I wrote then:

“The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.”

Part of these predictions or ruminations or whatever you care to call them makes me think of the hijinks of the group that started out in the spring variously known as LulzSec, Anonymous and later adopted the moniker AntiSec. This loosely affiliated group emerged from the wake of the various attacks against Sony, and seemed to have nothing to prove but that it could make mincemeat out of whatever security measures had been put in place by Sony or whatever video game outfit it had targeted on a given day.

Sony’s Playstation Network was a favorite target, and its service was at least partially offline during two months ended in July.

Then, as summer dawned, the group’s members became aware of global politics and teamed up with Anonymous, the Wikileaks-allied band of hackers known for their campaigns of digital civil disobedience. Together they declared “immediate and unremitting war” on governments and corporations, and said their top priority would be to steal and leak any classified government information, including but not limited to email and documentation. They attacked an Arizona police agency as a way of making a statement against anti-immigrant laws in that state, and published the names and home addresses of several officers.

Later they sought to earn some street cred by stealing “secret” documents from NATO, only to learn after the fact that the documents they released had not only been released before, but weren’t even really all that secret to begin with. It wasn’t long before alleged members of the group started showing up in handcuffs, which seemed not to faze them. The prospect of body bags and real-world violence during a confrontation with Mexican drug cartels, however, did.

Yet for all the headlines they garnered and the headaches they caused, the LulzSec/Anonymous/AntiSec gang wasn’t anywhere near the scariest thing to appear on the computer security landscape in 2011. To my mind, one of the top three scariest things was the disclosure of Operation Shady RAT, which Intel-unit McAfee said appeared to be the biggest large-scale compromise ever, affecting 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. McAfee said the attacker was a “state actor,” though it declined to name it. The candidate highest on the short list was, naturally, China.

The second truly scary incident was the attack carried out against RSA Security, a unit of the IT company EMC, the maker of the popular SecurID tokens that so many people have on their keychains and use to create an added layer of security that goes beyond the password. Months later, the U.S. defense contractor Lockheed Martin was attacked with duplicate SecurID tokens.

Finally, the Stuxnet Trojan (used by parties officially unknown, but probably Israel with a little help from the U.S.) continued to fascinate and confound security researchers in 2011. Having caused nuclear centrifuges in Iran to explode in an attempt to set back that country’s nuclear weapons research program, Stuxnet was found to have a sibling called Duqu. Unlike Stuxnet, which messed with industrial control computers and made them do things they wouldn’t normally do, Duqu’s mission was much simpler: Steal everything in sight.

And after that, it was discovered by researchers at Kaspersky labs that Stuxnet and Duqu are part of an even bigger family, with at least three more siblings still undetected by researchers, and that all five were created by the same people and with the same tools. Chances are we’ll see at least a few of those final three in 2012, particularly as tension with Iran heats up.

So while there was much to consider scary happening on the Internet in 2011, I’m grateful for being wrong on one key prediction: That we didn’t see a significant computer attack used to physically harm innocent people on a large scale. That’s one prediction I hope to miss for years to come.

Law-enforcement agencies said they are investigating the incidents, which McAfee said have been going on at least since late 2009 but may have started as early as 2007. The company said the attacks, which it dubbed “Night Dragon,” were still occurring.

McAfee said the hackers targeted five multinational firms, but wouldn’t identify the companies by name because some of them are clients. McAfee said it was sharing the findings “to protect those not yet impacted and to repair those who have been.”

Read the rest of this post on the original site »

“Such a transfer, if consummated in its originally contemplated form, will result in the massive disclosure of Huawei’s confidential information to NSN, with irreparable harm to Huawei,” the company claims in its suit. “A large number of Motorola employees, many carrying direct knowledge of Huawei’s confidential information, would become employees of NSN. Huawei hereby sues to obtain preliminary injunctive relief to prevent such harm pending an arbitration under the agreements.”

An unfortunate turn of events for the Motorolae, whose newfound individuality is at least partially the result of the Nokia Siemens deal. Ironic, too, considering Motorola sued Huawei for corporate espionage last year.

