
Boot The Warrior Off Our Internet

06/08/10

Permalink 05:52:35 am by linux, Categories: Creative_Commons, Internet, Internet, Cybersecurity

Originally Published October 31, 2009; Last Updated June 08, 2010; Last Republished June 08, 2010:

Nations are beginning their foray into the "weaponization" or "militarization" of our open Internet and will continue unless stopped.

Some steps we can take:

  • First, prohibit by international convention the weaponization or militarization of our Internet.

    The warriors can roll out and use their own independent networks, or better yet learn to stop fighting; and

  • Second, begin developing a working knowledge of our Internet's infrastructure and terminology; and
  • Third, begin all your Internet security discussions with a crystal clear and detailed understanding of what "asset" is proposed for protection. You will often discover a ton of security is proposed to secure zero or one gram of assets.

    If the "asset protection" discussion or analysis cannot take place transparently and in public, as our warriors will often assert, then the asset does not belong on our Internet.

  • Fourth, develop a working understanding of the trade-offs between an open and secure Internet.

    Seek a minimum level of security and maximum level of openness; and

  • Fifth, do not accept as inevitable the weaponization or militarization of our Internet.

    Our warriors are moving to our open Internet because it's relatively cheap warfare.

    But it does not follow that we must therefore permit them to harden, ruggedize, or close our Internet. We can boot the warriors off our Internet.

Web:

  • UPDATED 06/08/2010 Some reassuring words among a lot of not so reassuring words from the Commander of CyberCom. We need the logic for ensuring non-infringing missions, in addition to the top-level reassuring words:

    "...We will partner with all departments and agencies. We will actively engage all branches of government. And we will exercise our powers and responsibilities under laws and ways designed to ensure that we are truly protecting, not infringing, the privacy and civil liberties of our fellow citizens...."--General Keith B. Alexander speaking @ CSIS on June 03, 2010--

    Hopefully the General was engaging in self-deprecating humor when saying he's a general not a reader.

    Whether the General reads or not he likely knows that network security is primarily a function of hardware architecture; protocol definition and implementation; well structured, written, and configured software; and experienced and capable system and network engineers and administrators (Army roaming not required or desired).

    Telling us that DoD has seven million machines behind 15,000 networks that are probed 250,000 times per hour only hints at exposure.

    Generally (weak pun) it's not the probes you can count that are the problem—making sure you're detecting and thus counting all the probes is a significant challenge.

  • UPDATED 06/06/2010 Reuters, U.S. faces remote sabotage cyber danger: general

    Operating, maintaining, and building secure nodes for some critical Internet infrastructure does not require providing our military components free roam of our Internet!

    "...our Department of Defense must be able to operate freely and defend its resources in cyberspace,..."--National Security Agency/Central Security Service Director General Keith B. Alexander--

    Wonder what "its resources in cyberspace" means—what exactly is our new Cyber Command's operational mission, domain, authority, and procedures?

  • UPDATED 04/15/2010 NYT, Cyberwar Nominee Sees Gaps in Law and SASC, Lieutenant General Keith B. Alexander

    "...mismatch between our technical capabilities to conduct operations and the governing laws and policies."--Lieutenant General Keith B. Alexander--

    So..., what's the punch line general?

    Is the general asserting there should be parity between our military technical capability and law or policy? Or is the general complaining that law and policy are throttling the military, as they are often intended to do? Or ?

    • UPDATED 04/27/2010 EPIC, EPIC v. NSA.

      EPIC has filed a FOIA request for Alexander's heavily redacted written responses to senators' questions.

  • UPDATED 03/05/2010 Wired ThreatLevel, White House Cyber Czar: ‘There Is No Cyberwar’

    White House cyber-czar Howard Schmidt calls cyber-war an unfortunate metaphor; so is cyber-czar and white house.

  • UPDATED 03/03/2010 Wired ThreatLevel, U.S. Declassifies Part of Secret Cybersecurity Plan and WH, The Comprehensive National Cybersecurity Initiative
  • UPDATED 12/13/2009 NYT, In Shift, U.S. Talks to Russia on Internet Security and UPI, U.S., Russia discuss cybersecurity.
  • UPDATED 12/04/2009 EPIC, EPIC Files Appeal for NSA Policy on Network Surveillance.

    Electronic Privacy Information Center (EPIC) is seeking FOIA disclosure of National Security Presidential Directive (NSPD) 54, Cyber Security and Monitoring dated January 08, 2008.

    EPIC's FOIA request is in the administrative appeal stage and will likely end up on the EPIC FOIA Litigation Docket.

  • UPDATED 11/18/2009 Government Information Security, Einstein 3 Privacy Concerns Voiced

Some Useful Terms to Know (from US-China Economic and Security Review Commission Report on the Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation (1M pdf)):

  • Backbone – A primary transit network or series of networks, designed to carry data between different local area networks. A backbone generally has greater data carrying capacity, or “bandwidth”, than the networks connected to it. The Internet Backbone is the interconnection of high-speed networks, primarily government, commercial telecommunications and academic networks that route data for public Internet users.
  • Backdoor – A method of regaining remote control of a victim’s computer by reconfiguring installed legitimate software or the installation of a specialized program designed to allow access under attacker-defined conditions. Trojan horse programs and rootkits often contain backdoor components.
  • Black hat - A computer hacker who is intent on causing damage or taking other unauthorized or illegal actions against a victim.
  • C2 – Command and control. The term, in the context of computer network operations, often describes a communications method or a component thereof to maintain remote control of an operational asset, such as a compromised computer.
  • Coder – A computer programmer or one who writes computer programming language code.
  • Computer Network Attack (CNA) – Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. (See: http://www.dtic.mil/doctrine/jel/new_pubs/jp3_13.pdf).
  • Computer network defense (CND) – Actions taken through the use of computer networks to protect, monitor, analyze, detect and respond to unauthorized activity within information systems and computer networks.
  • Computer network exploitation (CNE) – Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks (See: http://www.dtic.mil/doctrine/jel/new_pubs/jp3_13.pdf).
  • Computer network operations (CNO) - Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations (See http://www.dtic.mil/doctrine/jel/new_pubs/jp3_13.pdf).
  • Distributed denial of service (DDoS) – A class of attacks that results in the exhaustion of computing or communications resources by engaging many intermediate computers to simultaneously attack one victim. These intermediate attack systems are often previously compromised and under the control of the attacker.
  • Electronic Warfare (EW) – Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. The three major subdivisions within electronic warfare are: electronic attack, electronic protection, and electronic warfare support.
  • File Transfer Protocol (FTP) - A standard Internet protocol implemented in FTP server and client software, including most web browsers. It is used to “transfer data reliably and efficiently.” http://www.rfc-editor.org/rfc/rfc959.txt
  • Hacker – An individual who uses computer technology in ways not originally intended by the vendor. Commonly the term is applied to people who attack others using computers. For the purposes of this discussion, hackers are subdivided as follows:

    • Script kiddies: Unskilled attackers who do not have the ability to discover new vulnerabilities or write exploit code, and are dependent on the research and tools from others. Their goal is achievement. Their sub-goals are to gain access and deface web pages.
    • Worm and virus writers: Attackers who write the propagation code used in the worms and viruses but not typically the exploit code used to penetrate the systems infected. Their goal is notoriety. Their sub-goals are to cause disruption of networks and attached computer systems.
    • Security researchers and white hat operators: This group has two subcategories: bug hunters and exploit coders. Their goal is profit. Their subgoals are to improve security and achieve recognition with an exploit.
    • Professional hacker-black hat: Individuals who get paid to write exploits or actually penetrate networks; this group also falls into the same two subcategories as above. Their goal is also profit (See: http://www.uscert.gov/control_systems/csthreats.html).
  • Hypertext Transfer Protocol (HTTP) – The message format and exchange standard used by web browsers and web servers.
  • Hacktivism – Computer hacking intended to communicate a social or political message, or to support the position of a political or ideological group. Hacktivism activities include data theft, website defacement, denial of service, redirects and others.
  • Hacktivist – An attacker who practices hacktivism.
  • INFOCON - Information Operations Condition (INFOCON) classifications mirror the Defense Conditions (DEFCON) Alert System and are a uniform system of five progressive readiness conditions, INFOCON 5 through INFOCON 1, with INFOCON 5 being a level of normal readiness and INFOCON 1 a level of maximum readiness, implemented because of severe threat or attack. As the INFOCON levels increase, elements of network functionality or services deemed lower priority or at high risk of attack may be temporarily suspended.

    Thus, CNA tools that work during a normal state of readiness may be rendered ineffective if the services or applications they exploit are turned off.

  • Information Warfare (IW) – Actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one’s own information, information-based processes, information systems, and computer-based networks (See: http://www.jpeocbd.osd.mil/packs/DocHandler.ashx?DocId=3712)
  • Intrusion Detection System (IDS) – A computer or network monitoring system that matches observations against patterns of known or suspected unauthorized activity.
  • Intrusion Prevention System (IPS) – An inline system or software that applies IDS-style logic and approves or rejects network traffic, program and data access, hardware use, etc.
  • Network Behavioral Analysis (NBA) – An intrusion detection system that models network traffic and alerts on violations of known acceptable activity. Rules can include data volume, time of day, traffic rate, communication partners, content, and other elements.
  • NIPRNET – Non-classified Internet Protocol Router Network. The unclassified network of the US Department of Defense which provides Internet access as well as interconnectivity to DoD users and facilities.
  • NTLM - A Microsoft authentication protocol that uses cryptographic hash representations of account passwords. (See: http://msdn.microsoft.com/enus/library/aa378749(VS.85).aspx)
  • PDF – File format and filename extension for Adobe Portable Document Format documents.
  • Phishing – The practice of enticing a victim to visit a website or other online resource with the intention of stealing credentials, financial information such as bank accounts, or credit card numbers. Phishing attacks generally involve an email claiming to come from a trusted entity such as a bank or ecommerce vendor, with a link to a website and the instructions to click the link and take actions once at the website.
  • RAR or Roshal Archive - A compressed file format similar in use to the more popular ZIP format. It is used to conserve storage and network resources and simplifies the movement of large sets of files. Optional encryption is available using the NIST Advanced Encryption Standard algorithm. Just as ZIP archives are created with software such as WinZip (http://www.winzip.com) and zip (http://www.info-zip.org), RAR archives are created with WinRar and RAR (http://www.rarlab.com)
  • Remote Desktop Protocol (RDP) - The communication protocol used to provide remote viewing and control of Microsoft Windows computers and applications.

    For additional information (See http://msdn.microsoft.com/enus/library/aa383015(VS.85).aspx).

  • Rootkit - A piece of software that can be installed and hidden on the victim computer without the user’s knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of vulnerability on the victim machine. Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor user actions, modify programs, or perform other functions on the targeted computer without being detected (See: http://www.uscert.gov/cas/tips/ST06-001.html).
  • Security Event and Information Management (SEIM) – Centralized collection and management of security event records from many different systems such as firewalls, IDS/IPS, antivirus software, authentication systems, etc. SEIMs may provide complex multifactor rules to alert on patterns of behavior not easily identifiable by one of the component systems alone.
  • Spearphishing – A targeted phishing attack against a select group of victims, usually belonging to a single company, school, industry, etc. “Spearphishing” is commonly used to refer to any targeted email attack, not limited to phishing.
  • Trojan horse - An apparently useful program containing hidden functions that can exploit the privileges of the user (running the program), with a resulting security threat. A Trojan horse does things that the program user did not intend. Trojan horses rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means. Then, an intruder attempting to subvert a system using a Trojan horse relies on other users running the Trojan horse to be successful (See: www.cert.org/advisories/CA-1999-02.html).
  • Tunneling - A technique to encapsulate one communication data stream inside of another, in order to extend the advantages of the latter to the former. Attackers will often tunnel a network protocol that would not be allowed to cross network boundaries inside of another that is allowed, defeating perimeter defenses (See: http://www.its.bldrdoc.gov/projects/devglossary/_tunneling.html).
  • Two-factor Authentication (T-FA) - Existing authentication methodologies involve three basic “factors”:

    • Something the user knows (e.g., password, PIN);
    • Something the user has (e.g., ATM card, smart card); and
    • Something the user is (e.g., biometric characteristic, such as a fingerprint).

    T-FA requires that a user present two of the three possible factors to the authentication mechanism. A known flaw in some T-FA systems is the server storage of a hash representation of the credentials contained on the smart card or token. With this in hand, the attacker can replay that data to the authentication system; in this case, that of the proxy server, without needing the physical card or token (See: http://www.ffiec.gov/pdf/authentication_guidance.pdf).

  • USPACOM – United States Pacific Command is one of six Unified Combatant Commands of the United States Armed Forces with an area of responsibility encompassing all territory from the US West Coast to the western border of India, and from Antarctica to the North Pole. The command presently has approximately 325,000 US service personnel.
  • USTRANSCOM - United States Transportation Command provides intermodal transportation across the spectrum of military operations. USTRANSCOM is comprised of three component commands -- the Air Force's Air Mobility Command, the Navy's Military Sealift Command, and the Army's Military Surface Deployment and Distribution Command.
  • Zero day exploit – An attack against a software vulnerability that has not yet been addressed by the software maintainers. These attacks are difficult to defend against as they are often undisclosed by the vendor until a fix is available, leaving victims unaware of the exposure.
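The rule elements listed under Network Behavioral Analysis above (communication partners, time of day, data volume, traffic rate) as a small detector run over constructed flow records. This is an added example, not code from the post or the Commission report; the record layout, the addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from any real network): time, src, dst, bytes.
# The field layout, addresses and thresholds below are assumptions for illustration.
FLOWS = [
    ("2010-06-08 09:15:00", "10.0.0.5", "10.0.0.20", 12_000),
    ("2010-06-08 09:20:00", "10.0.0.5", "10.0.0.21", 8_500),
    ("2010-06-08 09:40:00", "10.0.0.5", "10.0.0.20", 6_100),
    ("2010-06-08 11:30:00", "10.0.0.7", "10.0.0.20", 3_000),
    ("2010-06-08 02:45:00", "10.0.0.5", "203.0.113.9", 950_000_000),
    ("2010-06-08 14:10:00", "10.0.0.7", "10.0.0.20", 4_200),
]

# Baseline of "known acceptable activity": the glossary's rule elements
# expressed as explicit limits the detector checks every flow against.
BASELINE = {
    "allowed_peers": {"10.0.0.20", "10.0.0.21"},  # communication partners
    "business_hours": (8, 18),                    # time of day, local hours
    "max_bytes_per_flow": 100_000_000,            # data volume
    "max_flows_per_host_per_hour": 2,             # traffic rate
}

def parse(rec):
    ts, src, dst, nbytes = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, nbytes

def check_flows(flows=FLOWS, baseline=BASELINE):
    """Return (rule, src, dst) alerts for every flow that violates the baseline."""
    alerts = []
    per_hour = defaultdict(int)           # (src, hour bucket) -> flow count
    start, end = baseline["business_hours"]
    for rec in flows:
        when, src, dst, nbytes = parse(rec)
        if dst not in baseline["allowed_peers"]:
            alerts.append(("unknown_peer", src, dst))
        if not (start <= when.hour < end):
            alerts.append(("off_hours", src, dst))
        if nbytes > baseline["max_bytes_per_flow"]:
            alerts.append(("volume", src, dst))
        key = (src, when.replace(minute=0, second=0))
        per_hour[key] += 1
        if per_hour[key] > baseline["max_flows_per_host_per_hour"]:
            alerts.append(("rate", src, dst))
    return alerts
```

A real NBA system learns the baseline from observed traffic rather than taking it from a hand-written table, but the checks it applies have the same shape.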
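The flaw described under Two-factor Authentication above, a server that stores and accepts a static hash of the token credential, beside a challenge-response design that binds each answer to a single-use server nonce. This is an added illustration, not code from the post or the Commission report; the class names, the toy protocol and the token secret are assumptions.

```python
import hashlib
import hmac
import os

# Constructed token secret; the toy protocol and class names are assumptions
# for illustration, not any real product's design.
TOKEN_SECRET = b"constructed-token-secret-0001"

class StaticHashVerifier:
    """Weak design from the glossary entry: the server stores a hash of the
    token credential and accepts that same value on every login."""
    def __init__(self, secret: bytes):
        self.stored_hash = hashlib.sha256(secret).hexdigest()

    def verify(self, presented_hash: str) -> bool:
        return hmac.compare_digest(presented_hash, self.stored_hash)

class ChallengeResponseVerifier:
    """Hardened form: a fresh random nonce per login, the token answers
    HMAC(secret, nonce), and each nonce is honoured exactly once."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                 # unknown or already-used challenge
        self.outstanding.discard(nonce)  # single use: a replayed pair fails here
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def token_answer(secret: bytes, nonce: bytes) -> bytes:
    """What the card or token computes when shown a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def static_design_accepts_replay(secret: bytes = TOKEN_SECRET) -> bool:
    """A value captured once keeps working: the static design accepts it again."""
    server = StaticHashVerifier(secret)
    captured = hashlib.sha256(secret).hexdigest()  # value seen on the wire once
    return server.verify(captured) and server.verify(captured)

def challenge_design_rejects_replay(secret: bytes = TOKEN_SECRET) -> tuple:
    """Returns (genuine login, replay of the same pair, old answer to a new nonce)."""
    server = ChallengeResponseVerifier(secret)
    nonce = server.challenge()
    resp = token_answer(secret, nonce)
    first = server.verify(nonce, resp)                # genuine: True
    replayed = server.verify(nonce, resp)             # same pair again: False
    stale = server.verify(server.challenge(), resp)   # wrong nonce: False
    return first, replayed, stale
```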