Hacking


HACKING #NUCLEAR SYSTEMS IS THE #ULTIMATE #CYBER THREAT. ARE WE #PREPARED?

Source: National Cyber Security – Produced By Gregory Evans

The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.

A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.

It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.

Though the exercise was conducted in a simulated coal plant, not a nuclear one, the tactile nature of the demonstration — the act of donning rubber boots to fix the flooding — drove home the potential physical consequence of a cyberattack on critical infrastructure. “The next step for them is to go back home and train in their real environment,” Erik Biverot, a former lieutenant colonel in the Swedish army who planned the event, told The Verge.

The drill, which took place this past October at a research facility 110 miles southwest of Stockholm, was the most technically sophisticated cyber exercise in which the UN’s nuclear watchdog — the International Atomic Energy Agency (IAEA) — has participated.

Security experts say more of these hands-on demonstrations are needed to get an industry traditionally focused on physical protection to think more creatively about growing cyber threats. The extent to which their advice is heeded will determine how prepared nuclear facilities are for the next attack.

“Unless we start to think more creatively, more inclusively, and have cross-functional thinking going into this, we’re going to stay with a very old-fashioned [security] model which I think is potentially vulnerable,” said Roger Howsley, executive director of the World Institute for Nuclear Security (WINS).

The stakes are high for this multibillion-dollar sector: a cyberattack combined with a physical one could, in theory, lead to the release of radiation or the theft of fissile material. However remote the possibility, the nuclear industry doesn’t have the luxury of banking on probabilities. And even a minor attack on a plant’s IT systems could further erode public confidence in nuclear power. It is this cruelly small room for error that motivates some in the industry to imagine what, until fairly recently, was unimaginable.

The Nuclear Threat Initiative, a Washington-based nonprofit co-founded by Ted Turner, has tallied about two dozen cyber incidents since 1990, at least 11 of which were malicious. Those include a December 2014 attack in which suspected North Korean hackers stole blueprints for South Korean nuclear reactors and estimates of radiation exposure to local residents. The affected power company, which provides 30 percent of the country’s electricity, responded by carrying out cyber drills at plants around the country.

In another attack, hackers posing as a Japanese university student sent malicious emails to researchers at the University of Toyama Hydrogen Isotope Research Center, one of the world’s top research sites on the radioactive isotope that makes a hydrogen bomb. From November 2015 to June 2016, the hackers stole over 59,000 files, according to media reports, including research on the ill-fated Fukushima nuclear plant.

Any list of cyber incidents in the nuclear sector, however, is very likely incomplete. The US Nuclear Regulatory Commission, for example, only requires operators to report to the commission cyber incidents that affect the safety, security functions, or emergency preparedness of the plant, excluding potentially significant attacks on IT systems. It is, in general, extremely difficult for a hacker to breach a plant’s inner control systems implicated in the former category, but not nearly as challenging to penetrate the non-critical IT networks included in the latter.

“We are absolutely undercounting [the number of non-safety-related incidents] and we’re not looking so we can’t pretend that our count is accurate,” said Robert M. Lee, a former Air Force cyber officer and founder of Dragos, a firm specializing in industrial control systems (ICS) cybersecurity. By probing their networks for more of these lower-level threats, nuclear operators can bolster their security, he added.

Regulatory requirements have strengthened US nuclear plants’ cybersecurity, and most plants were built decades ago on analog systems that are shielded from direct internet-based attacks. But the growing digitization of the industry is opening up new potential vectors for hackers.

One of the first known cyber incidents at a nuclear plant took place in 1992 when rogue programmer Oleg Savchuk deliberately infected the computer system of a plant in Lithuania with a virus. Savchuk was arrested and became a precautionary footnote in the history of nuclear security. It would take a set of much more seismic events to illuminate the danger of cyber threats to nuclear operators.

In March 2007, with US energy regulators looking on, engineers at the Idaho National Lab showed how 21 lines of computer code could cripple a huge generator, as journalist Kim Zetter writes in her book. It was only through this jaw-dropping experiment, known as Aurora, that some energy industry officials came to accept that digital tools are capable of physical destruction.

