Cybersecurity | emptywheel

The Sabotage Attack on the Syrian Coalition

By: emptywheel Monday May 13, 2013 11:36 am

The NYT reports — adding to an earlier WaPo story — that hackers have attempted to sabotage a bunch of US energy companies.

A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers’ aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East.

It ties these attacks to earlier attacks, claimed to have been launched by Iran, against ARAMCO and Qatar’s RasGas.

Two senior officials who have been briefed on the new intrusions say they were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name. That is similar to what happened to Saudi Aramco, where a computer virus wiped data from office computers, but never succeeded in making the leap to the industrial control systems that run oil production.

[snip]

At Saudi Aramco, the virus replaced company data on thousands of computers with an image of a burning American flag. The attack prompted the defense secretary at the time, Leon E. Panetta, to warn of an impending “cyber 9/11” if the United States did not respond more efficiently to attacks. American officials have since concluded the attack and a subsequent one at RasGas, the Qatari energy company, were the work of Iranian hackers. Israeli officials, who follow Iran closely, said in interviews this month that they thought the attacks were the work of Iran’s new “cybercorps,” organized after the cyberattacks that affected their nuclear facilities.

Saudi Aramco said that while the attackers had attempted to penetrate its oil production systems, they had failed because the company maintained a separation between employees’ administrative computers and the computers used to control and monitor production. RasGas said the attack on its computers had failed for the same reason.

And while the adoption of earlier sabotage approach used with ARAMCO and RasGas infrastructure to US energy producers does not mean all members of the coalition to topple Bashar al-Assad have been attacked by an entity insinuated to be Iran (unless the European parters’ energy companies have been attacked and we just don’t know about it). But this attack does seem to be an assault on the coalition trying to undercut Iran by taking down its client regime in Syria.

Which has me wondering whether this is an Iranian attack — revenge, if you will, for StuxNet, serves the US right. Or if it’s an attack launched by a coalition, possibly including Russia.

I also wonder whether the point of the sabotage isn’t on the information side of the equation, rather than the operational one.

In other news, remember how former NSA head and all-around cyberwar profiteer Mike McConnell declared digital 9/11 warning based on the ARAMCO attack and some crude DNS attacks on banks here in the US? Guess who has become a player in Saudi (and Gulf generally) cybersecurity?

During this event, Booz Allen Hamilton leadership shared their insights on global cyber security practices and the importance of a cross-border cooperative approach to protecting critical infrastructure in the Gulf.

Commenting at the event, McConnell said, “The GCC states have become global hubs in finance. However, this growth introduces increased cyber security risks by threat actors who target this region for monetary or political gain. GCC states have already experienced significant cybercrime in the recent past, it is now more important than ever to ensure that these are not repeated.”

He also added, “Financial institutions are a prime target for cyber criminals, and as a result, they need to focus on staying ahead of cyber threats by developing the right human capital, developing appropriate training programmes and retaining the right skills and technology to properly access and protect corporate data.”

Booz Allen Hamilton was recently registered by the Kingdom of Saudi Arabia Ministry of Commerce and Industry to pursue business opportunities in the Kingdom in support of domestic economic diversification. The firm will provide services to government and commercial clients on critical issues related to the Kingdom’s development, most notably in the areas of cyber security, information technology, financial services and other selected infrastructure. [my emphasis]

I’m guessing BAH’s work in KSA has a lot to do with the expanded Technical Cooperation Agreement signed with the US in January, which added a cyber component onto the previous effort to create a 35,000 person security force Mohammed bin Nayef could use to protect the kingdom’s oil infrastructure.

So if you’re bummed that BAH gets to troll American networks with abandon, rest assured that it will now be doing so in Saudi Arabia, too.

