Why Russian Hackers Fail: Ukraine Defense Lessons

There’s an old bogus saw in IT that goes something like “attackers only need to be successful once, yet defenders always have to succeed.”

As you can probably tell I really dislike such thinking.

The reverse is actually well known and practiced often. Defenders benefit from efficiency that comes through “defense in depth”. It’s a pervasive practice that completely invalidates nonsense about attackers needing just one success.

History shows us many examples of building designs that had not just one wall, but many layers plus other measures. Attackers since the beginning of time have been forced to run expensive campaigns to have chances of success… given defenders are even a little bit thoughtful about threats.

Maginot’s line is the counter-example of great infamy that also proves this point.

The actual man Maginot (a French WWI veteran with literal tunnel vision) could not think of anything other than spending exorbitant sums of money on dumb walls with passages beneath them.

Meanwhile threat models of WWI worth noting were about rapid mobility, such as powerful engines of emerging airplanes and trucks/tractors that could go right around those walls. Had Maginot’s campaign been tempered against France (and Britain) leading the world in combustion engine innovations, Nazi General Rommel would have been more quickly exposed for his greed/incompetence.

Another way of expressing this is in basic economics, which is to say investing in inexpensive controls that increase the cost of attacks tends to be a highly effective prevention measure.

Investing in expensive controls that attackers can bypass easily… that’s the opposite of defense, that’s insider threat as demonstrated by America First’s Wall Fraud.

Seriously, America First (a continuous hate platform since it was started by the KKK in 1915) campaigned to divert security funds away from sensible use at air and sea ports and instead into stretches of empty desert where no real threats existed. And in reality the money went into pockets, leaving America less safe — ergo, insider threat.

With that background and context, lately I’ve been asked quite often why Russia’s big hacker threat failed to materialize.

The simple answer is that Russia did attempt to attack, but its overblown reputation for hacking ability was based on a history of petty crimes more than anything.

It’s a bit like asking why the pickpockets of Moscow’s buses didn’t manage to jump into a mostly automated tank and roll through Kiev streets victorious.

A lot of things stood in the way, not least of all repetition of history: simple and inexpensive defensive measures stood up in Ukraine to rushed and complex attacks of low integrity.

Russia since 2014 had been attempting rather loud sustained cyber warfare against Ukraine, leaving nothing to surprise. This created a heavily defended environment with critical data resilient through support of widespread (e.g. distributed) technology allies.

As a tangent, I don’t mean to throw any more water here on the popular tactic of security consultants lighting fires in critical infrastructure to win funding.

Honestly it’s not that expensive to increase the security levels in most environments. In fact, it’s downright shameful how inexpensive better security can be when experts get involved. This actually feeds into attacker motives as they tend to whine about “these lazy people deserve to be hacked” if you ever monitor such forums.

I dislike victim shaming and I dislike fear-based fundraising. Both unfortunately tend to mix into a debate about why bankers (accountants who tend to operate critical infrastructure risk management in market-based countries) starve defense budgets until they essentially transfer wealth to attackers or overly animated and expensive “saviors”.

Back to the point, Russian hackers have now been indisputably proven a paper bear as they couldn’t put up a fight. I tend to explain this in three related ways.

1) Russian hackers (and those they trained), like domestic abusers, actually tend to be very risk-averse predators who exploit known and easy weaknesses for quick personal gains. That equation tends to be trivial for security professionals to change.

2) The first point is compounded by organization. Even a petty thief becomes highly dangerous when acting in a mule role under coordinated criminal syndicates. That equation is non-trivial to change. Yet security professionals as well as political scientists have much historical success to draw upon here. NYC Mayor LaGuardia didn’t have an airport named after him for nothing.

3) In both points above we’re still talking financial motivations more than social or even cultural let alone religious or racial. As I’ve spoken and written here for many years, disrupting financially-motivated hackers is the least difficult level of defense given a law enforcement paradigm for MEECES (or MICE).

In conclusion, post-2015 efforts and certainly late 2021 basic defense measures in Ukraine (VERY inexpensive measures) made Russian hackers fail and run.

It’s been such a non-issue that headlines went from “America isn’t prepared for what’s coming” to… crickets.

