
The Cyberwar Thread



From the article:
A federal judge ruled Monday that the National Security Agency's bulk collection of phone records likely violates the Constitution, in a major setback for the controversial spy agency.
U.S. District Court Judge Richard Leon granted a preliminary injunction sought by plaintiffs Larry Klayman and Charles Strange.
However, he also stayed his decision "pending appeal," giving the U.S. government time to fight the decision over the next several months.


Source: http://www.foxnews.com/politics/2013/12/16/judge-deals-nsa-defeat-on-bulk-phone-collection/
 
Surveillance program is now Obama's to own

Washington (CNN) -- President Barack Obama stands at a significant crossroad.

On Wednesday, he received a set of recommendations from a panel he appointed to review the government's surveillance programs -- a decision he made after Edward Snowden's blockbuster leaks about National Security Agency spying triggered outrage.

The choices he makes will permanently place his signature on the intelligence initiative and help define his legacy as a chief executive who promised a more open and transparent government when he entered the White House nearly five years ago.

Will he be the chief executive who truly champions civil liberties or one who cements government surveillance of its citizens in the name of national security?


How does the President balance the legitimate needs of national security against the wants of Americans to preserve their civil liberties? How do we secure safety and freedom?
 





From the Article:

According to the leaked document on DROPOUTJEEP from 2008 (below), the NSA installed this software through “close access methods” – meaning they needed physical access to the device, which was likely achieved by rerouting shipments of iPhones purchased by targeted customers.
The document also explains that the NSA planned a “future release” of DROPOUTJEEP that would allow for remote installation.


Source: http://www.digitaltrends.com/mobile/nsa-iphone-spyware-apple/
 
Visual Media Reasoning Program Gleans Intel from Cyberspace

WASHINGTON, Jan. 10, 2014 – Software that can extract information from digital photos and videos that adversaries might post has made “finding a needle in a haystack” much easier, an analyst said during the Defense Advanced Research Projects Agency’s Congressional Tech Showcase here yesterday.

Mike Geertsen, DARPA program manager for the visual media reasoning program, said he and his team took state-of-the-art computer vision technology from around the world, synchronized it and added “DARPA reasoning” that allows them to search for valuable intelligence in unprecedented ways.

In the May 2011 Osama bin Laden raid, for example, analysts recovered scores of thumb drives, cameras and laptops with thousands of images on them – some of which might be valuable, Geertsen said.

The task to extract and analyze vital information in that incident alone could be daunting. But visual search reasoning filters the DARPA team has developed can scan thousands of images in seconds and can include weapons, facial recognition, vehicles, and even logos.

Similarly, documents with key phrases now yield information based on some 65 different algorithms from various universities, all in communication with each other for the first time.

“Within seconds, I can look at 100,000 images, find 186 that have documents, and click on one to see why it’s similar,” Geertsen said. “It’s another quick way we’re creating for analysts and warfighters to visually search and explore massive amounts of media.”

The nascent program still has another year or so left in development, but law enforcement, the National Media Exploitation Center, U.S. Southern Command and others agencies are anxious for the program to be deployed, Geertsen noted.
 
From the article:

... and note that many of the tools rely not on an internet connection, but on a secretly inserted radio transmitter, which can be picked up by a device in an "oversized suitcase" that can be placed miles away.
...
Again, these activities certainly seem more in line with what you'd expect the NSA to be doing, and raise (yet again) the question of why the NSA needs to "collect it all" when it appears that programs like these can be quite effective in doing targeted surveillance against those actually seeking to attack the US in some manner?
...
At that session, Mr. Obama tried to differentiate between conducting surveillance for national security — which the United States argues is legitimate — and conducting it to steal intellectual property.

“The argument is not working,” said Peter W. Singer of the Brookings Institution, a co-author of a new book called “Cybersecurity and Cyberwar.”
“To the Chinese, gaining economic advantage is part of national security.
And the Snowden revelations have taken a lot of the pressure off” the Chinese.
Of course, if the US were focused on actually increasing security on US computing systems and networks, rather than undermining them with backdoors and vulnerabilities, perhaps we'd be more protected from the Chinese.
It's too bad that the NSA hasn't actually been helping on that front at all.