Sheldon Whitehouse: Cybertheft Is [May Be] Biggest Transfer of Wealth in History

By: emptywheel Wednesday May 8, 2013 11:40 am

In an attempt to scare Congress into passing the cybersecurity legislation they failed to pass last year, Sheldon Whitehouse scheduled a hearing on cybersecurity today. In the hearing — and in this op-ed he penned with Lindsey Graham — he repeated a claim he has made before: cybertheft may be the biggest “illicit” transfer of wealth in history.

Almost every facet of American life is threatened when intruders exploit our cyber-vulnerabilities. And the risk is not from China alone. Foreign governments such as Iran and terrorist groups such as al-Qaida seek to worm into national infrastructure and threaten catastrophe here at home. Foreign agents raid companies, stealing plans, formulas and designs. Foreign criminal networks take money out of banks, defraud consumers with scams and sell illicit goods and products, cheating U.S. manufacturers. It may be the greatest illicit transfer of wealth in history. [my emphasis]

I think in the hearing itself, Whitehouse wasn’t as careful to always use that word “might.”

The greatest illicit transfer of wealth in history.

Don’t get me wrong: cyberattacks of all sorts are a real threat. They cost consumers a great deal of inconvenience and, at times, lots of money. They cost defense contractors far more (though of course, some of that is built into our model of defense). They cost sloppy companies as well.

But the biggest illicit transfer of wealth in history?

Ignore recent unpunished giant transfers of wealth in the wake of the financial crisis, which the Senate Judiciary Committee has largely ignored.

I guess the reason I find this so stunning is all the obviously huge transfers of wealth it ignores that were part of slavery and colonization.

Were those licit?

Those were, like Chinese or Iranian or Russian cyberattacks on the US, examples of states (and private entities) taking advantage of vulnerabilities elsewhere. They were certainly considered legitimate at the time, because Europeans got to write the history of colonization, and because they made up claptrap about “civilization” to justify it. But from a distance they look more like the kind of exploitation states often engage in if they’ve got an obvious advantage over another state or organization.

All that’s not to say Montezuma shouldn’t have resisted the Spaniards. That’s not to say we shouldn’t defend against cyberattacks.

But what really makes the US so vulnerable to cyberattacks are 1) that we’re so reliant on the Internet and 2) we’re so reliant on intellectual property (indeed, the very claim that cybertheft is the biggest transfer of wealth relies on a certain understanding of IP as wealth that itself depends on a legal infrastructure that is contingent on our relative world power). And also that so much of our critical infrastructure and IP holders are in private hands and therefore much harder to demand diligence from. That is, our vulnerability to cyberattacks is in part a fragility of our own bases for power (a vulnerability that will probably end up being less lethal than the fact that the immune systems of indigenous peoples hadn’t been exposed to European diseases).

Also, this entire discussion — which danced around the question of an international regime that might limit such attacks — completely ignored the StuxNet attack, the fact that a nation as vulnerable as we are pushed the limits of the offensive capability first. One of the witnesses (I think FBI Assistant Director Jonathan Demarast) even suggested that if our government were chartered to attack the private sector (cough, Echelon) of other countries we’d be damn good at it too — as if our attacks on the public infrastructure of Iran doesn’t count.

I get the value of a good fear campaign (I wish Whitehouse would fearmonger more in his regular addresses on climate change). But there’s fearmongering and there’s absurdity. And I think suggesting that cybertheft is worse than the stealing of entire continents is the latter.

Stephen Cambone, Hacker PWN, Used to Head DOD’s “Intelligence”

By: emptywheel Wednesday May 1, 2013 9:01 pm

Stephen Cambone was the first ever Under Secretary of Defense for something called “Intelligence.”

In that role, he oversaw a domestic spying program that targeted hippies and made GOP cronies rich. And then he went on to profit off that domestic spying program at a company called QinetiQ.

Which is why I’m having a hard time summoning much grief that Chinese hackers have pwned another US Defense Contractor — none other than QinetiQ (George Tenet, another noted “intelligence” figure, was there until 2008)!

Here are the kinds of things the hackers accessed, almost unimpeded.

