Author Topic: Cyberwar, Cyber Crime, and American Freedom  (Read 217738 times)


  • Administrator
  • Power User
  • *****
  • Posts: 55124
    • View Profile
WSJ: Fake digi certificates
« Reply #50 on: March 24, 2011, 05:14:27 AM »

An Internet-security company said it was tricked into trying to lure Iranian users to fake versions of major websites, a sophisticated hack it suspects the Iranian government carried out.

Comodo Group Inc., a Jersey City, N.J., company that issues digital certificates to assure Internet users of websites' authenticity, said Wednesday it had issued nine such certificates to what turned out to be fraudulent websites set up in Iran.

The March 15 attack involved certificates for fake versions of Google Inc.'s Gmail site, Yahoo Inc.'s login page and websites run by Microsoft Corp., Firefox browser maker Mozilla Corp. and Internet telephone company Skype.

In theory, an Iranian attempting to log into his Yahoo account, for example, could have been misdirected to a fake site. That would allow the perpetrators to obtain a host of online information including contents of email, passwords and usernames, while monitoring activity on the dummy sites.

Since the targeted sites offer communication services, not financial transactions, Comodo said it seemed clear the hackers sought information, not money.

It wasn't clear whether anyone fell for the ruse. Comodo said it didn't know how many of the nine certificates were received by the attacker.

Iran's mission to the U.N. didn't reply to an emailed request for comment after business hours. Iran has said it is trying to combat Western culture and influence entering Iran via the Internet, a virtual clash it has called the "soft war."

The attack comes amid popular uprisings across the Middle East, where the Internet has played a critical role—not just in activists' efforts to stage protests, but also in state censorship and repression.

If Iran was involved, it suggests the government has stepped up electronic-monitoring efforts of its citizens, Internet security experts said. Iranian authorities got an early look at the power of social media during the mass protests following allegations of rigged elections in June 2009. It has since formed a "cyber army" to gain the upper hand over the Internet in Iran, which has more than 20 million users.

"This is a nightmare scenario," said Mikko Hypponen, head of research at F-Secure, a Helsinki, Finland-based Internet security firm. "You have to trust the companies selling these certificates and if we can't, then all bets are off."

Comodo said it traced the attack to an Internet service provider in Iran and concluded in an online post that the act was likely "state-funded" because the attacker would have needed access to critical Web infrastructure in the country.

While the company acknowledged the attacker could have been laying a false trail, it said the likely aim was to get online information about Iranian citizens.

"It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups," the company said in the post.

Comodo said the attacker gained entry to its system by obtaining the password and username of a European affiliate. Once inside, it issued the certificates for the phony sites. Comodo said it detected the breach within hours of the attack and revoked the certificates immediately.

A Microsoft spokeswoman said the company issued an upgraded security patch to help protect against fraudulent digital certificates. Mozilla declined to comment. Skype said it was monitoring the situation but didn't expect any impact. Google said it took steps to protect its users, but didn't specify them. Yahoo also said it was monitoring the situation.

"This is not a random hacker tinkering around," said Mr. Hypponen of the Finnish security firm. "You have to plan it beforehand and know what you're doing."

Austin Heap, a San Francisco-based Internet activist who has developed anti-censoring tools for use in Iran, said the development seems to suggest the Iranian government is becoming more professional and organized in online repression.

"It shows they have a plan," he said. "They are getting to the point where China is, where they can exert total control."

Write to Christopher Rhoads at



LATimes (POTB) US Vulnerable to Cyber War
« Reply #51 on: March 28, 2011, 08:14:11 AM »
The U.S. is vulnerable to a cyber attack, with its electrical grids, pipelines, chemical plants and other infrastructure designed without security in mind. Some say not enough is being done to protect the country.

Reporting from Washington—

When a large Southern California water system wanted to probe the vulnerabilities of its computer networks, it hired Los Angeles-based hacker Marc Maiffret to test them. His team seized control of the equipment that added chemical treatments to drinking water — in one day.

The weak link: County employees had been logging into the network through their home computers, leaving a gaping security hole. Officials of the urban water system told Maiffret that with a few mouse clicks, he could have rendered the water undrinkable for millions of homes.

"There's always a way in," said Maiffret, who declined to identify the water system for its own protection.

The weaknesses that he found in California exist in crucial facilities nationwide, U.S. officials and private experts say.

The same industrial control systems Maiffret's team was able to commandeer also run electrical grids, pipelines, chemical plants and other infrastructure. Those systems, many designed without security in mind, are vulnerable to cyber attacks that have the potential to blow up city blocks, erase bank data, crash planes and cut power to large sections of the country.

Terrorist groups such as Al Qaeda don't yet have the capability to mount such attacks, experts say, but potential adversaries such as China and Russia do, as do organized crime and hacker groups that could sell their services to rogue states or terrorists.

U.S. officials say China already has laced the U.S. power grid and other systems with hidden malware that could be activated to devastating effect.

"If a sector of the country's power grid were taken down, it's not only going to be damaging to our economy, but people are going to die," said Rep. Jim Langevin (D-R.I.), who has played a lead role on cyber security as a member of the House Intelligence Committee.

Some experts suspect that the U.S. and its allies also have been busy developing offensive cyber capabilities. Last year, Stuxnet, a computer worm some believe was created by the U.S. or Israel, is thought to have damaged many of Iran's uranium centrifuges by causing them to spin at irregular speeds.

In the face of the growing threats, the Obama administration's response has received mixed reviews.

President Obama declared in a 2009 speech that protecting computer network infrastructure "will be a national security priority." But the follow-through has been scant.

Obama created the position of federal cyber-security "czar," and then took seven months to fill a job that lacks much real authority. Several cyber-security proposals are pending in Congress, but the administration hasn't said publicly what it supports.

"I give the administration high marks for doing some things, but clearly not enough," Langevin said.

The basic roadblocks are that the government lacks the authority to force industry to secure its networks and industry doesn't have the incentive to do so on its own.

Meanwhile, evidence mounts on the damage a cyber attack could inflict. In a 2006 U.S. government experiment, hackers were able to remotely destroy a 27-ton, $1-million electric generator similar to the kind commonly used on the nation's power grid. A video shows it spinning out of control until it shuts down.

In 2008, U.S. military officials discovered that classified networks at the U.S. Central Command, which oversees military operations in the Middle East and Central Asia, had been penetrated by a foreign intelligence service using malware spread through thumb drives.

That attack led to the creation in 2009 of U.S. Cyber Command, a group of 1,000 spies and hackers charged with preventing such intrusions. They also are responsible for mounting offensive cyber operations, about which the government will say next to nothing.

The head of Cyber Command, Gen. Keith Alexander, also leads the National Security Agency, the massive Ft. Meade, Md.-based spy agency in charge of listening to communications and penetrating foreign computer networks.

Together, the NSA and Cyber Command have the world's most advanced capabilities, analysts say, and could wreak havoc on the networks of any country that attacked the U.S. — if they could be sure who was responsible.

It's easy to hide the source of a cyber attack by sending the malware on circuitous routes through computers and servers in third countries. So deterrence of the sort relied upon to prevent nuclear war — the threat of massive retaliation — is not an effective strategy to prevent a cyber attack.

Asked in a recent interview whether the U.S. could win a cyber war, Alexander responded, "I believe that we would suffer tremendously if a cyber war were conducted today, as would our adversaries."

Alexander also is quick to point out that his cyber warriors and experts are legally authorized to protect only military networks. The Department of Homeland Security is charged with helping secure crucial civilian infrastructure, but in practice, the job mostly falls to the companies themselves.

That would've been akin to telling the head of U.S. Steel in the 1950s to develop his own air defenses against Soviet bombers, writes Richard Clarke, who was President George W. Bush's cyber-security advisor, in his 2010 book, "Cyber War: The Next Threat to National Security and What to Do About It."

The comparison underscores the extent to which the U.S. lacks the laws, strategies and policies needed to secure its cyber infrastructure, experts say.

"If we don't get our act together, the consequences could be dire," said Scott Borg, who heads the U.S. Cyber Consequences Unit, which analyzes the potential damage from various scenarios.

The problem, though, is "there's nothing that everyone agrees on," said James Lewis, cyber-security expert at the Center for Strategic and International Studies in Washington.

For example, Lewis and other experts believe the government should mandate cyber-security standards for water systems, electric utilities and other crucial infrastructure. Some contend that major U.S. Internet service providers should be required to monitor patterns in Internet traffic and stop malware as it transits their servers.

But both ideas are viewed with suspicion by a technology industry that wants the government out of its business, and by an Internet culture that sees such moves as undermining privacy.

"There are a whole lot of things that can't be legislated," said Bob Dix, vice president of government affairs for Sunnyvale, Calif.-based Juniper Networks Inc., which makes routers and switches.

Yet Washington may be reaching a moment when the seriousness of the threat trumps political resistance. Sources familiar with the negotiations say the White House has promised Senate leaders that it will offer its own cyber-security legislation in a month. But any proposal that calls for far-reaching regulations would face an uphill battle.

CIA Director Leon E. Panetta told Congress recently that he worried about a cyber Pearl Harbor. Yet many who follow the issue believe that's what it will take to force Americans to awaken to the threat.

"The odds are we'll wait for a catastrophic event," said Mike McConnell, former director of National Intelligence and cyber-security specialist, "and then overreact."


China and Cybersecurity: Trojan chips
« Reply #52 on: May 12, 2011, 06:15:35 AM »

Pasting here BBG's post in the Internet thread

China and Cybersecurity: Trojan Chips and U.S.–Chinese Relations
Published on May 5, 2011 by Dean Cheng and Derek Scissors, Ph.D. WEBMEMO #3242

One subject of the third round of the U.S.–China Strategic and Economic Dialogue will be cybersecurity. Part of Secretary of Defense Robert Gates’s proposed Strategic Security Dialogue, it reflects the growing prominence of cybersecurity in Sino-American strategic relations.   

The concerns include computer network exploitation and computer network attacks, but also tampering with the physical infrastructure of communications and computer networks. Vulnerabilities could be introduced in the course of manufacturing equipment or created through purchase of malignant or counterfeit goods. Recent experience highlights these problems.
Such possibilities have brought calls for trade barriers, ranging from random entry-point inspections of various types of goods and equipment (e.g., chips and routers) to prohibition of some imports (e.g., communications hardware), especially from a major manufacturer, the People’s Republic of China (PRC).
The trade proposals tend to be vague because the cyber threat itself, while real, is vaguely presented. While an ill-defined threat certainly bears watching, it does not justify protectionism. Cybersecurity is largely classified, but trade is not, and trade policy cannot be held hostage to cybersecurity unless specific dangers are put forward.
What Is the Threat?
A longstanding fear has been that cyber attacks against the U.S. might result in disruptions to power, banking, and communications systems at a critical moment. The cyber attacks on Estonia and Georgia, which disrupted commerce and communications, raise the specter that the U.S. might undergo the equivalent of a cyber Pearl Harbor. Efforts by the Defense Advanced Research Projects Agency (DARPA) to improve verification capabilities highlight the limitations of current computer engineering skills in, for example, diagnosing cyber intrusions. Initial studies on the Trusted Integrated Circuit program, seeking to create a secure supply chain, were requested in 2007. As of late 2010, DARPA was still seeking new research proposals for determining whether a given chip was reliable, and whether it had been maliciously modified, as part of the Integrity and Reliability of Integrated Circuits (IRIS) program.[1]
A more recent worry is vulnerabilities “hardwired” into the physical infrastructure of the Internet. In the last several years, the FBI has warned that counterfeit computer parts and systems may be widespread.
This can manifest itself in two ways: fake parts and systems, which may fail at dangerously higher rates, or contaminated systems that might incorporate hardwired backdoors and other security problems, allowing a foreign power to subvert a system.[2] Similar problems have been identified by American allies; the U.K. has identified counterfeit parts entering into its military supply chain.
Much cyber-related attention has been focused on the PRC. China is reportedly the source of many of the hacking efforts directed at U.S. military and security computer networks. Chinese computer infiltration has reputedly obtained access to such sensitive programs as F-35 design information. Such efforts as Titan Rain, Ghostnet, and others have reportedly attacked U.S. and other nations’ information systems systematically and have infiltrated email servers and networks around the world. One example is the “Shadow network,” which affected “social networking websites, webmail providers, free hosting providers and services from some of the largest companies.”[3] Many have been traced back to the PRC—but attribution to any specific Chinese entity is extremely difficult.
A growing concern is that China can exploit its position as one of the world’s largest producers of computer chips, motherboards, and other physical parts of the Internet to affect American and allied infrastructure. China has apparently already demonstrated an ability to tamper with Domain Name System (DNS) servers based in China, “effectively poisoning all DNS servers on the route.”[4]
The fear is that they could now affect foreign-based routers. In this regard, the issue of Chinese counterfeit parts is compounded by uncertainty about whether fake parts are being introduced as part of a concerted intelligence campaign or simply the result of profiteering by local contractors.
Public Information Is Lacking
The arcane nature of the threat enhances uncertainty. Understanding the workings of computer viruses, patches, and the vulnerabilities of routers or microchips is difficult. Comprehending the intricacies of global supply chains and tracing the ultimate source of sub-systems and components can be equally difficult. Former NSA and CIA Director General Michael Hayden writes that “Rarely has something been so important and so talked about with less clarity and less apparent understanding.”[5]
Several studies highlight some of the myriad vulnerabilities.
The 2005 Defense Science Board Task Force on High Performance Microchip Supply identified the growing security problem of microchips being manufactured (and more and more often designed) outside the United States.
The 2007 Defense Science Board Task Force on Mission Impact of Foreign Influence on DOD Software noted that software frequently incorporates pieces of code from a variety of sources, any of which might be a point of vulnerability.
The 2008 National Defense Industrial Association’s handbook “Engineering for System Assurance” provides a comprehensive overview of system assurance, which in turn highlights how difficult it can be to achieve it.
Over-classification is also a problem. General Hayden notes that much of the information on cyber threats is “overprotected.” Greg Garcia, head of the Bush Administration’s efforts on cybersecurity, has similarly noted that “there was too much classified…Too much was kept secret.”[6]
Leave Trade Alone
The ambiguity on the security side actually clarifies the trade side. If the cyber threat is understood only tenuously, testing imported goods for cyber threats will be inadequate to identify compromised equipment. With ineffective testing, banning some importers would not be worthwhile. In a global economy, equipment will simply be re-routed. The U.S. does not have the resources necessary to track the true source of goods when dangerous items cannot be easily discovered—and discovery may even be impossible.
If the threat was well understood but national security argued against the disclosure of vital information, this at least suggests that the danger from trade is secondary to other dangers. America retains the option, of course, of simply restricting trade on national security grounds without disclosing its reasons. This would be unwise.
One drawback of restricting trade would be the costs incurred by the U.S. in terms of spending on import inspections and the loss of availability of certain goods. The defense community is often not well-positioned to anticipate the extent of these economic costs. People will not relinquish scarce resources voluntarily when the gains from doing so are not spelled out.
The second drawback is the reaction of American trade partners. American exports already suffer from undocumented national security justifications for protectionism. Were the U.S. to introduce a new set of potentially sweeping restrictions based on hidden national security requirements, the global trade environment would immediately and sharply deteriorate. Costs would be far higher than indicated by looking at American actions alone.
Balancing Economic and Security Responsibilities
Security. For policymakers and the public to properly comprehend the magnitude of the problem, the Department of Defense must be as transparent as possible. Some material will be classified. But the trade-off between security classification and the ability to promptly and adequately respond to a threat should be weighted more heavily to the transparency side than it is at present.
Trade. The Department of Commerce and United States Trade Representative should restrict trade only in accordance with what can be defended publicly and systematically. Introduction of ad hoc trade restrictions that claim a classified basis will harm the American economy.
For now, it is unreasonable to impose considerable economic costs for the sake of a serious but vaguely presented threat.
Dean Cheng is Research Fellow in Chinese Political and Security Affairs and Derek Scissors, Ph.D., is Research Fellow in Asia Economic Policy in the Asian Studies Center at The Heritage Foundation.


Security for AF bomber program
« Reply #53 on: May 17, 2011, 11:27:25 AM »

Interesting blog post on the security costs for the $50B Air Force bomber program -- estimated to be $8B. This isn't all computer security, but the original article specifically calls out Chinese computer espionage as a primary threat.


WSJ: US draws a line in the silicon
« Reply #54 on: May 23, 2011, 06:09:09 AM »
In the days immediately after 9/11, the U.S. sent tanks to surround the Federal Reserve Bank of New York and protect it from potential threats. In its basement is the largest depository of gold in the world, worth some $300 billion, almost all owned by foreign governments. The Fed's gold has only ever been stolen in the movies.

We know all about defending real-world treasure, but we are only beginning to understand threats to the 1s and 0s of the digital era. Vastly more capital and valuable information now flow digitally than through the real world, but Internet security is an afterthought.

This month the White House issued a pair of reports on the problem, both years in the making. One includes proposals for new domestic rules to protect infrastructure and to give companies immunity for sharing information about data breaches with local and federal authorities.

The other report, "U.S. International Strategy for Cyberspace," is a warning shot directed at rogue countries and cyber terrorists. Released at an event with four cabinet secretaries present, the study defines the benefits of the Web as "prosperity, security and openness in a networked world." It warns countries that cut off their own citizens from the Web or use cyber weaponry against the U.S. or its allies. The goal is to make the Web secure "without crippling innovation, suppressing freedom of expression or association, or impeding global interoperability."

The report says that "hostile acts in cyberspace" are as much a threat as physical acts. "We reserve the right to use all necessary means," including military, to "defend our nation, our allies, our partners and our interests." It adds, "Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners."

This tough language would have been more forceful if the usual suspects, including China and Russia, had appeared by name somewhere in the 30-page document. It would also be helpful for the U.S. to disclose cyber attacks by the country of origin. But at least the White House pledges to "ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits." The U.S. now spends some $16 billion a year for classified and unclassified work on cyber security, and this expense will grow.

There's a lot of catching up to do. There are constant cyber attacks against the Pentagon and other federal agencies, as well as against banks, electrical grids, dams and nuclear facilities. Over the past year, the U.S. failed to stop Chinese hackers from penetrating the Gmail accounts of American human rights activists. It also failed to prevent efforts to access Nasdaq's computers and a break-in at RSA, the cyber security company that provides SecurID access to private networks.

It's not surprising that our digital networks are vulnerable—they were planned to be. The Internet was created in the 1970s to solve the Pentagon problem of how to keep communications lines open during all-out war. The Darpanet-inspired Web moves packets of data around in an open, interconnected, decentralized and mostly unencrypted way. This is resilient, but also highly subject to infiltration.

There's cyber crime, such as the hacking of Sony PlayStations that revealed some 100 million accounts, including credit cards. Sony CEO Howard Stringer last week admitted he can't ensure the security of the videogame network, saying: "It's not a brave new world; it's a bad new world." There's also cyber war, which, at least so far, we seem to be winning. Israel apparently used the Stuxnet computer worm last year to undermine Iranian nuclear facilities, and in 2007 Israel may have activated a kill switch in Syrian air defenses before bombing Syria's nuclear facility.

The biggest unknown is cyber terrorism. The report doesn't say how many cyber attacks are by foreign governments as opposed to by terror groups, a dangerous known unknown.

The Washington response is the usual: too many agencies, more than a dozen, each claiming some cyber responsibilities. The result is that no one agency is being held accountable. There are proposals now to add the Securities and Exchange Commission to the bureaucracy by asking corporate lawyers to assess the materiality of data breaches by publicly traded companies.

A better approach includes proposals in "Cyber War," co-authored last year by former White House aide Richard Clarke. These include the U.S. maintaining its own "white hat" hackers tasked with trying to break into the grid. Another idea is to create a private government network for sensitive purposes accessible only by authorized officials.

Protecting the Web will never be as straightforward as dispatching tanks to protect gold bars. But it's progress for the U.S. to draw a line in the silicon warning enemies that digital attacks may result in real-world responses.


WSJ: IMF hacked
« Reply #55 on: June 12, 2011, 04:25:23 AM »
Or we could withdraw from the IMF , , ,

WASHINGTON—The International Monetary Fund is investigating a recent cyber attack that hit its network, the latest in a series of high-profile hacking incidents against major corporations and institutions.
The fund declined to disclose the nature of the attack, whether its systems were infiltrated or whether any confidential information had been compromised. The extent of any infiltration remains unclear.
"We had an incident," said IMF spokesman David Hawley. "We're investigating it and the fund is completely functional." He said IMF staff received a "routine notification" about the incident by email Wednesday asking them to contact their tech department "if they saw anything suspicious."
The threat against the institution is the latest in a recent series as it responds to economic turmoil in several European nations. Earlier this month, the IMF said it had taken precautions after a group called Anonymous indicated its hackers would target the IMF web site in response to the strict austerity measures in its rescue package for Greece.
The IMF has faced repeated cyber attacks in recent years. It routinely collects sensitive information about the financial conditions of its 187 member nations. Some data in its computer systems could conceivably be used to influence or trade currencies, bonds and other financial instruments in markets around the world.
The latest infiltration was sophisticated in that it involved significant reconnaissance prior to the attack, and code written specifically to penetrate the IMF, said Tom Kellermann, a former cybersecurity specialist at the World Bank who has been tracking the incident.
"This isn't malware you've seen before," he said, making it that much more difficult to detect. The concern, Mr. Kellermann said, is that hackers designed their attack to gain market-moving insider information.
The attackers appeared to have broad access to IMF systems, which would give them visibility into IMF plans, particularly as it relates to bailing out the economies of countries on shaky financial footing, Mr. Kellermann said.
The IMF spokesman wouldn't comment on any specific details of the incident, which was first reported Saturday by the New York Times.
The attack on the IMF led the World Bank this week to cut a network link between the two institutions, even though the tie is not used for confidential financial information or other sensitive data. The IMF and World Bank, whose headquarters are next door to each other in Washington, work closely together on economic concerns of their member nations around the world.
A World Bank official said Saturday the network link with the IMF "involved nonpublic, nonsensitive information and it was cut out of an abundance of caution."
The network link between the two institutions has been severed before due to attacks against the fund.
Cyber threats against the fund have increased in recent years, particularly after the global financial crisis. The IMF has been heavily involved with European governments in bailing out Greece, Ireland and Portugal as the nations struggle with sovereign-debt crises.
It's not clear whether the number of cyber attacks is increasing, but it is certainly the case that institutions have recently grown more comfortable about disclosing them. So widespread is the threat that the fear of embarrassment appears to have shrunk, security experts say.
Google Inc. recently said users of its Gmail email service had been hacked by unknown people in China. Lockheed Martin Corp. has acknowledged a breach that it linked to an attack on EMC Corp.'s RSA unit, a security company that makes the numerical tokens used by millions of corporate employees to access their network.



WSJ: China's Cyber Assault
« Reply #56 on: June 15, 2011, 10:46:41 AM »
This seems rather ominous , , ,

In justifying U.S. involvement in Libya, the Obama administration cited the "responsibility to protect" citizens of other countries when their governments engage in widespread violence against them. But in the realm of cyberspace, the administration is ignoring its primary responsibility to protect its own citizens when they are targeted for harm by a foreign government.

Senior U.S. officials know well that the government of China is systematically attacking the computer networks of the U.S. government and American corporations. Beijing is successfully stealing research and development, software source code, manufacturing know-how and government plans. In a global competition among knowledge-based economies, Chinese cyberoperations are eroding America's advantage.

The Chinese government indignantly denies these charges, claiming that the attackers are nongovernmental Chinese hackers, or other governments pretending to be China, or that the attacks are fictions generated by anti-Chinese elements in the United States. Experts in the U.S. and allied governments find these denials hard to believe.

Three years ago, the head of the British Security Service wrote to hundreds of corporate chief executive officers in the U.K. to advise them that their companies had in all probability been hacked by the government of China. Neither the FBI nor the Department of Homeland Security has issued such a notice to U.S. executives, but most corporate leaders already know it.

Some, like Google, have the courage to admit that they have been the victims of Chinese hacking. We now know that the "Aurora" attack (so named by the U.S. government because the English word appears in the attack software) against Google in 2009 also hit dozens of other information technology companies—allegedly including Adobe, Juniper and Cisco—seeking their source code. Aurora wasn't an isolated event. This month Google renewed its charge against China, noting that the Gmail accounts of senior U.S. officials had been compromised from a server in China. The targeting of specific U.S. officials is not something that a mere hacker gang could do.

The Aurora attacks were followed by systematic penetrations of one industry after another. In the so-called Night Dragon series, attackers apparently in China went after major oil and gas companies, not only in the U.S. but throughout the world. The German government claims that the personal computer of Chancellor Angela Merkel was hacked by the Chinese government. Australia has also claimed that its prime minister was targeted by Chinese hackers.

Recently the computer-security company RSA (a division of EMC) was penetrated by an intrusion which appears to have stolen the secret sauce behind the company's SecureID. That system is widely used to protect critical computer networks. And this month, the largest U.S. defense contractor, Lockheed, was subject to cyberespionage, apparently by someone using the stolen RSA data. Cyber criminals don't hack defense contractors—they go after banks and credit cards. Despite Beijing's public denials, this attack and many others have all the hallmarks of Chinese government operations.

In 2009, this newspaper reported that the control systems for the U.S. electric power grid had been hacked and secret openings created so that the attacker could get back in with ease. Far from denying the story, President Obama publicly stated that "cyber intruders have probed our electrical grid."

There is no money to steal on the electrical grid, nor is there any intelligence value that would justify cyber espionage: The only point to penetrating the grid's controls is to counter American military superiority by threatening to damage the underpinning of the U.S. economy. Chinese military strategists have written about how in this way a nation like China could gain an equal footing with the militarily superior United States.

What would we do if we discovered that Chinese explosives had been laid throughout our national electrical system? The public would demand a government response. If, however, the explosive is a digital bomb that could do even more damage, our response is apparently muted—especially from our government.

Congress hasn't passed a single piece of significant cybersecurity legislation. When the Chinese deny senior U.S. officials' claims (made in private) that Beijing is stealing terabytes of data in the U.S., Congress should not leave the American people in doubt. It should demand answers to basic questions:

What does the administration know about the role of the Chinese government in cyberattacks on public and private computer networks in the United States?

If there is widespread Chinese hacking of sensitive U.S. networks and critical infrastructure, what has the administration said about it to the Chinese government? Specifically, did President Obama raise concerns about these attacks with Chinese President Hu Jintao at the White House this spring?

Since defensive measures such as antivirus software and firewalls appear unable to stop the Chinese penetrations, does the administration have any plan to address these cyberattacks?

In private, U.S. officials admit that the government has no strategy to stop the Chinese cyberassault. Rather than defending American companies, the Pentagon seems focused on "active defense," by which it means offense. That cyberoffense might be employed if China were ever to launch a massive cyberwar on the U.S. But in the daily guerrilla cyberwar with China, our government is engaged in defending only its own networks. It is failing in its responsibility to protect the rest of America from Chinese cyberattack.

Mr. Clarke was a national security official in the White House for three presidents. He is chairman of Good Harbor Consulting, a security risk management consultancy for governments and corporations.


  • Power User
  • ***
  • Posts: 2321
Re: Cyberwar and American Freedom
« Reply #57 on: June 15, 2011, 11:15:11 AM »
Have you read his book?  It IS rather ominous.


  • Administrator
  • Power User
  • *****
  • Posts: 55124
Israel vs. Iran
« Reply #58 on: August 13, 2011, 06:56:39 PM »
August 12, 2011: Israel is apparently involved in a Cyber War with Iran, one that receives little official publicity. Not even all the damage is publicized, as a lot of the damage is undetected (often for a long time) by the victim. While Iran has made the most noise about this Cyber War, Israel is doing the most destruction. Israel wants to keep it that way, and keep it quiet. Partly, this is to keep the Iranians confused, but also to keep Israeli government lawyers happy. A lot of the tactics and weapons used in Cyber War are of uncertain legality. The traditional Laws of War have not caught up with Cyber War.

This process has been going on for some time, and some aspects of it do surface in the media. For example, three months ago, Israel established the National Cybernetic Taskforce, with orders to devise and implement defensive measures to protect the economy and government from Internet based attacks. The taskforce consists of about 80 people and is run by a retired general. Apparently, existing Internet security efforts, and military Cyber War organizations have discovered a growing number of vulnerabilities in the national Internet infrastructure. The only solution to this growing vulnerability is a large scale effort to monitor the national network infrastructure for vulnerabilities, and fix them as quickly as possible. You will never catch all the vulnerabilities, but in Cyber War, as in the more conventional kind, victory is not always a matter of who is better, but who is worse (more vulnerable to attack).

Meanwhile, Israel makes no secret of what it thinks about its Cyber War capabilities. Over the last year, Israel has revealed that its cryptography operation (Unit 8200) has added computer hacking to its skill set. Last year, the head of Israeli Military Intelligence said that he believed Israel had become the leading practitioner of Cyber War. This came in the wake of suspicions that Israel had created the Stuxnet worm, which got into Iran's nuclear fuel enrichment equipment, and destroyed a lot of it. Earlier this year, Iran complained that another worm, called Star, was causing them trouble. Usually, intelligence organizations keep quiet about their capabilities, but in this case, the Israelis apparently felt it was more useful to scare the Iranians, with the threat of more stuff like Stuxnet. But the Iranians have turned around and tried to attack Israel, and are apparently determined to keep at it for as long as it takes.

This struggle between Israel and Iran is nothing new. Seven years ago, Israel announced that Unit 8200 had cracked an Iranian communications code, an operation that allowed Israel to read messages concerning Iranian efforts to keep its nuclear weapons program going (with Pakistani help), despite Iranian promises to UN weapons inspectors that the program was being shut down.

It's long been known that Unit 8200 of the Israeli army specialized in cracking codes for the government. This was known because so many men who had served in Unit 8200 went on to start companies specializing in cryptography (coding information so that no unauthorized personnel can know what the data is). But it is unusual for a code-cracking organization to admit to deciphering someone's code. Perhaps the Iranians stopped using the code in question, or perhaps the Israelis just wanted to scare the Iranians. Israel is very concerned about Iran getting nuclear weapons, mainly because the Islamic conservatives that control Iran have as one of their primary goals the destruction of Israel. In response to these Iranian threats, Israel has said that it will do whatever it takes to stop Iran from getting nukes. This apparently includes doing the unthinkable (for a code cracking outfit): admitting that you had successfully taken apart an opponent's secret code.

Israel is trying to convince Iran that a long-time superiority in code-breaking is now accompanied by similarly exceptional hacking skills. Whether it's true or not, it's got to have rattled the Iranians. The failure of their counterattacks can only have added to their unease.

prentice crawford

  • Guest
Re: Cyberwar and American Freedom
« Reply #59 on: September 05, 2011, 12:47:56 AM »
AMSTERDAM — The Dutch government said on Sunday it was investigating whether Iran may have been involved in hacking Dutch state websites after digital certificates were stolen.

Dutch Interior Ministry spokesman Vincent van Steen declined to say whether Iranian authorities in the Netherlands or Iran had been contacted, and said more details would be published in a letter to the Dutch parliament early next week.

But van Steen confirmed the veracity of a report by the Dutch news agency ANP saying the cabinet was looking into whether the Iranian government played a part in breaking into Dutch government websites.

Such web sites may no longer be safe after the digital theft of internet security certificates from Dutch IT company DigiNotar, the Interior Ministry said in a statement.

Officials at the Iranian embassy in The Hague were not immediately available for comment nor was there an immediate reply to emails asking for comment.

Google said in its security blog on August 29 that it had received reports of attacks on Google users, that "the people affected were primarily located in Iran," and that the attacker used a fraudulent certificate issued by DigiNotar.

DigiNotar's systems were hacked in mid-July and security certificates were stolen for a number of domains, DigiNotar and its owner, U.S.-listed VASCO Data Security International, said on August 30.

Relations between Iran and the Netherlands deteriorated early this year when a Dutch-Iranian woman was hanged in Iran in January and buried without her relatives being present. She had been arrested after taking part in demonstrations and accused of drug smuggling.

In April, the Iranian embassy in The Hague criticised the Dutch government after an Iranian asylum seeker who was being extradited set himself on fire in Amsterdam and died.


A certificate guarantees that a web surfer is securely connected with a website and not being monitored by someone else. Breaking into a secure link is known as a "man-in-the-middle attack."

The stolen certificates were immediately revoked after detection of the theft but one, for the site, was only "recently" revoked after a warning from the Dutch government, DigiNotar and VASCO said.

Internet security experts said it was possible the hacking originated from Iran and involved state support.

"This is the second batch of fraudulent security certificates in the last six months with questionable links to Iranian actors," said John Bumgarner, a cyber researcher and chief technology officer for the non-profit U.S. Cyber Consequences Unit.

"The certificates in question would not only allow a state actor to access the email and skype accounts of dissenters, but also install monitoring software on their computers," Bumgarner said.

Experts use the term "cui bono test" to know who could benefit from an act and be the perpetrator.

"The 'cui bono?' test suggests Iranian state involvement. No doubt the government of Iran will try to blame some hacker group, if they say anything at all," said Ross Anderson, Professor in Security Engineering at Cambridge University.

It was possible, Anderson said, that a government used hacker groups as auxiliaries but it was not likely that a small group would do a man-in-the-middle attack on its own.

"To use the forged certificate to do a man-in-the-middle attack on gmail, you need to be in a position to be the man in the middle, which means you usually have to be an internet service provider (ISP), or in a position to compel an ISP to do your bidding. That means proximity to government," he said.

U.S.-listed VASCO said in a statement on Saturday that it had invited the Dutch government to "jointly solve the DigiNotar incident" and offered staff to solve the problem.

DigiNotar and VASCO were not immediately available for comment on Sunday.



  • Administrator
  • Power User
  • *****
  • Posts: 55124
Re: Cyberwar and American Freedom
« Reply #60 on: September 05, 2011, 06:59:14 AM »

I suspect this thread is going to grow in importance as time goes by , , ,


  • Administrator
  • Power User
  • *****
  • Posts: 55124
Conficker Worm
« Reply #61 on: September 27, 2011, 03:43:49 PM »
The 'Worm' That Could Bring Down The Internet
September 27, 2011 — 9:13 AM
Mark Bowden is the author of several books, including Black Hawk Down, Killing Pablo: The Hunt for the World's Greatest Outlaw and Guests of the Ayatollah.
For the past three years, a highly encrypted computer worm called Conficker has been spreading rapidly around the world. As many as 12 million computers have been infected with the self-updating worm, a type of malware that can get inside computers and operate without their permission.
"What Conficker does is penetrate the core of the [operating system] of the computer and essentially turn over control of your computer to a remote controller," writer Mark Bowden tells Fresh Air's Terry Gross. "[That person] could then utilize all of these computers, including yours, that are connected. ... And you have effectively the largest, most powerful computer in the world."
The gigantic networked system created by the Conficker worm is what's known as a "botnet." The Conficker botnet is powerful enough to take over computer networks that control banking, telephones, security systems, air traffic control and even the Internet itself, says Bowden. His new book, Worm: The First Digital World War, details how Conficker was discovered, how it works, and the ongoing programming battle to bring down the Conficker worm, which he says could have widespread consequences if used nefariously.
"If you were to launch with a botnet that has 10 million computers in it — launch a denial of service attack — you could launch a large enough attack that it would not just overwhelm the target of the attack, but the root servers of the Internet itself, and could crash the entire Internet," he says. "What frightens security folks, and increasingly government and Pentagon officials, is that a botnet of that size could also be used as a weapon."
When Russia launched its attack on Georgia in 2008, Russian officials also took down communication lines and the Internet within Georgia. Egypt also took down its own country's Internet service during the uprisings last spring.
"It's the equivalent of shutting down the train system during the Civil War, where the Union troops and the Confederate troops used trains to shuttle arms and ammunition and supplies all over their area of control," says Bowden. "And if you could shut their trains down, you cripple their ability to function. Similarly, you could do that today by taking down the Internet."
The Conficker worm can also be used to steal things like your passwords and codes for any accounts you use online. Officials in Ukraine recently arrested a group of people who were leasing a portion of the Conficker worm's computers to drain millions of dollars from bank accounts in the United States.
"It raises the question of whether creating or maintaining a botnet is a criminal activity, because if I break into a safe at the bank using a Black & Decker drill, is Black & Decker culpable for the way I use the tool?" he says. "That's one of the tools you could use the botnet for. With a botnet of 25,000 computers, you could break the security codes for, you could raid people's accounts, you could get Social Security numbers and data — there's almost no commercial security system in place that couldn't be breached by a supercomputer of tens of thousands."
After Conficker was discovered in 2008 at Stanford, it prompted computer security experts from around the world to get together to try to stop the bot. The volunteer group of experts, which called itself the Conficker Working Group, also tried to get the government involved with their efforts. But they soon discovered that the government didn't have a very good understanding of what the worm could do.
"[They] began reaching out to the NSA [National Security Agency] and [the Pentagon] to see if they would be willing to loan their computers [to help them], and what [they] discovered was that no one in the government understood what was happening," says Bowden. "There was a very low level of cyberintelligence, even at agencies that ought to have been very seriously involved, who were responsible for protecting the country, its electrical grid, its telecommunications. These agencies lacked the sophistication not only to deal with Conficker, but even to understand what Conficker was."
At some point in early 2009, the Conficker Working Group learned that the Conficker worm could wreak havoc on April 1, 2009 — a date when the computers infected by Conficker would receive instructions from their remote-controlled operator.
"The assumption was that if Conficker was to do anything, that would be the day that it would be destructive to the Internet," says Bowden. "But on April 1, nothing happened."
The Conficker Working Group realized that the creator of Conficker had little interest in taking down the Internet or using its bot to create mass destruction.
"The people behind it apparently want to use it for criminal reasons — to make money," says Bowden.
But that doesn't mean that Conficker is controlled, says Bowden. No one knows yet who controls the worm or what its intentions might be.
"At any moment, Conficker could do something really threatening," he says. "[People fighting the bot] are trying to figure it out still. And every new day, as the worm makes its contacts, they generate long lists of computers that are infected — which still include big networks within the FBI, within the Pentagon, within large corporations. So they monitor it and keep track of where it's spread, and they're still working with the government to secure vital computer networks from botnets like Conficker."


  • Administrator
  • Power User
  • *****
  • Posts: 55124
« Reply #62 on: October 14, 2011, 04:26:12 AM »
A friend for whom I have high regard recommends this:


  • Administrator
  • Power User
  • *****
  • Posts: 55124
Bruce Schneier
« Reply #63 on: October 15, 2011, 11:42:41 AM »

               October 15, 2011

               by Bruce Schneier
       Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.


** *** ***** ******* *********** *************

In this issue:
      Three Emerging Cyber Threats
      Status Report: Liars and Outliers
      Official Malware from the German Police
      Domain-in-the-Middle Attacks
      Schneier News
      Insider Attack Against Diebold Voting Machines
      National Cybersecurity Awareness Month

** *** ***** ******* *********** *************

      Three Emerging Cyber Threats

Last month, I participated in a panel at the Information Systems Forum in Berlin.  The moderator asked us what the top three emerging threats were in cyberspace.  I went last, and decided to focus on the top three threats that are not criminal:

* The Rise of Big Data.  By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google.  They're collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government.  Big data is becoming a powerful industry, resisting any calls to regulate its behavior.

* Ill-Conceived Regulations from Law Enforcement.  We're seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime.  I'm thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity.  None of these will work, and they'll all make us less safe.

* The Cyberwar Arms Race.  I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons.  Arms races are fundamentally destabilizing, especially when their development can be so easily hidden.  I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust.  Plus, arms races are expensive.

That's my list, and they all have the potential to be more dangerous than cybercriminals.




  • Power User
  • ***
  • Posts: 20047
Re: Bruce Schneier
« Reply #64 on: October 15, 2011, 01:59:25 PM »
I don't mind Schneier when he sticks to what he knows, like cybersecurity.


  • Administrator
  • Power User
  • *****
  • Posts: 55124
Re: Cyberwar and American Freedom
« Reply #65 on: October 15, 2011, 05:40:32 PM »
So, what is off here with the other offerings?  I confess I haven't read them and simply posted them as a resource read.


  • Power User
  • ***
  • Posts: 20047
Re: Cyberwar and American Freedom
« Reply #66 on: October 15, 2011, 08:58:32 PM »
So, what is off here with the other offerings?  I confess I haven't read them and simply posted them as a resource read.

My complaint with Schneier is when he ventures into aviation security or other areas where he doesn't know what he is talking about.


  • Administrator
  • Power User
  • *****
  • Posts: 55124
WSJ: China and Russia spying
« Reply #67 on: November 04, 2011, 06:30:19 AM »

WASHINGTON—The U.S. government accused the Chinese of being the world's "most active and persistent" perpetrators of economic spying, an unusual move designed to spur stronger U.S. and international action to combat rampant industrial espionage threatening U.S. economic growth.

Russian intelligence agents also are conducting extensive spying to collect U.S. economic data and technology, according to a U.S. intelligence report released Thursday that concluded China and Russia are "the most aggressive collectors" of U.S. economic information and technology.

"The nations of China and Russia, through their intelligence services and through their corporations, are attacking our research and development," said U.S. counterespionage chief Robert Bryant.

Mr. Bryant spoke at a rare public event Thursday to roll out the report by his staff at the Office of the National Counterintelligence Executive. The report focuses on spying primarily for commercial and economic purposes, as opposed to national security. "This is a national, long-term, strategic threat to the United States of America," he said. "This is an issue where failure is not an option."

The bulk of this theft of U.S. corporate and economic secrets is carried out in cyberspace, where vast volumes of data can be stolen in seconds, according to U.S. intelligence officials. The spying campaigns have reached a crescendo, they said, as U.S. government and business operations have grown extraordinarily reliant on communication technology.

The U.S. is a prime target of economic espionage by countries like China and Russia that seek to build up their domestic industries with stolen technology and intellectual property from more advanced U.S. firms, officials say. The leading areas of theft are components of the U.S. economy: information technology, military technology, and clean-energy and medical technology.


It's illegal under U.S. law to steal corporate secrets from other companies, and there is less incentive for U.S. companies to pilfer from countries that are less developed.

Allies of the U.S. have also gotten in the game of stealing industrial secrets, the report said. It did not name those countries, but officials privately acknowledge that Israel and France have tried to steal U.S. secrets.

Thursday's report was unusual because it called out China and Russia by name as the top perpetrators of economic espionage, which is something U.S. officials have been reluctant to do for fear of harming diplomatic relations.

"When you hide these things, nobody does anything about them," said Alan Paller, director of research for the SANS Institute cybersecurity firm who also spoke at the rollout of the report.

A senior intelligence official said it was necessary to single out specific countries in order to confront the problem and attempt to contain a threat that has gotten out of control. Economic espionage is condoned by both China and Russia and is part of each country's national economic development policy, the official said.

The Chinese government is believed to have been behind a number of recent high-profile cyber attacks, including multiple hacks of Google Inc. and the EMC Corp.'s RSA unit, a security company that makes the numerical tokens used by millions of corporate employees to access their network.

Cyberattacks revealed earlier this year on Lockheed Martin Corp. and the International Monetary Fund are also believed to be traceable to China.

The threat will accelerate in the coming years and presents "a growing and persistent threat" to U.S. economic security, according to the intelligence report, which reflects the views of 14 U.S. intelligence agencies.

At the Chinese Embassy in Washington, spokesman Wang Baodong called the U.S. charges "unwarranted allegations" that were part of a "demonizing effort against China." The Russian Embassy didn't respond to requests to comment but has in the past denied allegations of cyberspying.

The U.S. government doesn't have calculations of the economic losses due to economic cyberespionage. The senior U.S. intelligence official cited estimates of $50 billion in losses in 2009 due to lost intellectual property and counterfeiting, through all means of theft, including cyber break-ins.

"If our research and development—$400 billion a year—is pilfered, frankly, it will destroy part of our economic viability in this country," Mr. Bryant said.

Industrial espionage poses a number of national-security threats to the U.S., including the risk that stolen military technology will be handed to hostile countries like North Korea or Iran, the intelligence report concluded.

Government-sponsored economic spying is growing, the senior official said. Officials wouldn't say, however, how much of the industrial spying is believed to be from government agents, though they said government, intelligence services, and private organizations and individuals all took part.

U.S. officials have confronted foreign counterparts with allegations of industrial espionage, the senior U.S. official said, but the official declined to provide an example or cite a particular country's government. More confrontations are necessary, the official said, to begin to curb the spying.

One proposal intelligence officials are considering is building the cyberattack equivalent of the National Counterterrorism Center, which merges terrorism data from intelligence agencies and state and local governments.

Write to Siobhan Gorman at



  • Administrator
  • Power User
  • *****
  • Posts: 55124
WSJ: Chinese Cyberspying
« Reply #68 on: December 12, 2011, 02:43:13 PM »
WASHINGTON—U.S. intelligence agencies have pinpointed many of the Chinese groups responsible for cyberspying in the U.S., and most are sponsored by the Chinese military, according to people who have been briefed on a U.S. intelligence investigation.

U.S. Air Force personnel work in the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado in a July 2010 file photo.

Armed with this information, the U.S. has begun to lay the groundwork to confront China more directly about its expansive cyberspying campaign. Two weeks ago, U.S. officials met with Chinese counterparts and warned China about the diplomatic consequences of economic spying, according to a former official familiar with the meeting.

The Chinese cyberspying campaign stems largely from a dozen groups connected to China's People's Liberation Army and a half-dozen nonmilitary groups connected to organizations like universities, said those who were briefed on the investigation. Two other groups play a significant role, though investigators haven't determined whether they are connected to the military.

In many cases, the National Security Agency has determined the identities of individuals working in these groups, which is a critical development that provides the U.S. the option of confronting the Chinese government more directly about the activity or responding with a counterattack, according to former officials briefed on the effort.

"It's actually a small number of groups that do most of the PLA's dirty work," said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies who frequently advises the Obama administration. "NSA is pretty confident of their ability to attribute [cyberespionage] to this set of actors."

In early November, the U.S. chief of counterintelligence issued a report that was unusually blunt in accusing China of being the world's "most active and persistent" perpetrator of economic spying. Lawmakers have also become more vocal in calling out China for its widening campaign of cyberespionage.

Still, diplomatic considerations may limit the U.S. interest in taking a more confrontational approach because some U.S. officials are wary of angering China, the largest holder of U.S. debt. Chinese officials regularly dispute U.S. allegations of cyberspying, saying they are the victims, not the perpetrators, of cybercrime and cyberespionage.

Identifying adversaries has been difficult because it is easy to fake identities and locations in cyberspace. An inability to tie cyberspying activities with precision to a certain actor has in the past limited the U.S.'s ability to respond because it is hard to retaliate or confront an unidentified adversary.

The U.S. government, led by the National Security Agency, has tracked the growing Chinese cyberspying campaign against the U.S. for decades. Past government efforts have had exotic names like "Titan Rain" and "Byzantine Hades."

More recently, NSA and other intelligence agencies have made significant advances in attributing cyberattacks to specific sources—mostly in China's People's Liberation Army—by combining cyberforensics with ongoing intelligence collection through electronic and human spying, Mr. Lewis said.

The U.S. investigation of China's activities is the latest round of spy-versus-spy in cyberspace.

The activity breaks down into cyberspying efforts by 20 groups with different attack styles that are responsible for most of the cybertheft of U.S. secrets, said the people briefed on the investigation. U.S. intelligence officials have given different classified code names to each group.

U.S. intelligence officials can identify different groups based on a variety of indicators. Those characteristics include the type of cyberattack software they use, different Internet addresses they employ when stealing data, and how attacks are carried out against different targets. In addition to U.S. government agencies, major targets of these groups include U.S. defense contractors, according to former officials.

Collectively, these groups employ hundreds of people, according to former officials briefed on the effort. That number is believed to be small compared to the estimated 30,000 to 40,000 censors the Chinese government is believed to employ to patrol the Internet.

prentice crawford

  • Guest
Re: Cyberwar and American Freedom
« Reply #69 on: December 13, 2011, 12:12:49 AM »
Reports Claim First-Ever Cyber Attack on US Utility
The first cyber attack on utility infrastructure may have finally arrived via a hacked SCADA system and a broken-down water pump in rural Illinois.

We’ve been reporting for years how linking the internet to grid communications and control technology could open the country’s utilities to cyber attack. On Friday came reports of what may be the first such hack to cause physical damage to the country’s electric, water or gas infrastructure -- a burned-out water pump at a small utility in Illinois.

That’s not such a big deal in terms of damage caused. But if the report is true, it indicates that nefarious actors may have strung together several key stages of security vulnerabilities to infiltrate, then take control of, a piece of automated utility infrastructure -- and that could be a very big deal indeed.

Here’s the story. Earlier this month, workers at a small utility in central Illinois found a problem with the SCADA industrial controls that manage their water system, including a damaged water pump. An investigation by an IT services company found that the SCADA system had been hacked into by a computer in Russia, according to Joe Weiss, managing partner of cybersecurity firm Applied Control Solutions in Cupertino, Calif.

Weiss, who cited a report he said came from the Illinois Statewide Terrorism and Intelligence Center (ISTIC), said that unknown hackers had taken over control of the SCADA system and turned the pump on and off until it burned out. The hackers had apparently stolen entry credentials from a company that makes software to access the SCADA system -- and Weiss said the same hackers could be planning future attacks using the same means and methods.

The U.S. Department of Homeland Security has told multiple news agencies reporting on this matter that it has no evidence that indicates there is a risk to utilities or public safety. Still, DHS and the FBI are investigating the matter.

Breaking Down the Risks

We need to wait for more facts to emerge on this murky matter. But there’s no getting around the fact that security is a major challenge for utilities that are seeking to secure legacy control systems that are being hooked up to the internet for the first time. Let’s break down the alleged SCADA hack in Illinois, and see how it could have happened, taking as examples some of the cybersecurity problems that have been identified for utilities over the past few years.

First, where could potential attackers have found the credentials they needed to access a utility SCADA system? One significant possibility is that the hackers took advantage of poor human management of security by fooling employees into turning over critical passwords or other credential information that they could exploit. That kind of “social engineering” is still a key concern for utility security, and requires employee training as much as software expertise to prevent.

Human failures can also open newly networked utility systems to remote attacks. Tom Parker, vice president at computer security firm FusionX, showed at a Black Hat conference in August how he could use simple code and Google searches to theoretically take control of a water treatment facility’s remote terminal units (RTUs), particularly when the RTUs are protected by the password “1234” -- the easiest password to guess besides the word “password” itself.

Even if SCADA system operators aren’t using idiotic passwords and are taking proper measures to protect their security credentials, there are harder-to-prevent ways to pull access and security data out of them. One scary possibility is that the hackers had accessed the utility’s SCADA system for months beforehand, and are currently worming their way into others, using more sophisticated cyber-intrusion tools.

Worming Into SCADA Systems?

Take Duqu and Stuxnet -- two words that are probably meaningless to most people, but which strike fear into SCADA system operators around the world. First came Stuxnet, a virus that is believed to have been targeting Iran’s nuclear materials program by infecting Windows computers and thence infiltrating SCADA systems built by Siemens, all with the goal of causing malfunctions in uranium enrichment centrifuge equipment.

It was just about a year ago that cybersecurity experts first discovered Stuxnet, but it’s believed that the virus may have been introduced years beforehand -- meaning that SCADA systems around the world may be carrying a version of it right now. While the hope is that the virus was targeting only Iranian centrifuges, the idea that similar viruses could use the same techniques to do more damage remains high on the list of concerns for smart grid cybersecurity experts.

More recently, those concerns have refocused on a computer virus known as Duqu. Whether or not it’s related to Stuxnet remains a point of contention, but it appears to operate in a similar way, by exploiting a vulnerability in Windows to lodge itself inside servers and collect data passing through them, which could allow for espionage or gathering security data for further exploitation.

The Duqu virus has been shifting around the world, from India to Europe, Africa and Indonesia (and reportedly back to Iran), as security experts seek to track it down and eliminate it. While no exploitation has been found in the utility industry as of yet, its ability to infect Windows machines should give it access to almost any industry out there.

Using Controls to Wreak Havoc

Unfortunately, once hackers have gotten access to a SCADA system, there are plenty of actions they can take to damage the system they’ve hijacked. Back in 2007, reports emerged of a DHS experiment that showed how the control system of gas-fired generator at the Department of Energy’s Idaho National Lab could be hacked in a way that destroyed the generator, using a mock-up of a typical power plant’s control system.

The U.S. utility industry has had four years since that demonstration to try to fix any similar vulnerabilities in their power plant controls systems, but it’s unclear if they’ve made much progress. The North American Electricity Reliability Council (NERC), an industry group in charge of setting critical infrastructure protection (CIP) guidelines for U.S. and Canadian utilities, has just this year begun auditing utilities on the compliance they’ve been self-reporting over the past few years.

NERC recently held a grid security exercise for utilities seeking to comply with its “critical infrastructure protection” program, which might provide some examples of the security precautions that are being tackled.

While outside attacks are the subject of much of our recent worries, it was an inside job that gave the world a sense of just how much havoc a SCADA system takeover could wreak. In 2000, a disgruntled former employee of a Queensland, Australia water treatment plant decided to remotely access the system and release millions of gallons of sewage into nearby streams and parks. Though he served two years in jail for the act, that didn’t stop it from happening.

To guard against these kinds of attacks, experts recommend multiple layers of security to detect and prevent such unusual and knowingly self-destructive commands. Preventing intrusion is the first line of defense, but stopping an attack in progress will be equally important. After all, the IT industry’s experience with hackers has shown that it’s almost impossible to anticipate all the clever ways hackers are working on their next exploits.

There’s little doubt that U.S. national security officials are worried about the potential threats that could come from connecting SCADA systems to the internet. Will utilities decide to cope with the threat by unplugging those systems, thus essentially turning back the clock on the smart grid? Or will they be able to manage the new security challenges that come along with the benefits of networking and integrating the grid? Looks like we’ll be talking a lot more about these subjects, thanks to a broken-down water pump in Illinois.

prentice crawford

  • Guest
Re: Cyberwar and American Freedom
« Reply #70 on: December 13, 2011, 12:27:48 AM »
This, along with a Sentinel stealth drone losing its satellite tether and gliding to a landing in Iran, might be of concern.

By Jason Ryan
Nov 16, 2011 8:11pm
US Satellites Compromised by Malicious Cyber Activity
On at least two occasions, hackers have taken over U.S. satellites and targeted their command-and-control systems, a report by the U.S.-China Economic and Security Review Commission revealed today.
The incidents involved two Earth observation satellites. While it may be difficult to trace who hacked the satellites, U.S. officials acknowledged the incidents had to come from a nation power.
U.S. officials cannot clearly trace the incidents to China, but the report released by the congressionally mandated commission noted that Chinese military writings made reference to attacks on ground-based space communications facilities.
“Chinese military writings advocate attacks on space-to-ground communications links and ground-based satellite control facilities in the event of a conflict. Such facilities may be vulnerable,” the report noted. “In recent years, two U.S. government satellites have experienced interference apparently consistent with the cyber exploitation of their control facility.”
The report noted that some of the malicious cyber activity targeting the satellites involved NASA’s Terra EOS satellite being targeted in June 2008 and again in October 2008. The June incident resulted in the satellite being interfered with for two minutes and the October incident lasted at least nine minutes.
The report noted that in both instances, “The responsible party achieved all steps required to command the satellite but did not issue commands.”
NASA confirmed in a separate statement: “NASA experienced two suspicious events with the Terra spacecraft in the summer and fall of 2008. We can confirm that there was no manipulation of data, no commands were successfully sent to the satellite, and no data was captured. NASA notified the Department of Defense, which is responsible for investigating any attempted interference with satellite operations.”
The report noted that the Landsat-7 satellite operated by the U.S. Geological Survey experienced similar interference and events in 2007 and 2008 but added that the entity behind that incident did not achieve the ability to control the satellite.

Artist's rendering of the Terra Satellite (source: NASA)

The report mentions the serious implications the intrusions could have on the satellite systems, particularly if they were directed against more sensitive systems such as military or communications satellites.
“If executed successfully, such interference has the potential to pose numerous threats, particularly if achieved against satellites with more sensitive functions. For example, access to a satellite’s controls could allow an attacker to damage or destroy the satellite,” the report read.
“The attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission,” the report added. “A high level of access could reveal the satellite’s capabilities or information, such as imagery, gained through its sensors. Opportunities may also exist to reconnoiter or compromise other terrestrial or space based networks used by the satellite.”

prentice crawford

  • Guest
Re: Cyberwar and American Freedom
« Reply #71 on: December 13, 2011, 12:30:55 AM »
Iran claims its experts almost done recovering data from captured US drone
Nasser Karimi, The Associated Press  Dec 12, 2011 13:45:00 PM

TEHRAN, Iran - Iranian experts are in the final stages of recovering data from the U.S. surveillance drone captured by the country's armed forces, state TV reported Monday.
Tehran has flaunted the capture of the RQ-170 Sentinel, a top-secret aircraft with stealth technology, as a victory for Iran and a defeat for the United States in a complicated intelligence and technological battle.
President Barack Obama said Monday that the U.S. was pressing Iran to return the aircraft, which U.S. officials say malfunctioned and was not brought down by Iran. But a senior commander of Iran's Revolutionary Guard said on Sunday that the country would not send it back, adding that "no one returns the symbol of aggression."
Iranian lawmaker Parviz Sorouri, a member of the parliament's national security and foreign policy committee, said Monday the extracted information will be used to file a lawsuit against the United States for what he called the "invasion" by the unmanned aircraft.
Sorouri also claimed that Iran has the capability to reproduce the drone through reverse engineering, but he did not elaborate.
State TV broadcast images Thursday of Iranian military officials inspecting what it identified as the drone. Iranian state media have said the unmanned spy aircraft was detected and brought down over the country's east, near the border with Afghanistan.
Officers in the Revolutionary Guard, Iran's most powerful military force, have claimed the country's armed forces brought down the surveillance aircraft with an electronic ambush, causing minimum damage to the drone.
American officials have said that U.S. intelligence assessments indicate that Iran neither shot the drone down, nor used electronic or cybertechnology to force it from the sky. They contend the drone malfunctioned. The officials spoke anonymously in order to discuss the classified program.
U.S. officials are concerned others may be able to reverse engineer the chemical composition of the drone's radar-deflecting paint or the aircraft's sophisticated optics technology that allows operators to positively identify terror suspects from tens of thousands of feet in the air.
They are also worried adversaries may be able to hack into the drone's database, although it is not clear whether any data could be recovered. Some surveillance technologies allow video to stream through to operators on the ground but do not store much collected data. If they do, it is encrypted.
Separately, in comments to the semi-official ISNA news agency, Sorouri said Iran would soon hold a navy drill to practice the closure of the strategic Strait of Hormuz at the mouth of the Persian Gulf, which is the passageway for about 40 per cent of the world's oil tanker traffic.
Despite Sorouri's comments and past threats that Iran could seal off the waterway if the U.S. or Israel moved against Iranian nuclear facilities, no such exercise has been officially announced.
"Iran will make the world unsafe" if the world attacks Iran, Sorouri said.
Neither the U.S. nor Israel has ruled out a military option against Iran's controversial nuclear program, which the West suspects is aimed at making atomic weapons. Iran denies the charge, saying its nuclear activities are geared toward peaceful purposes like power generation.
In another sign of the increasing tensions between Iran and the U.S., Tehran said Monday it has asked Interpol to help seek the arrest of two former U.S. officials it accuses of supporting the assassinations of Iranian officials.
Iran's state prosecutor, Gholamhossein Mohseni Ejehei, told reporters that Iran has filed charges against retired U.S. Army Gen. Jack Keane and former CIA agent Reuel Marc Gerecht.
Ejehei said Iran sent a request to Interpol in Paris to help pursue the two Americans through its office in Washington.
Iran says the two men urged the Obama administration to use covert action against Iran and kill some of its top officials, including Brig. Gen. Ghassem Soleimani commander of the Quds Force, the special foreign operations unit of the Revolutionary Guard.


  • Power User
Exclusive: Comedy of Errors Led to False ‘Water-Pump Hack’ Report
« Reply #72 on: December 13, 2011, 05:30:06 AM »

By Kim Zetter  November 30, 2011  |  5:54 pm  |  Categories: Cybersecurity, Hacks and Cracks
Jim Mimlitz on vacation in Russia last June with his wife and three daughters. Photo courtesy of Jim Mimlitz.

It was the broken water pump heard ’round the world.

Cyberwar watchers took notice this month when a leaked intelligence memo claimed Russian hackers had remotely destroyed a water pump at an Illinois utility. The report spawned dozens of sensational stories characterizing it as the first-ever reported destruction of U.S. infrastructure by a hacker. Some described it as America’s very own Stuxnet attack.

Except, it turns out, it wasn’t. Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.

Now, in an exclusive interview with Threat Level, the contractor behind that Russian IP address says a single phone call could have prevented the string of errors that led to the dramatic false alarm.

“I could have straightened it up with just one phone call, and this would all have been defused,” said Jim Mimlitz, founder and owner of Navionics Research, who helped set up the utility’s control system. “They assumed Mimlitz would never ever have been in Russia. They shouldn’t have assumed that.”

Mimlitz’s small integrator company helped set up the Supervisory Control and Data Acquisition system (SCADA) used by the Curran Gardner Public Water District outside of Springfield, Illinois, and provided occasional support to the district. His company specializes in SCADA systems, which are used to control and monitor infrastructure and manufacturing equipment.

Mimlitz says last June, he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.

Mimlitz, who didn’t mention to Curran Gardner that he was on vacation in Russia, used his credentials to remotely log in to the system and check the data. He also logged in during a layover in Germany, using his mobile phone.

“I wasn’t manipulating the system or making any changes or turning anything on or off,” Mimlitz told Threat Level.

But five months later, when a water pump failed, that Russian IP address became the lead character in a 21st-century version of a Red Scare movie.

Jim Mimlitz at the airport in Frankfurt, Germany, during a layover last June on his way to Russia. Courtesy of Jim Mimlitz.

On Nov. 8, a water district employee investigating the pump failure called in a contract computer repairman to check it out. The repairman examined the logs on the SCADA system and saw the Russian IP address connecting to the system in June. Mimlitz’s username appeared in the logs next to the IP address.

The water district passed the information to the Environmental Protection Agency, which governs rural water systems. “Why we did that, I think it was just out of an abundance of caution,” says Don Craven, a water district trustee. “If we had a problem we would have to report it to EPA eventually.”

But from there, the information made its way to the Illinois Statewide Terrorism and Intelligence Center, a so-called fusion center composed of Illinois State Police and representatives from the FBI, DHS and other government agencies.

Even though Mimlitz’s username was connected to the Russian IP address in the SCADA log, no one from the fusion center bothered to call him to ask if he had logged in to the system from Russia. Instead, the center released a report on Nov. 10 titled “Public Water District Cyber Intrusion” that connected the broken water pump to the Russian log-in five months earlier, inexplicably stating that the intruder from Russia had turned the SCADA system on and off, causing the pump to burn out.

“And at that point … all hell broke loose,” Craven said.

Whoever wrote the fusion center report assumed that someone had hacked Mimlitz’s computer and stolen his credentials in order to use them to hack into Curran Gardner’s SCADA system and sabotage the water pump. It’s not clear whether it was the computer repairman or the fusion center that first jumped to this conclusion.

A spokeswoman for the Illinois State Police, which is responsible for the fusion center, pointed the finger at local representatives of DHS, FBI and other agencies who are responsible for compiling information that gets released by the fusion center.

“We did not create the report,” said spokeswoman Monique Bond. “The report is created by a number of agencies, including the Department of Homeland Security, and we basically are just the facilitator of the report. It doesn’t originate from the [fusion center] but is distributed by the [fusion center].”

But DHS is pointing the finger back at the fusion center, saying if the report had been DHS-approved, six different offices would have had to sign off on it.

“Because this was an Illinois [fusion center] product, it did not undergo such a review,” a DHS official said.

The report was released on a mailing list that goes to emergency management personnel and others, and found its way to Joe Weiss, managing partner of Applied Control Solutions, who wrote a blog post about it and provided information from the document to reporters.

The subsequent media blitz identified the intrusion as the first real hack attack against a SCADA system in the U.S., something that Weiss and others in the security industry have been predicting would happen for years.

The hack was news to Mimlitz.

He put two and two together, after glancing through his phone records, and realized the Russian “hacker” the stories were referring to was him.

Teams from the FBI and DHS’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) subsequently arrived in Illinois to investigate the intrusion and quickly determined, after speaking with Mimlitz and examining the logs, that the fusion center report was wrong and should never have been released.

“I worked real close with the FBI and was on speakerphone with the fly-in team from CERT, and all of them were a really sharp bunch and very professional,” Mimlitz said.

DHS investigators also quickly determined that the failed pump was not the result of a hack attack at all.

“The system has a lot of logging capability,” Mimlitz said. “It logs everything. All of the logs showed that the pump failed for some electrical-mechanical reason. But it did not have anything to do with the SCADA system.”

Mimlitz said there was also nothing in the logs to indicate that the SCADA system had been turned on and off.

He cleared up another mystery in the fusion report as well. The report indicated that for two to three months prior to the pump failure, operators at Curran Gardner had noticed “glitches” in their remote access system, suggesting the glitches were related to the suspected cyber intrusion.

But Mimlitz said the remote access system was old and had been experiencing problems ever since it was modified by another contractor.

“They had made some modifications about a year ago that was creating problems logging in,” he said. “It was an old computer … and they had made network modifications that I don’t think were done correctly. I think that’s why they were seeing problems.”

Joe Weiss says he’s shocked that a report like this was put out without any of the information in it being investigated and corroborated first.

“If you can’t trust the information coming from a fusion center, what is the purpose of having the fusion center sending anything out? That’s common sense,” he said. “When you read what’s in that [report] that is a really, really scary letter. How could DHS not have put something out saying they got this [information but] it’s preliminary?”

Asked if the fusion center is investigating how information that was uncorroborated and was based on false assumptions got into a distributed report, spokeswoman Bond said an investigation of that sort is the responsibility of DHS and the other agencies who compiled the report. The center’s focus, she said, was on how Weiss received a copy of the report that he should never have received.

“We’re very concerned about the leak of controlled information,” Bond said. “Our internal review is looking at how did this information get passed along, confidential or controlled information, get disseminated and put into the hands of users that are not approved to receive that information. That’s number one.”

Additional reporting by Ryan Voyles in Illinois.
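The two Illinois posts above turn on the same log entry read two ways: a login from a Russian IP address under the integrator's own username, five months before the pump failed, with no control commands issued. The Python below is an added example, not code from either article, the water district or the fusion center, of the triage an analyst would run over such a log before writing a report. The log lines, the incident time, the account list and the GeoIP table are constructed for the example; the addresses are RFC 5737 documentation ranges, and the country labels attached to them are an assumed stand-in for a real geolocation lookup.

```python
"""Triage of SCADA remote-access log entries against a pump-failure time.
Added example; the log format, account list and GeoIP table are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress
from typing import List, Optional

HOME_COUNTRIES = {"US"}
WINDOW = timedelta(days=7)   # control activity this close to the failure is examined first (assumed)

# Constructed stand-in for a GeoIP lookup: documentation ranges, not real geolocation.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Accounts the district can vouch for (assumed): the integrator's support login and a staff operator.
KNOWN_ACCOUNTS = {"integrator": "SCADA integrator support", "operator1": "district staff"}

# Constructed log. Assumed format: "<ISO timestamp> <user> <source IP> <action> [detail ...]".
ACCESS_LOG = """\
2011-06-13T09:12:05 integrator 203.0.113.45 LOGIN ok
2011-06-13T09:12:40 integrator 203.0.113.45 READ history_chart well2
2011-06-13T09:20:11 integrator 203.0.113.45 LOGOUT
2011-06-18T14:02:30 integrator 198.51.100.7 LOGIN ok
2011-06-18T14:05:02 integrator 198.51.100.7 LOGOUT
2011-11-07T16:40:00 operator1 192.0.2.10 LOGIN ok
2011-11-07T16:41:15 operator1 192.0.2.10 WRITE pump3 START
2011-11-07T16:55:03 operator1 192.0.2.10 LOGOUT
"""

INCIDENT_TIME = datetime(2011, 11, 8, 3, 17)   # when the controller logged the pump fault (constructed)


@dataclass
class Session:
    user: str
    ip: str
    country: str
    start: datetime
    end: Optional[datetime] = None
    reads: List[str] = field(default_factory=list)
    writes: List[str] = field(default_factory=list)


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def parse_sessions(log: str) -> List[Session]:
    """Group LOGIN..LOGOUT lines into sessions keyed by (user, source IP),
    recording which commands in each session only read data and which wrote to equipment."""
    open_sessions, done = {}, []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, *detail = line.split()
        when, key = datetime.fromisoformat(ts), (user, ip)
        if action == "LOGIN":
            open_sessions[key] = Session(user, ip, country_of(ip), when)
        elif key in open_sessions:
            s = open_sessions[key]
            if action == "READ":
                s.reads.append(" ".join(detail))
            elif action == "WRITE":
                s.writes.append(" ".join(detail))
            elif action == "LOGOUT":
                s.end = when
                done.append(open_sessions.pop(key))
    done.extend(open_sessions.values())   # sessions that never logged out still count
    return done


def classify(session: Session, incident_time: datetime) -> str:
    """What the analyst should do with this session before anything goes into a report."""
    age = incident_time - session.start
    if session.writes and timedelta(0) <= age <= WINDOW:
        return "control_activity_near_incident"   # it touched equipment shortly before the fault
    if session.country not in HOME_COUNTRIES:
        if session.user in KNOWN_ACCOUNTS and not session.writes:
            return "confirm_with_account_owner"   # the one phone call
        return "unexplained_foreign_session"
    return "routine"


def intrusion_supported(sessions: List[Session], incident_time: datetime) -> bool:
    """True only if a session from outside HOME_COUNTRIES issued control writes within
    WINDOW before the failure. A read-only login months earlier under a known account,
    whatever its source country, does not support 'a remote actor broke the pump'."""
    return any(classify(s, incident_time) == "control_activity_near_incident"
               and s.country not in HOME_COUNTRIES for s in sessions)


def triage(log: str = ACCESS_LOG, incident_time: datetime = INCIDENT_TIME):
    """One row per session: user, IP, country, days before the incident, writes, disposition."""
    return [(s.user, s.ip, s.country, (incident_time - s.start).days, s.writes,
             classify(s, incident_time)) for s in parse_sessions(log)]


if __name__ == "__main__":
    for row in triage():
        print(row)
    print("remote intrusion supported:", intrusion_supported(parse_sessions(ACCESS_LOG), INCIDENT_TIME))
```

On the constructed log the two foreign sessions come out as "confirm_with_account_owner" (known account, reads only, 147 and 142 days before the fault), the one session that actually wrote to a pump is a domestic operator the day before, and `intrusion_supported` is False. The point is the ordering of the checks: proximity in time and presence of control commands are tested before source geography, so a foreign IP on its own never becomes a finding.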

prentice crawford

  • Guest
Re: Cyberwar and American Freedom
« Reply #73 on: December 13, 2011, 06:44:06 AM »
Woof GM,
 Ha! Good update. :lol:


  • Power User
Re: Cyberwar and American Freedom
« Reply #74 on: December 13, 2011, 06:47:00 AM »
Woof GM,
 Ha! Good update. :lol:

Even though that one wasn't an attack, the vulnerability of SCADA systems are a real concern.

prentice crawford

  • Guest
Drone tricked into landing?
« Reply #75 on: December 16, 2011, 04:17:34 PM »

Exclusive: Iran hijacked US drone, says Iranian engineer

In an exclusive interview, an engineer working to unlock the secrets of the captured RQ-170 Sentinel says they exploited a known vulnerability and tricked the US drone into landing in Iran.
By Scott Peterson, Payam Faramarzi* | Christian Science Monitor – 11 hrs ago
 Iran guided the CIA's "lost" stealth drone to an intact landing inside hostile territory by exploiting a navigational weakness long-known to the US military, according to an Iranian engineer now working on the captured drone's systems inside Iran.

Iranian electronic warfare specialists were able to cut off communications links of the American bat-wing RQ-170 Sentinel, says the engineer, who works for one of many Iranian military and civilian teams currently trying to unravel the drone’s stealth and intelligence secrets, and who could not be named for his safety.

Using knowledge gleaned from previous downed American drones and a technique proudly claimed by Iranian commanders in September, the Iranian specialists then reconfigured the drone's GPS coordinates to make it land in Iran at what the drone thought was its actual home base in Afghanistan.

"The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain."

The “spoofing” technique that the Iranians used – which took into account precise landing altitudes, as well as latitudinal and longitudinal data – made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.

The revelations about Iran's apparent electronic prowess come as the US, Israel, and some European nations appear to be engaged in an ever-widening covert war with Iran, which has seen assassinations of Iranian nuclear scientists, explosions at Iran's missile and industrial facilities, and the Stuxnet computer virus that set back Iran’s nuclear program.

Now this engineer’s account of how Iran took over one of America’s most sophisticated drones suggests Tehran has found a way to hit back. The techniques were developed from reverse-engineering several less sophisticated American drones captured or shot down in recent years, the engineer says, and by taking advantage of weak, easily manipulated GPS signals, which calculate location and speed from multiple satellites.

Western military experts and a number of published papers on GPS spoofing indicate that the scenario described by the Iranian engineer is plausible.

"Even modern combat-grade GPS [is] very susceptible” to manipulation, says former US Navy electronic warfare specialist Robert Densmore, adding that it is “certainly possible” to recalibrate the GPS on a drone so that it flies on a different course. “I wouldn't say it's easy, but the technology is there.”

In 2009, Iran-backed Shiite militants in Iraq were found to have downloaded live, unencrypted video streams from American Predator drones with inexpensive, off-the-shelf software. But Iran’s apparent ability now to actually take control of a drone is far more significant.

Iran asserted its ability to do this in September, as pressure mounted over its nuclear program.

Gen. Moharam Gholizadeh, the deputy for electronic warfare at the air defense headquarters of the Islamic Revolutionary Guard Corps (IRGC), described to Fars News how Iran could alter the path of a GPS-guided missile – a tactic more easily applied to a slower-moving drone.

“We have a project on hand that is one step ahead of jamming, meaning ‘deception’ of the aggressive systems,” said Gholizadeh, such that “we can define our own desired information for it so the path of the missile would change to our desired destination.”

Gholizadeh said that “all the movements of these [enemy drones]” were being watched, and “obstructing” their work was “always on our agenda.”

That interview has since been pulled from Fars’ Persian-language website. And last month, the relatively young Gholizadeh died of a heart attack, which some Iranian news sites called suspicious – suggesting the electronic warfare expert may have been a casualty in the covert war against Iran.

Iran's growing electronic capabilities
Iranian lawmakers say the drone capture is a "great epic" and claim to be "in the final steps of breaking into the aircraft's secret code."

Secretary of Defense Leon Panetta told Fox News on Dec. 13 that the US will "absolutely" continue the drone campaign over Iran, looking for evidence of any nuclear weapons work. But the stakes are higher for such surveillance, now that Iran can apparently disrupt the work of US drones.

US officials skeptical of Iran’s capabilities blame a malfunction, but so far can't explain how Iran acquired the drone intact. One American analyst ridiculed Iran’s capability, telling Defense News that the loss was “like dropping a Ferrari into an ox-cart technology culture.”

Yet Iran’s claims to the contrary resonate more in light of new details about how it brought down the drone – and other markers that signal growing electronic expertise.

A former senior Iranian official who asked not to be named said: "There are a lot of human resources in Iran.... Iran is not like Pakistan."

“Technologically, our distance from the Americans, the Zionists, and other advanced countries is not so far to make the downing of this plane seem like a dream for us … but it could be amazing for others,” deputy IRGC commander Gen. Hossein Salami said this week.

According to a European intelligence source, Iran shocked Western intelligence agencies in a previously unreported incident that took place sometime in the past two years, when it managed to “blind” a CIA spy satellite by “aiming a laser burst quite accurately.”

More recently, Iran was able to hack Google security certificates, says the engineer. In September, the Google accounts of 300,000 Iranians were made accessible by hackers. The targeted company said "circumstantial evidence" pointed to a "state-driven attack" coming from Iran, meant to snoop on users.

Cracking the protected GPS coordinates on the Sentinel drone was no more difficult, asserts the engineer.

US knew of GPS systems' vulnerability
Use of drones has become more risky as adversaries like Iran hone countermeasures. The US military has reportedly been aware of vulnerabilities with pirating unencrypted drone data streams since the Bosnia campaign in the mid-1990s.

Top US officials said in 2009 that they were working to encrypt all drone data streams in Iraq, Pakistan, and Afghanistan – after finding militant laptops loaded with days' worth of data in Iraq – and acknowledged that they were "subject to listening and exploitation."

Perhaps as easily exploited are the GPS navigational systems upon which so much of the modern military depends.

"GPS signals are weak and can be easily outpunched [overridden] by poorly controlled signals from television towers, devices such as laptops and MP3 players, or even mobile satellite services," Andrew Dempster, a professor from the University of New South Wales School of Surveying and Spatial Information Systems, told a March conference on GPS vulnerability in Australia.

"This is not only a significant hazard for military, industrial, and civilian transport and communication systems, but criminals have worked out how they can jam GPS," he says.

The US military has sought for years to fortify or find alternatives to the GPS system of satellites, which are used for both military and civilian purposes. In 2003, a “Vulnerability Assessment Team” at Los Alamos National Laboratory published research explaining how weak GPS signals were easily overwhelmed with a stronger local signal.

“A more pernicious attack involves feeding the GPS receiver fake GPS signals so that it believes it is located somewhere in space and time that it is not,” reads the Los Alamos report. “In a sophisticated spoofing attack, the adversary would send a false signal reporting the moving target’s true position and then gradually walk the target to a false position.”

The vulnerability remains unresolved, and a paper presented at a Chicago communications security conference in October laid out parameters for successful spoofing of both civilian and military GPS units to allow a "seamless takeover" of drones or other targets.

To “better cope with hostile electronic attacks,” the US Air Force in late September awarded two $47 million contracts to develop a "navigation warfare" system to replace GPS on aircraft and missiles, according to the Defense Update website.

Official US data on GPS describes "the ongoing GPS modernization program" for the Air Force, which "will enhance the jam resistance of the military GPS service, making it more robust."

Why the drone's underbelly was damaged
Iran's drone-watching project began in 2007, says the Iranian engineer, and then was stepped up and became public in 2009 – the same year that the RQ-170 was first deployed in Afghanistan with what were then state-of-the-art surveillance systems.

In January, Iran said it had shot down two conventional (nonstealth) drones, and in July, Iran showed Russian experts several US drones – including one that had been watching over the underground uranium enrichment facility at Fordo, near the holy city of Qom.

In capturing the stealth drone this month at Kashmar, 140 miles inside northeast Iran, the Islamic Republic appears to have learned from two years of close observation.

Iran displayed the drone on state-run TV last week, with a dent in the left wing and the undercarriage and landing gear hidden by anti-American banners.

The Iranian engineer explains why: "If you look at the location where we made it land and the bird's home base, they both have [almost] the same altitude," says the Iranian engineer. "There was a problem [of a few meters] with the exact altitude so the bird's underbelly was damaged in landing; that's why it was covered in the broadcast footage."

Prior to the disappearance of the stealth drone earlier this month, Iran’s electronic warfare capabilities were largely unknown – and often dismissed.

"We all feel drunk [with happiness] now," says the Iranian engineer. "Have you ever had a new laptop? Imagine that excitement multiplied many-fold." When the Revolutionary Guard first recovered the drone, they were aware it might be rigged to self-destruct, but they "were so excited they could not stay away."

* Scott Peterson, the Monitor's Middle East correspondent, wrote this story with an Iranian journalist who publishes under the pen name Payam Faramarzi and cannot be further identified for security reasons.
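The Los Alamos description above of a "sophisticated spoofing attack" that reports the true position and then gradually walks the receiver to a false one explains why a receiver cannot rely on its fixes alone. The following is an added example, not code from the Monitor article or from any drone or receiver it describes. It assumes positions expressed in a local east/north metre frame and uses a constant known velocity as a stand-in for an inertial navigation unit (INS); the track data is constructed. It shows the defender's point: a per-step speed plausibility check passes every spoofed fix because each step is only a few metres wrong, while a cumulative GPS-versus-INS divergence check raises an alert once the walk has accumulated.

```python
"""Cross-checking GPS fixes against dead reckoning to catch a "slow walk" spoof.

Added example; not from the article or any real navigation system.  Positions are
in a local frame (metres east/north), and a constant known velocity stands in
for what an INS would report.  All data below is constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Plausibility limits (assumed values chosen for the example).
MAX_SPEED_MPS = 60.0       # fastest speed this platform can physically fly
MAX_DIVERGENCE_M = 30.0    # allowed GPS vs. INS disagreement before alerting


@dataclass
class Fix:
    t: float  # seconds since start
    x: float  # metres east
    y: float  # metres north


def jump_check(fixes: List[Fix]) -> List[float]:
    """Naive detector: alert when consecutive fixes imply an impossible speed."""
    alerts = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            continue
        speed = math.hypot(cur.x - prev.x, cur.y - prev.y) / dt
        if speed > MAX_SPEED_MPS:
            alerts.append(cur.t)
    return alerts


def dead_reckon(start: Fix, velocity: Tuple[float, float], times: List[float]) -> List[Fix]:
    """Integrate a known velocity from the last trusted fix (stand-in for INS output)."""
    vx, vy = velocity
    return [Fix(t, start.x + vx * (t - start.t), start.y + vy * (t - start.t)) for t in times]


def divergence_check(gps: List[Fix], ins: List[Fix]) -> List[Tuple[float, float]]:
    """Alert when a GPS fix drifts too far from the independently reckoned position."""
    alerts = []
    for g, i in zip(gps, ins):
        d = math.hypot(g.x - i.x, g.y - i.y)
        if d > MAX_DIVERGENCE_M:
            alerts.append((g.t, round(d, 1)))
    return alerts


def build_track(spoof_start: int = 30, drift_mps: float = 2.0) -> List[Fix]:
    """Constructed track: 60 s flying east at 50 m/s.  From spoof_start onwards the
    reported fixes acquire an extra northward error of drift_mps each second, so
    every individual step is still only a couple of metres off."""
    fixes = []
    for t in range(61):
        y = drift_mps * (t - spoof_start) if t >= spoof_start else 0.0
        fixes.append(Fix(float(t), 50.0 * t, y))
    return fixes


def analyse() -> Dict[str, list]:
    """Run both detectors over the constructed track and return their alerts."""
    gps = build_track()
    ins = dead_reckon(gps[0], (50.0, 0.0), [f.t for f in gps])
    return {
        "jump_alerts": jump_check(gps),                    # [] : every step looks plausible
        "divergence_alerts": divergence_check(gps, ins),   # first alert at t=46 s, 32 m off
    }


if __name__ == "__main__":
    for name, alerts in analyse().items():
        print(f"{name}: {alerts[:3]}{' ...' if len(alerts) > 3 else ''}")
```

A real INS accumulates its own drift, so the divergence threshold has to be set against that error budget and the INS re-anchored only to fixes that have passed the check; the point the example makes is that the independent reference, not the smoothness of the GPS track, is what exposes the walk.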



  • Power User
  • ***
  • Posts: 20047
    • View Profile
Re: Drone tricked into landing?
« Reply #76 on: December 16, 2011, 04:21:07 PM »
This is very bad. I have no proof to back it up, but I suspect the big chicken-shaped country in Asia had a hand in this.


  • Administrator
  • Power User
  • *****
  • Posts: 55124
    • View Profile
Re: Cyberwar and American Freedom
« Reply #77 on: December 16, 2011, 04:34:31 PM »
PC:  Would you please move this to the Military Science thread?  TIA.



  • Administrator
  • Power User
  • *****
  • Posts: 55124
    • View Profile
Re: Cyberwar and American Freedom
« Reply #79 on: February 16, 2012, 11:20:34 AM »

For most of this year, Arab-Israeli tensions have been spilling off the streets and airwaves and onto the region's fiber optic cables. Citizen hackers on both sides have engaged in tit-for-tat raids on Israeli, Saudi and other regional computer networks. Stock exchanges, airlines, government offices and even hospitals have had their websites defaced or shut down. Credit-card numbers and personal emails have been stolen and posted on the Internet. One Israeli official has labeled the escalating cyber hostility "terrorism" and called for it to be dealt with as such.

It has not been terrorism. No one has died and, so far, nothing has blown up as a result. Indeed, most of the activity has involved the use of relatively commonplace hacker tools and techniques. This ongoing cyber "hacktivism" has, however, demonstrated three things that should cause nations to act.

First, the ease with which the hacktivists have been able to steal data and to shut down Web pages suggests that companies (and perhaps governments) in the region have not yet taken cyber security seriously. Governments in other regions (Asia, Europe, North America) have been educating, assisting and regulating companies to improve their cyber security. There has been a notable lack of such government activity in the Middle East, and that inactivity has opened the way for citizen hackers to cause the mischief we see today.

If the hackers turn their attention to disruption and destruction, as some have threatened, they are likely to find the controls for electric power grids, oil pipelines and precious water systems inadequately secured. If a hacker causes real physical damage to critical systems in that region, it could quickly involve governments retaliating against each other with both cyber and conventional weapons. Middle Eastern governments need to get their citizen hackers under control and better protect their own critical networks, or they will eventually be dragged into unwanted conflict.

Second, the Arab-Israeli hacker exchanges have demonstrated again the lack of any effective international organization to assist in preventing cyber crime and de-escalating tensions among nations in cyberspace. The Budapest Convention on Cyber Crime, which entered into force in July 2004 and has been ratified by more than 40 countries including the U.S., does require nations to assume responsibilities for any attacks that originate in their cyberspace.

But there is still no operations center that a nation can call to get another nation to stop its citizens (or servers in its country) from causing problems. Nations, if they talk at all about these cyber attacks, do so at 19th-century speed with embassies requesting assistance either in person or through a letter.

An international Cyber Risk Reduction Center could be modeled on the Nuclear Risk Reduction Center (NRRC), which I once led at the end of the Cold War. It was created in 1987 to link Washington and Moscow operation centers so the two superpowers could immediately talk with someone on the other side when there appeared to be a nuclear threat or an event that could lead to one. The success of the centers depended on the ability of the two sides to act quickly to stop their own risky activity once they learned about it from the other side.

Now Washington and Moscow are beginning to explore using their NRRC channels to discuss cyber concerns, but neither side yet has the authority or capability quickly to stop malicious cyber activity originating in their own nation. Moreover, there is no international counterpart center.

If, as happened last month, Saudi Arabia's stock market is again knocked offline by a cyber attack originating in Israel (or vice versa), the Saudis should be able to call an international center and seek assistance. Israel, as a member of the international center, should be able to act promptly to see the attack and shut it down. All of that should happen in a few hours. Implicit in such a system would be an "obligation to assist" other members of the international system and to identify and prosecute the culprits. Failure to assist should have consequences such as financial damages or even outside filtering of message traffic to search for attack programs.

The recent hacker exchange should also remind us that just as hacking could escalate to the use of conventional force in the Middle East, the reverse is also true. Bombing Iran, for example, could unleash an Iranian government cyber attack. Israelis say they could handle that, despite the recent evidence to the contrary. Unfortunately, much of the critical infrastructure in the U.S. is still not ready for a sophisticated nation-state cyber attack either.

Mr. Clarke, who served three presidents as a senior White House national security official, now serves on the board of the Middle East Institute. He is the author of "Cyber War: The Next National Security Threat and What to Do About It" (Ecco, 2010).


  • Power User
  • ***
  • Posts: 2321
    • View Profile
Cyber Security Act of 2012
« Reply #80 on: February 23, 2012, 05:27:41 AM »
Discussion of the Cyber Security Act of 2012, written by a former DHS general counsel.


  • Power User
  • ***
  • Posts: 2321
    • View Profile
« Reply #81 on: February 28, 2012, 06:57:32 AM »
In Attack on Vatican Web Site, a Glimpse of Hackers’ Tactics

SAN FRANCISCO — The elusive hacker movement known as Anonymous has carried out Internet attacks on well-known organizations like Sony and PBS. In August, the group went after its most prominent target yet: the Vatican.

The campaign against the Vatican, which did not receive wide attention at the time, involved hundreds of people, some with hacking skills and some without. A core group of participants openly drummed up support for the attack using YouTube, Twitter and Facebook. Others searched for vulnerabilities on a Vatican Web site and, when that failed, enlisted amateur recruits to flood the site with traffic, hoping it would crash, according to a computer security firm’s report to be released this week.

The attack, albeit an unsuccessful one, provides a rare glimpse into the recruiting, reconnaissance and warfare tactics used by the shadowy hacking collective.

Anonymous, which first gained widespread notice with an attack on the Church of Scientology in 2008, has since carried out hundreds of increasingly bold strikes, taking aim at perceived enemies including law enforcement agencies, Internet security companies and opponents of the whistle-blower site WikiLeaks.

The group’s attack on the Vatican was confirmed by the hackers and is detailed in a report that Imperva, a computer security company based in Redwood City, Calif., plans to release ahead of a computer security conference here this week. It may be the first end-to-end record of a full Anonymous attack.

Though Imperva declined to identify the target of the attack and kept any mention of the Vatican out of its report, two people briefed on the investigation confirmed that it had been the target. Imperva had a unique window into the situation because it had been hired by the Vatican’s security team as a subcontractor to block and record the assault.

“We have seen the tools and the techniques that were used in this attack used by other criminal groups on the Web,” said Amichai Shulman, Imperva’s chief technology officer. “What set this attack apart from others is it had a clear timeline and evolution, starting from an announcement and recruitment phase that was very public.”

The Vatican declined to comment on the attack. In an e-mail intended for a colleague but accidentally sent to a reporter, a church official wrote: “I do not think it is convenient to respond to journalists on real or potential attacks,” adding, “The more we are silent in this area the better.”

The attack was called Operation Pharisee in a reference to the sect that Jesus called hypocrites. It was initially organized by hackers in South America and Mexico before spreading to other countries, and it was timed to coincide with Pope Benedict XVI’s visit to Madrid in August 2011 for World Youth Day, an international event held every other year that regularly attracts more than a million Catholic youths.

Hackers initially tried to take down a Web site set up by the church to promote the event, handle registrations and sell merchandise. Their goal — according to YouTube messages delivered by an Anonymous figure in a Guy Fawkes mask — was to disrupt the event and draw attention to child sexual abuse by priests, among other issues.

The videos, which have been viewed more than 77,000 times, include a verbal attack on the pope and the young people who “have forgotten the abominations of the Catholic Church.” One calls on volunteers to “prepare your weapons, my dear brother, for this August 17th to Sunday August 21st, we will drop anger over the Vatican.”

Much as in a grass-roots lobbying campaign, the hackers spent weeks spreading their message through their own Web site and social sites like Twitter and Flickr. Their Facebook page called on volunteers to download free attack software and implored them to “stop child abuse” by joining the cause. It featured split-screen images of the pope seated on a gilded throne on one side and starving African children on the other. And it linked to articles about sexual abuse cases and blog posts itemizing the church’s assets.

It took the hackers 18 days to recruit enough people, the report says. Then the reconnaissance began. A core group of roughly a dozen skilled hackers spent three days poking around the church’s World Youth Day site looking for common security holes that could let them inside, the report says. Probing for such loopholes used to be tedious and slow, but the advent of automated tools made it possible for hackers to do this while they slept.

In this case, the scanning software failed to turn up any gaps. So the hackers turned to a brute-force approach — a so-called distributed denial-of-service, or DDoS, attack that involves clogging a site with data requests until it crashes. Even unskilled supporters could take part in this from their computers or smartphones.

“Anonymous is a handful of geniuses surrounded by a legion of idiots,” said Cole Stryker, an author who has researched the movement. “You have four or five guys who really know what they’re doing and are able to pull off some of the more serious hacks, and then thousands of people spreading the word, or turning their computers over to participate in a DDoS attack.”

Over the course of the campaign’s final two days, Anonymous enlisted as many as a thousand people to download attack software, or directed them to custom-built Web sites that let them participate using their cellphones. Visiting a particular Web address caused the phones to instantly start flooding the target Web site with hundreds of data requests each second, with no special software required, the report says.

On the first day, the denial-of-service attack resulted in 28 times the normal traffic to the church site, rising to 34 times the next day. Hackers involved in the attack, who did not identify themselves, said through a Twitter account associated with the campaign that the two-day effort succeeded in slowing the site’s performance and making the page unavailable “in several countries.” Imperva disputed that the site’s performance was affected and said its technologies had successfully siphoned the excess data away from the site.

Anonymous moved on to other targets, including an unofficial site about the pope, which the hackers were briefly able to deface.

Imperva executives say the Vatican’s defenses held up because, unlike Sony and other hacker targets, it invested in the infrastructure needed to repel both break-ins and full-scale assaults.

Researchers who have followed Anonymous say that despite its lack of success in this and other campaigns, recent attacks show the movement is still evolving and, if anything, emboldened. Threatened attacks on the New York Stock Exchange and Facebook last autumn apparently fizzled. But the hackers appeared to regain momentum in January after federal authorities shut down Megaupload, a popular file-sharing site.

In retaliation, hackers affiliated with Anonymous briefly knocked dozens of Web sites offline, including those of the F.B.I., the White House and the Justice Department. At one point, they were able to eavesdrop on a conference call between the F.B.I. and Scotland Yard.

“Part of the reason ‘Op Megaupload’ was so successful is that they’ve learned from their past mistakes,” said Gabriella Coleman, an associate professor at McGill University who has studied Anonymous. Professor Coleman said the hackers had been using a new tool to better protect their anonymity. “Finally people felt safe using it,” she said. “That could explain why it was so big.”

In recent weeks, Anonymous has made increasingly bold threats, at one point promising to “shut the Internet down on March 31” by attacking servers that perform switchboard functions for the Internet.

Security experts now say that a sort of open season has begun. “Who is Anonymous?” asked Rob Rachwald, Imperva’s director of security. “Anyone can use the Anonymous umbrella to hack anyone at anytime.”

Indeed, in the last six months, hackers have attacked everything from pornography sites to the Web portals of Brazilian airlines. And some hackers have been accused of trying to extort money from corporations — all under the banner of Anonymous.

“Anonymous is an idea, a global protest movement, by activists on the streets and by hackers in the network,” the hackers said through the Twitter account. “Anyone can be Anonymous, because we are an idea without leaders who defend freedom and promote free knowledge.”
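The report's account above of a flood that produced 28 and then 34 times normal traffic, with each participating phone sending hundreds of requests a second, is the kind of pattern a rate baseline catches. The following is an added example, not Imperva's tooling or the report's data. It assumes a simple `timestamp source method path` log line format and a known normal rate of four requests per minute, and the log lines are constructed with documentation (TEST-NET) addresses; the constructed flood comes out at roughly 45 times baseline, concentrated in three sources, which is exactly what a defender wants the alert to say.

```python
"""Request-rate baseline detection over web access logs.

Added example; not Imperva's product or the article's data.  The log line
format is assumed and the sample lines are constructed with TEST-NET addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Assumed line format: "<ISO-8601 UTC timestamp> <client ip> <method> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")


def bucket_by_minute(lines: List[str]) -> Dict[str, Counter]:
    """Group requests into one-minute buckets, counting requests per source."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = ts.replace(second=0).isoformat()
        buckets[key][m["src"]] += 1
    return buckets


def detect(lines: List[str], baseline_rpm: float,
           ratio_threshold: float = 5.0, top_n: int = 3) -> List[dict]:
    """Flag any minute whose request count reaches ratio_threshold x the known
    baseline, and name the sources contributing most to it."""
    alerts = []
    buckets = bucket_by_minute(lines)
    for key in sorted(buckets):
        total = sum(buckets[key].values())
        ratio = total / baseline_rpm
        if ratio >= ratio_threshold:
            alerts.append({
                "minute": key,
                "requests": total,
                "ratio": round(ratio, 2),
                "top_sources": buckets[key].most_common(top_n),
            })
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: two quiet minutes of four ordinary visitors each, then one
    minute in which three participants each send a request every second while a
    single legitimate visitor is also present."""
    lines = []
    quiet = {
        0: ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"],
        1: ["198.51.100.14", "198.51.100.15", "198.51.100.16", "198.51.100.17"],
    }
    for minute, hosts in quiet.items():
        for sec, host in enumerate(hosts):
            lines.append(f"2011-08-17T10:0{minute}:{sec:02d}Z {host} GET /register")
    for sec in range(60):
        for host in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
            lines.append(f"2011-08-17T10:02:{sec:02d}Z {host} GET /")
    lines.append("2011-08-17T10:02:30Z 198.51.100.20 GET /schedule")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log(), baseline_rpm=4.0):
        print(alert["minute"], alert["requests"], f"{alert['ratio']}x", alert["top_sources"])
```

The per-source breakdown is what turns a volume alarm into something actionable: in the constructed case three addresses account for 180 of 181 requests, so rate-limiting or diverting them leaves the one legitimate visitor in that minute unaffected.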


  • Power User
  • ***
  • Posts: 2321
    • View Profile
InterPol arrests 25 Anonymous hackers
« Reply #82 on: February 28, 2012, 07:02:39 PM »
Europe and South America.


  • Administrator
  • Power User
  • *****
  • Posts: 55124
    • View Profile
US outgunned by hackers
« Reply #83 on: March 29, 2012, 11:22:19 AM »
WASHINGTON—The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is "unsustainable.'' Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

His comments weren't directed at specific legislation but came as Congress considers two competing measures designed to buttress the networks for critical U.S. infrastructure, such as electrical-power plants and nuclear reactors. Though few cybersecurity experts disagree on the need for security improvements, business advocates have argued that the new regulations called for in one of the bills aren't likely to better protect computer networks.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.

"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,'' Mr. Henry said.

James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said that as gloomy as Mr. Henry's assessment may sound, "I am actually a little bit gloomier. I think we've lost the opening battle [with hackers].'' Mr. Lewis said he didn't believe there was a single secure, unclassified computer network in the U.S.

"There's a kind of willful desire not to admit how bad things are, both in government and certainly in the private sector, so I could see how [Mr. Henry] would be frustrated,'' he added.

High-profile hacking victims have included Sony Corp., which said last year that hackers had accessed personal information on 24.6 million customers on one of its online game services as part of a broader attack on the company that compromised data on more than 100 million accounts. Nasdaq OMX Group Inc., which operates the Nasdaq Stock Market, also acknowledged last year that hackers had breached a part of its network called Directors Desk, a service for company boards to communicate and share documents. HBGary Federal, a cybersecurity firm, was infiltrated by the hacking collective called Anonymous, which stole tens of thousands of internal emails from the company.

Mr. Henry has played a key role in expanding the FBI's cybersecurity capabilities. In 2002, when the FBI reorganized to put more of its resources toward protecting computer networks, it handled nearly 1,500 hacking cases. Eight years later, that caseload had grown to more than 2,500.

Mr. Henry said FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.

"We have found their data in the middle of other investigations,'' he said. "They are shocked and, in many cases, they've been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.''

Mr. Henry said that while many company executives recognize the severity of the problem, many others do not, and that has frustrated him. But even when companies build up their defenses, their systems are still penetrated, he said. "We've been playing defense for a long time. ...You can only build a fence so high, and what we've found is that the offense outpaces the defense, and the offense is better than the defense,'' he said.

Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn't realize they had been breached until someone else told them. The median number of days between the start of an intrusion and its detection was 416, or more than a year, he added.

In one such incident in 2010, a group of Chinese hackers breached the computer defenses of the U.S. Chamber of Commerce, a major business lobbying group, and gained access to everything stored on its systems, including information about its three million members, according to several people familiar with the matter.

In the congressional debate over cybersecurity legislation, the Chamber of Commerce has argued for a voluntary, non-regulatory approach to cybersecurity that would encourage more cooperation and information-sharing between government and business.

Matthew Eggers, a senior director at the Chamber, said the group "is urging policy makers to change the 'status quo' by rallying our efforts around a targeted and effective information-sharing bill that would get the support of multiple stakeholders and come equipped with ample protections for the business community."

The FBI's Mr. Henry said there are some things companies need to change to create more secure computer networks. He said their most valuable data should be kept off the network altogether. He cited the recent case of a hack on an unidentified company in which he said 10 years worth of research and development, valued at more than $1 billion, was stolen by hackers.

He added that companies need to do more than just react to intrusions. "In many cases, the skills of the adversaries are so substantial that they just leap right over the fence, and you don't ever hear an alarm go off,'' he said. Companies "need to be hunting inside the perimeter of their network," he added.

Companies also need to get their entire leadership, from the chief executive to the general counsel to the chief financial officer, involved in developing a cybersecurity strategy, Mr. Henry said. "If leadership doesn't say, 'This is important, let's sit down and come up with a plan right now in our organization; let's have a strategy,' then it's never going to happen, and that is a frustrating thing for me,'' he said.



  • Power User
  • ***
  • Posts: 2321
    • View Profile
How China Steals Our Secrets
« Reply #84 on: April 11, 2012, 12:46:52 PM »

"FOR the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.

It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), told Congress last week of an American company that had all of its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military’s Cyber Command, called the continuing, rampant cybertheft “the greatest transfer of wealth in history.”"


C-Kumu Dog

  • Power User
  • ***
  • Posts: 576
    • View Profile
Cyber Warfare: The next Cold War
« Reply #85 on: April 12, 2012, 12:32:15 AM »

Instead of military assaults, today's adversaries hire coders to create attacks that can run autonomously for years, says Stephen Lawton.
History books tell us that the Cold War ended in roughly 1991 after the dissolution of the Soviet Union. But today's security practitioners say the Cold War has simply morphed from a threat of armed conflict among major world powers into a battle of computer-savvy “troops” fighting from the comfort of offices.

Instead of countries spending billions of dollars to create new weapons, supply massive armies and spend millions of dollars (or rubles, francs or yuan) fighting conventional attacks against political, economic, religious or commercial foes, today's adversaries hire code-writers to create attacks that can run autonomously for years with little or no human intervention. By repurposing code to spawn new attacks, the cost of cyber warfare can be a fraction of the cost of a conventional war.

While China and Russia generally are considered by industry experts to be the leaders in state-sponsored cyber attacks against the United States, they are not the only countries to have sophisticated espionage infrastructures in place, says Richard Bejtlich, chief security officer at Alexandria, Va.-based Mandiant. Other nations with sophisticated capabilities include North Korea, Iran, France, Israel and, of course, the United States.

North Korea, Bejtlich says, uses technology against its neighbor, South Korea, and to make political statements against the West, generally resulting in attacks against the United States, he says. Iran primarily uses its cyber weaponry to suppress internal dissidents.

In the past, he says, U.S. politicians spoke in general terms about cyber attacks, choosing not to name those believed to be responsible. That all changed late last year when the Office of the National Counter Intelligence Executive released a report, “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace,” which specifically identified China and Russia as key participants. However, the report also said U.S. allies are actively involved.

“Certain allies and other countries that enjoy broad access to U.S. government agencies and the private sector conduct economic espionage to acquire sensitive U.S. information and technologies,” the report states. “Some of these states have advanced cyber capabilities.”

It cited four factors that will shape the cyber environment over the next three to five years. These are: a technological shift, including the use of smartphones, laptops and other internet-connected devices; an economic shift that changes the way corporations, government agencies and other organizations share storage, computing, networking and application resources; a cultural shift in the U.S. workforce, where younger employees mix personal and professional activities; and a geopolitical shift as globalization of the supply chain and worker access increase the ability for malicious individuals to compromise the integrity and security of computing devices.

Jared Carstensen, manager of enterprise risk services at Deloitte in Dublin, Ireland, likes to differentiate between cyber crime and cyber espionage because the end goals differ significantly. For an attack to be considered a cyber crime, he says, the adversary does so for financial gain. This typically includes attacks designed to obtain credit card or bank data. Cyber espionage, on the other hand, is designed to steal intellectual property, and/or disable or attack critical infrastructure. It often is performed for political purposes.

Spying has been around since the dawn of man, Carstensen says. Early tribes snooped on other tribes to learn where they found food. Today's sleuths also are looking for the same competitive advantage over their enemies – and even their allies.

In some countries, such as North Korea, students believed to have a propensity for math or technology are trained at an early age as cyber warriors. These academies provide the students with respectability and good pay. In China, for example, the Communist Party codified cyber warfare in 2010, and President Hu Jintao deemed cyber war a priority. Author and retired U.S. Marine Corps Lt. Col. William Hagestad says in an upcoming book that China bases its policies on the Art of War, Sun Tzu's doctrine written around 500 B.C., one of whose tenets is: Keep your friends close, but keep your enemies closer. Chinese officials, however, regularly deny they are involved in any cyber spying efforts.

In the United States, the military is also shifting its war strategy to further prioritize cyber efforts. The soldiers who pilot military drones over Pakistan and Afghanistan actually sit in control rooms at Creech Air Force Base in Nevada. This, Carstensen says, is not unlike cyber attackers who might work out of a hotel to conduct assaults.

However, the level of expertise of foreign cyber attackers varies widely from so-called script-kiddies, who download exploit software that is widely available on the internet, to experienced computer engineers who have either religious or political reasons for staging actions.

Some of these attacks are advanced persistent threats (APTs) that are designed to enter a computer system and perhaps sit dormant for a period of time. The intrusions are designed not to be noticed.

This tactic varies significantly from those of hacktivists, who attack websites with the expressed purpose of drawing attention to the site being breached. Some groups, such as Anonymous and LulzSec, have claimed credit for damage to sites they have compromised.

Unlike hacktivists, cyber spies are so concerned about flying under the radar that once they successfully enter a target system, they actually install security patches to ensure that other attackers are unable to access the system using the same vulnerability, says Daniel Teal, founder and chief technology officer of Austin, Texas-based CoreTrace and a former officer at the Air Force Information Warfare Center (AFIWC). By installing fixes, he says, the attacker will have the compromised systems all to themselves and will not have to worry about a sloppy rival alerting the IT manager that there has been a breach.
Admins might actually see their network performance improve while the attacker ensures that others are unable to infect the environment, Teal says. Because the attacker does not want to draw attention, they can simply leave a back door open so that the malware payload is not accidentally identified by the target network.

Toney Jennings, CEO of CoreTrace, adds that companies might have the equivalent of a “cyber atomic bomb” in the server that “is not doing anything bad today.” That bomb could be set off by an intruder at a later date, well after the initial breach took place. Additionally, he says companies purchasing mission-critical hardware should spot check the “guts” of the new systems, including all device drivers, for malicious code before putting them into production.
Most hardware and software today is developed outside U.S. controls, so ensuring it is safe is a good business practice. “It's a valid bit of paranoia,” Jennings says.

Underscoring this concern, an FBI presentation last year detailed how counterfeit Cisco Systems networking equipment originating in China – including network routers, switches, gigabit interface converters and WAN interface cards – was being sold in the United States. “Operation Cisco Raider” resulted in the recovery of 3,500 pirated network devices valued at $3.5 million, James Finch, assistant director of the FBI's cyber division, has said.

Teal says he once discovered, by accident, a malicious device driver for a keyboard he purchased for his daughter's computer. The driver was sending personal information off his home network. He contacted the system manufacturer, Hewlett-Packard, and discovered that the kernel driver was written by a third party. Further investigations by Teal and HP determined that the manufacturer was sending data off the network simply to ensure an internet connection – a task that easily could have been accomplished by sending random data bits without using personal information.

When Bejtlich was the director of incident response at General Electric, the company had an estimated half-million computers, and no shortage of defensive technologies and staff. Even still, he says, with the full resources of a sophisticated IT team and a corporate leader who recognized the need for IT security, the company still was unable to maintain 100 percent effectiveness against intruders or persistent threats.

And now, mobile and cloud
Mandiant's Bejtlich says that despite the best intentions of CISOs and IT staffs, it is nearly impossible to keep a network of 1,000 or more endpoints safe from outside attacks.

Today, Bejtlich says, IT staffs need to address not only the needs of a company's primary computer systems, but also non-standard systems, such as smartphones and other mobile devices. While cyber espionage is normally thought of as an attack against a large computer system, many corporate executives and engineers have confidential data on their devices that might be useful to attackers.

Companies that believe they are too small or insignificant to be targeted are wrong, and do not necessarily understand how and why attacks work, says Erin Nealy Cox, managing director and deputy general counsel at Stroz Friedberg LLC and a former federal prosecutor and assistant U.S. attorney. While technology firms are obvious targets for attackers after intellectual property, small companies may be considered stepping stones.

Cox says security education is essential in companies of all sizes. Large organizations with established policies and procedures need to educate their employees on a regular basis not only about sound computing practices, but also about data and office security policies. For example, she says employees need to be reminded not to insert thumb drives they find in the parking lot or those handed to them at a trade show into a company computer. Such devices could be plants with malware on them.
“Typically,” she says, “security comes at the price of convenience.”

Even data security companies can fall prey to sophisticated attacks, she says. Within the past year, there have been several online raids on companies that specialize in data security. The reasons for the success vary, she says, but it generally falls into the category of an exploit that was allowed because someone was not paying attention to details. It might have been faulty website code or a misconfigured network, but generally the vulnerabilities could have been caught.

Scott Crawford, research director for security and risk management at Enterprise Management Associates, with corporate headquarters in Boulder, Colo., agrees that companies of all sizes could be targets. While smaller entities might not provide the breadth of information that a multinational corporation offers, it still could have secrets worth stealing, he says.
Crawford views this kind of cyber theft, be it from a state-sponsored or industrial source, to be similar to espionage conducted during the Cold War. There could be value in stealing information, he says, but “you don't want to kill the market.” One purpose for this type of espionage is to build a country's or company's own ability to compete against existing players in the field.

If it costs $50 million to develop a product, but only $2 million to steal it, some will opt for the less costly approach. This is particularly true for emerging nations that might have technical resources, but are not necessarily competitive enough to develop their own intellectual property.

Defense is all about managing a company's or a country's risk, Crawford says. Some organizations look for fast fixes to potential weaknesses without fully understanding their risk profile or the impact of their actions. A layered approach to security is necessary.

Crawford also blames guidance or regulations that do not match the threat. The Payment Card Industry Data Security Standard (PCI DSS), for example, is prescriptive and specifies to security officers how to maintain compliance, but this is only a point in time, he says. A company's compliance “can be passé or irrelevant” immediately after passing the audit.
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed

C-Kumu Dog

Deibert, R. & Rohozinski, R. (2008). “Good for Liberty, Bad for Security? Global Civil Society and the Securitization of the Internet.” In Access Denied: The Practice and Policy of Global Internet Filtering, ed. Deibert R., Palfrey, J., Rohozinski, R., Zittrain, J. MIT Press.

The spectacular rise and spread of NGOs and other civil society actors over the past two decades is attributable in part to the emergence and rapid spread of the Internet, which has made networking among like-minded individuals and groups possible on a global scale.

But the technological explosion of global civil society has not emerged without unintended and even negative consequences. Just as progressive and social justice groups have made use of the Internet to advance global norms, so too have a wide variety of resistance networks, militant groups, extremists, criminal organizations, and terrorists. Whereas once the promotion of new information communications technologies (ICTs) was widely considered benign public policy, today states of all stripes have been pressed to find ways to limit and control them as a way to check their unintended and perceived negative public policy and national security consequences.


C-Kumu Dog

Has the ‘Cyber Pearl Harbor’ already happened?
« Reply #87 on: April 12, 2012, 05:02:40 AM »

Has the ‘Cyber Pearl Harbor’ already happened?

By Philip Ewing Monday, March 26th, 2012 10:54 am
Posted in Cyber Security

The Russians are picking our pockets, the Chinese are stealing our most vital secrets, and there’s nothing we can do about it – and it’s all going to get worse.

That was the basic conclusion after Friday’s Air Force Association cyber-conference, where speaker after speaker drove home the utter futility and helplessness of today’s cyber climate, all the while warning that the problem will only grow.

Richard Bejtlich, chief security officer for the info-security firm Mandiant, said 100 percent of the high-profile intrusions his company tracks were done with “valid credentials” – meaning the cyber bad-guys had been able to steal a real user’s login and password, obviating the need for more complex attacks.

The typical time between an intrusion and its discovery is 416 days, he said – down from two or three years – and the way most companies find out about them is when they get a visit from the FBI.

The publicly available malware in the so-called “cyber underground” is now so good that you can do a lot of damage without a dedicated team of code-writers coming up with their own stuff, speakers said. In fact, the much-discussed cyber attack against Georgia was carried out mostly with publicly known tools – “there was nothing sacred here,” said National Defense University iCollege chancellor Robert Childs.

Cyber-intrusions and compromise are so endemic, Bejtlich said, that many attackers don’t even bother with the wholesale vacuuming of information that used to characterize cyber-snooping. Now hackers go after very specific pieces of information, often data that is useless on its own, he said.

He described how a company had approached Mandiant befuddled that someone would want to steal a certain proprietary device, because it only worked in combination with a specific chemical formula owned by another company. Naturally, it wasn’t long before the second company discovered it was compromised, and also befuddled because its chemical formula would only be useful to someone who had information about the device manufactured by the first.

Online miscreants are also becoming more sophisticated at a strategic level, Bejtlich said: He described how they might target small companies that were merging with larger ones, to avoid trying to attack the bigger firm’s online security. Instead, by compromising a small company’s computer networks, the bad guys can then get into the new common network after a merger.

This can have profound financial as well as security implications, Bejtlich said – if you’re an aerospace giant and you want to acquire a small firm because its widget is worth $10 million, but then you discover it’s been cyber-stolen and no longer proprietary, the technology might only be worth $10,000, and that could put your shareholders and Wall Street in a bad mood.

And you can’t do anything about any of this. Government officials won’t talk about offensive cyber-attacks, so we can’t go there. Private sector clients in crisis with Mandiant often ask, how can we get back at these guys, or at least, can we destroy the data they’ve stolen, Bejtlich said.

“I’ve never seen somebody execute this, because of legal concerns,” he said. “The CEO says, ‘I wanna get these guys,’ but if there’s a lawyer in the room, what does he say? ‘Absolutely not.’”

Going after data that has been stolen from your network is like following a thief who has stolen your television and then breaking into his house to steal it back, Bejtlich said – “not authorized by our legal code.”

And the law can’t catch up with cyber, as we’ve seen so many times. And by the time the feds knock on your door to tell you about your compromise, it’s too late. And even though officials have been warning about cyber-dangers for more than a decade, the cyber-world has basically just been treading water this whole time, another speaker argued.

“I’ve been at this conference for 15 years,” said Jason Healey, an analyst with the Atlantic Council. He showed government reports warning of “computers at risk” from 1991 and before, and said although the technology involved has gotten much more advanced since then, the cyber doctrine, for lack of a better term, has not.

Healey argued that the U.S. can’t afford to keep being coy with China. It must build a coalition of cyber-victims and formally call out Beijing on the world stage, citing specific examples of Chinese hacking. Healey said Washington has never laid out its cyber-grievances in this way, and suggested that threatening to embarrass China might be one first step.

He also said the cyber-world must dispense with its worries over “attribution” – tracing the origins of attacks. Healey repeated the factoid that 178 countries were “involved” in the 2007 cyber-attack on Estonia: “Who cares?” he said. “That is completely meaningless.” In those situations, if the U.S. is affected, “the president needs to pick up the phone and call the Kremlin.”

(For what it’s worth, Bejtlich said the lines between Russian government and organized-crime cyber-mischief were so blurred as to be nonexistent. As for China, he said that if you want to know if you’ll be a cyber-target, see where your company falls on Beijing’s regular 5-year “industrial priorities” plans – it tracks very closely with hacking victims.)

An audience member’s question Friday crystallized all the speakers’ points at the cyber-conference: The much-feared “Cyber Pearl Harbor” has already happened, he said. Global cyber crime is more profitable than the drug trade.  America’s onetime technological advantage is gone; much of its intellectual property secrets have been stolen.

“People just haven’t realized it yet,” the questioner said.

It’s a depressing thesis, but from all the public statements about cyber-losses, it sounds plausible. Unless a true “Cyber Pearl Harbor” — in which bad guys knock out the power grid or the financial system or our telecommunications — happens tomorrow. Even if it doesn’t, Healey proposed a new set of parallels: A “Cyber-Vietnam,” i.e. a prolonged campaign, rather than a single sneak attack; or a “Cyber Battle of Britain,” in which the government appeals to — or impresses — private citizens for help in responding to a major crisis.

Can anything be done? Healey called for “cyber-mindedness,” for users to be that much more careful when they use the network, and for military cyber-units to study their forebears as airmen study MiG Alley or Operation Linebacker.

Maj. Gen. Suzanne Vautrinot, commander of the 24th Air Force, said military networks must be “proactive in defense,” able to monitor intrusions and irregularities and turn them against attackers. She showed the infamous clip of New York Giants bruiser Lawrence Taylor tackling Washington Redskins great Joe Theismann – crushing his leg and ending his career. That’s what cyber-defense has to be, she said.

Bejtlich left attendees with perhaps the most hopeful metaphor: The best organizations turn cyber-security “into a manageable situation,” he said – “they go from being a volunteer fire department to a continuous business process.”

In other words, governments and businesses must treat cyber-security like a chronic disease, a condition that will always be there, but can be managed and even suppressed. Bejtlich said if he could, he’d mandate that everyone did an inspection every 30 days to see where their networks were compromised, then act appropriately once discovering the details.

Turning to the inevitable cyber-football analogy, Bejtlich said defenders have to stop permitting attackers to complete touchdown passes every time. Instead they’ve got to pressure the quarterback and defend downfield, forcing attackers to try for field goals instead.

“The bad guys are going to complete passes, they’re going to compromise your systems, get to your data, try to aggregate it, encrypt it, exfiltrate it, and you want to prevent them from getting to the point of the extrusion,” he said. “If you have fast identification, fast containment, if you can get to them before they complete their mission, it may not matter as much that they’re in your system.”

That, it appears, is the best diagnosis we can hope for. Congress can’t act – which means it can’t pass its own laws or ratify a theoretical international cyber-treaty. If the military and government are getting better at cyber-defense, the private sector remains more or less on its own. Here’s how Twitter user @hal_999999999 put it in a response to @DoDBuzz on Friday:

“It’s the old west, the Roaring Twenties, and the Cold War all rolled into one, w/some wires and CPUs… We’re gonna have to earn it.”
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed


Re: Cyberwar and American Freedom
« Reply #88 on: April 12, 2012, 05:07:54 AM »
That's just depressing.

C-Kumu Dog

An Evaluation of Nation-State Cyber Attack Mitigation Strategies (w speaker)

Speaker: Kenneth Geers Naval Criminal Investigative Service (NCIS), Cooperative Cyber Defence Centre of Excellence (CCD CoE)

This presentation argues that computer security has evolved from a technical discipline to a strategic concept. The world's growing dependence on a powerful but vulnerable Internet — combined with the disruptive capabilities of cyber attackers — now threatens national and international security.

Strategic challenges require strategic solutions. The author examines four nation-state approaches to cyber attack mitigation.

•Internet Protocol version 6
•Sun Tzu's Art of War
•Cyber attack deterrence
•Cyber arms control

The four threat mitigation strategies fall into several categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations; arms control is a political/technical approach.

The Decision Making Trial and Evaluation Laboratory (DEMATEL) is used to place the key research concepts into an influence matrix. DEMATEL analysis demonstrates that IPv6 is currently the most likely of the four examined strategies to improve a nation's cyber defense posture.

There are two primary reasons why IPv6 scores well in this research. First, as a technology, IPv6 is more resistant to outside influence than the other proposed strategies, particularly deterrence and arms control, which should make it a more reliable investment. Second, IPv6 addresses the most significant advantage of cyber attackers today — anonymity.

Playlist Defcon 19:


Re: Cyberwar and American Freedom
« Reply #90 on: April 13, 2012, 05:38:11 AM »
Really good posts, Robert.


C-Kumu Dog

Re: Cyberwar and American Freedom
« Reply #91 on: April 13, 2012, 12:41:48 PM »
Thanks GM, interesting / scary stuff out there!
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed


Re: Cyberwar and American Freedom
« Reply #92 on: April 16, 2012, 05:57:56 PM »

You are posting some really good material about something that we may not like hearing but need to know.  Keep up the good work. 


PS:  Please feel free to interject simple practical asides for the simple-minded amongst us!

C-Kumu Dog

Re: Cyberwar and American Freedom
« Reply #93 on: April 17, 2012, 12:39:23 AM »
I'm not quite sure if this belongs in this thread or the Internet thread:

Services for fraudsters utilizing malware are not new – AV checkers, malware encryption and malware infection services have existed in the criminal underground market for several years.

However, recent research has indicated changes in service scope and price due to service convergence and demanding buyers.

What's new?

One-stop-shop - Trusteer Research came across a new group that besides offering infection services (for prices between 0.5 and 4.5 cents for each upload, depending on geography) also provides polymorphic encryption and AV checkers. This new one-stop-shop approach for malicious services is a natural evolution of the market – if the customers need to infect, then they also need to evade AV. Why not sell the whole package?

For Polymorphic encryption of malware instances they charge from $25 to $50 and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for one week and $100 for one month of service.

It’s a buyer market. Researchers also came across advertisements published by prospective buyers of infection services. The ad basically presets the buying price, how it is charged and the scope of the service:
• The advertiser pays only for unique uploads.
• The calculations will be conducted according to the advertiser's own Black Hole (exploit kit) stats module.
• The advertiser will pay in advance to the sellers with recommendations, i.e. those that have 1-10 "fresh" forum messages. Otherwise, the sellers will get paid afterwards.
• The domains are checked via a malware scan service website (scan4you) during the day. If the domain is recognized as blacklisted on anti-virus databases, the advertiser will automatically replace it with another.
• The final paid price depends on the percentage of infections:
  • $4.5 per 1,000 of traffic with 3% infections
  • $6 per 1,000 of traffic with 4% infections
  • $30 per 1,000 of traffic with more than 20% infections
In an attempt to stay competitive, we came across an ad by an encryption service provider that sold its service for $20 per file, and offered a money-back guarantee if it fails an AV checker.

C-Kumu Dog

Re: Cyberwar and American Freedom
« Reply #94 on: April 17, 2012, 12:47:54 AM »
5 page article:

Richard Clarke on Who Was Behind the Stuxnet Attack
America's longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing
By Ron Rosenbaum
Smithsonian magazine, April 2012,


1st page below

The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive...or awaiting further orders.

A great story, right? In fact, the world-changing “weaponized malware” computer worm called Stuxnet is very real. It seems to have been launched in mid-2009, done terrific damage to Iran’s nuclear program in 2010 and then spread to computers all over the world. Stuxnet may have averted a nuclear conflagration by diminishing Israel’s perception of a need for an imminent attack on Iran. And yet it might end up starting one someday soon, if its replications are manipulated maliciously. And at the heart of the story is a mystery: Who made and launched Stuxnet in the first place?

Richard Clarke tells me he knows the answer.

Clarke, who served three presidents as counterterrorism czar, now operates a cybersecurity consultancy called Good Harbor, located in one of those anonymous office towers in Arlington, Virginia, that triangulate the Pentagon and the Capitol in more ways than one. I had come to talk to him about what’s been done since the urgent alarm he’d sounded in his recent book, Cyber War. The book’s central argument is that, while the United States has developed the capability to conduct an offensive cyberwar, we have virtually no defense against the cyberattacks that he says are targeting us now, and will be in the future.

Richard Clarke’s warnings may sound overly dramatic until you remember that he was the man, in September of 2001, who tried to get the White House to act on his warnings that Al Qaeda was preparing a spectacular attack on American soil.

Clarke later delivered a famous apology to the American people in his testimony to the 9/11 Commission: “Your government failed you.”

Clarke now wants to warn us, urgently, that we are being failed again, being left defenseless against a cyberattack that could bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system.

“Are we as a nation living in denial about the danger we’re in?” I asked Clarke as we sat across a conference table in his office suite.

“I think we’re living in the world of non-response. Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial.”

As Clarke stood next to a window inserting coffee capsules into a Nespresso machine, I was reminded of the opening of one of the great espionage films of all time, Funeral in Berlin, in which Michael Caine silently, precisely, grinds and brews his morning coffee. High-tech java seems to go with the job.

But saying Clarke was a spy doesn’t do him justice. He was a meta-spy, a master counterespionage, counterterrorism savant, the central node where all the most secret, stolen, security-encrypted bits of information gathered by our trillion-dollar human, electronic and satellite intelligence network eventually converged. Clarke has probably been privy to as much “above top secret”-grade espionage intelligence as anyone at Langley, NSA or the White House. So I was intrigued when he chose to talk to me about the mysteries of Stuxnet.

“The picture you paint in your book,” I said to Clarke, “is of a U.S. totally vulnerable to cyberattack. But there is no defense, really, is there?” There are billions of portals, trapdoors, “exploits,” as the cybersecurity guys call them, ready to be hacked.

“There isn’t today,” he agrees. Worse, he continues, catastrophic consequences may result from using our cyberoffense without having a cyberdefense: blowback, revenge beyond our imaginings.

“The U.S. government is involved in espionage against other governments,” he says flatly. “There’s a big difference, however, between the kind of cyberespionage the United States government does and China. The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing [many believe that Chinese hackers gave Boeing secrets to Airbus]. We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco. [He believes Microsoft, too, was a victim of a Chinese cyber con game.] We don’t do that.”


C-Kumu Dog

Cracking Bin Laden's Hard Drives
« Reply #95 on: April 17, 2012, 10:48:00 PM »

Security experts detail how the government will attempt to unlock the "trove of information" on devices recovered during the raid on Osama bin Laden's residence.

By Mathew J. Schwartz    InformationWeek
May 05, 2011 06:38 PM
The weekend raid on Osama bin Laden's compound carried out by Navy SEALs and CIA paramilitary operatives reportedly recovered numerous data storage devices.
According to the New York Times, "the team found a trove of information and had the time to remove much of it: about 100 thumb drives, DVDs and computer disks, along with 10 computer hard drives and five computers. There were also piles of paper documents in the house."

An unnamed U.S. official told Politico that the Navy SEALs had recovered "the mother lode of intelligence," and that hundreds of people were already at work analyzing it at a secret base in Afghanistan.

"They're very likely to get a lot of really good, actionable intel off of these devices," since Osama bin Laden apparently had no direct connection to the Internet, said Greg Hoglund, CEO of security software and consulting firm HBGary, Inc., in a telephone interview. "So all of his work was done with outside couriers … and information that's coming and going is probably on thumb drives and DVDs, media like that," meaning that they likely stored important operational information.

According to Hoglund, the effort to recover Osama bin Laden's data likely started with--and was part of--the raid, in a process that's known as battlefield exploitation, which seeks to extract as much data as possible while in the field. That's because it's much easier to extract information from a computer that's still running. Even if a hard drive employs encryption, if the drive is still mounted, then it's vulnerable. Furthermore, if the team can take physical memory RAM snapshots of a live device, this can help crack any encryption.

Here's how the process works, said Rob Lee, a director at information security company Mandiant and a fellow at The SANS Institute, in a telephone interview: A military team will secure a location but not touch the computers. Next, computer experts--typically, contractors--traveling with the team come in and do a "clean takedown" of any machines. Little if any "deep dive" data analysis will be performed in the field, except perhaps some quick analysis in search of "low-hanging fruit," for example to note on a captured cell phone any phone numbers that the target recently called, or any recently sent emails. But the true payoff comes when intelligence analysts compare the captured data with "the hundreds of terabytes of data that they've already gathered over many years," for example to see how names, email addresses, and phone numbers match up.

The goal isn't just to recover data, but to rapidly understand its intelligence context. "Instead of standard forensics, the terminology is called media exploitation, and in the intel community, that word has a high value to it," said Lee. He said the practice dates from the start of the Iraq War.

Interestingly, both the data on the recovered devices as well as the devices themselves may provide valuable clues. That's because every USB storage device has its own serial number, which can be retrieved from any computer to which it's been connected. "You're able to track that USB device in every system it's touched," said Lee. That may help analysts better understand how the courier network operated, especially if the storage devices match up with previous PCs that they've encountered.

The raid on Osama bin Laden's compound reportedly lasted 38 minutes, and recent accounts suggest that the facility may have been secured relatively quickly. That would have left time for computer specialists to go to work.

"To process a computer that's in a running state, you're probably talking about 15 to 30 minutes," said HBGary's Hoglund. "A guy has a toolkit--a hardened briefcase, he sits down, plugs it in," and it provides him with a full view of what's on the RAM chips, and also allows him to image the hard drive. In addition, a subset of the information can be transmitted via VSAT--a very small, two-way satellite communications system--to intelligence analysts for immediate study.

What happens, however, if computers are powered off, as well as encrypted?

"If you're doing encryption on the drive properly, meaning you've done your research, looked at the solutions, you follow best practices, have a strong key, and don't have a weak passphrase, then it will probably never be decrypted. Because drive encryption done properly is extremely difficult, it ends up being a brute-force problem," said Hoglund.

To try and recover data in such situations, he said one standard practice is to remove the drives to an analysis facility that has crackers built using large arrays of field-programmable gate array chips. If a strong passphrase can be broken, that approach will do it within a week, or not at all. "It's like the event horizon--it's the threshold of tolerance," he said.

But given Osama bin Laden's use of couriers--who might not be computer-savvy, and who may have needed to operate from places like Internet cafes--"I wouldn't be surprised to find out that they weren't using any type of encryption," said Hoglund.

"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed
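One way to do the USB-serial correlation Lee describes above, as an added example that is not part of the original post or the quoted article: it assumes each examined host's USBSTOR registry key has been exported into the constructed tab-separated format shown, with made-up hostnames and serials, and it also flags the Windows-generated instance ids that cannot be matched across machines.

```python
"""Correlate USB storage serials across examined hosts (added example, not from the
original post). Assumes each host's USBSTOR key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR)
was exported into the constructed "<host><TAB><subkey>" format of SAMPLE_EXPORT."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class UsbRecord(NamedTuple):
    host: str
    device: str      # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP
    serial: str      # vendor serial (first field of the instance id)
    trackable: bool  # False when Windows generated the id (device had no serial)


# Constructed sample export; hostnames and serials are made up.
SAMPLE_EXPORT = """\
LAPTOP-A\tUSBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\001CC0EC3487&0
LAPTOP-A\tUSBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001230416&0
DESKTOP-B\tUSBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\001CC0EC3487&0
DESKTOP-B\tUSBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2b3c4d5e&0&_&0
CAFE-PC-3\tUSBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\001CC0EC3487&0
"""
_LINE = re.compile(r"^(?P<host>[^\t]+)\tUSBSTOR\\(?P<device>[^\\]+)\\(?P<inst>[^\\]+)$")


def parse_export(text: str) -> List[UsbRecord]:
    """Parse export lines, skipping anything that is not a USBSTOR device instance."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        inst = m.group("inst")
        # Windows appends "&<port>" to the vendor serial, so the serial is the first field.
        # A device reporting no serial gets a Windows-made id with "&" as its second
        # character; such ids are per host and cannot be matched across machines.
        trackable = len(inst) > 1 and inst[1] != "&"
        records.append(UsbRecord(m.group("host"), m.group("device"), inst.split("&")[0], trackable))
    return records


def correlate(records: List[UsbRecord], shared_only: bool = False) -> Dict[str, List[str]]:
    """Map each trackable serial to the sorted hosts it touched; optionally keep only
    serials seen on more than one host, which are the courier-network links."""
    seen = defaultdict(set)
    for r in records:
        if r.trackable:
            seen[r.serial].add(r.host)
    return {s: sorted(h) for s, h in seen.items() if not shared_only or len(h) > 1}
```

Running `correlate(parse_export(SAMPLE_EXPORT), shared_only=True)` on the constructed data yields the single Kingston stick that touched all three hosts; the Generic device with a Windows-generated id is excluded because its id carries no vendor serial.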

C-Kumu Dog

JPL computers hacked repeatedly in 2010 and 2011, NASA report says
« Reply #96 on: April 23, 2012, 12:20:49 AM »

Hacker attacks have repeatedly penetrated NASA computers in the past, stealing user information from dozens of employees and gaining control over key networks at the Jet Propulsion Laboratory in La Cañada Flintridge, according to a federal report.

In written comments submitted to Congress this week, NASA Inspector General Paul K. Martin noted that between 2010 and 2011 the agency reported 5,408 computer security breaches, resulting in the spread of destructive software or unauthorized access to computer systems.

The inspector general also noted that NASA was victimized 47 times in 2011 by particularly stealthy and sophisticated attacks from well-funded sources hoping to steal or modify computers without detection. One such attack involved hackers from Chinese Internet addresses gaining access to networks at JPL.

Martin noted that intruders “gained full access to key JPL systems and sensitive user accounts,” allowing them to alter files, user accounts from mission-critical JPL systems and upload tools to steal user credentials. “In other words, the attackers had full functional control over these networks," Martin wrote.

In a 2009 attack, an Italian hacker appears to have gained access to a pair of computer systems supporting NASA's Deep Space Network, a series of powerful antennae operated by JPL and based partly in the Mojave Desert. NASA officials assured Martin that critical space operations weren’t at risk.

Martin said the agency was plagued by hackers with a variety of backgrounds: individuals trying to boost their skills by attempting to break into NASA computers; criminal groups mining information for profit; and possibly state-sponsored attacks from foreign countries. Suspects have been arrested in China, Estonia, Great Britain, Italy, Nigeria, Portugal, Romania and Turkey.

Martin testified before Congress on Wednesday, using the report to back his statements. He urged increased NASA vigilance regarding cyber-attacks, warned of the agency’s slow pace of encryption for laptops and mobile devices, and highlighted shortcomings in continuous security monitoring at NASA.

NASA spends more than $1.5 billion a year on information technology, including about $58 million for security, according to the report, which cautioned that those figures may not represent the full cost of expenditures because of the way the agency bundles funding.

C-Kumu Dog

Re: Anatomy of an Attack
« Reply #97 on: April 23, 2012, 02:02:27 PM »

Follow the link and it gives a high-level view of a spear-phishing attack.
Sometimes the term "high level" is misleading: it refers to a "simplistic" overview, while "low level" would actually get into the "nitty gritty details."

I can move this into the Internet thread if you like but this could also provide some insight to one of the many ways how penetration is achieved.


Re: Cyberwar and American Freedom
« Reply #98 on: April 23, 2012, 02:57:10 PM »
A brainiac cousin (MD from Harvard and PhD from Stanford) worked at JPL for a time and I have forwarded the JPL piece to him.

Robert, I am sure I am not alone in being glad for your contributions to this area. Please feel free to develop these themes as you think best. Your good subject line headings to facilitate search commands are additionally appreciated. Some other folks around here could do well to model this :-D


Re: Cyberwar and American Freedom
« Reply #99 on: April 23, 2012, 03:39:49 PM »
FWIW, I'd think any sort of hacking/computer crime would be best to post in this thread.