Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

In all the reporting and subsequent hubbub about the National Security Administration’s ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— Timing of NSA’s access to communications/software/social media firms occurred alongside major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let’s compare timelines; keep in mind these are not complete.

| Date | NSA/Business | Cyber Attacks |
|---|---|---|
| 11-SEP-2007 | Access to MSFT servers acquired | |
| 15-NOV-2007 | | Stuxnet 0.5 discovered in wild |
| XX-DEC-2007 | | File name of Flame’s main component observed |
| 12-MAR-2008 | Access to Yahoo servers acquired | |
| All 2008 (into 2009) | | Adobe applications suffer from 6+ challenges throughout the year, including attacks on Tibetan Government in Exile via Adobe products. |
| 11-JAN-2009 | | Stuxnet 0.5 “ends” calls home |
| 14-JAN-2009 | Access to Google servers acquired | |
| Mid-2009 | | Operation Aurora attacks begin; dozens of large corporations confirming they were targets. |
| 03-JUN-2009 | Access to Facebook servers acquired | |
| 22-JUN-2009 | | Date Stuxnet version 1.001 compiled |
| 04-JUL-2009 | | Stuxnet 0.5 terminates infection process |
| 07-DEC-2009 | Access to PalTalk servers acquired | |
| XX-DEC-2009 | | Operation Aurora attacks continue through Dec 2009 |
| 12-JAN-2010 | | Google discloses existence of Operation Aurora, said attacks began in mid-December 2009 |
| 13-JAN-2010 | | Iranian physicist killed by motorcycle bomb |
| XX-FEB-2010 | | Flame operating in wild |
| 10-MAR-2010 | | Date Stuxnet version 1.100 compiled |
| 14-APR-2010 | | Date Stuxnet version 1.101 compiled |
| 15-JUL-2010 | | Langner first heard about Stuxnet |
| 19-SEP-2010 | | DHS, INL, US congressperson informed about threat posed by “Stuxnet-inspired malware” |
| 24-SEP-2010 | Access to YouTube servers acquired | |
| 29-NOV-2010 | | Iranian scientist killed by car bomb |
| 06-FEB-2011 | Access to Skype servers acquired | |
| 07-FEB-2011 | AOL announces agreement to buy HuffingtonPost | |
| 31-MAR-2011 | Access to AOL servers acquired | |
| 01-SEP-2011 | | Duqu worm discovered |
| XX-MAY-2012 | | Flame identified |
| 08-JUN-2012 | | Date on/about “suicide” command issued to Flame-infected machines |
| 24-JUN-2012 | | Stuxnet versions 1.X terminate infection processes |
| XX-OCT-2012 | Access to Apple servers acquired (date NA) | |

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?

What an Overbroad Section 215 Order Looks Like

Glenn Greenwald has a tremendous scoop, for the first time I know of publishing a Section 215 warrant — in this case one asking for all US-based traffic metadata from Verizon Business Services from April until July.

Now, I think that this actually affects just a subset of all Verizon traffic: the business-focused traffic rather than Verizon Wireless or similar consumer products most people subscribe to (and if that’s so, the shitstorm that is about to break out will be all the more interesting given that rich businessmen will be concerned about their privacy for once).

Also, this does not ask for call content. It asks only for metadata, independent of any identifying data.

In other words, they’re using this not to wiretap the conversations of Occupy Wall Street activists but to do pattern analysis on the telecom traffic of (I think) larger businesses.

The request does, however, ask for location data (and Verizon does offer bundles that would include both cell and cloud computing). So maybe the FBI is analyzing where all Verizon’s business customers are meeting for lunch.

My extremely wildarsed guess is that this is part of a hacking investigation, possibly even the alleged Iranian hacking of power companies in the US (those stories were first reported in early May).

