Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for December 23rd, 2008

Hack the Panopticon to Punish Your Enemies

with 3 comments

By Bruce Sterling, December 22, 2008 | 5:10:04 PM
http://yro.slashdot.org/article.pl?sid=08/12/21/1751210

High school students in Maryland are using speed cameras to get back at their perceived enemies, and even teachers. The students duplicate the victim’s license plate on glossy paper using a laser printer, tape it over their own plate, then speed past a newly installed speed camera. The victim gets a $40 ticket in the mail days later, without any humans ever having been involved in the ticketing process. A blog dedicated to driving and politics adds that a similar, if darker, practice has taken hold in England, where bad guys cruise the streets looking for a car similar to their own. They then duplicate its plates in a more durable form, and thereafter drive around with little fear of trouble from the police.

NICE!

Written by Krypt3ia

2008/12/23 at 18:36

Posted in Uncategorized

Cyber War Games Confirm Flaws In US Security

After participating in a two-day cyber war simulation last week, government and industry officials said that the United States is ill-equipped to cope with a major attack against computer networks, Reuters reports.

The cyber war game brought together 230 representatives of government agencies, private companies and other groups, and revealed failings in leadership, planning, and communications.

Mark Gerencser, vice president of Booz Allen Hamilton, the consulting service which ran the simulation said: “There isn’t a response or a game plan; there isn’t really anybody in charge.”

The threats are serious. Earlier this year, federal prosecutors charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what appeared to be the largest hacking and identity theft network ever exposed.

Chairman of the Homeland Security Subcommittee on Cybersecurity, US Representative James Langevin said that a successful attack could lead to failure of banking or national electrical systems.

“We’re way behind where we need to be now,” said Langevin. “This is equivalent in my mind to before September 11 … we were awakened to the threat on the morning after September 11.”

Mock War Game Findings Similar to CSIS Report

The mock cyber attack follows the December 8 release of the CSIS Cybersecurity Commission report, Securing Cyberspace for the 44th Presidency, which found that America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration.

The report claims that there has been immense damage to the national interest, citing major intrusions to various government departments during 2007 alone:

* The unclassified e-mail of the Office of the Secretary of Defense was hacked

* The Department of State had lost terabytes of information

* Homeland Security suffered break-ins in several of its divisions

* NASA had to impose e-mail restrictions before shuttle launches and had allegedly seen designs for new launches compromised

* The Department of Commerce was forced to take the Bureau of Industry and Security offline for several months

* The White House recently dealt with unidentifiable intrusions in its networks

Slashdot Puts Questions to Rep. Langevin

With the 98 page CSIS report raising more questions than answers, Slashdot solicited questions for Langevin in an attempt to better understand some of the recommendations. Yesterday Slashdot posted his reply.

The key points include:

* The advantages of moving towards a more operational-focused testing environment like red/blue teams and penetration testing

* The need to develop and issue standards and guidance for securing three specific critical cyber infrastructures – telecom, finance, and energy

* Whether or not cyber operations should be run by the White House

Having witnessed President Elect Obama’s capabilities when it comes to all things Web, and having heard his intent to renew our information superhighway, we suspect he understands the importance of focusing on our cyber security issues and continues to build a stronger Internet for the citizens of the United States.

Ok, so how many years have they been doing this? How many times have we failed? Failed miserably? I have heard of about 5 cases of this in my time as an INFOSEC operator that this has been the case. So when are we going to learn?

One hopes that the Big O there will be willing to work on the problem… Get some hackers, some policy wonks, and operators together. Mandate them and empower them to shake things up and make a difference.

Wait and see…

Written by Krypt3ia

2008/12/23 at 18:18

Posted in Uncategorized

Excuses Excuses

with 2 comments

The Channel Wire
December 22, 2008

Microsoft Cites Lack Of Training For Missing Critical IE Bug

Microsoft researchers said that they overlooked a critical Internet Explorer bug because of inadequate processes and training that would have allowed them to detect the source of the error.

Microsoft released an emergency, out-of-band security patch last week repairing a critical error affecting the IE Web browser. The vulnerability stemmed from a fundamental flaw in the browser’s data-binding function that ultimately left a gaping hole in the memory space that could be accessed and exploited by remote hackers.

In Microsoft’s “Security Development Lifecycle” blog post, Michael Howard, the company’s principal security program manager, said that researchers overlooked some critical factors that would have led to the bug’s detection. The oversight was due, in part, to lack of training and an inadequate review process.

“Every bug is an opportunity to learn, and the security update that fixed the data-binding bug that affected Internet Explorer users is no exception,” Howard said. “We really don’t know how the bug was found, but some of the security people in Internet Explorer and the Trustworthy Computing Security teams suggest that the bug was either ‘stumbled upon’ or found through directed fuzzing.”

Howard said that this particular IE flaw fell outside researchers’ realm of training — the bug wasn’t a heap corruption vulnerability and therefore standard detection procedures were ineffective. While proper testing could have detected the error, the process would have been challenging and complex, Howard said.

“Memory related TOCTOU bugs are hard to find through code review; we teach TOCTOU issues and we teach memory corruption issues and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues,” he said. “In theory, fuzz testing could find this bug. But today there is no fuzz test case for this code.”

“Triggering the bug would require a fuzzing tool that builds data streams with multiple data-binding constructs with same identifier,” he added.

Despite the emergency update, Microsoft was unable to prevent a spate of attacks by hackers who exploited the vulnerability by reverse engineering the patch. Security researchers first saw evidence of attacks shortly following Microsoft’s “Patch Tuesday” monthly security bulletin release Dec. 9, and have since seen active exploitation rapidly spread in the wild.

Unlike other exploits that require users to download malicious software or open an infected file, users have only to visit a Web site infused with Trojans or other malware in order to become infected. Hackers can also lure victims to open a specially crafted site, typically with some kind of phishing or social engineering play, or by installing malicious code that exploits vulnerabilities on legitimate sites.

However, there were defenses that worked to protect users from becoming infected — namely Internet Explorer’s Protected Mode on Windows Vista.

Howard said Microsoft planned to update its training to accommodate these kinds of memory errors.

“If there is one other lesson from this, it’s that we, the software industry, need to work harder to make sure applications take advantage of the defenses offered in Windows today,” Howard said.

“This is one of those things that makes security hard — security is a highly asymmetric problem. Software developers must get the code right 100 percent of the time in a very short amount of time, while attackers can spend as long as they want to find one bug,” he said. “This isn’t an excuse; it’s a fact of life.”

Uhh yeah, how about your coding sucks and you should take security seriously?

Written by Krypt3ia

2008/12/23 at 18:08

Posted in Uncategorized
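The memory-related TOCTOU class that Howard describes in the post above, as an added example (not Microsoft's code and not part of the original article): a simplified C model in which a loop bound checked once goes stale because processing one binding releases another that shares its identifier. All names (`binding_t`, `walk_cached_bound`, `walk_revalidated`) and the release-on-duplicate rule are assumptions for illustration; released slots are only flagged, never freed, so the stale access is counted rather than performed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BINDINGS 8

/* One data-binding object (hypothetical model). `live` stands in for
 * "memory still allocated": release only clears the flag, so this demo
 * counts stale accesses instead of touching freed memory. */
typedef struct {
    char id[16];
    int  live;
} binding_t;

typedef struct {
    binding_t slots[MAX_BINDINGS];
    size_t    count;               /* live bindings occupy slots[0..count) */
} binding_list_t;

static void list_init(binding_list_t *l, const char *const ids[], size_t n)
{
    memset(l, 0, sizeof *l);
    for (size_t i = 0; i < n && i < MAX_BINDINGS; i++) {
        snprintf(l->slots[i].id, sizeof l->slots[i].id, "%s", ids[i]);
        l->slots[i].live = 1;
        l->count++;
    }
}

/* Release binding j: compact the array and shrink the list. */
static void release_at(binding_list_t *l, size_t j)
{
    for (size_t k = j; k + 1 < l->count; k++)
        l->slots[k] = l->slots[k + 1];
    l->count--;
    l->slots[l->count].live = 0;   /* old tail slot is now "freed" */
}

/* Assumed rule for this model: processing a binding releases any later
 * binding that carries the same identifier. */
static void process(binding_list_t *l, size_t i)
{
    size_t j = i + 1;
    while (j < l->count) {
        if (strcmp(l->slots[i].id, l->slots[j].id) == 0)
            release_at(l, j);
        else
            j++;
    }
}

/* Flawed pattern: the bound is checked once, then used after process()
 * may have shrunk the list. Returns how many released slots were visited. */
static size_t walk_cached_bound(binding_list_t *l)
{
    size_t stale = 0;
    size_t n = l->count;                      /* time of check */
    for (size_t i = 0; i < n; i++) {          /* time of use   */
        if (!l->slots[i].live) {              /* instrumentation only:    */
            stale++;                          /* real code would use the  */
            continue;                         /* released object here     */
        }
        process(l, i);
    }
    return stale;
}

/* Corrected pattern: the bound is re-read on every iteration, so the
 * loop never steps past the current end of the list. */
static size_t walk_revalidated(binding_list_t *l)
{
    size_t stale = 0;
    for (size_t i = 0; i < l->count; i++) {
        if (!l->slots[i].live) {
            stale++;
            continue;
        }
        process(l, i);
    }
    return stale;
}

/* Build a list from ids[] and return the stale-access count for one walk. */
static size_t run_walk(int revalidate, const char *const ids[], size_t n)
{
    binding_list_t l;
    list_init(&l, ids, n);
    return revalidate ? walk_revalidated(&l) : walk_cached_bound(&l);
}

int main(void)
{
    /* Constructed inputs: one with a repeated identifier, one without. */
    const char *const dup[]  = { "a", "b", "a", "c" };
    const char *const uniq[] = { "a", "b", "c" };

    printf("cached bound, duplicate ids : %zu stale\n", run_walk(0, dup, 4));
    printf("revalidated,  duplicate ids : %zu stale\n", run_walk(1, dup, 4));
    printf("cached bound, unique ids    : %zu stale\n", run_walk(0, uniq, 3));
    return 0;
}
```

Only the input with a repeated identifier reaches the stale slot, which is why a test corpus of well-formed, unique identifiers never exercises the flawed path.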

Industrial Espionage Escalates as 60% of redundant workers take secrets!

with one comment

Published 23rd December 2008

Companies warned to safeguard competitive and sensitive data from disgruntled employees facing redundancy

London 22nd December 08 – Sixty percent of office workers faced with redundancy or the sack admit they will take valuable data with them, if they could get away with it! 40% are downloading sensitive company secrets right now under their bosses’ noses in anticipation that they could lose their job. Those are the findings of a survey by IT security experts Cyber-Ark from research they carried out into “The recession and its effects on work ethics” amongst 250 office workers in London’s busy Canary Wharf.

Workers scheming behind their bosses’ backs

40% of workers who admit to already downloading competitive corporate data will use it as a negotiating tool to secure their next post as they know the information will be very useful to future employers.

Top of the list of desirable information that is currently being extracted from employers is the customer and contact databases, with plans and proposals, product information, and access / password codes all proving popular choices. HR records and legal documents were the least favoured data that employees were interested in taking.

Redundancy is a sore word and rumours that they were looming would send 47% of workers scurrying about prepared to do anything to try and obtain the redundancy list. Half said they’d try using their own IT access rights to snoop around the network and, if this failed, they’d consider bribing a ‘mate’ in the IT department to do it for them or bribe their friends in HR.

Memory Sticks the “Weapon of Choice”

Memory sticks are the smallest, easiest, cheapest and least traceable method of downloading huge amounts of data, which is why this is often considered the “weapon of choice”. Other methods were photocopying, emailing, CDs, online encrypted storage websites, smartphones, DVDs, cameras, SKYPE, iPods and, rather randomly yet quite disconcerting, 7% said they’d try and memorise the important data!

Adam Bosnian, VP of Products, Strategy and Sales of Cyber-Ark says, “The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick. With a faltering economy resulting in increased job cuts, deferred promotions and additional stress, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees. Our advice is only allow access to sensitive information to those that really need it, lock it away in a digital vault and encrypt the really sensitive data,” adds Bosnian.

So, this is in the UK, but the principle still applies. I think that with the layoffs already going on and the fear of more, the temptations will be big for people to just download and run. Often times we *in the trade* see (if the systems are capable) a rise in access of files/systems at odd times or in bursts before some of these folks walk off with data. Something that more companies are trying to get a handle on I suspect.

Well, just remember kids, if you are about to be laid off and you want to harvest data, do it slow like and exfil it sneaky… Of course that did not work for that Chinese chick recently *30 usb drives full of Motorola data* She’s going to federal pound her in the ass prison…

Wheee..

Written by Krypt3ia

2008/12/23 at 17:56

Posted in Uncategorized

Hacking The Hill

How the Chinese — or someone — hacked into House of Representatives computers in 2006, and what it will take to keep out the next electronic invader.

On October 26, 2006, computer security personnel from across the legislative branch were informed that the Congressional Budget Office had been hit with a computer virus. The news might not have seemed extraordinary. Hackers had been trying for years to break into government computers in Congress and the executive branch, and some had succeeded, making off with loads of sensitive information ranging from codes for military aircraft schedules to design specifications for the space shuttle.

Employees in the House of Representatives’ Information Systems Security Office, which monitors the computers of all members, staffers, and committee offices, had learned to keep their guard up. Every year of late, they have fended off more than a million hacking attempts against the House and removed any computer viruses that made it through their safeguards. House computers relay sensitive information about members and constituents, and committee office machines are especially loaded with files pertaining to foreign policy, national security, and intelligence. The security office took the information from the CBO attack and scanned the House network to determine whether any machines had been compromised in a similar fashion.

They found one. A computer in one member’s office matched the profile of the CBO incident. The virus seemed to be contacting Internet addresses outside the House, probably other infected computers or servers, to download malicious files into the House system. According to a confidential briefing on the investigation prepared by the security office and obtained by National Journal, security employees contacted the member’s office and directed staffers to disconnect the computer from the network. The briefing does not identify the member of Congress.

Apparently worried that the virus could have already infected other machines, security personnel met with aides from the member’s office and examined the computer. They confirmed that a virus had been placed on the machine. The member’s office then called the FBI, which employs a team of cyber-forensic specialists to investigate hackings. The House security office made a copy of the hard drive and gave it to the bureau.

Upon further analysis, the security office found more details about the nature and possible intent of the hack. The machine was infected with a file that sought out computers outside the House system to retrieve “malware,” malicious or destructive programs designed to spy on the infected computer’s user or to clandestinely remove files from the machine. This virus was designed to download programs that tracked what the computer user typed in e-mail and instant messages, and to remove documents from both the hard drive and a network drive shared by other House computers. As an example of the virus’s damage, the security office briefing cited one House machine on which “multiple compressed files on multiple days were created and exported.” An unknown source was stealing information from the computer, and the user never knew it.

Armed with this information about how the virus worked, the security officers scanned the House network again. This time, they found more machines that seemed to match the profile — they, too, were infected. Investigators found at least one infected computer in a member’s district office, indicating that the virus had traveled through the House network and may have breached machines far away from Washington.

Eventually, the security office determined that eight members’ offices were affected; in most of the offices, the virus had invaded only one machine, but in some offices, it hit multiple computers. It also struck seven committee offices, including Commerce; Transportation and Infrastructure; Homeland Security; and Ways and Means; plus the Commission on China, which monitors human rights and laws in China. Most of the committee offices had one or two infected computers. In the International Relations Committee (now the Foreign Affairs Committee) office, however, the virus had compromised 25 computers and one server.

The House security office contacted the committees’ employees and all of the members’ offices, and removed the infected computers and servers. The House’s technical-support center sent an advisory to all systems administrators, reminding them of safe computing practices, such as not opening links in e-mails from unknown sources. The House security office determined that whoever infected the machines had probably tricked users into visiting a website or clicking on a link in an e-mail or instant message that downloaded an infectious file; the virus then exploited as many of the computer’s vulnerabilities as it could detect. A diagram in the security briefing shows how the virus, once it penetrated the computer, made multiple attempts to download different kinds of malicious software.

The hacker or hackers — it’s unclear whether more than one was involved — attempted to evade detection by using an array of attack methods and downloading malicious files from various Internet addresses. The hacker was likely using many other infected machines as launching pads, making it essentially impossible to stop the attacks completely and exceptionally difficult to know where the hacker was located. It’s relatively easy for an attacker to mask his or her location by communicating through layers of infected computers and servers around the world.

The confidential briefing does not say where the hacker was, nor does it attribute the attack to a particular group or country. Such information is notoriously difficult for investigators to ascertain. But according to some members of Congress whose machines were infected, the attack described in the briefing emanated from China and was probably designed to steal sensitive information from lawmakers’ and committee offices.

Chinese Traces

That allegation and others about Chinese cyber-espionage lie at the heart of a simmering controversy over Chinese or China-supported hacking of U.S. government computer systems. As National Journal reported earlier this year, computer hackers, who several investigators and senior government officials believe are based in China and sometimes work on the Chinese government’s behalf, have penetrated deeply into the information systems of U.S. corporations and government agencies.

The hackers have reportedly stolen proprietary information from executives and even one Cabinet secretary in advance of business meetings in China. Some sources contend, moreover, that Chinese hackers may have played a role in two major power outages in the United States. Power companies and outside investigators call such allegations demonstrably untrue, but many cyber-security professionals express considerable anxiety about the vulnerability of U.S. networks.

Concern about China is so great that, only hours before the opening ceremonies of the Olympic Games in Beijing last summer, the United States’ top counterintelligence official, Joel Brenner, warned American visitors to leave their cellular phones and wireless handheld computers at home. “Somebody with a wireless device in China should expect it to be compromised while he’s there,” Brenner said on CBS News. “The public security services in China can turn your telephone on and activate its microphone when you think it’s off.” For those who were required or determined to take their electronic equipment, Brenner advised that they remove the batteries when they were not using the device.

Chinese sources were at the root of the hack on members of Congress in 2006, according to some lawmakers. In an interview with National Journal last summer, Rep. Mark Kirk, R-Ill., said that the virus described in the House’s confidential briefing had infected a machine in his office. House security personnel informed him of the infection, Kirk said, and he called the FBI.

Kirk then co-chaired the House U.S.-China Working Group, whose members had met with 11 Chinese business leaders less than a year earlier to discuss bilateral trade issues. The group has held monthly meetings to foster a diplomatic dialogue between Chinese and U.S. officials. Kirk said that his office’s infected computer was trying to contact Internet addresses that “eventually resolved themselves in China.” He hastened to add, “Obviously, you don’t know who is the real owner or operator of the [Internet] address.”

The breach could be viewed through one of two lenses, Kirk said. “The bad view” is that Chinese intelligence sources were trying to spy on a member of Congress. The “good view” holds that Chinese citizens, who read about the commission’s work in the media, hacked Kirk’s computer out of frustration or retribution. But this attack profile, Kirk said, “looked toward the criminal side.”

“Hacking into a congressional computer is a serious offense,” he said. Although Kirk said he didn’t know what files, if any, the hacker had pilfered, he assumed that the intruder wasn’t looking for information about Kirk’s constituents in Illinois. He concluded that the hacker was more interested in his China policy. “At that point,” Kirk said, “it seemed what we had was a case of overseas espionage.”

This past June, Rep. Frank Wolf, a Republican from Northern Virginia, took to the House floor and announced that four of his office’s computers “were compromised by an outside source.”

“On these computers,” he said, “was information about all of the casework I have done on behalf of political dissidents and human-rights activists around the world.” Wolf is an outspoken critic of China’s human-rights policies.

“That kind of information, as well as everything else on my office computers — e-mails, memos, correspondence, and district casework — was open for outside eyes to see,” Wolf said. And then, without naming names, he added, “Several other members were similarly compromised.”

Wolf said he had met with staff from the House Information Resources office and with FBI officials. “It was revealed,” he said, “that the outside sources responsible for this attack came from within the People’s Republic of China.” A spokesperson for Wolf told NJ that the intrusion he spoke of on the House floor is the same attack described in the confidential briefing obtained by National Journal and prepared by the House information security office. That briefing states that Wolf was one of the eight members affected, and that four of his machines were hit — the same number that Wolf cited publicly. In his floor remarks, Wolf said that his computers were found to have been compromised in August 2006, two months before the House Information Systems Security Office scanned the network for possible infections.

Keeping It Secret

The pervasive nature of the 2006 attack begs a question: Why didn’t members of Congress publicly disclose these breaches sooner? Wolf offered one answer.

“Despite everything we read in the press, our intelligence, law enforcement, national security, and diplomatic corps remain hesitant to speak out about this problem,” Wolf said on the House floor. “Perhaps they are afraid that talking about this problem will reveal our vulnerability.” He then added, “I have been urged not to speak out about this threat.”

Wolf didn’t say who urged him to remain silent. Kirk, whose office was also hit, said he spoke with Wolf before his remarks. Wolf wanted to publicly raise the issue of cyber-security to bring more attention to the problem, Kirk said. Kirk was more interested in finding the culprits.

“My objective was to get even with these guys and nail them,” he said. “My objective was to tell the FBI as much detail as I can so we can go after them.”

In his speech, Wolf urged his colleagues to raise their level of awareness, and he exhorted the executive branch to open up. “I strongly believe that the appropriate officials, including those from the Department of Homeland Security and the FBI, should brief all members of Congress in a closed session regarding threats from China and other countries against the security of House technology, including our computers, BlackBerry devices, and phones,” Wolf said.

Wolf’s outspokenness met resistance, Kirk said. “I think a number of people came to Frank and said, ‘Back off. Don’t do this,’ ” Kirk said. He declined to say who had approached Wolf. But he said that “some parts of the government” favor keeping systems open to track attackers, but they aren’t inclined to talk about it openly.

Both the intelligence community and the military use cyber-monitoring tools that are essentially the same as those directed against U.S. government systems. The Air Force, in particular, considers cyberspace to be a new battleground; the service has reportedly developed a formidable capacity to inflict damage on other nations’ computers and electronic infrastructure.

Learning Curve

Many members of Congress, it seems, may also be uninterested in talking about their cyber-vulnerabilities — not because they aren’t concerned about them but because they don’t understand them.

Wolf has said that in discussing the threat with colleagues, he has found that members don’t realize their computers are tantalizing targets. One cyber-security expert says that Wolf is probably right but that members’ ignorance doesn’t mean they’re indifferent.

“As a member of Congress, you have so many issues competing for your attention and, historically, cyber-security hasn’t been one that’s won out,” said Amit Yoran, who was the first director of the National Cyber Security Division in the Homeland Security Department. “It’s not an issue that is particularly well tracked by their constituents.”

Moreover, Yoran said, lawmakers can also fall victim to their own demands. “In Congress, you’ve got an organization full of a lot of senior executives.” Just as in the executive branch or in the private sector, members want to be treated like CEOs. They have “very high support requirements,” Yoran said. Put another way, if members of Congress want their computers to access a certain website or run a particular program, they don’t ask for technical support — they demand it.

That mind-set makes it exceptionally difficult to protect congressional computers in a uniform fashion. The House and Senate could enact the strictest security policies imaginable, but if members and their aides ignore the policies or ask for exceptions, security degrades.

No one understands that better than the office in charge of protecting members’ computers — the House Information Systems Security Office. “I can say, comfortably, that the level and quality of expertise within the security department, the IT department, of the House, is very strong,” Yoran said. “The Senate as well.” The confidential briefing on the 2006 breach bolsters Yoran’s assessment. It is clearly written and demonstrates that the security office understands the dynamic nature of cyber-intrusions.

Yoran emphasized, however, that between expertise and adequate security, “there’s a lot of ground.” Members and their staffers must decide whether to follow security procedures — and perhaps too often, they don’t want to be bothered.

Who Should Lead?

Congress is more than a tempting and sometimes easy target. Lawmakers also have oversight responsibility for the security of executive branch networks, and they make decisions that affect all U.S. telecommunications systems.

Members make the laws that set security policies and standards for government systems. They issue an annual report card and other assessments on how well the government is meeting those standards. Slowly but increasingly, lawmakers are writing statutes aimed at stiffening the penalties for computer intrusion and at defining hacking more clearly as a crime.

Yet Congress’s repeated run-ins with cyber-thieves and hackers don’t appear to have focused lawmakers’ oversight efforts. Last week, the Center for Strategic and International Studies, the Washington think tank noted for its defense policy research, released a highly anticipated cyber-security assessment for President-elect Obama. The study group included experts from a range of disciplines and industries, and was co-chaired by two members of Congress: Reps. Jim Langevin, D-R.I., and Michael McCaul, R-Texas.

The report, a year in the making, is almost entirely devoted to cyber-security recommendations for the next president. It devotes only one page to Congress’s role, perhaps with good reason. The panel essentially concludes that Congress cannot manage cyber-security.

The root of the problem, the report said, lies in Congress’s inconsistent, almost feudal, approach to oversight. “The fragmentation of oversight complicates efforts to improve homeland security, and cyber-security shares in this problem,” the authors wrote. The Homeland Security Department, which is responsible for securing civilian government networks, “has far too many oversight committees — more than 80 — exercising jurisdiction.”

The CSIS study group discussed whether that jurisdiction should be streamlined, a simple enough task on the surface. House and Senate rules don’t explicitly give jurisdiction over cyber-issues to any committees, and congressional leaders could limit responsibility to a more manageable number of lawmakers. The study group certainly thought that was a good idea. “Without rules changes that provide clear jurisdiction, responsibility for investigation, oversight, and policy development in cyber-security will depend largely on member interest and the ability of committees to coordinate with each other,” the report stated.

The study group stopped short of formally recommending that Congress take that step, however. In large measure, that’s because the CSIS recommendations were meant for the president-elect, not the speaker of the House and the majority leader of the Senate. But the panel also concluded that cyber-security — protecting critical networks not only from espionage but also from tampering and potential control by outsiders — was of such importance and magnitude that only the president could take charge of it. Indeed, the authors titled their report “Securing Cyberspace for the 44th Presidency.”

“The president could engage [congressional] leaders in a discussion to streamline jurisdiction,” the report said, “but jurisdictional consolidation would not produce the immediate improvement in cyber-security that our other recommendations offer.” The panel wants Obama to take charge of cyber-security and make the White House its political nerve center. It recommended that he create a new office for cyberspace in the Executive Office of the President that would work closely with the National Security Council, “managing the many aspects of securing our national networks while protecting privacy and civil liberties.” Any attempt to broadly secure cyberspace will, by necessity, involve close scrutiny of the information traveling through it, including e-mails, instant messages, and, increasingly, telephone calls.

The study group also recommended that Obama appoint an assistant for cyberspace and establish a Cyber-Security Directorate in the NSC. To support that directorate, the experts recommended a National Office for Cyberspace, which would be directed by the president’s cyber-assistant.

“The new administration has to take rapid action to improve cyber-security, and streamlining congressional jurisdiction isn’t one of those actions,” said James Lewis, a CSIS senior fellow and the director of its public policy program. He led the study group.

“The legislative process is deliberative,” Lewis said. “It has to move at its own pace on questions like jurisdiction, but there are things the executive branch can and should do without waiting.”

Nothing really new here, but I thought I would post another tidbit about our Chinese masters hacking the Hill…

Written by Krypt3ia

2008/12/23 at 17:50

Posted in Uncategorized

Plaxico Burress: Tips on gun ownership

with 2 comments

Written by Krypt3ia

2008/12/23 at 07:53

Posted in Uncategorized

“You know, when I was a kid we used to suck on pennies... It was a joy!”

Written by Krypt3ia

2008/12/23 at 07:37

Posted in Uncategorized