Tag Archives: hacking

Space Weapons and Space Law

moon

“Policy, law and understanding of the threat to space is lagging behind the reality of what is out there,” warned Mark Roberts, a former Ministry of Defence official who was in charge of government space policy and the UK’s “offensive cyber portfolio”.….

The disabling of satellites would have a disastrous impact on society, knocking out GPS navigation systems and time signals. Banks, telecommunications, power and many infrastructures could fail, Roberts told the conference….Agreements such as the 1967 Outer Space treaty and the 1979 Moon treaty are supposed to control the arms race in space. Some states have signed but not ratified them, said Maria Pozza, research fellow at the Lauterpacht Centre for International Law at Cambridge University.  Existing treaties do not specify where air space ends and outer space begins – although 100km (62 miles) above the Earth is becoming the accepted limit.

The Navstar constellation of satellites was used to provide surveillance of Iraq during the Gulf war in 1991. Was that, asked Pozza, an aggressive use of space, a “force-multiplier”? Satellites may have also been used to photograph and locate al-Qaida bases, Osama bin Laden or even assess future strikes against Syria.

The Chinese government has recently moved to support a 2012 EU code of conduct for space development, which, Pozza said, was a softer law. The draft Prevention of the Placement of Weapons in Outer Space treaty has not yet been agreed. “Are we dismissing the possibility of a hard law or giving it a good chance?” Pozza asked.

The Chinese tested an anti-satellite weapon in 2007 that destroyed a defunct orbiting vehicle and showered debris across near Earth orbits. Other satellites have been jammed by strong radio signals. BBC transmissions to Iran were disrupted during this year’s elections through ground signals ostensibly sent from Syria.

In 2011, hackers gained control of the Terra Eos and Landsat satellites, Roberts said. The orbiting stations were not damaged. “The threat can now be from a laptop in someone’s bedroom,” he added.

Professor Richard Crowther, chief engineer at the UK Space Agency, said scientists were now exploring the possibility of robotic systems that grapple with and bring down disused satellites or laser weapons to clear away debris in orbit.  Both technologies, he pointed out, had a potential dual use as military weapons. 3D printing technologies would, furthermore, allow satellite operators to develop new hardware remotely in space.

The UK is formulating its space security policy, group captain Martin Johnson, deputy head of space policy at the MoD, said. Fylingdales, the Yorkshire monitoring station, has been cooperating for 50 years with the USA to enhance “space awareness” and early warning systems. The UK, Johnson said, was now working with the EU to develop a complementary space monitoring system.

Excerpt, Owen Bowcott, legal affairs correspondent, The Guardian, Sept. 11, 2013

Hacking Back: controlling hackers from defense to offense

CrowdStrike is a vocal advocate of “active defence” technologies that are generating much buzz in the cyber-security world. Their proponents argue that those who think firewalls, antivirus programmes and other security software are enough to keep their networks safe are kidding themselves. Instead, companies should work on the assumption that their systems have been breached, and take the fight to the hackers. The methods they prescribe include planting false information on their systems to mislead data thieves, and creating “honeypot” servers, decoys that gather information about intruders.  There are worries that such talk of active defence may encourage companies to go further, and “hack back” at their tormentors, even though many countries have laws that forbid such activity. In a survey of 181 delegates at last year’s Black Hat event, just over a third said they had already engaged in some form of retaliation against hackers.

Concerns about cyber-vigilantism have not deterred financiers from investing in tech firms that see active defence as a money-spinning opportunity. Take the case of Endgame, a secretive outfit that is adapting technology developed for intelligence agencies for commercial use. In March it raised $23m in a second round of funding and added Kenneth Minihan, a former director of America’s National Security Agency, to its board. Endgame has reportedly developed a system called “Bonesaw” that detects which software is being used by devices connected to the web. This could be used defensively by companies to detect vulnerabilities on their own devices, but could also be used to spot them on someone else’s.

Like many other information-technology businesses, the active-defence firms are deploying cloud computing (the delivery of software and data storage over the internet) and big-data crunching. CrowdStrike has developed a cloud-based service that scoops in intelligence about online threats from across the web and merges them with analysis from its own research team. It charges its customers from $25,000 to hundreds of thousands of dollars a year for its services. At the Black Hat conference researchers from Endgame demonstrated a system dubbed “BinaryPig”, which crunches huge amounts of data swiftly to help identify and understand hackers by seeking patterns in the “malware” that they use to enter others’ systems.

