Wednesday, 4 December 2013

Ultrasonic cyber-attack can “steal information” even from high-security systems, researchers warn

An audio communication system designed for ultrasonic underwater communications can be used to steal data – even from disconnected PCs in secure environments, by relaying it to the outside world from PC to PC through computer speakers, researchers claim.
The technique could defeat the security measures used by military establishments and stock markets – and was described as ”
Researchers showed how computer speakers could transmit data at around 20 bits per second over ranges of up to 60 feet, according to The Telegraph, and “secretly leak critical data to the outside world”.
Using ordinary computer hardware, infected with malware, computers can be “chained” so that data could plausibly be stolen from a disconnected – or “air gapped” – PC, and sent via a relay to the outside world, all via PC speakers.
Sensitive data can be stolen undetectably, using audio signals transmitted from PC to PC at frequencies up to 35,000Hz – well outside the range of human hearing. The researchers did not investigate whether the technique could be used to infect machines. Their technique is discussed at length here.
“The proof-of-concept software, detailed in the Journal of Communications, suggests that a lack of an Internet connection isn’t enough to insulate sensitive internal computer systems from the outside world,” CNET said in its report.
Previously, an “air gap” – computers disconnected entirely from internal and external networks – was considered a highly secure way to protect data. This research may “break the security” of such systems, the researchers warn. “Air gaps” – where a computer is not connected to any network, internal or external, wired or wireless, are used in high-security environments, such as military systems or financial institutions such as stock market, to protect data.
The researchers demonstrated how the attack could transmit data from one infected PC through a series of relay “drones”, to an attacker PC which then sends the information out via the internet. The researchers demonstrated this with keylogger software – which logged what was typed on a disconnected PC, then transmitted it, inaudibly to other PCs.
The researchers say that such attacks bypass current security measures to transmit covert and stealthy information from PC to PC, even on networks with strict security policies. Using five Lenovo T400 PCs, and their built in speakers and audio cards, the researchers were able to transmit data from a disconnected PC to the outside world.
“If we want to exploit a rigorously hardened and tested type of computing system, or networks, we have to break new ground,” the researchers wrote in the Journal of Communications. “Covert channels are communication channels utilizing means for communications that have not been designed for this purpose.  With a covert channel, we can circumvent system and network security policies.”
The Telegraph points out that malware that bridges “air gaps” has been used before – Flame, which the Washington Post claimed may have been developed by the NSA and CIA, used Bluetooth to download contact information from nearby devices. Flame was largely detected on machines in Iran.
The idea that malware could communicate in this way is not far-fetched in itself – earlier this year, We Live Security reported on research from the University of Alabama at Birmingham, where sound was used as a “trigger” for malware.
Researchers found signals could be sent from a distance of 55 feet using “low-end PC speakers with minimal ampliļ¬cation and low-volume”, the researchers said.
“We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack,” said Nitesh Saxena, Ph.D., of UAB. “While traditional networking communication used to send such triggers can be detected relatively easily, there does not seem to be a good way to detect such covert channels currently.”
The researchers presented a paper titled “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices,” at the 8th Association for Computing Machinery Symposium on Information, Computer and Communications Security (ASIACCS) in Hangzhou, China.

Why your small business needs an information security policy and WISP

Did you catch the webinar that I did today on information security policy? It was titled “How can your small business make security policies pay off?” If you missed it, there is a recording here that you can view at any time. During the question and answer session towards the end of the recording, a member of the audience asked the following: You talk about policy singular but also multiple policies, which do I need? This really got me thinking about how information security people talk about policy and I realized it can be confusing. So here are some explanations, about security policy, policies, and a thing called WISP.
First of all, what does it mean for an organization to have an information security policy, singular? It means that the organization has stated and recorded its commitment to protecting the information that it handles. For example, here is what Acme Bicycle Company might say:
It is the policy of ABC that information, as defined hereinafter, in all its forms–written, spoken, recorded electronically or printed–will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
This statement of overall policy usually appears as the preamble to a series of more specific policies. For example, there may be a section on Risk Management:
A thorough analysis of all ABC information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information.
There should probably be a virus protection policy. It that might say something like this:
Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
So there are multiple specific policies below the overall information security policy. There is another term you may see when people talk about information security policy and that is information security program, and sometimes written information security program or WISP (not to be confused with Wireless Internet service Provider).
WISP is a term that encompasses all relevant policies plus your organization’s program for implementing them. I like the term because it implies something more practical that just a collection of policies sitting in a binder (although the WISP will likely sit in a binder too). Regular readers may recall that WISP plays a prominent role some information security legislation, notably the law Massachusetts which says:
“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”
I won’t go into the details about Massachusetts law since the main points were covered in that earlier article, but suffice to say I think that every business, large or small needs to have a WISP. This may simply be an attachment to existing policies that says:
The ABC Written Information Security Program consists of the enclosed policies and the steps we take to enforce them, including dissemination of polices to all new employees and the regular training of all employees on how to uphold the policies in their work, together with a periodic management review of the program to ensure that all aspects of information security in our organization are appropriately addressed at all times.
Now, if you meet resistance when it comes to the not inconsiderable effort of creating and executing a WISP, try persuading skeptics with a litany of examples of actual small firms that actually went out of business or suffered severe loss because of cyber criminals, many of whom could have been defeated if the victim had been on top of the problem. Where to find the facts? The highly reliable Brian Krebs has a sobering collection of small biz cases, constantly updated.

