The hackers and engineers of Y Combinator are doing what hackers and engineers do to any industry, they’re efficiently and ruthlessly disrupting the traditional model of venture capital and are going to destroy far more more wealth for their contemporaries than they create for themselves, as broadband did to entertainment, Craigslist did to newspapers, and Amazon did to traditional retailers.

– WordPress founder Matt Mullenweg

AllThingsD.com

Yet now that the attacks have subsided, it’s time to see them for what they are: Nothing more than a blunt instrument that accomplishes nothing constructive.

As of today, only one of the Web sites attacked by the hacker troupe Anonymous is still apparently affected, and that belongs to the Universal Music Group recording label. It currently displays only a message saying “The Site is under maintenance. Please expect it to be back shortly.” Others that had been attacked yesterday, including the sites of the U.S. Department of Justice, the Recording Industry Association of America and the Motion Picture Association of America all seemed to be operating normally.

Thursday’s attacks, which have been described as the biggest action yet organized by Anonymous, were launched in apparent revenge for the FBI’s arrest of several people associated with the file-sharing site Megaupload.com over suspicions of online piracy. Taking place against the backdrop of a wider, more civil protest against anti-piracy legislation currently before the U.S. Congress, the atmosphere around the attacks has been politically charged.

As Molly Wood of CNET put it, the #OpMegaUpload attacks — coming as they did on the heels of Wednesday’s peaceful anti-SOPA protest — seem like an “unsettling wave of car-burning hooligans that sweep in and incite the riot portion of the play,” spurring equally unsettling reactions from the powers that be.

Many outlets have portrayed the attacks as “hacks,” implying that someone had picked a lock in order to commit some kind of sabotage. But the tactic used — a distributed denial-of-service (DDoS) attack — is more aptly compared to a blunt instrument, requiring neither skill nor knowledge, only large numbers of willing participants who team up to swarm a site with more requests than it can accommodate and thus overwhelm its ability to function normally.

The adjective “willing” is debatable, and perhaps inaccurate. Anonymous was able to generate such impressive numbers with the operation — it claimed more than 5,000 participants — by spamming a link in chat rooms and via Twitter that, when clicked, triggered a tool used to launch the attack. People tricked into following the link are given no context or information, and so may or may not have any idea that they’re participating in the execution of a crime.

For the record, it is illegal in the U.S., the U.K., Sweden and other countries to launch and participate in a DDoS attack like the one Anonymous organized. As anyone who has observed the evolution of Anonymous (and its various affiliates using the names LulzSec and AntiSec) should know, the FBI arrested 16 people last July, many of them charged with participating in a DDoS attack against PayPal in protest of its shutting down an account used by WikiLeaks.

In 2009, a New Jersey man was sentenced to a year and a day in prison for launching a DDoS attack against the Church of Scientology. And in 2010, a 23-year-old Ohio man was sentenced to 30 months in prison for launching DDoS attacks against several prominent U.S. conservatives, including the author Ann Coulter, former New York City mayor Rudolph Giuliani and Fox News commentator Bill O’Reilly.

Records like that suggest to me that DDoS attacks never accomplish anything that the people who organize and carry them out attempt to do. At most, they inconvenience the people who visit and operate the targeted sites for a few hours, until the attention spans of the attackers shift elsewhere. They also generate headlines that are forgotten by nearly everyone except the targets, and sometimes law enforcement.

And so it will be this time. Mark your calendars, because the Megaupload revenge attacks will spur a series of arrests later this year. Some of those arrested will be people who didn’t know they were committing a crime. And that certainly won’t help Anonymous’ image. Nor will it further a single bit of what passes for the Anonymous agenda.

I wrote then:

“The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.”

Part of these predictions or ruminations or whatever you care to call them makes me think of the hijinks of the group that started out in the spring variously known as LulzSec, Anonymous and later adopted the moniker AntiSec. This loosely affiliated group emerged from the wake of the various attacks against Sony, and seemed to have nothing to prove but that it could make mincemeat out of whatever security measures had been put in place by Sony or whatever video game outfit it had targeted on a given day.

Sony’s Playstation Network was a favorite target, and its service was at least partially offline during two months ended in July.

Then, as summer dawned, the group’s members became aware of global politics and teamed up with Anonymous, the Wikileaks-allied band of hackers known for their campaigns of digital civil disobedience. Together they declared “immediate and unremitting war” on governments and corporations, and said their top priority would be to steal and leak any classified government information, including but not limited to email and documentation. They attacked an Arizona police agency as a way of making a statement against anti-immigrant laws in that state, and published the names and home addresses of several officers.

Later they sought to earn some street cred by stealing “secret” documents from NATO, only to learn after the fact that the documents they released had not only been released before, but weren’t even really all that secret to begin with. It wasn’t long before alleged members of the group started showing up in handcuffs, which seemed not to faze them. The prospect of body bags and real-world violence during a confrontation with Mexican drug cartels, however, did.

Yet for all the headlines they garnered and the headaches they caused, the LulzSec/Anonymous/AntiSec gang wasn’t anywhere near the scariest thing to appear on the computer security landscape in 2011. To my mind, one of the top three scariest things was the disclosure of Operation Shady RAT, which Intel-unit McAfee said appeared to be the biggest large-scale compromise ever, affecting 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. McAfee said the attacker was a “state actor,” though it declined to name it. The candidate highest on the short list was, naturally, China.

The second truly scary incident was the attack carried out against RSA Security, a unit of the IT company EMC, the maker of the popular SecurID tokens that so many people have on their keychains and use to create an added layer of security that goes beyond the password. Months later, the U.S. defense contractor Lockheed Martin was attacked with duplicate SecurID tokens.

Finally, the Stuxnet Trojan (used by parties officially unknown, but probably Israel with a little help from the U.S.) continued to fascinate and confound security researchers in 2011. Having caused nuclear centrifuges in Iran to explode in an attempt to set back that country’s nuclear weapons research program, Stuxnet was found to have a sibling called Duqu. Unlike Stuxnet, which messed with industrial control computers and made them do things they wouldn’t normally do, Duqu’s mission was much simpler: Steal everything in sight.

And after that, it was discovered by researchers at Kaspersky labs that Stuxnet and Duqu are part of an even bigger family, with at least three more siblings still undetected by researchers, and that all five were created by the same people and with the same tools. Chances are we’ll see at least a few of those final three in 2012, particularly as tension with Iran heats up.

So while there was much to consider scary happening on the Internet in 2011, I’m grateful for being wrong on one key prediction: That we didn’t see a significant computer attack used to physically harm innocent people on a large scale. That’s one prediction I hope to miss for years to come.