Before Aurora, “there were many people who simply denied the concept that any kind of physical damage could be caused or triggered by a cyber event,” Marty Edwards, an ICS expert who helped design the experiment, told The Verge. Two years later, the destructive potential shown in Aurora became a reality. The famed Stuxnet attack injected a formidable computer worm into Iran’s Natanz enrichment facility in 2009, destroying about 1,000 centrifuges. The United States and Israel are suspected of being behind the attack, which used a USB drive to deliver malware to “air gapped” systems, or those with no direct or indirect connections to the internet. In doing so, the attackers refuted the notion that such a system was immune to hacking.

Stuxnet’s creators used four “zero-days,” or previously unknown software exploits, whereas most big cyberattacks use one at most. The attackers managed the improbable feat of breaching and manipulating a nuclear facility’s heavily protected industrial controls. In doing so, they changed the cybersecurity conversation in the nuclear industry, prompting new regulations and more investments in defenses.

As instructive as Stuxnet was, nuclear officials can only learn so much from one attack and, because successful attacks are rare, there is a small pool of data from which to learn. For some, the answer is to create your own attacks in a controlled environment.

The exercise conducted this past October took advantage of the high-tech environment provided by Sweden’s Defense Research Agency. Officials from the IAEA and at least 20 of its member countries, including the US and China, watched on TV screens as offensive and defensive cyber teams did battle. The defenders grappled with everything from straightforward denial-of-service attacks to the more insidious scenario of a contractor’s laptop exposing a facility to malware.

In one instance, they used an actual Siemens programmable logic controller. In another, they modeled one of the exercise’s attacks on the 2015 hack of the Ukrainian power grid, one of the biggest energy-sector attacks since Stuxnet.

The Swedes meticulously documented what amounted to a scientific experiment. Audio and video captured participants’ every move and may be later analyzed by a research team. The biggest early takeaway from the experiment, however, was decidedly low-tech: participants had to trust each other to navigate a stressful environment.

The IT specialists who participated normally work individually rather than as a team to handle cyber incidents, according to Biverot. For each participant, knowing that “I can give this guy a call if I’m in trouble” would be invaluable during a security incident, he told The Verge.

Security experts say there is no substitute for putting an organization’s cyber teams under the gun in an intense, credible scenario. “It’s very important to understand the link between what’s happening in cyberspace and what’s happening in real life,” said Dennis Granåsen, a senior scientist at the Defense Research Agency. “If you don’t do that, it’s very easy to just think of these exercises as a game where you need to perform and get a good score and that’s it.”

The less that exercises seem like a game to participants, the better prepared they’ll be for the real thing. The challenge, however, is that exercises as technically rigorous as the Swedish one have not been the norm across the global nuclear sector. They can be expensive, take many months to plan, and may require bringing in outside cyber expertise to drill plant personnel. Exercise programs are growing in maturity and are including more red-teaming, but experts say more work is needed.

Without outside help, many operators will struggle to keep pace with cyber threats, according to Roger Brunt, a former top official at the UK’s Office for Nuclear Regulation. For that reason, Britain’s larger nuclear operators have recently begun hiring security firms to probe their computer networks for vulnerabilities, he said.

While safety and security are paramount at nuclear plants, business considerations also come into play as many plants, including the vast majority of the 61 in the US, are privately owned. The financial and reputational damage that a successful cyberattack could wreak has led some executives to walk through them in advance.

Two weeks before the Swedish exercise, a group of lawyers, insurers, and nuclear executives huddled in central London to consider an alarming scenario: malware had hit a workstation at a nuclear plant, triggering a shutdown of the reactor and a power cut for nearby residents during a dangerous heatwave.

Whereas the Swedish drill was geeks and computer code, the London one was lawyers and the lofty words of judges and defendants.

A fictional power company was on mock trial for decisions its executives had taken leading up to the made-up incident. They had failed to ensure that software on the plant had been updated and that employees were trained in security. Despite an eloquent defense from executives, the judges found the company criminally and civilly liable for the $1.7 billion in economic and other damages incurred by the power cut, and for the 10 people who died in the heat wave.

Howsley said he was surprised at the criminal verdict, thinking the bar for damning security practices would be higher. But that may be where legal norms are headed, given that companies like Uber and Anthem have been sued for allegedly shoddy cybersecurity regimes.

Among nuclear executives, “accountability is going to drive better behavior” on cybersecurity, said Kathryn Rauhut, a lawyer and nonresident fellow at the Stimson Center, which hosted the exercise.

Rauhut said that when drawing up the exercise, she considered several scenarios that might spur strong interest from nuclear executives. Nothing resonates like the threat of a civil or criminal lawsuit for bad security practices. “The CEOs said, ‘Whoa, this is huge. I didn’t know I was liable,’” she told The Verge.