Why a WISP may deal you a winning hand

Suppose you run Acme Bicycle Company and have developed an new style of bicycle pedal. Will Joe Consumer, who just wandered into you retail store ask to see your WISP before he buys pedals from you? Probably not. But suppose you’re bidding to supply a lot of pedals wholesale to the MegaSports chain. Will MegaSports want to see your WISP? Probably.
I have seen the lengthy compliance documents that some large companies present to smaller companies with whom they want to do business and, without a WISP, it is going to be hard to comply in a timely fashion, which means you could lose the business to a competitor who already has their security program in place and documented. Here is language from one such document which was attached to a juicy contract, as a condition of doing business:
Vendor must have a written policy that addresses information security, states management commitment to security, and defines the approach to managing information security.
And here are some questions which another big vendor put to an SMB, again as part of the contract process:
  • Are there documented policies and procedures for managing security?
  • Does the vendor perform internal reviews of security policy and technical compliance?
  • Are security policies and procedures disseminated to all vendor employees?
So, getting your information security policy in order is not a wish list item or a “nice to have but not essential” extra for your business. Not only is a WISP essential to succeed in fending off the bad guys (who are most definitely targeting small businesses these days); it also helps you to win business.

Policy links that may help

Here are some links to free information and policy samples that can help you tackle the task of WISP creation and implementation:
If you’re in the business of education you can easily find the security policies used by other schools by using Google. For example, here is The George Washington University Information Security Policy. Note that policies are one area where some “plagiarism” may be permissible. In other words, your organization may take policies from others and customize them to your needs (Policies are a bit like recipes as far as copyright is concerned, but I’m not a lawyer, so you may want to check this, and you certainly shouldn’t be reselling policies you didn’t write).
If you’re in the business of government, then the security policies of other agencies should be readily available to you. There is an index of links to state information security policies here.
There are several commercial vendors that offer tools for implementing policy, for example Info-Tech’s Security Policy Implementation tool.

Malware can infect system using Inaudible Audio signals

German researchers demonstrated how a malware can infect system in air gapped networks and transfer stolen data using Inaudible Audio signals.

The shocking news that it is possible to infect a computer with Inaudible Audio signals is circulating within the security community has been circulating for several weeks between denials and confirmations.
In October the security researcher Dragos Ruiu described a malware codenamed badBIOS characterized by the capability to infect targeted machines using sound waves as transmission vector, immediate was the skeptical reaction of the world security community.
Even if a computer system is isolated from the Internet, and any if the use of any mobile devices (e.g. USB stick, mobile storage) is not allowed, an attacker could infect the target just using Inaudible Audio signals.
The proof of concept has been provided by German scientists at the Fraunhofer Institute for Communication, Information Processing and Ergonomics, that designed malware prototype, the scientists also have published a paper describing on how malware can be designed to cross the air gap by transmitting data through common speakers and recording it via microphone. The malicious code relies on network stack originally developed for underwater communication and the propagation of the signal exploit a software-defined modem based on the GNU Radio project.
The computers operates as a mesh network where each node can send or receive audio emanation, and implements routing activities sending data to the next hop in the chain before it’s received by the attacker.
“The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered,” states the paper.
Malware exploit Inaudible Audio signals
The fake sense of security that isolating a network is possible to protect a network was dismantled by the news.
The methods attack open the way to scaring scenarios, let’s think of the ability to infect any ability air gapped network within a critical infrastructure exploiting Inaudible Audio signals as a vector to spread malicious code for sabotage or for cyber espionge.
The attack scenario is described in the paper with the below statement:
“The infected victim sends all recorded keystrokes to the covert acoustical mesh network. Infected drones forward the keystroke information inside the covert network till the attacker is reached, who is now able to read the current keyboard input of the infected victim from a distant place.”
The researchers demonstrated that the malware is able to transfer data at a very low transfer rate, 20 bits /Sec, that anyway are enough to transfer sensitive data such as user’s credential or any other personal information.
The researchers also demonstrated how to use sound waves to send keystroke information to a network-connected computer, which then sent the data back to the attacker via email.
Malware exploit Inaudible Audio signals2
How to mitigate a similar attack?
Some basic countermeasures can be implemented to protect systems against malware transferred via Inaudible Audio signals:
  • Switching off the audio input and output devices from the system.
  • Employ audio filtering that blocks high-frequency ranges.
  • Using an Audio Intrusion Detection Guard.
The paper describes is very intriguing because it incorporates the Dragos Ruiu’s allegations, it remark the principle that is possible to infect a “disconnected system” exploiting a different channel for malware propagation.
Michael Hanspach and Michael Goetz confirmed that there is no connection between their paper and badBIOS, Hanspach said their attack is feasible today because the utilized techniques are well documented.
“If we were able to come up with this research with very few people, time and budget (and with good intentions), so would be larger groups (maybe with a different intention),”  “Therefore, anyone working in a security critical context should be thinking about protection measures.” Hanspach said via email to the Threatpost.
Let’s wait for a security solution, meantime security managers of critical computing systems are advised.

Is Cyber War Around the Corner? Collective Cyber Defense in the Near Future

nformation technologies and infrastructure―from satellites orbiting the earth to the smart phones in our hands, from undersea cables to wireless networks all around us, and from the global banking system to household appliances―play an increasingly indispensable role in daily life. At the same time, threats to cyber security are becoming both more numerous and more serious.

