Jun 15, 2013
 

Pressure builds on US over Hong Kong civilian hacking allegations

Politicians on all sides say the US needs to answer allegations it hacked targets including territory’s businesses and universities

The Guardian
by Tania Branigan & Jonathan Kaiman  (Hong Kong)
June 13, 2013

 

Protesters shout slogans in support of Edward Snowden in Hong Kong  (Photograph: Philippe Lopez/AFP/Getty Images)

 

Political pressure on the United States to address claims that it hacked hundreds of targets in Hong Kong has begun to build in the territory.

Pro-Beijing politicians on Thursday urged the US to clarify whether it had carried out such surveillance, as NSA whistleblower Edward Snowden alleged, and if so, immediately cease. Among the pan-democrats, Democratic party chairwoman Emily Lau suggested lawmakers should ask the US “what the hell they’re up to” and a colleague said he would like Snowden to give evidence to the legislative council.

Snowden said that the US had hacked Hong Kong targets including public officials, businesses, a university and students, as well as entities on the mainland. His claims were made in an interview with the city’s South China Morning Post, which said it had seen a document that Snowden said supported his claims. The Post added that it had not verified the material, and has not published it.

The allegations followed a string of revelations in the Guardian based on top-secret documents provided by the 29-year-old, who had worked as a computer technical assistant for Booz Allen Hamilton, on contract to the National Security Agency.

Thursday’s statement from the Democratic Alliance for Betterment and Progress of Hong Kong (DAB) – the largest pro-Beijing party in the Legislative Council – said his claims had aroused strong concern and anxieties in the territory.

It urged “that the US government immediately clarify whether it has, in accordance with its intelligence and surveillance program plans, gathered intelligence or conducted surveillance of local individuals, groups and organisations via their computers or any other communication equipment; and whether in doing so, any material has been seized.

“If the US government ever invaded or monitored any local computers or communications equipment, that it should immediately cease relevant behavior, and furthermore destroy any material that it has acquired by this means.”

It also called on the Hong Kong government to tackle the incident as soon as possible, determining whether there had been any legal violations so that Hong Kong’s privacy and freedom of communication could be protected.

James To Kun-sun, a Democrat and vice-chair of the legislature’s security panel, said that while it was perfectly legitimate for the US to carry out counter-terrorism work, the alleged hacks were unacceptable.

“I can’t imagine that the US government should hack into, say, a Hong Kong government official’s computer for anti-terrorism [purposes]. And of course I can’t imagine that our Chinese University of Hong Kong has any form of association with terrorists,” he said.

He said he wanted to understand how vulnerable the city’s systems were and to ask Snowden in more detail about his claims, but added that he would take soundings from colleagues.

Emily Lau, the chairwoman of his party, added: “Our concern is what the US government is doing to harm Hong Kong’s interests. One thing to do is to invite Snowden to come and tell us. But the most direct way would probably be to contact the US government and ask them what the hell they’re up to.”

Pan-democrat Charles Mok suggested Snowden would be unlikely to come forward given his current situation, noting that lawmakers had no powers to summon individuals.

Cyd Ho of the Labour party said that politicians should request Snowden’s own wishes, arguing the priority was making sure he received fair treatment before the law.

Snowden checked out of his hotel in Hong Kong after revealing his identity in a video posted by the Guardian on Sunday, moving to a more secure location. But he told the Post he would stay in Hong Kong and fight any US request for his surrender.

On Wednesday, Jen Psaki, a spokeswoman for the State Department in Washington, said it was not aware of the hacking claims and could not comment directly.

Snowden said his claims revealed “the hypocrisy of the US government when it claims that it does not target civilian infrastructure, unlike its adversaries”.

But Psaki added: “There is a difference between going after economic data and the issues of surveillance that the president has addressed, which are about trying to stop people doing us harm.”

Direct Link:  http://www.guardian.co.uk/world/2013/jun/13/hong-kong-demands-us-answer-hacking-allegations

May 28, 2013
 

Commission suggests hacking and hijacking the computers of suspected IP pirates

PC World
by John P. Mello, Jr
May 27, 2013

 

Should owners of intellectual property be allowed to attack anyone they suspect of pirating their goodies? That’s a question that was raised last week by the Commission on the Theft of American Intellectual Property.

While the commission’s observations about IP thieving by China grabbed most of the headlines when it released its 90-page report last week, buried in the document was a disturbing analysis of the merits of offensive cyber operations by rights holders that, if given legal life, could do some serious harm to the digital lives of many consumers.

