Wednesday, 21 May 2014

Behind Blackshades: a closer look at the latest FBI cyber crime arrests

The FBI made big headlines yesterday with its announcement of a high profile malware takedown related to a RAT called Blackshades (of which more in a moment). Hopefully this move, involving 97 arrests in 16 countries, will discourage the use of spyware by criminals. RAT stands for remote access tool and Blackshades is not unlike the DarkComet RAT that I wrote about in 2012. You can see DarkComet accessing a webcam in the illustration above, with a big hat tip to my colleague Cameron Camp, whose hand that is, captured during a live demonstration of how to defeat hacking tools during Interop Las Vegas in 2012.
[Note: All ESET products protect against Blackshades, detected as Win32/VB.NXB since February 2009, and also as Win32/AutoRun.VB.ANQ since October 2011. See “What is BlackShades and does ESET protect me from it?” in the ESET Knowledgebase.]

Bad RAT, good RAT?

Nobody wants a stranger spying on them, particularly when that spying includes surreptitiously watching them via their own web camera, hence the immediate public applause for this FBI operation. There were also cheers from people like myself and my colleagues in the security industry who are dedicated to keeping spyware and other malicious code off computers, including tablets and smartphones.
However, we do need to be careful when we talk about remote access tools as malware, as they are a classic case of the malice being in the intent of the user. Spying on an innocent person by sneaking a remote access tool onto their computer is clearly a malicious act, not to mention uber-creepy and generally despicable. Used for this purpose, a remote access tool is malware. But there are also positive and legitimate uses for remote access tools, such as remote computer support. And of course, a lot of spyware used by both state and non-state actors falls into the RAT category (part of a class of code that I like to call “righteous malware” because those who use it believe they are right to do so, whereas the owners of computers onto which it is secretly placed tend to see it differently).
Many RAT packages have appeared over the years and been put to use by criminals, but they are not all treated the same way, as my colleague David Harley points out: “There’s a difference here between BlackShades and more ‘professional’ malware like Zeus and Citadel. Its users constituted a relatively easy target by operating within an area seen as legally ‘grey’. Apparently, some of those involved were often less scrupulous about covering their tracks and their malicious intent than the career criminals associated with more heavyweight malware.” One indication of this says Harley: “There was an awful lot of chatter about Blackshades on forums, whereas conversations about more sophisticated tools used for criminal activity tended to be far more discreet.”
The implications? I think people pushing Blackshades might have been an easier target for law enforcement than some other players. However, I don’t think there’s any call for headlines like the one used by the Daily Beast (“FBI’s Huge Hacker Bust Could Be Bogus“). That said, Quinn Norton’s article does raise some important points about RAT deployments in conflict zones, citing Morgan Marquis-Boire and Seth Hardy of Citizen Lab in Toronto who, along with the EFF, reported that Blackshades was used by the Syrian government to target anti-government activists (research article is here in PDF and EFF article, with Eva Galperin, is here). Norton also makes the very important point that, in terms of criminality, using a RAT for malicious purposes is way different from simply possessing it.

Maintaining perspective

I am firmly on the record when it comes to applauding law enforcement efforts to stem illegal abuse of computers and information systems, and I have previously predicted that such efforts will be stepped up (although that article from 2012 was as much wishful thinking as prediction). However, given limited law enforcement resources, it is vital that the right criminals are targeted. I’m not sure that the creators of Blackshades are as much criminals as the folks who broke into Target and stole tens of millions of credit card records. And there are clearly some non-criminals among those who purchased, acquired, or simply possessed the Blackshades code. I hope to see prosecutions proceed with these distinctions in mind.
Where I do think we could see a welcome effect from the FBI Blackshades crackdown is at the margins and in the markets, discouraging those who are currently contemplating cybercrime or dabbling in the purchase of cybercrime tools on the underground markets. Seriously people, there are some very cool and potentially lucrative things you can do with coding and network skills that don’t involve serious risk of a heavy knock on your front door.
Finally, it is clear that the public needs to do its homework to fully understand stories like these. After all, the FBI itself has been using surreptitious access to webcams to pursue criminals and terrorists “for years” using remote access tools. And this PowerPoint slide from “No Place to Hide“, Glenn Greenwald’s bestseller about the Snowden revelations, purportedly shows the NSA’s efforts to “implant” malware on some 50,000 computers. Malware that would probably fall into the RAT category of “righteous malware”.

Bitly hackers stole user credentials from offsite database backup

Bitly has shed a little more light on the serious security breach it suffered two weeks ago.
As you may recall, the URL-shortening service announced last week that it believed the account credentials of Bitly users could have fallen into the hands of hackers, but it fell short of answering how it determined customer privacy had been breached, how securely passwords had been stored, or – indeed – what had actually gone wrong.
Now some of those questions are being answered.
In a follow-up post entitled “More detail”, Bitly explains that it believes the hackers did *not* manage to access its production network or servers, but instead accessed the customer database from an offsite backup.
Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts.
And how did the hackers manage to access that offsite backup? They broke into an employee’s account at an unnamed hosted source code repository where they stole the login credentials for the backup of Bitly’s database.
We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.
What’s worrying about this is that – for a while at least – not only did the hackers have access to a backup of Bitly’s customer database, but they also could have compromised the company’s source code.
Bitly says it is sending an email to “all users from the domain outlining the steps to secure your account”. The fact that they have named the domain they are planning to send the warning email from underlines their concern that the hackers might attempt their own malicious campaigns, targeting customers who have had their accounts exposed through the hack.
Ironically, Bitly’s announcement of the domain name they intend to use may not actually make it trickier for any attackers to exploit the situation – as it will be child’s play for them to forge email headers and pretend the messages are coming from
My advice? Be very careful about *any* messages that you receive which claim to come from Bitly, and be wary of clicking on any links in the emails. Much better to visit the Bitly website directly, and access your account that way.
According to Bitly, the passwords stored in the exposed database were salted and hashed. Unfortunately, users who have not changed their passwords in the last few months may be at greater risk of having had their passwords cracked as Bitly strengthened the way it stored passwords in January:
If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.
No wonder then that the firm is recommending that users change their passwords as a precaution.
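To make the difference between the two storage schemes concrete, here is an added example (not Bitly’s code) showing why a stolen salted-MD5 record is cheap to attack offline while a keyed, slow hash is not, and how a service converts legacy records on the next successful login, which is what the January 8th conversion amounts to. The record layout, the function names and the server-side HMAC secret are this example’s own; PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which is not in the standard library.

```python
import hashlib
import hmac
import itertools
import os
import string

# Hypothetical server-side secret: the HMAC key. It lives in the
# application's configuration, not in the user database, so a stolen
# database copy alone cannot be used to test guesses against upgraded records.
PEPPER = b"hypothetical-server-side-secret"
PBKDF2_ITERATIONS = 100_000


def legacy_salted_md5(password, salt):
    """The pre-January-2014 style scheme: one fast MD5 over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def strong_hash(password, salt):
    """HMAC the password under the server-side key, then a slow, salted KDF.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here (an assumption of this example)."""
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS).hex()


def make_record(password, scheme="pbkdf2"):
    """Build a (hypothetical) user record with a fresh 16-byte unique salt."""
    salt = os.urandom(16)
    if scheme == "md5":
        return {"scheme": "md5", "salt": salt, "hash": legacy_salted_md5(password, salt)}
    return {"scheme": "pbkdf2", "salt": salt, "hash": strong_hash(password, salt)}


def verify_and_upgrade(record, password):
    """Check the password under whichever scheme the record uses. On a
    successful login against a legacy record, rewrite it in place with the
    strong scheme: the plaintext is only available at login, so this is the
    only moment a service can convert old hashes."""
    if record["scheme"] == "md5":
        expected = legacy_salted_md5(password, record["salt"])
    else:
        expected = strong_hash(password, record["salt"])
    ok = hmac.compare_digest(expected, record["hash"])
    if ok and record["scheme"] == "md5":
        record.update(make_record(password))
    return ok


def numeric_pins(length=4):
    """Constructed guess list: every all-digit password of the given length."""
    for digits in itertools.product(string.digits, repeat=length):
        yield "".join(digits)


def crack_legacy(record, candidates):
    """Offline guessing against a stolen salted-MD5 record. The salt defeats
    precomputed tables, but each guess still costs a single MD5 call, so weak
    passwords fall quickly. Returns the recovered password or None."""
    for guess in candidates:
        if legacy_salted_md5(guess, record["salt"]) == record["hash"]:
            return guess
    return None


if __name__ == "__main__":
    stolen = make_record("7391", scheme="md5")   # constructed legacy record
    print("legacy record cracked:", crack_legacy(stolen, numeric_pins(4)))
    print("login ok:", verify_and_upgrade(stolen, "7391"))
    print("record now uses:", stolen["scheme"])
```

The salt stops precomputed tables but not per-record guessing: a four-digit PIN falls within 10,000 MD5 calls, whereas each guess against an upgraded record costs 100,000 PBKDF2 iterations and, without the server-side HMAC key, cannot be tested from the database alone. The other lesson from this breach is that the HMAC key has to live somewhere the attacker holding the backup cannot reach, and certainly not in the same repository as the backup credentials.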
In case you’re worried about your own account, here is what Bitly says you need to do:
Following are step-by-step instructions to reset your API key and OAuth token:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
Many Bitly users are believed to have connected their accounts to their social media presences on the likes of Facebook and Twitter, but users will not be able to publish via Bitly to those sites until their profiles have been reconnected following the advice above.
Two factor authentication – are you using it?
It’s good to hear that Bitly has now enabled two-factor authentication for all of its employees using the source code repository, but an organisation serious about protecting crown jewels like its source code would have done that long ago.
I’ve explained the perils with passwords in the past, including the problems with users re-using the same password in multiple places, choosing easy to guess passwords, falling victim to spyware which hoovers up passwords as they are typed on infected computers, or having their login credentials phished from them via convincing emails.
Two-factor authentication (2FA) helps reduce these risks, requiring users to enter a unique one-time-password alongside their regular credentials.
How authentication works
Every time you log in, a new one-time password is required.
Even if your regular password is guessed, cracked or stolen by hackers, it won’t be any use to the bad guys because they won’t know what your one-time-password is.
Furthermore, if something like a mobile phone app is generating your one-time password for you then it’s extremely unlikely it will be in the clutches of the hackers trying to break into your account.
So, I strongly recommend that whenever an online service or website offers you the option of hardening your account using two-factor authentication you should turn it on.
Furthermore, if you are an organisation running an online service or providing mechanisms for your staff to access company information remotely, it also makes sense for you to consider offering two-factor authentication to reduce the risks.
Two-factor authentication isn’t a magical solution which will stop all online criminal activity, but it certainly makes life harder for the hackers who want to break into your accounts.
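The kind of one-time password most services use (the six digits from an authenticator app) is time-based HOTP, and the property the paragraphs above rely on, that a code is useless once used or once its 30 seconds have passed, has to be enforced on the server. The following is an added example, not Bitly’s or any vendor’s code, implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library together with that server-side check; the class and parameter names, the one-step skew window and the replay bookkeeping are this example’s own choices, and the shared secret shown is the RFCs’ published test key, not a real one.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' selects 31 bits and reduces them to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since
    the Unix epoch. This is what the phone app computes."""
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Server side of the check. Accepts the code for the current step or one
    step either side (clock skew) and records the step of every accepted
    code, refusing that step and earlier ones afterwards, so a code phished
    or captured from the wire cannot be replayed within its 30 seconds."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_step = -1  # highest step already consumed

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # already consumed: one-time means one time
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC test-vector key, not a real one).
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    code = totp(secret, time.time())
    print("phone shows", code, "-> accepted:", verifier.verify(code))
    print("same code again -> accepted:", verifier.verify(code))
```

A code phished a minute earlier fails because its step has passed; a code captured and resubmitted within the window fails because its step has been consumed. What this does not defend against is a real-time relay, where the attacker forwards the victim’s current code immediately, which is why the caveat that two-factor authentication is not a magical solution stands.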
Oh, and in case you were wondering, Bitly says it is “accelerating” its efforts to provide two-factor authentication for its customers’ accounts as well. That means that if users’ passwords fall into the wrong hands in future, they will be an awful lot harder for the bad guys to exploit.

Smart TVs can be infected with spyware – just like smartphones

‘Smart’ televisions with built-in microphones could be used as bugging devices by corrupting them with malware, according to software specialists NCC Group, as reported by The Register.
An attacker would not even need physical access to the television to launch an attack, security experts from the group warned.
Fooling a user into installing a malicious app is one way to gain control of the microphone, but models of televisions with built-in storage and microphones can be set to auto-update, so an attacker could feasibly publish a legitimate app and then release an update containing the malicious code.
Software escrow specialists NCC recently released a white paper examining potential solutions for the problems posed by so-called “Internet of Things” devices.
‘Smart TVs’ seem to have been particularly soft targets. LG admitted that one of its models had been sending information about shows watched by their owners without informing them. After a successful hack of a Samsung Smart TV, Senator Charles E Schumer, a Democrat from New York, addressed a letter to television manufacturers urging them to improve security.
“Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching TV in your living room. You expect to watch TV, but you don’t want the TV watching you.”
The latest hack was demonstrated by NCC near the Infosec conference in London last week, with journalists from The Register shown how Smart TVs can be hacked in much the same way as using a malicious app against an Android phone.
“Malicious apps could be downloaded from the manufacturer’s app store. The TV does have the option for auto-updating, so releasing a legitimate app, then releasing a malicious update, is another attack vector,” a researcher said.
“The devices contain microphones and cameras that can be utilised by applications, Skype and similar apps being good examples.”
“The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstrations purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device’s storage.”

Snapchat “lied to users” about privacy of vanishing photos

The photo-sharing app Snapchat, popular with youngsters for its photos which would exist briefly then “disappear forever” has admitted that the photos did not, in fact, disappear, in a settlement with the U.S. government’s FTC.
As reported by Yahoo News, the company is to be monitored for privacy for the next 20 years by independent privacy professionals. Violations could lead to fines for the company.
Time Magazine pointed out that the app’s 4.6 million users had been misled into thinking that videos sent via the app could not easily be captured – whereas they could be seen simply by plugging a smartphone into a PC. Snapchat also violated its own privacy policies by tracking geolocation information for Android users.
In a blog post, the company said, “While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community.”
Technology sites were quick to point out just how imprecise Snapchat had been about the privacy offered to its users. CNET pointed out that there were “numerous” ways to capture the supposedly “private” files.
The site wrote, “The most obvious is an easy two-button screen capture on a smartphone. The most discreet involves third-party apps that let users record onscreen behavior or log directly into the app to work around its limited privacy protections. There are also ways to dig up files in a device’s directory when the device is plugged into a computer.”
The FTC said in a statement, “Such third-party apps have been downloaded millions of times. Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.”

Former Royal reporter: “I hacked Kate Middleton’s phone 155 times”

The former Royal Editor of the now-defunct News of the World tabloid newspaper has admitted that he hacked into Kate Middleton’s mobile phone voicemail a staggering 155 times in order to snoop upon private messages.
And Clive Goodman didn’t stop there. He has also told a court in London that aside from intercepting the future Duchess of Cambridge’s private messages, he also hacked Prince William on 35 occasions and Prince Harry nine times.
It can’t have been a barrel of laughs and festive fun at Goodman’s house over Christmas 2005, as the News of the World‘s Royal Editor first accessed Kate Middleton’s voicemail on 21st December, and then continued to do so on Christmas Eve, Christmas Day and Boxing Day in his search for tabloid stories.
The first hack by Goodman against Prince William’s voicemail, meanwhile, took place at the end of January 2006.
Presumably driven by the tabloid’s thirst for news about Prince William’s then girlfriend, Goodman continued to regularly hack Miss Middleton’s mobile phone voicemail until the day before his arrest in August 2006.

How phone hacking works

Unlawful access to voicemail messages was made possible by many mobile phones using well-known default PINs as their solitary defence.
Chances are that you don’t even realise that your mobile phone voicemail has a PIN, because most mobile phone networks recognise that it is your phone ringing the voicemail service and therefore skip the PIN prompt to make life more convenient for you.
However, many phone operators provide a number that you can ring to access your voicemail remotely. If your voicemail was protected by an easy-to-determine default PIN, or if operators could be tricked into resetting a PIN, then the voicemail messages could be unlocked.
Thankfully, default PINs for mobile phone voicemail systems are no longer used in the United Kingdom, making life that little bit more difficult for journalists hungry for a celebrity scoop.
But that doesn’t mean the problem has completely disappeared.
Another way of breaking into a mobile phone’s voicemail system might be to fake the phone number you are ringing from, tricking the voicemail system into believing it was the genuine handset collecting the messages.
As recently as last month, a journalist with The Register showed that at least two UK mobile networks remained vulnerable to having their customers’ voicemail inboxes hacked, without the attacker needing to guess a PIN.
For the highest level of security, set your voicemail up to always ask for a PIN whenever you access it. Yes, it’s a pain, but it’s only four digits’ worth of nuisance for a greater level of privacy.

Royal revelations

Clive Goodman, of course, was jailed in 2007 on charges of hacking royal aides. But up until now he has never claimed that the snooping was also being conducted against the Duchess of Cambridge and the royal princes.
When Goodman was asked why he had not previously told police or prosecutors about the true extent of the hacks, he said that he was simply never asked about it:
“I’ve never been asked before. The Metropolitan police, Crown Prosecution Service did not ask me these questions in 2006 and 2007. I’ve never been asked by any inquiry any time about this”
Which makes me think, maybe someone should now ask him about other Royals, and individuals romantically associated with the Royal Family.
Chelsy? Cressida? Are you confident your mobile phones’ voicemail systems are properly secured?

FBI plans worldwide crackdown on cybercrime

The FBI is gearing up for a major crackdown on cybercrime, and says that arrests of major criminals will follow in weeks.
Speaking at the Reuters Cybersecurity Summit, the FBI’s executive assistant director of cyber enforcement Robert Anderson said, “There is a philosophy change. If you are going to attack Americans, we are going to hold you responsible.”
Anderson’s speech said that the FBI’s dealings with cybercrime would now show “a much more offensive side,” and made it clear that this involved extraditions, referring to a foreign national detained at an airport in Spain for running a botnet that targeted Americans, according to Deep Dot Web’s report.
Prior to working in cyber enforcement, Anderson worked in espionage and counter-intelligence.
Anderson said, “If we can reach out and touch you, we are going to reach out and touch you.” Previously, the FBI has held back from pursuing extradition in certain cases.
“There’s a lot of countries that will not extradite. That will not stop us from pressing forward and charging those individuals and making it public,” he said, according to Russia Today’s report.
He also said that arrested hackers could expect long jail sentences, rather than reduced terms for cooperating or becoming informants, according to the Voice of Russia.
He said that the only circumstances in which reduced sentences would be considered would be those affecting “national security”, according to Reuters. It was also reported that the FBI is setting up “online and in-person” cyber training courses for America’s 17,000 police forces.

Biometrics pioneer now “wary” of monster he has created

Dr Joseph Atick, a pioneer in biometrics, who co-founded early facial recognition companies such as Visionics, now fears that large companies could use new versions of his technologies for electronic surveillance – and warned of “unexpected consequences” unless the industry changed its habits.
Speaking at the Connext ID Explo, Atick, who founded several companies instrumental in turning biometrics into a $7.2 billion per year industry (figure from analysts Frost and Sullivan), said that the technology has evolved so far it is now “basically robbing everyone of their anonymity,” according to the New York Times.
Speaking about a demonstration app for Google Glass which allowed users to identify people by looking at them, known as Nametag, Atick said, “We are basically allowing our fellow citizens to surveil us.”
Atick, who has served as a technical advisor to NATO, made millions from selling one of his companies, L-1 to a French military contractor. The Verge reports that he said, “Some people believe that I am maybe inhibiting the industry from growing. I disagree. I am helping industry make difficult choices, but the right choices.”
Concern has grown over companies’ use of biometric data, Facebook’s in particular. Facebook has invested heavily in artificial intelligence software which can recognize whether two human faces belong to the same person with near-human accuracy.
Atick warned that the widespread use of fingerprint and facial recognition systems could lead to uncontrolled surveillance, not only by companies and ‘data brokers’ but also by governments. “I think that the industry has to own up. If we do not step up to the plate and accept responsibility, there could be unexpected apps and consequences,” he said.
One AI company, Vicarious, backed by Mark Zuckerberg among other investors, whose software specialises in “deciphering” photographs, described its software as “like a human that doesn’t have to eat or sleep.”
For users, biometric protection has become a premium feature, available on the most expensive gadgets, for instance Apple’s iPhone 5S and Samsung’s Galaxy S5. Speaking to We Live Security, Phil Zimmermann, inventor of the email encryption system PGP, whose company is to sell an encrypted voice phone, Blackphone, this year, said, “We are in the golden age of surveillance. Whoever wants it can enjoy total information awareness – from cameras which read number plates automatically, to who calls who, and what they say. If a politician is seen in a hotel with an attractive woman, facial recognition can pick him out.”

Car-Hacking Goes Viral In London

The days when thieves used clothes hangers to break into cars may soon be a thing of the past.
Nearly half the 89,000 vehicles broken into in London last year were hacked with electronic gadgets, according to London’s Metropolitan Police.
The hackers appear to be targeting higher-end cars, which commonly have more than 50 low-powered computers installed on board.
“Car crime is no longer the preserve of the opportunist but a more targeted activity towards prestige brands which are stolen to order,” said Andrew Smith, managing director at Cobra UK.
Thieves are hacking into these on-board computers using cell-phone-sized electronic devices originally designed for locksmiths.
One of the most prevalent of these devices can trick a car – “spoofing” – into thinking the owner’s electronic key is present by using radio transmitters that intercept key signals. Another type of hacking device can gain access to a car’s on-board diagnostic unit remotely, which allows thieves to program a blank key to control the engine control unit.
The whole operation takes less than 10 seconds.
The devices can apparently be purchased on the internet, primarily from websites located in Bulgaria, according to Sky News. Video tutorials for using the device are also available online.
Picture of an electronic car-hacking device.
Meanwhile, in February, security experts in Spain created a device that can bypass any encryption on a car before running malicious code through the vehicle’s system.
The so-called “CAN Hacking Tool (CHT)” allows hackers to control lights, locks, steering and brake systems. The price tag: $20.

Police and FBI arrest 100 hackers over BlackShades malware case

Today, the UK’s National Crime Agency announced that raids took place in 16 countries and that more than 100 people have been arrested worldwide for purchasing, selling or using the Blackshades malware.
More than half a million computers in dozens of countries were infected by this malware, which has been sold on underground forums since at least 2010 to several thousand people for between 40 and 100 dollars.
The investigation was coordinated by Europol and Eurojust, which said on Monday that authorities raided a total of 359 houses in 13 European countries (Austria, Belgium, Britain, Croatia, Denmark, Estonia, Finland, France, Germany, Italy, Moldova, the Netherlands and Switzerland) as well as in the United States, Canada and Chile, and seized cash, firearms, drugs and over 1,100 data storage devices including computers, laptops, mobile phones and routers.
“This case is a strong reminder that no one is safe while using the internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, an official representing the Netherlands in the European Union’s criminal investigation coordination unit, Eurojust. “This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centres.”
The Blackshades website has now been seized by the FBI. ‘Blackshades’ is a remote administration tool (RAT) sold legally around the world, but malicious actors use it as malware to collect private information from victims, including usernames and passwords for email and web services, instant messaging applications, FTP clients and more.
In the worst cases, the program lets attackers take remote control of a victim’s computer and webcam, taking photos or video without the owner’s knowledge.
Infected PCs can also be hijacked to perform DDoS attacks and other illegal activities without the owner’s knowledge, and the program modifies itself to stay undetected by antivirus software.
In 2012, during the bloody civil war between the Syrian government and opposition forces, the BlackShades RAT was also used to infect and spy on Syrian activists. That same year, a developer on the Blackshades team was reportedly arrested, and around the same time the tool’s source code was leaked on the Internet.
The BlackShades tool was developed by a company presenting itself as an IT surveillance and security vendor, which promoted it as a tool for parents to monitor their children’s activities and for catching cheating partners. But, as usual, a weapon can be used for either purpose, killing or saving lives.

China denounces US cyber-theft charges

[Photo: the “Wanted” poster the FBI issued for the five army officers, 19 May 2014.]
China has denounced US charges against five of its army officers accused of economic cyber-espionage.
Beijing says the US is also guilty of spying on other countries, including China, and accuses the US of hypocrisy and "double standards".
China has summoned the US ambassador in Beijing over the incident. It says relations will be damaged.
US prosecutors say the officers stole trade secrets and internal documents from five companies and a labour union.
The BBC's John Sudworth in Shanghai says it is extremely unlikely that any of the accused will ever be handed over to the US.
China's defence ministry put out a strongly-worded statement on its website on Tuesday saying that China's government and its military "had never engaged in any cyber espionage activities".
It also took aim at the US, saying: "For a long time, the US has possessed the technology and essential infrastructure needed to conduct large-scale systematic cyber thefts and surveillance on foreign government leaders, businesses and individuals. This is a fact which the whole world knows.
"The US' deceitful nature and its practice of double standards when it comes to cyber security have long been exposed, from the Wikileaks incident to the Edward Snowden affair."
Analysis: Carrie Gracie, BBC China editor
[Photo: US Defense Secretary Chuck Hagel and Chinese Minister of Defense Chang Wanquan at the Chinese Defense Ministry in Beijing, 8 April 2014.] The two countries’ defence ministers met just last month.
China always insists it is a victim of hacking, not a perpetrator. And when US intelligence contractor Edward Snowden appeared in Hong Kong a year ago with evidence of US hacking into Chinese networks, Beijing felt vindicated.
The US acknowledges that it conducts espionage but says unlike China it does not spy on foreign companies and pass what it finds to its own companies.
Beijing typically shrugs this off as a smear motivated by those who find its growing technological might hard to bear. But to see five named officers of the People's Liberation Army indicted by a US grand jury is not something that can be brushed aside so easily.
China has already announced the suspension of co-operation with the US on an internet working group. And once it has had time to digest this loss of face, it is likely to consider more serious retaliation.
The defence ministry added that China's military had been the target of many online attacks, and "a fair number" of those had been launched from American IP addresses.
It said the arrest of the five Chinese army officers had "severely damaged mutual trust".
A Xinhua report on Tuesday stated that between March and May this year, a total of 1.18 million computers in China were directly controlled by 2,077 machines in the United States via Trojan horse or zombie malware.
Chinese Assistant Foreign Minister Zheng Zeguang lodged a "solemn representation" with US ambassador Max Baucus on Monday night, Xinhua reported.
'US losses'

On Monday US Attorney General Eric Holder said a grand jury had laid hacking charges against the Chinese nationals, the first against "known state actors for infiltrating US commercial targets by cyber means".
He identified the alleged victims as Westinghouse Electric, US Steel, Alcoa Inc, Allegheny Technologies, SolarWorld and the US Steelworkers Union.
"The alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States," Mr Holder said.
In the indictment brought in the western district of Pennsylvania - the heart of the US steel industry - the US named Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, all officers in Unit 61398 of the Chinese People's Liberation Army (PLA), as the alleged conspirators.
FBI officials said the hacking - between 2006 and 2014 - caused "significant losses" at the companies and that there were likely to be many more victims.
Last year, cyber-defence company Mandiant published a report on a Chinese military unit the firm said was behind the vast majority of significant attacks on American federal agencies and companies.
In March, Defence Secretary Chuck Hagel said the Pentagon planned to more than triple its cyber-security capabilities in the next few years to defend against such internet attacks.
What is Unit 61398?
A file picture taken on February 19, 2013 shows a person walking past a 12-storey building alleged in a report by the Internet security firm Mandiant as the home of a Chinese military-led hacking group after the firm reportedly traced a host of cyberattacks to the building in Shanghai's northern suburb of Gaoqiao.
• A unit of China's People's Liberation Army, to whose Shanghai address US cyber security firm Mandiant says it traced a prolific hacking team
• The team was said to have hacked into 141 computers across 20 industries, stealing hundreds of terabytes of data
• Mandiant says the team would have been staffed by hundreds, possibly thousands of proficient English speakers
• China said Mandiant's report was flawed and lacked proof

Schneider Electric asks users to patch Heartbleed again

Industrial controller vendor Schneider Electric has found that while its own kit wasn't affected by the Heartbleed OpenSSL bug, there are some third party components that need work.
In an advisory published here (PDF), the company says a third-party software component, Tableau from Wonderware, could re-introduce a Heartbleed vulnerability into its systems.
It affects “Tableau Server, versions 8.0.6 through 8.0.9 or 8.1.0 through 8.1.5. This software is provided as a component of our Wonderware Intelligence and Avantis.DSS products”, the advisory states. “Any installations that did not apply the available Tableau Server updates from Wonderware Development Network (WDN) would not be impacted by HeartBleed vulnerability.”
Tableau is an analytical data visualisation suite. The vulnerable server component has now been upgraded by Tableau Software, but users that applied a recent update from Schneider may have reverted to an older version of the server.
The company continues to review its own products, and says that “no evidence of the vulnerable versions of OpenSSL were identified”.
Schneider's advisory also says the version of McAfee ePO (the policy orchestrator) that ships with its Invensys control systems is vulnerable. McAfee released patches for its vulnerable products in April.
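The advisory's version ranges, and the warning that a later Schneider update may have rolled the Tableau component back, lend themselves to a simple inventory check. The Python below is an added example, not tooling from Schneider, Wonderware or Tableau; the hostnames and versions are constructed, and it treats only the ranges quoted above as affected without claiming anything about which versions are fixed.

```python
from typing import List, Tuple

# Affected Tableau Server ranges exactly as quoted from the Schneider advisory.
AFFECTED_RANGES = [((8, 0, 6), (8, 0, 9)), ((8, 1, 0), (8, 1, 5))]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '8.0.7' into a comparable tuple."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    ver = parse_version(version)
    return any(low <= ver <= high for low, high in AFFECTED_RANGES)


def downgraded(before: str, after: str) -> bool:
    """True if an update left the component on a lower version than before."""
    return parse_version(after) < parse_version(before)


def assess(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for hosts needing attention.

    inventory rows are (host, version before the Schneider update,
    version observed after it). A host is flagged when the observed
    version is in an affected range, and separately when the update
    moved it backwards, which is the regression the advisory warns about.
    """
    findings = []
    for host, before, after in inventory:
        if is_affected(after):
            findings.append((host, f"Tableau Server {after} is in an affected range"))
        if downgraded(before, after):
            findings.append((host, f"component rolled back from {before} to {after}"))
    return findings


# Constructed sample inventory (hypothetical hosts and version observations).
SAMPLE_INVENTORY = [
    ("hist-01", "8.1.6", "8.1.5"),   # patched earlier, then rolled back
    ("hist-02", "8.0.5", "8.0.5"),   # below the listed ranges, unchanged
    ("hist-03", "8.1.6", "8.1.6"),   # outside the listed ranges, unchanged
]

if __name__ == "__main__":
    for host, finding in assess(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```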

NSA, privacy group respond to cell phone recordings in Bahamas

The controversy surrounding the NSA and its mass surveillance efforts expanded to the Caribbean on Monday as a report by Glenn Greenwald and others at The Intercept revealed that the federal agency has been secretly recording cell phone conversations in the Bahamas.
Practically every single call made into, out of and within the Bahamas is being logged so that analysts can pull up recordings at will for intelligence gathering purposes, the report indicates, citing documents provided by NSA whistleblower Edward Snowden.
“All of NSA's efforts are strictly conducted under the rule of law and provide appropriate protection for privacy rights,” according to a Tuesday NSA statement emailed to, which did not specifically answer a question asking if The Intercept report was true.
In the statement, the agency said it ensures the protection of the U.S. and its allies by pursuing “valid foreign intelligence targets,” as well as by working with other nations under “specific and regulated conditions.”
According to The Intercept report, the NSA surveillance had been carried out unbeknownst to officials in the Bahamas using an advanced surveillance system known as SOMALGET, which enables the NSA to record and replay all cell phone calls for about a month.
The office of Frederick Mitchell, Bahamas Minister of Foreign Affairs & Immigration, did not respond to a request for comment, but Mitchell was reportedly seeking further information from the U.S. government on Tuesday.
The Snowden documents did not provide Greenwald and his team enough information to pinpoint exactly how the NSA is recording calls, but reports did indicate that the agency worked with the U.S. Drug Enforcement Administration (DEA) to open backdoors in the Bahamas' cell phone network.
According to The Intercept report, a memo suggests that SOMALGET data is compiled through DEA “accesses,” or “lawful intercepts,” which is possible because international law enforcement cooperation enables the DEA to tap overseas phone networks.
“The SOMALGET documents are over a year old,” Nadia Kayyali, a member of the Electronic Frontier Foundation's (EFF) activism team, told in a Tuesday email correspondence. “Since they specifically note that the Bahamas site is 'being used as a test bed for systems deployments, capabilities, and improvements,' it seems the logical conclusion is that SOMALGET technology is, or will be used, elsewhere.”
The SOMALGET surveillance efforts in the Bahamas appear to mostly be helping the NSA's drugs and crime unit locate “international narcotics traffickers and special-interest alien smugglers,” according to NSA documents sourced in the report.
This particular point bothered Kayyali, who pointed out that the NSA typically touts how its advanced surveillance efforts are used to counter terrorism and protect national security.
“Incredibly pervasive technology is being focused on a country that we have traditionally had a good relationship with, and is being used as a weapon in the war on drugs,” Kayyali said. “When NSA defenders talk about intelligence gathering, they talk about keeping the country safe, but this is a clear example of why that justification should ring false.”
She added, “These revelations are likely to further damage the United States's reputation and relationship, not only with the named countries, but with other countries as well. The global community is increasingly concerned about U.S. surveillance, and until the President and Congress address NSA overreach, we will not repair those relationships.”

China bans Windows 8 from government computers

Government ties the decision to security concerns, though it's unclear what will replace the still-widely-used Windows XP.
The Chinese government has officially banned Windows 8 from use on all government computers, reports out of the country claim.
The Xinhua news agency, one of the government's media mouthpieces, reported that the move was designed to improve security on government computers. Neither the government nor Xinhua explained how the ban would ensure security, Reuters noted.
The news comes at a time when animosity between China and the US is high. On Monday, the US charged several Chinese government officials with allegedly hacking networks in the US. China quickly responded by saying that the US has engaged in cyberespionage and cried foul on the charges.
The decision to nix Microsoft's operating system on government computers was made last week, Reuters reports, so it didn't relate to Monday's charges.
For Microsoft, the ban is just the latest in a long line of issues the company has faced in China. Microsoft has long accused China of being a center of Windows piracy. In July 2012, Microsoft accused nine Chinese computer resellers of running unlicensed software ahead of the launch of Windows 8. The company has also tried working with the government to ease the effect of illegal copying, but those efforts have yet to bear fruit.
It's not clear from the reports what the Chinese government will use for computer operating systems now that Windows 8 is off the table. Windows XP is still widely used in China, but after Microsoft ended support for that platform in April, it too would present a security risk to the government. Windows 7 is still an option, but Xinhua did not say what the government has decided.