10.10.12

Peeping Toms rejoice

Posted in Culture of Lickspittle, Cyberterrorism at 12:20 pm by George Smith

Where, I ask you, would we be without these fellows and their inquisitive minds, redolent with the pure warm milk of human kindness?

In a post titled ‘James Bond’s Dry Erase Marker,’ hotel hacker Matthew Jakubowski [demonstrated] how anyone can build this pocket-sized device which will open the lock on an estimated 4 million hotel rooms.

‘I guess we wanted to show that this sort of attack can happen with a very small concealable device,’ says Jakubowski …

The device exploits a vulnerability in Onity locks, a cheap lock used on millions of hotel room doors.

Onity’s site boasts their locks are used in 22,000 hotels worldwide.

He guesses “we wanted to show,” did he? Was he not sure? Or did “they” just kinda accidentally coincidentally develop a jimmy to get into hotel rooms?

Boy, who knows what you could do in the service of mankind with a box of these and a crew on the evening of the BCS National Championship Game in Miami this bowl season!

10.03.12

Banks suffer Electronic Pearl Harbor: No one cares

Posted in Culture of Lickspittle, Cyberterrorism at 1:41 pm by George Smith

Except for the Cult of Cyberwar and selected computer security companies sending out press releases.

I’ve tried to stay away from this one but the media has insisted on waging it.

The greatest denial of service attack in history — until next month or the month after — was aimed at America’s monster banks. And the worst the enemy could do?

Well, let me leave it to excerpts from one story:

In the past two weeks, customers of top U.S. banks including Bank of America, JPMorgan Chase & Co, Wells Fargo & Co, U.S. Bancorp and PNC Financial Services have reported having trouble accessing their websites, as unusually high traffic volumes appeared to crash or slow down the systems.

No thefts have been tied to hacked sites, but an untold number of customers were not able to pay bills or transfer money from their computers, leaving banks with remediation expenses and customer irritation as the biggest costs.

When customer irritation and trouble accessing websites are the worst things happening, it spoils the soup of previous stories which predict dire consequences for the country when the financial infrastructure is attacked in cyberspace.

Raise your hand if customer irritation accurately describes how you often feel when dealing with your giant bank.

I’m a customer of one of the banks that were targeted.

As I’ve maintained, if you polled ordinary citizens, in depth, on how they really felt about their financial institutions, you would find little regard for them.

We don’t want our financial servants protected from denial of service attacks as much as we want to be protected from the business practices of the banks.

Cyberwar against banks is a two-edged sword, one that doesn’t cut very finely or deeply. While it may be hard on the websites of financial institutions, it’s not optimum for alleged Middle East hackers because banks aren’t sympathetic entities in this country. There is no horrification at the news, perhaps a vague feeling of annoyance. At worst, for those who believe every bit of cant on cyberwar, some unease.

Big banks in this country do not inspire confidence and love in their customers. Many people hate them.

In overlooking this the attackers have probably also put a little too much in the claims from our cyberwar salesmen, specifically the assertion that America could be gravely damaged, or easily brought down by attacking its banks.

So what is resented more?

Middle East hacktivists, or Iran, making your bank’s website run slower, which you may or may not have noticed? An inconvenience?

Or the fees a bank automatically levies on your account every month, like clockwork, picking your pocket for any variety of conditions imposed by the bank in the tricks and traps economy?

Really. It’s a serious question.


The Cult of Cyberwar, from the archives.

09.25.12

Symantec/Norton Anti-virus’ wet dream

Posted in Crazy Weapons, Culture of Lickspittle, Cyberterrorism at 9:49 am by George Smith

The new fad is mini-series TV for the web. A couple months ago Yahoo rolled out “Electric City,” an animated science-fiction drama starring its bank roller, Tom Hanks as the central figure. I watched two episodes, as thrilling as watching mud dry.

Today Yahoo started “Cybergeddon,” a very poor woman’s “24,” underwritten by Symantec.

You know what it’s all about. Push software button remote terrorism, with all the scenarios and myths the salesmen and fear-mongers have delivered over the last ten years.

Since the episodes are only 10 minutes long, there’s a lot of push-buttoning to be shoehorned into each segment.

