jump to navigation

Chris Mark speaking at Secura Risk Management Fall Forum (Oct 28-29) October 24, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , ,
add a comment

SecuraIf you are a bank, credit union, or work for one and want to listen to me (Chris) speak and are looking for a reason to go to beautiful Charleston, South Carolina..check out the Secura Fall Risk Management Forum!  Yours Truly will be speaking on CyberCrime and the DarkNet as well as EMV “Chip & PIN” (a misnomer but…I will not discuss here).  Should be a great event and will be in one of my favorite US cities…Charleston, South Carolina!..I have not had an opportunity to speak at a Secura event yet but they appear to be very well put together and the agenda looks very compelling.  Also, if you didn’t have a chance to attend the AT&T Cyber Security Conference in NYC, you can watch a replay of the event here!  You can see me on the ‘big stage’ talking with Jamie Wallace on Mobile Security.  It was a great event with top shelf speakers…(notice that I am rocking my Recon Jack to represent the USMC Recon Community!)

Hacking, Facebook Fakers, and Felonies…What you don’t know can hurt you August 20, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , ,
2 comments

CyberFelonConsider this situation.   You want to see what your ex husband/wife is up to in 2015 and try to access his/her Facebook account only to realize that you have been ‘blocked’! Oh the Humanity!  in response you decide to set up a ‘fake’ account and go to his/her public page to download some content.  No harm no foul, right?  Not so fast brainiac from Smartron 5!  Let’s take a closer look at this situation. You could be committing a crime…and a felony no less!

Many states, including Utah, have statutes (laws) against. ‘Hacking’ which is generally acknowledged as ‘unauthorized’ access to computer systems (this is a blog post so some more detailed info is not included).  Since I live in Utah, I will use the Utah law Utah Computer Crimes Act (76-6-702) as an example.  First…let’s lay some ground work. (more…)

超限战 – “Warfare without Bounds”; China’s Hacking of the US June 11, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , ,
add a comment

Unconditional_warfare

“Pleased to meet you…hope you guessed my name…But what’s puzzling you is the nature of my game.”
– The Rolling Stones; Sympathy for the Devil

With the recent US Government’s acknowledgement of China’s hacking of numerous government websites and networks, many are likely wondering why China would have an interest in stealing employee data?  To answer this question, we need to look back at the 1991 Gulf War. You can read my 2013 Article (WorldCyberwar) in the Counter Terrorist Magazine on this subject.

In 1991, a coalition led by the United States invaded Iraq in defense of Kuwait.  At the time Iraq had the 5th largest standing army in the world.  The US led coalition defeated the Iraqi army in resounding fashion in only 96 hours.  For those in the United States the victory was impressive but the average American civilian did not have an appreciation for how this victory was accomplished.

The Gulf War was the first real use of what is known as C4I.  In short, C4I is an acronym for Command, Control, Communications, Computers, and Intelligence. The Gulf War was the first use of a new technology known as Global Positioning Systems (GPS).  The Battle of Medina Ridge was a decisive tank battle in Iraq fought on February 26, 1991 and the first to use GPS.  In this 40 minute battle, the US 1st Armored Division fought the 2nd Brigade of the Iraqi Republican Guard and won decisively. While the US lost 4 tanks and had 2 people killed, the Iraqis suffered a loss of 186 tanks, 127 Infantry Fighting Vehicles and 839 soldiers captured.  The Chinese watched the Gulf War closely and came away with an understanding that a conventional ‘linear’ war against the United States was unwinnable.

After the Gulf War the Chinese People’s Liberation Army tasked two PLA colonels (Qiao Liang and Wang Xiangsui) with redefining the concept of warfare.  From this effort came a new model of Warfare that is published in the book “Unrestricted Warfare” or “Warfare without Bounds”.  Unrestricted Warfare is just what it sound like.  The idea that ‘pseudo-wars’ can be fought against an enemy.  Information warfare, PR efforts and other tactics are used to undermine and enemy without engaging in kinetic, linear battle.  Below is a quote from the book:

“If we acknowledge that the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests.”

“As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”

It further stated: “… a single rumor or scandal that results in fluctuation in the enemy country’s exchange rates…can be included in the ranks of new concept weapons.”

On April 15, 2011, the US Congressional Subcommittee on Oversight and Investigations conducted a hearing on Chinese cyber-espionage. The hearing revealed the US government’s awareness of Chinese cyberattacks. In describing the situation in his opening remarks, subcommittee chairperman Dana Rohrbacher* astutely stated:

“[The]United States is under attack.”

“The Communist Chinese Government has defined us as the enemy. It is buying, building and stealing whatever it takes to contain and destroy us. Again, the Chinese Government has defined us as the enemy.”

Given the Chinese perspective on Unlimited Warfare, it becomes much more clear that what we are seeing with the compromises are examples of ‘pseudo wars’ being fought by the Chinese.  It will be interesting to see how or if the US responds.

*thank you to the reader who corrected my referencing Mr. Rohrbacher as a female.  My apologies to Chairman Rohrbacher!

”Active Responses” to CyberAttacks are Losing Propositions May 22, 2014

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
1 comment so far

“Everyone has a plan until the’ve been hit” – Joe Lewis

PiratePicGRIHaving spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers.  This is frequently referred to as ‘hacking back’ or ‘offensive hacking’.  Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’.   On May 28th, 2013 there was an online discussion in which an author of the upcoming book:  The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added) (more…)

“Failed State of Security” Part II; Cybercrime Victim Blaming May 18, 2014

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , , , , , ,
add a comment

PartIIfailedStaetI am proud to release another research brief that is Part II of my “Failed State of Security” series in which I discuss and analyze victim blaming in the context of data security.  In 2012 I published a research brief titled “A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime.” in which I discussed the failing of law enforcement, and cybersecurity to deter cyber events and discussed the theory of deterrence and the need for deterrence within cybersecurity.  You can download the article on IDGA’s website or on my own website here.  This paper is part II of the “Failed State of Security” series.  Started after the Target data breach, this topic is one that has always been close to me.  In April 2009 I wrote an article titled “Lessons from the Heartland Breach” which was published as the cover story by TransactionWorld magazine.

Victim blaming is common in sexual assault, as well as other types of crimes.  A quick Internet search will demonstrate scores of instances in which the victim of a violent is blamed for being victimized.   When we include a large, corporate entity it becomes easier to point the accusatory finger at the organization.  Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers.  Did the company “cause” the breach?  Were they somehow complicit in the attack?  What do we mean when we say “cause”?  What is a causal fallacy?  These, and many more topics, are discussed in Part II of the “Failed State of Security” series.  I invite you to download “Failed State of Security Part II”; Victim Blaming in Cybercrime.  As always, I welcome any comments or debate on the topic…

%d bloggers like this: