The following are my notes from the event, sorted by each speaker:

Richard Clark

Most companies that have any intellectual property (IP) of value have already been victims of cyber espionage and that their IP has been looted.  He referenced a report released by Verizon (which I can’t find anywhere) that supposedly discusses data theft.  Apparently Verizon approached a bunch of companies to inform them of malicious activity and over two-thirds of the companies that they approached didn’t know about the malicious activity.

The prospect of cyber war is remote.  Nations do not just attack because they have a new offensive weapon that they want to try out.

If there were an attack today, a sophisticated adversary could:

• derail trains;
• blow up refineries;
• blow up natural gas refineries; or
• knock out air traffic control systems.

Cyber war to him means a cyber attack that causes damage that a bomb would cause.

Russia & China have no incentive to use cyber war against us unless they were going to attack anyway.

He worries about Government of Iran or North Korea because they are not as dependent on the world economy as most advanced countries.

Cyber security legislation is hopefully coming but that we need to overcome partisan politics and get something done.

We need to engage Internet Service Providers (ISP) and give them safe harbor to look for evidence of attacks and stop them.

Michael Hayden

ARPANET was the bloodline for the Internet but it was built on trusted nodes.  Today’s Internet has many more nodes and most are not trusted.

We are moving in the right direction with the creation of US Cyber Command but we are unable to deploy our defenses because of a lack of policy and legal guidelines, so we pull our punches.

Bill Lynn wrote an article in Foreign Affairs about “cyber” being a domain which we must be prepared to defend.  It is a DoD concept.  Most commercial companies aren’t looking at cyber as a domain yet.

He went to a hacker conference and spoke and said that “cyber” is comparable to European man’s discovery of western hemisphere.  After his speech he was approached by someone who said that it is comparable to the human development of language.  He agreed with the person.  Cyber is changing human cognition.

Vocabulary is being used from other areas but it doesn’t translate over.

• Deterence – sounds nice but requires attribution.
• Privacy – we don’t even have a concept for what constitutes legitimate privacy in cyber.

We need to develop policy or our cyber capacity will be useless.

The private sector is not much better.  Often security is looked at as “additional” or something you bolt on.  It needs to be included as part of the process.

Jeff Carr

Just returned from India where he met with Indian Government Officials who were worried about China and Pakistan.  Indian Government doesn’t trust private industry because of their motives.

The title cyber warfare was used on his book but he doesn’t like the term.

We need to rethink war.

China is engaged in ultimate war.  A war where they move forward and gather leverage on their foes without shedding a drop of bloodshed.  Cyber has given them this ability.

China is engaged in theft of intellectual property.

They encourage research and development companies to come to China and then require that communications be monitored and supervised.

In 2002 there were 100 R&D labs.
In 2007 there were 1200 R&D labs.

There has been a 500% increase in Chinese patents in recent years.

Russia is now following the same tactic.  They are building an R&D area supported by Intel and others to attract foreign companies to Russia.

In Russia, FSB has power to review source code or have source code added – all in the name of national security.

We don’t recognize these efforts by Russia and China as warfare but they are achieving a national political goal without bloodshed.

Remember the data breach relating to the F35 contractor.  Apparently now there are fewer orders for F35 because customers are saying that Chinese anti-aircraft technology has advanced so much that it isn’t worth the cost of the F35.

Russia is different from China in that Russia has used cyber along with kinetic force.  He mentioned:

• Chechnya
• Kyrgistan
• Estonia

Russia works with organized crime to use their platforms to engage in cyber activities.

Russia is also playing hard in technology development and social networks.  DST (Russian investment firm with links to the Kremlin) now has a 10% share of Facebook.

DST has become the venture capitalist of choice in silicon valley due to their lenient lending.

END

The notes above are my attempt at paraphrasing what was actually said by the speakers.  The event was recorded so it should be available in its entirety through Georgetown’s web site.

This is the first time that my collection of AV products (MalwareBytes, McAfee, and Microsoft Malicious Software Removal Tool) were not up to date on a threat so I was forced to deal with it myself.