I can’t remember a year during which computer security stories jumped so readily from the tech and business pages to the front page.

The year 2010 was bookended by two such cases. It opened with Google’s disclosure that it had come under attack in China, an apparent attempt to penetrate the Gmail accounts of certain activists and journalists.

It ended with the WikiLeaks affair, which stemmed from the alleged theft by an Army private of classified documents stored on a government network.

And let’s not forget in mid-year came the story, as fascinating as it was sobering, of Stuxnet, a computer worm developed by parties unknown–although the smart money is on Israel–that penetrated and ultimately damaged equipment used in the Iranian nuclear program.

Computer hacking–which has for too long evoked images in the public mind-set of teenagers in basements taking digital joyrides–has finally revealed itself to everyone for what it has long been for those in the know: The domain of espionage, sabotage and possibly warfare.

In Google’s case, the attacks upon its systems raised questions about where it draws the line with authorities in Beijing about such matters as freedom of speech. When the attack was first disclosed, Google publicly mulled shutting down its operations in China.

Then in protest, it stopped censoring its search results, giving mainland Chinese access to the same search results available to residents of Hong Kong. Beijing responded by blocking access to Google’s site.

Finally, Google and China came to a new agreement, and Google appeared the loser in the battle of wills.

Computer security is one of those things that companies and governments say they take seriously, but never really seem to get a grip on, judging by the results.

In any case, there is no firewall or software in existence that could have prevented Bradley Manning from stealing the documents that he is alleged to have given to WikiLeaks. As a low-level Army intelligence analyst, he was a trusted insider who had access to this material in the course of his day-to-day job.

So, it was not technology that failed. The failure was one of internal policies that allowed him access to data not relevant to his position.

Any employee of a midsize company can see how wrong that is. Human-resources documents are limited only to those who work in that department. The same is true of people who work in the legal office, business development department and so on.

But it apparently didn’t occur to anyone in government to limit the access to what became the WikiLeaks cache to people who worked only for or closely with the State Department.

If it turns out that thousands of companies are better at protecting their business secrets than the U.S. government is, then it’s not for nothing that the Central Intelligence Agency task force investigating the WikiLeaks affair bears the initials “WTF.”

Something similar was true of Stuxnet. One of the reasons the attackers, whoever they are, succeeded was that they used several so-called “zero day” vulnerabilities in Windows.

These are undocumented weaknesses that hackers save up for special occasions as a way to open a back door into a computer and then insert a troublemaking payload, like a worm. Zero day exploits are a fact of life, and once spotted in the world, they’re usually patched.

The Stuxnet attackers used as many as four zero day exploits as a way to get their worm into targeted computers. Microsoft, to its credit, made short work of fixing them once they came to light.

Even so, the Stuxnet worm burrowed its way from Windows machines into industrial control computers known as SCADA systems, which are widely used to run factories, power plants, pipelines and all sorts of other infrastructure essential to modern life.

The worm was designed to find a specific target: The systems controlling a set of as many as 1,000 centrifuges at the uranium enrichment facility in Natanz, and make them spin faster than they were supposed to.

The ability to attack industrial computers and cause them to do things they’re not supposed to do has been a lingering fear among security experts for years. Researchers at the U.S. Department of Energy in 2007 looked at the potential for attacks on SCADA systems and proved that it was possible to seize control of an electrical generator and then make it destroy itself.

They also found that many of these systems are connected to the Internet for what seem like good reasons: Convenience and cost savings. But these connections have also opened them up to the same kind of attacks that rattled the Iranian facility in Natanz.

Another Stuxnet-like worm, the thinking goes, could be used to bring down a power grid, or poison drinking water, or shut down an oil or gas pipeline. The good news is that such an attack is expensive–Stuxnet, by one estimate, cost $10 million to create–and requires a lot of specialized insider knowledge.

The bad news is that the Stuxnet source code is circulating in the wild for anyone to study. And as the WikiLeaks case shows, there are often insiders willing to take part in criminal schemes.