I say that because cybersecurity is a big part of what Verizon Enterprise (as I believe they now go by) sells to its business customers; the infographic above, warning of data breaches when you least expect it (heh), is part of one they use to fear-monger its customers. Energy consumers are one of its target customer bases. And the case studies it describes involve several Smart Grid projects. Precisely the kind of thing the government is most freaked out about right now.

After all, aside from Medicare fraud, the government simply doesn’t investigate businesses, ever. Certainly not the kind of bankster businesses we’d like them to investigate. One of the few things they investigate business activities for is to see if they’ve been compromised. Moreover, the Section 215 order requires either a counterintelligence or a counterterrorist nexus, and the government has gone to great lengths to protect large businesses, like HSBC or Chiquita, that have materially supported terrorists.

Anyway, that’s all a wildarsed guess, as I said.

Ah well. If the government can use Section 215 orders to investigate all the Muslims in Aurora, CO who were buying haircare products in 2009, I’m sure big business won’t mind if the government collects evidence of their crimes in search of Iran or someone similar.

Update: Note, this order seems to show a really interesting organizational detail. This is clearly an FBI order (I’m not sure who, besides the FBI, uses Section 215 anyway). But the FISA Court orders Verizon to turn the data over to the NSC. This seems to suggest that FBI has NSA store and, presumably, do the data analysis, for at least their big telecom collections in investigations. That also means the FBI, which can operate domestically, is getting this for DOD, which has limits on domestic law enforcement.

BREAKING: Globalization Is Dangerous

Globalization is dangerous.

But not, as it turns out, because it has gutted the middle class. Not even because a globalized supply chain has made it easier for our rivals to sabotage our defense programs, or that a globalized supply chain has led to a loss of manufacturing capacity that threatens our defense, to say nothing of our distinctly American commercial sectors.

Rather, retired Admiral James Stavridis, in a more popularized version of a piece he wrote for a National Defense University volume on the topic, argues that “deviant globalization,” whether that of drug traffickers, terrorists, counterfeiters, or hackers, poses a rising threat.

Convergence may be thought of as the dark side of globalization. It is the merger of a wide variety of mobile human activities, each of which is individually dangerous and whose sum represents a far greater threat.

I’m sure it is a threat. But Stavridis makes the same mistake just about everyone else makes when they consider criminal globalized networks to be a security threat: they ignore that there is little these illicit networks do that licit ones didn’t already pioneer. They ignore that the only thing that makes them illicit is state power, the same state power that corporatized globalization has weakened.

In fact Stavridis’ fourth point telling how to combat deviant globalization is notable for what it’s missing.

Fourth, we must shape and win the narrative. Many have said there is a “war of ideas.” That is not quite the right description. Rather, the United States is a “marketplace of ideas.” Our ideas are sound: democracy, liberty, freedom of speech and religion — all the values of the Enlightenment. They have a critical role in confronting the ideological underpinnings of crime and terror. Our strategic communications efforts are an important part of keeping our networks aligned and cohesive.

You see it? In spite of using the metaphor of the market to describe the realm of ideas, Stavridis neglects to mention that one of our ideas, so-called capitalism (or the marketplace itself!), that value of Enlightenment, is precisely the logic that has made globalization imperative.

If the way to beat these criminal globalized networks is to compete ideologically, but the ideological foundation our elites cling to most desperately is the same one the criminal globalized networks are exploiting so spectacularly, haven’t we already lost the battle of ideas?

Stavridis’ choice to ignore capitalism is probably why he doesn’t get the problem with his call to “follow the money.”

Third, we must follow the money. Huge sums of cash from these trafficking activities finance terrorists and insurgents such as the Taliban, as well as corruption. The money is used to undermine fragile democracies. Efforts to upend threat financing must be fused with international initiatives, move across U.S. agency lines and have the cooperation of the private-sector institutions involved.

