Cyberwars: The Month of Cyberattacks

hackers_securityThe month of August has been a busy time for online security specialists, due to numerous cyberattacks being reported close to each other. First came word that supermarket chain Supervalu had been hacked, followed by news of security breaches at a largest American medical group, the Nuclear Regulatory Commission and then the UPS Store. In all cases, the intrusions led to the theft of millions of users’ personal data.

The worst of the lot appears to have been the massive cyberattack on Community Health Systems, one of the largest hospital chains in the US that oversees 206 hospitals in 29 states. According to the company, the intrusion led to stolen Social Security numbers, patient names, addresses, birth dates and telephone numbers of some 4.5 million patients. And as usual, the attack is believed to have had the backing of a foreign government.

https://i2.wp.com/www.chs.net/wp-content/uploads/2013/12/hma-map.pngThis is the largest known attack to involve hospital patient information since the US government began tracking these types of data breaches in 2009. According to Elysium Digital data security expert Joseph Calandrino:

One possible goal of this attack is to facilitate future targeted attacks. The type of data that was stolen from the hospital system is often used to verify a person’s identify. The exposure of this data creates a risk that the hackers could leverage it to gain access to other accounts and information.

As is so often the case these days, it is believed the cyberattack originated in China. Security firm Mandiant, which investigated the breach in April and June, said the hackers belong to a group that targets crucial infrastructure, such as defense, engineering, financial services, and health care companies. It’s unclear if these hackers are affiliated with the Chinese government.

Unit-61398-Chinese-Army-Hacking-Jobs-With-Great-BenefitsVarious security experts have long accused China of waging a cyberwar on US government and private company websites. For example, a report that was released by Mandiant back in 2013 linked Unit 61398 of the China’s People’s Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyber-espionage or hacking.

Community Health Systems has since reported that it stopped the cyberattack by removing the malicious software used by the hackers and is notifying its patients of the breach. It has also been reported that the hack may have been facilitated by the Heartbleed bug, a flaw in OpenSSL that hackers use to exploit to obtain encrypted data. The timing certainly seems apt, as the bug was revealed back in April and the attack took place between April and June.

nsasecurity_primary-100041064-largeHowever, this was were merely one of several breaches that took place over the past few months. In addition to the CHS, UPS, and numerous major outlets, cybersecurity firm Hold Security identified what was arguably the largest known data breach in history earlier this month. In this attack, the Russian cybergang Cybervor allegedly stole 1.2 billion username and password combinations and more than 500 million email addresses.

With these latest attacks, it appears that large-scale security breaches carried out by individual hackers and sponsored by nation-states is becoming the new normal. And as these kinds of attacks become more common, cybersecurity experts are concerned that people may suffer from “alert fatigue”, where they will basically cease caring about and not be aware of breaches that affect them.

RAND_hqIn addition, security experts would like people to keep in mind that there is a difference between a spike in activity and reporting on activity. Much like the problems of violence, teen sex and crime rates, there is likely a gap between an actual increase and the perception of one. As Lillian Ablon, a researcher for the RAND Corporation, explained:

Back during Operation Aurora [in 2009], when Google got hacked, Google coming out [in 2010] was a big step in the industry. Before that, companies didn’t really talk about being breached.

Legally, companies and government agencies are required to report security breaches to the public only when customer data is involved, and only in 47 states. Alabama, New Mexico, and South Dakota lack mandatory reporting laws, and few laws on the books extract penalties when a breach occurs. Still, whatever the magnitude of the number of security breaches, it’s also true that we are living in an increasingly uncertain world when it comes to keeping our data safe.

internetNaturally, public vigilance is a good policy, but its not exactly a solution. When the hacks at the Nuclear Regulatory Commission, the Community Health Systems, the Cybervor attack, and hack of the DHS, the attacks were suspected of coming from abroad. More and more, attacks are being staged from a location that is far removed from the source, and backed by third parties who are likely unknown.

Security experts believe that the eventual solution will require businesses to rethink how they operate, putting a much bigger emphasis on security. But the consequences of that could have global economic implications, if better security hurts competitiveness. In the short term, it means that customers who do business with companies that suffer security breaches will need to be that much more vigilant.

That means not reusing passwords for multiple accounts, using two-factor authentication when available, and keeping a close eye on bank statements and credit card activity. And as for the breaches themselves, there’s not much you can do except be prepared to hear about more of them, more often. For better or for worse, it is the age we live in, where big data means big data intrusion!

Sources: cnet.com, (2), (3)

Cyberwars: The Heartbleed Bug and Web Security

heartbleed-iconA little over two years ago, a tiny piece of code was introduced to the internet that contained a bug. This bug was known as Heartbleed, and in the two years it has taken for the world to recognize its existence, it has caused quite a few headaches. In addition to allowing cybercriminals to steal passwords and usernames from Yahoo, it has also allowed people to steal from online bank accounts, infiltrate governments institutions (such as Revenue Canada), and generally undermine confidence in the internet.

