, often for good reason. They took websites associated with the CIA, U.S. Senate, and Brazilian government offline with a gleeful “tango down!” on Twitter, and breached websites such as those of the FBI affiliated Infraguard, the Arizona Department of Public Safety, Sony, and Nintendo, leaking sensitive information. They also teamed up with the extensive, leaderless hacktivist group Anonymous and other supporters for Operation Anti-Security, devoted to exposing classified government documents.

This high-profile hacking activity drew a lot of media attention, which was good for putting network security on the agenda and exposing widespread security flaws, but as usual the press tended to mystify LulzSec, hackers, and “cyber” in general. Lulz Security is not some dark brotherhood of evil geniuses. The group accurately described themselves as “chaotic neutral.” Sometimes they would act for ideological reasons and just as often they would release the personal information of innocent bystanders “for the lulz.” But they were neither on a campaign to protect human rights nor were they stealing for financial gain. Mostly, they were just goofing around and showing off.

Just as Lulzsec wasn’t “evil,” they weren’t “geniuses.” While skilled, their hacks did not display any amazing technical expertise and tended to rely on Distributed Denial of Service attacks, SQL injections, and social engineering, some of the most basic attack techniques. Nothing that Lulzsec did was comparable to malware such as Stuxnet, which exploited numerous zero-day vulnerabilities and took hundreds of hours and thousands of dollars to develop. What LulzSec did, like most hackers, was analogous to the strategy of most burglars. When I worked with several police departments, I analyzed hundreds of burglaries and the vast majority, about 90%, involved entry through doors left unlocked, and the rest weren’t exactly Mission Impossible, with thieves kicking in air conditioners or climbing through windows. Similarly, LulzSec got most of their leverage from glaring security oversights like reusing passwords for important accounts.

All of that is not to say Lulz Security was trivial. Targeting such important and ostensibly secure websites was both bold and eye-opening.  LulzSec attacked law enforcement head-on with no fear of arrest. This is where their skills come in, as despite the recent worldwide arrests of dozens of hackers in a crackdown, Lulzsec’s 6 core members remained untouched. Because attribution is difficult in cyber attacks, informants are a key way for law enforcement to trace criminal hackers, but LulzSec dealt with “snitches” with ruthless efficiency that the mob would envy. When two wanted hackers leaked some affiliated logs, LulzSec released their locations, pictures, last known IP addresses, phone numbers, and screen names to law enforcement, even as one was trying to flee the country. “These goons begged us for mercy after they apologized to us all night,” they warned in the release, “There is no mercy on The Lulz Boat. Snitches get stitches.”

They also brought an unprecedented amount of attention to network security of the lack thereof. While the field of cyber security is riddled with periodic “wake up calls,” LulzSec didn’t just breach numerous important websites, they did so while cultivating a new level of celebrity, including so many followers on Twitter that they brought websites down simply by tweeting a link. They were the first hacker group that cultivated a brand name outside of a niche of experts and even had a PR branch. LulzSec also went after highly visible targets  associated with security, causing cognitive dissonance and exposing the flawed state of computer network security. This was all part of the plan, as LulzSec said that they relied on such unsophisticated methods precisely to make a joke of the security culture- they got more “lulz” that way.

In the end, perhaps the most cogent media analysis of Lulz Security came from an interview of CTOvision’s own Bob Gourley: “Their humor cracks me up… Any unauthorized break-in should be investigated as a crime, and I hope all who participate in those crimes get caught. But as we learn about the forensics after their major attacks, they are going after enterprises that make poor choices when it comes to security. At some point we citizens should expect more from corporate America and our government when it comes to computer security.  Do we blame Lulz for their attack against Sony, or do we blame Sony?”

Related articles

• LulzSec hacker group says Internet rampage over (bobgourley.com)
• LulzSec to critics: We’re doing you all a favor (fedcyber.com)
• CNO Part 1: Computer Network Exploitation (CTOvision)

You may also like -

Phone Hacking Scandal Reinforces the Value of Basic Information SecurityOnly 18% of Software Apps Pass Security Tests2011 in Cybersecurity

The DoDIIS Conference Agenda is now up at the conference site, and it really looks to be a great one. The confernece will be great for technology leaders in government, technology providers from industry, and the mission-focused executive leadership who seeks to guide both. If you want to shape the future, come to the DoDIIS conference and see what secure enterprises with advanced analytical missions are up to.

I’ve pasted the full agenda below, but some key highlights include:

• An overview by DIA’s CIO and Director of DS, Mr. Grant Schneider.
• Insights into secure collaboration provided by Mr. John “Mike” McConnell, former Director of National Intelligence and a mentor to legions of us who have long revered him.
• An overview of the mission needs put on the DIA technology team, provided by the Director of DIA Lieutenant General Ron Burgess.
• Insights into the human element of the system provided by noted professor and thinker Robert Axelrod.
• Deep dives into successes in innovation and information sharing, “CIA Style” presented by champion innovator Mr. Geoffrey Fowler, Director and Managing Editor of the World Intelligence Review (WIRe).
• Many breakout sessions are scheduled, including a wide range of mission-focused topics and advanced technology deep dives. I personally plan on hitting the ones on Hadoop (of course, since “Big Data” is an issue we should all be accelerating into our enterprise). I’ll also attend the “Data Center for the Future” talk since DoDIIS planners are always at the forefront of datacenter design and I’m sure I’ll pick up some good tips there.  I also noticed a breakout on the “Egyptian Revolution and Twitter” that might be insightful.

