<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Vaman on IT Security</title>
	<atom:link href="http://jagannathanvaman.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://jagannathanvaman.wordpress.com</link>
	<description>The Enterprise Security Blog</description>
	<lastBuildDate>Wed, 05 Jan 2011 12:38:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='jagannathanvaman.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Vaman on IT Security</title>
		<link>http://jagannathanvaman.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://jagannathanvaman.wordpress.com/osd.xml" title="Vaman on IT Security" />
	<atom:link rel='hub' href='http://jagannathanvaman.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Citibank Fraud &#8211; a case of systemic failure</title>
		<link>http://jagannathanvaman.wordpress.com/2011/01/05/citibank-fraud-a-case-of-systemic-failure/</link>
		<comments>http://jagannathanvaman.wordpress.com/2011/01/05/citibank-fraud-a-case-of-systemic-failure/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 12:37:13 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Governance]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=278</guid>
<description><![CDATA[Citi that never sleeps gave sleepless nights to their Indian customers! A huge fraud to the tune of Rs. 400 Crores (USD 86 million) rocked the financial world, involving insiders. The fraud involved the wealth management team &#8211; a relationship manager called Mr. Puri. According to news reports, Puri diverted wealth management customers' funds to [...] ]]></description>
<content:encoded><![CDATA[<p>Citi that never sleeps gave sleepless nights to their Indian customers! A huge fraud to the tune of Rs. 400 Crores (USD 86 million) rocked the financial world, involving insiders. The fraud involved the wealth management team &#8211; a relationship manager called Mr. Puri. According to news reports, Puri diverted wealth management customers' funds to his personal account &amp; was trading in stocks. How can this happen in such a large global bank with Fort Knox security? Where are the checks &amp; balances &#8211; where are the auditors?</p>
<p>Apparently Mr. Puri was using the entire Citi machinery &#8211; its computer systems and mail &#8211; to merrily generate falsified statements of accounts, portfolios and receipts, &amp; was running this happily for some time. Citi also used to get BLANK investment forms signed off by the stupid high net-worth investors! The critical question is &#8211; how could this massive fraud go unnoticed for such a long time? More important is &#8211; how could a low-level official such as Mr. Puri orchestrate this complex fraud as a one-man army? Was he alone &#8211; certainly not possible.</p>
<p>Let us examine some best practices:</p>
<p>Most people in India do not know that fraud is a legal term and not a concept that changes with time. Fraudulent incidents in the information age have devastating effects. Every single piece of information in today’s knowledge driven era has a value attached to it, and is thus prone to fraud. Information leakage and technology or people failure in an organization result in major financial losses. Traditionally, audit was the <a href="http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1335365_mem1,00.html">best way to investigate frauds</a>; however, in recent times with economies going from boom to bust, this profession has innovated drastically.</p>
<p><strong>Recruiting a proficient team</strong></p>
<p>A <a href="http://searchfinancialsecurity.techtarget.com/news/interview/0,289202,sid185_gci1354971,00.html">person investigating fraud</a> must understand that every organization is susceptible to fraud as human behavior cannot be controlled, unlike policies, laws, and hierarchy. Hence, the question is <a href="http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1522343,00.html">how to investigate fraud</a> after an incident has been reported.</p>
<p>Investigating fraud is not a one-man job and requires a competent and experienced team. The foundation of any investigation is to have professionals with the right skills, knowledge, and experience. This team needs to be focused on the assignment and ensure resolution within a reasonable timeframe. Inexperienced or under-trained personnel could hinder the <a href="http://searchcompliance.techtarget.com/news/1358669/Financial-crimes-resulting-in-increased-compliance-enforcement">fraud investigation process.</a></p>
<p>Depending on the magnitude of the incident, <a href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1507410_mem1,00.html">the fraud investigation team</a> should consist of:</p>
<p>• A legal attorney/professional who is able to identify applicable compliance provisions, statutory regulations and their violations. In the majority of frauds detected, the evidence obtained is purely circumstantial in nature and thus requires special skills to put forth the point in an appropriate manner and visualize its implications in a court of law.</p>
<p>• A forensic accountant/auditor, who is not necessarily an accountant but an individual with a techno-functional background in specialized areas like business, finance, Information Technology (IT), and law.</p>
<p>• A cyber forensic expert with appropriate technical know-how and experience. Today, the computer is a tool as well as a victim in financial crimes. Cyber forensic expertise is the part of forensic accounting practice that deals with various aspects of digital evidence: data recovery, data analysis, password recovery, and risk profiling of users. These crimes are the most difficult to probe and prosecute because of jurisdictional issues, and many times they are cross-border in nature.</p>
<p>• A field investigator who, based on the requirements of the forensic auditor, collates the evidence, which is crucial for any investigation to be successful. Awareness of the legal environment is critical for a field investigator, and all evidence should be gathered and collected in accordance with the law of the land. Any violation may result in the evidence getting tainted and becoming unacceptable in a court of law.</p>
<p><strong>Using the SPEC (scope, plan, execute, close) model</strong></p>
<p>Having an initial investigative hypothesis of the incident helps to understand where exactly the <a href="http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1515236_mem1,00.html">fraud investigation</a> should commence. The SPEC model can be used to investigate fraud.</p>
<p>• <strong>Scope</strong>: After the incident is reported, investigators need to gain as much first-hand information about the actual job as possible. Understand and evaluate various factors such as cultural, regulatory, and legal <a href="http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1185436_mem1,00.html">to investigate a fraud</a>. Speculate on different levels of investigative hypothesis by proving and/or disproving facts of the incident(s), and on the process of gathering evidence for them. It must be noted that this is not the planning stage.</p>
<p>• <strong>Plan:</strong> <a href="http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1381496_mem1,00.html">Plan the fraud investigation</a> in a phased manner to maintain its intent and purpose. The plan stage includes establishing the investigative hypothesis, process mapping, scheduling timeframes, resource allocation, and reacting appropriately to facts/information while executing the investigation.</p>
<p>• <strong>Execute:</strong> This includes supervision of the case, proving and/or disproving facts/information, and identifying the triggers that raised such incidents. While <a href="http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1518490_mem1,00.html">investigating a fraud,</a> the investigators should apply their knowledge, expertise and skills to deduce potential outcomes based on different theories, such as the Fraud Triangle by Dr. Donald Cressey.</p>
<p>• <strong>Close:</strong> This is the final stage of a <a href="http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1380406_mem1,00.html">fraud investigation</a>, where the case is brought to closure. The investigation's outcomes and appropriate recommendations are documented in a logical, coherent report.</p>
<p>An important fact is that corporations in India today do not keep themselves updated on the different and continuously developing types of frauds and <a href="http://searchcompliance.techtarget.com/news/1358669/Financial-crimes-resulting-in-increased-compliance-enforcement">methods to investigate frauds</a>. Corporations “act”, or rather “react”, only when a fraud occurs in their own backyard. Reviewing internal procedures and technological advancements, not only in audit but also in other departments, helps reduce fraudulent activities. Training the staff regularly by organizing fraud awareness programs keeps them abreast of the changing nature of frauds and ways to combat them effectively.</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2011/01/05/citibank-fraud-a-case-of-systemic-failure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
		<item>
		<title>TIME TO START TAKING THE INTERNET SERIOUSLY</title>
		<link>http://jagannathanvaman.wordpress.com/2010/07/08/time-to-start-taking-the-internet-seriously/</link>
		<comments>http://jagannathanvaman.wordpress.com/2010/07/08/time-to-start-taking-the-internet-seriously/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 21:32:24 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[MILITARY SECURITY]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=268</guid>
<description><![CDATA[The Internet is a great opportunity as well as a dangerous threat. Nick Carr says that the Internet makes people stupid. I don't agree - it makes people smart. You have to find a method in the madness of using the Web. Just look at Europe, where the idea of competition in the Internet space appears to focus on litigation, legislation, regulation, and criminalization. A country like India can benefit greatly by using the Internet as a business platform. Many smart Indian entrepreneurs have done that. But there is room for many millions more.

The danger of the Internet is that it makes you and your identity vulnerable. Your social networking can be a threat. More and more criminals and terrorists are learning and getting smart with cyber-terrorism. In the near future you will see many cyber attacks on Indian companies and governments.]]></description>
			<content:encoded><![CDATA[<p><strong>TIME TO START TAKING THE INTERNET SERIOUSLY</strong></p>
<p><strong>The Internet is a great opportunity as well as a dangerous threat. Nick Carr says that the Internet makes people stupid. I don&#8217;t agree &#8211; it makes people smart. You have to find a method in the madness of using the Web.</strong> Just look at Europe, where the idea of competition in the Internet space appears to focus on litigation, legislation, regulation, and criminalization. A country like India can benefit greatly by using the Internet as a business platform. Many smart Indian entrepreneurs have done that. But there is room for many millions more.</p>
<p>The danger of the Internet is that it makes you and your identity vulnerable. Your social networking can be a threat. More and more criminals and terrorists are learning and getting smart with cyber-terrorism. In the near future you will see many cyber attacks on Indian companies and governments.</p>
<p>Here are some thoughts from The Edge:</p>
<p>1.  No moment in technology history has ever been  more exciting or dangerous than now. The Internet is like a new computer  running a flashy, exciting demo. We have been entranced by this demo  for fifteen years. But now it is time to get to work, and make the  Internet do what we want it to.</p>
<p>2. One symptom of current problems is the  fundamental puzzle of the Internet. (Algebra and calculus have  fundamental theorems; the Internet has a fundamental puzzle.)  <em>If  this is the information age, what are we so well-informed about? </em>What  do our children know that our parents didn&#8217;t? (Yes they know how to  work their computers, but that&#8217;s easy compared to — say — driving a  car.)  I&#8217;ll return to this puzzle.</p>
<p>3. Here is a simpler puzzle, with an obvious  solution. Wherever computers exist, nearly everyone who writes uses a  word processor. The word processor is one of history&#8217;s most successful  inventions. Most people call it not just useful but indispensable.  Granted that the word processor is indeed indispensable, what good has  it done? We say we can&#8217;t do without it; but if we had to give it up,  what difference would it make? Have word processors improved the quality  of modern writing? What has the indispensable word processor  accomplished?</p>
<p>4. It has increased not the quality but the  quantity of our writing — &#8220;our&#8221; meaning society&#8217;s as a whole. The  Internet for its part has increased not the quality but the quantity of  the information we see. Increasing quantity is easier than improving  quality. Instead of letting the Internet solve the easy problems, it&#8217;s  time we got it to solve the important ones.</p>
<p>5. Consider Web search, for example. Modern search  engines combine the functions of libraries and business directories on a  global scale, in a flash: a lightning bolt of brilliant engineering.  These search engines are indispensable — just like word processors. But  they solve an easy problem. It has always been harder to find the right  person than the right fact. Human experience and expertise are the most  valuable resources on the Internet — if we could find them. Using a  search engine to find (or be found by) the right person is a harder,  more subtle problem than ordinary Internet search. Small pieces of the  problem have been attacked; in the future we will solve this hard  problem in general, instead of being satisfied with windfalls and the  lowest-hanging fruit on the technology tree.</p>
<p>6. We know that the Internet creates &#8220;information  overload,&#8221; a problem with two parts: increasing number of information  sources and increasing information flow per source. The first part is  harder: it&#8217;s more difficult to understand five people speaking  simultaneously than one person talking fast — especially if you can tell  the one person to stop temporarily, or go back and repeat.  Integrating  multiple information sources is crucial to solving information  overload. Blogs and other anthology-sites integrate information from  many sources. But we won&#8217;t be able to solve the overload problem until  each Internet user can choose for himself what sources to integrate, and  can add to this mix the most important source of all: his own personal  information — his email and other messages, reminders and documents of  all sorts. To accomplish this, we merely need to turn the whole  Cybersphere on its side, so that time instead of space is the main axis.</p>
<p>7.  In the last paragraph I wrote &#8220;each Internet  user&#8221;; but users of any computing system ought to have a simple, uniform  operating system and interface. Users of the Internet still don&#8217;t.</p>
<p>8. Practical business: who will win the tug of war  between private machines and the Cloud? Will you store your personal  information on your own personal machines, or on nameless servers far  away in the Cloud, or both? Answer: in the Cloud. The Cloud (or the  Internet Operating System, IOS — &#8220;Cloud 1.0&#8243;) will take charge of your  personal machines. It will move the information you need at any given  moment onto your own cellphone, laptop, pad, pod — but will always keep  charge of the master copy. When you make changes to any document, the  changes will be reflected immediately in the Cloud. Many parts of this  service are available already.</p>
<p>9. Because your information will live in the Cloud  and only make quick visits to your personal machines, all your machines  will share the same information automatically; a new machine will be  useful the instant you switch it on; a lost or stolen machine won&#8217;t  matter — the information it contains will evaporate instantly. The Cloud  will take care that your information is safely encrypted, distributed  and secure.</p>