What’s more, in an age of cyberwarfare and domestic surveillance, its appearance would give conspiracy theorists a field day. And since it was first disclosed a month to the day ago, some rather interesting theories as to how the NSA and China have been exploiting this to spy on people have surfaced. But more on that later. First off, some explanation as to what Heartbleed is, where it came from, and how people can protect themselves from it, seems in order.

cyber_securityFirst off, Heartbleed is not a virus or a type of malware in the traditional sense, though it can be exploited by malware and cybercriminals to achieve similar results. Basically, it is a security bug or programming error in popular versions of OpenSSL, a software code that encrypts and protects the privacy of your password, banking information and any other sensitive data you provide in the course of checking your email or doing a little online banking.

Though it was only made public a month ago, the origins of the bug go back just over two years – to New Year’s Eve 2011, to be exact. It was at this time that Stephen Henson, one of the collaborators on the OpenSSL Project, received the code from Robin Seggelmann – a respected academic who’s an expert in internet protocols. Henson reviewed the code – an update for the OpenSSL internet security protocol — and by the time he and his colleagues were ringing in the New Year, he had added it to a software repository used by sites across the web.

Hackers-With-An-AgendaWhat’s interesting about the bug, which is named for the “heartbeat” part of the code that it affects, is that it is not a virus or piece of malware in the traditional sense. What it does is allow people the ability to read the memory of systems that are protected by the bug-affected code, which accounts for two-thirds of the internet. That way, cybercriminals can get the keys they need to decode and read the encrypted data they want.

The bug was independently discovered recently by Codenomicon – a Finnish web security firm – and Google Security researcher Neel Mehta. Since information about its discovery was disclosed on April 7th, 2014, The official name for the vulnerability is CVE-2014-0160.it is estimated that some 17 percent (around half a million) of the Internet’s secure web servers that were certified by trusted authorities have been made vulnerable.

cyberwarfare1Several institutions have also come forward in that time to declare that they were subject to attack. For instance, The Canada Revenue Agency that they were accessed through the exploit of the bug during a 6-hour period on April 8th and reported the theft of Social Insurance Numbers belonging to 900 taxpayers. When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5.

The agency also said it would provide anyone affected with credit protection services at no cost, and it appears that the guilty parties were apprehended. This was announced on April 16, when the RCMP claimed that they had charged an engineering student in relation to the theft with “unauthorized use of a computer” and “mischief in relation to data”. In another incident, the UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated.

nsa_aerialAnother consequence of the bug is the impetus it has given to conspiracy theorists who believe it may be part of a government-sanctioned ploy. Given recent revelations about the NSA’s extensive efforts to eavesdrop on internet activity and engage in cyberwarfare, this is hardly a surprise. Nor would it be the first time, as anyone who recalls the case made for the NIST SP800-90 Dual Ec Prng program – a pseudorandom number generator is used extensively in cryptography – acting as a “backdoor” for the NSA to exploit.

In that, and this latest bout of speculation, it is believed that the vulnerability in the encryption itself may have been intentionally created to allow spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them. And cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.

Edward-Snowden-660x367According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time; and in 2010, there was documentation that suggested that they might have succeeded. Although this was two years before the Heartbleed vulnerability existed, it does serve to highlight the agency’s efforts to get at encrypted traffic.

For some time now, security experts have speculated about whether the NSA cracked SSL communications; and if so, how the agency might have accomplished the feat. But now, the existence of Heartbleed raises the possibility that in some cases, the NSA might not have needed to crack SSL at all. Instead, it’s possible the agency simply used the vulnerability to obtain the private keys of web-based companies to decrypt their traffic.

hackers_securityThough security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol trusted by so many to protect their data. And beyond abuse by government sources, the bug is also worrisome because it could possibly be used by hackers to steal usernames and passwords for sensitive services like banking, ecommerce, and email. In short, it empowers individual troublemakers everywhere by ensuring that the locks on our information can be exploited by anyone who knows how to do it.

Matt Blaze, a cryptographer and computer security professor at the University of Pennsylvania, claims that “It really is the worst and most widespread vulnerability in SSL that has come out.” The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”, and Forbes cybersecurity columnist Joseph Steinberg event went as far as to say that:

Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.

opensslRegardless, Heartbleed does point to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. In short, Heartbleed has shown that more oversight is needed to protect the internet’s underlying infrastructure. And the sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem.

Another problem is money, in that important projects just aren’t getting enough of it. Whereas well-known projects such as Linux, Mozilla, and the Apache web server enjoy hundreds of millions of dollars in annual funding, projects like the OpenSSL Software Foundation – which are forced to raise money for the project’s software development – have never raised more than $1 million in a year. To top it all off, there are issues when it comes to the open source ecosystem itself.

