Thursday, August 26, 2010

Mark Fiore: The Enchanted Financial Forest

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

U.S. Military Wants to Exert Influence Over Private Cyber Infrastructure

Tim Greene writes on NetworkWorld:

The U.S. military wants to exert more influence over the protection of power grids, transportation networks and financial network systems, a Pentagon official says in a broad-ranging essay published in Foreign Affairs.

To do so the Pentagon is urging that its defense expertise be put in play beyond the .mil domain to include .gov and .com and wants policy makers to figure out how best to do that.

The reasons are that the military relies on these networks to deal with suppliers and that these networks could become military targets, says William J. Lynn III, undersecretary of defense, in the essay called "Defending a New Domain."

"Protecting those networks and the networks that undergird critical U.S. infrastructure must be part of Washington's national security and homeland defense missions," Lynn says.

Because the military relies on these networks, the expertise it has developed should be made available to them, he says, but he doesn't describe exactly how that would happen in practice.

More here.

Note: Considering how the U.S. Military can't even protect its own networks against well-known USB malware, I find this suggestion laughable. - ferg

Wednesday, August 25, 2010

Charlie Miller: EU Cyber Assault Would Cost €86 Million

Andrew Rettman writes on

A malicious foreign power could - given €86 million, 750 people and two years to prepare - launch a devastating cyber attack on the EU, a US security expert has said.

The assault would begin with a member of staff at, say, the London Stock Exchange or the French electricity grid operator, RTE, opening a PDF attachment in an email which looks as if it had been sent by a colleague.

The PDF would contain software enabling a hacker on a different continent to silently take over his computer. Over time, the hacker would monitor the employees' keystrokes, sniff out passwords, and use the information to take over computers higher up the command chain, eventually putting him in a position to switch off the target's firewalls, leaving it open to DOS (Denial of Service) attacks, and to install RATs (Remote Administration Tools), which control its hardware.

Around 18 to 21 months down the line, with enough targets compromised, the assault could take place.

The EU 27 countries would wake up to find electricity power stations shut down; communication by phone and Internet disabled; air, rail and road transport impossible; stock exchanges and day-to-day bank transactions frozen; crucial data in government and financial institutions scrambled and military units at home and abroad cut off from central command or sent fake orders.

Normal life could be restarted in a few days' time. But the damage done to administrative capacity, consumer confidence and the economy by loss of vital data would last years.

More here.

New Secrecy Battle: China Bars Banks, Other Companies From Using Foreign Security Technology

An AP newswire article by Joe McDonald, via Canadian Business Online, reports:

China has ordered its banks and other major companies to limit use of foreign computer security technology, setting up a possible trade clash with the United States and Europe while adding to strains over high-tech secrecy as some nations threaten to curtail BlackBerry service.

Beijing's restrictions cite security concerns but are also consistent with its efforts to build up Chinese technology industries by shielding them from competition and pressing global rivals to hand over know-how.

The United States and the European Union have raised questions in the World Trade Organization about the rules. An American industry group is criticizing them as an attempt to shut competitors out of a promising market. Authorities are inspecting companies to enforce the restrictions and some have been told to replace foreign technology.

"These are legitimate security concerns, but the Chinese are going way too far," said Steven Kho, a trade lawyer for law firm Akin Gump in Washington. "You cannot say from the outset, `All foreign products are a security risk.'"

More here.

Tuesday, August 24, 2010

U.S. DoD Official Discloses Cyber Attack

Ellen Nakashima writes in The Washington Post:

Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon's cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," he says in the Foreign Affairs article.

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

Lynn's decision to declassify an incident that Defense officials had kept secret reflects the Pentagon's desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said.

More here.

Windows DLL Load Hijacking Exploits Go Wild

Gregg Keizer writes on ComputerWorld:

Less than 24 hours after Microsoft said it couldn't patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company's software.

Also on Tuesday, a security firm that's been researching the issue for the past nine months said 41 of Microsoft's own programs can be remotely exploited using DLL load hijacking, and it named two of them.

On Monday, Microsoft confirmed reports of unpatched -- or zero-day -- vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.

Microsoft also declined to reveal whether any of its own applications contain bugs that attackers could exploit, saying only that it is investigating.

More here.

Ad Firm Sued for Allegedly Re-Creating Deleted Cookies

Ryan Singel writes on Wired's Epicenter:

Specificmedia, one of the net’s largest ad-serving and tracking companies, has been hit with a federal lawsuit accusing the company of violating computer intrusion laws by secretly re-creating cookies deleted by users.

The lawsuit [.pdf], filed in California’s Central District federal court last Wednesday, is the third such suit filed this month by privacy attorney Joseph Malley. The first “zombie” cookie suit targeted sites ranging from MTV to Scribd that used technology from a company called Quantcast, while the second suit went after Disney and Demand Media for their use of similar tech from Clearspring Technologies.

At issue is the use of Adobe Flash to keep copies of a user’s browser cookies in order to re-spawn cookies after users clear them. The lawsuits allege that the companies did not explain to users how they were using Flash and that using the storage capabilities of Flash for this purpose violates federal privacy and computer security laws.

The practice first came to light a year ago after privacy researchers at Berkeley produced a report showing that 54 of the top 100 websites used Flash cookies, some of which were used to track users, while others simply set the default volume for streaming videos.

