- Non-nation state actors now pose a significant threat to nation states
- Historical threats usually associated with bad nation states can now be executed by non nation-states
- The Industrial Era was about a consolidation of power; in the past only the Government could run something as complex as a phone network
- In a Post-Industrial Era, it’s about the decentralization of power; today, modern economies privatize and decentralize important things like the phone network. (my comment: The internet is the epitome of this, a fully decentralized network controlled by no single entity)
- American Foreign Policy, Power Projection and Defence have been fully focused on hard power against nation states (hard power = men with guns)
- In order to address the threat of non nation-states, the US government has pivoted its attack vectors and tactics
- Yesterday : Killing someone from a foreign army in a designated war-zone
- Today : Drone Strikes on enemy combatants that aren’t fully recognized
- Yesterday : Capturing Foreign combatants and imprisoning them
- Today : Guantanamo
- Yesterday : Intercepting enemy communications, disabling and sabotaging
- Today : Programs that Edward Snowden revealed
- (my comment: I don’t think the full surveillance of domestic internet traffic was a good idea)
- We’re seeing the melting down of Post WW2 and Post WW1 global order, and maybe even the breakdown of Westphalian nation-states…ISIS is a response to Westphalian ideas of separation of church and state.
- There is a fundamental similarity between what Christian Europe faced in the 16th-17th century and what the Middle East faces today: both sides are debating the relationship between religion and power.
- Christian Europe had the answer of separating them—we call this separation, modern!
- No guarantee that Islam in the Middle East will come to the same conclusion, i.e. they may never become modern.
- Less important stuff about nuclear power, about how Russia is adopting a nuclear-first option and considering it de-escalatory. And Hayden doesn’t like the Iran Deal, and is not a big fan of Pakistan.
- American foreign policy makers like Hayden are more concerned with Chinese failure than with Chinese success. Political, economic and social factors may hamper the growth of China, but a failure of the regime is going to be a massive problem for the world, while a success for China would have a relatively smaller impact that can easily be folded into the world order.
- The Chinese claims along the 9-dash line are a nationalistic approach to remedying the economic slowdown (Hayden’s opinion); what’s more interesting is that this is a diplomatic error, and ASEAN countries are running back to America to balance China’s power.
- Fundamentally though, China has no reason to be an enemy of the US
- His last slide on American foreign policy, the 4 different president types, as a fan of Wilson and a World War 1 history freak—that was awesome!! I think it is one of the best historically precise frameworks for understanding US foreign policy that isn’t based on just the last 20 years
- Only one country supports targeted killings by the US—Israel.
This week, I’ll put the final touches on my move from Malaysia to Singapore.
So, I felt it would be a good idea to read through some Singaporean tech articles to see how tech events played out on the little red dot, and offer some unsolicited and completely useless advice on them.
It wasn’t easy sifting through a boat-load of gadget reviews masquerading as tech journalism (I guess some things are the same in every country), but underneath the hundreds of phone reviews and fiber broadband comparisons, I found a little interesting report on illegal downloads.
The Singapore Straits Times reports that:
A local law firm that started proceedings to go after illegal downloaders in Singapore on behalf of two Hollywood studios said it will cooperate with the local authorities to ensure no abuse of process.
It follows a rare intervention by the Attorney-General’s Chambers (AGC) in civil applications made by Samuel Seow Law Corp (SSLC) in the High Court last month.
“We will work with the local authorities to ensure that there will be no unnecessary alarm to consumers who receive the letters of demand we plan to send out,” Mr Samuel Seow, managing director of SSLC, told The Straits Times yesterday.
This is just a re-hashed version of what happened last year in Singapore, when the same law firm went after downloaders of another movie; the difference is that this time they’ll be doing it under the watchful eyes of the AGC.
There is something to be said here about copyright-trolling, the abuse of power and the bullying tactics usually involved. But, we’ll leave that discussion for another day.
Today, I want to explore a little bit about anonymity and how many people have a mistaken notion about what it is.
You’ve probably heard of the hackers who almost got away with $1 billion, only to be thwarted by a typo. (if it weren’t for those meddling keyboards!)
What you probably didn’t hear was that they had already wired $100 million to themselves, and are assumed to have pocketed anywhere from $21 million to $81 million in cold hard cash.
Sure, billions is more than millions, but a single hack that returns $21 million is a good pay-day by anyone’s standards.
The group managed to hack into the Bangladesh Central Bank and gained access to specific machines on its network. From there they wired payment instructions over the SWIFT network to transfer nearly $1 billion in cash, all from a bank with just $28 billion in foreign exchange reserves.
These were not 2-bit hackers foiled by typos; this was a well-targeted attack that would probably have happened even if the bank had upgraded its switches from $10 D-Links to $100,000 Cisco routers. It wouldn’t have made a difference. The BAE report on the breach made for some interesting bed-time reading, but what really struck me was that the hackers were smart enough to suppress print-outs of confirmations, thereby ensuring no bank employees knew of the breach.
Each payment instruction generates a paper print-out for employees to verify physically, but because that print-out was generated by the same compromised software, it was trivial to suppress.
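The control that failed here was a confirmation produced by the same software the attackers controlled. As an added example (not code from the post or from the BAE report), the Python below reconciles outgoing payment instructions recorded at an independent vantage point, assumed here to be a network-side gateway log, against the print spooler's record of confirmation print-outs; the log format, field names, references, amounts and timestamps are all constructed for illustration.

```python
"""Reconcile payment instructions against confirmation print-outs.

Constructed example. The gateway log stands in for a record the compromised
workstation cannot edit (it is written by a different host); the print log is
the spooler's own record. Any instruction that left the bank without a
matching print-out is exactly the condition the attackers engineered.
"""
from datetime import datetime

# Constructed sample logs: "<ISO-8601 timestamp> <VERB> key=value ..."
GATEWAY_LOG = """\
2016-01-01T20:15:31Z SENT ref=TRX0001 amount_usd=1500000
2016-01-01T20:17:02Z SENT ref=TRX0002 amount_usd=8200000
2016-01-01T20:19:45Z SENT ref=TRX0003 amount_usd=3000000
2016-01-01T20:21:10Z SENT ref=TRX0004 amount_usd=6000000
"""

PRINT_LOG = """\
2016-01-01T20:15:40Z PRINTED ref=TRX0001 amount_usd=1500000
2016-01-01T20:21:20Z PRINTED ref=TRX0004 amount_usd=600000
"""


def parse_log(text, verb):
    """Map message reference -> (timestamp, amount) for lines carrying `verb`.

    Malformed lines are skipped rather than raising, so one bad record does
    not stop the whole reconciliation run.
    """
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != verb:
            continue
        try:
            ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
            kv = dict(field.split("=", 1) for field in parts[2:])
            records[kv["ref"]] = (ts, int(kv["amount_usd"]))
        except (ValueError, KeyError):
            continue
    return records


def reconcile(sent, printed):
    """Compare what actually left the bank with what staff were shown.

    Returns a dict with three findings:
      missing    - refs sent with no confirmation print-out at all
      mismatched - (ref, sent_amount, printed_amount) where the two differ
      orphan     - print-outs for refs the gateway never saw (a tampered or
                   buggy print log, worth a look in its own right)
    """
    missing = sorted(ref for ref in sent if ref not in printed)
    mismatched = sorted(
        (ref, sent[ref][1], printed[ref][1])
        for ref in sent
        if ref in printed and sent[ref][1] != printed[ref][1]
    )
    orphan = sorted(ref for ref in printed if ref not in sent)
    return {"missing": missing, "mismatched": mismatched, "orphan": orphan}


def run_example():
    """Run the reconciliation over the constructed logs above."""
    sent = parse_log(GATEWAY_LOG, "SENT")
    printed = parse_log(PRINT_LOG, "PRINTED")
    return reconcile(sent, printed)


if __name__ == "__main__":
    findings = run_example()
    for ref in findings["missing"]:
        print(f"ALERT: {ref} was sent but no confirmation was printed")
    for ref, sent_amt, printed_amt in findings["mismatched"]:
        print(f"ALERT: {ref} sent {sent_amt} but print-out shows {printed_amt}")
    for ref in findings["orphan"]:
        print(f"WARN: print-out for {ref} has no matching instruction")
```

The reconciliation is only worth anything if the gateway log really is written and stored somewhere the transaction workstation cannot reach; otherwise the same compromise silences both sides.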
But hacking is one thing; knowing how to wire the money anonymously in a heavily regulated banking system is another.
The hackers had figured out that the best way to smuggle out millions of dollars was via casinos in the Philippines, which aren’t covered by anti-money-laundering laws. This knowledge isn’t something that appears on last week’s Jeopardy, or a question you pose on Reddit; it’s something that only insiders know about.
Oh, and by the way, another $20 million was routed to Sri Lanka, suggesting there are other avenues to launder money out of the system from that Island nation as well.
But just who are these sophisticated hackers?
The Philippine Senators who held a hearing on the incident suggested that the perpetrators ‘could’ be Chinese. And while there’s probably a conflict of interest in their statement (nobody wants to admit that there are criminals within their own borders), the evidence does seem to suggest it’s at least a likelihood.
And if I were to put on my tin-foil hat for a while, we may be able to correlate this attack to something that occurred late last year. Keep in mind though that this is venturing deep into crazy-cat-lady territory, and you have been warned.
So with that warning, let me take you back to good ol’ 2015.
In September of that year, President Obama and President Xi had a ‘broad agreement’ that both nations will no longer hack each other for ‘commercial purposes’. Nationwide espionage and intelligence gathering was still OK, but intentionally targeting corporations for their intellectual property was not.
Of course, the agreement was a bit vague on specifics, if Chinese hackers were to target Lockheed Martin to obtain the designs for the F-35 fighter — would that be considered commercial?
But overall the agreement was clear that both countries would not use hacking to advance their commercial interest. Keep in mind, that both countries vehemently denied they ever did this, so in essence the statement was merely formalizing something both countries have always denied doing–sort of saying we promise never to do the things we never did in the first place.
To give you a flavor of corporate espionage, I recommend reading a brilliant post titled “Stealing White” by Del Quentin Wilber from Bloomberg. It’s a long read (almost 4000 words long), which involves a Malaysian trying to steal the secrets of titanium dioxide production from DuPont. Apparently titanium dioxide makes a perfect white, the envy of all other whites, but the plot to steal the manufacturing secrets of this perfect white is elaborate enough to make Wile E. Coyote green with envy, and just like in the cartoons it fails.
The Bloomberg piece concludes with an interesting point “the Chinese may have gotten what they needed directly from the chemical company. Newly filed court documents reveal that the FBI motel raid found evidence DuPont’s computers had been hacked.”
So elaborate espionage didn’t work as effectively as simply hacking into the source and getting it directly, and for a long time it was assumed that these breaches were executed by hackers from the Chinese Government themselves. Think of it as a special arm dedicated to corporate espionage.
Of course, let me re-iterate that this is merely hypothetical, and let’s also not forget that the Snowden leaks suggest that the NSA was also in on the corporate espionage game, and spied on corporate entities like Brazil’s Petrobras.
And here’s where the tin-foil comes in.
If China did indeed have a corporate espionage arm (not saying they did), and that arm was disbanded back in September due to the agreement with the US–what would happen exactly?
Well you’d think hundreds (if not thousands) of well-trained hackers, who specialized in the breaching of corporate networks would soon be out of jobs. And since hacking, especially government level hacking, isn’t exactly a generic skill set you can use to job-hop around, the most likely scenario would be that these hackers soon become freelancers.
And freelancers sooner or later coalesce into well-organized teams with high levels of knowledge and expertise.
But what kind of heist could a group of well-trained, highly skilled, out of a job hackers do?
Hypothetically they could infiltrate a financial organization and start routing money to themselves–maybe? Identifying flaws in the global monetary system and using them to steal about $1 billion from a bank in Bangladesh?
*A republication of my article on 2600, a hacker magazine*
Greetings from Malaysia.
This is my first time writing to 2600, although I’ve been a Kindle subscriber for more than 2 years now.
For my first article, I hoped to write about a little hacking expedition I embarked on a couple of months back to help me improve my coding skills as well as help me learn more about local internet users.
Malaysia got onto the internet scene much later than most developed countries; our first ISP was only founded in 1992, and even then it was pretty much exclusively dial-up. Soon the local telecom company, Telekom Malaysia (TM), got into the ISP business and basically killed every other player because, as the incumbent Government-owned telecommunications company, it alone had access to the phone lines of every Malaysian household. Until very recently, phone lines in Malaysia were owned by the Federal government through Telekom Malaysia, and it was only in the late 90’s that a privatisation plan opened that up.
During the days of dial-up over PSTN, and even after ADSL connectivity (which still ran over PSTN lines), TM held a monopoly over all internet subscribers in the country, simply because it owned the phone lines. Other ISPs struggled to penetrate the market, because their offerings couldn’t compete with the scale and unfair advantage of TM.
Fortunately, that all changed when TM was laying down fiber-optic cables. As part of a deal, TM secured a government subsidy to fund the fibre infrastructure but was forced to allow other ISPs to utilize the last mile. In theory this would have increased competition and provided a more level playing field–which it did. But TM was slow in opening up the last mile, and managed to get a head-start of around 400,000 subscribers before any other ISP began to offer a Fiber to the Home internet connection.
Why am I telling you this?
Because TM doesn’t really prioritize security, and I discovered a near perfect storm of security lapses that may prove costly to TM at some point.
As a ‘legacy’ ISP in the country, TM was around when IP addresses were cheap, and IPv4 exhaustion was a prediction not a reality. Hence it managed to secure for itself nearly 2.5 million IP addresses from IANA. This abundance of IP addresses meant that TM offers all its customers a public-facing internet IP by default, something all other ISPs in Malaysia offer only on request of the subscriber. I won’t go into the details of NAT-ing here, but you can Google it if you’re interested.
Secondly, as part of a Fibre subscription, TM provide a modem and WiFi router, which is nothing out of the ordinary, except that TM sourced all their routers from just 2 manufacturers, and each manufacturer provided only 1 router model. From a security stand-point, having an entire population on a single device isn’t a good thing, because a single exploit could take them all out at once, akin to the super-viruses we hear about that could make entire crops extinct because there’s so little genetic biodiversity in industrial agriculture.
Thirdly, TM provide a TV box for free and paid channels streamed to your TV. The problem is that the TV box requires complex VLAN segmentation and setup on the router, meaning most routers won’t support the TM Fiber offering. This forced most (or all) TM subscribers to continue using whatever router TM provided them in the first place, without the ability to swap the router for a more secure or feature-rich one.
All in all, this meant that all of TM’s 600,000 fibre subscribers (at the time of writing this) were connected directly to the internet via a Public IP, and most of them continued to use one of the two routers supplied by them.
So far, nothing too exceptional here, except for two last bits. All the routers were configured to allow access from the WAN interface (i.e. you could configure the router from the internet), and all the routers were set up with one of 5 different username/password combinations by default. The default passwords (as you may have guessed) were rarely changed, and most users were left completely vulnerable to attack on a device they never even considered would be a target.
In 2007, while the fiber offering was still very new, several hackers in Malaysia alerted TM to the ‘flaw’ in their operating model, but TM maintained that the WAN interface was necessary for ‘maintenance and support’, although they did promise to change all passwords to a unique password per router. So here we are in 2015, and I wanted to see just how honest TM were in keeping that promise.
First I had to get the list of IP addresses that belong to TM; a quick Google search revealed that TM was AS4788. AS stands for Autonomous System: a set of IP prefixes run by one operator under a single routing policy, and the unit that BGP routing works with. BGP is the Border Gateway Protocol, which defines how IP packets are routed between ASes, and the great thing about it is that the prefixes each AS announces are public information, meaning you can easily determine TM’s IP address ranges.
Once I had the list of IP addresses I quickly created a Python script to loop through each individual IP and determine the HTTP header of the end device on that IP (if there was one in the first place). I queried only port 8080, to save time. Since TM had only 2 router models, it was pretty trivial to validate the HTTP header and see if the IP was hosting a vulnerable TM router. A more professional approach would be to use zmap, or Shodan, but creating your own scripts to do this has its advantages in learning.
Try as I might, I couldn’t get it working using just Python. Eventually I gave up trying to navigate the router’s homepage, but then I found Selenium.
Eventually, I wrote a whole script in Python that would scan an IP range, determine if a router was present at the end of the IP (on port 8080), and then pass that to another script that would use Selenium to drive a Firefox browser to visit the router’s webpage, try the handful of default username/passwords and determine if any of them worked. And they DID!!
Of course, while I was in, I poked around to determine things like WiFi SSIDs, etc, but mostly for fun, and I made it a point not to change any setting on the router.
But there’s no way I could scale all of this on my home PC, or even my laptop. So, I decided to host this on the cloud, and chose to use Amazon–specifically a Windows instance on Amazon.
Initially, I decided to host this in Singapore–it made sense since I was visiting Malaysian IPs, but then I realized that Amazon’s Oregon data center had much cheaper rates than the Singapore one–so I changed my decision and hosted in Oregon instead. In some cases this was a 20% reduction in cost, at the expense of ‘slightly’ more latency, but my application wasn’t latency-sensitive, as much as I was price-sensitive 🙂
Then, in true cheap-skate fashion, I decided to toy with Amazon spot instances–this is a special deal from Amazon, where they lease un-utilized machines to the highest bidder, and you can get this for nearly 50% of the price of the ‘on-demand’ Amazon instance. The only down-side is that Amazon reserves the right to terminate your instance at any time–but from my experience of using this, and from the blogs I read, the chances of that happening were pretty slim.
I’ve run nearly 10 of these so far, and every time I spin up a spot instance, it’s never been auto-terminated. Pretty decent deal–the only real down-side is that a spot instance usually takes about 3-5 minutes to launch, due to the bid processing. But other than that it’s as good as an on-demand instance 🙂
With a very powerful Amazon instance that had a large amount of RAM, I could spin up a large number of instances of Firefox to do my bidding. Using a simple database to ensure all the instances weren’t visiting the same IP addresses, I was able to automate the whole process of ‘visiting’ TM routers with ease.
Eventually, a single large Amazon instance (procured through the spot-instance method) was able to hack through 10,000 routers in less than 12 hours for under $10.00. Quite a good return on investment if you’re looking to create your own little bot-net army.
TM have especially dropped the ball here; they now have at least 10,000 vulnerable routers floating on their network, waiting to be owned by the next Lizard Squad characters. I could have easily configured my script to turn off the WAN interface on the router, to limit people’s exposure, but I thought better of making changes on a host system without the owner’s explicit permission.
Hopefully if you’re from Malaysia and a TM subscriber, now you know, and you’re that yourself.
Selamat Tinggal from Malaysia.
KLANG: Two years on, the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020.
The announcement shocked parents, as out of 10,000 students who took part in the pilot program, only 10 had scored an A while the rest had failed with a grade of F.
Education Minister, Dato’ Seri Java, said that this reflects the current IT market, where out of 10,000 security consultants, only 10 will ever give you good advice.
“We benchmarked against the industry, and set the grading curve accordingly, so only a 10 students getting an A was the intention!! We can’t have cases where students just memorize a textbook and then score an A, this is not History or Geography, this is an important subject” he said, while further mocking drama and English literature under his breath.
Deputy Director of Education, Perl Ramachandran, further added that instead of focusing on the 9,990 students who failed, the public should instead focus on the ‘A’ students who showed exemplary work and were ‘bright spots’ in the dark abyss which is the Malaysian education system.
One such exemplary student was 17-year-old lass Siti Pintu bt. Belakang, who had managed to install a backdoor into the MOE exam system and downloaded the question paper days before the exam. A backdoor is an application that allows an attacker unfettered access to the compromised system, and Siti managed to code one from scratch specifically for this purpose.
Already Russian cyber-criminal organizations are offering her scholarships to prestigious universities, Perl further added.
Then there’s Godam a/l Rajakumar, who instead of stealing exam papers, simply hacked into the MOE grading system and gave himself an ‘A’.
So now, only actual travellers will be allowed into airports, and everybody else from your mother to your 3rd aunty twice removed has to say their teary goodbye at home rather than at the Airport KFC.
So that terrorist will now have to buy a ticket in order to blow up the airport? I can picture it now: “Al-Qaeda attempt to bomb KLIA foiled due to lack of funds for ticket purchase”
Do these people even consider just how easy it is to circumvent some of the ridiculous ‘security measures’ they put in place these days? If all it takes for a terrorist to gain entry into an airport is a plane ticket, it’s not a very tall order for them to go out and buy one, or just print a fake copy good enough to fool the security officers.
We’d be spending countless man-hours on security personnel at entry points scanning through useless documents, with no real security in return.
What a waste–just like those women only KTM coaches that do absolutely nothing.
If you haven’t listened to it already, here’s a fantastic cut-down (no bullshit) version of Jim Comey’s testimony to Congress, on why he recommended Hillary Clinton not be prosecuted for hosting her own e-mail servers.
For the uninitiated, while Hillary Clinton was US Secretary of State, she hosted her own official e-mail servers, and the contention was whether she was right in hosting a service that would handle classified e-mails in the basement of her house.
The politics and legal wranglings are fascinating but I want to focus on the technology.
At one point in the testimony, you can hear the shock of a Congressman on learning that Hillary Clinton’s e-mail server was less secure than Gmail. To his credit, Jim Comey went on to elaborate that Google has a full team of security experts working on its mail servers, something Hillary could not afford. When pressed on whether he considered Hillary’s mail server ‘secure’, he answered that security “wasn’t binary”: it’s not secure vs. insecure, but rather a spectrum of more secure or less secure.
That was a good answer.
Security is defined by various factors, such as secure from what, from whom, and against what kind of attack.
It’s very easy to look at a piece of code and determine that it’s insecure, because we know what insecure code looks like.
But it’s impossible to look at any code and say it’s ‘secure’, because unless you know all the attack vectors, you’re not going to be able to determine the absolute security of any system or application.
Going back to the original point though, nobody should be surprised that Gmail has better security than anything you could build on your own. Even Hillary Clinton, with all her Clinton dollars, couldn’t compete with an industrial e-mail solution from a big corporate conglomerate–and why should she?
You wouldn’t build your own car, or microwave oven, or toaster. Why would you build your own e-mail system?
A lot of people think that e-mail servers and websites are easy things to host and maintain–actually they’re not. And you couldn’t compete with the scale of services like Gmail in terms of pricing, features and security…no way, Jose.
Sure, we love our mother’s cooking more than any industrialized fast food, but those are the exceptions. With computers and technology, it’s often a good idea to be just like everyone else; in other words, just buy McDonald’s and be happy with it.
Highly customized solutions ‘tailored’ for your every need are not just more prone to software errors waiting to be exploited; they’re also less likely to be fixed even if those issues are found.
I hear it all the time, people want customized websites that ‘represent my brand’, but never stop to consider the other issues at hand.
Would you ask for a customized brick-and-mortar shop that ‘represented your brand’, or would you be happy with a standard generic store-front that you just plaster your signboard on? A highly customized shop that looked unique to just your brand costs a lot of money, and that’s money only the largest companies would be willing to shell out.
If Berkshire Hathaway (with a market cap of 326 billion) is happy with its website–do you really need anything fancier?
That’s why I recommend people just get a wordpress.com blog or a Squarespace site: it’s simple, it’s secure and it’s cheap. Of course it looks like every other website out there, but hey, fewer worries about DDoS attacks, fewer targets for hackers, and you can just focus on the content–not on managing the dodgy IT vendor you got to help with your site.
Differentiate on the content, not on the looks.
Rolling your own website usually involves employing a website designer, a UX/UI designer, a coder, an infra guy, and a whole lot of invoicing that frankly 99% of people aren’t prepared to deal with. Even if you were, the cost would be thousands of times higher than what you could get with sites like Squarespace or Ghost.
I’ve heard people moan that they spent RM10,000 on a website and it didn’t look pretty enough–but what were you hoping to get for RM10,000? Sure, it’s a lot of money, but if you bought a RM10,000 car, what kind of car do you think you’d get? A modern website is actually more complex than a car, especially one that is tailored to you rather than a generic off-the-shelf solution.
A custom website requires custom maintenance, custom patching, and custom hosting–all of which require expertise that doesn’t scale very well. So unless you’re willing to shell out tens of thousands of dollars on something that will cost another tens of thousands to maintain over the years, do yourself a favor and just go generic.
What do you do when the technology turns on you?
Or when the feature that’s built to save you, is the one that might just kill you?
There’s a stark similarity between the Takata airbag fiasco, which has already taken 2 Malaysian lives, and the lady who died in a self-driving Tesla.
Both involve the auto industry and both are technology related, but together they represent a much deeper issue at hand–despite our noblest expectations, technology isn’t perfect–but it’s better than what we had before.
We’ve all been trained by Hollywood to expect perfect technology, working all the time and in every scenario, but in reality technology sometimes fails, and newer technology fails more often.
Technology endures through failures, only by our good graces, but unless we grant that grace to it, we will not progress.
What should our response to a technical failure be?
Do we insist on removing ALL traces of the offending technology, or do we accept it as a price of progress, that the occasional failure is a tax we pay to get better technology?
But are some taxes just too high?
Society might accept failing antennas on an iPhone, or even bad Google searches, but an airbag that might blow a hole in your chest, or a car that might crash you into a truck, might be too high a price.
So is the tax for airbags and self-driving cars just not worth the potential safety we get in return?
Some interesting links you might want to check out during my interview on BFM today, will tidy up this list later in the week.
Office of Personnel Management Data Breach (Chinese hackers breaking into US Federal Employee Databases)
Check if your e-mail address has been part of a previous breach on the HaveIBeenPwned website.
Phineas Fisher explains how he hacked Hacking Team (in under 100 hours)
Hackers breaking into baby monitors, and shouting profanities at children
Baby monitors (and everything else) connected to the internet aren’t good ideas.
Why GCHQ (the British equivalent of the NSA) shares my thoughts…
Norton Dossier on Stuxnet (interesting, but VERY long read)
Countdown to Day Zero (more interesting, and even longer read on Stuxnet)
Or just watch the Ted Talk on Stuxnet
Let’s start with the quote that set off the rage in my heart—
“You can see today that our Internet is slow. Not because it itself is slow but because a lot of people are using it,” he said
The government agency chief blamed this on illegal downloads hogging Internet bandwidth here, adding that this does not happen in countries like Germany due to stricter enforcement.
“In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.
“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.
“That is why the Internet highway is slow but we blame the government. The government has created proper Internet highways but we don’t know how to use it. Millions have been spent on this by the government,” he explained.
So apparently Datuk Ibrahim Saad, the National Civics Bureau (BTN) chief, thinks that the internet is slow in Malaysia (it’s not that slow) because illegal downloads are hogging up the pipelines.
Let’s start with his first sentence, and substitute the word ‘internet’ with the name of any Malaysian highway you choose; personally I like to use the LDP:
You can see today that our LDP is slow. Not because it itself is slow but because a lot of people are using it
Hmmm, I guess in his infinite wisdom that makes sense to the BTN chief, but to me that just sounds like the highway wasn’t built properly.
Let’s go to the 2nd statement:
In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.
“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.
“That is why the Internet highway is slow but we blame the government
Now we come to the crux of the issue. If Malaysians weren’t illegally downloading, they’d have faster internet.
Here are 4 reasons why he’s wrong.