http://www.seeker.com/heres-how-to-stop-russian-cyber-hacking-2149775375.html
Quote
TECH | Dec 16, 2016 07:04 AM ET
Here's How to Stop Russian Cyber-Hacking
The U.S. government, businesses and regular people need to step up to protect themselves against theft and political espionage.
BY ERIC NIILER
Yahoo. The Democratic National Committee. San Francisco's public transit system. Your home Internet router. It seems as though every day brings news of cyberattacks against U.S. institutions, companies and regular people. Experts say that there are ways to fight back, and that we need to do more — as individuals and a nation — to protect ourselves from cyber criminals and tech-savvy despots in the first place.
Some measures require Congress to appropriate taxpayer money, such as the $3.1 billion that President Obama requested earlier this year to upgrade the federal government's outdated computer systems with new hardware and software. It's just one aspect of a $19 billion cybersecurity overhaul across federal agencies that's part of the budget that Congress still hasn't approved.
Other initiatives are far simpler, such as educating people to not download unknown files, respond to unusual Facebook messages, or fall prey to deceptive "spear-phishing" emails that steal passwords and personal data.
"You have to teach people to wash their hands in cyberspace," said Herbert Lin, senior research scholar for cyber policy and security at Stanford University's Hoover Institution. "That's a hard thing to do. Saying: 'Don't use your technology for what it was designed to, or just don't use computers' — that's not useful."
Enforcing "cyber hygiene" would cut down on more than 80 percent of cyber attacks and cyber thefts, according to Lin. In fact, it was just that kind of mistake that a staffer at the Democratic National Committee made last year that allowed Russian hackers to infiltrate the DNC's servers in 2015, steal emails from Clinton aides, and then sow political mischief throughout the 2016 election, according to a recent New York Times report.
In October, malware embedded in residential internet routers and DVRs helped orchestrate a large-scale distributed denial of service (DDOS) attack on the East Coast that shut down Amazon, Netflix, Twitter and other major websites. The following month, a ransomware hack shut down San Francisco's public transit ticketing system for a few days after Thanksgiving.
As a member of President Obama's cybersecurity task force, Lin helped craft recommendations to prevent these kinds of attacks in a report released Dec. 1. These included a labeling system to help consumers assess the security of computer products and services, and potentially making companies liable for internet-connected devices that can be hacked and made to cause damage.
"There's no silver bullet," Lin said of the task force's work, which its members hope to present to President-elect Donald Trump's transition team.
The report states that the federal government needs to develop a roadmap for sharing information about threats with the tech industry and developing computer networks with better security, as well as imposing standards for internet-connected components in automobiles, houses, cameras and other devices that make up the "internet of things."
The task force spent eight months on the 100-page report, but with new allegations about Russia's intervention in the U.S. presidential election, some observers are wondering whether Trump or his team will even read the document. On Wednesday, intelligence officials told NBC News that Russian President Vladimir Putin was personally involved in the operation against Hillary Clinton's campaign in an attempt to help elect Trump.
Trump has repeatedly said that he doesn't believe the C.I.A.'s assessment that Russia's government hacked the Democratic National Committee to bolster Trump. The White House and members of Congress have pledged to investigate the matter.
"One thing we will have to see is whether Russia feels emboldened and hasn't suffered major consequences, at least in public," said Ben Buchanan, a postdoctoral fellow at Harvard University's Cyber Defense Project. "Maybe they will use that first round in the U.S. as a springboard for activities in Europe. That's why deterrence is such a key part. It's not just a question of defending, but establishing consequences if this kind of behavior continues."
The cybersecurity commission hopes to meet with Trump's transition team before Christmas, but no such meeting has yet been announced. In an interview with NPR that aired Friday, President Obama vowed retaliatory action against Russia for its meddling in the US presidential election.
Elections are scheduled in coming months in France, Germany, Sweden and the Netherlands and leaders there worry they could be the next target unless President Obama can make Putin stop.
"Given the audacity and the impact of the attack, it must cause a response from the United States," said Matthijs Veenendaal, strategy branch chief at NATO's Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. "There are a lot of elections coming up, there is a lot of unrest in Europe and a lot of opportunities for causing mayhem."
The problem is how to respond to Russia without stirring up a cyber-war between Russia and the West.
"It is something we are grappling with as well, all western democracies," said Veenendaal, who formerly ran the Dutch military's cyberdefense program. "This is not something easy to defend against, and it's even harder to respond against."
Instead of trying to punish Putin in some kind of cyber-based counterattack, perhaps it might be better to push Russia off the world stage until it behaves. That's an idea floated by Scott Borg, director of the U.S. Cyber-Consequences Unit, a think tank that advises federal agencies and corporate partners about ways to protect computer systems.
"We don't bribe countries to make them behave in the markets, we don't punish countries by attacking them if they behave badly in the markets," said Borg, an economist. "The main thing that keeps international economics honest is that if you aren't playing by the rules, you get shut out."
Borg suggested that Western nations consider blocking Russia from taking part in international trade pacts, meetings or treaties.
"We need to change the game," Borg said. "Otherwise the problem will get worse."
Here is another...
http://foreignpolicy.com/2016/10/12/how-to-win-the-cyber-war-against-russia/
Quote
VOICE
How to Win the Cyberwar Against Russia
Vladimir Putin's brazen attack on U.S. democracy demands that the Obama administration respond with a firm hand.
BY JAMES STAVRIDIS OCTOBER 12, 2016
The basic facts about Russia's election-year hacking of the American political system are clear. For more than a year, the Russian government has repeatedly infiltrated the computers of both parties' presidential campaigns to steal data and emails to influence the outcome of the election. In response, the Obama administration has promised a "proportional" response against Russia.
What's much less clear is what a "proportional" response could mean. This is an unprecedented situation for the American national security establishment — which means the Obama administration's response will set a precedent for future foreign-directed cyber-plots.
The first thing the U.S. government will have to determine is whether the Russian actions rise to the level of an attack — something that would require a direct U.S. response. There are many examples of cyber-infiltration that fall short of that designation, qualifying rather as nuisance activities or even garden-variety espionage. The activities in question, however, cross an important political and operational threshold by attempting to influence the American public on behalf of one of the candidates for the presidency. Most egregiously, the release of internal Clinton campaign emails violates a wide variety of U.S. laws, and the potential release of material related to her email server investigation late in the campaign season could have extraordinary impact on the election.
These are actions that affect the heart of the U.S. democratic process. They may not exhibit physical damage of the sort that we saw in North Korea's attack on Sony Pictures, which did millions of dollars of damage to hardware. But the political and symbolic meaning of Russia's actions nonetheless elevate them to something requiring a response.
When an attack has been identified, the next step is to attribute it — to determine whom to hold responsible. U.S. intelligence officials seem to have already done this, at least to the satisfaction of the White House. But it's worth remembering that attribution is especially challenging in the world of cyber-conflict. The Russians have managed to cling to a veneer of deniability, at least in public, by relying on a clever pattern of cut-out agents, ranging from Russian cyber-criminals to WikiLeaks founder Julian Assange. This is a version of the hybrid warfare we've seen used so effectively in the attacks in Ukraine and the annexation of Crimea — essentially using the cyber-equivalent of the unmarked soldiers (so-called little green men) that led the fight into Ukraine.
After attribution, the final step is to craft a response. The cybersphere is not immune to the universal legal norms that require a nation to respond to an attack in proportional fashion. In other words, you can't destroy the Russian electric grid in response to email hacks. From a strategic perspective, the response should also be timely (although at a time and place of the responder's choice) and distinctive — that is, it should bear a clear and specific relationship to the original attack that is recognizable to all.
With all this in mind, there are a variety of responses that the Obama administration should be considering against Russia.
The first response should be a definitive exposure of the Russian government's presumably high-level involvement in the attacks. The U.S. case against Russia may be convincing, but the White House has chosen so far to keep parts of it classified. Revealing the names of the officials who authorized the cyberattacks against the United States would put Moscow in an extremely uncomfortable position. Ideally, the United States could reveal emails or conversations between Russian officials that demonstrated their intent to undermine the U.S. electoral process. Such revelations would likely lead to U.N. condemnations and further economic sanctions against Russia, inflicting additional damage to its economy. They would also potentially expose U.S. intelligence sources and methods, but there are ways to sanitize the material to minimize those risks.
Second, the United States could undermine the Russian government's reliance on a wide variety of cyber-tools to censor the web within its own country by exposing them to the public. While not actively manipulating the Russian web, the National Security Agency could "out" the code and tool sets used by the Kremlin, thus permitting activists (and citizens) to avoid the manipulation and censorship more effectively. As a response to the Russian attacks on the U.S. democratic system, this would be both proportional and distinctive.
A third and more aggressive approach would be to use U.S. cyber-capabilities to expose the overseas banking accounts and financial resources of high-level Russian government officials, up to and including President Vladimir Putin, who is widely rumored to hold billions of dollars in offshore accounts shielded from his public. While Washington should refrain from destroying or manipulating financial records, which would be an escalation, simply exposing the level of corruption among the officials who authorized the political cyberattacks in the United States would be strategically and morally sound.
Fourth, the United States could use its own offensive cyber-tools to punish Russian hackers by knocking them off-line or even damaging their hardware. This response would be open to objections that it represents an unwarranted escalation. But under prevailing international law, if a nation has information of a nexus of offensive activity, has requested it to stop, and the offending nation declines to do so, that offensive center is liable for attack. The burden of proof for attribution would be higher in crafting such a response; it would be viable only if Washington had definitive information on the command and control centers that launched the hacking activity. But given the brazen level of Russian activity, this at least warrants a serious discussion by the U.S. government.
Fifth, and finally, the United States should think about how our allies can be helpful in this situation. NATO partners have significant capability and could be helpful in much of this. All democratic nations have a stake in pushing back against this blatant interference in the democratic political process.
All of this should be done in a very careful, measured fashion. The potential for miscalculation and escalation is high. But that potential pertains both to a possible overreaction as well as an under-reaction by the U.S. government. The president and his senior national security and economic teams will have to seriously (but, hopefully, swiftly) deliberate on a course of action. And the NSA and U.S. Cyber Command should prepare to carry out whatever actions they settle on. (Whatever else happens, these events have already proved why it's to everyone's benefit that Cyber Command will soon be elevated by the military to the status of a full combatant command.)
An old Russian saying is: "Probe with bayonets. If you encounter steel, withdraw. If you encounter mush, continue." The bayonets of today are the bits of the cybersphere. The United States needs to show some steel or face much worse to come.
http://www.csoonline.com/article/3146642/security/playing-cyber-defense-is-not-enough-to-win.html
Quote
Playing cyber defense is not enough to win
Sometimes offensive attacks are a necessary part of the game
By Kacy Zurkus
Writer, CSO | DEC 7, 2016 5:00 AM PT
While the San Francisco 49ers are leading the NFL in defense, the New Orleans Saints currently hold the number one slot for total offense. In the overall league rankings, though, neither of those two teams ranks in the top 10.
What's the takeaway? Winning isn't strictly about strong offense or impenetrable defense. NFL league leaders advance to the top because they know how to balance the two; they know how to play the game.
To address the growing number of attacks on the US government and private sector systems, President-elect Donald Trump's cybersecurity plan aims to, "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately."
The proposition begs the question of whether the security industry needs to consider whether preemptive, offensive cyber attacks are the wave of the future.
Jeff Bardin, CIO of Treadstone 71, said that counterstriking is being done to some degree, though quietly. "In cybersecurity, if the team is only focused on defense, they will never be able to score. They can't win the game," said Bardin.
Those using offensive attacks do so quietly because, "The cyber laws are not clearly defined," Bardin said. "The government makes counterstrikes because they are defending the country under the laws of warfare, but they won't defend against civilian infrastructure."
Private citizens have the right to defend themselves and their homes against criminals, but "If a person tries to break into your 'cyber house', the law hasn't been clearly defined," said Bardin.
If, however, offensive attacks are viewed through a cyber/property perspective, rather than a legal perspective or even a capabilities perspective, it is reasonable to believe that offensive hacks fall within the confines of the wider idea of self defense.
In their 2011 research paper, "Mitigative Counterstriking: Self-defense and Deterrence in Cyberspace," arguing for the use of active defense, Professor Jay P. Kesan and Carol M. Hayes of the University of Illinois wrote, "Passive defense methods are not used consistently enough to have a perfect deterrent effect, and are all but useless against attacks utilizing zero-day exploits."
The problem with commercial offensive cyber attacks is that no private enterprise wants to talk about (or admit to using) the strategy for fear of legal liability issues. Kesan and Hayes argued, "Mitigative counterstriking is also legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending the law or by reinterpreting it."
Dave Aitel, CEO and owner, Immunity, agreed that while the law is pretty clear in most cases, there has traditionally been some flexibility with interpreting it. "We've been using prosecutorial discretion to make it not such a big deal for when big companies break the law for what we think are pretty good reasons," Aitel said.
When Google played a little tit for tat with the Chinese, they weren't prosecuted. "On its face, what Google did was illegal," said Aitel. It's entirely possible but far less plausible that Google is not alone in its decision to retaliate against a known attacker.
Perhaps it is time for the larger industry to have an open and honest conversation about the proper and necessary role of offensive security and to consider broader interpretations of the law?
In a recent blog post, Aitel proposed, "We want to have a chilling effect on cyber economic espionage while providing the beginnings of the ability to deal with wide ranging international systemic threats such as the Mirai worm, leveraging the deep bench of penetration testing talent and resources available in the private sector to do this without impacting our intelligence community missions."
Aitel's proposition, if it comes to fruition, could create an arm of law enforcement that would build a reliable partnership between the government and the private sector. Short of that happening, though, should enterprises be engaging in offensive attacks?
"I do believe we should do it. I think people are doing it, and a lot of people are putting structure around that," said Bardin. Because security in the commercial sector is largely about passive defense, those teams that rank top in defense aren't leading in the league overall.
"It's not working," said Bardin, "this passive defensive model of sit, wait stop, limit data. Most people don't properly build their infrastructure, most developers don't build security in."
From his experiences in law enforcement, serving as a CSO, and working as a security consultant, Larry Johnson, CSO, Cybersponse said, "Offensive is the last resort."
One concern with counter striking is that there is nothing definitive, said Johnson, so they could end up in a game of whac-a-mole. "Yes, you could wipe them out, but they could pop up somewhere else. Nothing is ever 100 percent offensive."
What's more important is being able to gather intelligence, which is best done by involving law enforcement. "You could really end up starting a cyberstorm, so I recommend always involving law enforcement, particularly because of de-confliction," said Johnson.
Conflict resolution demands concession, and in most cases diplomacy wins over many other tactics. "Law enforcement will work with the company and shortly thereafter they can go offensive, but I'd never go offensive without law enforcement," Johnson said.
Because security functions in nearly equal parts proactive and active mode, the best way to minimize potential damage is by limiting the human error through security awareness.
When those processes and procedures are in place, and they have an incident response plan, they can test them which will lead to important conversations. "They can talk about offensive attacks to disrupt attacks in process so that you know you are in compliance and that you have the right to do this or that," Johnson said.
The bigger challenge to winning the game is not in offense or defense as much as it is in planning. Johnson said, "If you plan for it and everyone has looked at it and signed off, you don't have to worry, but a lot of companies don't plan for it."
Because there seems to be some ambiguity in interpreting the law, aggressively responding might not be the most prudent path. Dana Simberkoff, chief compliance and risk officer at AvePoint, said that outside of attacking their attackers, there are lots of things enterprises can do to be proactive.
"Understand the data that you hold, the more valuable, the more likely you are to be attacked," Simberkoff said. Companies that collect more data than they need and keep it forever in the hopes that it will someday be useful are putting their data at greater risk.
"It's counterintuitive to best security practices. Even Snowden was not particularly creative. That should have been able to have been prevented," said Simberkoff. The mistakes aren't necessarily in the technical part of defense, but in the human errors.
"I've worked with privacy and security teams that definitely believe that responding in an aggressive way is the approach they should take, but I still feel like most vulnerabilities can be addressed by education and good policies and procedures," Simberkoff said.
That's why the teams that are topping the ratings charts in the NFL aren't the ones who are ranking first in either offense or defense. They are the ones that are holistically playing a better game.
https://www.youtube.com/v/X5P-VYxPNrk?list=PLfaSGHp0IgDBzfD8dnJ3CpklC2vNkbtiD
https://www.youtube.com/v/33R-W8foNlo
How to Stop Your Home From Being Hacked
Billions of new objects are being connected to the internet of things (IoT), and it's going to change your life.
However, if you are not careful, this change may not be in the positive way that is expected.
As more home devices get connected to the internet, new doors get opened for hackers to potentially access your personal information. Any hacking of this data could have dire consequences to your personal life, career, or financial security.
Today's infographic from RefiGuide gives context around IoT hacking, including the range of security concerns created by new IoT devices and suggestions on how you can protect yourself.
IOT HACKING ISN'T NEW
Did you know that former Vice President Dick Cheney had a Wi-Fi enabled pacemaker? His cardiologist disabled this feature in 2007 to ensure that hackers couldn't control his heartbeat. While this seems like the plot from the TV series Homeland (it was), that doesn't make it any less possible.
Internet security experts have been warning for years about the dangers of a more connected world. To date, we've seen the following examples of IoT hacks:
- Jeep recalled 1.4 million vehicles after it was proven they could be hacked remotely
- Same goes for a Ford Escape, using a physical connection and laptop
- Over 100k IoT devices were used to block traffic to sites such as Twitter and Netflix in a DDoS attack
- Samsung "smart fridges" were found to leave Gmail login credentials vulnerable to hackers
Despite thousands of new IoT devices hitting the market, the fact is that many lack sufficient encryption features. This makes them particularly vulnerable.
Further, connected devices provide multiple entrances for would-be hackers: the device, connected devices, data centers, and communication channels are all possible access points.
HOW TO PROTECT YOURSELF
Until manufacturers are able to guarantee that basic cybersecurity measures are in place for new IoT devices, there are a few ways you can protect yourself.
First, make strong passwords for your router and connected devices, and consider disabling them when you are away from home for extended periods of time. Don't connect devices that you don't need – consider holding off on your Wi-Fi connected "smart fridge" until it is something you truly need.
Next, create segmented networks at home for your IoT devices, PC and mobile, and guests. Give each of them different tiers of access, such that someone hacking the IoT network will not be able to tap into your personal data.
Lastly, keep your router firmware up-to-date. This is the programming it uses to function, and regularly updating firmware (either automatically or manually) means that it will be less vulnerable to hacks.
http://www.visualcapitalist.com/stop-home-iot-hacking/
(http://2oqz471sa19h3vbwa53m33yj.wpengine.netdna-cdn.com/wp-content/uploads/2017/01/infographic-stop-home-hacked.png)
U want cyber security? STOP using closed source software.
NO MORE MICROSOFT, APPLE IOS, etc.
Go GNU
http://www.visualcapitalist.com/cybersecurity-threat-insiders-outsiders/
What is the Greatest Cybersecurity Threat: Insiders or Outsiders?
JEFF DESJARDINS on January 16, 2017 at 12:28 pm
Quote
In a short two years, it is safe to say that the prospect of cybercrime has suddenly shifted to be a top concern for many decision makers around the world.
It started with the explosive hacks that rocked companies like Sony, JP Morgan, Target, and other well-known brands. More recently, it was the release of thousands of hacked emails from the DNC and John Podesta, along with the allegations of Russian hacking, that has led the news cycle.
As a result, it is not surprising that much of today's narrative on cybercrime is centered around the devastating potential of external threats to countries or businesses. The reality is, however, that there is a whole other side of things to consider.
ARE INSIDERS OR OUTSIDERS THE GREATEST CYBERSECURITY THREAT?
While external threats like cybercriminals or hackers are an ongoing concern for organizations, it is actually malicious insider attacks that tend to cause the most damage on average (in terms of costs).
Today's infographic from Digital Guardian explains the differences, methods, and typical costs associated with each kind of cybersecurity threat.
(http://2oqz471sa19h3vbwa53m33yj.wpengine.netdna-cdn.com/wp-content/uploads/2017/01/cybersecurity-threats-infographic.jpg)
Quote
Is it insiders or outsiders that pose the greatest threat to organizations? The answer seems to be both, and for very different reasons.
INSIDERS OR OUTSIDERS?
Outside threats such as cybercriminals, nation state-sponsored attacks, competition-sponsored attacks, and hacktivists are certainly more sophisticated in their approaches, but they also lack the credentials and information that insiders may hold. For that reason, the most likely root cause of data breaches involves both insider and outsider threats together.
Strictly in terms of costs, it's malicious insider attacks that pose the biggest cybersecurity threat to organizations. When weighted for attack frequency, the average annualized cost of such an attack is $144,542 per year according to the Ponemon Institute.
This puts it above DoS attacks, but by a relatively small margin:
Type of cyberattack              Avg. cost per attack, weighted by frequency
Malicious insiders               $144,542
Denial of services               $126,545
Web-based attacks                $96,424
Phishing & social engineering    $85,959
Malicious code                   $81,500
Stolen devices                   $33,565
Malware                          $7,378
Viruses, worms, trojans          $1,900
Botnets                          $1,075
Can we just go back to using only cash and checks now ... ?
Quote from: aldermanparklover on January 12, 2017, 06:26:24 PM
U want cyber security? STOP using closed source software.
NO MORE MICROSOFT, APPLE IOS, etc.
Go GNU
Using Open Source software does not suddenly make you secure.
True
http://www.bbc.com/news/technology-38724082
Quote
Massive networks of fake accounts found on Twitter
24 January 2017
Massive collections of fake accounts are lying dormant on Twitter, suggests research.
The largest network ties together more than 350,000 accounts and further work suggests others may be even bigger.
UK researchers accidentally uncovered the lurking networks while probing Twitter to see how people use it.
Some of the accounts have been used to fake follower numbers, send spam and boost interest in trending topics.
Hidden purpose
On Twitter, bots are accounts that are run remotely by someone who automates the messages they send and activities they carry out. Some people pay to get bots to follow their account or to dilute chatter about controversial subjects.
"It is difficult to assess exactly how many Twitter users are bots," said graduate student Juan Echeverria, a computer scientist at UCL, who uncovered the massive networks.
Mr Echeverria's research began by combing through a sample of 1% of Twitter users in order to get a better understanding of how people use the social network.
However, analysis of the data revealed some strange results that, when probed further, seemed to reveal lots of linked accounts, suggesting one person or group is running the botnet. These accounts did not act like the bots other researchers had found but were clearly not being run by humans.
His research suggests earlier work to find bots has missed these types of networks because they act differently to the most obvious automated accounts.
The researchers are now asking the public via a website and a Twitter account to report bots they spot to help get a better idea of how prevalent they are. Many bots are obvious because they have been created recently, have few followers, have strange user names and little content in the messages.
The network of 350,000 bots stood out because all the accounts in it shared several subtle characteristics that revealed they were linked.
These included:
- tweets coming from places where nobody lives
- messages being posted only from Windows phones
- almost exclusively including quotes from Star Wars novels
It was "amazing and surprising" to discover the massive networks, said Dr Shi Zhou, a senior lecturer from UCL who oversaw Mr Echeverria's research.
"Considering all the efforts already there in detecting bots, it is amazing that we can still find so many bots, much more than previous research," Dr Zhou told the BBC.
Twitter deserved praise for its work on finding and eliminating bots, he added, but it was clear that skilled hackers had found ways to avoid official scrutiny and keep the bots ticking over.
The pair's most recent work had uncovered a bigger network of bots that seemed to include more than 500,000 accounts.
"Their potential threats are real and scary due to the sheer size of the botnet," he said.
It was hard to know who was behind the collections of fake accounts, said Dr Zhou, although there was evidence that a small percentage of the accounts had been sold or rented as they were now following Twitter users outside the main bot network.
"What is really surprising is our questioning on the whole effort of bot detection in the past years," said Dr Zhou. "Suddenly we feel vulnerable and don't know much: how many more are there? What do they want to do?"
A Twitter spokesman said the social network had a clear policy on automation that was "strictly enforced".
Users were barred from writing programs that automatically followed or unfollowed accounts or which "favourited" tweets in bulk, he said.
Automated responses "degraded" the experience for other users and were prohibited, he added.
"While we have systems and tools to detect spam on Twitter, we also rely on our users to report spamming," he said.
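The three account-level signals the UCL researchers describe (tweets geotagged where nobody lives, posted only from Windows phones, consisting almost entirely of Star Wars novel quotes) turned into a screening heuristic over constructed sample tweets. This is an added example, not the researchers' code; the bounding boxes, the client label, the quote list and the tweet records are all assumptions made for illustration, and the heuristic requires all three signals so that a mere fan account quoting novels from a real city is not flagged.

```python
"""Screen accounts for the linked-bot fingerprint described in the article.

Added example, not the UCL researchers' code. Everything below the imports
is constructed for illustration.
"""
import re
import string
from collections import defaultdict

# Assumed: rough lat/lon boxes where nobody lives (open ocean, polar ice).
# A real screen would consult a population-density raster instead.
# Each box is (lat_min, lat_max, lon_min, lon_max).
UNINHABITED_BOXES = [
    (-10.0, 10.0, -40.0, -20.0),     # mid-Atlantic
    (-90.0, -70.0, -180.0, 180.0),   # Antarctic interior
]

# Assumed client label as it would appear in a tweet's "source" field.
WINDOWS_PHONE_SOURCE = "Twitter for Windows Phone"

# Constructed stand-in for a corpus of novel quotes.
QUOTE_CORPUS = {
    "Do. Or do not. There is no try.",
    "The Force will be with you. Always.",
    "Never tell me the odds!",
    "I have a bad feeling about this.",
}

_PUNCT = str.maketrans("", "", string.punctuation)


def normalize(text):
    """Lowercase, strip punctuation and collapse whitespace for matching."""
    return re.sub(r"\s+", " ", text.translate(_PUNCT)).strip().lower()


NORMALIZED_CORPUS = {normalize(q) for q in QUOTE_CORPUS}


def in_uninhabited_area(lat, lon):
    return any(lat_min <= lat <= lat_max and lon_min <= lon <= lon_max
               for lat_min, lat_max, lon_min, lon_max in UNINHABITED_BOXES)


def account_signals(tweets):
    """Compute the three signals for one account's tweets.

    An account with no geotagged tweets gets uninhabited_share 0.0, so the
    location signal can never fire on missing data.
    """
    n = len(tweets)
    geotagged = [t for t in tweets if t["lat"] is not None and t["lon"] is not None]
    windows_only = n > 0 and all(t["source"] == WINDOWS_PHONE_SOURCE for t in tweets)
    uninhabited_share = (
        sum(in_uninhabited_area(t["lat"], t["lon"]) for t in geotagged) / len(geotagged)
        if geotagged else 0.0
    )
    quote_share = sum(normalize(t["text"]) in NORMALIZED_CORPUS for t in tweets) / n if n else 0.0
    return {"windows_only": windows_only,
            "uninhabited_share": uninhabited_share,
            "quote_share": quote_share}


def flag_linked_bots(tweets, min_share=0.9):
    """Group tweets by account; return accounts showing all three signals."""
    by_account = defaultdict(list)
    for t in tweets:
        by_account[t["account"]].append(t)
    flagged = []
    for account, ts in by_account.items():
        s = account_signals(ts)
        if (s["windows_only"] and s["uninhabited_share"] >= min_share
                and s["quote_share"] >= min_share):
            flagged.append(account)
    return sorted(flagged)


def tw(account, source, lat, lon, text):
    return {"account": account, "source": source, "lat": lat, "lon": lon, "text": text}


# Constructed sample: two bots, one human, one fan account quoting novels
# from a real city (Windows client + quotes but inhabited location).
SAMPLE_TWEETS = [
    tw("bot_a", WINDOWS_PHONE_SOURCE, 2.0, -30.0, "Do. Or do not. There is no try."),
    tw("bot_a", WINDOWS_PHONE_SOURCE, -80.0, 45.0, "The Force will be with you. Always."),
    tw("bot_b", WINDOWS_PHONE_SOURCE, -3.5, -25.0, "Never tell me the odds!"),
    tw("bot_b", WINDOWS_PHONE_SOURCE, 5.0, -35.0, "I have a bad feeling about this."),
    tw("human_c", "Twitter for iPhone", 51.5, -0.12, "Late train again, classic Monday"),
    tw("human_c", "Twitter for iPhone", None, None, "Anyone seen the new bot report?"),
    tw("fan_d", WINDOWS_PHONE_SOURCE, 51.5, -0.12, "Do. Or do not. There is no try."),
    tw("fan_d", WINDOWS_PHONE_SOURCE, 48.85, 2.35, "Never tell me the odds!"),
]

if __name__ == "__main__":
    for account in sorted({t["account"] for t in SAMPLE_TWEETS}):
        print(account, account_signals([t for t in SAMPLE_TWEETS if t["account"] == account]))
    print("flagged:", flag_linked_bots(SAMPLE_TWEETS))
```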
https://www.thecipherbrief.com/article/tech/cyber-proxies-central-tenet-russias-hybrid-warfare-1092?
Quote
Cyber Proxies: A Central Tenet of Russia's Hybrid Warfare
FEBRUARY 24, 2017 | LEVI MAXEY
Cyber operations remain at the forefront of confrontations between the West and Moscow as relations between them continue to deteriorate. Russia initially asserted itself in 2007 with "patriotic hackers" launching a volley of distributed denial of service (DDoS) attacks on Estonian systems. Then in 2008, cyber attacks preceded the Russo-Georgian war, and again in 2014 before Russian annexation of Crimea and large swaths of eastern Ukraine.
Throughout this period, Russian President Vladimir Putin and his Kremlin cohort have shown a capacity for hybrid warfare, a blend of conventional, irregular, and cyber warfare. The term describes a way of approaching geopolitical relations with subtle deception and information operations backed by military might. This is a modern twist on Soviet-era "active measures," – intelligence agencies' movement beyond mere collection into disinformation, subversion, and use of proxy organizations, political parties, and criminals to expand Russian influence. The term hybrid warfare can be so broadly applied that it almost becomes meaningless, but two of its central tenets – the use of proxies and cyber attacks for plausible deniability – are worth exploring in the Russian context.
So how does the Kremlin work through proxies in cyberspace, and what is the character of its relationships with those entities?
Sarah Geary, a senior analyst on FireEye's Horizons team, argues "the Russian government itself is advanced in its cyber capabilities, but it also has access to Russian hackers, hacktivists, and the Russian media. These groups disseminate propaganda on behalf of Moscow, develop cyber tools for Russian intelligence agencies like the FSB and GRU, and hack into networks and databases in support of Russian security objectives."
The involvement, according to U.S. intelligence, of state-sponsored proxies in last year's Democratic National Committee breach is apparent in the sanctions placed on Russian individuals and institutions in December. Not only are two Russian intelligence agencies, the FSB and the GRU, and their leadership listed, so are two individuals, Aleksey Belan and Evgeniy Bogachev, as well as three private institutions, for providing technical assistance to Russian intelligence.
For example, code from the Zeus malware allegedly developed by Bogachev to steal banking credentials also appeared in a number of spear-phishing emails as part of Russia's politicized hacking campaign. Known criminal infrastructure, such as King Servers, acted as a launch pad for numerous political hacks in the United States, including the DNC breach. In another instance, the Kremlin's technology conglomerate, Rostek, contracted Alexander Vyarya, a programmer working at the time for the Russian cybersecurity firm Qrator, to amplify DDoS attacks, not to mitigate them. Once he witnessed the disruptive program tested on Ukraine's Defense Ministry, Vyarya fled to Finland, seeking asylum.
Geary argues, "Russian-language hackers are the main proxy group working with Russian intelligence on cyber operations. The government usually allows cybercriminals to operate from Russia as long as the criminals do not go after Russian targets. This impunity gives the government leverage over hackers for their cooperation in developing malware or pursuing Russian government targets." For example, Dmitry Dokuchayev, a former criminal hacker known as Forb, agreed to work for the FSB in order to avoid prosecution for credit card fraud.
However, it is not clear to what degree the Kremlin directs these proxies. Many of these examples are circumstantial – anyone can commandeer malware for their own use, hijack criminal infrastructure to launch attacks, or build an online persona to divert attention. These indicators do not, on their own, ascribe cyber operations to the Russian government, despite their use of proxies. Ed Cabrera, the Chief Cybersecurity Officer at Trend Micro and former Chief Information Security Officer at the Secret Service, argues "it is too much of a gray area and we get into a trap by saying all of these cybercriminals and all this activity is all state-sponsored."
This inability to adequately differentiate between criminal and government activity in cyberspace may be the strategic environment the Kremlin actively seeks. Cabrera argues that "maybe they encourage this gray area because it creates a level of doubt for those that might be attacked by Russian cyber espionage groups. In other words, keeping their adversaries on their toes."
"Ultimately," Cabrera maintains, "asking who is working for whom is the better question. With the amount of money being made by these cybercriminal groups, it could be a corruption issue as well as a political and espionage issue." The possibility of corrupt officials with specific skills moonlighting as cybercriminals for extra income is high in any country, let alone Russia, a country run through semi-official liaisons alongside burgeoning crime. Cabrera points out that "there have been proxies from a physical espionage perspective for years, either through companies, criminal groups, or other countries – it's normal. It appears, however, to be a newer phenomenon to work with or through proxies in cyberspace."
But while digital forensics are unable to adequately attribute proxies, both technical and traditional intelligence are capable of bridging the gap. Geary points out that "it is only by fleshing out the specific tactics, techniques, and procedures and cyber infrastructure of each proxy group, the relationships between the groups, and how the cyber operation fits in with their motivations that it becomes clearer who is ultimately behind a cyber incident."
Ultimately, Geary maintains, "intelligence is key to attribution – particularly in this tangled web of Russian cyber proxies."
https://www.thecipherbrief.com/article/tech/tallinn-manual-20-stepping-out-fog-cyberspace-1092
QuoteTallinn Manual 2.0: Stepping Out of the Fog in Cyberspace
MARCH 1, 2017 | LEVI MAXEY
Cyberspace is often portrayed as a new domain of international relations – a Wild West where there are no rules or guiding principles to govern the behavior of states. Such perceptions of anarchism have bred uncertainty over what is or is not acceptable activity among governments. This often leads to brash accusations of cyber attacks meeting the threshold of an act of war. At the same time, the blurred distinction between offensive and defensive capabilities in cyberspace creates a security dilemma, fueling a destabilizing cyber arms race.
Fortunately, there are hundreds of years of international law that can put norms surrounding cyberspace into motion. However, where does international law apply to countries' operations in cyberspace, and what can states do to mitigate uncertainty surrounding cyber operations that lead to a potentially destabilizing cyber arms race?
The effort to place cyber activity firmly within international law first began after a series of denial of service attacks targeting Estonian sites in 2007, and then again in Georgia in 2008. Following these campaigns, primarily Euro-Atlantic countries congregated in Tallinn, Estonia, to establish the NATO Cooperative Cyber Defence Centre of Excellence, a multinational hub of cyber defense and international law expertise.
Led by Michael Schmitt, a Professor at the U.S. Naval War College, the Centre published the Tallinn Manual on the International Law Applicable to Cyber Warfare in 2013. Now known as Tallinn 1.0, the manual sought to create legal clarity over the use of cyber capabilities in war. While high-risk, such instances are ultimately unlikely, with the few potential exceptions of the Stuxnet worm discovered sabotaging Iran's nuclear ambitions in 2010 and the disk-wiping malware destroying over 35,000 computers belonging to oil giant Saudi Aramco in 2012. Furthermore, having a manual that solely explored cyber activity during wartime could alone be destabilizing – hammers only see nails if the sole question is whether a cyber attack constitutes an act of war or not.
Therefore, Schmitt, and a more diverse group of international law experts, including some from countries such as China, Japan, and Thailand – as well as contributions from over 50 states through the Hague – endeavored to create Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations to explore the international legal landscape of cyber activity during peacetime – launched last month at the Atlantic Council in Washington. Wolff Heintschel von Heinegg, the Chair of Public Law at the Europa-Universität Viadrina and one of the legal experts who worked on both Manuals, argues "the Tallinn Manual 2.0 is an honest effort aimed at identifying the legal principles and rules applicable to cyberspace, which is to provide political leaders, operators and others a basis for evaluation of the legality of their cyber operations." Tallinn 2.0 finds that there is a robust body of language governing cyber operations already, providing 154 "black letter" rules governing activity in cyberspace.
However, while experts were able to unanimously agree on the wording of such rules, their interpretation and application remain contentious, as shown in the different views displayed in the manual's commentary. Where disagreement emerges should signal a focus for states moving forward in establishing international norms in cyberspace. Under international law, for instance, states cannot direct attacks on "civilian objects," as it would constitute a war crime, but is data considered an "object"? While the manual maintains that it is not – simultaneously asserting that "essential civilian functions" are off limits – it suggests that doing so opens the door for states to interpret the law of sovereignty differently, therefore creating a legal gray area.
For example, with the breach of the Democratic National Committee in the lead-up to last year's U.S. elections fresh in mind, some would argue that the attack constituted a coercive intervention into U.S. domestic affairs, as it manipulated the democratic process in ways it was not meant to be, and therefore breached the law of sovereignty. Others, however, would argue that the DNC hack and subsequent leaks do not constitute coercive intervention in U.S. domestic affairs as it was truthful information being provided to a liberal electorate.
While this legal gray zone is intentionally operated in by states, the United States should be wary of raising the standard of sovereignty in cyber operations, as doing so could restrict many U.S. actions in cyberspace. While espionage is not directly covered under international law, Rhea Siers, former Deputy Assistant Director for Policy at the National Security Agency, and Sharon Cardash, former Security Policy Advisor to Canada's Minister of Foreign Affairs, note that expert opinions in Tallinn 2.0 "diverged on the question of remotely conducted computer network exploitation, which is the mainstay of intelligence organizations like the U.S. National Security Agency."
"On this point, the manual notes that its participants 'were incapable of achieving consensus as to whether remote cyber espionage reaching a particular threshold of severity violates international law,'" they say.
International law should not only be understood as restricting, but also clarifying avenues of response. The manual provides a framework in which states can react to cyber operations against them. Should an attack remain within the bounds of international law – for example, espionage operations such as the Office of Personnel Management breach – states can respond with retorsion, or an unfriendly yet legal action such as imposing sanctions. Should a state breach international law with a cyber attack, such as a sufficient infringement on sovereignty or targeting of critical infrastructure, the law of self-defense and proportionality kick in. For example, the United States could respond to an attack with countermeasures, or acts that would otherwise be unlawful, but are carried out in response to an unlawful act to return the original offender to a lawful course of action. This could include "hacking back," such as responding to the Sony breach by targeting North Korea's cyber infrastructure and proportionally disrupting their functions, or rather than responding in-kind with cyber, instead, block legal passage of North Korean sea vessels along American shorelines.
However, Heintschel von Heinegg notes, "the problem with countermeasures in response to unlawful cyber attacks is attribution. Only if the cyber attack can be attributed to a given state with a strong level of certainty is it possible to resort to countermeasures against that state." If attribution is wrong, the responding state will be in breach of international law and susceptible to countermeasures themselves.
The use of proxies to conduct cyber operations on behalf of states is important in this regard, as it blurs what is already a difficult process of attribution. Siers and Cardash note that "Tallinn 2.0 looks to the ways in which a state may or may not be 'in effective control' of non-state actors, whereby 'factors to consider include financing, equipping, and target selection.'" Furthermore, should cyber attacks be launched from a third party, such as North Korea attacking U.S. systems from China, then the country being used as a launch-pad has a due diligence obligation – to the extent that is feasible – to halt serious attacks emanating from their territory. Should it not adequately fulfill this obligation, the third party – in this case China – could open itself up to countermeasures. Ultimately, the level of certainty in attribution demanded depends on the situation, while the policy response depends on the certainty of attribution.
So while establishing international norms in cyberspace – much like in any other domain – has proven challenging, the portrayal of cyberspace as an ungoverned domain, wholly outside the realm of established international law, is not only misleading, but undermines the very international norms states seek to establish. The more governments have a common understanding of how each other will operate in cyberspace, the less likely cyber operations will result in escalation.
http://www.realcleardefense.com/articles/2017/05/04/cyber_wars_terror_trinity_means_motive_and_opportunity_111312.html
QuoteCyber War's Terror Trinity: Means, Motive, and Opportunity
By Ian Fairchild May 04, 2017
In March of 2003, I commanded an EC-130 Compass Call, an aircraft configured to perform tactical command, control, and communications countermeasures, over the skies of Iraq. My crew's mission was to jam enemy communications and help allied forces preserve Iraq's oil infrastructure. During these missions, we positioned ourselves some distance from the intended target, while an electronic warfare officer controlled jamming functions using a keyboard located in the back of the aircraft.
While this mission demonstrates how developments in cyber technology can be used to further US security interests, a little more than a decade later a young man named Junaid "TriCk" Hussain aligned himself with the Islamic State of Iraq and al-Sham (ISIS), and undertook his own form of electronic warfare. Sitting comfortably away from his targets, like my orbiting EC-130, he used a keyboard to launch attacks through cyberspace. Specifically, Hussain built "kill lists" of US military personnel and published them online. He leveraged the increasing power and reach of social media to call for terror attacks against Western interests. These brash moves quickly attracted the attention of the US government. Ultimately, an airstrike from an unmanned aircraft killed TriCk in 2015.
The most alarming piece of Hussain's terrorism journey is not hacking Gmail accounts, helping lead the CyberCaliphate, or even publishing a kill list. Rather, it is his willingness to undertake the actions in the first place, and the ease with which he could do so. Hackers like TriCk, and those under his tutelage, seek to combine means, motive, and opportunity to exact harm. They operate free from the legal tethering of a nation state, obfuscate their computer code to hide their origin, and have utter disregard for human life. Put simply, Hussain's actions prove a single keystroke can turn the unfathomable into reality. While Hussain is gone, many others like him threaten US security through cyber terrorism.
The means to conduct such an attack used to reside solely inside the minds of especially talented computer scientists, elite hackers, and well-resourced intelligence agencies. Today, the means are downloadable and online, lowering the barrier to entry. Search engines like Shodan, a platform for seeking out Internet-connected devices, facilitate the process of finding vulnerable infrastructure, including those within hospitals and utility companies. Once found, an attacker need only couple his or her discoveries with software such as Metasploit to launch a successful attack with relatively little skill.
Motivations are shifting, too. Terrorists no longer seek to negotiate, as might have been assumed prior to the attacks on September 11, 2001, when passengers on hijacked aircraft would likely comply with demands, under the longstanding presumption hijackers' motives were not to destroy the plane, but rather to land and conduct a ground negotiation. On that day, nineteen terrorists, motivated by the intent to kill civilians and terrorize the United States, shattered this long-held paradigm.
US medical and transportation sectors still do not approach security from the point of view which assumes malevolent actors intend to exploit vulnerabilities and cause harm. Technology and distance embolden criminals like Hussain to engage in previously unimaginable conduct, such as live-streaming rape and broadcasting murder. Yet somehow the notion of a sustained attack, via cyberspace, against patients in a large US hospital remains all but inconceivable. In fact, despite citing unsecure medical devices as a serious threat, less than 25 percent of respondents in a recent Ponemon Institute study crafted a strategy to address the issue.
The reality is, means and motivation will eventually unite with opportunity. Opportunity for attack abounds within especially vulnerable US medical and transportation sectors. One dismaying statistic: nine out of ten hospitals still use Windows XP, an antiquated operating system that Microsoft no longer supports, and that contains well-documented vulnerabilities. Likewise, security researchers have demonstrated automobile flaws which allow remote access to acceleration and brakes. Hackers have locked medical professionals out of critical hospital systems and demanded ransom, and attacked San Francisco's Muni transportation system using similar tactics.
For those who still think terrorists will not try to kill citizens in hospitals and transportation systems via cyberspace, Hussain's activity should dispel these falsehoods and prompt all relevant stakeholders to action. Several organizations have responded accordingly. Last year, the Food and Drug Administration issued guidance for complying with post-market medical device regulations (http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm482022.pdf), the Presidential Commission on Enhancing National Cybersecurity met with a distinguished panel of advisers to discuss cybersecurity in healthcare and the protection of connected medical devices, and the Department of Health and Human Services formed a task force to address the same issue. Social media companies have also endeavored to temper hateful speech.
While laudable, these efforts are insufficient. They come to fruition in industries where incentives to secure infrastructure are misaligned or do not exist, and in settings lacking the resources to hire cybersecurity professionals. Overcoming these challenges and defending US citizens against the next Hussain will require collaborative partnerships between government and the private sector, a fundamental adjustment in existing healthcare and transportation structures, and a realization despicable tweets will likely give way to more motivated individuals conducting deliberate attacks.
Boundary-pushing ideas like software liability to hold manufacturers liable for software flaws and consumer device "nutrition labels" to help the public make informed choices on cybersecure products have the potential to propel stagnant industries towards addressing cybersecurity vulnerabilities. Still, it will take increased engagement between the private and public sectors to effect real change, in the same way such efforts to make seatbelts mandatory helped reduce fatalities on dangerous highways.
Hussain's unbridled motivation completed the triumvirate required to take life via cyberspace. Undoubtedly, others will follow, almost certainly with more sinister goals. The means for attack are low-cost, easily obtainable, and will persist. The remaining task is to make the United States the land without opportunity.
http://www.reuters.com/article/us-usa-trump-cyber-idUSKBN1872L9
QuoteTrump signs order aimed at upgrading government cyber defenses
By Dustin Volz | WASHINGTON
U.S. President Donald Trump signed an executive order on Thursday to bolster the government's cyber security and protect critical infrastructure from cyber attacks, marking his first significant action to address what he has called a top priority.
The order seeks to improve the often-maligned network security of U.S. government agencies, from which foreign governments and other hackers have pilfered millions of personal records and other forms of sensitive data in recent years.
The White House said the order also aimed to enhance protection of infrastructure such as the energy grid and financial sector from sophisticated attacks that officials have warned could pose a national security threat or cripple parts of the economy.
The directive, which drew largely favorable reviews from cyber experts and industry groups, also lays out goals to develop a more robust cyber deterrence strategy, in part by forging strong cooperation with U.S. allies in cyberspace.
White House homeland security adviser Tom Bossert said the order sought to build on efforts undertaken by the former Obama administration.
Among the notable changes, heads of federal agencies must use a framework developed by the National Institute of Standards and Technology to assess and manage cyber risk, and prepare a report within 90 days documenting how they will implement it.
'PRACTICE WHAT THEY PREACH'
The Obama administration had encouraged the private sector to adopt the voluntary NIST framework. But it did not require government agencies to do so, which opened it up to criticism as it frequently scrambled to respond to major hacks, such as the theft of more than 20 million personnel records from the Office of Personnel Management.
Government agencies would now "practice what they preach," Bossert told reporters during a White House briefing. "A lot of progress was made in the last administration, but not nearly enough."
Michael Daniel, who served as White House cyber security coordinator under former Democratic President Barack Obama, generally praised the order but said it was largely "a plan for a plan."
Trump, a Republican, has also asked agencies to review their federal workforce's cyber talent, an area where the government has faced a growing shortfall of qualified personnel in recent years.
The order calls for an examination of the impact of moving agencies toward a shared information technology environment, such as through cloud computing services. It also urges voluntary cooperation with the private sector to develop better strategies to fend off and reduce attacks from botnets, or networks of infected devices.
Before taking office, Trump said he intended to make cyber security a priority of his administration. But he has raised alarm among cyber security experts by frequently using a personal Twitter account that could be hacked by an adversary. His skepticism of the conclusion by U.S. intelligence agencies that Russia hacked Democratic emails during the election to help him win has drawn criticism.
Russia has repeatedly denied assertions it used cyber means to meddle in the U.S. election.
Bossert said Russia's alleged hacks were not a motivation for the order, adding that "the Russians are not our only adversary on the internet."
https://jamestown.org/program/russian-cyber-troops-weapon-aggression/
QuoteRussian 'Cyber Troops': A Weapon of Aggression
Publication: Eurasia Daily Monitor Volume: 14 Issue: 63
By: Sergey Sukhankin
May 11, 2017 06:03 PM
Speaking to the Russian parliament (Duma) last February, Russian Minister of Defense Sergei Shoigu announced the creation of "information operations troops" ("cyber troops") within the Armed Forces. He emphasized that state "propaganda should be smart, accurate and effective" and that these new formations "will be much more efficient than the 'counter-propaganda' department that operated during the Soviet period" (TASS, February 22). It is dubious, however, that the responsibilities of "cyber troops" will be reduced solely to "propaganda." Rather, it seems that this unit is to become the main tool of Russia's offensive cyber operations as a part of "information warfare."
The official history of the Russian cyber troops goes back to 2012, when Dmitry Rogozin (at the time heading the Russian Foundation for Advanced Research Projects in the Defense Industry) addressed the issue publicly for the first time. In 2013, an anonymous source confided that formations of this kind had been established under the umbrella of the Russian Armed Forces (RBC, February 22), but at the time there was no solid evidence available. Then, in April 2015, the official state news agency TASS reported that a unit of Russian "information operations forces" were deployed to the territory of the Crimean Peninsula (TASS, April 17, 2015). Nonetheless, in the meantime, the Russian side continued to deny the existence of cyber troops. For instance, in January 2017, the first deputy director of the Russian Duma Defense Committee, Alexander Sherin, claimed that "Russia does not have such formations." Similar statements were made by top-ranking Russian officials related to security and mass communications, such as Viktor Ozerov and Alexey Volin (Interfax, January 16). This silence was interrupted only by Defense Minister Shoigu's official announcement in February.
Commenting on the main tasks of the cyber troops, Franz Klintsevych, a high-ranking member of the Russian Federation Council (upper house of parliament), identified the disclosure of subversive activities by foreign intelligence services in electronic, paper and TV media outlets. He suggested that the cyber troops would deal with such hacker attacks as their main responsibility. But this assessment fails to fully reflect the true essence and tasks of the new unit. According to Yaakov Kedmi—who used to head Nativ, the former Israeli intelligence service charged with facilitating the immigration of Jews from the Soviet Bloc—"cyber troops" exist in "all serious armies" and are subordinated to their respective defense ministries. Their main tasks are "propagandist" (propaganda and counter-propaganda) and "operational" (activities designed to distract the adversary by providing false information). Yet, he also highlighted that so-called "political propaganda" falls outside the range of responsibilities for such formations (Kommersant, February 22).
Another revealing bit of information on the secretive cyber troops can be found in research conducted by Zecurion Analytics, a Russian software company established in 2001. According to a report the firm published several months ago, Russia may be placed in the top five countries with the "most powerful" cyber troop units, in terms of the number of personnel employed (which Zecurion Analytics estimates at approximately 1,000) and financial expenditures (around $300 million per annum). The company's head, Vladimir Ylianov, has stated that the main tasks of Russian "cyber troops" include espionage, cyber attacks, and informational warfare (Kommersant, January 1). This assessment, however, also may underestimate the real capabilities of these cyber forces. Thanks to the introduction of so-called "research units," Russian cyber defense is inseparable from the Armed Forces and its resources, which exponentially increases its offensive potential (see EDM, November 30, 2016).
A somewhat different opinion was expressed by pro-Kremlin cyber security specialist Igor Panarin. He hopes that the creation of the cyber troops will allow Russia to overcome its inferiority in the cyber domain compared to other countries, like the United States, and beef up its offensive capabilities. According to the expert, the 2008 Russian-Georgian War in fact demonstrated that Russia failed to act efficiently when it came to offense, and it instead relied on "defense and containment" in its cyber operations. Panarin suggested that unlike the Department of Information and Mass Communication, which was created under the umbrella of the Ministry of Defense in 2016 and tasked with defensive activities, the cyber troops—which could and should act in concert with the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR)—will be specifically charged with conducting offensive operations in the "cyber sphere" (kiber prostranstvo) (Militarynews.ru, February 22). If accurate, this demonstrates Russia's continuing development of offensive cyber capabilities and a delineation between "cyber" and "information" operations.
Panarin also outlined a number of supplementary steps Russia needs to take, which included the following elements (Vz.ru, February 28, 2017):
The establishment of a State Council (that is to include various governmental structures, public diplomacy organizations, media sources, representatives of business, political parties and non-governmental organizations) tasked with issues related to "information confrontation" (informatsionnoye protivoborstvo—understood as a struggle in the information sphere with the broad aim of achieving information dominance over one's opponent);
The establishment of a position of a "Presidential Advisor" on information operations, tasked with the coordination of informational-analytical units connected with the "cyber troops," the Ministry of Defense, FSB, Federal Protective Service (FSO), SVR and other key ministries;
The creation of a media holding—based on existing media resources of Russian TV Channel One, All-Russia State Television and Radio Broadcasting Company (VGTRK), RT and others—subordinated to the Ministry of Foreign Affairs of the Russian Federation. It is imperative to copy the US experience while implementing this initiative, Panarin alleged; and finally
The formation of separate centers of information operations pertaining to the FSB, FSO and SVR.
Panarin's suggested program should be seen as an extremely ambitious and far-reaching strategy, fully complying with the steps and activities already conducted by the Russian side in the domain of cyber security and information operations. Within this development of the country's cyber capabilities, the Russian cyber troops should be seen mainly as an offensive operations force, and not as a defensive mechanism.
If you see this... you are infected...
(http://www.techspot.com/images2/news/bigimage/2017/05/2017-05-14-image.jpg)
(https://krebsonsecurity.com/wp-content/uploads/2017/05/wanna-580x285.png)
QuoteU.K. Hospitals Hit in Widespread Ransomware Attack
12 MAY 17
At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim's documents, images, music and other files unless the victim pays for a key to unlock them.
It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.
In a statement, the U.K.'s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks.
"This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors," the NHS said. "At this stage we do not have any evidence that patient data has been accessed."
According to Reuters, hospitals across England are diverting patients requiring emergency treatment away from the affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.
NHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of Wana Decryptor (a.k.a. "WannaCry"), a ransomware strain that surfaced roughly two weeks ago.
Lawrence Abrams, owner of the tech-help forum BleepingComputer, said Wana Decryptor wasn't a big player in the ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.
"It's been out for almost two weeks now, and until very recently it's just been sitting there," Abrams said. "Today, it just went nuts. This is by far the biggest outbreak we have seen to date."
For example, the same ransomware strain apparently today also hit Telefonica, one of Spain's largest telecommunications companies. According to an article on BleepingComputer, Telefonica has responded by "desperately telling employees to shut down computers and VPN connections in order to limit the ransomware's reach."
An alert published by Spain's national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wana Decryptor is that it is leveraging a software vulnerability in Windows computers that Microsoft patched in March.
According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.
That SMB flaw has enabled Wana Decryptor to spread to more than 36,000 Windows computers so far, according to Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.
"So far, Russia, Ukraine, and Taiwan leading," the world in new infections, Kroustek wrote in a tweet. "This is huge."
Abrams said Wana Decryptor — like many ransomware strains — encrypts victim computer files with extremely strong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing the infection does nothing to restore one's files to their original, unencrypted state.
"It's not difficult to remove, but it also doesn't seem to be decryptable," Abrams said. "It also seems to be very persistent. Every time you make a new file [on an infected PC], it encrypts that new file too."
Experts may yet find a weakness in Wana that allows them to decode the ransomware strain without paying the ransom. For now, however, victims who don't have backups of their files have one option: Pay the $300 Bitcoin ransom being demanded by the program.
Wana Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should pay a visit to BleepingComputer's ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.
Update, May 13, 9:33 a.m.: Microsoft today took the unusual step of releasing security updates to fix the SMB flaw in unsupported versions of Windows, including Windows XP, Windows 8, and Windows Server 2003. See this post for more details.
As we used to say in the 1990s:
"Protect your floppy, before you copy"
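The Krebs piece above notes that an SMB flaw lets ransomware "spread rapidly from one infected machine to another." The following is an added example, not code from the article or any of the vendors named in it, showing how a defender can spot that traffic shape in connection logs: one host initiating connections to many distinct peers on TCP/445 within a short window. The log records, the `parse_log` helper and the `smb_fanout_sources` function are all constructed here for illustration.

```python
# Added example (not from the quoted article): flag hosts that fan out to many
# distinct peers on TCP/445 in a short window, the traffic shape of a worm
# propagating over SMB. The log records below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of "timestamp src dst dport" connection records.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:05 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:06 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:07 10.0.1.41 10.0.1.5 80
"""

def parse_log(text):
    """Parse constructed records into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def smb_fanout_sources(records, window=timedelta(seconds=60), threshold=5):
    """Return {src: distinct_445_peers} for sources that reach the threshold
    within any window. A file server being contacted by many clients is
    normal; one client initiating to many peers on 445 is not."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                flagged[src] = max(len(peers), flagged.get(src, 0))
    return flagged

if __name__ == "__main__":
    print(smb_fanout_sources(parse_log(SAMPLE_LOG)))  # {'10.0.1.15': 6}
```

The threshold and window are tuning knobs; a real deployment would baseline them per network segment rather than use the constants shown.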
https://motherboard.vice.com/en_us/article/dont-draw-the-wrong-conclusions-from-the-wannacry-ransomware-outbreak
QuoteThe damage done was due to a cultural failure of corporate and government IT departments to deploy available security patches. In some measure that failure was driven by a lack of resources, driven in turn by a lack of understanding of the importance of computer and embedded systems security by management and politicians alike.
Perhaps this question is rhetorical but "Why can't we catch the *expletive deleted* that are collecting the money from these ransomware viruses?"
Some of these people have what appear to be official call centers to offer support and service to their "customers"! Where are the tomahawk missiles!? :-)
I am sure we and others are trying. Pseudo state sponsored criminals are hard to arrest... many countries do not have the resources. Following the bitcoin isn't as easy as following the money??
http://nypost.com/2017/06/05/top-secret-nsa-doc-details-russian-election-hacking-effort-report/
QuoteFederal worker busted for leaking top-secret NSA docs on Russian hacking
By Chris Perez June 5, 2017 | 5:14pm
(https://thenypost.files.wordpress.com/2017/06/usa-trump_russia-leaks.jpg?quality=90&strip=all&w=664&h=441&crop=1)
A 25-year-old federal contractor was charged Monday with leaking a top secret NSA report — detailing how Russian military hackers targeted US voting systems just days before the election.
The highly classified intelligence document, published Monday by The Intercept, describes how Russia managed to infiltrate America's voting infrastructure using a spear-phishing email scheme that targeted local government officials and employees.
It claims the calculated cyberattack may have even been more far-reaching and devious than previously thought.
The report is believed to be the most detailed US government account of Russia's interference to date.
It was allegedly provided to the Intercept by 25-year-old Reality Leigh Winner, of Augusta, who appeared in court Monday after being arrested at her home over the weekend.
She was charged with removing and mailing classified materials to a news outlet, DOJ officials said.
"Releasing classified material without authorization threatens our nation's security and undermines public faith in government," Deputy Attorney General Rod J. Rosenstein explained in a statement. "People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."
Winner, who works as a contractor at Pluribus International Corporation, allegedly leaked the report in early May. A federal official told NBC News that she had, in fact, given it to the Intercept.
According to the document, it was the Russian military intelligence that conducted the cyber attacks last year.
Specifically, operatives from the Russian General Staff Main Intelligence Directorate, or GRU, are said to have targeted employees at a US election software company last August and then again in October.
While the name of the company is unclear, the report refers to an undisclosed product made by VR Systems — an electronic voting services and equipment vendor in Florida that has contracts in eight states, including New York.
The hackers were given a "cyber espionage mandate specifically directed at U.S. and foreign elections," the report says.
On August 24, 2016, the group sent the employees fake emails, which were disguised as messages from Google. At least one of the workers was believed to be compromised.
In late October, the group established an "operational" Gmail account and posed as an employee from VR Systems — using previously obtained documents to launch another spear-phishing attack "targeting US local government organizations," the report says.
According to the NSA, the hackers struck on either October 31 or November 1, sending spear-phishing emails to at least 122 different email addresses "associated with named local government organizations."
They were also likely sent to officials "involved in the management of voter registration systems," the report says.
The emails were said to have contained weaponized Microsoft Word attachments, which were set up to appear as unharmful documentation for the VR Systems' EViD voter database — but were actually embedded with automated software commands that are secretly turned on as soon as the user opens the document.
The hack ultimately gave the Russians a back door and the ability to deliver any sort of malware or malicious software they wanted, the report says.
In addition, the NSA document also describes two other incidents of Russian meddling prior to the election.
In one, the hackers posed as a different voting company, referred to as "US company 2," from which they sent phony test emails — offering "election-related products and services."
The other operation was said to be conducted by the same group of operatives, and involved sending emails to addresses at the American Samoa Election Office, in the attempt to uncover more existing accounts before striking again.
It is ultimately unclear what came of the cyberattack, but the NSA report firmly states that the Russians had been intent on "mimicking a legitimate absentee ballot-related service provider."
"It is unknown, whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor," the NSA states of the result of the hacking.
While the government employees were only hit with simple login-stealing tactics, experts told the Intercept that such operations could prove even more dangerous than malware attacks in some instances.
VR Systems doesn't sell voting machines, but holds contracts in New York, California, Florida, Illinois, Indiana, North Carolina, Virginia, and West Virginia — making it a prime target for those who want to disrupt the vote and cause chaos come election day.
"If someone has access to a state voter database, they can take malicious action by modifying or removing information," Pamela Smith, president of election integrity watchdog Verified Voting, told the Intercept.
"This could affect whether someone has the ability to cast a regular ballot, or be required to cast a 'provisional' ballot — which would mean it has to be checked for their eligibility before it is included in the vote," she said. "And it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed."
At least one US intelligence official admitted to the Intercept that the Russian hackers described in the NSA report could have disrupted the voting process on November 8, by specifically targeting locations where VR Systems' products were in use. They cited the simple possibility of compromising an election poll book system, which could cause widespread damage in certain places.
"You could even do that preferentially in areas for voters that are likely to vote for a certain candidate and thereby have a partisan effect," explained Alex Halderman, director of the University of Michigan Center for Computer Security and Society.
In response to the report, VR Systems' Chief Operating Officer Ben Martin told the Intercept: "Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company."
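The article above describes Word attachments "embedded with automated software commands" that run as soon as the document is opened. The following is an added example, not code from the NY Post article, the NSA report or VR Systems, showing how a mail gateway or analyst can triage such an attachment by checking its OOXML package for an embedded VBA project and the macro-enabled content type. The `build_doc` and `classify_attachment` functions and the sample documents are constructed here; no real attachment is used.

```python
# Added example (not from the quoted article): triage a Word attachment by
# checking the OOXML package for an embedded VBA project. Sample documents are
# built in memory here so the check runs offline.
import io
import zipfile

# Real OOXML content-type strings for macro-enabled and plain Word documents.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")

def build_doc(macro_enabled):
    """Constructed minimal package; the macro-enabled variant carries
    word/vbaProject.bin and declares the macroEnabled content type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = MACRO_CT if macro_enabled else PLAIN_CT
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # Placeholder bytes stand in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()

def classify_attachment(data):
    """Return a list of findings; an empty list means no macro indicators."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc or a non-Office file: needs a different parser.
        return ["not an OOXML package; inspect separately"]
    names = set(z.namelist())
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("embedded VBA project (word/vbaProject.bin)")
    ct = ""
    if "[Content_Types].xml" in names:
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
    if "macroEnabled" in ct:
        findings.append("macroEnabled content type declared")
    return findings

if __name__ == "__main__":
    print(classify_attachment(build_doc(True)))   # two findings
    print(classify_attachment(build_doc(False)))  # []
```

A document that carries a VBA project while arriving under a plain `.docx` name is a stronger signal still, since Word will not run macros from a `.docx` but the mismatch shows intent to evade a filename filter.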
In light of recent news... this is very On Target... 8)
https://thestrategybridge.org/the-bridge/2018/7/18/social-engineering-as-a-threat-to-societies-the-cambridge-analytica-case
SOCIAL ENGINEERING IS A THREAT TO POLITICAL STABILITY AND FREE, INDEPENDENT DISCOURSE.