Source: http://www.techdirt.com/articles/20...rs-to-get-data-off-air-gapped-computers.shtml
 
From the article:

Israeli defence computers were compromised via a malicious email attachment, a computer security firm has revealed.
The email was spoofed to look like it had been sent by Israel's Shin Bet secret service tricking several people into opening it, said Seculert.
The attack left hackers temporarily in control of 15 computers that are part of Israel's defence forces.
Pro-Palestinian hackers are believed to be behind the attack.



Source: http://www.bbc.co.uk/news/technology-25575790
 
GSA and DoD Announce Acquisition Cybersecurity and Resilience Recommendations

The Department of Defense and U.S. General Services Administration (GSA) jointly released a report today, “Improving Cybersecurity and Resilience through Acquisition,” announcing six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System.

The six recommended reforms are:

• Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions

• Include cybersecurity in acquisition training

• Develop common cybersecurity definitions for federal acquisitions

• Institute a federal acquisition cyber risk management strategy

• Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources

• Increase government accountability for cyber risk management

DoD and GSA are committed to implementing the recommendations through integration with the numerous ongoing related activities like supply chain threat assessments and anti-counterfeiting.
 


From the article:

Several times in January Hamas, a Palestinian Islamic terrorist group that rules the Gaza Strip, had its Twitter accounts suspended for violating the Twitter terms of service.
Hamas was constantly advocating genocide and the use of terrorism against civilians.
Hamas makes no secret about its desire to destroy Israel and kill any Jews who refuse to leave the region.
Twitter points out that since Hamas has been designated (since 1997) as a Foreign Terrorist Organization it is against U.S. law for American firms to provide it with any kind of support.
This is not always enforced, unless the terrorists seem to be making effective use of something and then the company in question is reminded of the law by the U.S. government.
...
In 2013 Somali Islamic terrorist group Al Shabaab had its Twitter account shut down several times for violating Twitter terms of service.
Twitter management was particularly upset when al Shabaab used Twitter to announce and discuss its involvement in a horrendous terror attack on a Nairobi, Kenya shopping mall that killed over 60 civilians.
For that al Shabaab had its Twitter account shut down on September 6th.




Source: http://www.strategypage.com/htmw/htiw/articles/20140127.aspx
 
Clapper Praises Rogers’ Nomination as Next Cyber Chief

WASHINGTON, Jan. 31, 2014 – Director of National Intelligence James R. Clapper has praised President Barack Obama’s nomination of Navy Vice Adm. Michael S. Rogers to be the next commander of U.S. Cyber Command, director of the National Security Agency and chief of the Central Security Service.

The text of Clapper’s statement follows:

“Today, Secretary of Defense Chuck Hagel announced that Vice Adm. Michael S. Rogers is President Obama’s nominee to be the next commander of U.S. Cyber Command. In addition, Secretary Hagel announced that he has designated Vice Adm. Rogers to serve as director of the National Security Agency and chief of the Central Security Service.




Vice Admiral Michael S. Rogers

Rogers has served in the US Navy since graduating from Auburn University in 1981, initially working in naval gunfire support operations off Grenada, Beirut, and El Salvador. In 1986, he was selected for re-designation to cryptology.

During the 2003 U.S. invasion of Iraq, Rogers joined the military’s Joint Staff, which works for the Joint Chiefs of Staff, where he specialized in computer network attacks. In 2007, he moved to become director of intelligence for the military’s Pacific Command. Two years later he became director of intelligence for the Joint Chiefs of Staff, and then was named commander of the U.S. Fleet Cyber Command, with responsibility for all of the Navy’s cyberwarfare efforts.

In January 2014, the Obama Administration announced Admiral Rogers as its nomination for the new director of the National Security Agency and the commander of the US' offensive cyberoperations unit in the Department of Defense. In both of these roles Admiral Rogers will succeed General Keith B. Alexander, who has served as the NSA director for nine years. Although the NSA directorship does not require Senate approval, Rogers will have to be confirmed by the Senate to head the Cyber Command.
 
The Deep Web, that part not indexed by the standard search engines of the "surface Internet" - Google, Yahoo, Bing, etc. - constitutes an estimated 99% of all content, close to 8,000 terabytes. Currently one must download Tor, Freenet or other p2p software to navigate the depths, but in the near future this may become accessible by the more standard search engines. In the Deep Web one can allegedly purchase drugs, guns, and extreme porn. One can also find hitmen, terrorists and prostitutes; as well as freedom fighters, Anonymous, black hats and other extremist personalities with privacy issues. Semi-legendary sites like The Silk Road, The Hidden Wiki and Lolita City are found there. Much, however, is in flux. Sites have been taken down and are then resurrected again. Explore at your own risk.



