
Stories tagged with “Cybersecurity”

Security

What Beyonce And Michelle Obama Can Teach Us About The Current State Of Data Security

Another day, another high profile hacking headline. In January it was Chinese hacks of newspapers, then it was think tanks, and now everyone from Beyonce and Jay-Z to First Lady Michelle Obama and Attorney General Eric Holder is having their personal data splashed upon the web. There’s one scary truth all these stories should highlight: The only reason your data hasn’t been compromised is because you haven’t been competently targeted yet.

This latest instance of hacking in and dumping someone’s personal data onto the web, a practice often called “doxxing” in hacker circles, is perhaps the strongest case yet for why you should be wary about the security of your personal information.

The full list of the compromised contains big names: Vice President Biden, LAPD Chief Charlie Beck, AG Holder, former Secretary Clinton, FBI Director Robert Mueller in addition to a string of celebrities of varying stature. Undoubtedly, the most prominent were using strong security procedures to avoid the exposure of their personal data. And yet, none of that mattered, thanks to the source of the breach according to NBCNews.com:

“The Equifax credit bureau confirmed Tuesday that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.

The theft suggests criminals have outfoxed AnnualCreditReport.com’s defenses, potentially giving them access to potentially 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually.”

AnnualCreditReport.com, a joint project of our nation’s three largest credit bureaus, was not itself hacked, so to speak; the hackers most likely used a combination of trial and error and personal information gleaned from scouring the web or purchased from online data brokers to authenticate themselves as the victims. The ease of the fraud raises a host of concerns: Consider that Equifax has assembled a private database of the employment and salary records of more than one-third of working U.S. adults. Plus, Equifax and its customers have previously agreed to pay a $1.6 million Federal Trade Commission settlement for improperly selling lists of consumers late on mortgage payments. Does their data security record suggest an ability to competently secure access to that mountain of sensitive information?

Security

Chinese Army Linked To Hacking Against U.S.

The Shanghai building reportedly serving as a headquarters for PLA Unit 61398

Following months of headlines about the rising threat of Chinese cyber-espionage, a report released today by cybersecurity company Mandiant ties extensive corporate espionage hacking campaigns against English-language companies to the Chinese Army. The report sheds new light on the hacking group commonly referred to in the press as “Comment Crew” and as Advanced Persistent Threat 1 (APT1) by Mandiant:

“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”

According to the New York Times, this revelation lines up with a recent classified National Intelligence Estimate that “makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398.”

Here’s what you need to know about this possible Chinese cyber-army:

  • APT1 is likely PLA Unit 61398. Mandiant believes APT1 is the same as the 2nd Bureau of the PLA General Staff Department’s 3rd Department, commonly known by its unit distinction 61398. Unit 61398 is classified, but Chinese network security experts have mentioned it as the source of their expertise in published reports, and an internal memo from state-controlled China Telecom obtained by Mandiant details how infrastructure for their headquarters was co-built with the Unit “based on the principle that national defense construction is important.” However, there is one unlikely alternative outlined by Mandiant:

    “A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

  • APT1 victims are mostly in the U.S. and in industries China considers strategically important. Of the 141 breaches Mandiant has studied, 115 were U.S.-based companies, and 87 percent of them were headquartered in countries where English is the primary language. English proficiency appears to be a key recruiting factor for Unit 61398. APT1’s victims include companies in four of the seven strategic emerging industries China identified as key in its 12th Five Year Plan.

  • The resources behind the attacks and the amount of data culled are huge. Mandiant “conservatively” estimates 1,000 servers would be needed to support APT1’s current attack infrastructure, with potentially hundreds of human operators. While it’s hard to put a figure on how much total data the group has lifted because of how well it covers its tracks, Mandiant witnessed it steal as much as 6.5 terabytes of compressed data from just one organization over a ten-month window.

  • APT1 attacks are long-term infiltrations. The group’s attacks started as far back as 2006, with an average of 356 days of access to a victim’s networks. Mandiant says APT1 maintained access to one victim’s network for at least 1,764 days — over four years.

  • China denies involvement. According to the New York Times: “Contacted Monday, officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal.”

  • If Mandiant is correct in its assertions about APT1 and Unit 61398, China wouldn’t be the only country engaged in aggressive cyber actions while international norms in the space are still being shaped: The U.S. has reportedly engaged in malware development targeting Iran’s nuclear facilities, and President Obama signed a secret directive in October aimed at reclassifying some cyber actions previously considered offensive as defensive.

