Archive for July, 2011

Researchers Say Vulnerabilities Could Let Hackers Spring Prisoners From Cells

By Kim Zetter

Vulnerabilities in electronic systems that control prison doors could allow hackers or others to spring prisoners from their jail cells, according to researchers.

Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.

Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. — including eight maximum-security prisons — says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.

“Most people don’t know how a prison or jail is designed, that’s why no one has ever paid attention to it,” says Strauchs. “How many people know they’re built with the same kind of PLC used in centrifuges?”

PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones. Stuxnet’s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the country’s uranium enrichment capabilities.

Though Siemens PLCs are used in some prisons, they’re a relatively small player in that market, Strauchs says. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.

Strauchs, who lists a stint as a former CIA operations officer on his bio, became interested in testing PLCs after hearing about the systems Stuxnet targeted and realizing that he had installed similar systems in prisons years ago. He, along with his daughter Tiffany Rad, president of ELCnetworks, and independent researcher Teague Newman, purchased a Siemens PLC to examine it for vulnerabilities, then worked with another researcher, who prefers to remain anonymous and goes by the handle “Dora the SCADA explorer,” who wrote three exploits for vulnerabilities they found.

“Within three hours we had written a program to exploit the [Siemens] PLC we were testing,” said Rad, noting that it cost them just $2,500 to acquire everything they needed to research the vulnerabilities and develop the exploits.

“We acquired the product legally; we have a license for it. But it’s easy to get it off [eBay] for $500,” she said. “Anyone can do it if they have the desire.”

They recently met with the FBI and other federal agencies they won’t name to discuss the vulnerabilities and their upcoming demonstration.

“They agreed we should address it,” Strauchs said. “They weren’t happy, but they said it’s probably a good thing what you’re doing.”

Strauchs says the vulnerabilities exist in the basic architecture of the prison PLCs, many of which use Ladder Logic programming and a communications protocol that had no security protections built into it when it was designed years ago. There are also vulnerabilities in the control computers, many of which are Windows-based machines, that monitor and program PLCs.

“The vulnerabilities are inherently due to the actual use of the PLC, the one-point-controlling-many,” Rad said. “Upon gaining access to the computer that monitors, controls or programs the PLC, you then take control of that PLC.”

A hacker would need to get his malware onto the control computer, either by having a corrupt insider install it via an infected USB stick or by sending it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also other computers in non-essential parts of prisons, such as commissaries and laundry rooms, that shouldn’t be, but sometimes are, connected to networks that control critical functions.

“Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers write in a paper they’ve released (.pdf) on the topic. “Access to any part, such as a remote intercom station, might provide access to all parts.”

Strauchs adds that “once we take control of the PLC we can do anything. Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.”

Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Strauchs says a hacker could design an attack to override the cascade release to open all of the doors simultaneously and overload the system.

An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but Strauchs explains that the PLC provides feedback to the control system each time it receives a command, such as “kitchen door east opened.” A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.

While PLCs themselves need to be better secured to eliminate vulnerabilities inherent in them, Newman says prison facilities also need to update and enforce acceptable-use policies on their computers so that workers don’t connect critical systems to the internet or allow removable media, such as USB sticks, to be installed on them.

“We’re making the connection closer between what happened with Stuxnet and what could happen in facilities that put lives at risk,” he said.


Anonymous and LulzSec attack FBI and PayPal

In a joint statement from Anonymous and LulzSec released today, the hacktivist collectives lashed out at both the FBI and PayPal, saying that they are “terrorists” enacting injustices on America.

“In recent weeks, we’ve found ourselves outraged at the FBI’s willingness to arrest and threaten those who are involved in ethical, modern cyber operations,” begins the statement. The message goes on to call law enforcement “ridiculous” for going after suspects believed to be linked to Anonymous and says that the denial of service attacks waged on websites to shut them down do not warrant 15 years behind bars or hefty fees. “What the FBI needs to learn is that there is a vast difference between adding one’s voice to a chorus and digital sit-in with Low Orbit Ion Cannon, and controlling a large botnet of infected computers. And yet both of these are punishable with exactly the same fine and sentence,” they write.

The hacktivists add that they are outraged that PayPal continues to withhold funds belonging to WikiLeaks, and call the company out for assisting law enforcement in hunting down alleged donors.

“Quite simply, we, the people, are disgusted with these injustices. We will not sit down and let ourselves be trampled upon by any corporation or government. We are not scared of you, and that is something for you to be scared of. We are not the terrorists here: you are.”

