Jun 15, 2013
 

Pressure builds on US over Hong Kong civilian hacking allegations

Politicians on all sides say the US needs to answer allegations it hacked targets including territory’s businesses and universities

The Guardian
by Tania Branigan & Jonathan Kaiman  (Hong Kong)
June 13, 2013

 

Protesters shout slogans in support of Edward Snowden in Hong Kong  (Photograph: Philippe Lopez/AFP/Getty Images)


 

Political pressure on the United States to address claims that it hacked hundreds of targets in Hong Kong has begun to build in the territory.

Pro-Beijing politicians on Thursday urged the US to clarify whether it had carried out such surveillance, as NSA whistleblower Edward Snowden alleged, and if so, immediately cease. Among the pan-democrats, Democratic party chairwoman Emily Lau suggested lawmakers should ask the US “what the hell they’re up to” and a colleague said he would like Snowden to give evidence to the legislative council.

Snowden said that the US had hacked Hong Kong targets including public officials, businesses, a university and students, as well as entities on the mainland. His claims were made in an interview with the city’s South China Morning Post, which said it had seen a document that Snowden said supported his claims. The Post added that it had not verified the material, and has not published it.

The allegations followed a string of revelations in the Guardian based on top-secret documents provided by the 29-year-old, who had worked as a computer technical assistant for Booz Allen Hamilton, on contract to the National Security Agency.

Thursday’s statement from the Democratic Alliance for Betterment and Progress of Hong Kong (DAB) – the largest pro-Beijing party in the Legislative Council – said his claims had aroused strong concern and anxieties in the territory.

It urged “that the US government immediately clarify whether it has, in accordance with its intelligence and surveillance program plans, gathered intelligence or conducted surveillance of local individuals, groups and organisations via their computers or any other communication equipment; and whether in doing so, any material has been seized.

“If the US government ever invaded or monitored any local computers or communications equipment, that it should immediately cease relevant behavior, and furthermore destroy any material that it has acquired by this means.”

It also called on the Hong Kong government to tackle the incident as soon as possible, determining whether there had been any legal violations so that Hong Kong’s privacy and freedom of communication could be protected.

James To Kun-sun, a Democrat and vice-chair of the legislature’s security panel, said that while it was perfectly legitimate for the US to carry out counter-terrorism work, the alleged hacks were unacceptable.

“I can’t imagine that the US government should hack into, say, a Hong Kong government official’s computer for anti-terrorism [purposes]. And of course I can’t imagine that our Chinese University of Hong Kong has any form of association with terrorists,” he said.

He said he wanted to understand how vulnerable the city’s systems were and to ask Snowden in more detail about his claims, but added that he would take soundings from colleagues.

Emily Lau, the chairwoman of his party, added: “Our concern is what the US government is doing to harm Hong Kong’s interests. One thing to do is to invite Snowden to come and tell us. But the most direct way would probably be to contact the US government and ask them what the hell they’re up to.”

Pan-democrat Charles Mok suggested Snowden would be unlikely to come forward given his current situation, noting that lawmakers had no powers to summon individuals.

Cyd Ho of the Labour party said that politicians should request Snowden’s own wishes, arguing the priority was making sure he received fair treatment before the law.

Snowden checked out of his hotel in Hong Kong after revealing his identity in a video posted by the Guardian on Sunday, moving to a more secure location. But he told the Post he would stay in Hong Kong and fight any US request for his surrender.

On Wednesday, Jen Psaki, a spokeswoman for the State Department in Washington, said it was not aware of the hacking claims and could not comment directly.

Snowden said his claims revealed “the hypocrisy of the US government when it claims that it does not target civilian infrastructure, unlike its adversaries”.

But Psaki added: “There is a difference between going after economic data and the issues of surveillance that the president has addressed, which are about trying to stop people doing us harm.”

Direct Link:  http://www.guardian.co.uk/world/2013/jun/13/hong-kong-demands-us-answer-hacking-allegations

May 28, 2013
 

Homeland Security database leaks employee information


PC World

by Ellen Messmer
May 26, 2013


 

The Department of Homeland Security (DHS) said last week it has notified employees and others with DHS clearance to be on alert for potential fraud due to a vulnerability discovered in software used by a vendor to process personally identifiable information (PII) for background investigations. The software hole had been there since July 2009.