It is true that globalized cash flows undermine weak governments (the same ones that otherwise might make these criminal globalized networks illicit). But that’s at least as true of the money looted from poorer countries and deposited, completely legally per western elites, in secrecy regimes, or of the hot money that destabilizes the global economy more generally. Moreover, one of the biggest impediments to tracking the flows of criminal globalized networks is that the so-called licit multinational banks they use to transfer their money are more interested in the profits from the money than in cooperating with increasingly weak states. So long as HSBC can get away with a wrist slap, after all, why would any multinational bank give up its customer base to American authorities?

Stavridis ends his column by citing Hardy’s warning about icebergs.

Just over a century ago, the poet Thomas Hardy wrote “The Convergence of the Twain” about the collision of the Titanic and the iceberg that sank it. “And as the smart ship grew/ In stature, grace, and hue/ In shadowy silent distance grew the Iceberg too.” There is an iceberg out there in the form of weapons of mass destruction; what is most worrisome is the convergence of such a weapon with a sophisticated global trafficking route enabled by cybercrime and the cash it generates. That is the convergence we must do all in our power to prevent.

Stavridis almost gets it. He almost gets it that these global trafficking routes, whether deemed licit or illicit by increasingly weak states, are the iceberg that is looming.

It’s just that he chooses to ignore the iceberg he can see for the parts he can’t see.

Compare DOD’s Autonomy to Engage in Cyber-War with Obama’s Close Control over DOD Drone Targeting

It will likely be some time, if ever, before one of our enemies succeeds at doing more than launching limited, opportunistic drone strikes at the US. By contrast, every day brings new revelations of how our enemies and rivals are finding new vulnerabilities in American cyber-defense.

Which is why it is so curious to compare this account of the multi-year process that has led to an expansion of DOD’s authority to approve defensive cyber-attacks with this account of Obama’s close hold on DOD’s drone targeting.

In both cases, you had several agencies — at least DOD and CIA — in line to execute attacks, along with equities from other agencies like State.

An interagency process had been started because cyber concerns confront a variety of agencies, the intelligence community and DoD as well as State, Homeland Security and other departments, with each expressing views on how the domain would be treated.

For much of Obama’s term, it seems, both DOD drone attacks outside of the hot battlefield and cyberattacks had to be approved by the White House. With drones, Obama wanted to retain that control (over DOD, but not CIA) to prevent us from getting into new wars.

But from the outset of his presidency, Obama personally insisted that he make the final decision on the military’s kill or capture orders, so-called direct action operations. Obama wanted to assume the moral responsibility for what were in effect premeditated government executions. But sources familiar with Obama’s thinking say he also wanted to personally exercise supervision over lethal strikes away from conventional battlefields to avoid getting embroiled in new wars. As responsibility for targeted strikes in places like Yemen, Somalia, and, over time, Pakistan shifts to the military’s Joint Special Operations Command, Obama will be the final decider for the entire program.

With cyber, White House control was designed partly to limit blowback — almost the same purpose as his micromanagement of drone targeting — but also to mediate disputes between agencies.

In every instance where cyber was involved, the NSC had to be involved. That helped settle some of the disputes between agencies by limiting any independent application of cyber capabilities, but was useful neither for expediting any cyber action nor for integrating cyber into larger military capabilities. Several sources said that this has slowed the integration of cyber into broader military tactics, possibly giving rivals without the same hesitation, like China, a chance to become more adept at military cyber.

[snip]

Because every decision had to be run through the West Wing, potential political blowback limited the use of cyber tools, the former senior intelligence official said. “If they can’t be used without a discussion in the West Wing, the president’s got no place to run if something goes wrong when he uses them,” he said. Those decisions included what to do if the US confronted a cyberattack.

But over the course of the Obama Administration, DOD lobbied to increase its autonomy in both areas, in drones via the year-long process of crafting a drone rulebook, and with cyber, via the three year process of drafting new standing rules of engagement.

It had far more success in its efforts to expand autonomy with cyber.

