Sunday, March 6, 2011

The End is Nigh

Over the past 12 weeks I have written on a multitude of topics within the scope of information security and Cyber Security/Warfare in an effort to provide a broad overview of the issues we IT pros face today and those we might face in the future. As a Cyber Security Analyst working for the Department of Defense I thought it would be appropriate to include a Cyber spin to the topics since that is my primary focus these days. My topics included:

  • Lack of true experts within Cyber Security
  • Retinal scans
  • Legality of hacking the hackers
  • Throwing cyber criminals a curve ball, forcing them to work for a change
  • PDF usage and the choice to continue to use the cyber-criminal vector of choice
  • Wikileaks and the impact of recent events
  • Internet kill switch and the forward thinking of Hollywood
  • Benefits of certification
  • Uninformed IT Experts spreading misinformation
  • Future of Cyber Warfare

As you can see, there is no real rhyme or reason to my choice of topics. Essentially I either used course material from our class or from my work to inspire my posts.

It is doubtful any of my postings would assist another IT pro aside from simply providing some awareness to topics they may not have considered previously. If I could go back and do the blog over again I would probably focus on a specific topic and drill into the weeds. Especially after my last blog which covered the need for true experts within the Cyber community. The next best thing to having an expert is having a resource someone can reference. It may not be expert quality, but combined with other blogs or resources you have a better chance of filling the gaps. I’ll remember that for my next class with Sue!

This was my first blog ever. I would have probably never started one if it were not for this class. I am thankful for the opportunity and look forward to starting another blog in the future, if for no other reason than to just rant about topics that frustrate me (very therapeutic!). Good luck to everyone in the class, I look forward to learning from you all in future classes.

Sunday, February 27, 2011

Where have all the experts gone?

It is interesting that my schoolwork and my job had similar conversation pieces this week. In one of the assignments for school we had to explain why certs were or were not important and that eventually led into the "how do you define what an expert is" type of conversations. At work we have a sort of forum that allows others to speak their minds on occasion and one particular person, someone whom I have never met, actually had the audacity to suggest that the world has run out of experts, period...

After being offended for a few moments I soon saw his point. The days of old are gone in a sense he suggested. Where someone could go to college, get a PhD, get a job immediately after college in his/her preferred field, and most importantly work in that field until retirement. This process, in the past, was what made American experts, well... EXPERTS!

Now, it's all about money, even at the university level. This is painfully obvious in the IT industry where individuals are looked down on if they stay in the same job for more than 5 years. To make up for it we ask our employees to get certifications, as if the pieces of paper will somehow transform people into experts overnight.

The truth is that expertise is applied experience, enough so that an "expert" is capable of determining what a good or bad outcome truly is. Sounds simple, right? Here is an example...

Let's say you need an expert on rifles, you are interviewing two people for the position of "expert". One has been a military analyst for 30 years and has done assessments on many rifles but has never once touched an actual rifle. The other is a retired service member who now lines his garden with rusty and defunct rifles. Both claim to be experts on rifles. Which one can truly claim to be an expert?

The answer is in the question and not the person. If I wanted to know the maximum fire rate of an assault rifle then sure, the analyst would be the expert. But if I wanted to know how to disassemble a rifle the analyst would likely lose the title of expert while the gardener could lay claim. What if the question was, how hard does it kick? Does it make much noise when carried? How well do the components hold up to the wear and tear within an operational theater?

So again, expertise is applied experience enough so that a person could, in the case of the rifles, answer all of the questions not just because they had used that rifle before but because they had used similar rifles as well and had a basis of comparison.

A certification provides zero expertise. Education provides zero expertise. Experience in general provides zero expertise. The days of experts are truly numbered within the IT industry as a result. It is my personal and professional opinion that this will be the downfall of our nation. The next war will be fought in cyberspace and we have no experts there, just jacks of all trades. Sadly I am one of the jacks and I feel powerless to change our course...

Sunday, February 20, 2011

Minority Report Had It Right... Kinda....

So, obviously the title isn't referring to casting Tom Cruise in the lead role! Ha! But it seems that our focus on technology these days mimics many things from popular TV and movies like Star Trek and Minority Report. The piece that Minority Report got right was the method/practice of using iris/retinal scans to identify people.

I can imagine a great number of ways in which this technology could take care of some of our most troublesome problems at a national level. Immigration and homeland security being one of them. Think about it, if everywhere you went you had a billboard scanning your retina or iris to identify you, you would have nowhere to run if you were a terrorist or illegal alien. No more need for driver's licenses, just your eyes.

The Minority Report movie took the tech a little too far with its "spider" scanners. It would be cool to see some sort of UAV with a scanner going around and snapping shots of people's eyes on occasion. Talk about a deterrent to crime! Imagine how streamlined our legal system would become. No more lies about where someone was at the time of a crime. Just a log showing you in the library with a candlestick knocking Colonel Mustard to the floor! That is, of course, until Tom Cruise comes in and prevents the murder and hauls your butt off to jail for hating on veterans! : )

Sunday, February 13, 2011

Where is Robin Hood when you need him?

Ok, so I found myself daydreaming this weekend about how cool it would be to have the ability to just snap your fingers and "poof" know how to do or fix anything. Of course my mind wandered into how I would apply this ability to my current work and my current class so I thought why not just help all the cyber criminals learn that crime doesn't pay (at least it shouldn't because it surely does today). So I thought to myself what would I actually do? I kept finding myself in a Robin Hood-esque plotline in which I would steal from the criminals and give to the needy!

