At What Point Do Our Cyberwar Toys become WMD?

The other day, Ellen Nakashima reported on new cyberwar acquisition guidelines that will allow DOD, under certain circumstances, to deploy targeted exploits without the regular testing or oversight process.

The rapid process will take advantage of existing or nearly completed hardware and software developed by industry and government laboratories. This approach could take several months in some cases, or a few days in others.

[snip]

Under the rapid plan, weapons can be financed through the use of operational funds, in “days to months,” and some steps that ordinarily would be required would be eliminated. These include some planning documents and test activities, according to the report.

The weapons may be designed for a single use or for some other limited deployment, and they would be used in offensive cyber operations or to protect individual computer systems against specific threats, said the report.

As she describes it, this rapid development will (is supposed to?) only be used in fairly targeted cases.

But what are the chances the speed and limited oversight lead to mistakes? What are the chances that our rush to roll out exploits leads us to set off some unintended consequences?

Consider Richard Clarke’s explanation for how StuxNet escaped the narrow confines of the Natanz centrifuge facility it targeted.

“It got loose because there was a mistake,” [Clarke] says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. “And somehow it didn’t work.”

“Why wouldn’t it have worked?”

“TTL operates off of a date on your computer. Well, if you are in China or Iran or someplace where you’re running bootleg software that you haven’t paid for, your date on your computer might be 1998 or something because otherwise the bootleg 30-day trial TTL software would expire.

“So that’s one theory,” Clarke continues. “But in any event, you’re right, it got out. And it ran around the world and infected lots of things but didn’t do any damage, because every time it woke up in a computer it asked itself those four questions. Unless you were running uranium nuclear centrifuges, it wasn’t going to hurt you.”

“So it’s not a threat anymore?”

“But you now have it, and if you’re a computer whiz you can take it apart and you can say, ‘Oh, let’s change this over here, let’s change that over there.’ Now I’ve got a really sophisticated weapon.” [first brackets mine, all others original]

Here’s a cyberweapon presumably developed under the existing “deliberate” process, with full testing and oversight. If Clarke’s description of the problem is correct, it’s not so much a testing problem as an inadequate understanding of the environment–a failure to account for all those computers on which, because their clocks were not set properly, the TTL orders malfunctioned. And while StuxNet itself may not have done collateral damage, who knows what hackers who have gotten the code did with it?

So while StuxNet, with the benefit of time and testing, didn’t do excessive damage when DOD’s plans proved to be inadequate, who’s to say that an exploit deployed with far less time–purchased for use–won’t do more damage?

Also, note how much more quickly DOD appears to be moving to make sure it has lots of cyberweapons to deploy than it has moved to make sure it has the most rudimentary defenses against exploitation. Probably, when our cyberwar toys turn into a WMD, they’ll hurt people in the Middle East or China. But given our rush into offensive cyberwar before we’ve protected ourselves, who knows?

Who Brought Key Al Qaeda Forums Down?

A number of al Qaeda’s online jihadist forums have gone down for extended periods.

Al-Qaeda’s main Internet forums have been offline for more than a week in what experts say is the longest sustained outage of the Web sites since they began operating eight years ago.

No one has publicly asserted responsibility for disabling the sites, but the breadth and the duration of the outages have prompted some experts to conclude that the forums have been taken down in a cyberattack — launched perhaps by a government, a government-backed organization or a hackers’ group.

US Cyber Command denied to the WaPo that it–or other US government agencies–were responsible.

There is still some uncertainty about whether a cyberattack caused the recent outages, and skeptics note that some prominent al-Qaeda forums remain online. U.S. government agencies, including U.S. Cyber Command, had no role in the outages, according to officials who would speak about the issue only on the condition of anonymity.

Still, Will McCants, a former State Department

Whereas government sources CNN contacted (Barbara Starr, CNN’s resident DOD mouthpiece, is bylined) declined to comment.

No entity has claimed responsibility and U.S. officials contacted by CNN would not comment.

Sort of.