Together, Anonymous and LulzSec urge their audience to close their PayPal accounts. “The first step to being truly free is not putting one’s trust into a company that freezes accounts when it feels like, or when it is pressured by the U.S. government. PayPal’s willingness to fold to legislation should be proof enough that they don’t deserve the customers they get. They do not deserve your business, and they do not deserve your respect,” they write.

Within hours of calling on their followers to shut down their PayPal accounts, Anonymous relayed via Twitter that a source working for the online payment site has confirmed that over 24,000 accounts had been closed.

The hacktivists are asking people to tweet photographs of their closed accounts and spread the word. “Anonymous has become a powerful channel of information, and unlike the governments of the world, we are here to fight for you,” they write.

Last year, Anonymous waged DDoS attacks on PayPal, Mastercard and Visa in response to the corporations’ stance against WikiLeaks. Earlier this month, a loophole allowed the whistleblower site to momentarily receive funds sent through Visa, bringing in upwards of six figures for WikiLeaks.

Classified information leaks onto the Internet

Experts are expecting to see new leaks of classified information online

Tatiana Shadrina

In many agencies this morning began with “blamestorming” in connection with another scandal involving the leakage of classified information to the Internet. Google’s search engine has revealed classified documents, marked “for official use only.”

This is not the first time classified information has appeared on the web in recent days and Rossiyskaya Gazeta (RG) experts predict it will not be the last. Some speculate that the active release of data resembles a coordinated hacker attack and, allegedly, this was intentionally done in time for implementation of amendments to the law “On personal information”. However, analysts refute this assumption.

RG’s correspondent has personally verified that with certain search queries Google search results provide links to documents from the Audit Chamber, Federal Communications Agency, Federal Migration Service, Ministry of Economic Development, Federal Service for Defense Orders, and others.

The documents are dated between 2002 and 2011 and can be opened and downloaded. But understanding just how classified the published information is can be difficult. The message that these documents are intended “for official use only” is issued by the search engine. However, the documents themselves do not contain this stamp. Federal agencies are denying that their classified documents have been released.

“Reports claiming that the Ministry of Economic Development’s documents labeled ‘secret’ or ‘for official use only’, have become available to the public are false,” Svetlana Glikman, advisor to the minister of economic development, told RG.

The content that can be found through online search engines is unclassified, and had at various times been published on the ministry’s official website, she says. For example, information about the trade and economic partnership between Russia and Morocco was published on the ministry’s website in 2010.

The Audit Chamber is providing a similar answer: “Search results that show so-called official documents of the Audit Chamber, allegedly labeled ‘for official use only’ are our official ballot materials.” The secret nature of the information is denied by other agencies as well.

But against the background of other scandals, it is clearly hard to confirm that leakage of information from the federal agencies is impossible.

Meanwhile, director of the Coordination Center for the National Internet Domain, Andrey Kolesnikov, says that these cases should not be linked to hackers. There is no highly intellectual and well-planned conspiracy. Simply, after the first incident with Yandex, many curious Internet users have asked themselves what other secret information may be obtained in an online search, says Kolesnikov. As for this being a reaction to the amendments to the law “On personal information”, they have been long-discussed and there had been some fierce debates over a number of points, but there have not been any “random” mass releases of information, he says.

Leading virus analyst with the Kaspersky Lab, Sergey Golovanov, agrees. Moreover, he told RG, “the more data is on the web, the more search engines index information, and the more information, the higher the probability of a human error when uploading content onto the web.” All the recent leakages are connected to the human factor, argues Golovanov. And systems are simply doing their job without knowing whether the provided information is confidential or not, he says. At the same time, he does not exclude the possibility that data leakage will continue due to the high level of activity of Internet users.

Order is expected to be brought to this sphere with the amendments to the law “On personal information”. All companies working with databases with citizens’ personal information will be required to install necessary technical protection and develop internal rules on dealing with data. Failure to comply with the law will not only be punishable by fines, but also with the revoking of licenses, and citizens whose personal information becomes available to the public, will be able to seek compensation for pain and suffering.

These measures will help prevent data loss in the future. As for the recent cases, the Prosecutor General’s Office has ordered the Office of the Public Prosecutor of Moscow to inquire into the online publication of personal information of chain store buyers, as well as into the media reports about the appearance of restricted official documents of a number of federal agencies on the Internet. RG experts offer their own recipes for emergency measures. Access to search engines should be closed at the level of providers, says Golovanov.