The Deep Web: Digging Deeper

10 Things You Should Know About Deep Web

TOR is Safe No More!

The Hidden Internet - Exploring The Deep Web

The Dangerous Websites Google Hides From You

 


From the article:

UAV experts at the Northrop Grumman Corp. Aerospace Systems segment in Redondo Beach, Calif., have demonstrated an internal miniature electronic attack payload on the company's Bat UAV during testing at China Lake Naval Air Weapons Station in Ridgecrest, Calif.
The demonstration in October involved equipping the Bat UAV with the Northrop Grumman Pandora electronic-attack payload, which is a low-cost derivative of the company's digital APR-39 EW payloads for electronic attack, support and protection.


Source: http://www.militaryaerospace.com/ar...g-on-role-of-electronic-warfare-aircraft.html

BAT details: http://en.wikipedia.org/wiki/Northrop_Grumman_Bat
 
Learn cyber conflict history, or doom yourself to repeat it

There have been at least seven major “wake-up calls” in cyber conflict, attacks or other events that shocked and surprised defenders and decisionmakers, then were promptly forgotten until a similar shock “awakened” a new cohort of cyber leaders.

This pattern will repeat itself until policymakers and practitioners pay attention to history.

A study of the past 25 years reveals three main lessons.

The first and most important: There is, in fact, history to be learned. Contrary to received wisdom, cyber conflict, as distinct from the fast-changing technologies through which it is fought, has changed only gradually.

A second lesson is that the probability and consequences of disruptive cyber conflict have been overhyped for decades, while the impacts of intrusions have been underappreciated. How often have you heard about a “cyber Pearl Harbor,” as opposed to the data theft that is actually occurring?

Lastly, the more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air and on the sea. For example, when cyber warriors talk about attacks “at the speed of light,” that is only true at the tactical and technical level — tactical engagements often happen quickly in any domain of warfare. The broader cyber conflicts of which they are part unfold over weeks, months and years.

As in any domain, it is the job of senior decisionmakers to abstract these smaller tactical truths into a larger strategic whole.

Ultimately, the major difference between online and physical war is the one U.S. cyber warriors least want to recognize: Few, if any, strategic cyber conflicts have been decisively resolved by governments. Instead, it is the non-state actors (such as telecommunications providers, cybersecurity companies, and non-government cyber-sharing organizations) that have played the most central role. If there has been any “partnership,” the government has been a very junior and quite needy one.

Seven Wake-ups

Cyber conflicts are disruptions caused by malicious actors with implications far beyond mere technical or criminal problems. They occur in the overlap between national security and cyber security, where nations and non-state groups use offensive and defensive cyber capabilities to attack, defend and spy on each other, typically for political or other national security purposes.

From the U.S. perspective, there have been eight critical cyber conflicts, seven of which were “wake-up calls” that led quickly to new doctrines and organizations.

The Cuckoo’s Egg. In 1986, cyber intruders broke into dozens of computers at military commands and research institutions, looking for information to sell to the KGB. The case was exposed by Cliff Stoll, an astronomer-turned-system administrator, who stumbled on the hack while hunting down a $0.75 billing discrepancy.

With a handful of collaborators, Stoll tracked down the hackers in Hanover, West Germany. They were arrested and sent to prison. It wasn’t a “wake up call,” however, because few outside of the U.S. Department of Justice paid attention.

The Morris Worm. In 1988, this attack rapidly spread over trusted network connections, unintentionally taking down a considerable portion of the fledgling Internet. It became the first of the wake-up calls that led to immediate institutional changes: DoD sent funding to Carnegie Mellon University, which created the Computer Emergency Response Team, the first emergency responders for cyberspace.

The Morris Worm taught two lessons: Widespread, persistent attacks are difficult to maintain in the face of determined defenses, and the private sector, not the government, has the agility and subject-matter expertise to solve the problem.

A decade later, two events further focused the attention of senior decisionmakers.

In 1997, NSA hackers launched ELIGIBLE RECEIVER, a “no-notice interoperability exercise” in which red teams intruded into DoD networks with alarming ease. Their success accelerated plans to create a new cyber-response organizational structure and to implement DoD-wide mechanisms to defend against sustained cyber assaults.

