'We have no experience in stopping a nuclear war.' - Sidney Drell
'..My greatest concern is the lack of public awareness about this existential threat, the absence of a vigorous public debate about the nuclear-war plans of Russia and the United States, the silent consent to the roughly fifteen thousand nuclear weapons in the world. These machines have been carefully and ingeniously designed to kill us. Complacency increases the odds that, some day, they will. The “Titanic Effect” is a term used by software designers to explain how things can quietly go wrong in a complex technological system: the safer you assume the system to be, the more dangerous it is becoming.'

'The harsh rhetoric on both sides increases the danger of miscalculations and mistakes, as do other factors. Close encounters between the military aircraft of the United States and Russia have become routine, creating the potential for an unintended conflict. Many of the nuclear-weapon systems on both sides are aging and obsolete. The personnel who operate those systems often suffer from poor morale and poor training. None of their senior officers has firsthand experience making decisions during an actual nuclear crisis. And today’s command-and-control systems must contend with threats that barely existed during the Cold War: malware, spyware, worms, bugs, viruses, corrupted firmware, logic bombs, Trojan horses, and all the other modern tools of cyber warfare. The greatest danger is posed not by any technological innovation but by a dilemma that has haunted nuclear strategy since the first detonation of an atomic bomb: How do you prevent a nuclear attack while preserving the ability to launch one?

..

..the Cuban Missile Crisis, when a series of misperceptions, miscalculations, and command-and-control problems almost started an accidental nuclear war—despite the determination of both John F. Kennedy and Nikita Khrushchev to avoid one. In perhaps the most dangerous incident, the captain of a Soviet submarine mistakenly believed that his vessel was under attack by U.S. warships and ordered the firing of a torpedo armed with a nuclear warhead. His order was blocked by a fellow officer. Had the torpedo been fired, the United States would have retaliated with nuclear weapons. At the height of the crisis, while leaving the White House on a beautiful fall evening, McNamara had a strong feeling of dread—and for good reason: “I feared I might never live to see another Saturday night.”

..

The personnel who command, operate, and maintain the Minuteman III have also become grounds for concern. In 2013, the two-star general in charge of the entire Minuteman force was removed from duty after going on a drunken bender during a visit to Russia, behaving inappropriately with young Russian women, asking repeatedly if he could sing with a Beatles cover band at a Mexican restaurant in Moscow, and insulting his military hosts. The following year, almost a hundred Minuteman launch officers were disciplined for cheating on their proficiency exams. In 2015, three launch officers at Malmstrom Air Force Base, in Montana, were dismissed for using illegal drugs, including ecstasy, cocaine, and amphetamines. That same year, a launch officer at Minot Air Force Base, in North Dakota, was sentenced to twenty-five years in prison for heading a violent street gang, distributing drugs, sexually assaulting a girl under the age of sixteen, and using psilocybin, a powerful hallucinogen. As the job title implies, launch officers are entrusted with the keys for launching intercontinental ballistic missiles.

..

..A recent memoir, “Uncommon Cause,” written by General George Lee Butler, reveals that the Pentagon was not telling the truth. Butler was the head of the U.S. Strategic Command, responsible for all of America’s nuclear weapons, during the Administration of President George H. W. Bush.

According to Butler and Franklin Miller, a former director of strategic-forces policy at the Pentagon, launch-on-warning was an essential part of the Single Integrated Operational Plan (siop), the nation’s nuclear-war plan. Land-based missiles like the Minuteman III were aimed at some of the most important targets in the Soviet Union, including its anti-aircraft sites. If the Minuteman missiles were destroyed before liftoff, the siop would go awry, and American bombers might be shot down before reaching their targets. In order to prevail in a nuclear war, the siop had become dependent on getting Minuteman missiles off the ground immediately. Butler’s immersion in the details of the nuclear command-and-control system left him dismayed. “With the possible exception of the Soviet nuclear war plan, [the siop] was the single most absurd and irresponsible document I had ever reviewed in my life,” Butler concluded. “We escaped the Cold War without a nuclear holocaust by some combination of skill, luck, and divine intervention, and I suspect the latter in greatest proportion.” The siop called for the destruction of twelve thousand targets within the Soviet Union. Moscow would be struck by four hundred nuclear weapons; Kiev, the capital of the Ukraine, by about forty.

After the end of the Cold War, a Russian surprise attack became extremely unlikely. Nevertheless, hundreds of Minuteman III missiles remained on alert. The Cold War strategy endured because, in theory, it deterred a Russian attack on the missiles. McNamara called the policy “insane,” arguing that “there’s no military requirement for it.” George W. Bush, while running for President in 2000, criticized launch-on-warning, citing the “unacceptable risks of accidental or unauthorized launch.” Barack Obama, while running for President in 2008, promised to take Minuteman missiles off alert, warning that policies like launch-on-warning “increase the risk of catastrophic accidents or miscalculation.” Twenty scientists who have won the Nobel Prize, as well as the Union of Concerned Scientists, have expressed strong opposition to retaining a launch-on-warning capability. It has also been opposed by former Secretary of State Henry Kissinger, former Secretary of State George Shultz, and former Senator Sam Nunn. And yet the Minuteman III missiles still sit in their silos today, armed with warheads, ready to go.

William J. Perry, who served as Secretary of Defense during the Clinton Administration, not only opposes keeping Minuteman III missiles on alert but advocates getting rid of them entirely. “These missiles are some of the most dangerous weapons in the world,” Perry wrote in the Times, this September. For many reasons, he thinks the risk of a nuclear catastrophe is greater today than it was during the Cold War. While serving as an Under-Secretary of Defense in 1980, Perry also received a late-night call about an impending Soviet attack, a false alarm that still haunts him. “A catastrophic nuclear war could have started by accident.”

Bruce Blair, a former Minuteman launch officer, heads the anti-nuclear group Global Zero, teaches at Princeton University, and campaigns against a launch-on-warning policy. Blair has described the stresses that the warning of a Russian attack would put on America’s command-and-control system. American early-warning satellites would detect Russian missiles within three minutes of their launch. Officers at norad would confer for an additional three minutes, checking sensors to decide if an attack was actually occurring. The Integrated Tactical Warning/Attack System collects data from at least two independent information sources, relying on different physical principles, such as ground-based radar and satellite-based infrared sensors. If the norad officials thought that the warning was legitimate, the President of the United States would be contacted. He or she would remove the Black Book from a briefcase carried by a military aide. The Black Book describes nuclear retaliatory options, presented in cartoon-like illustrations that can be quickly understood.

..

Although the Air Force publicly dismissed the threat of a cyberattack on the nuclear command-and-control system, the incident raised alarm within the Pentagon about the system’s vulnerability. A malfunction that occurred by accident might also be caused deliberately. Those concerns were reinforced by a Defense Science Board report in January, 2013. It found that the Pentagon’s computer networks had been “built on inherently insecure architectures that are composed of, and increasingly using, foreign parts.” Red teams employed by the board were able to disrupt Pentagon systems with “relative ease,” using tools available on the Internet. “The complexity of modern software and hardware makes it difficult, if not impossible, to develop components without flaws or to detect malicious insertions,” the report concluded.

In a recent paper for the Royal United Services Institute for Defence and Security Studies, Andrew Futter, an associate professor at the University of Leicester, suggested that a nuclear command-and-control system might be hacked to gather intelligence about the system, to shut down the system, to spoof it, mislead it, or cause it to take some sort of action—like launching a missile. And, he wrote, there are a variety of ways it might be done.

..

Strict precautions have been taken to thwart a cyberattack on the U.S. nuclear command-and-control system. Every line of nuclear code has been scrutinized for errors and bugs. The system is “air-gapped,” meaning that its networks are closed: someone can’t just go onto the Internet and tap into a computer at a Minuteman III control center. At least, that’s the theory. Russia, China, and North Korea have sophisticated cyber-warfare programs and techniques. General James Cartwright—the former head of the U.S. Strategic Command who recently pleaded guilty to leaking information about Stuxnet—thinks that it’s reasonable to believe the system has already been penetrated. “You’ve either been hacked, and you’re not admitting it, or you’re being hacked and don’t know it,” Cartwright said last year.

If communications between Minuteman control centers and their missiles are interrupted, the missiles can still be launched by ultra-high-frequency radio signals transmitted by special military aircraft. The ability to launch missiles by radio serves as a backup to the control centers—and also creates an entry point into the network that could be exploited in a cyberattack. The messages sent within the nuclear command-and-control system are highly encrypted. Launch codes are split in two, and no single person is allowed to know both parts. But the complete code is stored in computers—where it could be obtained or corrupted by an insider.

Some of America’s most secret secrets were recently hacked and stolen by a couple of private contractors working inside the N.S.A., Edward Snowden and Harold T. Martin III, both employees of Booz Allen Hamilton. The N.S.A. is responsible for generating and encrypting the nuclear launch codes. And the security of the nuclear command-and-control system is being assured not only by government officials but also by the employees of private firms, including software engineers who work for Boeing, Amazon, and Microsoft.

Lord Des Browne, a former U.K. Minister of Defense, is concerned that even ballistic-missile submarines may be compromised by malware. Browne is now the vice-chairman of the Nuclear Threat Initiative, a nonprofit seeking to reduce the danger posed by weapons of mass destruction, where he heads a task force examining the risk of cyberattacks on nuclear command-and-control systems. Browne thinks that the cyber threat is being cavalierly dismissed by many in power. The Royal Navy’s decision to save money by using Windows for Submarines, a version of Windows XP, as the operating system for its ballistic-missile subs seems especially shortsighted. Windows XP was discontinued six years ago, and Microsoft warned that any computer running it after April, 2014, “should not be considered protected as there will be no security updates.” Each of the U.K. subs has eight missiles carrying a total of forty nuclear weapons. “It is shocking to think that my home computer is probably running a newer version of Windows than the U.K.’s military submarines,” Browne said.

In 2013, General C. Robert Kehler, the head of the U.S. Strategic Command, testified before the Senate Armed Services Committee about the risk of cyberattacks on the nuclear command-and-control system. He expressed confidence that the U.S. system was secure. When Senator Bill Nelson asked if somebody could hack into the Russian or Chinese systems and launch a ballistic missile carrying a nuclear warhead, Kehler replied, “Senator, I don’t know . . . I do not know.”

After the debacle of the Cuban Missile Crisis, the Soviet Union became much more reluctant to provoke a nuclear confrontation with the United States. Its politburo was a committee of conservative old men. Russia’s leadership is quite different today. The current mix of nationalism, xenophobia, and vehement anti-Americanism in Moscow is a far cry from the more staid and secular ideology guiding the Soviet Union in the nineteen-eighties. During the past few years, threats about the use of nuclear weapons have become commonplace in Moscow. Dmitry Kiselyov, a popular newscaster and the Kremlin’s leading propagandist, reminded viewers in 2014 that Russia is “the only country in the world capable of turning the U.S.A. into radioactive dust.” The Kremlin has acknowledged the development of a nuclear torpedo that can travel more than six thousand miles underwater before devastating a coastal city. It has also boasted about a fearsome new missile design. Nicknamed “Satan 2” and deployed with up to sixteen nuclear warheads, the missile will be “capable of wiping out parts of the earth the size of Texas or France,” an official news agency claimed.

..

Russia’s greatest strategic vulnerability is the lack of a sophisticated and effective early-warning system. The Soviet Union had almost a dozen satellites in orbit that could detect a large-scale American attack. The system began to deteriorate in 1996, when an early-warning satellite had to be retired. Others soon fell out of orbit, and Russia’s last functional early-warning satellite went out of service two years ago. Until a new network of satellites can be placed in orbit, the country must depend on ground-based radar units. Unlike the United States, Russia no longer has two separate means of validating an attack warning. At best, the radar units can spot warheads only minutes before they land. Pavel Podvig, a senior fellow at the U.N. Institute for Disarmament Research, believes that Russia does not have a launch-on-warning policy—because its early-warning system is so limited.

For the past nine years, I’ve been immersed in the minutiae of nuclear command and control, trying to understand the actual level of risk. Of all the people whom I’ve met in the nuclear realm, Sidney Drell was one of the most brilliant and impressive. Drell died this week, at the age of ninety. A theoretical physicist with expertise in quantum field theory and quantum chromodynamics, he was for many years the deputy director of the Stanford Linear Accelerator and received the National Medal of Science from Obama, in 2013. Drell was one of the founding members of jason—a group of civilian scientists that advises the government on important technological matters—and for fifty-six years possessed a Q clearance, granting him access to the highest level of classified information. Drell participated in top-secret discussions about nuclear strategy for decades, headed a panel that investigated nuclear-weapon safety for the U.S. Congress in 1990, and worked on technical issues for jason until the end of his life. A few months ago, when I asked for his opinion about launch-on-warning, Drell said, “It’s insane, the worst thing I can think of. You can’t have a worse idea.”

Drell was an undergraduate at Princeton University when Hiroshima and Nagasaki were destroyed. Given all the close calls and mistakes in the seventy-one years since then, he considered it a miracle that no other cities have been destroyed by a nuclear weapon—“it is so far beyond my normal optimism.” The prospect of a new cold war—and the return of military strategies that advocate using nuclear weapons on the battlefield—deeply unnerved him. Once the first nuclear weapon detonates, nothing might prevent the conflict from spiralling out of control. “We have no experience in stopping a nuclear war,” he said.

..

Donald Trump and Vladimir Putin confront a stark choice: begin another nuclear-arms race or reduce the threat of nuclear war. Trump now has a unique opportunity to pursue the latter, despite the bluster and posturing on both sides. His admiration for Putin, regardless of its merits, could provide the basis for meaningful discussions about how to minimize nuclear risks. Last year, General James Mattis, the former Marine chosen by Trump to serve as Secretary of Defense, called for a fundamental reappraisal of American nuclear strategy and questioned the need for land-based missiles. During Senate testimony, Mattis suggested that getting rid of such missiles would “reduce the false-alarm danger.” Contrary to expectations, Republican Presidents have proved much more successful than their Democratic counterparts at nuclear disarmament. President George H. W. Bush cut the size of the American arsenal in half, as did his son, President George W. Bush. And President Ronald Reagan came close to negotiating a treaty with the Soviet Union that would have completely abolished nuclear weapons.

Every technology embodies the values of the age in which it was created. When the atomic bomb was being developed in the mid-nineteen-forties, the destruction of cities and the deliberate targeting of civilians was just another military tactic. It was championed as a means to victory. The Geneva Conventions later classified those practices as war crimes—and yet nuclear weapons have no other real use. They threaten and endanger noncombatants for the sake of deterrence. Conventional weapons can now be employed to destroy every kind of military target, and twenty-first-century warfare puts an emphasis on precision strikes, cyberweapons, and minimizing civilian casualties. As a technology, nuclear weapons have become obsolete. What worries me most isn’t the possibility of a cyberattack, a technical glitch, or a misunderstanding starting a nuclear war sometime next week. My greatest concern is the lack of public awareness about this existential threat, the absence of a vigorous public debate about the nuclear-war plans of Russia and the United States, the silent consent to the roughly fifteen thousand nuclear weapons in the world. These machines have been carefully and ingeniously designed to kill us. Complacency increases the odds that, some day, they will. The “Titanic Effect” is a term used by software designers to explain how things can quietly go wrong in a complex technological system: the safer you assume the system to be, the more dangerous it is becoming.'

- Eric Schlosser, World War Three, By Mistake, December 23, 2016


Context

The International Day for the Total Elimination of Nuclear Weapons

A nonprofit's guide to online security: So you want to learn the lingo?
This year marks the 25th anniversary of the World Wide Web becoming publicly available. For many of us, this is a reminder of just how much the Internet has transformed our daily lives. This rings true for nonprofits too: The Internet has revolutionized the way that nonprofits communicate, fundraise, and recruit volunteers. It has enabled nonprofits like yours to share their mission with a global audience. To raise awareness. And to change the world. 

But the power of the Internet also comes with great responsibility -- namely the need to keep information safe and secure. As a nonprofit, it can be difficult to keep up with online security, especially when terminology seems complicated. Yes, you might have heard of terms like “phishing” or “cookies,” but what do they mean?

Today, you can find the answers to your questions with our quick and easy guide to online security terminology. In less than five minutes, you’ll be well on the way to helping keep your nonprofit safe on the Internet.

Let’s get started! Here’s a quick guide to familiarize yourself with common lingo and learn how to distinguish terms that are friends vs foes in the online security realm. 


THE BAD GUYS: MALICIOUS ACTIONS/TERMS

  • Advanced Fee Fraud (419 scams): A technique which tricks users into sending or paying money to fraudsters on the promise of receiving greater rewards afterwards. It is most commonly associated with Nigeria, and 419 is the section of the Nigerian legal code that covers this fraud.
  • Botnet: A network of computers that are infected with malicious software without users’ knowledge, used to send viruses and spam to other computers.
  • Malware: Malicious software with the purpose of infecting devices and systems, gathering personal information, gaining access to systems or disrupting the operations of the device or systems. Essentially, any software that maliciously alters or compromises the system or device.
  • Phishing / Social Engineering Attack: An attempt by hackers who pose as trustworthy individuals or businesses in order to get your personal information such as usernames, passwords, and financial information.
  • Trojans: Malicious programs posing as or bundled with legitimate ones, which are designed to compromise your system. They are usually installed on computers from opening attachments in scam emails or by visiting infected websites. The term comes from the Trojan Horse in Greek mythology.

How to avoid social engineering attacks

THE GOOD GUYS: ONLINE SAFETY TERMS


  • [Internet] Cookie: A small piece of data sent by a website you visit and stored in your web browser so that the site can remember information you have entered or interacted with, such as the items in a shopping basket on an e-commerce site.
  • Encryption: The process of encoding data, messages, or information, such that only authorized parties can read it.
  • Firewall: A security system used to block hackers, viruses, and other malicious threats to your computer. It acts as a barrier that applies predetermined rules, allowing trusted traffic through while blocking untrusted or non-secure traffic.
  • HTTPS (Hypertext Transfer Protocol Secure): The protocol for secure communications over a computer network, used on the Internet. It provides authentication of the website and the web servers associated with it, and encrypts the traffic between your browser and the site.
  • Transport Layer Security (TLS): TLS is a protocol that encrypts and delivers mail securely, both for inbound and outbound mail traffic. It helps prevent eavesdropping between mail servers – keeping your messages private while they're moving between email providers. 
  • Two Factor Authentication / Two Step Verification: A method of using an additional process to verify your identity online. It combines both ‘something you know’ (like a password) and ‘something you have’ (like your phone or security key) — similar to withdrawing money from an ATM/cash machine, where you need both your PIN and your bank card.

That’s a wrap for now! Pass on these tips to your nonprofit partners to stay safe and secure online, so you can focus on what matters most: changing the world. 


To see if your nonprofit is eligible to participate, review the Google for Nonprofits eligibility guidelines. Google for Nonprofits offers organizations like yours access to Google tools like Gmail, Google Calendar, Google Drive, Google Ad Grants, YouTube for Nonprofits and more at no charge. These tools can help you reach new donors and volunteers, work more efficiently, and tell your nonprofit’s story. Learn more and enroll here.


3 Reasons why Chromebooks might be a good fit for your nonprofit

When we speak with nonprofit organizations, we often hear about the challenges related to technological resources. So when it comes to investing in new technology, it’s important to consider three primary factors:

  • Security: Does it keep my information private and secure?
  • Compatibility: Does it work with the programs I use?
  • Price: Is it within budget?
To address these questions, Google created the Chromebook, a series of laptops built with ChromeOS. The vision behind Chromebooks is simple: to create a safe, accessible, and affordable laptop. To improve user privacy and security, Chromebooks automatically update to provide virus protection, encryption, and safe browsing. For easy access and collaboration, they’re outfitted with Gmail, Google Docs, and Hangouts (and nonprofits receive the full Google Apps bundle with 30GB of space per user at no charge). What’s more, they start at $169 USD, and that’s for a laptop with up to 10+ hours of battery life!
ASUS Chromebook C201 ($169)

Case Study

Charity:water, a non-profit organization that provides clean and safe drinking water to people in developing countries, has a “100 percent model,” where every dollar donated goes directly to fund clean water projects. As a result, resources are limited. In order to cover operational costs like salaries and supplies, the organization relies on a few passionate and dedicated supporters. With this in mind, Charity:water transitioned to Chromebooks to improve the efficiency of its staff’s workflow. Now, employees can spend more time focusing on their goals and working towards their mission to nourish the world.

Want to learn more?

Chromebooks give nonprofits unified access to the Google Apps suite, including:

  • Google Docs, Sheets, Slides: Allow you to create documents, spreadsheets, and presentations in real time. They’re automatically backed up online, and you can also open and edit Microsoft Word, PowerPoint, or Excel files.
  • Google Hangouts: Google Hangouts can be used to make phone calls, screenshare, and video chat.
  • Google Drive: Store, sync, and share documents in the cloud for secure and easy access.

As a nonprofit, you also receive discounted access to Chrome licenses, which give you management controls via Chrome Device Management. Chrome Device Management is a unified way to manage all of your nonprofit’s users, devices, and data. For nonprofits, the Chrome management license is discounted to only $30, compared with the usual $150!

Chromebooks are our vision for providing cheaper, easier-to-use, and more secure laptops. Because they come with Google Apps installed out of the box, nonprofits can maximize their impact while saving both time and resources.


To see if your nonprofit is eligible to participate, review the Google for Nonprofits eligibility guidelines. Google for Nonprofits offers organizations like yours free access to Google tools like Gmail, Google Calendar, Google Drive, Google Ad Grants, YouTube for Nonprofits and more. These tools can help you reach new donors and volunteers, work more efficiently, and tell your nonprofit’s story. Learn more and enroll here.

To learn more about Chromebooks for nonprofits, take a look at Google for Work’s Chromebook’s website. To take advantage of the Google Nonprofit license discount, a Google partner will reach out to you once you fill out the Contact Us form.


HTTP Verb Tampering Demo/Example/Tutorial


What is an HTTP Verb?

  • According to Wikipedia, "The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web."

  • A verb is simply an HTTP method, used to indicate the desired action to be performed on the identified resource.


- List of some basic HTTP verbs (methods)
  • OPTIONS
  • GET
  • HEAD
  • POST 
  • PUT
  • DELETE
  • TRACE
  • CONNECT



What is HTTP Verb Tampering?

It is a method of bypassing a defence by tampering with the HTTP verb. Some secret directories have their access restricted by basic authentication. These directories are protected by the .htaccess file, which is easy to misconfigure and then exploit. This attack is the result of an Apache .htaccess file misconfiguration.

An administrator limits access to the private resource or directory to the POST request method only. See the vulnerable code below.

Here AuthUserFile is the path to the .htpasswd file, which holds the usernames and passwords in encrypted form.

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>


It applies the credential check only to the methods listed in the Limit block and matches the supplied credentials against those saved in the .htpasswd file; if they are wrong, an error page is shown.


Here the administrator has restricted the POST method but has not blocked the other methods. This means that a request using any other method gives the attacker access to the protected private resource or directory. Below I have provided a video demo of successful exploitation of an HTTP verb tampering vulnerability via Live HTTP Headers (a Firefox add-on) on an AT&T subdomain (reported and fixed). In the next post I will show various ways to fix or patch this vulnerability.
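To show why the Limit block above fails and what a correct configuration looks like, here is an added example (not code from the original post) that models the method-matching behaviour of Apache's Limit and LimitExcept containers in Python, so the bypass can be checked in a unit test rather than against a live server. The method list is the one given earlier in the post; it assumes Apache's documented behaviour that a GET restriction in a Limit block also covers HEAD, that missing Basic-auth credentials produce 401, and that "Require all denied" produces 403. The "authenticated" flag stands for a request that carried valid credentials.

```python
"""Model of the .htaccess <Limit> misconfiguration and a hardened equivalent.

Added example, not from the original post. Each policy function returns the
HTTP status the protected resource would answer with for a given method and
whether the request carried valid Basic-auth credentials.
"""

# The verbs listed in the post.
KNOWN_METHODS = ("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT")


def limit_covers(method: str, listed: tuple) -> bool:
    """<Limit A B>: the enclosed directives apply only to the listed methods.
    Apache treats a GET restriction as also restricting HEAD; mirrored here."""
    covered = set(listed)
    if "GET" in covered:
        covered.add("HEAD")
    return method in covered


def limit_except_covers(method: str, listed: tuple) -> bool:
    """<LimitExcept A B>: the enclosed directives apply to every method NOT listed."""
    return method not in set(listed)


def vulnerable_policy(method: str, authenticated: bool) -> int:
    """The post's configuration:
        <Limit GET POST>
            Require valid-user
        </Limit>
    Only GET, HEAD and POST ever trigger the credential check."""
    if limit_covers(method, ("GET", "POST")) and not authenticated:
        return 401
    return 200      # every other verb reaches the resource with no credentials at all


def hardened_policy(method: str, authenticated: bool) -> int:
    """Hardened equivalent:
        Require valid-user                  (no <Limit>: applies to every method)
        <LimitExcept GET HEAD POST>
            Require all denied              (verbs the app does not need are refused)
        </LimitExcept>
    The method allow-list is checked first, then credentials are always required."""
    if limit_except_covers(method, ("GET", "HEAD", "POST")):
        return 403
    if not authenticated:
        return 401
    return 200


def unauthenticated_access(policy) -> set:
    """Defender's audit: which known verbs reach the resource (200) with no credentials."""
    return {m for m in KNOWN_METHODS if policy(m, False) == 200}


if __name__ == "__main__":
    print("vulnerable, no credentials:", sorted(unauthenticated_access(vulnerable_policy)))
    print("hardened,   no credentials:", sorted(unauthenticated_access(hardened_policy)))
```

The audit function is the useful part for a defender: run it over the full verb list (including verbs the server does not implement) whenever the access-control configuration changes, and treat any non-empty result as a regression.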