Recognizing the threat

President Obama provided a high-profile warning of the growing threat in the cyber domain in his February 12, 2013 State of the Union Address.[1] He pointed out that “America must also face the rapidly growing threat from cyber-attacks” and “our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.” He revealed that he had signed a new executive order “that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”
Cyber security has become a top priority in national and international security, even if some experts are skeptical about possibilities for an actual cyber war. In a speech to business executives in October 2012, then-U.S. Secretary of Defense Leon Panetta noted that a “cyber attack perpetrated by nation states and violent extremist groups could be as destructive as the terrorist attack of 9/11,” and that “the collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life.” [2]
Is cyber war really a possibility, as high-ranking government officials have begun to warn? Many cyber experts have been debating this question for more than a decade,[3] but the question is yet to be answered.
It is true that many countries face cyber espionage, cyber sabotage or subversive activity, varying from cyber snooping aimed at news media―New York Times, Wall Street Journaland Washington Post, to name a few―and think tanks[4] to the corporate sabotage aimed at Saudi Aramco.[5] We have, however, not seen cyber acts resulting in “hurting, injuring, and killing human beings, even a single one” as Thomas Rid argued recently in a panel discussion at Brookings. [6]
Cyber warfare in the future might be far from what we might imagine. It is sure that a cyber war would not meet the rigid social scientific definition of “war” codified in the notable and long-standing “Correlates of War Project (COW)”[7] which describes it as “sustained combat, involving organized armed forces, resulting in a minimum of 1,000 battle-related fatalities.”[8]
Even though fatalities may not occur in a future cyber war, experts are seriously concerned about cyber attacks as part of a larger act of aggression. As Secretary Panetta argued in his speech, “the most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country.”[9]

Glimpses of the future

In fact, there is a high incidence of country-level cyber attacks aimed at critical infrastructure in the past half-decade: on Estonia in 2007, on Georgia in 2008, and on South Korea in 2009 and 2013.
In the Estonian case, a nationalistic confrontation between Russia and Estonia over the relocation of the Soviet-era Bronze Soldier monument, which to some in Estonia symbolizes Soviet oppression, triggered large scale of distributed denial-of-service (DDoS) cyber attacks targeting the country's infrastructure. It caused the websites of government authorities, political parties, and financial institutions to shut down. At that time Estonia had one of the most advanced information infrastructures in Europe and depended heavily on information technology, so the results of the attack were quite disruptive. In the second wave of DDoS attacks on May 10, 2007, nearly a million computers outside Estonia requested Estonian servers to respond to external communications and filled the national network with meaningless data. As a result, on-line baking services and ATMs belonging to Estonia’s two largest banks came to a standstill.
South Korea faced cyber attacks more severe and sophisticated than DDoS in 2013. On the afternoon of March 20, internal computer networks of television broadcasters and three major banks were forced to shut down, caused by a premeditated malware assault on servers and tens of thousands computers in the networks. The banks’ ATMs and the broadcasters’ news distribution systems were paralyzed for several hours. South Korea’s official investigation team blamed North Korea for masterminding the cyber attacks[10] and the government estimated the damage to South Korea of the March attack and a subsequent June attack to be at least US$800 million, according to a ruling party legislator.[11] After eight months of careful preparation, Pyongyang apparently put a mass cyber attack plan into action, coinciding with increasing military tension on the Korean Peninsula after its third nuclear test on February 12.

Japan’s response

In Japan, since around 2006, ministries and agencies, other governmental organizations, think tanks, and scholars have faced sophisticated cyber attacks from so-called “advanced persistent threats (APT)” aimed at stealing top-secret information from specific organizations and individuals. Only recently, however, has Japan recognized the reality of wide-ranging cyber espionage against not only government ministries and agencies but also against private-sector businesses. The year 2011 could even be termed the “first year of cyber war” for Japan, in that it was the year in which the scope of the threat became widely known. It was revealed, for example, that there had been cyber espionage on defense industrial companies and on the internal network of the House of Representatives.
Careful attention to each cyber attack in this half-decade reveals that cyber attacks frequently follow incidents of international discord. In addition to targeted attacks with the objective of stealing classified information, signs of attacks designed to paralyze the control systems of vital social infrastructure have begun to appear in recent years. With the realization that successful attacks on electrical grids, transportation facilities, industrial sites, or others would have an adverse impact on people’s actual lives, detecting and preventing attacks on control systems has become the top cyber defense priority.
Perhaps more seriously, the ability of politicians, bureaucrats, military officers, and experts to react efficiently to crises or threats without access to communications networks or control systems is a major threat, representing the potential dark side of our globalized information world. Therefore, cyber attacks present at least a two-tier threat: they are damaging in themselves, and they create potential for widespread physical damage exacerbated by potentially ineffective government response.
In the face of new challenges, in March 2012 the Ministry of Economics, Trade and Industry (METI) of Japan and eight Japanese electronics companies established a “Control System Security Center (CSSC).” This is a technology research association designed to strengthen the security of control systems of important infrastructure and to establish verification methods and evaluation of control systems. In collaboration with eighteen companies including manufacturers, vendors, and consumers of control systems, the CSSC opened a test-bed laboratory for the security of control systems in Miyagi, Tohoku on May 17, 2013. The lab has several objectives: 1) to provide the latest security verification tools for controls systems, 2) to develop secure technology for control systems, 3) to drive international system security standardization, 4) to develop certification tools, 5) to provide incident support, 6) to develop human resources, and 7) to establish security guidelines.
In order to protect cyberspace, early detection of cyber attacks is essential and warnings must be shared without delay among like-minded countries. At the same time, it is difficult to defense against cyber attacks and cyber espionage through defensive measures alone. It will also be necessary to invade attackers’ networks in return as measures of “cyber-counterattacks in self-defense” for purpose of identifying enemies’ activities and striking back at them. This may be considered “collective cyber defense.”