The other bad news? Securing these systems won’t come cheap.

If history is any judge, there will likely be a barrage of computer security companies that try to spin these incidents into opportunities to make a sales pitch. That’s what security companies do, after all.

But they usually miss the point. How can you plan for a vulnerability you’ve never seen? How can you stop an otherwise trusted insider from abusing their access to sensitive information? Both are fundamentally difficult problems for which there are no easy answers.

Spending money on last year’s security vulnerabilities is like preparing to fight the last war: Circumstances inevitably change, and they certainly will in 2011. New kinds of attacks will arise, and they will catch their targets by surprise.

And the public, like the CIA, will reasonably ask, “WTF?”

The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.

And the events of 2010 point the way to a world where that’s a more realistic scenario than it ever was before.

Or at least they’d like to give that impression.

Said Udi Mokady, co-founder and CEO of Cyber-Ark: “You can install the best security systems in the world, but if your staff do not respect the information they are entrusted with, then the information will definitely go astray–just as the findings of this survey have illustrated.”

Seems there’s a little bit of BOFH (Bastard Operator From Hell) in all system administrators …

To keep you abreast of tech news while he’s away, we’re compiling a daily digest of 10 must-read tech stories. Our Tech 10 appears below.

1. Auction Action: Confirming the expected, Google announced today that it would indeed apply to bid for wireless spectrum in the Federal Communications Commission auction in January, writes Kevin J. Delaney in The Wall Street Journal, adding that if the search giant grabs a wireless license, it could become a provider of mobile phone and Internet services, among other things.
2. Facebook Gets a $60 Million Infusion… Hong Kong mogul Li Ka-shing has invested $60 million in Facebook, reports BoomTown’s Kara Swisher, who notes that the billionaire businessman has the right to invest another $60 million.
3. … And Pulls Back on Privacy: The social-networking site, under siege from Move.On and its own members, as well as from “Landmark Partner” Coca-Cola (which, says Louise Story of the New York Times, is holding off on participating in the social-advertising feature) has announced changes to its new Beacon ad system. Observes Om Malik: “Facebook finally backed down, more or less acquiescing to the demands of those concerned about its seemingly blatant abuse of privacy of its fast-growing user base.”
4. Rise and Fall of Motorola Magnate: Ed Zander, CEO of the electronics manufacturer whose mojo with the Razr cellphone brought the company big gains, is resigning in the face of equally disappointing declines to rival Nokia over the last year, The Wall Street Journal reports. Greg Brown, the company’s president and chief operating officer, will succeed Zander.
5. Sprint Rejects a Suitor: Sprint Nextel has turned down a $5 billion investment offer from Providence Equity Partners and SK Telecom of South Korea in exchange for sacking its management, according to the New York Times.
6. Big Brother Online: Government agencies worldwide are increasingly using the Internet to spy on and conduct cyber attacks on their enemies, according to an annual virtual criminology report by McAfee, writes Jon Brodkin of Network World, noting that the U.S. joins China as one of the biggest employers of Internet espionage.
7. Kiwi Teen in Botnet Probe: New Zealand police have held for questioning a teenager suspected of leading an international cyber-crime group, according to the BBC, which adds that the group allegedly hacked a million computers to steal millions from people’s bank accounts.
8. Publishers Want Web Respect: Launching an effort to bring them more power to say what content search companies may make available, publishers have developed a framework to inform online search engines that certain pages, directories or sites must not be indexed, reports eWeek, noting that supporters of the measure to respect copyright include the Associated Press, Reuters and the Association of American Publishers.
9. Sony Hears On-Demand Demands: Starting early next year, users of Sony’s PlayStation 3 will be able to download high-definition video to their devices, according to Variety, which adds that each download will cost about $1.85.
10. Exploding Cellphone Death Greatly Exaggerated:The Korean quarry worker whose death was blamed on an exploding cellphone was actually killed by a co-worker, who admitted he concocted the story after accidentally hitting his colleague with a drilling vehicle, the Associated Press reports.