Cyber-WarTypically, projects start when developers need to fix a particular problem; and when they open source their solution, it’s instantly available to everyone. If the problem they address is common, the software can become wildly popular overnight. As a result, some projects never get the full attention from developers they deserve. Steve Marquess, one of the OpenSSL foundation’s partners, believes that part of the problem is that whereas people can see and touch their web browsers and Linux, they are out of touch with the cryptographic library.

In the end, the only real solutions is in informing the public. Since internet security affects us all, and the processes by which we secure our information is entrusted to too few hands, then the immediate solution is to widen the scope of inquiry and involvement. It also wouldn’t hurt to commit additional resources to the process of monitoring and securing the web, thereby ensuring that spy agencies and private individuals are not exercising too much or control over it, or able to do clandestine things with it.

In the meantime, the researchers from Codenomicon have set up a website with more detailed information. Click here to access it and see what you can do to protect yourself.

Sources: cbc.ca, wired.com, (2), heartbleed.com

Cyberwars: NSA Building Quantum Computer

D-Wave's 128-qubit quantum processorAs documents that illustrate the NSA’s clandestine behavior continue to be leaked, the extents to which the agency has been going to gain supremacy over cyberspace are becoming ever more clear. Thanks to a new series of documents released by Snowden, it now seems that these efforts included two programs who’s purpose was to create a ““useful quantum computer” that would be capable of breaking all known forms of classical encryption.

According to the documents, which were published by The Washington Post earlier this month, there are at least two programs that deal with quantum computers and their use in breaking classical encryption — “Penetrating Hard Targets” and “Owning the Net.” The first program is funded to the tune of $79.7 million and includes efforts to build “a cryptologically useful quantum computer” that can:

sustain and enhance research operations at NSA/CSS Washington locations, including the Laboratory for Physical Sciences facility in College Park, MD.

nsa_aerialThe second program, Owning the Net, deals with developing new methods of intercepting communications, including the use of quantum computers to break encryption. Given the fact that quanutm machinery is considered the next great leap in computer science, offering unprecedented speed and the ability to conduct operations at many times the efficiency of normal computers, this should not come as a surprise.

Such a computer would give the NSA unprecedented access to encrypted files and communications, enadling them to break any protective cypher, access anyone’s data with ease, and mount cyber attacks with impunity. But a working model would also vital for defensive purposes. Much in the same way that the Cold War involved ongoing escalation between nuclear armament production, cybersecurity wars are also subject to constant one-upmanship.

quantum-computers-The-Next-GenerationIn short, if China, Russia, or some other potentially hostile power were to obtain a quantum computer before the US, all of its encrypted information would be laid bare. Under the circumstances, and given their mandate to protect the US’s infrastructure, data and people from harm, the NSA would much rather they come into possesion of one first. Hence why so much attention is dedicated to the issue, since whoever builds the worlds first quantum computer will enjoy full-court dominance for a time.

The mathematical, cryptographical, and quantum mechanical communities have long known that quantum computing should be able to crack classical encryption very easily. To crack RSA, the world’s prevailing cryptosystem, you need to be able to factor prime numbers — a task that is very difficult with a normal, classical-physics CPU, but might be very easy for a quantum computer. But of course, the emphasis is still very much on the word might, as no one has built a fully functioning multi-qubit quantum computer yet.

quantum-entanglement1As for when that might be, no one can say for sure. But the smart money is apparently anticipating one soon, since researchers are getting to the point where coherence on a single qubit-level is becoming feasible, allowing them to move on to the trickier subject of stringing multiple fully-entangled qubits together, as well as the necessary error checking/fault tolerance measures that go along with multi-qubit setups.

But from what it’s published so far, the Laboratory for Physical Sciences – which is carrying out the NSA’s quantum computing work under contract – doesn’t seem to be leading the pack in terms of building a quantum computer. In this respect, it’s IBM with its superconducting waveguide-cavity qubits that appears to be closer to realizing a quantum computer, with other major IT firms and their own supcomputer models not far behind.

hackers_securityDespite what this recent set of leaks demonstrates then, the public should take comfort in knowing that the NSA is not ahead of the rest of the industry. In reality, something like a working quantum computer would be so hugely significant that it would be impossible for the NSA to develop it internally and keep it a secret. And by the time the NSA does have a working quantum computer to intercept all of our encrypted data, they won’t be the only ones, which would ensure they lacked dominance in this field.

So really, thess latest leaks ought to not worry people too much, and instead should put the NSAs ongoing struggle to control cyberspace in perspective. One might go so far as to say that the NSA is trying to remain relevant in an age where they are becoming increasingly outmatched. With billions of terabytes traversing the globe on any given day and trillions of devices and sensors creating a “second skin” of information over the globe, no one organization is capable of controlling or monitoring it all.