U.S.-Japan alliance

U.S. Secretary of State John Kerry and Secretary of Defense Chuck Hagel met with their Japanese counterparts, Minister for Foreign Affairs Fumio Kishida and Defense Minister Itsunori Onodera, for a meeting of the U.S.-Japan Security Consultative Committee (SCC) in Tokyo on October 3, 2013. The SCC meetings, so-called “2+2,” are convened on an irregular basis, usually in Washington, and rarely with two Ministers and two Secretaries―normally only one U.S. leader is able to participate at any one time. This time, however, was a landmark in the long history of the alliance, as a true 2+2 meeting was held for the first time in Tokyo.
The joint statement[12] announced in Tokyo covers a gamut of alliance-related concerns but places particular emphasis on five topics: 1) revising the U.S.-Japan 1997 Defense Guidelines by the end of 2014 in a way that reflects new challenges, such as in the space and cyber domains, and enhancing the alliance to enable a more active international role; 2) enhancing the ballistic missile defense capabilities of both countries, and deploying a second X-band defense radar in the middle of the coast along the Sea of Japan, which will cover the Japan as well as the U.S. homeland; 3) widening the role of the alliance for more active regional engagement, especially in the maritime security and humanitarian assistance/disaster relief arena; 4) pursuing steady implementation of the realignment of U.S. forces in Japan; 5) deploying more advanced U.S. military capabilities into Japan, including the introduction of the MV-22, P-8 maritime patrol aircraft, Global Hawk unmanned aerial vehicle, and the F-35B.
Japan and the U.S. seek in particular to enhance the “collective cyber defense” capability of the alliance, aiming to make it a foundation for information security and information protection more broadly. As a senior Obama administration official told reporters in a background briefing at the Tokyo 2+2 meeting, cyber security is “also an important line of effort in the U.S.-Japan alliance, ensuring that our practices, our standards, our procedures are as strong and robust as they can be, because that’s the thing – that’s the foundation for everything else that we do together.”[13]
Japan could make an important contribution to collective cyber defense by developing secure technology for control systems and by promoting global standardization of control system security. This dual track would help create a more robust social infrastructure among allies and like-minded countries.
In addition to the effort to ensure the safety of social infrastructure in the case of cyber warfare, it is inevitable for allies to attempt to preempt cyber attacks with dual aims of deciphering signs of impending cyber attacks and taking measures against them. From that standpoint, global surveillance of the sort conducted by the National Security Agency (NSA) is absolutely imperative to secure our society not only from terrorist attacks but also from cyber attacks. According to some recent news reports,[14] in 2011 Tokyo rejected the NSA’s offer of cooperation in wiretapping fiber-optic cables across the Asia-Pacific region; Article 21[15] of the Constitution of Japan strongly forbids the government from violating the secrecy of any means of communication. On the other hand, Article 12[16] asks Japanese citizens to utilize their freedoms and rights for the public welfare. Judged in light of the potential benefit to the common welfare that collective cyber defense could produce, Tokyo should re-consider its refusal to participate in joint global surveillance against cyber attacks.
In any event, better judgment on the scope and scale of surveillance is needed. Even if President Obama and senior U.S. government officials plead their ignorance, the NSA surveillance scandal which now involves the monitoring of telephone calls of world leaders including German Chancellor Angela Merkel, casts doubt over the trust between Western allies and the United States. Merkel told President Obama that wiretapping among allies is “completely unacceptable.”
According to the secret NSA documents unveiled by Edward Snowden, the U.S. SIGINT system has targeted on both enemies and allies.[17] The documents show that the NSA has been snooping not only around European countries but also around U.S. Pacific allies, South Korea and Japan, aiming to gather information on strategic technologies, economic influence and foreign policy, for the purpose of ensuring economic advantage and national security interests.
Despite of a lot of press coverage on NSA spying in Japan, Tokyo somewhat surprisingly has not publicly criticized the United States for these activities. It is not as yet clear whether this silence indicates a deep-seated belief in the alliance or a lack of basic knowledge for cyber security literacy.
No matter how strong the belief in the alliance, however, the betrayal of a friend leads to the catastrophe of the end of the trust and to severe difficulties in collective cyber defense against real enemies.
[1] The White House, Office of the Press Secretary, “President Barack Obama's State of the Union Address,” February 12, 2013;
[2] U.S. Department of Defense, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security,” New York City, October 11, 2012;
[3] See. Richard A. Clarke, Cyber War: The Next Threat to National Security and What to Do About It, New York: Harper Collins Publishers, 2010. Thomas Rid, Cyber War Will Not Take Place, London; C. Hurst & Co., 2013.
[4] See. Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units,” February, 2013;
[5] See. Christopher Bronk, Enekenand Tikk-Ringas, “The Cyber Attack on Saudi Aramco,”Survival, Vol. 55 Issue 2 (2013), pp.81-96.
[6] Center for 21st Century Security and Intelligence, “Cyber War Will Not Take Place, Or Will It?” The Brookings Institution, September 9, 2013,
[7] David Singer founded COW as a project in the University of Michigan in 1963. After his retirement, Penn State has archived all data and materials of COW:
[8] Meredith Reid Sarkees, “The COW Typology of War: Defining and Categorizing Wars,” and Frank Wayman, Resort to War: 1816 – 2007, 2010, CQ Press.
[9] “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security.”
[11] “Damage from N.K. cyber-attacks estimated at 860 bln won: lawmaker,” Yonhap News, October 15, 2013;
[12] U.S. Department of State, “Joint Statement of the Japan-U.S. Security Consultative Committee,” October 3, 2013,
[13] U.S. Department of State, “Background Briefing on the Joint Statement of the Security Consultative Committee,” October 3, 2013;
[14] The Japan Times, “NSA asked Japan to tap regionwide fiber-optic cables in 2011,” October 27, 2013.
[15] Article 21: “No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.”
[16] Article 12; “these freedoms and rights and shall always be responsible for utilizing them for the public welfare.”
[17] New York Times, “Documents Show N.S.A. Efforts to Spy on Both Enemies and Allies,” November 2, 2013;