The premiere, uniquely entitled “Push of a Button,” has its central character, a young lady of the FBI who has just nabbed her first cyber-terrorist in Prague, dumping her boyfriend special agent because she prizes her career track more.

The cyberterrorist is sent to prison in the Ukraine where his term is cut short because he has a smartphone which he pushes a button on to deposit a quarter of a million dollars in the accounts of his guards.

A deal’s a deal — so instead of beating him to death and keeping the cash — the jailers let him out.

Upon which he pushes another button on his smartphone to launch an attack on the, wait for it, water systems of southern California. A virus, said to be like Stuxnet, you know — the one we wrote to attack Iran, has been activated in Los Angeles.

It’s a laughable subterfuge, regularly peddled by cybersecurity salesmen.

Water in Los Angeles county is not centrally controlled or even in one spot. It’s all over, in the little sub-communities and tracts, in the valleys and the foothills, and the smaller to medium-sized cities of the Los Angeles metropolitan complex.

It’s distributed, there’s no way to centrally attack it, or to even attack one piece that would immediately threaten to endanger millions of people. Sadly for terrorists, if not scriptwriters or cybersecurity salesmen, water is durable in the US.

From a month or so ago, when the usual quacks were peddling the idea in hopes of getting some cybersecurity legislation passed:

For example, my brain tells me, and it’s usually pretty good at these things, that it would be virtually impossible to affect water in Los Angeles County short of destroying the Owens Valley, the Los Angeles Aqueduct, the Colorado River and the Colorado River Aqueduct. It would take an almost irreversible blackout in California to hinder the flow of water into LA County.

What, could hackers or cyber-soldiers blow up Pasadena Water & Power or make the complex unusable and all the water unpotable?

Contrary to what may be popular belief, huge vats of poison are not stored right with water so that a “the push of a button” can contaminate it. Too much chlorine, or adding a little too much alum, would have only negligible effects.

Southern California would ignore you, “Push of a Button” cyberterrorist.

The traffic on the freeway through Pasadena would start jamming around three, as usual. The sun would blast the concrete on the el Molino bridge as I walk over it, maybe to Bobby’s for a soda and a taco.

And that’s all I have to say about this piece of pandering crap. I jumped on the grenade.

Cybergeddon — “The Push of a Button” — is here.

09.18.12

Cybercrime, Wall Street shoeshine, financial crime

Posted in Culture of Lickspittle, Cyberterrorism at 1:39 pm by George Smith

Wall Street was responsible for the economic collapse in 2008-2009. That collapse inflicted more damage on the American middle class in lost income and jobs than any amount of cybercrime.

I’ve long argued all newspaper stories in which “experts” show up to maintain Wall Street needs to be protected from “cybercrime,” that the nation is at risk from a calamity-causing attack on the financial system, are shoeshine for the 1 percent.

It’s a covering tactic, one with almost no basis in reality, trotted out when there is legislation on the table that would increase business to arms manufacturers and computer security firms.

Global cybercrime is very real. But it is not one of the primary problems threatening the existence, even the day-to-day well being, of what’s left of the middle class in the US.

So if you took an honest poll and asked people if they wanted the US financial system to be protected from digital Pearl Harbor or to simply be protected from the US financial system, themselves, I bet you’d get many more for the latter.

At Rolling Stone magazine, Matt Taibbi briefly discusses an insider book which purports to explain why the US government would not take on Wall Street over the economic collapse.

There is a quote near the end, one in which Taibbi mentions cybercrime. And it’s pure shoeshine:

Again, those interested in understanding the mindset of the people who should be leading the anti-corruption charge ought to read this book. It’s the weird lack of concern that shines through, like Khuzami’s comment that he’s “not losing sleep” over judges reprimanding his soft-touch settlements with banks, or then Southern District of New York U.S. Attorney Ray Lohier’s comment that the thing that most concerned him – this is the period of 2008-2009, the middle of a historic crimewave on Wall Street – was “cyber crime.”

09.07.12

From the people who bought you Stuxnet and Duqu and Flame and …

Posted in Culture of Lickspittle, Cyberterrorism at 5:09 pm by George Smith

The quote most deserving of today’s horselaugh (believe me, there’s always a lot to choose from):

“Some of today’s national cyber actors don’t seem to be bound by any sense of restraint” — Debora Plunkett, head of the NSA’s Information Assurance Directorate

From NBC News:

[Plunkett] told a university audience that “we’re starting to see nation-state resources and expertise employed in what we would characterize as reckless and disruptive, destructive behaviors.”