<p>10. Practical business: small computers have been  the center of attention lately, and this has been the decade of the  cellphone. Small devices will continue to thrive, but one of the most  important new developments in equipment will be at the other end of the  size spectrum. In offices and at home, people will increasingly abandon  conventional desktop and laptop machines for large screen computers. You  will sit perhaps seven feet away from the screen, in a comfortable  chair, with the keyboard and controls in your lap. Work will be easier  and eyestrain (which is important) will decrease. Large screen computers  will change the shape of office buildings and create their own new  architecture. Office workers will spend much of their time in  large-screen computer modules that are smaller than most private offices  today, but more comfortable. A building designed around large-screen  computers might have modules (for example) stacked in many levels around  a central court; the column whose walls consist of stacked modules  might spiral helically as it rises….</p>
<p>11. The Internet will never create a new economy  based on voluntary instead of paid work — but it can help create the  best economy in history, where new markets (a free market in education,  for example) change the world. Good news! — the Net will destroy the  university as we know it (except for a few unusually prestigious or  beautiful campuses).  The net will never become a mind, but can help us  change our ways of thinking and change, for the better, the spirit of  the age. This moment is also dangerous: virtual universities are good  but virtual nations, for example, are not. Virtual nations — whose  members can live anywhere, united by the Internet — threaten to shatter  mankind like glass into razor-sharp fragments that draw blood. We know  what virtual nations can be like: Al Qaeda is one of the first.</p>
<p>12. In short: it&#8217;s time to think about the Internet instead of just  letting it happen.</p>
<hr size="1" noshade="noshade" />
<p>13. The traditional web site is static, but the  Internet specializes in flowing, changing information. The &#8220;velocity of  information&#8221; is important — not just the facts but their rate and  direction of flow. Today&#8217;s typical website is like a stained glass  window, many small panels leaded together. There is no good way to  change stained glass, and no one expects it to change. So it&#8217;s not  surprising that the Internet is now being overtaken by a different kind  of cyberstructure.</p>
<p>14. The structure called a cyberstream or  lifestream is better suited to the Internet than a conventional website  because it shows information-in-motion, a rushing flow of fresh  information instead of a stagnant pool.</p>
<p>15. Every month, more and more information surges  through the Cybersphere in lifestreams — some called blogs, &#8220;feeds,&#8221;  &#8220;activity streams,&#8221; &#8220;event streams,&#8221; Twitter streams. All these streams  are specialized examples of the cyberstructure we called a lifestream in  the mid-1990s: a stream made of all sorts of digital documents,  arranged by time of creation or arrival, changing in realtime; a stream  you can focus and thus turn into a different stream; a stream with a  past, present and future. The future flows through the present into the  past at the speed of time.</p>
<p>16. Your own information — all your  communications, documents, photos, videos — including &#8220;cross network&#8221;  information — phone calls, voice messages, text messages — will be  stored in a lifestream in the Cloud.</p>
<p>17. There is no clear way to blend two standard  websites together, but it&#8217;s obvious how to blend two streams. You simply  shuffle them together like two decks of cards, maintaining time-order —  putting the earlier document first. Blending is important because we  must be able to add and subtract in the Cybersphere. We add streams  together by blending them. Because it&#8217;s easy to blend any group of  streams, it&#8217;s easy to integrate stream-structured sites so we can treat  the group as a unit, not as many separate points of activity; and  integration is important to solving the information overload problem. We  subtract streams by searching or focusing. Searching a stream for  &#8220;snow&#8221; means that I subtract every stream-element that doesn&#8217;t deal with  snow. Subtracting the &#8220;not snow&#8221; stream from the mainstream yields a  &#8220;snow&#8221; stream. Blending streams and searching them are the addition and  subtraction of the new Cybersphere.</p>
<p>18. Nearly all flowing, changing information on  the Internet will move through streams. You will be able to gather and  blend together all the streams that interest you. Streams of world news  or news about your friends, streams that describe prices or auctions or  new findings in any field, or traffic, weather, markets — they will all  be gathered and blended into one stream. Then your own personal  lifestream will be added. The result is your mainstream: different from  all others; a fast-moving river of all the digital information you care  about.</p>
<p>19. You can turn a knob and slow down your  mainstream: less-important stream-elements will flow past invisibly and  won&#8217;t distract you, but will remain in the stream and appear when you  search for them. You can rewind your lifestream and review the past. If  an important-looking document or message sails past and you have no time  to deal with it now, you can copy the document or message into the  future (copy it to &#8220;this evening at 10,&#8221; say); when the future arrives,  the document appears again. You can turn a different knob to make your  fast-flowing stream spread out into several slower streams, if you have  space enough on your screen to watch them all. And you can gather those  separate streams back together whenever you like.</p>
<p>20. Sometimes you will want to listen to your  stream instead of watching it (perhaps while you&#8217;re driving, or sitting  through a boring meeting or lecture). Software will read text aloud, and  eventually will describe pictures too. When you watch your  high-definition TV, you might let the stream trickle down one side of  the screen, so you can stay in touch with your life.</p>
<p>21. It&#8217;s simple for the software that runs your  Lifestream to learn about your habits; simple to figure out which emails  (for example), or social updates, or news stories, you are likely to  find important and interesting. It will therefore be easy for software  to highlight the stream elements you&#8217;re apt to find important, and let  the others rush by quickly without drawing your attention.</p>
<p>22. Lifestreams will make it even easier than it  is today for software to learn the details of your life and predict your  future actions. The potential damage to privacy is too large and  important a problem to discuss here. Briefly, the question is whether  the crushing blows to privacy from many sources over the last few  decades will make us crumple and surrender, or fight harder to protect  what remains.</p>
<p>23. The Internet&#8217;s future is not Web 2.0 or 200.0  but the post-Web, where time instead of space is the organizing  principle — instead of many stained-glass windows, instead of  information laid out in space, like vegetables at a market — the Net  will be many streams of information flowing through time. The  Cybersphere as a whole equals every stream in the Internet blended  together: the whole world telling its own story. (But the world&#8217;s own  story is full of private information — and so, unfortunately, no human  being is allowed to hear it.)</p>
<p>24. Ten years ago I wrote about the growing  importance of lifestreams. Last year, the technology journalist Erik  Schonfeld asked in a news story whether a certain large company &#8220;can  take the central communication model of social networks — the lifestream  — and pour it back into its IM clients.&#8221; (The story was headlined &#8220;Bebo  Zeroes In On Lifestreaming For The Masses.&#8221;) &#8220;Lifestreaming&#8221; is a word  that is now used generically, and streams are all over the net. Ten  years ago I described the computer of the future as a &#8220;scooped-out hole  in the beach where information from the Cybersphere wells up like  seawater.&#8221;  Today the spread of wireless coverage and the growing power  of mobile devices means that information does indeed well up almost  anywhere you switch on your laptop or cellphone; and &#8220;anywhere&#8221; will be  true before long.</p>
<p>25. From which we learn that (a) making correct  predictions about the technology future is easy, and (b) writers should  remember to put their predictions in suitably poetic language, so it&#8217;s  easy to say they were right.</p>
<p>25. If we think of time as orthogonal to space, a stream-based,  time-based Cybersphere is the traditional Internet flipped on its side  in digital space-time. The traditional web-shaped Internet consists (in  effect) of many flat panels chaotically connected. Instead of flat  sites, where information is arranged in space, we want deep sites that  are slices of time. When we look at such a site onscreen, it&#8217;s natural  to imagine the past extending into (or beyond) the screen, and the  future extending forward in front of the screen; the future flows  towards the screen, into the screen and then deeper into the space  beyond the screen.</p>
<p>26. The Internet is no topic like cellphones or videogame platforms  or artificial intelligence; it&#8217;s a topic like education. It&#8217;s that big.  Therefore beware: to become a teacher, master some topic you can teach;  don&#8217;t go to Education School and master nothing. To work on the  Internet, master some part of the Internet: engineering, software,  computer science, communication theory; economics or business;  literature or design. Don&#8217;t go to Internet School and master nothing.  There are brilliant, admirable people at Internet institutes.   But if  these institutes have the same effect on the Internet that education  schools have had on education, they will be a disaster.</p>
<hr size="1" noshade="noshade" />
<p>27. Returning to our fundamental  riddle: if this is the information age, what do our children know that  our parents didn&#8217;t?  The answer is &#8220;now.&#8221; They know about <em>now</em>.</p>
<p>28. Internet culture is a culture of nowness. The Internet tells  you what your friends are doing and the world news now, the state of the  shops and markets and weather now, public opinion, trends and fashions  now. The Internet connects each of us to countless sites right now — to  many different places at one moment in time.</p>
<p>29. Nowness is one of the most important cultural phenomena of the  modern age: the western world&#8217;s attention shifted gradually from the  deep but narrow domain of one family or village and its history to the  (broader but shallower) domains of the larger community, the nation, the  world. The cult of celebrity, the importance of opinion polls, the  decline in the teaching and learning of history, the uniformity of  opinions and attitudes in academia and other educated elites — they are  all part of one phenomenon. Nowness ignores all other moments but this.  In the ultimate Internet culture, flooded in nowness like a piazza  flooded in sea water, drenched in a tropical downpour of nowness,  everyone talks alike, dresses alike, thinks alike.</p>
<p>30. As I wrote at the start of this piece, no moment in technology  history has ever been more exciting or dangerous than &#8220;now.&#8221; As we learn  more about now, we know less about <em>then</em>. The Internet  increases the supply of information hugely, but the capacity of the  human mind not at all.  (Some scientists talk about artificially  increasing the power of minds and memories — but then they are no longer  talking about human beings. They are discussing some new species we  know nothing about. And in this field, we would be fools to doubt our  own ignorance.)  The effect of nowness resembles the effect of light  pollution in large cities, which makes it impossible to see the stars. A  flood of information about the present shuts out the past.</p>
<p>31. But — the Internet could be the most powerful device ever  invented for understanding the past, and the texture of time.  Once we  understand the inherent bias in an instrument, we can correct it. The  Internet has a large bias in favor of now. Using lifestreams (which  arrange information in time instead of space), historians can assemble,  argue about and gradually refine timelines of historical fact. Such  timelines are not history, but they are the raw material of history.  They will be bitterly debated and disputed — but it will be easy to  compare two different versions (and the evidence that supports them)  side-by-side. Images, videos and text will accumulate around such  streams. Eventually they will become shared cultural monuments in the  Cybersphere.</p>
<p>32. Before long, all personal, familial and institutional histories  will take visible form in streams.   A lifestream is tangible time:  as  life flashes past on waterskis across time&#8217;s ocean, a lifestream is the  wake left in its trail. Dew crystallizes out of the air along cool  surfaces; streams crystallize out of the Cybersphere along veins of  time. As streams begin to trickle and then rush through the spring thaw  in the Cybersphere, our obsession with &#8220;nowness&#8221; will recede, the dykes  will be repaired and we will clean up the damaged piazza of modern  civilization.</p>
<hr size="1" noshade="noshade" />
<p>33. Anyone who has ever looked through a telescope at the moon close-up has seen it drift out of sight as the earth slowly spins. In the future, the Cybersphere will drift too: if you have investigated one topic long enough for your attention to grow slack and your mind to wander, the Net will respond by letting itself drift slowly into new topics, new domain: not ones with obvious connections to the topic you&#8217;ve been studying; new topics that have deep emotional connections to the previous ones, connections that will no doubt make sense only to you.</p>
<p>34. The Internet today is, after all, a machine  for reinforcing our prejudices. The wider the selection of information,  the more finicky we can be about choosing just what we like and ignoring  the rest. On the Net we have the satisfaction of reading only opinions  we already agree with, only facts (or alleged facts) we already know.  You might read ten stories about ten different topics in a traditional  newspaper; on the net, many people spend that same amount of time  reading ten stories about the same topic. But again, once we understand  the inherent bias in an instrument, we can correct it. One of the  hardest, most fascinating problems of this cyber-century is how to add  &#8220;drift&#8221; to the net, so that your view sometimes wanders (as your mind  wanders when you&#8217;re tired) into places you hadn&#8217;t planned to go.  Touching the machine brings the original topic back. We need help  overcoming rationality sometimes, and allowing our thoughts to wander  and metamorphose as they do in sleep.</p>
<p>35. Pushing the multi-mega-ton jumbo jet of human  thought-style backwards a few inches, back in the direction of dream  logic, might be the Internet&#8217;s greatest accomplishment. The best is yet  to be.</p>
<p>Source Credits &#8211; <strong><a href="http://www.edge.org/3rd_culture/bios/gelernter.html">David  Gelernter</a> &#8211; </strong>http://www.edge.org/3rd_culture/gelernter10/gelernter10_index.html</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2010/07/08/time-to-start-taking-the-internet-seriously/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
		<item>
		<title>IVR &#8211; INFORMATION VISUALIZATION AND REPRESENTATION &#8211; 3D SECURITY?</title>
		<link>http://jagannathanvaman.wordpress.com/2010/07/06/ivr-information-visualization-and-representation-3d-security/</link>
		<comments>http://jagannathanvaman.wordpress.com/2010/07/06/ivr-information-visualization-and-representation-3d-security/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 20:08:54 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[MILITARY SECURITY]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=264</guid>
		<description><![CDATA[In the future, many decision makers will become immersed in their information environment by using a 3-D
representation, such as holographic imaging or VR capabilities. The 3-D presentations will be appropriate for use by
individuals and groups. In some situations, robots will be employed to represent individuals acting in a scenario.