“During the week of May 20, 2013, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports,” the DHS said in its statement “Privacy Response to Potential PII Incident.” DHS says a vulnerability in software that an unnamed vendor uses to maintain a database of background investigations had a hole in it that left open to potential unauthorized access information that includes name, Social Security number, and date of birth.

DHS says the software vulnerability has now been fixed and there’s no evidence that this PII related to DHS clearances has been stolen from the vendor-maintained database. (See also “Ten Best Practices to Prevent Data and Privacy Breaches.”)

* Follow-up resources offered

DHS has set up a call center to address any employee concerns related to the notifications and is advising affected individuals concerned about potential fraud to consider taking certain measures, such as letting potential creditors know to contact them before opening a new account in their name. DHS also listed the three credit reporting firms, Equifax, Experian, and TransUnion, saying an individual can place a fraud alert.

DHS also indicated it’s in a legal confrontation with the unnamed vendor with this background investigations database and has raised a “stop work request” while engaging with the “vendor’s leadership to pursue all costs incurred mitigating the damages.” DHS is in talks with this unspecified vendor on “notification requirements for current contractors, inactive applicants and former employees and contractors.”

DHS was alerted by a law enforcement partner of the potential vulnerability, and says it took immediate steps to address the problem with the vendor. Though DHS does not know that PII related to this security hole has been stolen, it’s investigating the matter.

Employees who submitted background investigation information, and individuals who received a DHS clearance between July 2009 and May 2013, primarily for positions at the DHS headquarters, Customs and Border Protection (CBP), and Immigration and Customs Enforcement, may be affected.

* Spreading word to former contacts

DHS also says it is making “every possible effort” to reach out to former employees, applicants, former contractors, and “similar individuals who received a DHS clearance that may be impacted.”

In its privacy notification alert, DHS sought to address concerns, such as whether employees should alert the contacts they provided for the background investigation. DHS says it has no reason to believe that kind of step is needed.

As to whether DHS will continue to work with the unnamed vendor whose software had the security hole, the Department indicated the CBP has put the brakes on work at this time while DHS is “evaluating all legal options.”

 

Direct Link:  http://www.pcworld.com/article/2039752/homeland-security-database-leaks-employee-information.html

May 16, 2013
 

The incredible U.S. military spy drone that’s so powerful it can see what type of phone you’re carrying from 17,500ft

Daily Mail / UK
by Damian Gayle
January 28, 2013

  • The ARGUS-IS can view an area of 15 sq/miles in a single image
  • Its zoom capability can detect an object as small as 6in on the ground
  • Developed by BAE as part of a $18million DARPA project
  • System works by stringing together 368 digital camera chips

A sinister airborne surveillance camera gives the U.S. military the ability to track movements in an entire city like a real-time Google Street View. The ARGUS-IS array can be mounted on unmanned drones to capture an area of 15 sq/miles in an incredible 1,800MP – that’s 225 times more sensitive than an iPhone camera. From 17,500ft the remarkable surveillance system can capture objects as small as 6in on the ground and allows commanders to track movements across an entire battlefield in real time.

 

Beat that, Google: An image taken from 17,500ft by the U.S. military's ARGUS-IS array, which can capture 1,800MP zoomable video feeds of an entire medium-sized city in real time


 

‘It is important for the public to know that some of these capabilities exist,’ said Yiannis Antoniades, the BAE engineer who designed the system, in a recent PBS broadcast. The aerospace and weapons company developed the ARGUS-IS array as part of a $18.5million project funded by the Pentagon’s Defense Advanced Research Projects Agency (Darpa).

