Showing posts with label cyber crime. Show all posts
Showing posts with label cyber crime. Show all posts

Wednesday, 23 December 2015

Researchers think that a dangerous 'back door' in software used by the US government was caused by the NSA

Juniper is a hardware manufacturer that makes networking equipment. The internet relies on equipment like this to function.
A backdoor is an intentional hole in a security system that allows someone to get in when they shouldn't be able to. Think of a robber slipping in the backdoor of your house because you never lock it.
Juniper announced that it found a backdoor into its systems that it didn't place there. To continue my analogy above, imagine one day you found a new door into your house that you never knew existed, and that you don't even have a key for.
There is speculation that the NSA was responsible for putting this backdoor into Juniper's system, but nothing concrete yet.

Two "back doors" hidden in security software used by US government agencies and corporations that left them open to attack may have been caused by the NSA, security researchers claim.
Last week, news broke about "unauthorised code" in devices sold by Juniper, which builds firewalls, intended to protect the user from attacks and unwanted intrusions. Wired reports that security consultancy Comsecuris' founder Ralf-Phillipp Weinmann's research indicates that the NSA may be responsible for this - by introducing code that was exploitable by others.

Matthew Green, a cryptography lecturer at John Hopkins University, has come to a similar conclusion. In a blog post also outlining the scale of the vulnerability, he wrote:

To sum up, some hacker or group of hackers attacker noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional -- you be the judge! They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone -- maybe a foreign government -- was able to decrypt Juniper traffic in the U.S. and around the world.

If correct, the NSA likely introduced this back door in order to give them a way to surreptitiously monitor traffic: It allowed them to decrypt otherwise-encrypted data, for a start. But someone else - we don't yet know who - found it, and took advantage.

Juniper has since released patches addressing the vulnerabilities, and is urging customers to upgrade.

This isn't just some abstract theoretical breach. Often, when there's a hack, or leak, or vulnerability, there's no evidence it was ever exploited by anyone other than the security researcher who found it. But in this case, the code was actively put there by an as-yet unknown hacker - and attackers are now actively probing for unpatched Juniper firewalls to exploit.

Researchers at the SANS Internet Storm Center built a "honeypot," PC World reports - that is, a fake server that pretends to be a real Juniper firewall so they can monitor if anyone is fooled into trying to attack it. Sure enough, they say they are "detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password."

The Juniper back door comes at a time of heated debate over the ethics and feasibility of introducing back doors into software. As more and more big tech companies (Apple, Google, Facebook, etc.) incorporate strong encryption into their products, there has been a pushback from law enforcement who want to be able to retain access to data and communications when required.

But, technologists and privacy activists counter, any back door will inevitably be open to abuse by third parties. You can't build a back door that only good guys can use, the saying goes. In Juniper, encryption enthusiasts may have found a very powerful example to prove their point.
Read more ...

Wednesday, 17 June 2015

Fed agency blames giant hack on 'neglected' security system

Office of Personnel Management (OPM) Director Katherine Archuleta testifies on Capitol Hill
The agency that allowed hackers linked to China to steal private information about nearly every federal employee — and detailed personal histories of millions with security clearances — failed for years to take basic steps to secure its computer networks, officials acknowledged to Congress on Tuesday.

Democrats and Republicans on the House Oversight and Government Reform Committee spoke in unison to describe their outrage over what they called gross negligence by the Office of Personnel Management. The agency's data was breached last year in two massive cyberattacks only recently revealed.

The criticism came from within, as well. Michael Esser, the agency's assistant inspector general for audit, detailed a yearslong failure by OPM to adhere to reasonable cybersecurity practices, and he said that that for a long time, the people running the agency's information technology had no expertise.

Last year, he said, an inspector general's audit recommended that the agency shut down some of its networks because they were so vulnerable. The director, Katherine Archuleta, declined, saying it would interfere with the agency's mission.

The hackers were already inside her networks, she later acknowledged.