Howsley, a 35-year veteran of the nuclear industry, has seen the industry adapt its safety standards after the 1986 Chernobyl disaster, its security standards after the September 11th attacks, and its cybersecurity standards after Stuxnet. The guessing game of where the next threat might come from can be maddening.

“Someone once said to me, ‘The future is actuarial, history is forensic,’” said Howsley, a cerebral Englishman with a PhD in botany. “If something awful happens at 3 o’clock this afternoon, people will look back and say, ‘How did we allow this to happen?’ But we forget all the things that we worried about and didn’t happen.”

As training in the lab and boardroom continues, hackers in the real world are sharpening their skills. The years since Stuxnet have seen an uptick in advanced hacking operations targeting energy infrastructure. The Ukrainian power grid has been a playground for hackers, some of whom analysts have traced to Russia.

A year after the December 2015 attack, which cut power for 225,000 people, the Ukrainian grid was hit again in what Dragos says was an even more sophisticated operation. “Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt,” states the firm’s analysis of the attack.

Just last week, energy software giant Schneider Electric acknowledged that hackers had exploited a flaw in its safety system software, known as Triconex, at an industrial plant, causing the plant to shut down. The company has declined to identify the plant. Triconex systems are used at a variety of plants, including oil, gas, and nuclear.

This changing digital landscape is prompting governments and energy companies to get more ambitious in how they drill for attacks. The goal is tighter communication and unalloyed trust between the government and operators of critical infrastructure, the vast majority of which is privately owned in the US.

In the event of a serious cyberattack, nuclear operators would need to have agencies on speed dial to mitigate the damage. In the waning days of the Obama administration, US and British officials tested these lines of communication in an unprecedented exercise they called Ionic Shield.

On a conference call in November 2016, officials at the White House and Downing Street watched as a piece of malware hit the administrative networks of hypothetical nuclear plants in the US and Britain. Participants tested how well they could pass the word of a spreading attack through the chain of command and take corrective action. Communication between the two governments and between government and industry went well, according to Caitlin Durkovich, a former official for the Department of Homeland Security (DHS).

However, Durkovich told The Verge, “I think we walked away with the sense we need to improve how the industry here [in the US] is communicating with the industry there [in Britain], especially as it relates to sharing threat information.”

In June 2017, DHS officials warned the energy industry that hackers had targeted the computer network of the Wolf Creek nuclear facility in Kansas. The threat was limited and did not involve safety or other critical systems, security experts told The Verge, but it served as a reminder that nuclear facilities are still very much in hackers’ crosshairs.

“The threat is not going to go away,” Howsley said. “It will get more subtle.”

Some hackers play the long game, lingering on peripheral networks for months in the hope of gaining a foothold into more critical systems. For network defenders, maintaining urgency in the absence of regular, successful attacks can be difficult. The shock value of events like Aurora and Stuxnet can only last so long as those who study them fall back into their routines. Rigorous exercises based on unnerving scenarios are critical to keeping engineers and cyber specialists on their toes.

The post HACKING #NUCLEAR SYSTEMS IS THE #ULTIMATE #CYBER THREAT. ARE WE #PREPARED? appeared first on National Cyber Security .

View full post on National Cyber Security

CISCO #STOCK #DIPS ON POSSIBLE #RUSSIAN #HACKING

Cisco Systems, Inc. (NASDAQ:CSCO) is trading lower today, after the company announced that a group of hackers have compromised more than 500,000 routers and other devices in several countries. Cisco suspects this was the work of the Russian government, and its ultimate plan was to launch a major cyber attack on Ukraine. Shares of CSCO have shed 0.8% on the news, last seen at $43.28, falling back below the 80-day moving average and pacing for their lowest close since April 13. This trendline, a previous level of support, was brought back into play by the stock’s post-earnings bear gap last Thursday.

Longer term, the networks specialist has been strong on the charts, up 36.4% over the last year. This technical success has earned the stock almost exclusively bullish attention from analysts, with 18 of the 20 in coverage saying to buy the shares. Also, the average one-year price target from this group is $49.74, which prices in upside of almost 15%.

Options traders across the International Securities Exchange (ISE), Chicago Board Options Exchange (CBOE), and NASDAQ OMX PHLX (PHLX) have been bullish, too. CSCO sports a 10-day call/put volume ratio of 3.07 across these exchanges, a number that ranks in the top quartile of its annual range. So not only has call buying tripled put buying, but such a preference for calls over puts is pretty rare.

