But even a task that never ends has to have a beginning, and more often than not it goes something like this: What do I have that needs to be protected, and how well or not is it protected now? Sometimes the best thing to do is call in someone from the outside to look at it all with fresh eyes. And sometimes the answers can be shocking.

It’s the sort of thing that Rapid7, a fast-growing security firm based in Boston, specializes in. While some security firms are more the cops on the beat, hired to keep things in check based on established rules and policies, Rapid7 is one you call when you want to know how the bad guys will try — and try they will — to get through whatever security measures are already in place.

The firm also owns Metasploit, an open source service that’s essentially an early-warning system about new vulnerabilities. Twice in the last year, new research by Rapid7 — released to the wider world through Metasploit — has caught my attention: Once it was about Java, and the other item was about how the methods employed in Stuxnet could be used to create new ways to attack public infrastructure.

I recently had a chance to ask Rapid7 CEO Mike Tuchen some questions about his company and the interesting role it’s playing in trying to clear up a lot of ambiguity about IT security that so many CIOs find frustrating. My first question was to ask Tuchen to explain from a high level what Rapid7 does.

AllThingsD: Mike, the thing I always think of when I talk to security companies is that the scope of the problem is constantly moving. If I were to use a football metaphor, it would be that the goalposts are always changing. And yet there’s another metaphor that fits as well: That of a medical triage, because once you know you have problems, there’s the matter of determining which one to fix first. What does Rapid7 do to help companies sort all this out?

Tuchen: We think of the security market as breaking out into “front-end” and “back-end” activities. Front-end activities are the assessments we do to proactively answer questions like: What’s my security posture? Where am I strong, and where am I vulnerable? What should I do to become more secure? That’s where we fit. 

Back-end activities are the enforcement and remediation efforts to protect data or networks that typically act in real time in response to threats detected including firewalls, anti-virus applications and so on.

We’re finding that as the threats are constantly growing and changing, there’s a lot of interest in assessment. The reality is that we’re seeing a new breach on average of once per day for the last 18 months or so. So when things are moving that fast, who wouldn’t want to know where their weaknesses are and what are the most important things they need to do to lower the chance of a being one of those companies breached? Our customers are telling us that once they’ve done the assessment, they’re able to set their priorities for the next 12 to 24 months. If you haven’t done an assessment, there’s a good chance you’ll buy a back-end product that doesn’t solve all your problems because you never knew what all the problems were in the first place. That’s how budgets tend to spin out of control.

So one big question around security is around the shift to the cloud. There are still a lot of people who don’t trust systems they can’t touch, but with the cost savings, the shift is looking more real every day. What does that shift mean for you and for your clients?

The first question you have to ask is “what do I have?” It’s kind of self-evident: You can’t secure what you don’t know about. Cloud services can make this trickier by adding another question into the mix: “Where is it?” And it gets even dicier when you take into consideration all the virtual machines that can be turned on and off at will and moved from one physical machine to another. The boundaries get a lot less well-defined. So the first step is discovery: What do you have, where is it, and what controls are in place? 

The next step is determining what types of threats you’re likely to face and figuring out what’s working to head them off and what’s not. After that you put together a strategy for improvement. 

Generally speaking, the best approaches we’ve seen start with basic hardening techniques. You take some concrete actions that are designed to make it more costly and difficult for attackers to establish a beachhead on your systems. Next, you lock down the perimeter as tightly as possible, and train employees to recognize and resist social engineering attacks.

When it comes to assessing the security of cloud offerings and software-as-a-service applications, it’s a matter of getting comfortable with the security that the vendor has in place. Our own experience with this has been pretty bleak. It’s clear that the industry as a whole has work to do there. 

Like what?

Attackers have the advantage right now. Even the largest and most sophisticated companies are getting breached on a regular basis. I think there are three things that need to happen: We need to do a better job of information-sharing about risks, methods, and actors so that companies don’t have to start from scratch. We also need to make security simpler. Right now it’s way too complex, and there are too many products that target specific problems that tend to be important to only the biggest of companies. And even those companies can barely stitch them all together into a coherent solution. For everyone else in the world it’s pretty much impossible to do that.

We’re working on a lot of this. We run an annual conference called UNITED to bring together innovative defenders to share ideas. It stands for “Using New Ideas To Enhance Defense.” We’ve committed $100,000 to sponsor some projects we like to call the “Magnificent7” and there will be no strings attached to the funding.

Washington seems to have finally awakened to the wider IT security threats. We hear a lot of talk coming out of Congress about cybersecurity. What, if anything, do you expect to come out of these efforts?

There are two security bills, SOPA and CISPA, that have gained a fair amount of attention lately. SOPA focuses on the illegal downloading of music, videos, software and other counterfeit goods that affect a wide variety of industries. These are the low-hanging fruit when it comes to online crime.

CISPA focuses on sharing private sector consumer data with the government to protect national security interests. The intent with CISPA is to legally protect private companies when they share consumer information with government and law enforcement entities. This information would not be available to the public at large and is highly scrutinized by privacy advocates. The information would be used to try to protect the country’s critical infrastructure. But if it were to become law, it won’t change the status quo of organizations and consumers fending for themselves when it comes to information security.

Also if they’re passed, they only affect U.S. citizens. These laws will not prevent foreign entities from engaging in piracy or breaching U.S. corporate or civilian assets. Companies will still be under non-stop attacks from persistent adversaries.

You raised a big bunch of funding last fall with a $50 million investment led by TCV. What are you going to do with all that money?

We’ll use it for three major initiatives: First, we’re doubling down on expanding our existing engineering teams. We doubled the team in 2010, nearly doubled it in 2011, and plan to double it again in 2012. Second, we’re accelerating our international expansion. We just hired a regional VP for Europe and are expanding our European and Asia-Pacific operations with new offices in Amsterdam, Hong Kong and Sydney. Finally, we’re looking to acquire terrific companies with passionate teams that want to join forces with Rapid7 to change the security world.

You acquired the Metasploit Project in 2009. How has that deal worked out and what does it say about the companies you may yet acquire? What are your plans for future acquisitions?

Metasploit has been great for Rapid7. We first started thinking about Metasploit when Chad Loder, one of our co-founders, came up with the idea of integrating an existing product with Metasploit. We discussed it with HD Moore, the founder of Metasploit, and he was equally excited about the idea of integrating the products together. In a week or two we had a working prototype. Right then we realized that we’d found something special: A passionate, driven entrepreneur who shared a lot of our vision and values, a product that logically works together with our existing product, a huge and engaged community of expert security insiders and a business that was ready to be commercialized. We asked HD if he’d like to join forces with us, and he agreed. We were able to build a team around HD, and together we’ve built the Metasploit business into a leader in its category. 

In that case we learned that founder and team are critical. It also made it easier to build the rest of the team around HD from the bottom up. Now we’re actively looking for companies that play in markets that make sense for us, and products that have a solid foundation for the future. We haven’t yet found another opportunity that fits all of these areas.

I get that Rapid7 is growing; you’ve got an impressive list of customers that includes Anadarko Petroleum, Teradyne, Liz Claiborne and the U.S. Postal Service. Can you share some basic metric that shows how much you’re growing?

Our revenue for the last seven years is over 90 percent per year, and we’ve grown more than 70 percent in each of the last two years. And we have more than 2,000 customers. We’ve been lucky to be in a market where the demand is increasing because threats are escalating.

There’s an interesting new fundamental thought emerging among computer security companies. The logic goes like this: First, your digital assets are going to be attacked. Second, no matter what preparations you make to defend those assets, a determined attacker is going to find a hole or a method of penetrating your defenses that you didn’t think of.

Most attacks are relatively cheap to carry out, because they’re not that sophisticated. More often than not, attackers copy the methods they use from each other. Attacks are inexpensive, and most attackers have the luxury of limitless time.

The exception is attacks using so-called “zero day” vulnerabilities, where a previously unknown vulnerability, usually in the operating system, is used to gain access to a system. Most — but not all — of the time, once a zero-day vulnerability is seen and documented, the weaknesses it reveals are patched, making it the type of weapon that can be used only once.

As such, zero-day vulnerabilities are often traded on the black market and sold at a high price. For example, when the Stuxnet worm — the malware that was used to attack and sabotage the Iranian nuclear program — was first discovered, security researchers were impressed that it used no fewer than four distinct zero-day vulnerabilities in Microsoft Windows. So many used at once indicated that the cost to carry out the attack was high, leading to the conclusion that only a state-sponsored attacker would have the funds to carry it out. This led to the logical conclusion that either the U.S. or Israel had been behind Stuxnet.