Other companies are concentrating on technology to foil software that hackers use to enter websites to indulge in wholesale “scraping”, or extraction, of their content. CloudFlare, one such start-up, has developed a service called Maze, which it proudly describes as “a virtual labyrinth of gibberish and gobbledygook”. The service detects content-scrapers and diverts them from the site’s useful material into dummy web pages with useless content.

John Strand, an expert in active-defence techniques at SANS Institute, a computer-security training outfit, says the goal of all these technologies is to drive up the costs that hackers incur in the hope this will deter them in future. It is not to wreak havoc in enemy servers. “We deal in poison, not venom,” he says.

But some security boffins argue that companies should be given more legal latitude to probe those servers. Stewart Baker, a former Department of Homeland Security official who now works for Steptoe & Johnson, a law firm, thinks firms should be allowed to “investigate back” in certain carefully prescribed situations. “There’s a difference between being a vigilante and a private investigator,” he insists. He also suggests that governments should consider licensing specialist firms to conduct investigations according to strict guidelines, rather than relying solely on their own cyber-detectives.

Other voices in the industry give warning that letting private companies hack into others’ servers, even to protect their own property, could lead to trouble. “It’s a foolish strategy to up the ante when you don’t know who you are attacking,” says Jeffrey Carr of Taia Global, a security consultancy. Mr Carr notes that hackers who are provoked might strike back even harder, triggering an escalation of hostilities.  Even some of the techniques employed by firms such as CrowdStrike could land firms in trouble. For instance, it might seem cunning for a company to try to trick hackers into losing money, by planting dummy accounts somewhere on their system that made the company’s financial health seem much worse than it is. But if instead of just using the misinformation to make unwise trades, the hackers leaked the figures to the financial markets, the company could find itself in hot water with regulators.

In spite of such risks, which can be minimised through close co-ordination between companies’ IT and legal teams, security experts are predicting that the popularity of active-defence techniques will grow. One reason is that businesses are making increasing use of cloud computing and mobile devices such as smartphones, which make it harder to establish clear defensive perimeters around their IT systems. “If you don’t really know where your castle starts and ends, you can’t really build an effective wall and moat around it,” explains Nils Puhlmann, formerly chief security officer of Zynga, a social-gaming company, and a founder of the Cloud Security Alliance, an industry group.

Business and cyber-crime: Firewalls and firefights, Economist, Aug. 10, 2013, at 53

Cyberespionage in South Korea 2009-2013

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013

Hackers in Demand: industrial espionage

keep calm and self destruct

American firms wage private cyber-combat against Chinese rivals…precisely that scenario is being considered by former senior American officials, who report that intellectual property (IP) is being stolen on an unprecedented scale, and that passive defences no longer work.  Annual losses from the theft of American IP are probably on a similar scale to America’s total exports to Asia, at around $300 billion a year, concludes a report by a Commission on the Theft of American Intellectual Property, a private initiative led by Dennis Blair, Barack Obama’s first director of national intelligence, and Jon Huntsman, a former ambassador to China and unsuccessful contender for the 2012 Republican presidential nomination. “Extraordinary” numbers of commercial and government entities are bent on stealing American IP. Between half and 80% of them are Chinese, depending on the sector, commissioners say. They also

To date victims have been loth to retaliate. Companies do not want to be seen as “weak” and fear being singled out for punishment as they seek access to Chinese markets, says Mr Huntsman. Companies under attack also face legal constraints that defy common sense, says Admiral Blair. Victims face prosecution if they accidentally damage hackers’ American-hosted computers when trying to recover stolen files, let alone if they deliberately tell files to self-destruct.

Changing the law to permit aggressive counter-measures would be controversial…, recommendations include denying repeat offenders access to America’s banking system, or blocking IP abusers from making big American investments.

Intellectual property:Fighting China’s hackers, Economist, May 25, 2013 at 31

How the United States is Persecuting the Hacktivists

hacktivism

The government is treating hackers who try to make a political point as serious threats.   [T]he state has come down on them with remarkable force. This is in large measure evidence of how poignant, and troubling, their message has been.

Hacktivists, roughly speaking, are individuals who redeploy and repurpose technology for social causes. In this sense they are different from garden-variety hackers out to enrich only themselves. People like Steve Jobs, Steve Wozniak and Bill Gates began their careers as hackers — they repurposed technology, but without any particular political agenda. In the case of Mr. Jobs and Mr. Wozniak, they built and sold “blue boxes,” devices that allowed users to defraud the phone company. Today, of course, these people are establishment heroes, and the contrast between their almost exalted state and the scorn being heaped upon hacktivists is instructive.