It’s a similar setup in today’s trading, despite the pullback, with call volume tripling put volume, and the July 44 call coming in as the most popular. But considering Cisco has a Schaeffer’s Volatility Index (SVI) of 18%, which ranks in the low 12th annual percentile, even put buyers can at least rest assured they’re getting relatively low volatility premiums at the moment.



Champions #League #final ‘faces #hacking #threat’

Ukrainian state security accuses Russia of preparing huge attack as Cisco details VPNFilter threat

Russia is preparing a large-scale cyber attack on Saturday’s Champions League final in Kiev, according to Ukrainian state security.

The Ukrainian Security Service (SBU) accused the Russian government of “cyber aggression”, with the aim of infecting hardware and “destabilising” Ukraine’s hosting of the match between Real Madrid and Liverpool.

The statement came just hours after networking giant Cisco’s cybersecurity division, Talos, warned that hackers had infected some 500,000 internet routers and storage devices, mainly focusing on Ukraine, with state-developed malware called VPNFilter.

Talos said it was releasing the information before fully completing its investigation because of the urgent need to prevent the potential attack.

“Both the scale and the capability of this operation are concerning,” Talos said. “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”

VPNFilter is a multi-stage, modular platform, the first stage of which can survive a device reboot, which sets it apart from other malware, Talos said. Once it gains a foothold in a device, it deploys other stages of the malware, which can steal website credentials and even cause infected devices to self-destruct.

While Talos didn’t say who was behind VPNFilter, it did say the malware shared similarities with BlackEnergy, which destroyed a huge part of Ukraine’s power grid in 2015, an attack Ukraine linked to Russia at the time.

“The type of devices targeted by this actor are difficult to defend,” Talos added, saying VPNFilter had grown quietly since 2016. “They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package.”

As yet, no details have been released as to how the attack would affect the final.

Earlier in the year, Russian spies were accused of hacking the 2018 Winter Olympics in South Korea. The attack caused large disruption to the opening ceremony, affecting TV and web broadcasting and knocking out display monitors, Wi-Fi networks and the Winter Olympics official website.



Congress #gets ‘Russia #election #hacking’ #briefing, still no #evidence

With political primaries already underway and the November midterm elections fast approaching, top national security officials briefed members of Congress on Tuesday about gaps in election security.

The Trump administration has been under pressure to take stronger steps to deter Russian attempts to meddle in U.S. campaigns. Officials say election systems remain vulnerable to cyberattacks.

Intelligence agencies say Russian operatives attempted to hack 21 electoral systems in states during the 2016 campaign, breaching one system. There’s no evidence any votes were affected.

“This is an issue that the administration takes seriously and is addressing with urgency,” Homeland Security Secretary Kirstjen M. Nielsen, FBI Director Christopher Wray and Director of National Intelligence Daniel Coats said in a joint statement.

After the briefing, Nielsen was asked about intelligence agencies’ conclusions that Moscow used social media, leaks of hacked emails and other tactics in 2016 in an attempt to help Trump beat Hillary Clinton.

“That the specific intent was to help President Trump win, I’m not aware of that, but I do generally have no reason to doubt any intelligence assessment.”

Moscow “aspired to help” Trump’s campaign, according to a public report issued by intelligence agencies in January 2017. The Senate Intelligence Committee reported this month that after a 14-month investigation, it agreed with that assessment.

The committee also issued a detailed report on Russian targeting of election infrastructure during the 2016 campaign.

Chris Megerian (c)2018 Los Angeles Times, Distributed by Tribune Content Agency, LLC.



THE #BILLION-DOLLAR #HACKING GROUP BEHIND A #STRING OF BIG #BREACHES

THIS WEEK, SAKS Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores—all owned by The Hudson’s Bay Company—acknowledged a data breach impacting more than five million credit and debit card numbers. The culprits? The same group that’s spent the last few years pulling off data heists from Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, Chipotle: A mysterious group known as FIN7.

Data breaches dog consumers every day, whether they’re ordering food from Panera, or tracking their nutrition with an Under Armour app. But if you’ve particularly had your credit card number stolen from a restaurant, hotel, or retail store in the past few years, you may have experienced FIN7 up close.

