Cybersecurity

Latest

  • Source code theft prompts Symantec to issue warning to customers

    by Andrew Munchbach
    01.26.2012

    Security software publisher Symantec has confirmed it was the victim of a cyber attack, resulting in the theft and disclosure of product source code. Earlier this month, the online-collective Anonymous stated, via Twitter, that it possessed portions of the code in question and planned to release it in support of a class-action lawsuit filed by consumers -- the suit claims Symantec employed scare tactics to encourage users to purchase its wares. Via its website, the company affirmed Anonymous' claims, citing a source code heist dating back to 2006. The post goes on to suggest that users running Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks, Symantec Endpoint Protection 11.0, or Symantec AntiVirus 10.2 apply the latest maintenance patches. If you have the company's pcAnywhere solution deployed, Symantec suggests only using it for "business critical purposes," as this software is "at increased risk." Those looking to stay up-to-date on the breach and what Symantec is doing to ameliorate its effects can get the blow-by-blow from the source link below.

  • US Cyber Command completes major cyber attack simulation, seems pleased with the results

    by Amar Toor
    12.02.2011

    The US Cyber Command is barely out of its infancy, but it's already crossed one milestone off its to-do list, with the successful completion of its first major test run. The exercise, known as Cyber Flag, was carried out over the course of a single week at Nellis Air Force Base in Nevada, where some 300 experts put their defense skills to the test. According to Col. Rivers J. Johnson, the participants were divided into two teams: "good guys," and "bad guys." The latter were delegated with the task of infiltrating the Cyber Command's networks, while the former were charged with defending the mock cyberattack and keeping the government's VPN free of malware. The idea, according to the agency, was to simulate a real-world attack on the Department of Defense, in order to better evaluate the Command's acumen. "There were a variety of scenarios based on what we think an adversary would do in real world events and real world time," Johnson explained. "It was a great exercise." The Colonel acknowledged that the good guys weren't able to defend against all of the attacks, but pointed out that the vast majority were recognized and mitigated "in a timely manner." All told, Cyber Flag was deemed a success, with NSA Director and Cyber Command chief Gen. Keith Alexander adding that it "exceeded" his own expectations.

  • WikiLeaks' Spy Files shed light on the corporate side of government surveillance

    by Amar Toor
    12.02.2011

    WikiLeaks' latest batch of documents hit the web this week, providing the world with a scarily thorough breakdown of a thoroughly scary industry -- government surveillance. The organization's trove, known as the Spy Files, includes a total of 287 files on surveillance products from 160 companies, as well as secret brochures and presentations that these firms use to market their technologies to government agencies. As Ars Technica reports, many of these products are designed to get around standard privacy guards installed in consumer devices, while some even act like malware. DigiTask, for example, is a German company that produces and markets software capable of circumventing a device's SSL encryption and transmitting all instant messages, emails and recorded web activity to clients (i.e., law enforcement agencies). This "remote forensic software" also sports keystroke logging capabilities, and can capture screenshots, as well. Included among DigiTask's other products is the WifiCatcher -- a portable device capable of culling data from users linked up to a public WiFi network. US-based SS8, Italy's Hacking Team and France's Vupen produce similar Trojan-like malware capable of documenting a phone or computer's "every use, movement, and even the sights and sounds of the room it is in," according to the publication. Speaking at City University in London yesterday, WikiLeaks founder Julian Assange said his organization decided to unleash the Spy Files as "a mass attack on the mass surveillance industry," adding that the technologies described could easily transform participating governments into a "totalitarian surveillance state." The documents, released on the heels of the Wall Street Journal's corroborative "Surveillance Catalog" report, were published alongside a preface from WikiLeaks, justifying its imperative to excavate such an "unregulated" industry. 
    "Intelligence agencies, military forces, and police authorities are able to silently, and on mass, and [sic] secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers," wrote WikiLeaks in its report. "In the last ten years systems for indiscriminate, mass surveillance have become the norm." The organization says this initial document dump is only the first in a larger series of related files, scheduled for future release. You can comb through them for yourself, at the source link below.

