Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Kaleva.fi

Building a hybrid centre in Finland looks almost certain – these countries are on board

DOMESTIC 21.11.2016 13:10
JUHA VAINIO

The establishment of the European Centre of Excellence for Countering Hybrid Threats, planned for Finland, looks almost certain. Jori Arvonen, Under-Secretary of State for EU Affairs, says that several large countries strongly support establishing the hybrid centre of excellence in Finland. Some countries have already committed to taking part in the hybrid centre's activities.

These countries are Germany, France, Britain, Spain, the Baltic states, Sweden, Poland and the United States.

– We have held discussions with these countries, and they have expressed strong support for establishing the centre. Some countries still have their national decision-making pending, but the situation looks very good, Arvonen says, but declines to specify which countries are in practice certain to take part.

It has been known since the spring that Finland wants the hybrid centre of excellence in Finland, with the aim of responding to various hybrid threats. Finland has set as a condition for building the centre of excellence that a sufficient number of significant countries join it.

– We wanted to have sufficient geographical coverage within Europe as well, Arvonen says.

The centre of excellence is to be officially established from the beginning of 2018, but according to Arvonen the centre's work is intended to start as early as spring 2017, while the founding work is still under way.

The purpose of the centre of excellence is to strengthen the participating countries' resilience and preparedness against hybrid threats. Hybrid threats can include, for example, various disinformation campaigns by state or non-state actors and the promotion of radicalisation.

– This will not be a centre that acts as an operator in a situation where some state becomes the target of a high-profile hybrid attack. Other arrangements exist for that, Arvonen says, adding that it is above all about increasing information exchange between states and raising awareness, so that national authorities learn to recognise hybrid threats.

Under-Secretary of State Arvonen says that the hybrid centre of excellence's annual budget has been estimated at two million euros per year, of which Finland as host country would cover a significant share.

– How the costs will be divided among the various participants depends on how many of us are ultimately on board and what the share of these actors will be, Arvonen says.

In other words, the costs depend on the number of countries joining the hybrid centre of excellence as members and on the countries' roles in the network.

Not all EU countries, however, have been asked to join the hybrid-threat information-sharing network in the initial phase. Instead, the United States, for example, is involved as a non-EU state at least in supporting the establishment of the network.

Why?

– We have approached a particular group of countries, not all of them. We discussed who already has existing expertise on hybrid threats and which countries would potentially be interested. We also considered which countries it would be good to have on board at a minimum, and we also looked at geographical coverage, so that large countries would be involved but that we would also get the centre's activities up and running nimbly, Arvonen says.


Why is such a centre wanted specifically in Finland?

– Finland's comprehensive security model has attracted attention. We train and prepare for crises across government. A good example is this project to establish the hybrid centre, in which the Prime Minister's Office has worked closely with, among others, the Ministry for Foreign Affairs and the Ministry of Defence.



What significance does it have that Russia is our neighbour?

– I don't know whether it matters in itself. There are other countries bordering Russia too. What I have been told about why Finland has been turned to is that we have been active in countering hybrid threats.



Which state or non-state actors engaged in hybrid warfare have been named out loud?

– We have talked about Russia and, as a non-state actor, Isis.



Finland is reforming its intelligence legislation. How important is this legal reform for the hybrid-threat centre?

– It has not come up in any way with regard to establishing the centre. It is a separate project that others are handling.



How does decision-making proceed in Finland so that the hybrid centre of excellence gets authorisation in Finland?

– The government's proposal is taken to Parliament for a decision. I believe that responding to hybrid threats and cooperation have enjoyed broad consensus in this country. I see no challenges there.



When will such a proposal be made?

– A government bill will be made at the stage when we have an agreed founding agreement between the various countries. At that point we will take the proposal forward. This will happen next spring.
 

ctg

Ylipäällikkö
Can a non-state actor take down critical infrastructure with a cyberattack? If it is not possible today, will it be possible in the future? Experts disagree about the capabilities of non-state actors in cyberspace, let alone agree on their future capability.

There is debate within the cybersecurity community and academia whether cyber weapons are getting cheaper and thus within the reach of the self-proclaimed Islamic State or other non-state groups. Although there is some general consensus that offensive cyber operations will be less expensive in the future, there is very little understanding of what influences the cost of a cyber weapon. Making sense of the inputs and defensive environment that drive the cost of a cyber weapon is essential to understanding what actors—whether state, non-state, or criminal—will attain what kinds of cyber capability in the future.

There are four processes that make cyber weapons cheaper. First, labor becomes more efficient; attackers become more dexterous in that they spend less time learning, experimenting, and making mistakes in writing code. The observation has been made that Iranian cyber activities are not necessarily the most sophisticated. Yet, since the Shamoon virus wiped the hard drives of 30,000 workstations at Saudi Aramco in 2012, there have been significant improvements in their coding. Whereas Shamoon contained at least four significant coding errors, newer malware seems to be more carefully designed.

Second, developers standardize their malware development process and become more specialized. Some parts of cyber weapons have become increasingly standardized, such as exploit tool kits, leading to an increase in efficiency. The growth of offensive cyber capabilities in militaries allows for greater specialization in cyber weapon production. The U.S. Cyber Command now has 133 teams in operation, making it easier to dedicate specialized units to specific types of cyber operations—even if these units need to be integrated within a general force structure. According to one report, Russia was able to do the same thing for its cyber campaigns against Ukraine.

Third, reusing and building upon existing malware tools allows attackers to learn to produce cyber weapons more cost effectively. The wiper cases Groovemonitor (2012), Dark Seoul (2013), and Destover (2014) are illustrative of this process. Actors who seem to have relatively limited resources have in recent years been getting more bang for their buck.

Fourth, there are shared experience effects, which allow lessons from one piece of malware to shed light on other offensive capabilities. Cyber weapons are generally part of a large collection of capabilities—sharing vulnerability, exploits, propagation techniques, and other features. Stuxnet’s ‘father’, for example, is thought to be USB worm Fanny, and Stuxnet has also been linked to espionage platforms like Duqu, Flame, miniFlame, Gauss, and Duqu 2.0.

In sum, many of the drivers that can make cyber weapons cheaper come from ‘experience’ and ‘learning curve’ effects, where malware developers learn from the work of others.

Although attackers might rejoice at the prospect of weapons getting cheaper, there are significant barriers that can hamper the cost reduction. The defensive measures put in place as a result of advanced persistent threats have forced attackers to develop more complex capabilities to remain effective. Although it is still the case that most computer breaches could have been avoided by simple patching, basic measures such as network segmentation, firewall implementation, and the use of secure remote access methods are becoming increasingly common. Furthermore, IT security professionals communicate more regularly with management about cyber threats than they did a decade ago.

At a recent Royal United Services Institute conference, a military cyber commander clearly stated that the main problem for conducting effective operations is “people, people, people.” For a government, attracting the brightest minds does not come cheap—especially when a person has the opportunity to work in the private sector for a much higher salary. Historically, foreign intelligence agencies have needed foreign language professionals. Today, they need people able to interpret and write code. However, since coding is a highly transferable skill, these people are able to switch to the private sector easily—making the government’s job of retaining them much harder.

Finally, a cyber weapon program requires continuous production, not just intermittent projects. The malleability of cyberspace gives these weapons a highly transitory nature; they’re only effective for a short while. Therefore, the development of cyber weapons must be unceasing and resources must be constantly available. Ideally, cyber weapons would be produced on an assembly line, ensuring that when one weapon becomes ineffective, the next can be put to use. However, it is hard to estimate the costs of maintaining a cyber capability. Because vulnerabilities can be patched, cyber weapons can suddenly lose their effectiveness, unlike traditional weapons where their effectiveness decays over time.

In 2006, sixty-one years after the first atomic bomb was dropped on Hiroshima, Robert Harney and his colleagues published “Anatomy of a Project to Produce a First Nuclear Weapon.” They outlined almost 200 tasks required to produce a nuclear weapon. Undertaking a similar exercise to identify the costs and barriers to the development of a cyber weapon may be challenging considering the rapid pace of technological change, but it should be done nonetheless. Until military strategists, policymakers and intelligence officials understand the cost drivers for cyber weapons, they will not have any basis to claim whether cyber tools are getting cheaper or who can access them. In other words, unless policymakers have a better understanding of the cost of a cyber weapon, they won’t be able to know whether the Islamic State has the capability to develop and deploy one.
http://www.defenseone.com/ideas/201...-cost-nobody-knows/133320/?oref=DefenseOneTCO
 

ctg

Ylipäällikkö
European Union (EU) citizens can now get an idea of what their governments want – and are doing about – cryptography regulation.

The new opportunity comes courtesy of a freedom of information request by Bits of Freedom, summarised by privacy researcher Lukas Olejnik here.

The news is bleak: the responses to a survey sent to EU governments indicate widespread support for restricting citizens' access to encrypted communications.

As the freedom of information (FOI) cover letter from the Council of the EU's transparency unit explains, the survey was sent to members in September, following a discussion about crime. So far, 25 countries have completed the questionnaire, and 11 provided their responses for publication.

Of those published in the FOI so far, what's particularly revealing to The Register is the disparity between different law enforcement agencies' views on encryption.

It's quite accurate, for example, for the Italian response to note that it's seeing HTTPS all over the place, given the concerted push by 'net luminaries to persuade site operators to employ it and therefore offer better protection to sensitive data.

However, even other countries that say their law enforcement often encounters encryption didn't nominate HTTPS as something they encountered in the course of their investigations (Finland and Poland, for example). It's feasible, even likely, that such countries didn't tick the “HTTPS” box because peoples' day-to-day banking isn't the topic of investigation – rather, it's the communications over Tor, or in comms apps like Skype and WhatsApp, that they want to crack.

However, as Olejnik notes, there's pretty broad support for backdoors or pushing the tech sector to weaken their crypto algorithms.

Poland, for example, said it uses Hashcat, brute force, and dictionary attacks to try and get at encrypted data, but apparently these aren't working as well as it would like. So it wants to “encourage software/hardware manufactures to put some kind 'backdoors' for LEA or to use only relatively weak cryptographic algorithms”.

Italy's response says it uses some kind of wiretap compromise where it can - and that means it dislikes the iPhone. We'll spare you quotes from that document, which was authored with the CAPS-LOCK ON.

There is, as Olejnik notes, a common complaint among EU countries that they don't have the money, technology, or skills to fight cybercrime (reading the responses we have to agree there's a lack of skills).

Which is probably why if Sweden wants to decrypt a device, its approach is to question the user [Hopefully not using rubber-hose decryption - Ed]
http://www.theregister.co.uk/2016/11/24/foi_sparks_backdoor_debate_in_europe/
 

ctg

Ylipäällikkö
Japanese defence officials are investigating a reported penetration of the country's high-speed Defence Information Infrastructure (DII) network.

The attacks, which Bloomberg attributes to a possible state-based actor, took place in September but have only now come to light.

The DII network is shared by the country's Defence Ministry and its Self-Defence Forces, and according to the South China Morning Post, that allowed the intruders to also penetrate the Ground Self-Defence Force.

The SCMP story says the discovery was confirmed by unnamed ministry officials on Sunday morning.

The attacker first got access to a network shared between Japan's National Defence Academy and its National Defence Medical College, which provided access to the DII network.

The Defence Information Infrastructure comprises two networks, one connected to the Internet, and a second more-protected internal network.

Penetrating into the private network is why the reports believe it was sophisticated enough to justify the “state actor” tag.

The incident led to a temporary ban on Self-Defence Force personnel using the Internet.
http://www.theregister.co.uk/2016/11/28/japan_investigating_defence_network_breakin/
 

ctg

Ylipäällikkö


“The technique, dubbed 'rowhammer', rapidly writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system. By repeatedly recharging one line of RAM cells, bits in an adjacent line can be altered, thus corrupting the data stored.

“This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges.”

With access to the physical RAM, the Project Zero attackers could then bypass memory protection and security mechanisms, and tamper with operating system structures to take over the machine.

As the new paper's authors write, most protections against Rowhammer have involved either modifying hardware or running heuristics-based counters against CPUs to raise alerts.

The Duisburg-Essen group has taken a different approach: their G-CATT (Generic CAn't Touch This) is built on their x86-only B-CATT (Bootloader CAn't Touch This), which extended the bootloader to disable vulnerable physical memory.

The bootloader approach, however, was Rowhammer-specific: “it does not yet tackle the fundamental problem of missing memory isolation in physical memory” – which is why the researchers extended their work to try and make it “generic”.

G-CATT takes a different angle: instead of isolating memory, it defeats Rowhammer by stopping an attacker from exploiting its effects, by ensuring attackers can only flip bits in memory already under their control.

That restriction “tolerates Rowhammer-induced bit flips, but prevents bit flips from affecting memory belonging to higher-privileged security domains” (such as the OS kernel, or co-located virtual machines); “to do so, G-CATT extends the physical memory allocator to partition the physical memory into security domains.”
http://www.theregister.co.uk/2016/11/29/a_rowhammer_banhammer_for_all_and_its_all_in_software/
 

ctg

Ylipäällikkö
The neighbour has chosen our OS as their official mobile platform

The future for one of the few remaining alternative mobile OS platforms, Jolla’s Sailfish OS, looks to be taking clearer shape. Today the Finnish company which develops and maintains the core code, with the aim of licensing it to others, announced Sailfish has achieved domestic certification in Russia for government and corporate use.
https://techcrunch.com/2016/11/29/j...rtified-as-russias-first-android-alternative/
 

ctg

Ylipäällikkö
An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed.

The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we're told. If your camera is one of the at-risk devices, and it can be reached on the web, then it can be attacked, infected with malware and spied on. Network cameras typically use UPnP to drill through to the public internet automatically via your home router.

Proof-of-concept code to exploit the vulnerable web server in the cameras can be found right here on GitHub. It was published a few hours ago by a security pro going by the name of Slipstream, who reverse-engineered the cams' firmware and discovered the hole. Slip has previously appeared in these pages for exposing security shortcomings in UK school software, Dell computers and Microsoft's Secure Boot. The web server is present to allow owners to configure their cameras from their browsers.

It appears the exploited bug is thus: if the URL query string contains a parameter called "basic", its value is copied byte by byte from the URL into a fixed 256-byte buffer on the stack. If you send a query longer than 256 bytes, you overflow the buffer and start overwriting the stack. An attacker can do this to prime the stack with memory addresses to control the flow of execution.

Instead of doing what its programmers told it to do, the server starts dancing to the hacker's tune – such as opening a remote-control backdoor. It's a textbook stack buffer overflow with return-oriented programming to hijack the server.
http://www.theregister.co.uk/2016/11/30/iot_cameras_compromised_by_long_url/
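The bug described in that article is the classic unbounded copy of a query-string value into a fixed 256-byte stack buffer. The following is an added example, not the camera firmware or Slipstream's code: a bounded query-parameter extractor in C that refuses a value that would not fit instead of overrunning the buffer. The function names (get_query_param, handle_basic_param, basic_value_of_length) and the 256-byte size taken from the article's description are assumptions for this example; the query strings are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the camera firmware). The reported flaw copies the
 * "basic" parameter into a fixed 256-byte stack buffer with no length check.
 * This is the bounded form of that copy: the caller passes the buffer size,
 * and an oversized value is rejected rather than written past the end. */

#define BASIC_BUF_SIZE 256   /* buffer size taken from the article */

/* Find "key=value" in an &-separated query string.
 * Returns  1 and fills out (NUL-terminated) when the value fits in
 *            out_size-1 bytes,
 *          0 when the key is absent,
 *         -1 when the value is too long (the case that overflowed). */
int get_query_param(const char *query, const char *key, char *out, size_t out_size)
{
    size_t keylen = strlen(key);
    const char *p = query;

    while (*p) {
        /* Match "key=" only at the start of a component, so "nobasic=" or
         * "basics=" do not match "basic". */
        if (strncmp(p, key, keylen) == 0 && p[keylen] == '=') {
            const char *val = p + keylen + 1;
            const char *end = strchr(val, '&');
            size_t vallen = end ? (size_t)(end - val) : strlen(val);

            if (out_size == 0 || vallen > out_size - 1)
                return -1;          /* would overflow: reject, copy nothing */
            memcpy(out, val, vallen);
            out[vallen] = '\0';
            return 1;
        }
        p = strchr(p, '&');         /* skip to the next component */
        if (!p)
            break;
        p++;
    }
    return 0;
}

/* Models the server's handling of the "basic" parameter with a 256-byte
 * stack buffer; returns the get_query_param result code. */
int handle_basic_param(const char *query)
{
    char basic[BASIC_BUF_SIZE];
    return get_query_param(query, "basic", basic, sizeof basic);
}

/* Builds a constructed request "basic=AAAA..." with an n-byte value and
 * runs it through handle_basic_param (n is capped at 1024 for this demo). */
int basic_value_of_length(size_t n)
{
    char query[6 + 1024 + 1];
    if (n > 1024)
        return -2;
    memcpy(query, "basic=", 6);
    memset(query + 6, 'A', n);
    query[6 + n] = '\0';
    return handle_basic_param(query);
}

int main(void)
{
    printf("short value : %d\n", handle_basic_param("cam=1&basic=admin"));
    printf("missing     : %d\n", handle_basic_param("cam=1"));
    printf("255 bytes   : %d\n", basic_value_of_length(255));
    printf("256 bytes   : %d\n", basic_value_of_length(256));
    return 0;
}
```

The boundary is 255 bytes of value plus the terminating NUL: a 255-byte value is accepted, a 256-byte one is rejected. The same shape applies to any fixed-size copy from attacker-controlled input, and the check belongs in the copy routine, not at each call site.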
 

ctg

Ylipäällikkö
State-sponsored hackers have conducted a series of destructive attacks on Saudi Arabia over the last two weeks, erasing data and wreaking havoc in the computer banks of the agency running the country’s airports and hitting five additional targets, according to two people familiar with an investigation into the breach.

Saudi Arabia said after inquiries from Bloomberg News that “several” government agencies were targeted in attacks that came from outside the kingdom, according to state media. No further details were provided.
https://www.bloomberg.com/news/arti...strike-saudi-arabia-posing-challenge-to-trump

The ferocity of the attacks appears to have caught Saudi officials by surprise. Thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation, erasing critical data and bringing operations there to a halt for several days, according to the people familiar with the investigation.

Air travel, airport operations and navigation systems weren’t disrupted by the attack, the authority said in response to questions. The attack affected office administration systems only, it said.

The people familiar with the probe didn’t identify the other targets but one said they were all inside Saudi Arabia and included other government ministries in the kingdom, where information is highly controlled. Extensive damage occurred at four of the entities but the virus was halted by defensive measures at the other two.

“Anyone who did this attack knows it has implications for the nuclear deal,” said James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.

Lewis was responding to a description of the incident but didn’t have direct knowledge of it. He said the attacks “could be a shot over the bow by Iran” or possibly the work of another country mimicking Iran in hopes of derailing the accord with a provocative act.
 
the latest was perpetrated by detonating a cyber weapon inside the networks of several targets at once
So it's a full-blown cyber weapon detonation.. Quick, tip off the tabloids so we get to see the wonder of a headline reading "NATO's anti-cyber weapon can't shoot down Putin's new super virus bomb!!" :D
 

ctg

Ylipäällikkö
ROFL - Where on earth does Mr T plan to conjure up those hundred thousand IT security experts?

Train 100,000 cybersecurity specialists by 2020. This is a huge number that some cybersecurity experts think is unrealistic. There's currently a severe shortage of computer scientists who know how to hack -- and to defend from hackers. As a result, salaries are skyrocketing, making it even harder for the government to hire cybersecurity experts. In fact, lots of the talented hackers at the FBI and NSA are leaving for the private sector. It's something FBI Director James Comey has voiced concern about. Security specialists tell CNNMoney they're worried that rushing to flood the job market would merely result in lower quality, less talented workers -- not the elite cybersecurity experts the country needs.
http://money.cnn.com/2016/12/02/technology/commission-on-enhancing-national-cybersecurity/index.html
 

ctg

Ylipäällikkö
Since I first came across this on the BBC, sharing it here
South Korea's military cyber command, set up to guard against hacking, appears to have been breached by North Korea, the military has said.

A spokesman told the BBC that classified information was thought to have been stolen, although it is not clear exactly what data was accessed.

The North has previously been accused of hacking into banks and media outlets but never the South's military.

Pyongyang has in the past rejected allegations of cyber crime involvement.
http://www.bbc.co.uk/news/world-asia-38219009
 

ctg

Ylipäällikkö
Nothing is sacred in network espionage.

American and British spies have since 2005 been working on intercepting phone calls and data transfers made from aircraft, France's Le Monde newspaper reported on Wednesday, citing documents from former U.S. spy agency contractor Edward Snowden. According to the report, also carried by the investigative website The Intercept, Air France was targeted early on in the projects undertaken by the U.S. National Security Agency (NSA) and its British counterpart, GCHQ, after the airline conducted a test of phone communication based on the second-generation GSM standard in 2007. That test was done before the ability to use phones aboard aircraft became widespread.

"What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight," the reports cited one NSA document from 2010 as saying. In a separate internal document from a year earlier, the NSA reported that 100,000 people had already used their mobile phones in flight as of February 2009, a doubling in the space of two months. According to Le Monde, the NSA attributed the increase to "more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought."

Le Monde and The Intercept also said that, in an internal presentation in 2012, GCHQ had disclosed a program called "Southwinds," which was used to gather all the cellular activity, voice communication, data, metadata and content of calls made on board commercial aircraft.
http://www.reuters.com/article/us-airlines-data-surveillance-idUSKBN13W2Q0
 

ctg

Ylipäällikkö
Big companies are beefing up their teams by recruiting black hats for offensive work. It isn't said directly, but the FBI's and Google's interest is in hiring someone straight from the other side to handle offensive operations in the field.

State actors haven't said much about the composition of their shops or what kinds of people they have on the various teams, but logically this seems sensible, if a bit risky, because the black hats I personally know are all unpredictable and paranoia is common.

Facebook is hiring an Offensive Security Engineer, and not the sort inclined to disparage the length of your keys or your choice of encryption algorithm.

"Facebook's Security team is looking for an offensive security engineer that can deliver technical leadership for our offensive security team and execute tactical, offensive assessments across our environments," a recent company job posting says.

Facebook isn't looking to join the dark side, subverting systems and launching denial of service attacks through a botnet. Nor is it aiming to retaliate against attackers, a model pursued and abandoned a decade ago by Blue Security.

Rather, it's looking for an individual versed in attack techniques: a penetration tester.

While this isn't a new development at Facebook – the social network has had a "red team" tasked with penetration testing for years – it appears to be at Microsoft, at least in its Windows and Devices group.

Microsoft in September posted a job "seeking top-notch talent to lead a new team focused on offensive security research in the Windows and Devices group at Microsoft."

Facebook and Microsoft declined to comment.

Apple is also looking to fill at least three positions that involve penetration testing.

Joyce Brocaglia, CEO of cybersecurity recruiting firm Alta Associates, in a phone interview with The Register, said her firm has recently been retained to perform multiple personnel searches for companies looking to hire senior security executives and to build security operations centers. She said that there's growing interest in hiring security engineers versed in penetration testing.

"We absolutely see that happening more often," Brocaglia said. "A lot of companies in the past had been outsourcing that function and are now bringing it inside." Brocaglia said not only are companies looking for security engineers capable of penetration testing, but they want people skilled enough to build their own tools.

Asked about possible reasons for the interest in staff hackers, Brocaglia suggested that some of it is cyclical and that outsourcing is just less appealing at the moment.

Alan Paller, founder and director of research for the SANS Institute, in an email to The Register said that the initial surge in internal penetration testing began about ten years ago and was focused on testing applications for internal and external use, to minimize flaws.

Firms complemented internal efforts with external application testers, Paller said, noting that most of the time, systems and network penetration testing was handled by outside firms and represented a source of business for security consulting companies.

"But the confidence that people had in the completeness of outside system and network penetration testing has been lessened," Paller said. "Part of that is due to the increased skill set that many companies are developing for their internal staff, recognizing that to do good defense you have to understand offense."

Another reason to hire security personnel with an affinity for offense, Paller suggested, is that putting security staff through hacking courses isn't worth the money. "Both for cost savings and for privacy, [companies] like doing internal penetration testing," he said, adding that the exception is when senior leadership or auditors require security testing conducted by outsiders.
http://www.theregister.co.uk/2016/12/07/offensive_security_engineer_wanted/
 

ctg

Ylipäällikkö
I don't believe denial of service will ever disappear completely, even though there is plenty of effort to stamp it out. In principle, a shortage of a physical resource is denial of service. In cyber warfare a state actor can redirect a factory's raw materials so that they cross over with another production plant's, lose the entire bookkeeping, and cause a supply problem that carries on all the way to the front.

Solve the DDoS problem? No problem. We’ll just get ISPs to rewrite the internet. In this interview Ian Levy, technical director of GCHQ’s National Cyber Security Centre, says it’s up to ISPs to rewrite internet standards and stamp out DDoS attacks coming from the UK. In particular, they should change the Border Gateway Protocol, which lies at the heart of the routing system, he suggests.

He’s right about BGP. It sucks. ENISA calls it the “Achilles’ heel of the Internet”. In an ideal world, it should be rewritten. In the real one, it’s a bit more difficult.

Apart from the ghastly idea of having the government’s surveillance agency helping to rewrite the Internet’s routing layer, it’s also like trying to rebuild a cruise ship from the inside out.

Just because the ship was built a while ago and none of the cabin doors shut properly doesn’t mean that you can just dismantle the thing and start again. It’s a massive ship and it’s at sea and there are people living in it.

In any case, ISPs already have standards to help stop at least one category of DDoS, and it’s been around for the last 16 years. All they have to do is implement it.

Reflecting on the problem
Although there are many subcategories, we can break down DDoS attacks into two broad types. The first is a direct attack, where devices flood a target with traffic directly.

The second is a reflected attack. Here, the attacker impersonates a target by sending packets to another device that look like they’re coming from the target’s address. The device then tries to contact the target, participating in a DDoS attack that knocks it out.

The attacker fools the device by spoofing the source of the IP packet, replacing their IP address in the packet header’s source IP entry with the target’s address. It’s like sending a letter in someone else’s name. The key here is amplification: depending on the type of traffic sent, the response sent to the target can be an order of magnitude greater.

ISPs can prevent this by validating source addresses and using anti-spoofing filters that stop packets with incorrect source IP addresses from entering or leaving the network, explains the Mutually Agreed Norms for Routing Security (MANRS). This is a manifesto produced by a collection of network operators who want to make the routing layer more secure by promoting best practices for service providers.

Return to sender
One way to do this is with an existing standard from 2000 called BCP 38. When implemented in network edge equipment, it checks to see whether incoming packets contain a source IP address that’s approved and linked to a customer (eg, within the appropriate block of IPs). If it isn’t, it drops the packet. Simple. Corero COO & CTO Dave Larson adds, “If you are not following BCP 38 in your environment, you should be. If all operators implemented this simple best practice, reflection and amplification DDoS attacks would be drastically reduced.”

There are other things that ISPs can do to choke off these attacks, such as response rate limiting. Authoritative DNS servers are often used as the unwitting dupe in reflection attacks because they send more traffic to the target than the attacker sends to them. Their operators can limit the number of responses using a mechanism included by default in the BIND DNS server software, for example, which can detect patterns in incoming traffic and limit the responses to avoid flooding a target.

The Internet of Pings
We’d better sort this out, because the stakes are rising. Thanks to the Internet of Things, we’re seeing attackers forklift large numbers of dumb devices such as IP cameras and DVRs, pointing them at whatever targets they want. Welcome to the Internet of Pings.

We’re at the point where some jerk can bring down the Internet using an army of angry toasters. Because of the vast range of IP addresses, it also makes things more difficult for ISPs to detect and solve the problem.

We saw this with the attack on Dyn in late October, which could well be the largest attack ever at this point, hitting the DNS provider with pings from tens of millions of IP addresses. Those claiming responsibility said that it was a dry run.

Bruce Schneier had already reported someone rattling the Internet’s biggest doors. “What can we do about this?” he asked. “Nothing, really.”

Well, we can do something. We can implore our ISPs to pull their collective fingers out and start implementing some preventative technology. We can also encourage IoT manufacturers to impose better security in IoT equipment.

Let’s get to proper code signing later, and start with just avoiding the use of default login credentials first. When a crummy malware strain like Mirai takes down half the web using nothing but a pre-baked list of usernames and passwords, you know something’s wrong.

How do we persuade IoT vendors to do better? Perhaps some government regulation is appropriate. Indeed, organizations are already exploring this on both sides of the pond.

Unfortunately, politicians move like molasses, while DDoS packets move at the speed of light. In the meantime, it’s going to be up to the gatekeepers to solve the problem voluntarily.
http://www.theregister.co.uk/2016/12/08/can_isps_step_up_and_solve_the_ddos_problem/
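The article above describes two ISP-side defences in prose: BCP 38 ingress filtering (drop a customer's packet whose source address is not inside that customer's assigned prefix) and DNS response rate limiting (cap identical answers per second per client network so a spoofed query flood cannot be turned into an amplified answer flood). The following toy model, added here as an illustration and not taken from the article, MANRS or BIND, shows both checks on constructed sample data. Port names, prefixes, addresses and the per-/24 bucketing are assumptions chosen for the example; real RRL implementations are more elaborate (slip responses, exemptions, window sizes).

```python
"""
Added illustration of two ISP-side anti-DDoS controls (not from the original post):
  1. BCP 38 style ingress filtering on a customer-facing edge port.
  2. A minimal DNS response rate limiter (RRL) for an authoritative server.
All interface names, prefixes and packets below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed example: edge port -> prefixes assigned to the customer on that port.
CUSTOMER_PREFIXES = {
    "port-1": ["198.51.100.0/24"],
    "port-2": ["203.0.113.0/25", "2001:db8:1::/48"],
}


def build_filter(assignments):
    """Parse the prefix strings once into network objects for fast membership tests."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assignments.items()}


def bcp38_accept(filter_table, ingress_port, src_ip):
    """BCP 38 check: the source address must belong to the customer behind the port."""
    allowed = filter_table.get(ingress_port)
    if allowed is None:
        return False  # unknown port: fail closed rather than forward blindly
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in allowed)


def filter_packets(filter_table, packets):
    """Split (port, src, dst) tuples into those forwarded and those dropped as spoofed."""
    forwarded, dropped = [], []
    for port, src, dst in packets:
        bucket = forwarded if bcp38_accept(filter_table, port, src) else dropped
        bucket.append((port, src, dst))
    return forwarded, dropped


class ResponseRateLimiter:
    """Simplified RRL: at most `limit` identical responses per second toward one
    client network (/24 for IPv4, /56 for IPv6). Excess responses are suppressed,
    so a reflected flood toward a spoofed victim is capped at `limit` per second."""

    def __init__(self, limit=5):
        self.limit = limit
        self.counts = defaultdict(int)

    @staticmethod
    def client_bucket(ip):
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 56
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def should_respond(self, client_ip, qname, qtype, second):
        """Return True if this response may be sent, False if it is rate-limited."""
        key = (self.client_bucket(client_ip), qname, qtype, second)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate_flood(limiter, client_ip, qname, qtype, second, n):
    """Send n identical queries within one second; return (answered, suppressed)."""
    answered = sum(1 for _ in range(n)
                   if limiter.should_respond(client_ip, qname, qtype, second))
    return answered, n - answered


if __name__ == "__main__":
    table = build_filter(CUSTOMER_PREFIXES)
    # Constructed traffic: one genuine packet, one with a spoofed (victim) source.
    sample = [("port-1", "198.51.100.7", "192.0.2.53"),
              ("port-1", "192.0.2.10", "198.51.100.53")]
    fwd, drp = filter_packets(table, sample)
    print("forwarded:", fwd)
    print("dropped as spoofed:", drp)
    rrl = ResponseRateLimiter(limit=5)
    print("RRL (answered, suppressed):",
          simulate_flood(rrl, "192.0.2.10", "example.com.", "ANY", 1000, 50))
```

The two functions make the article's point concrete: with the filter in place, the spoofed packet never leaves the customer's access network, and even where spoofing gets through, the rate limiter bounds how much amplified traffic a single reflector contributes toward one victim network per second.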
 

ctg

Commander-in-Chief
A state actor at work

German steel maker ThyssenKrupp AG on Thursday said trade secrets were stolen in a cyber-attack earlier this year.

The company characterized the incursion in a statement as "a professional attack, apparently from the Southeast Asian region."

The attackers sought to steal technological and research data related to ThyssenKrupp's Business Area Industrial Solutions, a division responsible for the design, construction, and service of industrial plants and associated systems.

A company spokesperson, in an email to The Register, said that "data fragments have been stolen," but declined to confirm additional details presented in a Reuters report.

The company said it doesn't have an estimate about the extent of the intellectual property loss, apart from "certain project data in an operative engineering company." No further information about the nature of this project has been disclosed.

Germany's Federal Office for Information Security (BSI) did not immediately respond to a request for comment.

According to Reuters, the attack was detected in April and is believed to have started in February. The company reportedly delayed publicizing the attack in order to address the issue across its facilities all at once.

In its statement, ThyssenKrupp said the attack was not attributable to security failings or to human error. It went so far as to claim that it couldn't have mounted a successful defense against skilled attackers.

"Experts say that in the complex IT landscapes of large companies, it is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks," the company said.

The company's spokesperson declined to comment further on the nature of the attack or what allowed it to succeed.

ThyssenKrupp said affected IT systems have been updated and are now subject to ongoing monitoring to detect subsequent attacks. It also stressed that IT systems for its submarine business and for its blast furnaces and power plants in Duisburg were not affected.

This may not have been the case two years ago, when Germany's BSI issued a report [PDF] stating that a blast furnace in the country, operated by an undisclosed company, suffered massive physical damage as a result of a cyber attack.

Citing unnamed sources, Bloomberg at the time said ThyssenKrupp was the company in question. ThyssenKrupp, however, denied that claim.

In 2012, German magazine Der Spiegel reported that ThyssenKrupp had been targeted by Chinese hackers interested in industrial espionage.

Citing a recent BIS survey, ThyssenKrupp said 66 per cent of respondent organizations have been targeted by online attacks, and only 44 per cent of those companies mounted a successful defense.
http://www.theregister.co.uk/2016/12/08/hackers_steal_steelmaker_secrets/
 

ctg

Commander-in-Chief
People are leaving the No Such Agency in droves.

Low morale at the National Security Agency is causing some of the agency's most talented people to leave in favor of private sector jobs, former NSA Director Keith Alexander told a room full of journalism students, professors and cybersecurity executives Tuesday. The retired general and other insiders say a combination of economic and social factors -- including negative press coverage -- have played a part... "I am honestly surprised that some of these people in cyber companies make up to seven figures. That's five times what the chairman of the Joint Chiefs of Staff makes. Right? And these are people that are 32 years old. Do the math. [The NSA] has great competition," he said.

The rate at which these cyber-tacticians are exiting public service has increased over the last several years and has gotten considerably worse over the last 12 months, multiple former NSA officials and D.C. area-based cybersecurity employers have told CyberScoop in recent weeks... In large part, Alexander blamed the press for propagating an image of the NSA that causes people to believe they are being spied on at all times by the U.S. government regardless of their independent actions.
https://slashdot.org/submission/6546553/nsas-best-are-leaving-in-big-numbers-insiders-say
 
The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

WASHINGTON — When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee in September 2015 to pass along some troubling news about its computer network, he was transferred, naturally, to the help desk.
His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named “the Dukes,” a cyberespionage team linked to the Russian government.
The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government’s best-protected networks.

Yared Tamene, the tech-support contractor at the D.N.C. who fielded the call, was no expert in cyberattacks. His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion.
By his own account, he did not look too hard even after Special Agent Hawkins called back repeatedly over the next several weeks — in part because he wasn’t certain the caller was a real F.B.I. agent and not an impostor.
“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

http://www.nytimes.com/2016/12/13/u...ackage-region&region=top-news&WT.nav=top-news
 

ctg

Commander-in-Chief
The Obama administration has failed to renegotiate portions of an international arms control arrangement to make it easier to export tools related to hacking and surveillance software — technologies that can be exploited by bad actors, but are also used to secure computer networks.

The rare U.S. move to push for revisions to a 2013 rule was derailed earlier this month at an annual meeting in Vienna, where officials from 41 countries that signed onto it were meeting. That leaves it up to President-elect Donald Trump's administration whether the U.S. will seek revisions again next year.

U.S. officials had wanted more precise language to control the spread of such hacking tools without the unintended negative consequences for national cybersecurity and research that industry groups and lawmakers have complained about for months. Critics have argued that the current language, while well meaning, broadly sweeps up research tools and technologies used to create or otherwise support hacking and surveillance software.

Rep. Jim Langevin, D-R.I., said in a statement Monday that he is "deeply disappointed" by the plenary's decision and hoped the incoming administration will continue the effort. Langevin co-chairs the Congressional Cybersecurity Caucus.

"U.S. cybersecurity and that of our allies will be imperiled if companies and researchers are not able to quickly share defensive tools," said Langevin, who co-chairs the Congressional Cybersecurity Caucus.
http://abcnews.go.com/Technology/wi...iate-arms-control-rule-hacking-tools-44285213

Under the new wording, security researchers will have to go through the tedious process of getting an export license if they want to, say, email a network penetration exploit to a colleague or client overseas to use as part of an audit.

After protests from the infosec community, the US Commerce Department agreed to look at the rules again and has added ethical hackers to its negotiating team. However, the latest round of talks with other nations has failed to reach a conclusion on the best way forward for legit computer security researchers, so the arrangement is still up in the air.

Essentially, changes have been made to the arrangement that could require export licenses for some computer security tools, and countries part of the pact are now free to enforce the rules. Negotiations with the US and other nations to improve the wording have fallen through, so the infosec industry is in limbo and unsure of how to proceed legally.

It's not likely to be resolved for at least another year or so due to the change in administration in the White House. Meanwhile, as we've said, countries can start cracking down as per the agreement.

"I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development," said US negotiator Congressman Jim Langevin (D-RI).

"For over a year, I have led my colleagues in Congress in calling for a careful review of these controls, which could harm our nation's cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities."

There was some small progress, however. The countries did agree that command and control software for botnets should be included in the export ban, although Langevin said this wouldn't do much to address the concerns of the IT industry.
http://www.theregister.co.uk/2016/12/21/wassenar_negotiations_fail/
 