The lengthy spying operation on QinetiQ jeopardized the company’s sensitive technology involving drones, satellites, the U.S. Army’s combat helicopter fleet, and military robotics, both already-deployed systems and those still in development, according to internal investigations.

And here is the kind of access QinetiQ allowed both Chinese and Russian hackers.

In 2008, a security team found that QinetiQ’s internal corporate network could be accessed from a Waltham, Massachusetts, parking lot using an unsecured Wi-Fi connection. The same investigation discovered that Russian hackers had been stealing secrets from QinetiQ for more than 2 1/2 years through a secretary’s computer, which they had rigged to send the data directly to a server in the Russian Federation, according to an internal investigation.

Read the whole thing — you won’t know whether to laugh or cry.

Meanwhile, the government seems more intent on violating my privacy to fix this kind of wholesale hacking, rather than blackballing those contractors who are incapable of securing their networks.

The State Department, which has the power to revoke QinetiQ’s charter to handle restricted military technology if it finds negligence, has yet to take any action against the company.

[snip]

In May 2012, QinetiQ received a $4.7 million cyber-security contract from the U.S. Transportation Department, which includes protection of the country’s critical transport infrastructure.

The same company that let China hack at will for years is being paid millions for cybersecurity.

That about says it all.

Hackers Penetrate Freedom; The Ship Has Already Sailed

By: emptywheel Monday April 29, 2013 12:24 pm

Reuters has a report I found sort of punny, about how white hat hackers had managed to break into the computer systems of the lead ship of the Navy’s Littoral Combat Ship program, the USS Freedom.

A Navy team of computer hacking experts found some deficiencies when assigned to try to penetrate the network of the USS Freedom, the lead vessel in the $37 billion Littoral Combat Ship program, said the official, who spoke on condition of anonymity.

The Freedom arrived in Singapore last week for an eight-month stay, which its builder, Lockheed Martin Corp., hopes will stimulate Asian demand for the fast, agile and stealthy ships.

It may be ironic that Lockheed had a ship get hacked just before it sent the ship out on a sales trip to Asia. (Asia! Where our most fear hacking-rival is!)

But … um, Lockheed?

Lockheed, of course, couldn’t keep the F-35 program safe from hackers either, and that time it wasn’t white hats doing the hacking.

Before the government imposes fines for companies unwilling to sacrifice the security of their systems to program in a backdoor, as the WaPo reports is being debated …

A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.

[snip]

Susan Landau, a former Sun Microsystems distinguished engineer, has argued that wiring in an intercept capability will increase the likelihood that a company’s servers will be hacked. “What you’ve done is created a way for someone to silently go in and activate a wiretap,” she said. Traditional phone communications were susceptible to illicit surveillance as a result of the 1994 law, she said, but the problem “becomes much worse when you move to an Internet or computer-based network.”

Marcus Thomas, former assistant director of the FBI’s Operational Technology Division, said good software coders can create an intercept capability that is secure. “But to do so costs money,” he said, noting the extra time and expertise needed to develop, test and operate such a service.

… Maybe we ought to instead focus on Lockheed’s apparent inability to keep the hundreds of billion dollar weapons systems it produces safe from hackers?

A Partial Defense of Bill Keller’s Column on Manning

By: bmaz Monday March 11, 2013 11:41 pm

Late Sunday, former New York Times Executive Editor Bill Keller put up an op-ed column at the NYT website on the state of Bradley Manning’s case, his perception of Manning’s motivations and what may have been different had Manning actually gotten his treasure trove of classified information to the Times instead of WikiLeaks. The column is well worth a read, irrespective of your ideological starting point on Mr. Manning.

Bradley Manning has ardent supporters and, predictably, they came out firing at Keller. Greg Mitchell immediately penned a blog post castigating Keller for not sufficiently understanding and/or analyzing the Manning/Lamo chat logs. Kevin Gosztola at Firedoglake also had sharp words for Keller, although, to be fair, Kevin did acknowledge this much:

It is an interesting exercise for Keller. Most of what he said is rational and, knowing Keller’s history, he could have been more venerating in his description of how the Times would have handled Manning.