I hope to run into about 2000 of my friends at the event. I’ll also be blogging a bit from there, as will Ryan Kamauff and Chris Barnes.  And look for us on Twitter as well. We are at: @bobgourley, @Ryan_Kamauff, @ChrisBarnesCP

And, consider this a pre-announcement: we are putting the finishing touches on a site meant to pull together our evals of DoDIIS technology and twitter feeds/etc during the event. Find it at http://dodiistech.com

For more details and to register see: http://www.ncsi.com/dodiis11/index.html

Here is the DoDIIS agenda:

Sunday 1 May

Evening reception/strategy sessions/networking.

Monday 2 May

0750 – 0800

Announcements

0800 – 0830

Keynote Speaker

Mr. Grant M. Schneider Deputy Director for Information Management and Chief Information Officer, Defense Intelligence Agency

0830 – 0915

Secure Collaboration — Technology to Support the Mission

Mr. John “Mike” McConnell Executive Vice President, Booz Allen Hamilton

0915 – 1000

Networking Break/Technology Exposition

1000 – 1045

Keynote Speaker

Lieutenant General Ronald L. Burgess, Jr.Director, Defense Intelligence Agency

1100 – 1145

Vulnerabilities of Wetware Professor Robert Axelrod Walgreen Professor for the Study of Human Understanding, University of Michigan

1145 – 1300

Networking Break/Technology Exposition/Lunch

1300 – 1345

Breakouts / Learning Labs

1400 – 1445

Breakouts / Learning Labs

1445 – 1545

Networking Break/Technology Exposition

1545 – 1630

Breakouts / Learning Labs

Tuesday 3 May

0750 – 0800

Announcements

0800 – 0845

The Real Business Value of IT: How CIOs Create and Communicate Value

Mr. Richard Hunter Vice President Distinguished Analyst, Gartner

0845 – 0930

Disruptive Innovation in Computing, and Mission Impact in the Next Decade

Mr. David McQueeney Vice President of Software Research, IBM

0930 – 1030

Networking Break/Technology Exposition

1030 – 1115

Breakouts / Learning Labs

1130 – 1215

Breakouts / Learning Labs

1215 – 1330

Networking Break/Technology Exposition/Lunch

1330 – 1415

Potential for Two-Way Collaboration

Mr. Terry Kline Vice President and Chief Information Officer, General Motors

1415 – 1515

IC Executive Board: Integrating the Intelligence Mission through Technology

Moderator:
Mr. Al Tarasiuk Assistant Director of National Intelligence and Chief Information Officer, Intelligence Community

Panelists:
Mr. James Beagles Acting Director, Chief Information Officer, Department of Homeland Security

Mr. David DeVries Principal Director, Office of the Department of Defense Chief Information Officer, Under Secretary of Defense for Intelligence

Mr. Dean E. Hall Associate Executive Assistant Director and Deputy Chief Information Officer, Federal Bureau of Investigation

Mr. Kelly A. Miller Deputy Chief Information Officer, National Security Agency/Central Security Service

Mr. Paul E. Muench Deputy Chief Information Officer, National Geospatial-Intelligence Agency

Mr. Grant M. Schneider Deputy Director for Information Management and Chief Information Officer, Defense Intelligence Agency

Mr. Neill Tipton Director, Information Sharing and Partner Engagement, Department of Defense

Ms. Jill Tummler Singer Chief Information Officer, National Reconnaissance Office

Ms. Jeanne C. Tisinger Chief Information Officer, Central Intelligence Agency

1515 – 1615

Networking Break/Technology Exposition

1615 – 1700

Breakouts / Learning Labs

Wednesday 4 May

0750 – 0800

Announcements

0800 – 0845

Unifying Intelligence Strategies — The Central, Critical Node to Achieving Integrated Intelligence

Mr. Robert Cardillo Deputy Director for Intelligence Integration, Office of the Director of National Intelligence

0845 – 0930

Innovation in Information Sharing — CIA Style

Mr. Geoffrey K. Fowler

Director and Managing Editor, World Intelligence Review (WIRe), Central Intelligence Agency

0930 – 1030

Networking Break/Technology Exposition

1030 – 1130

Services Panel: Secure and Collaborative Intelligence to Support the Warfighter

Panel Moderator: Mr. James R. Martin Director, ISR Programs, Office of the Under Secretary of Defense (Intelligence)

Panel Members:

Mr. Robert “Bo” T. Martin Deputy Director, ISR Capabilities, U.S. Air Force

Mr. Gregory B. Palmertree Chief Technology Officer, Marine Corps Intelligence

Ms. Lynn Schnurr Senior Technical Advisor, Army Intelligence Chief Information Officer, Information Management, Deputy Chief of Staff, G2 Headquarters, Department of the Army

Mr. Jack Y. Gumtow Chief Information Officer, Office of Naval Intelligence

1130 – 1215

The Path to Secure and Agile Cloud Computing

Mr. Michael Capellas Chairman and CEO, VCE, The Virtual Computing Environment Company

1215 – 1315

Networking Break/Technology Exposition/Lunch

1315 – 1400

Breakouts / Learning Labs

1415 – 1500

Breakouts / Learning Labs

1500 – 1545

Networking Break/Technology Exposition

1545 – 1630

Breakouts / Learning Labs

Thursday 5 May

0750 – 0800

Announcements

0800 – 0845

NIST Cloud Computing Program: Useful Information for USG Cloud Adopters

Ms. Dawn Leaf Senior Advisor, National Institute of Standards and Technology Information Technology Laboratory and Senior Executive for Cloud Computing

0845 – 0930

Keynote Speaker

Mr. James Stout Senior Director, DoD Customer Executive, Avanade Federal Services