Sort of like being scolded to stop smoking by someone with a lit cigarette in the mouth who’s absent-mindedly reaching for still another pack.

“U.S. standing to complain about other nations’ cyber attacks has been undermined, however, by disclosures that Washington, along with Israel, launched sophisticated offensive cyber operations of its own against Iran …” reads the piece.

09.06.12

Afghanistanization

Posted in Culture of Lickspittle, Cyberterrorism at 3:13 pm by George Smith

Above photo, nabbed from standard rot on “DARPA” wanting to make cyberwar and planning for it “routine” with “X” at Wired. (No link.)

The pic, unintentionally hilarious as an inside joke, shows NSA director, Keith Alexander, in Afghanistan. Where everyone knows the Taliban is just loaded with cyberwarriors. Why, the Iranians and al Qaeda in Pakistan are probably attacking, too.

Then there’s the actual world where the US has real and much bigger problems — like the Afghan military and militia forces being trained by the US are seen as potentially riddled with insurgents.

American special operations forces have suspended the training of new recruits to an Afghan village militia until the entire 16,000-member force can be rescreened for possible links to the insurgency, U.S. officials said Sunday.

The move is the latest repercussion from a series of “insider” shootings carried out by members of the Afghan police and army against Western troops. Forty-five NATO service members have been killed in such attacks this year, and the U.S. toll in August alone was 12 dead.

“[Plan X] means building tools to help warplanners assemble and launch online strikes in a hurry,” informs Wired’s DangerRoom.

By golly!

Readers will remember General Keith Alexander’s national publicity tour to gin up fear of cyberwar against the American heartland in support of cybersecurity legislation recently. The legislation was defeated.

08.28.12

The Turn Off the Power meme — inside attack

Posted in Cyberterrorism at 4:15 pm by George Smith

In the real world, it’s not hackers, or foreign national states. It’s weather, mechanical failure, Enron, and bizarrely:

A man wandering around a Delmar, Md., poultry farm in a drunken stupor turned off the power to three chicken houses, causing the deaths of nearly 70,000 chickens, sheriff’s officials said.

The property owner who made the grisly discovery found the man, identified as Joshua D. Shelton, 21, of Delmar, Md., passed out on the floor of the power control shed, wearing only a T-shirt and boxer shorts.

“This subject was also lying in a pool of his own urine …”

Shelton had been at the owner’s property the previous evening with a group of people that included the owner’s daughter …

“The daughter thought he left but instead he wandered into the shed where all the power controls and breakers were and turned it off,” [one man] told NBC News on Tuesday.

08.26.12

Press Button, Blow up Pipeline

Posted in Cyberterrorism at 2:58 pm by George Smith

The Press a Software Button & Blow Something Up in America meme is a constant in mainstream news on cybersecurity and the often very alleged vulnerability of the infrastructure. It has become so omnipresent that many implicitly believe all such assertions, often in the almost complete absence of compelling evidence.

It is unsurprising that the Congressional Research Service be asked to issue something on such matters, or that it would independently perform an analysis, because the subject is topical.

And so Steve Aftergood’s Secrecy Blog has posted a recent CRS report entitled Pipeline Security: Federal Policy.

It is a short report — 13 pages — because there is no information on pipelines in the national infrastructure being damaged by cyberattack.

Since this is the case, the CRS must resort to doing what everyone else generally does when left with a paucity of material: cite from poor sources, take examples from standard industrial accidents, mention trivial al Qaeda net propaganda and discuss only generally network intrusion and the US-made malware, Stuxnet.

Problems exist with such an approach.

First, there have been no acts of terrorism perpetrated against US pipelines through cyberspace.

Small collections of news reports of cases in which Americans interested in aiding al Qaeda in the last ten years in aspirational conventional bomb plots against pipelines, which the CRS mentions, are irrelevant.

Citation of brief, mostly fact free, news reports on an al Qaeda video urging an audience to attack the infrastructure of the US electronically is not compelling evidence of anything, particularly in light of the fact that the terror organization has never demonstrated capability in this area.