I bring it up because Stuxnet is an example of the conclusion of this new fundamental thought I mentioned at the start. Why not make attacks expensive for the attackers? The early estimates on Stuxnet put its cost at $3 million, and it is believed that it required a team of 10 skilled programmers and as long as six months to develop. It was not a cheap attack. It was expensive.

That’s the idea behind Shape Security, which today announced that it has landed a $6 million Series A round of venture capital funding led by Kleiner Perkins Caufield & Byers and TomorrowVentures, the fund led by Google Chairman Eric Schmidt.

Peter Wagner, a former partner at Accel Partners, as well as executives from LinkedIn, Twitter, and Facebook, will also join the round. Ted Schlein, managing partner at Kleiner Perkins, has joined the board of directors, along with Gaurav Garg, a limited partner at Sequoia Capital and personal investor in the round.

We don’t as yet know a great deal about Shape Security or its intentions. But we do know who’s running it: According to this filing with the U.S. Securities and Exchange Commission, its CEO is Derek W. Smith. Another key exec and director is Sumit Agarwal, the former head of Google’s mobile product management, who in 2010 took a post in the Department of Defense as senior adviser for Cyber Innovation.

Another key exec is Troy Tribe, who appears to be the same person who used to be VP for business development at Solera Networks, which specializes in network-security analytics and forensics.

This is the second time in as many weeks that I’ve noticed a security company talking about changing the economics for attackers. The first was Crowdstrike, which announced that it had hired Shawn Henry from the FBI and landed a $26 million investment from Warburg Pincus. Neither has said yet exactly what you do to make launching a computer attack more expensive. I’m certainly eager to know more.

The company has signed Shawn Henry, the FBI’s former executive assistant director of the Criminal, Cyber, Response, and Service Branch, as the new president of its services subsidiary, CrowdStrike Services. Henry is a 24-year FBI veteran who led some of the Bureau’s biggest cybercrime cases.

Crowdstrike was launched by two veterans of McAfee, the security software concern that’s now a unit of chip giant Intel: George Kurtz, McAfee’s former CTO, and Dmitri Alperovitch, its former Vice President of Threat Research.

Not a great deal has yet been disclosed about Crowdstrike’s approach to security, but in the February 22 blog post announcing the launch of the company, Kurtz explained that, having seen the results of investigations into several high-profile cyber attacks, the current state of security practice is akin to the old French Maginot Line that was intended to keep out the Germans.

Kurtz argued that once you know your enemy — the party that’s attacking you — the key to success in stopping their attacks on your digital assets is to raise the cost of the human-powered portions of their attacks. “The only way to accomplish that is by forcing them to change the way they conduct the human-led parts of their intrusions, such as reconnaissance, lateral movement, identification of valuable assets, and exfiltration,” Kurtz wrote.

Henry did a short video announcing his move, and I embedded it below.

By my scorecard, the article amounts to the first public comment Apple has made on the subject, period. And it’s very interesting indeed, especially in light of all the flak the company had been taking over what appeared, to some eyes, to have been an inadequate response.

First and foremost, Apple says, it is working on software to detect and remove the malware from an infected machine. Secondly, the company says it is working with Internet service providers around the world to disable the servers that are being used as the “command and control” network that’s basically telling compromised machines what to do.

Apparently it’s this effort that has caused trouble for the security outfit Dr. Web, which originally discovered the vulnerability in the first place: In working on shutting down the C&C servers, Apple apparently got servers that Dr. Web had used to track the spread of the outbreak shut down as well, according to this report on Forbes.com.

The vulnerability that allowed the malware to get through in the first place wasn’t in Apple’s Mac OS X itself, but in Oracle’s Java. Apple agrees with me at least with regard to machines running older versions of Mac OS: Disable it.

Anyway, here’s Apple’s article, in its entirety:

About Flashback malware
Summary

A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

Products Affected

Java, Mac OS X 10.6, OS X Lion

A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates.

Apple is developing software that will detect and remove the Flashback malware.

In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.

Additional Information

For Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences.

That remains the reality, even after a bunch of media reports on how a vulnerability in Java has led to the creation of a Mac botnet about 600,000 strong.

Today I’ve been getting calls from people who say something roughly in line with the following: “I thought you said Macs didn’t get viruses? What about this?”

No, I explain, I never said Macs will never get viruses or other Malware. But historically its record versus other platforms compares favorably. As is the case with investment instruments, past results are no guarantee of future performance, and let’s face it, there’s no such thing as a perfectly secured computing platform.

But let’s look closely at the facts around the Flashback Trojan causing all this consternation, and clear up what it is versus what it is not, and put the results of the incident in perspective.

Yes it’s true that some 600,000 Macs are confirmed to have been infected. The claim, first made by Dr. Web, an outfit I had never heard of, has since been corroborated by Kaspersky Labs, whose research and analysis capabilities are well-respected. More than half of the compromised machines are in the U.S., 95,000 in Canada, 47,000 in the U.K., and 41,000 in Australia.

The trojan targets a vulnerability in software that is not even an Apple product: Java. You’ll recall that Java is add-on software created by Sun Microsystems and now the property of the software giant Oracle. Rather common, it is no longer shipped as a default add-on to Apple’s Mac OS X beginning in 2011, when Apple first shipped Lion.

Through this hole in Java, certain Web sites are serving up malicious Java applets. Once inserted on the machine, the software then prompts the user to enter the password they use to run the machine. It attempts to trick the user by appearing as an update to Adobe’s Flash video and animation software.

If the user doesn’t fall for the trick, it tries something else. Here again it checks to see if there are any Microsoft Office applications on the machine, or Skype. If there are, it deletes itself.

Then it does something interesting. It scans the contents of the Mac’s hard drive to determine if certain applications are present, and if they are, it deletes itself. Among those applications are security tools such as Little Snitch, a networking security tool, or Packet Peeper, another security tool. It also deletes itself if it sees the user has installed XCode Mac developers tools, and any kind of anti-virus software.

Presuming it finds none of them, it proceeds to contact a command-and-control server for the purpose of downloading and installing more malware. That malware is being used to commandeer the Macs and generate Web traffic to boost revenue for some pay-per-click ads on Web sites, making money for someone who’s behind the scheme. Nothing surprising there.

Apple has issued a fix to Mac OS X that closes the hole in Java, and you can protect yourself by running Software Update from within your machine’s System Preferences. Today would be a good day to do that if you haven’t already. Once you’ve done this you’re no longer vulnerable to the attack.

If you’re among the 600,000 already compromised you can turn to third parties to help you remove it. F-Secure has some instructions here for determining if your machine is affected. If you’re comfortable running some commands in the Mac’s terminal program, there are also some good instructions here at ArsTechnica.

So what does all this say about the state of security on the Mac? Nothing that wasn’t true already. No system is perfectly secure, and this, along with MacDefender, amounts to exactly the second security incident worth mentioning to hit the Mac in about a year. The number of machines affected is less than 1 percent of the 63 million Macs currently in use around the world.

The conventional wisdom has often held that Macs are targeted by malware less often than Windows machines because of their relatively small market share. This still has some merit, but the fact is that Windows is also where the vulnerabilities are. Historically, Mac OS X has been substantially less vulnerable to this sort of thing than Windows.

Does that let Apple off the hook entirely? No, though to its credit, Apple had a fix ready within a week of learning of this vulnerability. That’s not exactly a pokey response, especially when the problem lies not directly within Apple’s software, but in Oracle’s.

Here’s a thought: Turn off Java in your Web browsers. You probably won’t miss it. Here’s some instructions for that.

Those fears were theoretical for a while. If you could attack the industrial computers controlling nuclear centrifuges and make them explode, as happened in the case of Stuxnet, you could, in theory, use the same approach to attack industrial computers controlling critical infrastructure in the U.S. The only thing needed is knowledge about vulnerabilities lurking in those systems.

The bad news is that, as of yesterday, those vulnerabilities are no longer a theory. The good news is that the good guys found them first.

Yesterday, researchers for a volunteer program called Project Basecamp have discovered three vulnerabilities inside a common model of industrial computer known as a programmable logic controller (PLC). These PLCs basically sit between a regular computer running Windows and a big piece of industrial equipment — say, a pump or a generator or a nuclear centrifuge.

PLCs are part of a larger set of industrial computers known as Supervisory Control And Data Acquisition (SCADA) systems. Security research into SCADA systems has increased dramatically since the revelation of the Stuxnet worm in 2010.

