Crimean govt: Referendum website downed by cyber-attack from US
RT | March 16, 2014
The official website of the Crimean referendum is down due to a cyber-attack that originated from the US, Crimean authorities say.
The exact location from which the website’s servers were attacked was Illinois University, Crimean minister of information and mass communications Dmitry Polonsky told Itar-Tass news agency.
“This place turned out to be the Illinois University at Urbana-Champaign. A massive scanning of the servers took place from there before the attack,” Polonsky said.
The assault started during the night (2300 GMT Saturday). At 1000 GMT Sunday, the referendum2014.ru site still wasn’t functioning.
Polonsky stressed that the referendum website has been “DDoS-attacked regularly since its launch.” The portal with .ua domain was replaced with .ru after several attacks.
The referendum is taking place in Crimea, with the vote reported to be peaceful and with high turnout, according to both international observers and Crimean authorities.
On Friday, major Russian government web resources were attacked with DDoS malware – those included the Russian president’s website, as well as those of the Foreign Ministry and the Central Bank.
Also, state media websites – the Channel One and Russia-24 TV channels – were under attack, reportedly from Kiev. The targeted Russian media said the attacks were linked to their editorial policy in covering Ukraine.
Finally, on the same day, an attempted radio-electronic attack on Russian TV satellites from the territory of Western Ukraine was recorded by the Ministry of Communications.
DDoS (distributed denial of service) is a kind of cyber-attack in which requests are sent to the attacked website from many computers, usually virus-infected.

NSA Claims It Doesn’t Do Online Attacks; That’s A Different Organization… Run By The NSA
By Mike Masnick | Techdirt | October 14, 2013
There are times you just shake your head and wonder who the NSA top officials think they’re kidding with their statements. Take, for example, some recent comments from the NSA’s number two guy in charge, Chris Inglis, the Deputy Director, who gave an interview to the BBC where he tried to paint the NSA as not being quite as bad as everyone says, but admitted that there could be more transparency. That’s all the usual stuff, but the following tidbit caught my eye:
The job of the NSA, Mr Inglis said, was to exploit networks to collect intelligence in cyberspace and to defend certain networks – but not carry out destructive acts.
“NSA had a responsibility from way back, from our earliest days, to both break codes and make codes,” he said. “We have a responsibility to do intelligence in a space we once called the telecommunications arena – now cyberspace – and the responsibility to make codes or to defend signals communications of interest.
“That’s different than what most people conceive as offence or attack in this space.”
That task of destructive cyber attack, if ordered, lies with the US military’s rapidly expanding Cyber Command.
Except, as we’ve noted more than a few times, US Cyber Command is the NSA. It’s run by Keith Alexander, the director of the NSA, and it’s housed in the same place as the NSA. For all intents and purposes, US Cyber Command is the NSA, and Alexander has no problem at all swapping hats depending on what’s most convenient. He regularly tries to talk about “protecting the network” when it suits him, ignoring that the same efforts he’s looking at (greater access to corporate networks) would also make it much easier for the NSA and US Cyber Command to launch offensive attacks — which Snowden’s leaks proved the NSA did hundreds of times.
Pretending the two are different, and that the NSA only focuses on “breaking codes and making codes” is yet another bogus claim from an NSA official, adding to a very long list.
Legal Review of Presidential Power to Engage in Preemptive Cyber Strikes to Remain Secret
By Kevin Gosztola | FDL | February 4, 2013
A recently published story from the New York Times reports a “secret legal review” has been conducted on the use of cyber warfare by the United States. It concluded President Barack Obama has “the broad power to order a preemptive strike if the United States detects credible evidence of a major digital attack looming from abroad.”
Unnamed officials involved in the review say that the administration is moving in the coming weeks to “approve the nation’s first rules for how the military can defend, or retaliate, against a major cyber attack.” These rules, according to David Sanger and Thom Shanker, will “govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States.” If the president approves a strike, the government will be able to “attack adversaries by injecting them with destructive code — even if there is no declared war.”
It further adds, “The Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools. Domestically, that responsibility falls to the Department of Homeland Security, and investigations of cyberattacks or theft are carried out by the FBI.”
The Times story points out the rules—like the rules “governing drone strikes”—are highly classified and will be kept secret. The officials from the administration providing details spoke “on condition of anonymity because they were not authorized to talk on the record.” They selectively leaked a scant amount of details on evolving cyber warfare policy to allay concerns about this power the administration is claiming.