It is, however, some evidence of a standard wishful, or aspirational thinking.

Wanting to attack the infrastructure through cyberspace, because terrorists may have read in western sources that it is easy to do so does not confer a capability or demonstrate a vulnerability.

Historically, al Qaeda has published many exhortations for followers to attack the United States in a multiplicity of ways, often reacting to mainstream western news in which experts say or imply such strikes would be easy. While the issuing of such calls has occurred with regularity it has not been backed up by significant action.

If and when a federal assessment in 2011 concluded “with high confidence that the threat to the US pipeline industry is low,” it may actually be true.

Citation of three industrial accidents caused by worker error and industrial breakdowns in the US pipeline industry does not demonstrate that the same industry is vulnerable to cyberattack.

Computer network intrusions in the pipeline industry, unless the details are specifically described, do not imply or, worse, prove the pipeline infrastructure can be damaged through remote attack.

Malware and intrusions occur everywhere there are networked computers, daily. They are security problems that must continually be dealt with, and the risk managed.

Citation of a report by a computer security company, McAfee, on the nature of threat or risk, in this case on cyberattacks against global energy companies, should always be accompanied by caveats that such reports are well known to be untrustworthy.

A recent ProPublica news article on such security software industry reports contained the quote, from researchers at Microsoft, which, as a rule, does not issue these kinds of things: “Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings.”

And if the Stuxnet virus is going to be used in a discussion to imply vulnerability in US systems, it should also be noted that it is now widely accepted that this particular piece of malware was engineered by an American military or intelligence team of programmers specifically to attack the Iranian nuclear program. While the program was successfully attacked, there are conflicting views on the degree of setback it received due to Stuxnet. Despite the presence of the malware, the program continues — as shown by this large collection of recent news cuttings.

The same team responsible for Stuxnet is also recognized to be continuing to write and dispense malware for infiltration and potential strike against various infrastructures in Middle Eastern nations with confusing and difficult to assess or cryptic results.

08.13.12

Phishing

Posted in Cyberterrorism at 10:27 am by George Smith

Or “Never send a virus to an ex-virus writer.” They sure don’t make ’em like they used to.

08.09.12

Gauss

Posted in Cyberterrorism at 11:34 am by George Smith

Are you tired of the child-like nerd’s naming convention for computer viruses?

Yeah, me too. Years and years of it.

On the Gauss virus, from SecurityNewsDaily (me included):

Kaspersky Lab, the Moscow-based anti-virus firm which co-discovered the Flame state-sponsored spyware, says it’s found another cyberweapon: a sophisticated banking Trojan that Kaspersky has dubbed “Gauss.”

Gauss is designed to steal credentials for bank accounts at half a dozen Lebanese banks, Kaspersky says, and shares a USB-stick infection method with another state-sponsored bug — the Stuxnet worm that the U.S. and Israel used to attack Iran.

“After looking at Stuxnet, [the Stuxnet relative] Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories,'” Kaspersky said in a FAQ posted on its website. “All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware.'”


It’s not entirely clear that Gauss is indeed state-sponsored. The evidence that Kaspersky presents proves that Gauss is fairly sophisticated, yet not out of the reach of the creators of such well-known criminal-controlled banking Trojans …

“Differences in degree of sophistication are probably not particularly important at this stage,” George Smith, a senior fellow with the Alexandria, Va.-based defense-policy research organization GlobalSecurity.org, told SecurityNewsDaily. “[Gauss] looks like it’s fitting into the historical pattern. Just because the malware writers are working for a country doesn’t make them different than their older brethren” …

“Maybe it’s a criminal tool,” Smith said. “However, the national arguments about cyberwar have always talked about opposing nations hitting banking and financial systems. So it is not really a surprise they would be making things to do the same.”

In addition to the Lebanese banks, Gauss is also engineered to steal online credentials for Citibank and PayPal …

The US government has put in place sanctions proscribing banks from doing business for Iran. Using cyberspace to hit middle eastern banks clandestinely would conceptually fit into such a strategy.

Or maybe it’s all just coincidence.

If you follow these stories at a more fine grain level you’re now seeing a resentment, perhaps fueled by a covetous envy, towards Kaspersky Labs in competing vendors and experts.


Related, earlier today…