A U.S. official said the United States has been aware of the al Qaeda websites being down and finds it “of interest to us.”

But the WaPo also describes our government using foreign government assistance in the past.

In the past, U.S. officials have also relied on diplomatic channels to dismantle extremist sites that are viewed as a threat to American personnel or interests, according to former U.S. officials familiar with the episodes.

The approach has worked in more than a dozen cases and in each instance was backed by at least the implicit threat of a cyberattack by the U.S. military if the Web site’s host country failed to act, the officials said. The countries that cooperated were in Europe, the Persian Gulf and the Pacific, they said.

“We’ve never had a country refuse us,” said James Cartwright, the former vice chairman of the Joint Chiefs of Staff, speaking at a U.S. China Economic and Security Review Commission hearing at George Mason University last week. “But if they did, then you can invoke the right of self-defense.”

It reports the sites in question are hosted in Malaysia, Costa Rica and Gaza.

Meanwhile, Will McCants suggests to CNN that the outage may be related to Spain’s arrest of alleged Al Qaeda propagandist Mudhar Hussein Almalki.

Zelin speculated the outage could be tied to the recent arrest of Mudhar Hussein Almalki in Spain. Almalki maintained the Ansar al-Mujahidin Forum, according to a Spanish police document provided to CNN. The police document alleges Almalki ran the site and oversaw who could access it, spread information to jihadists and maintained private chat rooms to “carry out meetings with others to give out instructions,” according to a translation of the document.


Richard Clarke Also Suggests Hacking Has Made F-35 Ineffective

A number of people have pointed to this interview for Richard Clarke’s suggestion that the US, not Israel, bears most of the responsibility for the StuxNet attack.

But I’m just as interested in his assessment that hacking threatens to undercut our ability to deploy our fanciest war toys.

“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong,” he tells me. “Every major company in the United States has already been penetrated by China.

“What?”

“The British government actually said [something similar] about their own country.”

Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don’t get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them—“logic bombs,” trapdoors and “Trojan horses,” all ready to be activated on command so we won’t know what hit us. Or what’s already hitting us.

“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China….After a while you can’t compete.”

But Clarke’s concerns reach beyond the cost of lost intellectual property. He foresees the loss of military power. Say there was another confrontation, such as the one in 1996 when President Clinton rushed two carrier battle fleets to the Taiwan Strait to warn China against an invasion of Taiwan. Clarke, who says there have been war games on precisely such a revived confrontation, now believes that we might be forced to give up playing such a role for fear that our carrier group defenses could be blinded and paralyzed by Chinese cyberintervention. [my emphasis]

The other day, I suggested that our inability to protect our defense and defense contractor networks means we’re wasting billions on hacking-related rework.

That’s not the only way our vulnerability to hacking will rot our national security supremacy. As Clarke notes, it will make all the defenses we build into our weapons systems less effective. All of which won’t stop us from dumping the national treasure into already-compromised toys. It’ll just make those toys more expensive.

Does NCTC Have the Minimal Data Security to Guard Its New Not-Terrorist-Terrorist Database?

As I noted here and here, yesterday the Director of National Intelligence and DOJ rolled out new Guidelines allowing the National Counterterrorism Center to acquire non-terrorist datasets from federal agencies–including US person data–so they can do pattern analysis on those datasets and pass off the resulting data to other agencies.

When intelligence officials wanted to explain to Charlie Savage how this would work, they pointed to a State Department dataset–visa applications–as one dataset NCTC might now access directly.

A person from Yemen applies for a visa and lists an American as a point of contact. There is no sign that either person is a terrorist. Two years later, another person from Yemen applies for a visa and lists the same American, and this second person is a suspected terrorist.

Under the existing system, they said, to discover that the first visa applicant now had a known tie to a suspected terrorist, an analyst would have to ask the State Department to check its database to see if the American’s name had come up on anyone else’s visa application — a step that could be overlooked or cause a delay. Under the new rules, a computer could instantly alert analysts of the connection.