Identity Finder, a New York-based identity theft protection firm, has analyzed the information breached and summarized what the attackers appear to have made off with.

• 50,277 unique credit card numbers, of which 9,651 are not expired
  
• 86,594 email addresses, of which 47,680 are unique
  
• 27,537 phone numbers, of which 25,680 are unique

• 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
• 73.7 percent of decrypted passwords were weak
• 21.7 percent of decrypted passwords were medium strength
• 4.6 percent of decrypted passwords were strong
• Average decrypted password length: 7.1 characters
• 10 percent of decrypted passwords were less than 5 characters long
• Only 4.8 percent of decrypted passwords were 10+ characters long
• Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
• 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world

There are also an additional 2.7 million email messages that the attackers claim to have taken, but that have not yet been released.

Stratfor has promised to inform the customers whose information was taken no later than Dec. 28, which is tomorrow. Anonymous, ever seeking to justify its actions in the name of some higher moral purpose, said in a tweet that Stratfor, which sells subscriptions to its intelligence analysis reports to government, law enforcement agencies and businesses, isn’t “the harmless company it tries to paint itself as,” and that the emails will show that.

@techwriterjim It was conducted by #Antisec. Stratfor is not the “harmless company” it tries to paint itself as. You’ll see in those emails.

December 27, 2011 10:27 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Whatever. Wired reported that someone who participated in the attack said that a total of four servers were breached, and the data on them wiped. The question that then logically arises is this: What was a firm that’s ostensibly in the business of advising business and government clients on security doing about its own?

Some people claiming to represent Anonymous — the lines and affiliations are always difficult to discern — said that the information taken in the attack included user names and passwords of some Stratfor subscribers, plus another 200 gigabytes worth of other data.

Stratfor founder George Friedman confirmed the attack in an email to subscribers; I received it because I’ve been an intermittent Stratfor subscriber over the years. Here’s Friedman’s email:

Dear Stratfor Member,

We have learned that Stratfor’s web site was hacked by an unauthorized party. As a result of this incident the operation of Stratfor’s servers and email have been suspended.

We have reason to believe that the names of our corporate subscribers have been posted on other web sites. We are diligently investigating the extent to which subscriber information may have been obtained.

Stratfor and I take this incident very seriously. Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me. We are working closely with law enforcement in their investigation and will assist them with the identification of the individual(s) who are responsible.

Although we are still learning more and the law enforcement investigation is active and ongoing, we wanted to provide you with notice of this incident as quickly as possible. We will keep you updated regarding these matters.

Sincerely,
George Friedman

And here’s an update to Stratfor subscribers, from Dec. 25:

Dear Stratfor Member,

On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor’s “private clients.” Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications.

We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events. Details regarding the services to be provided will be forwarded in a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.

In the interim, precautions that can be taken by you to minimize and prevent the misuse of information which may have been disclosed include the following:

- contact your financial institution and inform them of this incident;
- if you see any unauthorized activity on your accounts promptly notify your financial institution;
- submit a complaint with the Federal Trade Commission (“FTC”) by calling 1-877-ID-THEFT (1-877- 438-4338) or online at https://www.ftccomplaintassistant.gov/; and
- contact the three U.S. credit reporting agencies: Equifax (http://www.equifax.com/ or (800) 685-1111), Experian (http://www.experian.com/ or (888) 397-3742), and TransUnion (http://www.transunion.com/ or (800) 888-4213), to obtain a free credit report from each.

Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Checking your credit reports can help you spot problems and address them quickly.

To ease any concerns you may have about your personal information going forward, we have also retained an experienced outside consultant that specializes in such security matters to bolster our existing efforts on these issues as we work to better serve you. We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures.

We are also working to restore access to our website and continuing to work closely with law enforcement regarding these matters. We will continue to update you regarding the status of these matters.

Again, my sincerest apologies for this unfortunate incident.

Sincerely,
George Friedman

Then came reports that whoever had taken the information — which included credit card numbers — had used the numbers to make donations in the name of the hacking victims. Here’s a link to what is said to be a screen grab following just such a donation to CARE by an employee of the Defense Intelligence Agency.

While some might applaud the apparent cleverness of Anonymous’s “steal from the rich, give to the poor” attitude, it’s unlikely that the charities in question will ever see a dime of the money that’s been “donated” to them. As Mikko Hypponen of F-Secure pointed out here, once the credit cards in question are reported stolen, the charges will be reversed and the charities will more than likely be on the hook for any fees or penalties that result.

As is often the case with a headline-making attack carried out in the name of Anonymous, there followed a series of claims and counterclaims as to whether or not this was an “official” Anonymous attack, or just the work of someone falsely claiming the Anonymous cloak. There was, for instance, this “emergency press release,” claiming that the attack on Stratfor was “most definitely not the work of Anonymous”:

Following that, Anonymous tweeted, via its semi-official Twitter account @AnonymousIRC, that it “laughed so hard” in response to that message — essentially saying it’s a fake. The group has hinted that it is going to be busy over the next several days.

RT @FiloSottile: “Anonymous denies involvement in #STRATFOR hack. http://t.co/cQ1INYlh” | We laughed so hard at this!

December 26, 2011 5:30 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

The break-in at the U.S. Chamber of Commerce is one of the boldest known infiltrations in what has become a regular confrontation between U.S. companies and Chinese hackers. The complex operation, which involved at least 300 Internet addresses, was discovered and quietly shut down in May 2010.

It isn’t clear how much of the compromised data was viewed by the hackers. Chamber officials say internal investigators found evidence that hackers had focused on four Chamber employees who worked on Asia policy, and that six weeks of their email had been stolen.

Read the rest of this post on the original site »

The reason? A scary vulnerability in Java that was detected over the summer, and which Oracle has subsequently fixed, is being exploited by people who create the malware and crimeware that causes so many headaches for home users and corporate IT departments.

The risk is especially acute at large companies with big fleets of desktops and notebooks to manage. If you’re a home user, the patch is easy to install. But most employees don’t have administrative privileges on their work desktops or notebooks, so someone from the IT department has to come and install the patch for them.

That’s a big, time-consuming process, says HD Moore, chief security officer at Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. He’s also the chief architect of Metasploit, which Rapid7 owns.

