“We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.” -CIA’s Wikileaks Task Force.
So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world’s most secretive organizations, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.
Adrian Lamo, the hacker probably best known for breaking into The New York Times’s network and for reporting Chelsea Manning’s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.
Adrian Lamo, in 2006. Source: Wikipedia.
I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.
When WikiLeaks on Tuesday dumped thousands of files documenting hacking tools used by the U.S. Central Intelligence Agency, many feared WikiLeaks would soon publish a trove of so-called “zero days,” the actual computer code that the CIA uses to exploit previously unknown flaws in a range of software and hardware products used by consumers and businesses. But on Thursday, WikiLeaks editor-in-chief Julian Assange promised that his organization would work with hardware and software vendors to fix the security weaknesses prior to releasing additional details about the flaws.
WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.
The Web sites for computer game giant Eidos Interactive and one of its biggest titles — Deus Ex– were defaced and plundered on Wednesday in what appears to have been an attack from a splinter cell of the hacktivist group Anonymous. The hack comes just days after entertainment giant Sony told Congress that Anonymous members may have been responsible for break-ins that compromised personal information on more than 100 million customers of its PlayStation Network and other services.
The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from companies and the U.S. government often are characterized as ultra-sophisticated, almost ninja-like in their stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the apparent Chinese developers of those attack tools left clues aplenty about their identities and locations, with one actor even Tweeting about his newly discovered vulnerability days in advance of its use in the wild.
RSA and others have labeled recent zero-day attacks as the epitome of an “advanced persistent threat” (APT), a controversial term describing the daily onslaught of digital assaults launched by attackers that are considered to be highly-skilled, determined and have a long-term perspective on their mission. Because these attacks often result in the theft of sensitive and proprietary information from the government and private industry, the details surrounding them usually become shrouded in secrecy as law enforcement and national security officials swoop in to investigate.
But an investigation of some of the open source information available on the tools used in recent attacks labeled APT indicates that some of the actors involved are doing little to cover their tracks, and that not only are they identifiable, but that they’re not particularly concerned about suffering any consequences from their actions.
A company that is helping the federal government track down cyberactivists who have been attacking business that refused to support Wikileaks has itself been hacked by the very same activists it is investigating.
At the center of the storm is a leaderless and anarchic Internet group called Anonymous, which more recently has been coordinating attacks against Egyptian government Web sites. Late last month, authorities in the U.K. and the U.S. moved against at least 45 suspected Anonymous activists. Then, on Saturday, the Financial Times ran a story quoting Aaron Barr, the head of security services firm HBGary Federal, saying he had uncovered the identities of Anonymous’ leaders using social networking sites and planned to release his findings at a security conference in San Francisco next week.
In early 2000 — ages ago in Internet time — some of the biggest names in e-commerce were brought to their knees by a brief but massive assault from a set of powerful computers hijacked by a glory-seeking young hacker. The assailant in that case, known online as Mafiaboy, was a high school student from a middle-class suburban area of Canada who was quickly arrested after bragging about his role in the attacks.
It wasn’t long before the antics from novice hackers like Mafiaboy were overshadowed by more discrete attacks from organized cyber criminal gangs, which began using these distributed denial-of-service (DDoS) assaults to extort money from targeted businesses. Fast-forward to today, and although vanity DDoS attacks persist, somehow elements in the news media have begun conflating them with the term “cyberwar,” a vogue but still-squishy phrase that conjures notions of far more consequential, nation-state level conflicts.
The Nov. 2009 blackout that plunged millions of Brazilians into darkness for up to six hours was not the result of cyber saboteurs, but instead an unusual confluence of independent factors that conspired to cause a cascading power failure, according to a classified cable from the U.S. embassy in Brazil.
Microsoft’s lawyers this week engineered a pair of important takedowns, one laudable and the other highly-charged. The software giant orchestrated a legal sneak attack against the Web servers controlling the Waledac botnet, a major distributor of junk e-mail. In an unrelated and more controversial move, Redmond convinced an ISP to shutter a popular whistleblower Web site for hosting a Microsoft surveillance compliance document.