Cybersecurity has increasingly been seen as a major national and economic security threat. President Obama recently signed another directive and an executive order aimed at improving the security of privately owned critical infrastructure via information sharing, and the next day lawmakers on Capitol Hill reintroduced CISPA, the controversial cybersecurity proposal from 2012.

Security

Controversial Cybersecurity Bill Reintroduced Without Changes

Less than twenty-four hours after President Obama announced an executive order aimed at strengthening the cybersecurity of critical infrastructure and called for congressional action on cybersecurity in his State of the Union Address, Congressman Mike Rogers (R-MI) and Congressman Dutch Ruppersberger (D-MD) reintroduced the controversial Cyber Intelligence Sharing and Protection Act (CISPA) to the House.

CISPA caused widespread outcries from privacy and civil liberties advocates when it was considered in 2012 due to provisions that would in effect allow intelligence agencies a backdoor into the personal information of most Americans by allowing companies to share information about activities on their networks with very little oversight. The version of the bill introduced for the 113th Congress is unchanged from the amended version from the 112th session, which President Obama threatened to veto. Indeed, press materials from the House Intelligence Committee say “the bill that was introduced today is identical to the ‘Cyber Intelligence Sharing and Protection Act’ (H.R. 3523) that passed the House by a strong bipartisan vote of 248-168 in April 2012.”

Online privacy advocates began organizing a response based on rumors of its revival earlier in the month, with Fight for the Future launching the site Cispaisback.com and Gregory T. Nojeim, Director of the Project on Freedom, Security & Technology at the Center for Democracy & Technology, telling ThinkProgress “CISPA is deeply flawed” and recommending Members “seriously consider” whether they wanted to re-open the debate over the bill.

Security

Online Privacy Advocates Applaud Protections in Cybersecurity Executive Order

President Obama signed a long-rumored executive order aimed at strengthening the cybersecurity of critical infrastructure and a Presidential Directive on Critical Infrastructure Security and Resilience before the State of the Union yesterday.

The executive order creates new information sharing programs under the direction of the Department of Homeland Security (DHS) to provide threat and attack information to U.S. businesses, opens up the voluntary Enhanced Cybersecurity Services program to other sectors participating in critical infrastructure beyond the defense industrial base, and calls for the National Institute of Standards and Technology to implement a cybersecurity framework to reduce the cyber risks to critical infrastructure.

Under the order, agencies and the private companies participating in the information sharing program are also required to incorporate privacy and civil liberties safeguards based upon the Fair Information Practice Principles (FIPPs) and other applicable standards. The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS will also produce an annual report on the privacy and civil liberty impacts of the programs outlined in the order, and provide guidance on how to minimize or mitigate those risks.

Largely due to these provisions, online privacy advocates have applauded the order, in stark contrast to other cybersecurity proposals in recent years. While cybersecurity breaches have made big headlines in recent months, with the hacking of major newspapers and new revelations about the network insecurity at some federal agencies, legislative efforts to address the issue languished in 2012 — although much to the dismay of privacy advocates, the most troubling of them, the Cyber Intelligence Sharing and Protection Act (CISPA), appears to be attempting a comeback.

Center for Democracy and Technology (CDT) President Leslie Harris released a statement praising the order’s protections and emphasis on sharing the government’s cybersecurity expertise with private stakeholders:

“The executive order says that privacy must be built into the government’s cybersecurity plans and activities, not as an afterthought but rather as part of the design. By explicitly requiring adherence to fair information practice principles, the order adopts a comprehensive formulation of privacy. The annual privacy assessment, properly done, can create accountability to the public for government actions taken in the name of cybersecurity [...]

CDT has long argued that one of the best things government can do to bolster cybersecurity is to share the cyberthreat insights and expertise it has with private industry. Rather than having the government monitor private networks, it is better for security and privacy to have private entities protect their own systems and networks. Better sharing of what the government knows will enhance that effort.”

The Presidential Directive accompanying the order clarifies the role of many federal agencies in cybersecurity, with DHS leading the effort and other agencies working with sector-specific industries to promote cybersecurity best practices, and outlines three major imperatives for DHS to pursue to improve the resiliency of the federal government’s critical infrastructure against cyberattacks: Define current functional relationships across government, identify baseline data and systems requirements to enable information exchange, and implement an analysis and integration function with the capability to process and respond to cyber vulnerabilities.