The commission—made up of former U.S. government officials and military men—is interested in protecting corporate and government networks from IP thieves, but some of their action points, if they became legal, could easily be used by groups like the protecting corporate and government networks from IP thieves to bully consumers.

2013 IP Commission Report

 

A slippery, dangerous slope

At issue is something in cyber security circles known as “active network defense,” which has more to do with offense than defense.

“When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action,” the commission report [PDF] noted.

“While not currently permitted under U.S. law,” the report continued, “there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network.”

One example given is writing software designed to lock down the computer if run by unauthorized users. If you want to access your computer again, you’d have to call the cops for an unlock code. Legalized ransomware, in other words.

Corporate vigilantes need not stop there, according to the commission. They could photograph hackers using the cameras built into the miscreant’s computer, infect the hacker with malware, or physically disable the suspected IP thief’s computer.

No doubt, some rights holders would salivate at the thought of launching cyber attacks on outfits they say are online paradises for IP thieves and their clientele.

If counterattacks against hackers were legal, the commission said, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft.

“These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking these activities in the first place,” it maintained.

Keep in mind, if you have some pirated movies or songs on your computer, you could be deemed an IP thief and have nasty things done to your system by rights holders if counterattacks were legalized.

 

Slow your roll

Nevertheless, the commission pulled up short of putting its stamp of approval on online vigilantism.

“The Commission is not ready to endorse this recommendation because of the larger questions of collateral damage caused by computer attacks, the dangers of misuse of legal hacking authorities, and the potential for nondestructive countermeasures such as beaconing, tagging, and self-destructing that are currently in development to stymie hackers without the potential for destructive collateral damage,” it said.

The panel didn’t entirely shut the door on the issue, though.

“[C]urrent law and law-enforcement procedures simply have not kept pace with the technology of hacking and the speed of the Internet,” the commission said. “Almost all the advantages are on the side of the hacker; the current situation is not sustainable.”

Direct Link:  http://www.pcworld.com/article/2039902/commission-suggests-hacking-and-hijacking-the-computers-of-suspected-ip-pirates.html

Nov 28, 2012
 

China Unveils New Killer Drones, Aims Them at Russia

WIRED
by Robert Beckhusen
November 27, 2012

 

China’s Wing Loong drone, closely modeled on the U.S. MQ-9 Reaper, on display at the China International Aviation and Aerospace Exhibition in Zhuhai. Photo: Courtesy David Cenciotti

 

Watch out, Vladimir Putin: China’s drone fleet is getting real. And judging from how Beijing is promoting its robots to the outside world, they’re aimed straight at Russia.

That’s all from a glimpse of the biennial China International Aviation and Aerospace Exhibition, held earlier this month in Zhuhai, which has become the main event for the latest in all things Chinese aircraft. It’s China’s largest aircraft expo, while also presenting an opportunity for Beijing to show off its growing robotic muscle — and potential buyers in the developing world. But until recently, the drones on display were usually mock-ups or drawings, not the real thing.

This year, Beijing’s most prominent new drone is the dinosaur-named Wing Loong, or Pterodactyl, according to a round-up at Defense News. The drone is reportedly operational — China has previously shown only models of the drone — and closely resembles the U.S. MQ-9 Reaper, which the Pentagon uses to bomb insurgent hideouts in Pakistan. Few foreign journalists were reportedly allowed to see it, but photos and videos that appeared online prompted ace aviation journalist David Cenciotti to remark that the Wing Loong appeared “largely copied from the U.S. version.”

But a lot cheaper. The Wing Loong reportedly comes at a rather incredible bargain price of $1 million, compared to the Reaper’s varying price tags in the $30 million range. Now, a word of caution to potential buyers: What you’re getting for that price might not be very capable. But aside from price, the Wing Loong can also reportedly fly for about 20 hours, up to a range of 2,500 miles. It also packs four “hard points” for mounting a variety of laser- and precision-guided bombs. Also pictured on Chinese television was the Wing Loong’s ground control room, similar to the ones used by U.S. drones, but with only three-screen-equipped workstations compared to the Reaper’s five.

 

 

Another drone spotted with a clear resemblance to the Reaper is the CH-4. This drone was only a scale model, but reportedly has largely similar features to the Wing Loong. Its reported maximum range is shorter: a little over 2,000 miles, but has 10 hours more endurance time. Chinese companies also showed off a number of small mini-drones, and concept photos of a number of futuristic concepts, including a robotic shark, missile-spewing drone helicopters and unmanned bombers. The tech also included plenty of non-robotic items. There was a new anti-missile missile called the FD-2000. There was a Chinese copy of the U.S. military’s line of bomb-resistant MRAP trucks, a wearable computer system for ground troops, aircraft radars and a whole mess of various machine guns, anti-aircraft cannons and bombs.