One official claimed the US had been “restrained in its use of cyberweapons” and said, “There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done.” A “senior American official” said cyberweapons were as powerful as nuclear weapons and “should be unleashed only on the direct orders of the commander in chief.” The official added the decision to launch cyber operations will rarely be made by someone at a level “below the president,” which means “‘automatic’ retaliation if a cyber attack on America’s infrastructure is detected” has reportedly been “ruled out.”
The story suggests the Obama administration had their best and brightest minds think about preemptive attack and the ramifications of launching such strikes on a country. “One senior official” said a country could “claim it was innocent” and undermine the “justification for the attack” because it would be “very hard to provide evidence to the world that you hit some deadly dangerous computer code.” They also thought through “‘what constitutes reasonable and proportionate force’ in halting or retaliating against a cyber attack,” according to another official.
The leaking of details on the “secret legal review” comes just over a week after the Washington Post reported the FBI was engaging in a fishing expedition for journalistic communications as part of an investigation into the sources of leaks on Stuxnet or Olympic Games, the cyber warfare against Iranian nuclear enrichment facilities that was launched by Obama (which Sanger published details on in a major story in June of last year and also described in detail in his book, Confront & Conceal).
It is a bit appalling that officials are speaking without authorization when it is known the FBI has spent the past six or seven months prying into the communications of government employees, who were sources for the Times story.
Back in November, the Post reported the White House was engaged in “the most extensive” effort “to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.” This “secret legal review” may or may not be a result of this effort that was authorized by Presidential Policy Directive 20 to make it possible for the United States military to respond more aggressively to “thwart cyberattacks on the nation’s web of government and private computer networks.” But, given what Ellen Nakashima reported, the secret directive was to “establish” a “broad and strict set of standards to guide the operations of federal agencies.” It was also to, for the first time, make “a distinction between network defense and cyber operations to guide officials charged with making often rapid decisions when confronted with threats.”
As I wrote, the “secret policy” was to map out a process for vetting “operations outside government and defense networks” and ensuring “US citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.” As one senior administration official told the Post, “What it does, really for the first time, is it explicitly talks about how we will use cyber operations…Network defense is what you’re doing inside your own networks. . . .Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
On May 30, 2011, the Wall Street Journal reported the Pentagon had “concluded that computer sabotage from another country” could “constitute an act of war.” WSJ suggested this would open the door to responding to sabotage with “traditional military force.” These details came from a formal cyber strategy the Pentagon had put together for responding to cyber threats to critical infrastructure. One imperious military official was quoted, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
About a week ago, the Pentagon announced it would be expanding its “cyber security unit.” Glenn Greenwald detailed how the force that was expected to go from 900 to over 4000 individuals would continue a trend of “disguising aggression as ‘defense.’”
The Pentagon now has a policy; a “cyber security” policy authorized by a presidential directive has pushed for the development of policy; and a “secret legal review” has grappled with questions and determined that preemptive strikes on countries’ infrastructure could be carried out if the president orders such attacks.
What we know about the legal questions Obama has grappled with is all secret. The development of “cybersecurity” policy or cyber warfare policies indicates a further expansion of the body of secret law under Obama.
The government has secret legal opinions on when it can and cannot kill US citizens with drones. Senator Ron Wyden of Oregon has made requests to view these opinions but the Obama administration has refused to let him see targeted killing memos, even though he is by law supposed to view them so he can conduct oversight. The ACLU has requested these memos be released but a judge ruled that the government was within its right under FOIA to not release the legal interpretations.
The Foreign Intelligence Surveillance Court makes rulings authorizing warrantless surveillance under the FISA Amendments Act (FAA). Despite efforts by Senator Jeff Merkley of Oregon to amend the reauthorization of the FAA at the end of 2012, this was rejected by the Obama administration (even though the administration had previously indicated to Wyden it would be open to a process of making the court’s secret rulings public in some form).
The government also has secret interpretations of at least one section of the PATRIOT Act—Section 215. The ACLU’s Alexander Abdo said they make it possible for “the government to get secret orders from a special surveillance court (the FISA Court) requiring Internet service providers and other companies to turn over ‘any tangible things.’” (Not to mention the fact that there are national security directives issued by President George W. Bush that to this day remain secret and could have been released at least in summary form.)
The administration’s argument for keeping the “rules” or legal basis secret is that sources or methods would be revealed that would make it easier for adversaries to attack the United States. That is simply an argument to provide cover for the fact that the government wants wide latitude to be able to respond without being constrained by the law or politics. It is possible to inform the public of when the administration thinks the government has the power to launch attacks and go through several hypothetical scenarios. The reality is the government just does not want to do that because, if the scenario occurred and the administration responded differently, there could be controversy if it was found out they did not follow the “rules.”