In Greek mythology, Argus Panoptes, guardian of the heifer-nymph Io and son of Arestor, was a primordial giant whose epithet, ‘Panoptes’, ‘all-seeing’, led to his being described with multiple, often one hundred, eyes. Like the Titan of myth, the Pentagon’s ARGUS-IS (a backronym standing for Autonomous Real-time Ground Ubiquitous Surveillance-Imaging System) works by stringing together an array of 368 digital camera imaging chips. An airborne processor combines the video from these chips to create a single ultra-high definition mosaic video image which updates at up to 15 frames a second.

 

All-seeing: This graphic illustrates how the U.S. military's ARGUS-IS array links together images streamed from hundreds of digital camera sensors to watch over a huge expanse of terrain in real time


 

What it looks like: The ARGUS-IS (a backronym standing for Autonomous Real-time Ground Ubiquitous Surveillance-Imaging System) strings together an array of 368 digital camera imaging chips into a single unit


 

That tremendous level of detail makes it sensitive enough to not only track people moving around on the ground thousands of feet below, but even to see what they are doing or carrying. The ARGUS array sends its live feed to the ground where it connects to a touch-screen command room interface. Using this, operators can zoom in to any area within the camera’s field of view, with up to 65 zoom windows open at once. Each video window is electronically steerable independent of the others, and can either provide continuous imagery of a fixed area on the ground or be designated to automatically keep a specified target in the window.

 

Sinister: The system tracks all moving objects in its field of view, highlighting them with coloured boxes, allowing operators to track movements across an area as and when they happen


 

The system automatically tracks any moving object it can see, including both vehicles and individuals on foot, highlighting them with coloured boxes so they can be easily identified. It also records everything, storing approximately a million terabytes of data a day – the equivalent of 5,000 hours of high-definition video footage. ‘So you can go back and say I’d like to see what happened at this particular location three days, two hours [and] four minutes ago, and it will actually show you what happened as if you were watching it live,’ said Mr Antoniades.

 

iPad next? The feed from the ARGUS is transmitted to a touch-screen command and control interface


 

Windows: Operators can open a window to zoom in to any area within the camera's field of view, with up to 65 open and running at once


 

Total surveillance: The view of Quantico, Virginia, highlighted in the PBS film


 

For the PBS programme reporting the technology, Mr Antoniades showed reporters a feed over the city of Quantico, Virginia, that was recorded in 2009. The technology has been in development since 2007 but authorities are staying tight-lipped about whether it has yet been deployed on the battlefield.

Dr Steven Wein, director of optical sensor systems at BAE Systems, said: ‘The ARGUS-IS system overcomes the fundamental limitations of current airborne surveillance systems.

‘Very high-resolution imaging systems required for vehicle and dismount tracking typically have a “soda-straw” view that is too small for persistent coverage.

‘Existing wide-area systems have either inadequate resolution or require multiple passes or revisits to get updates.’

BAE are now said to be working on an infra-red version of ARGUS that would allow commanders total surveillance of an area even at night.

 

Direct Link:  http://www.dailymail.co.uk/sciencetech/article-2269563/The-U-S-militarys-real-time-Google-Street-View-Airborne-spy-camera-track-entire-city-1-800MP.html

Jan 14, 2013
 
James A. Lewis of the Center for Strategic and International Studies in Washington believes that recent online attacks on American banks have been the work of Iran.

Bank Hacking Was the Work of Iranians, Officials Say

The New York Times
by Nicole Perlroth & Quentin Hardy
January 8, 2013
SAN FRANCISCO —

The attackers hit one American bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later.


But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

“There is no doubt within the U.S. government that Iran is behind these attacks,” said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.

Mr. Lewis said the amount of traffic flooding American banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

They employed DDoS attacks, or distributed denial of service attacks, named because hackers deny customers service by directing large volumes of traffic to a site until it collapses. No bank accounts were breached and no customers’ money was taken.

By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of hundreds, even thousands, of networked computer servers.

These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research.

How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks.

Banks encrypt customers’ online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.

The group said it attacked the banks in retaliation for an anti-Islam video that mocked the Prophet Muhammad, and pledged to continue its campaign until the video was scrubbed from the Internet. It called the campaign Operation Ababil, a reference to a story in the Koran in which Allah sends swallows to defeat an army of elephants dispatched by the king of Yemen to attack Mecca in A.D. 571.

