Too Much Information

Do you wear a Fitbit?

If you do, satellites may be watching you.

Yesterday, Strava, a social network that collects data from GPS-enabled devices, published a heat map of its users’ activity around the world. Intelligence services are now combing that map for the locations of hidden military bases and other tidbits. It’s apparently not just Fitbits, but mobile phones and a lot of other devices.

The Guardian gives a few examples. Here are a few more.



Estonia Considers Its Monuments

Estonia’s Justice Minister, Urmas Reinsalu, said early in January that the government could take down the Soviet war memorial at Maarjamäe because it is falling apart and is not on the official list of historic monuments. This led Prime Minister Jüri Ratas to suggest that the entire area, which includes a German cemetery and a memorial under construction to the victims of Communism, be designated a historic area.

The Soviet Union built many war memorials across its territory, particularly to commemorate World War II, or the Great Patriotic War, as the Soviets called it. I find those monuments moving; they are, after all, memorials to people who died in wars and who had families who grieved them. I’ve been to the Maarjamäe memorial a few times.

One of those times I visited with a graduate student who was studying monuments in the former Soviet Union. As we see now in the United States, monuments are a part of a country’s story of itself. The Soviet Union wanted to erase the past.




Trump’s Nonexistent Cyberdeterrence

Michael Morell and Mike Rogers argue that the United States has failed to deter Russia from its attacks on our electoral system because those attacks continue. They rely on a model of deterrence that assumes that what Russia is doing is in some way equivalent to physical war. They feel that the Barack Obama administration and Congress did not impose heavy enough penalties. They want “policies that prevent adversaries from achieving their objectives while imposing significant costs on their regimes,” but do not say what those policies would be.

Deterrence in cyberspace is not completely analogous to deterrence in physical war. Physical deterrence relies on observable, measurable things: the military and its equipment and positioning. Attribution in cyberspace is murkier than in the physical world, which weakens deterrence. Countermeasures are likely to rely on surprise, so they cannot be fully revealed to bolster deterrence. Imposing sanctions or other measures after the fact is possible and may deter future hostile action. An essential part of deterrence is a statement of unacceptable actions and the planned response to those actions.

Two recent long articles in the Washington Post on Russian interference in the 2016 US election list the countermeasures the Obama administration decided on. They included expulsions of 35 diplomats and the closure of two Russian compounds, economic sanctions against individuals, and planting of cyberweapons in Russia’s infrastructure that could be activated in the future. The last may or may not have been implemented; the articles are unclear.



Penetration at All Levels: The Trump Organization Was Hacked Four Years Ago

David Corn and AJ Vicens at Mother Jones have the details.

Four years ago, the Trump Organization experienced a major cyber breach that could have allowed the perpetrator (or perpetrators) to mount malware attacks from the company’s web domains and may have enabled the intruders to gain access to the company’s computer network. Up until this week, this penetration had gone undetected by President Donald Trump’s company, according to several internet security researchers.

In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains.

Here is a list of the Trump Organization shadow subdomains.

The existence of these shadow subdomains suggests a possible security compromise within Trump’s business network that created the potential for unknown actors, using these Trump Organization subdomains, to launch attacks that could trick computer users anywhere into handing over sensitive information and unknowingly allow the attackers access to their computers and network. In fact, the IP addresses associated with the fake subdomains are linked to an IP address for at least one domain previously used by hackers to deploy malware known as an “exploit kit,” which can allow an attacker to gain a computer user’s passwords and logins or to take over another computer and gain access to the files within it.
Much more at the link. And I’m sure much more reporting and analysis to come over the next several days.
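The compromise described above left a footprint in public DNS: many subdomains created at once, all resolving to addresses the company does not host from. The script below is an added example, not the reporters’ or the researchers’ tooling, showing the check a defender can run over passive-DNS or zone-export records. The netblocks and the records are constructed for illustration and use RFC 5737 documentation addresses; a real run would substitute the organization’s own zone and address allocations.

```python
import ipaddress
from collections import defaultdict

# Assumption: the netblocks this hypothetical organization actually hosts from.
# RFC 5737 documentation ranges are used so nothing here refers to a real host.
KNOWN_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed passive-DNS style A records: (name, address, first_seen date).
# Five names created on one day all point at one address outside the
# organization's ranges, which is the pattern the article describes.
SAMPLE_RECORDS = [
    ("www.example.com",  "203.0.113.10", "2012-05-01"),
    ("mail.example.com", "203.0.113.25", "2012-05-01"),
    ("shop.example.com", "198.51.100.8", "2012-09-14"),
    ("cdn.example.com",  "192.0.2.200",  "2012-11-03"),  # lone third-party host
    ("a1.example.com",   "192.0.2.77",   "2013-08-15"),
    ("a2.example.com",   "192.0.2.77",   "2013-08-15"),
    ("a3.example.com",   "192.0.2.77",   "2013-08-15"),
    ("a4.example.com",   "192.0.2.77",   "2013-08-15"),
    ("a5.example.com",   "192.0.2.77",   "2013-08-15"),
]


def outside_known_ranges(address, known=KNOWN_NETBLOCKS):
    """True when an A record points anywhere the organization does not host."""
    addr = ipaddress.ip_address(address)
    return not any(addr in net for net in known)


def find_shadow_subdomains(records, known=KNOWN_NETBLOCKS, cluster_min=3):
    """Return (suspects, clusters).

    suspects: names whose address lies outside the known netblocks.
    clusters: {(address, first_seen): [names]} for groups of at least
              cluster_min suspect names created on the same day and pointing
              at the same outside address, i.e. bulk-created shadow subdomains.
    A single outside record (a CDN, a hosted mail provider) is reported as a
    suspect for review but does not form a cluster on its own.
    """
    suspects = []
    grouped = defaultdict(list)
    for name, address, first_seen in records:
        if outside_known_ranges(address, known):
            suspects.append(name)
            grouped[(address, first_seen)].append(name)
    clusters = {key: names for key, names in grouped.items()
                if len(names) >= cluster_min}
    return suspects, clusters


if __name__ == "__main__":
    found, bulk = find_shadow_subdomains(SAMPLE_RECORDS)
    print("outside known ranges:", found)
    for (address, day), names in bulk.items():
        print(f"{len(names)} names first seen {day} all resolve to {address}: {names}")
```

The cluster test is the useful one: a lone record outside the company’s ranges is routine, while dozens of new names appearing on the same day and resolving to the same foreign address is the registrar-account compromise pattern, and it is visible to anyone who reads the public records.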


Cyber Warfare, Asymmetric Advantage, and Limiting Factors

According to the BBC, the DPRK successfully hacked the Republic of Korea’s Ministry of Defense. The stolen material includes contingency plans developed with the US.

Hackers from North Korea are reported to have stolen a large cache of military documents from South Korea, including a plan to assassinate North Korea’s leader Kim Jong-un.

Rhee Cheol-hee, a South Korean lawmaker, said the information was from his country’s defence ministry.

The compromised documents include wartime contingency plans drawn up by the US and South Korea.

They also include reports to the allies’ senior commanders.

The South Korean defence ministry has so far refused to comment about the allegation.

Plans for the South’s special forces were reportedly accessed, along with information on significant power plants and military facilities in the South.

This type of cyber warfare, specifically an act of espionage in the cyber domain, provides the DPRK with an asymmetric informational advantage. This advantage creates a limiting factor for the ROK, the US, and their allies in attempting to deter the DPRK’s actions and activities. A limiting factor is defined in Joint Publication 1-02, the Department of Defense Dictionary of Military and Associated Terms, as:

A factor or condition that, either temporarily or permanently, impedes mission accomplishment. (from Joint Publication 5-0/Joint Operational Planning)

If the reports about this hack are correct, US military options, which were already constrained by the physical and human geography of the Korean peninsula, have now been narrowed further by enemy action. US military planning is continuously updated, with branches and sequels adjusted as needed, but plans rest on a consensus understanding of the potential operating environment: the challenges and opportunities that arise from everything from politics to infrastructure to the geography of where US forces may have to deploy. DOD planners will now have to go back and review the consensus the contingency plans were based on, and determine whether they have the operational space to develop new plans for the same potential operating environment that achieve the same strategic effects yet differ enough to neutralize the asymmetric information advantage the DPRK now holds.



BlogCon 1: Global Ransomware Attack in Progress

Time to batten down the cyber hatches!

Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack.

British advertising agency WPP is among those to say its IT systems have been disrupted as a consequence.

Ukrainian firms, including the state power company and Kiev’s main airport, were among the first to report issues.

The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down.

The international police organisation Interpol has said it is “closely monitoring” the situation and liaising with its member countries.

Experts suggest the malware is taking advantage of the same weaknesses used by the WannaCry attack last month.

“It initially appeared to be a variant of a piece of ransomware that emerged last year,” said computer scientist Prof Alan Woodward.

The NY Times has a breakdown of what is and is not known.

Known:

• Cybersecurity researchers first said that the new ransomware appeared to be a variation of a well-known ransomware strain called Petya. One researcher from the Moscow-based cybersecurity firm Kaspersky Lab reported the new ransomware was a strain of Petya first identified in March 2016. Kaspersky found evidence that the latest strain had been created on June 18, suggesting it has been hitting victims for more than a week. But Kaspersky also said it was still investigating the attack and that it could be a new type of ransomware that has never been seen before.

• Kaspersky reported that approximately 2,000 computer systems had been affected by the new ransomware so far.

• Symantec, a Silicon Valley cybersecurity firm, confirmed that the ransomware was infecting computers through at least one exploit, or vulnerability to computer systems, known as EternalBlue.

Unknown:

• Who is behind the ransomware attack. The original Petya ransomware was developed and used by cybercriminals, and variations have been sold through dark web trading sites, which are accessible only by using browsers that mask a user’s identity, making it difficult for cybersecurity researchers to track.

• Why it is spreading as quickly as it is. Cybersecurity researchers believe that like WannaCry, the ransomware infects computers using vulnerabilities in the central nerve of a computer, called a kernel, making it difficult for antivirus firms to detect. It is not yet known if the new ransomware uses any new vulnerabilities, or variants of the vulnerabilities, made public by the group known as the Shadow Brokers.

• It’s unclear if systems protected against WannaCry can still be affected by the new ransomware attack.



Cyber Strategy – Different From A Shooting War

Big hack of pretty much everything in Ukraine this morning: internet, power plants, government. I wrote this post before that happened, but it applies.

The Obama administration was in an extremely difficult position after learning about Russian hacking of last year’s election. Several factors came into play: the difficulty of dealing with international cyber attacks, intransigent Republican partisanship, and the decaying relationship with Russia. I’m going to break down those factors into at least two posts.

Cyber attacks present a national security problem different from any encountered before. Lumping them into a designation of “cyberwar” projects assumptions of conventional war onto them and distorts the difficulties and possibilities. I haven’t seen much analysis of these differences and how they affect strategy. Please point me to them, if they exist. Most punditry assumes that cyber attacks can be equated to war, and numerous opinion articles have referred to the Russian hacks as a form of war. In this post, I will consider only that part of last fall’s situation. A later post will consider the political ramifications.