One of the reasons this particular vulnerability is so bad is that even after it was detected and fixed, it wasn’t fully understood how dangerous it is, Moore says. Crimeware creators somehow figured it out ahead of most security researchers, and started adding code to Web sites designed to take advantage of it. And that’s especially dangerous at this time of the year, when people are shopping online both at home and the office. “It’s kind of like a perfect storm,” Moore told me yesterday. Add to that the fact that many companies have IT staff taking vacation during the holiday season, and the timing couldn’t be worse.

Enterprise is historically bad at patching Java vulnerabilities anyway, because it doesn’t have the same automatic update tools that Windows or Adobe Flash does. “The tools for patching Java aren’t that great,” Moore told me. “A Java update just isn’t treated with the same fervor as a Windows update.”

So how bad is this one? The National Vulnerability Database rates it a 10 out of 10 on the severity scale, and also rates it as “low” on the access complexity scale — meaning it’s really easy for the bad guys to carry out an attack using it.

Security blogger Brian Krebs discovered the vulnerability being “weaponized,” that is, built into the software that computer criminals buy on the black market. For instance, those who have bought something called the Blackhole Exploit Kit, a $4,000 software toolkit used to target Windows machines, are getting automatic updates that include tools to take advantage of the Java vulnerability.

What to do until you can get all your machines updated with the latest version of Java? Simple, really: Disable it and block it at the firewall, until all the machines on the network that need the update have it, Moore says.

Rapid7, incidentally, is a security company on the rise. Just last month it raised a $50 million series C round of funding, led by Technology Crossover Ventures and joined by previous investors Bain Capital Ventures; Tim McAdam, a TCV partner, joined Rapid7′s board.

Printers are Internet-connected devices just like computers. They have their own operating systems and software, and so, in theory, are vulnerable to attacks by hackers just as computers are. There was an old urban myth that in the run-up to the first Iraq War in 1991, hacked HP printers shipped to Iraq were instrumental in shutting down Iraqi radar systems. It wasn’t true — it was published on April 1 of that year by the trade magazine InfoWorld — but the idea stuck, and at least one group of security researchers has been studying the use of Trojans installed into printers.

The Columbia researchers had claimed that a part inside a printer called a fuser, used to dry the ink, could be remotely instructed to overheat, eventually causing paper inside the printer to turn brown and start to smoke.

Conceptually it’s not that different from the Stuxnet attack against the Iranian nuclear research program. The attackers in that case, thought to be Israel with a little help from the U.S., attacked industrial control computers known as SCADA systems that serve as the bridge between typical Windows-based machines and industrial equipment that the SCADA systems control. In the case of Stuxnet, the SCADA systems were controlled — often they have only default passwords or no passwords at all — and the machines they were connected to could be instructed to literally destroy themselves.

Some researchers at the U.S. Department of Energy’s Idaho National Lab did just that in the video below, showing in a controlled environment that a generator could be hijacked over the Internet and made to destroy itself.

But could you do the same thing with a printer? Theoretically, I’d say it’s possible. But in this case, HP says not where its printers are concerned.

Below is an internal HP memo from Vyomesh “VJ” Joshi, the head of HP’s Imaging and Printing Group, that was circulated to employees today.

First off, he says, the fire issue is not true. As noted in the public statement, HP’s printers have a component called a thermal breaker that prevents the fuser from overheating, and it can’t be overcome by a firmware upgrade.

But Joshi also spanks the Columbia researchers for turning to the media and not calling HP first, which is the way security researchers usually operate when they identify a serious vulnerability. There is, he concedes, a vulnerability to malicious firmware modifications, especially on printers that are left unprotected on a network without a firewall running. HP aims to fix that. But usually in these situations, the media doesn’t get called until a fix is ready. “Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available,” he writes.

Joshi’s full memo is below.

From: IPG, Vyomesh Joshi
Sent: Tuesday, November 29, 2011 4:40 PM
Subject: Inaccurate Printer Security Press Coverage

Dear IPG Employees,

As many of you have read today there has been sensational and inaccurate press coverage regarding potential security risks with some HP LaserJet printers. I wanted to make sure you had the most current information and context for this situation. No customer has reported unauthorized access. We have also seen speculation in the media regarding the potential for devices to catch fire due to a firmware change. This claim is inaccurate. We have issued a public statement communicating to customers and partners and refuting inaccurate information.

This information first came to us late last week from a research lab based at Columbia University. As a result, we have identified a specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall or if a malicious effort is made to modify the firmware of the device by a trusted party on the network. Our security team is taking immediate measures to build a firmware upgrade to resolve any potential risk and will be communicating this proactively to customers and partners who may be impacted.

Typically when a security issue is identified, responsible disclosure is followed so that vulnerabilities are not made public until a solution is available. Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available.

We have always taken security very seriously. In fact, HP’s reputation for security continues to be among the highest in the industry. I want to assure you that our security experts are working around the clock to mitigate any potential risk.

We will make every effort to communicate new information as it becomes available.

Regards,

VJ

Gone are the days when you’d get a company-issued BlackBerry and laptop locked down and secured to within an inch of its life. Now, everyone — from the CEO and the board of directors on down to interns — expect to get their corporate email, access to internal corporate networks and documents on their personal iPads, iPhones and Android devices.

IBM today announced a new service aimed at helping IT admins get control of the devices they’re being asked to support. Big Blue calls it IBM Hosted Mobile Device Security, and its capabilities include making sure personal devices comply with corporate security policies, protecting them against malware, tracking user activity and making sure network connections are secured. It’s working with Juniper Networks on the service. And it covers pretty much every smartphone platform you can think of: Apple’s iOS, Android, BlackBerry, Nokia’s Symbian, and Microsoft’s Windows Mobile.

The BYOD — or “bring your own device” — trend is the sort of thing that gives IT administrators night sweats. A Dell Kace survey of 750 IT managers found that 87 percent of companies have employees using some kind of personal device accessing a corporate network. The same survey found that 62 percent of IT admins feel they don’t have the tools to properly manage them all.

Phones get lost, for one thing. A lost phone that can still access confidential information is a liability. And worse, because of the value of information they can store and access, hackers are paying more attention to mobile devices than ever before. A study by IBM projects that the number of software weaknesses that can give a criminal access to data stored on or accessed by a phone or tablet will double this year over 2010. More or less nonexistent as recently as 2006, IBM’s X-Force security unit tracked 15 exploits last year and expects to see more than 30 this year. And malware on the Android platform is also on the rise.

If it sounds like a business opportunity, you’re right. Mobile security companies have been springing up. Lookout Security is one that comes to mind. As mobile devices multiply, especially with younger people just entering the workforce, you can expect to see a lot more activity from companies large and small around making sure they’re secure. As is often the case with IT security, some of that will be wasted effort, because too often security is something you consider only after something bad has happened, not before. But not always.