Time to Out the Cyber-Insecure Defense Contractors

In its latest update on Chinese hacking of our defense programs, WaPo provides a list of defense programs that have been compromised, which includes many of our most important and error-prone programs.

The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.

Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.

Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.

WaPo, having seen classified sections of a report that had previously been released in unclassified form, also places more emphasis on the potential impact not just of cybertheft, but cyber-sabotage, than it has in the past, basically pointing to this section of the report itself.

 

The threats described in the previous section [which focus on sabotage at the microchip level] may impose severe consequences for U.S. forces engaged in combat:

  • Degradation or severing of communication links critical to the operation of U.S. forces, thereby denying the receipt of command directions and sensor data
  • Data manipulation or corruption may cause misdirected U.S. operations and lead to lack of trust of all information
  • Weapons and weapon systems may fail to operate as intended, to include operating in ways harmful to U.S. forces
  • Potential destruction of U.S. systems (e.g. crashing a plane, satellite, unmanned aerial vehicles, etc.).

At the national level, one could posit a large-scale attack on the U.S. critical infrastructure (e.g., power, water, or financial systems). An attack of sufficient size could impose gradual wide-scale loss of life and control of the country and produce existential consequences.

WaPo also provides a hint at our solutions and Chinese counter-responses. That is, as our prime contractors have become more adept at cyber-security, China has moved on to attack subcontractors.

In an attempt to combat the problem, the Pentagon launched a pilot program two years ago to help the defense industry shore up its computer defenses, allowing the companies to use classified threat data from the National Security Agency to screen their networks for malware. The Chinese began to focus on subcontractors, and now the government is in the process of expanding the sharing of threat data to more defense contractors and other industries.

Yet the government won’t take the obvious step of tying ongoing contracts to cyber-security, instead requiring only that contractors provide the government notice of cyber-attacks.

An effort to change defense contracting rules to require companies to secure their networks or risk losing Pentagon business stalled last year. But the 2013 Defense Authorization Act has a provision that requires defense contractors holding classified clearances to report intrusions into their networks and allow access to government investigators to analyze the breach.

What’s most interesting about all this, though, is that the report (at least the classified list the WaPo saw) didn’t identify via which contractors in the supply chain China hacked these programs. But the US is not, apparently, keeping all of that information secret from China.

U.S. officials said several examples were raised privately with senior Chinese government representatives in a four-hour meeting a year ago. The officials, who spoke on the condition of anonymity to describe a closed meeting, said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.

[snip]

The list did not describe the extent or timing of the penetrations. Nor did it say whether the theft occurred through the computer networks of the U.S. government, defense contractors or subcontractors.

So if the government is sharing at least some details of what it knows about China’s hacks with China, then why is it keeping secret the details about which contractors taxpayers are paying lots of money to for cyber-attack-induced rework? Why can’t it provide at least skeletal information about which contractors have let China compromise our security so much?

Someone Hacked Our Memory: “Retaliation,” “Deterrence,” “Escalation”

The WSJ has a story developing on earlier WSJ and NYT reporting that someone — believed to be Iran — was using cyberattacks on energy companies in preparation to sabotage operations.

And while the WSJ responsibly includes a short paragraph noting that the US “has previously launched its own cyberattacks” on Iran to sabotage its nuke program, none of the people they interview seem to remember that we struck Iran first and that this should be regarded as retaliation to our own provocation, not vice versa.

In response, U.S. officials warn that Iran is edging closer to provoking U.S. retaliation.

“This is representative of stepped-up cyber activity by the Iranian regime. The more they do this, the more our concerns grow,” a U.S. official said. “What they have done so far has certainly been noticed, and they should be cautious.”

[snip]

Underscoring the Obama administration’s growing concern, the White House held a high-level meeting late last month on how to handle the Iranian cybersecurity threat. No decisions were made at that meeting to take action, however, and officials will reconvene in coming weeks to reassess, a U.S. official said.

