Archive for March, 2011

Virtual war a real threat

The U.S. is vulnerable to a cyber attack, with its electrical grids, pipelines, chemical plants and other infrastructure designed without security in mind. Some say not enough is being done to protect the country.

When a large Southern California water system wanted to probe the vulnerabilities of its computer networks, it hired Los Angeles-based hacker Marc Maiffret to test them. His team seized control of the equipment that added chemical treatments to drinking water — in one day.

The weak link: County employees had been logging into the network through their home computers, leaving a gaping security hole. Officials of the urban water system told Maiffret that with a few mouse clicks, he could have rendered the water undrinkable for millions of homes.

“There’s always a way in,” said Maiffret, who declined to identify the water system for its own protection.

The weaknesses that he found in California exist in crucial facilities nationwide, U.S. officials and private experts say.

The same industrial control systems Maiffret’s team was able to commandeer also run electrical grids, pipelines, chemical plants and other infrastructure. Those systems, many designed without security in mind, are vulnerable to cyber attacks that have the potential to blow up city blocks, erase bank data, crash planes and cut power to large sections of the country.

Terrorist groups such as Al Qaeda don’t yet have the capability to mount such attacks, experts say, but potential adversaries such as China and Russia do, as do organized crime and hacker groups that could sell their services to rogue states or terrorists.

U.S. officials say China already has laced the U.S. power grid and other systems with hidden malware that could be activated to devastating effect.

“If a sector of the country’s power grid were taken down, it’s not only going to be damaging to our economy, but people are going to die,” said Rep. Jim Langevin (D-R.I.), who has played a lead role on cyber security as a member of the House Intelligence Committee.

Some experts suspect that the U.S. and its allies also have been busy developing offensive cyber capabilities. Last year, Stuxnet, a computer worm some believe was created by the U.S. or Israel, is thought to have damaged many of Iran’s uranium centrifuges by causing them to spin at irregular speeds.

In the face of the growing threats, the Obama administration’s response has received mixed reviews.

President Obama declared in a 2009 speech that protecting computer network infrastructure “will be a national security priority.” But the follow-through has been scant.

Obama created the position of federal cyber-security “czar,” and then took seven months to fill a job that lacks much real authority. Several cyber-security proposals are pending in Congress, but the administration hasn’t said publicly what it supports.

“I give the administration high marks for doing some things, but clearly not enough,” Langevin said.

The basic roadblocks are that the government lacks the authority to force industry to secure its networks and industry doesn’t have the incentive to do so on its own.

Meanwhile, evidence mounts on the damage a cyber attack could inflict. In a 2006 U.S. government experiment, hackers were able to remotely destroy a 27-ton, $1-million electric generator similar to the kind commonly used on the nation’s power grid. A video shows it spinning out of control until it shuts down.

In 2008, U.S. military officials discovered that classified networks at the U.S. Central Command, which oversees military operations in the Middle East and Central Asia, had been penetrated by a foreign intelligence service using malware spread through thumb drives.

That attack led to the creation in 2009 of U.S. Cyber Command, a group of 1,000 spies and hackers charged with preventing such intrusions. They also are responsible for mounting offensive cyber operations, about which the government will say next to nothing.

The head of Cyber Command, Gen. Keith Alexander, also leads the National Security Agency, the massive Ft. Meade, Md.-based spy agency in charge of listening to communications and penetrating foreign computer networks.

Together, the NSA and Cyber Command have the world’s most advanced capabilities, analysts say, and could wreak havoc on the networks of any country that attacked the U.S. — if they could be sure who was responsible.

It’s easy to hide the source of a cyber attack by sending the malware on circuitous routes through computers and servers in third countries. So deterrence of the sort relied upon to prevent nuclear war — the threat of massive retaliation — is not an effective strategy to prevent a cyber attack.

Asked in a recent interview whether the U.S. could win a cyber war, Alexander responded, “I believe that we would suffer tremendously if a cyber war were conducted today, as would our adversaries.”

Alexander also is quick to point out that his cyber warriors and experts are legally authorized to protect only military networks. The Department of Homeland Security is charged with helping secure crucial civilian infrastructure, but in practice, the job mostly falls to the companies themselves.

That would’ve been akin to telling the head of U.S. Steel in the 1950s to develop his own air defenses against Soviet bombers, writes Richard Clarke, who was President George W. Bush’s cyber-security advisor, in his 2010 book, “Cyber War: The Next Threat to National Security and What to Do About It.”

The comparison underscores the extent to which the U.S. lacks the laws, strategies and policies needed to secure its cyber infrastructure, experts say.

“If we don’t get our act together, the consequences could be dire,” said Scott Borg, who heads the U.S. Cyber Consequences Unit, which analyzes the potential damage from various scenarios.

The problem, though, is “there’s nothing that everyone agrees on,” said James Lewis, cyber-security expert at the Center for Strategic and International Studies in Washington.

For example, Lewis and other experts believe the government should mandate cyber-security standards for water systems, electric utilities and other crucial infrastructure. Some contend that major U.S. Internet service providers should be required to monitor patterns in Internet traffic and stop malware as it transits their servers.

But both ideas are viewed with suspicion by a technology industry that wants the government out of its business, and by an Internet culture that sees such moves as undermining privacy.

“There are a whole lot of things that can’t be legislated,” said Bob Dix, vice president of government affairs for Sunnyvale, Calif.-based Juniper Networks Inc., which makes routers and switches.