There was also a curious shift in how China was promoting its drones at Zhuhai. In recent years, a selling point for convention goers involved drones presented as U.S. warship killers. Exaggerated, yes, but a glimpse inside Chinese military thinking. In 2010, Chinese defense industries not-so-subtly advertised “bizarre renderings” that illustrated drones “swarming over aircraft carrier battle groups like angry bees,” Defense News reported. China Aerospace and Science Corporation (CASC) also displayed a mural of its WJ-600 drone firing a missile at a U.S. Arleigh Burke class destroyer.

This year, that was out. Illustrations of U.S. warships were likewise replaced by generic, stateless ships. And Russian ships. In one video seen this month, a sleek computer-animated combat drone called the Blue Shark flexed its muscles in an attack on a digitized Russian Admiral Kuznetsov class aircraft carrier.

Perhaps images of bombing the U.S. Navy were a little too politically sensitive, in a kind of reverse backtrack like what plagued the atrocious Red Dawn remake. But the boosterism about blasting American ships to the bottom has also receded as Beijing has grown more confident in showing off its working drones. In recent years, the drones on display at Zhuhai largely — and once exclusively — came in the form of models or concept art. While interesting, the mock-ups presented an optimistic picture about China’s future drone fleet like the aforementioned illustrations of drones swooping down on American warships. And as sensational as that might look, it’s a long way from a battle-ready drone fleet. But neither are operational drones sitting on the tarmac, for that matter.

But they may not necessarily need to be, if they’re for export. “We’ve been contacting many countries, especially from Africa and Asia,” Guo Qian, a director for CASC, told GlobalPost. “They are quite interested in the intermediate and short-range UAVs because they are portable and low-cost.”

Which makes sense. If you’re the leader of a small or mid-sized Latin American, African or Asian country, a relatively cheap Chinese drone (that packs a punch) might not be a bad deal — think bargain shopping for flying death robots — compared to the more pricey American or Israeli drones, which happen to lead the world market. That means even if China’s drones won’t match the U.S. anytime soon, it may still spread them far and wide. And then what happens when the drones do match the Pentagon’s ‘bots, or come close? Who knows. Though we’ll probably see it first at Zhuhai.

 

Direct Link:  http://www.wired.com/dangerroom/2012/11/zhuhai/

Nov 12, 2012
 

Why the Government’s Cybersecurity Plan Will End in Catastrophe

 

Computer World
by Rob Enderle
October 19, 2012

 

 

CIO –

Last week Defense Secretary Leon E. Panetta presented his case for an invasive system to monitor the nation’s private systems in order to better identify and respond to cyber threats.

Panetta correctly points out that the likelihood of a 9/11-scale cyber attack is real, and if something isn’t done, large sections of the U.S. infrastructure could fail. He uses as an example the successful attack on ARAMCO, a Saudi Arabian state-owned oil company, which wiped 30,000 computers, causing massive data loss and rendering them temporarily useless.

The proposed remedy is to provide the U.S. government with broad access to private systems so that malware can be quickly identified and removed and other national threats identified and stopped. The problem is that such access creates privacy issues and may itself be a bigger problem than the threat it attempts to eliminate. Not only is the requested change unlikely to happen any time soon, it may increase the potential for either a domestic or foreign cyber attack.

 

Central Network Eliminates Natural Protection

One hidden benefit in the fact that our systems often don’t share information well or have a common security structure is that attacks against infrastructure therefore have to be tightly targeted. This means an attack on one private or public system probably won’t even work on most others, since they run a variety of different security packages, operating systems and applications, all surrounded by different policies.

One of the reasons we haven’t yet had a repeat of 9/11, that is, an attack that reaches catastrophic levels, is because these systems just don’t interoperate very well or share information at a low level. The amount of work to carry out such an attack currently exceeds the resources of the attackers.

Create a central network where systems regularly and automatically share information in real time, though, and you also create a single point of access where such an attack can be perpetrated. You change an impossible problem into one that is just very difficult, and, given both public and private practices to put off spending on security until there is a credible threat or demonstrated damage, attacking this centralized system will likely get easier over time for an outside entity and may be too attractive for a properly placed disgruntled employee to pass up.

 

The government’s recent history with security is a case in point. The death of the U.S. Ambassador to Libya showcased a situation in which the risks were real, and known, yet protections were reduced. After the attack, the political system focused on finding someone to blame, not assuring that the problem wouldn’t recur.