0930 – 0945

Networking Break

0945 – 1030

Intelligence Studies: What Academia Provides

Professor James Breckenridge Dean of the Walker School of Business and Chair of the Department of Intelligence Studies at Mercyhurst College

1030 – 1100

Related articles

• Technology Firms at the DoDIIS Worldwide (ctovision.com)
• 2011 DoDIIS Worldwide Conference (ctovision.com)
• DIA CIO Grant Schneider Highlights Cloud Computing (blogs.forbes.com)
• Government Eyeing Security Technology To Prevent Another Wikileaks (informationweek.com)
• Leaks a “Serious Problem” for Defense Intelligence (fas.org)

Vance Hitch, Department of Justice’s CIO, recently sat down with FedScoop and discussed his cybersecurity efforts.  DoJ has a phased approach to cybersecurity.  Included in these issues needed to be addressed are data loss prevention and insider threats. The results are some great context in video.

Mr Hitch was also kind enough to add some words on cloud adoption.  As a large contributor to FedRAMP, he is working to provide guidance and identify controls for cloud programs. Mr Hitch is one of the people in federal IT who is definitely worth noting.

The clip of his discussion with Fedscoop is presented below:

httpv://www.youtube.com/watch?v=Qh_kK6lU1rU

The following bio of Mr. Hitch is from the DoJ website:

e-government, and user computing. He has served as the Chief Information Officer of the Department of Justice since April 2002.

Prior to coming to the Department of Justice, Hitch was a Senior Partner with Accenture. His projects there included the development of the IT Strategic Plan for the State of Maryland and a comprehensive re-engineering and automation of the City of Philadelphia’s Records Department. Other government organizations that he worked with include the Department of State, the National Security Agency, the Central Intelligence Agency, the Department of Defense, the Department of Justice, and multiple state and local governments. Altogether he devoted 28 years as a consultant to leading government organizations successfully through major change initiatives.

Hitch earned a Masters of Systems Management from George Washington University in 1973 and a Bachelor of Science in Physics from Muhlenberg College in 1967. He served in the United States Navy from 1969 -1973, attaining the rank of lieutenant.

Related articles

• The Government CIO 50: Vision, Influence, And Results (informationweek.com)
• Keeping Focus on Mission IT at ODNI CIO (ctovision.com)

You may also like -

Vance Hitch: One of the enterprise IT's greatest

I’ve previously written about some of the challenges of IT support in the national security space. Leaders have to balance competing mandates of mission support and security and have to do that in an environment constrained by resource limits and slowed by layers of oversight. One of the most challenging positions in the national security space is the CIO job at the Office of the Director of National Intelligence. This position is complicated because it is mandated to drive change over organizations where budgets and missions are frequently under competing pressures. It takes really savvy professionals to make a positive difference in this environment.

One of my favorite IT leaders just departed after an incredibly successful stint there. Priscilla Gutherie held this appointed position during a time of incredible chaos and she brought sanity and created an environment of continuous improvement. Priscilla is a leader with class and an ability to hold knowledge of huge enterprise architectures in her head. I think that comes from her experiences as a program manager and VP at TRW and her system engineering experience, but part of it is just because she is smart. Many of us were concerned when her tour at ODNI was up since we need mission focused thinkers like her in positions like the ODNI CIO. Little did I know, but the person the President named to fill her shoes would be Al Tarasiuk, a person who’s career has demonstrated, again and again, an ability to focus IT on mission needs to get things done (I’ve previously written about Al here: http://ctovision.com/2008/08/cia-it-leaders-are-world-class-it-leaders ).

Thanks Priscilla, on behalf of all of us who know what you did.

And thanks to you Al, for accepting the challenge of a position few others could tackle. We all wish you the best of luck as you address this very dynamic/challenging position.

Below is the text from the ODNI press release:

FOR IMMEDIATE RELEASE ODNI News Release No. 5-11
February 16, 2011

From: http://www.dni.gov/press_releases/20110216_release.pdf

PRESIDENT OBAMA TO APPOINT NEW CHIEF INFORMATION OFFICER
OF THE INTELLIGENCE COMMUNITY

President Barack Obama announced today his intention to appoint former CIA Chief Information Officer Al Tarasiuk as the chief information officer of the Intelligence Community.

“Al is well known for his leadership in information sharing and intelligence integration, and his experience, distinguished career and dedication to duty will greatly benefit the entire Intelligence Community,” said Director of National Intelligence James R. Clapper.

Tarasiuk served as CIA’s CIO from 2005 to 2010, and was director of the CIA’s Information Service Center prior to that.

He holds a bachelor’s degree in electrical engineering from the New Jersey Institute of Technology and a Master of Science from The George Washington University.

The CIO’s office is responsible for establishing common information technology standards across the Intelligence Community and for directing and managing all IT related procurement for the IC. The CIO is also tasked with developing IT architecture to support information sharing policies and objectives throughout the Intelligence Community.

==========================

Here is Al’s bio, from http://www.afceadc.org/events/bios-presentations/bio-al-tarasiuk/

Chief Information Officer
Central Intelligence Agency

Al Tarasiuk was appointed the Chief Information Officer of the Central Intelligence Agency on 1 October 2005.  His responsibilities span CIA’s global IT enterprise.  Before becoming CIO, Mr. Tarasiuk was the director of CIA’s Information Services Center.  In this role, he had responsibility for development, deployment and operational support of the CIA global information technology infrastructure.  Mr. Tarasiuk reports directly to the Director of the Central Intelligence Agency and is a member of the CIA Corporate Board.

