Smart homes that let residents control alarms, locks and more over the internet are opening doors for crooks with hacker skills, according to computer security specialists.
"The smart home trend is growing, and it evolves quickly into a story of security," Trustwave managing consultant Daniel Crowley told AFP. "Connecting things to a network opens up a whole range of vectors of attack, and when you are talking door locks, garage doors, and alarm controls it gets scary."
Crowley and Trustwave colleague David Bryan found security "pretty poor" on the home networking devices they studied.
"If someone can access your home network, but doesn't have a key to your home, they can still unlock your door and get in," Crowley said of what he found in gear on the market.
Trustwave researchers will share their findings Thursday with peers at the Black Hat security conference in Las Vegas and at the infamous Def Con hacker gathering taking place in that city through the weekend.
A vulnerability of particular concern to the researchers was that once hackers joined local home networks, perhaps through poorly protected wireless routers or using malware slipped onto computers, they could control devices with no password or other authentication required.
"The fact that you need to be on someone's local network to exploit these things is not as big a hurdle as you'd imagine," Crowley said.
And the trend of providing people with smartphone applications for controlling smart home devices while away means that crooks who hack into handsets could potentially grab the reins, according to the researchers.
There are also ways to use computer "IP" numbers to figure out real-world addresses, and some smart home applications, themselves, reveal location information, according to Trustwave.
Combining that capability with hacking tools could put an Internet age twist on home burglaries, the researchers said.
"I don't think this will be something that enables the ordinary criminal to do something they weren't doing before," Crowley said. "The big risk is that a compromise could give you access to hundreds of thousands of homes all at once; I could see that as an attack someone could actually use to launch a crime spree."
Wednesday, 31 July 2013
Overview of NSA's Gigantic Surveillance Program Xkeyscore
In a story no doubt timed to the keynote speech from NSA Director General Keith Alexander at this year's Black Hat conference, the Guardian has released information on Xkeyscore, a surveillance program run by the NSA. Massive in scope, it's being called the largest program of its kind.
Xkeyscore was first discussed earlier this month, when it was revealed that Australian intelligence agencies were a part of the program. According to NSA PowerPoint presentations released by the Guardian—complete with 3D text art—the system encompasses "over 700 servers" spread across "150 sites." The presentation was apparently related to US, Australian, Canadian, Great Britain, and New Zealand intelligence efforts.
Just How Much Data?
Based off information provided by PRISM leaker Edward Snowden, the Guardian describes a system which sucks in huge amounts of data. "One NSA report from 2007 estimated that there were 850bn 'call events' collected and stored in the NSA databases, and close to 150bn internet records," writes the Guardian. "Each day, the document says, 1-2bn records were added."
Because of the sheer bulk of information, actual content (presumably intercepted information) only remains in Xkeyscore for three to five days but metadata lasts up to 30 days. The information involved appears to cover just about anything traveling through HTTP—from emails to Facebook chats to browser histories—and more. Pertinent information can be flagged by investigators for longer storage, apparently in other systems with names like Trafficthief, Pinwale, and MARINA.
Amazingly, Xkeyscore also makes it searchable in a number of unique ways with apparently little oversight.
Google For Intercepted Data
An obvious problem with data collection of any kind is making the information actually useful. In the NSA PowerPoint presentation posted by the Guardian, Xkeyscore is made to look like a veritable Google for intercepted data, easily sorting and parsing vast amounts of information in shocking ways.
Much of the actual operating of Xkeyscore is difficult to discern from the PowerPoint presentation, as it seems to presume an enormous amount of foreknowledge on the part of the reader. A series of scenarios towards the end of the presentation makes the potential of the program clear.
One slide asks, "my target speaks german but is in Pakistan - how can I find him?" This uses what the NSA calls an anomalous event—finding German amidst a primarily non-German dataset. The answer, from the same slide: "HTTP activity plugin extracts and stores all HTML language tags which can then be searched."
Another slide has a more magic-mirror scenario, where someone using Xkeyscore says, "show me all the exploitable machines in country X." Interestingly, the answer is "fingerprints from TAO are loaded into Xkeyscore application/fingerprint ID engine."
Who Watches the…You Know
Beyond the creepiness factor, the biggest issue associated with Xkeyscore and programs like it is the legality of the surveillance. The 2008 Fisa law should, in theory, prevent the NSA from monitoring US citizens without a warrant. Non-citizens in other countries are fair game. But according to the Guardian, "NSA analysts are permitted to intercept the communications of such individuals without a warrant if they are in contact with one of the NSA's foreign targets." Analysts using Xkeyscore could select reasons for their investigations from a pull-down menu.
A big piece of PRISM and Xkeyscore is building connections between individuals—who spoke to whom when, who emailed whom when, etc.—so it's not surprising that US citizens would get Hoovered up along with NSA targets.
In a statement to the Guardian, the NSA describes the program as essential. The agency writes:
NSA's activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.
XKeyscore is used as a part of NSA's lawful foreign signals intelligence collection system.
Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring.
Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.
These types of programs allow us to collect the information that enables us to perform our missions successfully – to defend the nation and to protect US and allied troops abroad.
In one of the NSA PowerPoint presentations, a slide covering success stories crows that, "over 300 terrorists captured using intelligence generated from XKEYSCORE."
Black Hat 2013: NSA Chief Reveals Details About PRISM as Hecklers Call Him a Liar
In 2009, the National Security Agency intercepted an email sent from someone in Pakistan to an individual in Denver, Colorado discussing a recipe for explosives. NSA analysts identified the Denver phone number and tracked other phone numbers the person had called. The NSA handed the information over to the Federal Bureau of Investigation, who arrested the co-conspirators and thwarted a planned attack against New York City's subway system.
This was just one of the several terrorist-related activities the NSA helped detect and disrupt under the PRISM program, General Keith Alexander, NSA chief and leader of US Cyber Command, told attendees in his keynote speech at the Black Hat conference on Wednesday. The subsequent arrest of Najibullah Zazi and Adis Medunjanin by the FBI based on the intelligence gathered by the NSA helped stop the subway attack, he said.
If the conspirators had succeeded, "it would have been the biggest attack in the United States since 9/11," Alexander said.
"I Promise You The Truth."
The general was at Black Hat to provide some details behind the data collection programs and answer questions "to the fullest extent possible," he said. "I promise you the truth," he said.
Recent media disclosures had tarnished the reputation of the NSA, when "the tools and things we use are very much the same tools you use in securing networks," he said. "The difference is the oversight and compliance that we have in these programs. That part is missing in much of the discussion," Alexander said.
Alexander never referenced ex-Booz Hamilton contractor Edward Snowden by name, but everyone in the room knew who he was talking about.
"I believe it's important for you to hear that, for you to understand what these people have to do to do their job to defend the nation and the oversight regime we have with the courts, Congress and the administration. You need to understand that to get a full understanding of what we do and do not do," he said.
For the most part, the audience was fairly respectful throughout the general's nearly one-hour talk, although one person shouted out in towards the end, "You lied to Congress. How do we know you're not lying to us right now?"
The general calmly replied, "I've never lied to Congress."
"What I'm saying is that we don't trust you," someone shouted during the speech.
Explaining What the NSA Collects
Alexander leaned heavily on the counter-terrorism explanation to justify the programs, saying the level of data collection was necessary to stop terrorism. He insisted, however, that there were safeguards built in to protect civil liberties, and that oversight from the courts, Congress, and the White House was in place to prevent any abusive behavior by NSA analysts.
The Section 215 Authority, the business records program, collects only telephone metadata and is used only for counterterrorism purposes, Alexander said. The NSA collects the date and time of the call, the phone number initiating the call and the number of the recipient, the duration of the call, and the source and site of the call—such as carrier name. The NSA does "not collect the content of the communications," such as recording the calls or intercepting the SMS messages. Identifying information such as names, addresses, or credit card information is not collected. Location data is also not used.
If the NSA gets a tip that a certain phone number may be used in connection with terrorist activity, the business records related to that number are passed to the FBI, which has the legal authority to investigate and take action, Alexander said.
In 2012, only 300 phone numbers were approved to be queried against the database, which resulted in 12 reports to the FBI, he said. The reports involved fewer than 500 numbers. "Not thousands, not hundreds of thousands," he said.
Section 702 of the FISA Amendments Act is used for foreign intelligence purposes and applies only to communications of "foreign persons abroad," and does not target any US citizens anywhere in the world. Intercepting email communications and phone calls "requires a valid documented foreign intelligence purpose such as counterterrorism," Alexander said.
The programs were launched in 2007 largely because the intelligence agencies had failed to connect the dots on information about various terrorism-related activities prior to the September 11 attacks. With these programs, the United States has identified or disrupted 54 attacks, with 25 in Europe, 13 in the US, 11 in Asia, and five in Africa, Alexander said.
Can We Trust the NSA?
Fewer than 30 analysts are authorized to access the information, and they have to undergo a rigorous examination and training process first. Agents are not authorized to listen to communications, and a Senate Select Committee review of the program found no "willful or knowledgeable violations of the law under this program," he said.
"There are allegations [the NSA] listen to all our emails; that's wrong. We don't," Alexander said. Even if someone did go rogue, because analysts are required to provide sufficient evidence and are audited regularly, there is 100 percent accountability, he said.
There are accusations that the NSA is collecting everything, which is not true. There are also people saying that NSA could collect everything. "The fact is, [we] don't," Alexander said.
Internet companies share data only when compelled to do so by a court order, Alexander said.
It was important to understand that "virtually all countries have lawful intercept programs," Alexander said, but the key difference was that the US has strict oversight by the courts, Congress, and the White House to make sure the government is not abusing the information gathered.
Limited Q&A
There was no open question-and-answer session at the end of the keynote. Instead, Trey Ford, the general manager of Black Hat, asked several questions solicited from its advisory board and select people in the security community. While it wasn't a free-for-all session, there were fewer softballs than expected.
When Ford asked if the NSA could intercept his mother's phone calls, Gen. Alexander replied, "No Trey, we can't intercept your calls to your mom." He noted that he had four daughters, and he couldn't intercept their emails, either. "You guys probably can, though," he joked to the audience.
"You want to help get this to work, be part of that discussion," Alexander said, saying the NSA wants the security community to help make the counter-terrorism efforts better. "If you disagree with what we are doing, then you should help us twice as much," he said.
Even with the heckling and scattered applause in support of the comments, Gen. Alexander remained calm, polite, and focused. In many ways, his lack of aggressiveness went a long way towards getting a lot of the audience's support, or at least cooperation, during his speech.
Some people took to Twitter to criticize the hecklers, calling for civilized discourse and respectful conversation. Others defended the hecklers, noting that it is difficult to have an honest conversation with a party that has been shown to be deceitful.
At the end, someone shouted, "You should read the Constitution!" The general, without missing a beat, said, "I have. You should, too."
CloudFlare at Black Hat: Don't Be an Unwilling DDoS Participant
"The neat thing about Spamhaus is that they're a really open organization," said Prince. "Most of our customers don't like us talking about attacks, but the Spamhaus guys said hey, tell the story."
Prince reviewed the stages of the attack, which went through a few days of low-level DDoS that didn't cause problems, but eventually ramped up to a hitherto-unprecedented 309 Gbps (gigabits per second). While media reported that the attack came from a bunker in the Netherlands, Prince pointed out this wasn't the actual mastermind. "Hey, he talked to the New York Times!" quipped Prince. It turns out the brains behind the attack belonged to a 15-year-old London boy, now in custody.
What resources did this kid need? "You don't need a botnet," said Prince, "and you don't need a lot of people, like Anonymous." He went on to say that the attack didn't need a lot of technical expertise. "It's like a caveman beating up your network." He went on to display a very simple line of network instructions that would demonstrate the kind of attack used.
All you need for this kind of attack is a list of open DNS resolvers and access to some servers that allow source IP spoofing. "Those are the ingredients," said Prince. "If you have those two things, even a tiny number, you can launch large attacks. And nothing has changed since the Spamhaus attack."
Prince exhorted attendees to clean up their own networks, making sure they're not part of the problem. "Check your own IP space at OpenResolver.com," said Prince, "and fix any misconfigured devices. You may be surprised to find that you do have a problem." "A simple flag in your edge routers will prevent IP spoofing," he continued. "There's no excuse for not doing this." He finished with a number of more technical recommendations for network hygiene.
Alas, the Internet as a whole is not taking this advice. Since the Spamhaus attack the number of known open DNS resolvers has grown from 21 million to 28 million. Prince pointed out a very simple change that could have multiplied the traffic in the Spamhaus attack by ten, or even 100. Let's hope the good guys can stay ahead of the game.
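As an added illustration, not taken from Prince's talk or from CloudFlare, here is the kind of resolver misconfiguration he is asking operators to fix, shown as a BIND 9 `named.conf` options block in its open (amplifier-capable) form beside a corrected form. The address range 192.0.2.0/24 is a documentation placeholder standing in for the operator's own client networks.

```conf
// --- named.conf, WEAK ---------------------------------------------------
// Recursion is offered to the whole Internet, so anyone can send a small
// query with a forged source address and have this server send a large
// answer to the victim. This is what OpenResolver.com would flag.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// --- named.conf, CORRECTED ----------------------------------------------
// Recursion and cached answers only for the operator's own clients
// (192.0.2.0/24 is a placeholder); everyone else is refused, and
// response rate limiting (BIND 9.10+) caps what a spoofed query can
// extract even from the zones this server is authoritative for.
acl "trusted" { 127.0.0.0/8; ::1/128; 192.0.2.0/24; };

options {
    directory "/var/named";
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    rate-limit { responses-per-second 10; };
};
```

The "simple flag" on edge routers that Prince refers to is ingress source-address filtering (BCP 38); on Cisco IOS the equivalent is `ip verify unicast source reachable-via rx` (strict unicast RPF) applied to customer-facing interfaces.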
Black Hat: Researchers hack femtocells to grab voice, data and SMS traffic
Las Vegas: Researchers are calling on mobile operators worldwide to drop support for femtocell units following a harrowing proof-of-concept demonstration.
Security firm iSEC Partners drew a packed house at the conference when it demonstrated a simple system which compromised a Verizon femtocell unit and then used the system to gather nearby mobile traffic.
The real-time demo included the capture of voice calls, a display of SMS messages sent by volunteers in the audience and even a video demonstrating an attack in which web data traffic could be pulled to harvest user credentials.
The stakes were only raised further as the demonstration progressed, with researchers using the hacked femtocell to collect unique device identifiers for mobile handsets. The collected data was then used to 'clone' a test handset, potentially allowing an attacker to eavesdrop on conversations and place calls from the account of the cloned system.
While US carrier Verizon has since patched the vulnerability in question and was said by the researchers to be very cooperative, iSec researcher Doug DePerry warned that the exploit method used in the attack could be modified in the future or other modes of entry could be found to take over other femtocell units.
Rather, iSec believes that in order to prevent these sorts of attacks network operators need to drop support for femtocells altogether and implement their security protections at the network level rather than rely on the relatively weak security of embedded devices.
“Your phone will associate to a femtocell without your knowledge,” explained DePerry.
“This is not like Wi-Fi, you do not have a choice.”
The researcher noted that certain Android devices provide users with an icon to notify them when their handset is connected to a femtocell network, though other popular models such as the iPhone do not.
For users who are looking for protection against possible femtocell attacks, the company said it is developing a free application which will force a handset to go into airplane mode when a femtocell is detected. The researchers noted that the app is largely precautionary and not intended for novice users.
Twitter: Government demands for user data rise as U.S. leads
Twitter revealed on Wednesday that government demands for information about users rose in the first half of this year, with US authorities accounting for more than three-quarters of the requests.
Governments submitted a total of 1,157 requests for information about Twitter accounts, with 78 percent of those queries coming from the United States, according to a transparency report issued by the globally popular one-to-many text messaging service.
Twitter reported that it gave US authorities what they sought in 67 percent of the cases.
Japan was second when it came to requesting information from Twitter during the first six months of 2012, accounting for eight percent of the total.
The number of requests from governments has risen in each of the three Twitter transparency reports issued since the San Francisco-based firm began publishing them last year.
Twitter said the requests typically were made in connection with criminal investigations and lamented that it was barred by law from revealing anything about information demanded through US national security letters.
"An important conversation has begun about the extent to which companies should be allowed to publish information regarding national security requests," Twitter legal policy manager Jeremy Kessel said in a blog post.
"We have joined forces with industry peers and civil liberty groups to insist that the United States government allow for increased transparency into these secret orders."
Apple, Facebook, Microsoft and other top Internet and technology companies have come under heightened scrutiny since word leaked of a vast, covert Internet surveillance program US authorities insist targets only foreign terror suspects and has helped thwart attacks.
US lawmakers last week vowed to step up their campaign against government surveillance programs after narrowly failing in a bid to end spying practices they have decried as unconstitutional.
Twitter said that the number of requests by governments to remove user content rose to 60 from 42 in the prior six-month period, and just six in the first transparency report issued in July of last year.
"Governments generally make removal requests for content that may be illegal in their respective jurisdictions," the report explained.
"For example, we may receive a court order requiring the removal of defamatory statements, or law enforcement may ask us to remove prohibited content."
Meanwhile, notices to take down copyrighted material surged to 5,753 in the first half of this year from 3,268 in the last six months of last year, according to Twitter.
North Korea Trojan horse penetrates South Korea through open doors
Authorities’ investigation has found that 110,000 personal computers in South Korea were transformed into zombie PCs because the head of an information technology company in the South handed over the right to access a domestic computer network to spies from the North’s intelligence bureau and hackers. “Cyber invaders” planted by the enemy have virtually been waiting for a tall order from the North. It reminds us of the Trojan horse. Greece, which failed to conquer Troy in intense fortress battles for nearly 10 years, defeated the enemy by using the wooden horse. Greek soldiers hiding inside the wooden horse only numbered 30.
It remains unknown for what purpose the head of an IT company, identified by his last name Kim, acted to serve the interests of the North. Kim, a former anti-government activist in the South, reportedly contacted North Korean spies while he was working with a South-North IT joint venture in China in the late 1990s. If there is any force behind his spying act, it should be rooted out as well.
It is not the first time that a South Korean handed over the right to access a domestic server to the North. Last year, a game program producer and trader, Cho, was sentenced to two years in prison for handing over the right to access a computer network to a spy from North Korea’s intelligence bureau and enabling the North to transform more than 6,000 PCs in the South into zombie PCs.
Since the early 2000s, the North has been aggressively strengthening its capacity to conduct cyber warfare against the South. South Korea is an IT powerhouse but is vulnerable in cyber security. Hence, freezing a computer network could wreak bigger havoc in South Korean society than bombing a bridge or road. The North has nurtured more than 3,000 hackers, and is constantly seeking an opportunity to launch a cyber attack on the South. Cyber attacks on South Korean organizations in March and June this year, and denial of access attacks on July 7, 2009, and on March 4, 2011, are found to have been committed by Pyongyang.
The question of why the South has hopelessly fallen victim to the North’s cyber attacks over the past years is being gradually answered as well. If there is someone who colludes with the North within the South, the latter cannot protect its cyber territory, no matter how strong a bulwark it constructs.
Park Chan-am, chief of Raon Secure’s security technology team, who is considered one of the best white hackers in the South, blasted the government for its negligent response. “There would be far more incidents of the North’s hacking that the South suffers even without recognizing them,” Park said. It is important that South Korean society increase its sense of alertness to counter the North’s full-blown cyber attacks that could come through multiple channels en masse, and thoroughly prepare itself.
7,000 Starbucks WiFi networks go Google
Google will give free WiFi connections to all 7,000 company-operated Starbucks stores in the United States over the next 18 months, Kevin Lo, General Manager, Google Access, posted on a blog.
Google will start rolling out the new WiFi networks this August.
Google has long invested in helping the Internet grow stronger, including projects to make Internet access speedier, more affordable, and more widely available.
The free Internet connection at Starbucks has become an important part of many communities over the years, such as in the aftermath of Hurricane Sandy, or for students without Internet at home who do their homework at Starbucks.
More NSA Telephone Metadata Documents Released By U.S. DNI
Office of the Director of National Intelligence Declassifies and Releases Telephone Metadata Collection Documents.
One document says "these programs are authorized to collect in bulk certain dialing, routing, addressing, and signaling information about telephone calls and electronic communications, such as telephone numbers or e-mail addresses."
In the interest of increased transparency, the Director of National Intelligence has authorized the declassification and public release of the attached documents pertaining to the collection of telephone metadata pursuant to Section 215 of the PATRIOT Act. DNI Clapper has determined that the release of these documents is in the public interest.
- Cover Letter and 2009 Report on the National Security Agency’s Bulk Collection Program for USA PATRIOT Act Reauthorization
- Cover Letters and 2011 Report on the National Security Agency’s Bulk Collection Program for USA PATRIOT Act Reauthorization
- Primary Order for Business Records Collection Under Section 215 of the USA PATRIOT Act
Black Hat: NSA boss Keith Alexander defends PRISM programme
Las Vegas: The head of the US National Security Administration (NSA) took to an audience of thousands of security professionals to explain his agency's controversial surveillance programmes.
Gen. Keith Alexander told attendees at the 2013 Black Hat conference that the agency's FISA and PRISM procedures are being carried out with far more discretion and oversight than commonly believed and are solely used for the purpose of gathering data on known or suspected terrorists.
“Their intention is not to go after our communications, their intention is to find the terrorists that walk among us,” Alexander said of the NSA.
“We comply with court orders and do this exactly right, and if we make a mistake we hold ourselves accountable and report it.”
According to Alexander, the NSA operates under a strict set of limitations and is subject to regular audits which pore over all collected data, much of which is highly anonymised. According to screen shots provided by the NSA, phone data is limited to dates and times, origin and destination numbers, and means of collection. No audio, SMS or account information is harvested at any point in the process.
The number of people actually handling the surveillance information is limited as well. Alexander said that just 22 individuals within the NSA are allowed to authorise the collection of data, and just 35 analysts are authorised to view phone data collected through the FISA programme.
Alexander also talked up the strict judicial regulations that govern the programme and require the NSA to obtain authorisation from Federal Courts for all surveillance activities. Contrary to popular belief, says Alexander, the NSA often finds itself with a skeptical audience when it seeks judiciary approval.
“They want to make sure that what we are doing comports with the constitution and federal law, and they are dead serious about it,” Alexander told attendees.
“These are tremendous judges, they are not a rubber stamp.”
The NSA boss was not without his detractors, however. Sporadic heckling from the crowd roasted Alexander for issues ranging from the constitutionality of the programme to the US policies behind its Middle East activities.
Ultimately, however, Alexander would reach out to the audience, inviting security professionals to submit their questions and comments to the administration and help it to revise and improve its policies.
“We need to hear from you because the tools and the things we use are very much the same as the tools you use in securing your networks,” he said.
“The difference is the oversight and compliance we have in these programmes, that part is missing in much of the discussion.”
PRISM: NSA used XKeyscore software to trawl billions of email and internet records
Revealed by the Guardian today, screenshots reportedly show an NSA tutorial presentation detailing how to use the software. The article claims that analysts connected to the browser-based system could search through the NSA's records without any review process, meaning data searching was effectively a free-for-all for employees and contractors.
The Guardian says that the purpose of the software was "to allow analysts to search the metadata as well as the content of emails and other internet activity". Screenshots show specific applications which could be used to monitor Facebook users' messaging history simply "by entering the Facebook user name and a date range into a simple search screen".
The software also claims to be able to rifle through user search history simply by referring to HTTP activity, and makes examples of the BBC website as one potential source of information, as well as Wikipedia, Twitter and Yahoo.
It is claimed that the software searched through 850 billion so-called "call events" such as emails and phone conversations as well as a further 150 billion internet records. The Guardian says one to two billion records were added every day, with all data only stored for around three to five days. The paper quotes a former NSA mathematician as saying that the NSA had assembled 20 trillion transactions between US citizens.
Finally, it alleges that exchanges between foreign citizens are stored in the same database as those which involve US citizens, meaning records of non-US citizens are just as accessible without a warrant.
In a statement to the Guardian, the NSA said that the use of XKeyscore was legal and justified, and insisted that allegations of "widespread, unchecked analyst access to NSA collection data are simply not true".
The former NSA contractor and whistleblower Edward Snowden, who initially released the documents relating to PRISM, is still seeking asylum and is currently believed to be in Russia.
PhishMe launches Phish Reporter tool to let staff alert IT to malware scams
The company unveiled the new service at Black Hat in Las Vegas, promising it will help companies better defend themselves from phishing and drive-by attacks.
Phish Reporter is an Outlook extension designed to add a new alert button to the email client's toolbar that, when clicked, marks a message as suspicious. The service automatically uses PhishMe network data and incoming company information to scan the email and check if it is suspicious before forwarding it on to the firm's security team, stopping employees overloading administrators with requests.
PhishMe claims the data collected by the tool can be used by companies to retrieve time-stamped entries of reported phishing emails, create in-depth incident reports showing which emails have been flagged as suspicious over an extended period of time, improve phishing message filtering policies and improve attack detection times. This will reportedly help companies reduce incident response costs across the board.
PhishMe chief executive officer and co-founder, Rohyt Belani said the tool will let companies make the most of cyber-savvy employees who are not directly tied to their security department.
"With the new Phish Reporter button, organisations can effectively turn their employees into spear-phishing sensors," he said. "Many of our customers have successfully created an awareness culture in which employees can identify spear-phishing emails, but they lacked a fast, effective way to report these emails to the appropriate department within the organisation. Phish Reporter will help fill this void."
PhishMe chief technology officer and fellow co-founder, Aaron Higbee added that the tool will also provide feedback to the users who reported phishing incidents, letting them know if the messages were in fact dangerous. He said the feedback will have an added educational value, improving companies' overall cyber security awareness.
"PhishMe has established a unique methodology for scoring a user's ability to identify phishing attempts," he said. "With each employee being a potential sensor, they can now become proactive contributors to the threat-detection process and security teams can prioritise their analysis based on a user's scoring history."
Phish Reporter's unveiling follows widespread rumblings within the security community that suggest the phishing threat facing businesses is growing. Most recently Kaspersky Lab reported that crooks are targeting an average of 3,000 Brits with phishing messages every day in its The evolution of phishing attacks 2011-2013 report.
The Cyber Espionage Blueprint
This week the RSA FirstWatch team released research that explores the realities associated with long-term Advanced Persistent Threat (APT) analysis.
The report, The Cyber Espionage Blueprint Understanding Commonalities in Targeted Malware Campaigns, is the culmination of a year’s worth of research from the RSA FirstWatch team. In that time they collected approximately 2400 samples that span 60 different families of Trojans (including first-stage Remote Access Tool (RAT) and second stage backdoors) used in Cyber Espionage campaigns.
The malware collected were assembled from a variety of sources including but not limited to, current events and media, global data mining of open source intelligence, public information sharing groups and private information sharing groups.
Every sample identified and analyzed in the report was used in a targeted attack, and all associated Cyber Espionage attacks were forensically matched for accuracy. What we found is that there are many commonalities in Cyber Espionage malware that help form an attacker “blueprint” for these advanced campaigns.
By understanding this Cyber Espionage attacker “blueprint” organizations can craft effective best practices for detection and response at both the host and network level. Through doing so, the playing field can be leveled to put defenders at less of a disadvantage relative to attackers.
So what are some of these commonalities? When looking at over 2000 malware samples we found that:
- 54 percent of cyber espionage malware sample files used random or nonsensical filenames
- 68 percent of cyber espionage malware samples used standard ports to communicate
- 67 percent of cyber espionage malware samples were installed in the user profile directory
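As an added example (not code from the RSA report), the three commonalities above turned into a host-triage heuristic that scores endpoint events; the sample events, the list of "standard" ports and the thresholds that decide what counts as a random-looking filename are constructed assumptions.

```python
"""Score endpoint events against the three commonalities quoted above:
random-looking filenames, installation under the user profile directory,
and command-and-control over standard ports.  Added example; the events,
port list and thresholds below are constructed assumptions, not the
report's data."""
import re
from dataclasses import dataclass

# Assumption: ports that blend in with ordinary web/DNS/mail traffic.
STANDARD_PORTS = {21, 25, 53, 80, 443, 8080}

# Windows and Linux user profile roots (assumed layouts).
USER_PROFILE_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+"
    r"|[a-z]:\\documents and settings\\[^\\]+"
    r"|/home/[^/]+)",
    re.IGNORECASE,
)


@dataclass
class Event:
    path: str        # full path of the executable that was dropped/run
    dest_port: int   # TCP port of its first outbound connection


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def looks_random(filename: str) -> bool:
    """Heuristic for 'random or nonsensical' names: almost no vowels, a long
    consonant run, or letters mixed with several digits.  Thresholds are
    constructed; they are tuned for this example, not a production rule."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", stem)
    longest_run = max((len(r) for r in runs), default=0)
    digits = sum(c.isdigit() for c in stem)
    return vowel_ratio < 0.1 or longest_run >= 5 or (digits >= 2 and len(stem) >= 8)


def assess(event: Event) -> dict:
    """One point per commonality the event matches, with the reason kept so an
    analyst can see why the host was ranked."""
    reasons = []
    if looks_random(basename(event.path)):
        reasons.append("random-looking filename")
    if USER_PROFILE_RE.match(event.path):
        reasons.append("installed under the user profile directory")
    if event.dest_port in STANDARD_PORTS:
        # Port filtering alone will not catch it; inspect protocol conformance.
        reasons.append("beacons over a standard port")
    return {"path": event.path, "score": len(reasons), "reasons": reasons}


def triage(events, threshold: int = 2):
    """Events meeting the threshold, highest score first (stable order)."""
    scored = [assess(e) for e in events]
    scored.sort(key=lambda r: -r["score"])
    return [r for r in scored if r["score"] >= threshold]


# Constructed sample events: two that fit the blueprint, two that do not.
SAMPLE_EVENTS = [
    Event(r"C:\Users\alice\AppData\Roaming\xk3jq9wz.exe", 443),
    Event(r"C:\Windows\System32\svchost.exe", 443),
    Event(r"C:\Users\bob\Downloads\invoice_viewer.exe", 4444),
    Event("/home/carol/.cache/kbfzqrlt", 80),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["score"], r["path"], "->", "; ".join(r["reasons"]))
```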
We will be presenting these findings at the RSA booth at BlackHat this week, and if you aren’t in Las Vegas to hear from us first hand, we urge you to read the research and share it with others in the trenches.
Chinese hackers target remote conferencing gear: Dell researchers
A Chinese hacking group tied to the breach of security company RSA two years ago has targeted a maker of audio-visual conference equipment in a likely attempt to tap into boardroom and other high-level remote meetings.
Security researchers at Dell Inc's SecureWorks unit were able to monitor the computers used by the group to process communications from machines infected with stealthy software for stealing data, according to a paper they are releasing today.
Although the researchers could not tell what information was being extracted, they were able to discover many of the companies and offices unknowingly transmitting information. The compromised computers were in five different offices of a global maker of conferencing equipment, said SecureWorks researchers Joe Stewart and Don Jackson.
"I think they were looking for the source code," Stewart told Reuters, because that would help them find flaws they could use to eavesdrop in further attacks.
"If your final target is this vendor's customers of the conferencing product, you would want to be able to connect on their premises."
Stewart declined to identify the manufacturer, but he has notified both the company and law enforcement. Researchers had previously found security flaws in high-end conferencing gear and the new findings suggest they are a prime target.
As a hacking strategy, such a multi-step effort would track with other major attacks, including the one on RSA, a unit of EMC Corp.
In that case, the hackers took information that helped them duplicate the rapidly changing passwords on SecurID tokens used by defence contractors and others to authenticate users when they log in remotely. The contractors were the real targets in that case, the researchers said.
Stewart attributed the new round of attacks to a prolific group based in Beijing that he and others have studied for years. Stewart's paper with Jackson tracks only one of the three dozen sophisticated malicious software programs that group favours.
That one family of code has hundreds of variants and has been used in at least 64 campaigns, including the penetration of the audio-visual equipment company, Stewart said. The same program has been used against government offices and 10 industries, including mining, media and communications.
Of the infections the researchers were able to identify, the greatest number were in Japan, followed by India, South Korea, Taiwan and the United States.
Stewart said the Beijing group is probably as big as the Shanghai-based crew that drew wide attention in February after security firm Mandiant said it was a specific unit within China's People's Liberation Army. China disputed the report and said it does not hack Western companies.
Although characteristics of both the Beijing and Shanghai groups sometimes show up inside the same compromised company, the Beijing group tends to focus more on activists, including those involved with Tibetan issues, Stewart said.
He has catalogued about 275 families of malicious software to date.
XKeyscore: NSA tool collects 'nearly everything a user does on the internet'
• XKeyscore gives 'widest-reaching' collection of online data
• NSA analysts require no prior authorization for searches
• Sweeps up emails, social media activity and browsing history
• NSA's XKeyscore program – read one of the presentations
A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.
The NSA boasts in training materials that the program, called XKeyscore, is its "widest-reaching" system for developing intelligence from the internet.
The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian's earlier stories on bulk collection of phone records and Fisa surveillance court oversight.
The files shed light on one of Snowden's most controversial statements, made in his first video interview published by the Guardian on June 10.
"I, sitting at my desk," said Snowden, could "wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email".
US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden's assertion: "He's lying. It's impossible for him to do what he was saying he could do."
But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.
XKeyscore, the documents boast, is the NSA's "widest reaching" system developing intelligence from computer networks – what the agency calls Digital Network Intelligence (DNI). One presentation claims the program covers "nearly everything a typical user does on the internet", including the content of emails, websites visited and searches, as well as their metadata.
Analysts can also use XKeyscore and other NSA systems to obtain ongoing "real-time" interception of an individual's internet activity.
Under US law, the NSA is required to obtain an individualized Fisa warrant only if the target of their surveillance is a 'US person', though no such warrant is required for intercepting the communications of Americans with foreign targets. But XKeyscore provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant provided that some identifying information, such as their email or IP address, is known to the analyst.
One training slide illustrates the digital activity constantly being collected by XKeyscore and the analyst's ability to query the databases at any time.
The purpose of XKeyscore is to allow analysts to search the metadata as well as the content of emails and other internet activity, such as browser history, even when there is no known email account (a "selector" in NSA parlance) associated with the individual being targeted.
Analysts can also search by name, telephone number, IP address, keywords, the language in which the internet activity was conducted or the type of browser used.
One document notes that this is because "strong selection [search by email address] itself gives us only a very limited capability" because "a large amount of time spent on the web is performing actions that are anonymous."
The NSA documents assert that by 2008, 300 terrorists had been captured using intelligence from XKeyscore.
Analysts are warned that searching the full database for content will yield too many results to sift through. Instead they are advised to use the metadata also stored in the databases to narrow down what to review.
A slide entitled "plug-ins" in a December 2012 document describes the various fields of information that can be searched. It includes "every email address seen in a session by both username and domain", "every phone number seen in a session (eg address book entries or signature block)" and user activity – "the webmail and chat activity to include username, buddylist, machine specific cookies etc".
One top-secret document describes how the program "searches within bodies of emails, webpages and documents", including the "To, From, CC, BCC lines" and the 'Contact Us' pages on websites".
To search for emails, an analyst using XKS enters the individual's email address into a simple online search form, along with the "justification" for the search and the time period for which the emails are sought.
The analyst then selects which of those returned emails they want to read by opening them in NSA reading software.
The system is similar to the way in which NSA analysts generally can intercept the communications of anyone they select, including, as one NSA document put it, "communications that transit the United States and communications that terminate in the United States".
One document, a top secret 2010 guide describing the training received by NSA analysts for general surveillance under the Fisa Amendments Act of 2008, explains that analysts can begin surveillance on anyone by clicking a few simple pull-down menus designed to provide both legal and targeting justifications. Once options on the pull-down menus are selected, their target is marked for electronic surveillance and the analyst is able to review the content of their communications:
An NSA tool called DNI Presenter, used to read the content of stored emails, also enables an analyst using XKeyscore to read the content of Facebook chats or private messages.
An analyst can monitor such Facebook chats by entering the Facebook user name and a date range into a simple search screen.
Analysts can search for internet browsing activities using a wide range of information, including search terms entered by the user or the websites viewed.
As one slide indicates, the ability to search HTTP activity by keyword permits the analyst access to what the NSA calls "nearly everything a typical user does on the internet".
The XKeyscore program also allows an analyst to learn the IP addresses of every person who visits any website the analyst specifies.
The quantity of communications accessible through programs such as XKeyscore is staggeringly large. One NSA report from 2007 estimated that there were 850bn "call events" collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 1-2bn records were added.
William Binney, a former NSA mathematician, said last year that the agency had "assembled on the order of 20tn transactions about US citizens with other US citizens", an estimate, he said, that "only was involving phone calls and emails". A 2010 Washington Post article reported that "every day, collection systems at the [NSA] intercept and store 1.7bn emails, phone calls and other type of communications."
The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."
To solve this problem, the NSA has created a multi-tiered system that allows analysts to store "interesting" content in other databases, such as one named Pinwale which can store material for up to five years.
It is the databases of XKeyscore, one document shows, that now contain the greatest amount of communications data collected by the NSA.
In 2012, there were at least 41 billion total records collected and stored in XKeyscore for a single 30-day period.
Legal v technical restrictions
While the Fisa Amendments Act of 2008 requires an individualized warrant for the targeting of US persons, NSA analysts are permitted to intercept the communications of such individuals without a warrant if they are in contact with one of the NSA's foreign targets.
The ACLU's deputy legal director, Jameel Jaffer, told the Guardian last month that national security officials expressly said that a primary purpose of the new law was to enable them to collect large amounts of Americans' communications without individualized warrants.
"The government doesn't need to 'target' Americans in order to collect huge volumes of their communications," said Jaffer. "The government inevitably sweeps up the communications of many Americans" when targeting foreign nationals for surveillance.
An example is provided by one XKeyscore document showing an NSA target in Tehran communicating with people in Frankfurt, Amsterdam and New York.
In recent years, the NSA has attempted to segregate exclusively domestic US communications in separate databases. But even NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications.
Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.
Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. "It's very rare to be questioned on our searches," Snowden told the Guardian in June, "and even when we are, it's usually along the lines of: 'let's bulk up the justification'."
In a letter this week to senator Ron Wyden, director of national intelligence James Clapper acknowledged that NSA analysts have exceeded even legal limits as interpreted by the NSA in domestic surveillance.
Acknowledging what he called "a number of compliance problems", Clapper attributed them to "human error" or "highly sophisticated technology issues" rather than "bad faith".
However, Wyden said on the Senate floor on Tuesday: "These violations are more serious than those stated by the intelligence community, and are troubling."
In a statement to the Guardian, the NSA said: "NSA's activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.
"XKeyscore is used as a part of NSA's lawful foreign signals intelligence collection system.
"Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring."
"Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.
"These types of programs allow us to collect the information that enables us to perform our missions successfully – to defend the nation and to protect US and allied troops abroad."
Email monitoring
In a second Guardian interview in June, Snowden elaborated on his statement about being able to read any individual's email if he had their email address. He said the claim was based in part on the email search capabilities of XKeyscore, which Snowden says he was authorized to use while working as a Booz Allen contractor for the NSA.
One top-secret document describes how the program "searches within bodies of emails, webpages and documents", including the "To, From, CC, BCC lines" and the 'Contact Us' pages on websites.
To search for emails, an analyst using XKS enters the individual's email address into a simple online search form, along with the "justification" for the search and the time period for which the emails are sought.
The analyst then selects which of those returned emails they want to read by opening them in NSA reading software.
The system is similar to the way in which NSA analysts generally can intercept the communications of anyone they select, including, as one NSA document put it, "communications that transit the United States and communications that terminate in the United States".
One document, a top secret 2010 guide describing the training received by NSA analysts for general surveillance under the Fisa Amendments Act of 2008, explains that analysts can begin surveillance on anyone by clicking a few simple pull-down menus designed to provide both legal and targeting justifications. Once options on the pull-down menus are selected, their target is marked for electronic surveillance and the analyst is able to review the content of their communications:
Chats, browsing history and other internet activity
Beyond emails, the XKeyscore system allows analysts to monitor a virtually unlimited array of other internet activities, including those within social media.
An NSA tool called DNI Presenter, used to read the content of stored emails, also enables an analyst using XKeyscore to read the content of Facebook chats or private messages.
An analyst can monitor such Facebook chats by entering the Facebook user name and a date range into a simple search screen.
Analysts can search for internet browsing activities using a wide range of information, including search terms entered by the user or the websites viewed.
As one slide indicates, the ability to search HTTP activity by keyword permits the analyst access to what the NSA calls "nearly everything a typical user does on the internet".
The XKeyscore program also allows an analyst to learn the IP addresses of every person who visits any website the analyst specifies.
The quantity of communications accessible through programs such as XKeyscore is staggeringly large. One NSA report from 2007 estimated that there were 850bn "call events" collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 1-2bn records were added.
William Binney, a former NSA mathematician, said last year that the agency had "assembled on the order of 20tn transactions about US citizens with other US citizens", an estimate, he said, that "only was involving phone calls and emails". A 2010 Washington Post article reported that "every day, collection systems at the [NSA] intercept and store 1.7bn emails, phone calls and other type of communications."
The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."
To solve this problem, the NSA has created a multi-tiered system that allows analysts to store "interesting" content in other databases, such as one named Pinwale which can store material for up to five years.
It is the databases of XKeyscore, one document shows, that now contain the greatest amount of communications data collected by the NSA.
In 2012, there were at least 41 billion total records collected and stored in XKeyscore for a single 30-day period.
Legal v technical restrictions
While the Fisa Amendments Act of 2008 requires an individualized warrant for the targeting of US persons, NSA analysts are permitted to intercept the communications of such individuals without a warrant if they are in contact with one of the NSA's foreign targets.
The ACLU's deputy legal director, Jameel Jaffer, told the Guardian last month that national security officials expressly said that a primary purpose of the new law was to enable them to collect large amounts of Americans' communications without individualized warrants.
"The government doesn't need to 'target' Americans in order to collect huge volumes of their communications," said Jaffer. "The government inevitably sweeps up the communications of many Americans" when targeting foreign nationals for surveillance.
An example is provided by one XKeyscore document showing an NSA target in Tehran communicating with people in Frankfurt, Amsterdam and New York.
In recent years, the NSA has attempted to segregate exclusively domestic US communications in separate databases. But even NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications.
Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.
Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. "It's very rare to be questioned on our searches," Snowden told the Guardian in June, "and even when we are, it's usually along the lines of: 'let's bulk up the justification'."
In a letter this week to senator Ron Wyden, director of national intelligence James Clapper acknowledged that NSA analysts have exceeded even legal limits as interpreted by the NSA in domestic surveillance.
Acknowledging what he called "a number of compliance problems", Clapper attributed them to "human error" or "highly sophisticated technology issues" rather than "bad faith".
However, Wyden said on the Senate floor on Tuesday: "These violations are more serious than those stated by the intelligence community, and are troubling."
In a statement to the Guardian, the NSA said: "NSA's activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.
"XKeyscore is used as a part of NSA's lawful foreign signals intelligence collection system.
"Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring."
"Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.
"These types of programs allow us to collect the information that enables us to perform our missions successfully – to defend the nation and to protect US and allied troops abroad."
Nigerian Army email hacked
The Nigerian Army has announced that one of its email addresses has been hacked by cyber criminals, who are now using it to solicit funds from unsuspecting members of the public.
In a statement, Colonel John Agim, of the Nigerian Army’s public relations directorate, encouraged members of the public to be aware of the ongoing scam.
"It has come to the notice of this directorate that some fraudsters are using our official email address to circulate messages seeking for financial assistance from the general public," Agim said.
In one of the messages, the cybercriminal claimed a close relative was involved in an accident while travelling to Kogi state.
This is the message the cybercriminal is sending through the account.
"Good morning, I'm so sorry to bother you on this, I just heard that my younger sister was involved in an accident en-route Kogi and she needs to be operated urgently and the hospital is demanding for about NGN83,000 before they commence the surgery, and I understand she is in a very bad state I can't meet up the urgency from here, please I beg of you to assist me on this?
I will refund you as soon as I get back; I can send the doctors account details to you if you can help me! Please email me back please.”
Researchers “remote control” an $80 million yacht – and even aircraft could be vulnerable
A hi-tech GPS spoofing attack took “remote control” of a 213-foot, $80 million superyacht, steering it off course without anyone touching the wheel. The ship’s systems gave no sign that anything was amiss. All that was required was a suitcase-sized device in the yacht’s rigging.
Researchers led by Todd Humphreys of the University of Texas at Austin’s Cockrell School of Engineering were able to “steer” a yacht off course by broadcasting fake GPS signals from the upper deck, fooling the ship’s systems so that anyone at the controls would have seen it travelling in a straight line. The vessel’s wake, meanwhile, showed it was steering in a curve.
The researchers were invited on board a yacht, the White Rose of Drachs, travelling from Monaco to Rhodes, Greece, about 30 miles off the coast of Italy and in international waters. The researchers’ device, a blue box, broadcast its own civil GPS signals until they overwhelmed the “real” GPS signals received by the ship. If GPS systems are blocked or jammed, onboard systems will register
The “GPS spoofing” device showed how the systems can be overwhelmed by false signals without onboard sensors identifying the threat. A series of “location discrepancies”, broadcast to the ship’s two GPS antennas, slowly “nudged” the ship onto a new course.
“The ship actually turned and we could all feel it, but the chart display and the crew saw only a straight line,” Humphreys said.
“With 90 percent of the world’s freight moving across the seas and a great deal of the world’s human transportation going across the skies, we have to gain a better understanding of the broader implications of GPS spoofing,” Humphreys said. “I didn’t know, until we performed this experiment, just how possible it is to spoof a marine vessel and how difficult it is to detect this attack.”
Humphreys and his colleagues believe that the experiment could have wider-reaching implications for transport as a whole.
“This experiment is applicable to other semi-autonomous vehicles, such as aircraft, which are now operated, in part, by autopilot systems,” Humphreys said. “We’ve got to put on our thinking caps and see what we can do to solve this threat quickly.”
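The attack the researchers describe, and the kind of cross-check a crew would need in order to notice it, as an added simulation that is not part of the article and not the Texas team's apparatus. It models a track-keeping autopilot that trusts only the GPS fix, a spoofer that shifts the reported fix by a slowly growing offset (the "nudge"), and a detector that dead-reckons from the gyrocompass heading and the speed log, two sensors a GPS spoofer cannot touch, and compares the result with the GPS track. The speed, autopilot gain, offset law, step count and the 50-metre tolerance are all constructed values, and the model has no sensor noise.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed parameters for this simulation; they are not figures from the
# White Rose of Drachs experiment. Units are metres and "steps" of the autopilot loop.
SPEED = 10.0          # distance made good per step (from the speed log, not GPS)
GAIN = 0.02           # autopilot: radians of heading per metre of cross-track error
MAX_RUDDER = 0.3      # radians: largest heading the autopilot will command off the track
STEPS = 300
SPOOF_ACCEL = 0.002   # spoofed fix is shifted by SPOOF_ACCEL * t**2 metres at step t
DR_TOLERANCE = 50.0   # alarm when dead reckoning and GPS disagree by more than this

Fix = Tuple[float, float]   # (along-track x, cross-track y); the planned track is y == 0

def honest_gps(true_pos: Fix, t: int) -> Fix:
    """Receiver tracking the genuine satellites: the fix is the true position."""
    return true_pos

def make_spoofer(accel: float) -> Callable[[Fix, int], Fix]:
    """Receiver captured by a counterfeit signal. The reported fix is shifted a little
    more each step, so the chart never shows a jump, only a slow drift to starboard
    (negative y) that the autopilot will 'correct' by steering the real hull to port."""
    def spoofed_gps(true_pos: Fix, t: int) -> Fix:
        x, y = true_pos
        return (x, y - accel * t * t)
    return spoofed_gps

def autopilot_heading(fix: Fix) -> float:
    """Track-keeping autopilot that trusts the GPS fix alone: steer against the
    reported cross-track error, within the rudder limit."""
    _, y = fix
    return max(-MAX_RUDDER, min(MAX_RUDDER, -GAIN * y))

@dataclass
class VoyageLog:
    true_track: List[Fix] = field(default_factory=list)   # where the hull actually went
    gps_track: List[Fix] = field(default_factory=list)    # what the chart display showed
    headings: List[float] = field(default_factory=list)   # gyrocompass heading each step

def sail(gps: Callable[[Fix, int], Fix], steps: int = STEPS) -> VoyageLog:
    """Run the closed loop: read the fix, let the autopilot pick a heading, move the hull."""
    log = VoyageLog()
    true_pos: Fix = (0.0, 0.0)
    for t in range(steps):
        fix = gps(true_pos, t)
        heading = autopilot_heading(fix)
        log.true_track.append(true_pos)
        log.gps_track.append(fix)
        log.headings.append(heading)
        true_pos = (true_pos[0] + SPEED * math.cos(heading),
                    true_pos[1] + SPEED * math.sin(heading))
    return log

def chart_deviation(log: VoyageLog) -> float:
    """Largest cross-track error the crew could have seen on the GPS chart."""
    return max(abs(y) for _, y in log.gps_track)

def wake_deviation(log: VoyageLog) -> float:
    """Largest cross-track error of the hull itself (what the wake shows)."""
    return max(abs(y) for _, y in log.true_track)

def detect_spoofing(log: VoyageLog, tolerance: float = DR_TOLERANCE) -> Optional[int]:
    """Cross-check GPS against dead reckoning from the gyrocompass and speed log, neither
    of which a GPS spoofer can alter. Returns the first step at which the two positions
    differ by more than `tolerance` metres, or None if they agree throughout.
    Assumes the first fix was taken before the spoofer took over."""
    dr = log.gps_track[0]
    for t in range(1, len(log.gps_track)):
        h = log.headings[t - 1]
        dr = (dr[0] + SPEED * math.cos(h), dr[1] + SPEED * math.sin(h))
        gx, gy = log.gps_track[t]
        if math.hypot(gx - dr[0], gy - dr[1]) > tolerance:
            return t
    return None

if __name__ == "__main__":
    for name, receiver in (("honest", honest_gps), ("spoofed", make_spoofer(SPOOF_ACCEL))):
        log = sail(receiver)
        print(f"{name:8s} chart off-track {chart_deviation(log):6.1f} m, "
              f"wake off-track {wake_deviation(log):6.1f} m, "
              f"dead-reckoning alarm at step {detect_spoofing(log)}")
```

With the honest receiver the dead-reckoned and GPS positions coincide and no alarm is raised. Under the spoofer the chart (the GPS track) stays within a few metres of the planned line while the hull ends the run well over a hundred metres off it, which is the straight line on the display and curved wake that Humphreys describes, and the dead-reckoning residual crosses the tolerance partway through the voyage. A real implementation has to allow for compass and log error, so the tolerance would be set from measured drift rather than a fixed number, and a spoofer that captured the receiver before the first fix would also have to be caught by other means, such as monitoring received signal power.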
Apple opens support centre for iPad, iPhone and Macbook spam victims
Apple has launched a new reporting service for users to report spam and phishing text messages on its iMessage service, following attacks targeting the platform.
The company called for spam victims to contact Apple support staff via a new imessage.spam@icloud.com email address with a message including a screenshot of the spam, the email address or phone number of the spammer and the date and time the spam was received.
The release follows reports criminals had hit iOS developers with denial of service attacks using iMessage. The move is the latest by Apple to secure its mobile iOS 7 operating system against spam.
Prior to this the company granted users the ability to block contacts in the Messages, Phone and FaceTime apps, but this does not extend to users running devices with previous versions of iOS.
The service's launch follows widespread reports within the security community that spam levels are growing. The growth is taken as troubling as many criminal groups use spam messages as an infection tool in their phishing campaigns, loading them with malicious web links or attachments, which when clicked infect the device with malware.
Traditionally Windows PCs have been spammers' main targets, though since the arrival of smart devices, such as tablets and smartphones, criminals have begun to expand their operations.
Android is currently believed to be the main mobile target, with Finnish security firm F-Secure reporting detecting a 50 percent boom in malware families that have been targeting the ecosystem in its Q1 2013 Threat Report.
Hackers hijacking Twitter, Facebook and Google+ accounts with Chrome and Firefox add-ons
Trend Micro threat response engineer, Don Ladores reported uncovering the scam, claiming that crooks are using a variety of techniques to dupe unwary web users into downloading the bogus account hijacking extensions.
"To install these fake extensions, users would see various lures on social media sites to try to get users to install a fake video player update. In reality this player update is a malicious file detected as TROJ_FEBUSER.AA, [and it] installs a browser plugin depending on the browser currently being used," he explained.
"Once installed, it connects to a malicious URL to download a configuration file. It uses the details on that configuration file to hijack the user's social media accounts."
Ladores said the crooks use the accounts to like pages, share posts, join and invite friends to groups, chat with the users' friends and post comments. He said the end goal of these actions is to spread malware.
The Trend researcher said the attack is doubly dangerous as the extensions it uses hold digital signatures, meaning at first glance they look entirely legitimate. "One more thing to note: the fake video player update is digitally signed.
Digital signatures are a way for developers and publishers to prove that a file did come from them and has not been modified. Potential victims may take this to mean that the file is legitimate and harmless," he wrote.
"It is not yet clear if this signature was fraudulently issued, or a valid organisation had their signing key compromised and used for this type of purpose."
Ladores said numerous security products already block the extensions used in the scam, but warned Chrome and Firefox users to be extra vigilant when prompted to download a new extension.
The scam is one of many detected using advanced detection-dodging techniques. Trend Micro researchers also detected an advanced campaign using header spoofing techniques to hide their activities.
Australian defence agency brushes off Lenovo PC ban
An investigation by the Australian Financial Review (AFR) found that the alleged ban had been enforced at some point in the mid-2000s following "intensive tests", which found "back-door hardware and firmware vulnerabilities".
The report cited security sources saying that tests carried out by UK security labs found "malicious modifications" to Lenovo's chips that could "allow people to remotely access devices without the users' knowledge".
However, the AFR also maintained that the company is still a significant supplier of computers for western governments' "unclassified" networks.
The Home Office told V3 that it was unable to comment on security issues and would neither confirm nor deny a ban on Lenovo products.
A Lenovo statement said that the firm had not been aware of any ban on its products: "Lenovo continues to have a strong relationship with government customers, so the claims being made are new to us. We are looking into this situation closely and we'll be sure to share updates when available."
The AFR cited an Australian source saying that Lenovo – which bought out IBM's PC business in 2005 – had never sought accreditation to supply Australian defence and intelligence services.
The report was the latest in a series of security controversies for Chinese hardware manufacturers, with Huawei recently criticised for "locking out" GCHQ security personnel from its Cyber Security Evaluation Centre, which was set up to address concerns over its supplying of hardware for BT networks.
Mozilla teams up with BlackBerry to fight browser bugs
Mozilla has teamed up with BlackBerry to develop Peach, an application that will allow researchers to better spot security vulnerabilities in web browsers.
The open-source browser firm and the mobile specialist said that the tool would provide an open framework that security researchers could use to perform “fuzzing” techniques. Such practices are often used to seek out the memory errors that attackers could exploit for attacks such as denial of service and remote code execution.
“BlackBerry has long relied on large-scale automated testing to identify security issues across its platform. The collaboration with Mozilla plugs directly into BlackBerry’s existing security processes and infrastructure,” wrote Michael Coates, Mozilla's director of security assurance.
“BlackBerry regularly uses third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research, in order to identify and address potential security concerns across its portfolio of products and services.”
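A minimal mutation fuzzer of the kind the passage describes, as an added example that is not Peach and not Mozilla's or BlackBerry's code. It mutates a valid seed record (bit flips, small arithmetic changes, truncation, byte insertion) and feeds each case to a parser of a constructed record format with a two-byte header. The parser carries a deliberate bounds-check bug; an IndexError here stands in for the out-of-bounds read a C parser would perform at the same point. The corrected parser is run under the same fuzzer for comparison. The format, seed, mutation set, random seed and iteration budget are all assumptions.

```python
import random
from typing import Callable, Optional, Tuple

# Constructed record format for this example: [type:1 byte][length:1 byte][payload]
SEED = b"\x01\x04ABCD"   # one valid record: type 1, 4-byte payload

Parser = Callable[[bytes], Tuple[int, bytes]]

def parse_record_buggy(data: bytes) -> Tuple[int, bytes]:
    """Parser with a deliberate bounds-check bug of the kind fuzzers find."""
    if len(data) < 2:
        raise ValueError("record too short")       # graceful rejection, not a bug
    rtype, length = data[0], data[1]
    if length > len(data):                         # BUG: forgets the 2-byte header
        raise ValueError("length exceeds buffer")
    if length:
        _ = data[2 + length - 1]                   # last payload byte; past the end when
                                                   # length is too big (in C: an OOB read)
    return rtype, bytes(data[2:2 + length])

def parse_record_fixed(data: bytes) -> Tuple[int, bytes]:
    """Same parser with the bound corrected for the header."""
    if len(data) < 2:
        raise ValueError("record too short")
    rtype, length = data[0], data[1]
    if length > len(data) - 2:                     # FIX: payload must fit after the header
        raise ValueError("length exceeds buffer")
    if length:
        _ = data[2 + length - 1]
    return rtype, bytes(data[2:2 + length])

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: bit flip, small arithmetic change, truncation
    or byte insertion, the basic moves of a mutation-based fuzzer."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        i = rng.randrange(len(buf))
        buf[i] = (buf[i] + rng.choice((-3, -2, -1, 1, 2, 3))) & 0xFF
    elif op == 2:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target: Parser, seed: bytes, iterations: int = 2000,
         rng_seed: int = 1234) -> Optional[Tuple[int, bytes, Exception]]:
    """Feed mutated inputs to `target`. A ValueError is the parser rejecting bad input
    as designed; any other exception is the Python analogue of a crash and is reported
    with the iteration number and the input that caused it."""
    rng = random.Random(rng_seed)
    for n in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            return n, case, exc
    return None

if __name__ == "__main__":
    for name, parser in (("buggy", parse_record_buggy), ("fixed", parse_record_fixed)):
        found = fuzz(parser, SEED)
        if found is None:
            print(f"{name}: no crash in 2000 cases")
        else:
            n, case, exc = found
            print(f"{name}: crash after {n} cases on {case!r}: {type(exc).__name__}: {exc}")
```

The buggy parser fails within a handful of cases, on a truncated record or on a length byte nudged past the end of the payload; the fixed parser survives the whole budget. Browser fuzzing differs from this in scale rather than kind: structure-aware generators rather than byte mutation, sanitizers to turn silent memory errors into crashes, and crash deduplication and test-case minimisation, which is the plumbing a framework exists to supply.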
Coates said that Mozilla would also be releasing an additional security testing tool known as Minion. The tool will look to streamline and reduce the time needed to test applications by automating the reporting process and limiting the amount of data that is returned to researchers. The company hopes that the tool will make the security research process more efficient.
“The Minion testing platform takes a different approach to automated web security testing by focusing on correct and actionable results that don’t require a security professional to validate,” explained Coates.
“Many security tools generate excessive amounts of data, including incorrectly identified issues that require many hours of specialised research by a security professional.”
Microsoft Windows 8.1 Enterprise Preview update brings BYOD and security tools
The update includes features relating to areas of mobility, security, management and virtualisation, Microsoft said, to try and further appeal to the needs of businesses.
Erwin Visser, senior director within the Windows Division, wrote in a blog post that the update has several notable features, such as Windows To Go Creator, which allows Windows 8.1 to be run from a bootable external USB drive.
“The drive can be used to support Bring Your Own Device scenarios or be given to contingent staff to access the corporate environment without compromising security,” he said.
Start Screen Control gives IT teams the ability to control the layout of the Start screen on devices so that key apps are located prominently.
The DirectAccess capability allows users to “access resources inside a corporate network remotely without having to launch a separate VPN”, while AppLocker allows IT to “create a secure environment by restricting the files and apps that users or groups can run on a PC”, Visser wrote.
The wide-ranging updates follow on from several changes already outlined at the Tech Ed event in the US in June, such as Assigned Access and Inbox VPN Clients.
The firm also confirmed the lifecycle of Windows 8.1 will remain under the same lifecycle policy as Windows 8, meaning that support ends on 1 October 2023.
Microsoft will be hoping that the addition of yet more corporate controls entices firms to try the platform, as uptake of the new operating system remains low. Microsoft revealed its first full numbers for its Surface devices this week, which showed it spent more on advertising the devices than sales brought in.
With troops and techies, U.S. prepares for cyber warfare
On the site of a former military golf course where President Dwight Eisenhower once played, the future of U.S. warfare is rising in the shape of the new $358 million headquarters for the military's Cyber Command.
The command, based at Fort Meade, Maryland, about 25 miles north of Washington, is rushing to add between 3,000 and 4,000 new cyber warriors under its wing by late 2015, more than quadrupling its size.
Most of Cyber Command's new troops will focus on defense, detecting and stopping computer penetrations of military and other critical networks by America's adversaries like China, Iran or North Korea.
But there is an increasing focus on offense as military commanders beef up plans to execute cyber strikes or switch to attack mode if the nation comes under electronic assault.
"We're going to train them to the highest standard we can," Army General Keith Alexander, head of Cyber Command, told the Reuters Cybersecurity Summit last month. "And not just on defense, but on both sides. You've got to have that."
Officials and experts have warned for years that U.S. computer networks are falling prey to espionage, intellectual property theft and disruption from nations such as China and Russia, as well as hackers and criminal groups. President Barack Obama will bring up allegations of Chinese hacking when he meets President Xi Jinping at a summit in California beginning on Friday - charges that Beijing has denied.
The Pentagon has accused China of using cyber espionage to modernize its military and a recent report said Chinese hackers had gained access to the designs of more than two dozen major U.S. weapons systems in recent years. Earlier this year, U.S. computer security company Mandiant said a secretive Chinese military unit was probably behind a series of hacking attacks that had stolen data from 100 U.S. companies.
There is a growing fear that cyber threats will escalate from mainly espionage and disruptive activities to far more catastrophic attacks that destroy or severely degrade military systems, power grids, financial networks and air travel.
Now, the United States is redoubling its preparations to strike back if attacked, and is making cyber warfare an integral part of future military campaigns.
Experts and former officials say the United States is among the best - if not the best - in the world at penetrating adversaries' computer networks and, if necessary, inserting viruses or other digital weapons.
Washington might say it will only strike back if attacked, but other countries disagree, pointing to the "Stuxnet" virus. Developed jointly by the U.S. government and Israel, current and former U.S. officials told Reuters last year, Stuxnet was highly sophisticated and damaged nuclear enrichment centrifuges at Iran's Natanz facility.
NEW RULES OF ENGAGEMENT
U.S. government officials frequently discuss America's cyber vulnerabilities in public. By contrast, details about U.S. offensive cyberwarfare capabilities and operations are almost all classified.
Possible U.S. offensive cyber attacks could range from invading other nations' command and control networks to disrupting military communications or air defenses - or even putting up decoy radar screens on an enemy's computers to prevent U.S. aircraft from being detected in its airspace.
The shift toward a greater reliance on offense is an important one for a nation which has mostly been cautious about wading into the uncertain arena of cyberwar - in part because gaps in U.S. cybersecurity make it vulnerable to retaliation.
But former Homeland Security Secretary Michael Chertoff said the United States must be ready and should articulate - soon - what level of cyber aggression would be seen as an act of war, bringing a U.S. response.
"One of the things the military learned, going back to 9/11, is whether you have a doctrine or not, if something really bad happens you're going to be ordered to do something," he told the Reuters summit. "So you better have the capability and the plan to execute."
Reuters has learned that new Pentagon rules of engagement, detailing what actions military commanders can take to defend against cyber attacks, have been finalized after a year of "hard core" debate. The classified rules await Defense Secretary Chuck Hagel's signature, a senior defense official said.
The official would not give details of the rules but said, "they will cover who has the authority to do specific actions if the nation is attacked."
'A FRAGILE CAPABILITY'
At Cyber Command, military officers in crisp uniforms mix with technical experts in T-shirts as the armed forces takes up the challenge of how to fend off cyber penetrations from individuals or rival countries.
Even as overall U.S. defense spending gets chopped in President Barack Obama's proposed 2014 budget, cyber spending would grow by $800 million, to $4.7 billion, while overall Pentagon spending is cut by $3.9 billion.
Until its new headquarters is ready, Cyber Command shares a home with the U.S. National Security Agency (NSA), which for 60 years has used technological wizardry to crack foreign codes and eavesdrop on adversaries while blocking others from doing the same to the United States. Alexander heads both agencies.
"The greatest concentration of cyber power in this planet is at the intersection of the Baltimore-Washington Parkway and Maryland Route 32," said retired General Michael Hayden, a former CIA and NSA director, referring to NSA's Fort Meade location.
But NSA's role in helping protect civilian, government and private networks has been controversial - and is likely to come under greater scrutiny with this week's revelation that it has been collecting telephone records of millions of Verizon Communications customers under a secret court order.
The command, based at Fort Meade, Maryland, about 25 miles north of Washington, is rushing to add between 3,000 and 4,000 new cyber warriors under its wing by late 2015, more than quadrupling its size.
Most of Cyber Command's new troops will focus on defense, detecting and stopping computer penetrations of military and other critical networks by America's adversaries like China, Iran or North Korea.
But there is an increasing focus on offense as military commanders beef up plans to execute cyber strikes or switch to attack mode if the nation comes under electronic assault.
"We're going to train them to the highest standard we can," Army General Keith Alexander, head of Cyber Command, told the Reuters Cybersecurity Summit last month. "And not just on defense, but on both sides. You've got to have that."
Officials and experts have warned for years that U.S. computer networks are falling prey to espionage, intellectual property theft and disruption from nations such as China and Russia, as well as hackers and criminal groups. President Barack Obama will bring up allegations of Chinese hacking when he meets President Xi Jinping at a summit in California beginning on Friday - charges that Beijing has denied.
The Pentagon has accused China of using cyber espionage to modernize its military and a recent report said Chinese hackers had gained access to the designs of more than two dozen major U.S. weapons systems in recent years. Earlier this year, U.S. computer security company Mandiant said a secretive Chinese military unit was probably behind a series of hacking attacks that had stolen data from 100 U.S. companies.
There is a growing fear that cyber threats will escalate from mainly espionage and disruptive activities to far more catastrophic attacks that destroy or severely degrade military systems, power grids, financial networks and air travel.
Now, the United States is redoubling its preparations to strike back if attacked, and is making cyber warfare an integral part of future military campaigns.
Experts and former officials say the United States is among the best - if not the best - in the world at penetrating adversaries' computer networks and, if necessary, inserting viruses or other digital weapons.
Washington might say it will only strike back if attacked, but other countries disagree, pointing to the "Stuxnet" virus. Developed jointly by the U.S. government and Israel, current and former U.S. officials told Reuters last year, Stuxnet was highly sophisticated and damaged nuclear enrichment centrifuges at Iran's Natanz facility.
NEW RULES OF ENGAGEMENT
U.S. government officials frequently discuss America's cyber vulnerabilities in public. By contrast, details about U.S. offensive cyberwarfare capabilities and operations are almost all classified.
Possible U.S. offensive cyber attacks could range from invading other nations' command and control networks to disrupting military communications or air defenses - or even putting up decoy radar screens on an enemy's computers to prevent U.S. aircraft from being detected in its airspace.
The shift toward a greater reliance on offense is an important one for a nation which has mostly been cautious about wading into the uncertain arena of cyberwar - in part because gaps in U.S. cybersecurity make it vulnerable to retaliation.
But former Homeland Security Secretary Michael Chertoff said the United States must be ready and should articulate - soon - what level of cyber aggression would be seen as an act of war, bringing a U.S. response.
"One of the things the military learned, going back to 9/11, is whether you have a doctrine or not, if something really bad happens you're going to be ordered to do something," he told the Reuters summit. "So you better have the capability and the plan to execute."
Reuters has learned that new Pentagon rules of engagement, detailing what actions military commanders can take to defend against cyber attacks, have been finalized after a year of "hard core" debate. The classified rules await Defense Secretary Chuck Hagel's signature, a senior defense official said.
The official would not give details of the rules but said, "they will cover who has the authority to do specific actions if the nation is attacked."
'A FRAGILE CAPABILITY'
At Cyber Command, military officers in crisp uniforms mix with technical experts in T-shirts as the armed forces take up the challenge of how to fend off cyber penetrations from individuals or rival countries.
Even as overall U.S. defense spending gets chopped in President Barack Obama's proposed 2014 budget, cyber spending would grow by $800 million, to $4.7 billion while overall Pentagon spending is cut by $3.9 billion.
Until its new headquarters is ready, Cyber Command shares a home with the U.S. National Security Agency (NSA), which for 60 years has used technological wizardry to crack foreign codes and eavesdrop on adversaries while blocking others from doing the same to the United States. Alexander heads both agencies.
"The greatest concentration of cyber power in this planet is at the intersection of the Baltimore-Washington Parkway and Maryland Route 32," said retired General Michael Hayden, a former CIA and NSA director, referring to NSA's Fort Meade location.
But NSA's role in helping protect civilian, government and private networks has been controversial - and is likely to come under greater scrutiny with this week's revelation that it has been collecting telephone records of millions of Verizon Communications customers under a secret court order.
A January report by the Pentagon's Defense Science Board gave a general picture of how the United States might exploit and then attack an adversary's computer systems.
In some cases, U.S. intelligence might already have gained access for spying, the report said. From there, Cyber Command "may desire to develop an order of battle plan against that target" and would require deeper access, "down to the terminal or device level in order to support attack plans," it said.
Because gaining access to an enemy's computers for sustained periods without detection is not easy, "offensive cyber will always be a fragile capability," it said.
In cyberspace, reconnaissance of foreign networks is "almost always harder than the attack" itself because the challenging part is finding a way into a network and staying undetected, said Hayden, now with the Chertoff Group consulting firm.
PURPLE HAIR AND JEANS
Cyber Command's new Joint Operations Center, due to be complete in 2018, will pull disparate units together and house 650 personnel, officials said. Air Force, Army, Navy and Marine Corps components will be nearby and, a former U.S. intelligence official said, the complex will have power and cooling to handle its massive computing needs.
Those who have worked at Cyber Command say the atmosphere is a mixture of intensity and geek-style creativity. Military precision is present, but it is not unusual to see young civilian computer whiz kids with purple hair, a tie-dyed shirt and blue jeans.
"It's made to be a fun environment for them. These are people who are invested and want to serve their nation. But there is some military rigor and structure around all that - like a wrapper," said Doug Steelman, who was director of Network Defense at Cyber Command until 2011 and is now Chief Information Security Officer at Dell SecureWorks.
Cyber Command's growth and expanding mission come with serious challenges and questions.
For example, how to prevent U.S. military action in cyberspace from also damaging civilian facilities in the target country, such as a hospital that shares an electric grid or computer network with a military base?
And some doubt that the military can train many cyber warriors quickly enough. Alexander has identified that as his biggest challenge.
The former intelligence official said Cyber Command's new teams won't be fully ready until at least 2016 due to military bureaucracy and because it takes time to pull together people with the special skills needed.
"To be a good cyber warrior, you have to be thinking, ‘How is the attacker discovering what I'm doing? How are they working around it?' ... Cyber security really is a cat and mouse game," said Raphael Mudge, a private cybersecurity expert and Air Force reservist. "That kind of thinking can't be taught. It has to be nurtured. There are too few who can do that."
Would-be cyber warriors go through extensive training, which can take years. A recruit with proven aptitude will be sent to courses such as the Navy-led Joint Cyber Analysis Course (JCAC) in Pensacola, Florida, a six-month intensive training program.
The top 10 percent of JCAC's students will be selected for advanced cyber operations training, said Greg Dixon, a vice president at private KEYW Corp, which conducts intensive training classes.
The company can train a JCAC graduate to become an analyst in five weeks, but it takes 20 weeks to become a cyber operator. Dixon would not divulge what an operator would be capable of doing after graduation, but said it would be "a lot."
"They're going to pick the cream of the crop for the 'full spectrum cyber missions'," the former U.S. intelligence official said, using a euphemism for cyber offense.
Before a future cyber warrior can begin advanced training, he or she has to pass through the arduous security clearance process, which can take six to nine months for personnel who are not already cleared.
Troops earmarked for cyber warfare have found themselves washing floors, mowing lawns and painting at military installations as they bide time waiting for a clearance.
There is the concern about retaliation for a U.S. cyber attack. Some analysts say Iran increased its cyber capabilities after being infected with Stuxnet, which was revealed in 2010.
"The old saying, he who lives in a glass house should be careful of throwing stones ... but if the stone that you threw at someone, when you live in a glass house, is a stone that in some way they could pick back up and throw back at you, that's an even dumber idea," the defense official said. "We definitely think about that as one aspect of considering action."
Snowden’s father: I’m absolutely thankful for what he did
The father of American whistleblower Edward Snowden says he is “thankful” for what his son did: revealing the US government’s spying programs.
“As a father, it pains me what he did,” Lon Snowden said in an interview with The Washington Post. “But as an American citizen, I am absolutely thankful for what he did.’’
His interview comes after the FBI’s effort to send him to Russia to persuade his son to return home collapsed.
The FBI was trying to send Lon Snowden to Moscow where the leaker of the surveillance programs has been holed up, but the bureau failed in its effort after agents could not establish a way for the father and the son to communicate.
Lon Snowden, according to the newspaper, condemned the Obama administration and Congress for labeling his son a traitor. He said he prefers that Edward stay in Russia.
The elder Snowden said he did not know about his son’s decision to leak top-secret intelligence documents.
“We had no idea what was coming,’’ he said, noting that his son was “troubled” by the 2010 suicide of a Tunisian street vendor that helped trigger the Islamic awakening protests in Arab countries.
“It was the idea that a man who simply wanted to make a living, who sold fruits and vegetables to support himself and his family, felt so suppressed and humiliated by his government that he would set himself on fire,” Lon Snowden said, as quoted by the Post.
Edward Snowden, who has been charged in the US with espionage and theft of government property, revealed his identity last month as the principal source behind articles in the Post and the British newspaper The Guardian about the US National Security Agency’s spying programs.
Snowden, 30, revealed that the NSA collects the telephone records of Americans from US telecommunications companies and the online communications of foreign targets from Internet companies.
Snowden’s father said his son “is comfortable with who he is.” “Yes, I am certain. I know my son. He knows he has done the right thing.”
NASA cloud computing use blasted for security and management failings
The report from NASA's Office of Inspector General (OIG) stated that Nasa's cloud services "failed to meet key IT security requirements". It went on to say that of five Nasa contracts for acquiring cloud services, "none came close to meeting recommended best practices for ensuring data security."
Nasa currently spends $1.5bn annually on IT services, only $10m of which is based in the cloud. However, the agency itself predicts that 75 percent of its future IT programmes will be in the cloud, making the findings of the Office of the Inspector General even more of a cause for concern.
The report went on, listing numerous problems with the way in which the agency failed to meet federal IT security requirements. "We found that the cloud service used to deliver internet content for more than 100 NASA internal and public-facing websites had been operating for more than two years without written authorisation or system security or contingency plans," it said.
The audit also found that required annual tests of security controls had not been performed, which it said "could result in a serious disruption to Nasa operations".
Nasa chief information officer Larry Sweet joined the agency in June and seemingly has a mountain to climb to reorder his department's operations, with many decisions apparently made while his predecessor was completely in the dark. "Several Nasa Centers moved Agency systems and data into public clouds without the knowledge or consent of the Agency's Office of the Chief Information Officer," the report said.
The report noted that Sweet agreed with the findings and, subject to the availability of funds, will work "to improve Nasa's IT governance and risk-management practices".
Nasa has long been a supporter of cloud computing projects, lending its backing to the OpenStack open-source cloud project in 2010.
Mozilla teams up with BlackBerry on security research tools
Mozilla has teamed up with BlackBerry to develop a tool which will allow researchers to better spot security vulnerabilities in web browsers.
The companies said that the tool would provide an open framework which security researchers could use to perform “fuzzing”: feeding a program large volumes of malformed or randomly mutated input and watching for crashes. Fuzzing is commonly used to find the memory errors that attackers could exploit for denial of service or remote code execution.
By combining their efforts, the open-source browser firm and the mobile specialist hope to create a new set of open source security research tools which can be used to root out and report possible flaws in web browsers.
“BlackBerry has long relied on large-scale automated testing to identify security issues across its platform. The collaboration with Mozilla plugs directly into BlackBerry’s existing security processes and infrastructure,” wrote Michael Coates, Mozilla director of security assurance.
“BlackBerry regularly uses third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research, in order to identify and address potential security concerns across its portfolio of products and services.”
Coates said that Mozilla would also be releasing an additional security testing tool known as Minion. The tool aims to streamline and reduce the time needed to test applications by automating the testing and reporting process and limiting the amount of noise returned to researchers. The company hopes that the tool will make the security research process more efficient.
“The Minion testing platform takes a different approach to automated web security testing by focusing on correct and actionable results that don’t require a security professional to validate,” explained Coates.
“Many security tools generate excessive amounts of data, including incorrectly identified issues that require many hours of specialized research by a security professional.”
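The two ideas in the article, mutation fuzzing and reporting only deduplicated, reproducible findings, fit in a few dozen lines. The following is an added example written for this page; it is not Mozilla's or BlackBerry's framework and not Minion. The target `parse_record` is a constructed toy parser for a made-up length-prefixed format with a deliberate missing bounds check, standing in for the browser code a real fuzzer would exercise; Python exceptions play the role of the crashes a native fuzzer would catch.

```python
"""Minimal mutation fuzzer with crash bucketing and reproduction check.

Added example, not code from Mozilla, BlackBerry or Minion. The target and
the input format are constructed for illustration.
"""
import random
import traceback


def parse_record(data: bytes) -> dict:
    """Constructed target: parses [name_len][name][value_len][value]...

    Deliberate bug: the declared name length is trusted, so a large
    name_len pushes the cursor past the end and data[i] raises IndexError.
    Non-ASCII names raise UnicodeDecodeError, a second, distinct crash class.
    """
    fields = {}
    i = 0
    while i < len(data):
        name_len = data[i]
        name = data[i + 1:i + 1 + name_len].decode("ascii")
        i += 1 + name_len
        value_len = data[i]            # no bounds check here (the bug)
        value = data[i + 1:i + 1 + value_len]
        i += 1 + value_len
        fields[name] = value
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations: overwrite, delete, insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(3)
        if choice == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 1 and buf:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crash_signature(exc: BaseException) -> str:
    """Bucket key: exception type plus the innermost function and line.

    Many mutated inputs hit the same bug; grouping by signature is what
    keeps the report down to one entry per distinct crash site.
    """
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"


def reproduces(target, data: bytes, signature: str) -> bool:
    """Re-run a saved input and confirm it crashes with the same signature.

    A finding that does not reproduce is noise, not a result worth reporting.
    """
    try:
        target(data)
    except Exception as exc:  # noqa: BLE001 - any crash is of interest here
        return crash_signature(exc) == signature
    return False


def fuzz(target, seeds, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutate seeds, run the target, keep the smallest input per crash bucket."""
    rng = random.Random(seed)
    buckets: dict[str, bytes] = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except Exception as exc:  # noqa: BLE001
            sig = crash_signature(exc)
            if sig not in buckets or len(data) < len(buckets[sig]):
                buckets[sig] = data
    # Only report buckets whose input reproduces the crash.
    return {s: d for s, d in buckets.items() if reproduces(target, d, s)}


# Constructed seed corpus: two well-formed records.
SEEDS = [b"\x04name\x05value", b"\x01a\x00"]

if __name__ == "__main__":
    for sig, data in fuzz(parse_record, SEEDS).items():
        print(f"{sig}  input={data!r}")
```

Running it prints one line per distinct crash site rather than one per crashing input, which is the difference between a raw fuzzer log and the kind of actionable report the article describes. Real fuzzers key buckets on a hash of the top few stack frames rather than a single line, and add input minimisation before reporting; the structure is the same.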