Yes, this is why I don't work in Hollywood. Anyway I found myself focussing more on the "legality" of it all. Could I do this sort of thing legally? Would I only be able to return the money to the original victims? What if my abilities couldn't accomplish such a task?

So here's the question, if you steal from a thief are you just as guilty as they are regardless of what you do with the money (aside from returning it to the original victims)? What if the money stolen is insured? What if the money recovered is used to fund the organizations that fight cyber security?

Then, of course, I remember that I would have the ability to snap my fingers and have a way to fix any situation. : )

I truly think we need a hero or group of heroes to fight the good fight within cyber security. It truly is like the wild west, no borders, no laws, and everyone has the ability to do whatever they want with little risk. I wonder if some think tank somewhere will take matters into their own hands and start hacking the hackers and emptying the bank accounts of cyber criminals. Wouldn't that be an awesome headline! "Hackers Hacked, left broken and broke!"

Not much of a post this week everyone, I know and I am sorry. I just can't help myself. With the economy the way it is I can't help but think that eventually cyber criminal endeavors will take their toll, if they aren't already, on our weak economy. I guess I just wish I had a way to help defend our country from this threat.

Sunday, February 6, 2011

Disrupt The Operations Tempo of the Enemy

In my last post I talked about getting rid of the PDF file format completely in order to rid our networks of the most prevalent attack platforms to date. Then I realized, would it really make a difference? I am sure the hackers and cyber criminals that use the PDF file format for their dirty work would just band together and choose another format within a relatively short period of time. So would nuking the PDF file format be a good thing even if this were absolutely true? Absolutely! Right now the bad guys have the rest of us on our heels! They have no need to change their Modus Operandi. Force them to stay ahead of the game, make them work for every scrap at our table! Eventually they will make mistakes, they will be busted and brought to justice!



In reality, this is probably nothing more than a pipe dream. However much effort we think they will have to go through to implement a bypass, it will only be half as much work as any solution we could come up with that could be viable in the enterprise.

The only real solution I could ever see would be a new file format that is nothing more than a zip file. One that is encrypted on the network and consists of XML, transforms and uncompressed image data. Have scans run on the zip files, opening them in sandboxed virtual machines. Then have an application that is capable of reconstituting the data from the zip file into the necessary file type (sans PDF) on the host machine. The process would be invasive and slow. But the days of low-hanging fruit would be a thing of the past for would-be hackers and cyber criminals.

Just my two cents anyway...

OMG! WTF? PDF! (week 7 posting)

Sorry everyone for not posting anything in a while, I was in an accident and things have been a little hectic around the house for a little over a week now. Things are returning to normal so it's time I get caught up on my work...

So what's up with the title there? If you know your memes you know the title is a spinoff from the "OMG! WTF? BBQ!" meme. I can't take credit for this one however. This variation was brought around by Julia Wolf as she recently gave a presentation at the 27th Chaos Communication Congress. Her presentation focussed on the growing problem of Adobe Acrobat's file format, PDF. I hope the meme sticks because like the BBQ reference it seems as though you can't read any sort of cyber or information security literature that isn't riddled with instances in which the PDF format was the vector of choice for some sort of attack.

Just do a search for the title and you will find the presentation on YouTube, no worries. It's a rather interesting account of all the "fun" stuff that makes PDF such a wonderful platform for hackers and cyber criminals. In the end you probably won't "learn" more than you already knew minus a few technical details, so yes PDF is bad, always has been, always will be. This, I think, was the purpose of the presentation. Not to teach us something new, but to serve as a slap in the face like a Homer Simpson "DOH!" when we think to ourselves "Why are we still using PDF?"

I have gone over it in my head a few times and there is nothing PDF provides that other formats can't. To those who would say that it's the ease of use since PDF is more of an encapsulating format than anything else I would respond by saying "This is why hackers love it too!"

So why don't we just drop the format completely? Start simple, have your company, your school, your home block incoming PDF files and remove the MIME type from your computer while uninstalling Adobe Acrobat. See how much of a disruption it causes. My guess would be that it wouldn't be much and your network will probably be fairly free of nastiness to boot!

Sunday, January 23, 2011

Wikileaks from a patriot's point of view

I have to say that the whole Wikileaks debacle that is going on right now is hard to wrap my head around. Not that I can't imagine someone releasing sensitive information about the US government, hell there is a whole genre of movies on the spy trade after all. What I can't understand is why there are Americans that see Wikileaks as a "good" thing? Maybe it's genetic, who knows?

All I know is that if the data/information that was obtained was something else of value, say money stolen from the government, would there be any question of how "wrong" the theft of and further distribution would be? Hiding behind the first amendment and the freedom of the press is just another example of how our country is bending over backwards to ensure that the rights of the extremists aren't violated while the rest of the country suffers in the wake of their actions.

But I digress...

My biggest beef with this latest PFC who stole classified information is the resulting increase in security measures at DoD facilities. I can't go into details but I compare what is happening now to just about every single stupid sign in existence: "Caution, coffee may be hot!", "Slippery when wet!", etc....

Why? Because now when people ask why we can't do something the easy way or the most efficient way we end up saying: "oh, you remember that idiot PFC that gave Wikileaks all those documents?" That's why...

All it takes is one rotten apple to spoil the bunch. I only hope our government decides to make applesauce of those involved...