“Mandiant” – Announcing Mandiant for Security Operations

Citation: "Organizations spend millions of dollars investing in top-notch security teams and in
building secure networks to keep would-be attackers out of their IT environments.
Despite these investments, determined attackers routinely compromise well-secured
organizations and steal their intellectual property and financial assets.

Our newest product, Mandiant for Security Operations, equips security teams to confidently detect, analyze and resolve incidents in a fraction of the time it takes using conventional approaches. This appliance-based solution connects the dots between what’s happening on their network and what’s happening on their endpoints.

With Mandiant for Security Operations security teams can:
* Search for advanced attackers and the APT
* Integrate endpoint security with your network security
* Accelerate triage of suspected incidents
* Find out what happened, without forensics
* Contain endpoints

Read more about Mandiant for Security Operations or request a call to receive a demonstration.


Mandiant In The Headlines

January 30, 2013
Hackers in China Attacked The Times for Last 4 Months
By Nicole Perlroth – The New York Times 
February 7, 2013
Mandiant, the Go- To Security Firm for Cyber-Espionage Attacks
By Brad Stone & Michael Riley – Bloomberg Businessweek 
February 18, 2013
Chinese Army Unit Is Seen as Tied to Hacking Against U.S.
By David E. Sanger, David Barboza & Nicole Perlroth – The New York Times 


Mandiant® | 2318 Mill Road, Suite 500 | Alexandria, VA 22314

Unveiled by Public Intelligence – NATO Legal Deskbook

NATO Legal Deskbook Second Edition

  • 348 pages
  • 2010


NATO leads efforts to bring stability in its ongoing missions in the Balkans, Afghanistan, and Iraq.

Legal Advisers serve as key members of a Commander’s staff in the complex legal and political environment in which NATO operates. The challenges NATO Commanders and Legal Advisers face to fulfil mandates, accomplish missions, and support the rule of law in embryonic and fragile democratic governments require discussion, understanding and the documentation of practical solutions.

The NATO Legal Deskbook is published by the Office of the Legal Adviser, Allied Command Transformation Staff Element Europe (Mons) with the active support and help of the Office of the Legal Adviser, Headquarters Allied Commander Transformation (HQ SACT, Norfolk, USA) and the Office of the Legal Adviser, Supreme Headquarters Allied Powers Europe (SHAPE, Mons, Belgium), as well as many legal advisers in NATO and in the Member States or in other official or academic positions outside NATO.

Why a NATO Legal Deskbook?

Two recurring themes surface in after-action reports from exercises and operations. The first is that NATO Commanders and staffs naturally and increasingly turn to the Legal Advisers to help plan, execute, coordinate, evaluate, and support the assigned mission. The second is that no single doctrinal resource exists in NATO to assist legal practitioners in fulfilling this task. Although several Alliance members have produced such guides, before the NATO Legal Deskbook none existed for Legal Advisers and legal personnel assigned to NATO commands.

Whether doctrinally ready or not, the Alliance calls upon NATO Legal Advisers and staffs to advise and, often, help direct the execution of the legal component of a mission or mandate. NATO owes these attorneys, paralegals, and legal personnel, who work under often austere and demanding conditions, practical guidance in the form of a comprehensive resource that provides an overview of and insight into the legal regime that forms NATO practice. Fulfilling this need is the genesis, purpose and rationale for this practitioner’s guide.

What this Deskbook is not:

This Deskbook is not NATO policy or military doctrine for legal support to operations.

The Deskbook intends to reflect as closely as possible the policies and practice of NATO in legal matters, however, the Deskbook is not a formally approved NATO document and therefore shall not be deemed as reflection of the official opinion or position of NATO.

The practitioner’s guide is not intended to offer guidance or advice to other military professionals involved in operations. It was written by Legal Advisers for Legal Advisers and legal staff. Its scope and purpose is limited to providing military legal subject-matter experts with assistance in accomplishing the mission. While others may find the guide helpful, they should understand it is not a tutorial. Fundamental legal principles, standard practices of interpretation, and basic legal practices are assumed as matters already known by its intended audience: the Legal Adviser, legal assistant, or paralegal.

This practitioner’s guide does not offer an all-inclusive formula on how to advise a NATO commander on any particular aspect of the law, nor is it intended to supplant national guidance. Instead, the guide presupposes that Legal Advisers will continue to find themselves providing legal support to operations and missions in a variety of different circumstances, environments, and locations. The guide and its contents must therefore be flexible and geographically universal in application.

Cryptome – National Security in the Digital Age: Review

Michael Hayden, ex-CIA and ex-NSA head, discusses “National Security in the Digital Age” on C-SPAN. Hayden avidly defends the use of murderous drones with “we are at war,” and repeats the phrase several times in formulaically grave tones and glares, the most beloved mantra of militarists. He then declines to affirm or deny that the CIA has a drone program: “remember, the CIA has never admitted using drones.”

In one of the few admissions of CIA error, Hayden says the agency has become dominated by OSS-like military operations at the expense of its primary intelligence mission, that the military ops were appropriate to 9/11 but now believes CIA should return to its more important role.

He claims that in a state of war things are done that should not be prolonged, that wartime powers given to the natsec agencies should be balanced with other national requirements. In response to an audience question about why only the US has a drone warfare program, he answers that the American people and US allies seem to not understand the US is currently at war.

Hayden laughs and jokes a lot, a peculiar behavior for an avowedly grave topic. His bizarre twisting, jerking, spastic body language indicates roiling contempt for the naive questions being asked and evaded. Hayden exhibits the characteristic, Petraeus-like attributes of a typical military careerist kiss-upper, kick-downer, a vain double-speaker masking intellectual incapability, condescending toward civilians without access to secrets, a grandstanding surrogate hero relishing being at the top, mingling with and succoring global prominents (who will hire ex-natsecs to advise and promote warfare), the job requirements of the military pinnacle.

This behavior may derive from Hayden being among the horde of natsec-exes managed by speaker bureaus and shows the silly mannerisms required to be “appealing” overlaid long-practiced WMD-terrifying. Hayden noted WMD now means Weapons of Mass Disruption to flog and finance terrifying cyberwar threats — both by and against the US. He emphasizes that the US has masterful technology to address cyber threats but is constrained, to his regret, by political and social clamor about using that technology against the homeland and foreign innocents.

Notably, when Hayden loses a train of thought or fails to dredge up a glib answer, he leans toward interlocutor Frank Sesno and blurts, as if pre-metronomed by advanced officer school and sales, “we are at war.”

Observe Hayden’s use of three fingers, four fingers, ticking off points as if to a crowd of subordinates, pointed looks at friendlies in the audience, nodding “you know what I mean.” Among us secrets-knowers, he fingers coded signals, “let’s play the game of taunting with tidbits what others cannot be allowed to know we are stealing from them,” as he is quoted in the title of Gibney’s documentary “We Steal Secrets.”

This signature behavior of officials who have been carefully briefed to say little in public while implying much in secret is endemic in the world’s capitals of testimony and public speaking. Banal, numbing, open information to tease about the classified and confidential only to be delivered in “closed sessions” to those willing to keep the secrets. “Closed sessions” refutation of democracy for its seemingly always at risk, at war, top security.

Excessive, vulgar joshing between Hayden and Sesno, alternating with mock gravitas of the drone-slaughter rationale “we are at war” red-phone cliche, exemplifying mutual caressing and pandering of spies and journalists in sessions closed to the public but branded and hyped with “anonymous sources” and “leaks.”

Hayden likes the CIA-propaganda film Zero Dark Thirty, with slight demur about artistic license. He crows “I know the real CIA heroine and bin Laden hunters,” not naming Frances Bikowsky, Stephen Nicgorski and their band of assassins. With clips of and comments on Homeland, Hayden and Sesno parade a consummate failure of public responsibility, inbred NatSec idiocy, of knowing and over-protecting insiders too well, advanced by lurid entertainment and complicit vapid interviews.

A word about Hayden’s physical flabbiness, a characteristic of military members of spy agencies — except for Petraeus. Not needing physical prowess for combat, one might wonder if the physical indolence is deliberate, vaunting mind over muscle, as a mark of superiority now newly institutionalized with the Distinguished Warfare Medal for drone pilots and hackers. Certainly that reward for arrogance over drone targets and clueless Internet users vaunts flab as a war winner, sure to flatter fat-headed gastronomes of all ideologies.

The C-SPAN show is a repugnant, vacuous public relations DC faux natsec simpering horror show, watch it, upload to YouTube, crowd source — Hayden touts crowd sourcing for espionage exploitation.



TMZ – Paulina Gretzky — Knockers, Knockers… Who’s There?


Check out this photo of a sexy, hot celeb stepping out of a car so that all you can see is her cleavage. Can you guess who it is? You get one hint: It’s not Bette Midler.

Proven – China ‘aiding hacker attacks on west’

The building in Shanghai that hosts the Chinese military’s Unit 61398, which has been accused of involvement in hacking attacks. Photograph: Peter Parks/AFP/Getty Images

The Chinese army has launched hundreds of cyber-attacks against western companies and defence groups from a nondescript office building in Shanghai, according to a report that warns hackers have stolen vast amounts of data from their targets.

Mandiant, a security company that has been investigating attacks against western organisations for over six years, said in a report (PDF) that the attacks came from a 12-storey building belonging to the People’s Liberation Army (PLA) General Staff Department and housing the unit designated Unit 61398.

Mandiant said it believed the hacking group known as the Comment Crew or the Shanghai Group was based inside the compound, in a rundown residential neighbourhood. Although the report does not directly place the hackers inside the building, it argues there is no other logical explanation for so many attacks emanating from such a small area.

“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively,” said the report.

The discovery will further raise the temperature in the intergovernmental cyberwars, which have heated up in recent years as the US, Israel, Iran, China and the UK have all used computer subterfuge to undermine rival states or terrorist organisations. One security expert warned that companies in high-profile fields should assume they will be targeted and breached, and build systems that fence sensitive data off from each other.

Rik Ferguson, global vice-president of security research at the data security company Trend Micro, said: “We need to concentrate less on building castles and assuming they will be impervious, and more on building better dungeons so that when people get in they can’t get anything else.”

Mandiant says Unit 61398 could house “hundreds or thousands” of people and has military-grade, high-speed fibre-optic connections from China Mobile, the world’s largest telecoms carrier. “The nature of Unit 61398’s work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations,” Mandiant said in the report.

It said Unit 61398 had been operating since 2006, and was one of the most prolific hacking groups “in terms of quantity of information stolen”. This it estimated at hundreds of terabytes, enough for thousands of 3D designs and blueprints.

“APT1”, as Mandiant calls it, is only one of more than 20 groups that Mandiant says have carried out scores of hacking attacks against businesses and organisations in the west, including companies that work in strategic industries such as US power and water infrastructure.

A typical intrusion left behind malware that hid its presence from users and administrators and silently siphoned data to a remote server elsewhere on the internet, acting on instructions from a separate “command and control” (C&C) computer. By analysing that malware, the pattern of connections it made and the infrastructure behind the C&C servers, the Mandiant team said it was confident about the source of the threat.
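The attribution step the paragraph describes, linking many separately recovered malware samples through the C&C infrastructure they share, is essentially graph clustering over indicators. The block below is an added example written for this page; it is not code from the Guardian article or from Mandiant’s APT1 report. It assumes a small constructed set of relationships of the kind an incident responder extracts from malware configurations and passive DNS (sample to C2 domain, domain to resolved IP, domain to registrant e-mail); every hash, domain, address and e-mail in it is made up. It also shows the caveat a practitioner cares about: an IP that many unrelated domains resolve to (shared hosting, a parking address) will merge unrelated activity into one bogus cluster unless such high-degree nodes are excluded before pivoting.

```python
"""Cluster malware samples by shared command-and-control infrastructure.

Added example, not code from the Guardian article or from Mandiant's APT1
report. It assumes a constructed set of indicator relationships of the kind an
incident responder pulls from malware configurations and passive DNS:
sample -> C2 domain, domain -> resolved IP, domain -> registrant e-mail. All
hashes, domains, addresses and e-mails below are made up. Samples that land in
the same connected component share infrastructure and are candidates for the
same operator. Nodes linked to too many others (shared hosting, parking IPs)
are dropped before clustering, because pivoting through them merges unrelated
activity into one false cluster.
"""
from collections import defaultdict

# Constructed observations: (type_a, value_a, type_b, value_b) means a and b
# were seen together, e.g. a sample's config named a C2 domain.
OBSERVATIONS = [
    ("sample", "a1b2c3", "c2", "update-check.example"),
    ("sample", "d4e5f6", "c2", "update-check.example"),
    ("sample", "0f0f0f", "c2", "news-feed.example"),
    ("sample", "9a9a9a", "c2", "mail-sync.example"),
    ("sample", "777777", "c2", "unrelated-1.example"),
    ("c2", "update-check.example", "ip", "203.0.113.10"),
    ("c2", "news-feed.example", "ip", "203.0.113.10"),
    ("c2", "news-feed.example", "email", "reg1@example.net"),
    ("c2", "mail-sync.example", "email", "reg2@example.net"),
    # A shared-hosting/parking address that many unrelated domains resolve to.
    ("c2", "update-check.example", "ip", "198.51.100.1"),
    ("c2", "mail-sync.example", "ip", "198.51.100.1"),
    ("c2", "unrelated-1.example", "ip", "198.51.100.1"),
    ("c2", "unrelated-2.example", "ip", "198.51.100.1"),
    ("c2", "unrelated-3.example", "ip", "198.51.100.1"),
]


class UnionFind:
    """Disjoint-set forest over arbitrary hashable nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            self.parent[node] = self.parent[self.parent[node]]  # path halving
            node = self.parent[node]
        return node

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def promiscuous_nodes(observations, max_degree):
    """IPs and e-mails linked to more than max_degree other nodes.

    These pivots are most likely shared infrastructure rather than something
    the operator controls, so they are excluded from clustering.
    max_degree=None disables the filter (useful to see how much it matters).
    """
    if max_degree is None:
        return set()
    degree = defaultdict(int)
    for ta, a, tb, b in observations:
        degree[(ta, a)] += 1
        degree[(tb, b)] += 1
    return {n for n, d in degree.items() if n[0] in ("ip", "email") and d > max_degree}


def cluster_samples(observations, max_degree=3):
    """Group sample hashes that share C2 infrastructure.

    Returns a list of clusters (each a sorted list of hashes), largest first.
    """
    skip = promiscuous_nodes(observations, max_degree)
    uf = UnionFind()
    samples = set()
    for ta, a, tb, b in observations:
        u, v = (ta, a), (tb, b)
        if ta == "sample":
            samples.add(u)
        if u in skip or v in skip:
            continue  # never pivot through shared infrastructure
        uf.union(u, v)
    clusters = defaultdict(list)
    for s in samples:
        clusters[uf.find(s)].append(s[1])
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


if __name__ == "__main__":
    print("pruned:  ", cluster_samples(OBSERVATIONS))
    print("unpruned:", cluster_samples(OBSERVATIONS, max_degree=None))
```

With the degree filter on, three samples cluster through the dedicated address 203.0.113.10 and the registrant e-mail, while the two remaining samples stay separate; with the filter off, the parking address 198.51.100.1 pulls all five into a single cluster, which is exactly the kind of over-attribution the Chinese foreign ministry’s “rudimentary data” objection quoted later in the article is aimed at.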

A Chinese foreign ministry spokesman denied the government was behind the attacks, saying: “Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don’t know how the evidence in this so-called report can be tenable. Arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue.”

But Ferguson told the Guardian: “This is a pretty compelling report, with evidence collected over a prolonged period of time. It points very strongly to marked Chinese involvement.”

Mandiant, based in Alexandria, Virginia, in the US, investigated the New York Times break-in, for which it suggested Chinese sources could be to blame.

President Barack Obama is already beefing up US security, announcing in his State of the Union speech this month an executive order that would let the government work with the private sector to fend off hacking. But the cybersecurity framework the order calls for will not be ready for implementation until February 2014.

The revelation comes days after the New York Times, Wall Street Journal and Washington Post, as well as the social networks Facebook and Twitter, said they had been subjected to “highly sophisticated” hacks that in some cases focused on correspondents writing about China and its government.

A separate investigation by the computer company Dell, working with the news company Bloomberg, tracked down another alleged hacker, Zhang Changhe, who has written a number of papers on PC hacking. Zhang works at the PLA’s “information engineering university” in Zhengzhou, Henan province, north-central China.

The allegations will raise the temperature in the continuing cyberwar between the west and China, which has been steadily rising since the Pentagon and MI6 uncovered Titan Rain, a scheme that tried to siphon data from the Pentagon and the House of Commons in 2005, and which one security expert said at the time dated back at least to 2004.

Ferguson suggested that western governments were also carrying out attacks against Chinese targets – “but that’s not a culture which would open up about being hit. I would be surprised and disappointed if most western nations don’t have a cybersecurity force.”

The Stuxnet worm, which hit Iran’s uranium enrichment plant at Natanz in 2010, is believed to have been written jointly by the US and Israel, while Iranian sources are believed to have hacked certificate authorities, the companies that issue the certificates behind HTTPS connections, so that they could intercept the supposedly secure connections Iranian dissidents used to reach Google’s Gmail. China is also reckoned to have been behind the hacking of Google’s email servers in that country in late 2009, an operation that cables released by WikiLeaks suggested was inspired by the Beijing government.

A timeline of government-sponsored hacking attacks


2004 suspected: Chinese group in Shanghai begins probing US companies and military targets.


2005: “Titan Rain” pulls data from the Pentagon’s systems, and a specialist says of a December 2005 attack on the House of Commons computer system that “The degree of sophistication was extremely high. They were very clever programmers.”


2007: Estonia’s government and other internet services are knocked offline by a coordinated distributed denial-of-service attack from more than a million computers around the world, reckoned to have been run by a group acting at the urging of the Russian government. Nobody is ever arrested over the attack.


2008: Russia’s government is suspected of carrying out cyberattacks to knock out government and other websites inside Georgia, with which it is fighting a short war over the territory of South Ossetia.


December 2009: Google’s email systems in China are hacked by a group that tries to identify and take over the accounts of Chinese dissidents. Google withdraws its search engine from the Chinese mainland in protest at the actions. WikiLeaks cables suggest that the Chinese government was aware of the hacking.


2010: The Flame malware begins silently infecting computers in Iran; it is not discovered until 2012. To spread within a network it uses a forged Microsoft code-signing certificate, obtained through a previously unknown variant of an MD5 chosen-prefix collision attack that analysts say would require world-class cryptanalysts to devise, to sign a fake update and deliver it to neighbouring Windows PCs through the Windows Update mechanism, which normally establishes an authenticated link to Microsoft. Once installed, Flame records keystrokes, screen contents and audio. Analysts say that only a “wealthy” nation state could have written it.


The Stuxnet worm is discovered to have been affecting systems inside Iran’s uranium enrichment facility at Natanz, passing from Windows PCs to the Siemens industrial controllers that drive the centrifuges separating uranium isotopes. The worm pushes the centrifuges outside their safe speed range while feeding the operators’ control panel readings that show normal operation, and so breaks them. Iran denies that the attack has affected its programme. The US and Israel are later fingered as being behind the code.


September 2011: a new virus that silently captures data from online banking transactions in the Middle East is unleashed. The principal targets use Lebanese banks. It is not identified until August 2012, when the Russian security company Kaspersky discovers the name “Gauss” embedded inside it. The company says the malware is “nation state-sponsored”, probably by a western state seeking to trace transactions by specific targets.


2012: About 30,000 Windows PCs at Saudi Aramco, the world’s most valuable company, are rendered unusable after a virus called “Shamoon” wipes and corrupts data and overwrites the master boot record the machine needs to start. In the US, Secretary of Defense Leon Panetta describes Shamoon as “one of the most destructive viruses ever” and suggests it could be used to launch an attack as destructive as the 9/11 attacks of 2001.


The across-the-board budget cuts known as sequestration that are expected
to take effect on March 1 could impede the government's ability to respond
to WikiLeaks and to rectify the flaws in information security that it
exposed, a Pentagon official told Congress recently.

Zachary J. Lemnios, the assistant secretary of defense for research and
engineering, was asked by Sen. Rob Portman (R-Ohio) to describe the "most
significant" impacts on cybersecurity that could follow from the
anticipated cuts to the Pentagon's budget.

Mr. Lemnios replied that "cuts under sequestration could hurt efforts to
fight cyber threats, including [...] improving the security of our
classified Federal networks and addressing WikiLeaks."


The sequester could also interfere with the Comprehensive National
Cybersecurity Initiative that began under President Bush, he said, and
could hold up plans to "initiat[e] continuous monitoring of unclassified
networks at all Federal agencies."

Mr. Lemnios' response to Sen. Portman's question for the record (which had
not specifically mentioned WikiLeaks) followed a March 2012 Senate Armed
Services Committee hearing on Emerging Threats and Capabilities that was
published in December 2012 (at page 42).


Generally speaking, computer security within the military is a daunting
problem, Mr. Lemnios told the Committee, particularly since "The Department
operates over 15,000 networks and 7 million computing devices across
hundreds of installations in dozens of countries around the globe."

The challenge of cybersecurity cannot be fully described in public, said
Dr. Kaigham J. Gabriel of DARPA. "The complete picture requires a
discussion at the special access level."  But he told the Committee last
year that several basic points can be openly acknowledged:

"Attackers can penetrate our networks:  In just 3 days and at a cost of
only $18,000, the Host-Based Security System" -- the Pentagon's baseline
computer security system -- "was penetrated."

"User authentication is a weak link: 53,000 passwords were provided to
teams at Defcon; within 48 hours, 38,000 were cracked."

"The Defense supply chain is at risk: More than two-thirds of electronics
in U.S. advanced fighter aircraft are fabricated in off-shore foundries."

"Physical systems are at risk: A smartphone hundreds of miles away took
control of a car's drive system through an exploit in a wireless

"The United States continues to spend on cybersecurity with limited
increase in security: The Federal Government expended billions of dollars
in 2010, but the number of malicious cyber intrusions has increased."

Though it was presumably not intentional, the WikiLeaks project galvanized
government information security programs and accelerated efforts to devise
"insider threat" detection mechanisms, along with intensified surveillance
of classified and unclassified government computer networks.

"New classes of anomaly detection methods have been developed and are
based on aggregating events across time and multiple sources to identify
network and host-based behavior that might be malicious," James S. Peery of
Sandia National Laboratories told the Senate Armed Services Committee at
last year's hearing.  "These approaches and behavioral-based methods have
been successful in finding previously undiscovered malware."

"One drawback of this technology, though, is that it has a very high false
positive rate," he said.
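The method Peery describes, aggregating events across time and across several log sources and then alerting on behaviour that stands out, and the false-positive problem he attaches to it, can both be shown in a few dozen lines. The block below is an added example written for this page, not code from the Secrecy News item or from the Sandia testimony. It assumes per-host, per-hour counters already rolled up from three constructed sources (failed logons, outbound proxy volume in megabytes, newly seen process names); the hosts, numbers and the threshold of three standard deviations are all made up for illustration. The point it makes is that alerting on any single anomalous source fires on a user who mistypes a password and on a server running its backup, while requiring corroboration across sources in the same hour keeps only the host where all three signals coincide.

```python
"""Corroborate anomalies across multiple log sources before alerting.

Added example, not code from the Secrecy News item or the Sandia testimony.
It assumes per-host, per-hour counters already aggregated from three
constructed log sources: failed logons (auth_fail), outbound proxy volume in
MB (bytes_out_mb) and newly seen process names (new_proc). Hours 0-5 are the
baseline; hour 6 is the window being evaluated. A source is anomalous when its
hour-6 value lies more than Z_THRESHOLD standard deviations above its own
baseline. Alerting on any single anomalous source reproduces the
false-positive problem the testimony describes; requiring corroboration across
sources keeps the compromised host and drops the benign ones.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0      # assumed cut-off, tune against your own baselines
BASELINE_HOURS = 6     # hours 0-5 build the baseline, hour 6 is scored

# Constructed data (all values made up).
#   ws01: a user mistypes a password repeatedly in hour 6 (benign).
#   srv01: a scheduled backup pushes a burst of data in hour 6 (benign).
#   ws02: failed logons, a large upload and new processes coincide in hour 6.
METRICS = {
    "ws01": {"auth_fail": [1, 0, 2, 1, 0, 1, 9],
             "bytes_out_mb": [20, 25, 18, 22, 24, 21, 23],
             "new_proc": [3, 4, 2, 3, 5, 3, 4]},
    "ws02": {"auth_fail": [0, 1, 0, 1, 0, 0, 8],
             "bytes_out_mb": [15, 18, 16, 17, 15, 16, 400],
             "new_proc": [2, 3, 2, 3, 2, 2, 14]},
    "srv01": {"auth_fail": [0, 0, 0, 0, 0, 0, 0],
              "bytes_out_mb": [100, 110, 95, 105, 100, 98, 900],
              "new_proc": [1, 1, 1, 1, 1, 1, 1]},
}


def zscore(baseline, value):
    """z-score of value against baseline; a flat baseline makes any change infinite."""
    m, s = mean(baseline), pstdev(baseline)
    if s == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / s


def anomalous_sources(metrics, z_threshold=Z_THRESHOLD):
    """Map each host to the sorted list of sources anomalous in the scored hour."""
    result = {}
    for host, per_source in metrics.items():
        flagged = []
        for source, series in per_source.items():
            baseline, current = series[:BASELINE_HOURS], series[BASELINE_HOURS]
            if zscore(baseline, current) > z_threshold:
                flagged.append(source)
        result[host] = sorted(flagged)
    return result


def alerts(metrics, min_sources):
    """Hosts with at least min_sources anomalous sources in the same hour.

    min_sources=1 is single-source alerting; 2 or more demands corroboration.
    """
    return sorted(h for h, srcs in anomalous_sources(metrics).items()
                  if len(srcs) >= min_sources)


if __name__ == "__main__":
    print("per-host anomalies:", anomalous_sources(METRICS))
    print("single-source alerts:", alerts(METRICS, min_sources=1))
    print("corroborated alerts: ", alerts(METRICS, min_sources=2))
```

Corroboration is not free: an attacker who moves slowly enough to trip only one source per window stays under a two-source rule, so in practice the window length and the minimum-source count are tuned together against the organisation’s own false-positive budget.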


Government-sponsored scientific research published in expensive journals
should become more readily accessible to the public under an initiative
announced by the White House Office of Science and Technology Policy on


Federal agencies that fund at least $100 million per year in scientific
research were directed by White House science advisor John Holdren to
develop plans to make the results of such research publicly available free
of charge within a year of original publication.

"The logic behind enhanced public access is plain," Dr. Holdren wrote in
response to a public petition on the White House web site. "We know that
scientific research supported by the Federal Government spurs scientific
breakthroughs and economic advances when research results are made
available to innovators. Policies that mobilize these intellectual assets
for re-use through broader access can accelerate scientific breakthroughs,
increase innovation, and promote economic growth."

But the benefits of open access are not the sole consideration in the new
policy.  "The Administration also recognizes that publishers provide
valuable services, including the coordination of peer review, that are
essential for ensuring the high quality and integrity of many scholarly
publications. It is critical that these services continue to be made

"We wanted to strike the balance between the extraordinary public benefit
of increasing public access to the results of federally-funded scientific
research and the need to ensure that the valuable contributions that the
scientific publishing industry provides are not lost," Dr. Holdren wrote.

The resulting policy mandating free public access within 12 months of
publication is the result of an attempt to balance those competing
interests, and it too is subject to future modification "based on
experience and evidence."


Members of the public are invited to comment on the feasibility and
desirability of various forms of institutional oversight at
federally-funded institutions that perform research involving certain
pathogens or toxins.

"Certain types of research that are conducted for legitimate purposes may
also be utilized for harmful purposes. Such research is called 'dual use
research'," said a Notice filed in the Federal Register Friday by the
Office of Science and Technology Policy.


"Dual use research of concern (DURC) is a smaller subset of dual use
research defined as life sciences research that, based on current
understanding, can be reasonably anticipated to provide knowledge,
information, products, or technologies that could be directly misapplied to
pose a significant threat with broad potential consequences to public
health and safety, agricultural crops and other plants, animals, the
environment, materiel, or national security," the OSTP Notice explained.

The term "dual use research of concern" should not be taken in a
pejorative sense, OSTP said.

"Research that meets the definition of DURC often increases our
understanding of the biology of pathogens and makes critical contributions
to the development of new treatments and diagnostics, improvements in
public health surveillance, and the enhancement of emergency preparedness
and response efforts. Thus, designating research as DURC should not be seen
as a negative categorization, but simply an indication that the research
may warrant additional oversight in order to reduce the risks that the
knowledge, information, products, or technologies generated could be used
in a manner that results in harm. As a general matter, designation of
research as DURC does not mean that the research should not be conducted or

In the February 22 Federal Register Notice, OSTP posed a series of
questions concerning potential oversight arrangements for dual use research
of concern and solicited feedback from interested members of the public.

Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.


Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web:    www.fas.org/sgp/index.html
email:  saftergood@fas.org
voice:  (202) 454-4691
twitter: @saftergood