Mr. Tarasiuk began his career in the federal government in 1986 as an electrical engineer developing and implementing RF systems.  He advanced quickly as a technical manager, program manager, and senior executive, serving in roles of increasing responsibilities and providing strong leadership, vision and delivering strategic IT solutions.

Mr. Tarasiuk holds an undergraduate degree in electrical engineering from the New Jersey Institute of Technology and a M.S. in Engineering Management from the George Washington University.

Related articles

• CIA CIO To Head IT For Intelligence Community (informationweek.com)
• In-Q-Tel Technologies/Capabilities Highlighted (ctovision.com)
• Cloudera Secures Investment and Technology Development Agreement From IQT to Support U.S. Intelligence Community (ctolabs.com)
• Endeca Government Summit: Important context on a key mission area (ctovision.com)

You may also like -

A few minutes with Justice's CIO, Vance HitchCalling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...Is the Instant-On Enterprise Right for You?FBI CIO Chad Fulgham: Delivering Real CapabilityPrediction: BlueCat Networks is one you should watch

Forbes ran a nice piece on In-Q-Tel.  The article is worth reading in its entirety.  Here is a link: Startups Backed By The CIA.

The In-Q-Tel mission is to identify, adapt and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and the broader US Intelligence Community, including the Department of Homeland Security.

As a teaser till you get around to the article, here is a list of companies in the order written about there, including a short bullet of their capability and a hot-link to their site:

• Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
• AdaptivEnergy – Capture energy from vibrations.
• Qynergy – New battery technology.
• Infinite Power Solutions – Thin-film batteries to power RFID.
• ThingMagic – Advanced RFID solutions.
• GainSpan – WiFi enablement.
• Image Tree Corp – Figure out what is growing on the earth.
• Fortius One – Advanced, easy geospatial.
• Geosemble – Map people, places, things using data from RSS feeds and tweets.
• LensVector – Taking moving parts out of cameras.
• 3VR – Video analytics.
• Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
• Visible Technologies – Analysis.
• FMS – Analysis.
• StreamBase – Capture and analyze data in stream.
• Destineer Studios – Advanced immersive environments.
• Sonitus Medical – hear from your teeth.
• Basis Technology – Search in multi-language.

(These technologies (and others) are also listed on the CTOvision.com Disruptive IT list).

Congrats to all the companies mentioned here for the great write-up in Forbes.  And congrats to forward thinkers in the intelligence community for creating a structure that enables quicker discovery of technologies of interest to your mission.  This is a win-win-win.  A win for the intelligence community, a win for companies involved, and a win for national security.

Related articles

• Startups Backed By The CIA (forbes.com)
• How the C.I.A. Perfects its Social Media Monitoring Technologies (blogs.forbes.com)
• CIA Invests In Cloud, Web Analytics Startups (informationweek.com)
• CIA Invests In Anti-Cybercrime Startup (yro.slashdot.org)
• Who is A Big Fan of ArcSight? The CIA (blogs.wsj.com)
• Cleversafe Raises $31.4 Million From Motorola, VC Firms And … The CIA? (techcrunch.com)

The Endeca Government Summit was yesterday.  The agenda included some fantastic presentations from customers who have used Endeca to address issues requiring incredible scale (billions of records) and incredible scope (including the need to discover meaning in data in milliseconds) and human-focused interfaces (including, in every solution I saw, an ability to enable humans to interact with data in ways that search never enables).

One of my personal/professional friends was on the agenda:  Howard Block of NuWave Solutions. Howard is a master of technology with computer science degrees but his real contributions to the community center around making technology work for humans.  The frameworks he has helped coordinate and implement and open widget approach he has helped the community field are all focused on users and their missions, and the success he has shown in Endeca deployments are just icing on the cake. It is great seeing great people succeed like this.  Howard briefed lessons learned from his company’s deployment of solutions to the law enforcement community, including scalable, low-cost solutions enabling discovery across multiple sources of information- all focused on mission needs.

Another fantastic speaker was Brigadier-General Kampman, Director -General, Defense Force Structure Review, Department of National Defence, Canada.  The very large scale solutions he fielded with Endeca and the ability of that solution to return results to humans in sub-millisecond time (and the ability for humans to interact with and discover results in the data) provide fantastic lessons for any seeking to solve data overload issues.

Another speaker of note was Mr. Chris Darby.  Chris is a highly regarded technology professional I have had the pleasure of learning from in the past.  His current position is as President and CEO of In-Q-Tel (the independent investment firm that identifies innovative technologies to support the missions of the CIA and the Intelligence Community).   The agenda for the conference said the following about Mr. Darby’s presentation:

“To say that every large government organization recognizes the importance of “connecting the dots” would not only be accurate – it would be an understatement. Faced with more than just text, these organizations need technologies that can help process all types of non-trivial data collection – including video, voice, and images – while overcoming issues ranging from deciphering multiple languages to dealing with “dirty data.” This information is necessary to many communities of interest, each of which has different needs and uses. Identifying technologies that can help extract meaningful, actionable insight is essential. His work with the Intelligence Community (IC) provides Mr. Darby with a unique viewpoint from which to assess the challenges and opportunities in the “connect the dots” landscape. He will provide insight into In-Q-Tel’s Connect the Dots initiative and discuss the importance of leveraging both established and emerging technologies for the effort.”

I found Chris’s presentation to be riveting, for many reasons.  One is the way he clearly articulates that calculations of “risk” in the commercial sector that end up driving many decisions in business are normally not going to translate to calculations of risk in the national security sector.  When the mission is knowing enemy intentions and stopping attacks before they occur, commercial risk models will not apply.  That dynamic has always existed in the community, but it is being highlighted even more in this period of transition to a world of more asymmetric threats.  Chris’s brief highlighted how the oft used phrase “connect the dots” can sometimes make people want to oversimplify, but really this is complex.  We are, in most cases, looking for patterns of life.  And we are doing it with incredible quantities of data.

Of the many things that must be done with “dots” (which is now a bit of a shorthand way of saying “data”), perhaps the hardest are the ability to assimilate and analyze.  This is a key contribution of Endeca.

We have written about Endeca at CTOlabs.com.  Find the write-up here: http://ctolabs.com/2010/10/endecas-mdex-engine/

A Virtualization, Cloud Computing and Green IT conference was held 26-27 October 2010 in Washington DC.

This event was provided a good mix of presenters from government and industry plus a handful of analysts/commentators/writers/journalists and bloggers.  There was also an expo which enabled firms to give demos of capabilities relevant to the topics of Virtualization, Cloud Computing and Green IT.

First a note about the conference organizers: I’ve worked with 1105 Media on several events in the past and have a deep respect for their professionalism.  They always coordinate a good show and have demonstrated an ability to treat attendees, sponsors, speakers and expo vendors with respect.  There are many expos and conferences in the DC area and we all have to prioritize and choose which ones to go to and I think the 1105 options are good ones.  I like the way they seek to keep costs low for all involved and I like the way they try to bring in a wide range of speakers.  I also like the way they post presentations after the conference (for copies of presentations from this session see: www.vcgsummit.com/presentations ).

Here are some highlights:

Doug Bourgeois, VP  and Federal Chief Cloud Executive for VMware (must be a cool job) presented a keynote on Cloud Computing and Sustainability (see:  VCG10_Keynote_Bourgeois ).  His presentation provided great context by pulling together trends and observations that helped set the stage for other conference sessions.

Henry Sienkiewicz, CIO of DISA, provided a keynote presentation and discussion that focused in on some of DoD’s approaches to the cloud (see:VCG10_Keynote_DISA ).  DoD has been out in front on the topic of Cloud for quite a while so it is good to see lessons learned being provided to others.

Ira A. (Gus) Hunt, CTO of CIA, provided a keynote focused on the topic of Cloud Computing applied to missions of advanced analytics (see: VCG10_Keynote_Hunt ).  I personally enjoyed this presentation the most, for several reasons.  One is the presentation was rightly focused on the thing all enterprise IT should be about: the mission!  The CIA has a mission and the that mission is not IT.  IT is there to create mission advantage for the agency.  This point will jump right out at you when you review Gus’s brief.  Considering the fact that other federal agencies also have missions and those missions vary greatly, this means something important for all vendors/providers of cloud capability: No one should try to sell fed tech leaders on a commercial approach to cloud without first considering the mission needs of the agency they are trying to serve.  Those missions can frequently vary significantly from what capability providers are offering.

Your humble blog editor Bob Gourley provided some context on Cloud Security and moderated a panel on that topic.  I used a couple slides from my presentation on the future of IT for that.  The entire briefing on that topic is provided here.  If you have an opportunity to review this and provide feedback I would appreciate it (see: VCG10_1 4_Gourley ).

Overall I enjoyed this conference and will seek to attend next year, and I hope to see you there.

You may also like -

Virtualization, Cloud Computing, Green IT conference 26-27 Oct, DC.Coming Conferences Of InterestSOA vs Cloud Computing: Tracking the cross-over in hypeThe Cloud and CybersecurityIs the Healthcare Industry on Life Support Without the Cloud?

The following article by renowned security capability developer Dr. Anup Ghosh was was originally posted at the Invincea blog and is reposted here with the author’s permission.

=============

Question: what is the most significant cyber event of 2010? Answer: Stuxnet.

While security analysts continue to marvel over Stuxnet’s capabilities, one disturbing aspect to Stuxnet is current defenses would not defend against the next Stuxnet type threat. This article highlights some recent approaches to out-of-band memory integrity checks that can address future Stuxnet type threats.

Background on Stuxnet

Stuxnet is the most significant example of a cyber war attack against another nation state’s critical infrastructure since the Russian gas pipeline explosion in June 1982. In the June 1982 attack, a CIA operation was launched that embedded a Trojan horse in gas pipeline regulator software the CIA knew would be stolen by the Russians. The Russians did indeed steal the software and used it in a production gas line in Russia. The Trojan horse corrupted the gas pipeline regulation which resulted in a massive explosion, initially thought to be nuclear, until later evidence showed this wasn’t the case. The incident was classified, then later released and well documented in the now infamous Farewell Dossier.

Stuxnet was designed as a file-based worm that targeted a specific Siemens industrial control system (ICS) with the intention of disrupting the process it was controlling possibly with catastrophic consequences. While there has been much speculation about the specific process that was targeted, including nuclear power or uranium enrichment plants in Iran, there has been no published definitive conclusion as to the actual intended target.

The Uranium enrichment plant in Natanz Iran is speculated to have been a target of Stuxne

The Uranium enrichment plant in Natanz Iran is speculated to have been a target of Stuxnet.

What makes Stuxnet a watershed event in Cyber Warfare is the level of sophistication in the design of the worm indicates significant resources and expertise were needed to design and release the worm. In other words, this isn’t your father’s Oldsmobile worm. The most significant indicators of a state-sponsored cyber threat are the exploitation of multiple Odays (vulnerabilities not previously known or disclosed by the software vendor) to execute the attack, two different target platforms — Windows and Siemens — needed to execute the attack, and the specific domain knowledge of the target system that was required for the worm.