Symantec CEO Declares IP Theft Greater Threat Than Cyber War

Symantec's CEO has said that the threat of intellectual property theft is more dangerous than that of cyber war, bringing with it th​e potential to "have a big negative impact on global economic growth.”
Speaking to the Financial Times yesterday, Steve Bennett, CEO at Symantec and an advisor to president Obama, suggests that business is putting emphasis in the wrong place. "Governments, still reeling from the fallout of the revelations about National Security Agency surveillance, are asking the 'wrong question,'" reports the FT, "and confusing privacy with cyber security... The focus should be ensuring information is secure before you can create privacy policies."
“While we’re making best efforts that aren’t producing results, the bad guys are getting more sophisticated and the consequences of breaches are going up,” said Bennett. “What I’m most concerned about for the world is the economic threat if intellectual property is transferred from IP creators to countries with lower costs.”
It is widely believed that cyber espionage and IP theft were largely instrumental in the demise of Nortel. Just two months ago Brian Shields, a former Nortel security adviser, said “Hackers are what brought Nortel down.” China Watch Canada went on to explain, "Shields says he suspects the hackers were Chinese because a Chinese competitor suddenly started offering cheaper products and services that erased Nortel's income."
“Intellectual property (IP) is no longer safe and businesses are losing their competitive edge as a result," agrees Lior Arbel, CTO ofPerformanta Ltd. "The Symantec chief is right to warn companies over the cyber threat to intellectual property as barely a day goes past without a story about a business being a victim of hacking or a data breach. A US commission on the Theft of American Intellectual Property in May 2013, estimated that theft of IP from the US is costing the nation an estimated $300bn (£200bn) each year, with China thought to be behind 50-80% of the theft. Whilst the US is clearly stepping up its rhetoric on this issue, calling for stronger deterrent measures that make IP theft unprofitable at a governmental level, there are ways in which businesses can deal with the threat of critical data loss right now at a technological level."
Although IP regulation is always a major part of trade agreements, it is noticeable that the leaked IP chapter of the current negotiations for the Trans-Pacific Partnership (TPP) seem to concentrate more on the IP of the creative industries than on business IP. It is also noticeable that China – often blamed for the worst excesses of IP theft – is not a party to the TPP.
Peter Armstrong, director of cyber security at Thales UK believes that improving security defenses is the way to stop IP theft, and that such improvement will be best achieved by regulation. "Regulation is a necessity to alter corporate behavior," he suggests. "The National Institute of Standards and Technology framework set up by executive order from President Obama is a step in the right direction for the security industry. Greater collaboration on cyber issues should also lead to an improvement in cyber awareness and cyber standards, particularly as external attacks multiply faster than legacy IT security solutions can currently keep up with.”

Lebanon Claims: Israel Launched a 'Cyberwar' Against Us

A government committee in Lebanon claimed on Thursday that Israel was spying in the country and that its devices had infiltrated UNIFIL and army networks, reports The Daily Star.
According to the report, the Committee on Assessing the Dangers of the Israeli Telecomm Towers in Lebanese Territory, delivered a detailed review of Israel’s latest so-called spying activities, including recently erected spying stations.
The Telecommunications Ministry in Lebanon announced earlier this month that Israel had installed surveillance posts along the border with Lebanon capable of monitoring the entire country.
The review was attended by 27 foreign ambassadors, including those representing the five permanent members of the UN Security Council and the European Union as well as the UN Special Coordinator for Lebanon Derek Plumbly, according to The Daily Star.
During the session, the committee said Israel was waging a “cyberwar” on Lebanon, which it claimed violated the right of Lebanese to privacy, data confidentiality, safety and security, as well as the right of free access to information.
It added that such an “aggression” hurts the country’s economy, as it discourages investors and drives away capital, adding that confidence had already been shaken in both the public and private sectors.
Israel, according to the committee, infiltrated the Internet and the telecoms networks of the army, security forces and the UN Interim Force in Lebanon.
Israel has also expanded its network in 39 different sites along the border with Lebanon by erecting dozens of towers and hundreds of antennas directed at Lebanon, the committee claimed in its report.
“This review aims to show these countries [what Israel is doing] so they can help us in the international arena and in other ways to put an end to Israel’s spying,” Hezbollah MP Hasan Fadlallah was quoted as having told reporters after the meeting.
Fadlallah claimed Israel was eavesdropping on the Lebanese through mobile phones, landlines and the Internet, and that UNIFIL’s transmissions and those of the Lebanese security forces were also exposed to espionage.
He added that the committee also showed a short film about the Israeli devices. “We told the attending diplomats their countries were also the victims of espionage and that none of them would accept such activities either,” he said, referring to the recent revelations that the U.S. was spying on its allies.
Fadlallah said the technical committee also showed methods used by Israel to spy on UNIFIL and other embassies.
He declared that the government was working on political and diplomatic levels by preparing a complaint to be submitted to the UN Security Council, as well as a memo to UN chief Ban Ki-moon.
Lebanon regularly arrests local citizens and charges them with spying for Israel. Three years ago, more than 30 Lebanese citizens were convicted on charges of collaborating with Israel and becoming citizens of the Jewish State. All received 15-year prison terms.
At least five people have been sentenced to death in Lebanon in recent years after being convicted on charges of spying for Israel.
More than 100 Lebanese citizens – including a number of highly-placed military officials – have been arrested by authorities on suspicion of spying for the Jewish State over the past several years.
Among those charged were a number of officials from the Lebanese Alfa Telecom telecommunications company, including one of the firm's executives, Charbel Qazzi. One of these Lebanese telecom “spies” managed to escape.
Last month, Hezbollah claimed that an eagle that was caught by recreational hunters in the Lebanese town of Ashqout was in fact an Israeli spy.