“The overloaded systems, working in major search companies are unable to quickly classify all of their stored information as confidential. Therefore, search engines can only ban the entry of certain search queries,” he says. And Kolesnikov recalls that, in order to avoid data loss from federal agencies, all of their staff members must abide by the appropriate rules. One of the examples showing employees’ lack of discipline could be that they upload information onto free file-sharing sites, he says.

This happens when, after working on a document, a staff member does not save it on a flash disk, but instead simply uploads it onto an online hosting site to share it with a colleague. And though it’s not particularly easy to find the document – access usually requires a link – with time, search engines are able to locate it. Another example of negligence, according to the expert, is working with secret documents on a home computer. Often, users fail to notice that their computer has been infected; meanwhile, “worms” and “Trojans” drag their information out, making it available to the public. A flash disk could also be infected. From it, the virus travels to the owner’s or his colleagues’ work computers. And by the time computer experts identify them, information could already be copied onto the web.

“Search engines index only the open Internet pages, and if a website owner wants to make sure certain pages, or the website as a whole, do not appear in the search results, then he can easily do so by placing a special file-lock on the pages containing confidential information,” adds Alla Zabrovskaya, public communications director for Google in Russia. This can be done at any moment, and when the web robot browses the web the next time, it will not detect or index these pages in order to subsequently show them in search results.

Anonymous forces Cyber Tsar to resign

If your position at Homeland Security requires you to keep cyber attacks at a minimum, you might not have been doing your job justice as of late.

It’s no surprise then that Randy Vickers, director of the US computer emergency readiness team (CERT), resigned on Friday.

Vickers’ unexpected stepping down comes after a slew of cyber crimes targeted some of the biggest — and presumably impenetrable — computer networks of the US government. In only the last few months, hacktivist collectives Anonymous and LulzSec have taken credit for attacking the websites of the CIA, Senate and FBI, among others.

The resignation was announced on Friday by way of a brief email, which noted that Vickers would forfeit his title immediately. In the interim, US-CERT Deputy Director Lee Rock will be stepping in while a replacement is sought out.


“Lee has been the Deputy Director for US-CERT for over a year and we are confident that our organization will continue its strong performance under his leadership,” assistant secretary Roberta Stempfley writes. “We wish Randy success in his future endeavors.”

Vickers had been overseeing all aspects of CERT as director, a position he has held since 2009.

The DC-based CERT office says that the team tries to tackle the cybersecurity of the nation, coordinates cyber information sharing and proactively manages cyber risks to the nation, all the while protecting the constitutional rights of Americans.

In the wake of the hack attacks, several persons affiliated with Anonymous and LulzSec, worldwide, have been arrested in recent weeks. The US government has reportedly been working with other international agencies to team up in an effort to thwart global cybercrime.

Earlier this month, hacktivists trying to further the “AntiSec” movement released around 90,000 usernames, passwords and other private data relating to military personnel that they claim was lifted from consulting firm Booz Allen Hamilton.

Source: RT

Department of Defense Strategy for Operating in Cyberspace

The Department of Defense released today the DoD Strategy for Operating in Cyberspace (DSOC). It is the first DoD unified strategy for cyberspace and officially encapsulates a new way forward for DoD’s military, intelligence and business operations.

The five primary pillars of the strategy are:
1st: DoD is treating cyberspace as an operational domain, like land, air, sea, and space.
2nd: DoD is introducing new active cyber defenses. Active defenses use sensors, software and signatures to detect and stop malicious code.
3rd: Working with the Department of Homeland Security and the private sector to protect critical infrastructure.
4th: DoD is building collective cyber defenses with our allies and international partners.
5th: Enhancing network security. A more secure and resilient internet is in everyone’s interest.

Download the document here:

New DoD Cyber Strategy Falls Short

By Cedric Leighton

The Pentagon is set to unveil its new strategy for dealing with cyber attacks. Because the cyber world now touches every aspect of our lives, the debate on what our cyber strategy should be has become one of the most important debates of its kind in our history.

We must develop a cyber strategy that leverages all the elements of national power. I’m afraid that the new cyber strategy will not go far enough. A few institutional fixes could remedy this shortfall and help us achieve our strategic goals.

Our bureaucratic structures must be reformed so that our responses to cyber attacks can be lightning fast and lethally effective. To that end, we must ensure that our cyber intelligence analysts and cyber warriors are trained to the highest standards and that only the most skilled and imaginative among them are promoted. We must ensure the Department of Homeland Security’s cyber security efforts are joined with those of the Department of Defense, so that responses to attacks emanating from both domestic and foreign sources can be dealt with expeditiously.