Posted by Associate Editor John Sullivan.

To keep you abreast of tech news while he’s away, we’re compiling a daily digest of 10 must-read tech stories. Our Tech 10 appears below.

1. Auction Action: Confirming the expected, Google announced today that it would indeed apply to bid for wireless spectrum in the Federal Communications Commission auction in January, writes Kevin J. Delaney in The Wall Street Journal, adding that if the search giant grabs a wireless license, it could become a provider of mobile phone and Internet services, among other things.
2. Facebook Gets a $60 Million Infusion… Hong Kong mogul Li Ka-shing has invested $60 million in Facebook, reports BoomTown’s Kara Swisher, who notes that the billionaire businessman has the right to invest another $60 million.
3. … And Pulls Back on Privacy: The social-networking site, under siege from Move.On and its own members, as well as from “Landmark Partner” Coca-Cola (which, says Louise Story of the New York Times, is holding off on participating in the social-advertising feature) has announced changes to its new Beacon ad system. Observes Om Malik: “Facebook finally backed down, more or less acquiescing to the demands of those concerned about its seemingly blatant abuse of privacy of its fast-growing user base.”
4. Rise and Fall of Motorola Magnate: Ed Zander, CEO of the electronics manufacturer whose mojo with the Razr cellphone brought the company big gains, is resigning in the face of equally disappointing declines to rival Nokia over the last year, The Wall Street Journal reports. Greg Brown, the company’s president and chief operating officer, will succeed Zander.
5. Sprint Rejects a Suitor: Sprint Nextel has turned down a $5 billion investment offer from Providence Equity Partners and SK Telecom of South Korea in exchange for sacking its management, according to the New York Times.
6. Big Brother Online: Government agencies worldwide are increasingly using the Internet to spy on and conduct cyber attacks on their enemies, according to an annual virtual criminology report by McAfee, writes Jon Brodkin of Network World, noting that the U.S. joins China as one of the biggest employers of Internet espionage.
7. Kiwi Teen in Botnet Probe: New Zealand police have held for questioning a teenager suspected of leading an international cyber-crime group, according to the BBC, which adds that the group allegedly hacked a million computers to steal millions from people’s bank accounts.
8. Publishers Want Web Respect: Launching an effort to bring them more power to say what content search companies may make available, publishers have developed a framework to inform online search engines that certain pages, directories or sites must not be indexed, reports eWeek, noting that supporters of the measure to respect copyright include the Associated Press, Reuters and the Association of American Publishers.
9. Sony Hears On-Demand Demands: Starting early next year, users of Sony’s PlayStation 3 will be able to download high-definition video to their devices, according to Variety, which adds that each download will cost about $1.85.
10. Exploding Cellphone Death Greatly Exaggerated:The Korean quarry worker whose death was blamed on an exploding cellphone was actually killed by a co-worker, who admitted he concocted the story after accidentally hitting his colleague with a drilling vehicle, the Associated Press reports.

Posted by Associate Editor John Sullivan.

In its annual report to Congress, the U.S.-China Economic and Security Review Commission accused China of enlisting engineers and scientists to acquire critical U.S. technology “by whatever means possible–including theft.” Said an official familiar with the report, “What the government cannot get through licit means, they are conducting an aggressive program of industrial espionage to acquire.”

To what end? Why, “cyber attacks” on American infrastructure, of course. Said Commission panelist USSTRATCOM Commander General James E. Cartwright, “I think that we should start to consider that [the sense of disruption and chaos] associated with a cyber attack could, in fact, be in the magnitude of a weapon of mass destruction.”

An unsettling hypothesis to say the least, although to be fair, not every panelist bought it. Said James Lewis from the Center for Strategic and International Studies: “The effect [of a cyber attack is] usually to solidify resistance, to encourage people to continue the fight, and if you haven’t actually badly damaged their abilities to continue to fight, all you’ve done is annoy them, and what many of us call cyber attacks [are] not weapons of mass destruction but weapons of mass annoyance.”