The following year, such assaults moved from theoretical to real. A set of actual widespread attacks on unclassified DoD systems, dubbed Solar Sunrise, told Pentagon leaders that they lacked an adequate command structure for response.

The attacks also highlighted the problem of attribution. After Deputy Defense Secretary John Hamre told President Clinton that the attacks “might be the first shots of a genuine cyber war, perhaps by Iraq,” forensics determined them to be the work of California teenagers aided by an Israeli mentor.

Within a year, the first joint cyber war-fighting organization was established, a 24-person Joint Task Force for Computer Network Defense (JTF-CND) that became the first unit empowered to issue orders to computer defenders elsewhere in DoD, rather than merely asking for cooperation or providing suggestions. It was also the first joint cyber warfighting command anywhere in the world, and the predecessor for today’s U.S. Cyber Command.

The JTF-CND and other new U.S. government organizations soon coordinated on the first major cyber espionage case, the still largely classified Moonlight Maze. More than a scare, these intrusions, which appear to have started around March 1998, were deeply worrying acts of espionage. Traced to the Russian Academy of Sciences, the intruders apparently penetrated “hundreds of computers at NASA, the Pentagon, and other government agencies, as well as private universities and research laboratories.”

A few years later, Beijing began giving the impression that it was trying to steal its way into the first rank of world powers. In 2005, the press began reporting on Titan Rain, a set of Chinese espionage intrusions that appeared to have begun several years earlier against DoD, defense contractors, and the departments of Homeland Security, State, and Energy.

Additional reports emerged about other Chinese-linked intrusions: GhostNet (involving espionage into the offices of the Dalai Lama); Shadows in the Cloud (hacking into embassies and other targets of interest to China, such as national Olympic committees); Night Dragon (targeting global energy companies); and thefts of information on the F-35 Joint Strike Fighter program from Lockheed Martin, BAE Systems, and other companies.

Russia is more widely known for ignoring, encouraging or coordinating its patriotic hackers to conduct cyber operations against Estonia in 2007 and Georgia a year later.

The first campaign followed Tallinn’s decision to move a statue of a Soviet soldier used as a local rallying point by Russian nationalists. From late April to mid-May of 2007, denial-of-service attacks disrupted government websites, online financial transactions and national connectivity. As with attacks before and since, neither the Estonian nor allied governments had many direct levers to reduce their impact, and so the private companies that owned the networks did the heaviest lifting.

Though the Estonian attacks have been portrayed as a cyber disaster, they were actually a tactical and strategic defeat for the ethnic Russian attackers. The Estonian government was not coerced, the statue was still moved and the attacks caused no long-term economic damage. Instead, the attacks stained Russia’s international reputation while leading Estonia, NATO and others to improve their vigilance.

The Georgian cyber conflict coincided with Russia’s August 2008 invasion over the breakaway region of South Ossetia. The cyber assault, which began before the physical invasion, was met with complacency by the Georgian president until it grew into intrusions, defacements and large-scale botnet DDoS attacks against government, news media and other sites. At its height, Georgian leaders were essentially unable to use the Internet to communicate internally or send word to the international community about what was happening.

(Several of the Georgian government sites were transferred to the United States, apparently without the knowledge of the U.S. government, arguably violating U.S. neutrality and making those ISPs legitimate targets during a time of war.)

The ferocity of the cyber assault, its targeting and its apparent coordination with Russian military forces led some analysts to conclude that Russia was not just ignoring or encouraging its patriotic hackers (as it did in the conflict with Estonia), but was actively coordinating or directing their actions.

Yet another wake-up call was issued in 2008, via a widely read article in the journal Foreign Affairs by William Lynn, then U.S. deputy defense secretary. Lynn described an intrusion, dubbed Buckshot Yankee, into unclassified and classified networks of U.S. Central Command. Malicious software placed on a thumb drive “by a foreign intelligence agency” spread through command networks and sent information back to its controllers.

As with Moonlight Maze, reports emerged that Russia’s intelligence services were behind the intrusion. But unlike previous espionage attempts, the intruders were able to access not just unclassified military networks but also the SIPRNet network (used for passing operational commands) and the JWICS network (for the highest-classification intelligence information).