The work was done by researchers at Digital Bond, a security research firm specializing in work on SCADA systems. What they built was a software module called “modiconstux,” which carries out a Stuxnet-like attack on a PLC device called a Modicon Quantum, made by Schneider Electric.

Borrowing techniques learned from the Stuxnet worm, modiconstux does two things: It downloads the current set of instructions the PLC is using — a set of programming commands known as “ladder logic” — giving the attacker the ability to understand what the PLC is doing day in and day out. This is key: If you’re going to hijack a PLC to make the machine it’s controlling explode, you have to first understand the process you’re going to sabotage.

The second thing that modiconstux does is upload new ladder logic. The classic example I think of in explaining this comes from the first public demonstrations of Stuxnet carried out by researchers at Symantec. In that case, a Siemens PLC had been programmed to blow up a balloon by instructing a pump to send a certain amount of air to the balloon and then stop. After being hijacked by Stuxnet, the logic was changed in such a way that the pump didn’t stop, and the balloon popped. Not very menacing, but if you use your imagination, you can see that popping balloon as a metaphor for a lot of very dangerous outcomes.

What’s even scarier than the outcome is the fact that the exploit works without any actual computer hacking having to take place beforehand. Dale Peterson, Digital Bond’s CEO, said the attack works because the PLC is insecure in the first place. There isn’t so much as a password required to download the existing ladder logic, nor to upload the altered ladder logic. And if that PLC is connected to the Internet in any way, it is wide open to attack.

The team also released two other vulnerabilities. One tells the same Scheider Electric PLC to stop, essentially freezing it in place until it can be reset. The third is a vulnerability for a type of PLC device made by General Electric.

The vulnerabilities have been released to the wider world through Metasploit, an open source vulnerability monitoring service that’s owned by Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. Metasploit subscribers can download the exploit code and test it on their own systems, and demonstrate simulated attacks that in all likelihood will scare the heck out of their bosses.

It should also scare the heck out of legislators and policymakers who have talked incessantly about the need to prepare for a “cyberattack.” Chances are, the next time there’s a serious conflict, attacks carried out by way of a computer will be used to sabotage infrastructure, sow confusion, interfere with logistics and so on. Stuxnet proved what could be done, and what to that point had generally been considered only a theory.

Created by parties unknown — though the smart money says it was Israel, with some help from the U.S. — the Stuxnet worm burrowed its way into PLCs at an Iranian nuclear installation, made the centrifuges spin too fast, and caused some of them to explode. The Iranian nuclear enrichment program was thought to be set back by anywhere from one to two years.

Since then, researchers have been on the lookout for the next Stuxnet, assuming that a second worm would be easier to construct. They’ve also been studying the inherent weaknesses in SCADA systems like PLCs. What they’re finding should give us all pause.

The news, released Sunday night in a statement, came after the company received a fresh blow over the weekend when Visa Inc. yanked its seal of approval from the company.

Read the rest of this post on the original site »

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

Read the rest of this post on the original site »

At a meeting in Washington, the Senate Armed Services Subcommittee on Emerging Threats and Capabilities heard testimony from experts that, essentially summarized, goes like this: The attackers already have access to the systems, so rather than try to lock them out, it’s now a matter of managing them, now that they’re in. Just as in the real world, spies are going to get into the country whether you want them to or not. So, knowing that they’re there, it makes more sense to make their day-to-day spying activities as difficult and costly as you can. DOD security practices currently focus on trying to keep intruders out.

“I think we have to go to a model where we assume that the adversary is in our networks,” James Peery, director of the Information Systems Analysis Center at the Sandia National Lab, told legislators, as reported by Threatpost, a blog produced by security firm Kaspersky Labs. “They’re on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

The hearing echoed some things we’ve been hearing on the security front from the likes of Art Coviello, the EMC vice president and former CEO of RSA Security, who spoke to AllThingsD recently.

Current practice calls for perimeter-based defenses that aim to put a defensive ring around a network to keep intruders out. That thinking is out of date and in need of a significant rethink, the panelists said. It should be noted that most of the agencies represented at the hearing were doing what government executives usually do when they go before the U.S. Senate: Jockeying for more funding.

That is, except for one agency: Michael Wertheimer, director of research and development at the super-secret National Security Agency (NSA), an agency whose budget is classified to begin with, said that current levels are sufficient, but that money needs to be spent more wisely. Then again, the NSA just built a massive data center in the Utah desert, which didn’t exactly come cheap.

You can watch a video of the 81-minute hearing here.

I’m working on getting copies of the criminal complaints, and will add them here when I do, but here’s the rundown: It looks like one of the group’s insiders got caught and probably made some kind of misstep in covering his tracks, and then worked secretly with the government to inform on other members. This is exactly what I said was likely to happen in this case, way back in June.

According to Fox, the one who turned is a New Yorker named Hector Xavier Monsegur, who worked under the handle Sabu. He’s 28 years old and the father of two, and lives on the Lower East Side of Manhattan. This is his Twitter feed. He’s been a cooperating witness since June, which coincides nicely with the moment when the first rumors started to emerge that the FBI had penetrated the group.

Fox says that according to documents that will be unsealed in a New York federal court today, Monsegur pleaded guilty in August to several hacking-related crimes. His cooperation led to charges against five more people in Chicago, the U.K. and Ireland. Among them is Jake Davis, the 18-year-old resident of the Shetland Islands, who went by the handle Topiary, and whom police in the U.K. collared on Aug. 1.

The other four are Ryan Ackroyd, who went under the handle “Kayla.” He’s a Londoner. Two people from Ireland were also charged: Darren Martyn, whose handle was “pwnsauce,” and Donncha O’Cearrbhail, who called himself “palladium.” Jeremy Hammond of Chicago went by the handle “Anarchaos.”

The news makes the following tweet by Monsegur, a.k.a. Sabu, seem sort of ironic. Among his final tweets, before word emerged that he had helped turn in his comrades, were several railing against informants and other “cowards.” Clearly, he was keeping up a brave public face:

Without informants or companies bending over+giving up their customer data the feds would be further behind than they are now. Ride up.

March 5, 2012 7:59 am via Twitter for BlackBerry®ReplyRetweetFavorite

@anonymouSabu

The Real Sabu

Anonymous, the wider hacker group with which LulzSec teamed up last year, was quick to urge its followers to block Sabu’s Twitter account.

@anonymouSabu is now controlled by feds. We have blocked the account and we suggest you do as well. #BlockAnonymouSabu

March 6, 2012 10:38 am via TweetDeckReplyRetweetFavorite

@anonops

AnonOps

Hammond, the one in Chicago, was said to be the one who led the hack against the private intelligence company Stratfor. He was profiled by Chicago Magazine in 2007 and portrayed as something of a digital Robin Hood.

Ackroyd is said to be the one who found the weaknesses in the servers of the U.S. Senate that led to its being attacked in June. Hacking federal computer systems is considered a serious crime in the U.S., but is something that LulzSec said, in the posting to Pastebin at the time, that they carried out “just for kicks.”

Update: So the US Attorney’s Office in New York has issued its press release confirming most of what Fox reported. Here it is.

Six Hackers in the United States and Abroad Charged for Crimes Affecting Over One Million Victims

Four Principal Members of “Anonymous” and “LulzSec” Charged with Computer Hacking and Fifth Member Pleads Guilty; “AntiSec” Member also Charged with Stealing Confidential Information from Approximately 860,000 Clients and Subscribers of Stratfor

U.S. Attorney’s Office March 06, 2012

Five computer hackers in the United States and abroad were charged today, and a sixth pled guilty, for computer hacking and other crimes. The six hackers identified themselves as aligned with the group Anonymous, which is a loose confederation of computer hackers and others, and/or offshoot groups related to Anonymous, including “Internet Feds,” “LulzSec,” and “AntiSec.”

RYAN ACKROYD, a/k/a “kayla,” a/k/a “lol,” a/k/a “lolspoon”; JAKE DAVIS, a/k/a “topiary,” a/k/a “atopiary”; DARREN MARTYN, a/k/a “pwnsauce,” a/k/a “raepsauce,” a/k/a “networkkitten”; and DONNCHA O’CEARRBHAIL, a/k/a “palladium,” who identified themselves as members of Anonymous, Internet Feds, and/or LulzSec, were charged in an indictment unsealed today in Manhattan federal court with computer hacking conspiracy involving the hacks of Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service (“PBS”). O’CEARRBHAIL is also charged in a separate criminal complaint with intentionally disclosing an unlawfully intercepted wire communication.