Individuals will not have to be collocated physically to participate but will appear to other participants in surrogate
likeness or simulation. This capability will compensate for situations with personnel limitations.
In addition to use in decision making, these presentation capabilities will be used for training and in a variety
of other aspects of military preparation]]></description>
			<content:encoded><![CDATA[<p>Information visualization and  representation is defined as those capabilities employed to view, or  make visible,<br />
an abstraction of information using physical techniques that include  those processing capabilities used to present a<br />
data abstraction in a clear and appropriate manner.</p>
<p>In the future, information will be  presented  in a manner that is easy to comprehend quickly at any level of decision<br />
making and in a presentation style chosen by the user. This capability  will be available for individual or group<br />
presentation, without requiring users to have knowledge of the  underlying IS structure or internal activities. ISs will<br />
collect, monitor, and protect information with such accuracy and  reliability that the user is confident of the quality of<br />
the data representation and accepts it as a basis for decision making.<br />
The underlying ISs will contain an ability to initiate automated  self-protection, automated maintenance and<br />
repair, and automated disaster detection and recovery. This will be done in a reliable, self-checking and self-deconflicting<br />
fashion. When users are presented displays constructed from within an  IS, they will have confidence in<br />
the validity of these displays.<br />
Data  and analytic presentation will be rapid and inexpensive so that  multiple users can simultaneously access<br />
and inquire about the same  information while residing at different locations and using quite  different viewer style<br />
preferences. Rapid “what-if” analyses will be  processed simultaneously, without interference or delay to others<br />
engaged   in similar inquiry.</p>
<p>RATIONALE<br />
Decision making in a military situation can be based upon manifold,  interdependent (although not obviously<br />
so) events or situations occurring anywhere in the world. Analyses and  correlation of event content may require a<br />
search through substantial amounts of data maintained in different  formats distributed across memory located in different,<br />
geographically distant systems. Decision makers will not be required to  be sophisticated technologically or be<br />
expected to initiate or define the details of inquiry methodology.  Decision support data will be made rapidly available<br />
to command authorities. A numeric data credibility level will be  declared as a component of the results of each<br />
inquiry.<br />
Decision makers need analytic results of event correlation to be  presented in a fashion congruent with their own<br />
personal mode of thinking and understanding. Genetic variation creates  humans who process information in quite<br />
discordant dominant modes and in different combinations of visual, quantitative, or verbal preference. To reduce misunderstanding,<br />
ambiguity, or delay in forming a combat decision, data presentation  styles will include a selective<br />
capability to accommodate those individual preferences. A variety of  scenario options that can be explored automatically<br />
by the IS and presented in summary form will be available. Decision  makers will be able to select and view<br />
any desired level of detail upon voice command. Uttering an oral request  will modify presentation scale. Analyses<br />
will be initiated on request by pointing to a remote graphic, map,  chart, or table displayed on a wall using a lightpen<br />
or wand.</p>
<p>There may be a need for  real-time gathering of information with ongoing specialized analyses,  based not only<br />
upon requested information but also upon algorithmically derived  scenarios offered for optional consideration by the<br />
decision maker. The IS will be able to present a projection of the  consequences of actions currently being employed<br />
and in progress. For example, the viewer could be presented with  possible results of the current course of action,<br />
based upon automatic algorithmically derived options. Combat is always  less than predictable and infested with surprise.<br />
This real-time analytic capability does not ensure the outcome, but it  does improve a capability to discover<br />
errors while sufficient time remains to intervene, recover, or support a  stressed force.<br />
In the future, many decision makers will become immersed in their  information environment by using a 3-D<br />
representation, such as holographic imaging or VR capabilities. The 3-D  presentations will be appropriate for use by<br />
individuals and groups. In some situations, robots will be employed to  represent individuals acting in a scenario.<br />
Individuals will not have to be collocated physically to participate but  will appear to other participants in surrogate<br />
likeness or simulation. This capability will compensate for situations  with personnel limitations.<br />
In addition to use in decision making, these presentation capabilities  will be used for training and in a variety<br />
of other aspects of military preparation.</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2010/07/06/ivr-information-visualization-and-representation-3d-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
		<item>
		<title>Cyber War &#8211; Are we prepared?</title>
		<link>http://jagannathanvaman.wordpress.com/2010/04/27/cyber-war-are-we-prepared/</link>
		<comments>http://jagannathanvaman.wordpress.com/2010/04/27/cyber-war-are-we-prepared/#comments</comments>
		<pubDate>Tue, 27 Apr 2010 00:12:50 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=254</guid>
		<description><![CDATA[A Very Interesting book &#8211; CyberWar &#8211; a must read for Security Professionals. This review appeared in the NYT &#8211; http://www.nytimes.com/2010/04/27/books/27book.html?8dpc=&#38;pagewanted=all CYBER WAR Blackouts hit New York, Los Angeles, Washington and more than 100 other American cities. Subways crash. Trains derail. Airplanes fall from the sky. Gas pipelines explode. Chemical plants release clouds of toxic [...]]]></description>
			<content:encoded><![CDATA[<p>A Very Interesting book &#8211; CyberWar &#8211; a must read for Security Professionals.</p>
<p><strong>This review appeared in the NYT &#8211; <a href="http://www.nytimes.com/2010/04/27/books/27book.html?8dpc=&amp;pagewanted=all">http://www.nytimes.com/2010/04/27/books/27book.html?8dpc=&amp;pagewanted=all</a></strong></p>
<h2>CYBER WAR</h2>
<p>Blackouts hit New York, Los Angeles, Washington and more than 100 other American cities. Subways crash. Trains derail. Airplanes fall from the sky.</p>
<p>Gas pipelines explode. Chemical plants release clouds of toxic chlorine. Banks lose all their data. Weather and communication satellites spin out of their orbits. And the Pentagon’s classified networks grind to a halt, blinding the greatest military power in the world.</p>
<p>This might sound like a takeoff on the 2007 <a title="More articles  about Bruce Willis." href="http://topics.nytimes.com/top/reference/timestopics/people/w/bruce_willis/index.html?inline=nyt-per">Bruce Willis</a> “Die Hard” movie, in which a group of cyberterrorists attempts to stage what it calls a “fire sale”: a systematic shutdown of the nation’s vital communication and utilities infrastructure. According to the former counterterrorism czar <a title="More articles  about Richard A. Clarke." href="http://topics.nytimes.com/top/reference/timestopics/people/c/richard_a_clarke/index.html?inline=nyt-per">Richard A. Clarke</a>, however, it’s a scenario that could happen in real life — and it could all go down in 15 minutes. While the United States has a first-rate cyberoffense capacity, he says, its lack of a credible defense system, combined with the country’s heavy reliance on technology, makes it highly susceptible to a devastating cyberattack.</p>
<p>“The United States is currently far more vulnerable to cyberwar than Russia or China,” he writes. “The U.S. is more at risk from cyberwar than are minor states like North Korea. We may even be at risk some day from nations or nonstate actors lacking cyberwar capabilities, but who can hire teams of highly capable hackers.”</p>
<p>Lest this sound like the augury of an alarmist, the reader might recall that Mr. Clarke, counterterrorism chief in both the <a title="More articles about Bill Clinton." href="http://topics.nytimes.com/top/reference/timestopics/people/c/bill_clinton/index.html?inline=nyt-per">Bill Clinton</a> and <a title="More articles about George W. Bush." href="http://topics.nytimes.com/top/reference/timestopics/people/b/george_w_bush/index.html?inline=nyt-per">George W. Bush</a> administrations, repeatedly warned his superiors about the need for an aggressive plan to combat al Qaeda — with only a pallid response before 9/11. He recounted this campaign in his controversial 2004 book, “Against All Enemies.”</p>
<p>Once again, there is a lack of coordination between the various arms of the military and various committees in Congress over how to handle a potential attack. Once again, government agencies and private companies in charge of civilian infrastructure are ill prepared to handle a possible disaster.</p>
<p>In these pages Mr. Clarke uses his insider’s knowledge of national security policy to create a harrowing — and persuasive — picture of the cyberthreat the United States faces today. Mr. Clarke is hardly a lone wolf on the subject: <a title="More articles about Mike McConnell." href="http://topics.nytimes.com/top/reference/timestopics/people/m/john_michael_mcconnell/index.html?inline=nyt-per">Mike McConnell</a>, the former director of national intelligence, told a Senate committee in February that “if we were in a cyberwar today, the United States would lose.”</p>
<p>And last November, Steven Chabinsky, deputy assistant director for the <a title="More articles about the Federal Bureau of Investigation." href="http://topics.nytimes.com/top/reference/timestopics/organizations/f/federal_bureau_of_investigation/index.html?inline=nyt-org">Federal Bureau of Investigation</a>’s cyber division, noted that the F.B.I. was looking into Qaeda sympathizers who want to develop their hacking skills and appear to want to target the United States’ infrastructure.</p>
<p>Mr. Clarke — who wrote this book with Robert K. Knake, an international affairs fellow at the <a title="More articles about  Council on Foreign Relations" href="http://topics.nytimes.com/top/reference/timestopics/organizations/c/council_on_foreign_relations/index.html?inline=nyt-org">Council on Foreign Relations</a> — argues that because the United States military relies so heavily upon databases and new technology, it is “highly vulnerable to cyberattack.” And while the newly established Cyber Command, along with the <a title="More articles about the Homeland  Security Department." href="http://topics.nytimes.com/top/reference/timestopics/organizations/h/homeland_security_department/index.html?inline=nyt-org">Department of Homeland Security</a>, is supposed to defend the federal government, he writes, “the rest of us are on our own”:</p>
<p>“There is no federal agency that has the mission to defend the banking system, the transportation networks or the power grid from cyberattack.” In fact, The Wall Street Journal reported in April 2009 that the United States’ electrical grid had been penetrated by cyberspies (reportedly from China, Russia and other countries), who left behind software that could be used to sabotage the system in the future.</p>
<p>For more than a decade now, Mr. Clarke has been warning about “an electronic Pearl Harbor,” and he is familiar with the frustrations of a political bureaucracy. He notes that pressure from both the right and left over the hot-button issues of regulation and privacy have made it difficult for the government to get individual corporations (which control vital services like electricity, Internet access and transportation) to improve their ability to defend themselves against cyberattack.</p>
<p>Meanwhile, Mr. Clarke says, China has developed “the ability to disconnect all Chinese networks from the rest of the global Internet, something that would be handy to have if you thought the U.S. was about to launch a cyberwar attack on you.” After the first gulf war, he explains, the Chinese “began to downsize their military” — which reportedly has about one-eighth of the Pentagon’s budget (before adding in the costs of the wars in Afghanistan and Iraq) — and invest in new technologies, which they believed could give them an asymmetric advantage over the United States, despite America’s overwhelming conventional arsenal.</p>
<p>As for North Korea, Mr. Clarke says, it employs an Olympics-like approach to creating cyberwarriors, selecting “elite students at the elementary-school level to be groomed as future hackers.” North Korea is suspected of being behind the cyberattacks of July 2009 that took down the Web servers of the Treasury, Secret Service, Federal Trade Commission and Transportation Department and is thought to have placed “trapdoors” — code that allows hackers future access to a network — on computer networks on at least two continents.</p>
<p>Trapdoors are just one device that rival nation states and cyberterrorists can use. There are also “logic bombs” (code that can set off malicious functions when triggered), Distributed Denial of Service (D.D.O.S.) attacks (in which a site or server is flooded with more requests for data than it can process), and foreign-manufactured software and hardware that might have been tampered with before being shipped to the States.</p>
<p>The Defense Department, Mr. Clarke says, began to embrace the cost-saving idea of using commercial off-the-shelf software (instead of applications custom-made in-house) in the ’90s, and it “brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer.” He says, for instance, that in 1997, when the Windows system on a retrofitted “smart ship” called the U.S.S. Yorktown crashed, “the cruiser became a floating i-brick, dead in the water.”</p>
