Category Archives: Cyber Issues

Can a bunch of hackers really take on ISIS?

writes: For John Chase, the breaking point came on Jan. 7, when al Qaeda-linked militants gunned down 12 people at the Paris office of Charlie Hebdo. Subsequent attacks by a gunman affiliated with the Islamic State would take five more lives. Watching triumphant jihadi messages bounce across Twitter, the 25-year-old Boston native was incensed. They needed to be stopped.

Although Chase’s formal education ended with high school, computers were second nature to him. He had begun fiddling with code at the age of 7 and freelanced as a web designer and social media strategist. He now turned these skills to fighting the Islamic State, also known as ISIS. Centralizing other hacktivists’ efforts, he compiled a database of 26,000 Islamic State-linked Twitter accounts. He helped build a website to host the list in public view and took steps to immunize it against hacking counterattacks by Islamic State sympathizers. He even assumed an appropriately hacker-sounding nom de guerre, “XRSone,” and engaged any reporter who would listen. In doing so, Chase briefly became an unofficial spokesman for #OpISIS — and part of one of the strangest conflicts of the 21st century.

For more than a year, a ragtag collection of casual volunteers, seasoned coders, and professional trolls has waged an online war against the Islamic State and its virtual supporters. Many in this anti-Islamic State army identify with the infamous hacking collective Anonymous. They are based around the world and hail from every walk of life. They have virtually nothing in common except a passion for computers and a feeling that, with its torrent of viral-engineered propaganda and concerted online recruiting, the Islamic State has trespassed in their domain. The hacktivists have vowed to fight back.

The effort has ebbed and flowed, but the past nine months have seen a significant increase in both the frequency and visibility of online attacks against the Islamic State. To date, hacktivists claim to have dismantled some 149 Islamic State-linked websites and flagged roughly 101,000 Twitter accounts and 5,900 propaganda videos. At the same time, this casual association of volunteers has morphed into a new sort of organization, postured to combat the Islamic State in both the Twitter “town square” and the bowels of the deep web.

Chase, who has since shifted his focus to other pursuits, boasts a story typical of those volunteers who work to track and counteract the Islamic State’s online propaganda apparatus. Few of these hacktivists are hood-wearing, network-cracking, Internet savants. Instead, they are part-time hobbyists, possessed of a strong sense of justice and a disdain for fundamentalists of all stripes. Many, but not all, are young people — some are more seasoned, former military or security specialists pursuing a second calling. The oldest is 50. These hacktivists speak of a desire to “do something” in the fight against the Islamic State, even if that “something” may sometimes just amount to running suspicious Twitter accounts through Google Translate.

This is something new. Anonymous arose from the primordial, and often profane, underground web forums to cause mischief, not to take sides in real wars. The group gained notoriety for its random, militantly apolitical, increasingly organized hacking attacks during the mid-2000s. Its first “political” operation was an Internet crusade against the Church of Scientology following its suppression of a really embarrassing Tom Cruise video.

In time, however, Anonymous operations became less about laughs and more about causes, fighting the establishment and guaranteeing a free and open Internet. [Continue reading…]


Our web history reveals what we think and do. Shouldn’t that remain private?

By Paul Bernal, University of East Anglia

An overlooked aspect of the draft Investigatory Powers Bill is the significance of demanding that service providers store 12 months’ internet connection records. A record of every website visited and internet service connected to, the government presents this as the online equivalent of an itemised phone bill. But this is a false analogy: internet connection records carry far more detail than a phone book, and the government’s move to claim them represents an unprecedented intrusion into our lives.

Supporters of the bill suggest that this data provides a way of checking that someone accessed Facebook at a particular time, just as phone records can reveal that a user called a particular number at a certain time. But while this is true, it misunderstands the role the internet has in our lives, and consequently underplays how much it can reveal.

The phone is a communications tool, but we have complex online lives and use the internet for many things other than “communication”. We do almost everything online: we bank online, we shop, find relationships, listen to music, watch television and films, plan our holidays, read about and indulge our interests.

Access to the websites we visit, for an entire year, is not at all comparable to having an itemised telephone bill. It’s more equivalent to tailing someone as they visit the shops, the pub, the cinema, listen to the radio, go to the park and on holiday, read books and magazines and newspapers, and much more.

It’s not just the data that’s revealing, it’s the sort of direct, logical inferences that can be made given a web browsing history. For example, from the fact that someone visits sites connected with a particular religion, one can infer that they follow that religion. If they visit sites regarding a particular health condition, it’s possible to infer that they may suffer from that condition, or are worried about their health.