See VirusTotal for my entry.

The file hijacks the user’s ability to get access to the Internet via browsers like Microsoft IE and Firefox.  I only have those two but I assume it stops others too.

It also blocks the ability to use utilities such as PING and CMD.exe but doesn’t work if you have rename the utilities.  I renamed my command prompt file to “special.exe” and was able to get command prompt access.

The file also uses a batch file to try to delete itself but it wasn’t too successful.

It start out trying to trick the user into thinking that Microsoft Security Essentials is installed and has caught the file.

If you select “clean computer” or “apply actions” you get the same result…

After you choose “Scan Online”, it goes through the motions of making you think that you are getting your file scanned but I did this in my VM on “host only” and got the same result.

The result is what appears like a successful scan.  Of course only a few AV vendors have discovered this variant and now offer you free access to their products.  At this point, you have the option of downloading their files for free and your system will reboot automatically.

The file is packed with UPX but I was able to dump out the unpacked version of Ollydbg easily.

It also beacons out to www.stopbadware.org but didn’t issue a “GET” request.

The company name shows as “Mouskit AG” which also shows up in other FAKEAV files.

I was able to run Process Explorer and kill it outright. It didn’t come back and didn’t seem to have persistence. Also, it only resides in user profile so I was able to use other profiles on my PC to get files I needed to get rid of it.

When I first submitted it, only two AV had seen it so I pushed it to McAfee via email.

It is my understanding that the entirety of this program was captured on video and will be available for review.  Select here for a copy of the agenda.

Congressman Nadler gave the opening keynote and spoke of his bill HR 984 which he hopes will reform the use of the state secrets privilege.

This was a very enlightening discussion.  I recommend taking the time to watch the video of the panels.

The following were note worthy (to me):

• Laura Donoghue (from Georgetown) is writing a book on history of the use of state secrets privilege;
• Obama administration has new procedures for deciding when to invoke the state secrets privilege.  They ran their process against cases in the system now and all of them would have passed under their new procedures.  To me this says that the Bush administration use of the state secrets privilege was probably legitimate (contrary to popular opinion of many);
• According to one panelist, the US didn’t assert state secrets privilege on NSA Terrorist Surveillance Program (TSP) cases;
• Oral argument on Jeppesen to be heard by 9th Circuit on 15 December 2009; and
• IG report on TSP was released in July 2009.

Overall, (I believe) all that attended agree on the following:

• The state secrets privilege is a legitimate and necessary tool to keep classified information from getting into the public record;
• There is a need for more standards and/or guidance for courts to handle the privilege in a consistent way;
• Need to consider alternatives to just dismissing cases that can’t sustain state secrets privilege invocation; and
• We need to be careful how we reform SSP since it could lead to an appearance that we are telling the courts how to run or even that there is a hit on executive power.

The following podcast links are from the ABA Standing Committee on Law and National Security web site.  I highly recommend watching the panel on “Modern Piracy”.

Podcasts

• Opening Remarks – Carolyn Lamm
  Panel I – Executive Update on Developments in National Security Law
• Panel II – Legislative Update on Developments in National Security Law and Keynote Address – Hon. James B. Steinberg
• Panel III – Emerging Issues in National Security Law: Narco-Violence Along the Border
• Friday Opening Remarks – Professor John Norton Moore
  Panel IV – Modern Piracy: Legal and Policy Options
• Panel V – Military Commissions
• Panel VI - Cyber Security and Cyber Warfare

Over the course of two days, I noted the following which I found interesting enough to mention here:

• General Counsel for DHS was the only one in the first panel discussion one to mention cyber security as a top issue.
• When topic of interaction between Title 10 & Title 50 came up during the first discussion, many of the panelists had very little to say (as if they were avoiding it).
• According to Martin Murphy, modern piracy should be viewed as an organized crime problem.
• Based on the comments by the shipping industry representative, shipping companies do not consider piracy an issue because they can just avoid the area or pay the ransom and there is very little impact on cost.  Mostly a personal safety issue of employees.
• There are forty threshold legal issues associated with cyber strategy.
• According to FBI rep at the cyber panel, hackers are targeting law firms and public relations firms.  Since this conference there have been a number of stories that have come out about this statement.
• Someone in the crowd stood up and said that Raytheon had been penetrated by known foreign power.  I can’t find anything in open press to support this statement.

