Category Archives: United States

No, Department of Justice, 80 Percent of Tor Traffic Is Not Child Porn

No, Department of Justice, 80 Percent of Tor Traffic Is Not Child Porn

The debate over online anonymity, and all the whistleblowers, trolls, anarchists, journalists and political dissidents it enables, is messy enough. It doesn’t need the US government making up bogus statistics about how much that anonymity facilitates child pornography. At the State of the Net conference in Washington on Tuesday, US assistant attorney general Leslie Caldwell discussed what […]

The post No, Department of Justice, 80 Percent of Tor Traffic Is Not Child Porn appeared first on WIRED.



The FBI, Sony and the Attribution Problem, Part 1- Why?

Leave a reply

The recent attack on Sony has publicly paraded one of the predominant problems in incident response. While the immediate issue in incident response is of course the remediation of compromised systems and bringing these systems and IT services back online, it is entirely human to look for somewhere to cast blame. Let’s begin by fleshing out the “why” of attribution before engaging with the “how”.

Why Attribution?

For an affected entity, and for the security professionals working within it, attribution of the attacker(s) is only an ancillary concern. Certainly steps taken (or not taken) during the direct remediation of the breach are important and even essential to the later attribution effort, but priority of work must be on restoration of service. After service is restored, and the breach points corrected, the attribution process begins. Here are some reasons to perform attribution:

1. Attacker Centered Defense– If the attacker can be identified or at least have their tactics, techniques and procedures characterized, it may be possible to take steps to make their next intrusion more difficult and time consuming.

2. Legal/Governmental Retribution– Bringing criminal charges or taking other action against the attacker may deter future attackers, or may have deterrence against the current attackers if they are in a jurisdiction where criminal charges cannot be brought, but are vulnerable to intergovernmental or other pressures.

3. “Hacking Back”– This is an operation pregnant with a host of legal and ethical concerns. It may appear advantageous in the midst of an attack to attack back, but the technical reasons for doing so need to be looked at carefully. There are two scenarios where hacking back could reduce the impact of an ongoing hacking attack. One of these is a DDOS attack, where hacking back into the command and control systems of the attributed botnet may be a viable method to stem the attack. In the second scenario, stolen data belonging to the attacked entity has been definitively located (through attribution efforts) on a server, and then the entity performs a hacking operation to delete that data before it can be copied or moved. Both of these operations are patently illegal in the U.S.  due to the Computer Fraud and Abuse Act. Both also carry a low probability of success or advantage for the attacked entity. If a DDOS operation is disrupted, other botnets can be easily employed by the attacker at short notice, or they may regain control of the compromised botnet. The command and control servers may also be innocent bystanders who are unknowingly playing host to malware. Taking down the servers of a hospital or local government  or foreign military could have extremely serious human and geopolitical downsides.  In the second scenario, the attacked entity would have to be extremely proactive to get the toothpaste back into the tube. In fact, it is so difficult it may as well be regarded as functionally impossible, and there is little chance of getting all the data before it is further disseminated.

Looking at the limited reasons for attribution  and given especially the weakness of the third reason, it may be entirely reasonable for an attacked entity to decide not to pursue attribution. In the end, even having your attacker arrested will not undo the damage caused in the attack. The process of attribution is also not cost free. Additionally, any major actions taken on the basis of the attribution performed may only result in more reputation damage for the entity as the original breach and security failure is further publicized.

Why Attribute the Sony Hack? 

Obviously an attack as devastating as Sony’s–which will probably involve hundreds of millions of dollars in damage to Sony Pictures Entertainment, in addition to a substantial erosion of their reputation and personal damage to many of their prominent employees–should be answered. To decide to not attribute the attackers would make their actions seem tacitly permitted, and probably contribute to further devastating attacks against other entities. This Public Order justification is the purview of the FBI, who has taken a lead role in the investigation of the attack. Sony, of course, probably wishes nothing more than for this incident to go away and may be leaning more towards active disinterest in attribution. It isn’t as if any future lawsuit will recover their lost capital, and their threats of legal action against those who published the more tabloid-friendly portions of their internal emails are at serious risk of the Streisand Effect.

Of course, SPE is not the only actor involved. There are cyber security companies and the U.S. Government at work here as well. Attribution is in the interests of cyber security companies for reputation and prestige reasons, as a proof of their aptitude and ability. On the government side attribution can be a marker of aptitude as well, however, retribution is also a significant influence. In the global and domestic political arenas strong attribution can aid in the pursuit of other interests. Attribution has been used by the U.S. Government previously to pressure the Chinese Government in regards to their cyber espionage campaigns, and charges have been filed in the U.S. against a number of their operators.  So it comes to this. The primary reasons for attribution are political, as support for past and future actions and as an instrument of geopolitical pressure. The actions supported by attribution may include legislative efforts, international sanctions, and even electronic and physical attacks.

In Part Two of this work, having established the interests of the actors involved in attribution, we will look at the “How” of the SPE hack attribution as far as it is known publicly.

 

 

 

 

 

Drunken Spy Satellite Agency Employee Crashed Drone on White House Lawn

The curious incident of the drone in the night-time has been made a bit less mysterious today, as the Secret Service revealed new details into their investigation—including a confession by the pilot himself. According to the Secret Service, an unnamed employee of the National Geospatial Intelligence Agency (NGA) claimed responsibility for crashing a remote-controlled quadrocopter into a tree on the grounds of the White House.

The yet-unnamed employee reported the incident to his superiors at NGA. He claimed to have been drinking at an apartment near the White House when he decided early Monday morning to fly a friend’s new DJI Phantom drone. He claimed that he then lost control of the drone. Soon after the drone slipped unnoticed over the White House fence, it was spotted flying low over the grounds before it crashed into a tree.

