Hackers, Crackers, Stratfors and the Cyber Arms Race

In Michael Jang’s work on building security strategies, he separates the Microsoft and Linux or open source communities right out of the gate. The definitions of the folks responsible for growing the multi-trillion-dollar cyber security market look like this.

The Windows world diverges from the Linux or open source world by accepting the programmer’s view of the words used to define the actions and motives of those responsible for making networks secure, and of those who attempt intrusions and worse. The Microsoft folks use “hacker” to mean anyone who wants to break into computers, while the open source folks use the word “hacker” the same way the workers do, to define anyone working on computers and networks to make them work better. The difference is surprising in many ways that may seem trivial to those not involved. The term “cracker” is the choice of the Linux development community, as the terms predate current mainstream usage.

Jang cites The Institute for Security and Open Methodologies (ISECOM) to differentiate the two communities:

ISECOM is an open, non-profit collaborative community since January 2001. We are dedicated to providing practical security awareness, research, certification and business integrity. ISECOM provides certification, training support, and project support services for non-partisan and vendor-neutral funding of our projects and infrastructure and to assure you our training programs, standards, and best practices are truly neutral of national or commercial influence.

ISECOM has been describing the work of hackers as what we should be teaching our kids in school, an idea NetHawk has championed for many years. Evidence for this point of view is substantial and is routinely reinforced by news reports, as we saw this week when Anonymous exposed thousands of email addresses and contact information for those folks they feel best attempt to squash the truth, the truth being whatever WikiLeaks pushes out as “whistleblower” stories.


Regardless of your views of Julian Assange, WikiLeaks or the military and intelligence communities’ abilities to secure their own information, it’s important to state that WikiLeaks is not the source of the information they publish. Having said that, their loyalties don’t defer to a military either unwilling or unable to curtail the leaks. For some odd reason, these stories don’t make big headlines in the States, but the headline in yesterday’s London paper, The Guardian, ripped both the UK and US: “Hackers expose defence and intelligence officials in US and UK.”

Here we find a new term applied to these Robin Hoods of the forest, as “the huge database of private information exposed by self-styled “hacktivists” are the details of 221 British military officials and 242 NATO staff.” (http://tek-blogs.com/a/kj1cnp)

John Bumgarner, an expert in cyber-security at the US Cyber Consequences Unit, a research body in Washington, has analyzed the Stratfor breach for the Guardian. He has identified within the data posted by the hackers the details of hundreds of UK government officials, some of whom work in sensitive areas.

Among the leaked email addresses are those of 221 Ministry of Defence officials identified by Bumgarner, including army and air force personnel. Details of a much larger group of US military personnel were leaked. The database has some 19,000 email addresses ending in the .mil domain of the US military.

In the US case, Bumgarner has found, 173 individuals deployed in Afghanistan and 170 in Iraq can be identified. Personal data from former vice-president Dan Quayle and former secretary of state Henry Kissinger were also released.

You have to admit, it’s surprising that Dan Quayle’s name still shows up anywhere when it comes to government business, but the whole thing smacks of more of the same incompetence we have seen over the last twenty years from our military and intelligence communities. Why can’t they at least get the human protocols down correctly so as not to sabotage themselves?

The Stratfor database was recorded in spreadsheets: “the user IDs – usually email addresses – and encrypted passwords of about 850,000 individuals who had subscribed to Stratfor’s website.” Stratfor is a leader in this industry, highly compensated by taxpayers, yet they continue to step all over themselves anytime a breach is uncovered. Perhaps that answers the question as to why this doesn’t show up in the States. This sort of says it all: “Stratfor has taken down its website while it investigates the security breach. The company says it is “working diligently to prevent it from ever happening again”.” Sure, they always say that, but the fact is, the guys who are always a step ahead of them are a lot smarter and they get it.

It’s time the intelligence and military cyber folks got their acts together and got rid of folks who can’t protect them from themselves. It’s time we started teaching kids in grade school about security and how to mold their careers around the opportunities afforded by a government that would prefer to make criminals out of our best and brightest.

