Holiday Shopping Safety! Debit or Credit? PIN or Pen? Check or Cash? November 18, 2020
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, credit or debit, durban amendment, mark consulting group, PCI DSS, PIN
1 comment so far
With the holidays around the corner, it is a hot time for criminals to steal from us all! CyberCriminals are specifically after your money and cards. There is ongoing confusion about whether cards are better than checks are better than cash. While we all have our own opinions, I think the argument is pretty clear that payment cards are the most secure options for consumers. Read below!
For some background, I am a payment card security professional. I have worked at both MasterCard and with Visa, as well as the other card brands. I now work at a major telco overseeing the payment security program. 2020 marks the 15th consecutive year someone has stolen my card at least once (17 times in 15 years) BUT…I wasn’t worried…read below to find out why! (more…)
Covid19: “The War God’s Face Has Become Indistinct” – China’s Unlimited Warfare Strategy April 14, 2020
Posted by Chris Mark in cybersecurity, Risk & Risk Management, terrorism.Tags: china, Chris Mark, coronavirus, covid19, cyber espionage, Foxnews, PLA, Unrestricted Warfare, War, Warfare, Wuhan
add a comment
UPDATE- Today (April 15, 2020) Fox News published an article supporting what has been proposed in this post. Titled“Sources believe coronavirus originated in Wuhan lab as part of China’s efforts to compete with US the article lays out compelling evidence that China was attempting demonstrate that China’s “…efforts to identify and combat viruses are equal too or greater than capabilities of the United States.” The article states that evidence comes from classified, and open source sources and documents. It further states that:
“…(China) blaming the wet market was an effort by China to deflect blame from the laboratory, along with China’s propaganda efforts targetting the US and Italy.”
For those who have not read Unrestricted Warfare referenced in this post, I would strongly suggest you consider reading. The Fox News article is directly in line with China’s 1999 strategy of unlimited warfare against the US and European countries.
In 2013, I wrote an article for The Counter Terrorist Magazine that identified the Chinese strategy of CyberWarfare. You can read the article here.
This followed a seperate article I wrote for the same magazine called “CyberEspionage” that identified China’s efforts to infiltrate the US. Both identify the Chinese focus on unlimited warfare discussed below.
Today, while reading the news, I came across an article that stated that stated that the US State Department cables (read CIA and Intelligence) has stated that the Covid19 Virus may have originated the Wuhan Viral Lab (WVL) who were testing the Coronavirus in bats. According to the Washington Post:“
“As many have pointed out, there is no evidence that the virus now plaguing the world was engineered; scientists largely agree it came from animals. But that is not the same as saying it didn’t come from the lab, which spent years testing bat coronaviruses in animals, said Xiao Qiang, a research scientist at the School of Information at the University of California at Berkeley.”
No “Evidence” is distinctly different than “They did not do it”. Keep in mind that in February, 2020, the US Government charged 4 Chinese Military members with the 2017 Equifax breach.
The question should be: “why would the Chinese launch viruses (if they did) and why would they hack US companies?” The answer is actually pretty straightforward. If you read the article from 2012, you will get much more information than in this blog post.
In 1990 the US engaged the Iraqi military in the Gulf War. The Russians (then Soviets) 
and Chinese watched closely as the US went literally “toe to toe” with the World’s 5th largest standing Army (Iraqi). 96 hours later, the Iraqi Army was soundly defeated. In particular was the Battle of Medina Ridge (also called the Battle of 73 Easting) fought on Feb 27, 1991. It was an absolute route. This convinced the Chinese that a “linear/kinetic war” with the US was unwinnable.
For this reason they embarked upon a new policy called “Unlimited/Unrestricted warfare”.
This is documented in the book called Unrestricted Warfare. In first reading the document, I was shocked at what it contained. In 1999, two Chinese Peoples’ Liberation Army (PLA) Colonels were tasked to write a document titled: Unrestricted Warfare that outlines China’s approach to war with the West. In short, the document articulates a new definition of warfare that includes using all economic, political, and PR means to fight ‘sub wars’ and ‘pseudo wars’.
While we sit in the US laboring under our definition of warfare, our adversaries are redefining the battlespace. Here are some quotes from the document:
“If we acknowledge that the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests.”[i]
“As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”[i]
In short, the Chinese manipulating currency, or the press or even paying a Harvard Professor to be an agent can arguably be considered a ‘pseudo war’ consistent with their strategy of unlimited warfare. As more information becomes available, I would not be surprised to see that this is much more than an “accident” in a lab in Wuhan. Look at the financial toll it has taken on the World and positions the Chinese to be much larger players.
[i] House of Representatives. (Kindle Locations 325-327). Kindle Edition.
[i] Wiangsui Qiao Liang and Wang. Unrestricted warfare. Beijing: PLA Literature and Arts Publishing House; 1999.
Dupont’s Titanium Oxide Color Recipe- Stolen for Chinese Advantage July 22, 2015
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, corporate espionage, cyberespionage, cybersecurity, Dupont, InfoSec, mark consulting group, San Francisco Chronicle, security
add a comment
Oddly (to me anyhow) this is the 2nd most popular post on my blog! It was written over 3 years ago but since it gets so much traffic I thought I should re-post. Here it is in 2015!
Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft. In a clear example of how any propriety secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government. Mr. Chao testified that he provided confidential information to Chines controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide. What is TD used in? Titanium Dioxide is the ingredient in many white products that makes the products white. Products such as paint, toothpaste, and Oreo cookie filling! Stealing the ingredients to Oreos shows just how low cyberthieves will go! According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method”
I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest. Make no mistake. If your company has a unique process, technology, or product, it IS of interest to many companies. Unfortunately, the US Government has released reports that state that China is sponsoring much of the US and European cyber espionage.
photo from: http://www.titaniumexposed.com
Asymmetric Warfare 101 July 21, 2015
Posted by Chris Mark in Risk & Risk Management, weapons and tactics.Tags: asymmetric threats, asymmetric warfare, Chris Mark, guerrilla warfare, mark consulting group, risk management, security
1 comment so far
With the current state of affairs I thought it appropriate to ‘republish’ this blog post from 2012. You can also read the article from Secure Payments Magazine on the same topic applied to InfoSec.
Asymmetric Warfare can be described as the strategy of using weapons, tactics, and methods to render the asymmetry that exists between two adversaries as moot. Consider the US Military for a moment. Since the end of World War II, which is arguably the start of US hegemony, the United States has fielded what many believe is the most powerful conventional military in the history of the world (or at least modern world). In spite, of this fact the US, and her allies) have struggled in conflicts in Vietnam, Somalia, and most recently in Iraq, and Afghanistan. In each of these theaters it was groups of lesser-trained, relatively ill-equipped insurgents that created significant challenges to the US military. By applying guerilla tactics, and employing IEDs and other technologies, the adversaries were able to balance the perceived asymmetry between the might of the US and their own capabilities.
The US is not alone in this dubious distinction of struggling with conventionally weaker adversaries. The Soviet Union was defeated in Afghanistan in the 1980s, and a much weaker France, led by Napoleon, defeated the powerful Prussian Military. France, in turn, lost French Indochina with the coup-de-grace coming in the surrender at Dien Bein Phu in 1954. If each of these countries were militarily superior to their foes, how did they end up losing their respective wars? These examples outline the effectiveness of asymmetric warfare.
While there exist a number of different definitions of Asymmetric Warfare, in a basic sense it applies to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent. As an example, few military forces on the planet would face the US military and her allies in open combat either on land or the sea. Doing so would be certain suicide. A look at the Persian Gulf War in 1991 shows the result of taking on the military might of the Western World in open combat. The Battle of Medina Ridge is a prime example. In this battle between the US 2nd Brigade, 1st Armored Division against the Iraqi, 2nd Brigade of 2nd Medina Luminous Division the US recorded 1 killed, and 30 wounded while recording 4 tanks as being damaged. The Iraqis, meanwhile, reported “heavy manpower losses” while reporting 186 tanks destroyed and 127 Armored Fighting Vehicles destroyed.
If a militarily inferior opponent cannot face the US, or Western powers in open combat, how do they fight? It is fair to day the days of Mahanian sea battles are behind us. Quite simply, they employ strategies that render the superior military might irrelevant or at least less relevant. Guerilla warfare is an example of an asymmetric strategy against a militarily superior foe. As stated in the military classic “On Guerrilla Warfare” by Mao Tse-Tung:
“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes. Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently….in forty minutes the countdown begins.
At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a browning automatic rifle. ..Draped around his neck, a sausage-like cloth tube with three day’s supply of rice…In forty minutes his group of fifteen men will occupy a previously prepared ambush.”
This is warfare today. Unfortunately, the US, and her allies have learned that technology alone cannot win a war against a determined, creative enemy.
As discussed earlier the concept of Asymmetric Warfare is a field of some debate. When applying the concept to the business, and specifically the Information Security arena, it is more appropriate to apply the concept of Asymmetric Threats posited by C.A. Primmerman. Without going through too much of the math, and modifying Primmerman’s original theory, we can state that a threat can be expressed using the following two statements:
- Adversary A could & would attack Adversary B by doing X
- Adversary B could & would respond to Adversary A by doing X.
Now we have the simple conclusion that statement (1) represents an asymmetric action if statement (2) is false, and it represents a symmetric action if statement (2) is true.
As an example of this concept working in practice, consider the following:
1a. Adversary A would attack Adversary B by using terror tactics against the civilian population.
2a. Adversary B would respond to Adversary A by terror tactics against the civilian population.
If statement 2a is false then the threat in 1a is asymmetric.
According to Pimmerman, an Asymmetric Threat must meet three criteria. These have been modified for our purposes and include:
- It must involve a weapon, tactic or strategy that the adversary both could and would use against another adversary.
- It must involve a weapon, tactic, or strategy that the would not or could not be be employed by one adversary.
- It must involve a weapon, tactic, or strategy that, if not countered, could have serious consequences. If a threat meets these three criteria, it would be considered asymmetric.
As any student of military strategy can attest, being in a purely defensive mode is a losing proposition. Unfortunately, in many instances asymmetric threats place one adversary in an almost purely defensive position. One of my favorite quotes that appears appropriately relevant now is by Julius Ceasar:
“There is no fate worse than being continuously under guard, for it means you are always afraid.”
While not intended to be a comprehensive discussion of Asymmetric Threats the basic concepts are relevant in today’s world.
“Gauss What!?” – Another CyberWeapon Discovered August 14, 2012
Posted by Chris Mark in cyberespionage, Risk & Risk Management, terrorism.Tags: cyber espionage, cybersecurity, data breach, Flame, Gauss, information security, Kaspersky, mark consulting group, Stuxnet
add a comment
According to Kaspersky labs, yet another cyberweapon was discovered last week. On August 9, 2012 Kaspersky labs released a press release stating that they had identified another cyber-weapon dubbed Gauss. According to the press release:
“…‘Gauss’, a new cyber-threat targeting users in the Middle East. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.” (more…)
Global Security, Privacy, & Risk Management 