“It’s reached a really critical level,” said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies, who frequently advises the White House and Capitol Hill. “We don’t have much we can do in response, short of kinetic warfare.”

The Obama administration sees the energy-company infiltrations as a signal that Iran hasn’t responded to deterrence, a former official said.

In October, then-Defense Secretary Leon Panetta issued a veiled threat to Iran, which he did not name in his speech, by warning the Saudi Aramco hack represented a dangerous escalation in cyberwarfare. Since then, the Iranian attacks have only ramped up. [my emphasis]

One of the reasons we’re likely left with little to do in response short of “kinetic warfare,” of course, is we’ve already economically sabotaged Iran’s economy with sanctions, gutting the already fewer targets we might hit to strike back. (Also, the countries that have exemptions to trade with Iran for oil likely would frown on any attempt on our part to further devastate Iran’s energy sector.)

You’d think someone would have thought of this entirely predictable state of affairs before advising the most cyber-vulnerable nation on earth to pioneer the use of cyberwar to sabotage key infrastructure, huh?

The Sabotage Attack on the Syrian Coalition

The NYT reports — adding to an earlier WaPo story — that hackers have attempted to sabotage a bunch of US energy companies.

A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers’ aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East.

It ties these attacks to earlier attacks, claimed to have been launched by Iran, against ARAMCO and Qatar’s RasGas.

Two senior officials who have been briefed on the new intrusions say they were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name. That is similar to what happened to Saudi Aramco, where a computer virus wiped data from office computers, but never succeeded in making the leap to the industrial control systems that run oil production.

[snip]

At Saudi Aramco, the virus replaced company data on thousands of computers with an image of a burning American flag. The attack prompted the defense secretary at the time, Leon E. Panetta, to warn of an impending “cyber 9/11” if the United States did not respond more efficiently to attacks. American officials have since concluded the attack and a subsequent one at RasGas, the Qatari energy company, were the work of Iranian hackers. Israeli officials, who follow Iran closely, said in interviews this month that they thought the attacks were the work of Iran’s new “cybercorps,” organized after the cyberattacks that affected their nuclear facilities.

Saudi Aramco said that while the attackers had attempted to penetrate its oil production systems, they had failed because the company maintained a separation between employees’ administrative computers and the computers used to control and monitor production. RasGas said the attack on its computers had failed for the same reason.

And while the adoption of the earlier sabotage approach used with ARAMCO and RasGas infrastructure to US energy producers does not mean all members of the coalition to topple Bashar al-Assad have been attacked by an entity insinuated to be Iran (unless the European partners’ energy companies have been attacked and we just don’t know about it), this attack does seem to be an assault on the coalition trying to undercut Iran by taking down its client regime in Syria.

Which has me wondering whether this is an Iranian attack — revenge, if you will, for StuxNet, serves the US right. Or if it’s an attack launched by a coalition, possibly including Russia.

I also wonder whether the point of the sabotage isn’t on the information side of the equation, rather than the operational one.

In other news, remember how former NSA head and all-around cyberwar profiteer Mike McConnell declared a digital 9/11 warning based on the ARAMCO attack and some crude DNS attacks on banks here in the US? Guess who has become a player in Saudi (and Gulf generally) cybersecurity?

During this event, Booz Allen Hamilton leadership shared their insights on global cyber security practices and the importance of a cross-border cooperative approach to protecting critical infrastructure in the Gulf.

Commenting at the event, McConnell said, “The GCC states have become global hubs in finance. However, this growth introduces increased cyber security risks by threat actors who target this region for monetary or political gain. GCC states have already experienced significant cybercrime in the recent past, it is now more important than ever to ensure that these are not repeated.”

He also added, “Financial institutions are a prime target for cyber criminals, and as a result, they need to focus on staying ahead of cyber threats by developing the right human capital, developing appropriate training programmes and retaining the right skills and technology to properly access and protect corporate data.”