Continue reading


U.S. detects flurry of Iranian hacking

The Wall Street Journal reports: Iran’s powerful Revolutionary Guard military force hacked email and social-media accounts of Obama administration officials in recent weeks in attacks believed to be tied to the arrest in Tehran of an Iranian-American businessman, U.S. officials said.

The Islamic Revolutionary Guard Corps, or IRGC, has routinely conducted cyberwarfare against American government agencies for years. But the U.S. officials said there has been a surge in such attacks coinciding with the arrest last month of Siamak Namazi, an energy industry executive and business consultant who has pushed for stronger U.S.-Iranian economic and diplomatic ties.

Obama administration personnel are among a larger group of people who have had their computer systems hacked in recent weeks, including journalists and academics, the officials said. Those attacked in the administration included officials working at the State Department’s Office of Iranian Affairs and its Bureau of Near Eastern Affairs.

“U.S. officials were among many who were targeted by recent cyberattacks,” said an administration official, adding that the U.S. is still investigating possible links to the Namazi case. “U.S. officials believe some of the more recent attacks may be linked to reports of detained dual citizens and others.”

Friends and business associates of Mr. Namazi said the intelligence arm of the IRGC confiscated his computer after ransacking his family’s home in Tehran. [Continue reading…]


Putin’s mafia statecraft

Brian Whitmore writes: In the past couple years, Russian hackers have launched attacks on a French television network, a German steelmaker, the Polish stock market, the White House, the U.S. House of Representatives, the U.S. State Department, and The New York Times.

And according to press reports citing Western intelligence officials, the perpetrators weren’t rogue cyber-pranksters. They were working for the Kremlin.

Cybercrime, it appears, has become a tool of Russian statecraft. And not just cybercrime.

Vladimir Putin’s regime has become increasingly adept at deploying a whole range of practices that are more common among crime syndicates than permanent members of the UN Security Council.

In some cases, as with the hacking, this involves the Kremlin subcontracting organized crime groups to do things the Russian state cannot do itself with plausible deniability. And in others, it involves the state itself engaging in kidnapping, extortion, blackmail, bribery, and fraud to advance its agenda. [Continue reading…]


Everything you need to know about the vast network of undersea cables that makes the Internet global

The Washington Post reports: Russian submarines and spy ships are “aggressively operating” near the undersea cables that are the backbone of the global Internet — worrying some U.S. intelligence and military officials who fear the Russians may sabotage them if a conflict arises, the New York Times reports.

For all the talk about the “cloud,” practically all of the data shooting around the world actually relies on a series of tubes to get around — a massive system of fiber-optic cables lying deep underneath the oceans.

The network connects every continent other than Antarctica, carrying e-mails, photos, videos and emoji around the globe. Here’s what that looks like in the style of a vintage maritime map, courtesy of TeleGeography: [Continue reading…]


Unheeded cybersecurity threat leaves nuclear power stations open to attack

By Nasser Abouzakhar, University of Hertfordshire

There has been a rising number of security breaches at nuclear power plants over the past few years, according to a new Chatham House report which highlights how important systems at plants were not properly secured or isolated from the internet.

As critical infrastructure and facilities such as power plants become increasingly complex they are, directly or indirectly, linked to the internet. This opens up a channel through which malicious hackers can launch attacks – potentially with extremely serious consequences. For example, a poorly secured steel mill in Germany was seriously damaged after being hacked, causing substantial harm to blast furnaces after the computer controls failed to shut them down. The notorious malware, the Stuxnet worm, was specifically developed to target nuclear facilities.

The report also found that power plants rarely employ an “air gap” (where critical systems are entirely disconnected from networks) as the commercial and practical benefits of using the internet too often trump security.

In one case in 2003, an engineer at the Davis-Besse plant in Ohio used a virtual private network connection to access the plant from his home. While the connection was encrypted, his home computer was infected with the Slammer worm which infected the nuclear plant’s computers, causing a key safety control system to fail. A more serious incident in 2006 at the Browns Ferry plant in Alabama nearly led to a meltdown.

Continue reading


If you’re not paranoid, you’re crazy

Walter Kirn writes: I knew we’d bought walnuts at the store that week, and I wanted to add some to my oatmeal. I called to my wife and asked her where she’d put them. She was washing her face in the bathroom, running the faucet, and must not have heard me—she didn’t answer. I found the bag of nuts without her help and stirred a handful into my bowl. My phone was charging on the counter. Bored, I picked it up to check the app that wirelessly grabs data from the fitness band I’d started wearing a month earlier. I saw that I’d slept for almost eight hours the night before but had gotten a mere two hours of “deep sleep.” I saw that I’d reached exactly 30 percent of my day’s goal of 13,000 steps. And then I noticed a message in a small window reserved for miscellaneous health tips. “Walnuts,” it read. It told me to eat more walnuts.