We must reform our legal framework for dealing with cyber crimes and cyber attacks. We must realize that computers can be both instruments of crime as well as weapons of war. Finally, from a warfighting perspective, we must recognize that cyber is its own unique domain. Just like land, sea, air and space are domains of warfare, we must extend the same recognition to the cyber world. Only when we accord domain status to the cyber world and recognize its unique properties will we be able to begin crafting a strategy that protects our interests in that world and safeguards our access to it. Without these fixes, no cyber strategy will adequately protect us.

The new strategy will seek to provide the US with a menu of response options for such attacks. Which response option is selected would depend on the severity of the attack. Just because the initial attack occurred in cyber space, the new strategy would not confine our response to the cyber realm. If we proved that an attack on our cyber infrastructure emanated from a particular country we could, for example, decide to bomb a key installation there. In essence, the new strategy is akin to the Kennedy Administration’s doctrine of “Flexible Response”, which governed our interactions with the Soviet Union during part of the Cold War. While it is a necessary tenet of any good strategy to give policymakers flexibility, the question remains whether or not the new strategy is sufficiently forward-thinking for it to be of any practical use in the world we find ourselves in.

Everything from the flow of goods and services, to banking, to the provision of healthcare, to the distribution of power, up to and including our national security, is enabled by unfettered access to the cyber realm. If that access were ever denied, life as we now know it would cease. The new strategy must seek to protect us from such a calamity and provide us the means to overcome any denial or disruption to the cyber realm. The effectiveness of the new strategy should be measured against real-world events.

Take the case of Estonia. Once this nation re-asserted its independence from Russia, the country rapidly developed a modern capitalist economy that became heavily dependent on a cyber-based backbone. Practically all banking transactions and government services were conducted via the Web. Tensions with ethnic Russians still living in Estonia remained high and reached a boiling point once the Estonians decided to move a statue honoring Soviet soldiers from the center of Tallinn to a Russian cemetery. In retaliation, Russian hackers (almost certainly with Russian government support) attacked the nation’s cyber infrastructure, bringing the banking and governmental functions Estonian society depended on to a standstill. Will the new cyber strategy protect us from similar attacks? And, if the attack is successful in spite of our best efforts, would we be able to marshal a meaningful response?

Unfortunately, these are not simply theoretical discussions. As Defense Secretary Leon Panetta has stated, the US cyber infrastructure is under attack “thousands of times” a day. Secretary Panetta has warned of a “cyber Pearl Harbor” if we do not act now to protect and defend the critical elements of our national infrastructure. A more apt historical comparison would be the fall of Singapore in World War II. Although the British had built a $500 million naval base just a few years earlier, the Japanese Imperial Army surprised the city’s defenders by entering via the “back door” of the Malaysian Peninsula.

Today we have to thoroughly understand what our “back door” cyber vulnerabilities really are. We have to craft tough, impregnable defenses that can protect multiple vulnerabilities at once. Once those defenses are breached, we have to be nimble enough to create new ones in a continual effort to stay ahead of those who would do us harm. In Singapore, the British were defeated because they were deftly outmaneuvered by an innovative enemy. Their unimaginative, bureaucratically hide-bound military leaders could not even conceive of the audacious strategy employed by the Japanese. That is precisely the danger that confronts us today in the cyber realm.

Cedric Leighton, a career Air Force intelligence officer, retired last year as a colonel. He is president of Cedric Leighton Associates, a Washington, D.C. strategic risk consultancy.

U.S. wants Lockerbie bomber deal

AMERICA wants Libyan rebels to capture the Lockerbie bomber two years after he was freed – so he can face justice in the States, it was claimed yesterday.

The secret deal between President Barack Obama and Libyan rebel leaders would see Abdelbaset al-Megrahi, 59, detained by opposition troops and then handed to US Special Forces.

Americans and families of the plane bomber’s victims were outraged after the Scottish Government freed him on “compassionate grounds”. He seemingly had only three months to live, as he was suffering from cancer.

That decision sparked worldwide fury. Now Mr Obama wants Megrahi to face trial in the US in exchange for continued US support of Libyan rebel forces.

A White House insider yesterday said: “If he’s found guilty here, he faces life in jail without parole.”

Megrahi bombed a Heathrow to New York flight above Lockerbie in 1988, killing 270.

He is said to be living in good conditions in Tripoli.

Meanwhile, Libya’s rebel leader Mustafa Abdel Jalil – Colonel Gaddafi’s ex justice minister – said the Mad Dog could retire peacefully on Libyan soil if he quits and agrees to international supervision.