In short, the very system Panetta is suggesting could be the key to causing the thing he is trying to avoid.

 

A Better Short-Term Cybersecurity Solution

I see several things the government could do instead.

  • Strengthen liability laws in order to fast-track the process for compensating companies that suffer damage caused by inadequate protection.
  • Assure that compensation came from the budgets of the government organizations whose systems were targeted, in a manner similar to the way insurance companies pay out settlements. This would force agencies to increase their security budgets and audit the results to ensure they aren’t too exposed.
  • Provide a common, required reporting method to report an identified attack along with a requirement for minimal legal coverage.

 

All this could be done without connecting the systems or creating a central government body to access them. There would be little additional government cost and few, if any, privacy concerns for anyone not perpetrating or directly connected to an attack. In short, such a plan would promote a higher level of prevention through better-funded protection.

 

‘Cyber 9/11′ Will Only Be Followed By More, Worse Attacks

Panetta’s plan suggests that an attack is unavoidable. The problem with a method that almost assumes an attack will happen, or requires a successful attack in order to be implemented, is that it usually does more harm than good.

After 9/11, poorly planned responses crippled the airline industry and nearly bankrupted the country, and the integration of government communication systems that could have prevented the event in the first place is still not complete.

The real concern is that we do, in fact, get hit with a 9/11 cyber attack, as the Department of Defense has anticipated, and that the response to the event either creates an even bigger financial or privacy problem or sets the stage for a much larger attack. None of these are mutually exclusive. Unfortunately, we need to anticipate such a dire outcome. If you are driven to interconnect your systems nationally, then doing it quickly, let alone at all, would be a very unwise idea.

 

Direct Link:  http://www.computerworld.com/s/article/9232604/Why_the_Government_39_s_Cybersecurity_Plan_Will_End_in_Catastrophe?taxonomyId=82

May 06, 2012
 

Chinese Espionage: The Risks Within U.S. Companies

FORBES
Eric Savitz, Forbes Staff
Guest post by Peter J. Toren
April 24, 2012

 

 


 

Peter J. Toren is a partner with Weisbrod, Matteis & Copley in Washington, D.C. Formerly a federal prosecutor with the Computer Crime & Intellectual Property Section of the Justice Department, he is also the author of Intellectual Property & Computer Crimes.

 

 

Over the past several months, Congress has heard from a slew of witnesses who have testified about the threat posed by foreign computer hackers, particularly from China, who penetrate U.S. companies’ computers and steal valuable data and intellectual property. FBI Director Robert Mueller testified that hacking could soon replace terrorism as the FBI’s primary concern. Gen. Keith Alexander, head of the military’s Cyber Command, characterized the losses caused by cybertheft as “the greatest transfer of wealth in history.”

Less attention, however, has been given to an equally insidious threat from employees or other insiders, who steal trade secrets from their corporate employers and depart with the stolen information and provide the information to foreign governments or foreign companies, most often in China. Until recently, there have been no reliable public studies about the extent of foreign economic espionage, especially with a link to China. But the results of a detailed analysis of the prosecutions under the Economic Espionage Act establish that economic espionage with a China connection also creates a great risk to the financial well-being of U.S. companies, and, in turn, to the U.S. economy.

The government has brought about 115 prosecutions under the EEA alleging theft of trade secrets. Nine have involved claims that the defendant acted with the intent to benefit a foreign government, while the remaining 106 concern allegations that the defendant intended to economically benefit a third party.  Although the government does not have to prove foreign government sponsorship to obtain a conviction in the 106 cases, an analysis of both categories of prosecutions finds a disproportionate share with a link to China.

In particular, almost 80% of the prosecutions that concern foreign government sponsorship involve allegations of direct Chinese government sponsorship. All of the thefts also involve sophisticated technology. Most recently, the government unsealed an indictment charging that a Chinese company, the Pangang Group, with ties to the Chinese government, stole trade secrets from DuPont relating to the obscure but valuable technology on how to produce titanium dioxide, a white pigment used in paints and other products. Pangang allegedly paid over $12 million to U.S. individuals for access to DuPont’s trade secrets.

In another egregious example, Dongfan Chung was found guilty on July 16, 2009, of stealing trade secrets from Boeing. Chung worked at Boeing, with a few breaks, from 1964 until September 11, 2006, when federal agents searched his home and discovered a trove of Boeing technical documents stored beneath his house relating to the space shuttle, Delta IV Rocket, F-15 Fighter, B-52 Bomber and Chinook Helicopter. The court found that Chung’s theft of Boeing trade secrets was intended to benefit a number of Chinese government agencies and sentenced him to 188 months imprisonment.