<p>The United States’ lack of an effective cyberdefense system, Mr. Clarke ominously warns, “will tempt opponents to attack in a period of tensions,” and it could also tempt America to take pre-emptive action or escalate a cyberconflict very rapidly if attacked. Were such a war to start, it could easily jump international boundaries, causing cascades of collateral damage to unspool around the world.</p>
<p>How best to address this alarming situation? Mr. Clarke reports that a 2009 meeting of some 30 cyberspace “old hands” — former government officials, current bureaucrats, chief security officers of major corporations, academics and senior information technology company officials — came to the conclusion that critical infrastructure should be separated from “the open-to-anyone” Internet. They also came out in favor of more government involvement in cyber research and development and a heightened emphasis on building “resilience” into systems so as to enable recovery, post-attack.</p>
<p>In addition to these suggestions, Mr. Clarke adds some fairly common-sense — but not so easily achieved — recommendations of his own. He argues that America needs to “harden the important networks that a nation-state attacker would target” by putting automated scanning systems in place to look for malware. Also, it needs to make sure that the Pentagon enhances the security of its own networks; and to work toward cyberarms-control agreements with other nations.</p>
<p>“The reality is that a major cyberattack from another nation is likely to originate in the U.S.,” Mr. Clarke says, noting that logic bombs and trapdoors are quite likely already in place, “so we will not be able to see it coming and block it with the systems we have now or those that are planned. Yes, we may be able to respond in kind, but our nation will still be devastated by a massive cyberattack on civilian infrastructure that smacks down power grids for weeks, halts trains, grounds aircraft, explodes pipelines and sets fire to refineries.”</p>
<p>And should America then decide to cross the line from cyberwarfare to conventional warfare, he says near the end of this chilling book, the highly advanced technology in our military arsenal “may suddenly not work.”</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2010/04/27/cyber-war-are-we-prepared/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
		<item>
		<title>BEWARE OF CHINESE HACKERS &#8211; THEY ARE GOOD</title>
		<link>http://jagannathanvaman.wordpress.com/2010/01/26/beware-of-chinese-hackers-they-are-good/</link>
		<comments>http://jagannathanvaman.wordpress.com/2010/01/26/beware-of-chinese-hackers-they-are-good/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 14:25:45 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=247</guid>
		<description><![CDATA[Post Google attack by Cyber Criminals many experts have come out with interesting views. Here are some - George Kurtz, CTO of McAfee, and his team were involved in the analysis of just what happened during these attacks which he dubs “Aurora”. He revealed in his blog on January 14th that the primary mechanism was [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p><a href="http://jagannathanvaman.files.wordpress.com/2010/01/chinese_dog-1.jpg"><img class="alignleft size-medium wp-image-248" title="chinese_dog-1" src="http://jagannathanvaman.files.wordpress.com/2010/01/chinese_dog-1.jpg?w=233&#038;h=300" alt="" width="233" height="300" /></a></p>
<p><strong>Post Google attack by Cyber Criminals many experts have come out with interesting views. Here are some -</strong></p>
<p><strong>George Kurtz, CTO of McAfee, and his team were involved in the analysis of just what happened during these attacks which he dubs “Aurora”. He revealed in his <a title="Aurora" href="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/">blog</a> on January 14th that the primary mechanism was a Trojan horse that exploited a new vulnerability in Internet Explorer. What is interesting to note is Kurtz’s surprise at the dramatic turn the threatscape has taken.<br />
“All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. “<br />
There have been many instances of Chinese hacking of US research and defense organizations. To date the US State Department has remained aloof.</strong> <strong>Hillary Clinton’s Remarks on Internet Freedom are worth noting because they are the first time a US Secretary of State has so explicitly endorsed Internet freedom and access to information. Full text and video are available <a href="http://www.state.gov/secretary/rm/2010/01/135519.htm">here</a>.<br />
&#8220;The same networks that help organize movements for freedom also enable al-Qaida to spew hatred and incite violence against the innocent. And technologies with the potential to open up access to government and promote transparency can also be hijacked by governments to crush dissent and deny human rights.<br />
In the last year, we’ve seen a spike in threats to the free flow of information. China, Tunisia, and Uzbekistan have stepped up their censorship of the internet. In Vietnam, access to popular social networking sites has suddenly disappeared. And last Friday in Egypt, 30 bloggers and activists were detained.&#8221;<br />
The most important thing Ms Clinton said in my opinion:<br />
&#8220;On their own, new technologies do not take sides in the struggle for freedom and progress, but the United States does. We stand for a single internet where all of humanity has equal access to knowledge and ideas. And we recognize that the world’s information infrastructure will become what we and others make of it.&#8221;<br />
Them’s fight’n words and the Chinese reacted in kind. Xinhua, the official news agency of the Chinese government, published a <a title="Oh yeah???" href="http://news.xinhuanet.com/english2010/china/2010-01/24/c_13148512.htm%20http://www.npr.org/templates/story/story.php?storyId=122846288">Commentary: Don&#8217;t impose double standards on &#8220;Internet freedom&#8221;</a>. My favorite quote:</strong></p>
<p><strong>“As is widely recognized, freedom is always relative, and such is also the case with Internet freedom.”</strong></p>
<p><strong>That says it all and the lines are drawn.</strong></p>
<p><strong><br />
Evgeny Morozov, the Yahoo! Fellow at Georgetown University, <a title="Oh SNAP" href="http://blog.tenablesecurity.com/2010/01/afterbytes-ranum-on-google-considering-leaving-china.html">characterized</a> Ms. Clinton’s remarks as laced with Cold War rhetoric. He predicted correctly that China would reciprocate with criticism of US restrictions on Internet communications.  While Evgeny may denigrate Cold War thinking (keep in mind that he grew up on the wrong side of the Iron Curtain, in Belarus), there is something to be said for recognizing that China is indeed engaged in regional hegemony and global jockeying for power and control that is reminiscent of the Cold War.  Never lose sight of China’s nuclear arsenal, standing army, and caustic rhetoric.</strong></p>
<p><strong>Marcus Ranum got a little heated in his <a title="Ranum rants" href="http://blog.tenablesecurity.com/2010/01/afterbytes-ranum-on-google-considering-leaving-china.html">contribution to the discussion</a>.   Aside from implying that all of the other people I am quoting here are clueless, he had this to offer:<br />
&#8220;My prediction for you: The Chinese Government will offer to block access to Google. I.e.: &#8220;Want to pull out of China? Here, let us help you.&#8221; Google will shut up, and the whole thing will blow over.&#8221;<br />
He might just be right, as Google has yet to carry through on its threat to stop censoring search results at Google.cn.<br />
</strong> <strong>Bruce Schneier, cryptographer, author, and critic of the TSA, <a title="really? " href="http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/?hpt=T2">singled out</a> a different aspect of the story.  He criticizes the existence of so-called back doors that Google and other Internet services have built in so that they can comply with government demands for information.<br />
“China&#8217;s hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won&#8217;t be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?”<br />
Schneier may have jumped to conclusions based on too little information.   Read this refutation by <a title="Twitter" href="http://twitter.com/johnmark">John Mark Walker</a> <a title="Touche! " href="http://ostatic.com/blog/schneier-makes-uncorroborated-claims-about-google-hack">here</a>.</strong></p>
<p><strong><a href="http://jagannathanvaman.files.wordpress.com/2010/01/hack1.jpg"><img class="alignleft size-medium wp-image-250" title="hack" src="http://jagannathanvaman.files.wordpress.com/2010/01/hack1.jpg?w=300&#038;h=248" alt="" width="300" height="248" /></a><br />
</strong> <strong>L. Gordon Crovitz, the Information Age columnist at the Wall Street Journal, <a title="sing with me." href="http://www.threatchaos.com/%20http://online.wsj.com/article/SB20001424052748704562504575022251970284896.html">invoked the “Shores of Tripoli”</a> when he called for Washington to fix the cyber security problem.   If you have not heard the story of how Thomas Jefferson finally beat the Barbary Pirates, told as a shining example of how law enforcement can be effective, you have missed out.   I first heard the story applied to Internet security in 2004 when Steve Forbes recited it at a dinner he sponsored in California.  It is telling that we have to go back 200 years in history to find a good example of the US effectively dealing with brigands.   Crovitz calls for a government crackdown, claiming:<br />
&#8220;Just as the traders of the 18th century could not protect open sea lanes by themselves, technology companies, even ones as powerful as Google, today cannot keep digital sea lanes open on their own. Washington has started to talk about the seriousness of the problem. Now it needs a plan to fix it.&#8221;<br />
If he digs into it a bit, Mr. Crovitz will find that the government has far less ability to keep the Internet sea lanes open than those who own and operate the networks.<br />
</strong> <strong>Brahma Chellaney, Professor of Strategic Studies at the Indian Centre for Policy Research, gives us the perspective of someone who is a little closer to China.  His <a title="Must read" href="http://chellaney.spaces.live.com/">blog</a> contains a post, “A new war, a new frontier”.<br />
“In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier. In a conflict, China could cripple major Indian systems through a wave of cyber attacks. With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.”</strong></p>
<p><strong>That holds true not just for India.  Every country has to realize that the protection of sensitive computer networks must become a national security priority.</strong></p>
<p><strong>Wow, the world has changed this week.</strong></p>
<p><strong>A NEW WAR &#8211; A NEW FRONTIER</strong></p>
<div><strong>India’s abilities to ward off attacks on its computer networks and other infrastructure are basic at best</strong></div>
<div>
<div>
<h3><strong><span style="color:#000000;">Brahma Chellaney <em>Mint</em>, January 22, 2010</span></strong></h3>
</div>
</div>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">Even though India showcases its world-class information-technology and knowledge skills and civilian space assets, it lags far behind China’s cyberspace capabilities. Worse, it has developed no effective means to shield its rapidly expanding cyber infrastructure from the pervasive attacks that are now being carried out both in search of competitive intelligence and to unnerve the Indian establishment. </span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier. In a conflict, China could cripple major Indian systems through a wave of cyber attacks. With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.</span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">The cyber threat is at two levels. The first is national, as manifest from the attacks already carried out against India’s National Informatics Centre (NIC) systems, the office of the national security adviser and the ministry of external affairs. By scanning and mapping some of India’s major official computer systems, China has demonstrated a capacity to steal secrets and gain an asymmetrical advantage. Cyber intrusion in peacetime allows China to read the content and understand the relative importance of different Indian networks so that it knows what to disable in a war situation.</span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">The second level of cyber threat is against chosen individuals. Such targets in India range from functionaries of the Tibetan government-in-exile and Tibetan activists to Indian writers and others critical of China. The most-common type of intrusion is an attempt to hack into the e-mail accounts. The targets also can face the so-called Trojan horse attacks by e-mail that are intended to breach their computers and allow the infiltrators to remotely remove, corrupt or transfer files.</span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">To be sure, it is not easy to identify the country from where a particular cyber attack originated if it is camouflaged. Through the use of so-called false flag espionage and other methods, attacks can be routed through the computers of a third country. Just as some Chinese pharmaceutical firms have exported to Africa spurious medicines with Made-in-India label — a fact admitted by Beijing — some Chinese hackers are known to have rerouted their cyber intrusion through computers in Russia, Iran, Cuba and other countries. But like their comrades in the pharmaceutical industry, such hackers tend to leave telltale signs that allow investigators in the victim countries to trace the origin of the disguised attacks to China. Then there are many cases where the attacks have directly originated in China.</span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">So the reasonable supposition at the highest levels of the Indian government is that most cyber attacks have been carried out from China. That is also the conclusion Google reached when it reported “a highly sophisticated and targeted attack on our corporate infrastructure originating from China” and threatened to end “our business operations in China.” Cyber strikes are just the latest example of how China’s actions — from manipulation of the renminbi’s value to the large-scale dumping of artificially cheap goods — are beginning to rankle other nations, undercutting its claims of a “peaceful rise.” </span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">Let’s be clear: If China can carry out sophisticated cyber attacks on at least 34 U.S. companies, including Google, as part of a concerted effort to pilfer valuable intellectual property, it certainly has the capability to outwit the elementary safeguards found in most Indian computer systems. Google today is crying foul but it was instrumental in aiding online censorship controls in a country that is most fearful of the free flow of information. It custom-built for China a search engine that expurgates the search results of references and Web sites that Beijing considers inappropriate. Now, Google itself has become a victim of China’s growing cyber prowess, in the way the appeasement of Hitler had recoiled on France and Britain. </span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">Hackers in China have been carefully studying different software programmes to exploit their flaws. For example, hackers have found openings that allow them to infect victims’ computers through booby-trapped documents stored in the Acrobat Reader format. Opening such a document allows the hackers to automatically scan and transfer computer-stored files to a digital storage facility in China as part of a vast surveillance system dubbed “Ghostnet” by Canadian researchers. This is what happened when computers of the Tibetan government-in-exile in Dharamsala were methodically attacked last year. Officials in Germany, Britain and the U.S. have acknowledged that their government and military networks also have been broken into by Chinese hackers.</span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">It seems unlikely that the hackers, especially those engaged in systematic cyber espionage and intimidation, are private individuals with no links to the Chinese government. It is more likely that the hackers are tied to the People’s Liberation Army. In war, this irregular contingent of hackers would become the vanguard behind which the regular PLA divisions take on the enemy. </span></span></strong></p>