HECTOR XAVIER MONSEGUR, a/k/a “Sabu,” a/k/a “Xavier DeLeon,” a/k/a “Leon,” who also identified himself as a member of Anonymous, Internet Feds, and LulzSec, pled guilty on August 15, 2011 in U.S. District Court to a 12-count information charging him with computer hacking conspiracies and other crimes. MONSEGUR’S information and guilty plea were unsealed today. The crimes to which MONSEGUR pled guilty include computer hacking conspiracy charges initially filed in the Southern District of New York. He also pled guilty to the following charges: a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of California related to the hacks of HBGary, Inc. and HBGary Federal LLC; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Central District of California related to the hack of Sony Pictures Entertainment and Fox Broadcasting Company; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Northern District of Georgia related to the hack of Infragard Members Alliance; and a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of Virginia related to the hack of PBS, all of which were transferred to the Southern District of New York, pursuant to Rule 20 of the Federal Rules of Criminal Procedure, in coordination with the Computer Crime and Intellectual Property Section (“CCIPS”) in the Justice Department’s Criminal Division.

Late yesterday, JEREMY HAMMOND, a/k/a “Anarchaos,” a/k/a “sup_g,” a/k/a “burn,” a/k/a “yohoho,” a/k/a “POW,” a/k/a “tylerknowsthis,” a/k/a “crediblethreat,” who identified himself as a member of AntiSec, was arrested in Chicago, Illinois and charged in a criminal complaint with crimes relating to the December 2011 hack of Strategic Forecasting, Inc. (“Stratfor”), a global intelligence firm in Austin, Texas, which may have affected approximately 860,000 victims. In publicizing the Stratfor hack, members of AntiSec reaffirmed their connection to Anonymous and other related groups, including LulzSec. For example, AntiSec members published a document with links to the stolen Stratfor data titled, “Anonymous Lulzxmas rooting you proud” on a file sharing website.

The following allegations are based on the indictment, the information, the complaints, and statements made at MONSEGUR’s guilty plea:

Hacks by Anonymous, Internet Feds, and LulzSec

Since at least 2008, Anonymous has been a loose confederation of computer hackers and others. MONSEGUR and other members of Anonymous took responsibility for a number of cyber attacks between December 2010 and June 2011, including denial of service (“DoS”) attacks against the websites of Visa, MasterCard, and PayPal, as retaliation for the refusal of these companies to process donations to Wikileaks, as well as hacks or DoS attacks on foreign government computer systems.

Between December 2010 and May 2011, members of Internet Feds similarly waged a deliberate campaign of online destruction, intimidation, and criminality. Members of Internet Feds engaged in a series of cyber attacks that included breaking into computer systems, stealing confidential information, publicly disclosing stolen confidential information, hijacking victims’ e-mail and Twitter accounts, and defacing victims’ Internet websites. Specifically, ACKROYD, DAVIS, MARTYN, O’CEARRBHAIL, and MONSEGUR, as members of InternetFeds, conspired to commit computer hacks including: the hack of the website of Fine Gael, a political party in Ireland; the hack of computer systems used by security firms HBGary, Inc. and its affiliate HBGary Federal, LLC, from which Internet Feds stole confidential data pertaining to 80,000 user accounts; and the hack of computer systems used by Fox Broadcasting Company, from which Internet Feds stole confidential data relating to more than 70,000 potential contestants on “X-Factor,” a Fox television show.

In May 2011, following the publicity that they had generated as a result of their hacks, including those of Fine Gael and HBGary, ACKROYD, DAVIS, MARTYN, and MONSEGUR formed and became the principal members of a new hacking group called “Lulz Security” or “LulzSec.” Like Internet Feds, LulzSec undertook a campaign of malicious cyber assaults on the websites and computer systems of various business and governmental entities in the United States and throughout the world. Specifically, ACKROYD, DAVIS, MARTYN, and MONSEGUR, as members of LulzSec, conspired to commit computer hacks including the hacks of computer systems used by the PBS, in retaliation for what LulzSec perceived to be unfavorable news coverage in an episode of the news program “Frontline”; Sony Pictures Entertainment, in which LulzSec stole confidential data concerning approximately 100,000 users of Sony’s website; and Bethesda Softworks, a video game company based in Maryland, in which LulzSec stole confidential information for approximately 200,000 users of Bethesda’s website.

The Stratfor Hack

In December 2011, HAMMOND conspired to hack into computer systems used by Stratfor, a private firm that provides governments and others with independent geopolitical analysis. HAMMOND and his co-conspirators, as members of AntiSec, stole confidential information from those computer systems, including Stratfor employees’ e-mails as well as account information for approximately 860,000 Stratfor subscribers or clients. HAMMOND and his co-conspirators stole credit card information for approximately 60,000 credit card users and used some of the stolen data to make unauthorized charges exceeding $700,000. HAMMOND and his co-conspirators also publicly disclosed some of the confidential information they had stolen.

The Hack of International Law Enforcement

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

***

MONSEGUR, 28, of New York, New York, pled guilty to three counts of computer hacking conspiracy, five counts of computer hacking, one count of computer hacking in furtherance of fraud, one count of conspiracy to commit access device fraud, one count of conspiracy to commit bank fraud, and one count of aggravated identity theft. He faces a maximum sentence of 124 years and six months in prison.

ACKROYD, 23, of Doncaster, United Kingdom; DAVIS, 29, of Lerwick, Shetland Islands, United Kingdom; and MARTYN, 25, of Galway, Ireland, each are charged with two counts of computer hacking conspiracy. Each conspiracy count carries a maximum sentence of 10 years in prison.

O’CEARRBHAIL, 19, of Birr, Ireland, is charged in the indictment with one count of computer hacking conspiracy, for which he faces 10 years in prison. He is also charged in the complaint with one count of intentionally disclosing an unlawfully intercepted wire communication, for which he faces a maximum sentence of five years in prison.

HAMMOND, 27, of Chicago, Illinois, is charged with one count of computer hacking conspiracy, one count of computer hacking, and one count of conspiracy to commit access device fraud. Each count carries a maximum sentence of 10 years in prison.

DAVIS is separately facing criminal charges in the United Kingdom, which remain pending, and ACKROYD is being interviewed today by the Police Central e-crime Unit in the United Kingdom. O’CEARRBHAIL was arrested today by the Garda.

The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of New York. The investigation was initiated and led by the FBI, and its New York Cyber Crime Task Force, which is a federal, state, and local law enforcement task force combating cybercrime, with assistance from the PCeU; a unit of New Scotland Yard’s Specialist Crime Directorate, SCD6; the Garda; the Criminal Division’s CCIPS; and the U.S. Attorneys’ Offices for the Eastern District of California, the Central District of California, the Northern District of Georgia, and the Eastern District of Virginia; as well as the Criminal Division’s Office of International Affairs.

The charges contained in the indictment and complaints are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

And here’s the initial indictment on Hector Monsegur, initially filed in the US District Court for the Southern District of New York in August of last year. I’m gathering up documents on the other people charged in this and will share it as I get it.

Monsegur

It has been almost two years since the infamous and mysterious computer worm known as Stuxnet was first detected by a team of researchers in Belarus.

Opinions on this vary, but the worm that is said to have caused explosions at certain nuclear installations in Iran is thought to have set that country’s alleged nuclear energy and weapons ambitions back by as much as two years.

The fascination persists. Although no one has ever taken official responsibility for it — the leading suspects in its creation are Israel and the U.S., acting together or independently — Stuxnet is widely considered to have been the most successful and innovative weapon of digital warfare ever seen.

And though numerous media accounts have, with the help of anonymous sources, filled in some of the narrative around its development, the subject of the covert cyber campaign against the Iranian nuclear program has generally remained outside the attention envelope of mainstream TV audiences.

That will change Sunday night when CBS’s popular television news documentary show “60 Minutes” turns its attention on Stuxnet, and the concept of offensive cyberwar generally.

If you’re not familiar with the particulars of Stuxnet, here’s a brief explanation: It’s a sophisticated worm that experts say required several months and millions of dollars to design. Via long-since-patched vulnerabilities in Microsoft Windows, it is designed to burrow its way into specialized industrial computers called programmable logic controllers, made by the German industrial company Siemens. These PLCs sit between conventional computers and industrial machinery like factory equipment, generators and centrifuges used to create nuclear fuel. PLCs and systems like them are widely used and, in many cases, not well secured, in part because they were never designed to be connected to the Internet.