This is the second Presidential Directive to address cybersecurity, following a secret directive signed by the President in mid-October that redefined some military cybersecurity actions previously considered offensive as defensive, around the same time Defense Secretary Leon Panetta warned of a looming “cyber-Pearl Harbor.”

Politics

The Six Executive Orders Obama May Issue To Circumvent The Do-Nothing Congress

The 112th Congress was one of the least productive and most obstructionist in history — as Ezra Klein notes, it passed 100 fewer laws than the previously least productive Congress on record and “achieved nothing of note on housing, energy, stimulus, immigration, guns, tax reform, infrastructure, climate change or, really, anything.” The unprecedented use of the filibuster (roughly 400 times, a number unheard of in American history previously) ensured that any action in the Senate would go nowhere, to say nothing of the GOP-controlled House.

As a consequence, President Obama has been forced to make do with valuable, but ultimately incomplete, executive actions on huge issues like climate change. It looks like the second term will be similar: the Washington Post reported on Sunday that President Obama was planning to use executive power to make what changes he could on a series of domestic policy fronts. Below are six executive actions Obama may be considering:

1. Cybersecurity: President Obama appears likely to “establish a voluntary program where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government.” These voluntary minimum security standards are supposed to ward against an escalating pattern of cyber intrusions on “critical infrastructure.” It’s hard to say with any precision exactly what the standards in this order would be.

2. Housing: Housing is perhaps both the most significant and most ignored problem facing the United States today — 11 million Americans currently are “underwater,” meaning they owe more on their mortgage than their house is worth. The executive order under consideration would extend super-low refinancing rates to people who have private mortgages, a helpful move that’s nonetheless insufficient without Congressional action.

3. Climate Change: The Post reports that the President is thinking of expanding two first-term climate change executive actions: emission standards for power plants imposed under the Clean Air Act and the Better Buildings Initiative. The former standards currently apply only to new power plants; after these are finalized, the President is “considering moving beyond that effort toward regulating carbon emissions from existing power plants.” The latter is an initiative to improve buildings’ energy efficiency. These two moves, however, only scratch the surface of potential executive actions on climate change.

4. Equality for federal LGBT workers: Congress has been recalcitrant about passing the Employee Non-Discrimination Act (ENDA), which extends full non-discrimination protection to all Americans on the grounds of sexual orientation and gender identity. Until recently, President Obama had used the legislative effort as a shield against issuing an executive order that would extend said protections to federal contractors. It now seems likely that an order protecting contractors is forthcoming.

5. Fair payment for home care workers: Roughly two million Americans work in the in-home medical care sector but, due to a legal exemption, can be paid under the minimum wage and generally don’t receive standard overtime wages. These workers are almost all women, and large percentages are poor and/or racial minorities. While the White House initially announced plans to end the minimum wage and overtime exemptions in 2011, it has yet to finalize them — but may well soon.

A Quinnipiac poll released on Monday found that President Obama was more trusted than Congressional Republicans by the general public on every issue surveyed, ranging from the economy to immigration to foreign policy. Another Quinnipiac poll earlier in February found that only 19 percent of Americans approve of Congressional Republicans’ performance.

Security

Government Audit Says The FCC Failed To Fix Network Security Holes

Last week the Government Accountability Office (GAO) released an audit on the Federal Communications Commission’s (FCC) Enhanced Secured Network (ESN) project that questions the network security of the very agency that regulates online communications. Things are going so poorly with the project that the GAO couldn’t even release full findings to the public — instead, a separate report with limited distribution was prepared “making 26 recommendations associated with 21 findings to resolve technical information security weaknesses related to access controls and configuration management of the ESN.”

Sean Gallagher at Ars Technica explains the back story:

“In August of 2011, while in the middle of upgrading its network security monitoring, the Federal Communications Commission discovered it had already been hacked. Over the next month, the commission’s IT staff and outside contractors worked to identify the source of the breach, finding an unspecified number of PCs infected with backdoor malware.

After pulling the infected systems from the network, the FCC determined it needed to do something dramatic to fix the significant security holes in its internal networks that allowed the malware in. The organization began pulling together a $10 million “Enhanced Secured Network” project to accomplish that.”