It was probably a coincidence, a fluke. Still, it caused me to glance down at my wristband and then at my phone, a brand-new model with many unknown, untested capabilities. Had my phone picked up my words through its mic and somehow relayed them to my wristband, which then signaled the app?

The devices spoke to each other behind my back—I’d known they would when I “paired” them—but suddenly I was wary of their relationship. Who else did they talk to, and about what? And what happened to their conversations? Were they temporarily archived, promptly scrubbed, or forever incorporated into the “cloud,” that ghostly entity with the too-disarming name?

It was the winter of 2013, and these “walnut moments” had been multiplying—jarring little nudges from beyond that occurred whenever I went online. One night the previous summer, I’d driven to meet a friend at an art gallery in Hollywood, my first visit to a gallery in years. The next morning, in my inbox, several spam e-mails urged me to invest in art. That was an easy one to figure out: I’d typed the name of the gallery into Google Maps. Another simple one to trace was the stream of invitations to drug and alcohol rehab centers that I’d been getting ever since I’d consulted an online calendar of Los Angeles–area Alcoholics Anonymous meetings. Since membership in AA is supposed to be confidential, these e‑mails irked me. Their presumptuous, heart-to-heart tone bugged me too. Was I tired of my misery and hopelessness? Hadn’t I caused my loved ones enough pain? [Continue reading…]


AP sues over access to FBI records involving fake news story

The Associated Press reports: The Associated Press sued the U.S. Department of Justice Thursday over the FBI’s failure to provide public records related to the creation of a fake news story used to plant surveillance software on a suspect’s computer.

AP joined with the Reporters Committee for Freedom of the Press to file the lawsuit in U.S. District Court for the District of Columbia.

At issue is a 2014 Freedom of Information request seeking documents related to the FBI’s decision to send a web link to the fake article to a 15-year-old boy suspected of making bomb threats to a high school near Olympia, Washington. The link enabled the FBI to infect the suspect’s computer with software that revealed its location and Internet address.

AP strongly objected to the ruse, which was uncovered last year in documents obtained through a separate FOIA request made by the Electronic Frontier Foundation. [Continue reading…]


Two-factor authentication phishing from Iran

The Daily Beast reports: Iranian hackers have now found a way to get around Google’s two-step verification system and infiltrate GMail’s most elaborate consumer security system, according to a new report.

The Citizen Lab’s John Scott-Railton and Katie Kleemola outlined a few new ways that Iranian hackers can compromise the accounts of political dissidents, or even everyday citizens.

“Their targets are political, and include Iranian activists, and even a director at the Electronic Frontier Foundation,” said Scott-Railton in an email, referring to the digital rights organization. “In some cases they even pretend to be Reuters journalists calling to set up interviews.”

The report says attacks on political targets are new. But the methodology of the hack has been going on for years, especially as reliance on so-called “two-factor authentication” — using something in addition to a password to get into your account — has gone up. [Continue reading…]


War in space may be closer than ever

Scientific American reports: The world’s most worrisome military flashpoint is arguably not in the Strait of Taiwan, the Korean Peninsula, Iran, Israel, Kashmir or Ukraine. In fact, it cannot be located on any map of Earth, even though it is very easy to find. To see it, just look up into a clear sky, to the no-man’s-land of Earth orbit, where a conflict is unfolding that is an arms race in all but name.

The emptiness of outer space might be the last place you’d expect militaries to vie over contested territory, except that outer space isn’t so empty anymore. About 1,300 active satellites wreathe the globe in a crowded nest of orbits, providing worldwide communications, GPS navigation, weather forecasting and planetary surveillance. For militaries that rely on some of those satellites for modern warfare, space has become the ultimate high ground, with the U.S. as the undisputed king of the hill. Now, as China and Russia aggressively seek to challenge U.S. superiority in space with ambitious military space programs of their own, the power struggle risks sparking a conflict that could cripple the entire planet’s space-based infrastructure. And though it might begin in space, such a conflict could easily ignite full-blown war on Earth.

The long-simmering tensions are now approaching a boiling point due to several events, including recent and ongoing tests of possible anti-satellite weapons by China and Russia, as well as last month’s failure of tension-easing talks at the United Nations. [Continue reading…]


Cyber attack: How easy is it to take out a smart city?

New Scientist reports: When is a smart city not so smart? With cities worldwide racing to adopt technologies that automate services such as traffic control and street lighting, many aren’t doing enough to protect against cyberattacks.

That’s according to security researchers who have hacked into countless pieces of city infrastructure, from ATMs to power grids, looking for weaknesses.