Zero-days, or Odays, are discovered by certain private sector security firms, software vendors, hacker groups and government agencies. They are highly prized, carefully guarded and are discovered as the result of pain-staking hard work by experts in software analysis and reverse engineering. Accepted rules of responsible disclosure tend to guide private sector firms to disclose Odays to the affected software vendor in return for credit or remuneration, or barring that, disclosure to the general public if the vendor is non-responsive or the firm is looking for publicity. The other players play for keeps, meaning if they conceal Odays it’s because they will exploit them for financial gain or national security interests.

What’s more telling about the designers of Stuxnet is the specific domain knowledge required to implement the attack against the Siemens Control System and its programming language, Step 7. While there are many groups versed in Windows libraries, how the Windows operating system works, C/C++, and reverse engineering, there is a much more limited set with the domain knowledge of this Siemens industrial control system, and a much, much smaller subset that has knowledge of both. In other words, it would take fairly significant resources to plan, assemble the team, design the exploits, have access to Odays, test, get intel on the target plant, put people in place with access, then run the op. My WAG is this would require a 1 to 2 year program with roughly $10M -$20M in resources to pull off. And this would follow previous significant investments in developing the skill sets, technologies, Odays, production engineering discipline, and weaponization techniques and CONOPS that would have needed to be developed over a multi-year duration. This puts it almost exclusively in the realm of nation states, or extremely well-funded transnational terrorist groups that mostly you see in James Bond films.

Having made the case for state-sponsored cyber warfare, there are two troubling aspects to the state-sponsored argument for Stuxnet. First, that it got caught. Most state-sponsored offensive cyber ops don’t get caught to be subsequently analyzed in the public domain for all to see the methods and Odays employed. That’s bad for business as it shows your adversaries your capabilities and methods while disclosing Odays that will no longer be Odays. Second, while the targeting was narrow in one sense — a particular Siemens ICS — it was very broad in another sense — almost all Windows machines were vulnerable and would get infected if they came in contact with the worm. Not surprisingly, the worm has infected hundreds of thousands of machines over many countries. This is not normal modus operandi for state sponsored cyber ops, not only because it means the attack will almost certainly be discovered, but also because of potential blowback. Blowback can come from the worm itself by infecting machines in the sponsoring nation’s critical infrastructure, or political blowback from launching this type of visible attack. I haven’t been able to reconcile the facts of the case except for possibly really sloppy Ops by a distressed/desperate nation.

Instead of re-hashing how Stuxnet works, please see the following articles and blogs for good background summary on Stuxnet:

• InformIT (summary article by Gary McGraw based on a presentation from Ralph Langner)
• Wired (summary article)
• Jason Syversen’s Blog.

More detailed technical information on the inner workings of Stuxnet can be found on these blogs:

• Ralph Langner, the German national experienced in Siemens Control Systems, who has analyzed the attack code in detail
• Symantec Blog where more detail on the Microsoft Odays that were exploited — including video — are described.

Although there is overlap in these blogs,  there is also detailed information for the technologist who wants to understand this at a technical level

Implications of Stuxnet

If you’ve read any of the security blogs above, you’ll see there is much hyperventilation going on in security circles over this attack. Curiously enough this is almost reverse of what we’ve seen in the past. Mainstream media will typically over-hype the security impact of the latest vulnerability or threat while security pros tend to be far less impressed. In the case of Stuxnet, we’ve seen serious security pros and researchers breathless over the sophistication of the Stuxnet threat, and the mainstream media is beginning to catch on, albeit cautiously.

The most significant implication of Stuxnet is that it demonstrated there are serious actors out there waging offensive cyber warfare against critical infrastructures. It also signaled the hacker and private sector community that they have much to learn from the state-sponsored groups who demonstrated they play on a different level while revealing some of their tactics and techniques. The upshot is Stuxnet is a real demonstration of actual cyber warfare that can and likely will be waged against any country’s — including the US’s – critical infrastructure. And clearly the players are playing for keeps. This is not unlike the history of the US setting off nuclear weapons on remote atolls to test them — which also signaled the rest of the world not to mess with the US. In the case of Stuxnet, no one has credibly claimed responsibility, so the cyber deterrence effect — if there is any to be had here, and I’m not convinced there is a valid doctrine of cyber deterrence — hasn’t been played.

For the US, this event will sharpen the active debate around Cyber Warfare. Once this attack and threat becomes better understood by mainstream media and the public, the US Congress, US Cyber Command, security companies, and other vested stakeholders will have all the evidence they need to mount a serious political assault against the White House, DHS, the Critical Infrastructure Providers, and others responsible for security of the nation to take action against the cyber threat, rather then letting the agenda slide to the right on the calendar. In other words, the genie is now out of the bottle and it can’t be put back in.

Defending Against Stuxnet

So you’re reading this and thinking, “great, more hyperbole, fear, uncertainty and doubt. You’ve got my attention, but where’s the solution?” First, let’s look at the conventional solutions that any security professional would tell you is necessary and see how well they work against the Stuxnet type threat.

1. Isolate command and control networks from shared public networks. Architecturally, this is a must do. Too many critical infrastructures share command, control, and telemetry over the Internet or other shared public network. Running command and control over shared public networks is more convenient and cost-efficient, but leads to significant risks. In the case of the target of Stuxnet, which is still unknown, we don’t know if the industrial control system was on a shared public network. For Stuxnet it would not have mattered, however, because the attack apparently was a “close-in” attack via a USB stick to infect a machine on the network — private or public.

