Two U.S. senators will propose that Congress or President Barack Obama’s administration should pursue trade and immigration sanctions against China and other countries that allegedly support cyberattacks on U.S. government agencies and businesses, the lawmakers said Wednesday.
Senators Sheldon Whitehouse, a Rhode Island Democrat, and Lindsey Graham, a South Carolina Republican, called on the administration, including the U.S. Department of Justice and Federal Bureau of Investigation, to step up efforts to battle cyberattacks.
Congress or the administration should block immigration from countries supporting cyberattacks on the U.S. and it should limit trading with those countries, Graham said during a hearing before the Senate Judiciary Committee’s crime subcommittee.
“Our Chinese friends seem to be hell bent on stealing anything they can get their hands on here in America,” Graham said. “We’re going to do something about this. We’re going to put nation states on notice that, if you continue to do this, you’ll pay a price.”
Witnesses pointed at China as the major source of cyberattacks on the U.S.
Graham asked witnesses to identify the top countries where attacks originate. Both Kevin Mandia, CEO of security vendor Mandiant, and Stewart Baker, a partner at law firm Steptoe & Johnson and former assistant secretary at the U.S. Department of Homeland Security, said China was by far the top attacker.
Russian attackers seem to abide by some rules of engagement and tend to withdraw after U.S. security professionals catch them attacking networks, Mandia said. “The Chinese are like a tank through a corn field, they just keep mowing through it,” he said.
Graham asked Mandia and Baker for two-page memos detailing Chinese attacks that he would take to officials with the Chinese embassy in Washington, D.C. “I’ll give you 100 pages, sir,” Mandia said.
Representatives of the Chinese Embassy in Washington, D.C., didn’t immediately respond to a request for comments on the hearing.
Former FBI counter-terrorism agent Tim Clemente appeared on CNN to claim that most of the great unwashed do not know the real capabilities and behavior of the US surveillance state. The comments stem from anonymous government officials saying that investigators are now focused on telephone calls between one of the Boston bombers and his wife, to establish whether she had prior knowledge of the plot or participated in any way.
The only problem with that is that the calls had already been made, so how could the FBI listen to them? Asked whether the FBI would be able to discover the contents of past telephone conversations between the two, Clemente insisted quite clearly that it could.
He said that there were ways in national security investigations to find out exactly what was said in that conversation. “It’s not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out,” he said, adding that “all of that stuff is being captured as we speak, whether people know it or like it or not.”
EPIC already tried twice last September to get access, and now it is trying again. It says it has sent repeated Freedom of Information Act requests regarding the database and that the FBI has failed to respond. Now it has filed a lawsuit for access.
It warned that the Next Generation Identification system (NGI) is a massive database that “when completed, [will] be the largest biometric database in the world”.
The NGI will use CCTV systems and facial recognition, and it includes DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other “identifying information”.
The FBI has an information page about the NGI, where it says that photographs of tattoos are also included and that the system is designed to speed up suspect identification and response times.
“The NGI system will offer state-of-the-art biometric identification services and provide a flexible framework of core capabilities that will serve as a platform for multimodal functionality,” it said.
“The NGI Program Office mission is to reduce terrorist and criminal activities by improving and expanding biometric identification and criminal history information services through research, evaluation, and implementation of advanced technology”.
In its lawsuit EPIC said that the NGI database will be used for non-law-enforcement purposes and will be made available to “private entities”.
EPIC said that it has asked the FBI to provide information including “contracts with commercial entities and technical specifications”.
It said that so far it has received no information from the FBI in response to its requests.
Just days after a scandal in which a South American hospital was staffed by phantom doctors, whose colleagues used silicone fingers moulded from their fingerprints to convince the administrators’ fingerprint readers that they were at work, Apple has decided that fingerprint readers are the perfect form of security.
Apple is said to be planning to introduce an iPhone that can be unlocked by the owner’s fingerprint. Speculation about Apple’s plans for fingerprint recognition began last summer when the iPhone maker bought biometric security firm AuthenTec for $335 million.
It is believed that the iPhone 5S will have a fingerprint chip under the Home button, to “improve security and usability.” Meanwhile in an engineering journal, two Google security experts outlined plans for an ID ring or smartphone chip that could replace online passwords, which is a lot sexier than fingerprint scanning.
The U.S. Department of Justice and the Department of Homeland Security have requested more time to consider Softbank’s proposed takeover of Sprint Nextel, a move that may signal a rough road ahead for the US$20 billion deal.
In a letter to the Federal Communications Commission, dated Monday, the DOJ asked the FCC to defer action on the deal because it hasn’t finished reviewing the proposal for national security, law enforcement and public safety issues. It filed the letter in conjunction with the Federal Bureau of Investigation, which is part of the DOJ, and the Department of Homeland Security. The DOJ asked that the FCC hold off until the agencies have finished their review and requested FCC action. The filing was reported earlier Tuesday by GigaOm.
The letter didn’t change Sprint’s forecast for completion of the deal.
“This is a routine request so the appropriate federal agencies can review network security for transactions involving foreign companies. We continue to anticipate that the transaction will be completed in mid-2013,” Sprint spokesman Scott Sloat said in an email message. The FCC had no comment on the letter.
Last October, Softbank proposed investing $20 billion in Sprint and acquiring a 70 percent stake in the company. Though Japan is considered a close U.S. ally, some observers have said lawmakers might object to significant foreign ownership of Sprint, the third-largest U.S. mobile operator.
If approved, the deal would greatly strengthen Sprint to better compete against AT&T and Verizon Wireless. It would also allow Sprint to buy out the rest of partner company Clearwire and gain access to that company’s large reserves of wireless spectrum.
Burlington, Wash. officials have notified hundreds of employees and residents that their bank account information was compromised last week when hackers broke into the city’s computer network and stole more than $400,000 from a city account at Bank of America.
Among those impacted by the breach are employees participating in Burlington’s electronic payroll deposit program and utility customers enrolled in the city’s autopay program for sewer and storm drain charges.
In an alert issued this morning, city administrator Bryan Harrison said that all auto-pay customers should assume that their name, bank account number and routing number were compromised following an intrusion into a city utility billing system.
He urged affected customers to immediately contact their bank to flag or close their accounts.
All employees participating in the city’s electronic payroll deposit program have also been asked to close out their old accounts and establish a new one as a result of the breach, Harrison told Computerworld Monday.
The employees have also been asked to notify major credit-reporting agencies about the breach and to alert them about the potential for identity theft.
Investigators are trying to figure out how the intruders gained access to the Bank of America account. The account has been frozen and all of the city’s money has been temporarily moved out of Bank of America as a precaution.
Numerous other small towns, municipalities and small businesses have been victimized by similar online heists over the past three or four years.
The FBI has estimated that U.S. businesses and banks have lost hundreds of millions of dollars due to such thefts in recent years.
In a move that will most likely cause alarm among privacy advocates, the FBI has begun searching for a tool that will allow it to gather and mine data from social networks like Facebook, Twitter and blogs.
The goal is to use the tool to keep on top of breaking events, incidents and emerging threats, the agency said in a recent Request for Information (RFI) from IT vendors.
The FBI said it’s seeking a “secure, lightweight web application portal using mashup technology.”
According to the RFI document, “The application must have the ability to rapidly assemble critical open source information and intelligence that will allow [the FBI's Strategic Information and Operations Center] to quickly vet, identity and geo-locate” potential threats to the U.S.
The FBI said the tool must have the ability to automatically search and scrape data off social networking and news sites based on specific queries. It must also be able to display alerts on geo-spatial maps and give users the ability to quickly summarize the “who, what, when, where and why” of specific threats and incidents.
The FBI hopes to use information posted on social networks to detect specific and credible threats, locate those organizing and taking part in dangerous gatherings and predict upcoming events, the FBI said.
“Social media will be a valued source of information to the SIOC intelligence analyst in a crisis because it will be both eyewitness and first response to the crisis,” the RFI said.
It noted that social media networks have been beating police, firefighters and the news media when it comes to communicating news of developing incidents and protests.
An FBI spokesman said the proposed system will be used only to monitor publicly available information, and won’t be used to focus on specific individuals or groups, according to an Associated Press report.
In the video, posted on YouTube on December 28, Anonymous said that Sony had signed its own death warrant by supporting SOPA, the controversial American anti-piracy bill.
“Yet again, we have decided to destroy your network,” threatens the video.
“We will dismantle your phantom from the internet. Prepare to be extinguished. Justice will be swift, and it will be for the people, whether some like it or not.”
The post was updated with an image of a dog with a gun to its head, with the following message.
“Dear RIAA/MPAA, meet Sony. Sony is a dog. Sony is your dog.”
“Cease and desist in persuing [SIC] your ridiculous futile decade long crusades against grandmas, innovators, teenagers, and dead people. If not we will kill your dog.”
PlayStation Lifestyle reported that the #OpSony group within Anonymous has said that while Sony Computer Entertainment is a target the activists will not attack the PlayStation Network or consumers, instead focusing on Sony websites and employees.
Sony has actually withdrawn from supporting SOPA, although Sony/ATV Music Publishing, Sony Music Entertainment and Sony Music Nashville are still listed in official documents as supporters, and the ESA, of which Sony is a member, still backs the anti-piracy bill.
In April attacks on the PlayStation Network took the service offline for over five weeks.
Federal investigators are looking into a report that hackers managed to remotely shut down a utility’s water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.
The November 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.
The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.
He said that the same group may have attacked other industrial targets or be planning strikes using credentials stolen from the same software maker.
The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.
“At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” he said, declining to elaborate further. An FBI spokesman in Illinois did not return phone calls seeking comment.
Sony has locked down 93,000 accounts on its Playstation Network (PSN), Sony Entertainment Network (SEN) and Sony Online Entertainment (SOE) service after they were compromised during a recent brute force attack.
The incident was announced by Sony’s chief information security officer Philip Reitinger, who explained that the company detected an attempt to test a massive number of credentials against its user database.
Because the attack had a very small success rate, Sony believes that the sets of usernames and passwords were stolen from other companies and were just being checked for validity on its own services.
“Given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks,” Reitinger explained.
It’s not clear exactly how the attack was executed. Live authentication systems usually rate-limit login attempts from a single IP address over short periods, which is why true brute force attacks are normally run offline against a stolen copy of a password database. What Sony describes is different: each stolen username/password pair is tried once, so the attacker needs only one request per account rather than millions, and the requests can be spread across many source addresses.
Botnets are used to spread such attempts across many IP addresses and stay under per-address limits, but given that the attackers managed to validate 93,000 accounts despite a poor success rate, either the botnet was huge or Sony’s systems lacked proper protections.
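The distinction between a per-address limit and a distributed credential check is worth making concrete. A per-IP limiter catches one host hammering one account, but a credential-stuffing run tries each stolen pair once and spreads the attempts over many addresses, so every source stays under the limit while the site as a whole sees a flood of failures. The following is an added example, not Sony’s code and not anything the article describes Sony as running: it parses constructed login-log lines in an assumed `timestamp ip=… user=… result=OK|FAIL` format and shows that the naive per-IP limiter flags nothing, while two signals that survive IP rotation, the number of distinct usernames tried per source and the site-wide failure ratio, light up. Thresholds and addresses are assumptions.

```python
"""Detecting distributed credential stuffing that slips under per-IP limits.

Added example; not Sony's code. The log format, thresholds and addresses
are assumptions, and the log below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build a small login log: 20 bot IPs x 3 attempts, each attempt a
    different stolen username, one lucky hit; plus ordinary users who
    mostly succeed. Addresses are from the RFC 5737 documentation ranges."""
    t0 = datetime(2011, 10, 11, 9, 0, 0)
    lines = []
    n = 0
    for bot in range(20):
        ip = f"203.0.113.{bot + 1}"
        for _ in range(3):
            result = "OK" if n == 37 else "FAIL"        # 1 hit in 60 tries
            ts = (t0 + timedelta(seconds=n)).isoformat()
            lines.append(f"{ts} ip={ip} user=user{n:04d} result={result}")
            n += 1
    for k in range(30):                                 # legitimate traffic
        ip = f"198.51.100.{k % 5 + 1}"
        result = "FAIL" if k % 10 == 0 else "OK"        # occasional typo
        ts = (t0 + timedelta(seconds=n + k)).isoformat()
        lines.append(f"{ts} ip={ip} user=alice{k % 5} result={result}")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Return (timestamp, ip, user, success) tuples from the assumed format."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), f["ip"], f["user"], f["result"] == "OK"))
    return events


def per_ip_rate_limit(events, max_attempts=10, window=timedelta(minutes=1)):
    """The usual defence: block any IP with more than max_attempts in a window.
    Returns the set of IPs that would have been blocked."""
    times_by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        times_by_ip[ip].append(ts)
    blocked = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:            # slide the window forward
                start += 1
            if end - start + 1 > max_attempts:
                blocked.add(ip)
                break
    return blocked


def stuffing_indicators(events, min_users_per_ip=3, baseline_fail_rate=0.10):
    """Signals that survive IP rotation: many distinct usernames from one
    source (a real user has one or two), and a site-wide failure ratio far
    above the normal typo rate. Returns a dict of findings."""
    users_by_ip = defaultdict(set)
    failures = 0
    for _, ip, user, ok in events:
        users_by_ip[ip].add(user)
        failures += 0 if ok else 1
    spraying_ips = {ip for ip, users in users_by_ip.items() if len(users) >= min_users_per_ip}
    fail_rate = failures / len(events) if events else 0.0
    return {
        "spraying_ips": spraying_ips,
        "fail_rate": fail_rate,
        "surge": fail_rate > 3 * baseline_fail_rate,
    }


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-IP limiter blocks:", per_ip_rate_limit(ev) or "nothing")
    ind = stuffing_indicators(ev)
    print(f"sources spraying usernames: {len(ind['spraying_ips'])}, "
          f"failure ratio {ind['fail_rate']:.0%}, surge={ind['surge']}")
```

On the constructed log the limiter blocks nothing at ten attempts per minute, because no bot ever sends more than three; tightening it to two attempts would block the bots but also every ordinary user who mistypes a password a few times. The per-source username count and the site-wide failure ratio do not depend on how fast any one address goes, which is why they are the metrics worth alerting on when the attacker has a botnet’s worth of addresses to rotate through.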
According to Reitinger, 60,000 of the affected accounts are from the PSN and SEN networks, while the other 33,000 are on SOE. All of them have been locked down and are being reviewed for unauthorized access.
In order to regain control over the accounts, their legitimate owners will need to change their passwords. The company will notify those affected via email and will instruct them on how to proceed.
“Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet,” Reitinger said.
The company advises users to choose username and password combinations that are not associated with other web sites and are hard to guess. Users should also review all their online accounts for suspicious activity on a regular basis.
SpamTitan has found that 70 percent of companies that believe they have been hit by a spear phishing attack are unsure whether the incident was ever reported to their IT department. Spear phishing is a targeted email sent to one person or a few people at a particular company, crafted to appear to come from a person of authority at the same company.
Ronan Kavanagh, CEO of SpamTitan.com, said that a lack of proactive measures to deal with such attacks can cost companies financially through loss of data and system downtime. Spear phishing is a growing problem in which a targeted, legitimate-looking fake email is sent to individuals or a company in order to gain access to data.
SpamTitan customers were asked whether their company had ever experienced a spear phishing attack and, if so, whether the attack had been reported to their IT department. Only 32 percent of those who responded believed their organization had been exposed to a spear phishing attack, but 70 percent of those were unsure whether the incident had been reported to their IT department.
Kavanagh said that while most people are now aware of the prevalent banking phishing scams and the like, spear phishing is a more advanced attempt at a breach of security that appears legitimate. He added that educating employees about a range of security issues is an important step that many companies ignore.
Apple is looking for two managers to bump up its “new product security”, according to the Associated Press, joining an already tight security programme that includes personnel who used to work for the FBI and other law enforcement agencies.
Apple has been tight-lipped about its security problems, but the Associated Press discovered that four San Francisco police officers recently joined two Apple staff at a home in Bernal Heights to search for a missing prototype, believed to be the upcoming Iphone 5.
Apple’s desperation to keep its unreleased products secret might seem, at times, a little over the top, but in a multi-billion dollar industry where many companies are looking to topple Apple from its throne, exposure of plans and product details could give rivals a competitive edge.
Apple’s security woes began again earlier this month when an Iphone 5 prototype was lost in a bar, a deja vu experience for the company given that a similar thing happened to an Iphone 4 prototype in 2010, which led to police involvement and a raid on a technology website editor’s home after pictures and details were leaked on Gizmodo.
More recently pictures of the alleged Iphone 5 case have surfaced online, suggesting that someone must have their hands on the coveted device. These lost devices are supposed to be handed in when found, but they’re much too valuable for that, particularly considering the $5,000 price tag for the Iphone 4 prototype that Gizmodo bought.
The questions, of course, are how these prototypes get out of Apple buildings in the first place, and why so many Apple employees carrying them seem to spend a lot of time in bars. Regardless, it appears that Apple is no longer willing to stick with its existing security protocols, as its new security managers might introduce tougher rules for what employees can do, where they can go, and what they can take with them.
Leaked prototypes are not the only security problem for Apple, however, as the company also suffers from extensive counterfeiting in China for both its Iphone and Ipod ranges and also its Macbooks and other devices. The problem is so big that there are even fake Apple stores in China, many of which have been shut down in recent months.
Of course, when you’re making as much money as Apple is, lost or stolen prototypes and counterfeit goods are probably worth the hassle, if you’re one of the top dogs in the consumer technology industry.
Because of a bug in the crypt() function that broke MD5-salted password hashing (the function returned only the salt instead of the hash), the PHP Group advised, as did the Sans Institute, that users resist their immediate temptation to update to PHP version 5.3.7, which was released on 18 August, and wait instead for the PHP 5.3.8 update. Any application that stored passwords with crypt() on a 5.3.7 box would have written unusable hashes, so the warning was not just about a failed release but about data written while it was installed.
Today, earlier than expected, the group alerted users that it was releasing the PHP 5.3.8 update, which fixes the crypt() bug as well as one other that could cause SSL connections to hang.
The earlier release, PHP version 5.3.7, included some 90 bug fixes and performance enhancements as well as at least six security updates, but also introduced the crypt() regression that forced the replacement update.
The group added that the PHP 5.2 series is no longer supported and urged all users to upgrade to PHP 5.3.8.
Kaspersky weighed in on Shady RAT, claiming that McAfee didn’t do the right thing by going public about the long-running intrusion into networks of governments, companies and non-profit organizations and that the move was alarmist. Now McAfee’s Phyllis Schneck, VP and CTO of McAfee’s Global Public Sector division has said that Kaspersky is “missing the point”.
Schneck defended McAfee’s decision to publicize Shady RAT by asking, “Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention?” Kaspersky also claimed the attack wasn’t particularly sophisticated, but Schneck said that the level of sophistication is not the point here. “It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.”
Kaspersky also claimed that Shady RAT is a botnet, something that Schneck categorically says is incorrect. Instead she labeled Shady RAT as a successful persistent threat and said it “was only as advanced as it needed to be”.
McAfee claims that it knows of 72 organizations that were affected by Shady RAT, which was a prolonged attack on many operations that the firm claims stole a large amount of data.
Whether Schneck or Kaspersky is right about Shady RAT being a botnet is really beside the point. For Kaspersky to call McAfee’s move alarmist is a bit rich, as all security companies promote fears of doom and gloom to sell their products and services.
The fundamental question remains: why did it take a security vendor five years to find out about Shady RAT? Kaspersky and McAfee might better focus on protecting their customers rather than taking pot shots at each other.
The AES crack is the work of a trio of researchers at universities and Microsoft, involved a great deal of cryptanalysis, which is somewhat reassuring, and still does not present much of a real security threat.
The researchers were Andrey Bogdanov of K.U.Leuven (Katholieke Universiteit Leuven), Dmitry Khovratovich, who works full time at Microsoft Research, and Christian Rechberger of ENS Paris.
Although there have been other attacks on the AES block cipher, none have really come close, according to the researchers. This new attack does, and it works against all three key sizes of AES.
This is not to say that anyone is in immediate danger; according to Bogdanov, although the attack is about four times faster than trying every key, it is still an enormously involved procedure.
Recovering a key is no five minute job. Even at four times faster than exhaustive search, the number of steps required to recover an AES-128 key is roughly 2^126, an 8 followed by 37 zeroes.
“To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key,” the Leuven University researcher added. “Because of these huge complexities, the attack has no practical implications on the security of user data.” Andrey Bogdanov told The INQUIRER that a “practical” AES crack is still far off but added that the work uncovered more about the standard than was known before.
“Indeed, we are even not close to a practical break of AES at the moment. However, our results do shed some light into the internal structure of AES and indicate where some limits of the AES design are,” he said.
He added that the advance is still significant, and is a notable progression over other work in the area.
“The result is the first theoretical break of the Advanced Encryption Standard – the de facto worldwide encryption standard,” he explained. “Cryptologists have been working hard on this challenge but with only limited progress so far: 7 out of 10 for AES-128 as well as 8 out of 12 for AES-192 and 8 out of 14 rounds for AES-256 were previously attacked. So our attack is the first result on the full AES algorithm.”
Bogdanov added that the crack works on all versions of AES and dispelled some myths about the technology as well.
“Unlike previous results on AES, we do not need any related keys which was a very strong and unrealistic assumption about the power of the attacker,” he explained.
“Our attacks work in the classical single-key setting and, thus, apply in every context, however, with huge complexities so far. The practical consequence is that the effective key length of AES is about 2 bits shorter than expected – it is more like AES-126, AES-190, and AES-254 instead of AES-128, AES-192, and AES-256. We think it is a significant step toward the understanding of the real security of AES.”
The attack has been confirmed by the creators of AES, Dr Joan Daemen and Professor Dr Vincent Rijmen, who also applauded it.