"You failed utterly and totally," said committee Chairman Jason Chaffetz, a Utah Republican. "They recommended it was so bad that you shut it down and you didn't."

Archuleta, stumbling occasionally under withering questions from lawmakers, sought to defend her tenure and portray the agency's problems as decades in the making as its equipment aged. She appeared to cast blame on her recent predecessors, one of whom, John Berry, is the U.S. ambassador to Australia.

Offered chances to apologize and resign, she declined to do either.

Chaffetz said the two breaches "may be the most devastating cyberattack in our nation's history," and said OPM's security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen.

"I am as distressed as you are about how long these systems have gone neglected," Archuleta said, adding at another point, "The whole of government is responsible and it will take all of us to solve the issue."

Archuleta and the other witnesses offered few new details about the breaches in the public hearing, deferring most questions about methods and damage to a later, classified session.

After that session, Rep. Elijah Cummings of Maryland, the committee's ranking Democrat, demanded that the committee hear testimony from two OPM contractors, KeyPoint and USIS, that fell victim to hacks last year. Earlier, Cummings and other lawmakers questioned whether the OPM network was compromised first through hacking of the contractors, and OPM officials declined to answer.

During the open hearing, Donna Seymour, the agency's chief information officer, confirmed that personnel information on 4.2 million current and former federal employees had been stolen, not just accessed.

The number of security clearance holders whose data has been taken is not yet known, she said. But the records go back to 1985 and include contractors as well as federal employees. Some government officials estimate the number could be up to 14 million.

And because their security clearance applications contain personal information about friends and family, those people's data is vulnerable as well.

Seymour also disclosed that any federal employees who submitted service history records to OPM, whether or not their personnel records are kept by the agency, likely had their information stolen. That raised the specter that intelligence agency employees who were not kept in the main personnel system for security reasons may have been exposed anyway.

Another fear is that covert intelligence officers working undercover as government employees may have been made vulnerable. If their names are not in the federal employee database, that could be revealing to foreign adversaries; there also could be holes in any bogus employee record built for spying cover purposes.

Andy Ozment, a top Department of Homeland Security cyber official, said the hackers gained access to OPM's network using stolen credentials.

That was important because many lawmakers and outside experts had criticized OPM for failing to take the obvious step of encrypting sensitive data, including Social Security numbers. Ozment said attackers with network credentials could have accessed encrypted data, anyway.

Rep. Will Hurd, a Texas Republican and former covert CIA officer, said he didn't doubt the good intentions of the OPM witnesses, but "the execution has been horrific."

China denies involvement in the cyberattack, and no evidence has been aired publicly proving Chinese involvement although the government says it has "moderate confidence" China was involved.

Lawmakers voiced fears Tuesday that China will seek to gain leverage over Americans with access to secrets by pressuring their overseas relatives and contacts, particularly if they happen to be living in China or another authoritarian country.

"China now has a list of Chinese citizens worldwide who are in close contact with American officials and they can use that for espionage purposes," said Rep. Ron DeSantis, a Florida Republican.

In the cyberattack targeting federal personnel records, hackers are believed to have obtained the Social Security numbers, birth dates, job actions and other private information on every federal employee and millions of former employees and contractors.

In the other attack, which the Obama administration acknowledged on Friday after downplaying the possibility for days, the cyber spies got detailed background information on millions of military, intelligence and other personnel who have been investigated for security clearances.

Applicants for security clearances are required to list drug use, criminal convictions, mental health issues, and the names and addresses of their foreign relatives.

"The 'friends and family' dataset is ultimately the most useful for a hostile intelligence service," said Richard Zahner, a retired lieutenant general and former top NSA official. Tie the information to what's publicly available, and other intelligence the adversary has already collected, "and you have insights that few services have ever achieved."

The personnel records hack comes in a long line of other cyber breaches linked to China and targeting the personal information of Americans, including one in January against health insurer Anthem.