Booz Allen Hamilton was recently registered by the Kingdom of Saudi Arabia Ministry of Commerce and Industry to pursue business opportunities in the Kingdom in support of domestic economic diversification. The firm will provide services to government and commercial clients on critical issues related to the Kingdom’s development, most notably in the areas of cyber security, information technology, financial services and other selected infrastructure. [my emphasis]

I’m guessing BAH’s work in KSA has a lot to do with the expanded Technical Cooperation Agreement signed with the US in January, which added a cyber component onto the previous effort to create a 35,000 person security force Mohammed bin Nayef could use to protect the kingdom’s oil infrastructure.

So if you’re bummed that BAH gets to troll American networks with abandon, rest assured that it will now be doing so in Saudi Arabia, too.

Sheldon Whitehouse: Cybertheft Is [May Be] Biggest Transfer of Wealth in History

In an attempt to scare Congress into passing the cybersecurity legislation they failed to pass last year, Sheldon Whitehouse scheduled a hearing on cybersecurity today. In the hearing — and in this op-ed he penned with Lindsey Graham — he repeated a claim he has made before: cybertheft may be the biggest “illicit” transfer of wealth in history.

Almost every facet of American life is threatened when intruders exploit our cyber-vulnerabilities. And the risk is not from China alone. Foreign governments such as Iran and terrorist groups such as al-Qaida seek to worm into national infrastructure and threaten catastrophe here at home. Foreign agents raid companies, stealing plans, formulas and designs. Foreign criminal networks take money out of banks, defraud consumers with scams and sell illicit goods and products, cheating U.S. manufacturers. It may be the greatest illicit transfer of wealth in history. [my emphasis]

I think in the hearing itself, Whitehouse wasn’t as careful to always use that word “might.”

The greatest illicit transfer of wealth in history.

Don’t get me wrong: cyberattacks of all sorts are a real threat. They cost consumers a great deal of inconvenience and, at times, lots of money. They cost defense contractors far more (though of course, some of that is built into our model of defense). They cost sloppy companies as well.

But the biggest illicit transfer of wealth in history?

Ignore recent unpunished giant transfers of wealth in the wake of the financial crisis, which the Senate Judiciary Committee has largely ignored.

I guess the reason I find this so stunning is all the obviously huge transfers of wealth it ignores that were part of slavery and colonization.

Were those licit?

Those were, like Chinese or Iranian or Russian cyberattacks on the US, examples of states (and private entities) taking advantage of vulnerabilities elsewhere. They were certainly considered legitimate at the time, because Europeans got to write the history of colonization, and because they made up claptrap about “civilization” to justify it. But from a distance they look more like the kind of exploitation states often engage in if they’ve got an obvious advantage over another state or organization.

All that’s not to say Montezuma shouldn’t have resisted the Spaniards. That’s not to say we shouldn’t defend against cyberattacks.

But what really makes the US so vulnerable to cyberattacks are 1) that we’re so reliant on the Internet and 2) we’re so reliant on intellectual property (indeed, the very claim that cybertheft is the biggest transfer of wealth relies on a certain understanding of IP as wealth that itself depends on a legal infrastructure that is contingent on our relative world power). And also that so much of our critical infrastructure and IP holders are in private hands and therefore much harder to demand diligence from. That is, our vulnerability to cyberattacks is in part a fragility of our own bases for power (a vulnerability that will probably end up being less lethal than the fact that the immune systems of indigenous peoples hadn’t been exposed to European diseases).

Also, this entire discussion — which danced around the question of an international regime that might limit such attacks — completely ignored the StuxNet attack, the fact that a nation as vulnerable as we are pushed the limits of the offensive capability first. One of the witnesses (I think FBI Assistant Director Jonathan Demarast) even suggested that if our government were chartered to attack the private sector (cough, Echelon) of other countries we’d be damn good at it too — as if our attacks on the public infrastructure of Iran don’t count.