More here.

Just a Tad Warm Today...

Yes, it is just a bit warm today...

- ferg

Monday, August 23, 2010

Compliment of The Week

I've been told by my contacts in the Russian Underground that at least one person has said "I hate that guy" when referring to me.

That is positive traction in my business.

That is good news.

- ferg

Former TSA Employee Charged with Stealing Laptop Computers Lost at Newark Airport


A Bayonne, New Jersey woman surrendered today to face charges that she stole laptops from a Transportation Security Administration (TSA) lost and found facility and made false statements to effectuate her thefts, United States Attorney Paul J. Fishman announced.

Jennifer Steplight, 40, is charged by Complaint with one count of embezzlement by a government employee and one count of false statements, and is scheduled to make an initial appearance this afternoon before United States Magistrate Judge Patty Shwartz in Newark federal court.

Steplight was employed by TSA as a Master Transportation Security Officer-Coordination Center Officer and was responsible for maintaining records for the TSA lost and found facility that services Newark Liberty International Airport. From December 2009 through January 2010, Steplight stole four laptop computers from the lost and found facility and entered false information into TSA claim forms and inventory records to conceal her thefts.

If convicted, Steplight faces a maximum potential penalty of one year in prison and a maximum fine of $100,000 on the embezzlement charge, and a maximum potential penalty of five years in prison and a maximum fine of $250,000 on the false statement charge.

More here.

Hacker’s Arrest Offers Glimpse Into Crime in Russia

Andrew E. Kramer writes in The New York Times:

On the Internet, he was known as BadB, a disembodied criminal flitting from one server to another selling stolen credit card numbers despite being pursued by the United States Secret Service.

And in real life, he was nearly as untouchable — because he lived in Russia.

BadB’s real name is Vladislav A. Horohorin, according to a statement released last week by the United States Justice Department, and he was a resident of Moscow before his arrest by the police in France during a trip to that country earlier this month.

He is expected to appear soon before a French court that will decide on his potential extradition to the United States, where Mr. Horohorin could face up to 12 years in prison and a fine of $500,000 if he is convicted on charges of fraud and identity theft. For at least nine months, however, he lived openly in Moscow as one of the world’s most wanted computer criminals.

The seizing of BadB provides a lens onto the shadowy world of Russian hackers, the often well-educated and sometimes darkly ingenious programmers who pose a recognized security threat to online commerce — besides being global spam nuisances — who often seem to operate with relative impunity.

More here.

Sunday, August 22, 2010

Nokia Siemens to Defend Iran Spying Claims

Liam Tung writes on SC Magazine Australia:

Nokia Siemens Networks has released a statement claiming that it has been wrongly accused of helping the Iranian government spy on its citizens as it faces new litigation in a US court.

Last week, Iranian journalist Isa Saharkhiz and his son Mehdi filed proceedings against Nokia Siemens Networks in a US court, alleging human rights abuses by the company for supplying Iran with telecommunications interception technology.

Isa Saharkhiz was arrested after Iran's highly-charged 2009 elections, following government intercepts placed on his mobile phone.

Saharkhiz has reportedly been tortured by Iranian authorities since his arrest.

Lawyers acting for Saharkhiz want Nokia Siemens Networks to cease the "unlawful support of intercepting centres of the Iranian government", hoping the US judicial system will hold the company accountable to its activities in Iran.

More here.

WikiLeaks Founder: Pentagon Behind Rape Claim

An AFP newswire article, via The Guardian, reports:

The founder of WikiLeaks, Julian Assange, was himself the subject of a rapidly spreading online story when news cascaded across the internet for several hours at the weekend mistakenly saying he was being sought in Sweden on rape charges.

Before Stockholm's chief prosecutor made clear on Saturday afternoon that Assange was in fact neither charged with rape nor due to be arrested, the story had spread, generating more than 1,200 articles, available through internet news search, that received more than 1m hits.

"It was 7am when a friend who is Swedish and has been out on the net told me about the allegations," Assange told Stockholm daily newspaper Aftonbladet, which has hired him as a columnist : "It was shocking. I have been accused of various things in recent years, but nothing so serious as this."

More here.

India: Electronic Voting Researcher Arrested Over Anonymous Source

J. Alex Halderman writes on Freedom to Tinker:

About four months ago, Ed Felten blogged about a research paper in which Hari Prasad, Rop Gonggrijp, and I detailed serious security flaws in India's electronic voting machines. Indian election authorities have repeatedly claimed that the machines are "tamperproof," but we demonstrated important vulnerabilities by studying a machine provided by an anonymous source.

The story took a disturbing turn a little over 24 hours ago, when my coauthor Hari Prasad was arrested by Indian authorities demanding to know the identity of that source.

At 5:30 Saturday morning, about ten police officers arrived at Hari's home in Hyderabad. They questioned him about where he got the machine we studied, and at around 8 a.m. they placed him under arrest and proceeded to drive him to Mumbai, a 14-hour journey.

The police did not state a specific charge at the time of the arrest, but it appears to be a politically motivated attempt to uncover our anonymous source. The arresting officers told Hari that they were under "pressure [from] the top," and that he would be left alone if he would reveal the source's identity.

More here.