09 September 2015

Kaspersky Paranoia or Something More??


Several months ago (March 2015), I wrote the below article elsewhere.  It references a Reuters article and a Daily Facts article.  Some found it to sound somewhat paranoid while others found it to be intriguing.

[March 2015] 

"Russian researchers expose breakthrough U.S. spying program" and "Kaspersky links US to spread of PC spyware across 30 countries"

Both titles are referring to the same article, with the first being affiliated with Reuters[1] and the second with the Daily Facts[2].

I find this article interesting due to the allegations in the article where the NSA and/or the CIA are considered responsible for the altering of hard drive firmware for purposes of spying.  I would not doubt whatsoever that this speculation is true or partially true considering a similarity between Stuxnet and this attack.

What I find incredibly fascinating is that once again, Kaspersky Labs has made the discovery of an incredibly brilliant and complex "malware" spying tool.  It really is amazing that Kaspersky Labs is known for most high-profile discoveries involving complex malware and shedding light on hacking incidents where other companies seem to be ignorant.

Please follow the bouncing ball for one moment in an effort to entertain me as I don my tinfoil hat and begin to profess my long-time belief about Kaspersky Labs, specifically Eugene Kaspersky.

Wired Magazine conducted an interview[3] with Mr. Kaspersky a few years ago that was rather enlightening.  This interview was the kingpin in what I believe to be part of a larger master plan... you still with me and my tinfoil hat?

Apparently, Mr. Kaspersky was a bright cryptologist recruited and sponsored by the KGB of that time and graduated from a five year program in 1987.

Knowing the past history with the former Soviet Union (USSR) and knowing that those in the KGB never leave - ever hear of Comrade "J"? 

Is it plausible that the plan all along was for Mr. Kaspersky to start his well respected anti-virus company as a mechanism into many of the U.S.A.'s companies and government systems?

I will take it a step further... what better foothold to establish for the day when the cyberwar begins... a foothold into the core economy, core infrastructure and other critical infrastructure components?  After all and unbeknownst to many, Kaspersky products are found within other products being used by everyday Americans.

What better way to amass needed information that could allow for a collaborative effort to hijack and destroy the U.S. economy and infrastructure?

One last thought before I remove this itchy tin hat... how does one lab (Kaspersky) consistently find the most sophisticated malware on the face of the planet before any others in the security realm? 

Are they really that good or could this be a case of Spy VS. Spy?  My guess is the latter of the two.

I would like to ask Mr. Kaspersky for the Powerball winning numbers since the odds of that prediction are approximately the same as Kaspersky Labs being at the forefront of the discovery of every global cyber event.

MT>

1 http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216
2 http://daily-facts.net/kaspersky-links-us-to-spread-of-pc-spyware-across-30-countries-financial-times/
3 http://www.wired.com/2012/07/ff_kaspersky/


Now I fast forward to information and questions from David Vincenzetti of HackingTeam and a recent Reuters article found here.

Both are asking similar questions and pointing to anomalies similar to those I have pointed out in my March 2015 ranting about Kaspersky Labs and their incredible ability to ferret out the root cause of breaches as well as being the first on scene like an arsonist to a fire.

Just my crazy rants or is this a case of where there's smoke there's fire?

17 October 2014

"Unprepared law firms vulnerable to hackers" - do tell!

I recently read an article HERE describing how law firms may be vulnerable to cyber-attacks as Mr. David Ries is pictured holding technologies that are at least ten years old.
Mr. Ries is considered to be a "leading expert" in cyber-security and is only now coming to the press with this information?

I guess the joke is on "them"...

Indeed this article addresses security concerns, ones that will not be addressed until the hand is strictly forced.  

Having performed security consulting work in these environments, I have made numerous attempts to “pitch” the need for robust security infrastructure and methodologies inside law firms. 
Training and education, standards, quality security employees or teams, etc. etc… before the tsunami strikes.

Unfortunately, many law firms tend not to employ highly trained, experienced or recognized security professionals, particularly those seated at “higher” positions within the firm.
Law firms tend to keep the circle tight and don't always subscribe to industry style structuring, especially regarding information security. Many firms are accustomed to hiring "experts" for cases or trial and then quickly giving them the broom.

My personal experience has been that many law firms generally hire those that are average at best, and give those average employees too much to protect with too little funding or personnel to achieve their goals – because law firms are not being strictly “compelled” to protect those assets.
It all comes down to risk vs reward and many law firms do not see the need… especially when it comes down to allocating the required funds for experienced security “leaders”.