The State Department is, of course, still reportedly recovering from the fact that because of DOD’s lax network security, 250,000 diplomatic cables got liberated for the world to see.

Not surprisingly, then, the new Guidelines appear determined to reassure original dataset owners that their data won’t be compromised by sharing it with NCTC (which can then share it with other elements of the Intelligence Community and even foreign allies). You can tell they’re serious about this, because it’s one of the places they occasionally use “shall” (in other sensitive areas, they use the squishier “will”).

For access to or acquisition of specific datasets, the DNI, or the DNI’s designee, shall collaborate with the data provider to identify any legal constraints, operational considerations, privacy or civil rights or civil liberties concerns and protections, or other issues, and to develop appropriate Terms and Conditions that will govern NCTC’s access to or acquisition of datasets under these guidelines.

[snip]

In addition to the [general requirements laid out for sharing this data], at the time when NCTC acquires a new dataset or a new portion of a dataset, the Director of NCTC shall determine, in writing, whether enhanced safeguards, procedures, and oversight mechanisms are needed.

Though this bold approach almost immediately breaks down, as the Guidelines not only revert to “will,” but–worse–dig out the passive voice when describing the data transfer.

Measures will be put into place to ensure that the dataset is received and stored in a manner to prevent unauthorized access and use prior to the completion of replication.

And when the Guidelines get into specifics, they use that passive “will” again.

Access to these datasets will be monitored, recorded, and audited. This includes tracking of logons and logoffs, file and object manipulation, and changes, and queries executed, in accordance with audit and monitoring standards applicable to the Intelligence Community.

Who will (“shall”) implement these data security measures? What if he or she fails to do so adequately?

It’s a really, really important question because–as this year’s intelligence authorizations make clear–the Intelligence Community does not yet have insider threat detection (the kind of security that would permit these audits), and it’s not going to get it until 18 months from now. Hell, it’s not even going to start getting it until 6 months from now!

(a) Initial Operating Capability.–Not later than October 1, 2012, the Director of National Intelligence shall establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the intelligence community in order to detect unauthorized access to, or use or transmission of, classified intelligence.


BAE F-35 Hack Confirmed

I’ve long complained that the government’s obsession with WikiLeaks is badly misplaced. After all, DOD and some of its contractors simply can’t keep their networks secure from Chinese hackers. So if our chief rival can take what it wants, why worry so much that actual American citizens have access to what China can take with abandon?

Case in point. The Australian has confirmed what was initially reported three years ago: China hacked BAE to steal performance information on the F-35.

CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed.

The Chinese exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the $300 billion F-35 Joint Strike Fighter, a multinational project to create a plane that will give the West air supremacy for years to come, according to the sources.

[snip]

One of those present said: “The BAE man said that for 18 months, Chinese cyber attacks had taken place against BAE and had managed to get hold of plans of one of its latest fighters.”

This plane will have taken more than $385 billion to develop and will take $1 trillion to sustain. It is the most expensive weapons system in history. And yet for 18 months, the Chinese were just living on (at least) BAE’s networks taking what they wanted. How much of the considerable cost and rework on this program comes from the data on it China has stolen along the way?

In fact, I’m wondering whether China isn’t borrowing from our own playbook: during the Cold War, we made Russia go bankrupt by engaging in an arms race it couldn’t afford. China doesn’t need to do that. By hacking our data, they can just make us go bankrupt by setting up an arms race between our contractors and its hackers. With the result that we build a trillion dollar plane that it can already exploit.

And yet the government’s priority seems to be shutting up leakers who reveal its crimes, not networks that reveal our biggest military secrets.

Is This What Robert Mueller Meant by Cyber Expertise?

Back on February 3, I noted what I thought was the irony that, four days after FBI Director Robert Mueller bragged about FBI’s cybersecurity expertise–including its partnerships with counterparts overseas–Anonymous released an earlier hacked call between Scotland Yard and FBI.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

We now know that at the time of both the hack and Mueller’s comment, the FBI was running Hector Xavier Monsegur–Sabu–as a confidential informant–and the Scotland Yard call is one of the hacks they busted others for with his assistance last week.