Frankly, many of the points Mitchell and Gosztola made, which were pretty much representative of a lot of the chatter about Keller’s op-ed on Twitter, were fair criticism even if strident. And part of it seems to simply boil down to a difference in perspective and view with Keller, as evidenced in Keller’s response to inquiry by Nathan Fuller, where he indicates he simply views some things differently.

This is all healthy give and take, difference in view and sober discussion by the referenced Continue reading →

Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

By: Rayne Wednesday March 6, 2013 5:00 pm

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hung himself, but two details about this case set off my hinky meter.

• Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but comparing a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

• Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working in on GaN-based technologies.

Thought these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no? Continue reading →

DOD Uses Sequester to Excuse 5 Year Delay in Implementing Basic Network Security

By: emptywheel Monday February 25, 2013 10:48 am

More than 22 months ago, I wrote a post analyzing Congressional testimony describing the gaping holes in DOD network security 3 years after a nasty malware infection and a year after the publication of Collateral Murder by WikiLeaks.

Almost two years later, Assistant Secretary of Defense Zachary Lemnios says sequestration might hold up improving network security on classified and unclassified networks.

Zachary J. Lemnios, the assistant secretary of defense for research and engineering, was asked by Sen. Rob Portman (R-Ohio) to describe the “most significant” impacts on cybersecurity that could follow from the anticipated cuts to the Pentagon’s budget.

Mr. Lemnios replied that “cuts under sequestration could hurt efforts to fight cyber threats, including [...] improving the security of our classified Federal networks and addressing WikiLeaks.”

This is news not just for the specific details offered about how bad DOD’s network security remains (click through for more details). But also for the tacit admission that 3 years after a breach DOD considers tantamount to aiding the enemy, and 5 years after a malware infection that badly affected DOD’s networks in Iraq, DOD still hasn’t completed security enhancements to its networks.

What if China Not Just Hacked — But Sabotaged — the F-35?

By: emptywheel Sunday February 24, 2013 6:02 pm

Over the last week, two perennial stories have again dominated the news. China continues to be able to hack us — including top DC power players — at will. And the F-35 has suffered another setback, this time a crack in an engine turbine blade (something which reportedly happened once before, in 2007).

The coincidence of these two events has got me thinking (and mind you, I’m just wondering out loud here): what if China did more than just steal data on the F-35 when it hacked various contractors, and instead sabotaged the program, inserting engineering flaws into the plane in the same way we inserted flaws in Iran’s centrifuge development via StuxNet?

We know China has hacked the F-35 program persistently. In 2008, an IG report revealed that BAE and some of the other then 1,200 (now 1,300) contractors involved weren’t meeting security requirements; last year an anonymous BAE guy admitted that the Chinese had been camped on their networks stealing data for 18 months. In April 2009, WSJ provided a more detailed report on breaches going back to 2007.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into.

Continue reading →

Jane Harman Now Targeting Individual CyberTargets with Drone Court

By: emptywheel Tuesday February 19, 2013 6:13 pm

Jane Harman’s advocacy for a drone court suffers from the same problem I touched on here (and will lay out at more length in the next day or so): before you can have a Drone and/or Targeted Killing Court, you need some law the court will apply. Harman seems to envision just applying the standards the Executive — not Congress — came up with, which isn’t how Schoolhouse Rock taught me the government is supposed to work.

Congress, in her model, would just be fully apprised of what goes on in the Drone and/or Targeted Killing Court, not write law to limit what can be approved.

But I’m more interested — alarmed, really — by the way Harman seamlessly adds cybertargeting to her advocacy.