2. Passwords and access control. Employing passwords and access control is like dental flossing regularly. People like to talk about how important it is, but nobody does it. Many of the problems you read about in SCADA networks start with a lack of access control and poor passwords. It’s so pedestrian that most people think SCADA security isn’t all that interesting, at least before Stuxnet. In the case of Stuxnet, even good passwords and access control would not have stopped it, however. The reason is a computer account with proper credentials is infected. Once infected, the authorized user account is able to access the Siemens ICS so even rigorous passwords and access control features would not have stopped Stuxnet.

3. Patching and compliance. Implementing a rigorous patching regime for security compliance is now gospel among practicing security professionals. Most security professionals have been trained their security program revolves around timely patching and compliance to regulations or guidelines for secure configuration control. Let’s assume that victim computers in the Stuxnet attacks were fully patched. Would it have stopped the attack? No. Oday exploits were used in the attack, which means the vulnerability wasn’t known, let alone a patch available to be applied.

4. Anti-virus updates. Again this is standard gospel distributed by the security industry. Everyone knows that you need to have the latest and greatest virus definitions on your endpoints. Again because these attacks were unknown at the time of attack, a fully updated anti-virus product would not have detected them. Some recent news revealed that StuxNet was able to re-infect “cleaned” systems because it actually injected its code in every single Step 7 program on the PC so that when anyStep 7 program was open or run, the computer got re-infected. This also shows traditional anti-virus model isn’t able to effectively restore infected systems to a clean state.

5. Intrusion detection/prevention systems. The same applies for intrusion detection and intrusion prevention systems as for anti-virus products. None of these would have stopped the attack, because these products are primarily signature driven and there were no exploit signatures available to detect Stuxnet at the time of its release.

So where does this leave us if none of the standard defenses work?

Out of Band Integrity Checks
The one thing that really stands out at me about Stuxnet is that it replaced the logic on the target control system with its own logic. Since this process control logic is mission and sometimes life-critical, and typically rigorously QA’d and tested prior to deployment, it’s remarkable to me that integrity checks are not performed on this logic. Even if the PLC designers were not aware of a malicious code threat, unintended changes to logic through memory corruptions and human error can have similar consequences, so integrity checks on critical logic are, well, critical.

The most appropriate defense against Stuxnet types of attacks are integrity checks of the core operating system software and libraries that run on the PCs and the PLC logic on the controller. While this may sound straightforward, it is anything but easy. One of the key requirements for defensible integrity checking is that it is performed out of band. In other words, the logic doing the checking should not be running in the same context as the potentially compromised system, where “context” here is operating system in the case of the PC. For instance, if your integrity checker is run by the operating system that it is checking, then its measurement is entirely unreliable. Instead, it needs to be performed by a different system.

One such approach was recently developed and published by researchers at George Mason University’s Center for Secure Information Systems. The approach and technology called HyperCheck was published in September in the Recent Advances in Intrusion Detection (RAID) Symposium in Ottawa Canada. HyperCheck uses an out-of-band network card utilizing the CPU’s System Managed Mode (SMM) to check the integrity of core libraries on the target system, including hypervisor code and the host operating system kernel. It grabs the complete state of the machine on a periodic or randomized basis using SMM, then sends this state off machine to a cloud-based service for integrity checks. As such the computation is efficiently performed off site in a cloud, which makes it both efficient, scalable, and secure against attacks from the compromised machine. At no point is the operating system of the host — which might be compromised — used to convey the measurement. As a result, this approach can check for unauthorized changes to core logic — including Windows DLL libraries, core operating system services, hypervisor code, and potentially other mission critical code like PLC logic on a target system — without placing inherent trust in those possibly compromised systems. The details are presented in the paper along with measurements of its efficiency and efficacy against kernel-level rootkits.

While this is no silver bullet solution — and if you are looking for one, you don’t understand how this game is played — it is a step in the right direction that can address the types of threats that Stuxnet has demonstrated.

Related articles

• Computer worm used against Iran was tested in Israel (seattletimes.nwsource.com)
• Iran’s nuclear program and a new era of cyber war – Los Angeles Times (news.google.com)
• Stuxnet attacks on Iran creating a backlash – Pakistan Patriot (news.google.com)
• Did a U.S. Government Lab Help Israel Develop Stuxnet? (wired.com)
• Development and testing of the Stuxnet worm (nytimes.com)
• NYT: Yep, Stuxnet is a joint U.S./Israeli project – ordered by Bush (hotair.com)
• Israel’s Dimona Nuclear Facility Splits Time as Cyberweapon Testing Ground [CyberWarfare] (gizmodo.com)
• NYT: Israel’s Stuxnet test led to Iran nuke delay (msnbc.msn.com)
• How Israel’s covert uranium enrichment programme sabotaged Iran (blogs.nature.com)
• Evidence builds that Stuxnet worm was aimed at averting war over Iran’s nuclear weapons (venturebeat.com)

You may also like -

The Debut of Invincea: New endpoint protection against malwareInvincea Webinar Will Help You Stop Spear Phishing ThreatsEnterprise Technology Developments in 2010 and 2011Invincea Browser Protection Eliminates Web2.0 Security RisksAnup Ghosh on Cybersecurity in 2012: Let’s break the security insanity cycle

I’ve just received word that Dawn Meyerriecks, one of the great’s of American technology, has just returned to federal service. Dawn has delivered real capability into some of the nation’s largest, most complex enterprises. And she has built communities of technologist as she did that, giving many of us someone to look up to and attempt to model themselves after.

I feel really good about the choice of Dawn for this incredibly demanding position.  The intelligence community needs her at a time like this.

For more, see the DNI press release, which I’ll post below:

Director of National Intelligence Dennis C. Blair announced today that he has selected Dawn Meyerriecks, an expert in technology and operations management, to be the new Deputy Director of National Intelligence for Acquisition and Technology.