<p><strong><span style="font-family:Segoe UI;"><span style="font-size:x-small;">India already is on the frontlines of one mode of asymmetrical warfare: Terrorism. That type of warfare has traumatized and bled India for long, with the country exposing itself as a soft state through the absence of an effective response. Now a new frontier of asymmetrical warfare is being opened against India, not by state-sponsored non-state actors but by state actors. It cannot fight two asymmetrical wars simultaneously, one against terrorists and extremists and the other against a state flouting international norms and wedded to cybercrime. The two asymmetrical wars indeed are a reminder that unconventional threats cannot be defeated through conventional forces alone. That is why India should treat the growing cyber attacks as a wake-up call to plug its vulnerabilities by developing appropriate countermeasures on a priority basis.</span></span></strong></p>
<p><em><span style="font-family:Segoe UI;font-size:x-small;"><strong>Brahma Chellaney is professor of strategic studies at the Centre for Policy Research in New Delhi.</strong><br />
</span></em></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2010/01/26/beware-of-chinese-hackers-they-are-good/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>

		<media:content url="http://jagannathanvaman.files.wordpress.com/2010/01/chinese_dog-1.jpg?w=233" medium="image">
			<media:title type="html">chinese_dog-1</media:title>
		</media:content>

		<media:content url="http://jagannathanvaman.files.wordpress.com/2010/01/hack1.jpg?w=300" medium="image">
			<media:title type="html">hack</media:title>
		</media:content>
	</item>
		<item>
		<title>CyberDragon &#8211; Chinese Art of CyberWar</title>
		<link>http://jagannathanvaman.wordpress.com/2010/01/20/cyberdragon-chinese-art-of-cyberwar/</link>
		<comments>http://jagannathanvaman.wordpress.com/2010/01/20/cyberdragon-chinese-art-of-cyberwar/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 07:05:38 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=242</guid>
		<description><![CDATA[The ART of CyberWAR Let’s go back a couple of thousand years and examine Sun Tsu’s original treatise on The Art of War. In his book The Craft of Intelligence Allen W. Dulles, father of the CIA, writes: “To Sun Tsu belongs the credit not only for the first remarkable analysis of the ways of [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=jagannathanvaman.wordpress.com&amp;blog=5948702&amp;post=242&amp;subd=jagannathanvaman&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p><a href="http://jagannathanvaman.files.wordpress.com/2010/01/page_body_special_quote_gold.jpg"><img class="alignleft size-full wp-image-245" title="page_body_special_quote_gold" src="http://jagannathanvaman.files.wordpress.com/2010/01/page_body_special_quote_gold.jpg?w=218&#038;h=142" alt="" width="218" height="142" /></a></p>
<p><strong>The ART of CyberWAR</strong></p>
<p>Let’s go back a couple of thousand years and examine <strong>Sun Tsu’s original treatise on <em>The Art of War</em>.</strong> In his book <em>The Craft of Intelligence</em> Allen W. Dulles, father of the CIA, writes:</p>
<blockquote><p>“To Sun Tsu belongs the credit not only for the first remarkable analysis of the ways of espionage but also for the first written recommendations regarding an organized intelligence service. He points out that the master of intelligence will employ all five kinds of agents simultaneously; he calls this the “Divine Skein.” The analogy is to a fishnet consisting of many strands all joined to a single cord. He comments on counter-intelligence, on psychological warfare, on deception, on security, on fabricators, in short, on the whole craft of intelligence.”</p></blockquote>
<p>Indeed, Sun Tzu devoted a separate section of <em>The Art of War</em> to the employment of spies. Dulles then says:</p>
<blockquote><p>“It is no wonder that Sun Tzu’s book is a favorite of Mao-Tse-tung and is required reading for Chinese Communist tacticians. In their conduct of military campaigns and of intelligence collection, they clearly put into practice the teachings of Sun Tzu.”</p></blockquote>
<p>This from the man in charge of the United States’ intelligence operations during the Cold War, when China and the USSR were his primary adversaries.<br />
In his 2004 paper “Sun Tzu’s Strategic Thought and Its Inspiration for Informationized Warfare”, presented at the Sixth International Seminar on Sun Tzu’s Art of War, Chai Yuqui of the Nanjing Army Command Academy called Sun Tzu a grand strategist without parallel in history. (Virtual Dragon p. 333)<br />
Chinese theoreticians have been considering the implications of Information Warfare for two decades. Look at the titles of some of their research:</p>
<ul>
<li><strong>Wang Qingsong, Modern Military-Use High Technology, 1993</strong></li>
<li><strong>Zhu Youwen, Feng Yi, and Xu Dechi, Information War Under High Tech Conditions, 1994</strong></li>
<li><strong>Li Qingshan, New Military Revolution and High Tech War, 1995</strong></li>
<li><strong>Wang Pufeng, Information Warfare and the Revolution in Military Affairs, Beijing, 1995</strong></li>
<li><strong>Zhu Xiaoli and Zhao Xiaozhuo, The United States and Russia in the New Military Revolution, 1996</strong></li>
<li><strong>Dai Shenglong and Shen Fuzhen, Information Warfare and Information Security Strategy, 1996</strong></li>
<li><strong>Shen Weiguang, On New War, 1997</strong></li>
</ul>
<p>According to China analyst Timothy L. Thomas (author of Decoding the Virtual Dragon, a publication of the US Army’s Foreign Military Studies Office), Dr. Shen Weiguang is known in China as the father of Information Warfare (IW) theory. Also in 1995, Shen wrote an introductory article on IW for the PLA Daily Newspaper. In it Shen states that the main target of IW is the enemy’s cognitive and trust systems and the goal is to exert control over his actions.</p>
<p>Thomas discovered more interesting thinking in a 2004 article by General Xu Xiaoyan, the former head of the Communications Department of the Chinese General Staff. Xu dissects the realm of Information Warfare. At the granular level he points out the need for:<br />
<strong><br />
“Network confrontation technology—intercepting, utilizing, corrupting, and damaging the enemy’s information and using false information, viruses, and other means to sabotage normal information system functions through computer networks.” (Virtual Dragon p. 66)</strong></p>
<p>Thomas goes on to offer the following observations:</p>
<p>“If Xu’s suggestions were accepted, then one might expect to see more active reconnaissance and intelligence activities on the part of the PLA (as seems to be occurring!)”</p>
<p>That exclamation point is Thomas’s, written after Titan Rain (2004) but before the GhostNet report on Chinese hacking of the Dalai Lama’s network (2009).</p>
<p>Last Tuesday Google announced that it had been hacked by sources in China. The targets were the email accounts of Chinese activists and bloggers.  An outraged Google threatened to stop censoring search results at its Google China search engine, google.cn.   Yahoo chimed in in support of Google. Yahoo, of course, is another Internet company with a history of bowing to Chinese requests, including providing information that led to the arrest and imprisonment of Shi Tao, a Chinese journalist who still has four years of his sentence to serve.<br />
According to the <a href="http://www.nytimes.com/2010/01/19/technology/companies/19google.html?ref=world">New York Times</a>:<br />
“Several human rights advocates in China said last week that their Gmail accounts had been compromised, among them Ai Weiwei, an artist, and Teng Biao, a lawyer.”</p>
<p>In addition, two foreign journalists, one from the Associated Press, claim their Gmail accounts were compromised.<br />
Google claims it found evidence of attacks on 33 companies.  Some of these have acknowledged the attacks: Yahoo, Symantec, Northrop Grumman, Dow Chemical, a law firm involved in suing China, and Adobe. Even India has gone public with accusations that China has been hacking its networks.<br />
Chinese cyber espionage should come as no surprise.  A historical perspective is needed to understand how these attacks against Google and others are merely an extension of spying activity that has been documented at least since 2001.<br />
There is a group of foreign intelligence analysts whose job it is to keep an eye on China and interpret what is going on there. Since 2001 these analysts have devoted their efforts to understanding China’s thinking on modern warfare and, in particular, Information Warfare. The body of knowledge they have to work with is extensive and surprising in the level of logic and careful consideration that China’s military theoreticians have applied to what they call the Revolution in Military Affairs (RMA).</p>
<p><strong>China is engaging in systematic industrial and military espionage via the Internet.  Do not be surprised as more and more organizations announce that they too have been targets.  For that matter, do you know if your own organization has been the victim of Chinese cyber spying?</strong></p>
<p><strong>Source Research: </strong>http://www.threatchaos.com &#8211; <a href="http://www.threatchaos.com/home-mainmenu-1/16-blog/536-putting-chinese-cyber-espionage-in-perspective">Putting Chinese cyber espionage in perspective</a><a href="http://jagannathanvaman.files.wordpress.com/2010/01/c08_20570691.jpg"><img class="alignleft size-medium wp-image-243" title="c08_20570691" src="http://jagannathanvaman.files.wordpress.com/2010/01/c08_20570691.jpg?w=300&#038;h=195" alt="" width="300" height="195" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2010/01/20/cyberdragon-chinese-art-of-cyberwar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>

		<media:content url="http://jagannathanvaman.files.wordpress.com/2010/01/page_body_special_quote_gold.jpg" medium="image">
			<media:title type="html">page_body_special_quote_gold</media:title>
		</media:content>

		<media:content url="http://jagannathanvaman.files.wordpress.com/2010/01/c08_20570691.jpg?w=300" medium="image">
			<media:title type="html">c08_20570691</media:title>
		</media:content>
	</item>
		<item>
		<title>Hacking attacks on Google boost outlook for cyber-security</title>
		<link>http://jagannathanvaman.wordpress.com/2010/01/20/hacking-attacks-on-google-boost-outlook-for-cyber-security/</link>
		<comments>http://jagannathanvaman.wordpress.com/2010/01/20/hacking-attacks-on-google-boost-outlook-for-cyber-security/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 06:40:38 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/2010/01/20/hacking-attacks-on-google-boost-outlook-for-cyber-security/</guid>
		<description><![CDATA[Hacking attacks on Google boost outlook for cyber-security For U.S. military firms, the latest revelations of highly sophisticated hacker attacks on Google Inc. are highlighting a new THREAT VECTOR AND reality, and a potentially lucrative business: The battlefield is shifting to cyberspace. Google&#8217;s admission last week that it and other large companies were infiltrated by [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=jagannathanvaman.wordpress.com&amp;blog=5948702&amp;post=239&amp;subd=jagannathanvaman&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>Hacking attacks on Google boost outlook for cyber-security </p>
<p>For U.S. military firms, the latest revelations of highly sophisticated hacker attacks on Google Inc. are highlighting a new THREAT VECTOR AND reality, and a potentially lucrative business: The battlefield is shifting to cyberspace.</p>
<p>Google&#8217;s admission last week that it and other large companies were infiltrated by cyber-spies (Chinese? Russian?) is bolstering prospects for major military contractors that in recent years have been intensifying their focus from developing weapons to defending computer systems and networks.</p>
<p>&#8220;Cyber-security is shaping up to be a major growth opportunity for the defense industry,&#8221; said Loren Thompson, a military policy analyst for the Lexington Institute, a think tank in Arlington, Va. &#8220;We&#8217;ve spent the last 20 years putting all of our information onto computers. Now, we don&#8217;t have any choice but to defend ourselves against foreign intrusion.&#8221;</p>