(I first wrote about it at my last job in 2010 in stories found here and here.)

The story goes that the worm was first introduced to Iran via infected flash drives that were dropped around the outside of certain targeted facilities. The worm was carefully programmed to target a specific installation and to remain inert until it found its target. When it did, it seized control of some 1,000 Iranian nuclear centrifuges at Natanz, about 200 miles south of Tehran. While displaying seemingly normal operating conditions to workers there, the centrifuges were forced to spin out of control and effectively destroy themselves.

In a preview video released today (embedded below), “60 Minutes” correspondent Steve Kroft appears to get a tour of the U.S. Cyber Command, the military nerve center for U.S. cyberwar operations. And, in what’s likely to be considered a not-so-subtle message in certain circles, as you see Kroft getting his tour, it’s hard not to notice the screen behind him. Plus, his host shows a Google Maps image of Iran with lots of orange dots on it.

The report, for which CBS presumably got a lot of cooperation from the Pentagon, comes not long after the Obama Administration officially declared cyberspace as a theater of war. That means, the military can conduct both defensive and offensive operations, and that an attack on certain computer systems by other countries or terrorists is essentially equivalent to an attack against U.S. territory, property and people.

It’s not the first time that “60 Minutes” has tackled the subject of cyberwar. In 2009, it first introduced TV viewers to the concept of using digital weapons to seize control of industrial infrastructure in order to sabotage it, including some once-classified footage of a test at the Idaho National Lab where a generator was destroyed using nothing more than computer code (although the same report contains references to a 2007 power outage in Brazil which Wired has said wasn’t caused by digital saboteurs after all, though CBS has said it stands by its reporting.) Aside from that, CBS’s older report serves as something of a lead-up to tomorrow’s story on Stuxnet.

It will be interesting to see if “60 Minutes” has unearthed anything new on Stuxnet that fills in more of the picture surrounding its development and use. Neither the U.S. nor Israel has ever acknowledged any involvement in its creation or use. But Israeli officials have occasionally been described as “breaking into broad smiles” when asked about the subject. It will also be interesting to see if the program asks any important questions about the state of cyberwar post-Stuxnet. It’s pretty safe to assume that other parties have learned as much as they can about how it was created and how another worm like it might be created again.

What’s impossible to guess is where the next target is.

Update: I added a link above to a Wired story that disputed some of CBS’s reporting on the 2007 Brazilian blackout. In short, Wired says the real cause of that blackout was poor maintenance and not an attack by hackers, although CBS has said it stands by its reporting on that subject.

Here’s the short preview of tomorrow’s “60 Minutes” report.

Anonymous is a handful of geniuses surrounded by a legion of idiots.

– Cole Stryker, an author who has researched the hacker group

It went on to explain some of the circumstances of the attack, a little bit about what data was taken, and then later conceded that at least some of that information was used to launch an ultimately unsuccessful attack against the defense contractor Lockheed Martin.

Last year was a tough one for RSA. Its security tokens, which generate six-digit numbers that act as a second constantly-changing password to help keep intruders out of sensitive computer systems, are the backbone of the security systems of many companies and government agencies.

Art Coviello, the onetime CEO of RSA and now executive vice president of its parent EMC, will be giving a keynote address tomorrow at the annual RSA Security Conference in San Francisco. I thought it might be a good chance to talk with him about the legacy of the attack on RSA, see if there was anything new he could share about what was learned about the attack, and how what happened is shaping RSA’s thinking about the computer security landscape.

AllThingsD: Art, You’ll be speaking at RSA about a year after the infamous attack on your company. How are you approaching the speech, and what are you going to say?

Coviello: Part of what I’ll be talking about is the renewed sense of dedication we have to our mission, our responsibility to customers to regaining and maintaining their confidence. And also applying the lessons learned and sharing them vigorously, not only with our attack, but some of the other attacks that we have privileged insight into. And the bottom line is that we do hope, in the final analysis, that people have more of a sense of urgency in protecting themselves, because the truth of the matter is that we weren’t alone. The theme will be how security has to change from the kind of perimeter defenses that seemed to be dissolving even before our attack, to the requirement for more resilient security based on intelligence that you can get on a more real-time basis. So I’ll be outlining RSA’s vision for intelligence-driven security.

It will be a fairly strong call to action for the industry. We’ve had a great run in creating a trusted digital world, for all its weaknesses and idiosyncrasies. But as you see with trends like the consumerization of IT, we’ve never had a generation of employees and consumers that has been as technology-savvy as we have today, and in many instances they’re getting ahead of the enterprise IT organization’s ability to absorb the technologies they use day in and day out. And that puts an even bigger burden, from a security perspective, on IT organizations. And so they need to manage what they can’t directly control, and secure what they can’t directly control, and that means perimeters are nonexistent. So how do you get the intelligent controls you do have deployed more intelligently, so that even if things are out of reach, they’re not out of your ability to secure them? Our attack did not only raise awareness, but also the action level of people.

The attack that RSA suffered last year caught a lot of people by surprise. For those who haven’t kept track, have there been any new disclosures or information disclosed since, or is there anything new that you’ve learned?

No. And the funny part about it, as with all things in the press, if nothing bad happens, nothing gets written about. To date, there has been only one instance where it has been suggested that the information stolen from us has been used in another attack. And that was Lockheed Martin. And that attack was unsuccessful. There have been no other attacks, and believe me, we have stayed close with law enforcement and other sources, and have run down every one of these that has been reported, and there’s no substantiation of even another attempted attack, let alone a successful one. So we stand by the original decision we made in March, which was to announce that information had been stolen, to announce that you couldn’t launch a direct attack with the information stolen, and that if you took the remediation steps that we advised our clients to take, you’d be fine.

I think — and this is my theory — the attacker thought that they would be able to get in, steal the information they got from us without being caught, and then steal information from others, and combine them. And, quite frankly, because of our quick action in detecting that we were breached and some information stolen, we blew their cover. I can’t think of a reason to explain why they would go to all that trouble and you would only see one instance of a follow-up attack, and that one instance was stopped. And that got lost in all the coverage.

The impression I got was that the attacker seemed to get that this was an attack that was only partially successful, and that whoever it was — the speculation was that it was China — they only got a little of what they had hoped to get, and once detected, the jig was up. Is that more or less how you see it?

I couldn’t put it better than that. And we said that everything we saw pointed to a nation-state, but we never had the smoking gun to point to a particular country as the source of the attack.

So then what happened after the attack was that, since a lot of people and companies and government agencies had put a lot of faith in the RSA dongles and your system to keep people out, there was a bit of a crisis with that faith.

Totally true, let me step in here. That was one of the issues we had to wrestle with when the Lockheed incident happened. Because of the Lockheed thing, people thought we had to issue new tokens to everyone. That was not the case. We continued to stand by the remediation. But we had to recognize the angst and the perception among customers. And that is why we had to offer to replace the tokens. And sure, there were a number of customers who did, but the vast majority did not. No one likes the fact that it happened, but our concern right from day one was for the customers. The proof of the pudding is that our customers are still taking tokens. We’ve lost a negligible number of customers. And, in fact, we’ll be talking this week about some surveys showing that people are still buying tokens.

So you say in your remarks you plan to talk about real-time security intelligence, which is something I’ve talked about with IBM recently. Is real-time intelligence the direction where the entire security industry has to go?

First of all, the NetWitness — and this is another irony in all this — I signed the purchase and sale agreement to purchase NetWitness just a few days before the attack on RSA. And one of the reasons we bought it is that we had it deployed all across EMC. And we viewed it as being very effective in spotting anomalies in network traffic. So the issue today, especially with the porous perimeters that we have, is not whether or not you can or will be breached, because you can be breached. The issue is how fast can you spot it.

The Verizon data-breach report (PDF here) says that more than 90 percent of exfiltrations occur within hours or days of the initial breach. But about 79 percent of breaches aren’t spotted until weeks after they occur. We were able to see the attack in progress, which is why we were able to minimize the information that did get out, and we were within a blink of an eye of stopping the attack altogether. And it was based on this NetWitness technology. But since we acquired it, we have been leveraging it to see not just movements of packets, but to combine with our (Security Event Management) product to not just log information, but ingest all kinds of contextual information. This is unprecedented in security technology and, frankly, IBM doesn’t have it.