But according to Gallagher, that $10 million plan was largely put together by Octo Consulting, and the GAO findings make it clear almost nothing went well:

“FCC’s efforts to effectively manage the ESN project were hindered by its inconsistent implementation of procedures for estimating costs, developing and maintaining an integrated schedule, managing project risks, and conducting oversight.”

The report concludes that as a result of this mismanagement, the FCC did not implement appropriate security controls in the initial phase of the project, nor has it consistently implemented key security procedures for managing the program, to the point that the “FCC’s information remained at unnecessary risk of inadvertent or deliberate misuse, improper disclosure, or destruction” — essentially leaving the system, and thus sensitive internal FCC communications and information about the people and companies doing business with the FCC, vulnerable to the same sort of breach found in 2011 that prompted the Enhanced Secured Network project in the first place.

While the shortage of cybersecurity expertise in government is nothing new, that the very agency responsible for regulating online communications was forced to resort to outside assistance to secure its networks — and just how spectacularly that outside assistance failed — is yet another wake-up call to the severity of the shortage and the real impact it has on our government’s ability to do its job.

Update

In a later update to Ars Technica, Octo Consulting President Mehul Sanghani clarified that they were “responsible for providing ‘acquisition support to the FCC’ for the ESN contract” and “[o]nce the contract was awarded, Octo was also tasked with providing project management support to supplement the FCC IT staff that was tasked with overseeing the work,” while the actual execution was done by MicroTech and subcontractor Booz Allen Hamilton.

Security

Cybersecurity Bill Supporters Regroup As Executive Order Looms

The Hill reports Rep. Dutch Ruppersberger (D-MD), the ranking member of the House Intelligence Committee, plans to re-introduce the Cyber Intelligence Sharing and Protection Act (CISPA) with the committee’s chairman, Rep. Mike Rogers (R-MI), this year. CISPA passed the House in 2012 despite significant organized opposition from privacy advocates, but was not considered by the Senate as it focused on its own cybersecurity proposal — one which also stalled, leading to reports the White House plans to issue a cybersecurity executive order calling for the creation of a voluntary program including minimum safety standards in critical infrastructure sectors.

CISPA proposed making information sharing between private companies and the intelligence agencies easier in order to allow collaborative responses to cyberattacks, likely at the expense of internet users’ privacy. While the bill enjoyed the support of many major companies including Facebook, Microsoft, IBM, Oracle, Symantec, AT&T and Verizon, civil liberties organizations expressed major doubts about the proposal and continue to do so. In a comment about renewed interest in CISPA to ThinkProgress today, Gregory T. Nojeim, Director of the Project on Freedom, Security & Technology at the Center for Democracy & Technology, said:

“CISPA is deeply flawed. Under a broad cybersecurity umbrella, it permits companies to share user communications directly with the super secret National Security Agency and permits the NSA to use that information for non-cybersecurity reasons. This risks turning the cybersecurity program into a back door intelligence surveillance program run by a military entity with little transparency or public accountability. Members should seriously consider whether CISPA — which inflamed grassroots activists last year and was under a veto threat for these and other flaws — is the right place to start.”

The White House is expected to release a cybersecurity executive order after the State of the Union, although rumors of its imminence have been floating around since September. Nojeim noted that last year there were reasons to be optimistic about the cybersecurity executive order when rumors of it first emerged — including the White House’s threat to veto CISPA.

The executive order wouldn’t be the first foray into cybersecurity for President Obama: He signed a secret directive in October that redefined some cybersecurity actions previously deemed offensive as defensive, as part of an effort to enable military personnel to be more proactive in thwarting cyberattacks. The move occurred around the same time Secretary of Defense Leon Panetta warned of an impending “cyber-Pearl Harbor.”

The threat of cyber attacks on public and private infrastructure is very real, as demonstrated by the huge jump in critical infrastructure incidents requiring the involvement of the U.S. Industrial Control Systems Cyber Emergency Response Team, from 9 in 2009 to 198 in 2011.

Outside of traditionally defined critical infrastructure, other sectors have also been the target of recent high profile cybersecurity breaches, including many major newspapers and banks.

Security

Clicking Online Ads More Likely To Deliver Malware Than Surfing Porn Sites, Report Finds

Your online habits may be less dangerous than you think if they involve the less savory aspects of the web: According to Cisco’s annual 2013 Security Report, internet users are 182 times more likely to get malware from clicking on online ads than from visiting a porn site. It turns out the sites on the gray- or black-market edges of the web that most of us traditionally think of as dangerous aren’t the biggest threats to your online security. Instead:

“The dangers […] are often hidden in plain sight through exploit-laden online ads that are distributed to legitimate websites, or hackers targeting the user community on the common sites they use most.”

