The Cybersecurity Information Sharing Act of 2014 (“CISA”) was scheduled to be marked up by the Senate Intelligence Committee yesterday but has been delayed until after next week’s congressional recess. The response to the proposed legislation from the privacy, civil liberties, tech, and open government communities was quick and unequivocal – this bill must not go through.
The bill would create a massive loophole in our existing privacy laws by allowing the government to ask companies for “voluntary” cooperation in sharing information, including the content of our communications, for cybersecurity purposes. But the definition they are using for the so-called “cybersecurity information” is so broad it could sweep up huge amounts of innocent Americans’ personal data.
The Fourth Amendment protects Americans’ personal data and communications from undue government access and monitoring without suspicion of criminal activity. The point of a warrant is to guard that protection. CISA would circumvent the warrant requirement by allowing the government to approach companies directly to collect personal information, including telephonic or internet communications, based on the new broadly drawn definition of “cybersecurity information.”
While we hope many companies would jealously guard their customers’ information, there is a provision in the bill that would excuse sharers from any liability if they act in a “good faith” belief that the sharing was lawful.
Collected information could then be used in criminal proceedings, creating a dangerous end-run around laws like the Electronic Communications Privacy Act, which contain warrant requirements.
In addition to the threats to every American’s privacy, the bill clearly targets potential government whistleblowers. Instead of limiting the use of data collection to protect against actual cybersecurity threats, the bill allows the government to use the data in the investigation and prosecution of people for economic espionage and trade secret violations, and under various provisions of the Espionage Act.
It’s clear that the law is an attempt to give the government more power to crack down on whistleblowers, or “insider threats,” in popular bureaucratic parlance. The Obama Administration has brought more “leaks” prosecutions against government whistleblowers and members of the press than all previous administrations combined. If misused by this or future administrations, CISA could eliminate due process protections for such investigations, which already favor the prosecution.
Russia accused the United States on Tuesday of violating a bilateral treaty and “kidnapping” a Russian accused of hacking into U.S. retailers’ computer systems to steal credit card data.
The U.S. Department of Homeland Security on July 5 arrested Roman Valerevich Seleznev, the son of a Russian lawmaker, for what it said were crimes carried out from 2009 to 2011.
The 30-year-old’s father Valery Seleznev, a deputy in Russia’s lower house, said in a statement he “intends to take all necessary steps to protect his lawful interests.”
Roman Seleznev was apprehended in an airport in the Maldives, the Russian Foreign Ministry said.
“We consider this as the latest unfriendly move from Washington,” it said in a statement on its website.
“This is not the first time the U.S. side, ignoring a bilateral treaty … on mutual assistance in criminal matters, has gone ahead with what amounts to the kidnapping of a Russian citizen.”
Seleznev was indicted in Washington state in March 2011 on charges including bank fraud, causing damage to a protected computer, obtaining information from a protected computer and aggravated identity theft, the U.S. agency said in a statement.
The indictment said Seleznev hacked into websites including those run by the Phoenix Zoo, a branch of Schlotzsky’s Deli and many other small restaurants and entertainment venues around the country.
Imagine this: Your city has been out of electricity for a full day because the power grid is being held ransom by an international group of hackers, demanding money before electricity will be restored. While this might sound like the plot of a dystopian novel, Dr. Larry Ponemon, founder of the Ponemon Institute, says this kind of attack on an electrical grid or water system could be in our future if critical infrastructure sectors don’t improve their security systems.
“The worst case scenario is a critical infrastructure attack, and these organizations are ill prepared to deal with it,” Ponemon says. While the media focuses on security breaches in the private sector—especially retail—the vulnerability of critical infrastructure such as energy and utilities receives less attention. “With the increased convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks,” says Steve Durbin, Managing Director of Information Security Forum. “They can now have physical impact in the real world.”
The most well-known example of a cyber attack on a physical infrastructure is the Stuxnet malware, which was allegedly built by the U.S. and Israeli governments and deployed on the computer systems of Iranian nuclear facilities beginning in 2008, disrupting a fifth of Iranian facilities and setting back Iran’s nuclear plans by as much as two years.
Today, a striking disparity exists between awareness of cybersecurity risks and the implementation of security protocols in critical infrastructure sectors, according to a report released Thursday by Ponemon Institute and Unisys. Titled “Critical Infrastructure: Security Preparedness and Maturity,” the report draws on responses from 599 IT security executives in 13 countries from the utility, oil and gas, alternative energy, and manufacturing sectors. According to the study, 67% of companies say they “have had at least one security compromise that led to the loss of confidential information or disruption to operations” in the past year. Additionally, 64% of companies say that they want to prevent or anticipate attacks, but only 28% say security is one of their company’s top five priorities. While 47% of security breaches occur because of negligent employees, only 6% of companies are training their employees on cybersecurity. Only 17% of respondents said their company had achieved a mature level of cyber security—defined by having most IT security programs deployed.
This problem is not unique or particularly surprising, and Unisys CISO Dave Frymier says the study provides empirical evidence of a security problem he already suspected existed. Most of us are willing to take risks when it comes to security, only regretting it when we become the victims of an attack. The international focus of this study reveals that critical infrastructure security is a global problem. The countries surveyed, including the United States, Brazil, and the UK, all had relatively similar answers, according to Frymier and Ponemon, despite differing levels of security in other sectors.
Chinese hackers broke into the federal Office of Personnel Management computer system in March, apparently targeting tens of thousands of employees who applied for top-security clearance, The New York Times reported.
The Times, citing “senior American officials,” said the breach had been tracked to China, but not necessarily the Chinese government. White House spokesman Josh Earnest said authorities have “no reason to believe that personal identifiable information was compromised.”
Hacking has been a major point of contention in the U.S.-China relationship — with each side accusing the other.
The latest revelation comes as China’s Communist Party leader Xi Jinping and U.S. Secretary of State John Kerry, meeting in Beijing, vowed to develop better economic and security cooperation. The meeting was the latest in a series of talks designed to improve the sometimes tumultuous relationship.
Kerry, asked about the Times story Thursday, said he had learned about it just as the meetings were getting underway and did not discuss specifics with Chinese officials.
“Apparently this story relates to an attempted intrusion that is still being investigated by the appropriate U.S. authorities,” Kerry said. “It does not appear to have compromised any sensitive material. And I’m not going to get into any of the specifics of that ongoing investigation, but we’ve been very clear for some time with our counterparts here that this is in larger terms an issue of concern.”
China quickly dismissed the report Thursday, The Wall Street Journal reported. The Journal quoted China Foreign Ministry spokesman Hong Lei, at his daily briefing, as saying China opposes hacker attacks.
“Some U.S. media and U.S. cybersecurity always smear China and create the theory that China is a cyberthreat, but they can’t provide sufficient evidence of that,” he said. “We feel strongly that these kinds of reports and comments are irresponsible and not worth a comment or refuting.”
The Chinese cyber attack group Deep Panda late last month compromised “several” national security think tanks with multiple, simultaneous, and sophisticated attacks designed to collect information about foreign policy decisions, according to researchers at security firm CrowdStrike.
Deep Panda, a group that has been attacking targets in the high-tech, financial services, and government arenas since 2009, was found to be cracking think tank systems to collect data on national security policy related to southeast Asia and the Middle East — two areas where international disputes heightened in June. CrowdStrike officials declined to name the think tanks or the exact details of the data that was compromised, but the attackers breached email, directories and files, they said.
Deep Panda had been collecting information primarily on U.S. policy in southeast Asia, but suddenly shifted direction and began collecting data about Iraq and Middle East policy, according to a blog posted on the CrowdStrike site this afternoon.
“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq, and the potential disruption for major Chinese oil interests in that country,” the blog says. “In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.”
The attacks were sophisticated, exploiting a vulnerability in Windows which allowed the group to deploy PowerShell scripts as scheduled tasks on Microsoft Windows machines, according to CrowdStrike. “The scripts are passed to the powershell interpreter through the command line to avoid placement of extraneous files on the victim machine that could potentially trigger AV- or Indicator of Compromise (IOC)-based detection,” the blog states.
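A defender's check for the persistence pattern described above, as an added example that is not CrowdStrike's code or part of the original report: it scans exported Task Scheduler XML for actions that hand PowerShell its script on the command line instead of from a file. The function names and the sample tasks are constructed for illustration, and the flag matching is a heuristic.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task-definition XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
POWERSHELL = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

def classify_args(arguments):
    """Return (kind, script): kind is 'encoded', 'inline', or None when the
    script comes from a file or no script argument is present."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens):
        if len(tok) < 2 or tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        # PowerShell accepts abbreviated parameter names (-enc, -e, -c, ...).
        if "encodedcommand".startswith(name) or name == "ec":
            blob = tokens[i + 1] if i + 1 < len(tokens) else ""
            try:  # -EncodedCommand carries base64 of UTF-16LE text
                script = base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:
                script = "<undecodable>"
            return "encoded", script
        if "command".startswith(name):
            return "inline", " ".join(tokens[i + 1:])
        if "file".startswith(name):
            return None, ""
    return None, ""

def find_inline_powershell(task_xml):
    """List (command, kind, script) for Exec actions that hand PowerShell
    its script on the command line rather than from a file on disk."""
    findings = []
    for ex in ET.fromstring(task_xml).iterfind(".//t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        arguments = ex.findtext("t:Arguments", "", NS) or ""
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in POWERSHELL:
            kind, script = classify_args(arguments)
            if kind:
                findings.append((command, kind, script))
    return findings

# Constructed sample tasks (not taken from any real incident).
def _task(command, arguments):
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = {
    "encoded": _task(PS, f"-NoProfile -WindowStyle Hidden -enc {_B64}"),
    "inline": _task("powershell.exe", "-nop -c Get-Date"),
    "file": _task("powershell.exe", r"-File C:\Scripts\backup.ps1"),
    "other": _task(r"C:\Windows\System32\defrag.exe", "C: -a"),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, find_inline_powershell(xml))
```

Because the script never touches disk, file-based scanning has nothing to match; the task definition itself is the artifact to review, and decoding the `-EncodedCommand` payload shows what would run.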
The U.S. Secret Service has arrested a Russian man who is accused of hacking store computers to steal thousands of credit card numbers.
The agency didn’t say where the 30-year-old Moscow man, Roman Valerevich Seleznev, was arrested Saturday, but he was transported to Guam for an initial court appearance and detained for a July 22 hearing.
The U.S. attorney’s office in Seattle says an indictment unsealed Monday charges him with bank fraud, obtaining information from a protected computer, possessing stolen credit cards and identity theft.
Investigators say he installed malicious software to steal credit numbers, using computer servers all over the world.
U.S. Attorney Jenny Durkan in Seattle says the arrest shows cybercrooks can’t hide behind distant keyboards.
Seleznev also is charged in a similar but separate indictment in Nevada.
The Russian Foreign Ministry in a statement on Tuesday described Seleznev’s arrest as “yet another unfriendly gesture” of the United States.
“Neither are we notified of charges against our compatriots, nor were Russian consulate offices informed of Seleznev’s arrest,” the statement said.
The ministry said it was waiting for the United States to explain the incident and allow Russian consulate staff to visit Seleznev.
A research team led by Prof. Yizhou Yu of the Department of Computer Science at the University of Hong Kong (HKU) has developed computer software for reconstructing past events in three-dimensional space from surveillance videos.
The software processes surveillance videos and creates an informative and easy-to-comprehend 3D reenactment of a past event to assist an incident or crime investigation. Such a reenactment, which can synchronize video footage from a large number of surveillance cameras, lets investigators have a global situational understanding of a complex scenario without the need to loop through individual cameras, and provides useful reference for situations including crime scene reconstruction. The software can further identify and track targeted figures in the videos, using features including body gestures, color and texture of clothing and belongings.
Unlike existing video analytic software, the one developed by the HKU team is much more advanced in terms of three-dimensional reconstruction and visualization capabilities, which allow close-up examination of the actions of suspects from all possible viewing angles.
The new software can save time and manpower in investigations. The conventional way of collecting evidence from surveillance videos requires investigators to loop through images retrieved from many cameras. They have to view the footage again and again so as to have an understanding of the crime scene and identify suspects. This process can be very labour and resource intensive. The new software can help track the suspects and their collaborators in a systematic manner, to know their whereabouts under different time frames, and retrieve subtle but important details which could easily be overlooked otherwise.
Places that can benefit from this system include airports, harbours, casinos, shopping malls and busy city blocks. It can be a useful tool to be used by government agencies including the police force, the immigration department, and port and airport authorities, for investigation and terrorist control purposes.
“The new software is like a ‘Smart 3D SkyEye’ which integrates images from dozens of or even more surveillance cameras. It should be a lot more convenient to identify and track targeted figures using this new software than the traditional way of investigation,” says Dr. Calvin Fong, a member of the research team.
The newly installed director of the National Security Agency says that while he has seen some terrorist groups alter their communications to avoid surveillance techniques revealed by Edward J. Snowden, the damage done over all by a year of revelations does not lead him to the conclusion that “the sky is falling.”
In an hourlong interview Friday in his office here at the heart of the country’s electronic eavesdropping and cyberoperations, Adm. Michael S. Rogers, who has now run the beleaguered spy agency and the military’s Cyber Command for just short of three months, described the series of steps he was taking to ensure that no one could download the trove of data that Mr. Snowden gathered — more than a million documents.
But he cautioned that there was no perfect protection against a dedicated insider with access to the agency’s networks.
“Am I ever going to sit here and say as the director that with 100 percent certainty no one can compromise our systems from the inside?” he asked. “Nope. Because I don’t believe that in the long run.”
The crucial change, he said, is to “ensure that the volume” of data taken by Mr. Snowden, a former agency contractor, “can’t be stolen again.” But the Defense Department, of which the security agency and Cyber Command are a part, made the same vow in 2010 after an Army private, Chelsea Manning, downloaded hundreds of thousands of secret State Department and Pentagon files and released them to WikiLeaks.
Notable in his comments was an absence of alarm about the long-term effects of the Snowden revelations. Like former Secretary of Defense Robert M. Gates, who urged colleagues in the Obama administration to calm down about the WikiLeaks revelations in 2010, Admiral Rogers seemed to suggest that, as technology progressed, the agency would find new ways to compensate for the damage done, however regrettable the leaks.
Russian hackers have been systematically targeting hundreds of Western oil and gas companies, as well as energy investment firms, according to private cybersecurity researchers.
The motive behind the attacks appears to be industrial espionage — a natural conclusion given the importance of Russia’s oil and gas industry, the researchers said.
The manner in which the Russian hackers are targeting the companies also gives them the opportunity to seize control of industrial control systems from afar, in much the same way the United States and Israel were able to use the Stuxnet computer worm in 2009 to take control of an Iranian nuclear facility’s computer systems and destroy a fifth of the country’s uranium supply, the researchers said.
The Russian attacks, which have affected over 1,000 organizations in more than 84 countries, were first discovered in August 2012 by researchers at CrowdStrike, a security company in Irvine, Calif. The company noticed an unusually sophisticated and aggressive Russian group targeting the energy sector, in addition to health care, governments and defense contractors.
The group was named “Energetic Bear” because the vast majority of its victims were oil and gas companies. And CrowdStrike’s researchers believed the hackers were backed by the Russian government given their apparent resources and sophistication and because the attacks occurred during Moscow working hours.
In addition to basic hacking techniques, like sending mass emails containing malicious links or attachments, the group infected websites frequented by energy workers and investors in what is known as a “watering hole attack.”
In an 11-story office building in the Washington suburbs, hundreds of U.S. cybersecurity analysts work around the clock to foil hackers. Possible breaches of government networks show up as red flashes on screens that line the walls.
Something big is coming, some of the analysts say.
They’re speaking not of any imminent hack, but of what they see as a chance to expand their influence. So far, their five-year-old National Cybersecurity and Communications Integration Center has largely occupied itself monitoring threats to government networks. Now, with backing on Capitol Hill, it is poised to bolster its role as an anti-hacking coordinator between U.S. banks, utilities and other companies operating the networks that millions of Americans use daily.
“If we don’t know what’s going on, we can’t respond to it,” Larry Zelvin, director of the center, said in an interview. “Sometimes we don’t know about an attack until it comes up in the news or social media.”
U.S. lawmakers are fast-tracking a measure that would legally protect companies that tell the center and each other about malicious activities on their networks. The legislation is designed to address industry executives’ concerns that disclosing these vulnerabilities could expose them to lawsuits or regulators’ scrutiny, or that certain communications with competitors could invite antitrust actions.