However, it was the mid-2010 revelations around the Stuxnet virus that most alarmed cybersecurity professionals. Extremely sophisticated, Stuxnet was the first malware to target industrial control (SCADA) systems. In fact, security researcher Ralph Langner discovered, Stuxnet was a “guided missile” designed to destroy industrial systems of the specific make and configuration found in the Iranian nuclear program.

White House sources quoted in the New York Times soon confirmed that Stuxnet was part of a U.S.-Israeli covert operation, codenamed OLYMPIC GAMES, meant to disrupt Iranian nuclear ambitions.

Lessons and Findings

There are clear lessons and findings from this history, each with policy implications.

Lesson 1: Cyber conflict has changed only gradually over time; thus, historical lessons derived from past cases are still relevant.

In other areas of national security, military personnel, diplomats and policymakers study the history of their fields to avoid old mistakes. But even though the U.S. military teaches young cadets and officers the implications of Gettysburg, Inchon, Trafalgar and MIG Alley, they ignore the lessons of cyber conflicts.

(Cyber history has even been intentionally falsified. The Army Cyber Command’s “Command Update” briefing from last year, for example, teaches that the main online threat prior to 2007 was “Cyber ‘Noise’ on Networks.”)

If you could get together some fighter pilots from 1918 and a similar group of F-22 or F-15 pilots, they would within minutes be telling breathless tales of dogfights, and how they had zipped through complex aerial maneuvers to shake an adversary or line up a kill shot. They can share this experience because the dynamics of dogfighting (such as the advantages of relative height, speed and maneuverability) have remained stable over time, even though a hundred years of technology has made dogfights faster, more lethal and at altitudes and ranges unimaginable to the pioneers.

So it is with cyber conflicts. Even though today’s conflicts are far more dangerous, the underlying dynamics echo what has come before. Perhaps nothing better illustrates the parallels between cyber problems then and now than comparing a few quotes about cyber security:

• “I liken it to the very first aero squadron, when they started with biplanes. We’re at the threshold of a new era. … We are not exactly sure how combat in this new dimension of cyberspace will unfold. We only know that we are the beginning.” (Lt. Col. “Dusty” Rhoads, 1996) vs. “I almost feel like it’s the early days of flight with the Wright Brothers. First of all, you need to kind of figure out that domain, and how are we going to operate and maintain within that domain.” (Maj. Gen. Webber, 2009)

• “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.” (Lt. Col. Roger Schell, 1979) vs. “[Our red teams] do get into most of the networks we target.” (NSA Red Teamer, 2008)

• “Espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations … [while the perpetrators are] insulated from risks of internationally embarrassing incidents.” (Cliff Stoll in 1988) vs. “Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private-sector targets.” (NCIX Counterintelligence Report to Congress, 2010)

Despite being on average more than two decades old, the first quotes in each pair are nearly indistinguishable from the more recent quotes. Far from reminiscing about the trite concerns of days past, today’s practitioners make clear how yesterday’s problems are still with us.

Lesson 2: The probability and consequences of disruptive cyber conflicts have often been hyped, while the real effects of cyber intrusions have been consistently underappreciated.

History tells us that the most important cyber conflicts have not involved war or terror, but espionage. Cyber spying against the United States, which began no later than the mid-1980s, has grown to staggering proportions. For at least a decade, China has been stealing trade secrets, negotiating strategies and other intellectual property of companies from the United States and many other countries.

As recently splashed across the media, the United States is extremely active in its own, quieter cyber espionage for political and military (but not commercial) secrets. Yet cyber espionage has, until very recently, been nearly ignored in national debates.

Instead, the attention has focused on large-scale catastrophic disruptions. Despite two decades of warnings about a “cyber Pearl Harbor,” no one is known to have died from a cyber attack, and there is little evidence that disruptions have caused even blips in national GDP statistics.

Actual cyber incidents have so far tended to have effects that are either widespread but fleeting (such as the Morris Worm which took down an estimated 10 percent of the early Internet) or persistent but narrowly focused (like the 2007 attacks on Estonia). No attacks, thus far, have been both widespread and persistent.

Cyber attacks, as it turns out, can easily take down web pages; teenaged hackers have made plenty of headlines for defacing or blocking access to various sites. But keeping a large number of targets down over time in the face of determined defenses has thus far been beyond the capabilities of all but the most capable cyber powers.

Lesson 3: The more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air and on the sea – with one critical exception.

