Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack, and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups: enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
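To make the automation point concrete, here is an added example, written for this page and not code from the original post or from any STIX tooling. It consumes a small indicator bundle in the JSON layout of the current STIX 2.1 specification (the 2015-era STIX 1.x was XML), reduces each indicator's pattern to field/value pairs, and matches them against proxy-style log records, which is the "aggregated and understood by others" step turned into a running control. The bundle, its identifiers, the indicator values and the log records are all constructed; `FIELD_MAP`, `parse_pattern`, `load_indicators` and `match_logs` are names chosen here. Only the simplest pattern form (equality comparisons, optionally joined by OR, inside one observation expression) is handled, and anything else is rejected rather than silently dropped.

```python
"""Consume a small STIX 2.1 indicator bundle and match it against log records.

Added example, not code from the original post or from any STIX library.
The bundle, the indicator values and the log records are constructed for
illustration; only the STIX 2.1 object layout and the bracketed
comparison-pattern syntax are real.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle with two indicators. The IP and domains are
# documentation/reserved values, not real indicators of compromise.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--2f6d5f9a-0f5e-4a22-9a2c-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9d2b3c4e-0000-4000-8000-000000000001",
            "created": "2015-06-01T00:00:00.000Z",
            "modified": "2015-06-01T00:00:00.000Z",
            "name": "Constructed C2 address",
            "pattern": "[ipv4-addr:value = '203.0.113.42']",
            "pattern_type": "stix",
            "valid_from": "2015-06-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9d2b3c4e-0000-4000-8000-000000000002",
            "created": "2015-06-01T00:00:00.000Z",
            "modified": "2015-06-01T00:00:00.000Z",
            "name": "Constructed phishing domains",
            "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']",
            "pattern_type": "stix",
            "valid_from": "2015-06-01T00:00:00Z",
        },
    ],
})

# Map STIX cyber-observable paths onto the field names of our own log records
# (assumed log schema).
FIELD_MAP = {
    "ipv4-addr:value": "dst_ip",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
}

_COMPARISON = re.compile(r"([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Reduce a simple STIX pattern to (observable path, value) pairs.

    Only equality comparisons joined by OR inside a single observation
    expression are supported; anything else raises so it is never ignored.
    """
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    terms = [t.strip() for t in re.split(r"\s+OR\s+", body[1:-1])]
    pairs = []
    for term in terms:
        m = _COMPARISON.fullmatch(term)
        if not m:
            raise ValueError(f"unsupported comparison: {term}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def load_indicators(bundle_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {indicator id: [(log field, value), ...]} for usable indicators."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        pairs = [(FIELD_MAP[path], value)
                 for path, value in parse_pattern(obj["pattern"])
                 if path in FIELD_MAP]
        if pairs:
            out[obj["id"]] = pairs
    return out


def match_logs(indicators, records):
    """Return (record index, indicator id) for every record hitting an indicator."""
    hits = []
    for idx, rec in enumerate(records):
        for ind_id, pairs in indicators.items():
            if any(rec.get(field) == value for field, value in pairs):
                hits.append((idx, ind_id))
    return hits


# Constructed proxy/firewall log records.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "domain": "intranet.example"},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.42", "domain": "update.example"},
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.20", "domain": "worse.example"},
]

if __name__ == "__main__":
    for idx, ind_id in match_logs(load_indicators(STIX_BUNDLE), SAMPLE_RECORDS):
        print(f"record {idx} matched {ind_id}")
```

The deliberate design choice is to fail loudly on pattern syntax the matcher does not understand: a feed that mixes richer patterns (`AND`, `FOLLOWEDBY`, `MATCHES`) would otherwise be partially applied while the control appears to be running.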

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.

3,110 Comments

  1. Tomi Engdahl says:

    Tech giants gang up on Obama over encryption key demands
    C’mon, Barry. Quit trying to kick down our front doors
    http://www.theregister.co.uk/2015/06/10/obama_encryption_letter/

    10 Jun 2015 at 00:02, Shaun Nichols

    A pair of technology industry pressure groups have sent a letter to President Obama asking his administration to back off demands that companies give government agencies the ability to decrypt all user data.

    In the letter [PDF], the Information Technology Industry Council (ITIC) and the Software and Information Industry Association (SIIA) ask the President to curb the NSA from demanding that companies hand over decryption keys or require them to otherwise weaken their encryption.

    “We are opposed to any policy actions or measures that would undermine encryption as an available and effective tool,” the groups write. “Encryption is an essential asset of the global digital infrastructure, enabling security and confidentiality for transactions as well as assurances to individuals that their communications are private and information is protected.”

    The companies have drawn criticism from the US federal government – and law enforcement and intelligence agencies, in particular – which want the ability to decrypt the data from any user device when conducting investigations.

    The groups argue that if customers knew that companies could be forced to hand over decryption keys to the government, they could start looking elsewhere for their technology needs, including outside the US.

    “In addition to these security and trust concerns, the US policy position on encryption will send a signal to the rest of the world. Should the US government require companies to weaken encryption technology, such requirements will legitimize similar efforts by foreign governments,” the groups write. “This would threaten the global marketplace as well as deprive individuals of certain liberties.”

    Reply
  2. Tomi Engdahl says:

    United Airlines accounts open to mass lock-outs
    Web pests can inundate carrier’s call centre
    http://www.theregister.co.uk/2015/06/10/united_airlines_accounts_open_to_mass_lockouts/

    A simple brute-force attack is all that’s needed to lock users out of their frequent flyer accounts.

    However, in spite of the discovery, by WorldMate security officer Yosi Dahan, being disclosed under the airline’s bug bounty in March, the researcher is complaining that United isn’t responding to him.

    Dahan says the airline has not responded to his disclosure under its bug bounty launched March.

    The Israeli hacker told El Reg someone could force scores of United Airline customers to call the airline’s call centres by enumerating MileagePlus account numbers and launch brute-force password guessing.

    “An attacker can generate a targeted attack against UA in which he will be able to lock all the accounts related to the MileagePlus program by generating a user ID and random pin codes combined of four numbers, or some random passwords,” Dahan says.

    “In order to unlock and reset the password of the locked account, a user would have to call the support center.

    “With a simple script, an attacker can generate any account ID in the form of AA000000, for example: AA000001, AA000002 until he reaches ZZ999999.”

    Dahan says accounts are locked after four incorrect attempts and can only be unlocked after a phone call to an airline operator.

    Reply
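The lockout described in this post is a classic denial-of-service lever: a hard lock after four failures means anyone who can enumerate account IDs can lock everyone out and flood the call centre. As an added example (not code from the article, the researcher or the airline), the Python below sketches the throttling policy a login service can use instead: per-account delays that grow but are always temporary, per-source throttling, and an alert when one source fails against many distinct accounts, which is exactly the enumeration pattern quoted above. All thresholds, the names (`LoginThrottle`, `Decision`, `run`) and the simulated attempt sequence are assumptions constructed for illustration.

```python
"""Login throttling that resists account-lockout denial of service.

Added example, not code from the article or from the airline. Instead of a
permanent lock after N failures, failures are counted in a sliding window,
each account gets a short, doubling, capped delay, each source address is
throttled, and a source that fails against many distinct accounts is flagged.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Set

WINDOW = 600.0        # seconds over which failures are counted (assumed)
ACCOUNT_FAILS = 4     # failures before a per-account delay starts (assumed)
BASE_DELAY = 30.0     # first per-account delay; doubles per extra failure
MAX_DELAY = 900.0     # cap: 15 minutes, never a permanent lock
SOURCE_FAILS = 20     # failures per source per window before it is throttled
ENUM_ACCOUNTS = 10    # distinct accounts failed from one source -> alert


@dataclass
class Decision:
    allowed: bool
    reason: str
    retry_after: float = 0.0


@dataclass
class LoginThrottle:
    acct_fails: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    acct_delay_until: Dict[str, float] = field(default_factory=dict)
    src_fails: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    src_accounts: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    @staticmethod
    def _prune(q: Deque[float], now: float) -> None:
        """Drop failure timestamps that fell out of the sliding window."""
        while q and now - q[0] > WINDOW:
            q.popleft()

    def check(self, account: str, source: str, now: float) -> Decision:
        """Decide whether an attempt may proceed, before any password check."""
        self._prune(self.src_fails[source], now)
        if len(self.src_fails[source]) >= SOURCE_FAILS:
            return Decision(False, "source throttled", WINDOW)
        until = self.acct_delay_until.get(account, 0.0)
        if now < until:
            return Decision(False, "account delay", until - now)
        return Decision(True, "ok")

    def record(self, account: str, source: str, success: bool, now: float) -> None:
        """Update counters after the password check; call only when check() allowed."""
        if success:
            self.acct_fails.pop(account, None)
            self.acct_delay_until.pop(account, None)
            return
        q = self.acct_fails[account]
        self._prune(q, now)
        q.append(now)
        if len(q) >= ACCOUNT_FAILS:
            extra = len(q) - ACCOUNT_FAILS
            self.acct_delay_until[account] = now + min(BASE_DELAY * 2 ** extra, MAX_DELAY)
        sq = self.src_fails[source]
        self._prune(sq, now)
        sq.append(now)
        self.src_accounts[source].add(account)
        if len(self.src_accounts[source]) == ENUM_ACCOUNTS:
            self.alerts.append(f"{source}: failures against {ENUM_ACCOUNTS} distinct accounts")


def run(throttle: LoginThrottle, attempts) -> Dict[str, int]:
    """Feed (account, source, success, time) tuples; return counts per decision reason."""
    counts: Dict[str, int] = defaultdict(int)
    for account, source, success, t in attempts:
        d = throttle.check(account, source, t)
        counts[d.reason] += 1
        if d.allowed:
            throttle.record(account, source, success, t)
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario: one source walks AA000001..AA000040 with wrong
    # passwords one second apart, then the real owner of AA000001 logs in.
    th = LoginThrottle()
    attempts = [(f"AA{n:06d}", "198.51.100.77", False, float(n)) for n in range(1, 41)]
    attempts.append(("AA000001", "10.1.2.3", True, 1000.0))
    print(run(th, attempts), th.alerts)
```

The key property is that no account can be locked by a stranger for longer than `MAX_DELAY`, while the enumeration alert gives the SOC something to act on; the per-source limit is only a speed bump, since an attacker can rotate sources, which is why the per-account cap and the alert carry the weight.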
  3. Tomi Engdahl says:

    CIA Cybersecurity Guru Dan Geer Doesn’t Use a Cell Phone
    http://www.wired.com/2015/06/cia-cybersecurity-guru-dan-geer-doesnt-use-cell-phone/

    Why doesn’t cybersecurity icon Dan Geer carry a cell phone? If he doesn’t understand how something works in detail, he says, he won’t use it. Yet he’s no Luddite: as chief information security officer at In-Q-Tel, the nonprofit venture arm of the CIA, Geer has one of the clearest views of the future of security technology. His personal vision? To put those technologies (as well as new laws and policies) to work in ways that governments and corporations around the world today are too feeble, dysfunctional, or corrupt to implement themselves.

    Geer argues that the EU’s “right to be forgotten” doesn’t go far enough, that software needs liability policies, and that governments should buy and disclose all zero-day vulnerabilities to prevent countries from stockpiling cyber weapons. Geer’s ideas (outlined in 10 points

    Dan Geer’s 10 Cybersecurity Best Practices
    http://www.wired.com/2015/06/dan-geers-10-cybersecurity-best-practices/

    Mandatory reporting for cybersecurity failures: Geer argues that organizations should be legally required to report failures above a certain level of severity.

    Two net neutrality options: Geer proposes that ISPs either charge whatever price they like based on their content and assume liability for any damage that content causes; or charge only for carrying the content and be free from liability, but give up right to inspect or alter the content.

    Require software liability: Software should be covered by product liability, Geer says

    Strike backs OK: When necessary, companies, individuals and governments should strike back against cyber attackers with counter attacks or campaigns to identify the target.

    Build resiliency into embedded systems: Computer systems that are embedded in larger systems should be designed so that people can shut them down remotely.

    Corner the world vulnerability market: Geer believes the U.S. should buy (from hackers) and disclose all “zero-day” vulnerabilities (unknown holes in software) to wipe out the world’s supply of cyber weapons.

    Make the “right to be forgotten” possible: The EU’s “right to be forgotten” doesn’t go far enough

    No Internet voting: Geer says online voting is a bad idea because the process and results are especially vulnerable to manipulation.

    Open source abandoned software: When software companies stop releasing updates for code, they should be required to make it open-source so that others can patch and update it.

    Create off-the-grid backup: As networks from municipal electric grids to government databases increasing rely on the Internet, they become more vulnerable to cyber attacks.

    Reply
  4. Tomi Engdahl says:

    Wassenaar Treaty Will Hamper Bug Bounties
    http://it.slashdot.org/story/15/06/09/2117240/wassenaar-treaty-will-hamper-bug-bounties

    If the proposed U.S. Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.

    Researchers are starting to speak out, not only about the rules’ broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license.

    Bug Bounties in Crosshairs of Proposed US Wassenaar Rules
    https://threatpost.com/bug-bounties-in-crosshairs-of-proposed-us-wassenaar-rules/113204

    Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward programs.

    The proposed U.S. rules for the Wassenaar Arrangement pose a real challenge for all sides of that equation.

    The rules are meant to curb the sale and trade of dual-use weapons, and in a computer security context, that means so-called intrusion software such as FinFisher and HackingTeam tools that are allegedly sold to and used by oppressive regimes to spy on citizens.

    Security researchers have voiced their concerns in the two weeks since the proposed rules were made public that the U.S. rules definition of intrusion software is too broad, and legitimate vulnerability research and proof-of-concept development will come under regulation.

    That means researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue, would have to apply for an export license in order to privately disclose their findings with the vendor in question. As a result, there will be occasions when a foreign researcher, for example, would have to share details on a zero-day with their government before the affected vendor.

    “There are lots of concerns from researchers if this gets implemented,”

    Reply
  5. Tomi Engdahl says:

    Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1
    http://tech.slashdot.org/story/15/06/09/2219211/internet-explorer-11-gains-http-strict-transport-security-in-windows-7-and-81

    Anyone using the Windows 10 preview has had a chance to use the HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1.

    HTTP Strict Transport Security comes to Internet Explorer 11 on Windows 8.1 and Windows 7
    http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/

    With today’s monthly security updates (KB 3058515), we’re bringing the protections offered by HSTS to Internet Explorer 11 on Windows 8.1 and Windows 7. HSTS is also available in both Internet Explorer 11 and Microsoft Edge on Windows 10.

    Site developers can use HSTS policies to secure connections by opting in to an HSTS preload list, which registers websites to be hardcoded by Microsoft Edge, Internet Explorer, and other browsers to redirect HTTP traffic to HTTPS. Communications with these websites from the initial connection are automatically upgraded to be secure. Like other browsers which have implemented this feature, Microsoft Edge and Internet Explorer 11 base their preload list on the Chromium HSTS preload list.

    Alternatively, sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP header. After an initial HTTPS connection from the client containing the HSTS header, any subsequent HTTP connections are redirected by the browser to be secured via HTTPS.

    Reply
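As an added example (not code from Microsoft's post or from any browser), the Python below models the client-side half of HSTS that the post describes: a Strict-Transport-Security header received over HTTPS records a policy for the host (max-age, optional includeSubDomains), a preload list seeds the cache, and later plain-HTTP URLs for covered hosts are rewritten to HTTPS. It also handles the edge cases a user agent must get right: the header is ignored when it arrives over plain HTTP, an expired policy no longer upgrades, and max-age=0 removes a policy. The class and function names (`HstsCache`, `parse_hsts`, `rewrite`) and the hostnames are assumptions.

```python
"""Client-side HSTS policy cache: parse Strict-Transport-Security, upgrade URLs.

Added example, not code from Microsoft's post or from any browser. Hostnames
are constructed. Preloaded entries are modelled as never expiring and as
covering subdomains, which is how preload submissions are normally made.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float           # absolute time after which the policy is forgotten
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse an STS header value; return None if it has no single valid max-age."""
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None        # duplicate or malformed max-age: ignore header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives (e.g. preload) are ignored, as the spec requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    def __init__(self, preload=()):
        self.policies: Dict[str, HstsPolicy] = {
            h.lower(): HstsPolicy(float("inf"), True) for h in preload
        }

    def observe(self, host: str, scheme: str, header: str, now: float) -> None:
        """Record a policy from a response; headers over plain HTTP are ignored."""
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        host = host.lower()
        if parsed["max_age"] == 0:
            self.policies.pop(host, None)   # max-age=0 tells the client to forget
            return
        self.policies[host] = HstsPolicy(now + parsed["max_age"], parsed["include_subdomains"])

    def _known(self, host: str, now: float) -> bool:
        """True if an unexpired policy covers host directly or via includeSubDomains."""
        host = host.lower()
        p = self.policies.get(host)
        if p and now < p.expires:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            p = self.policies.get(".".join(labels[i:]))
            if p and p.include_subdomains and now < p.expires:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when a known host is involved."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self._known(parts.hostname or "", now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:    # port 80 becomes the https default
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preload=["preloaded.example"])
    cache.observe("site.example", "https", "max-age=3600; includeSubDomains", 0.0)
    for u in ("http://www.preloaded.example/a", "http://api.site.example/v1", "http://other.example/"):
        print(u, "->", cache.rewrite(u, 10.0))
```

The reason a header over plain HTTP must be ignored is the one the post hints at: on an unencrypted connection an on-path attacker could inject any header, so the policy is only trustworthy once the first HTTPS connection has succeeded (or the host is preloaded).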
  6. Tomi Engdahl says:

    Ex-CIA Director: We’re Not Doing Nearly Enough To Protect Against the EMP Threat
    http://hardware.slashdot.org/story/15/06/10/0344245/ex-cia-director-were-not-doing-nearly-enough-to-protect-against-the-emp-threat

    Last week saw the release of an open letter written to President Obama by a committee of notable political, security and defense experts — which includes past and present members of Congress, ambassadors, CIA directors, and others — on the country’s concerning level of vulnerability to a natural or man-made Electro-Magnetic Pulse (EMP). An EMP has very real potential for crippling much of our electrical grid instantaneously. Not only would that immediately throw the social order into chaos, but the timeline to repair and restart the grid in most estimated scenarios would take months to a year or more.

    Former CIA Director: We’re Not Doing Nearly Enough To Protect Against The EMP Threat
    It’s a BIG risk. And we’re doing little about it.
    http://www.peakprosperity.com/podcast/92943/former-cia-director-were-not-doing-nearly-enough-protect-against-emp-threat

    An EMP has very real potential for crippling much of our electrical grid instantaneously. Not only would that immediately throw the social order into chaos, but the timeline to repair and restart the grid in most estimated scenarios would take months to a year or more. Those curious on learning exactly how devastating an EMP can be can read our report on the topic from last summer.

    What’s frightening in this story is not just the carnage an EMP could wreak, but the apparent rabid intransigence with which the electrical power lobby is fighting any responsibility for defending against one

    Chris Martenson: Now, we’ve had a commission to assess the threat to the United States from an EMP attack, which delivered a report back in 2008.

    Dr. Pry: Well, the short answer to that is it’s called the North American Electric Reliability Corporation. They used to be a trade association or a lobby for the 3,000 electric utilities that exist in this country. And, their relationship with the federal government, with the U.S. Federal Energy Regulatory Commission, is a 19th century-type relationship. There is no part of the U.S. government that has the legal powers to order them to protect the grid. This is unusual, because in the case of every other critical infrastructure, there’s an agency in the U.S. government that can require them to take actions for public safety.

    Ambassador Woolsey: And, when NERC is studying a problem, it doesn’t exactly operate at breakneck

    Dr. Pry: Sure. Interesting question, because there are different numbers, depending upon how much security you want to buy. One of my colleagues on the, who served on the EMP Commission, had a plan that would cost $200 million. That’s not billions, but millions with an ‘m’. Now, that would be a very minimalist plan, and it would just protect the extra high voltage transformers that service the major metropolitan areas. It would by no means—we would still be at a very high level of risk, but it would at least give us something like a fighting chance to save all those people in the big cities, in the hundred largest big cities from starving to death, if you just invested $200 million.

    Reply
  7. Tomi Engdahl says:

    Tom Maxwell / 9to5Google:
    Gmail for Android now has Oauth support for Yahoo and Microsoft accounts
    http://9to5google.com/2015/06/10/gmail-for-android-oauth-support-yahoo-microsoft-accounts/

    Google killed its stock email app in favor of Gmail with the release of Android 5.0 Lollipop, but they also made it possible to connect email accounts from other providers including Microsoft and Yahoo. Today they’ve gone ahead and added OAuth support for both of these third-party providers, which means increased security and added features including two-step verification and account recovery. The change will be rolling out to users over the next few days.

    OAuth is an open-source standard used for authorization by many large services including Twitter, PayPal, and a bevy of others. In layman’s terms OAuth is used by these service providers to give applications like Gmail for Android a token they can use to access a user account on company servers. It’s considered much safer than simply giving out email-password combinations to apps which could be targeted by outside attacks.

    Reply
  8. Tomi Engdahl says:

    Big Brother at the Wheel
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1326835&

    ‘A car is one’s second living room today,’ says Audi chief. ‘That’s private. The only person who needs access to the data onboard is the customer.’

    Nowadays, it’s almost impossible to judge whether a “space” is private or public, in light of the reality that whatever technology we carry constantly collects and sends out data from wherever we are — via smartwatch, smartphone or the system in the family car.

    “Is the data collected via autonomous cars considered ‘public domain,’ since it was obtained on public roads?”

    We’re all aware of the Orwellian nightmares about the possible impact on privacy of remote tracking in autonomous cars.

    On one hand, I suspect that monitoring, tracking and remotely controlling autonomous cars is probably a necessary evil for the safe operation of self-driving cars.

    On the other hand, I admit that I know little about legal grounds for collecting such data. Do I want Big Brother to know where I’ve been in an autonomous car? Is it OK for Big Brother to share that data with somebody, anybody, everybody? How will my passengers’ data be protected? What are the legal obligations for carmakers in the future?

    The Edward Snowden controversy aside, I’ve sensed lately that users, even in the United States, are more aware of the potential privacy complications of all their devices. But awareness doesn’t mean action. It could just be prelude to resignation.

    Reply
  9. Tomi Engdahl says:

    Data Privacy Playbook For Wearables And IoT
    http://www.informationweek.com/mobile/mobile-devices/data-privacy-playbook-for-wearables-and-iot/a/d-id/1320690

    Wearables and the Internet of Things raise significant consumer privacy issues that you need to prepare for now. We outline the key concerns with a primer on how to get your organization ready.

    The study specifically highlights the following privacy concerns:

    Social implications and the lack of awareness of the impact on the privacy of others: Devices may not only record a user’s activity, but also record the activities of those around the user.

    “Right to forget”: Users fear that when certain data are combined, they could have serious personal implications; users therefore want the data collected — with or without user consent or awareness — to be deleted.

    Implications of location disclosure: Users are concerned that their GPS location may be made available to malicious parties and criminals.

    Discrete display of confidential information: Confidential information displayed on smart watches may be viewable to other parties nearby.

    Lack of access control: Users fear that organizations and the government may use their personal data without their awareness or consent.

    Surveillance and sousveillance: Users fear continuous surveillance and sousveillance, not only as a matter of personal privacy, but also in light of the potential for criminal abuse.

    Privacy concerns for head-mounted devices: Users are concerned that head-mounted display (HMD) computers with cameras and microphones may impact their privacy and the privacy of others.

    Speech disclosure: Users express concerns about their speech being overheard or recorded by others.

    Surreptitious audio and video recording: Users are concerned that wearables with camera and audio input may record them discreetly without their knowledge.

    Facial recognition: Users are concerned that systems may recognize and identify them individually.

    Automatic synchronization with social media: Some users do not like the idea of their devices immediately synchronizing with social media applications and sharing their data without being able to control this sharing.

    Visual occlusion: Head-mounted displays that cover the user’s field of view disrupt the user’s ability to interact privately because vision is blocked.

    According to PwC’s report “Consumer Intelligence Series: The Wearable Technology Future,” 82% of respondents in the survey indicated that they are worried that wearable technology would invade their privacy. Eighty-six percent expressed concern that wearables would make them more prone to security breaches.

    On the legislative front, Congress and some federal agencies are investigating the practices of third-party consumer data collectors. The FTC has recommended that Congress pass a law giving consumers the right to have access to their personal data compiled by data brokers. Regulators may require data resellers to periodically provide consumers with free data reports.

    Reply
  10. Tomi Engdahl says:

    Kaspersky Lab cybersecurity firm is hacked
    http://www.bbc.com/news/technology-33083050

    One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers.

    Kaspersky Lab said it believed the attack was designed to spy on its newest technologies.

    It said the intrusion involved up to three previously unknown techniques.

    The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage.

    Although it acknowledged that the attackers had managed to access some of its files, it said that the data it had seen was “in no way critical to the operation” of its products.

    “Spying on cybersecurity companies is a very dangerous tendency,” said the company’s chief executive Eugene Kaspersky.

    “The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly.

    “We will always report attacks regardless of their origin.”

    Kaspersky Lab said that it had detected the breach in the “early spring”, and described it as “one of the most sophisticated campaigns ever seen”.

    The malware does not write any files to disk, but instead resides in affected computers’ memory, making it relatively hard to detect.

    Kaspersky linked the attack to the unidentified creators of an earlier Trojan named Duqu, which made headlines in 2011 after being used in attacks on Iran, India, France and Ukraine.

    As before, the hackers are said to have exploited Microsoft software to achieve their goal.

    “Duqu 2.0 seems to be the biggest [cybersecurity] news of the year so far – it’s major new malware from a major source,” said Mikko Hypponen, chief research officer at F-Secure.

    “But we have previously seen security companies used as a way to reach other targets.

    Reply
  11. Tomi Engdahl says:

    Kaspersky Lab investigates hacker attack on its own network
    https://blog.kaspersky.co.uk/kaspersky-statement-duqu-attack/

    I’ve got some bad news and some good news.

    The bad news

The bad news is that we discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it. We’ve called it Duqu 2.0. Why Duqu 2.0, and what does it have in common with the original Duqu? – See here.
    The good news – pt. 1: We uncovered it
    The good news – pt. 2: Our customers are safe

    Reply
  12. Tomi Engdahl says:

    Nude celeb iCloud hack: Feds seize Chicago man’s computers
    ‘Targeted attack’ traced back to IP address
    http://www.theregister.co.uk/2015/06/10/computers_seized_in_fbi_investigation_fappening/

    The FBI has seized the computers of a Chicago man in connection with the “Fappening” hack of Apple’s iCloud system, which saw celebrities’ nude photographs published online, a recently unsealed warrant has revealed.

    Photographs and videos of more than 100 celebrities were published online last August after an unspecified intrusion into the iCloud platform.

    The fruity folk claimed that iCloud accounts “were compromised by a very targeted attack on user names, passwords and security questions,” and not “from any breach in any of Apple’s systems”.

    Special Agent Josh Sadowsky, of the FBI’s Cybercrimes Unit, claimed in the affidavit that an IP address linked to one Emilio Herrera’s home “was used to access approximately 572 unique iCloud accounts”, between 31 May 2013, and 31 August 2014.

    Herrera, notably, has not been charged — nor, it seems, is he even considered a suspect.

    The FBI said that “the unique iCloud accounts were accessed 3,263 times”, and the Feds added that “a number” of these accounts belonged to “celebrities” involved in what the internet quickly dubbed “The Fappening”.

    As Gawker notes, someone capable of the reasonably sophisticated hack accessing their targets’ accounts using their own IP address raises questions.

    Reply
  13. Tomi Engdahl says:

    Undetectable NSA-linked hybrid malware hits Intel Security radar
    While Flash malware nastiness detections quadruple – we’re all clearly doomed
    http://www.theregister.co.uk/2015/06/09/nsa_firmware_sighted_ctb_ransomware/

    CTB Locker ransomware attacks rose 165 per cent in the first three months of 2015.

    More than a third (35 per cent) of victims were based in Europe, McAfee Labs reported. CTB Locker encrypts files and holds them hostage until the ransom is paid. As such, the crimeware is picking up the baton that dropped with the takedown of the infamous CryptoLocker ransomware scam in May last year.

    The latest edition of Intel Security’s report, released on Tuesday, reports attacks on firmware for the first time. More specifically, the report details “persistent and virtually undetectable attacks” by the so-called Equation Group that reprogram hard disk drives and solid state drive firmware.

    Although not identified as such by Intel Security, the Equation Group has been linked to elite units of the NSA, via confirmation by former staffers.

    “We at Intel take hybrid software-hardware threats and exploits seriously,” said Vincent Weafer, senior vice president, McAfee Labs.

    Lastly, the security firm’s research report flags up a flare-up of Adobe Flash exploits targeting unpatched vulnerabilities.
    Forty-two new Adobe Flash vulnerabilities were submitted to the National Vulnerability Database in Q1.

    Reply
  14. Tomi Engdahl says:

    Super Stuxnet’s SCADA slaves: security is atrocious
    153 computers, six SCADA systems, most C&C points to Iran
    http://www.theregister.co.uk/2015/06/11/super_stuxnets_scada_slaves_security_is_atrocious/

    Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet.

    Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery.

    Kleissner told a presentation at an information security conference in Vienna last week that half of all infections stem from Iran, where the super worm was first targeted.

    “The amount of unique identifiers basically equals to unique Stuxnet infections; it is safe to say that in 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet,” Kleissner says in the paper Internet Attacks Against Nuclear Power Plants [PDF].

    “It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system.”

    The infected boxes appear to be isolated puppets no longer being controlled by the United States attackers, but are nonetheless exposed to hijacking by anyone in control of those servers.

    “… any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infection,” Kleissner says.

    Reply
  15. Tomi Engdahl says:

    Fake Mobile Phone Towers Found To Be “Actively Listening In” On Calls In UK
    http://news.slashdot.org/story/15/06/10/2330233/fake-mobile-phone-towers-found-to-be-actively-listening-in-on-calls-in-uk

    More than 20 Stingray fake phone towers which can collect data from passing devices and listen in on calls have been discovered operating in the UK. The Metropolitan Police have refused to say who is controlling the IMSI catchers, also known as Stingrays.

    Fake mobile phone towers found to be ‘actively listening in’ on calls in UK
    http://www.independent.co.uk/news/uk/home-news/fake-mobile-phone-towers-found-to-be-actively-listening-in-on-calls-in-uk-10311525.html

    The IMSI catchers, also known as Stingrays, have been found to be operating in London, but the Metropolitan Police have refused to say who is controlling them or what is being done with the information they are gathering.

    The controversial surveillance technology, used by police forces around the world, is supposedly for catching criminals communicating by intercepting information on its way to the network.

    It tricks mobile phones into thinking the Stingrays are phone masts, so that handsets connect to the tower and all the data flowing through them is collected – but the masts are unable to distinguish between criminals and everyone else.

    A Sky News investigation located the masts using technology made by GSMK Cryptophone, a German security company, and found more than 20 of the rogue towers in three weeks.

    Stingrays are frequently used in the US by police to monitor suspects, though the use of them is inevitably subject to heated debate as they can eavesdrop on anyone’s calls, even without a warrant. The American Civil Liberties Union has called the towers “incredibly invasive”.

    Eric King, deputy director of Privacy International, said it was time police forces stopped pretending the IMSI towers didn’t exist, so the public could understand the legal framework behind them. He said: “This spying tool has featured in everything from The Wire to Zero Dark Thirty. Companies are selling them on the grey market to anyone who can pay. The only thing we don’t know is what the police are doing to protect people from their use by criminals, and when they use them, what legal frameworks ensures they’re properly used?

    “In an urban space, thousands of people’s mobile phones would be swept up in that dragnet. What they do with that data, we don’t know.”

    Reply
  16. Tomi Engdahl says:

    Eurojust and Europol in massive joint action against cybercriminals
    http://www.eurojust.europa.eu/press/PressReleases/Pages/2015/2015-06-10.aspx

    Yesterday, a total of 49 suspects were arrested and 58 searches carried out in the framework of a massive joint action against cybercrime led by Italian, Spanish and Polish judicial and police authorities with the support of Belgium, the UK and Georgia.

    Operation Triangle stems from large-scale investigations carried out in Italy

    The investigations targeted organised crime groups (OCGs) involved in phishing money from the internet. This type of crime is carried out by specialised criminals who use the internet to carry out a fraudulent scheme known as ‘the man in the middle’; they basically divert funds from legitimate to illegitimate destinations, thereby defrauding large quantities of money from victims located throughout Europe.

    The parallel investigations revealed international fraud totaling 6 million euro accumulated within a very short time. The suspects, mainly from Nigeria and Cameroon, transferred the illicit profits outside of the European Union through a sophisticated network of money laundering transactions.

    Yesterday’s action against cybercriminals yielded excellent operational results and demonstrated that several EU bodies and national authorities, joining forces, can together successfully combat one of the most difficult-to-detect forms of modern criminality.

    Reply
  17. Tomi Engdahl says:

    Warning: Don’t Download Software From SourceForge If You Can Help It
    http://www.howtogeek.com/218764/warning-don%E2%80%99t-download-software-from-sourceforge-if-you-can-help-it/

    “SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.

    Don’t download software from SourceForge if you can help it. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.

    One alternative download site: https://ninite.com/

    Reply
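    The comment above says to "be extra careful" with a download whose mirror may have repacked the installer. The check a practitioner actually runs is to hash the downloaded file and compare it with the digest the project publishes on its own site, not with a digest hosted on the same mirror. The following is an added example, not code from the GIMP project, SourceForge or How-To Geek; the file names, the SHA256SUMS text and the sample files are constructed for the demonstration.

```python
"""Verify a downloaded installer against a digest the project published itself.

Added example (not the GIMP project's or SourceForge's code). The digest list
is assumed to come out-of-band (the project's own HTTPS site or a signed
release note); a hash sitting next to the file on the mirror proves nothing,
because whoever repacked the installer can rewrite it too.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large installer does not fill memory


def sha256_file(path: str) -> str:
    """Hex SHA-256 of the file at `path`, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse GNU coreutils 'SHA256SUMS' lines of the form '<hex>  <filename>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # coreutils marks binary mode with a leading '*'
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums


def verify_download(path: str, sums_text: str) -> bool:
    """True only if the file's SHA-256 matches the published entry for its basename.

    A file with no published digest is reported as unverified (False), never as OK.
    """
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    actual = sha256_file(path)
    # constant-time compare; cheap here, but a habit worth keeping for any digest check
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed sample: a clean file, a repacked copy, and a constructed SHA256SUMS.

    The clean file's content is b"abc", whose SHA-256 is the well-known
    ba7816bf...f20015ad; the 'bundled' copy has extra bytes appended, as a
    repacked installer would.
    """
    good_digest = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "project-installer.exe")
        bad = os.path.join(d, "project-installer-bundled.exe")
        with open(good, "wb") as f:
            f.write(b"abc")
        with open(bad, "wb") as f:
            f.write(b"abc" + b"\x00junkware")
        sums = "\n".join([
            "# constructed SHA256SUMS, as the project would publish on its own site",
            f"{good_digest}  project-installer.exe",
            f"{good_digest}  project-installer-bundled.exe",  # claims the same digest; content differs
        ])
        return verify_download(good, sums), verify_download(bad, sums)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

    A signed digest list (for example a detached GPG signature over SHA256SUMS, verified against a key obtained earlier) closes the remaining gap: it ties the digest to the project rather than to whichever server happened to serve the text file.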
  18. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    State sponsored sophisticated attack Duqu 2.0 penetrated Kaspersky network, tapped Iran nuke talks — Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks — Hacker group used a “zero-day trampoline” to scale Kaspersky defenses. — Not long after blowing the lid off …

    Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks
    Hacker group used a “zero-day trampoline” to scale Kaspersky defenses.
    http://arstechnica.com/security/2015/06/stepson-of-stuxnet-stalked-kaspersky-for-months-tapped-iran-nuke-talks/

    “We see this battle or arms race emerging and now it involves some kind of confrontation between the security industry and nation-state sponsored spies,” Vitaly Kamluk, a Kaspersky principal security researcher, told Ars. “Bringing this to the next level is a very alarming trend for us because before people and organizations of all kinds could understand that the security solutions they were deploying can protect them. There was kind of an unspoken rule not to attack the security industry. But now we see they are stepping on this territory. They are trying to step on our land and they are trying to ruin the last island of safety for all these organizations and companies, which is very alarming for us.”

    Duqu 2.0, as Kaspersky has dubbed the 2014 version, used at least one “zero-day” in Windows that Microsoft patched only Tuesday.

    Reply
  19. Tomi Engdahl says:

    Many Organizations Lack Maturity to Address Security Risks: RSA
    http://www.securityweek.com/many-organizations-lack-maturity-address-security-risks-rsa

    Nearly three quarters of global organizations lack the maturity to address cybersecurity risks, and size is not a determinant of strong maturity, according to RSA’s inaugural Cybersecurity Poverty Index.

    The report from EMC’s security division is based on the responses of over 400 IT security professionals from 61 countries who were asked to self-assess the maturity of their cybersecurity programs using the NIST Cybersecurity Framework as a benchmark.

    Respondents answered 18 questions covering the identify, protect, detect, respond, and recover functions outlined in NIST’s Cybersecurity Framework. They rated their capabilities by using a five point scale indicating their organization’s maturity level: negligent, deficient, functional, developed, and advantaged.

    The survey shows that only 25 percent of organizations have well-developed (developed) or superior (advantaged) security programs. The rest of respondents indicated having significant cybersecurity exposure with overall capabilities falling below the “developed” level.

    Geographical location and size are factors that don’t seem to influence the maturity level of an organization’s security strategy. For instance, 83 percent of organizations with more than 10,000 employees are not well prepared to handle cyber threats.

    Reply
  20. Tomi Engdahl says:

    Serious Vulnerabilities Patched in CUPS Printing Service
    http://www.securityweek.com/serious-vulnerabilities-patched-cups-printing-service

    CUPS has been updated to address a couple of security bugs that can be exploited by a malicious actor to elevate privileges and execute arbitrary code on affected systems.

    CUPS (Common Unix Printing System) is a popular open source printing system developed by Apple for UNIX-like operating systems. CUPS uses the Internet Printing Protocol (IPP) for printing to local and network printers.

    Reply
  21. Tomi Engdahl says:

    Following the Regulatory Beat: Continuous Compliance
    http://www.securityweek.com/following-regulatory-beat-continuous-compliance

    More and more industry standards and regulations promote or even mandate that organizations apply the concept of “continuous compliance”. Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. This approach can not only increase an organization’s compliance posture, but also its security efficacy. However, there are some real technological challenges to overcome. So how can organizations achieve continuous compliance and take advantage of the benefits of leveraging a common control framework?

    The number of regulations that affect average organizations can easily exceed a dozen or more, and grow more complex by the day. This is forcing most companies to dedicate an inordinate amount of resources to governance and compliance efforts – often, in addition to a lengthy list of existing IT priorities. This typically results in a mad dash in the months leading up to the annual audit, spent gathering the data needed just to meet the auditor’s requirements. As a result, it’s not surprising that according to a Verizon Payment Card Industry Report, for PCI DSS, compliance levels drop to 18% within just 60 days of certification.

    In today’s threat-driven environment the bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack.

    These renewed guidelines encourage organizations to find ways to streamline governance processes, continuously monitor compliance and their security posture, and correlate it to business criticality.

    Reply
  22. Tomi Engdahl says:

    Good Fences Do Not Make Good Neighbors: How Continuous Delivery Busts Silos for Security
    http://www.securityweek.com/good-fences-do-not-make-good-neighbors-how-continuous-delivery-busts-silos-security

    Continuous delivery of software and applications is one of the most significant advancements that has taken place in the computing industry in the past 25 years. It is catching on so fast that you can now hear the death rattle of the 18-month software delivery cycle. The rise of cloud computing infrastructures — both in corporate data centers and infrastructure-as-a-service (IaaS) providers such as Amazon Web Services (AWS) — is powered by agile software development teams using orchestration tools like Puppet and Chef to decouple application development from the infrastructure, adding speed and agility to the enterprise.

    Just as enterprise computing is having its DevOps moment, though, much of the security profession has woken up to the fact they are mired in the traditional infrastructure and silo approach. When everything in computing is dynamic, distributed, heterogeneous, and hybrid (i.e., alive), security that is bonded to static infrastructures like the network — an architecture based on hierarchies and chokepoints — appears out of sync with the new reality. If you are a security professional, continuous delivery and agile development are your future.

    Consider the traditional approach to securing applications. Development creates a new app and then passes it over to the infrastructure team, which then onboards it to server, storage, and networking platforms. When that is complete, the security team comes in to protect it so employees, partners, suppliers, and customers can use it securely.

    The organizational “fences” among these teams can leave security practitioners with poor visibility into how an application is constructed from a security perspective.

    What would happen if security became part of the development process from day one? What would happen if security adapted to a more fluid, continuous delivery world?

    The good news is that security is evolving. Gartner has outlined how new Adaptive Security platforms are emerging that treat security protection as a continuous process, mirroring the changes in application development and software-defined infrastructures.

    For security to flourish in the age of continuous delivery, it must meet the following requirements:

    1. Security policy must be embedded into the application development cycle at inception.
    2. Enforcement of security policies must move and adapt with the continuous delivery approach.
    4. Finally, as Gartner notes, security must offer detective, preventive, responsive, and predictive capabilities that adapt with changes in the threat environment and provide transparency to the various IT constituencies involved.

    Reply
  23. Tomi Engdahl says:

    German Parliament May Need To Replace All Hardware and Software To Stop Malware
    http://yro.slashdot.org/story/15/06/10/202244/german-parliament-may-need-to-replace-all-hardware-and-software-to-stop-malware

    Trojan spyware has been running on computers in the German parliament for over four weeks, sending data to an unknown destination; and despite best efforts, nobody’s been able to remove it. The German government is seriously considering replacing all hardware and software to get rid of it.

    German parliament may need to replace all software and hardware after hack
    http://www.itworld.com/article/2934135/german-parliament-may-need-to-replace-all-software-and-hardware-after-hack.html

    All software and hardware in the German parliamentary network might need to be replaced. More than four weeks after a cyberattack, the government hasn’t managed to erase spyware from the system, according to a news report.

    Trojans introduced to the Bundestag network are still working and are still sending data from the internal network to an unknown destination, several anonymous parliament sources told German publication Der Spiegel.

    In May, parliament IT specialists discovered hackers were trying to infiltrate the network. So far, they have been unable to mitigate the attack.

    People in parliament are already talking about a possible replacement of the whole system, according to Der Spiegel. In addition to the internal network’s software, the hardware may have to be replaced as well, an operation that would take months and cost millions of euros.

    Some Germans suspect that the Russian foreign intelligence service SVR is behind the attack.

    On Thursday, the parliament will discuss how to address the situation.

    Reply
  24. Tomi Engdahl says:

    Cops turn Download Festival into an ORWELLIAN SPY PARADISE
    Face recog tech, RFID tracking – gotta love Donington Park
    http://www.theregister.co.uk/2015/06/11/download_festival_big_brother_playground_leicestershire_police/

    As if being ankle deep in a muddy field, surrounded by pretend hippies seemingly re-enacting highlights of the Battle of Waterloo was bad enough, attendees of the aptly named Download Festival will be subjected to a new police facial recognition system, and surveillance of their onsite location and expenditure via the debut of RFID wristbands.

    The debut surveillance technologies are a new facial recognition system being rolled out by Leicestershire Police, and Download’s own RFID wristbands, provided by German RFID specialists YouChip.

    Reply
  25. Tomi Engdahl says:

    White House mandates HTTPS-only govt websites
    http://www.itnews.com.au/News/405036,white-house-mandates-https-only-govt-websites.aspx

    While struggling to implement SSL/TLS properly.

    The United States government chief information officer has published a set of technical guidelines that state the administration’s many different websites should use the encrypted HTTPS only.

    The memorandum – published by US government CIO Tony Scott – requires that “all publicly accessible federal websites and web services only provide service through a secure connection”.

    “All browsing activity should be considered private and sensitive,” Scott wrote.

    The standard hypertext transport protocol transmits data in clear text only. This makes users browsing on government websites vulnerable to interception and alteration of data, as well as privacy violations.

    Correctly configuring HTTPS with digital certificates is notoriously difficult to do right.


    Reply
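    The memo's requirement is simple to state and easy to get subtly wrong: plain HTTP must not serve content, the redirect must land on https:// for the same host, and the HTTPS response must tell browsers to stay on HTTPS. The check below is an added example, not code from the memorandum or the article; it scores already-captured responses (status code plus headers, as `curl -I` would show them) so it runs offline. The two sample sites and their headers are constructed, and treating a Strict-Transport-Security (HSTS) header as mandatory is an assumption taken from the memo itself (M-15-13), which the article above does not spell out.

```python
"""Score captured HTTP/HTTPS responses against an HTTPS-only policy.

Added example (not the OMB memo's or itnews' code). Inputs are a status code
and a header dict you captured yourself; nothing is fetched. Requiring HSTS
with a one-year max-age and includeSubDomains is an assumption drawn from
M-15-13 and common browser-preload practice, not from the article.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the max-age browsers' preload lists expect


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict of directives."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        k, _, v = part.partition("=")
        out[k.strip().lower()] = v.strip().strip('"')
    return out


def check_http(host: str, status: int, headers: dict) -> list:
    """Findings for the plain-HTTP response: it must redirect to https:// on the same host."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status not in (301, 302, 307, 308):
        # a 200 here means the cleartext site is still serving pages
        findings.append("plain HTTP serves content instead of redirecting")
        return findings
    loc = urlsplit(h.get("location", ""))
    if loc.scheme != "https":
        findings.append("redirect target is not https://")
    if loc.hostname and loc.hostname.lower() != host.lower():
        findings.append("redirect leaves the original host")
    return findings


def check_https(status: int, headers: dict, min_age: int = ONE_YEAR) -> list:
    """Findings for the HTTPS response: HSTS present, long-lived, covering subdomains."""
    h = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in h:
        return ["no Strict-Transport-Security header"]
    hsts = parse_hsts(h["strict-transport-security"])
    findings = []
    try:
        age = int(hsts.get("max-age", "0"))
    except ValueError:
        age = 0
    if age < min_age:
        findings.append(f"HSTS max-age {age} below {min_age}")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def demo() -> tuple:
    """Constructed responses for a fictional host: one compliant site, one not."""
    host = "www.agency.example"
    compliant = (
        check_http(host, 301, {"Location": "https://www.agency.example/"})
        + check_https(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    )
    noncompliant = (
        check_http(host, 200, {"Content-Type": "text/html"})          # still serving over cleartext
        + check_https(200, {"Strict-Transport-Security": "max-age=300"})  # token HSTS, no subdomains
    )
    return compliant, noncompliant


if __name__ == "__main__":
    print(demo())
```

    The redirect-to-same-host check matters because a redirect to https:// on a different host still leaves the first, cleartext hop in place for every later visit; HSTS is what removes that hop once a browser has seen the site over TLS.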
  26. Tomi Engdahl says:

    Japan’s dangerously rose-colored view of the dark world of hacking
    http://asia.nikkei.com/Politics-Economy/Policy-Politics/Japan-s-dangerously-rose-colored-view-of-the-dark-world-of-hacking

    TOKYO — Japan must not let itself be perceived as a hacker’s paradise, lest it encourage more attacks like the one on its pension service.

    Computer networks are constantly exposed to threats. Some 317 million new pieces of malware were created last year alone, according to U.S. information security company Symantec.

    Hackers are becoming better organized and capable of carefully planned data heists. Simply relying on existing methods of detection risks missing their increasingly cunning attacks. On average, security breaches are discovered more than 200 days after the fact. Living with the threat of hacking means living with the fear that by the time the jig is up, much damage will have already been done.

    The Japanese government insists that its technical ability to contend with external cyberattacks is world-class. But cybersecurity industry insiders often warn that Japanese precautions tend to take a dangerously blithe view of human nature.

    Japan needs to abandon the optimism that has held back safeguards against cyberattacks.

    Reply
  27. Tomi Engdahl says:

    Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks
    http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601

    Cybersecurity firm Kaspersky Lab finds three hotels that hosted Iran talks were targeted by a virus believed used by Israeli spies

    Reply
  28. Tomi Engdahl says:

    Ken Dilanian / Associated Press:
    Federal worker union says Social Security Numbers and other data on all federal employees stolen in hack of Office of Personnel Management — Union: Hackers have personnel data on every federal employee — WASHINGTON (AP) — A federal employee union says hackers stole personnel data …

    Union: Hackers have personnel data on every federal employee
    http://bigstory.ap.org/af77f567a4b74f128a4869031dc9add9

    WASHINGTON (AP) — Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.

    Sen. Harry Reid, the Democratic leader, said on the Senate floor that the December hack into Office of Personnel Management data was carried out by “the Chinese” without specifying whether he meant the Chinese government or individuals. Reid is one of eight lawmakers briefed on the most secret intelligence information. U.S. officials have declined to publicly blame China, which has denied involvement.

    The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staffs.

    The union believes the hackers stole military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance and pension information; and age, gender and race data, he said. The letter was obtained by The Associated Press.

    Reply
  29. Tomi Engdahl says:

    Duqu 2.0: ‘Terminator’ malware that pwned Kaspersky could have come from Israel
    Infosec bigwigs differ — but it’s definitely a state operation
    http://www.theregister.co.uk/2015/06/11/duqu2_kaspersky_attack_analysis/

    Eugene Kaspersky reckons hacking into his firm’s corporate network was a “silly” move by cyberspies, but independent experts are far from convinced.

    All seem agreed that the rare attack by a state against a leading information security firm is bad news for corporate security more generally, as it shows attacks are getting more sophisticated and harder to defend against.

    Kaspersky Lab went public on Wednesday about an attack on its corporate network which also hit high-profile victims in Sweden, India, USA, UK, as well as North Africa and SE Asia, including covert surveillance attempts during the ongoing Iranian nuclear talks. Telecoms and electronics firms were among the targets.

    The Duqu 2.0 malware platform associated with the attacks was exploiting up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency.

    Duqu 2.0 is an evolution of the older Duqu worm, which was used in reconnaissance attacks against industrial control systems before it was exposed in September 2011.

    Reply
  30. Tomi Engdahl says:

    If hackers can spy on you all then so should we – US Senator logic
    CISA info-sharing bill tacked onto military funding paperwork
    http://www.theregister.co.uk/2015/06/11/cyberspying_cisa_amendment/

    Following the cyber-attack during which dossiers on four million US government employees were stolen from Uncle Sam’s servers, staggering out of the smoldering blast crater is Senator Richard Burr (R-NC). And he’s not happy.

    In his soot-covered hand is a copy of the Cybersecurity Information Sharing Act (CISA), and this week, he angrily stapled it to another proposed law. Because that’s how people get things done in Washington.

    The CISA legislation was written to allow technology companies to share information about their customers with the Feds for the purposes of national security and online threats, in exchange for partial legal immunity from citizens upset about this data handover. Critics say it’s a license to spy, whereas supporters say it will thwart the cyber-boogeymen.

    “The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals,” said Burr, referring to the government data center compromise revealed earlier this month. Hackers swiped from the Office of Personnel Management sensitive records on millions of Americans, some of whom had applied for security clearances. Its IT defenses were found to be lacking by auditors.

    “We can no longer simply watch Americans’ personal information continue to be compromised.”

    “Cybersecurity threats demand thoughtful solutions, not half-baked efforts that don’t address the real problems,”

    “CISA would create a way for the government to obtain Americans’ information without a warrant, and without adequate protections to protect their privacy. Most security experts agree that encouraging private companies to share more information with the government would have done little if anything to prevent recent data breaches.”

    Reply
  31. Tomi Engdahl says:

    US Navy wants 0-day intelligence to develop weaponware
    In the Navy, you can sail the seven seas, in the Navy, you can p0wn your foes with ease
    http://www.theregister.co.uk/2015/06/12/us_navy_wants_0day_intelligence_to_develop_weaponware/

    In the Navy, the Village People sang, you can sail the seven seas and live a life of ease. And now you can also work with third parties to identify and exploit 0-day flaws in common commercial software.

    That Naval job is revealed in a fascinating solicitation for a provider capable of reporting new flaws and developing weaponised software to exploit them.

    “This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” the solicitation reads.

    The document goes on to say it wants “… a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old).” Quarterly updates are sought and should “include intelligence and exploits affecting widely used software.”

    And here’s the nasty part:

    “The government will select from the supplied list and direct development of exploit binaries.”

    Reply
  32. Tomi Engdahl says:

    4 new twists that push the hacker attack on millions of US govt workers into WTF land
    You Really Won’t Believe What Happened Next
    http://www.theregister.co.uk/2015/06/12/opm_hackers_chinese/

    The data breach that recently hit the US government’s Office of Personnel Management, in which personnel records for millions of federal workers were swiped, is worse than first feared, sources claim.

    According to new reports that emerged on Thursday, the attack was active for more than a year and the pilfered information included detailed personal information on what may be every federal employee, in addition to lists of their foreign contacts.

    Citing information leaked from classified briefings, The New York Times reports that the hackers – who are believed to be based in China – built a database of intelligence on prominent US officials including diplomats, nuclear experts, White House staffers, and trade officials.

    Among that information were lists of foreign contacts, which US government employees are required to disclose when applying for security clearance passes.

    Those contacts would include relatives, friends, and associates in mainland China. And US intelligence officials now worry that if that information is in the hands of the Chinese government, it could be used for blackmail or retaliation. What’s more, it could spell trouble for people in China who may have concealed their relationships with American officials.

    In the system for more than a year

    It should come as no surprise, then, that the hackers enjoyed a lengthy stay in the OPM network before they were detected. ABC News reports that the hackers harvested data from various segments of OPM’s records database for more than a year, including forms filled out by federal employees seeking security clearances.

    How high up did the breach go?

The full extent appears to be dire. A report by the Associated Press cites correspondence between the OPM and the American Federation of Government Employees, a public sector union, which fears that every federal employee may have been compromised in the breach.

    Sources told the AP that the data includes “military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, and race data.”

    On top of what will be a steep cost in lost intelligence and potential blackmail of government employees, the fallout from the attack carries with it a significant monetary cost.

    Discovered during a product demo

    Finally, the Wall Street Journal has sources that claim the network breach was discovered when an IT security company called CyTech turned up to demonstrate its intrusion forensics software to federal staffers. A diagnostic check of the agency’s computers turned up hidden malware, sparking further investigation.

    U.S. Spy Agencies Join Probe of Personnel-Records Theft
    Sales demonstration may have uncovered government breach
    http://www.wsj.com/articles/u-s-spy-agencies-join-probe-of-personnel-records-theft-1433936969

    Reply
  33. Tomi Engdahl says:

    OpenSSL releases seven patches for seven vulns
    Flood of fixes to clear LogJam flaw
    http://www.theregister.co.uk/2015/06/12/openssl_slings_patch_to_free_logjam/

    Users are being urged to upgrade OpenSSL to prevent eavesdroppers listening to otherwise encrypted connections undermined through the LogJam vulnerability thought to be the NSA’s crypto-cracking tool of choice.

    OpenSSL maintainers have patched seven vulnerabilities including the LogJam vulnerability (CVE-2015-4000) which allows attackers to trick browsers into considering an insecure encrypted connection as secure.

    “A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography,” OpenSSL maintainers wrote in an advisory.

    Reply
  34. Tomi Engdahl says:

    Hard data on the top cloud services and their risks
    https://www.skyhighnetworks.com/cloud-report/

    Reply
  35. Tomi Engdahl says:

    Vintage Ask toolbar is malware – and we’ll kill Jeeves, says Microsoft
    Redmond, in the butler’s bedroom, with the iron pipe
    http://www.theregister.co.uk/2015/06/12/microsoft_reclassifies_ask_toolbar_as_malware/

Older versions of the Ask toolbar, the bane of many a computer user over the years, have been declared persona non grata by Microsoft, and Redmond says its security software will now kill them on sight.

    In a June 11 update to its Malware Protection Center site, Microsoft states that older versions of the toolbar, which set itself up as a browser’s homepage and redirected all searches through Ask’s engine, now contravene Redmond’s policies. The latest build is fine, but older Ask toolbars will be hunted down and deleted.

    “Older versions of software can restrict or limit your control over your search provider. It can prevent you from disabling or modifying your search provider,” said Microsoft’s advisory. “This software poses a high threat to your PC.”

    Reply
  36. Tomi Engdahl says:

    Bloomberg Business:
    Cybersecurity bill that would protect companies from lawsuits when sharing cyber-attack information in limbo after Senate fails to pass it as an amendment

    Senate Republicans Fail to Get Votes for Cybersecurity Measure
    http://www.bloomberg.com/news/articles/2015-06-11/senate-republicans-fail-to-get-votes-for-cybersecurity-measure

    The U.S. Senate blocked a proposal to shield companies from lawsuits when they share cyber-attack information with each other and federal agencies after Democrats opposed adding it to a defense-funding bill.

    Obama has threatened to veto the underlying defense bill because it exceeds agreed-upon budget caps for military spending.

    Efforts to pass cyber legislation have stalled or failed during the past four years in part due to concerns over privacy and government spying.

    Obama, company executives and cybersecurity specialists have seized on recent high-profile hacking attacks to bolster their case for legislation. Anthem Inc. announced in February an assault that exposed personal data on about 80 million customers, and Sony Pictures Entertainment was the victim last year of an attack that crippled thousands of computers.

    Companies have resisted providing data to the government about hacking attacks out of concern they could be sued if they accidentally included private information about their customers. They’re also concerned about violating antitrust laws if they share information with competitors. Information sharing is needed to help prevent attacks that are growing more sophisticated and dangerous, according to the Obama administration.

    Reply
  37. Tomi Engdahl says:

    U.S. Tech Industry Appeals to Obama to Keep Hands Off Encryption
    http://recode.net/2015/06/09/exclusive-u-s-tech-industry-appeals-to-obama-to-keep-hands-off-encryption/

    Top U.S. tech companies are warning the Obama administration against imposing new policies that the companies say would weaken increasingly sophisticated encryption systems designed to protect consumers’ privacy.

    In a strongly worded letter to President Barack Obama on Monday, two industry associations representing major software and hardware companies said, “We are opposed to any policy actions or measures that would undermine encryption as an available and effective tool.”

    The Information Technology Industry Council and the Software and Information Industry Association, representing tech giants, including Apple, Google, Facebook, IBM and Microsoft, fired the latest salvo in what could be a long fight over government access into smart phones and other digital devices.

    Obama administration officials have pushed the companies to find ways to let law enforcement bypass encryption to investigate illegal activities including terrorism threats, but not weaken it in a way that would let criminals and computer hackers penetrate the security wall.

    So far, however, the White House has not spelled out specific regulatory or legislative steps that it might seek to achieve that objective.

    The industry groups noted that online commerce has flourished in part because consumers believed their payment information would be secure.

    “Consumer trust in digital products and services is an essential component enabling continued economic growth of the online marketplace,” the industry wrote.

    “Accordingly, we urge you not to pursue any policy or proposal that would require or encourage companies to weaken these technologies, including the weakening of encryption or creating encryption ‘work-arounds’.”

    Reply
  38. Tomi Engdahl says:

    Klint Finley / Wired:
    Facebook open sources Infer, a tool that uses AI to spot bugs in source code for mobile apps before release

    Facebook’s AI Tool for Squashing Bugs Is Now Open to All
    http://www.wired.com/2015/06/facebooks-ai-tool-squashing-bugs-now-open/

    Facebook used to move fast and break things. Now it’s trying to move fast and fix things. To do that, the company developed an artificially intelligent tool called Infer that can spot bugs in its mobile apps before they ever reach customers. And now the company wants everyone to test their software this way.

    Today the company open sourced Infer, making its code freely available to any company or independent developer looking for new ways to debug their apps.

    “It looks at the program and makes guesses or hypotheses about the program, the way a human might,” says Peter O’Hearn, Infer’s co-creator.

    But unlike a human, it can read thousands of lines of code in mere minutes to spot potential bugs. Facebook claims that it has a fix rate of about 80 percent, which is great for such an automated system.

    Infer
    http://fbinfer.com/
    A tool to detect bugs in Android and iOS apps before they ship

    Reply
  39. Tomi Engdahl says:

    DDoS attacks are a growing digital threat to freedom of expression in Latin America
    https://knightcenter.utexas.edu/blog/00-16118-ddos-attacks-are-growing-digital-threat-freedom-expression-latin-america

The media and Latin American journalists are starting to experience firsthand what until recently seemed to be the exclusive concern of US, European or Asian media outlets: cyberattacks.

This type of online criminal activity, known as Distributed Denial of Service (DDoS), is the other side of technological advances that aim to maximize flow of information online.

    Cybercrime legislation is backward and broken in Latin America

One of the most recent cases occurred in Mexico, where minutes after publishing an investigation about the alleged responsibility of federal police in extrajudicial executions of several young people in Apatzingan, a town in the state of Michoacan, the Aristegui Noticias site was out of service for hours, a victim of a DDoS attack.

The Knight Center for Journalism in the Americas consulted Robert Guerra, an expert on cyber security and Internet freedom, and Luis Horacio Najera, a Mexican journalist and expert in the field, on the consequences of these attacks for media companies.

    “The main consequence of a cyber attack in the context of Latin America is the reduction of critical spaces that encourage debate or the exposure of misconduct and abuse of power, like corruption,” Guerra said.

    In the context of countries like Mexico, where media workers are victims of assassinations, kidnappings and threats, this “silent war” on the Internet is presented as a new alarm when speaking about freedom of expression and of the press.

Momentary “blackouts” of online media affect the flow of information, the legitimacy of the company and its journalists, and also cause adverse economic effects for the media companies which base their income on online advertising.

    “With the changes in technology and ways of doing journalism, cyber attacks will become more frequent because they attack the legitimacy of the journalist, and also affect the publication of news. Therefore, all attacks and threats should be condemned with the same intensity,” Guerra added.

    While in the United States DDoS attacks are considered crimes and are punishable under the penal code, this has not been shown to combat the situation. The question is what can legislation achieve regarding this issue.

    Experts agree that international cooperation is key to fighting cybercrime.

    “Most regional legislation concerning information security have been poorly, and in many cases have been motivated by local public security crisis,”

    Meanwhile, Jara noted that while regulations should establish a legal framework that protects personal information and data, in the case of journalists, these professionals should take measures to protect such data.

    “Because of the work, they may be a target of criminal organizations and sometimes governments. If they also have blogs or personal pages, they should ensure the safety of them, as a vulnerable site also becomes the focus of attack, ” Jara said.

    Reply
  40. Tomi Engdahl says:

    It’s 2015 and Microsoft has figured out anything can break Windows
    Win 10 anti-malware analyser will peer into memory to kill IM-and-game-borne viruses
    http://www.theregister.co.uk/2015/06/12/windows_10_antimalware_scan_interface/

Microsoft head software engineer Lee Holmes says Windows 10 applications will now be able to plug into installed anti-virus platforms to better detect malicious scripts.

    Holmes says the Windows 10 Antimalware Scan Interface (AMSI) will allow apps and services to use anti-virus to find badness operating in memory.

    He says most anti-malware platforms will write signatures against suspicious obfuscation and encoding tricks such as XOR, but this tends to fail when those tricks are so basic as to appear benign.

Efforts so far at best miss attacks that live in memory and at worst generate mass false positives by killing legitimate processes.

    Holmes says “… the antivirus engine inspects files being opened by the user. If the malicious content lives only in memory, the attack can potentially go undetected.”

    “Any application can call it (AMSI) and any registered anti-malware engine can process the content submitted to it.”

    Holmes urges application developers to have their apps call AMSI and anti-virus vendors to build support for the feature.

    He says the feature may be extended to kill malware through instant messaging platforms or video game plug-ins for example, and is focusing on scripts in its initial launch phase.

    “There are plenty of more opportunities – this is just a start,” he says.

    Reply
  41. Tomi Engdahl says:

    Security firm Rapid7 files for $80 million IPO
    http://fortune.com/2015/06/11/rapid7-files-ipo/

    As the security space heats up, another hot cyber firm has announced that it will go public.

    Rapid7, a Boston, Mass.-based cybersecurity company, has filed for an $80 million IPO.

The company will join an elite group of security companies that have moved from private venture capital markets into the public investing arena in recent years, which include FireEye in 2013 and Palo Alto Networks in 2012. Industry watchers are keeping their eyes on other security firms such as Veracode, Bit9 + Carbon Black, LogRhythm, Mimecast and Okta that appear poised to go public in the near future, too.

    Rapid7 sells security software and services that help companies understand their IT environments and reduce their exposure to cyber attacks. One of its more popular offerings is its Metasploit penetration testing products, which it acquired in a 2009 deal.

    “There is a heightened and increasing level of awareness and concern over cyber security that’s being driven by the perfect storm,” Thomas told SecurityWeek, mentioning the rise of the cloud and mobile, the ease of buying hacking tools online, and the frequency of big data breaches.

    Reply
  42. Tomi Engdahl says:

    Poison résumé attack gives ransomware a gig on the desktop
    Multiple rival researchers warn of Cryptowall delivery ruse targeting employers
    http://www.theregister.co.uk/2015/06/12/research_community_warns_of_cryptowall_30_resume_campaign/

    Security researchers are focussing their crosshairs on what appears to be high-volume spam and exploit campaigns to deliver the latest iteration of the Cryptowall ransomware.

Boffins from the SANS Institute, Cisco, and MalwareBytes have identified a dangerous if goofy spam campaign slinging the nasty ransomware masquerading as a file attachment bearing a résumé.

    SANS handler Brad Duncan says the two campaigns to foist Cryptowall 3.0, also known as Croti, appear to be the handiwork of one attacker.

    Duncan says “… we’ve seen a significant amount of Cryptowall 3.0 ransomware from malicious spam and the Angler exploit kit [and] it has increased significantly.”

    “The CryptoWall 3.0 push from Angler exploit kit appears to have started around the same time.

    “The timing of these campaigns indicates they might be related and possibly initiated by the same actor.”

    Cisco security bod Nick Biasini says the ransomware is using clever obfuscation techniques to trick users.

    “[Analysis] showed that a large number of users that received the email were seen attempting to download the file from the compromised WordPress site,” Biasini says.

    The malware analyst found Cryptowall is being foisted through the Magnitude exploit kit, specifically by way of an Adobe Flash exploit (CVE-2015-3090, CVE-2014-6332, CVE-2013-2551) within Microsoft Internet Explorer.

    Reply
  43. Tomi Engdahl says:

    New OpenSSL Security Advisory Announced
    http://it.slashdot.org/story/15/06/11/2245243/new-openssl-security-advisory-announced

    It’s time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software.

    https://www.openssl.org/news/secadv_20150611.txt

    Reply
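Both OpenSSL items above (comment 33 and this one) are about the same Logjam mitigation: a client must refuse a ServerKeyExchange whose ephemeral Diffie-Hellman group is too small, instead of silently accepting a 512-bit export group. The block below is an added example, not OpenSSL's code: it parses the ServerDHParams structure from RFC 5246 (three length-prefixed big-endian integers p, g and Ys) and applies a minimum group size. The floor is a parameter; the 2015 OpenSSL fix chose a lower one than the 2048 bits used here, which is the current practitioner recommendation. The two messages are constructed for the demo, and their p values are only odd numbers of the right length, not real safe primes, since the check concerns size, not primality.

```python
"""Minimum DH group size check on a TLS ServerKeyExchange (Logjam mitigation).

Added example, not OpenSSL code. Parses ServerDHParams (RFC 5246 7.4.3):
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
followed by the signature, which is ignored here.
"""
import struct

MIN_DH_BITS = 2048  # policy floor; the 2015 fixes used a lower one


def parse_server_dh_params(body: bytes):
    """Return (p, g, Ys, rest) from the ServerDHParams bytes; raise on malformed input."""
    off = 0
    vals = []
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (ln,) = struct.unpack_from("!H", body, off)
        off += 2
        if ln == 0 or off + ln > len(body):
            raise ValueError(f"bad length for {name}")
        vals.append(int.from_bytes(body[off:off + ln], "big"))
        off += ln
    p, g, ys = vals
    return p, g, ys, body[off:]


def dh_params_acceptable(p: int, g: int, ys: int, min_bits: int = MIN_DH_BITS):
    """Return (ok, reason). Rejects export-grade groups, bad generators and degenerate public values."""
    if p.bit_length() < min_bits:
        return False, f"dh_p is {p.bit_length()} bits, below {min_bits}"
    if g < 2 or g >= p - 1:
        return False, "dh_g out of range"
    if ys < 2 or ys >= p - 1:
        return False, "dh_Ys is degenerate"
    return True, "ok"


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used only to construct the demo messages."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out


def check_message(msg: bytes, min_bits: int = MIN_DH_BITS):
    """Parse a ServerDHParams message and apply the policy; returns (ok, reason)."""
    p, g, ys, _sig = parse_server_dh_params(msg)
    return dh_params_acceptable(p, g, ys, min_bits)


# Constructed group moduli: odd numbers of the stated size, not real primes.
EXPORT_P = (1 << 511) | 0x1234567 | 1    # 512-bit, what Logjam downgrades to
STRONG_P = (1 << 2047) | 0x1234567 | 1   # 2048-bit

if __name__ == "__main__":
    for label, p in (("export-grade", EXPORT_P), ("2048-bit", STRONG_P)):
        print(label, check_message(build_server_dh_params(p, 2, 3)))
```

A client that enforces this cannot be talked down to the 512-bit group no matter what the server or a man-in-the-middle offers; the downgrade is only possible when the client accepts whatever group arrives. The degenerate-Ys check is not part of Logjam but costs nothing and closes a separate small-subgroup trick.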
  44. Tomi Engdahl says:

    Enterprise mobility slowed by security concerns
    http://www.cio.com/article/2934333/mobile/enterprise-mobility-slowed-by-security-concerns.html

While mobile technology continues to move forward in all parts of the business, security issues threaten to slow the progress, according to attendees at this week’s MobileIron user conference.

    On the upside, mobility in the enterprise has room to grow.

    Even Uber is making moves in the mobility market with its new business initiative.

    Will security concerns derail mobile?

    Most companies, though, continue to face new mobile security challenges. Security can derail their mobile plans — “without it, we risk too much,” say polled attendees. It’s a big reason why MobileIron announced a slew of features to protect mobile enterprise data wherever it lives, such as the app, network and cloud.

    In the network, for instance, MobileIron protects data with multi-OS app VPN. In the cloud, MobileIron gives companies control over content encryption keys.

    Meanwhile, employees are concerned that companies secretly look at their private data on mobile devices. There’s a lot of private data, too. A recent MobileIron survey of millennials found that 87 percent say their “mobile device never leaves their side, night or day.” At MobileIron’s conference, attendees cited the challenge of gaining employee buy-in through education and communication as having the greatest risk of failure.

That’s why MobileIron announced a visual privacy tool that lets employees know exactly what data the company can see and what actions the company can take. The goal is to build trust between employer and employee.

    “CIOs need new security, but it hasn’t been defined yet. They’ll have to buy again, and buy differently.”

    Reply
  45. Tomi Engdahl says:

    Samsung, LG Smartwatches Give Up Personal Data To Researchers
    http://it.slashdot.org/story/15/06/12/1243208/samsung-lg-smartwatches-give-up-personal-data-to-researchers

    An anonymous reader sends word that security researchers have been able to extract personal information from a pair of smartwatches: the LG G Watch and the Samsung Gear 2 Neo. The G Watch gave up calendar information, pedometer data, and the user’s email address, while the Gear 2 Neo gave up health data, emails, messages, and contact information. The researchers said it wasn’t very difficult to get the data, in part because it wasn’t encrypted. “The Gear 2 Neo uses Samsung’s Tizen operating system, while the LG G Watch is one of several models that uses Google’s Android Wear operating system.”

    Samsung, LG smartwatches give up personal data to researchers
    http://www.cnet.com/news/samsung-lg-smartwatches-yield-personal-data-to-researchers/

    In an era of identity theft and government surveillance, two smartwatches might not be doing you any favors keeping your privacy intact.

    Researchers at the University of New Haven have shown that they can extract personal information from the LG G Watch and from the Samsung Gear 2 Neo.

    “It was not very difficult to get the data, but expertise and research was required,”

Our personal data and who has access to it has become an increasingly pressing concern, especially as the everyday objects around us — from watches to our clothes — get smarter, more connected and share more information with each other. The ease with which Samsung’s and LG’s smartwatches were hacked speaks to the importance of data encryption.

    Not many people yet own smartwatches, but the numbers are sure to grow in the coming months and years.

Encryption can help keep people’s data out of prying hands by scrambling that information so that it’s readable only by those with the key to it — but even then there are limits, in particular when the prying hands have access to a person’s smartphone, laptop or smartwatch. Beyond that, there’s a broader debate over how much encryption should be allowed. Law enforcement officials have advocated for fewer protections, which would allow them to more effectively track down criminals and monitor terrorist plots. But the easier it is for government agencies to spy on members of the public, the more open the door is for criminals looking to engage in identity theft.

    It would be easy for device manufacturers to encrypt smartwatch data, Baggili said, but that’s no guarantee of safety. “Just because encryption is enabled does not mean it is implemented in a way that does not allow us to defeat the encryption,” he said.

    Apple, Google and Microsoft have moved to encrypt the file systems used to store data on their operating systems — often over the objections of governments that want law enforcement to be able to more easily use that data in their investigations. On Monday, the Software & Information Industry Association urged the Obama administration to avoid any “workarounds” that would weaken encryption.

    “We appreciate that, where appropriate, law enforcement has the legitimate need for certain information to combat crime and threats,” the association said in its letter to Obama. “However, mandating the weakening of encryption or encryption ‘workarounds’ is not the way to address this need.”

    Reply
  46. Tomi Engdahl says:

    Notepad++ leaves SourceForge
    https://notepad-plus-plus.org/news/notepad-plus-plus-leaves-sf.html

    SourceForge was a good place; unfortunately, sometimes good places don’t last.

    Recently SF hijacked its hosted projects to distribute their wrapped crapware:

    SourceForge grabs GIMP for Windows’ account, wraps installer in bundle-pushing adware
    Black “mirror”: SourceForge has now taken over Nmap audit tool project
    What happened to Sourceforge? The full story between VLC and Sourceforge

Obviously, the paid component per installation system is one of their important income generating scams. I would be fine with that, if they were the actual owners of the legitimate software. The real problem is, they are polluting these open source software installations for the purpose of filling their pockets by this scam.

    Such a shameless policy should be condemned, and the Notepad++ project will move entirely out of SourceForge.

    https://github.com/notepad-plus-plus/notepad-plus-plus

    Reply
  47. Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    Chinese hackers have found a way to identify Tor and VPN users in the country by exploiting a vulnerability in server software used by popular Chinese portals

    Chinese Hackers Circumvent Popular Web Privacy Tools
    http://www.nytimes.com/2015/06/13/technology/chinese-hackers-circumvent-popular-web-privacy-tools.html?_r=0

    Chinese hackers have found a way around widely used privacy technology to target the creators and readers of web content that state censors have deemed hostile, according to new research.

    The hackers were able to circumvent two of the most trusted privacy tools on the Internet: virtual private networks, or VPNs, and Tor

    Both tools are used by Chinese businesses and by millions of citizens to bypass China’s censorship technology, often called the Great Firewall, and to make their web activities unreadable to state snoopers.

    The attackers compromised websites frequented by Chinese journalists as well as China’s Muslim Uighur ethnic minority, Mr. Blasco discovered last week.

    As long as visitors to those websites were also logged into one of 15 Chinese Internet portals — including those run by Baidu, Alibaba and RenRen — the hackers were able to steal names, addresses, sex, birth dates, email addresses, phone numbers and even the so-called Internet cookies that track other websites viewed by a user.

    To get around the Tor and VPN technology, the attackers relied on a server software vulnerability that China’s top companies apparently didn’t patch, Mr. Blasco said.

    While Mr. Blasco and others have not been able to pinpoint the identity of the hackers, the list of targets and the sophistication of the attacks suggest they may have been directed by the Chinese government.

    Reply
  48. Tomi Engdahl says:

    Cloud Computing
    VPNs Dissolve National Boundaries Online, for Work and Movie-Watching
    http://bits.blogs.nytimes.com/2015/02/08/in-ways-legal-and-illegal-vpn-technology-is-erasing-international-borders/

    Rod Drury, an entrepreneur in Auckland, New Zealand, regularly visits the United States. Sometimes there are multiple visits a day.

    “People here can’t get Netflix, so they get a VPN that gives them a U.S. I.P. address, and watch Netflix like they’re in America,” he said. “If I want something off iTunes, I buy U.S. cards online.”

    Decoding the jargon: Millions of people around the world now pay for virtual private computer networks — a security method that uses encryption to hide Internet traffic — and similar services to hook into a server in the United States. As far as the video and retail services can tell, Mr. Drury is one more American customer.

    If the Internet breaks down national boundaries, it may happen from the comfort of our couches. VPNs were originally thought of as a way for companies to guarantee security or dissidents to avoid the prying eyes of their governments. Now they are part of a larger movement for people to work and play anywhere on the planet, at all times.

    And if the software can’t come to consumers, the customers use VPN to get to the software.

    “Unblock geo-restricted websites and web services like Netflix, Hulu, BBC iPlayer, Skype, and many more!” says the webpage of PureVPN, which charges $45 a year to turn you into a virtual American. You might prefer being Canadian, since Netflix Canada has a bigger selection of films.

    Reply
  49. Tomi Engdahl says:

    Patricia Cohen / New York Times:
    After recent breaches, IRS promises to add additional security measures to protect against fraud and identity theft by early 2016 — I.R.S. Adds New Safeguards to Thwart Identity Theft and Fraud — Reeling from an online attack that allowed criminals to steal personal information …

    I.R.S. Adds New Safeguards to Thwart Identity Theft and Fraud
    http://www.nytimes.com/2015/06/12/business/irs-increases-efforts-to-prevent-identity-theft-and-fraud.html

    Reeling from an online attack that allowed criminals to steal personal information and divert tax refunds from tens of thousands of taxpayers, the Internal Revenue Service announced on Thursday a sweeping effort to step up protections against identity theft and fraud. The actions are expected to be completed by early next year, well before the April 15 filing deadline.

    Collaborating with tax preparation firms and state officials, the I.R.S. promised to require a more rigorous authentication process before releasing information and refunds and to broaden efforts to pinpoint patterns of fraud.

    “For the first time, everyone in the software industry will share aggregated details about their filings to help us all identify fraud,”

    The new measures are the result of a security meeting in March involving private industry representatives and government officials.

    Added security filters include crosschecking returns filed electronically with Internet addresses and computer devices, and scanning for mechanized fraud by checking the time it takes to complete a return, the agency said. Tax preparers will have to transmit this information on all returns filed with federal and state governments.

    At the same time, the agency will provide monthly, anonymous data reports to the tax preparation industry summarizing the latest tactics used by criminals.

    Brad Smith, chief executive of the software company Intuit, which makes TurboTax, the most popular tax program in the country, said in a statement that new uniform rules requiring all industry players to report suspicious activity “will be instrumental in helping to protect and serve legitimate taxpayers and safeguard their privacy.”

    Last month, the commissioner revealed that criminals had used taxpayers’ personal information to gain access through the agency’s website to tax returns while bilking the agency out of at least $39 million in fraudulent refunds.

    Several participants in the security meeting said the degree of collaboration between the private sector and tax officials went far beyond previous efforts.

    He added: “What people don’t realize is that the information used to steal tax refunds is, for the most part, freely available online. Taxpayers should watch what they share on social media, secure their online accounts and check their credit reports annually to keep them tuned into any suspicious activity before it’s too late. Last year, someone actually filed as my daughter and it was a massive headache to get her identified as herself as she went to file this year.”

    Reply
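The filters the IRS describes (crosschecking e-filed returns against the IP address and device they came from, and timing how long a return took to complete) are ordinary velocity and behaviour checks, and a small model shows what they actually flag. The block below is an added example, not the IRS's or any preparer's code: the record layout, the two thresholds and all of the sample filings are assumptions constructed for the demo.

```python
"""Constructed model of the IRS-style fraud filters: source crosschecks and completion-time checks.

Added example. Record format, thresholds and sample data are assumptions,
not the actual schema the agency and preparers exchange.
"""
from collections import defaultdict
from datetime import datetime

FAST_SECONDS = 90             # assumed: a person does not finish a full return this quickly
MAX_TAXPAYERS_PER_SOURCE = 3  # assumed: distinct taxpayers tolerated per IP or device


def parse_records(lines):
    """Parse constructed CSV lines: return_id,taxpayer,ip,device,started,submitted (ISO 8601)."""
    recs = []
    for line in lines:
        rid, tp, ip, dev, started, submitted = line.split(",")
        recs.append({
            "return_id": rid, "taxpayer": tp, "ip": ip, "device": dev,
            "started": datetime.fromisoformat(started),
            "submitted": datetime.fromisoformat(submitted),
        })
    return recs


def flag_returns(recs):
    """Return {return_id: [reasons]} for every return that trips a filter.

    Filter 1 (mechanized filing): elapsed time from start to submit below FAST_SECONDS.
    Filter 2 (source reuse): one IP or one device submitting for too many distinct taxpayers.
    """
    flags = defaultdict(list)
    taxpayers_by_ip = defaultdict(set)
    taxpayers_by_dev = defaultdict(set)

    # First pass: timing check and per-source taxpayer sets.
    for r in recs:
        taxpayers_by_ip[r["ip"]].add(r["taxpayer"])
        taxpayers_by_dev[r["device"]].add(r["taxpayer"])
        elapsed = (r["submitted"] - r["started"]).total_seconds()
        if elapsed < FAST_SECONDS:
            flags[r["return_id"]].append(f"completed in {int(elapsed)}s")

    # Second pass: flag every return that came through an over-used source,
    # including the early ones filed before the source crossed the threshold.
    for r in recs:
        n_ip = len(taxpayers_by_ip[r["ip"]])
        n_dev = len(taxpayers_by_dev[r["device"]])
        if n_ip > MAX_TAXPAYERS_PER_SOURCE:
            flags[r["return_id"]].append(f"ip {r['ip']} used for {n_ip} taxpayers")
        if n_dev > MAX_TAXPAYERS_PER_SOURCE:
            flags[r["return_id"]].append(f"device {r['device']} used for {n_dev} taxpayers")
    return dict(flags)


# Constructed filings: R1 is an ordinary return; R2 is suspiciously fast from a
# unique source; R3..R6 are four different taxpayers filed in minutes from one
# IP and one device.
SAMPLE = [
    "R1,TP-A,203.0.113.5,dev-1,2015-04-01T10:00:00,2015-04-01T10:42:00",
    "R2,TP-B,198.51.100.7,dev-2,2015-04-01T11:00:00,2015-04-01T11:00:40",
    "R3,TP-C,203.0.113.9,dev-9,2015-04-02T09:00:00,2015-04-02T09:00:30",
    "R4,TP-D,203.0.113.9,dev-9,2015-04-02T09:01:00,2015-04-02T09:01:35",
    "R5,TP-E,203.0.113.9,dev-9,2015-04-02T09:02:00,2015-04-02T09:02:31",
    "R6,TP-F,203.0.113.9,dev-9,2015-04-02T09:03:00,2015-04-02T09:03:28",
]

if __name__ == "__main__":
    for rid, reasons in sorted(flag_returns(parse_records(SAMPLE)).items()):
        print(rid, "; ".join(reasons))
```

Two design points worth noting. The source check runs as a second pass over all records so that the first returns from a bad source are flagged retroactively, which a purely streaming rule would miss; and the same IP serving several households (a shared office, a preparer's storefront) is exactly why the threshold is a count of distinct taxpayers rather than a hard block, and why these filters route a return to review rather than reject it outright.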
  50. Tomi Engdahl says:

    David Talbot / MIT Technology Review:
    The case of 5 Chinese hackers who earlier breached US steel firms shows the ease of foiling US corporate security systems

    Cyber-Espionage Nightmare
    http://www.technologyreview.com/featuredstory/538201/cyber-espionage-nightmare/

    A groundbreaking online-spying case unearths details that companies wish you didn’t know about how vital information slips away from them.

    On a wall facing dozens of cubicles at the FBI office in Pittsburgh, five guys from Shanghai stare from “Wanted” posters. Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui are, according to a federal indictment unsealed last year, agents of China’s People’s Liberation Army Unit 61398, who hacked into networks at American companies—U.S. Steel, Alcoa, Allegheny Technologies (ATI), Westinghouse—plus the biggest industrial labor union in North America, United Steelworkers, and the U.S. subsidiary of SolarWorld, a German solar-panel maker. Over several years, prosecutors say, the agents stole thousands of e-mails about business strategy, documents about unfair-trade cases some of the U.S. companies had filed against China, and even piping designs for nuclear power plants—all allegedly to benefit Chinese companies.

    It is the first case the United States has brought against the perpetrators of alleged state-sponsored cyber-espionage, and it has revealed computer-security holes that companies rarely acknowledge in public.

    Prosecutors traced the intrusions to a 12-story building in Shanghai and outed individual intelligence agents.

    There is little chance that arrests will be made, since the United States has no extradition agreements with China, but the U.S. government apparently hopes that naming actual agents—and demonstrating that tracing attacks is possible—will embarrass China and put other nations on notice, inhibiting future economic espionage.

    That may be unrealistic. Security companies say such activity is continuing, and China calls the accusations “purely ungrounded and absurd.” But there’s another lesson from the indictment: businesses are now unlikely to keep valuable information secure online. Whatever steps they are taking are not keeping pace with the threats. “Clearly the situation has gotten worse, not better,”

    “We must pay the cost of security, which is inconvenience.”

    For example, the indictment says, on February 8, 2010—two weeks before a preliminary ruling from the Commerce Department—the hackers sent an e-mail to several U.S. Steel employees. It seemed to be from the CEO but included a link to a website that held malware. A few employees clicked it, and their computers were soon infected. The result: the hackers stole host names for 1,700 servers that controlled access to the company’s facilities and networks.

    Debbie Shon, U.S. Steel’s vice president for trade, told me that the information included valuable business intelligence. “It wasn’t high-tech designs,” she says. “It was the equally important stuff—the business strategies, the pricing, the production amounts, and the timing and content of any trade complaints that U.S. Steel, as one of the biggest companies in this area, might be exploring.”

    The indictment details several similar attacks.

    The failure of the companies’ supposed security technologies was stupefying.

    Reply