(Image from Wikipedia.)

In a weird sort of mash-up of villains, one decidedly more evil than the other, a Mexican affiliate of Anonymous Veracruz announced that it was going to start publishing the names and addresses of the cartel’s business associates in response to the kidnapping of an Anonymous member. Anonymous had accused taxi drivers, police officers and journalists of being Zeta “servants.”

Of course, the publication of that information would give an advantage to rival cartels, who would probably have them whacked. According to a report on Stratfor, the Zetas had taken the threat seriously enough that the cartel dispatched its own computer experts to track down the people behind various anti-cartel blogs. A few people have been killed.

Having hassled Sony over the summer, attacked targets as varied as NATO and the U.S. Senate, and posted the addresses of state cops in Arizona, all Anonymous seems to have accomplished is getting some of its lesser members arrested.

TalkingPointsMemo has a pretty good rundown. Basically, it comes down to this: Anonymous didn’t have the stomach for real-world violence.

And with that story — entirely plausible but in this case a lie — a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.

Mr. Patten, a 35-year-old cybersecurity expert who was with the U.S. Air Force before he started working for a consulting firm in Kansas City, Mo., didn’t actually use or sell the data, which he gathered in running a test for the investment firm of its security arrangements. But the ease with which the employee was persuaded to divulge the information points to a troubling trend, security experts and law enforcement officials say.

Read the rest of this post on the original site »

Today, HP presented a new strategy intended to boost its role in the business of supplying IT security to large businesses. With two big shifts hitting the corporate computing environment — cloud computing and scores of worker-selected mobile devices entering the workplace — there are a lot of new security challenges giving CIOs headaches.

“If you look at those trends, they challenge the traditional notions of enterprise security,” says Tom Reilly, HP’s VP and general manager for Enterprise Security Products. “So we want to address those challenges.”

The traditional approach in IT security was to establish strong perimeters around the network and around a company’s computers that could keep bad guys out and let good guys in, and then setting strict rules about what people allowed access can do.

Cloud computing obviates the need for a perimeter, because all the computing resources are, well, in the cloud. They live on some virtualized server in someone else’s data center. And someone who brings their iPhone to the office expects to have the same level of access to the resources they need to do the job. The old models don’t really apply anymore.

Meanwhile, attacks are surging. A study by the Ponemon Institute — which, in fairness, was sponsored by HP’s subsidiary ArcSight — found that cyberattacks against a group of 50 large companies grew by 44 percent last year versus the prior year. The companies in the sample group — all of which had 700 or more users — were hit with a combined 72 successful attacks per week, averaging more than one per company per week. The study also found that the costs to mitigate these attacks went up by 56 percent year over year.

“The bad guys are getting better, but as we change our IT environment we’re giving them more surface area from which to launch these attacks,” Reilly says.

So HP is coming into the picture with what it says is a new approach. It turns out HP has been quietly building up its security bona fides through acquisitions. Last year it paid $1.5 billion to acquire security intelligence firm ArcSight, of which Reilly was CEO. In 2009, it acquired TippingPoint, a network security outfit that came with the $2.7 billion acquisition of 3Com. Another pair of acquisitions, Fortify and SPI Dynamics, both specialize in application security.

HP’s plan is to mix these security capabilities into its Enterprise services offerings, Reilly says. Rather than try to sell each company new firewalls or other stuff, HP can come in and augment whatever security the company is already using with better information about threats and a new set of tools that can see how the company’s infrastructure is being used, not just on-premise, but within cloud-based environments, as well.

The point, Reilly says, is not so much to sell specific new security products to companies, but to take a service-based approach that helps a company get a better handle on the new security troubles it may be facing.

The trouble is that HP hasn’t generally been viewed as a player in the IT security market, and risk-averse CIOs are usually slow to embrace new vendors, because they tend to have long-term relationships with suppliers. But with the nature of the threats changing, HP is apparently hoping to use its status as an established supplier of servers, PCs and other IT products and services, to start a conversation around security with its customers.

There has been a lot of activity around security in the last few years. Intel spent more than $7 billion to acquire the security software firm McAfee earlier this year, and IBM already offers a muscular set of security products and services. It will quickly run into competitors, for sure.

If nothing else, following as it does in the wake of HP’s plans to divest itself of PCs and its mobile device business, a robust security offering is something that enterprise customers are going to expect. If there’s really going to be a new enterprise-centric HP, expect to see more moves like this. Whether or not they’ll work is another matter.

Scotland Yard says it has nabbed two more people that it says are members of the group; one of them is said to be connected to crimes committed under cover of the online identity “Kayla.”

In a statement, police did not release the names of the two men arrested. They are aged 20 and 24, and one comes from the town of Mexborough, while the other comes from Warminster. The arrests were conducted in cooperation with local police and the FBI. In one case, a home was searched and computer equipment taken.

It was the second pair of arrests in as many days. On Thursday, police arrested two others as part of the growing worldwide investigation into the activities of LulzSec and Anonymous.

And yet the hacker crimes continue, seemingly unabated. Anonymous has dubbed today “Texas Takedown Thursday” or #TTT on Twitter. The target: Law enforcement agencies in the state of Texas, in apparent retaliation for the arrests earlier this summer of 16 people said to be associated with Anonymous.

The group says it has leaked about three gigabytes worth of email and other data from private email accounts it says belong to certain police officials in Texas. It also claimed credit for defacing a Web site belonging to the Texas Police Chiefs Association.

It’s the second such targeting of police officers in a particular state. In June, the group went after the Arizona State Police, posting home addresses of officers.

LulzSec and Anonymous, in their various contortions, have had a busy summer. The group and its sympathizers started out making Sony’s existence miserable, on the heels of an attack on the PlayStation network; the attack brought the network down for several weeks.

You’re on the most hostile network in the world. If you can perform business here, you can do it anywhere.

DEF CON attendee Brian Markus on the hacking conference’s public Wi-Fi network.

And these aren’t the kind of cyber attacks carried out by bumbling troublemakers like the LulzSec gang, which make headlines but really only cause a nuisance for companies like Sony. In these cases, networks were compromised by remote access tools — or RATs, as they’re known in the industry. These tools — and they are tools, because they have legitimate uses for system administrators — give someone the ability to access a computer from across the country or around the world. In this case, however, they were secretly placed on the target systems, hidden from the eyes of day-to-day users and administrators, and were used to rifle through confidential files for useful information. It’s not for nothing that McAfee is calling this Operation Shady RAT.

