Tag: government


Earlier this week I conducted a follow-up discussion with an industry colleague about global cyber attack activity, specifically related to Russia and the situation in Syria. It was a valuable conversation so I want to share my thoughts on the topics we debated.

Our dialog began with a simple query: will Russia escalate its cyber attacks against the United States in retaliation for the military response the U.S. took against Syria after Assad's chemical weapons attack against his own citizens?

This is an interesting question for a few reasons. The chief issue with this specific question, and with discussions surrounding this topic in general, is that there is no agreed upon, clear definition of what exactly constitutes a cyber attack. There is no way to answer the question before defining the term cyber attack. So let's start there.

Is a cyber attack defined as the mere exploitation of a vulnerability, and subsequent acquisition of access to a target network? Does an actor need to perform some malicious activity after obtaining access before the compromise is considered an attack?

In the context of attacking the electric power industry, is attacking the power grid and causing an outage, like what transpired in Ukraine in December 2015 and December 2016, the demarcation line between what is and is not a cyber attack? Is sending phishing emails with malicious attachments, ultimately leading to establishing a foothold in a network for potential use later, a cyber attack?

This is where the media, the security industry, governments, and certain professionals tend to disagree on terminology. I feel it is important to dissect the words to better understand the original question. Of the two cases above, I would argue the latter – a phishing campaign resulting in mere command-and-control capability on a network – is not a cyber attack. It most definitely is a network breach. I argue it is considered network exploitation or offensive cyber operations, but not necessarily a cyber attack. Generally it is part of a much larger, potentially multi-faceted campaign, but just breaching a network is not a cyber attack.

Just as breaking into a vehicle does not imply intent to steal the car, remotely accessing a network is more nearly equivalent to breaking and entering or trespassing. There may be intent to steal intellectual property, disrupt network operations, surveil, participate in a botnet, or a host of other activities potentially rising to the level of a cyber attack. But mere access to a network does not establish the actor's intent.

Now back to the original question about the possibility of Russia increasing cyber attacks against the United States in retaliation for the airstrikes in Syria.

I do not believe Russian cyber attacks will increase as a direct result of the U.S. military actions in Syria. While Russia is likely not pleased with the airstrikes, there is no specific strategic reason for a cyber response from Russia. United States critical infrastructure is already purported to have been attacked on multiple recent occasions by Russia, most recently by leveraging a major Cisco router vulnerability.

Russia has already demonstrated sophisticated cyber operations capability, with the potential to compromise targets of its choosing in the United States. However, it has yet to demonstrate malicious intent. For the moment it has simply conducted a show of force, signifying its strength. This is the military equivalent of sending an aircraft carrier with an air wing aboard, accompanied by a battle group, off the coast of Russia. It suggests power and superiority.

It is unlikely Russia will currently attempt any cyber attack leading to major damage or disruption. In the short term it will continue to pursue network access, especially to strategic targets within critical infrastructure, but it is doubtful it will go beyond that.

On the one hand, Russia has a high degree of cyber sophistication. Hypothetically, the Putin regime may explore false flag operations against the United States, but if the attack were ever unequivocally attributed to Russia then it may not end well. Although in this era of crying fake news left and right, even indisputable evidence of a Russian plot may not be convincing.

On the other hand, Russia could directly attack the United States. The problem with this approach is the U.S. policy on response. A cyber attack does not necessitate an in-kind response. Just because an adversary uses the cyber domain to attack, the United States does not limit its response to the same domain.

Put another way, if the U.S. is the victim of a major nation-state-backed cyber attack, it will likely respond kinetically. The U.S. government has stated on multiple occasions that it has the option to respond with military force if it determines a cyber attack exceeds a damage threshold that has not yet been publicly defined. Expect bombs to be dropped, missiles to be launched, or troops to be engaged if the U.S. feels its sovereignty has been attacked.

Putin is most certainly cognizant of this, and is leveraging the ambiguity cyberspace offers to continue conducting operations and demonstrating Russian nation state capability. These minor operations will continue in the short term, but I find it hard to believe an actual attack will occur in the near future. Russia most assuredly does not want a traditional conflict with the United States. Russia will continue to pick at the proverbial scab since there are no repercussions.

Expect to see Russian cyber exploitation remain in the news cycle for the foreseeable future. Awareness of this threat is an important factor in ensuring U.S. government agencies, critical infrastructure, and businesses are prepared for the possibility of an attack. Resilient, proactive defensive measures and situational awareness will go a long way in limiting risk and exposure for the attack that will materialize at some strategic time in the future.

The New York Post reports on the Obama Administration using the cyber hotline to Russia to warn Putin against interfering in the 2016 US Presidential election:

Michael Daniel, Obama’s cyber czar, said administration officials used the channel — added to the nuclear hotline in 2013 so the countries could communicate about hacking and cyberattacks — to tell the Kremlin to “knock it off.”

“We know that you are carrying out these kinds of activities. And stop. Knock it off,” Daniel told CBS’ “60 Minutes” about the call on Oct. 7, 2016.

Asked if Russia got the message, Daniel said he thinks so.

“The fact that this was the first time we had ever exercised this channel, which was supposed to be, you know, for very serious cyber incidents and cyber issues — I think that, in and of itself — sent a message,” he said.

The Obama administration resorted to using the hotline after earlier the same day, it released its first public statement about how Russia was behind the hacking of the Democratic National Committee.

I do not get the impression the average US citizen truly comprehends the problems the country faced in 2016 with the Russian interference. Too many people see this as a US-only political issue, meaning US politicians are using the interference to discredit President Trump, discredit Hillary Clinton, and even discredit and blame former FBI Director James Comey.

That is far too short-sighted and completely misses the point. It is time to look at the Russian interference from a wide-ranging, multi-faceted strategic level. This is objectively an attack on US sovereignty and its democracy.

The country needs to put aside its like or dislike for a particular political candidate, and focus on how a foreign country – in this case, the one foreign country that was the primary US adversary during the Cold War – interfered with a sovereign state's election process to sow doubt and discord, effectively using propaganda to keep citizens from understanding the true issues. Ostensibly the goal was to make sure Clinton was not elected, given her relationship with Putin and position on Russia, not necessarily to get Trump elected.

It is time for the country to take a step back, take a deep breath, and take a look at this issue with renewed vigor, unshackled from the constraints of political affiliation and focus on it objectively. This attack unquestionably took place, unquestionably interfered with the election, and unequivocally played a pivotal role in the outcome of who was ultimately elected as the 45th President of the United States.

The time for playing partisan politics ended long ago. It is time to protect the future of the American democratic process. Enough with the games.

ZDNet discusses how Iranian hackers are breaching Singapore universities to access research data:

At least 52 accounts were affected across the Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University, and Singapore University of Technology and Design, according to a joint statement Tuesday by Cyber Security Agency of Singapore (CSA) and Ministry of Education (MOE).

Hackers had used phishing attacks to harvest credentials from affected staff members and used these to gain access to the institutes’ online libraries and research articles published by the academic staff.

Based on their investigations, CSA and MOE said no sensitive data had been stolen and the attacks did not appear to be linked to the APT attacks against NUS and NTU last year.

They were, however, believed to be part of last month’s attacks against education institutions worldwide including 144 universities in the US, after which the US Deputy Attorney General unveiled a series of indictments and financial sanctions against Iranians. The US government had identified nine Iranians thought to be part of the cyberattacks.

Iran is stepping up its cyber attack profile, hitting more locations outside its immediate vicinity. It is interesting to witness Iran maturing from a strong localized actor into a more globalized one. The success of Chinese, Russian, and North Korean nation state backed actors is likely motivation enough for Iran, which wants to be recognized as a world cyber power.

In addition, Iran is well behind the rest of the globe in research. Much like China, which primarily leverages cyber attacks for economic gain to forgo the time and money otherwise spent on research and development, Iran possibly sees the benefit of such an approach. By stealing intellectual property from research institutions like major universities, Iran could potentially gain an economic advantage, or even a military one, depending on the application of the data it is focusing on collecting.

Bloomberg is reporting the United Kingdom publicly announced its first major government-backed cyber attack, conducted in 2017, targeted Islamic State:

Jeremy Fleming, the director of GCHQ, which is better known for its communications interception work, said his agency had worked with the Ministry of Defence to make “a significant contribution to coalition efforts” against the al-Qaeda splinter group. He said that as well as making it “almost impossible” for the group to spread its message, the attack had protected forces on the battlefield.

“This is the first time the U.K. has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” Fleming told a cybersecurity conference in Manchester, England, “Did it work? I think it did.”

He said other operations might “look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps destroy equipment and networks.”

Notice the qualifying “as part of a wider military campaign” added to the statement? What this likely means is this attack against Islamic State is not the first time the UK has conducted cyber attacks, but one in which a cyber attack was only one aspect of a multi-faceted, multi-domain operation.

There is no doubt the UK has conducted previous cyber attacks. Although the nation has never publicly proclaimed so, the country is one of the stronger purveyors of cyber capabilities, and absolutely leverages them when necessary. Since the inception of the UK NCSC, which is part of the GCHQ, this operation was likely the first time the organization worked in tandem with the Ministry of Defence for this strategic opportunity.

ZDNET explores nation state actors not just breaching critical network assets, but their attempt to undermine trust in the entire system:

“We’ve really got to think about the fact our adversaries are attacking more than just our technology. Our adversaries are now starting to critically undermine the trust that our stakeholders have,” said Cooper.

There are many in the cybersecurity industry who would argue that technology alone can solve this problem — protect systems with the relevant tools to keep them safe from attacks. But this is perhaps ignoring the wider issue: there isn’t an antivirus product to protect against declining faith in big institutions, or to defend against fake news.

“The bigger system, that’s the thing we have to defend, not just the technology. While we’re focusing on protecting the technology, our adversaries are focused on attacking the system. And by attacking the system, they’re critically undermining the trust in that system,” said Cooper.

In order to achieve that, it can’t just be about “looking for our technology comfort blanket,” he said, adding: “we’re going to find it lacking”.

The idea nation state actors are eroding trust in the entire system is an insightful distinction many people overlook. It is the difference between viewing an attack through a tactical lens versus a strategic one.

All too often nation state backed breaches are part of a much larger, multi-faceted operation rather than a singular goal. We need to always consider attacks from this perspective so we can better understand a potential end state. Merely focusing on the obvious goal will not allow us this insight and will ultimately cement failure to adequately defend the crown jewels.

This is where solely employing technological cyber defense is inadequate. Leveraging threat intelligence will be far better at allowing an organization to craft the right strategy to defend against a variety of attacks, actors, and vectors. There is no one-size-fits-all solution to cyber defense. There are some basic tactics, but using a combination of technology and strategy will almost always be the correct mix.

Bloomberg offers more details on the previous pipeline data system cyber attack:

While the EDI systems may be entry points for hackers, they are likely not the ultimate target, said Jim Guinn, managing director and global cybersecurity leader for energy, utilities, chemicals and mining at Accenture PLC, a technology consulting company.

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious,” Guinn said by telephone Tuesday. “All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

He also said there is nothing inherently different about oil and gas EDI systems.

US oil and gas pipelines have previously been seen as attractive cyber attack targets:

This isn’t the first time U.S. pipelines have been targeted. In 2012, a federal cyber response team said in a note that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies. The group, the Industrial Control Systems Cyber Emergency Response Team, is a division of Homeland Security.

“It’s important to recognize that this does not appear to be an attack on an operational system,” said Cathy Landry, a spokeswoman for the Interstate Natural Gas Association of America. “An attack on a network certainly is inconvenient and can be costly, and something any company – whether a retailer, a bank or a media company — wants to avoid, but there is no threat to public safety or to natural gas deliveries.”

Bloomberg discusses a recent spate of cyber attacks against specific critical infrastructure targets that effectively shut down a pipeline data system:

A cyber attack that hobbled the electronic communication system used by a major U.S. pipeline network has been overcome.

Energy Transfer Partners LP was confident that, after 6 p.m. New York time on Monday, files could safely be exchanged through the EDI platform provided by third-party Energy Services Group LLC, the pipeline company said in a notice. Earlier in the day, it reported a shutdown of the system because of an attack, while saying there was no effect on the flow of natural gas.

The EDI system conducts business through a computer-to-computer exchange of documents with customers. Though it’s not clear who was responsible for the attack, it comes after U.S. officials warned in March that Russian hackers are conducting a broad assault on the nation’s electric grid and other targets. Last month, Atlanta’s municipal government was hobbled for several days by a ransomware attack.

Energy Transfer, run by billionaire Kelcy Warren, isn’t the only pipeline company using EDI. Other operators with similar systems include Kinder Morgan Inc. and Tallgrass Energy Partners LP, according to their websites. Representatives for Kinder and Tallgrass said the companies’ systems weren’t affected.

It is important to note the distinction here: a communications network was attacked, not the actual gas pipeline operational network itself. Although light on details, it seems there was no actual method for the attackers to disrupt the pipeline, only inflicting damage to the communications infrastructure.

Expect more similar attacks to occur in the future. Causing outages on the communications networks could lead to operational issues. Often the operators will bring down the operational networks to ensure personnel safety or to avoid physical damage due to lack of adequate monitoring capability. There will likely be no direct damage.

In these situations the operational capabilities may end up as collateral damage, not the primary target.

Wired discusses the recent Atlanta ransomware attack and how the actors leveraging SamSam are selective about their targets, often choosing organizations they believe will end up paying the ransom:

Attackers deploying SamSam are also known to choose their targets carefully—often institutions like local governments, hospitals and health records firms, universities, and industrial control services that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime. They set the ransoms—$50,000 in the case of Atlanta—at price points that are both potentially manageable for victim organizations and worthwhile for attackers.

And unlike some ransomware infections that take a passive, scattershot approach, SamSam assaults can involve active oversight. Attackers adapt to a victim’s response and attempt to endure through remediation efforts. That has been the case in Atlanta, where attackers proactively took down their payment portal after local media publicly exposed the address, resulting in a flood of inquiries, with law enforcement like the FBI close behind.

From an attacker's point of view, it is just smart business to set the ransom price at a point within reach for the victim. The actors are banking on the victims believing it is far more expedient and less expensive to pay the ransom rather than endure a lengthy outage.

Although it appears easier to pay a ransom to rapidly resume operations, the overall economics of a ransomware attack are not that simple. Even if a victim pays a ransom they will need to essentially rebuild their entire network from the ground up to ensure they completely eradicate any trace of the attackers. Merely paying a ransom does not guarantee the actors did not leave a backdoor somewhere within the network.

Performing a cost-benefit analysis is important in these situations, weighing the difference in lost revenue due to the ransomware attack, lost productivity, cost to pay the ransom versus cost to remediate the infection. This is no easy task, with no black-and-white answer. The chosen route ultimately depends on the business and the types of daily operations it undertakes. Ransomware attacks are not one size fits all.

In the specific case of Atlanta, it sounds like mission critical data was encrypted in the ransomware attack. That the city cannot recover this data through local or cloud-based backups demonstrates a situation faced all too often: lack of proper foresight and planning. Had the city safely stored mission critical data off site in addition to its local storage, then forgoing payment and merely rebuilding would be an easy choice. But it seems the situation is much more complicated.

The City also suffered a cyberattack in April 2017, which exploited the EternalBlue Windows network file sharing vulnerability to infect the system with the backdoor known as DoublePulsar—used for loading malware onto a network. EternalBlue and DoublePulsar infiltrate systems using the same types of publicly accessible exposures that SamSam looks for, an indication, Williams says, that Atlanta didn’t have its government networks locked down.

“The DoublePulsar results definitely point to poor cybersecurity hygiene on the part of the City and suggest this is an ongoing problem, not a one time thing.”

Though Atlanta won’t comment on the details of the current ransomware attack, a City Auditor’s Office report from January 2018 shows that the City recently failed a security compliance assessment.

This is the issue: Atlanta lacks the necessary security professionals to keep its IT assets safe from modern attacks. This is a good lesson for other similar city governments. Get your act together and ensure security is a priority and baked into IT operations; otherwise expect successful attacks to continue to hinder operations.

The Daily Beast dissects a recent leak of a classified National Security Agency document outlining how Russian intelligence interfered with the 2016 Presidential election through its highly comprehensive information warfare campaign:

The dumped intelligence report offered some of the best confirmation of Russian meddling in the U.S. election, providing more evidence to tamp down the claims of President Trump and his legions that it was China or a guy in a basement that hacked the Democratic National Committee and many other current and former American officials.

The techniques targeting election officials—spam that redirects recipients to false email login pages yielding passwords to Russian hackers—appear eerily familiar to those used by the GRU against many other U.S. targets in 2015 and 2016.

To the disappointment of Trump’s biggest haters, the NSA leak provides no evidence that Russia changed any votes. And that makes sense, as Russian altering of the tally in favor of their preferred candidate Donald Trump would be sufficient justification for war—one Russia would lose against the U.S.

The Kremlin sought instead to create the perception among Americans that the election may not be authentic in order to push their secondary election effort: Undermine the mandate of Hillary Clinton to govern, should she win.

The idea that Russia hacked actual electronic voting machines is a non-story. That is not how Russian intelligence interfered with the election. Russia did not use the traditional concept of computer hacking to effectively undermine the Clinton campaign. Instead, their comprehensive strategy was old fashioned information warfare, something Russia is extremely capable at executing.

Through the skilled use of video manipulation, meme creation, small cells targeting specific conversations on various social networks, and a wide array of automated bots, Russia effectively mounted one of the most dynamic and well executed information warfare campaigns in history. The only outstanding question at this juncture is whether or not there was any collusion, quid pro quo or otherwise, between the Trump campaign and Moscow. This remains to be seen, based on whatever Special Counsel Mueller and his team are capable of finding.

In America, it sought not to alter the tally, but to create the perception that it’s possible—and instill doubt among Americans in the process. Hacking of voter rolls rather than machines creates an impression in the voters’ psyches without provoking the U.S. into open conflict.

This is likely going to be one of the longest lasting effects of Russian interference in the US election: sowing doubt and discord among the American populace, so much so that it begins to break down trust in governmental institutions, potentially leading towards a collapse of the Republic itself.

That may sound over the top, but it is exactly the outcome Putin desires. He would like America and Russia on a level playing field once again. Since the decline of the Soviet Union, America has constantly been atop Russia, overshadowing it in every aspect of political and military capability. That is, until Putin came into power and changed the game once again.

At this point one has to wonder exactly how capable the United States is with offensive cyber operations. Is the US capable of pulling off a similar campaign in a major country like what Russia did in 2016?

The Seattle Times is reporting a Boeing manufacturing plant was hit with the ostensibly North Korean developed WannaCry ransomware even though the malware was unleashed over a year ago, and a patch has been available from Microsoft since March 2017:

Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alarming alert about the virus calling for “All hands on deck.”

“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel wrote, adding his concern that the virus could hit equipment used in functional tests of airplanes ready to roll out and potentially “spread to airplane software.”

VanderWel’s message said the attack required “a batterylike response,” a reference to the 787 in-flight battery fires in 2013 that grounded the world’s fleet of Dreamliners and led to an extraordinary three-month-long engineering effort to find a fix.

So an assembly plant was affected, but no word on how the WannaCry ransomware penetrated the operational network. This vital piece of information is necessary to better comprehend exactly what happened, why it happened, and how to prevent future similar breaches.

CSO Online reports on how the GoScanSSH malware is targeting Linux operating systems but somehow manages to avoid government and military operated servers:

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, honing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

This sounds like a particularly nasty type of attack, but one that ought to be fairly simple to prevent. Considering it is easy to determine what the target system types are, and how the malware functions, deploying the right defense strategy is actually quite straightforward.

A couple of very simple examples immediately come to mind:

  1. Delete the unnecessary accounts from the above list, or rename those that must stay. In most cases guest, oracle, osmc, pi, test, ubnt, ubuntu, and user are unnecessary and can be removed. If they need to be kept, as I said, rename the accounts.
  2. Ensure root cannot log in over SSH at all (PermitRootLogin no in sshd_config). There is never a reason to SSH directly as root. This is the entire point of the sudo and su commands – log in as an unprivileged user and then use one of those commands to perform functions as root or other users. And since GoScanSSH is a password brute force, moving the remaining accounts to key-based authentication (PasswordAuthentication no) removes its attack surface entirely.
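
As an added example (not part of the original post, and not Talos's tooling), the following POSIX shell script turns both items above into checks that can be run against copies of /etc/passwd and sshd_config. The username list is the one quoted from Talos above; the sample passwd and sshd_config files are constructed for illustration and are not from any real host. The config parser deliberately ignores sshd Match blocks, which is an assumption worth keeping in mind on hosts that use them.

```shell
#!/bin/sh
# Added example: audit a Linux host for the two conditions GoScanSSH's
# password brute force relies on (watched usernames with a login shell, and
# sshd still allowing root / password logins). Files are passed as arguments
# so the functions can be run against copies or the constructed samples below.

# Usernames the Talos write-up lists as brute-force targets.
WATCHED_USERS="admin guest oracle osmc pi root test ubnt ubuntu user"

# Print the watched accounts present in a passwd file that still have a
# usable login shell; accounts already set to nologin/false are not listed.
audit_accounts() {
    awk -F: -v users="$WATCHED_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) watch[u[i]] = 1 }
        ($1 in watch) && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# Print the effective value of an sshd_config keyword. sshd honours the FIRST
# non-comment occurrence of a keyword, so later duplicates are ignored; if the
# keyword is absent, the compiled-in default passed as $3 is returned.
# Assumption: no Match blocks (their conditional overrides are not parsed).
sshd_effective() {
    cfg="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

# Return 0 if the config disables direct root login and password
# authentication; otherwise report each weak setting and return 1.
# Defaults are OpenSSH's documented ones.
check_sshd() {
    cfg="$1"; rc=0
    root_login=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    pw_auth=$(sshd_effective "$cfg" PasswordAuthentication yes)
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '$root_login' (want: no)"; rc=1
    fi
    if [ "$pw_auth" != "no" ]; then
        echo "PasswordAuthentication is '$pw_auth' (want: no)"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not from a real host): a Raspberry Pi-style
# passwd file, a weak sshd_config, and a hardened one. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/bin/bash
guest:x:1001:1001::/home/guest:/usr/sbin/nologin
ubuntu:x:1002:1002::/home/ubuntu:/bin/sh
alice:x:1003:1003::/home/alice:/bin/bash
EOF
    # The trailing "PermitRootLogin no" is ignored by sshd: first match wins.
    cat > "$dir/sshd_config" <<'EOF'
# PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
    cat > "$dir/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    printf '%s\n' "$dir"
}

# Demo run against the constructed samples.
SAMPLE_DIR=$(make_samples)
echo "Watched accounts with a login shell:"
audit_accounts "$SAMPLE_DIR/passwd"          # root, pi, ubuntu
if check_sshd "$SAMPLE_DIR/sshd_config"; then
    echo "weak sshd_config: hardened"
else
    echo "weak sshd_config: needs attention"
fi
check_sshd "$SAMPLE_DIR/sshd_config.hardened" && echo "hardened sshd_config: ok"
```

On a live host, run `audit_accounts /etc/passwd` and `check_sshd /etc/ssh/sshd_config` after sourcing the script. The weak sample fails even though it ends with `PermitRootLogin no`, because sshd takes the first occurrence of a keyword; `sshd -T` prints the configuration the daemon actually applies (including Match blocks) and is the authoritative cross-check for what this parser assumes.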

There are plenty of other methods for combating this attack to make it more difficult to be breached. But simple actions like the above are often overlooked.

Talos provided both an IP blacklist and a domain blacklist that the malware uses to determine if it should continue attempts to compromise the system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither set of blacklists, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

That is an interesting and novel approach to avoiding governmental systems. It is not unprecedented but definitely not a method often seen.

NPR has an update to a recent ransomware attack against the city of Atlanta stating the city has yet to fully recover and some governmental data remains encrypted while awaiting the ransom payment:

“Many city employees have been without access to Internet and email since Thursday after hackers locked some of its systems and demanded a $51,000 payment. The city says it completed part of its investigation of the cyberattack, but it’s working on restoring full service.”

Mayor Keisha Lance Bottoms told reporters that cybersecurity is now a top priority for the city.

“There’s a lot of work that needs to be done with our digital infrastructure in the city of Atlanta and we know that year after year, that it’s something that we have to focus on and certainly this has sped things up.”

Bottoms says the city has continued to operate despite the cyberattack.

Asked whether the city would pay the ransom to fully restore the city’s network, the mayor told reporters that she would confer with federal authorities on the best course of action.

What a horrible situation. It is terrible to read about a major city like Atlanta fighting to recover from a ransomware attack. The fact a breach of this nature, any breach in fact, occurred is unsettling. Ransomware in particular has been all over the news lately, and the city should have been prepared, even with the standard excuse of having limited funding available for cyber security.

There are a myriad of open source and inexpensive yet effective solutions available. Lack of funding is never a fully adequate excuse unless the actors are nation state. In that case, almost no organization or enterprise is safe.

Atlanta should have been proactively defending its IT assets rather than just waiting around for the worst to happen. That the mayor made the above statement in the middle of recovery efforts demonstrates a complete and utter lack of awareness and interest in budgeting for these events before they happen. There is almost no worse way to approach cyber security. Much like safety, it needs to be in the budget, and the correctly experienced cyber security professionals need to be employed to manage the defenses.

This is a hard-learned lesson for Atlanta, and one they likely will not forget anytime soon.

TechCrunch reports the Cambridge Analytica story may have just taken a turn for the worse with Chris Wylie, the whistle-blower responsible for these powerful allegations, stating the 50M number was merely a safe number to share with the media:

Giving evidence today, to a UK parliamentary select committee that’s investigating the use of disinformation in political campaigning, Wylie said: “The 50 million number is what the media has felt safest to report — because of the documentation that they can rely on — but my recollection is that it was substantially higher than that. So my own view is it was much more than 50M.”

Somehow I am unsurprised the number will ultimately turn out to be much larger than Facebook is willing to admit. The company is in damage control, especially after having lost $60B in value since the shocking revelations were unveiled almost ten days ago.

Facebook has previously confirmed 270,000 people downloaded Kogan’s app — a data harvesting route which, thanks to the lax structure of Facebook’s APIs at the time, enabled the foreign political consultancy firm to acquire information on more than 50 million Facebook users, according to the Observer, the vast majority of whom would have had no idea their data had been passed to CA because they were never personally asked to consent to it.

Instead, their friends were ‘consenting’ on their behalf — likely also without realizing.

In my own anecdotal testing, I have found that while most people are conscious that Facebook is not necessarily to be trusted, they never thought these applications operated the way they do. That is to say, nobody I have spoken with understood that their friends’ data, or their friends-of-friends’ data, would be shared with third-party applications they interacted with on Facebook. That these applications were knowingly surveilling Facebook accounts is complete news to most of the people I talked to.

This whole story keeps getting worse as the days pass. I wonder how long it will take, and what else will be revealed, before it hits rock bottom.

Federal News Radio reports on the US Navy’s attempt to remove a management bureaucracy layer by eliminating the previous executive-level Navy Chief Information Officer position:

A memo signed last Friday by Thomas Modly, the new undersecretary of the Navy, effectively eliminates the office of the Department of the Navy chief information officer, formerly an influential, separate position within the Secretary of the Navy’s organizational chart.

Going forward, Modly himself will take over the pro-forma title of DON CIO along with all of its responsibilities and authorities. A handful of staff will remain assigned to a restructured and downsized office, but only to handle the IT duties that federal law explicitly requires the secretaries of the military departments to perform.

The changes to the CIO role come as part of a broader management restructuring Modly directed just a few months after his confirmation as the Navy’s number-two civilian official.

The memo fully eliminates the deputy undersecretary of the Navy for management, the organization that, until last week, oversaw the DON CIO and some other functions, including its Office of Strategy and Innovation.

On the surface this sounds like a really bad idea(tm). There needs to be some senior executive leadership overseeing how the Department of the Navy handles not just information technology assets, but the associated cyber security requirements to adequately defend Navy networks.

The new arrangement appears to de-emphasize the notion that the two sea services should operate under one set of IT policies, but also reflects the realities of the different directions the Navy and Marine Corps have taken. The split was noticeable after a 2013 restructuring of what had previously been a single contract for a fully-outsourced Navy-Marine Corps Intranet (NMCI).

In the intervening years, the Navy and Marine Corps have chosen to pursue different models under the Navy’s Next Generation Enterprise Network (NGEN) contract.

The Marines have opted for a fully government owned-and-operated network known as the Marine Corps Enterprise Network (MCEN), including a cloud computing strategy that relies largely on a Marine-operated cloud computing center in Kansas City (MCEITS).

Meanwhile, the Navy has leaned toward an operating model in which it owns most of its infrastructure, but relies on the NGEN contract to perform most of the day-to-day labor involved in running its IT networks in the continental U.S.

Modly’s decision to devolve more control to the services also potentially reduces confusion about the various positions in the Navy that can lay claim to the title of CIO.

NMCI has been nothing short of an utter train wreck. It is no surprise the Marine Corps pulled out of that disaster to go its own separate, more agile way of handling IT. Not only are the Marines doing it for less cost, but the service levels have dramatically increased. I never heard a single person who was happy with NMCI.

Government owned, government operated is a far better model than allowing a contractor to come in and nickel and dime the Navy for every little thing they do. NMCI, and by extension the Overseas Navy Enterprise Network (ONE-NET), have never been truly successful. I foresee NGEN turning into the same type of disaster ONE-NET was unless there are some major modifications made to the way the contract is executed.

The Navy has done, and continues to do, things its own way compared to the rest of the US military. After all, this is the department still paying Microsoft to support Windows XP because there are too many outstanding deployments of the operating system in mission critical areas. Rather than paying to upgrade those systems, the Navy is paying for security patches. This is just outright unfathomable. So maybe it makes sense that the Navy has opted to eliminate the CIO position because, it could be argued, they were not doing their job to begin with.

Bottom line, removing the CIO position demonstrates a lack of understanding of what role a CIO should play in a major organization like the Department of the Navy. I am extremely concerned about the direction the Navy is going and wonder what unintended consequences there will be from this change.

Science is reporting on a major economic-focused cyber campaign, alleging Iran breached 320 universities as well as government agencies and companies for the purpose of stealing research:

Nine Iranians working on behalf of the Islamic Revolutionary Guard Corps hacked the computers of 7998 professors at 320 universities around the world over the past 5 years, an indictment filed by a federal grand jury alleges. The hackers stole 31.5 terabytes of documents and data, including scientific research, journals, and dissertations, the indictment alleges. Their targets also included the United Nations, 30 U.S. companies, and five U.S. government agencies.

The “massive and brazen cyber assault” is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” U.S. Attorney Geoffrey Berman of the Southern District of New York, where the indictment was filed, said at a press conference this morning. The hacks came to light through investigations by the Federal Bureau of Investigation and reports from victims. “The hackers targeted innovations and intellectual property from our country’s greatest minds,” Berman said, adding that they went after data and research from many fields.

According to the indictment, 3768 of the hacked professors were at 144 U.S. universities, and the attackers stole data that cost these institutions about $3.4 billion to “procure and access.” The accused allegedly set up an institute in Iran called Mabna that coordinated and paid for the hacks. The defendants then sold the stolen data through two websites, Gigapaper and Megapaper. The institute, the indictment says, aimed to “assist Iranian universities, as well as scientific and research organizations, to obtain access to non-Iranian scientific resources.”

The indicted Iranians are not in the United States, and therefore this legal maneuver likely means very little. Although the indictment carries weight in countries where the US has extradition treaties, these Iranians are probably not in any jeopardy of being caught or having their lives ruined. So the indictment was largely a political move more than anything.

Iran has been in the news a few times lately, and it appears they are attempting to step up their cyber operations. This is the first time I have heard of Iran hacking for economic reasons rather than conducting politically or militarily oriented attacks.