"The United States of America is under attack," Cummings said. "Sophisticated cyber spies, many from foreign countries, are targeting the sensitive personnel information of millions of Americans. They are attacking our government, our economy, our financial sector, our health care systems and virtually every single aspect of our lives."

Source AP
Read more ...

Tuesday, 3 June 2014

U.S. disrupts major hacking, extortion ring; Russian charged

U.S. Assistant Attorney General Leslie Caldwell (at podium) of the Justice Department's Criminal Division announces criminal charges and two global cyber fraud disruptions, Gameover Zeus and Cyrptolocker, at the Department of Justice in Washington June 2, 2014.
(Reuters) - A U.S.-led international operation disrupted a crime ring that infected hundreds of thousands of PCs around the globe with malicious software used for stealing banking credentials and extorting computer owners, the Justice Department said on Monday. Authorities in nearly a dozen countries worked with private security companies to wrest control of the network of infected machines, known by the name of its master software, Gameover Zeus. Court documents released on Monday said that between 500,000 and 1 million machines worldwide were infected with the malicious software, which was derived from the original "Zeus" trojan for stealing financial passwords that emerged in 2006. In addition to stealing from the online accounts of businesses and consumers, the Gameover Zeus crew installed other malicious programs, including one called Cryptolocker that encrypted files and demanded payments for their release. Cryptolocker alone infected more than 234,000 machines and won $27 million in ransom payments, the Justice Department said. The two programs together brought the gang more than $100 million, prosecutors said in court documents, including $198,000 in an unauthorized wire transfer from an unnamed Pennsylvania materials company and $750 in ransom from a police department in Massachusetts that had its investigative files encrypted. Other victims included PNC Bank [], Capital One Bank [COFCB.UL] and others, according to court documents. “These schemes were highly sophisticated and immensely lucrative, and the cyber criminals did not make them easy to reach or disrupt,” Leslie Caldwell, who heads the Justice Department's criminal division, told a news conference. The Gameover Zeus "botnet" - short for robot network - is the largest so far disrupted that relied on a peer-to-peer distribution method, where thousands of computers could reinfect and update each other, said Dell expert Brett Stone-Gross, who assisted the FBI. "We took control of the bots, so they would only talk with our infrastructure," Stone-Gross said. A civil suit in Pennsylvania helped authorities get court orders to seize parts of the infected network, and on May 7, Ukrainian authorities seized and copied Gameover Zeus command servers in Kiev and Donetsk, officials said. U.S. and other agents worked from early Friday through the weekend to seize servers around the world, freeing some 300,000 victim computers from the botnet so far. A criminal complaint unsealed today in Nebraska, meanwhile, accused Russian Evgeniy Mikhaylovich Bogachev and others of participating in the conspiracy. U.S. officials said Bogachev was last known to be living in the Black Sea resort town of Anapa. In an FBI affidavit filed in the Nebraska case, an agent cited online chats in which aliases associated with Bogachev claimed authorship of the original Zeus trojan, which has infected more than 13 million computers and is blamed for hundreds of millions of dollars in losses. "That's what he claimed. There were probably a number of people involved," said Dmitri Alperovitch, co-founder of security firm CrowdStrike, which also worked with the FBI. A person familiar with the case said that Bogachev's ICQ number, which is an assigned Internet chat query identifier, matched that of the known Zeus author. Attempts to reach Bogachev were unsuccessful. FBI and Justice Department officials did not immediately respond to questions about Bogachev's alleged past role with Zeus, one of the most pernicious pieces of software ever developed. Zeus's code has since been publicly released, and many variants are still being used by gangs large and small. "Zeus is probably the most prolific and effective piece of malware discovered since 2006," said Lance James, head of cyber-intelligence at consultancy Deloitte & Touche, which also helped authorities. Russia does not extradite accused criminals to other countries, so Bogachev may never be arrested. He was named as part of a new policy on aggressively exposing even those the United States has little hope of catching. The recent crackdown includes the indictment of five members of China's People's Liberation Army for alleged economic espionage, which prompted denials and an angry response from Chinese authorities. “This is the new normal,” Robert Anderson, the top FBI official in charge of combating cyber crime said at a news conference announcing the Russian action. When asked whether Russian authorities would turn Bogachev over to the U.S., Deputy Attorney General James Cole said “as far as Russia, we are in contact with them and we’ve been having discussions with them about moving forward and about trying to get custody of Mr. Bogachev,” but declined to provide further detail of those talks. The shutdown of Gameover Zeus may not last. Other botnets have resurfaced as criminals regained at least partial control of their networks. Officials at the United Kingdom's National Crime Agency said in an "urgent warning" that users might have only two weeks to clean their computers from traces of the infection. They directed users to, which was intermittently available late Monday. The U.S. Department of Homeland Security set up a website to help victims remove the malware, The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine. Intel Corp, Microsoft Corp, security software companies F-Secure, Symantec Corp, and Trend Micro; and Carnegie Mellon University supported the operation. (Additional reporting by Julie Edwards and Alina Selyukh; Editing by Jonathan Oatis and Ken Wills)