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

And meanwhile, all of the things Sabu was saying on his twitter account were closely monitored–if not written–by the FBI, including the comment about FBI’s informants, above, and the multiple “celebrations” of the Scotland Yard hack.


So It Was the FBI Threatening to Take Down the Internet, Then?

As soon as the news came out today that Sabu, the head of LulzSec, offered an FBI computer to facilitate the publication of Stratfor (no doubt to set up a LulzSec-assisted indictment of Julian Assange in the future)…

Hector Xavier Monsegur, an unemployed 28-year-old Puerto Rican living in New York, was unmasked as “Sabu”, the leader of the LulzSec hacking group that has been behind a wave of cyber raids against American corporations including Rupert Murdoch’s News Corporation, the intelligence consultancy Stratfor, British and American law enforcement bodies, and the Irish political party Fine Gael.

[snip]

In a US court document, the FBI’s informant – there described as CW – “acting under the direction of the FBI” helped facilitate the publication of what was thought to be an embarrassing leak of conference call between the FBI and the UK’s Serious and Organised Crime Agency in February.

Officers from both sides of the Atlantic were heard discussing the progress of various hacking investigations in the call.

A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.

…I thought back to the threat Anonymous made to TAKE DOWN THE ENTIRE INTERNET!!! Which of course made more sense understood as a ploy to help fear monger than as an actual threat from actual terrorists.

Was it the FBI making such threats?

Which makes this conversation Sabu had just two weeks before he was indicted all the more interesting.

<SABU> You just said there was a claim that I may be a terrorist. You “researched” it and wrote the article

<SABU> There are claims I am with the CIA pushing to get tighter / stricter cyber-laws passed

<SABU> its literally the same shit, two different extremes.

[snip]

<SABU> The people are aware that our governments in the UK and the US have involved themselves in black operations in the past. it makes a lot of sense if let’s say a rogue group of hackers suddenly began attacking national interests — spawning a massive overhaul of internet security, theoretically.


Treasury Accuses Iran of Hacking

The Treasury Department just added the Iranian Ministry of Intelligence and Security (MOIS) to the other Iranian entities listed as Specially Designated Nationals (other entities already covered include the Quds Force and the National Police and their leaders). It sanctioned MOIS for a laundry list of reasons generally categorized as support for Syria’s human rights abuses, Iran’s own human rights abuses, and support for terrorism. Under the latter section, Treasury lists the following:

  • MOIS provides financial, material, or technological support for, or financial or other services to Hizballah, a terrorist organization designated under E.O. 13224. MOIS has participated in multiple joint projects with Hizballah in computer hacking.
  • MOIS provides financial, material, or technological support for, or financial or other services to HAMAS, a terrorist group also designated under E.O. 13224.
  • MOIS has facilitated the movement of al Qa’ida operatives in Iran and provided them with documents, identification cards, and passports.
  • MOIS also provided money and weapons to al Qa’ida in Iraq (AQI), a terrorist group designated under E.O. 13224, and negotiated prisoner releases of AQI operatives.

It is the official position of our government that Iran has facilitated the travel of al Qaeda operatives (this accusation may, in fact, date to pre-9/11 transiting of Iran on the same terms as others). And, not surprisingly, the government says Iran helped Hamas and Al Qaeda in Iraq.

But it’s the Hezbollah claim I’m most intrigued by. Treasury says that Iran’s intelligence service “participated in multiple joint projects with Hizballah in computer hacking.”

Hacking? We’re declaring hacking a terrorist act now? Like the StuxNet project we engaged in with Israel.

And what, precisely, is Iran alleged to have hacked? Because the most public allegations pertain to … drones. You know, the drones violating Iran and Lebanon’s airspace?

We’ve made that a terrorist act now?

Alan Gross and Jacob Appelbaum

This AP story describing the backstory of USAID contractor Alan Gross’s imprisonment in Cuba is interesting in its own right. Past reporting had made it clear that Cuba had declared Gross a spy because he was setting up secure communications technology for Cuba’s Jewish community.