Anonymous factions threaten cyber-war on one another over anti-NSA hacks

Hackers affiliated with the Anonymous Australia collective have posted a video warning their counterparts in Indonesia that if they do not stop infiltrating private Aussie web sites the two factions could engage in an all-out cyber-war.
The group known as “Anonymous Indonesia” took responsibility last week for hacking more than 170 websites in Australia. Anonymous Indonesia told the website Tempo that the hack was in response to a report that the Australian government granted the US National Security Agency access to its embassy in Jakarta to spy on Indonesians.
Yet instead of retaliating against the Australian government Anonymous Indonesia seems to have disturbed the operations of private Australian businesses including a dry cleaner, a bouncy castle business that provides inflatable party toys, and others that obviously had nothing to do with any NSA activity.
The warning issued Monday was not the first video addressed to the Indonesian hackers.
“Innocent businesses should not be attacked,” the first video declared. “We all bound together in an effort to bring down our tyrant governments to shape our world as a better place.”
“You have not stopped your attacks against the Australian public where we have tried to plead with you,” Monday’s video said. “What is there to prove? We do not want a cyber-war, do you? …We have been patient with you, Anonymous Indonesia. There will be no more warnings if you choose to attack again.”
The message goes on to suggest that Anonymous Indonesia instead focus its efforts on the Australian Secret Intelligence Service (ASIS), the Australian Security Intelligence Organization (ASIO), and the Australian Signals Directorate (ASD).
That advice seems to have taken hold, as the ASIS website was knocked offline for hours on Monday. The other pages seemed to be operating as normal but Heru Satudi, executive director of the Indonesian technology think tank the Indonesia ICT Institute, told the Sydney Morning Herald a distributed-denial-of-service (DDoS) attack crashed the site.
Frustration with the Australian government’s complicity in the NSA spying has stretched far past Anonymous, though. The clandestine activity was first exposed by a leak from NSA whistleblower Edward Snowden last month and reverberations from the revelations are still echoing throughout the region.
“Enough is enough,” Indonesian Foreign Minister Marty Natalegawa told reporters last week. “While [the US and Australia] are not able to confirm or deny past activities, at least they should be able, and I’m making a public expectation here, I think they should be able to henceforth say they are not going to do it anymore.
“In the absence of assurances that such [spying] activities never took place, then of course we must assume that such activities are taking place, and draw our own conclusion in terms of their view of Indonesia as a partner,” he continued.

‘Israel waging cyber war on Lebanon’

A Lebanese government committee tasked with investigating Israel’s recent spying activities in Lebanon says the Tel Aviv regime has waged a ‘cyber war’ against the country.
The Committee on Assessing the Dangers of the Israeli Telecom Towers Directed Toward Lebanese Territory briefed Lebanon’s parliament in detail over the latest Israeli spying activities along the Lebanese border, the Daily Star reported on Thursday.
According to the report, the committee told the parliament session that the Israeli regime was waging a “cyber war” on Lebanon, violating the country’s right to data privacy, safety and security.
The committee also reported that the Tel Aviv regime had infiltrated the Internet and the telecoms networks of the Lebanese army and the UN Interim Force in Lebanon (UNIFIL), denouncing such spying activities as acts of “aggression on Lebanon.”
On November 7, Lebanese caretaker Defense Minister Fayez Ghosn said Beirut is investigating reports about Israel’s stationing of spying devices along the Lebanese border. He added that Lebanon will not stand idle in the face of Israeli espionage.
The Israeli regime’s largest spying station is reportedly deployed in al-Abbad and Jal al-Alam areas, which are located near the UN-designated Blue Line.
The Lebanese investigation committee said Tel Aviv has expanded its espionage network in 39 different locations along Lebanon’s border by setting up dozens of towers and hundreds of antennas, which overlook the Lebanese soil.
The briefing session at Lebanon’s parliament was attended by a number of Lebanese ministers and high-ranking lawmakers as well as 27 foreign ambassadors including the representatives of the five permanent members of the UN Security Council and the European Union.
Following the briefing session, senior Hezbollah lawmaker Hassan Fadlallah, who headed the committee, referred to recent revelations about US spying on its allies and said, “We told the attending diplomats that their countries were the victims of spying and that none of them would accept such an action.”