<p>As the threat becomes more coordinated and complex, military firms say that demand for sophisticated cyber-security will rise. The attacks on Google alarmed security analysts because it appeared that a new battle was being waged in which corporate computers and the valuable intellectual property they hold had become a target of a foreign government. In the past such intricate attacks were primarily aimed at military and state secrets.</p>
<p>The military industry, having already done extensive work protecting federal government computers, may be in a good position in the emerging market that could exceed $100 billion in revenue within the next decade, analysts said.</p>
<p>It may have little choice. Pentagon spending on weapons is expected to slow, leaving military firms scrambling for new business.</p>
<p>&#8220;Each of these companies recognizes that growing demand for cyber skills could help cover any shortfall in revenues,&#8221; Thompson said.</p>
<p>The federal government is expected to set aside $8.3 billion this year for protecting its computers from hackers, up 60% from just four years ago. In a speech last year, Deputy Secretary of Defense William J. Lynn said that at the Pentagon alone, there were an &#8220;estimated 90,000 people engaged in administering, monitoring and defending 15,000 networks connecting 7 million computers.&#8221;</p>
<p>With attacks increasing more than 200% since 2006, federal spending on cyber-security is expected to grow 8.1% annually over the next four years, according to Input, a Reston, Va., government contracting research firm.</p>
<p>&#8220;That&#8217;s significant growth, given the budget pressure that the government is under,&#8221; said John Slye, principal analyst at Input.</p>
<p>Exactly how much private firms are spending to protect themselves from hackers is unknown, because many do not like to admit that their computers have been breached.</p>
<p>&#8220;In today&#8217;s current state, there&#8217;s a good chance that you&#8217;ve already been compromised,&#8221; said Timothy McKnight, vice president of Northrop Grumman Corp.&#8217;s intelligence systems division. &#8220;We want to stay ahead of this problem. We&#8217;re doing everything to stay on the cutting edge.&#8221;</p>
<p>To bolster their staffs, military firms have been hiring former top government officials, partnering with universities for young talent and swallowing up smaller cyber-boutiques.</p>
<p>Century City-based Northrop, maker of the B-2 stealth bomber and nuclear submarines, in 2007 acquired Essex Corp., which specializes in encryption technology used by U.S. intelligence agencies that could be applied to protecting valuable data.</p>
<p>Northrop last year consolidated its cyber-security business, scattered among various divisions across the country, into one unit.</p>
<p>And in December, Northrop created a cyber-security research consortium with Carnegie Mellon University, the Massachusetts Institute of Technology and Purdue University as a way to tap new technologies and recruit emerging talent.</p>
<p>Defense rival Lockheed Martin Corp. took a different route, assembling a cyber-security alliance with tech companies, including Microsoft Corp., Cisco Systems Inc. and Dell Inc., to collaborate on developing measures against hackers.</p>
<p>In November, the nation&#8217;s largest military contractor finished a 5,000-square-foot facility in Gaithersburg, Md., that&#8217;s dedicated to cyber-security research. Lockheed has also recruited Lee Holcomb, former chief technology officer for the Department of Homeland Security, to head the company&#8217;s cyber-security initiatives.</p>
<p>Another military firm, General Dynamics Corp., has built a lucrative business protecting companies from cyber attacks. In 2007, the company helped the parent of discount retailers T.J. Maxx and Marshalls patch a security breach in which hackers had gained access to computers that had information on 50 million customers&#8217; credit and debit cards.</p>
<p>&#8220;Nobody is building aircraft carriers anymore,&#8221; said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc., a national-security firm. &#8220;It looks like, from now on, the big money is in cyber space.&#8221;</p>
<p>The Indian NSA has recently alleged that Indian PMO websites were hacked by the Chinese. This should serve as a wake-up call to Indian companies to move IT Security from a Nice To Have to a NEED TO HAVE budget item.</p>
<p>Indian companies are very vulnerable to coordinated cyber attacks &#8211; they have unprotected websites, applications and databases. Most of the so-called IT Security is left to low-level system administrators and network admin guys. There is very little understanding of application security &#8211; the layer where tons of sensitive data, IP-related data, customer data and design data reside.</p>
<p>My recommendation is that CEOs and top management should include an IS Security statement in the published balance sheets as part of disclosure to the public and shareholders. This should be based on an IT Governance committee and its audit report &#8211; like an audited financial report. Unless the law mandates such a system, IT Security will remain a discretionary budget item.</p>
<p>Source Research: For Military Firms, A New Spy Market<br />
(Los Angeles Times)&#8230;W.J. Hennigan</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2010/01/20/hacking-attacks-on-google-boost-outlook-for-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
		<item>
		<title>SENSITIVE SECURITY INFORMATION of US TSA -Transportation Security Administration leaked in the Internet</title>
		<link>http://jagannathanvaman.wordpress.com/2009/12/11/sensitive-security-information-of-us-tsa-transportation-security-administration-leaked-in-the-internet/</link>
		<comments>http://jagannathanvaman.wordpress.com/2009/12/11/sensitive-security-information-of-us-tsa-transportation-security-administration-leaked-in-the-internet/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 21:40:28 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=231</guid>
		<description><![CDATA[When the TSA of the USA makes a major security blunder like this, it really isn’t all that hard to pick on them. That it comes after 9/11 and huge security lapses at US airports raises a question &#8211; how secure are these security measures? The latest is that their Screening Management Standard Operating Procedure is published [...]]]></description>
			<content:encoded><![CDATA[<p>When the <a href="http://www.wanderingaramean.com/search/label/TSA" target="_blank">TSA</a> of the USA makes a major security blunder like this, it really isn’t all that hard to pick on them. That it comes after 9/11 and huge security lapses at US airports raises a question &#8211; how secure are these security measures?</p>
<p>The latest is that their <strong>Screening Management Standard Operating Procedure has been published on the internet.</strong> I actually do not like that. I think that security through obscurity is a good idea in some situations/places. It will be very difficult to change all the security parameters, secure infrastructure and secure processes overnight, but huge damage has been done.</p>
<p>Of course the document is marked SSI and includes this footnote on every page:</p>
<blockquote><p><strong>SENSITIVE SECURITY INFORMATION </strong><br />
WARNING: THIS RECORD CONTAINS SENSITIVE SECURITY INFORMATION THAT IS CONTROLLED UNDER 49 CFR PARTS 15 AND 1520. NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A “NEED TO KNOW,” AS DEFINED IN 49 CFR PARTS 15 AND 1520, EXCEPT WITH THE WRITTEN PERMISSION OF THE ADMINISTRATOR OF THE TRANSPORTATION SECURITY ADMINISTRATION OR THE SECRETARY OF TRANSPORTATION. UNAUTHORIZED RELEASE MAY RESULT IN CIVIL PENALTIES OR OTHER ACTION. FOR U.S. GOVERNMENT AGENCIES, PUBLIC DISCLOSURE GOVERNED BY 5 U.S.C. 552 AND 49 CFR PARTS 15 AND 1520.</p></blockquote>
<blockquote>
<p dir="ltr"><strong>So the decision to publish it on the Internet is probably a questionable one.</strong> On top of that, however, is where the <strong>real idiocy shines</strong>.  They chose to publish a redacted version of the document, hiding all the super-important stuff from the public.  But they apparently don’t understand how redaction works in the electronic document world.  See, rather than actually removing the offending text from the document they just drew a black box on top of it.  Turns out that PDF documents don’t really care about the black box like that and the actual content of the document is still in the file.</p>
</blockquote>
<blockquote>
<p dir="ltr"><strong>Yup, their crack legal staff managed to screw this one up pretty badly.  Want to know which twelve passports will instantly get you shunted over for secondary screening, simply by showing them to the ID-checking agent?  Check out Section 2A-2 (C) (1) (b) (iv).  Want to know the procedure for CIA-escorted passengers to be processed through the checkpoint?  That’s in the document, too.  Details on the calibration process of the metal detectors are in there. </strong><strong>So is the procedure for screening foreign dignitaries.</strong></p>
</blockquote>
<p dir="ltr"><strong>It is pretty pathetic that the folks supposedly responsible for administering this “security” program cannot even be bothered to do the simplest parts of their job correctly.  Then again, passing through the checkpoint every time I fly it is pretty clear that they do a lot of things incorrectly.  Just chalk this one up to more of the same idiocy.  More done badly.</strong></p>
<p dir="ltr">Want to read it for yourself?  Check out &#8211; <a href="http://www.cryptome.org/"><span style="color:#ff0000;">www.cryptome.org</span></a><span style="color:#ff0000;"> </span></p>
<p dir="ltr"><em>Once you’ve downloaded the PDF you’ll see the black boxes.  Simply highlight the text (start above and drag down to below the redaction area) so that you’re selecting all of the stuff in the “redacted” area.  Copy the selection and paste it into the word processing client of your choice.</em></p>
<p><span style="color:#ff0000;"><strong>UPDATE: </strong>The original link to the document </span><a href="http://www.wanderingaramean.com/2009/12/tsa-document-is-gone-or-is-it.html" target="_blank"><span style="color:#ff0000;">appears to be dead now</span></a><span style="color:#ff0000;"> but a mirror of the file can be found at </span><a href="http://www.cryptome.org/"><span style="color:#ff0000;">www.cryptome.org</span></a><span style="color:#ff0000;"> with the un-redaction work already completed.</span></p>
<p>This raises fundamental questions about airport security. By now Al Qaeda, the Taliban, LeT and all the other terrorist groups will be happily reading this manual to find loopholes that they can exploit. This means the complete TSA security manual needs a re-jig, and that should be done immediately.</p>
<p>This concerns India &#8211; as we send some of our best brains and business people to the US. I do travel to the US on business consultation. Today we cannot feel secure with leaky, weak security and entire security manuals floating around on the Internet.</p>
<p>If you ask me &#8211; why should I write about this and educate people? Maybe bad guys will also read my blog. BUT the point is that the damage is already done, and being aware of the risks is not a bad idea now that the cat is out of the bag. I sincerely hope TSA and Homeland Security will get into rapid action mode &amp; fix this before danger strikes. They should hire top security professionals with credentials such as CISA/ CISSP/ CGEIT to provide guidance.</p>
<p>Read the full story here -</p>
<p><a href="http://www.washingtonpost.com/"><img src="http://www.washingtonpost.com/wp-srv/images/homepage/logos/twp_logo_300.gif" border="0" alt="washingtonpost.com" width="300" height="47" /></a></p>
<p>http://www.washingtonpost.com/wp-dyn/content/article/2009/12/08/AR2009120803206_2.html?sid=ST2009120900011</p>
<p>http://www.cryptome.org/ &#8211; FULL DOWNLOAD OF THE SECRET MANUAL</p>
<blockquote>
<div><span style="font-size:x-small;"><strong>TSA accidentally reveals airport security secrets</strong></span><br />
By Spencer S. Hsu and Carrie Johnson, Washington Post Staff Writers<br />
Wednesday, December 9, 2009<br />
The Transportation Security Administration inadvertently revealed closely guarded secrets related to airport passenger screening practices when it posted online this spring a document as part of a contract solicitation, the agency confirmed Tuesday.</p>
<p>The 93-page TSA operating manual details procedures for screening passengers and checked baggage, such as technical settings used by X-ray machines and explosives detectors. It also includes pictures of credentials used by members of Congress, CIA employees and federal air marshals, and it identifies 12 countries whose passport holders are automatically subjected to added scrutiny.</p>
<p>TSA officials said that the manual was posted online in a redacted form on a federal procurement Web site, but that the digital redactions were inadequate. They allowed computer users to recover blacked-out passages by copying and pasting them into a new document or an e-mail.</p>
<p>Current and former security officials called the breach troubling, saying it exposed TSA practices that were implemented after the Sept. 11, 2001, terrorist attacks and expanded after the August 2006 disruption of a plot to down transatlantic airliners using liquid explosives. Checkpoint screening has been a fixture of the TSA&#8217;s operations &#8212; as well as a lightning rod for public criticism of the agency&#8217;s practices.</p>
<p>Stewart A. Baker, a former assistant secretary at the Department of Homeland Security, said that the manual will become a textbook for those seeking to penetrate aviation security and that its leaking was serious.</p>
<p>&#8220;It increases the risk that terrorists will find a way through the defenses,&#8221; Baker said. &#8220;The problem is there are so many different holes that while [the TSA] can fix any one of them by changing procedures and making adjustments in the process . . . they can&#8217;t change everything about the way they operate.&#8221;</p>
<p>Another former DHS official, however, called the loss a public relations blunder but not a major risk, because TSA manuals are shared widely with airlines and airports and are available in the aviation community.</p>
