Cyberwar Fail

Okay, so it was pretend, could have been more realistic, and adding the natural disasters was a bit much, but today’s Cyber ShockWave proved a point: the United States is not ready to defend herself against an organized, large-scale cyber-attack. The Chinese, Russians, and a myriad of other state and criminal entities probe our cyber-defenses 24 hours a day, seven days a week, looking for weaknesses. If one or more of these actors decided to launch a coordinated, sustained cyber-assault, we could be brought down to our economic knees in a crippling world of infrastructure cyberhurt.

Report: The Cyber ShockWave and its aftermath

When it comes to the protection of the nation’s infrastructure, the government is lacking in several areas. While they have the ability to act offensively, if they know who the enemy is, the trick is to collect enough information and retaliate without violating domestic and foreign policy and law. The Tech Herald was in Washington D.C. on Tuesday to witness Cyber ShockWave. Here’s what we walked away with.

What happened?

Cyber ShockWave started with a vulnerability in the operating systems used by various Smartphones. Thanks to a malicious application, celebrating the NCAA’s March Madness, Spyware was loaded onto Smartphones that included a keylogger and data intercept component. The application was then used to funnel millions of dollars to banks overseas. From there, the data and money snatching application morphs, and the malicious application turns the infected devices into bots and adds them to a telecommunications botnet.

The bots start to download videos showing The Red Army. The downloads and resulting spread of the video flood the data networks of the major carriers, and slow them to a crawl before crippling them altogether. After that, the Malware on the Smartphones starts to replicate, thanks to sync programs linking information from the phone to a computer. Now that the computers are infected, the ISPs face the same issue the telecoms faced. In the end, both communications systems are crippled.

If this wasn’t enough, weather patterns resulting in a heat wave and hurricanes stress the electrical system. This is where things go south, on a major scale. A hurricane wrecks the petroleum refining and natural gas processing centers, and a stressed electrical grid is hurt more by Improvised Explosive Devices (IEDs) and what is assumed to be a Malware attack on the Secure Trade power trading platform.

Both incidents are deemed critical, and the former top US officials debated how to respond for most of the event. The problem is that by the end of the debates, during both sessions, there were no real answers.

Behold the confusion that is Cyber ShockWave

Can we nationalize the U.S. power system? Should the National Guard be called out? The FBI reports that they have traced the services used in the March Madness application to Russia, is retaliation called for? Two IEDs were detonated in two different power facilities, is it terrorism? According to GNN (the news source for media information during the event), there was a cyber component to the electrical outage, later assumed to be related to patches on the Secure Trade software. Was this the work of an insider? These were the topics of note, and the confusion only led to more questions and few answers.

The downside to the ShockWave, as it were, is that there were just too many levels of attack at the same time. The Cyber ShockWave exercise was to create a possible attack scenario, but not one that is total chaos. However, by adding the botnet side to the telecom attack, adding in natural disasters as well as potential terrorism on and offline, they added too much to the “Perfect Storm” that they kept referring to it as.

The malicious application causing harm to telecom and ISP networks is one scenario that is highly likely, as more and more applications make it to market and more and more people switch to Smartphones. The odds of this happening at the same time that the power grid is attacked, and a hurricane kills off oil and gas production, are simply too high to compute.

The point of it all

The main point to take away from Cyber ShockWave, at least how we see it, is that there needs to be a solid level of cooperation inside the government first, and then after that, between the government and private sector. There is no “I” in team, and when it comes to protecting the assets within the backbone of the Internet, both private and government entities have a lot to look after.

One interesting point came up when debating the Russian server, the one the FBI said was linked to the telecom attacks. Why doesn’t the government simply shut it down? The reason is that doing so could be considered an act of war. No one knows, because there is no policy or precedent for such an action.

The mirror side to this would be the question, what if the Russian server was a jumping point to a server in the U.S.? If so, can we shut it down then? What would be the reasoning? While killing a server in a foreign country could be perceived as an act of aggression, doing so on our own soil could be a violation of various laws, unless a state of emergency is ordered. Once that happens, according to the panel, the President has a good deal of leeway.

There are few limits to what the government can do in response to a threat to national security. The limits that exist are those enforced by policy and U.S. law. What this means is that while there were several ideas passed around, many of them are without precedent, so they couldn’t be acted on.