I get the value of a good fear campaign (I wish Whitehouse would fearmonger more in his regular addresses on climate change). But there’s fearmongering and there’s absurdity. And I think suggesting that cybertheft is worse than the stealing of entire continents is the latter.

Stephen Cambone, Hacker PWN, Used to Head DOD’s “Intelligence”

Stephen Cambone was the first ever Under Secretary of Defense for something called “Intelligence.”

In that role, he oversaw a domestic spying program that targeted hippies and made GOP cronies rich. And then he went on to profit off that domestic spying program at a company called QinetiQ.

Which is why I’m having a hard time summoning much grief that Chinese hackers have pwned another US Defense Contractor — none other than QinetiQ (George Tenet, another noted “intelligence” figure, was there until 2008)!

Here are the kinds of things the hackers accessed, almost unimpeded.

The lengthy spying operation on QinetiQ jeopardized the company’s sensitive technology involving drones, satellites, the U.S. Army’s combat helicopter fleet, and military robotics, both already-deployed systems and those still in development, according to internal investigations.

And here is the kind of access QinetiQ allowed both Chinese and Russian hackers.

In 2008, a security team found that QinetiQ’s internal corporate network could be accessed from a Waltham, Massachusetts, parking lot using an unsecured Wi-Fi connection. The same investigation discovered that Russian hackers had been stealing secrets from QinetiQ for more than 2 1/2 years through a secretary’s computer, which they had rigged to send the data directly to a server in the Russian Federation, according to an internal investigation.

Read the whole thing — you won’t know whether to laugh or cry.

Meanwhile, the government seems more intent on violating my privacy to fix this kind of wholesale hacking, rather than blackballing those contractors who are incapable of securing their networks.

The State Department, which has the power to revoke QinetiQ’s charter to handle restricted military technology if it finds negligence, has yet to take any action against the company.

[snip]

In May 2012, QinetiQ received a $4.7 million cyber-security contract from the U.S. Transportation Department, which includes protection of the country’s critical transport infrastructure.

The same company that let China hack at will for years is being paid millions for cybersecurity.

That about says it all.

Hackers Penetrate Freedom; The Ship Has Already Sailed

Reuters has a report I found sort of punny, about how white hat hackers had managed to break into the computer systems of the lead ship of the Navy’s Littoral Combat Ship program, the USS Freedom.

A Navy team of computer hacking experts found some deficiencies when assigned to try to penetrate the network of the USS Freedom, the lead vessel in the $37 billion Littoral Combat Ship program, said the official, who spoke on condition of anonymity.

The Freedom arrived in Singapore last week for an eight-month stay, which its builder, Lockheed Martin Corp., hopes will stimulate Asian demand for the fast, agile and stealthy ships.

It may be ironic that Lockheed had a ship get hacked just before it sent the ship out on a sales trip to Asia. (Asia! Where our most feared hacking rival is!)

But … um, Lockheed?

Lockheed, of course, couldn’t keep the F-35 program safe from hackers either, and that time it wasn’t white hats doing the hacking.

Before the government imposes fines for companies unwilling to sacrifice the security of their systems to program in a backdoor, as the WaPo reports is being debated …

A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.

[snip]

Susan Landau, a former Sun Microsystems distinguished engineer, has argued that wiring in an intercept capability will increase the likelihood that a company’s servers will be hacked. “What you’ve done is created a way for someone to silently go in and activate a wiretap,” she said. Traditional phone communications were susceptible to illicit surveillance as a result of the 1994 law, she said, but the problem “becomes much worse when you move to an Internet or computer-based network.”

Marcus Thomas, former assistant director of the FBI’s Operational Technology Division, said good software coders can create an intercept capability that is secure. “But to do so costs money,” he said, noting the extra time and expertise needed to develop, test and operate such a service.

… Maybe we ought to instead focus on Lockheed’s apparent inability to keep the hundreds of billion dollar weapons systems it produces safe from hackers?