McAfee says the attacker was a “state actor,” though it declined to name it. I’ll give you three guesses who the leading candidate is, though you’ll probably need only one: China.

Dmitri Alperovitch, McAfee’s Vice President, Threat Research, makes a statement in his blog entry on the discovery that should give everyone minding a corporate or government network pause: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.” He further divides the worldwide corporate landscape into two camps: Those who have been compromised and know it, and those who simply don’t know it yet.

This has been a particularly nasty year on the cyber security front. (I hate to say it, but I told you so.) Prior to this, the big attack whose full impact has not yet been fully sized up was the one against the RSA SecureID system, which uses popular keychain devices that create a constantly changing series of numbers that in turn create a second password for access to system resources. They’re widely used in government and military circles and among defense contractors. Google has been a regular target in recent years.

The RSA attack and Operation Shady RAT are examples, Alperovitch says, of an “Advanced Persistent Threat.” The phrase has come to be a buzzword that, loosely translated into English, means the worst kind of cyber attack you can imagine. Unlike the denial-of-service attacks and network intrusions carried out by LulzSec and its ilk, which require only minimal skill and marginal understanding of how networks and servers work, an APT is carried out by someone of very high skill who picks his targets carefully and sneaks inside them in a way that is difficult to detect, which allows access to the target system on an ongoing basis that may persist for years.

How did these attacks happen? Its very simple: Someone at the target organization received an email that looked legitimate, but which contained an attachment that wasn’t. This is called “spear phishing,” and it has become the weapon of choice for sophisticated cyber attackers. The attachments are not what they appear to be — Word documents or spreadsheets or other routine things — and contain programs that piggyback on the targeted user’s level of access to the network. These programs then download malware which gives the attackers further access. This all happens in an automated way, but soon after, live attackers log in to the system to dig through what they can find, copy what they can, and make a getaway — though they often leave the doors unlocked so they can come back for repeat visits.

Alperovitch notes — correctly, to my mind — that the phrase has been picked up and overused by the marketing departments of numerous security companies. His larger point is that too often those attacked in this way refuse to come forward and disclose what they’ve learned, thereby allowing the danger to continue for everyone else.

Alperovitch says that the data taken in Operation Shady RAT adds up to several petabytes worth of information. It’s not clear how it has been used. But, as he says, “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth.” It’s also bad for a target’s national security, because defense contractors dealing in sensitive military matters are often the targets. The best thing that can happen is that victims start talking about their attacks and sharing information with each other so that everyone can be ready for the next one, which is surely coming.

The photo, which appeared on the U.K.-based tech site shinyshiny.tv, is of Jake Davis, an 18-year-old resident of Britain’s Shetland Islands, specifically the island of Yell. The original photo appeared in the Instagram account of a user known as timbr. Update: Timbr turns out to be Tim Bradshaw of the Financial Times.

After reports surfaced suggesting that police may have been tricked into arresting the wrong person, police say they’re certain they have their man.

Davis appeared in a City of Westminster court this morning and was granted bail; he is next scheduled to appear in court on Aug. 30. He faces five charges related to distributed denial-of-service attacks against several sites, including, notably, the U.K.’s Serious Organized Crimes Agency in June.

Using the online handle “Topiary,” Davis had functioned as the group’s spokesman and gave interviews to the media about its activities. The group attracted a great deal of media attention for its numerous attacks against, among others, Sony, PBS, Nintendo, Britain’s National Health Service, the U.S. Senate, the U.S. Central Intelligence Agency, private affiliates of the FBI, and the Arizona Department of Public Safety.

The arrest in the U.K. followed a string of arrests in the United States, in which 16 people have been accused of being involved with the distributed denial-of-service attack against PayPal, the payment unit of eBay. LulzSec had in recent days been organizing a protest against PayPal, encouraging people to kill their accounts with the service.

LulzSec’s Twitter account has been quiet since July 27, the day the arrest was announced. And the Twitter account belonging to Topiary has been wiped of all messages, save for one saying “You cannot arrest an idea.” The Twitter account belonging to AnonymousIRC, the group under whose banner LulzSec briefly operated, included a message of support.

http://bit.ly/obmiaW | Stay strong, @atopiary. We will continue this, as your last tweet is truth. We, the people, silent no more. #AntiSec

August 1, 2011 3:56 am via TweetDeckReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Topiary has a Twitter account, though it appears to have only one Tweet made on July 22.

You cannot arrest an idea.

July 21, 2011 6:02 pm via webReplyRetweetFavorite

@atopiary

Topiary

The arrest occurred as LulzSec and Anonymous jointly urged their supporters to boycott PayPal by closing their accounts and withdrawing any funds held in them and to use competing online money transfer products. PayPal, the payment unit of eBay, was the alleged victim of a series of denial of service attacks late last year for which numerous people in the U.S., U.K. and The Netherlands were arrested last week. The attacks were launched in sympathy for WikiLeaks after the PayPal account through which it accepted online donations was shut down.

“We encourage anyone using PayPal to immediately close their accounts and consider an alternative,” the group said in a statement released via Pastebin, which you can read in full below. “The first step to being truly free is not putting one’s trust into a company that freezes accounts when it feels like, or when it is pressured by the U.S. government.”

Anonymous claimed via its Twitter feed that 35,000 PayPal accounts had been closed.

Received some more information: At least 35.000 PayPal accounts have been closed today, likely much more to come. Proud of you! #OpPayPal

July 27, 2011 8:14 am via TweetDeckReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

A PayPal spokesperson disputed that in an email statement: “We haven’t seen any changes to our normal operations (including account opening and closing).”

Even if Anonymous’ claim of that number of account closures were true, the impact would be minimal. PayPal says it has 100 million active accounts in 190 markets and 25 currencies around the world. A loss of 35,000 accounts would amount to 0.035 percent of the account base, and couldn’t possibly exceed the flow of account terminations in a normal day. At that number, account cancellations can’t possibly be material, so at this point don’t expect any additional statement on the subject from PayPal.

Even so, eBay shares are down about 2 percent today, but I wouldn’t draw any connection between the boycott and its share price. Google, Apple and the Nasdaq itself are all down about 2 percent today.

The hacking group Anonymous claimed via its Twitter feed to have breached servers belonging to NATO, the North Atlantic Treaty Organization military alliance that has largely been responsible for the military defense of Europe since the end of World War II.

So far, three PDF copies of documents the group claimed to have taken in the attack were circulating on a sharing site devoted to PDF documents. Two were marked “NATO Restricted” and appear to have been removed from the PDFCast site.