For example, there was a patch for the Smartphones, one that would fix the Malware issue. Yet, only 50 percent of consumers applied it. To prevent further attacks to the telecommunications system, you can ask the people to stop using phones, or simply force them to stop using them by turning them off. If the issue was forced, and the government did something to turn the phones off, then there would be serious consequences to deal with later.

In the end, the Bipartisan Policy Center, who put Cyber ShockWave together, had hoped that the gaps existing within the law and government policy related to cybercrime and cyberattacks would be exposed. They got their wish, as gaps in both areas were exposed. But when it comes to balance between the private and government sectors and security, it takes more than policy to make it work.

It would have added a ton of weight to the exercise if there was some sort of consultation with energy companies or telecom representatives. They were absent during the mock attacks, and their absence was felt when you consider that by the time the President was “briefed”, there was no solid plan of action as to how to deal with and recover from the incidents.

There were some smart and skilled people on the panel. Yet, the scripting made the panel come off as clueless when it came to the reach, intelligence, and overall skill of foreign attackers. The current cyber capacities of the various international terrorist groups were left completely off the table.

Overall, the Cyber ShockWave was more media hype than actual intelligence and insight. We had hoped to see some of the political heavyweights on the panel act with their full capacity and experience, but they either couldn’t or opted not to. If anything, the federal employees who attended learned that managing IT in the public world, and dealing with threats there, is nothing like attempting the same feat within the federal government.

See also:
U.S. Isn’t Prepared for Massive Cyber Attack, Ex-Officials Say
War game reveals U.S. lacks cyber-crisis skills
In a doomsday cyber attack scenario, answers are unsettling
Washington Group Tests Security in ‘Cyber ShockWave’
US networks and power grid under (mock) cyber-attack
Cyberattack simulation highlights vulnerabilities
Former officials war-game cyberattack
Former Government Officials Gather to Rehearse Cyberwar
Former top U.S. officials hold cyberattack exercise
Cyber ShockWave cripples computers nationwide (sorta)
Cyber Shockwave : Cyber-Attack to Test Government Response
Is The U.S. Ready For A Cyberwar?
25 ways to better secure software from cyber attacks
It’s Your Cyberspace Too, So Take Care Of It
Bipartisan Policy Center

/remember, this was only a test, had this been an actual emergency we would have been seriously [expletive deleted]

The Cyberwar Rages 24/7

Corporations’ cyber security under widespread attack, survey finds

Around the world, corporations’ computer networks and control systems are under “repeated cyberattack, often from high-level adversaries like foreign nation-states,” according to a new global survey of information technology executives.

The attacks include run-of-the-mill viruses and other “malware” that routinely strike corporate defenses, but also actions by “high-level” adversaries such as “organized crime, terrorists, or nation states,” a first-time global survey by the Center for Strategic and International Studies (CSIS) in Washington has found. More than half of the 600 IT managers surveyed, who operate critical infrastructure in 14 countries, reported that their systems have been hit by such “high-level” attacks, the survey concludes.

A large majority, 59 percent, said they believed that foreign governments or their affiliates had already been involved in such attacks or in efforts to infiltrate important infrastructure – such as refineries, electric utilities, and banks – in their countries.

Such attacks, the survey said, include sophisticated denial-of-service attacks, in which an attacker tries to so overwhelm a corporate network with requests that the network grinds to a halt.

But they also include efforts to infiltrate a company. Fifty-four percent of the IT executives said their companies’ networks had been targets of stealth attacks in which infiltration was the intent. In two-thirds of those cases, the IT managers surveyed said company operations had been harmed.

The IT managers also believed that these “stealthy” attacks were conducted by “nation states” targeting their proprietary data, says the survey’s main author, CSIS fellow Stewart Baker, in a phone interview. Mr. Baker is a cybersecurity expert formerly with the Department of Homeland Security and National Security Agency.

“It’s all the same kind of stuff – spear-phishing, malware, taking over the network and downloading-whatever-you-want kind of attack,” he says. “Over half of these executives believe they’ve been attacked with the kind of sophistication you’d expect from a nation state.”

The CSIS report describes such attacks as “stealthy infiltration” of a company’s networks by “a high-level adversary” akin to a “GhostNet,” or large spy ring featuring “individualized malware attacks that enabled hackers to infiltrate, control and download large amounts of data from computer networks.” The GhostNet attacks, which Canadian researchers attributed to Chinese state-run agencies, bear similarities to recent attacks on Google and other high-tech companies, Baker says. Google attributed attacks on it to entities in China.

