Fear, Uncertainty, and Doubt: the Real Cyber Attack on the Truth [UPDATE]

[photo: cdrummbks via Flickr]

[UPDATE – see end of article.]

One weaselly senator–with long-identified agendas and a pathetically thin understanding of technology–takes to the microphone. Suddenly, by virtue of wrapping his senatorial lips around a few scary words on topics about which he knows little, we citizens are supposed to quake in fear and plead for salvation.

Screw that noise. This is textbook “fear, uncertainty, and doubt” — more commonly referred to as FUD in the information technology industry.

Since the 1970s, FUD tactics have been used to suppress competition in the computer marketplace, targeting both hardware and software. Roger Irwin explained,

…It is a marketing technique used when a competitor launches a product that is both better than yours and costs less, i.e. your product is no longer competitive. Unable to respond with hard facts, scare-mongering is used via ‘gossip channels’ to cast a shadow of doubt over the competitor’s offerings and make people think twice before using it. In general it is used by companies with a large market share, and the overall message is ‘Hey, it could be risky going down that road, stick with us and you are with the crowd. Our next soon-to-be-released version will be better than that anyway’. …

FUD has non-technology applications as well; one need only look at product and service brands that encourage doubts about using any product other than their own, in lieu of actually promoting the advantages their product or service might have.

So what’s the FUD about? Senator Joe Lieberman spouted off about cyber attacks in September last year, claiming Iran was behind disruptive efforts targeting U.S. banks.

Right. Uh-huh. Predictable, yes?

But FUD is used in situations where there is competition, one might point out. Yes, exactly; in September 2012, the case for support of unilateral attacks against Iran was up against the news cycle crush, powered by the post-Benghazi fallout and the drive toward the November general election, followed by the terror that was the “fiscal cliff.” That’s a lot of powerful, compelling competition for attention, votes, and tax dollars, when members of a reliable but lame duck Congress could be mounting up a pre-emptive cyber war without the headwind of public awareness and resistance, or the too-inquisitive pushback from newbies in the next seated Congress. Read more

“Liberal” 9th Circuit Deals Death Blow To Al-Haramain Illegal Wiretapping Accountability Case

There is only one substantive case left in litigation with the ability to bring tangible accountability for the illegal and unconstitutional acts of the Bush/Cheney Administration’s warrantless wiretapping and surveillance program. That case is Al-Haramain v. Bush/Obama. Yes, there is still Clapper v. Amnesty International, but that is a prospective case of a different nature, and was never designed to attack the substantive crimes of the previous Administration.

A couple of hours ago, late morning here in the 9th, the vaunted “most liberal of all Circuit Courts of Appeal”, the Ninth Circuit, drove what may be the final stake in the heart of Al-Haramain by declining to conduct an en banc review of its August 7, 2012 opinion. The notice from the court today is brief:

The opinion filed on August 7, 2012, and appearing at 690 F.3d 1089, is hereby amended. An amended opinion is filed concurrently with this order.

With these amendments, the panel has voted to deny the petition for panel rehearing and the petition for rehearing en banc.

The full court has been advised of the petition for rehearing and rehearing en banc and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.

The petition for panel rehearing and petition for rehearing en banc are DENIED. No further petitions for en banc or panel rehearing shall be permitted.

Before going further with analysis, a word about the “amendments” to the opinion. The “Amended Opinion” is here. You can compare for yourself to the August 7 original opinion linked above, but the difference is pretty slight.

It appears all the court did is delete a few sentences here and there about 18 USC 2712(b). The court did not address, nor change, its erroneous assertion that plaintiff Al-Haramain could have sued under 1806(a), or restore the misleadingly omitted (by ellipsis) language from 1806(a). Nor did the Read more

On Toobz and Gases

Danger Room answers–sort of–one of the big questions I had after reading NYT’s report (relying in part on Israeli sources) that Syria appeared to be preparing to use its chemical weapons: what is the connection between Syria’s two and a half day Internet outage last week and today’s barrage of leaks reporting on the CW?

On Thursday, Syria abruptly became disconnected from the internet, likely after the regime disabled the four cables that provide Syria with connectivity. The rebels use the internet not only to document regime atrocities but to disseminate training tactics and to spread their propaganda. Yet the regime also relies on the internet: it’s tried to hijack rebel hardware by spreading spyware in the form of fake security software. As Danger Room predicted last week, the outage ended quickly, as online monitor Renesys confirmed a “largely complete restoration of the Syrian Internet” by Saturday.

The U.S. official doesn’t believe the internet blackout was related to the combination of the chemical weapon binaries. And at the Pentagon, Defense Department spokesman Little said the online outage didn’t make a difference for the U.S. understanding of Assad’s dangerous weapons. “The U.S. government has good visibility into the chemical weapons program and we continue to monitor it,” Little said.

These paragraphs make it clear that:

  1. The US and Israel are not relying on the Toobz to spy on the Assad regime
  2. A US source claims to believe there is no tie between alleged Syrian moves, taken on Wednesday, to mix sarin precursors and the complete shutdown on Thursday of Syria’s Internet

Danger Room’s sources aren’t even asserting that the two events–the mixing of the CW on Wednesday and the Intertoobz blackout on Thursday–are both signs of Bashar al-Assad’s panic.

Which would sort of be the default unless intelligence sources had reason to know that the Intertoobz blackout had nothing to do with the CW mixing.

We’ve long traced interesting Intertoobz blackouts caused by cut cables on this blog: from the recent blackout in Djibouti, to a cable in the Bay Area, to a number of cut cables in the Middle East back in 2008.

It appears to be an increasingly common tactic, one difficult to attribute to a specific actor.

But if one of those actors comes out a few days after an outage and says they have no reason to find that outage as suspicious as the mixing of CW, maybe it’s not so hard to attribute after all.

Update: See Moon of Alabama’s description of why Assad is not mixing chemicals. Which makes it all the more interesting that US sources claim to be so certain the outage had no ties to their claimed sarin mixing.

Cyber-9/11 Warning!! … Screams Man Making Huge Profit Off Such Screams

The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.

A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.

According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.

Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitutes that warning.

Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.

McConnell apparently would have us believe that some crude DDoS attacks on bank websites and an infiltrator’s attack on Saudi oil business (not production) computers constitute a hair-on-fire warning.

Leon Panetta made similarly unconvincing claims back in October.

Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.

Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.

Here’s the very important detail they left out.

Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.

It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnell licking his chops as he identified new purported threats to build business around.

More amusing still is this:

Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.

[snip]

Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.

The government (and, apparently, McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.

Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.

But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.

Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.

In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.

It’s a very neat system our Military Intelligence Industrial Complex has created.

Are Escaped Zoo Animals Autonomous?

Back when David Sanger revealed new details of how StuxNet broke free of Natanz, he used the metaphor of an escaped zoo animal actively unlocking its cage.

In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. [my emphasis]

This zoo animal found the keys to its cage, broke free, spread to an engineer’s computer, failed to recognize its new environment, and then began replicating itself all around the world.

That is, Sanger used the language of a cognizant being, acting as an agent to spread itself. That’s not inapt. After all, viruses do spread themselves (though they don’t actually go seek out keys to do so).

Which is why this detail, noted in Obama’s other pre-Thanksgiving document dump, is so stunning. (h/t Trevor Timm)

The Defense Department does not require developers of computer systems that launch cyber operations to implement the same safeguards required of traditional arms makers to prevent collateral damage.

[snip]

directive, released Nov. 21, mandated that automated and semi-autonomous weaponry — such as guided munitions that independently select targets — must have human machine interfaces and “be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force.” The mandate called for “rigorous hardware and software verification and validation” to ensure that engagements could be terminated if not completed in a designated time frame. The goal is to minimize “unintended engagements,” the document states.

The Pentagon is permitting less human control over systems that deploy malware, exploits and mitigation tools, highlighting Defense’s focus on agile responses to computer threats. The document, signed by Deputy Secretary of Defense Ashton Carter, explicitly states that the directive “does not apply to autonomous or semi-autonomous cyberspace systems for cyberspace operations.”

We have already lost control of one of our semi-autonomous cyberspace operations. The potential danger from its “escape” could be tremendous.

And yet DOD specifically exempts similar operations in the future? So we can commit the same error again?
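The directive language quoted above asks that conventional autonomous weapons be built so an engagement can be terminated if it is not completed in a designated time frame. As an added illustration (not from the post, and not actual Stuxnet or DoD code), here is what the equivalent envelope looks like for a self-spreading cyber tool: before acting or spreading, it checks that the host matches the intended target fingerprint, that the mission has not expired, that the hop budget from the first implant is not used up, and that its environment has not changed underneath it, which is the check Sanger’s account says Stuxnet failed. The hostnames, software names and hashes are constructed; the expiry date mirrors the hard-coded kill date Symantec reported for Stuxnet.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class HostProfile:
    """What a self-spreading tool can observe about the machine it has landed on.
    Constructed fields for this example."""
    hostname: str
    plc_software: str         # engineering software present, e.g. "step7" or "none"
    project_hash: str         # hash of the PLC project file found on disk, "" if none
    internet_reachable: bool  # the environment change Stuxnet reportedly failed to notice


@dataclass(frozen=True)
class Mission:
    """The engagement envelope an operator fixes before release."""
    target_software: str
    target_project_hashes: frozenset
    expires_at: datetime      # hard stop: after this the tool must self-terminate
    max_hops: int             # machines beyond the first implant it may reach


def gate(host: HostProfile, mission: Mission, hop: int, now: datetime) -> tuple[bool, str]:
    """Decide whether the tool may act on this host.

    Returns (allowed, reason). Every check is a reason to stop, never to
    continue: an unrecognised environment defaults to standing down.
    """
    if now >= mission.expires_at:
        return False, "deadline passed: self-terminate"
    if hop > mission.max_hops:
        return False, "hop budget exhausted: stop spreading"
    if host.internet_reachable:
        return False, "environment changed (internet reachable): stand down"
    if host.plc_software != mission.target_software:
        return False, "target software absent: not a target"
    if host.project_hash not in mission.target_project_hashes:
        return False, "project file does not match the target set"
    return True, "fingerprint matched inside the engagement envelope"


# Constructed mission; the project hash is a placeholder, not a real value.
MISSION = Mission(
    target_software="step7",
    target_project_hashes=frozenset({"a1b2c3"}),
    expires_at=datetime(2012, 6, 24, tzinfo=timezone.utc),
    max_hops=3,
)

# Constructed hosts: the plant workstation, the same engineer's laptop once it
# is plugged into the internet at home, and an unrelated office PC.
PLANT_WORKSTATION = HostProfile("eng-ws-01", "step7", "a1b2c3", internet_reachable=False)
LAPTOP_AT_HOME = HostProfile("eng-laptop", "step7", "a1b2c3", internet_reachable=True)
OFFICE_PC = HostProfile("office-pc", "none", "", internet_reachable=False)


def evaluate_scenarios(now: datetime = datetime(2010, 7, 1, tzinfo=timezone.utc)) -> dict:
    """Run the gate over the constructed hosts; returns {scenario: (allowed, reason)}."""
    return {
        "plant_workstation": gate(PLANT_WORKSTATION, MISSION, hop=1, now=now),
        "laptop_at_home": gate(LAPTOP_AT_HOME, MISSION, hop=2, now=now),
        "office_pc": gate(OFFICE_PC, MISSION, hop=2, now=now),
        "too_many_hops": gate(PLANT_WORKSTATION, MISSION, hop=4, now=now),
        "after_deadline": gate(PLANT_WORKSTATION, MISSION, hop=1,
                               now=datetime(2013, 1, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_scenarios().items():
        print(f"{name:18} {'ACT' if allowed else 'STOP':4} {reason}")
```

The design point is that every check defaults to stopping. Stuxnet reportedly carried both an expiry date and a limit on how many machines it would spread to from one USB stick and escaped anyway, which is why the environment check, the one that would have caught the engineer’s laptop, matters as much as the deadline and the hop budget.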

ECPA Amendments and Privacy in a Post Petraeus World

One of the issues making the rounds like wildfire today was a report from Declan McCullagh at CNET regarding certain proposed amendments to the Electronic Communications Privacy Act (ECPA). The article is entitled “Senate Bill Rewrite Lets Feds Read Your E-mail Without Warrants” and relates:

A Senate proposal touted as protecting Americans’ e-mail privacy has been quietly rewritten, giving government agencies more surveillance power than they possess under current law.

CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans’ e-mail, is scheduled for next week.

Leahy’s rewritten bill would allow more than 22 agencies — including the Securities and Exchange Commission and the Federal Communications Commission — to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge. (CNET obtained the revised draft from a source involved in the negotiations with Leahy.)

This sounds like the predictably craven treachery that regularly comes out of the Senate, indeed Congressional, legislation on privacy issues. And exactly what many had hoped would cease coming out of Washington after the public scrutiny brought on by the Petraeus/Broadwell/Kelley scandal. And, should these amendments make it into law, they may yet prove detrimental.

But there are a couple of problems here. First, as Julian Sanchez noted, those abilities by the government already substantially exist.

Lots of people RTing CNET’s story today seem outraged Congress might allow access to e-mail w/o warrant—but that’s the law ALREADY!

Well, yes. Secondly, and even more problematic, Pat Leahy vehemently denies the CNET report. In fact, Senator Leahy does not support broad exemptions for warrantless searches of email content. A source within the Judiciary Committee described the situation as follows: Read more

General Dynamics: The Digital Tale of John & Jill and Dave & Paula

DO YOU KNOW THE WAY TO TAMPA BAY??

Another giant shoe has dropped in L’Affaire Petraeus. Not simply more specifics, but yet another General:

Gen. John Allen, the top American and NATO commander in Afghanistan, is under investigation for what a senior defense official said early Tuesday was “inappropriate communication’’ with Jill Kelley, the woman in Tampa who was seen as a rival for David H. Petraeus’s attentions by Paula Broadwell, the woman who had an extramarital affair with Mr. Petraeus.

In a statement released to reporters on his plane en route to Australia early Tuesday, Defense Secretary Leon E. Panetta said that the F.B.I. had informed him on Sunday of its investigation of General Allen.

Mr. Panetta turned the matter over to the Pentagon’s inspector general to conduct its own investigation into what the defense official said were 20,000 to 30,000 pages of documents, many of them e-mails between General Allen and Ms. Kelley, who is married with children.

Really, at this point, what can you even say about the secret storm soap opera that roils within the rarified brass air of the US Military? This was just the last hit for a night that ran from the emergence of the Shirtless FBI Guy (now under investigation himself by the Office of Professional Responsibility at DOJ) to a nighttime search of Paula Broadwell’s home by the FBI.

There are too many tentacles, evolving too quickly, to go too deep on all the facts that have rolled out even in the last twelve hours. But the General Allen/Jill Kelley bit is fascinating. Remember, the handful of emails Paula Broadwell sent to Kelley reportedly did not mention Petraeus by name. This latest report at least raises the possibility Broadwell was referring to an inappropriate relationship between Kelley and Allen, and not Kelley and Petraeus. I am not saying such is Read more

Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide

Dear Chevron: Thanks for letting us know you’ve been infected with Stuxnet. It’s difficult to muster sympathy for your management or shareholders, because you were warned. This guy quite clearly warned your industry, as did other firms specializing in technology security.

Every single manufacturer around the world using supervisory control and data acquisition (SCADA) driven equipment in their processes was warned. Businesses at particular risk are those relying on certain ubiquitous applications in a networked environment.

Perhaps you heeded the warning months ago but didn’t disclose widely that your business was working on eliminating the exposures. If your business has been hardening your systems, great. However, the public does have a right to know if your plant located in their backyard might blow up or release toxic chemicals because your firm was exposed to cyber warfare elements our country sponsored in some fashion.

This goes for any other firms out there that are dealing with the same exposure. Perhaps you believe it’s a business intelligence risk to let your competitors know you’ve got a problem– frankly, we’re way past that. The potential risks to the public outweigh your short-term profitability, and if your plant blows up/dumps chemicals/produces unsafe or faulty products because of Stuxnet, our public problem becomes your public relations/long-term shareholder value problem anyhow.

By the way: perhaps it might be worthwhile to actively recruit American citizens who qualify for security clearance when hiring SCADA application analysts to fix your Stuxnet problems. Why compound your problem for lack of foresight with regard to national security risks? We can see you’re hiring. Ahem. Read more

Breaking: Panetta Equating Crude Iranian Cyberattacks with Pearl Harbor, Iran Infiltrated Aramco

Today, the NYT–serving its role as spokesperson for the Cold War against Iran–confirms what blabby Joe Lieberman told CSPAN last month: the government suspects Iran was behind a series of crude cyberattacks on US banks.

Or to put it differently, Leon Panetta wants us to be more afraid of crude DDoS attacks on US online banking sites than he wants us to be of the orders of magnitude greater damage the banks cause all by themselves. Because … Iran!

More interesting is the widely reported speculation that Iran was behind the more serious attack on Aramco.

The attack under closest scrutiny hit Saudi Aramco, the world’s largest oil company, in August. Saudi Arabia is Iran’s main rival in the region and is among the Arab states that have argued privately for the toughest actions against Iran. Aramco, the Saudi state oil company, has been bolstering supplies to customers who can no longer obtain oil from Iran because of Western sanctions.

The virus that hit Aramco is called Shamoon and spread through computers linked over a network to erase files on about 30,000 computers by overwriting them. Mr. Panetta, while not directly attributing the strike to Iran in his speech, called it “probably the most destructive attack that the private sector has seen to date.”

Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls “denial of service” attacks, relatively crude efforts to send a nearly endless stream of computer-generated requests aimed at overwhelming networks. But as one consultant to the United States government on the attacks put it several days ago: “What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it.”

That’s interesting not because the attack did real damage–it didn’t, because it hit the business, not the production, computers.

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

“All our core operations continued smoothly,” CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

“Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus.”

It’s interesting because the malware was reportedly introduced into the Aramco network with the help of an insider.

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

[snip]

The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination.

Once you translate the NYT’s spin, here’s what we’re left with:

  • We’re supposed to treat cyberattacks by Iran as an existential threat, even though they expose Iran’s relative impotence in the cyber sphere.
  • We’re supposed to get panicked about computers here at home because Iran succeeded in human espionage with Aramco.

And while Panetta cries wolf over and over, the banksters and the oil companies continue to do the real damage he ignores.

Panetta Misses Underlying Problem with Cyberwhines

We can play a game we often play here at emptywheel with Leon Panetta’s address on cybersecurity last night. For each major attack he discusses or potential threat he envisions, there is an equivalent one that has or could easily happen without the cyber component.

Panetta talks about the Shamoon malware that hit Aramco infecting 30,000 computers.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.

But how did that do more damage than the Richmond Refinery fire and subsequent spike in gas prices, likely caused by a corroded pipe neglected in a recent turnaround? How did that do more damage than the damage BP, Transocean, and Halliburton did when their negligence led to the Deepwater Horizon spill, which still appears to be leaking 31 months later?

Panetta talks about DDoS attacks on banks that disrupted customer websites.

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks.  These attacks delayed or disrupted services on customer websites.  While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

How is this worse than the damage done by repeated flash crashes and other irregularities caused by high frequency trading? To say nothing of the damage done by reckless gambling during the housing crisis, which wiped out trillions of dollars in wealth?

Panetta talks about passenger or transport trains derailing.

They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals.

Apparently Panetta is unaware that trains derail all the time, and even spill dangerous chemicals, often because of operational or maintenance issues.

To some degree we could continue this game indefinitely, always finding an equivalent threat to the imagined or real threat posed by a cyberattack.

But there is a logic to the game: it reveals not only that Panetta is fearmongering while ignoring the reality of equally or more dangerous non-cyber threats.

It also suggests that he–and frankly, the rest of government trying to address this problem–misunderstands why corporations are not responding to the serial fearmongering about cyber. If corporations refuse to take obvious precautions against cyberthreats, but also refuse to take obvious precautions against non-cyberthreats, the problem is not the cyber component in the least.

The problem is that these corporations don’t want to–and in many cases refuse to–take obvious precautions against risk in general.

This suggests, then, that these corporations have not been given a sufficient combination of carrot and stick generally to mitigate obvious risks. And giving them immunity for cyber-negligence is likely not going to mitigate the threat reckless, negligent corporations pose to our society, whether because our enemies cause them to do things, or whether they do them of their own accord.

The problem is a culture that encourages corporations to skirt all accountability. No number of fancy programmers is going to change that by themselves.