The White House has a radar system to detect incoming aerial threats, but it did not detect the drone, which has the radar cross-section of a large bird at best. According to The New York Times, the Secret Service has been studying ways for the past few years to develop a defense against small drones, which could conceivably carry small explosives or other threats.

Read 1 remaining paragraphs | Comments

US Expands Spy Program on American Drivers Beyond Border Region

Since at least 2010, the Drug Enforcement Agency (DEA) has been expanding a regional license plate reader (LPR) program to the entire United States. Previously the program was only known to be concentrated in the border region of the American Southwest.

The revelation comes from new documents obtained and published late Monday by the American Civil Liberties Union (ACLU) under the Freedom of Information Act. The documents also show the DEA captured over 793 million license plates from May 2009 through May 2013 with the stated goal of drug-related asset forfeiture.

“The government has essentially created a program of mass tracking,” Catherine Crump, a former ACLU lawyer who now teaches at the University of California, Berkeley, told Ars. “The US has created a system where the government can track you and the American public simply has to accept it as a fait accompli.”

Read 9 remaining paragraphs | Comments

Silk Road Judge ‘Eviscerates’ Defense’s Evidence That Mt. Gox CEO Was a Suspect

Silk Road Judge ‘Eviscerates’ Defense’s Evidence That Mt. Gox CEO Was a Suspect

Just as quickly as the Silk Road’s defense created an alternate theory that the massive drug market was run by Mt. Gox CEO Mark Karpeles, the prosecution and judge in the case have now shoved key elements of the story back into the closet.

The post Silk Road Judge ‘Eviscerates’ Defense’s Evidence That Mt. Gox CEO Was a Suspect appeared first on WIRED.



US (Sort of) Points to “Smoking Gun” Linking North Korea to Sony Hack

Citing anonymous sources in and close to the US government, The New York Times reports that the fingering of North Korea as responsible for the attack on the network of Sony Pictures Entertainment was through evidence gathered by National Security Agency surveillance. This includes software taps into networks associated with North Korea’s network warfare and espionage unit, Bureau 121, among others. The actual evidence, however, will likely never see the light of day because of the highly classified nature of how it was obtained.

David Sanger and Martin Fackler of the Times report that the NSA started to ramp up efforts to penetrate North Korea’s networks in 2010 to monitor the growth of Bureau 121 and the rest of the country’s “computer network exploitation” capabilities:

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified NSA operation.

The NSA’s Tailored Access Office, according to the report, “drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers, and penetrated directly into the North with the help of South Korea and other American allies.” According to NSA documents released by Der Spiegel, some of South Korea’s initial assistance was not voluntary—the NSA secretly exploited South Korea’s existing hacks of North Korea to gain intelligence information. But despite the level of access they gained, according to an unnamed investigator into the Sony Pictures attack, the NSA and other US agencies “couldn’t really understand the severity” of the attack that would be launched against Sony when they began on November 24.

Read on Ars Technica | Comments

NSA Secretly Hijacked Existing Malware to Spy on N. Korea, Others

A new wave of documents from Edward Snowden’s cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations’ hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea’s networks—which initially leveraged South Korean “implants” on North Korean systems, but eventually consisted of the NSA’s own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out “Tailored Access Operations” on a variety of targets, while also building the capability to do permanent damage to adversaries’ information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the “Five Eyes” intelligence community, which was also included in the dump. The code appears to be from the Five Eyes joint program “Warriorpride,” a set of tools shared by the NSA, the United Kingdom’s GCHQ, the Australian Signals Directorate, Canada’s Communications Security Establishment, and New Zealand’s Government Communications Security Bureau.

Read 8 remaining paragraphs | Comments

Real or Not, Purported Hack on US Military is a Coup for Islamic Extremists

The Twitter and YouTube accounts belonging to the US Central Command were compromised on Monday by people who claimed they hacked sensitive US military PCs and leaked confidential material in support of the Islamic State.

The compromised CENTCOM Twitter account contained graphics and text supporting the Islamic State in Iraq and Syria (ISIS), and it warned the US to expect more hacks. It was carried out by a person or group dubbed the CyberCaliphate. Central Command is one of nine unified commands in the US military. With its area of responsibility covering Afghanistan, Iraq, Syria, and Iran, it leads the US campaign against Islamic State extremists. Monday’s attacks appeared to be carried out by the same group that earlier this month commandeered the Twitter accounts of CBS affiliate WBOC-TV and the Albuquerque Journal.

At the time this post was being prepared, there was conflicting evidence supporting the claim that anything more than CENTCOM’s Twitter and YouTube accounts were compromised. Files linked in a post on Pastebin contained what appeared to be rosters of US military personnel, including contact information for Army commands and retired Army generals. A separate series of documents, contained in a folder titled war-scenarios, showed PowerPoint slides that appeared to be related to war games exercises involving China, North Korea, and regions in Africa, Indonesia, and the Caspian. One slide in a file titled SOCOM_Africa_Scenario.ppt was dated January 12, 2015. It proposed a CIA operation in Congo and Southern Africa dubbed “Operation Cakewalk” to seize yellowcake uranium. CENTCOM officials confirmed the compromise of the social networking accounts but told CNN none of the leaked documents appeared to be classified.

Read 2 remaining paragraphs | Comments

Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity

Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity

Twitter and YouTube accounts belonging to the military’s US Central Command were hacked on Monday. Hackers supportive of the terrorist group Islamic State, also known as ISIS, took credit and issued a warning to the U.S. military.

The post Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity appeared first on WIRED.