The government alleged in 21% of the prosecutions that did not involve state sponsorship that the purpose of the theft was to benefit a company in China. Again, nearly all of the thefts involved sophisticated and valuable technology. For example, on January 19, 2012, Yuan Li, a former Sanofi Aventis research chemist pleaded guilty to stealing the company’s trade secrets and selling them to a U.S. sales and distribution unit of a Chinese chemical company. In another significant case, Wen Chyu Liou was convicted of stealing trade secrets from Dow Chemical and offering to sell them to companies in China. Liou worked for Dow for 27 years and after he retired in 1992 he conspired with at least four current and former Dow employees to misappropriate the corporation’s trade secrets. He was sentenced last year to 60 months imprisonment.

Further, 86% of the cases that were adjudicated in 2010 under the EEA involved a link to China. This emerging trend confirms a government understanding that, as part of the development process, China’s intelligence services as well as private companies and other entities, frequently seek to exploit Chinese citizens or persons with family ties to China who can use their insider access to U.S. corporations to steal trade secrets.

What can and should be done to stem this transfer of wealth before it is too late?

First, Congress must put aside its partisan bickering and enact a comprehensive cybersecurity law that addresses the risks posed by Chinese hackers. The current version of the bill, which has been stalled in committee, does little to address Chinese cyberespionage. Congress should also amend the EEA to increase the penalties and to address questions created by a recent court decision. In addition, Congress should finally enact a civil trade secrets law with a broad extraterritorial effect that would permit companies that have been victims of economic espionage to sue in federal court. State laws do not entirely fill the holes left by the lack of a federal law especially since state laws do not have the extraterritorial reach, which may be critical where the theft involved a foreign entity. It is past time that trade secrets be accorded the same status as patent, copyrights and trademarks.

While waiting for Congress to act, there are a number of steps that the executive branch can and should take.

 

  • First, President Obama, even without authority from Congress, can issue a finding that would authorize agencies to monitor the Internet outside the United States and to block the exportation of files containing information stolen from the United States.
  • Second, the government should increase the number of prosecutors and agents charged with investigating and prosecuting thefts of trade secrets.
  • Third, the Justice Department should consider what it can do to improve how it investigates and prosecutes EEA cases. Currently, the authority to investigate EEA cases is divided depending on whether or not the cases are state sponsored. If they are, they are handled by counter-intelligence FBI agents and prosecutors from the Internal Security Section of the Justice Department, whereas non-state sponsored prosecutions are the responsibility of FBI agents skilled in investigating financial crimes and are prosecuted by special IP units in U.S. Attorney’s Offices and by the Computer Crime & Intellectual Property Section. Whether agents and prosecutors, who normally handle investigations and prosecutions involving spying against the United States, should be assigned matters where the victim is a U.S. corporation is open to debate.

 

While the government has stepped up investigating theft of trade secrets cases, companies should not rely on the government for protection. Corporations should carefully examine whether they are doing enough to protect their intellectual property. Tangible assets can be replaced, but intangible assets, if lost, are lost for good. Even companies that have sophisticated and elaborate trade secret protection programs should consistently reevaluate their programs and learn from the mistakes of other corporations that have been the victim of trade secret thefts. Legal experts should be included in this process to ensure that the company is not running afoul of any laws. In many of the EEA prosecutions the theft was only discovered through luck, such as where the defendant was stopped by Customs agents, while boarding a flight to China, who only found the stolen confidential documents she was carrying, after searching her because they did not find her answers to routine questions truthful. The corporation may have discovered what she was doing earlier if they had spotted a number of red flags earlier.

Companies should also reevaluate whether or not to report thefts of trade secrets to the government. Many companies are reluctant to report trade secret thefts to the government for fear of the damage to their reputations. However, while current management may save face, non-reporting is probably not in the best long-term interests of the company. A corporate policy of always reporting thefts to the government may be the best deterrent against future thefts.

Protection of intellectual property is critical to the economic well-being of the United States. When it is not protected, we lose not only jobs, productions and profits today, but also our ability to undertake the research and the investment that lead to further technological progress tomorrow.  This hurts not only today’s workers and investors, but also future generations of U.S. citizens.

 

 

Direct Link:   http://www.forbes.com/sites/ciocentral/2012/04/24/chinese-espionage-the-risks-within-u-s-companies/