Read the report:
In the Crossfire: Critical Infrastructure in the Age of Cyber War

See also:
In the Crossfire: Critical Infrastructure in the Age of Cyber War
Report: Critical Infrastructures Under Constant Cyberattack Globally
Utilities, Refineries and Banks Are Victims of Cyber Attacks, Report Says
Critical Infrastructure under Siege from Cyber Attacks
Critical Infrastructure Vulnerable To Attack
Critical Infrastructure Security a Mixed Bag, Report Finds
Report shows cyberattacks rampant; execs concerned
Key infrastructure often cyberattack target: survey
Critical infrastructure execs fear China
SCADA system, critical infrastructure security lacking, survey finds

Ironically, the more dependent we become on interconnected network technology, the more vulnerable we become too.

/so keep your fingers crossed and your computers patched against hacking and intrusion, at least you can do your part to avoid being part of the problem

North Korea And Friends Want To Play Computer Games

I can only hope we’re winning this game and not playing nice while doing it.

U.S., South Korea Targeted in Swarm Of Internet Attacks

U.S. and South Korean authorities yesterday were investigating the source of attacks on at least 35 government and commercial Web sites in the two countries, officials said.

In the United States, the attacks primarily targeted Internet sites operated by major government agencies, including the departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission, according to several computer security researchers. But The Washington Post’s site was also affected.

South Korea’s main spy agency, the National Intelligence Service, said in a statement that it thought the attacks were carried out “at the level of a certain organization or state” but did not elaborate. The South Korean news agency Yonhap and the JoongAng Daily, a major newspaper in Seoul, reported that intelligence officials had told South Korean lawmakers that North Korea or its sympathizers were prime suspects. A spokesman for the intelligence service said that it could not confirm the report.

The attacks were described as a “distributed denial of service,” a relatively unsophisticated form of hacking in which personal computers are commanded to overwhelm certain Web sites with a blizzard of data. The effort did not involve the theft of sensitive information or the disabling of crucial operational systems, government and security experts said. But they noted that it was widespread, resilient and aimed at government sites.

Earlier this year, a number of South Korean news organizations reported that North Korea was running a cyberwarfare unit targeting military networks in South Korea and the United States. And North Korea, along with other countries, is known to be looking into U.S. cybersecurity capabilities and vulnerabilities, said Daniel T. Kuehl, an expert on information warfare at National Defense University.

See also:
US and S Korea fall victim to cyber-attack
US officials eye North Korea in cyber attack
North Korea a suspect in cyber attacks in US
North Korea may be behind White House cyberattack
Cyber Attack Finds More Targets
The U.S.-South Korea Cyberattack: How Did It Happen?
How a Brute-Force Cyberattack Works
National Intelligence Service
National Intelligence Service (South Korea)
National Defense University
Why Are We Not Stomping North Korea’s Guts Out?

Gee, with all their belligerent shenanigans lately, you’d think North Korea was really anxious to get their asses kicked.

/the question is, will we oblige them?

Powered By Microsoft Windows

With Bill Gates and crew protecting our ATMs with Windows, just thank God your bank accounts are insured by the FDIC up to $250,000.

ATM Vendor Halts Researcher’s Talk on Vulnerability

An ATM vendor has succeeded in getting a security talk pulled from the upcoming Black Hat conference after a researcher announced he would demonstrate a vulnerability in the system.

Barnaby Jack, a researcher with Juniper Networks, was to present a demonstration showing how he could “jackpot” a popular ATM brand by exploiting a vulnerability in its software.

Jack was scheduled to present his talk at the upcoming Black Hat security conference being held in Las Vegas at the end of July.

But on Monday evening, his employer released a statement saying it was canceling the talk due to the vendor’s intervention.

“Juniper believes that Jack’s research is important to be presented in a public forum in order to advance the state of security,” the statement read. “However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack’s presentation until all affected vendors have sufficiently addressed the issues found in his research.”

In the description of his talk on the conference web site, Jack wrote that, “The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATM’s. The presentation will explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM.”

Jack did not disclose the ATM brand or discuss whether the vulnerability was found in the ATM’s own software or in its underlying operating system. Diebold ATMs, one of the most popular brands, run on a Windows operating system, as do some other brands of ATMs.