But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems. In the last three years, three sophisticated computer viruses — called Flame, Duqu and Stuxnet — have hit computers in Iran. The New York Times reported last year that the United States, together with Israel, was responsible for Stuxnet, the virus used to destroy centrifuges in an Iranian nuclear facility in 2010.

“It’s a bit of a grudge match,” said Mr. Lewis of the Center for Strategic and International Studies.

(On Wednesday, the Iranian government denied involvement in the cyberattacks. “Unlike the United States, which has per reports in the media given itself the license to engage in illegal cyber-warfare against Iran, Iran respects the international law and refrains from targeting other nations’ economic or financial institutions,” wrote Alireza Miryousefi, first secretary of the Iranian mission to the United Nations, in an e-mail.)

Researchers at Radware who investigated the attacks for several banks found that the traffic was coming from data centers around the world. They discovered that various cloud services and public Web hosting services had been infected with a particularly sophisticated form of malware, called Itsoknoproblembro, that was designed to evade detection by antivirus programs. The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims.

Botnets, or networks of individual infected slave computers, can typically be traced back to a command and control center, but security experts say Itsoknoproblembro was engineered to make it very difficult to tie it to one party. Security researchers have come up with a new name for servers infected with Itsoknoproblembro: they call them “bRobots.”

In an amateur botnet, the command and control center can be easily identified, but Mr. Herberger said it had been nearly impossible to do so in this case, suggesting to him that “the campaign may be state-sponsored versus amateur malware.”

Attackers used the infected servers to fire traffic simultaneously at each banking site until it slowed or collapsed.

By infecting data centers instead of computers, the hackers obtained the computing power to mount enormous denial of service attacks. One of the banks had 40 gigabits of Internet capacity, Mr. Herberger said, a huge amount when you consider that a midsize business may only have one gigabit. But some banks were hit with a sustained flood of traffic that peaked at 70 gigabits.

Mr. Herberger declined to say which cloud service providers had been compromised, citing nondisclosure agreements with Radware’s clients, but he said that each new bank attack provided evidence that more data centers had been infected and exploited.

The attackers said last week that they had no intention of halting their campaign. “Officials of American banks must expect our massive attacks,” they wrote. “From now on, none of the U.S. banks will be safe.”

Direct Link:   http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html?pagewanted=1&_r=1

 

Aug 10, 2012
 

Computer hacking for 8-year-olds

 

CNN
by Heather Kelly
July 31, 2012

 

Kids learn how to search for vulnerabilities in mobile games at Def Con 20 in Las Vegas

 

Las Vegas (CNN)

The hacker who goes by the pseudonym CyFi won’t share her real name and declines to be photographed without her signature aviator sunglasses.

At the annual Def Con hacking conference here Friday, Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, brought CyFi on stage during his keynote address and called her “the most important person for our future.”

CyFi is 11 years old.

For the second year in a row, Def Con organizers included a full schedule of Def Con Kids programs for beginner hackers ages 8 to 18. The children and teens, who must be accompanied by a parent, learned how to pick locks, competed to find the most bugs in mobile apps and learned about digital forensics by investigating a mock crime scene in a hotel room. Some skilled young hackers also taught classes and gave talks.

To kick off the conference, Def Con founder and veteran hacker Jeff Moss welcomed the kids with a talk on the ethics of hacking and rules for how to stay out of trouble with the law.

“I think it’s harder for you guys now than it was for me,” Moss told a room of kids and their parents.

Moss started the conference in 1992 because he wanted an open place for hackers to meet in person and share information. Twenty years later, the young attendees from Def Con’s early years have grown up, established careers and started families.

Now they bring their own children to Def Con to soak up the knowledge and culture, but this new generation faces a different set of rules and a maze of new laws — not to mention parents who are savvy enough to know what they’re up to and keen on keeping their progeny out of trouble.

 

Navigating the law

“I just want to open it, but don’t want to see what’s on the other side,” a young woman told Moss and Lauren Gelman, an attorney who works in the field of Internet law and policy.