According to Mikko Hypponen,  Twitter suspended his account (@mikkohypponen) and removed all his tweets without notice or explanation.  After a short period of time, Twitter finally reactivated his account with the following accompanying statement.

“ I’ve unsuspended your acct.
You were suspended for using the malware URL rnyspeceDOTcom in DMs.
Be careful!
We scan evrythng for malware.“

Based on this statement, it appears to me that Twitter believes Mikko was distributing a malicious link and Twitter must have felt that they would be at least partially on the hook for his actions.

This seems directly in contrast to what they state in their terms of service.

Under the heading “Basic Terms”, it clearly is speaking to users who post content when it states the following:

“You are responsible for your use of the Services, for any content you post to the Services, and for any consequences thereof. The Content you submit, post, or display will be able to be viewed by other users of the Services and through third party services and websites (go to the Account Settings page to control who sees your Content). You should only provide Content that you are comfortable sharing with others under these Terms.”

The portion about being comfortable sharing is a little wiggly since it is rather subjective (apparently Mikko felt comfortable sending it out) but the rest of it seems pretty straight forward and clear (at least to me).  They are stating in pretty direct terms that they are not responsible.

Under the heading “Content on the Services”, it states:

“All Content, whether publicly posted or privately transmitted, is the sole responsibility of the person who originated such Content. We may not monitor or control the Content posted via the Services and, we cannot take responsibility for such Content. Any use or reliance on any Content or materials posted via the Services or obtained by you through the Services is at your own risk.

We do not endorse, support, represent or guarantee the completeness, truthfulness, accuracy, or reliability of any Content or communications posted via the Services or endorse any opinions expressed via the Services. You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive. Under no circumstances will Twitter be liable in any way for any Content, including, but not limited to, any errors or omissions in any Content, or any loss or damage of any kind incurred as a result of the use of any Content posted, emailed, transmitted or otherwise made available via the Services or broadcast elsewhere.”

This throws me for a loop, when they say “We may not monitor or control the Content posted via the Services and, we cannot take responsibility for such Content”.  Based on the response to Mikko regarding why his account was suspended, they do appear to be monitoring or they would not have suspended Mikko’s account based on a scan of the link.

Under the heading “Restrictions on Content and Use of the Services”, it states:

We reserve the right at all times (but will not have an obligation) to remove or refuse to distribute any Content on the Services and to terminate users or reclaim usernames.  Please review the Twitter Rules (which are part of these Terms) to better understand what is prohibited on the Service.”

Based on “Twitter Rules“, under the heading of Malware/Phishing, “You may not publish or link to malicious content intended to damage or disrupt another user’s browser or computer or to compromise a user’s privacy.”

Based on my review of the tweet that got Mikko into trouble with Twitter, he did not provide a functional link but rather a domain name reference.  To further show that he attempted to dissuade casual visitors from going to that site, he included a warning to not visit the site.

With all this mess, it makes me wonder if Twitter will issue some revisions to its policy and rules.

I guess this throws a wrinkle into the argument that nobody takes Tweets seriously, at least Twitter does.

This action comes one day after someone posted a null-prefix certificate on the full-disclosure mailing list.  The concept of this hack was introduced by Moxie Marlinspike this summer in Las Vegas during Black Hat and then again at Defcon 17.  I happened to have attended his brief at Black Hat and remember the buzz that resulted from his presentation.  The effect of the disclosure seemingly lost some of the shock factor after Dan Kaminsky gave a presentation where he discussed this same vulnerability.  Mr.  Kaminsky commented that he had reached out to certificate authentication authorities.  So why does this problem still exist and more importantly why is a chilling action being taken against a security researcher, again?