While lots of criminal hacking gangs are simply out to make money, researchers regard FIN7 as a particularly professional and disciplined organization. The group—which often appears to be Russian-speaking, but hasn’t been tied to a home country—generally works on a normal business schedule, with nights and weekends off. It has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly. In the Saks breach, FIN7 used “point of sale” malware—software secretly installed in the cash register transaction systems customers interact with—to lift the financial data, a signature move.

“They’re connected to almost every major point of sale breach,” says Dmitry Chorine, cofounder and CTO of Gemini Advisory, a threat intelligence firm that works with financial institutions and that first reported the Saks/Lord & Taylor breach. “From what we’ve learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”

Name Game

Researchers have carefully tracked FIN7 for years, identifying their tools and watching their techniques evolve and advance. And many of the observers have even gone head-to-head with the group during network attacks, learning the group’s ethos by actively sparring with it.

The anonymity of cyberspace makes it difficult to pin down exactly who commits which crimes, though, and whether they’re actually all part of the same group or simply using similar tools.

As a result, FIN7 is known by many names. Many. The “FIN7” name itself is often associated with retail and hospitality credit card number heists, while another group—perhaps another division of the same entity, or a pre-existing gang that FIN7 spun off from—focuses on targeting financial organizations to directly steal and launder money. This bank heist operation has been called Carbanak or Cobalt (after a tool called Cobalt Strike), or some variation; FIN7 is sometimes called by these names as well. The security firm CrowdStrike also has its own versions of the names, Carbon Spider and Cobalt Spider. Carbon Spider targets the retail and hospitality industries, and Cobalt Spider hits financial institutions and ATMs. Adding to the confusion, Gemini Advisory also sometimes calls FIN7 “JokerStash,” after the dark web marketplace where the group sells the credit card data it steals.

It’s a mess. But while it’s virtually impossible to know the exact breakdown, all of these actors evolved from malware campaigns between 2013 and 2015 that used the banking trojans Carberp and Anunak to attack financial institutions. “There’s definitely a relationship between what we call Carbon Spider and Cobalt Spider,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. “There’s some overlap in the malware that’s used and there are a lot of theories. Did Carbon Spider split from Cobalt? Do they have shared tooling? Did somebody leave the group and bring some of the tools with them?”

Consummate Professionals

Regardless of the name, FIN7’s effectiveness stems from a rigorous, professional approach—including devious phishing schemes that trick victims into infecting their own networks—that researchers say is more typical of nation state hacking than criminal skulduggery. The group has also demonstrated a powerful ability to quickly evolve new strategies and adapt tools. Last fall, the security firm Morphisec showed that it only took FIN7 a day to create a fileless malware attack for a newly discovered weakness in Microsoft applications.

“The feeling you get working against them on an incident response team is that they aren’t going down without a fight,” says William Peteroy, CEO of the security firm Icebrg, which has helped clients remediate FIN7 attacks. “They are very committed to getting access to certain targets, they are very committed to maintaining access to those targets, and it’s for the overall goal of pulling as much credit card data out of the environment as they can. They’re not the best-trained, best operations security people on the internet, but they are professional. They go to work in the morning and their job is to steal credit card numbers.”

Based on Icebrg’s research and firsthand experience, Peteroy sees the group’s focus on evading antivirus scans as one of its biggest assets. FIN7 constantly tests its hacking tools against malware scanners to see if they raise an alarm, and tweaks them if they do to fly under the radar for another day.

“They have a pretty incredible track record of staying one step ahead of antivirus vendors,” Peteroy says. “They do constant testing of their toolsets. You would not expect to see a technique like that from a criminal organization. But it’s really just like a business maximizing your profitability. You’re not trying to develop things that are 10 steps ahead, you’re just trying to keep one step ahead.”

So far FIN7 has largely succeeded at staying just out of reach, but it works at such a massive scale on so many heists at once that there are bound to be missteps. Just last week, Spanish police working with Europol, the FBI, and a group of other international agencies arrested what they called the “mastermind” behind Carbanak’s financial institution hacking, particularly a spree of ATM jackpotting and other money laundering. “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” Steven Wilson, the head of Europol’s European Cybercrime Centre, said of the operation last week.

Though an impressive step, researchers are skeptical that the arrest will really destabilize or neuter such a robust criminal syndicate. “Someone who was using part of the tools was arrested in Spain. He may be at a higher level of the food chain, but it definitely doesn’t necessarily mean the whole group has been dismantled,” says Gemini Advisory’s Chorine. “Even if you observe the chatter on criminal forums, there’s no clear indication of who was arrested.”