Related posts:

Read more ...

Tuesday, 27 May 2014

China report slams U.S. for 'unscrupulous' surveillance

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013.

(Reuters) - Beijing accused the United States on Monday of "unscrupulous" cyber surveillance that included large-scale computer attacks against the Chinese government and Chinese companies.
"America's spying operations have gone far beyond the legal rationale of "anti-terrorism" and have exposed the ugly face of its pursuit of self-interest in complete disregard for moral integrity," concluded a report prepared by the China Academy of Cyber Space.
The report, titled "America's Global Surveillance Record," was published one week after the United States accused five Chinese military officers of hacking into U.S. companies to steal trade secrets.
The publication accused the United States of "waging large-scale cyber-attacks" against China. "Targets of American surveillance include the Chinese government and Chinese leaders, Chinese companies, scientific research institutes, ordinary netizens, and a large number of cell phone users," the report said.
Huawei Technologies Co, the Ministry of Commerce, the Ministry of Foreign Affairs, and Tencent Holdings Ltd's popular instant message service were among NSA targets, it said.
"U.S. spying operations penetrate every corner of China," the report said.
China last week summoned the U.S. Ambassador to China, Max Baucus, to protest against the U.S. indictment, saying it had seriously harmed relations.
The Cyber Space academy report cited foreign newspaper reports of U.S. cyber spying based on documents revealed by former National Security Agency contractor Edward Snowden.
A subsequent investigation "carried out by various Chinese government departments over several months confirmed the existence of snooping activities directed against China," the report said.
(Reporting by Matthew Miller; Editing by Ruth Pitchford)
Read more ...

Saturday, 17 May 2014

U.S. industry too complacent about cyber risks, say experts

Digital Bond Founder and CEO Dale Peterson talks during a Reuters CyberSecurity Summit in Washington, May 12, 2014.

