Category Archives: Security

Toddler and Infant face arrest/charges

Bruce wrote another spot-on post on the idiocy of secret US data mining programs and the fallibility of travel info databases. The worst part about these programs is that they are apparently promoted, through any means necessary, by people who do not understand how little integrity their information will have.

So in that vein, which is worse, an individual making robbery charges against the infant of a man s/he has a grudge against, or a country putting a toddler on their no-fly list and issuing an arrest warrant?

Compare, contrast:

3-month old baby charged with robbery

The baby had been charged with robbery, extortion and banditry, said local superintendent of police Rattan Sajai.

Though the robbery in the remote village of Muzzafarpur occurred Sept. 19, the fact that a prime suspect was an infant only came to light recently when police launched their investigation, Sanjai said.

Toddler gets travel ban, arrest warrant: paper

“While going through the passport checking procedures to get on board, one of the officers on duty said they wanted to take Suhail,” Emirates Today quoted the boy’s father, Abdullah Mohamed Saleh, as saying.

“I thought he was kidding me and said ‘Take him if you want’,” he said. “He showed me a print-out of a document that said Suhail was wanted and there was an arrest warrant for him.”

Now let’s say you are in charge of writing the queries for the mining tools. How would you prevent these errors from happening?

Is such a question even relevant if no one will face accountability for data integrity?
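One way to take the question seriously, as an added example that is not part of the original post: a watch-list screen in which a name-only match never produces an automatic hit, a second identifier (date of birth) has to agree before anything is called a hit, and a match that is physically implausible (the traveler had not been born, or was an infant, when the entry was listed) is rejected with a recorded reason rather than passed to an arresting officer. The watch entries, travelers, field names and the `min_age` threshold are all constructed for illustration; no real list carries exactly these fields.

```python
"""Watch-list screening that treats name-only matches as unreliable evidence.

Added example, not code from the original post. All records below are
constructed for illustration; the field names and the min_age threshold
are assumptions about what a well-sourced entry would carry.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Traveler:
    name: str
    dob: date


@dataclass(frozen=True)
class WatchEntry:
    name: str
    dob: Optional[date]   # often missing on weakly sourced entries
    listed_on: date       # when the entry was added to the list
    min_age: int          # youngest plausible age for the listed conduct


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive name key (deliberately crude)."""
    return " ".join(name.lower().split())


def age_on(dob: date, when: date) -> int:
    """Whole years between dob and `when`; negative if not yet born."""
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


def naive_match(traveler: Traveler, entries: List[WatchEntry]) -> List[WatchEntry]:
    """Name-only matching: the behaviour the two stories above imply."""
    key = normalize(traveler.name)
    return [e for e in entries if normalize(e.name) == key]


def screen(traveler: Traveler, entries: List[WatchEntry]) -> List[Tuple[WatchEntry, str, str]]:
    """Return (entry, decision, reason) for every entry whose name matches.

    Decisions: 'hit' needs two identifiers to agree, 'review' means a human
    must decide, 'no-match' means a contradicting identifier rules it out.
    """
    results = []
    key = normalize(traveler.name)
    for e in entries:
        if normalize(e.name) != key:
            continue
        if e.dob is not None:
            if e.dob == traveler.dob:
                results.append((e, "hit", "name and date of birth both match"))
            else:
                results.append((e, "no-match", "date of birth differs"))
            continue
        # Entry carries no second identifier: check plausibility, never auto-hit.
        age = age_on(traveler.dob, e.listed_on)
        if age < e.min_age:
            results.append((e, "no-match",
                            f"traveler was {age} when the entry was listed; "
                            f"minimum plausible age is {e.min_age}"))
        else:
            results.append((e, "review",
                            "name-only match and the entry lacks a date of birth"))
    return results


# Constructed sample data (not real records).
WATCH_LIST = [
    WatchEntry("Suhail Saleh", None, date(2004, 1, 15), 16),
    WatchEntry("Ahmed Khan", date(1975, 5, 5), date(2003, 9, 1), 18),
]
TODDLER = Traveler("Suhail Saleh", date(2005, 6, 1))
ADULT_SUHAIL = Traveler("suhail  saleh", date(1980, 3, 3))
KHAN_SAME_DOB = Traveler("Ahmed Khan", date(1975, 5, 5))
KHAN_OTHER_DOB = Traveler("Ahmed Khan", date(1990, 2, 2))

if __name__ == "__main__":
    for t in (TODDLER, ADULT_SUHAIL, KHAN_SAME_DOB, KHAN_OTHER_DOB):
        print(t.name, "naive hits:", len(naive_match(t, WATCH_LIST)))
        for entry, decision, reason in screen(t, WATCH_LIST):
            print("   ", entry.name, "->", decision, "(", reason, ")")
```

The naive matcher flags the toddler exactly as the stories describe; the screen rejects him because he was not born when the entry was listed, and it still refuses to call the adult namesake anything stronger than "review", because a name alone is not evidence of identity. The reasons are returned rather than discarded so that the share of entries with no second identifier can be measured, which is the data-integrity number nobody in these programs appears to be accountable for.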

Welcome to The Trial, children…

Hip hop origins

Whenever I hear a song with a guy laying down a deep and rough bass rhyme while girls sing a liltingly melodic background, I remember the hits of Mahlathini and the Mahotella Queens (some of the best music ever made, IMHO). The similarities are very striking. Thus, I was not surprised to read that Zola’s success is bringing some to realize that “American” forms of music are rarely an invention at all, but rather an evolutionary step:

“Maybe hip hop does not come from the States,” Zola proposes. “Rhyming over a beat? Zulus and Xhosas have been doing that for a long, long time.” If that is indeed the case, then kwaito has thrown hip hop just about the most raucous homecoming bash imaginable.

And this translation shows a bit of humor in the darkness of poverty and violence, if I’m reading it correctly:

You need to be fluent in tsotsitaal, the street slang of South Africa, to understand so much as a bar, but you quickly get the gist. Like the cratered streets he grew up on, Zola’s music is littered with the scree, broken glass, spent bullet casings and other detritus of recent township wars. The music is a collection of sonic snapshots taken under fire. Umdlwembe sets the tone:

Always looking for more booze
When we leave the only people left standing will be widows
Real men die and left will be the gangsters
The gangsters will die and leave the beers

Pre-war intelligence dismissed by Bush

In 2003 someone told me about an event at the US Naval Postgraduate School that had revealed some shocking information. They said a former government official gave a speech about extensive planning and analysis done by the Pentagon following the 1990-1991 Iraq war to assess the risks of a US-led invasion. The speaker, apparently, had spent some years in Iraq and up until 1999 was working with a team that tried to gain an accurate picture of what would be required to secure the region. I remember hearing (paraphrased) “All of it was thrown out, completely destroyed, when Bush came into power in 2001. Bush’s staff wanted nothing to do with, no information left behind. All of our hard work on the ground, our research and planning, unbelievably, was simply tossed out.”

Clarke, Hart, Gingrich and others recounting how their warnings about national security risks were dismissed gave credence to the story. Otherwise I was not sure what to make of it. It was also interesting to read a few passing remarks (but no real reports on the fact) that Cheney’s wife quit the bipartisan Hart-Rudman Commission when she did not like what she was hearing. I mean, it just seems ironic that Bush’s reaction to the Hart-Rudman Commission was to task her husband with a new review. The outcome was sadly predictable. Bush himself said that terrorist threats were “not immediate” (remember, this is in the summer of 2001) and suggested that Mr. Cheney would have to set up a new task force to review the conclusions. Note that Cheney’s task force never met, perhaps because he was more occupied with rewriting the energy policy with regard to emissions and deregulation of oil companies:

Bush administration officials told former Sens. Gary Hart, D-Colo., and Warren Rudman, R-N.H., that they preferred instead to put aside the recommendations issued in the January report by the U.S. Commission on National Security/21st Century. Instead, the White House announced in May that it would have Vice President Dick Cheney study the potential problem of domestic terrorism — which the bipartisan group had already spent two and a half years studying — while assigning responsibility for dealing with the issue to the Federal Emergency Management Agency, headed by former Bush campaign manager Joe Allbaugh.

The Hart-Rudman Commission had specifically recommended that the issue of terrorism was such a threat it needed far more than FEMA’s attention.

Before the White House decided to go in its own direction, Congress seemed to be taking the commission’s suggestions seriously, according to Hart and Rudman. “Frankly, the White House shut it down,” Hart says. “The president said ‘Please wait, we’re going to turn this over to the vice president. We believe FEMA is competent to coordinate this effort.’ And so Congress moved on to other things, like tax cuts and the issue of the day.”

The administration’s distrust of anything outside the cabal is now even more stark and disturbing. The military criticism of Rumsfeld seems to be that he cruelly dismisses anyone or anything that he disagrees with. The same appears to be true of Cheney and his wife, as well as Rice:

Privately, as the strategy took form in spring and summer, the Bush team expressed disdain for the counterterrorist policies it had inherited from President Bill Clinton. Speaking of national security adviser Condoleezza Rice, a colleague said that “what she characterized as the Clinton administration approach was ‘empty rhetoric that made us look feckless.’”

Something seems terribly strange about this comment now. What can be more empty than completely dismissing the bipartisan commission reports and the intelligence and military professionals, while appointing a Bush campaign manager to come up with a new security strategy? A former campaign manager! Rhetoric indeed.

Ultimately the facts appear to have been tossed out and replaced with a faith-based premise focused on pride and prestige. Bush fell right into the emperor-has-no-clothes policy without question because he “doesn’t do details”:

Bush is the detached CEO, a man who got his position thanks to a lifetime of privilege; Johnson was a hands-on CEO who got the job after having worked his way up from the very bottom of the political world. Bush doesn’t do details; Johnson pored over the aerial maps of Vietnam, hoping that he could pick a bombing target that would turn the tide of the war.

Bush doesn’t go to funerals for our dead soldiers. Until last week, his administration had refused to release photos of the flag-draped caskets coming back to the United States. (The Pentagon caved as a result of a Freedom of Information Act suit.) When it comes to the second Iraq war, Bush displays no doubt, no anguish. And therein lies the key: It is that quality that made Johnson, for all his faults and failings, a great president. It’s the same quality that exposes Bush as the wrong president at the wrong time, fighting the wrong war in the wrong place.

Right, so there’s the background, which brings me back to my friend’s amazing story of an insider who bemoaned that the Bush administration should have known better, but insisted that all the pre-2001 Pentagon data on Iraq be tossed.

Now, perhaps, you can imagine my surprise when I read the news today that a FOIA release at an “independent archive” at George Washington University proves that the US military was in fact performing war games in 1999 to assess the viability of a US invasion of Iraq. And sure enough they came to a number of conclusions that the Bush administration threw out when it came to office. Unfortunately for the US, these military experts and facts were ignored:

“The conventional wisdom is the U.S. mistake in Iraq was not enough troops,” said Thomas Blanton, the archive’s director. “But the Desert Crossing war game in 1999 suggests we would have ended up with a failed state even with 400,000 troops on the ground.”

There are currently about 144,000 U.S. troops in Iraq, down from a peak of about 160,000 in January.

That’s some pretty damning evidence that Rumsfeld is incompetent. Even Perle is now able to acknowledge they made a mistake, although he tries to blame the “disloyal” members of the Bush administration for the failure:

Richard N. Perle, the former Pentagon advisor regarded as the intellectual godfather of the Iraq war, now believes he should not have backed the U.S.-led invasion, and he holds President Bush responsible for failing to make timely decisions to stem the rising violence, according to excerpts from a magazine interview.

[…]

He continued: “At the end of the day, you have to hold the president responsible….

“I don’t think he realized the extent of the opposition within his own administration, and the disloyalty.”

Contrary to Perle’s theory of whom to blame, however, the report released under FOIA does not say the war would have been easier if the administration officials had been more “loyal”. If anything it suggests that being loyal to false hope is about as sensible as loyalty to a Titanic captain who believed that sailing through icebergs would be easy:

”A change in regimes does not guarantee stability,” the 1999 seminar briefings said. “A number of factors including aggressive neighbors, fragmentation along religious and/or ethnic lines, and chaos created by rival forces bidding for power could adversely affect regional stability.”

”Even when civil order is restored and borders are secured, the replacement regime could be problematic — especially if perceived as weak, a puppet, or out-of-step with prevailing regional governments.”

”Iran’s anti-Americanism could be enflamed by a U.S.-led intervention in Iraq,” the briefings read. “The influx of U.S. and other western forces into Iraq would exacerbate worries in Tehran, as would the installation of a pro-western government in Baghdad.”

”The debate on post-Saddam Iraq also reveals the paucity of information about the potential and capabilities of the external Iraqi opposition groups. The lack of intelligence concerning their roles hampers U.S. policy development.”

”Also, some participants believe that no Arab government will welcome the kind of lengthy U.S. presence that would be required to install and sustain a democratic government.”

”A long-term, large-scale military intervention may be at odds with many coalition partners.”

Would this have ever come to light without the independent archive? It just goes to show that the right people knew, the right information (the difficulty of success) was available, regardless of people’s loyalty to Bush. Bi-partisan groups tried to warn the US and influence its security policy, but the Bush administration categorically ignored facts presented by anyone outside their closest internal circles. I don’t buy that there was any kind of real dissent that led anywhere other than dismissal of the dissenters. What were the words of the Titanic captain who believed his ship was unsinkable? “Stay the course…”?

WebApp Security Survey

A small (21 professionals) and informal survey by Jeremiah has some interesting results, including the fact that no one appears to be “utilizing” the OWASP top ten, while a majority say the PCI standards are a “step in the right direction”:

6) What do you think about the updated PCI Data Security Standard v1.1?
a) Huh? (0%)
b) It’s stupid and means nothing to me (0%)
c) Step in the right direction (57%)
d) Great for the web application security industry! (0%)
e) Other (43%)

It would be nice to know how the following numbers break down. For example, is the lion’s share of time spent on a review due to the size/complexity of the average commerce site (more than a week’s worth of hands-on testing), or to a lack of prior reviews or documentation that stretches out the front-end preparation and back-end reporting? Or are the folks who answered just not the types who work on small-site reviews…

4) Average number of man-hours required to perform a thorough web application vulnerability assessment on the average commerce website?
a) None (0%)
b) 0 – 10 (5%)
c) 10 – 25 (10%)
d) 25 – 40 (0%)
e) 40+ (86%)

The BBC has a related article with some interesting insights:

The hackers lack the skills to do anything with the data they steal and the old-time criminals lack the technical skills to get the data. This is where they meet.

I came across Ess4 hawking login data for the web shops he has hacked, the credit card numbers he has plundered from those sites and a how-to-guide that shows others how to do it.

He said: “i got many shops + tons of daily orders. i hack a shop in 3-4 hours and sell it for 100-500$.”

He thanked “stupid admins” for making basic mistakes that let him break in.

Roze, one experienced hand and a spammer, said he exploited “human stupidity” rather than poor security.

[…]

And, he said, when he was not relying on stupidity, he had a cadre of smart hackers working for him to break into networks. Curiously, most of these people were from Romania – a country that comes up again and again on these channels.

He said: “romanian guys are very smart. All the time they come with something new ;) they are the best hackers on earth i think.”

[…]

The big problem that these criminals face is not the police but each other and they are in constant fear of being ripped off by their brethren. There is little honour among these thieves.