I haven’t seen the first two, but the Telegraph described one as a working paper on communications systems used by NATO forces in Afghanistan, and was said to include technical and procurement information. A second concerned a plan to outsource communications for NATO forces stationed in Kosovo. If it sounds exciting, then I have some news for you: It’s not.

“Restricted” may sound important. As the Register points out, in the taxonomy of document labels, “Restricted” is for documents of relatively low importance. Anonymous is crowing like it has just broken into a trove of NATO’s deepest secrets. It appears instead they’ve taken some documents relating to relatively mundane workaday operations.

Higher up the scale are documents that get stamped “Confidential,” then “Secret” and then “Top Secret.”

A third document which just emerged via the @AnonymousIRC Twitter feed is a 59-page document concerning NATO security procedures. It is marked “NATO Unclassified” which is actually even lower on the totem pole than “Restricted.” The only restriction is that they’re subject to NATO copyright and can only be released with NATO permission. Not that NATO is going to care very much. This very document has been floating around since 2006.

We are sitting on about one Gigabyte of data from NATO now, most of which we cannot publish as it would be irresponsible. But Oh NATO….

July 21, 2011 3:57 am via Power TwitterReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Hi NATO. Yes we haz more of your delicious data. You wonder where from? No hints, your turn. You call it war; we laugh at your battleships.

July 21, 2011 6:23 am via Power TwitterReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

This one isn’t restricted but ironic: http://t.co/A86jUGX | It describes security procedures within NATO. Well, seems nobody ever read them.

July 21, 2011 7:29 am via Power TwitterReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

NATO issued a statement saying that it is aware of the claim of the breach and is investigating. And it certainly will, but it’s not as if significant alarm bells are likely to be ringing at NATO Headquarters over this, at least not from the documents seen so far, though the group claims to be holding back on releasing some documents it says “most of which we cannot publish as it would be irresponsible.” It promises more releases in the coming days.

Meanwhile, if that weren’t enough, Anonymous and its ally LulzSec jointly taunted the FBI today. Responding to a quote given to National Public Radio in the story below, the groups issued a joint statement saying, “Your threats to arrest us are meaningless.” The statement appears below the radio story.

For those not keeping score, LulzSec is the group that claimed credit for attacking Sony umpteen times, then went on to attack other game companies and the U.S. Senate, then stole emails and other documents from servers belonging to the Arizona State Police. It also stole internal documents from AT&T.

LulzSec in recent weeks claimed it had been absorbed by the larger group Anonymous, but the lines appear to be blurring again, as it is at times active under its own banner. Two people connected to LulzSec’s activities were among 16 arrested in a nationwide FBI operation earlier this week. Fourteen others were arrested in connection with a denial of service attack against PayPal in sympathy with WikiLeaks.

The new statement is in reaction to a statement by an FBI assistant director saying the bureau wants to “send a message” about computer crime. The hacker group’s reaction essentially dares law enforcement to take further action. Something tells me they may get their wish.

The 14 arrested in Alabama, Arizona, California, Colorado, the District of Columbia, Florida, Massachusetts, Nevada, New Mexico and Ohio have been indicted by a federal grand jury in San Jose, California. I’ve embedded the complaint below.

Two others were arrested on similar charges on two separate complaints in Florida. The Florida case concerns the attack on InfraGard, the public-private information-sharing partnership affiliated with the FBI. The New Jersey case concerns the release of confidential documents stolen from AT&T. These would appear to be the first U.S. arrests connected with the LulzSec crew that’s been so active this summer.

Additionally, police in the U.K. arrested another person and police in The Netherlands arrested four more people in connection with the case.

The indictment names 14 people: Christopher Wayne Cooper, 23, a.k.a. “Anthrophobic;” Joshua John Covelli, 26, a.k.a. “Absolem” and “Toxic;” Keith Wilson Downey, 26; Mercedes Renee Haefer, 20, a.k.a. “No” and “MMMM;” Donald Husband, 29, a.k.a. “Ananon;” Vincent Charles Kershaw, 27, a.k.a. “Trivette,” “Triv” and “Reaper;” Ethan Miles, 33; James C. Murphy, 36; Drew Alan Phillips, 26, a.k.a. “Drew010;” Jeffrey Puglisi, 28, a.k.a. “Jeffer,” “Jefferp” and “Ji;” Daniel Sullivan, 22; Tracy Ann Valenzuela, 42; and Christopher Quang Vo, 22. One individual’s name has been withheld by the court, which suggests he or she is a juvenile.

The defendants are charged with conspiracy and intentional damage to a protected computer.

The 14 are accused of carrying out a December distributed denial of service attack against PayPal, the payment site owned by eBay. DDOS attacks are when attackers overwhelm a Web server with fake requests for attention at such a high volume that legitimate users can’t get through.

The group has also claimed responsibility for attacks against Visa, and at one point planned to attack Amazon. Various other factions connected to Anonymous have also attacked Sony and recently claimed responsibility for a hacking attack against the defense contractor Booz Allen Hamilton.

The FBI also made arrests today in the attack on the Web site of InfraGard, a non-profit group affiliated with the FBI itself. Scott Matthew Arciszewski, 21, was arrested today by FBI agents and charged with intentional damage to a protected computer. He’s been charged in the Middle District of Florida and has already appeared in a federal court in Orlando.

The complaint alleges that Arciszewski accessed without authorization the Tampa Bay InfraGard website and uploaded three files, and then Tweeted about it on Twitter.

InfraGard is a public-private partnership for critical infrastructure protection sponsored by the FBI with chapters in all 50 states.

In a related complaint unsealed in the District of New Jersey, the DOJ charged Lance Moore, 21, of Las Cruces, New Mexico with stealing confidential business information stored on AT&T’s servers and posting it on a public file sharing site. Moore is charged with one count of accessing a protected computer without authorization.

According to the New Jersey complaint, Moore, a customer support contractor for AT&T, exceeded his authorized access to AT&T’s servers and downloaded thousands of documents, applications and other files that, on the same day, he allegedly posted on a public file hosting site. That would be The Pirate Bay.

According to the complaint, on June 25, the computer hacking group LulzSec publicized that they had obtained confidential AT&T documents and made them publicly available on the Internet. The documents were the ones Moore had previously uploaded. He faces a maximum penalty of 10 years in prison and a $250,000 fine. Each count of conspiracy carries a maximum penalty of five years in prison and a $250,000 fine.

Here’s the indictment.