Russia’s biggest mistake in 2022, similar to Putin’s KGB job to breed Nazi terror cells in 1980s Germany, therefore seems to be a plan to roll into fights on an assumption everyone and everything in their path would be just a coin-operated fraud (like themselves).

Higher orders of defense (efficient ones especially) tend to toss such looming threats off the day of actual battle, even despite spending just a little time and money instead of a lot.

At Least 1/3 of North Korean Missile Program Funded by Crypto

A decade ago or so people seemed surprised when I warned about links between Crypto and North Korea (or even Russia) military funds.

Now the U.S. Deputy National Cyber Adviser, Anne Neuberger, is very publicly stating one-third of North Korea’s missile program is funded by Crypto.

Neuberger’s analysis seems based on the fact that $1bn in Crypto was stolen in the first nine months of 2022 alone — it’s a total mess of insecurity and societal harms.

This reminds me of a consulting engagement on Crypto risks many years ago, which I’ve written about before.

I was parachuted into a bank to help their executive teams navigate Crypto. They asked whether a giant power generation plant pushing them to invest in bitcoin mining on massive scale (energy sector generally is run/owned by for-profit bankers in America) should be given the green light.

“That’s all we need to know” I remember a roundtable of executives saying after I asked if they really wanted the blood of North Korean missile launches to be on their hands.

The hungry power company was given a giant negatory.

This idea of “blood Crypto” that I presented back then wasn’t meant to be new, but something more like the latest chapter in an old tragic story.

Having long studied anonymity games for weapons proliferation among global hate groups (e.g. “blood diamond” money laundering to fund mercenaries and coups in Africa — “fascist pig” glorification) it seemed somewhat obvious to me where Crypto was and would sit for some time — organized international crime.

People often told me they didn’t see a dark Crypto future, until I explained the past reality of blood diamonds.

I guess more to the point, many people STILL wear diamond assets around publicly like they just don’t see “it”, and many people STILL boast about owning Crypto assets.

The evolution from diamond crimes to Crypto crimes shouldn’t seem abrupt to anyone observing particularly onerous billionaires in the news.

If you remember, websites were set up by white South Africans specifically to allow unregulated international movement of racist mining wealth (PayPal was a “fast and easy” money transfer service intended to escape humanitarian regulations).

“Fascist Pig” glory like a Tatra T87 story right out of 1938: Peter Thiel and Elon Musk moved from South Africa to America and nearly killed themselves in a sports car because Musk couldn’t figure out how to drive.

From there Crypto really became a minor change to expand global risk. This also probably explains why white South Africans STILL so brazenly promote toxic odious Crypto mines today even though it should bring to mind their parents’ washing of blood diamonds.

The bottom line is that for the last two years Crypto (crime) has funded modernization of North Korean long-range missiles, which soon pose a direct nuclear threat to all of America.

Pentagon Announces Mission in Germany to Streamline Aid to Ukraine

This past September European Command (EUCOM) head Gen. Christopher Cavoli presented a new plan for EU defense to Defense Secretary Lloyd Austin. A dedicated Ukraine mission would be run in Germany, to solidify progress made since 2015 to protect Europe against unprovoked Russian aggression.

The NYT described the plan soon after as “streamlining an assistance system…created on the fly” with several hundred dedicated personnel. Results have been nothing but impressive since then, including supply-chain security measures to reduce integrity risks (fraud, graft) and ensure intended outcomes.

In retrospect, before Russia invaded earlier this year, the US, Canada, Lithuania, Denmark, Poland, Sweden and UK (Joint Multinational Training Group-Ukraine) had been operational inside Ukraine near Lviv. Thus the September Pentagon announcement continues to be notable for Europe (or even Africa), not least of all because of its role in fighting corruption, yet it hasn’t restored official staffing levels that once were inside Ukraine.

Russia’s “Masculine” Military Destroyed by a Thoughtful Ukraine

Analysts have shifted to asking how far Ukraine might go in liberating people from the brutality of Russia’s “masculine” rhetoric and occupation.

“Ukraine has the initiative and momentum and is dictating to the Russians where and when the next fight will be,” said Philip Ingram, a former senior British military intelligence officer. […] Mile after mile of abandoned trenches along the road to the southern port city of Kherson spoke of the miserable living conditions some Russian forces had to endure on the right bank of Kherson before their retreat.