The FISA court, renamed the CT Court, could also oversee drones and cyber. A FISA court application must show that specific individuals are connected to a foreign power – which is defined, in part, as a group engaged in international terrorism. Drone and cyber applications could (1) list the individual/cyber target against whom the lethal operation is directed and (2) submit a finding of probable cause that the individual/cyber target is connected to a foreign power, is in a senior operational capacity and poses an imminent threat of violent attack against the United States.

Approved applications for drone strikes and cyberattacks would need to be renewed after a certain period, and discontinued if evidence is presented that the targets no longer meet the criteria. [my emphasis]

Granted, it would have been nice if the government had had to go to a court to explain why a publisher like WikiLeaks should be targeted with a persistent DNS attack, assuming that’s what happened. But given that both our FISA targeting and our targeting killing targeting probably allow for far too much abuse of the First Amendment, I’m not convinced the FISA Court would have noted the problem with that incident of prior restraint.

More generally, though, isn’t Harman’s neat inclusion of cyber targeting here a hint that our cyberattacks have gone beyond just Iran and WikiLeaks?

Why So Surprised? CIA, U.S. Military Knew Chinese Hackers Expected Since 1999

By: Rayne Tuesday February 19, 2013 3:30 pm

Cover, Unrestricted Warfare via Wikimedia

The breathless reporting about the alleged Chinese hacking at The New York Times is truly annoying because of the shock it displays. The surprise any major government or private corporate entity shows at this point about any network-based security breach that appears to originate from China should be treated as propaganda, or a display of gross ignorance.

In 1999, the CIA’s Foreign Broadcast Information Service published a white paper entitled Unrestricted Warfare, written by the PRC’s Col. Qiao Liang and Col. Wang Xiansui. The publication outlined the methodologies a nation-state could deploy as part of an asymmetric war. Further, the same work outlined the U.S.’s weaknesses at that time were it to confront such asymmetric warfare. It did not focus any other nation-state, just the U.S.*

The colonels acknowledged that the U.S.—at the time of the paper—had considered using a range of tools in response to conflicts:

“…There’s no getting around the opinions of the Americans when it comes to discussing what means and methods will be used to fight future wars. This is not simply because the U.S. is the latest lord of the mountain in the world. It is more because the opinions of the Americans on this question really are superior compared to the prevailing opinions among the military people of other nations. The Americans have summed up the four main forms that warfighting will take in the future as: 1) Information warfare; 2) Precision warfare [see Endnote 8]; 3) Joint operations [see Endnote 9]; and 4) Military operations other than war (MOOTW) [see Endnote 10]. This last sentence is a mouthful. From this sentence alone we can see the highly imaginative, and yet highly practical, approach of the Americans, and we can also gain a sound understanding of the warfare of the future as seen through the eyes of the Americans. Aside from joint operations, which evolved from traditional cooperative operations and coordinated operations, and even Air- Land operations, the other three of the four forms of warfighting can all be considered products of new military thinking. General Gordon R. Sullivan, the former Chief of Staff of the U.S. Army, maintained that information warfare will be the basic form of warfighting in future warfare. For this reason, he set up the best digitized force in the U.S. military, and in the world. Moreover, he proposed the concept of precision warfare, based on the perception that “there will be an overall swing towards information processing and stealthy long-range attacks as the main foundations of future warfare.” For the Americans, the advent of new, high-tech weaponry, such as precision-guided weapons, the Global Positioning System (GPS), C4I systems and stealth airplanes, will possibly allow soldiers to dispense with the nightmare of attrition warfare. …”

The rise of military tools like drones for precision-guided stealth attacks was predicted; quite honestly, the PRC’s current cyber warfare could be a pointed response to Gen. Sullivan’s statement about information warfare.

But in acknowledging the U.S.’s future use of MOOTW, the colonels also offered up the most likely approaches in an asymmetric assault or response: trade war, financial war, new terror war in contrast to traditional terror war, ecological war. Of these, they cited a specific example of new terror war entity and attacks: Continue reading →