Cyber Security Intelligence


September Newsletter #3 2014

Want to Reform the NSA? Give Snowden Immunity

In 1970, Christopher Pyle disclosed in public writing that the U.S. Army was running a domestic intelligence program aimed at anti-war and civil-rights activists. His disclosure began a series of public-accountability leaks, the most famous of which was Daniel Ellsberg's leak of the Pentagon Papers. Only one leak, the clearly improper disclosure of satellite images of a Soviet aircraft carrier to Jane's Information Group, was ever prosecuted, and the norm of not prosecuting for leaks to the press was so strong that Senator Daniel Patrick Moynihan persuaded President Bill Clinton to pardon the offender who delivered the image to Jane’s.

It was only in 2002, when Jesselyn Radack disclosed that the prosecution of “American Taliban” John Walker Lindh had involved several violations of Lindh's constitutional rights that the new wave of whistleblowing and public-accountability leaks reemerged. Thomas Tamm and Russ Tice each disclosed the Bush administration's warrantless-wiretap program to The New York Times; AT&T employee Mark Klein disclosed the company’s complicity in illegal wiretapping; and William Binney, Thomas Drake, and others challenged internally—and in Drake's case disclosed publicly—early aspects of NSA dragnet surveillance. Chelsea Manning disclosed a major document cache to WikiLeaks, driven by what she viewed as American forces’ callous disregard for civilian casualties and silent complicity in Iraqi government torture. Most critically, Edward Snowden's disclosures led to the introduction of dozens of bills in Congress, a judicial opinion, and two executive-branch independent reviews that demanded extensive reforms to surveillance programs.

One thing is clear. Without the men and women of conscience who have come out over aspects of the abuses, the system would have kept on grinding.

Whistleblowing is a central pillar of the way American law deals with these dynamics of error, incompetence, and malfeasance in large organizations. From workplace-safety violations to Medicare and Medicaid fraud to anti-corruption campaigns around the world, we protect and reward those who follow both internal procedures and those who expose abuse to the public. Internal audit and review processes, while important, need the backstop of insiders with knowledge.

This is why immunity for Edward Snowden is so essential. In principle, there should be a public-accountability defense in criminal law, similar to self-defense and defense of others. But Congress should also introduce a simple direct intervention: adding retroactive immunity for Snowden to the NSA reform bill currently under consideration on Capitol Hill. Retroactive immunity would simply mirror immunity granted in the 2008 FISA Amendments Act to telecommunications companies that violated the law by collaborating with the illegal surveillance, and which the White House has sought to extend to other firms that handed over private data in the new reform bill.

NSA Reform Will Wait Until After the US Election

A bill that would curtail the government’s broad surveillance authority is unlikely to earn a vote in Congress before the November midterms, and it might not even get a vote during the postelection lame-duck session.

The inaction amounts to another stinging setback for reform advocates, who have been agitating for legislation that would rein in the National Security Agency ever since Edward Snowden’s leaks surfaced last summer. It also deflates a sudden surge in pressure on Congress to pass the USA Freedom Act, which scored a stunning endorsement from Director of National Intelligence James Clapper last week.

The hard-fought bill has a wide array of backing from tech companies, privacy and civil liberties groups, the White House, and even the intelligence community. But multiple sources both on and off Capitol Hill say the measure is not a top legislative priority on a jam-packed Senate calendar filled with other agenda items, including unresolved fights over a continuing resolution and the Import-Export Bank.

Malaysian Airline MH370 and MH17

Big Flight MH370 Lead - Former Malaysian PM Says CIA Covering Up the Truth! – YouTube

Stories about Flight 370’s disappearance have spread to YouTube in film blogs and opinion pieces on the mystery surrounding the flight. The CIA and Boeing are said to have been involved in hijacking the plane, taking it into the high atmosphere to kill everyone on board and then landing it at Diego Garcia, the American base, in order to stop unique hardware and a team of IT engineers from being taken to China.

MH17: search team to crash site 'before winter'

The government of Malaysia is sending a team to the MH17 crash site in Eastern Ukraine to find conclusive evidence to support its argument that the plane was shot down. Malaysian Prime Minister Najib Razak confirmed with the recently visiting Australian Prime Minister Tony Abbott that the search team would be deployed before winter.

All 298 passengers and crew on board Malaysia Airlines MH17 died on 17 July when the Kuala Lumpur-bound flight from Amsterdam crashed as it travelled over the war-torn region of eastern Ukraine.

Mr. Razak added that his government has “pretty conclusive” intelligence to suggest that it was shot out of the sky, but that it must be proved beyond any reasonable doubt before going to court.

Recent NATO Summit Declaration on Cyber

Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales from 4 to 5 September 2014

Cyber Points 72 and 73 of the NATO Report

72. As the Alliance looks to the future, cyber threats and attacks will continue to become more common, sophisticated, and potentially damaging. To face this evolving challenge, we have endorsed an Enhanced Cyber Defence Policy, contributing to the fulfillment of the Alliance’s core tasks. The policy reaffirms the principles of the indivisibility of Allied security and of prevention, detection, resilience, recovery, and defence. It recalls that the fundamental cyber defence responsibility of NATO is to defend its own networks, and that assistance to Allies should be addressed in accordance with the spirit of solidarity, emphasizing the responsibility of Allies to develop the relevant capabilities for the protection of national networks. Our policy also recognises that international law, including international humanitarian law and the UN Charter, applies in cyberspace. Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO's core task of collective defence.

A decision concerning when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.

73. We are committed to developing further our national cyber defence capabilities, and we will enhance the cyber security of national networks upon which NATO depends for its core tasks, in order to help make the Alliance resilient and fully protected. Close bilateral and multinational cooperation plays a key role in enhancing the cyber defence capabilities of the Alliance. We will continue to integrate cyber defence into NATO operations and operational and contingency planning, and enhance information sharing and situational awareness among Allies. Strong partnerships play a key role in addressing cyber threats and risks. We will therefore continue to engage actively on cyber issues with relevant partner nations on a case-by-case basis and with other international organisations, including the EU, as agreed, and will intensify our cooperation with industry through a NATO Industry Cyber Partnership. Technological innovations and expertise from the private sector are crucial to enable NATO and Allies to achieve the Enhanced Cyber Defence Policy’s objectives. We will improve the level of NATO's cyber defence education, training, and exercise activities.

We will develop the NATO cyber range capability, building, as a first step, on the Estonian cyber range capability, while taking into consideration the capabilities and requirements of the NATO CIS School and other NATO training and education bodies.

The Military Wants a Vehicle That Can Dodge Rockets

The year is 2020 and the setting is a battlefield in the Middle East. An armored Army vehicle bounds over low dunes on its way to a checkpoint when a local tribal leader fires a shoulder-mounted missile directly at the fast-moving truck. The targeting is dead on and the missile is moving too fast for the human driver to take evasive action. But the vehicle itself detects the vibrations of a rocket in motion via an array of advanced sensors. Acting at the speed of electric current, the vehicle’s raised-wheel axis extends out beneath it, dropping it several feet, like a newborn falling on shaky legs. The rocket glides over the top of the vehicle, missing it. The result? No casualties to report.

The above scenario is what the Defense Advanced Research Projects Agency has in mind with its Ground X-Vehicle Technology (GXV-T) program. With the cost of vehicle armor going up and its effectiveness going down, the military wants to build future vehicles that don’t just withstand assaults but predict and avoid them. The goal of the program is to build vehicles that weigh half as much as those of today, require half the crew, move twice as fast and can access 95 percent of the sorts of terrain that the military might encounter. The agency plans to award contracts by April of next year, which will kick off two years of funded research.

Recently the agency released a concept video to illustrate what that means. The animated footage depicts a futuristic fast-moving machine that looks straight out of Star Wars, detects missiles fired at it and responds almost telepathically. The same technology that enables Google’s self-driving cars, which began 10 years ago as a DARPA experiment, could enable differently designed vehicles not only to react to changes in the road ahead but to predict rapidly incoming ordnance.

The rapid growth of the Dark Net black markets

The Digital Citizen’s Alliance has provided an update to its study of online black markets, which focuses on monitoring sales of illegal drugs on the Darknet. After the FBI's seizure of Silk Road, Agora has assumed a predominant position on the online black market, together with the new version of the popular website, Silk Road 2.

The investigators found that the total number of drug listings across the various black markets is greater than 16,000 items; the document also presents data from smaller black markets and new marketplaces.

The rapid rise of the Agora black market was helped by problems faced by other marketplaces: beginning on December 9, Silk Road 2.0, Pandora Openmarket, and Tormarket were hit by DDoS attacks that shut down access to the websites. Pandora Openmarket also suffered a serious hack, which caused the loss of a substantial amount of bitcoin.

The update to the Digital Citizen’s Alliance's previous study on the evolution of the black markets was issued on August 22, 2014. The investigators also observed the shutdown of the Dark Bay marketplace and the birth of a new website, the Andromeda Market, which has grown rapidly. Among the new black markets, Cloud 9 and Hydra Marketplace are the two with the greatest growth.

Hackers Threaten To Reveal Creator Of Bitcoin

A hacker known as "Jeffrey" has seemingly gained control of anonymous Bitcoin creator Satoshi Nakamoto's email account, and Wired reports that they're offering up personal details in exchange for Bitcoin.

"Satoshi Nakamoto" is the name used by the anonymous developer who created Bitcoin and published details of it online in 2008. It's unknown whether Nakamoto is a private individual, a group of hackers, or whether their real name really is Satoshi Nakamoto.

The hack first emerged after an email was sent last night from the Satoshi Nakamoto email address to someone he had collaborated with in 2010 during Bitcoin's early days. Bitcoin Forum member "theymos" warned other members that he had received a bizarre email from Nakamoto reading "Michael, send me some coins before I hitman you."

In a Pastebin post, the hacker requests 25 bitcoin (around $11,600) in return for revealing more information about the anonymous Bitcoin developer. Partially redacted screenshots of emails are included as proof that the hacker does indeed have access to the email account. This post echoes the technique used by "OriginalGuy," the porn forum user who leaked the celebrity nude photos. Edited photographs were posted to encourage users to donate bitcoin in return for the full cache of images. There is no suggestion that "Jeffrey" was also behind the iCloud photo leak.

Satoshi Nakamoto has proven to be an attractive target for hackers, largely due to the rumored hoard of digital currency that he is presumed to own. One estimate places Nakamoto's fortune at 1 million bitcoin, worth hundreds of millions of dollars.

Blackphone security and vulnerability unveiled

Blackphone, the carrier- and vendor-independent smartphone that was created with the goal of placing privacy and control directly in the hands of its users, is not without its flaws, the Bluebox Security team discovered while reviewing it.

The team analyzed the device running version 1.0.2 of PrivatOS, which is built on Android, and comes pre-installed with a suite of privacy-enabled applications such as Silent Circle's Silent Phone, Silent Text, and Silent Contacts for secure calling, text messaging, and contact storage, and the Security Center app that allows users to control app permissions.

The team discovered a number of problems with the device itself and the apps on it. For one, there is currently no method to update apps individually; this is an issue that will be fixed by November. Secondly, there is a lack of critical apps, for example an app that will allow the user to open a PDF or Word document. This forces the user to install third-party apps by sideloading or other untrusted methods, as the phone does not offer an app store from which a download can be trusted.

As noted before, despite what users may have been expecting, Blackphone developers knew that researchers would ultimately find vulnerabilities in the device and software on it. They were actually hoping that bug hunters would test the device and share their findings. The developer's ultimate goal is to push out patches for found vulnerabilities faster than any other OEM - fix issues as soon as they or other people find them.

NATO struggles to define cyberwarfare defence

Picture: Depositors try to use automated teller machines of Shinhan Bank while the bank's computer networks are paralyzed at a subway station in Seoul, South Korea – March 2014.

Keystrokes could soon replace Kalashnikovs as the harbinger of future wars once NATO leaders endorse an updated policy that places catastrophic cyberattacks in the same league as real-world bombs and bullets. A major digital assault against any of the alliance's 28 members would have the potential to trigger a response under NATO's collective defence clause.

The concern came into sharp focus last week with reports of a major cyberattack on U.S. banks, which defence officials blamed on Russia. While NATO has always informally retained that right, the policy codifies the practice in what's being seen as an attempt to minimize the time it takes to make important political decisions in a crisis.

When does an attack in cyberspace constitute an act of war? And should Western allies adopt an offensive posture to counter the growing, sophisticated capabilities of adversaries such as Russia and China? There are some within the alliance who advocate taking on hackers and potential adversaries with the virtual equivalent of online disruption operations, say several defence insiders.

The best example would be the 2010 use of the so-called "Stuxnet" virus on computers running Iran's nuclear program. The origin of the malware has never been revealed but several published reports, including the New York Times and the Guardian in Britain, quote experts as saying only one organization, the US National Security Agency (NSA), has the sophistication to build such a weapon.

Each nation will be required to take certain measures to protect themselves and their networks, but defence insiders say the alliance is still struggling with how to engage each country.

Russian Spyware is Tapping Ukrainian Government

Snake, an espionage tool linked to the Russian government earlier this year, has been found in the computers of Ukraine’s prime minister and various embassies of its allies in Eastern Europe.

“Sensitive diplomatic information has been made available to the perpetrators of the attack as a result,” the Financial Times reports.

Snake is being carefully targeted at security and defense systems of governments and key government partners.

The cyber assault against Eastern Europe started by infecting 84 prominent public websites, which the attackers knew were visited regularly by government, defense industry and diplomatic service employees.

“The first level of infection involved visitors to those websites being prompted to upgrade their shockwave player software,” according to the Financial Times.

Details from the computers of targets who clicked to upgrade were then sent to the spies.

The second part of the campaign involved Snake operators targeting groups of visitors whose IP addresses corresponded to institutions and organizations of interest.

These victims were subsequently infected with a piece of malware known as "wipbot".

“The wipbot malware allowed Snake's operators to determine how senior those infected were in their organizations,” the Financial Times reports. “This then allowed for a specific and targeted deployment of the full Snake malware package solely to those whose computer systems contained the most sensitive and valuable information.”

Dozens of computers in the Ukrainian prime minister's office and at least 10 of Ukraine's embassies abroad have been compromised.

The operation has also affected embassies in at least nine countries, including Germany, China, Poland and Belgium.
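A defender-side check for the first stage described above, the fake "upgrade your Shockwave player" prompt served through compromised websites. This is an added example, not code from the article or the Financial Times: it runs over constructed proxy log lines with assumed hostnames, flags player-installer downloads that do not come from the vendor's own hosts, and groups them by referring page so that a site luring several internal clients stands out as a watering-hole candidate.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve Adobe Shockwave/Flash installers.
VENDOR_HOSTS = {"get.adobe.com", "fpdownload.adobe.com", "download.macromedia.com"}

# Filenames that mimic the "upgrade your Shockwave player" lure described in the article.
LURE_RE = re.compile(r"(shockwave|flash)[^/]*(player|update|upgrade)", re.IGNORECASE)
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}

# Constructed sample proxy records (not real traffic): ts client method url referrer content-type
SAMPLE_LOGS = """\
2014-03-03T09:12:01Z 10.20.1.15 GET http://news.example-gov.test/index.html - text/html
2014-03-03T09:12:04Z 10.20.1.15 GET http://cdn.update-player.test/shockwave_player_upgrade.exe http://news.example-gov.test/index.html application/x-msdownload
2014-03-03T09:15:10Z 10.20.1.22 GET http://get.adobe.com/shockwave/download/shockwave_player_update.exe http://get.adobe.com/shockwave/ application/x-msdownload
2014-03-03T09:41:57Z 10.20.1.31 GET http://cdn.update-player.test/ShockwavePlayerUpgrade.msi http://news.example-gov.test/press/2014.html application/octet-stream
2014-03-03T09:50:02Z 10.20.1.22 GET http://intranet.example-gov.test/report.pdf - application/pdf
"""


def parse_line(line):
    """Split one constructed proxy record into its six fields; '-' means no referrer."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, referrer, ctype = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referrer": None if referrer == "-" else referrer, "ctype": ctype}


def is_fake_player_update(rec):
    """True when a player-update-looking binary is fetched from a host outside the vendor allowlist."""
    parsed = urlparse(rec["url"])
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if not LURE_RE.search(path):
        return False  # not a player-update lure at all
    if host in VENDOR_HOSTS:
        return False  # genuine vendor download
    return rec["ctype"] in BINARY_TYPES or path.lower().endswith((".exe", ".msi"))


def detect_fake_player_updates(log_text):
    """Return one alert per client download that matches the fake-upgrade pattern."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_fake_player_update(rec):
            alerts.append({"client": rec["client"], "url": rec["url"], "referrer": rec["referrer"]})
    return alerts


def watering_hole_candidates(alerts, min_clients=2):
    """Group alerts by referring host: several distinct clients lured from one site suggests it is compromised."""
    by_ref = {}
    for a in alerts:
        ref_host = urlparse(a["referrer"]).hostname if a["referrer"] else None
        if ref_host:
            by_ref.setdefault(ref_host, set()).add(a["client"])
    return {h: sorted(c) for h, c in by_ref.items() if len(c) >= min_clients}


if __name__ == "__main__":
    found = detect_fake_player_updates(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT fake player update: {a['client']} fetched {a['url']} via {a['referrer']}")
    for site, clients in watering_hole_candidates(found).items():
        print(f"possible watering hole: {site} lured {len(clients)} clients: {', '.join(clients)}")
```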

Reports of the cyber strategy arrive as tensions between Russia and the west escalate. Russian troop buildups on the Ukrainian border continue, as U.S. and EU officials mete out economic sanctions against Moscow.

Bitcoin Boss Pleads Guilty In Silk Road Case

Two men, including the boss of a New York-based Bitcoin firm, have admitted enabling the digital currency to be funnelled to the black market website Silk Road.

Charlie Shrem - who was chief executive of BitInstant and also a former vice president of the Bitcoin Foundation - pleaded guilty in federal court to aiding and abetting the operation of an unlicensed money transmitting business.

Robert Faiella admitted operating an unlicensed money transfer business.

Both men face up to five years in jail.

The case grew from the US government's shutdown in October 2013 of Silk Road - a 'dark' site where users could anonymously buy and sell contraband and drugs using Bitcoin, which is unregulated and therefore difficult to track but volatile in terms of value.

The men were accused of letting more than $1m (£600,000) in Bitcoins reach the website and both admitted knowing that narcotics were bought and sold there.

Prosecutors said Faiella, from Florida, ran an underground Bitcoin exchange on the Silk Road website, operating under the username "BTCKing", and he filled his orders through Shrem's company from August 2011 until July 2013.

Silk Road used the privacy-protecting Tor network to shield the identities of buyers and sellers around the world, with its 13,000 listings including categories such as "cannabis", "psychedelics" and "stimulants".

As they busted the site, authorities seized approximately $3.6m (£2.2m) worth of Bitcoins, the largest-ever seizure of the currency; those bitcoins were later auctioned off to a single bidder.

It was alleged that Shrem never once filed a notice of concern relating to Faiella's transactions.

Sentencing of both men was due to take place in January.


Massive Cyber Attack on Norway’s Energy

State authorities are warning as many as 300 companies in the country’s major oil and energy industries this week that they’re the targets of the largest coordinated hacker attack ever registered in Norway. Attacks have been confirmed on around 50 companies, including Statnett, and the authorities fear more are underway, while another 250 are at risk.

Nasjonal Sikkerhetsmyndighet - Norway's National Security Authority (NSM) - has issued warnings to the companies it believes may be targeted including Statoil, the country's largest oil company. The identities of other firms that have been breached or targeted have not been disclosed at this time.

Statoil's head of press, Orjan Haraldstveit, confirmed that the company had been warned by NSM and was checking its networks and systems for evidence of a breach, in line with its internal policies.

NSM said it passed on the warnings after being tipped off by "international contacts". The authority said that it had an idea who was responsible for the attacks but did not wish to divulge that information at this time.

According to Norwegian site NewsinEnglish, Peer Olav Ostli of Statnett revealed that an employee had received an email containing a suspicious attachment.

The NewsinEnglish report quotes Hans Christian Pretorius, director of the operative division of NSM, who spoke to Norwegian newspaper Dagens Naeringsliv:

They (the hackers) have done research beforehand and gone after key functions and key personnel in the various companies. Emails that appear to be legitimate are sent to persons in important roles at the companies with attachments. If the targeted employees open the attachments, a destructive program will be unleashed that checks the target's system for various holes in its security system. If a hole is found, the program will open a communications channel with the hackers and then the "really serious attack programs" can infect the targeted company’s computer system.

The goal is to plant a Trojan or a virus on the machine. The first program just sets up contact. Then the attacker can sit outside and download damaging code.

Pretorius went on to explain that the attacker's goal was to install a keylogger, which would allow passwords to be stolen. This, he said, could ultimately be used to siphon intellectual property out of the target organisation.

This is not the first cyber attack to hit the Norwegian oil industry. In 2011 a group of hackers stole login credentials, industrial drawings and contracts from at least 10 oil and gas companies in Norway.

Whatever the reason for the attacks, this should act as a reminder to stop and pause before opening emails from unknown senders and question the inclusion of email attachments even when you know the sender.

Fake femme fatale dupes IT guys at US government agency

It was the birthday of the head of information security at a US government agency that isn't normally stupid about cyber security.

He didn't have any accounts on social media websites, but two of his employees were talking about his special day on Facebook. A penetration testing team sent the infosec head an email with a birthday card, spoofing it to look like the card came from one of his employees. The recipient opened it and clicked on the link inside.

After the head of information security opened what was, of course, a malicious birthday card link, his computer was compromised. That gave his attackers the front-door keys, according to Aamir Lakhani, who works for World Wide Technology, the company that performed the penetration test:

This guy had access to everything. He had the crown jewels in the system.

ITWorld's Lucian Constantin wrote up Lakhani's account of the successful pen test, which was performed in 2012 and sanctioned by a US government agency that Lakhani neglected to name.

Lakhani, a counter-intelligence and cyber defense specialist who works as a solutions architect for World Wide Technology, presented the results at the RSA Europe security conference in Amsterdam.

How did World Wide Tech crack open a US government agency that Lakhani described as being, as Constantin paraphrased it, "a very secure one that specializes in offensive cybersecurity and protecting secrets and for which, World Wide Technology had to use zero-day attacks in previous tests in order to bypass its strong defenses"?

The lynchpin, it turns out, was a spoof new hire at the agency: an attractive, smart, female graduate of MIT named Emily Williams whom World Wide Technology invented for the test.

According to the fake social media profiles the pen-test team created, Emily Williams, 28 years old, had 10 years of experience. They used a picture of a real woman, with her approval.

Attractive women can open locked doors in the male-dominated IT industry. A parallel test with a fake male social media profile resulted in no useful connections. A majority of those who offered to help Emily Williams were men. The gender disparity in social engineering has shown up in other situations, including, for example, the 2012 Capture the Flag social engineering contest at Defcon. Anecdotal evidence from the Defcon contest suggested that females may be better at sniffing out a con.

Your existing security software and procedures can help to prevent or limit damage from a social engineering attack and of course attackers won't necessarily limit themselves to just using social engineering, or indeed any one vector.