So to those in the habit of dredging up 1984 every time they hear about the latest NSA and domestic surveillance scandal, I say: Suck on it, Big Brother!

Source: wired.com

Cyberwars: Stuxnet and Cryptolocker

cyber_security1It’s been quite the year for cybercops, cybercriminals, and all those of us who are caught in between. Between viruses which continue to involve and viruses that target sensitive information in new ways, it seems clear that the information age is fraught with peril. In addition to cyberwars raging between nations, there is also the danger of guerrilla warfare and the digital weapons running amok.

Consider the Stuxnet virus, a piece of programming that made headlines last year by sabotaging the Iranian nuclear enrichment program. At the time, the target – not to mention its source (within the US) – seemed all too convenient to have been unintentional. However, this year, Stuxnet is once again garnering attention thanks to its latest target: the International Space Station.

ISSApparently, this has been the result of the virus having gone rogue, or at least become too big for its creators to control. In addition to the ISS, the latest reports state that Stuxnet is hitting nuclear plants in countries for which the virus was not originally intended. In one case, the virus even managed to infect an internal network at a Russian power planet that wasn’t even connected to the internet.

According to Eugene Kaspersky, famed head of IT security at Kaspersky Labs, the virus can travel through methods other than internet connectivity, such as via optical media or a USB drive. Kaspersky claims that this is apparently how it made its way aboard the ISS, and that it was brought aboard on more than one occasion through infected USB drives.

computer-virus.istockFor the moment, it is unclear how this virus will be taken care of, or whether or not it will continue to grow beyond any single organization’s ability to control it. All that is clear at this point is that this particular virus has returned to its original handlers. For the time being, various nations and multinational corporations are looking to harden their databases and infrastructure against cyber attack, with Stuxnet in mind.

And they are not the only ones who need to be on their guard about protecting against intrusion. Average consumers are only at risk of having their databases being accessed by an unwanted digital visitor, one that goes by the name of Cryptolocker. Designed with aggressive salesmanship – and blackmail – in mind, this virus is bringing fears about personal information being accessed to new heights.

cryptolockerBasically, the Cryptolocker works by finding people’s most important and sensitive files and selling it back to them. After obtaining the files its needs, it then contacts a remote server to create a 2048-bit key pair to encrypt them so they cannot be recovered, and then contacts the owner with an ultimatum. People are told to pay up, or the virus will begin deleting the info.

When the virus first emerged in October of this year, victims were given three days to cough up roughly $200 via BitCoin or MoneyPak currency transfer. If the virus’ authors did not receive payment within 72 hours, they said, a single line would be deleted from a text file on some hidden foreign server, forever erasing the only string of numbers that could ever bring the affected files back from the dead.

cyber_virusSome users responded by simply setting their system’s internal clock back. A temporary measure, to be sure, but one which worked by tricking the virus into thinking the deadline had not expired. In addition, the three-day deadline worked against the viruses makers, since it’s proven restrictive to the types of people who mostly contract a virus like this – i.e. senior citizens and people working on corporate networks.

Such people are more vulnerable to such scams, but seldom have the computer-savvy skills to to set up BitCoin or other such accounts and transfer the money in time. Meanwhile, infecting a corporate server means that a bloated corporate bureaucracies will be responsible for making the decision of whether or not to pay, not an individual who can decide quickly.

virus-detected-640x353So basically, the designers of Cryptolocker were facing a catch-22. They could not extend the deadline on the virus without diminishing the sense of panic that makes many people pay, but would continue to lose money as long as people couldn’t pay. Their solution: If a victim does not pay up in time, the hackers simply raise the ransom – by a factor of 10!

This allows people more time to mull over the loss of sensitive data and make a decision, but by that time – should they decide to pay up – the price tag has gone up to a bloated $2000. Luckily, this has revealed a crucial bluff in the virus’s workings by showing that all the keys to the encrypted files are in fact not deleted after the three day time limit.

???????????????As such, the security industry is encouraging people to hold on to the useless, encrypted files and waiting for the criminal server to be someday seized by the authorities. Since any ransom paid is a de-facto encouragement to hackers to write a similar virus again — or indeed to re-infect the same companies twice – people are currently being told to simply hold out and not pay up.

What’s more, regular backups are the key to protecting your database from viruses like Cryptolocker. Regular backups to off-network machines that do not auto-sync will minimize the virus’ potential for damage. The best defense is even simpler: Cryptolocker infects computers via a bogus email attachment disguised as a PDF file, so simple email safety should keep you immune.

Alas, its a world of digital warfare, and there there are no discernible sides. Just millions of perpetrators, dozens of authorities, and billions of people fearing for the safety and integrity of their data. One can only wonder what an age of quantum computers, graphene and nanotube processors will bring. But more on that later!

Sources: extremetech.com, (2), fastcoexist.com