Gross’ company, JBDC Inc., which specializes in setting up Internet access in remote locations like Iraq and Afghanistan, had been hired by Development Associates International Inc. of Bethesda, Maryland, which had a multimillion-dollar contract with USAID to break Cuba’s information blockade by “technological outreach through phone banks, satellite Internet and cell phones.”

The AP story describes the vast array of telecom equipment Gross and some Jewish humanitarian groups he partnered with smuggled into Cuba, where some of it is explicitly prohibited:

12 iPods, 11 BlackBerry Curve smartphones, three MacBooks, six 500-gigabyte external drives, three Internet satellite phones known as BGANs, three routers, three controllers, 18 wireless access points, 13 memory sticks, three phones to make calls over the Internet, and networking switches.

And it explains what it was that finally got Gross arrested: his importation of a “discreet” SIM card that would make it impossible to track satellite phone transmissions.

On his final trip, he brought in a “discreet” SIM card — or subscriber identity module card — intended to keep satellite phone transmissions from being pinpointed within 250 miles (400 kilometers), if they were detected at all.

The type of SIM card used by Gross is not available on the open market and is distributed only to governments, according to an official at a satellite telephone company familiar with the technology and a former U.S. intelligence official who has used such a chip. The officials, who spoke on condition of anonymity because of the sensitivity of the technology, said the chips are provided most frequently to the Defense Department and the CIA, but also can be obtained by the State Department, which oversees USAID.

So Gross was arrested for trying to make sure a subset of Cuba’s population could access the Internet in privacy.

Back when Alan Gross was “convicted,” the White House officially condemned the decision, as they’ve condemned his treatment repeatedly since.

Alan Gross has been unjustly detained and deprived of his liberty and freedom for the last 14 months. Instead of releasing Mr. Gross so he can come home to his wife and family, today’s decision by Cuban authorities compounds the injustice suffered by a man helping to increase the free flow of information, to, from, and among the Cuban people.

We remain deeply concerned for Mr. Gross’ well being and that of his family and reiterate our call for his immediate release.

Gross’ case would make you think the government inherently valued secure Internet communication.

But compare their treatment of Gross with the treatment they’ve given Jacob Appelbaum, the Tor researcher who they’ve treated like a suspected terrorist.

Tor, like the communications equipment Gross was installing, makes it easier for dissidents and other members of civil society to communicate freely.

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor’s hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organization.

And like Gross, Appelbaum has traveled internationally to help foster such private communications. If you follow him on Twitter, you can even see him tracking and responding to attacks on secure networks in the Middle East.

So if Administration expressions of concern about the free flow of information were sincere, you’d think they’d be celebrating Appelbaum’s efforts.

Instead, partly because of his ties to WikiLeaks, they routinely harass him. Not only have they subpoenaed his Twitter IP information and a slew of other data as part of their WikiLeaks investigation, but every time he returns to the country, they temporarily detain him.

FBI Director Mueller Boasts of FBI’s Cyber Expertise before Anonymous Hacks Cyber Call

As you may have heard, Anonymous hacked into and released a conference call between the FBI and Scotland Yard discussing their efforts to crack down on the hackers’ group.

What makes the hack all the more ironic is its release comes just days after Robert Mueller bragged of the FBI’s cyber expertise at the Threat Assessment hearing on Tuesday (the actual call took place on January 17, which makes me wonder whether they have gotten subsequent calls as well). In response to MD (and therefore NSA’s) Senator Barbara Mikulski’s suggestion that the NSA was the only entity able to investigate cybercrime, Mueller insisted (after 2:01) the FBI can match the expertise of NSA. He even bragged about how important partnering with counterparts in other countries–like Scotland Yard–was to the FBI’s expertise.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

I don’t want to sell the FBI short or anything. But regardless of their expertise in investigating cybercrimes, it sure seems like they’ve got the same crappy security the rest of the Federal government has.