It’s Time to Write the Rules of Cyberwar

The world needs a Geneva Convention for cybercombat. In the 21st century, just about everything is vulnerable to cyberattack. A hit on a bank or a stock exchange would cause uproar in the financial sector; a strike on an electrical grid could shut down a city. And the consequences of an attack could be far more dire than mere inconvenience. If hackers disrupted operations at a nuclear power facility, they could trigger a meltdown. An attack on a hospital could leave doctors scrambling in the dark, machines failing, and patients dying in their beds.
Such scenarios are becoming ever more plausible. In 2007 the cyberwar era began in earnest, when Estonia’s government networks were hacked during a political dispute with Russia. In recent years, the United States and China have accused each other of sponsoring major cyberintrusions, and Iran has accused the United States and Israel of unleashing a worm against its nuclear installations. Before such activities escalate into cyberattacks that destroy innocent lives, we should apply the lessons of the bitter past and establish the norms of cyberconflict. We should define acceptable targets, and we could even place limits on cyber weapons, just as we did on chemical ones nearly a century ago.
I propose bringing the principles of the Geneva and Hague conventions to bear on cyberconflicts. These conventions, which reached mature form after the First World War, establish rules for the treatment of civilians, prisoners of war, and the wounded, and they also ban the use of certain weapons, such as poisonous gas. Preserving these principles is of solemn relevance to billions of people, yet there is still no clear way to apply them to cyberattacks. While it’s unlikely that nations could be convinced to sign on to a legally binding treaty, international norms could have the same effect.
To find the way forward, theEastWest Institute has created the Cyber 40, with delegates from 40 digitally advanced countries. Our think tank specializes in back-channel negotiations between countries that don’t normally cooperate, and I head the institute’sWorldwide Cybersecurity Initiative. We have issued practical recommendations on spam and hacking, many of which have already been implemented. Since we presented our first proposal for “rules of the road” for cyberconflictsin a Russia-U.S. bilateral report at the 2011 Munich Security Conference, the ideas have gained traction. Other groups are also working on the legal issues surrounding cyberattacks—most notably a NATO-related collaboration based in Tallinn, Estonia, which published its findings this March as the Tallinn Manual.
In cooperation with industry groups and think tanks in China, Russia, and other countries, we are now trying to define practical humanitarian agreements for cyberconflicts. Such agreements could, for example, designate critical civilian infrastructures like hospitals and electronic medical records as off-limits for cyber attacks. And we hope to at least begin a conversation on whether some cyberweapons are analogous to weapons banned by the Hague and Geneva conventions as offensive to “the principles of humanity and the dictates of the public conscience.”
Our international team has reviewed all 750 articles in the Geneva and Hague conventions, in each case asking whether the rule can be transferred directly from the physical world to the cyberworld. Often the situation is simpler in the material world: For example, the difference between routine intelligence gathering and warfare is relatively clear. In cyberoperations, the infiltration of a computer network could be espionage or the prelude to an offensive action—but the mechanism is the same in both cases.
Seemingly straightforward prohibitions, such as the one on attacking hospitals, become complicated when ported to cyberspace. In the physical world, military officials can easily distinguish between a hospital and an army base and can plan their campaigns accordingly. In the cyberworld, everything is intermingled. Hospital records may be stored on a server in a data center that may also store data from a military contractor. In fact, it is the ease with which data and data-searching functions can be distributed across networks that makes cyberspace valuable in the first place.
When we built the Internet, we weren’t thinking about how to implement the Geneva Conventions online. To adapt these rules to our era, we must therefore model cyberconflicts, define legitimate targets, and suggest ways of determining compliance with such guidelines.
We will have to mark nontargets in some way. The Geneva and Hague conventions direct that protected entities (such as hospitals and ambulances) and protected personnel (such as medics) be marked in a clearly visible and distinctive way, for instance, with a red cross or red crescent. Marking a hospital’s presence on readily available maps constitutes another such warning.
We’ve been conducting an assessment of special ways to designate protected humanitarian interests in cyberspace. We’re currently working with our international partners to evaluate a number of technical solutions to this challenge. For instance, one early idea was to use “.+++” to mark the Internet addresses of hospitals and health databases.
Of course, merely marking protected zones in cyberspace would not stop miscreants from barging into them; then again, neither does the presence of a Red Cross symbol cause a bomb to bounce off a medical clinic. The point is that such markers would allow a state that wanted to comply with the norm to write virus code or arrange attacks so as to avoid designated institutions.
Assuming we can devise a system to create safe havens on the Internet, another concern is how to get all the necessary parties involved. In the past, the rules of war could gain force if the major nation-states agreed to them. That’s not enough to ensure the usefulness of cyberconflict rules, however, because cyberwarriors may be nonstate actors, sometimes even individuals. In order to get those people to respect the rules, we’ll need all the world governments to come together to condemn certain acts. Such a consensus would carry enough moral force to isolate any cyberwarriors who cross the line.
I first thought about this question while serving on the National Security Telecommunications Advisory Committee for President George W. Bush. In 2002, when our group met with Vice President Dick Cheney at the White House, one member of the committee asked Cheney which countries the United States should engage with on questions of cybersecurity. His first answer was obvious: the anglophone countries that were eager to partner with us. “But the second answer will really surprise you,” he said. We never heard it. At that moment, the Secret Service descended on him and whisked him, and us, away to safety. It was all because of a false alarm that sounded when a small Cessna plane accidentally breached restricted airspace over the White House.
Ever since, I have wondered what Cheney’s second suggestion would have been—and my life’s work has come down to an attempt to find my own answer. I’ve come to the conclusion that we have to work with the difficult countries because those are the countries that matter. “Difficult countries” will mean different things to different countries; for the United States, though, the list would surely include Russia and China, both of which are formidable for their technological prowess.
The EastWest Institute’s Worldwide Cyber security Initiative has therefore begun bilateral processes with experts from the United States and Russia todefine the terms used in discussions of cyber conflicts, so that future negotiators will have a clear dictionary to help them differentiate between, for example, cybercrime and cyberterrorism.
We have also brought U.S. and Chinese experts together to produce joint recommendations for fighting spam and botnets—the networks of hijacked computers that are used in some attacks. These recommendations were adopted by the Messaging, Malware, and Mobile Anti-Abuse Working Group, which brings the world’s biggest Internet companies together to swap strategies and collaborate on projects. Most recently, we’ve worked with our Chinese counterparts to issue recommendations on how to resolve conflicts over hacking. With these efforts, we’ve prepared the way for extending the humanitarian principles of the Geneva and Hague conventions into cyberspace.
It has sometimes been argued that international norms are toothless—that countries resort to chemical and biological attacks rarely only because they fear facing retalia tion in kind. However, recent events in Syria’s civil war show that norms do matter. The Syrian government, which is not party to theChemical Weapons Convention, nevertheless felt the world’s wrath when itallegedly used poison gas against rebel forces and civilians. The United States first threatened to intervene in the war to protest the action. However, that threat was revoked when the regime’s allies— notably Russia, which was on record as opposing chemical warfare—devised a plan to take away Syria’s chemical weapons.
This case illustrates some of the problems that would face any attempt to enforce the norms of cyberwarfare, most obviously the problem of tracing an attack to its perpetrator. The Syrian government maintained that it had not broken international laws against chemical warfare, and some observers agreed that it wasn’t completely clear who had done the deed. It could even have been a provocation or, perhaps, a blunder on the part of the rebel commanders. Happily, the international community was able to agree on a practical remedy despite the lack of hard proof.
If we can set the parameters of basic human decency in time of cyberwar, then maybe we can ban aspects of such warfare altogether. At the least, we can discuss taking some cyberweapons off the table. Some of them do, after all, carry the potential for viral behavior, with a lack of discrimination regarding targets, and they all travel at computer speeds. These attributes, combined with a belligerent cause, are an understandable reason for concern.
We can bring the principles of the Geneva Conventions into the 21st century if we agree that these rules are worth preserving and agree that war need not be the infliction of maximum suffering on the enemy. Some may call me naive, but I believe mankind can be civilized even as we engage in a new era of cyberconflicts.