Indictment 7.19.11

[Image via Foxnews.com]

I’ve spoken with contacts at three FBI field offices — one here in New York, one in Los Angeles and another in San Francisco. I’m told that in New York search warrants were executed on homes in Brooklyn and in the towns of Baldwin and Merrick on Long Island. A source familiar with the investigation says that IP addresses that have come under scrutiny in the course of the investigation have led agents to search those addresses, but that no arrests have yet been made in New York.

Agents in California have made arrests, though the number and the names of those arrested have not yet been released. Additionally, Fox News is reporting that the FBI made arrests related to the investigation this morning in Florida and New Jersey, and that as many as a dozen people have been arrested in the operation nationwide. Obviously more information will be forthcoming as the situation develops.

The investigation is related specifically to the distributed denial-of-service attacks that were carried out last year and early this year against several companies in the U.S. The attacks were in sympathy with Wikileaks, which had just started disclosing its cache of leaked U.S. diplomatic cables. Visa, the credit card company, was one of its victims.

The group has grown recently as it absorbed another group of hackers calling itself LulzSec, which had harassed Sony in response to its lawsuits against a person who reverse engineered the security on the Playstation gaming console.

Arrests of Anonymous members have previously been reported in the U.K. , in Turkey and in Spain.

Fox has some raw video from the scene where one of the search warrants was executed on Long Island today. It’s below.

[Image and video via Fox News]

After surviving numerous devastating wars throughout history, humanity is well acquainted with war in the physical realm.

But we’re still unfamiliar with the concept of cyberwar. In 1998, John Arquilla, professor at the Naval Postgraduate School, tried to envision it in a piece for Wired Magazine, The Great Cyberwar of 2002, in which a loose coalition of rogue states, terrorist groups and drug cartels team up to prod the United States into a war with China and Russia by knocking out power grids, blowing up chemical plants and causing airliners to collide in midair.

It was fiction, but the scariest fiction is always based in part on plausible fact.

So what exactly would cyberwar look like in the real world?

It’s an important question to answer now, after the U.S. Department of Defense announced last week that it now considers “cyberspace” — an obviously dated word referring to the Internet and networking computer environments, but which has recently regained currency in government circles — a theater of warfare similar to land, sea, air and space.

In a speech this week at the National Defense University in Norfolk, Va., Deputy Secretary of Defense William Lynn announced that the United States now considers attacks on certain computer networks and systems by foreign powers and terrorists as the equivalent of a traditional attack with guns and bombs. It thus reserves the right to retaliate, both in the cyber-realm or with traditional force.

(You can see Lynn’s speech, which runs about 45 minutes, in the video below, courtesy The Pentagon Channel. And below that I’ve embedded the 19-page policy document.)

The striking declaration raises some fundamental questions about warfare, including: What would war in cyberspace look like? How would it be fought? Would those not directly involved in the fighting even know it’s going on or which side is winning? Would we even know who the enemy is?

We have some hints. At its basest level, we know that unknown parties are probing U.S. government and private networks, stealing what they can and leaving the doors unlocked for future visits.

U.S. officials have complained in private and in public about alleged attacks against government networks and those belonging to defense contractors.

Privately and in diplomatic cables, they most frequently blame China, which has always denied any involvement. An April 21 Reuters story citing U.S. State Department diplomatic cables obtained by WikiLeaks showed officials estimating that hackers working for China’s People’s Liberation Army had stolen terabytes worth of information, and that efforts to put down the attacks, dubbed “Operation Byzantine Hades,” were ongoing.

Overall, the Government Accountability Office says that intrusions on government computer networks have climbed from 5,503 incidents in 2006 to 41,776 in 2010.

The examples are numerous.

In March, the SecurID system made by RSA, a unit of storage giant EMC, came under attack. A subsequent attack was launched against defense contractor Lockheed Martin. The same RSA tokens are widely used at government agencies and at innumerable corporations.

In June, Google disclosed that its Gmail email service had come under attack from someone in China, a claim which that country’s government denied.

And just this month several U.S. Department of Energy facilities — including the Pacific Northwest National Laboratory in Richland, Wash. — severed their connections to the Internet following a series of attacks using “Zero Day” vulnerabilities, which exploit previously unknown weaknesses.

All of these incidents seem to scream out the need for a more active defense, which the new policy is intended to create. To date there’s never been a penalty for attacking U.S. government and private networks, in part because it’s hard to hit back when you don’t know precisely who’s hitting you in the first place.

This is known as the attribution problem.

If you’re able to solve that issue, there are some hints about what a retaliation might look like. Consider Stuxnet: A powerful piece of carefully-targeted malware, supposedly designed by Israel, it burrowed deep via Microsoft Windows into the industrial control computers running Iran’s nuclear centrifuges.

With its target located — it was designed to seek out a specific installation — Stuxnet made those centrifuges, which are used to enrich uranium, spin faster than they were supposed to. The resulting damage set the Iranian nuclear program back by two years or more.

That’s not a bad outcome, perhaps, but Stuxnet opened a Pandora’s box. And while experts who have analyzed it closely have said it would have taken a team of highly skilled programmers several million dollars and several months to design it, you can bet that cyberwarriors in every nation on Earth are combing through the Stuxnet code hoping to build their own version of it. All these could conceivably be used against our own power grids and factories and more.

And in an odd way that’s an encouraging thought. Where we might end up is with the digital equivalent of mutually assured destruction.

If we reach a point where we can destroy and disrupt the networks and infrastructure upon which our potential enemies rely and they can do the same thing to us with relative parity, the fear of a devastating reprisal becomes a deterrent to the temptation to launch an attack.

Similar assumptions about nuclear war prevented the Cold War between the U.S. and the Soviet Union from turning hot, and made nuclear war ultimately unthinkable for both sides.

Without electrical power and thus the ability to communicate or conduct commerce, any society breaks down quickly. Consider the thought of six weeks without a working cellphone network, without the ability to access funds in your bank account or without power.

If that scares you — and it should — it should scare our potential enemies just as much, and thus give them pause. That’s the hope, anyway.

d20110714cyber

Yesterday, Booz Allen confirmed that its network had been attacked. On Monday, the hacker group Anonymous announced that it had penetrated Booz Allen’s network and posted to the file-sharing site The Pirate Bay a file containing some 90,000 email addresses of military personnel, plus “password hashes.” A hash is generally an encrypted version of a password, one that can’t be easily reversed to obtain the actual password.

AnonymousIRC is the new name of the gang formerly known as LulzSec. By working under the flag of Anonymous, the LulzSec hackers, who gained notoriety for repeated attacks against Sony, are associating themselves with the amorphous group that has harassed such targets as the Church of Scientology, PayPal and credit card companies. The group is promising at least two more data dumps this week.