This seemingly retaliatory action against a security researcher is not the first of its kind.  In 2008, three students at the Massachusetts Institute of Technology (MIT) were put under a gag order after it was discovered they were going to give a talk at DEFCON 16 that would reveal vulnerabilities in Boston’s transit fare payment system.

Electronic Frontier Foundation (EFF), who defended the MIT students, were able to get a positive result for the three students but the problem of chilling researchers still exists.  EFF’s Coder’s Rights Project was established to defend researchers during these types of situations.  While they do great work, it is not a long-term solution.  We need something more concrete that can scale and be available to all researchers.

I propose creation of a safe harbor system where security researchers can reveal their findings to an objective third party (possibly US-CERT) prior (maybe 30 days) to publishing them to the public and in exchange receive some benefits and legal protections.

Without such a protection mechanism, security researchers will continue to be threatened by potential chilling effects that come with revealing vulnerabilities to the public.  In an age when cyber security is making the nightly news and is widely considered one of our greatest national security problem sets, we have a system that provides an obstacle to security research.

I am looking forward to discussion of this proposal and moving forward with trying to establish protections for security researchers.

Because I was hand writing my notes, I didn’t get a chance to get full quotes so much of this is paraphrased… so please do not take any of this as scripture.  I just wrote down the comments that caught my attention.

The speakers on the panel were as follows:

Gen. (Ret.) Michael Hayden
Former Director, National Security Agency and Central Intelligence Agency

Dr. James Lewis
Senior Fellow, Center for Strategic and International Studies

Ms. Suzanne Spaulding
Principal, Bingham McCutchen Consulting Group

Ms. Siobhan Gorman
National Security Correspondent, The Wall Street Journal

Mr. Amit Yoran
CEO, Netwitness; Former Director, U.S. Computer Emergency Readiness Team

Mr. Wes Spain
Program Director for Intelligence, Lawrence Livermore National Laboratory

The panel discussion started with each speaker having a few minutes to give their remarks. After the entire panel spoke, the crowd was permitted to ask questions.  I didn’t type out the questions and responses so you will have to watch the video for those.

Michael Hayden began the discussion stating that the problems of cyber are “really hard” and challenging.  He began thinking about cyber while leading another command prior to NSA.  He mentions the law of the seas and how it took the world almost a decade to get that right and there were years of experience and history from which to draw.

We currently have a lack of adequate laws and policies and consequently our practices are outstripping policy and actions are almost legitimized as we go along.

Regarding cyber policy, it has been tried before (even before George Bush started it).  During the last days of the Clinton campaign, Dick Clark, released a policy and it was dead in 36 hours.

NSA is the center of expertise for this area but because of previous negatively perceived incidents involving NSA many are nervous about their involvement.

James Lewis spoke second.  He started off by stating how he believed that Gen. Hayden was the greatest NSA Director.

He does not believe that the problem of cyber is a technology problem but a law and policy problem.  Due to our history as a nation, we have legal and political impediments that other nations do not have.  We care about freedom of speech and privacy where other countries have them lower on their list of concerns.

Nation states active in malicious cyber activity are conducting what is called a hybrid war (where you avoid direct military confrontation with US).  Many are staying just below the threshold.  He believes this has been going on for a while and references how in 1984 the then KGB hired German hackers.  I believe this is a reference to “The Cuckoo’s Egg” written by Clifford Stoll.

These types of attacks can get adversary’s the kind of information they desire and they are hard to attribute to the offending nation or actor.

He also believes that there are two ideological tides that push against progress.  One is the thought that the market will solve everything.  Those people don’t want the U.S. Government to be involved in cyber security.  The second is the thought that the Internet is some clean beautiful place and having U.S. Government involvement will only mess it up.

He believes a cyber September 11th scenario would get the kind of political will it takes to get moving at the right speed.

Suzanne Spaulding began by stating that she believes there is a “who goes first” problem occuring.  Lawyers want to know the goals and policymakers are asking the lawyers for what they can do.  She believes the biggest challenges relate to secrecy.  Democracy doesn’t function well with secrecy.  It is not just the U.S. Government that is being secretive, U.S. companies are also playing that game.  She would like to have an open discussion where we can make an informed decision.