So as has been the case for years now, FIN7 will likely live to steal another credit card number. Or, more likely, millions of them.



The #FBI Used #Classified #Hacking #Tools in Ordinary #Criminal #Investigations

The FBI’s Remote Operations Unit (ROU), tasked with hacking into computers and phones, is one of the Bureau’s most elusive departments. But a recent report from the Office of the Inspector General (OIG) for the Department of Justice has now publicly acknowledged the unit’s existence seemingly for the first time. The report also revealed that the ROU has used classified hacking tools—techniques typically reserved for intelligence purposes—in ordinary criminal investigations, possibly denying defendants the chance to scrutinize evidence, as well as destabilizing prosecutors’ cases against suspects.

“Using classified tools in criminal cases is risky for all sides,” Ahmed Ghappour, associate professor of law at Boston University School of Law, and who has researched law enforcement hacking extensively, told Motherboard in a Twitter message.

The ROU is part of the FBI’s Operational Technology Division (OTD), which handles the Bureau’s more technical surveillance methods. The OIG’s report says ROU “provides computer network exploitation capabilities” and has “engineers and vendors who attempt to develop techniques that can exploit mobile devices.” A previous Wall Street Journal report said the FBI can use malware to remotely activate microphones on Android devices.

In 2013, Chris Soghoian, then principal technologist at the American Civil Liberties Union (ACLU), uncovered ROU’s existence by piecing together LinkedIn profiles and sections of documents released through the Freedom of Information Act. Soghoian found that an Eric Chuang heads the ROU, and it appears Chuang is still leading the unit now—the OIG report mentions the current head became chief in 2010.

While most of the OIG’s new report focuses on how the FBI did not fully explore its technical options for accessing the iPhone of one of the San Bernardino terrorists in 2016, several sections shine more light on the ROU and how it is using its hacking tools. One mentions that the ROU chief, based on long-standing policy, sees a “line in the sand” against using national security tools in criminal cases—this was why the ROU initially did not get involved at all with finding a solution to unlocking the San Bernardino iPhone. Indeed, it’s important to remember that as well as a law enforcement agency, the FBI also acts as an intelligence body, gathering information that may be used to protect the country, rather than bring formal charges against suspects.

But that line can be crossed with approval of the Deputy Attorney General to use the more sensitive techniques in ordinary investigations, the report adds.

“The ROU Chief was aware of two instances in which the FBI invoked these procedures,” a footnote in the report reads. In other words, although it seemingly only happened twice, the FBI has asked for permission to use classified hacking techniques in a criminal case.

It’s not clear which two cases the ROU Chief is referring to. However, the FBI previously deployed a Tor Browser exploit to over 8,000 computers around the world, including some in China, Russia, and Iran, based on a single, legally contentious warrant. At the time of the operation in February 2015, the tool was unclassified. But as Motherboard found using court records, the following year the FBI moved to classify the exploit itself for reasons of national security, despite the case being a criminal child pornography investigation.

Motherboard’s recent investigation into the exploit industry found that an Australia-based company called Azimuth Security, along with its partner Linchpin Labs, has provided exploits to the FBI, including one for breaking through the Tor Browser.

Using classified tools in a criminal investigation may pose issues for both prosecutors and defendants. If the FBI used a classified technique to identify a suspect, does the suspect find out, and have a chance to question the legality of the search used against them?

“When hacking tools are classified, reliance on them in regular criminal investigations is likely to severely undermine a defendant’s constitutional rights by complicating discovery into and confrontation of their details,” Brett Kaufman, a staff attorney at the ACLU, told Motherboard in an email. “If hacking tools are used at all, the government should seek a warrant to employ them, and it must fully disclose to a judge sufficient information, in clear language, about how the tools work and what they will do,” he added.

And on the flip side, if the FBI uses a classified and sensitive tool in an ordinary case and has to reveal information about it in court, the exploit may then be fixed by the affected vendor, such as, say, Apple. Some may see that as a positive, but the FBI might have to drop its charges against a criminal as well.

“It’s also a risk for the government, who may be ordered to disclose classified information to the defense to satisfy due process, or face dismissal of the case,” Ghappour said.

With the mentioned Tor Browser attack, a judge ordered the FBI to give defense counsel the code of the exploit; the FBI refused, meaning the evidence the related malware obtained was thrown out altogether.