Booz Allen downplayed the incident, saying in a statement, “at this time, we do not believe that the attack extended beyond data pertaining to a learning management system for a government agency.” A learning management system (LMS) is used to track the training of workers on the job, and it’s something Booz Allen helps the federal government with regularly. For instance, it works with the Office of Personnel Management to help federal agencies with on-the-job training.

As computer security breaches go, this one probably rates fairly low on the severity scale. It’s not clear from Booz Allen’s statement what the system was used for, or whether it was connected to any sensitive government work.

The larger concern is that military personnel whose addresses have been published in the file will next be targeted for attack via “spear phishing,” in which legitimate-looking email messages are sent to the target, containing attachments that look routine but are really malware that can capture a password. If they know what’s good for them, the folks whose addresses were leaked have changed their passwords and will carefully scrutinize email messages that contain attachments.

There is, however, a pretty good chance that many of the addresses publicized are out of date. Mililtary personnel move around a lot, and their email addresses often change when they move from one facility to another. By chance, I saw this message on Twitter from Phillip Stewart, who’s serving in the U.S. Air Force:

Ha! I just noticed my old Schriever.af.mil email is in the list, but I left Schriever a year ago. @egulley316 @AnonymousIRC #AntiSec

July 12, 2011 10:53 am via webReplyRetweetFavorite

@pmsyyz

Phillip Stewart

Booz Allen shares dipped a bit on the news, falling to $18.95 Monday from its Friday closing price of $19.39, but the shares recovered Tuesday to $19.54. Booz Allen listed its shares on the NYSE last year but is majority-owned by the Carlyle Group.

This isn’t the first time — nor will it be the last — that Booz Allen has been targeted for a cyber attack. A 2008 Businessweek cover story detailed how a legitimate-seeming email, appearing to have come from someone at the Pentagon and addressed to a Booz Allen executive, contained in an attachment malware called “Poison Ivy” that was designed to give the attacker remote control over the target’s PC. The email was traced to a sender in China. It’s incidents like this — which we rarely hear about — that are far more worrying than the ones we do hear about, day in and day out, from the likes of Anonymous.

As product endorsements go, it wasn’t one that CloudFlare CEO Matthew Prince would have sought. Nevertheless, it showed in a very public way that the company was onto something potentially big.

Now we get an idea of how big it might be. CloudFlare has been running so far on a relatively small Series A investment of $2 million from Venrock and Pelion Venture Partners. Today it announced that it has landed a beefy $20 million Series B round, led by New Enterprise Associates, with Venrock and Pelion also participating. Scott Sandell, a general partner at NEA, will join CloudFlare’s board of directors.

NEA has backed companies as varied as Atheros, the wireless chip company now owned by Qualcomm; Fusion-io, the chip-based server storage concern; and Groupon.

So what does CloudFlare do? Webmasters can — for free — point their domain name servers to CloudFlare’s, rather than those operated by their Web hosting provider. The result of that simple change adds the site to CloudFlare’s distributed network, which protects against common attacks by hackers and spammers and makes a site resistant to distributed denial-of-service attacks that typically overwhelm servers and knock sites offline.

CloudFlare evolved out of Project Honey Pot, a nonprofit project that aimed to fight spam by creating a distributed system to find and track spammers and the bots they use to harvest email addresses. Launched in 2004, it was basically a hobby for Prince and the other founders — until the day in 2007 that the Department of Homeland Security called to say it saw real value in the data the project had collected on how fraud is conducted online.

And like Project Honey Pot before it, CloudFlare gets better as more people use it. Hosted in 12 Equinix data centers around the world, it has the computing muscle to keep its customers’ sites online when a server crashes or a hacker with a botnet attacks. Pretty much anyone who operates a Web site can have it up and running in minutes. On top of its free service, CloudFlare offers a Pro account for $20 a month. A more powerful offering aimed at enterprises is coming in the fall, Prince says.

But there’s more to it than just security. It turns out, through an unexpected benefit of programming, that CloudFlare also has a tendency to make sites load faster than they do from their main servers. The initial worry was that adding a layer between the user and the site’s hosting servers would slow things down. Some obsessive attention to the code, intended to prevent that slow-down, had an interesting effect: Sites started loading 30 to 40 percent faster. From these two benefits comes the mantra you’ll hear Prince repeat often: “We help the Internet run faster and safer.”

Did I say CloudFlare is onto something? Prince reckons that about 200 million users visit CloudFlare-protected sites every month. He declined to say exactly how many sites are using CloudFlare, but characterized it as in the tens of thousands. He did say the service is adding roughly 1,000 new customers a day, from small personal sites to huge companies.

So what’s the plan for all that money? To build out CloudFlare’s team and create new services, some aimed at large enterprises, says Prince, who notes that a business-class service is coming soon. “We’ll be adding a lot of new features that our business customers have been asking for,” he says. After that comes the enterprise-class offering.

Beyond that lie some interesting services aimed at making the Web business easier. Case in point: SSL, or Secure Socket Layer, the Web’s primary security technology. “Right now it’s way too hard for Web masters to deploy SSL on their sites, and there are too few sites using it,” Prince says. “We think we can do something important to address that.” Another thing that’s too hard: The looming transition from IPv4 to IPv6. “The solutions that are being provided right now are too complicated, and we can do something about that,” Prince says.

One recent addition was the official election results site for the nation of Turkey, which held its general election on June 12. On the night before the election, its site administrator joined CloudFlare. “The next day we saw a lot of traffic from Turkey,” Prince says. Traffic from 75 million Turkish citizens all hitting “refresh” every few minutes would have brought nearly any Web site down, and at first it looked like a massive new distributed denial-of-service attack coming out of Turkey. “We quickly figured out what it was,” Prince says, “and suddenly we were really proud that we were able to keep that site online while the whole nation was coming through the service.”

In May, Sony started restoring services to many regions with the exception of a few countries, such as Japan. As of tomorrow, the PlayStation Network and Qriocity services will have been restored in all countries, Sony says.

The Japanese electronics giant was the subject of one of the biggest network attacks in history with nearly every one of its online gaming and entertainment properties getting hit, stretching back to March.

Since then, it has been busy conducting an investigation and adding considerable security enhancements to prevent such attacks in the future.

The attacks were reportedly conducted by LulzSec, a hacking troupe, that has targeted a number of gaming companies, including Nintendo, Eve Online and Bethesda Softworks.