This broad lesson has the most significant implications for modern militaries and policymakers, as it flies in the face of common perceptions about cyber warfare, especially the role of the private sector as well as speed and duration, warning, attribution, and deterrence. Each of these will be discussed separately below.

• Private Sector Decisiveness: The biggest difference between cyber conflicts and their traditional equivalents is the one most often overlooked: The decisive role is played by non-state actors, not governments. In most of the conflicts, including the responses to the Morris Worm, Stuxnet and Estonia, governments are on the side while individuals, companies and cooperative volunteer groups have repeatedly used their agility and subject-matter knowledge to mitigate and prevail. Rarely do governments muster the superior resources of their unwieldy bureaucracies to make a decisive difference.

• Unfold Over Time: Many of America’s cyber leaders stress that cyber operations occur at “nearly the speed of light” or at “network speed.” It is true that tactical cyber engagements can happen as quickly as our adversaries can click the Enter key, but so what? Any tactical engagement, whether in cyberspace or in the air, on land or at sea can take place at a lightning pace. Moreover, a single tactical cyber engagement is no more likely to win a war than a single dogfight. History has shown the more strategically significant the cyber conflict, the more likely it is a string of parallel and serial tactical engagements, with both adversaries contending against each other over time, just as in traditional warfare. The attacks on Estonia lasted for weeks. Stuxnet and MOONLIGHT MAZE seem to have been going on for years. The Chinese espionage effort has been running for a decade and counting.

• Long Warning Times: Relatedly, the most strategically meaningful cyber conflicts have been part of larger geopolitical conflicts, which typically offer ample warning time to defenders. Estonia, for example, had several weeks of warning after announcing plans to move the statue of the Red Army soldier. Not only was it clear that the Russian government and nationalist movements were gearing up for protests, but Estonian officials specifically watched Russian nationalist websites as they built support. Unfortunately, this forewarning was not transmitted to NATO or the European Union in a manner that could have led either to try to convince the Kremlin to rein in its nationalist allies.

• Obvious National Responsibility: As in Estonia, the more strategically significant the conflict, the more obvious it is which nation is most responsible. Of course, at the most tactical level, attacks can be difficult to attribute, but this technical truth need not have an outsized impact on national policymaking. For national security policymakers, “who is to blame?” is usually more important than simply “who did it?”

Even if the government of that nation isn’t conducting the activity itself, it can still be pressured into helping stop the attacks, or embarrassing it in international opinion if it fails to cooperate. In Estonia, analysts determined the attacks traced back to 178 countries, including the United States. Such useless forensic facts served to muddy the obvious truth: The attacks were supported or encouraged by the Russian government and that to make the attacks stop, Western decisionmakers needed to pressure the Kremlin.

• Deterrence Works: Just as nuclear weapons provided an upper limit under which the superpowers fought all kinds of wars, regular and irregular, so there is a ceiling to cyber conflicts. Despite early fears that nations would strike at each other using surprise, strategic attacks, while relying on anonymity within the Internet, nations have proved just as unwilling to launch a strategic or surprise attack in cyberspace as they have been on the land, in the air or on the sea.

Certainly, the most cyber-capable nations, including the United States, China and Russia, have been more than willing to engage in irregular cyber conflicts against less-powerful nations or non-state groups (e.g., Stuxnet, Estonia, Georgia, and Chinese espionage and attacks on Falun Gong and the Dalai Lama). But they have steered clear of surprise attacks completely out of the blue and significant disruptive attacks against peers. By keeping themselves well under the threshold of conducting full-scale strategic cyber warfare, nations have thus created a de facto norm of restraint.

Implications

If the United States and its allies continue to ignore their history, they will likely continue to overspend on doctrine and capabilities pitched against “speed of light” attacks, while underinvesting for longer-term responses. Response plans will continue to focus on the incident of the day, with little thought to surge and sustain a countereffort over weeks or months. Equipment plans will give short shrift to long-term defenses, such as installing new networking capabilities and Internet Exchange Points. The U.S. military will train their new cyber cadres to focus on the immediate, not the strategic. Even if the United States can somehow win the first battle, it won’t have thought deeply about the next one or the longer war.

Already, this focus on “speed of light” attacks has led America’s military leaders to argue for looser rules of engagement, which would allow lower levels of military authority to “shoot back.” This relaxation of the rules is probably unnecessary, since any significant cyber attack is likely to be part of a larger geopolitical conflict. It is also potentially counterproductive, because it could allow tactically minded escalations that hurt long-term U.S. economic or military interests.