And one of the things that I’ll be saying in the keynote is that the age of Big Data has arrived for security, and it has. It is a Big Data problem. If you’re going to be able to spot these attacks in real time and have a resilient security system, as opposed to one that breaks and doesn’t bend, which is what the perimeter defenses do today, then you have to have real-time analytical capability. Only today do we have the storage and analytical capability, and the ability to deploy it at scale. One disadvantage of the attackers is that they are not legitimate. There will always be something in how they get access, or what they do, that will allows us to find them out.

The observation I made in talking with IBM last week is that there are so many new problems and threats emerging that it’s not only difficult to keep track of them, but it’s also hard to filter security vendors who offer conflicting visions and products they all say are a panacea. CIOs are getting confused, and are having a hard time calibrating their priorities. How do they find any clarity these days?

Let me read a line from my keynote: We have to stop being linear thinkers, blindly adding controls on top of failed models. It’s the model itself that is broken. If a vendor is coming to you, saying, “I’ve got this new control, just add it to this uncoordinated silo of controls that already exist,” then they are not doing you much of a service. What we’re advocating is that people double down on some of the qualitative things that have nothing do with technology. So the first element of having what we call an intelligence-driven security system is doing a better job of assessing and managing risk. And I’m going to put a challenge out to the audience, and I’m going to say that no one does this meaningfully, and no one does it well.

So what needs to change?

When I talk about understanding the threats outside-in, as well as inside-out, what I mean is not only understanding what your material assets are, but marrying that knowledge to an understanding of who might attack you, how they might come at you. The next step is getting leverage from the controls that you have. You have to disinvest in some. Let’s face it, 10 or 12 years ago, antivirus signatures numbered in the tens of thousands. Now they number in the tens of millions. How can that make any sense? As soon as you have a signature, someone has a new virus to overcome it. It’s these static models that don’t bend, but break, that have to change. The controls that we have have to be more intelligent.

CIOs, for their part, will be confused and irritated because of the scale of the problem they face — which is deciding which security problems actually affect them, and then prioritizing which ones they’re going to respond to — and hope that what they choose to buy doesn’t break anything already running on their systems.

If any of the above sounds familiar, then the people of IBM would like to have a word with you. Big Blue is getting ever more serious about security as the days go on.

On one hand, it’s some news about a new product — specifically, a new platform dubbed QRadar — that brings to bear something that IBM is exceedingly good at, which is powerful data analytics in sifting through security threats. But, with the platform, IBM is sending an important signal about the strategic importance that security is going to play across its lines of business going forward.

The sad fact facing anyone who’s in charge of fending off the intentions of hackers and other digital miscreants is that, essentially, it’s impossible to comfortably keep up with the changing landscape of security threats. IBM’s approach is to track the latest info on threats in real time and do the analytical work that identifies the ones that actually apply to a given organization. The point is to protect your organization against the threats that are actually worth worrying about.

IBM knows a little something about this: Its various security operations monitor something like 13 billion security incidents every day. If you think that gathering information from that, analyzing it and pouring the results into a product might be worth something, then you get what IBM is trying to do.

Last week, I talked with Brendan Hannigan, the general manager of IBM Security Systems — which is, I’m told, the name of a new IBM business unit that is going to be a big deal going forward, and which is also a creation of IBM’s new CEO, Ginni Rometty. Hannigan told me that IBM will not only bring its analytics capabilities to the security business, but it will combine it with its capabilities in the managed-IT services for which IBM is also universally known.

It turns out that, over the years, IBM has either grown internally or acquired (Hannigan comes from Q1 Labs, which IBM acquired last year) several strong bits of security technology. Now, under the banner of IBM Security Services, those disparate bits will be combined into a single unified offering that spans the enterprise. “The point is to look at security holistically and in a big-picture manner,” Hannigan told me. Doing so, he argues, will give organizations the ability to anticipate attacks before they happen, rather than have to repair the damage after the fact — which, to me, sounds like what the entire concept of security is all about.

That’s the finding of a new research report from the networking concern Juniper Networks. Its 2011 Mobile Threats Report found that the amount of malware created for mobile devices across all operating systems more than doubled in 2011 over the previous year. Juniper said it found nearly 28,500 samples of malware, up from a little more than 11,000 in 2010. Most of them — more than 46 percent, in excess of 13,000 samples — targeted Google’s Android operating system, Juniper said. Another 41 percent targeted the older Java ME operating system.

And what kind of malware was it? Spyware, mostly — stuff designed to capture information and send it on to someone else. More than 63 percent of the malware found could track a phone’s location, collect financial information, and other stuff you’d probably rather your phone didn’t do without you knowing about it. Another 36 percent were Trojans sent via text message. These Trojans run in the background and send text messages to premium-rate numbers the attacker owns, then collect the fees generated for sending the message.

And what about Apple’s iOS? Apple’s tight control on the application ecosystem — the iTunes App store, where all applications have to be approved — has so far given it a pretty good record on security. That doesn’t mean it’s completely out of the woods, Juniper says. Apple doesn’t provide developers with the information they need to create security screening programs that run on the phone itself. That means that if, for some reason, its application-vetting process fails — let’s say some app contains an evil feature that no one notices before it’s too late — there’s no competitive set of third-party security companies providing software to help clean up the mess afterward.

In one example during 2011, a security researcher found a way to upload an unapproved app to iTunes by faking the code-signing process used for approved applications. It proved the point that a chink in Apple’s armor did exist, and Apple later issued a fix.

Juniper predicts that it’s going to get more complicated this year. While Google has started to actively scan applications on its Android Marketplace for malicious code, that only means that third-party app stores will become more attractive targets. And as certain apps become popular across many platforms — think office applications — attackers will go after those in much the same way they did popular applications on the PC. That smartphone you have in your hand may soon be a digital battlefield.

Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers — who appeared to be working in China — penetrated Nortel’s computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.

Read the rest of this post on the original site »

The hackers and engineers of Y Combinator are doing what hackers and engineers do to any industry, they’re efficiently and ruthlessly disrupting the traditional model of venture capital and are going to destroy far more more wealth for their contemporaries than they create for themselves, as broadband did to entertainment, Craigslist did to newspapers, and Amazon did to traditional retailers.

– WordPress founder Matt Mullenweg

AllThingsD.com

Yet now that the attacks have subsided, it’s time to see them for what they are: Nothing more than a blunt instrument that accomplishes nothing constructive.

As of today, only one of the Web sites attacked by the hacker troupe Anonymous is still apparently affected, and that belongs to the Universal Music Group recording label. It currently displays only a message saying “The Site is under maintenance. Please expect it to be back shortly.” Others that had been attacked yesterday, including the sites of the U.S. Department of Justice, the Recording Industry Association of America and the Motion Picture Association of America all seemed to be operating normally.

Thursday’s attacks, which have been described as the biggest action yet organized by Anonymous, were launched in apparent revenge for the FBI’s arrest of several people associated with the file-sharing site Megaupload.com over suspicions of online piracy. Taking place against the backdrop of a wider, more civil protest against anti-piracy legislation currently before the U.S. Congress, the atmosphere around the attacks has been politically charged.

As Molly Wood of CNET put it, the #OpMegaUpload attacks — coming as they did on the heels of Wednesday’s peaceful anti-SOPA protest — seem like an “unsettling wave of car-burning hooligans that sweep in and incite the riot portion of the play,” spurring equally unsettling reactions from the powers that be.

Many outlets have portrayed the attacks as “hacks,” implying that someone had picked a lock in order to commit some kind of sabotage. But the tactic used — a distributed denial-of-service (DDoS) attack — is more aptly compared to a blunt instrument, requiring neither skill nor knowledge, only large numbers of willing participants who team up to swarm a site with more requests than it can accommodate and thus overwhelm its ability to function normally.

The adjective “willing” is debatable, and perhaps inaccurate. Anonymous was able to generate such impressive numbers with the operation — it claimed more than 5,000 participants — by spamming a link in chat rooms and via Twitter that, when clicked, triggered a tool used to launch the attack. People tricked into following the link are given no context or information, and so may or may not have any idea that they’re participating in the execution of a crime.

For the record, it is illegal in the U.S., the U.K., Sweden and other countries to launch and participate in a DDoS attack like the one Anonymous organized. As anyone who has observed the evolution of Anonymous (and its various affiliates using the names LulzSec and AntiSec) should know, the FBI arrested 16 people last July, many of them charged with participating in a DDoS attack against PayPal in protest of its shutting down an account used by WikiLeaks.