A spokesperson for the FBI declined to comment on the ROU’s cross-over into criminal cases, and instead pointed to page 16 of the report, which reads, in part, that “FBI/OTD has realigned mission areas for several Units in preparation for a larger re-organization.”


The post The #FBI Used #Classified #Hacking #Tools in Ordinary #Criminal #Investigations appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Coin #mining #hacking attacks #rose 8,500% in #2017

So called criminal ‘coin miners’ are taking control of our computers, mobiles and ‘Internet-of-Things’ devices to turn them into crypto-mining slaves

This is getting scary. Cybersecurity software company Symantec says the use of criminal “coin miners” jumped by 8,500% during 2017. A coin miner is a file or script that, without the victim’s knowledge, steals their computer’s processing power or cloud CPU usage to mine cryptocurrencies.

Symantec said in its annual Internet Security Threat Report that the meteoric rise in the cryptocurrency market has “triggered a gold rush for cyber criminals.” Coin mining, says Symantec, slows devices, overheats batteries and, for businesses, can shut down corporate cloud networks. Symantec says it logged 1.7 million such attacks in December alone.

“The barrier to entry for coin mining is pretty low – potentially only requiring a couple of lines of code to operate – and coin mining can allow criminals to fly under the radar in a way that is not possible with other types of cybercrime,” reports Symantec. “Victims may not even realize a coin miner is slurping their computer’s power as the only impact may be a slowdown of their device that they could easily attribute to something else.”

While malicious coin miners appear to primarily target computers, mobile phones are also vulnerable. But it is with Internet of Things (IoT) devices that Symantec is seeing the largest potential for criminal growth. During 2017, there was a 600% increase in such IoT attacks, but as malicious coin mining evolves, cyber criminals could exploit the connected nature of these devices to mine “en masse.”

Maybe it’s time to take that kettle offline and go back to gas?


The post Coin #mining #hacking attacks #rose 8,500% in #2017 appeared first on National Cyber Security Ventures.


Norway and #US #Busted #Hacking Russian #Networks to #Gain #Data on #Leadership

This is the first time Norwegian hacking efforts to obtain intelligence information on Russia have been documented. According to formerly classified documents, Norway and the US have been pooling their spying efforts since 2011.

Norwegian and US intelligence services have collaborated on hacking Russian networks in order to retrieve information on Russia’s political leadership and energy policy, according to formerly classified National Security Agency (NSA) documents published by The Intercept.

Previously, only a small part of the three-page document was available, but now the document has been made available in its entirety.

It was in September 2011 that Norway’s Intelligence Service (NIS) first informed the NSA that they were running espionage programs in computer networks, whereupon an agreement on data-sharing was reached. The NSA would then expand and strengthen cooperation with Norway, focusing on targets in the Russian political leadership and Russia’s management of natural and energy resources.

An annual planning meeting between the NSA and the NIS was held on March 7, 2013. Some of the topics discussed were Norway’s access to data cables, data processing and external data storage, as well as obtaining information from commercial satellites.



The post Norway and #US #Busted #Hacking Russian #Networks to #Gain #Data on #Leadership appeared first on National Cyber Security Ventures.


Mobile #networks #investigate flaw that leaves #4G #customers open to #hacking

Source: National Cyber Security News

Security researchers have discovered a set of severe vulnerabilities in 4G LTE protocol that could be exploited to spy on user phone calls and text messages, send fake emergency alerts, spoof location of the device and even knock devices entirely offline.
A new research paper [PDF] recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.
The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.

Unlike much previous research, these aren’t just theoretical attacks. The researchers employed a systematic model-based adversarial testing approach, which they called LTEInspector, and were able to test 8 of the 10 attacks in a real testbed using SIM cards from four large US carriers. The 10 attacks are:

Authentication Synchronization Failure Attack
Traceability Attack
Numb Attack
Authentication Relay Attack
Detach/Downgrade Attack
Paging Channel Hijacking Attack
Stealthy Kicking-off Attack
Panic Attack
Energy Depletion Attack
Linkability Attack

Among the above-listed attacks, the researchers consider the authentication relay attack particularly worrying, as it lets an attacker connect to a 4G LTE network by impersonating a victim’s phone number without any legitimate credentials.

This attack could not only allow a hacker to compromise the cellular network to read incoming and outgoing messages of the victims but also frame someone else for the crime.


