
Friday, April 17, 2009

FBI Hackers & CIPAV

In his slight paranoia blog, Christopher Soghoian shares some of his thoughts on the FBI spyware documents that were released in response to a Freedom of Information Act request by Wired.

For those of you who aren't familiar with CIPAV, check out the Wikipedia entry or my earlier posting entitled When Is Hacking OK?

In addition to being highly redacted, the documents were interesting not so much for what they said, but rather for what a security professional can see when reading between the blacked-out lines.

Wired's Kevin Poulsen:

The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

So the FBI wants us to believe that tech-savvy crooks who use elaborate means to obfuscate their location and identity are going to be tricked into clicking on a link to be redirected to a website hosting malcode to exploit their browser vulns? That's a pretty big stretch for me to accept.

Chris has a much more probable theory:

What is far more likely is that the FBI has asked MySpace, Google or Yahoo to insert the drive-by malware infection code directly into their own websites, so that the next time the suspect signed into their account, their browser would automatically be infected without the need to trick them into visiting an FBI-controlled Web site.

Such cooperation by Web 2.0 companies (if it indeed occurred) would be fascinating, troubling and would likely do significant damage to their reputations -- which would also explain the significant redaction in the FOIA documents.

Very interesting indeed.


Tuesday, April 14, 2009

Ronald Reagan, Rat Fink

BoingBoing details how conservative icon and dead person Ronald Reagan was once a no-good, low-down FBI rat fink.

Reagan and his wife apparently provided the FBI with the names of actors who they believed were commie sympathizers.


Because nothing represents conservative America better than selling everyone else out to get ahead.


Ronald Reagan was a secret FBI anti-commie snitch


Wednesday, March 11, 2009

CyberSecurity Strategy: GAO Report

The GAO has released a new report, entitled National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture.

Detailed within the report are key recommendations to address some of the primary gaps in our cybersecurity strategy that have been discussed for years.


The GAO identified 5 areas in further need of attention:


1. Bolstering cyber analysis and warning capabilities
2. Completing actions identified during cyber exercises
3. Improving cybersecurity of infrastructure control systems
4. Strengthening DHS’s ability to help recover from Internet disruptions
5. Addressing cybercrime

Key strategic improvements recommended by the GAO's cybersecurity experts include:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
7. Bolster public/private partnerships through an improved value proposition and use of incentives.
8. Focus greater attention on addressing the global aspects of cyberspace.
9. Improve law enforcement efforts to address malicious activities in cyberspace.
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.

None of these recommendations or areas of focus are new or unexpected. Do we really believe we need to raise awareness regarding how serious cybersecurity problems are? Everyone that I know is painfully aware - it's the fierce competition for dwindling budget and resources that stands as a major obstacle.

As far as public/private partnerships, the last session I attended with the FBI Deputy Director of Cybersecurity provided information that I had read in E-Week weeks before, along with a plaintive request for those of us in the audience to share what we knew to assist the FBI in their efforts. That seemed a little one-sided.


I'm also part of the FBI's InfraGard program, and while not permitted to discuss many (any?) of the details, it's no secret in the info security community that the intelligence bulletins that they provide are neither timely nor useful.


Like most people in the private sector, I'm quick to opine that government intervention seldom serves as an agent of improvement. Quite the contrary - when was the last time you heard anyone wax poetic about the agility and acumen of the federal Department of Whatever? It's always the private sector that innovates and acts because there's an underlying profit motive at work.


It will be interesting to watch as the Obama administration trots out a new approach, and I hope it works. All the scuttlebutt about the NSA taking over the cybersecurity mission actually seems promising, since their skillsets appear better suited for the challenge than, say, the Department of Homeland Security. Plus, the NSA has been able to keep us from perishing in an atomic holocaust since the 50s, so they have that going for them.

Read and digest the report at your leisure, but the devil is in the details. Many a brilliant concept has died a slow death when it came to implementation. I hope the Obama administration takes what the thinkers have assembled and allows some doers to make it so.



Sunday, January 4, 2009

Will The Real Terrorists Please Stand Up?

AirTran Airways, true believers in the concept "never underestimate the power of stupid people in large groups," is now valiantly attempting to appear contrite in the wake of their inexcusable decision to kick members of a Muslim family off of a plane and then refuse to book them on another flight, even though FBI agents had cleared the family of any wrongdoing and had requested that the airline rebook the family members.

AirTran originally yanked the group from a flight set to depart from Reagan National in Washington DC, bound for Orlando, when they became concerned by conversations overheard as they awaited departure.

These "suspicious" conversations included the family discussing where the safest part of the plane might be, as they shuffled up the aisle to find their seats. A passenger overheard, notified a flight attendant, who in turn made the cockpit crew aware. This led to the onboard air marshals being asked to remove the Muslim family from the plane.

Is there anything that a Muslim family might say on a commercial airliner that might not cause concern for at least one passenger, especially since the odds are pretty high that a percentage of all fliers are charter members of the Bill O'Reilly - Sean Hannity fear-mongering brigade? These folks believe that racial profiling is not only acceptable, but the responsibility of all true red-blooded patriotic Americans. You're either with us, or you're against us, right?

Conversely, what would the reaction be if a group of Muslims boarded a plane and sat silently, eyes fixed straight ahead at all times? I'm certain that several FOX News devotees would find this equally disquieting, and the result would probably have been the same.

But you can't cure stupid, so we'll always have instances like this, which is why airlines and the TSA (allegedly) have processes in place to separate the real security risks from those caused by misperception, misunderstanding, and bigotry. And processes, by definition, are standard and repeatable.

AirTran hustled this family off the plane and ran them through interviews by the FBI, who quickly determined that no actual risk existed. Score one for the process working as designed. The stories of what happened next, however, differ between the FBI and AirTran.

The FBI claims that once their interviews were completed and the family was cleared of suspicion, they attempted to get AirTran to rebook the group on another AirTran flight, but representatives from AirTran refused. The FBI then arranged to have the family continue their travel on US Airways.

AirTran claimed in a written statement that it did not re-book the family only because the security issue had not been resolved, and because one member of the group "became irate and made inappropriate comments."

It's difficult to take this statement at face value when three hours later AirTran issued another statement that appeared to contradict their earlier press releases that indicated they were unapologetic about the way they handled the incident.

"We regret that the issue escalated to the heightened security level it did," AirTran said in a statement Friday afternoon. "But we trust everyone understands that the security and the safety of our passengers is paramount."

Security and safety are important, but not paramount. That's simply an "ends justifies the means" attempt to excuse poor decision-making that does nothing more than shine a bright light on the heresy involved. The one thing I hope we've learned during the past eight years is that taking extreme measures that trample civil liberties is not permissible, even if the stated objective is maintaining the safety and security of the populace. Throughout history, citizens have always had more reasons to fear a secretive, oppressive government than they have small, radical groups intent on acts of destruction.

When the FBI cleared the family of any suspicion and asked AirTran to assist them in getting these folks to their destination, the correct response was for AirTran to cooperate with the FBI and make these travelers whole. Their refusal is a black eye for their entire organization, and no amount of apologizing, free travel, or public groveling can change that fact.

Nice going, AirTran. If you see a white male with short hair on one of your flights, looking slightly like an FBI agent, it won't be me. I choose to exercise my right to never fly with you again.