2 million Facebook, Gmail and Twitter passwords stolen in massive hack

facebook password 2 million passwords have been stolen, compromising accounts at Facebook, Gmail, Twitter, Yahoo and ADP.

Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week.

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.
On Nov. 24, Trustwave researchers tracked that server, located in the Netherlands. They discovered compromised credentials for more than 93,000 websites, including:

  • 318,000 Facebook (FB, Fortune 500) accounts
  • 70,000 Gmail, Google+ and YouTube accounts
  • 60,000 Yahoo (YHOO, Fortune 500) accounts
  • 22,000 Twitter (TWTR) accounts
  • 9,000 Odnoklassniki accounts (a Russian social network)
  • 8,000 ADP (ADP, Fortune 500) accounts (ADP says it counted 2,400)
  • 8,000 LinkedIn (LNKD)accounts
Trustwave notified these companies of the breach. They posted their findings publicly on Tuesday.
"We don't have evidence they logged into these accounts, but they probably did," said John Miller, a security research manager at Trustwave.
Related: The most dangerous cyberattacks
The scary reality of hacking infrastructure
ADP, Facebook, LinkedIn and Twitter told CNNMoney they have notified and reset passwords for compromised users. Google (GOOG, Fortune 500) declined to comment. Yahoo did not provide immediate responses.
Miller said the team doesn't yet know how the virus got onto so many personal computers. The hackers set up the keylogging software to rout information through a proxy server, so it's impossible to track down which computers are infected.
Among the compromised data are 41,000 credentials used to connect to File Transfer Protocol (FTP, the standard network used when transferring big files) and 6,000 remote log-ins.
The hacking campaign started secretly collecting passwords on Oct. 21, and it might be ongoing: Although Trustwave discovered the Netherlands proxy server, Miller said there are several other similar servers they haven't yet tracked down.
Related: Adobe's abysmal security record
Want to know whether your computer is infected? Just searching programs and files won't be enough, because the virus running in the background is hidden, Miller said. Your best bet is to update your antivirus software and download the latest patches for Internet browsers, Adobe (ADBE) and Java.
Of all the compromised services, Miller said he is most concerned with ADP. Those log-ins are typically used by payroll personnel who manage workers' paychecks. Any information they see could be viewed by hackers until passwords are reset.
"They might be able to cut checks, modify people's payments," Miller speculated.
But in a statement, ADP said that, "To [its] knowledge, none of ADP's clients has been adversely affected by the compromised credentials." To top of page