IACSP Symposium – Report From the Field

Last month I attended The International Association for Counterterrorism & Security Professionals’ 17th Annual Terrorism Trends & Forecasts Symposium near NYC. This is my long overdue report from the field. 

The most dynamic speaker, by far, was Dr. Tawfik Hamid. Dr. Hamid, author of Inside Jihad, discussed the factors that cause the proliferation of Islamic Radicalism. In layman’s terms, he explained why people become radical Islamic Jihadists. And he did it in a way that westerners could understand. I finally understand (or get) the craziness that has never made sense to me. This one speaker made the trip worth it.

The other speakers made it quite clear that the northeast US has been working together to build a comprehensive and solid first-responder network. Yep, you read that right – I said first-responder network. Cherie Castellano spoke about the psychological effects suffered by first-responders and a program she has developed to combat those effects. Her research has led to the creation of a program that triages first-responders (in the NE). This program has since been used as the basis for a similar program for returning vets (the only one of its kind in the country). Unfortunately, this program is limited to only four states, which is a shame since it has been shown to decrease the number of suicides among returning vets.

Mr. Mike Cutler, another speaker focusing on Immigration Enforcement, should run for President. His assessment of the deficiencies of the (ill-conceived) immigration system was brilliant. Attendees could have done without all the name dropping though.

Two other speakers covered the Terrorism Trends Report (released in April), and the accomplishments of Osama Bin Laden and Mullah Omar (of which we were all well aware).

Overall my impressions of the symposium were mixed.  The venue and organization were sub-par but affordable.  With attendees numbering below 100 and mostly working as first-responders in the NE, it is clear the rest of the country needs to get into the game on multiple fronts.

As far as the IACSP is concerned, pamphlets led me to believe I’d be among my terrorism-fighting peers – and that’s not what happened. I was among first responders (not international, but regional) who keep an eye on what is going on in the terrorism arena. This was more than a small disappointment to me.

Next Blog:  IACSP and the Twitterverse

QuakeCon 2009: Basics

We’ve been part of the QuakeCon phenom for the past 7 years. Our son is on the QuakeCon staff, and the male members of my family all attend. We’re kinda geeky like that. Usually I sit at home and wait for the madness to stop. This year I’m here at QuakeCon 2009, bringing you the event from a Non-Quaker (player), First Timer, and Girl perspective.

In this first post I’ll cover the basics: things you need to know/do to have a good time at QuakeCon:

  1. Know Your Venue. This year’s event is at The Gaylord. When looking at the complex, the event is located to the far left. Knowing this, you should aim for parking as close as possible. Unfortunately for most, the majority of available parking is located to the far right of the complex, in a multi-level garage.
  2. Don’t Go Alone. Bring a friend with you. Drop them off at the BYOC drop-off (far left of the complex, adjacent to the preferred parking lot that you won’t be able to use, because it will be full). Leave them (and all your gear) at the drop-off point.
  3. Park It If You Can. Now go find a parking space. On the parking stub, write the number/location of your vehicle and then take it with you. There is nothing worse than not being able to find your ride. Then schlep your butt all the way to the other end of the complex to meet your friend and your gear. Parking is $12. Mention you’re attending QuakeCon (when you leave) to score a 50% discount. Or better yet, wait until 11pm (when the garage is unattended) and you can exit for free.
  4. If You Pre-Registered. For first day attendees, those who pre-registered for BYOC were kings. Stand in the long line and wait your turn to get into the BYOC area. We waited (and did the equipment shuffle) about 2 hours. If you have any physical limitations, bring a fold up chair. Otherwise prepare to stand or sit on the floor as you wait your turn. As of this writing (Day 2) the line is super short.
  5. If You are not Pre-Registered (FCFS Wait List). Day 1: Hope you brought your own entertainment with you. Sit (on the floor) in a very long line and wait. And wait. Wait until 8pm. Wait until midnight. Then you get to join the fun. Day 2? Looks like humanity has returned to the QuakeCon staff.
  6. Inventory List. That piece of paper they gave you includes your inventory list. You can’t leave with your gear (when the Con is over) if you lose it. So don’t lose it. Once you find your spot, fold it up nicely and store it behind your badge.
  7. BYOC: Pick Your Spot. Don’t pick an area with no peeps in it. This will allow you to figure out (before you set up your gear) that there will be an asshole behind you who screams F**K at the top of his lungs (every chance he gets) to impress his friends. Also, try to pick a table that does not have a switch on it – it takes up valuable space and you need your space.
  8. Food and Drink. Hotel food is overpriced. No ice (or glass) is allowed on the Con floor. But you can stuff a cooler with gel packs with your fav non-alcoholic bev and store it under your table. Or leave the cooler in your ride – get up to stretch your legs once in a while and replenish your supply of caffeine.
  9. Socializing. It’s dark in here. Find your friends via phone or <insert fav social networking site here>. Walking around looking for them without a clue? Just think “Where’s Waldo?”.
  10. Schedule. Yeah, that schedule you printed before the Con started? It’s wrong. Check the online schedule for updates during the Con.
  11. Gaming. Wanna play QuakeLive? You’ll have to register with the internal version. The public version isn’t accessible from within the Con. Wanna play Steam? Hope you updated your games before you left for the Con. Set Steam to Offline Mode. This will force you to begin from the beginning of your games. Wanna play WoW? You should know better!
  12. Coming and Going. If you step away from your gear, lock your box. Remember where you’re sitting (write it on your badge if you suffer from short-term memory loss). If you have a bag/purse, expect it to be peered into every time you leave or enter the BYOC area. Trust me: this is a good thing and helps ensure your gear doesn’t go home with someone else. And make sure your mother does NOT come looking for you. They will announce your full name over the loud speaker (for instance: “Blake Holly, your mother is here for you.”). They may even announce it twice. Then everyone will erupt in loud jeers, ruining your social standing (if you had one) for the rest of your life.

I’ll be posting more about my first day at QuakeCon (and events for the rest of the Con) as they unfold. - Sweets Out

Twitter Stalk Daily – Redux

Remember the kid that hacked Twitter and was offered a job afterwards? It was April. Anyway, seems the hacking community gets a bit miffed when you hack and then become an attention whore. Just two days later I found the post below. Humorous!

Hacking the Hacker

Twitter Stalk Daily

Originally Posted on Google Blogger 04/14/2008

This past weekend Twitter users were treated to another worm. Aren’t worms fun? Not.

Here’s how it worked:

  1. Teenager creates Twitter Account for Bot.
  2. Bot follows tons of Twitter users.
  3. Users who have the “notify me when someone new follows” option turned on, get an auto email that includes a link to the follower’s Twitter page.
  4. Users who like to know more about who is following them, click the link.
  5. Link goes to follower’s Twitter page.
  6. Once on the Bot’s Twitter page, hidden code (in the color scheme of the layout) redirects the User to the Stalk Daily website. Note: Stalk Daily is a Twitter-like service created by a kid. Notice that the site looks very much like Twitter.
  7. Stalk Daily takes advantage of Twitter User, using cross-site scripting.
  8. Stalk Daily posts a tweet (in the User’s ID) to Twitter. The tweet says that Stalk Daily is a legitimate website. The tweet includes a link to the website.
  9. Other Twitter Users see the tweet (in the public timeline) and click the link.
  10. The circle of life is complete.
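Step 6 above is the foothold: a profile colour field that the page rendered into its markup without validation. The following is an added example, not code from the original post or from Twitter, showing a hypothetical profile renderer (function names and the hex-only allow-list are assumptions) that rejects anything other than a well-formed hex colour and HTML-escapes the free-text fields before they reach the page.

```python
import html
import re

# Strict allow-list for a profile colour: "#" followed by exactly 3 or 6 hex digits.
# Anything else (named colours, extra CSS, quotes, angle brackets) is rejected.
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

FALLBACK_COLOR = "#ffffff"  # assumption: the site default used when a value fails validation


def validate_color(value: str) -> str:
    """Return the colour if it is a well-formed hex value, otherwise the safe default."""
    value = value.strip()
    if HEX_COLOR.fullmatch(value):
        return value.lower()
    return FALLBACK_COLOR


def render_profile_vulnerable(name: str, bg_color: str) -> str:
    """The weak pattern: user-supplied values pasted straight into the markup."""
    return f'<div class="profile" style="background:{bg_color}">{name}</div>'


def render_profile_hardened(name: str, bg_color: str) -> str:
    """Validate the colour against the allow-list and escape the free-text name."""
    safe_color = validate_color(bg_color)
    safe_name = html.escape(name, quote=True)
    return f'<div class="profile" style="background:{safe_color}">{safe_name}</div>'


def raw_value_leaked(rendered: str, user_value: str) -> bool:
    """Crude check: did a user value containing markup characters survive into the output?"""
    return user_value in rendered and any(c in user_value for c in '<>"\'')


# Constructed sample inputs (not taken from the original worm), mapped to whether
# the allow-list should accept them.
SAMPLE_COLORS = {
    "#ff0000": True,
    "#FFF": True,
    "red": False,          # named colours are outside the allow-list by design
    "#ff0000;x": False,    # extra CSS after the colour
    '#fff" <': False,      # quote and angle bracket: would break out of the attribute
}

if __name__ == "__main__":
    for raw, expected_ok in SAMPLE_COLORS.items():
        weak = render_profile_vulnerable("bot", raw)
        hard = render_profile_hardened("bot", raw)
        print(f"{raw!r:14} accepted={validate_color(raw) != FALLBACK_COLOR or raw == FALLBACK_COLOR} "
              f"expected={expected_ok} leaked_in_weak={raw_value_leaked(weak, raw)} hardened={hard}")
```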

Thanks to @erickbrockway for sending me a copy of the Bot’s Twitter page for investigation.

To read more, click here.

I see smart kids who (because they lack effective parental oversight and/or are just plain bored) get into big trouble with the Feds.

Me thinks Mikeyy needs a spanking!

Hacktivism 101: Email Campaigns

Originally Posted on Google Blogger 04/02/2008

Most of you know that I love Twitter. The ability to converse with like-minded individuals (and those with other viewpoints) is a powerful enticement to participate in the global discussion.

Last December, during the Gaza Conflict, there were thousands of tweets representing both sides of the Gaza conflict. Some tweets linked to news sites that supported the Tweeter’s viewpoint. Some tweets were written to taunt and enrage others. And some tweets funneled our attention to rally, boycott, and activism-related sites.

What does this have to do with hacktivism? One recurring tweet directed me to the website of the Jewish Internet Defense Force. The JIDF regularly uses email as a means to fight anti-Semitic on-line content. Today’s blog post is about using email as an effective hacktivism tool.

According to their website, JIDF is “a nonviolent protest group [of individuals] who share concerns about anti-Semitic on-line content, as well as content which promotes terrorism on sites including FaceBook, YouTube, Wikipedia, Google Earth, Blogger, and other sites and forums throughout the Internet.”

JIDF is embroiled with FaceBook over several FaceBook pages that belong to known terrorist organizations. After notifying FaceBook that these pages appeared to violate FaceBook’s Terms of Service, JIDF found its own FaceBook account deactivated. After email protests by JIDF and its supporters, the JIDF account was reactivated. Since then, JIDF’s FaceBook account has been up and down more times than a Six Flags roller-coaster. The accounts of known terrorist groups remain intact.

In the JIDF vs FaceBook saga, email campaigns have proven to be ineffectual. To be effective, email campaigns must abide by 3 simple rules:

1) Target individual email accounts.
2) Be difficult for recipients to suppress.
3) Be performed by a coordinated multitude.

In my next blog post, I’ll cover these rules in detail and I’ll back them up with real world examples.

Hacktivism 101

Originally Posted on Google Blogger 02/24/2008

According to Wikipedia, “Hacktivism is the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.”

Using the definition above as a guide, I can say that: The Army of Davids is a group of individuals banding together to disrupt the on-line activities of individuals, groups, and organizations that support terrorism. We believe the use of legally ambiguous digital tools and electronically unethical methods is a justified means of fighting terrorism. The Army of Davids does not support the use of physical violence or illegal activities as a viable means to obtaining our goals.
 
Over the next several weeks, I’ll introduce you to the specific methods The Army of Davids will use to disrupt the on-line activities of individuals, groups, and organizations that support terrorism. These methods will include virtual sit-ins, domain/site adoption, electronic disturbances, direct interception/provocation, public awareness campaigns, and web site parodies. You will learn what to do, how to cover your tracks, the legal risks (both criminal and civil), and things to avoid. I’ll also include examples of others who have successfully (and some not-so-successfully) pulled off similar actions. Then I’ll let you know if The Army of Davids will be using that method and why.

After that, I’ll begin to post initial Operations. Operations are “plans to employ specific actions and activities towards specific targets”. The following template will be used for each operation:

  • Operation Name: Everything has got to have a name so we can communicate about it.
  • Operation Dates: The date the Operation will occur. Operations can be one day or many months long.
  • Operation Contact: Contact information for the person who will be directing the Operation.
  • Method: The method being used for the Operation. There may be one or more methods used.
  • Criminal Risk: What is the risk that someone will bring criminal charges against an Operation’s participants?
  • Civil Risk: What is the risk that someone will bring civil suit against an Operation’s participants?
  • Reprisal Risk: What is the risk that the Target will employ illegal means to seek revenge against an Operation’s participants?
  • Prerequisites: Essentially anything that needs to be done to (1) limit risks (2) maintain anonymity, and (3) ensure successful completion.
  • Target: Self-explanatory.
  • Background: Why? Why is this individual, group, or organization a Target? What info supports them being a viable Target? Where did I get my background info from? I’ll give you all the info you need to come to the same conclusion I did. And I’ll give you plenty of time to do your own research beforehand.
  • Footprint: Information about the Target’s electronic footprint. You’ll understand this one when you see it.

Thanks to everyone who has sent tweets and emails about The Army of Davids. Thank you for being interested in standing up and doing something about terrorism. And thank you for being supportive. We are individuals. But if we work together, we can slay the dragon. I just know we can!

I see smart people who have decided to use technology to do something about terrorism!

The Army of Davids

Originally Posted on Google Blogger 02/09/2008

A few days ago I sent a cryptic tweet that said “the first Army of Davids Event is coming soon”. I realized that, before creating the event, I might need to explain it to everyone. And that is the purpose of this post.

In 2007, Glenn Reynolds wrote an interesting book titled An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths. The title of the book adequately conveys its message, so I don’t feel the need to go into that detail here.

I got my first taste of the impact of social media during the Obama campaign. It was so successful that conservative republicans have galvanized on Twitter via the TCOT (Top Conservatives on Twitter) hash tag. That is supported by a TCOT website that provides social media mentoring to new members. All this – in an effort to get the conservative message to new audiences.

Next up was the Israeli Offensive in the Gaza Strip. This political hotbed generated a lot of tweeting. The #hamas, #gaza, and #israel hash tags were born in quick succession. The Israeli Consulate, the Israel Defense Forces, and other Israel position supporters began showing up on Twitter. A regular re-tweet directed supporters of Israel to a number of newly created pro-Israel websites. One of those sites even provided an aggregate of anti-Israeli news from around the world, coached supporters on how to create a proper response to negative press, and then managed who was responding to what! All this to counter the Hamas propaganda machine.

I think the use of social media to address political goals, sell a product, or gain supporters for a cause is awesome. The cause I am most passionate about is this: I’d like to make it hard for US-based websites that promote terrorism to exist.

Up to this point, I have (as an individual) located and footprinted a few of these websites. I’ve created false accounts on their forums, and posted tons of anti-terrorism messages. I know, it’s only a nuisance, but it was legal and [deeply] satisfying.

In many cases, I’ve discovered that the owner of the site is an American or is living in the US on a visa. It is disturbing to find “death to America” or “death to Americans” all over these websites – websites owned by people who are enjoying what our country has to offer.

After speaking to others about my passion and how I might disrupt these websites (i.e. become a nuisance to them so they will move along), I’ve come up with some good (and legal) ideas. Sure, they’ll just spend a few bucks and a few hours to create a new site. That’s OK – that is a few bucks they won’t have for weapons or bombs, and a few hours they won’t have to plot our demise. They create a new site and guess what? I find them again. And again. And again.

To effectively harass these sites, I will need an Army of Davids. I will need you. And this is what the Army of Davids Events are all about. I’ll send a tweet directing folks to my blog for event info. The blog will include the location of the site, the date and time of the event, and all the specifics.

What might an event be? Well, we might all decide to visit the same site at the same time. I sincerely hope the site doesn’t crash with all those visitors. You folks with FireFox need to watch your auto-refresh settings. We might camp the domain registration as it nears its expiration. Then swoop in and buy it up. We might fill up their message boards with tons of anti-terrorism posts. Or we might “out them” to the public via a coordinated propaganda campaign. There are tons of things we can do to mess up their day. Tons. Literally.

Am I supporting illegal activities? Heavens no. I am not planning on doing anything illegal. And I am not supporting illegal activities.

Will the terrorist supporters come after you? Each event will be structured to maximize your security and anonymity. All the risk is mine to bear.

When is the first event? I am currently researching several sites. Before I share anything with you I must confirm (beyond a shadow of a doubt) that the site is supporting terrorism, that the site is not a honeypot meant for terrorists, and that the site is not hosted by a third party – only then will I even consider planning the event.

Why am I doing this? Because I am sick and tired of no one doing anything about these sites. Plain and simple. If I could rid the world of these sites, I would. But I can’t. The most I can do is become an annoyance. Doing something, even a small thing, makes me feel better.

Just think of the fly that continually buzzes your face. Even though you know the fly can’t hurt you, you still desperately want it to go away.

Why should you join me? Because you are sick and tired of no one doing anything about these sites. And because maybe, just maybe, you’ll get a small measure of enjoyment out of it.

Welcome to the Army of Davids. I am CinnabarSweets, your Event Coordinator.

I see smart people who use technology to tackle big obstacles.

Disengaging the Disenfranchised

Originally Posted on Google Blogger 01/29/2008

One of the top stories on InformationWeek today concerned a “Fannie Mae Contractor Indicted For Logic Bomb”. The story goes on to state that “had the malicious script designed to wipe Fannie Mae’s 4,000 servers not been discovered, the company could have lost millions of dollars and a week’s worth of uptime”.

As I begin to read the story, I’m expecting to read about a hack that happened after the fact (after the Contractor left Fannie Mae). I would have then posted a blog about technically-able people who take revenge on the firms that let them go. Most of the blame would have been placed on the person who performed the hacking. I would have added some comment about how fast he got caught – proving his dismissal was well warranted, given his (obviously) inept technical skills. Unfortunately, that’s not what happened.

According to the story, the IT Contractor was terminated in the early afternoon. The reason for his termination? Earlier that month he created and deployed a script that changed server settings and he did it without the proper authority.

Anyway, after he heard he was being dismissed, he was allowed to return to his cubicle and work for the remainder of the day. Within a few hours, from his Fannie Mae issued laptop, he logged onto a development server (also in his cubicle) with his own user ID, gained root access, and appended malicious code into a (legitimate) server script. At the end of the day his laptop was turned in. Later that evening, his access was revoked.

In the end, the axed IT Contractor is at fault. What about Fannie Mae? Did they hold some responsibility in this fubar? You bet!

On how many levels did Fannie Mae screw up? Let us count the ways:

  1. Fannie Mae should have terminated all systems access prior to the termination action. If they had done this one step, the chances of an internal attack would have been severely limited. Given the reason Fannie Mae decided to terminate the IT Contractor, you’d think they’d at least be concerned about his having access to their systems.
  2. Fannie Mae should have confiscated all hardware immediately. People walk away with hardware all the time, especially when they leave a job. Hardware is an asset that needs protection – protection beyond the safety of the cubicle.
  3. Fannie Mae should have had a security guard accompany the Contractor while he gathered his personal belongings and left the premises. This one is a no-brainer. No one knows for sure how someone will react when they get the axe.
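The gap the story describes, between the termination decision and the evening revocation of access, is something a SOC can measure from its own logs. The following is an added example, not code from the original post or from Fannie Mae: it correlates a constructed HR termination record with constructed authentication log lines (host names, user name and timestamps are all invented) and flags every action the terminated account took before it was disabled, along with how long revocation lagged.

```python
from datetime import datetime

# Constructed sample events, loosely following the timeline in the story: terminated
# early afternoon, still working from the cubicle, access revoked that evening.
HR_EVENTS = [
    "2008-10-24T13:05:00 HR TERMINATE user=jdoe",
]

AUTH_LOG = """\
2008-10-24T09:12:41 host=dev-srv-07 user=jdoe event=login src=laptop-jdoe
2008-10-24T15:47:03 host=dev-srv-07 user=jdoe event=login src=laptop-jdoe
2008-10-24T15:49:30 host=dev-srv-07 user=jdoe event=sudo cmd=/bin/sh
2008-10-24T15:52:10 host=dev-srv-07 user=jdoe event=file_modify path=/opt/scripts/maint.sh
2008-10-24T16:01:00 host=dev-srv-07 user=asmith event=login src=ws-42
2008-10-24T19:30:00 host=idm user=jdoe event=account_disabled
"""

PRIVILEGED_EVENTS = {"sudo", "su"}  # events that indicate root-level activity


def parse_kv(line):
    """Parse '<iso-timestamp> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_hr(lines):
    """Map each terminated user to the time the termination decision was recorded."""
    terminations = {}
    for line in lines:
        ts, _source, action, user_field = line.split()
        if action == "TERMINATE":
            terminations[user_field.partition("=")[2]] = datetime.fromisoformat(ts)
    return terminations


def revocation_lag(records, user, terminated_at):
    """Time between the termination decision and the account being disabled (None if never)."""
    for rec in records:
        if rec.get("user") == user and rec.get("event") == "account_disabled" and rec["ts"] >= terminated_at:
            return rec["ts"] - terminated_at
    return None


def post_termination_activity(auth_text, terminations):
    """Every action a terminated account took after the decision and before it was disabled."""
    records = [parse_kv(line) for line in auth_text.splitlines() if line.strip()]
    findings = []
    for user, terminated_at in terminations.items():
        lag = revocation_lag(records, user, terminated_at)
        disabled_at = terminated_at + lag if lag is not None else None
        for rec in records:
            if rec.get("user") != user or rec.get("event") == "account_disabled":
                continue
            if rec["ts"] >= terminated_at and (disabled_at is None or rec["ts"] < disabled_at):
                findings.append({
                    "user": user,
                    "ts": rec["ts"],
                    "host": rec.get("host"),
                    "event": rec["event"],
                    "privileged": rec["event"] in PRIVILEGED_EVENTS,
                    "revocation_lag": lag,
                })
    return findings


if __name__ == "__main__":
    for f in post_termination_activity(AUTH_LOG, parse_hr(HR_EVENTS)):
        flag = "PRIV" if f["privileged"] else "    "
        print(f"{flag} {f['ts'].isoformat()} {f['user']}@{f['host']} {f['event']} "
              f"(access revoked {f['revocation_lag']} after termination)")
```

A lag of zero, with the account disabled before the termination meeting, is the state the first item in the list above calls for; anything else is a window this report fills in.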

Three simple things that would have prevented this threat. Of course, we haven’t even looked at the reason for his termination. Sure, the IT Contractor pushed code to Production without permission. Shame on him. But shame on Fannie Mae for not having adequate controls in place to prevent developers (or other unauthorized folks) from making changes to Production.

What I find strange about the whole thing (and what, quite frankly, disgusts me) is that Fannie Mae is a public company, subject to SOX compliance. Everything I’ve outlined above would be rudimentary in a healthy SOX environment. So how the heck did they pass external/internal audit?

If the logic bomb had wiped out 4000+ servers, it would have cost Fannie Mae millions. The root causes of this threat sit squarely in Fannie Mae’s lap.

I see dumb companies that don’t know the first thing about disengaging the disenfranchised.

Case File: Mazin Qumsiyeh

Originally Posted on Google Blogger 01/14/2008

The Israeli operation in Gaza is a common topic on social media networks. Sites like Twitter provide supporters of both sides the opportunity to debate the issues and express their views. Tweets reporting the latest news fuel the constant debate. Some tweets share links to websites that support either side of the debate. A recent tweet linked #gaza hashtag readers to www.boycottisraeligoods.org. This site provides lists of companies that have invested in the Israel market or do business in Israel, and Israeli products.

I learned about the site when a fellow (pro-Israel) Tweeter sent me a link and asked me to support the businesses and products on the list. I think it’s brilliant to use an anti-Israeli site, for pro-Israeli purposes! That may be the subject of a future blog. Being the curious person that I am, this blog is about what I found while investigating the origins of the site.

A quick whois search on the Public Interest Registry provided the site’s registrant: Mazin Qumsiyeh. I would post his current location info and email, but that would be unfair to him. I don’t like what I’ve read about this person, but he is a human being and his safety and privacy are paramount.

My friend (and yours) Mr. Google provides the mother-lode of info on Qumsiyeh, including:

The 2003 Yale Herald article “When Free Speech Costs a Career” covers Qumsiyeh’s downfall as a Yale Associate Professor of cytogenetic services. Qumsiyeh, “born a Lutheran in Palestine… was working as the national treasurer of Al-Awda, the Palestine Right to Return Coalition”, when he “sent an email to a Yale anti-war group listing the membership roster of the Yale Friends for Israel and labeled it a ‘pro-war cabal’.” The resulting controversy surrounding Qumsiyeh’s extreme opinion, expressed so publicly, was likely the cause for Yale’s failure to renew Qumsiyeh’s contract in 2004.

Unfortunately his profile is still available on a Yale Department of Genetics website. They really should clean up their websites; aren’t they supposed to be smart?!?!

A Front Page Magazine article “A Tale of Two Palestinians” includes this summary of the Yale debacle: “In May of 2003, Dr. Qumsiyeh was embroiled in an unauthorized abuse of the email system at Yale with overtones of anti-Semitism that roiled the campus for months. In November, 2004, Qumsiyeh was a prominent speaker at a memorial held in New Haven in honor of the late Palestinian terrorist leader and renowned murderer, Yasser Arafat. Last October at Duke University during a controversial Palestinian Solidarity Movement conference held there, investigative journalist Lee Kaplan heard Dr. Qumsiyeh say that ‘Zionism is a disease.’ Qumsiyeh, according to Kaplan’s account, ‘denounced the Jewish state’s existence and cited texts that he claimed proved “Nazi-Zionist collaboration existed during the Holocaust.”’ He also stated that all Jews must leave the land of Israel while claiming to abhor nationalism of any kind.”

If you’ve ever wanted to put a face on the anti-Israeli side of the events in the Middle East, and indeed, the world…let that face be Qumsiyeh.

I see the enemy. He is in plain sight – blinded by loyalty born not of reason, but of fanatical racial hatred. The enemy is an idiot.

Texas PI Licensing for Techs

Originally Posted on Google Blogger 12/23/2008

Ever since the news reported a change in Texas Private Security legislation, sensationalized news reports said computer techs, security folks, and almost everyone else that was going to touch a computer they didn’t (themselves) own – needed a PI License.

In my own household the topic has come up many times. Unfortunately, there are several laws on Texas books that are ambiguous, misleading, or downright contradictory. The Texas Private Security Bureau made a small wording change and an epidemic of panic (fueled by the media) began.

The outrage from the CyberForensics/Security area focused on:

  1. Fear that Joe Gumshoe would suddenly claim expertise in data forensics.
  2. Fear that Joe Forensics would have to spend 3 years with a PI firm in order to be granted the PI credential.

The TPSB has been inundated with calls about this law and its requirements since the day the change was publicized. Enter the Texas Association of Licensed Investigators. The TALI has been working with the TPSB on clarification of the requirements.

I’ve spent some time reading meeting minutes from TPSB and TALI. A suggestion was made that the definitions and requirements need to be redressed.

In short, as technology becomes evidence in more civil and criminal cases, it is important that guidelines (and laws) regarding evidence collection, investigation, processing, handling, and storage be followed. Law Enforcement Officers and Private Investigators have received training in this area and are certified on that knowledge.

I believe that the law was changed because someone wanted to make sure that those that collect technological evidence know and follow the same guidelines.

Keeping that in mind, let’s break it down:

  • Working on technology with the goal of evidence collection? PI license required. That one is easy.
  • Working on technology with the goal of repair/installation/whatever? PI license NOT required. Another easy one.
  • Working on technology that has the potential to end up as evidence in a criminal or civil case? PI license required. This is where we have to actually do some thinking.

So…

Legal Department asks you to pull email records of an employee. You ask if there is ANY CHANCE the info will be used in a criminal or civil case. If the answer is Yes or Maybe, PI license required.

You work in IS Security and notice an employee is downloading child porn. You are required (by law) to report contraband and you can assume there is a reasonable chance that the data/hard drive will end up being confiscated by LEOs. You need a PI license to continue your investigation.

You work in Networking and see that an employee is violating your company’s acceptable use policy. As far as you can see, there are no legal violations. What do you think? For me, I’d stop and report what I found. Because there is a chance that the employee could be fired – there is at least some residual chance that a civil suit (for wrongful termination) may follow. I’d go ahead and assume that the computer in question may come into play in a court case. I’d need a PI license to secure/take it into evidence.

Legal Disclaimer: I am NOT a security or legal expert. This blog contains my personal opinions and should not be construed as fact or used as a basis for your future actions.

I see dumb people who STILL need to change the PI Licensing Requirements to meet the needs of CyberForensics Professionals.