Those common sites include online shopping and search engines, which were 21 and 27 times more likely, respectively, to deliver malicious content than counterfeit software sites, according to Cisco. Unsurprisingly, the Pew Internet & American Life Project reports that of the 81 percent of American adults who use the internet, some 91 percent report using search engines to find information and 71 percent buy products online.

Of course, many online users (around 10 percent according to one 2012 study) are already using ad-blocking software to avoid being served possibly malicious ads. And the proportion of online resources and time devoted to racy material is up for debate, with just 4 percent of the 1 million most popular sites in 2010 revolving around sex and 13 percent of searches being for erotic content.

Beyond the eye-catching numbers about the relative safety of surfing for porn, the Cisco report identifies a number of other emerging threats — key among them the rise of Android malware exploits and the possible info-security minefield represented by the internet of things.

Security

U.S. Considers Stronger Action Over Chinese Cyber-Espionage After Major Newspapers Breached

Wen Jiabao

The Associated Press reports the U.S. is weighing a tougher response to Chinese cyber-espionage following the revelation this week that both the New York Times and the Wall Street Journal were hacked — allegedly by hackers backed by the Chinese government:

“Two former U.S. officials said the administration is preparing a new National Intelligence Estimate that, when complete, is expected to detail the cyberthreat, particularly from China, as a growing economic problem. One official said it also will cite more directly a role by the Chinese government in such espionage.

The official said the NIE, which reflects the views of the nation’s various intelligence agencies, will underscore the administration’s concerns about the threat, and will put greater weight on plans for more pointed diplomatic and trade measures against the Chinese government. The two former officials spoke on condition of anonymity because they were not authorized to discuss the classified report.”

A New York Times story on Wednesday revealed a four-month assault against the company, starting after a Times investigation into the billions accumulated by Chinese Prime Minister Wen Jiabao’s family during his tenure. The Times systems were compromised, with hackers obtaining all Times employee passwords and access to 53 employee personal computers. One Times journalist, John Schwartz, noted that the story explained a lot of recent security measures, including random password resets.

The hackers typically worked regular Beijing hours, according to Mandiant, the security company hired by the Times to investigate, and while chief security officer Richard Bejtlich cautions “If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’” the Times analysis identifies the Chinese government as the likely culprit.

The Wall Street Journal announced it was the victim of a similar series of attacks Thursday, noting that the hackers appeared interested in sources and information, not financial details. Chinese Embassy spokesman Geng Shuang responded to the allegations made in both stories. “It is irresponsible to make such an allegation without solid proof and evidence,” he said. “The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws.”

Security

Anonymous Remembers Aaron Swartz By Taking Down MIT Website

Aaron Swartz, the digital activist who committed suicide last Friday.

The web mourned the loss of internet folk hero Aaron Swartz this weekend, but some members of the internet hacking group Anonymous took their pain out on MIT’s website. Swartz was a programmer and online activist who recently took his own life while facing charges carrying over thirty-five years in prison for allegedly mass downloading nearly five million documents from the online journal database JSTOR. It is thought that Swartz wanted to liberate the data as a radical contribution to the open access movement.

While JSTOR settled its civil case in July 2011, MIT is accused by many of Swartz’s supporters of being complicit in the harsh prosecution tactics used in his case. In a statement shortly after his death, Swartz’s family wrote:

“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death. The US Attorney’s office pursued an exceptionally harsh array of charges, carrying potentially over 30 years in prison, to punish an alleged crime that had no victims. Meanwhile, unlike JSTOR, MIT refused to stand up for Aaron and its own community’s most cherished principles.”

MIT released a statement on Swartz Sunday expressing sorrow for his death and announcing an investigation to “describe the options MIT had and the decisions MIT made, in order to understand and to learn from the actions MIT took.” The statement was obviously not enough to appease some members of Anonymous, who took down the site for part of the night using a distributed denial of service (DDoS) attack, making it inaccessible to the internet at large but not stealing personal information or otherwise damaging the network.

Elsewhere on the web, academics made another kind of tribute, focused on building up rather than taking down: They started uploading their research to share in honor of Swartz.