One such researcher is Cesar Cerrudo of security consultancy IOActive Labs, based in Seattle. Inspired by how hackers switched traffic lights at will in Die Hard 4.0, Cerrudo decided to see if he could do the same to a smart traffic control system in use around the world. He found that the devices didn’t use any encryption or authentication, and he could feed fake data to their sensors from a drone flying overhead.

Cerrudo was so alarmed by his discovery that he joined with others to set up the Securing Smart Cities initiative, which plans to bring together governments, security firms and technology companies. [Continue reading…]


Why the fear over ubiquitous data encryption is overblown

Mike McConnell, former director of the National Security Agency and director of national intelligence, Michael Chertoff, former homeland security secretary, and William Lynn, former deputy defense secretary, write: More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation’s well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation.

In the wake of global controversy over government surveillance, a number of U.S. technology companies have developed and are offering their users what we call ubiquitous encryption — that is, end-to-end encryption of data with only the sender and intended recipient possessing decryption keys. With this technology, the plain text of messages is inaccessible to the companies offering the products or services as well as to the government, even with lawfully authorized access for public safety or law enforcement purposes.

The FBI director and the Justice Department have raised serious and legitimate concerns that ubiquitous encryption without a second decryption key in the hands of a third party would allow criminals to keep their communications secret, even when law enforcement officials have court-approved authorization to access those communications. There also are concerns about such encryption providing secure communications to national security intelligence targets such as terrorist organizations and nations operating counter to U.S. national security interests.

Several other nations are pursuing access to encrypted communications. In Britain, Parliament is considering requiring technology companies to build decryption capabilities for authorized government access into products and services offered in that country. The Chinese have proposed similar approaches to ensure that the government can monitor the content and activities of their citizens. Pakistan has recently blocked BlackBerry services, which provide ubiquitous encryption by default.

We recognize the importance our officials attach to being able to decrypt a coded communication under a warrant or similar legal authority. But the issue that has not been addressed is the competing priorities that support the companies’ resistance to building in a back door or duplicated key for decryption. We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring. [Continue reading…]


What’s inside the Justice Department’s secret cybersecurity memo?

National Journal reports: Sen. Ron Wyden has many problems with the cybersecurity bill that the Senate may take up before the August recess.

But he can only talk about some of them publicly. Other reservations remain strictly classified.

Wyden, the Democratic privacy hawk from Oregon, claims that a classified Justice Department legal opinion written during the early years of the George W. Bush administration is pertinent to the upper chamber’s consideration of cyberlegislation — a warning that reminds close observers of his allusions to the National Security Agency’s surveillance powers years before they were exposed publicly by Edward Snowden. [Continue reading…]


Hackers remotely hijack a Jeep on the highway — with me in it

Andy Greenberg writes: I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. [Continue reading…]


Despite repeated alarms on hacking, U.S. government computer systems remain vulnerable

The New York Times reports: In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets.

But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.

In an effort to highlight its corrective actions, the White House will announce shortly that teams of federal employees and volunteer hackers have made progress over the last month. At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication, a basic security feature, officials said. Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off. [Continue reading…]


MIT report: Giving government special access to data poses major security risks

MIT’s Computer Science and Artificial Intelligence Lab: In recent months, government officials in the United States, the United Kingdom, and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes.

Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?

That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — just published by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.

The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.” [Continue reading…]


Hacks of OPM databases compromised 22.1 million people, federal authorities say

The Washington Post reports: Two major breaches last year of U.S. government databases holding personnel records and security-clearance files exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends, U.S. officials said Thursday.

The total vastly exceeds all previous estimates, and marks the most detailed accounting by the Office of Personnel Management of how many people were affected by cyber intrusions that U.S. officials have privately said were traced to the Chinese government.

But even beyond the rising number of apparent victims, U.S. officials said the breaches rank among the most potentially damaging cyber heists in U.S. government history because of the abundant detail in the files. Officials said hackers accessed not only personnel records of current and former employees but also extensive information about friends, relatives and others listed as references in applications for security clearances for some of the most sensitive jobs in government. [Continue reading…]


Cyber attack on U.S. power grid could cost economy $1 trillion: report

Reuters reports: A cyber attack which shuts down parts of the United States’ power grid could cost as much as $1 trillion to the U.S. economy, according to a report published on Wednesday.

Company executives are worried about security breaches, but recent surveys suggest they are not convinced about the value or effectiveness of cyber insurance.

The report from the University of Cambridge Centre for Risk Studies and the Lloyd’s of London insurance market outlines a scenario of an electricity blackout that leaves 93 million people in New York City and Washington DC without power.

The scenario, developed by Cambridge, is technologically possible and is assessed to be within the once-in-200-year probability for which insurers should be prepared, the report said. [Continue reading…]
