
Stories tagged with “Cybersecurity”

Security

The U.S. Outsources Cybersecurity & Defense To Contractors That Keep Getting Hacked


Earlier this week, Bloomberg reported that QinetiQ, a high-tech defense contractor specializing in secret satellites, drones, and software used by U.S. special forces, was the victim of a sustained cybersecurity breach lasting several years, starting in 2007.

According to Bloomberg, documents released in the Anonymous Stratfor hack reveal QinetiQ was compromised as part of a cyber-espionage attack originating in China — and notes the breach was part of a much broader campaign targeting U.S. contractors:

“QinetiQ’s espionage expertise didn’t keep Chinese cyber- spies from outwitting the company. In a three-year operation, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research. At one point, they logged into the company’s network by taking advantage of a security flaw identified months earlier and never fixed [...]

QinetiQ was only one target in a broader cyberpillage. Beginning at least as early as 2007, Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.”

U.S. intelligence reports ranked cyber threats as the top danger facing the country for the first time in April, but tensions have been running high about the government’s ability to protect digital assets and intelligence for years. A 2011 Department of Justice report noted that only 64 percent of FBI agents assigned to national security-related cyber investigations had the appropriate skills and expertise to handle those types of cases.

Government cybersecurity contracting exploded during the Bush Administration, with many roles traditionally filled by government employees or resources outsourced to external companies over which the government has less oversight. The Obama Administration has made efforts to curb that trend, but that expansion, combined with a lack of cybersecurity expertise in the military and federal agencies, resulted in many cybersecurity defense operations being outsourced or completed under the heavy supervision of outside contractors. This has sometimes led to less than ideal outcomes, despite a 2011 General Services Administration (GSA) rule requiring all contractors and subcontractors that provide federal agencies with IT services, systems, or supplies to submit a cybersecurity plan that matches government regulations.


Security

How the Upcoming Iranian Election Is Already Being Fought Online

While tensions in Syria dominate headlines about the Middle East, a quiet digital battle is brewing in Iran as the June 14 presidential election approaches.

Yesterday, the Basij force of the Iranian Revolutionary Guard claimed its websites were being targeted in a wave of cyberattacks:

“Due to the impending vote, elements of the global arrogance have launched a new round of cyberattacks against Basij websites, particularly Basij.ir.”

According to local Iranian news sources, the Basij.ir site was down for part of the day on Wednesday (May 1), and a spokesman for the group claimed its sites have faced many attacks in the past three years. However, the Basij is better known as the aggressor in cyberattacks: in 2011 it launched a cyberattack against the “enemies” of Iran, and it has actively recruited hackers to boost its ranks.

Iran had over 8 million internet users in 2009, and online communications including social media and email were key to galvanizing and organizing opposition in the last Iranian presidential election and the protests that followed. Since then, the regime has cracked down harder than ever on online communications with aggressive surveillance and filtering, in what President Obama decried as an “Electronic Curtain” in 2012. Internet access was disrupted before the 2012 parliamentary elections, and at other times Iranian authorities have blocked specific web services, such as Google.

While the regime cracked down on tools like virtual private networks (VPNs) many Iranians use to avoid government internet controls in March, hacktivists outside the country are helping provide alternatives to further keep online communications channels open. One group, ASL19 — an interdisciplinary lab named after Article 19 of the Universal Declaration of Human Rights that upholds the right to freedom of expression and access to information — specifically aims to “empower Iranians to communicate freely and engage in dialogue with minimal threat to personal safety.” The group reportedly helps a million Iranians a day avoid network censorship by distributing open source evasion program Psiphon.

But the regime has even been working on an internal intranet, often dubbed the “halalternet” that would be completely closed off from the larger global internet system, and is reportedly very close to being deployed on a broad scale. Chinese technology company Huawei reportedly provided the Iranian government the technological infrastructure for the intranet, and according to Reuters, attempted to sell Iranian internet providers “lawful interception” surveillance tech that they later “acquired.”

Security

Report: Repressive Regimes Obtain Western Spying Tech To Monitor Dissidents

(Credit: Citizen Lab)

Political activists and dissidents are increasingly being targeted for digital surveillance, turning the democratizing power of innovations in communications technology against them, and all too often it appears Western tech companies may be the ones selling that technology to countries with poor human rights records.

A new report released on Wednesday by Citizen Lab at the University of Toronto shows how the commercialization of digital spying has made it easier than ever for repressive regimes to get their hands on technology that helps authorities monitor and crack down on opposition groups:

“Companies selling surveillance and intrusion software commonly claim that their tools are only used to track criminals and terrorists. FinFisher, VUPEN and Hacking Team have all used similar language.

Yet a growing body of evidence suggests that these tools are regularly obtained by countries where dissenting political activity and speech is criminalized.

Our findings highlight the increasing dissonance between [United Kingdom-based Gamma International's] public claims that FinSpy is used exclusively to track ‘bad guys’ and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists.”

FinSpy, the most prominent technology detailed in the report, is malware that is part of the commercial FinFisher intrusion kit distributed by Gamma. The malware is often distributed through email phishing scams with the installer for the program disguised as a different type of file attached to an email. Once a target is infected, the malware provides broad ranging digital surveillance, from spying via webcams and microphones and monitoring of video and email communications to keylogging and harvesting files from the hard drive. The program can also hide itself from antivirus scans. It delivers this intelligence and receives orders by connecting with remote command and control (C&C) servers. Today’s report reveals that FinSpy C&C servers have been observed operating in 36 countries since initially being discovered by security researchers in 2012 — including in many with suspect human rights records like Bahrain, Vietnam and Ethiopia.
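The delivery mechanism described above, an installer attached to an email but disguised as a different file type, is something a mail gateway or analyst can check for cheaply. The script below is an added example written for this page, not code from the article, Citizen Lab, or any vendor; it compares an attachment's claimed extension against the leading bytes of its content using a small, hand-picked signature table (the table and the sample attachments are constructed for the example and are not exhaustive).

```python
"""Flag email attachments whose claimed file type does not match their contents.

Added example: a defender's first cheap check against installers that are
disguised as images, documents, or lists of candidates.
"""
import os

# Leading-byte signatures for a few common types (constructed, not exhaustive).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),
}

# Signatures of native executables (Windows PE and ELF).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def claimed_extension(filename: str) -> str:
    """Lower-cased extension the recipient would see, without the dot."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def looks_like_executable(data: bytes) -> bool:
    return any(data.startswith(sig) for sig in EXECUTABLE_MAGIC)


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    ext = claimed_extension(filename)

    # "candidates.pdf.exe": a document-looking extension hidden in front of
    # the real one, which many mail clients display truncated.
    parts = filename.lower().split(".")
    if len(parts) > 2 and parts[-2] in MAGIC and parts[-2] != ext:
        findings.append(f"double extension .{parts[-2]}.{ext}")

    # Claimed type is one we know, but the bytes do not start the way it should.
    sigs = MAGIC.get(ext)
    if sigs is not None and not any(data.startswith(s) for s in sigs):
        findings.append(f"content does not match claimed .{ext}")

    # Executable bytes under any extension other than an executable one.
    if ext != "exe" and looks_like_executable(data):
        findings.append("executable content under non-executable extension")

    return findings


if __name__ == "__main__":
    # Constructed sample attachments, not real captures.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "opposition_rally.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
        "candidates.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    }
    for name, content in samples.items():
        print(name, "->", check_attachment(name, content) or "ok")
```

The check deliberately stops at the leading bytes: it is a triage filter for a mail pipeline, not a replacement for detonating the attachment in a sandbox, and a benign mismatch (an image renamed with the wrong extension) should route to review rather than be dropped silently.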

While Gamma says on its website that the surveillance suite is solely offered to Law Enforcement and Intelligence Agencies, because some regimes criminalize dissent or broadly categorize criminal activity to include organizing political opposition, the concept of distributing surveillance packages for “lawful interception capabilities” to those countries is effectively moot. Although Gamma is tight lipped about who it sells to and no nations are willing to acknowledge using the package, FinSpy continues to show up again and again being used to target activists and other political dissidents.

Last year, the New York Times reported that FinSpy was being deployed against Bahraini activists without criminal histories. Gamma blamed that incident on demonstration copies of FinSpy being stolen, despite previous denials that its product had been identified at all. FinSpy also recently surfaced in Ethiopia, where it was being distributed disguised as images of an Ethiopian opposition group and in Malaysia disguised as a list of political candidates targeting native Malay speakers. After the fall of Egyptian President Hosni Mubarak, an invoice for the FinFisher platform was found in the Egyptian State Security Headquarters, although it is unclear if a sale was completed.

Privacy International has made repeated inquiries to the United Kingdom questioning if the distribution of Gamma’s technology violates export laws, but as of yet the relevant agencies have “categorically refused to provide any details regarding any investigation into Gamma’s export practices.”

Gamma and other Western tech companies mentioned in the Citizen Lab report are not the only groups reportedly helping states with questionable human rights records establish digital surveillance. Last year it was revealed that Chinese company Huawei offered to sell a “lawful interception solution” to an Iranian telecommunications company and supplied the technological infrastructure behind the closed intranet system Iran is currently developing.

Security

Cybersecurity Bill’s GOP Sponsor Mocked For Saying Opponents Are Just Kids Tweeting


Opponents of the controversial Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) are challenging sponsor Rep. Mike Rogers (R-MI) to debate a 14-year-old about the merits of the proposal. The site, TheMikeRogersChallenge.com, was recently launched by Fight for the Future in response to Rogers’ claim that opponents of CISPA are 14-year-old “tweeters” in their basements.


The site claims it is “confident that even a 14-year-old in a basement could demolish Rogers’ weak arguments for CISPA” and is also seeking an appropriate teen challenger, who must be prepared to send videos of themselves explaining CISPA and pictures of their basement as part of the application process. Fight for the Future also launched the CispaIsBack.org petition shortly after the proposal was reintroduced this year.

In March, Rep. Rogers accidentally tweeted and deleted a link to a story about how Members of the House Intelligence Committee, which Rogers chairs, “received 15 times more from pro-CISPA groups than anti-CISPA orgs.” He also used #CISPAalert in a series of pro-CISPA tweets, apparently unaware that the hashtag was set up by the Electronic Frontier Foundation and helps fund the fight against CISPA. Data released by MapLight yesterday shows House Members as a whole “have received 16 times as much money ($67,665,694) from interests supporting CISPA than from interests opposing ($4,164,596).”

CISPA is aimed at creating a functional information sharing structure for cyber threat intelligence, but civil liberties organizations, the White House, and a number of security experts and academics believe the privacy protections and regulatory definitions are seriously flawed. The bill passed the House yesterday, but is facing a presidential veto threat similar to the one that killed a 2012 proposal of the same name.

While civil liberties groups have presented a number of fixes for areas of critical concern in the legislation, amendments to resolve privacy issues were largely unsuccessful in the closed House Intelligence committee hearing and opponents remain unimpressed by the version that passed the House. Rep. Mike McCaul (R-TX) invoked the tragic bombings in Boston during the House debate over CISPA amendments yesterday, claiming that the legislation needed to be rushed through “in the name” of Boston because cyber attacks represented “digital bombs [...] bombs are on their way.”

(Photo: AP/NBC)

Security

Everything You Need To Know About The Cybersecurity Bill Privacy Advocates Are Warning You About


The House started considering the controversial Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) on Wednesday and is expected to vote today — just two days since the White House threatened to veto the bill after it passed out of the House Intelligence Committee by an 18-2 vote in a closed session last week. Now a passionate policy debate is taking place about the importance of protecting civil liberties while solving a very real problem: How to allow government to provide threat intelligence information to victims of cyber attacks.

CISPA was reintroduced in February to immediate backlash from civil liberties groups, with the petition site cispaisback.org warning “the bill that would end our online privacy — is back in Congress despite public outrage and warnings from experts.” Only Reps. Jan Schakowsky (D-IL) and Adam Schiff (D-CA) voted against the proposal in committee citing the same privacy concerns and issues related to maintaining civilian control over private sector data that led the White House kill a similar proposal after it passed the House in 2012 with a veto threat much like the one currently employed.

By most assessments, privacy protections and regulatory definitions in CISPA have some gaping holes — even many security experts agree. And given the track record of government transparency surrounding surveillance tech, privacy and civil liberty advocates are understandably suspicious. The relationship between the civil liberties community, government, and telecommunications companies remains tainted by the Bush-era National Security Agency warrantless wiretapping program, which led to legislation giving retroactive immunity to companies that cooperated. Clapper v. Amnesty, a case questioning the constitutionality of the wiretaps, was dismissed earlier this year for lack of proper standing — leaving the question of their legality unresolved. So when faced with a broadly written law that could involve the NSA, it was no surprise that progressive and libertarian groups alike came out in opposition to CISPA after it was reintroduced this legislative cycle. And it looks like their concerns have not been mitigated.


Security

Why Even ‘Reputable’ Porn Sites May Put You At Risk For Malware

While it has long been internet common sense to be cautious on adult content sites, the BBC reports even some of the most trusted names in the online porn industry are serving malicious ads:

“The data showed that xhamster.com – listed by monitoring firm Alexa as the 46th most popular site on the internet – had malvertising on 1,067 out of 20,986 pages (5%) screened in the past 90 days[...] According to Alexa’s statistics, the average user of xhamster.com would look at 10.3 individual pages – meaning a potential 42% risk of stumbling across harmful adverts in each viewing session.

Another site, pornhub.com, was found to have dangerous advertising on 12.7% of its pages.”

The malware isn’t actually hosted by the porn sites, rather embedded ads on the sites were discovered installing harmful files without users’ knowledge. Because of the way online ad space is often bought and resold or repackaged numerous times, it’s often unclear exactly who is placing the “malvertising” — which is exactly how the people behind the ads like it.

The report continues a trend of online advertising increasingly being a method used to distribute malicious code. In fact, Cisco’s annual 2013 Security Report claimed internet users are 182 times more likely to be infected with malware by clicking on online ads than merely visiting a porn site. Although there are ad-blocking services that can help mitigate this risk, only around 10 percent of internet users actively deploy them.

Security

The ‘Scariest Search Engine On The Internet’ Has Been Around For 3 Years And Is Used For Good

CNNMoney posted an ominously titled column “Shodan: The scariest search engine on the Internet” yesterday about a search application that discovers unprotected technology connected to the internet that was promptly aggregated by other outlets like FastCompany – but not until the last third of the article did the author mention two key facts: Shodan has existed for three years and is “almost exclusively used for good.”

Make no mistake, the things Shodan can uncover are scary: it’s essentially a way to find technology currently online that was never intended to be networked in the first place, or that was networked with such laughably thin security, like default admin logins and passwords, that it’s child’s play to compromise — with the vulnerable tech ranging from the seemingly mundane, like home printers and garage doors, to the sort of things you really don’t want connected to the outside world, such as citywide traffic systems and nuclear command and control centers.

And as we move closer to a world where everything from our refrigerators to our pacemakers are connected to the Internet in one way or another, these problems will only multiply: An “Internet of things” that lacks security built into the devices that join together to create that network could potentially put everyone at risk. The issue is that these vulnerabilities exist in the first place, not that Shodan can uncover them — as previous coverage of Shodan by Dave Maass in San Diego CityBeat* notes:

“The fact that somebody is basically shining a flashlight into a dark room shouldn’t be the part people are afraid of,” says Dan Tentler, a San Diego-based information-security consultant. “The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.”

As with almost all technological developments, Shodan is neutral. In fact, the bad guys have a vested interest in keeping these types of vulnerabilities quiet so their exploitation will go unnoticed. With Shodan, security experts have a simpler way of identifying which networks are at risk and potentially taking them offline or improving their security, thus bettering the entire system. And “security experts” does mean hackers: while the word has taken on a lot of negative connotations in the media, hacking is a process of discovering vulnerabilities, and that process is neutral. Just as it’s questionable to call Shodan scary because the things it uncovers are unsettling, decrying the process of hacking and all the people who do it because they reveal problems with systems is equally objectionable.

There are certainly bad hackers, but there are also good hackers: Just ask Peiter Zatko (better known as Mudge) who spent the last few years as a program manager at the Defense Advanced Research Projects Agency (DARPA) focusing on cybersecurity projects. When he left last week he tweeted that he didn’t know which was neater: “getting Office of SecDef highest award, OR the positive use of ‘hackers’ in the letter!”

Update

*An earlier version of this piece misidentified Dave Maass and the source of this quote.

Security

Hacktivist Group Anonymous Attacks North Korea


As tensions continue to rise on the Korean peninsula, internet hacktivist collective Anonymous has joined the fray — and appears to have been very successful at penetrating North Korea’s superficial cybersecurity defenses. ReadWrite reports:

“On Tuesday, the group claimed to have stolen 15,000 passwords from the communist nation as part of what it calls Operation North Korea. Late Wednesday, as tensions rose in Kaesong over the North’s closure and seizure of an industrial park it shares with the South, along with repeated declarations of nuclear launch, Anonymous advanced its own chess pieces. The hackers allegedly seized control of North Korea’s official Twitter and Flickr accounts, in the process defacing several related websites, and making the autocratic nation look extremely unprepared for cyber attack.”

The primary North Korean propaganda site Uriminzokkiri.com also appears to be down, possibly as the result of a distributed denial of service (DDoS) attack — all with demands that Kim Jong Un step down in favor of a direct democracy regime, cease “making nukes and nuke-threats,” and allow citizens access to the open internet. All very admirable goals, although it’s highly unlikely North Korean citizens are aware of their regime’s internet embarrassment because of that very lack of internet access: Although the country did briefly open up mobile data access for tourists earlier this year, a policy it reversed very quickly, most North Koreans only have access to the nation’s intranet, Kwangmyong, if anything at all.

Security analysts are skeptical of claims that the group has infiltrated the Kwangmyong, and as others have noted, managing to gain control of social media accounts and taking down the propaganda website are more likely to result in punishments for the lower level North Korean operatives in charge of maintaining those resources than cause the regime to topple.

While Anonymous’s actions certainly demonstrate that North Korea’s cyber defense strategies on superficial sites leave something to be desired, there is also a risk that they could tip the balance of a very delicate diplomatic situation. As ThinkProgress has noted previously, the current situation may be more serious than the saber-rattling status quo of Korean peninsular relations in recent years: North Korea recently announced an end to the 1953 Armistice Agreement and pledged to attack the U.S. and its allies in the region. While the exact nature of the military threat North Korea poses is debatable, one of the few things that is certain is that the sheer unpredictability of the nation represents a very real threat to global security.

As amusing as Anonymous’s attacks on the country may be, hitting North Korea with the digital equivalent of pocket sand might only serve to anger the regime, possibly even making them blink in a way that is bad for everyone involved.

Security

What Beyonce And Michelle Obama Can Teach Us About The Current State Of Data Security

Another day, another high profile hacking headline. In January it was Chinese hacks of newspapers, then it was think tanks, and now everyone from Beyonce and Jay-Z to First Lady Michelle Obama and Attorney General Eric Holder is having their personal data splashed upon the web. There’s one scary truth all these stories should highlight: The only reason your data hasn’t been compromised is because you haven’t been competently targeted yet.

This latest instance of hacking in and dumping someone’s personal data onto the web, a practice often called “doxxing” in hacker circles, is perhaps the strongest case yet for why you should be wary about the security of your personal information.

The full list of the compromised contains big names: Vice President Biden, LAPD Chief Charlie Beck, AG Holder, former Secretary Clinton, FBI Director Robert Mueller in addition to a string of celebrities of varying stature. Undoubtedly, the most prominent were using strong security procedures to avoid the exposure of their personal data. And yet, none of that mattered, thanks to the source of the breach according to NBCNews.com:

“The Equifax credit bureau confirmed Tuesday that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.

The theft suggests criminals have outfoxed AnnualCreditReport.com’s defenses, potentially giving them access to potentially 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually.”

AnnualCreditReport.com, a joint project between our nation’s three largest credit bureaus, itself was not hacked, so to speak; rather, the hackers likely used a combination of trial and error and personal information that could have been gleaned from scouring the web or purchased from online data brokers to successfully authenticate themselves as the victims. The ease of the fraud raises a host of concerns: consider that Equifax has assembled a private database of the employment and salary records of more than one-third of working U.S. adults. Plus, Equifax and its customers have previously agreed to pay a $1.6 million Federal Trade Commission settlement for improperly selling lists of consumers late on mortgage payments. Does their data security record suggest an ability to competently secure access to that mountain of sensitive information?

Security

Chinese Army Linked To Hacking Against U.S.

The Shanghai building reportedly serving as a headquarters for PLA Unit 61398

Following months of headlines about the rising threat of Chinese cyber-espionage, a report released today by cybersecurity company Mandiant ties extensive corporate espionage hacking campaigns against English-language companies to the Chinese Army. The report sheds new light on the hacking group commonly referred to in the press as “Comment Crew” and as Advanced Persistent Threat 1 (APT1) by Mandiant:

“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”

According to the New York Times, this revelation lines up with a recent classified National Intelligence Estimate that “makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398.”

Here’s what you need to know about this possible Chinese cyber-army:

  • APT1 is likely PLA Unit 61398. Mandiant believes APT1 is the same as the 2nd Bureau of the PLA General Staff Department’s 3rd Department, commonly known by its unit distinction 61398. Unit 61398 is classified, but Chinese network security experts have mentioned it as the source of their expertise in published reports, and an internal memo from state-controlled China Telecom obtained by Mandiant details how infrastructure for their headquarters was co-built with the Unit “based on the principle that national defense construction is important.” However, there is one unlikely alternative outlined by Mandiant:

    “A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

  • APT1 victims are mostly in the U.S. and in industries China considers strategically important. Of the 141 breaches Mandiant has studied, 115 were U.S. based companies, and 87 percent of them were headquartered in countries where English is the primary language. English proficiency appears to be a key recruiting factor for Unit 61398. APT1’s victims include companies in four of the seven strategic emerging industries China identified as key in its 12th Five Year Plan.
  • The resources behind the attacks and amount of data culled are huge. Mandiant “conservatively” estimates 1,000 servers would be needed to support APT1’s current attack infrastructure with potentially hundreds of human operators. While it’s hard to put a figure on how much total data the group has lifted because of how well it covers its tracks, Mandiant witnessed them steal as much as 6.5 terabytes of compressed data from just one organization over a ten-month window.

  • APT1 attacks are long-term infiltrations. The attacks from the group started as far back as 2006 with an average of 356 days of access to a victim’s networks. Mandiant says APT1 maintained access to one victim’s network for at least 1,764 days — over four years.
  • China denies involvement. According to the New York Times: “Contacted Monday, officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal.”
  • If Mandiant is correct in its assertions about APT1 and Unit 61398, China wouldn’t be the only country engaged in aggressive cyber actions as international norms in the space are still being shaped: The U.S. has reportedly engaged in malware development targeting Iran’s nuclear facilities and President Obama signed a secret directive in October aimed at reclassifying some cyberactions previously considered offensive as defensive.

Cybersecurity has increasingly been seen as a major national and economic security threat. President Obama recently signed another directive and an executive order aimed at improving the security of privately owned critical infrastructure via information sharing, and lawmakers on Capitol Hill reintroduced the controversial 2012 cybersecurity proposal CISPA the next day.