Reuters) - After warning for years that the U.S. electric grid and other critical infrastructure are dangerously vulnerable to hacking, security experts fear it may take a major destructive attack to jolt CEOs out of their complacency.
While awareness about cybersecurity has increased in recent years, infrastructure consultants say the industry remains reluctant to spend the money needed to upgrade their aging equipment - especially in the absence of much pressure from the U.S. government, regulators or shareholders.
"I'm convinced the C-level executives don't understand the risks they're accepting,'" Digital Bond CEO Dale Peterson, a leading expert in industrial control systems, told the Reuters Cybersecurity Summit in Washington this week.
"These systems are insecure by design," said Peterson. "If they truly understood the risk they were taking, they would find it unacceptable."
Peterson and other security experts say the problem lies with tiny computers known as PLCs, or programmable logic controllers, used to control processes in energy plants, water treatment facilities, factories and other industries. The PLCs are designed to blindly obey all commands, regardless of what impact they might have, according to the experts.
To wreak havoc, someone would need only to hack into that system and send malicious instructions to the PLC, such as to cause an explosion at an energy facility or chemical plant, flood a water system, or poison food supply.
Top executives at critical infrastructure companies think of cybersecurity as a standard business risk and are reluctant to spend millions of dollars to mitigate that risk, said Stuart McClure, chief executive of cybersecurity firm Cylance.
They "can't seem to get out of their own way of paranoia to a point of paralysis," McClure told the summit. "What government does have to do, unfortunately, is to step in and provide a stick of some sort."
The Obama administration has encouraged industries to test themselves against a newly drafted set of cyber standards, and has encouraged more sharing of information about cyber threats and best practices.
Experts say that is a step in the right direction, but there is still a long way to go. Some urged the Department of Homeland Security to mandate stricter regulations, but the agency does not have that kind of enforcement power.
"I think what they benefit most from is not just hard and fast regulation: 'You shall do it this way,'" Department of Homeland Security Jeh Johnson said at the summit. "I don't believe that the answer is to regulate standards."
DHS's Industrial Control Systems Cyber Emergency Response Team says it responded to reports of 256 cyber incidents last year, more than half of them in the energy sector. While that is nearly double the agency's 2012 case load, there was not a single incident that caused a major disruption.
The incidents include hacking into systems through Internet portals exposed over the Web, injecting malicious software through thumb drives, and exploitation of software vulnerabilities, DHS said.
"I fear that things won't change until there is a major attack and people are shocked into taking action," McClure said.
Still, he and several other summit guests said they have noticed an increase in interest in cybersecurity following the data breach at Target Corp (TGT.N), which led to the departure of the U.S. retailer's chief executive, Gregg Steinhafel.
"This is ringing bells at the C-suite," said Charles Croom, vice president of cybersecurity solutions at Lockheed Martin Corp (LMT.N). "This is just the beginning of a bow wave."
While some security experts hope the government can take a stronger role on cybersecurity, some U.S. officials say the private sector needs to step up.
The new head of the National Security Agency, Admiral Mike Rogers, said he hopes industry and the government can work quickly enough to improve communication about emerging cyber threats and prevent catastrophes.
"I don't want a major disaster being the driver that pushes us," Rogers told the summit.
(Reporting by Jim Finkle and Alina Selyukh; Additional reporting by Doina Chiacu, Mark Hosenball, Joseph Menn and Andrea Shalal; Editing by Tiffany Wu)
Read more ...

Friday, 2 May 2014

Amrita Rai seeks cops' help after her photos go viral

 A day after her personal photos with Congress general secretary Digvijaya Singh were allegedly leaked online, journalist Amrita Rai approached Delhi Police with a formal complaint, crime branch sources said on Thursday.

Ravindra Yadav, additional commissioner of police (crime), confirmed that a case had been registered but did not say much. “We registered a case under section 66 of the Information Technology (IT) Act,” he said.

According to police officers, Rai approached the crime branch personally with a complaint on Thursday morning and alleged that her email account as well as her handle on popular microblogging site Twitter had been hacked and misused.

“The contents of my email have been posted on social networking sites on April 29,” Rai has stated in her complaint. “These are causing insult and outraging my modesty and are leading to threats to my safety,” the complaint goes on to state.

“According to her complaint, the person(s) who hacked her email also accessed her chat history. Selected data from there was then posted on the internet through her Twitter handle ‘@ amrritarai’. She claimed fake accounts had been created across cyberspace to destroy her reputation,” said an officer associated with the probe.

The police said they were in the process of contacting several US-based service providers to gather evidence on the matter and were mulling adding section 509 of the IPC (outraging the modesty of a woman) to the FIR.
Read more ...


Related Posts Plugin for WordPress, Blogger...