In 2009, a New Jersey man was sentenced to a year and a day in prison for launching a DDoS attack against the Church of Scientology. And in 2010, a 23-year-old Ohio man was sentenced to 30 months in prison for launching DDoS attacks against several prominent U.S. conservatives, including the author Ann Coulter, former New York City mayor Rudolph Giuliani and Fox News commentator Bill O’Reilly.

Records like that suggest to me that DDoS attacks never accomplish anything that the people who organize and carry them out attempt to do. At most, they inconvenience the people who visit and operate the targeted sites for a few hours, until the attention spans of the attackers shift elsewhere. They also generate headlines that are forgotten by nearly everyone except the targets, and sometimes law enforcement.

And so it will be this time. Mark your calendars, because the Megaupload revenge attacks will spur a series of arrests later this year. Some of those arrested will be people who didn’t know they were committing a crime. And that certainly won’t help Anonymous’ image. Nor will it further a single bit of what passes for the Anonymous agenda.

I wrote then:

“The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.”

Part of these predictions or ruminations or whatever you care to call them makes me think of the hijinks of the group that started out in the spring variously known as LulzSec, Anonymous and later adopted the moniker AntiSec. This loosely affiliated group emerged from the wake of the various attacks against Sony, and seemed to have nothing to prove but that it could make mincemeat out of whatever security measures had been put in place by Sony or whatever video game outfit it had targeted on a given day.

Sony’s Playstation Network was a favorite target, and its service was at least partially offline during two months ended in July.

Then, as summer dawned, the group’s members became aware of global politics and teamed up with Anonymous, the Wikileaks-allied band of hackers known for their campaigns of digital civil disobedience. Together they declared “immediate and unremitting war” on governments and corporations, and said their top priority would be to steal and leak any classified government information, including but not limited to email and documentation. They attacked an Arizona police agency as a way of making a statement against anti-immigrant laws in that state, and published the names and home addresses of several officers.

Later they sought to earn some street cred by stealing “secret” documents from NATO, only to learn after the fact that the documents they released had not only been released before, but weren’t even really all that secret to begin with. It wasn’t long before alleged members of the group started showing up in handcuffs, which seemed not to faze them. The prospect of body bags and real-world violence during a confrontation with Mexican drug cartels, however, did.

Yet for all the headlines they garnered and the headaches they caused, the LulzSec/Anonymous/AntiSec gang wasn’t anywhere near the scariest thing to appear on the computer security landscape in 2011. To my mind, one of the top three scariest things was the disclosure of Operation Shady RAT, which Intel-unit McAfee said appeared to be the biggest large-scale compromise ever, affecting 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. McAfee said the attacker was a “state actor,” though it declined to name it. The candidate highest on the short list was, naturally, China.

The second truly scary incident was the attack carried out against RSA Security, a unit of the IT company EMC, the maker of the popular SecurID tokens that so many people have on their keychains and use to create an added layer of security that goes beyond the password. Months later, the U.S. defense contractor Lockheed Martin was attacked with duplicate SecurID tokens.

Finally, the Stuxnet Trojan (used by parties officially unknown, but probably Israel with a little help from the U.S.) continued to fascinate and confound security researchers in 2011. Having caused nuclear centrifuges in Iran to explode in an attempt to set back that country’s nuclear weapons research program, Stuxnet was found to have a sibling called Duqu. Unlike Stuxnet, which messed with industrial control computers and made them do things they wouldn’t normally do, Duqu’s mission was much simpler: Steal everything in sight.

And after that, it was discovered by researchers at Kaspersky labs that Stuxnet and Duqu are part of an even bigger family, with at least three more siblings still undetected by researchers, and that all five were created by the same people and with the same tools. Chances are we’ll see at least a few of those final three in 2012, particularly as tension with Iran heats up.

So while there was much to consider scary happening on the Internet in 2011, I’m grateful for being wrong on one key prediction: That we didn’t see a significant computer attack used to physically harm innocent people on a large scale. That’s one prediction I hope to miss for years to come.

Identity Finder, a New York-based identity theft protection firm, has analyzed the information breached and summarized what the attackers appear to have made off with.

• 50,277 unique credit card numbers, of which 9,651 are not expired
  
• 86,594 email addresses, of which 47,680 are unique
  
• 27,537 phone numbers, of which 25,680 are unique

• 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
• 73.7 percent of decrypted passwords were weak
• 21.7 percent of decrypted passwords were medium strength
• 4.6 percent of decrypted passwords were strong
• Average decrypted password length: 7.1 characters
• 10 percent of decrypted passwords were less than 5 characters long
• Only 4.8 percent of decrypted passwords were 10+ characters long
• Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
• 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world

There are also an additional 2.7 million email messages that the attackers claim to have taken, but that have not yet been released.

Stratfor has promised to inform the customers whose information was taken no later than Dec. 28, which is tomorrow. Anonymous, ever seeking to justify its actions in the name of some higher moral purpose, said in a tweet that Stratfor, which sells subscriptions to its intelligence analysis reports to government, law enforcement agencies and businesses, isn’t “the harmless company it tries to paint itself as,” and that the emails will show that.

@techwriterjim It was conducted by #Antisec. Stratfor is not the “harmless company” it tries to paint itself as. You’ll see in those emails.

December 27, 2011 11:27 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Whatever. Wired reported that someone who participated in the attack said that a total of four servers were breached, and the data on them wiped. The question that then logically arises is this: What was a firm that’s ostensibly in the business of advising business and government clients on security doing about its own?

Some people claiming to represent Anonymous — the lines and affiliations are always difficult to discern — said that the information taken in the attack included user names and passwords of some Stratfor subscribers, plus another 200 gigabytes worth of other data.

Stratfor founder George Friedman confirmed the attack in an email to subscribers; I received it because I’ve been an intermittent Stratfor subscriber over the years. Here’s Friedman’s email:

Dear Stratfor Member,

We have learned that Stratfor’s web site was hacked by an unauthorized party. As a result of this incident the operation of Stratfor’s servers and email have been suspended.

We have reason to believe that the names of our corporate subscribers have been posted on other web sites. We are diligently investigating the extent to which subscriber information may have been obtained.

Stratfor and I take this incident very seriously. Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me. We are working closely with law enforcement in their investigation and will assist them with the identification of the individual(s) who are responsible.

Although we are still learning more and the law enforcement investigation is active and ongoing, we wanted to provide you with notice of this incident as quickly as possible. We will keep you updated regarding these matters.

Sincerely,
George Friedman

And here’s an update to Stratfor subscribers, from Dec. 25:

Dear Stratfor Member,

On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor’s “private clients.” Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications.

We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events. Details regarding the services to be provided will be forwarded in a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.

In the interim, precautions that can be taken by you to minimize and prevent the misuse of information which may have been disclosed include the following:

- contact your financial institution and inform them of this incident;
- if you see any unauthorized activity on your accounts promptly notify your financial institution;
- submit a complaint with the Federal Trade Commission (“FTC”) by calling 1-877-ID-THEFT (1-877- 438-4338) or online at https://www.ftccomplaintassistant.gov/; and
- contact the three U.S. credit reporting agencies: Equifax (http://www.equifax.com/ or (800) 685-1111), Experian (http://www.experian.com/ or (888) 397-3742), and TransUnion (http://www.transunion.com/ or (800) 888-4213), to obtain a free credit report from each.

Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Checking your credit reports can help you spot problems and address them quickly.

To ease any concerns you may have about your personal information going forward, we have also retained an experienced outside consultant that specializes in such security matters to bolster our existing efforts on these issues as we work to better serve you. We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures.

We are also working to restore access to our website and continuing to work closely with law enforcement regarding these matters. We will continue to update you regarding the status of these matters.

Again, my sincerest apologies for this unfortunate incident.

Sincerely,
George Friedman

Then came reports that whoever had taken the information — which included credit card numbers — had used the numbers to make donations in the name of the hacking victims. Here’s a link to what is said to be a screen grab following just such a donation to CARE by an employee of the Defense Intelligence Agency.

While some might applaud the apparent cleverness of Anonymous’s “steal from the rich, give to the poor” attitude, it’s unlikely that the charities in question will ever see a dime of the money that’s been “donated” to them. As Mikko Hypponen of F-Secure pointed out here, once the credit cards in question are reported stolen, the charges will be reversed and the charities will more than likely be on the hook for any fees or penalties that result.