Read the exhaustive list of standards and requirements and you will not find where law firms are strictly or specifically included… where are formal reporting or audits included? 
I would argue that law firms (lawyers) make incredible arguments, considering that is what they are paid to do, and that it will be difficult for any outside body to compel them to follow a strict standard – Judges are lawyers too.

I have read many articles that state “no large breach has taken place that would require notification”. Considering there are no real legal requirements to do so, it is disingenuous to make such a statement.  There have been reported breaches, but those are only the tip of the iceberg.  There is much, much more taking place behind the curtain that is not being reported.

Most importantly, some of this information can be just as confidential, if not more confidential, than medical and financial information.

So where is the outcry and why is this sector largely ignored?

I personally believe that the general public is ignorant regarding the information possessed by law firms, and that law firms inherently know the laws and willingly accept the risk because there are few “real” deterrents or penalties that could be easily administered.

When the ethics rules and opinions relating to law firms openly use wording such as “reasonable” to define what must be done to safeguard information, and then do nothing to define "reasonable"… that is clearly an ambiguous statement that allows for plausible deniability.

If Mr. Ries and those like him wish to truly secure their assets and trade-craft, I would strongly suggest hiring long term, highly qualified security leaders that are capable of leading a team of security professionals.
Professionals that understand the threats of today, potential threats of tomorrow and have already covered the passé threats of yesteryear.

05 October 2014

Mitnick - Security Expert or Security Whore?

Rarely blogging, it's hard to be taken seriously - I know, enough said.

Kevin Mitnick started his foray into "hacking" well before most reading this (if there is anyone reading this) were even born, as I doubt many over the age of forty-something read these types of articles.

If you are reading this, chances are that you already know who Mitnick is and why he has received so much notoriety - good and bad.
If you do not know of him, I'd recommend reading the Wikipedia page HERE before reading the rest of the post, else it really won't mean that much.

Kevin started into the computer age just a few years before I had.  It was a wonderful new world whereby many geeks were freed and came together to share in their geekdom.
The major difference between Kevin and those like Kevin, and myself and those like myself, was, and still is, integrity and respect for others.

In 1982ish, I too performed some low level "hacking" on a DEC that allowed me to access the neighboring rival school's system.  Of course their geeks thought that our geeks were not up to the challenge and "we" needed to disprove that misguided thought - no matter the cost.

It wasn't long before I and another were called to the principal's office and were asked a series of questions regarding the incident that had been discovered some two weeks later.  Only after listening to this voice of reason for what seemed to be an hour was I sent on my way... fortunately with no real penalties.
I gave the interaction a bit of thought and realized that the geeky "new toys" that we had access to were not to be used to make people's lives more difficult but to enhance and assist lives - everywhere. That's not to say that "fun" and "pranks" don't have their place - we wrote many pieces of code that today would be deemed "viruses" or "malware".

That stated, Kevin had his fun and proved his points many times in the past - we all get it! Additionally, he made money with his nefarious doings, past and present.
Yes, he "did his time" for the wrongdoings of the past, but now it seems that being away from the spotlight just isn't doing it for him.

I had read where Kevin was taking his consulting firm to the next level - at least in his eyes.  Kevin decided that "Zero Day" exploits could be a lucrative business and that his business model needed a shift.

Welcome the Kevin Mitnick 0-day exploit for hire business model!  Have a look HERE.

Knowing that we live in the United States of America, considered to be the "freest" country in the world, I can understand how Kevin thinks this could be a "good" idea.

Sadly and pathetically, this is far from a good idea and begs the question, "Was Kevin ever anything less than a 'whore' within the computer and security field?"
In my opinion, Kevin has "jumped the shark" with this business endeavor and has lost what little respect I had in reserve.

Mr. Mitnick has once again decided that "criminal type" behavior is where he likes to live.  I use the term "criminal type" because he's engaging in behavior that is not clearly criminal, just looks, walks and acts like that type of behavior... anyone remember the duck analogy?

This is really nothing less than old school pirate or mercenary behavior - period.

Plausible deniability has its role here as you may be able to infer on his website.

Okay, so Kevin is the broker of "wrong-doing" but not the actual "wrong-doer"... that makes it so much better, right?

I am sure that every transaction will be thoroughly investigated so that the 0-days do not fall into the hands of the Devil.  Certainly these 0-days cannot be traced, certainly the buyers will abide by any type of professional Terms of Use, and the buyers would never pass it on to an insidious user of the 0-day - anyone ever hear the term "straw purchase"?
After all, Kevin has never been known to do anything that would be deemed inappropriate or nefarious himself, right?

Regardless of the outcome of this "business", why would anyone consider Kevin Mitnick a security professional?
From this moment on, I hereby propose the title - Kevin Mitnick, Security Whore.