Since some form of deterrence (or at least restraint) seems to be clearly working, military thinkers should reform their questions from “is there deterrence?” to “how can we extend the deterrence already working?”

Above all, the U.S. government should shift its thinking on the role of non-state actors. In cyber conflict, non-state actors are the heart of the defense and always have been. They are the “supported command” which requires government resources to decisively defeat attacks rather than the “supporting command” which must help the government.

Policymakers are beginning to understand the importance of cybersecurity and the implications of conflict in cyberspace. This understanding benefits from the context provided by history — and the seven wake-up calls so far — which is rich with lessons for newer generations of cyber defenders and policymakers, especially since these lessons contradict the most popular views of cyber conflict. The sooner the United States and its allies begin teaching these lessons from the past, the sooner they can lay an effective new path.
 
Busting a credit card hacker

In 2007, Ukrainian Maksym Yastremsky was the most prolific credit card hacker in the world. He'd stolen over 40 million cards from mostly U.S.-based retailers. He'd cost credit card companies over $11 million.

In 2008 he was arrested in Turkey after the U.S. Secret Service infiltrated his network.

Yastremsky is now serving 30 years in a Turkish prison on charges related to the credit card thefts.
 
My favorite credit card hackers used the stolen credit cards to buy their club music tracks and push them up the charts to get more folks to buy them, and to give them fame to increase touring revenues.

It was so decadent, it was so 2000s MTV-esque, I had to respect it.
 
Had it been your credit card hacked, it wouldn't have been so cute.
 
Wow, I never thought of it like that before. You mean other people have feelings?
 
Turkish lawmakers adopt ‘Orwellian’ Internet curbs

Turkish lawmakers approved legislation late on Wednesday that will tighten government controls over the Internet, in a move roundly criticised as a fresh assault on freedom of expression, access to information and investigative journalism.

The text notably permits a government agency, the Telecommunications Communications Presidency (TIB), to block access to websites without court authorisation if they are deemed to violate privacy or promote content seen as "insulting".

The bill extends what are already hefty Internet curbs in place under a controversial 2007 law that earned Turkey equal ranking with China as the world's biggest web censor, according to a Google transparency report published in December.

Yaman Akdeniz, a law professor at Bilgi private university in Istanbul, described the powers given to the TIB as "Orwellian".

The measures, Akdeniz said, will "move Turkey away from the European Union in terms of Internet policy, perhaps a few steps closer to China", where the web is heavily censored by the communist authorities.
 


From the article:

A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems.
Waking Shark II, which took place in November, was meant to test how investment banks and financial institutions held up under a sustained assault by hackers.
...
the report concludes, while adding that banks' communications were hampered by a lack of an overall clearing house (co-ordinator) for cyber threat information.
...
Other problems identified during the stress-test exercise, which took place over four hours but was designed to reflect a three-day attack involving denial of service and malware elements, included confusion about the (then) Financial Services Authority.
"Attacked" banks were criticised for not calling the police, a breach of agreed procedures.
...
This all looks, at least on paper, to be fairly challenging, yet the exercise was criticised by some banks as not challenging enough.
Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises.
There were also calls to involve telecom service providers, such as BT, in the exercise.
...
"We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution.
Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’.
Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.”


Source: http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/
 


From the article:

The Israeli Defense Ministry recently revealed that it had been hacked and the extent of the damage done is still under investigation.
While Israel has some of the best Internet defenses on the planet, the Defense Ministry was hit with an attack method that relied more on psychology than software skill.
This method of attack is known as spear fishing (“phishing” as hackers spell it).
Despite the Defense Ministry having software and user rules in place to block spear fishing attacks, there are so many email accounts to attack, and you only have to get one victim to respond to a bogus email with a vital attachment that must be opened immediately.
In this case it was an email purporting to be from the Shin Bet (Security Agency) with an attachment requiring immediate attention for the specific individual who got the email and initially believed it was about something he was involved with.
...
The automated defenses are supposed to block the actions of the hacker software that is triggered when the victim clicks on the email attachment, but hackers keep finding exploitable vulnerabilities in these defenses, and this creates an opening, at least until that vulnerability is recognized and patched.


Source: http://www.strategypage.com/htmw/htiw/20140212.aspx
 