Meyerriecks has extensive experience in designing, building and fielding intelligence and information technology solutions for the government and private industry.  She was formerly the Defense Information Systems Agency (DISA) chief technology officer and the senior vice president for AOL Product Technologies.

“Dawn is well respected for her work in designing, acquiring and delivering effective intelligence and information systems for the Department of Defense, and for providing some of the best commercial products for the public and private sector,” Blair said.  “Her understanding of the entire end-to-end process of acquisition will help us deliver state of the art technology efficiently and when it is needed to maintain our advantage over our adversaries.”

The DDNI for A&T is the DNI’s senior acquisition executive and science and technology advisor responsible for integrating science and technology across the IC enterprise, and for ensuring excellence in achieving cost, schedule and performance in acquisition.  The office also is responsible for generating and developing research and development advances capable of transforming U.S. intelligence, and providing intelligence advantage over future adversaries.

“Dawn will help us keep pace with the leading edge of technology which is critical to the IC’s ability to deliver better intelligence,” Blair added.

The recently published 2009 National Intelligence Strategy places emphasis on science and technology and research and development by leveraging the explosive pace of technological innovation to improve the IC’s productivity, effectiveness and agility for the entire community.

Since 2006, Meyerriecks has worked as an independent consultant for government and commercial clients. Previously, she was the senior vice president for AOL Product Technologies where she was responsible for full lifecycle development and integration of all consumer-facing AOL products and services, including the relaunch of aol.com, AOL Instant Messenger, and the open client platform.

Prior to AOL, Meyerriecks worked for seven years beginning in 1998 at DISA where she was the CTO and technical director for the Joint Interoperability and Engineering (JIEO) Organization.  Her last assignment was to charter and lead a new Global Information Grid Enterprise Services (GIG) organization.  Meyerriecks worked at the Jet Propulsion Laboratory from 1983 to 1998 as a senior engineer and product manager before her tenure at DISA.

Meyerriecks holds a Bachelor of Science Degree in Electrical Engineering from Carnegie Mellon University with a double major in business and management science, and a Master of Science in Computer Science from Loyola Marymount University.

She co-chaired a soon-to-be-released acquisition reform study for the National Academy of Sciences, and has served on advisory boards to the National Counterterrorism Center, Sun Federal, Cranite Systems, and the Defense Science Board Summer Studies.

Meyerriecks holds numerous honors and awards for her government service work and for work in private industry including the Government Computer News, Department of Defense Person of the Year for 2004; InfoWorld, 2002 and 2001 CTO of the Year; CIO Magazine, 2002 20/20 Vision Award; Business Week 2.0, 20 Young Execs You Need to Know, 2001; Federal Computer Week, 2000 Top 100 of the year for the government sector; the Presidential Distinguished Service Award, November 2001; the Senior Executive Service Exceptional Achievement Award in 1998, 1999, 2000, 2002 and 2003; and the National Performance Review in August 1996. In November 2001, she was featured in Fortune magazine as one of the top 100 intellectual leaders in the world.

The next big Gov2.0 event is the 21-22 July 2009 Open Government & Innovations Conference (OGI).  The list of speakers includes some of the greats from the federal IT scene, including:

• Vivek Kundra, Federal CIO
• Aneesh Chopra, Federal CTO
• Tim O’Reilly, Visionary of the Web2.0 movement
• David Weinberger, Berkman Center for Internet and Society, Harvard Law School
• David Wennergren, ASD NII and DoD CIO
• Michael Wertheimer, CTO, ODNI
• Lovisa Williams, Senior Technology Advisor, State Department
• Robert Carey, CIO, USN
• Colleen Coggins, Architect, Department of Interior
• Sean Dennehy, Intellipedia and Enteprise 2.0 Evangelist, CIA
• Mary Davie, Assistant Commissioner, GSA
• Debra Fillippi, Information Sharing Executive, DoD
• Jack Holt, Strategist for Emerging Media, DoD
• Jeffrey Levy, Director of Web Communications, EPA,
• Col Robert Morris, US Army

Topic, besides some incredible keynotes, include Web2.0 and National Security, Cross Agency Collaboration, Health IT, Openess and Information Sharing, Citizen Engagement, Transparency, Data Visualization and many others.

I’ll be speaking on a panel at 10:15 on the 21st on the topic of Web2.0 and National Security.  Panelists include Mark Drapeau, a published expert on the topic, Lin Wells, one of the most influential people in the national security space, and Lewis Shepherd of Microsoft’s Institute for Advanced Technology in Government.  I enjoy learning from all these guys and think they will make a good panel.  I’m wondering how they will respond to a new thesis I’m working on: the observation that just because you give Web2.0 tools to people it doesn’t mean they will use them.  We learned a similar lessons with information sharing.  Just because you connect everyone and give them interoperable tools does not mean they will collaborate.  They have to want to collaborate. If that thesis is correct, then giving everyone in the national security community access to web2.0 tools inside their firewall or not, will not mean the culture will change.  Those that want to collaborate and share will make great use of those tools.  Those that don’t want collaborate and share will not.  This means web2.0 will not make a difference for national security till we work some big cultural issues in the community (maybe that is just a blinding flash of the obvious.  Maybe that is a point of this conference).

Please check out the conference at opengovinnovations.com

Cheers,
Bob

You may also like -

Vivek Kundra's Retirement Reception and the Role of the Federal CIOCTOs: Provide your inputs on how the government will implement cloud computin ...Enterprise Technology Developments in 2010 and 2011Federal Cloud Computing StrategyThe Cloud and Cybersecurity