Diebold did not respond to a call for comment.

Earlier this year, Diebold released an urgent alert (.pdf) announcing that Russian hackers had installed malicious software on several of its Opteva model ATMs in Russia and Ukraine. A security researcher at SophosLabs uncovered three examples of Trojan horse programs designed to infect the ATMs and wrote a brief analysis of them. Last month another security research lab, Trustwave’s SpiderLabs, provided more in-depth analysis of malware used to attack 20 ATMs in Russia and Ukraine of various brands.

According to SpiderLabs, the attack required an insider, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM. Once that was done, attackers could insert a control card into the machine’s card reader to trigger the malware and give them control of the machine through a custom interface and the ATM’s keypad.

The malware captured account numbers and PINs from the machine’s transaction application and then delivered it to the thief on a receipt printed from the machine in an encrypted format or to a storage device inserted in the card reader. A thief could also instruct the machine to eject whatever cash is inside the machine. A fully loaded ATM can hold up to $600,000.

It’s unclear if the talk Jack was scheduled to give addresses the same vulnerability and malware or a new kind of attack.

See also:
Juniper Nixes ATM Security Talk
ATM vendor gets security talk pulled from conferences
Researcher barred from demoing ATM security vuln
Jackpotting ATM Machines courtesy of the Jolly Roger
Barnaby Jack
Embedded Problems
Exploiting Embedded Systems, Blackhat 2006 (Barnaby Jack)
Black Hat ® : The World’s Premier Technical Security Conference
Black Hat ® Technical Security Conference: USA 2009
Juniper Networks
SophosLabs
SpiderLabs — About Us — Trustwave
Diebold

Jackpotting ATMs, kind of like playing a slot machine where you win first time, every time and it pays out in twenties.

/all I can say is that I’m sure glad Barnaby Jack is one of the good guys

Hacking Back At The Chinese And Russians, The White Hat Cavalry

Gates Creates Cyber-Defense Command

Defense Secretary Robert M. Gates issued an order yesterday establishing a command that will defend military networks against computer attacks and develop offensive cyber-weapons, but he also directed that the structure be ready to help safeguard civilian systems.

In a memo to senior military leaders, Gates said he will recommend that President Obama designate that the new command be led by the director of the National Security Agency, the world’s largest electronic intelligence-gathering agency. The current NSA director, Lt. Gen. Keith B. Alexander, is expected to be awarded a fourth star and to lead the cyber-command.

Gates or his deputy had been expected to announce the command in a speech a week ago. Analysts said making the announcement by memo is in keeping with the Pentagon’s effort to tamp down concerns that the Defense Department and the NSA will dominate efforts to protect the nation’s computer networks.

“Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “That’s a legitimate question, and I think DoD will resist having that happen. But there are issues of authorities that haven’t been cleared up. What authorities does DoD have to do things outside the dot-mil space?”

The command will be set up as part of the U.S. Strategic Command, which is responsible for commanding operations in nuclear and computer warfare. Gates directed that the command be launched by this October and be fully operational by October 2010.

In a speech last week, Deputy Defense Secretary William Lynn stressed that the command’s mission would be to defend military networks. However, he said, “it would be inefficient — indeed, irresponsible — to not somehow leverage the unrivaled technical expertise and talent that resides at the National Security Agency” to protect the federal civilian networks, as long as it is done in a way that protects civil liberties.

See also:
Military Command Is Created for Cyber Security
Pentagon approves creation of cyber command
Defense Secretary Orders Cyberspace Command
Gates approves creation of new cyber command
US Creates Military Cyber Command to Defend Computer Networks
Pentagon: New cyber command focuses on military network
US sets up anti-computer-hacking unit
Cyberspace: The New Battlefield
Welcome to the National Security Agency – NSA/CSS
National Security Agency
U.S. Strategic Command
Strategic Command
United States Strategic Command
Air Force Cyber Command
Air Force Cyber Command (Provisional)
Navy Cyber Defense Operations Command (NCDOC)
Welcome to Fort George G. Meade
Fort George G. Meade
Center for Strategic and International Studies ( CSIS )
Center for Strategic and International Studies

/since you insist on [expletive deleted] with our networks, we’ll [expletive deleted] with yours, and we’re better at it