<p>&#8220;While it&#8217;s certainly a type of document you would not want to be released . . . it&#8217;s not something a determined expert couldn&#8217;t find another way,&#8221; the official said.</p>
<p>Criticism from Congress was scathing. <a href="http://www.whorunsgov.com/Profiles/Susan_Collins">Sen. Susan M. Collins</a> (Maine), the ranking Republican on the Senate homeland security committee, called the document&#8217;s release &#8220;shocking and reckless.&#8221;</p>
<p>&#8220;This manual provides a road map to those who would do us harm,&#8221; she said.</p>
<p><a href="http://www.whorunsgov.com/Profiles/Joseph_I._Lieberman">Sen. Joseph I. Lieberman</a> (I-Conn.), the panel&#8217;s chairman, called the breach &#8220;an embarrassing mistake&#8221; that impugns the judgment of managers at the TSA, which is still without a permanent administrator 11 months into the Obama administration. Nominee Erroll Southers, a Los Angeles airports police executive, is awaiting a confirmation vote in the Senate.</p>
<p>House Homeland Security Committee Chairman<a href="http://www.whorunsgov.com/Profiles/Bennie_Thompson"> Bennie G. Thompson</a> (D-Miss.) and Rep.<a href="http://www.whorunsgov.com/Profiles/Sheila_Jackson_Lee"> Sheila Jackson Lee</a> (D-Tex.) also wrote acting TSA Administrator Gale D. Rossides, saying they were &#8220;deeply concerned&#8221; about the disclosures and calling for an independent government investigation.</p>
<p>The document, dated May 28, 2008, is labeled &#8220;sensitive security information,&#8221; and states that no part of it may be disclosed to people &#8220;without a need to know&#8221; under threat of legal penalties.</p>
<p>Seth Miller, 32, an information technology consultant in Manhattan, first publicized the manual&#8217;s ineffectual redactions Sunday on his travel blog, <a href="http://www.wanderingaramean.com/2009/12/tsa-makes-another-stupid-move.html">WanderingAramean.com</a>. He said he learned about the document while chatting with other fliers on an Internet bulletin board. Miller said it made him question TSA secrecy rules, saying the agency has withheld even mundane operational rules from public view rather than clarify its practices.</p>
<p>&#8220;After getting over the initial shock of how stupid it seemed they were for putting out a document like that,&#8221; Miller said in a phone interview, &#8220;I think the most significant risk is that when . . . you see some of the things that are marked as security sensitive information, you have to sort of smack your hand on your forehead and say, &#8216;What are they thinking?&#8217; &#8220;</p>
<p>The TSA learned of the failure that day and has begun an internal review by its Office of Inspection, an official said. It also checked other procurement documents to correct similar vulnerabilities.</p>
<p>The original version of the manual is still available online, preserved by Web sites that monitor government secrecy and computer security.</p>
<p>The agency said the posted manual was outdated and was never implemented. Six more recent versions have been issued since that one, a TSA official said.</p>
<p>&#8220;TSA takes this matter very seriously and took swift action when this was discovered. A full review is now underway,&#8221; the agency said in a statement. &#8220;TSA has many layers of security to keep the traveling public safe and to constantly adapt to evolving threats. TSA is confident that screening procedures currently in place remain strong.&#8221;</p>
<p>The manual includes material both highly sensitive and mundane, from how TSA screening officers should handle diplomatic pouches to when they should dispose of their rubber gloves.</p>
<p>Among the most disturbing disclosures are those concerning the settings used to test and operate metal detectors. For instance, officers are instructed to discontinue use of an X-ray system if it cannot detect 24-gauge wire. The manual also describes when to allow certain firearms past the checkpoint, and when police, fire or emergency personnel may bypass screening.</p>
<p>The document identifies the minimum number of security officers who must be present at checkpoints, how often checked bags are to be hand-searched, and screening procedures for foreign dignitaries and CIA-escorted passengers.</p>
</div>
<p>It also says that passport-holders from Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen and Algeria should face additional screening.</p>
<p><a href="http://jagannathanvaman.files.wordpress.com/2009/12/us-tsa-screening-manual.pdf">US TSA Screening Manual</a></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2009/12/11/sensitive-security-information-of-us-tsa-transportation-security-administration-leaked-in-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>

		<media:content url="http://www.washingtonpost.com/wp-srv/images/homepage/logos/twp_logo_300.gif" medium="image">
			<media:title type="html">washingtonpost.com</media:title>
		</media:content>
	</item>
		<item>
		<title>CATastrophe, CATharsis of CAT &#8211; CATch 22 for IIMs in India</title>
		<link>http://jagannathanvaman.wordpress.com/2009/12/07/catastrohpie-catharsis-of-cat-catch-22-for-iims-in-india/</link>
		<comments>http://jagannathanvaman.wordpress.com/2009/12/07/catastrohpie-catharsis-of-cat-catch-22-for-iims-in-india/#comments</comments>
		<pubDate>Mon, 07 Dec 2009 09:44:23 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=222</guid>
		<description><![CDATA[Mao famously said &#8211; I don&#8217;t care if the CAT is Black or White as long as it CATches Mice. Well said comrade. We don&#8217;t care to know HOW and WHY this happened &#8211; We want the CAT to happen! But wait! Amidst reports that stone age viruses such as Conficker and Nimda disrupted the [...]]]></description>
			<content:encoded><![CDATA[<p>Mao famously said &#8211; <strong>I don&#8217;t care if the CAT is Black or White as long as it CATches Mice</strong>. Well said comrade. We don&#8217;t care to know HOW and WHY this happened &#8211; We want the CAT to happen! But wait!</p>
<p>Amidst reports that stone age viruses such as Conficker and Nimda disrupted the conduct of the online version of the Common Admission Test (CAT), many so-called software security experts said “the complaints are different. Some talk of system crash, some of slowdown. So the snag could have been due to virus attack, lack of scale (capacity) or something to do with the application. Only the person who has developed the application would be able to tell.” HA!</p>
<p><strong>How to bell the CAT?</strong></p>
<p>No one has any clue about what went wrong! IIMs are blaming Prometric &#8211; which bagged a multi-million business. Prometric is speculating about a virus that already existed on the systems at the test labs! And you have NIIT, the middleman &#8211; who made a mess &#8211; that escaped attention.</p>
<p>This is no CATch 22.</p>
<p>Computer based Tests are around for a long time!</p>
<p>You have basically two Technology pieces -</p>
<p>1. Central &#8211; Exam database, OS, Hardware, Network components and Exam Delivery software services</p>
<p>2. Local &#8211; PCs/OS/DB and Network/ Local application for Exam Delivery, Check-in software</p>
<p>This mess happened because -</p>
<p>1. No large-scale stress test &#8211; the user interface should have been tested for 10-15 months before the actual test</p>
<p>2. Local infra &#8211; such as the PCs/ OS/ DB at colleges &#8211; is not state-of-the-art. So testing is usually done against low-end infra, with checks for viruses, worms and other malware</p>
<p>3. Security should be BUILT IN, not a BOLT-ON. The test process for test delivery should follow the DMAIC principles of Six Sigma, and every piece should be audited, tested and OK&#8217;d &#8211; with zero error tolerance&#8230;</p>
<p>4. DRM and BCP are missing. There was no redundant infrastructure &#8211; no failover servers, or even a spare PC if one hangs! If you have failover/ mirrors then one can switch over in case of a disaster</p>
<p>5. No good PMO &#8211; project management office &#8211; or a project plan! I feel all that the IIMs were interested in was to somehow hand off CAT testing to a third party &#8211; to rid themselves of a headache. All that (un)Prometric was interested in was to win the deal, outsource it to NIIT &#8211; and pocket the money!</p>
<p>6. Where are the SLAs/ KPIs and Security KRAs? Why is no one talking about that? Because IT does not exist!</p>
<p>7. Biometric check-ins take time &#8211; did they plan multiple check-in facilities? What if the Rectors arrived late at the test centers? What if local servers crash? Or what if LeT bombs a test center &#8211; did they have physical security? Fire protection?</p>
<p>8. Indian Institutes of Management &#8211; IIMs &#8211; can create a case study of the mess they have created &amp; send it to Harvard for a solution</p>
<p>9. We have many Indian IT services companies delivering such solutions &#8211; Infosys, WIPRO, Cognizant, TCS &#8211; why were they not considered for the contract? Our local boys would have done a much better job.</p>
<p>10. Training was not adequate. You need 10-15 months of training for all staff involved in the test system process. Cui bono &#8211; who cares and who gives a shit about the suffering students &#8211; their sleepless nights, anxiety and stress&#8230;.endless coffee&#8230;</p>
<p>It&#8217;s time IIMs learned some principles of Management in Practice. Not just theory.</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2009/12/07/catastrohpie-catharsis-of-cat-catch-22-for-iims-in-india/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
		<item>
		<title>AGILE SECURITY &#8211; INTELLIGENT ASLM</title>
		<link>http://jagannathanvaman.wordpress.com/2009/11/28/agile-security-intelligent-aslm/</link>
		<comments>http://jagannathanvaman.wordpress.com/2009/11/28/agile-security-intelligent-aslm/#comments</comments>
		<pubDate>Sat, 28 Nov 2009 09:10:46 +0000</pubDate>
		<dc:creator>jagannathanvaman</dc:creator>
				<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://jagannathanvaman.wordpress.com/?p=212</guid>
		<description><![CDATA[Intelligent ASLM™ – The Prerequisite for Enterprise Agile Security Lifecycle Management (ASLM) Agile Security development is a topic that needs focus. The appeal of Agile Security is in its perceived ability to help organizations decrease time to respond, improve the security of delivered software and increase overall productivity in an agile platform. There are plenty [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Intelligent ASLM™ – The Prerequisite for Enterprise Agile Security Lifecycle Management (ASLM)</strong></p>
<p>Agile Security development is a topic that needs focus. The appeal of Agile Security is in its perceived ability to help organizations decrease time to respond, improve the security of delivered software and increase overall productivity in an agile platform.</p>
<p>There are plenty of examples that clearly show the benefits of Agile Security in grass roots and pilot implementations, but does Agile Security provide all those benefits on an enterprise level? If so, how do we scale Agile Security in an enterprise environment? Can it coexist with traditional Security processes? How do we build the business case for enterprise adoption through pilots and then roll out Agile Security to other parts of the organization?</p>
<p><strong>How is Agile Security Different?</strong></p>
<p>Agile Security differs from traditional plan-driven approaches in a number of ways. For example, Agile Security promotes a closely collaborative, cooperative team approach, where members of the team are not segregated into narrow disciplines. Agile Security teams are expected to be continuously adapting, refining and improving; practices as well as the product are evolved iteratively and incrementally. Gartner identifies that “Agile Security requires team players who are flexible and invested in the success of the team”¹.</p>
<p><strong>Agile Security also emphasizes responding to change instead of following a plan</strong>. This is so because Hackers are catching up so fast that before you put a patch or secure your application – the bad guys have done the damage. So there is little time available for elaborate security strategy and framework discussions and execution. Lean software development phrases this as “<strong>defer commitment as late as possible, and then deliver as fast as possible</strong>”. The use of short, fixed duration iterations which end with stable working code is the key to achieving this responsiveness. The whole idea is HOW fast you can respond with even a dirty security solution to a dirty attack vector. Because there is NO Perfect security and perfection in security is the domain of fools.</p>
<p>Finally, Agile Security approaches require the customer (or their representatives, known as process owners) to be an integral part of the development team. The stakeholders and developers are all focused on the common goal of maximizing business value.</p>
<p><strong>Agile Security in the Large</strong></p>
<p>Agile Security approaches arose as a reaction to the heavyweight bureaucracy typically associated with large plan-driven methodologies; they emphasized a reliance on the skill and discipline of the co-located team members rather than detailed formal processes and systems. With a single small, co-located team, simple mechanisms such as sticky notes, index cards and white boards are more than adequate for maintaining and disseminating information. Face-to-face conversations suffice for answering questions and coordinating activities for these small teams.</p>
<p>The scale and complexity of the enterprise environment requires more support than simple tools and informal methods can provide. The Agile Security Manifesto states “We value individuals and interactions over processes and tools”; that is, processes and tools should be enablers that allow the team to be effective, and not ends in themselves. This value statement does not mean that all processes and practices should be eliminated, or that tools are to be avoided.</p>