For some reason, it seems that the government considers hackers who are out to line their pockets less of a threat than those who are trying to make a political point. Consider the case of Andrew Auernheimer, better known as “Weev.” When Weev discovered in 2010 that AT&T had left private information about its customers vulnerable on the Internet, he and a colleague wrote a script to access it. Technically, he did not “hack” anything; he merely executed a simple version of what Google Web crawlers do every second of every day — sequentially walk through public URLs and extract the content. When he got the information (the e-mail addresses of 114,000 iPad users, including Mayor Michael Bloomberg and Rahm Emanuel, then the White House chief of staff), Weev did not try to profit from it; he notified the blog Gawker of the security hole.  For this service Weev might have asked for free dinners for life, but instead he was recently sentenced to 41 months in prison and ordered to pay a fine of more than $73,000 in damages to AT&T to cover the cost of notifying its customers of its own security failure.  When the federal judge Susan Wigenton sentenced Weev on March 18, she described him with prose that could have been lifted from the prosecutor Meletus in Plato’s “Apology.” “You consider yourself a hero of sorts,” she said, and noted that Weev’s “special skills” in computer coding called for a more draconian sentence. I was reminded of a line from an essay written in 1986 by a hacker called the Mentor: “My crime is that of outsmarting you, something that you will never forgive me for.”  When offered the chance to speak, Weev, like Socrates, did not back down: “I don’t come here today to ask for forgiveness. I’m here to tell this court, if it has any foresight at all, that it should be thinking about what it can do to make amends to me for the harm and the violence that has been inflicted upon my life.”  He then went on to heap scorn upon the law being used to put him away — the Computer Fraud and Abuse Act, the same law that prosecutors used to go after the 26-year-old Internet activist Aaron Swartz, who committed suicide in January.  The law, as interpreted by the prosecutors, makes it a felony to use a computer system for “unintended” applications, or even violate a terms-of-service agreement. That would theoretically make a felon out of anyone who lied about their age or weight on Match.com.

The case of Weev is not an isolated one. Barrett Brown, a journalist who had achieved some level of notoriety as the “the former unofficial not-spokesman for Anonymous,” the hacktivist group, now sits in federal custody in Texas. Mr. Brown came under the scrutiny of the authorities when he began poring over documents that had been released in the hack of two private security companies, HBGary Federal and Stratfor. Mr. Brown did not take part in the hacks, but he did become obsessed with the contents that emerged from them — in particular the extracted documents showed that private security contractors were being hired by the United States government to develop strategies for undermining protesters and journalists, including Glenn Greenwald, a columnist for Salon. Since the cache was enormous, Mr. Brown thought he might crowdsource the effort and copied and pasted the URL from an Anonymous chat server to a Web site called Project PM, which was under his control…..

Other hacktivists have felt the force of the United States government in recent months, and all reflect an alarming contrast between the severity of the punishment and the flimsiness of the actual charges. The case of Aaron Swartz has been well documented. Jeremy Hammond, who reportedly played a direct role in the Stratfor and HBGary hacks, has been in jail for more than a year awaiting trial. Mercedes Haefer, a journalism student at the University of Nevada, Las Vegas, faces charges for hosting an Internet Relay Chat channel where an Anonymous denial of service attack was planned. Most recently, Matthew Keys, a 26-year-old social-media editor at Reuters, who allegedly assisted hackers associated with Anonymous (who reportedly then made a prank change to a Los Angeles Times headline), was indicted on federal charges that could result in more than $750,000 in fines and prison time, inciting a new outcry against the law and its overly harsh enforcement. The list goes on.

In a world in which nearly everyone is technically a felon, we rely on the good judgment of prosecutors to decide who should be targets and how hard the law should come down on them. We have thus entered a legal reality not so different from that faced by Socrates when the Thirty Tyrants ruled Athens, and it is a dangerous one. When everyone is guilty of something, those most harshly prosecuted tend to be the ones that are challenging the established order, poking fun at the authorities, speaking truth to power — in other words, the gadflies of our society.

Excerpts, By PETER LUDLOW, Hacktivists as Gadflies, NY Times, April 13, 2013

The Secret Bugs: Exploits

computer code

Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively”.Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn’t identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a “disposable gun” that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding “unknown unknowns”, says Kenneth Geers, a cyber-security specialist at America’s Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.

The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients’ computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of “zero days”, as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit’s days are numbered, literally: it becomes a “one day”, then a “two day”, and so on until the vulnerability it exploits is patched.)

Such “bug bounty” schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap’s biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen’s boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.

On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory “who’s your daddy?” notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke—this time at the expense of a victim who has been hacked.

Cyber-security: The digital arms trade, Economist, Mar. 30, 2013, at 65.