Siobhan Gorman (formerly of the Baltimore Sun) is concerned about transparency.  She stated that it is easier to get details about a terror cell than to get details from officials about cyber security.  This is a problem when the average person doesn’t feel that it has an impact on them.  The closest the general public gets to the problem is identity theft.  Despite the lack of awareness, the problems are there.  According to her, GSA has a report out that states that 20 of 24 agencies have problems securing information.  DHS system called Einstein will not be online fully for another year and a half.

Impact of companies not reporting security breaches is also contributing to a lack of information and understanding of breadth of problems that are out there.

Amit Yoran, who is part of the commercial sector, believes that the nuances of cyber are phenomenally complex and that law and policy are having problems keeping up.

He believes that the future of the national defense posture is going to be the ability to be offensive in cyberspace.  He sees the cyberspace problem as more of an economic issue than a national security issue.  He concurs with the sentiment about transparency and argues that the reason the commercial industry has not solved the problems is because of the lack of transparency into the activities of national security related breaches.  He mentioned two FBI statements relating to cyber.  The first is that more money is being made by cyber criminals than drug traffickers.  Compromised systems become a commodity on the cyber market.  The second statement relates to the fact that some 100 nations now have offensive cyber operations.

Wes Spain believes it is a significant threat and is concerned with lack of U.S. Government leadership.  He believes it is a problem of predictable surprise.  Leadership is aware of the problem (and it is only getting worse) but not enough is being done.  He believes that it is a technological and law/policy problem.  He also concurs with Mr. Lewis that we will need a significant catalyst.  It is a risk management issue.  We need to get cyber security on the same plain with physical security.  Nobody argues about having physical security because they understand there is a threat.  When you walk in a tough neighborhood, you understand where you are and that you may have physical security concerns but when you get on the Internet, there is no sense of a threat.

The following are the what I took from the discussion:

• Need more transparency (from U.S. Gov and U.S. businesses);
• Need to get public awareness of the threat – don’t wait until it is too late.  There are already some good examples that could do the trick (GhostNet & SCADA);
• DHS has the authority and NSA has the know-how – need to get them working together better (FAA & NORAD work together fine for air traffic control issues – why can’t it be done with DHS-NSA for cyber security);
• Need broad law and policies because law & policy are not as reactive as technology;
• There is a current active conflict taking place in cyberspace where nation state actors are acting just below the threshold;
• Need to make a value proposition for market place to take part and be willing;
• If you involve companies, make sure you have the political will power to sustain your position (don’t let them get exposed to market penalties because the will to support them has changed).  I am guessing this is a reference to the telecom immunity and how now there is a movement to repeal the immunity; and
• We need a forum to discuss cyber problems.  China suggested the G20.  Need to have a place to do it.

The Court takes an opportunity to avoid the issue by relying on perceived problems in the pleadings.

The dissent by Justice Souter is a good read and really does a good job of highlighting the problems in the Majority opinion.  I particularly like how they key in on the fact that Ashcroft and Mueller conceded in their petition for certiorari that they would be liable if they had “actual knowledge” of discrimination by their subordinates and exhibited “deliberate indifference” to that discrimination.

There is a strange reference made by the Majority when they seemingly try to justify the “disparate, incidental impact” on Arab Muslims by saying “the September 11 attacks were perpetrated by 19 Arab Muslim hijackers who counted themselves members in good standing of al Qaeda, an Islamic fundamentalist group.  Al Qaeda was headed by another Arab Muslim – Osama bin Laden – and composed in large part of his Arab Muslim disciples.”

I agree that most of the attackers were Arabs but from what I found, not all of them were Arabs.  It is  probably an oversight but could be perceived the wrong way.

This case will certainly be discussed if we ever see any litigation involving CIA (allegations of torture) or NSA (allegations involving surveillance).

http://tinyurl.com/rxh3dk (via @PrivacyProf)

I am very surprised that this has not taken off in other states… considering all the identify theft that occurs with banks & credit card companies getting hacked.