<p>Given the emphasis that Agile Security places on cross-functional teams working in a highly collaborative manner, enterprise adoption of Agile Security practices requires such organizations to follow an Application Lifecycle Management (ALM) approach to software development. Proper ALM is the coordinated management of all development activities, emphasizing the interrelated nature of development activities and assets (which is why it complements Agile Security so well). Traditional phased approaches encourage the different disciplines such as requirements management, design, coding, testing and build management to be treated as distinct and relatively isolated activities. These discipline silos do not foster the cross-team communication and closed-loop feedback required by Agile Security teams.</p>
<p>Implementing Agile Security practices within large enterprise environments involves more than just scaling the number of people working on the project. Enterprise environments introduce a number of different scalability issues: team size, distributed sites, compliance requirements, domain or product complexity, technological complexity and organizational distribution, to name but a few. Adequately supporting large distributed Agile Security teams working on such complex product lines requires enterprise ASLM solutions. According to Gartner “Application life cycle management (ALM) tools provide critical governance, collaboration, change management and workflow functions to ensure that teams work efficiently and that corporate standards are maintained”.¹</p>
<p><strong>ASLM Competence</strong></p>
<p>As demanded by the Agile Security Manifesto, ASLM solutions (with their tools and processes) must support development teams without getting in the way or limiting the ability of teams to continuously adapt and improve. Suitable ASLM solutions for enterprises that are adopting Agile Security practices must provide competence in all the key disciplines of software development, such as demand management, project management, requirements management, design, coding, testing and release management. Without this complete competence, teams suffer from a lack of transparency, stale or incomplete views of development activity, and the risk of omission or inconsistency due to needless data redundancy and manual integrations across disparate tools.</p>
<p><strong>ASLM Coherence</strong></p>
<p>ASLM for Agile Security enterprises must support inherently connected activities, assets and processes. Such an ASLM solution needs to provide a single coherent framework and common set of interfaces that orchestrates development lifecycle activities in a consistent manner. This is accomplished through automation and enforcement of defined practices, active management of relationships between all development activities and assets, and single source of truth reporting on the development effort as a whole. Consistent change and configuration management processes should apply to all assets across the lifecycle.</p>
<p><strong>ASLM Adaptability</strong></p>
<p>Within enterprise environments, the Agile Security focus on continuous improvement requires a single ASLM solution that is adaptable and flexible enough to support continuous, controlled changes to processes and practices, and different teams using different sets of practices or variations on a given practice. Most enterprise organizations will also require their ASLM solution to support a mix of traditional methodologies and Agile Security practices, since they have existing projects and teams that may eventually transition to Agile Security, but cannot afford to do a ‘big bang’ switchover. Enterprise environments also include a variety of point tools with which the ASLM solution must integrate, such as test automation, build execution, integrated development environments (IDEs) and modeling tools, as well as complementary systems that ASLM must interact with, such as help desks, PLM systems and IT Service Management.</p>
<p><strong>Intelligent ASLM</strong></p>
<p>Dr. Vaman identifies the combination of Competence, Coherence and Adaptability within an ASLM solution as Intelligent ASLM™. With complete ASLM competence, delivered in a coherent single solution that rapidly adapts and scales, Agile Security can thrive in the enterprise environment. Without the ability to easily navigate all the activities and assets, to refine and improve processes and practices on a regular basis, or to easily switch roles (without having to change tools and contexts), the ability to follow the values of Agile Security in a large organization will be severely constrained.</p>
<p><strong>Start Small, but Plan Big</strong></p>
<p>In many enterprises, existing environments are well established and complex. The experience and skill levels of the development organization may vary widely, and a certain amount of turnover within the organization is inevitable. Implementing an Agile Security approach involves a significant shift in the culture of the organization and changes in behavior as well as practices. For these reasons, it is not advisable to take a ‘big bang’ approach. Most enterprises will require a solution that can effectively support traditional processes as well as the new Agile Security processes, in order to ease the transition between the two. Remember – the transition to Agile Security will happen neither in a vacuum, nor in a single moment of time.</p>
<p>Gartner recommends that organizations “Start small when adapting process change, and focus budget efforts on controlling the number of projects, rather than reducing teams and processes.”¹ To this point, start small: take on Agile Security within one or a few suitable projects, with the objective of demonstrating success early. Management expects better software, faster delivery and lower costs. Use the ALM solution to automate the collection and reporting of key metrics, so that the benefits can be quantified to the rest of the organization and to aid the Agile Security team retrospectives (the continuous improvement process).</p>
<p>The initial project teams must lay a suitable foundation for demonstrating this kind of success, and then be ready to take the tested processes to other teams once the Agile Security initiative has been approved for expansion. Having verifiable metrics and reporting to justify the expansion is critical – well managed enterprises will not adopt Agile Security on blind faith. Effective ASLM solutions must facilitate the transition between traditional and Agile Security processes (with the ability to effectively support both) and must aid in the delivery of verifiable and relevant software delivery metrics.</p>
<p><strong>ASLM – The Single Source of Truth</strong></p>
<p>A successful enterprise transition to Agile Security requires an ASLM solution that will act as a single source of truth for all of development, regardless of project or process. Timely feedback is a key aspect of implementing Agile Security, particularly within enterprise organizations. A key tenet of Agile Security is the shortening of feedback loops – this allows Agile Security to reduce risk by delivering value earlier (in the form of iterative working software builds/patches/whatever). Transparency across the entire project and short feedback loops in the form of continuous integration build and test practices help Agile Security organizations to improve the quality of the software produced. The ASLM system will be relied on to deliver the reports and metrics that provide that feedback, and to demonstrate the success of the Agile Security approach.</p>
<p>Real-time status should be automatically collected by the ASLM system as a result of the development activities the teams perform; no manual extraction and collation of data in a third-party reporting system should be done (such activities do not directly contribute to “working software”, which is the focus of Agile Security). With an ASLM solution providing a single source of truth, ongoing monitoring of progress is based on current data and reports can be generated at any time with the click of a button. Such monitoring and reporting keeps teams up to date on the status of their sprints and gives management the visibility needed to assess the health of the entire Agile Security initiative. Once success has been demonstrated, an ASLM solution can aid in the process of transferring the tested processes to other teams in a consistent fashion.</p>
<p>To deliver meaningful and accurate metrics, all development activities and assets need to be seamlessly interconnected. In fact, in high-functioning Agile Security environments, any individual may need to work with any type of asset (user story, code, test case, etc.) as team members have the tendency to take on different roles (such as a developer taking on the role of tester). The most efficient way for the developer to work is from a single application that enables access to all of these activities and assets. This is where ASLM “suites” – collections of integrated point tools – fall short. Integrations limit visibility and access to data. Only a coherent Intelligent ASLM solution that houses all activities and assets (including requirements, code, components, test cases, etc.) can deliver the transparency to address the needs of Agile Security teams where roles are sometimes interchanged and data must be complete and available in real time.</p>
<p><strong>Adaptive Automation with Intelligent ASLM</strong></p>
<p>The practices of Agile Security are meant to reduce redundancy. An ASLM solution that can automate non-core activities (such as the collation of data for reporting, the computation of metrics, and the production of audit trails to address regulatory requirements) helps to reduce redundant effort and eliminates time-consuming manual processes. To truly support enterprise Agile Security, this automation needs to be implemented in a way that it is adaptable to process change. Agile Security is about adapting to change, and thus, processes will change. An ASLM solution needs to be easily adaptable to changes in process, and should be able to embrace change, rather than limiting the scope of change.</p>
<p>Integrated ASLM suites fall short in delivering automation to Agile Security enterprises, because integration eliminates adaptability. Making a process change across a range of integrated, disparate tools can mean days or weeks of programmatic changes. Teams spend their time trying to customize tools to extend their functionality (instead of delivering software). With an adaptable Intelligent ASLM solution, processes and assets can be easily configured and re-configured as necessary.</p>
<p><strong>Competence, Collaboration and Collective Memory</strong></p>
<p>Agile Security demands a high degree of collaboration amongst team members and across the lifecycle. This collaboration becomes more complicated when teams are distributed – studies show that even the dispersion of team members across different floors of the same building can have a negative impact on Agile Security project success. When the team is distributed across locations, time-zones and even different companies, sustaining collaboration becomes a major challenge.</p>
<p>Integrated ASLM suites hinder collaboration as each role is siloed in its tool usage and will have difficulty communicating across functional boundaries. For instance, a point tool that only manages changes to source code cannot deliver real transparency and collaborative capabilities to the business (because the development team still remains siloed from the Testing organization and from the Product Owners developing the requirements that map to User Stories).</p>
<p>Intelligent ASLM solutions make it possible for even distributed teams to embrace collaboration because all stakeholders (regardless of location or role) are interacting with the same activities and assets in the same solution. All team members benefit from transparency into a project’s current status and information sharing that flows easily from state to state, member to member, sprint to sprint, and so forth. With a coherent solution, Agile Security teams can more consistently and effectively manage activities and assets in relationship to one another throughout the application lifecycle. A single ASLM solution for all of development also streamlines transition of staff between projects or to new teams (as knowledge of the tool and processes does not change).</p>
<p>An Intelligent ASLM solution effectively becomes a collective team memory for the entire development organization. Not only can individual teams and projects achieve continuous improvement, but they can share their learning and best practices with other teams throughout the enterprise. Agile Security teams without such a solution will leave the business at risk when a member leaves.</p>
<p><strong>In Conclusion – Scale Agile Security Successfully</strong></p>
<p>As with any process change, cultural challenges can affect the success of enterprise Agile Security initiatives. Starting small and demonstrating initial success with supporting metrics will help to overcome those challenges quickly. When buy-in has been achieved, the business needs to be ready to build on and leverage that initial success.</p>
<p>Having an Intelligent ASLM solution in place from the start enables the organization to incrementally roll out proven processes, building on a foundation of best practices. Competence across the complete range of disciplines in development ensures that all of the needed assets and activities can be managed and controlled while eliminating redundant manual effort by the teams. Coherence in conjunction with that complete competence enables collaboration that can match the demands of enterprise Agile Security. Adaptability enables the organization to roll out Agile Security in an iterative fashion, maintaining plan-driven development processes where desired and keeping the critical traceability and audit trails in place to maintain or achieve compliance.</p>
<p>By planning for success from the start and laying the foundation for expansion with Intelligent ASLM solutions, you can ensure the scalability of your enterprise Agile Security initiative.</p>
<p>¹ Gartner Research, “Don’t Let Short-Term Agile ALM Create Long-Term Pain”, Thomas E. Murphy, Jim Duggan, David Norton, 7 April 2009</p>
]]></content:encoded>
			<wfw:commentRss>http://jagannathanvaman.wordpress.com/2009/11/28/agile-security-intelligent-aslm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2bd22aec514be273f3449057a4df1ef3?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Vaman</media:title>
		</media:content>
	</item>
	</channel>
</rss>