  • DARPA setting up a $130 million 'virtual firing range' to help battle cyber attacks

    by Vlad Savov
    06.20.2011

    The US government is serious about online security -- just ask any one of its cyber commandos. Adding to its arsenal for battling the big bad hackers, Reuters reports that DARPA is working on a National Cyber Range, which would act as a standalone internet simulation engine where digital warriors can be trained and experimental ideas tested out. Lockheed Martin and Johns Hopkins University are competing to provide the final system, with one of them expected to soon get the go-ahead for a one-year trial, which, if all goes well, will be followed by DARPA unleashing its techies upon the virtual firing range in earnest next year. The cost of the project is said to run somewhere near $130 million, which might have sounded a bit expensive before the recent spate of successful hacking attacks on high profile private companies, but now seems like a rational expenditure to ensure the nuclear missile codes and the people crazy enough to use them are kept at a safe distance from one another. DARPA has a pair of other cleverly titled cybersecurity schemes up its sleeve, called CRASH and CINDER, but you'll have to hit the source link to learn more about them.

  • Pentagon says cyber attacks are acts of war: send us a worm, get a missile in return?

    by Michael Gorman
    05.31.2011

    Well, the Pentagon is finally fed up with hackers picking on its buddies and foreign intelligence taking shots at its computer systems, and has decided that such cyber attacks can constitute an act of war. Of course, the powers that be won't be bombing you for simply sending them some spyware, but attempts to sabotage US infrastructure (power grids, public transit, and the like) may be met with heavy artillery. It's unclear how our government will identify the origin of an attack or decide when it's serious enough to start shooting, but Uncle Sam is looking to its allies to help create a consensus answer for those questions. The retaliatory revelation is a part of the Pentagon's new cyber strategy that'll be made public in June -- so saboteurs beware, your next internet incursion might get you an ICBM in your backyard.

  • Obama administration moves forward with unique internet ID for Americans, Commerce Department to head system up

    by Laura June Dziuban
    01.09.2011

    President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity. Other candidates mentioned previously to head up the new system have included the NSA and the Department of Homeland Security, but the announcement that the Commerce Department will take the job should please groups that have raised concerns over security agencies doing double duty in police and intelligence work. So anyway, what about this unique ID we'll all be getting? Well, though details are still pretty scant, U.S. Commerce Secretary Gary Locke, speaking at an event at the Stanford Institute, stressed that the new system would not be akin to a national ID card, or a government controlled system, but that it would enhance security and reduce the need for people to memorize dozens of passwords online. Sorry, Locke, sounds like a national ID system to us. Anyway, the Obama administration is currently drafting what it's dubbed the National Strategy for Trusted Identities in Cyberspace, which is expected at the Department of Commerce in a few months. We'll keep you posted if anything terrifying or cool happens. Update: For clarity's sake, we should note that the proposed unique ID system will be opt in only, not a mandatory program for all citizens.

  • China Telecom re-routes 15% of the world's Internet traffic for a full 18 minutes, hopes no one noticed

    by Joseph L. Flatley
    11.17.2010

    On April 8 of this year there was an approximately eighteen minute long period of time where China Telecom advertised erroneous network traffic routes, causing foreign Internet traffic to travel through Chinese servers. According to a congressional panel, about fifteen percent of the world's Internet traffic was diverted -- including that of the US government and military, and a number of commercial websites. As always seems to be the case when we're talking about The People's Republic, there are few things that can be said for certain, while a ton of questions linger: was this really just a mistake, or was someone flexing their muscles? Could this have been a diversion "intended to conceal one targeted attack," as Arbor Networks Chief Security Officer Danny McPherson suggested? We don't know, but this is the country that brought us both iorgane and buses that drive over cars, so we suppose anything's possible.

  • Operation Cyber Storm III underway, makes digital certificates cool again

    by Joseph L. Flatley
    09.28.2010

    Fans of cyberwarfare (which we are, if only because we like to imagine that it looks like Battlezone) take note: following hot on the heels of the previous Cyber Storm I and II and Cyber ShockWave wargames, the Department of Homeland Security is sponsoring a little something called Cyber Storm III. Starting yesterday, the three-day exercise simulates more than 1,500 different types of attack, with a special emphasis on identities, trust relationships, and digital certificates. As Brett Lambo, director of Homeland Security's Cyber Exercise Program, told AFP, "we're kind of using the Internet to attack itself. At a certain point the operation of the Internet is reliant on trust -- knowing where you're going is where you're supposed to be." The exercise will test the National Cyber Incident Response Plan as well as the new National Cybersecurity and Communications Integration Center. But you can breathe easily: the operation is focusing on defense, not offense (for now).