Many of Def Con Kids’ school-age hackers are driven by the challenge of finding vulnerabilities in security systems and networks, not stealing information or money, or selling their knowledge to third parties. These “white-hat” hackers report any issues they find directly to the developers or relevant companies so they can be more secure.

But good intentions aren’t always enough when it comes to staying out of legal trouble.

When Moss was starting out, computer technology wasn’t widely understood by law enforcement, and laws weren’t yet in place that classified his actions as illegal.

“Technically, I wasn’t committing any crimes. I wasn’t stealing any money, wasn’t trying to break anything,” said Moss. The U.S. and international governments have since drafted complicated laws that criminalize many aspects of hacking.

However, Gelman pointed out that in many cases, the rules are still not clear or current, and that current laws are far behind what Def Con attendees are doing. She recommended the kids avoid breaking laws by asking for permission before testing any systems, and if that’s not possible, to find a situation where they can ask for approval.

“The lawyer perspective and mother perspective and ethics perspective is you can get in a lot of trouble if you don’t ask for permission.” Gelman is married to journalist and former hacker Kevin Poulsen and has two children.

Moss has his own test for deciding whether to hack something: “My rule of thumb is, do I completely own it? If yes, I can hack it.”

If hackers are unsure whether they are breaking the law, Gelman suggests they check the Electronic Frontier Foundation’s (EFF) site, which spells out rules for everyone from bloggers to coders. The 22-year-old organization also provides legal assistance for those who do get in trouble, taking on some cases itself or referring people to attorneys.

 

Building a reputation

Breaking the law isn’t the only concern Moss, Gelman and parents have for the budding hackers — true anonymity online is harder to come by and a bad reputation can follow these kids into adulthood.

Moss warned the kids that everything they do online now until they die will be backed up to the cloud. “That makes life more difficult for you guys, because if you get in trouble now, you’re screwed.”

Twenty years ago, hackers could operate in the shadows without leaving much of a trail. Chat logs weren’t recorded for long and hackers’ handles weren’t easily traceable to their real-life identities. Now, most communications that take place online are stored permanently and some can be dug up by law enforcement and human-resources departments.

Moss was just a kid himself when he got started with computers.

At 13, his father brought home an IBM computer for the family. By 14, Moss was online creating a new identity for himself, conversing with adults who were oblivious to his real age and spoke to him like an equal.

“I couldn’t drive a car, but I could have conversations about politics with people in Russia,” he said.

In those days, if someone made a mistake or needed a fresh start, they could create a new online identity. Moss got a do-over at an early age and recreated himself online as Dark Tangent, which grew into a trusted and respected identity he still uses now.

Today, a fresh start is harder to come by and old communications can surface at any time. Facebook CEO Mark Zuckerberg learned this the hard way when embarrassing instant-message conversations from his college days were made public years later.

“Your reputation is the most important thing you own,” said Moss, urging the young hackers to behave ethically, not because it will make their parents happy, but because they are the ones who will have to live with the results.

 

Hacking for good

With so many dangers, why would parents encourage their children to hack at all? Def Con Kids organizers believe in the good that can come from hacking, including making the country more secure and helping encourage freedom of speech around the world.

“Technology can really change the world,” said Gelman, citing the liberation-technology movement that encourages hackers to help people spread messages from countries where online communication is restricted.

The U.S. government sees the potential in these bright young minds as well.

The Department of Defense ran the digital forensics program at Def Con Kids, hoping to encourage more education and interest in the field. And Alexander met with three of the children before going on stage to give his keynote address.

“This is our future,” Alexander said of the kids. “What you’re doing here to help train those folks is absolutely superb, and you should be proud.”

 

STORY HIGHLIGHTS
  • Def Con Kids is a program at the annual Def Con hackers conference in Las Vegas
  • Beginner hackers between ages 8 and 18 are taught hacking techniques and ethics
  • NSA chief Gen. Keith Alexander praises the program and its kids

 

 

Direct Link:  http://www.cnn.com/2012/07/31/tech/web/def-con-kids-2012/index.html