Thursday, November 29, 2012

Evolving DDoS Attacks Force Defenders To Adapt


In the past, attackers using distributed denial-of-service (DDoS) attacks to take down Web sites or network servers typically adopted one of two tactics: flooding the site with a deluge of data, or overwhelming an application server with seemingly valid requests.

Yet increasingly, attackers are using a hybrid approach, combining multiple vectors in one attack. The attacks that hit financial firms in September and October, for example, often used a massive flood of data packets that would overwhelm a victim’s network connection, while a much smaller subset of traffic would target vulnerable application functions, consuming server resources.

The one-two punch is potent. Many financial firms thought they had the defenses in place to defeat such attacks but had problems staying accessible during the onslaught. Companies prepared to handle application-layer attacks or smaller volumetric attacks could not handle the 20Gbps or more that saturated their Internet connection. A recent report from network-security firm Prolexic found that the average attack bandwidth increased to nearly 5Gbps, with 20Gbps attacks quite common. In a year, the average volume of attacks had doubled, the firm found.
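As an added defender-side illustration (not code from the article), the script below runs two independent checks over constructed per-second flow summaries: a volumetric check against an assumed 1 Gbps uplink, and a per-source request-rate check on assumed CPU-heavy endpoints. The thresholds, paths and address ranges are assumptions; the output shows why a bandwidth-only view misses the application-layer component, which here is well under 1% of the bytes.

```python
"""Triage of a hybrid (volumetric + application-layer) DDoS over constructed
per-second flow summaries. Added example; not code from the article.
Thresholds, endpoint paths and address ranges below are assumptions."""
from collections import defaultdict

LINK_CAPACITY_BPS = 1_000_000_000          # assumed 1 Gbps Internet uplink
SATURATION_RATIO = 0.8                     # alert once 80% of the link is used
MAX_EXPENSIVE_REQ_PER_SRC = 50             # assumed per-source ceiling per second
EXPENSIVE_PATHS = {"/search", "/login"}    # assumed CPU-heavy application endpoints


def build_constructed_flows():
    """Return constructed per-second, per-source summaries for three seconds.
    Each record: {"sec", "src", "bytes", "requests", "path"}; path is None for
    raw flood traffic (UDP/SYN packets that never form an HTTP request)."""
    flows = []
    for sec in range(3):
        # Volumetric component: 50 sources x 2.25 MB/s = 900 Mbit/s of junk.
        for i in range(50):
            flows.append({"sec": sec, "src": f"198.51.100.{i + 1}",
                          "bytes": 2_250_000, "requests": 0, "path": None})
        # Application-layer component: 3 sources hitting /search at 200 req/s,
        # ~400 bytes per request, so only a sliver of the total bytes.
        for i in range(3):
            flows.append({"sec": sec, "src": f"203.0.113.{i + 1}",
                          "bytes": 80_000, "requests": 200, "path": "/search"})
        # Legitimate users: 20 sources, 5 requests/s each to the front page.
        for i in range(20):
            flows.append({"sec": sec, "src": f"192.0.2.{i + 1}",
                          "bytes": 30_000, "requests": 5, "path": "/"})
    return flows


def volumetric_alerts(flows):
    """Seconds in which aggregate inbound bits exceed the saturation threshold."""
    bits_per_sec = defaultdict(int)
    for f in flows:
        bits_per_sec[f["sec"]] += f["bytes"] * 8
    limit = LINK_CAPACITY_BPS * SATURATION_RATIO
    return {sec for sec, bits in bits_per_sec.items() if bits > limit}


def app_layer_alerts(flows):
    """(sec, src) pairs whose request rate to expensive endpoints is abnormal."""
    rate = defaultdict(int)
    for f in flows:
        if f["path"] in EXPENSIVE_PATHS:
            rate[(f["sec"], f["src"])] += f["requests"]
    return {key for key, req in rate.items() if req > MAX_EXPENSIVE_REQ_PER_SRC}


def app_share_of_bytes(flows):
    """Fraction of all bytes that belong to the application-layer vector."""
    total = sum(f["bytes"] for f in flows)
    app = sum(f["bytes"] for f in flows if f["path"] in EXPENSIVE_PATHS)
    return app / total if total else 0.0


if __name__ == "__main__":
    flows = build_constructed_flows()
    print("link-saturating seconds:", sorted(volumetric_alerts(flows)))
    print("abusive (sec, src) pairs:", sorted(app_layer_alerts(flows)))
    print(f"application-layer share of bytes: {app_share_of_bytes(flows):.2%}")
```

A defense tuned only to the first check would report the link as the whole problem; the second check is what exposes the three sources quietly exhausting the application server.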

Read more: DDoS Attacks More Potent These Days

Tuesday, September 25, 2012

White House said to plan executive order on cybersecurity

SAN FRANCISCO (Reuters) - The White House is preparing to direct federal agencies to develop voluntary cybersecurity guidelines for owners of power, water and other critical infrastructure facilities, according to people who said they had seen recent drafts of an executive order.

The prospective order would give the agencies 90 days to propose new regulations and create a new cybersecurity council at the Department of Homeland Security with representatives from the Defense Department, Justice Department, Director of National Intelligence and the Department of Commerce, a former government cyber-security official told Reuters.

"It tells those who have the ability to regulate to go forth and do so," said the person, who is currently outside the government and spoke on condition of anonymity in order to preserve access to government officials.

The draft executive order includes elements of what had been the leading cybersecurity overhaul bill in the Senate, which was defeated this summer amid opposition from industries opposed to increased regulation.

Senate Homeland Security Committee Chairman Joe Lieberman, an independent and one of the principal authors of that bill, on Monday urged the White House to issue such an order.

"The Department of Homeland Security has clear authority, if directed by you, to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyber attack and issue voluntary standards for those critical systems or assets to maintain adequate cybersecurity," Lieberman wrote to President Barack Obama.

The document has been circulating among the agencies and might go to top officials for their comments as soon as this week, another person involved in the process said.

A spokeswoman for the administration's National Security Council, Caitlin Hayden, confirmed that an order was being considered but would not provide details. "We're not commenting on the elements," Hayden said.

PUBLIC-PRIVATE COOPERATION

Former White House cybersecurity policy coordinator Howard Schmidt said the proposed order would also ask DHS to confer with independent agencies, such as electric regulators and others that don't answer to the president, to see who would take responsibility on cybersecurity.

The hope, said Schmidt, who has seen a recent draft, is that if those agencies won't let DHS act they would do it themselves, as the Securities and Exchange Commission did in October when it issued guidance on when companies should disclose cyber attacks.

The Commerce Department and the Pentagon declined to comment. Spokespeople for Lieberman and for Senator John Rockefeller, another Democratic leader on the issue who has asked for an executive order, said their offices had not been given copies of the draft.

Cybersecurity has become a major issue in Congress and for the White House, with intelligence officials warning of constant exploration of protected computer systems by hackers and both past incursions and the likelihood of more damaging future attacks on electric plants, banks and stock exchanges.

As of two weeks ago, the planned order did not include any penalties for companies that fail to adhere to the standards, or rewards for those who do. "There are no carrots or sticks," one person with a recent copy said.

If the order emerges before the election in November, it could become an issue in the campaign. Leading Republicans faulted the Lieberman bill as too onerous. The U.S. Chamber of Commerce, which also criticized that bill, declined to comment on Monday on the merits of a prospective order.

But Lieberman said his bill had been watered down in pursuit of a compromise and asked in his letter Monday that Obama explore means for making the standards mandatory.

Both Lieberman and administration officials have said they will still seek legislation, which could go further in many ways. It might, for example, provide liability protection for companies that share information with government officials or that meet the standards but still get hacked.

(Reporting by Joseph Menn in San Francisco; editing by Todd Eastham)

Monday, August 20, 2012

Former Hacker: Today’s Hacks Are All About the Money

Hackers have changed since the days of The Matrix. While most hackers used to hold iconoclastic ideals, with aspirations to “shock the system” for a perceived common good, today’s hacker/cracker community is more concerned with making a quick buck...

Friday, July 27, 2012

Rise Is Seen in Cyberattacks Targeting U.S. Infrastructure

July 26, 2012

By DAVID E. SANGER and ERIC SCHMITT (New York Times)

ASPEN, Colo. — The top American military official responsible for defending the United States against cyberattacks said Thursday that there had been a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations.

The assessment by Gen. Keith B. Alexander, who heads the National Security Agency and also the newly created United States Cyber Command, appears to be the government’s first official acknowledgment of the pace at which America’s electricity grids, water supplies, computer and cellphone networks and other infrastructure are coming under attack. Those attacks are considered potentially far more serious than computer espionage or financial crimes. 

General Alexander, who rarely speaks publicly, did not say how many attacks had occurred in that period. But he said that he thought the increase was unrelated to the release two years ago of a computer worm known as Stuxnet, which was aimed at taking down Iran’s uranium enrichment plant at Natanz. 

When the worm inadvertently became public, many United States officials and outside experts expressed concern that it could be reverse-engineered and used against American targets. General Alexander said he saw no evidence of that.

General Alexander, as head of the N.S.A., was a crucial player in a covert American program called Olympic Games that targeted the Iranian program. But under questioning from Pete Williams of NBC News at a security conference here, he declined to say whether Stuxnet was American in origin; the Obama administration has never acknowledged using cyberweapons.

General Alexander said that what concerned him about the increase in foreign cyberattacks on the United States was that a growing number were aimed at “critical infrastructure,” and that the United States remained unprepared to ward off a major attack. On a scale of 1 to 10, he said, American preparedness for a large-scale cyberattack is “around a 3.” He urged passage of legislation, which may come to a vote in the next week, that would give the government new powers to defend private computer networks in the United States. The legislation has prompted a struggle as American companies try to avoid costly regulation on their networks, and some civil liberties groups express concern about the effect on privacy. 

General Alexander said that the administration was still working out rules of engagement for responding to cyberattacks. Because an attack can take place in milliseconds, he said that some automatic defenses were necessary, as was the president’s involvement in any decisions about broader retaliation.

He confirmed that under existing authorities, only the president had the power to authorize an American-directed cyberattack. The first such attacks occurred under President George W. Bush. 

The Pentagon has said previously that if the United States retaliated for an attack on its soil, the response could come in the form of a countercyberattack, or a traditional military response. 

General Alexander spoke in a 75-minute interview at the Aspen Security Forum at the Aspen Institute here. The New York Times is a media sponsor of the four-day conference. Another conference speaker, Matthew Olsen, the director of the National Counterterrorism Center, addressed the escalating “hot war” between Israel and Iran and Iranian-backed groups like Hezbollah.

Iran has blamed Israel for assassinations of several of its nuclear scientists. Israel has accused Hezbollah operatives backed by Iran of carrying out the suicide bombing last week that killed five Israeli tourists and a local bus driver in Bulgaria. 

The United States has said Iran was behind a thwarted plot last fall to kill Saudi Arabia’s ambassador to the United States. 

“Both with respect to Iran and Hezbollah, we’re seeing a general uptick in the level of activity around the world in a number of places,” Mr. Olsen said.

Mr. Olsen did not address the Bulgaria attack, but he said the plot to kill the Saudi envoy in Washington “demonstrated that Iran absolutely had the intent to carry out a terrorist attack inside the United States.”

Wednesday, May 30, 2012

BYOD (Bring Your Own Device) Whitepaper

Good whitepaper: BYOD (Bring Your Own Device). See how companies are coping with the influx of these devices in the workplace.

Sunday, April 22, 2012

Cyber Intelligence Sharing and Protection Act (CISPA) H.R. 3532

The Cyber Intelligence Sharing and Protection Act (CISPA) H.R. 3532 is a new bill being introduced in Congress that is gunning to blast the ongoing cyber attacks that have occurred since internet users figured out the keyboard could be an effective weapon. If passed through Congress, the bill would allow the government access to the personal correspondence of any person of their choosing. Once again, we are being fucked by those nosy neighbors in our government.

You should be very mad and very afraid because CISPA is far worse than SOPA and PIPA in its effects on the internet. The wording of this bill is mumbo jumbo, vague and broad. Reading through the nonsense, basically the act would allow Congress to circumvent existing exemptions to online privacy laws, and would allow the monitoring and censorship of any user of the internet. Peeping Toms will be wetting their pants. The real kicker (in our asses) is that it will also allow the government to stop online communications which they deem critical or disruptive to them. They can even decide they don’t like what you say about other private parties and shut you down.

The Center for Democracy and Technology states that CISPA would allow Internet Service Providers (ISPs) to “funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient.” Holy Bejeezers, where are Batman and Robin when you need them?

What will happen if we don’t stop CISPA?

CISPA effectively creates an exemption to all existing internet privacy laws. Pay attention here, because this means the government will have control over the entire internet, and would be able to censor anything they deem as a “threat” to national security. And what do those ding dongs deem a threat? Well, that is up for them to decide. With the power they would have, it would enable them to interpret anything as a potential “threat” if they really wanted to. Be afraid, very, very, very afraid.

This is just another trap to have our freedom stripped away even further. It is glaringly obvious that our very own government has slowly diminished the very freedoms we were promised at the inception of this “democracy.” It is painful that it may not appear obvious that each new bill that is introduced and passed in Congress contains many clauses that most Americans aren’t even aware of. This is why it is imperative we examine each new bill and law very closely. It is a shameful fact that we have to protect ourselves from the very institution we pay to work in our best interest.

It blows my mind that social networks like Facebook support CISPA. Who is paying whom off? Here is what Joel Kaplan, Facebook Vice President, said was the reason they support the bill.

“One challenge we and other companies have had is in our ability to share information with each other about cyber attacks. When one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack,” Kaplan wrote in a blog post on Friday. “Similarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.”

Umm, what am I missing here? You need an anti-privacy law to get off your duff and let others know if you are being attacked? It is all too crazy-making, and once again we have to mobilize and put the pressure needed on our government to dump this dumb bill.

POSTED BY THN REPORTER ON 4/22/2012 10:09:00 AM
By:  Patti Galle, Executive Editor

Tuesday, April 10, 2012

Richard Clarke Says Stuxnet was a U.S. Operation

By Jack Goldsmith - Thursday, March 29, 2012 at 4:36 AM

The former counterterrorism czar reaches this conclusion because the operation had lawyers’ fingerprints on it.  From an interview with Ron Rosenbaum in Smithsonian Magazine:

“I think it’s pretty clear that the United States government did the Stuxnet attack,” [Clarke] said calmly.

This is a fairly astonishing statement from someone in his position.

“Alone or with Israel?” I asked.

“I think there was some minor Israeli role in it.  Israel might have provided a test bed, for example.  But I think that the U.S. government did the attack and I think that the attack proved what I was saying in the book [which came out before the attack was known], which is that you can cause real devices—real hardware in the world, in real space, not cyberspace—to blow up.”

Isn’t Clarke coming right out and saying we committed an act of undeclared war?

“If we went in with a drone and knocked out a thousand centrifuges, that’s an act of war,” I said. “But if we go in with Stuxnet and knock out a thousand centrifuges, what’s that?”

“Well,” Clarke replied evenly, “it’s a covert action. And the U.S. government has, ever since the end of World War II, before then, engaged in covert action. If the United States government did Stuxnet, it was under a covert action, I think, issued by the president under his powers under the Intelligence Act. Now when is an act of war an act of war and when is it a covert action?

“That’s a legal issue. In U.S. law, it’s a covert action when the president says it’s a covert action. I think if you’re on the receiving end of the covert action, it’s an act of war.”

When I e-mailed the White House for comment, I received this reply: “You are probably aware that we don’t comment on classified intelligence matters.” Not a denial. But certainly not a confirmation. So what does Clarke base his conclusion on?

One reason to believe the Stuxnet attack was made in the USA, Clarke says, “was that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

“What makes you say that?” I asked.

“Well, first of all, I’ve sat through a lot of meetings with Washington [government/Pentagon/CIA/NSA-type] lawyers going over covert action proposals. And I know what lawyers do.

“The lawyers want to make sure that they very much limit the effects of the action. So that there’s no collateral damage.” He is referring to legal concerns about the Law of Armed Conflict, an international code designed to minimize civilian casualties that U.S. government lawyers seek to follow in most cases.

Clarke illustrates by walking me through the way Stuxnet took down the Iranian centrifuges.

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA [Supervisory Control and Data Acquisition] software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens [the German manufacturer of the Iranian plant controls]?’ ‘Yes.’ Third question: ‘Is it running Siemens 7 [a genre of software control package]?’ ‘Yes.’ Fourth question: ‘Is this software contacting an electrical motor made by one of two companies?’” He pauses.

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

“There are reports that it’s gotten loose, though,” I said, reports of Stuxnet worms showing up all over the cyberworld. To which Clarke has a fascinating answer:

“It got loose because there was a mistake,” he says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. “And somehow it didn’t work.”

About the Author
Jack Goldsmith is the Henry L. Shattuck Professor at Harvard Law School, where he teaches and writes about national security law, presidential power, cybersecurity, international law, internet law, foreign relations law, and conflict of laws. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003–2004, and Special Counsel to the Department of Defense from 2002–2003.

Friday, April 6, 2012

Cyber Intelligence Sharing and Protection Act (CISPA)

If you download and distribute copyrighted material on the Internet, or share any information that governments or corporations find inconvenient, you could soon be labeled a threat to national security in the United States. That’s the aim of a bill in Congress called the Cyber Intelligence Sharing and Protection Act (CISPA).

The good news is that SOPA and PIPA haven’t come to pass, but the bad news is that they could be followed by a bill that is even more invasive and could violate even more of your civil liberties. According to a press release issued last week, the bill already has over 100 congressional co-sponsors. Yet the bill is only now beginning to appear on the public radar.

CISPA would let companies spy on users and share private information with the federal government and other companies with near-total immunity from civil and criminal liability. It effectively creates a ‘cybersecurity’ exemption to all existing laws.

CISPA, however, is nothing like SOPA, despite its recent association in the media. While SOPA included provisions that would have essentially broken the Internet by allowing the U.S. to delete domains from a central registry system, CISPA does nothing of the sort, and aims more at “cyber threat intelligence” gathering than censorship and piracy prevention.

The bill presents itself as a simple enhancement of America’s cyber-security that would amend the National Security Act to include “cyber threat intelligence” gathering. To those ends, it would tear down the firewall between private corporate networks and the National Security Agency, enabling corporations to share data with the world’s most sophisticated spy apparatus.

While the bill is openly supported by companies like AT&T, Lockheed Martin, Microsoft, Facebook, Boeing and Intel, ACLU legislative counsel Michelle Richardson cautioned last month that it is not something to be taken up lightly.