Yet Washington may be reaching a moment when the seriousness of the threat trumps political resistance. Sources familiar with the negotiations say the White House has promised Senate leaders that it will offer its own cyber-security legislation in a month. But any proposal that calls for far-reaching regulations would face an uphill battle.

CIA Director Leon E. Panetta told Congress recently that he worried about a cyber Pearl Harbor. Yet many who follow the issue believe that’s what it will take to force Americans to awaken to the threat.

“The odds are we’ll wait for a catastrophic event,” said Mike McConnell, former director of National Intelligence and cyber-security specialist, “and then overreact.”

ken.dilanian@latimes.com

US Gov’t Solicits Internet Propaganda Software

The US government is offering private intelligence companies contracts to create software to manage “fake people” on social media sites. Private security firms employed by the government have used the accounts to create the illusion of consensus on controversial issues.

The contract calls for the development of “Persona Management Software,” which would help the user create and manage a variety of distinct fake profiles online. The job listing was discussed in recently leaked emails from the private security firm HBGary after the last attack by internet activists.

According to the contract, the software would “protect the identity of government agencies” by employing a number of false signals to convince users that the poster is in fact a real person. A single user could manage unique background information and status updates for up to 10 fake people from a single computer.

The software enables the government to shield its identity through a number of different methods including the ability to assign unique IP addresses to each persona and the ability to make it appear as though the user is posting from other locations around the world.

Included in HBGary’s leaked emails was a government proposal for the government contract. The document describes how they would ‘friend’ real people on Facebook as a way to convey government messages.

The document reads:
* “Those names can be cross-referenced across Facebook, Twitter, MySpace, and other social media services to collect information on each individual. Once enough information is collected this information can be used to gain access to these individuals’ social circles.

* Even the most restrictive and security conscious of persons can be exploited. Through the targeting and information reconnaissance phase, a person’s hometown and high school will be revealed. An adversary can create a classmates.com account at the same high school and year and find out people you went to high school with that do not have Facebook accounts, then create the account and send a friend request. Under the mutual friend decision, which is where most people can be exploited, an adversary can look at a target’s friend list if it is exposed and find a target’s most socially promiscuous friends, the ones that have over 300-500 friends, friend them to develop mutual friends before sending a friend request to the target. To that end friends’ accounts can be compromised and used to post malicious material to a target’s wall. When choosing to participate in social media an individual is only as protected as his/her weakest friend.”

Other documents in the leaked emails include quotes from HBGary CEO Aaron Barr saying, “There are a variety of social media tricks we can use to add a level of realness to all fictitious personas… Using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example.”

Additional emails between HBGary employees, usually originating from Barr, discuss the vulnerability social networking causes.

One employee wrote, “and now social networks are closing the gap between attacker and victim, to the point I just found (via linked-in) 112 females, wives of service men, all stationed at Hurlburt Field FL – in case you don’t know this is where the CIA flies all their “private” airlines out of. What a damn joke – the U.S. is no longer the super power in cyber, and probably won’t be in other areas soon.”

Barr also predicted a steady rise in clandestine or secret government operations to stem the flow of sensitive information. “I would say there is going to be a resurgence of black ops in the coming year as decision makers settle with our inadequacies… Critical infrastructure, finance, defense industrial base, and government have rivers of unauthorized communications flowing from them and there are no real efforts to stop it.”

The creation of internet propaganda software is only one of HBGary’s controversial activities. According to Cryptome.org, a Wikileaks competitor and occasional collaborator, several other progressive organizations were intended targets, including anti-war activists, anti-torture organizations and groups opposed to the US Chamber of Commerce.

Click here to view the government contract (PDF)
(UPDATE 3/5/11: The official web listing seems to have been removed. PDF copy is still available though)

Ethical vs Unethical: Hackers Reaping Monetary Rewards This Week

With the fifth annual Pwn2Own hacking contest underway this week at the 2011 CanSecWest conference in Vancouver, professional hackers took to reaping the monetary rewards of breaking into smartphones, web browsers and operating systems.

With $125,000 in total prize money up for grabs, Apple Safari 5 and Microsoft Internet Explorer 8 were the first browsers to fall to the exploits of the researchers in the contest.

Meanwhile, Computerworld reports that the Pwn2Own hackers skipped out on Google’s $20,000 reward for cracking the web browser Chrome on day one of the challenge. With Chrome remaining untouched in the contest, Computerworld reports that this will be its third consecutive year of success at Pwn2Own.

But just as easily as the professional hackers assembled at CanSecWest this week to benefit tech giants and their consumers, the US Computer Emergency Response Team (US-CERT) is warning of another group of computer exploiters that may be planning to take advantage of a serious situation.

With the news continuing to trickle in on the devastating earthquake and tsunami in Japan, US-CERT this morning released a report to caution Internet users of the potential vulnerabilities on the web surrounding the event.

According to the report, “US-CERT would like to warn users of potential email scams, fake antivirus and phishing attacks regarding the Japan earthquake and the tsunami disasters. Email scams may contain links or attachments which may direct users to phishing or malware-laden websites. Fake antivirus attacks may come in the form of pop-ups which flash security warnings and ask the user for credit card information. Phishing emails and websites requesting donations for bogus or charitable organizations commonly appear after these types of natural disasters.”

Be advised, Cybersecurity News readers. And to all of my followers in Japan, I wish you safety and support during this difficult time.