The same article shows how the American government is laying sound political and military sentiment on the heels of such retreat.

“This whole notion, I think, in the Western press of ‘When is Ukraine going to negotiate?’ misses the underlying fundamentals, which is that Russia continues … to make these outlandish claims about annexed Russian territory,” [White House National Security Advisor Jake Sullivan] said.

The key to asking when it might end, is when Russia may finally admit its occupation will end.

After all, it’s led to a situation where Russian men are on the run from their own country.

Fighting-age men in Russia are still hiding in fear of being sent to war

It’s clear Putin doesn’t care for Russian men, while telling them they should jump forward and die for him in a foreign country. Does anyone really believe if Putin can’t even care for the welfare of Russians that he somehow cares for the people in Crimea being forcibly occupied by Putin’s conscripts?

You have to really marvel at such a serious disconnect. Perhaps later I’ll write about how this fits a pattern of Putin since the 1980s, as he’s tried for decades to cultivate thoughtless brutality as strategy. Ultimately, just like when Putin was running KGB operations in East Germany to breed neo-Nazi cells, his toxic “masculinity” strategy has resulted in men being afraid of coming out of hiding.

It couldn’t have been any clearer than when Putin just attempted to mobilize 300,000 in Russia, and instead saw nearly that many immediately exit its borders in protest.

Why should they lose their lives for him? I’ve pointed out this failure of Putin before and warned his day of reckoning was coming, although I admit I had no idea it would be in Ukraine. In fact, I told people Putin couldn’t be so stupid as to roll into Ukraine (even on the day before) because it seemed so obvious how Russia’s military would fail. Whoops. I guess that was only partially right.

The dictator’s obsession with promoting himself over everything completely backfired. Loyalty to him is more empty than ever and because he allowed no other loyalty to grow, not even “motherland” rhetoric, that country is rudderless.

It’s something of a similar fate for toxic “masculine” leaders in America, who aligned themselves with Putin (e.g. many in the GOP) and peddled constant nonsense about fear and being scared. It’s worse in Ukraine of course as Russian men pressed into Putin’s “meat-grinder” have basically been armed only with rusty shovels (not an exaggeration) to dig their own graves and then fall into them dead.

That’s some Hitler-level stupidity and a predictable outcome of fear-based bogus “masculine” propaganda.

The German Nazis (especially children drafted into battle) were literally convinced they would be killed if they surrendered, so they hid in trenches and bunkers.

British soldiers in WWII recount finding Nazi teenagers scared, hiding and sobbing in tears — poor kids had been brainwashed to think everyone was out to kill them. Proper care once under the command of Allied liberators blew their minds, allowing them to be thoughtful once again.

Thus we’re watching as a whole generation of Russian men may be lost at this point in Putin’s tragic folly, unless they hide and surrender to Ukraine.

It even has led to widespread protest by the people who actually show some sense of care for Russian men: women.

Russian women march to Ukrainian frontline to demand husbands be sent home

In conclusion it begs a tough question whether Russian women should decide when, where and how to negotiate with Ukraine. Maybe set that as a goal for Putin: what woman will you appoint to lead any negotiation?

Women in Russia seem to be the only ones being thoughtful right now. They show much better ideas about Russia’s best interests… versus Putin’s toxic masculine clown show.

I’m somewhat reminded of Henry Ford getting a medal from Adolf Hitler in 1939 then losing more and more authority at work while refusing to admit being wrong; all 50,000 autoworkers walked off the job in 1941 asking why their CEO was on the side of Nazis. Henry was stumped completely until an end of his crisis eventually was negotiated by his wife.

And I don’t just mention the connection to Ford idly here. The emasculation of men, due to industrialization causing massive cultural shifts through the early 1900s, was one of the driving forces behind the rise of fascism in the 1930s. People wanted to orient around “masculine” safety, but instead attached themselves to toxic charlatans.

Italian dictator Mussolini and his mistress hang before they could be tried for war crimes. His soldiers claimed to be victims yet committed atrocities that for 60 years have gone unpunished.

Bogus promises by notorious “strong men” who promised they would lead through times of uncertainty, doubt and hyperbolic fear turned out to be mostly snake-oil and disinformation (breeding hate) to unjustly rise into power yet avoid accountability for mass harms.