22 February 2013

Getting Things Started

I just wanted a place to collect information and occasionally rant about the security field in general.  However you may have arrived at this location, thanks for stopping by.

If you would like to visit my professional site, you can do so by stopping by michaeltaylor dot pro

I don’t intend anything here to be personal and I don’t mean any type of harm towards anyone or any organization.  This isn’t a political or religious blog and it is intended to be science related, even if there becomes a minor overture of political systems bashing when those systems interact with one another.

Experts say DoD cyber workers undertrained

Original article is HERE

In the words of Gomer Pyle - "Sur-prise, sur-prise, sur-prise!"
In other words "you reap what you sow”.

That really is the bottom line here.  Maybe not so much in the private sector where the “mission” is usually the same from day to day – give or take a bit.  If a company is in the business of making widgets, they’ll most likely be making widgets for the foreseeable future and very little changes – inside and out.

That is a very important distinction from government where the “mission” or “threat” changes every day even though the overarching mission may stay the same.  It’s usually ALL about putting out fires, and damned be the consequences – just get it done.

For years now, I and many other IT/IS professionals have claimed that experience is the only true measure.  Unfortunately HR (human resources) types and the like have shoved the “certification” and “education” mantra down the throats of information security professionals and many are buying what is being sold.

As a result, you end up with a bunch of “over educated” and “over certified” do-nothings that have little to no field experience; oftentimes performing some type of "oops" resume-generating event. Yes, I am aware of the chicken and egg scenario.  I believe that experiences can be had outside the workplace as well as in the workplace.

But you can't really completely blame the inexperienced button pusher for wanting to learn or to do better.  Good people want to learn, gain experience and impress the "boss" with their skills.

Personally, I will take the field experienced person WITHOUT any “official” education whatsoever.  I know several absolutely brilliant individuals in the IT/IS field that have (until recently forced) nothing to “prove” that they can perform their mission – except proven experiences.

Here’s a Duh moment for those believing that certifications, degrees and constantly changing specialized frameworks are the complete answer to our information security woes…
Chinese hackers. Does anyone really believe that thousands of Chinese hackers have their CISSP/CCNA/MCSE etc, etc?
I would suggest that most, if not all rely on experience – and they are winning, no FUD here.

HR, politicians, attorneys and the like (i.e. Gov’t) fail to understand (or care about) the critical importance of hands-on, in-the-trenches experiences. Even though the US armed forces live by FTXs (field training exercises) and always enforce everything with hands-on training, they fail miserably when doing the same in the IT/IS fields - more so gov't and not armed forces.

For every certification or training that I have attended, I have always asked, “why not more/any hands on”?
Or better yet, why can’t we have a complete virtual environment where we can “break” things and see the cause and effect so that we may defend or fix the issues? 
The answers have been that it costs too much or that “we aren’t permitted to do that” or some other bureaucratic answer that makes absolutely no sense at all. I realize that some trainings are beginning to incorporate this process – finally.

Although I believe ISC2 and associations similar to them do a better job than most, I also know that a very large portion of the training companies are simply “garbage in – garbage out” at the lowest cost possible. 
Let’s face it; it’s all about profit and competitive market analysis studies.  Much of it has very little to do with real learning, and in the end it all comes down to getting past OCR resume readers – thanks ignorance.

Maybe if we were to just ask a few more certifying bodies, so called experts or PhDs how to “fix” the problem?
Meanwhile, we could spend another decade chasing our tails until we really are too far in the hole to do anything constructive.  Or maybe the politicians can just hurry and push through some garbage legislation that will surely fix all the issues – because that always works.

Maybe I shouldn’t allow this to frustrate me so much, but I really have noticed a significant degradation over the past couple of decades and it seems to be getting worse by the month - especially in and about the government sectors.

General thought and potential fixes?
  • Complete revamp of certification processes to include (during or additionally) real world scenarios.  We have enough examples to use from real world breaches and honeypots.
  • CCIE has an exam and lab side to the certification, why not others?  No more paper tigers!
  • Enough of the certification whore process. Companies & government must understand that a jack of all trades is a master of none – including myself at times.
  • More “real” competition with regard to price vs deliverables of certifications, instead of "hey, what are they charging? That's what we should be charging"
  • How about NPO (non-profit orgs) training facilities that everyone can use?  Does the US really want to be globally competitive and secure or is that just lip service?
  • Transparency and reality - $6000.00 for a certification class and 20% pass rate because the vendor changed the test – come on!  Oh, I can re-sit the class for free - gee thanks!  Teach the material, not the test.