  • Thumb drive-based malware attack led to formation of US Cyber Command

    by Joseph L. Flatley
    08.26.2010

    Recently declassified documents have revealed that the worst breach of U.S. military computers evar went down in 2008, a major turning point in our nation's cyberstrategy that eventually led to the formation of the United States Cyber Command. Operation Buckshot Yankee, as the defense came to be known, began when a USB thumb drive infected by a foreign intelligence agency was found in the parking lot of a Department of Defense facility in the Middle East. Whoever found the thing placed it in their laptop (probably hoping to find Justin Bieber MP3s), which just so happened to be attached to United States Central Command. From that point, writes Deputy Defense Secretary William J. Lynn in Foreign Affairs, malware spread "undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control." Yikes! We still haven't found out which country orchestrated the attack, or what they might have learned from it, so until the Pentagon tells us otherwise we're going to do what we usually do in these situations and blame Canada (sorry, Don). [Warning: read link requires subscription]

  • Attractive, non-existent woman on internet easily makes inroads in military, intel, and hacker circles

    by Laura June Dziuban
    07.23.2010

    Thomas Ryan of Provide Security's making it public knowledge that social networking sites aren't just annoying: they're also potentially major security threats. Ryan set up a fake Facebook, LinkedIn and Twitter account for "Robin Sage," a person who doesn't exist and never has -- but we can assure you she's really, really hot. Robin billed herself as a graduate of MIT and a prestigious New Hampshire prep school, and quickly made hundreds of connections across all three sites, without ever offering any proof of her existence or the connections she espoused. Even more stunning, "Robin" was befriending military, government and intel people on Facebook and LinkedIn (where she dubbed herself a "hacker"), and hackers on Twitter. Ryan's findings state that the military and intel "friends" Robin made freely share information and documents with her, as well as inviting her to various conferences. Interestingly, it turns out the only group that was in any way resistant to Robin were the MIT-associated people... but we knew they were all whip-smart already. Moral? Next time you accept the request of a beautiful, intelligent hacker who wants to come over and view your secret dossiers, you should probably think twice.

  • Perfect Citizen: secret NSA surveillance program revealed by WSJ

    by Thomas Ricker
    07.08.2010

    Do you trust your government? Do you just support it like an obedient Britney Spears, steadfast to your faith that it will do the right thing? Your answer to those questions will almost certainly predict your response to a Wall Street Journal exposé of a classified US government program provocatively dubbed, "Perfect Citizen." Why not just call it "Big Brother," for crissake! Oh wait, according to an internal Raytheon email seen by the WSJ, "Perfect Citizen is Big Brother," adding, "The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security." Histrionics aside, according to the WSJ, the "expansive" program is meant to detect assaults on private companies and government agencies deemed critical to the national infrastructure. In other words, utilities like the electricity grid, air-traffic control networks, subway systems, nuclear power plants, and presumably MTV. A set of sensors deployed in computer networks will alert the NSA of a possible cyber attack, with Raytheon winning a classified, $100 million early stage contract for the surveillance effort. Now, before you start getting overly political, keep in mind that the program is being expanded under Obama with funding from the Bush-era Comprehensive National Cybersecurity Initiative. The WSJ also notes that companies won't be forced to install the sensors. Instead, companies might choose to opt-in because they find the additional monitoring helpful in the event of cyber attack -- think of Google's recent run-in with Chinese hackers as a potent example. Like most citizens, we have mixed emotions about this. On one hand, we cherish our civil liberties and prefer to keep the government out of our personal affairs. On the other, we can barely function when Twitter goes down, let alone the national power grid.