As is often the case with a headline-making attack carried out in the name of Anonymous, there followed a series of claims and counterclaims as to whether or not this was an “official” Anonymous attack, or just the work of someone falsely claiming the Anonymous cloak. There was, for instance, this “emergency press release,” claiming that the attack on Stratfor was “most definitely not the work of Anonymous”:

Following that, Anonymous tweeted, via its semi-official Twitter account @AnonymousIRC, that it “laughed so hard” in response to that message — essentially saying it’s a fake. The group has hinted that it is going to be busy over the next several days.

RT @FiloSottile: “Anonymous denies involvement in #STRATFOR hack. http://t.co/cQ1INYlh” | We laughed so hard at this!

December 26, 2011 6:30 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

The break-in at the U.S. Chamber of Commerce is one of the boldest known infiltrations in what has become a regular confrontation between U.S. companies and Chinese hackers. The complex operation, which involved at least 300 Internet addresses, was discovered and quietly shut down in May 2010.

It isn’t clear how much of the compromised data was viewed by the hackers. Chamber officials say internal investigators found evidence that hackers had focused on four Chamber employees who worked on Asia policy, and that six weeks of their email had been stolen.

Read the rest of this post on the original site »

The reason? A scary vulnerability in Java that was detected over the summer, and which Oracle has subsequently fixed, is being exploited by people who create the malware and crimeware that causes so many headaches for home users and corporate IT departments.

The risk is especially acute at large companies with big fleets of desktops and notebooks to manage. If you’re a home user, the patch is easy to install. But most employees don’t have administrative privileges on their work desktops or notebooks, so someone from the IT department has to come and install the patch for them.

That’s a big, time-consuming process, says HD Moore, chief security officer at Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. He’s also the chief architect of Metasploit, which Rapid7 owns.

One of the reasons this particular vulnerability is so bad is that even after it was detected and fixed, it wasn’t fully understood how dangerous it is, Moore says. Crimeware creators somehow figured it out ahead of most security researchers, and started adding code to Web sites designed to take advantage of it. And that’s especially dangerous at this time of the year, when people are shopping online both at home and the office. “It’s kind of like a perfect storm,” Moore told me yesterday. Add to that the fact that many companies have IT staff taking vacation during the holiday season, and the timing couldn’t be worse.

Enterprise is historically bad at patching Java vulnerabilities anyway, because it doesn’t have the same automatic update tools that Windows or Adobe Flash does. “The tools for patching Java aren’t that great,” Moore told me. “A Java update just isn’t treated with the same fervor as a Windows update.”

So how bad is this one? The National Vulnerability Database rates it a 10 out of 10 on the severity scale, and also rates it as “low” on the access complexity scale — meaning it’s really easy for the bad guys to carry out an attack using it.

Security blogger Brian Krebs discovered the vulnerability being “weaponized,” that is, built into the software that computer criminals buy on the black market. For instance, those who have bought something called the Blackhole Exploit Kit, a $4,000 software toolkit used to target Windows machines, are getting automatic updates that include tools to take advantage of the Java vulnerability.

What to do until you can get all your machines updated with the latest version of Java? Simple, really: Disable it and block it at the firewall, until all the machines on the network that need the update have it, Moore says.

Rapid7, incidentally, is a security company on the rise. Just last month it raised a $50 million series C round of funding, led by Technology Crossover Ventures and joined by previous investors Bain Capital Ventures; Tim McAdam, a TCV partner, joined Rapid7′s board.

Printers are Internet-connected devices just like computers. They have their own operating systems and software, and so, in theory, are vulnerable to attacks by hackers just as computers are. There was an old urban myth that in the run-up to the first Iraq War in 1991, hacked HP printers shipped to Iraq were instrumental in shutting down Iraqi radar systems. It wasn’t true — it was published on April 1 of that year by the trade magazine InfoWorld — but the idea stuck, and at least one group of security researchers has been studying the use of Trojans installed into printers.

The Columbia researchers had claimed that a part inside a printer called a fuser, used to dry the ink, could be remotely instructed to overheat, eventually causing paper inside the printer to turn brown and start to smoke.

Conceptually it’s not that different from the Stuxnet attack against the Iranian nuclear research program. The attackers in that case, thought to be Israel with a little help from the U.S., attacked industrial control computers known as SCADA systems that serve as the bridge between typical Windows-based machines and industrial equipment that the SCADA systems control. In the case of Stuxnet, the SCADA systems were controlled — often they have only default passwords or no passwords at all — and the machines they were connected to could be instructed to literally destroy themselves.

Some researchers at the U.S. Department of Energy’s Idaho National Lab did just that in the video below, showing in a controlled environment that a generator could be hijacked over the Internet and made to destroy itself.

But could you do the same thing with a printer? Theoretically, I’d say it’s possible. But in this case, HP says not where its printers are concerned.

Below is an internal HP memo from Vyomesh “VJ” Joshi, the head of HP’s Imaging and Printing Group, that was circulated to employees today.

First off, he says, the fire issue is not true. As noted in the public statement, HP’s printers have a component called a thermal breaker that prevents the fuser from overheating, and it can’t be overcome by a firmware upgrade.

But Joshi also spanks the Columbia researchers for turning to the media and not calling HP first, which is the way security researchers usually operate when they identify a serious vulnerability. There is, he concedes, a vulnerability to malicious firmware modifications, especially on printers that are left unprotected on a network without a firewall running. HP aims to fix that. But usually in these situations, the media doesn’t get called until a fix is ready. “Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available,” he writes.

Joshi’s full memo is below.

From: IPG, Vyomesh Joshi
Sent: Tuesday, November 29, 2011 4:40 PM
Subject: Inaccurate Printer Security Press Coverage

Dear IPG Employees,

As many of you have read today there has been sensational and inaccurate press coverage regarding potential security risks with some HP LaserJet printers. I wanted to make sure you had the most current information and context for this situation. No customer has reported unauthorized access. We have also seen speculation in the media regarding the potential for devices to catch fire due to a firmware change. This claim is inaccurate. We have issued a public statement communicating to customers and partners and refuting inaccurate information.

This information first came to us late last week from a research lab based at Columbia University. As a result, we have identified a specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall or if a malicious effort is made to modify the firmware of the device by a trusted party on the network. Our security team is taking immediate measures to build a firmware upgrade to resolve any potential risk and will be communicating this proactively to customers and partners who may be impacted.

Typically when a security issue is identified, responsible disclosure is followed so that vulnerabilities are not made public until a solution is available. Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available.

We have always taken security very seriously. In fact, HP’s reputation for security continues to be among the highest in the industry. I want to assure you that our security experts are working around the clock to mitigate any potential risk.

We will make every effort to communicate new information as it becomes available.

Regards,

VJ

Gone are the days when you’d get a company-issued BlackBerry and laptop locked down and secured to within an inch of its life. Now, everyone — from the CEO and the board of directors on down to interns — expect to get their corporate email, access to internal corporate networks and documents on their personal iPads, iPhones and Android devices.

IBM today announced a new service aimed at helping IT admins get control of the devices they’re being asked to support. Big Blue calls it IBM Hosted Mobile Device Security, and its capabilities include making sure personal devices comply with corporate security policies, protecting them against malware, tracking user activity and making sure network connections are secured. It’s working with Juniper Networks on the service. And it covers pretty much every smartphone platform you can think of: Apple’s iOS, Android, BlackBerry, Nokia’s Symbian, and Microsoft’s Windows Mobile.

The BYOD — or “bring your own device” — trend is the sort of thing that gives IT administrators night sweats. A Dell Kace survey of 750 IT managers found that 87 percent of companies have employees using some kind of personal device accessing a corporate network. The same survey found that 62 percent of IT admins feel they don’t have the tools to properly manage them all.

Phones get lost, for one thing. A lost phone that can still access confidential information is a liability. And worse, because of the value of information they can store and access, hackers are paying more attention to mobile devices than ever before. A study by IBM projects that the number of software weaknesses that can give a criminal access to data stored on or accessed by a phone or tablet will double this year over 2010. More or less nonexistent as recently as 2006, IBM’s X-Force security unit tracked 15 exploits last year and expects to see more than 30 this year. And malware on the Android platform is also on the rise.

If it sounds like a business opportunity, you’re right. Mobile security companies have been springing up. Lookout Security is one that comes to mind. As mobile devices multiply, especially with younger people just entering the workforce, you can expect to see a lot more activity from companies large and small around making sure they’re secure. As is often the case with IT security, some of that will be wasted effort, because too often security is something you consider only after something bad has happened, not before. But not always.

(Image from Wikipedia.)