  • DARPA program will detect your anomalous behavior, eliminate you

    by Joseph L. Flatley
    05.23.2010

    Crime prevention is boring -- crime prediction, on the other hand, is tres exciting! Indeed, we've seen a few pre-crime projects in the past, but very little that existed outside the realm of cockamamie. That is, until we laid eyes on a new project from DARPA called SMITE (or Suspected Malicious Insider Threat Elimination). This one actually seems -- dare we say it? -- feasible. Details are sketchy (they're still in the RFI stages) but essentially the idea is to create a database of actions that correspond to "malicious" behavior; for instance, espionage. It's hoped that behaviors can be detected before they lead to an actual crime, which leads to all sorts of ethical and philosophic questions that we quite frankly don't have the energy to ponder on a Friday afternoon. Luckily for all of us, this is DARPA we're talking about -- so chances are this won't go anywhere. But if it does? As The Register kindly points out, the "e" in SMITE stands for "elimination." Nice. [Warning: PDF source link]

  • Cyber ShockWave training exercise tests US readiness for cyber-attacks

    by Joseph L. Flatley
    02.18.2010

    If we've learned anything from Hollywood it's that cybersecurity is a growing national concern. And there are a couple approaches the country could take to tackle the problem. The first, which we wholeheartedly endorse, involves relying on tough guys with bad attitudes, short fuses, and a propensity for tattered clothing (at least once the bombs start dropping). The other -- endorsed by Washington think tanks with names like the Bipartisan Policy Center -- would be actual preparation and policy-making. To this end, the Mandarin Oriental Hotel in DC hosted Cyber ShockWave, which only sounds like an awesome energy drink -- in fact, it was a simulated, 12-hour cyber attack held yesterday. In the words of the Wall Street Journal, organizers intended "to show how the U.S. government would respond to [attacks] against its networks and infrastructure." According to a 367-page November report by the US-China Economic Security Review Commission, the DoD has had to deal with some 54,640 total cyber attacks in 2008 -- with the number of attacks increasing to 43,785 in the first half of 2009 alone. That's a lot of attacks! On second thought, maybe the whole "preparation" and "training" thing does sound like a good idea. So long as we keep John McClane around -- just in case.

  • Acting Cybersecurity Czar resigns for 'personal reasons'

    by Donald Melanson
    08.04.2009

    She still hasn't ever been formally named to the post she helped create, but acting White House Cybersecurity Czar Melissa Hathaway has now already taken her name out of the running and announced her resignation from the job, citing the usual "personal reasons" and the need to "pass the torch." As The Wall Street Journal reports, however, there may have been a bit more drama going on behind the scenes, with "people familiar with the matter" reportedly saying that she has been "spinning her wheels" in the post, and marginalized politically. For its part, the White House simply says that cybersecurity remains "a major priority for the president," and that "the president is personally committed to finding the right person for this job, and a rigorous selection process is well under way." [Via Switched]

  • White House, Pentagon announce plans for new cybersecurity positions

    by Donald Melanson
    05.29.2009

    It's just been a few short months since a proposed bill called for the creation of a National Cybersecurity Advisor, but it looks like there's now not one but two new positions in the offing, with both the Pentagon and President Obama himself announcing plans for some newly elevated offices charged with keeping the nation's networks secure. While a specific "Cybersecurity Czar" hasn't yet been named, the White House position will apparently be a member of both the National Security Council and National Economic Council and, in addition to coordinating U.S. response in the event of a major attack, the office will also be tasked with protecting privacy and civil liberties. Details on the new Pentagon office, on the other hand, are expectedly even less specific although, according to The New York Times, it'll be a military command that will work to coordinate efforts now scattered across the four armed services, and will apparently serve as a complement to the civilian office in the White House.
    Read - Reuters, "Obama to name White House cybersecurity czar"
    Read - The New York Times, "Pentagon Plans New Arm to Wage Cyberspace Wars"
    [Thanks, Ryan]

  • Proposed bill would create National Cybersecurity Advisor

    by Nilay Patel
    04.06.2009

    It hasn't gotten a lot of traction yet, but Senators Jay Rockefeller and Olympia Snowe have jointly introduced a bill that would create an Office of the National Cybersecurity Advisor, a new White House position designed to beef up the nation's information security policies. The new office goes hand-in-hand with the Cybersecurity Act of 2009, another proposed bill that would create an entire panel of security experts brought in from the government, private sector, and universities. All together, the two pieces of legislation would require that government networks and software meet a set of security standards and vulnerability tests -- and, more controversially, that private networks deemed "critical infrastructure" by the President meet these standards as well. What's more, El Presidente can order the disconnection of those networks during a "cybersecurity emergency" or national security emergency if needed, and security professionals will need to be licensed by the government to work on them. Yeah, it's a long way from BlackBerrys loaded with presidential campaign information being sold at yard sales, but we'd bet some of these ideas get tamer as the bill moves through the process -- we'll see how it goes.