Finally, like with the drone program, President Barack Obama is presiding over the creation and development of a power that previous presidents never imagined having. The national security state is effectively appointing him and all future presidents the proverbial judge, jury and executioner when it comes to cyber warfare.
There is no indication that any group of members in Congress or judicial body will have to approve of a preemptive strike before it is carried out. As has become typical, the president wants to be able to conduct war without needing authorization.
The policy will expand the imperial presidency and the public and civil society organizations, which have a distinct interest in knowing what the government is doing, will be kept in the dark on what is legal and illegal in cyber operations. The Congress will barely make any effort to defend its right to provide oversight of this new power. And any future details on this power will mostly come from selective leaks provided by officials, who do not think they will face repercussions for talking to the press. The policy itself, the rules for cyber war, will remain concealed.
‘Iran not involved in cyber strikes like US’
Press TV – January 10, 2013
Iran’s mission to the United Nations has dismissed allegations of the Iranian government being behind cyber attacks on the US banking system.
The mission said in a statement on Thursday that the Islamic Republic condemns any use of malware that target important service-providing institutes by violating the national sovereignty of states.
“Unlike the United States, which has, per reports in the media, given itself the license to engage in illegal cyber-warfare against Iran, Iran respects the international law and refrains from targeting other nations’ economic or financial institutions,” the statement said.
The US Center for Strategic and International Studies (CSIS) has claimed that Iran has orchestrated cyber attacks on US financial institutions.
“We believe that raising such groundless accusations are aimed at sullying Iran’s image and fabricating pretexts to push ahead with and step up illegal actions against the Iranian nation and government,” the Iranian mission’s statement noted.
Security for the 99%
By Dan Auerbach | EFF | April 25, 2012
The House of Representatives kicked off their “cybersecurity week” yesterday with a hearing titled “America Is Under Cyber Attack: Why Urgent Action is Needed.” Needless to say, the rhetoric of fear was in full force. A lot of topics were raised by members of Congress and panelists, but perhaps the most troublesome theme came from panelist and Former Executive Assistant Director of the FBI Shawn Henry, who repeatedly urged that good cybersecurity means going on the offensive:
“the problem with existing […] tactics is that they are too focused on adversary tools (malware and exploits) and not on who the adversary is and how they operate. Ultimately, until we focus on the enemy and take the fight to them […], we will fail.”
This offensively-minded approach has major pitfalls, as it could lead to more government monitoring and control over our communications. While we think an increased focus on catching criminals using existing tools is a fine tactic that could be used by law enforcement, we fear the temptation for law enforcement to increase their surveillance capabilities in order to successfully go on the offensive in the context of computer crimes. This could mean things like breaking into people’s computers without warrants, or disrupting privacy-enhancing tools like Tor. Needless to say, we think it would be a very bad idea to link our safety to the ability for law enforcement to effectively monitor people, and that is a danger of focusing solely on an offensive strategy. Instead, we would like to offer an alternative, defensively-oriented point of view regarding security, an important view that we think was not adequately represented in yesterday’s panel.
Securing U.S. critical infrastructure networks, corporate networks, and the Internet at large depends upon securing our computers and networked devices. Fundamentally, it’s very simple: fewer software vulnerabilities means more security. Once a vulnerability is patched and an upgraded version of software is available and in use, that increases safety for all of us. Ensuring that the right mechanisms are in place to maximize this baseline security should be a major focus area of any organized effort to secure our critical and other Internet infrastructure. This means encouraging the disclosure of vulnerabilities when they are found so that they can be fixed, and no longer exploited. This is what we mean when we talk about security for everyone. This defensive strategy also takes a view of vulnerabilities that includes engineering with security in mind: if software doesn’t force good security on administrators and other humans who have a role to play to keep things secure, then that should be considered a security vulnerability in that software.
In order to understand why vulnerabilities are the foundation of insecurity and ought to be the focus of defensive efforts, let’s take a bit of time for those new to the computer security world to define bugs, vulnerabilities, exploits, and a particularly nasty class of exploits called “zero-day” exploits.
What are bugs, vulnerabilities, exploits and “zero-day” exploits?
A software bug is a general term referring to an unintentional problem with a piece of software that causes the software to work in an unexpected or unintended way. Bugs can refer to low-level issues (“we started counting from 0 over here, but from 1 over there, and now this array is messed up”), or to high-level issues (“we didn’t implement a feature allowing people to see their open orders on this website”).
Security vulnerabilities are a class of bugs in software; these are the bugs that allow an attacker to gain unauthorized access to do something that she couldn’t before. This could mean gaining access to a remote computer, or to a private network, or to other private information. Once again, these range from low-level vulnerabilities (“We weren’t expecting the user to give a name that was 4 gigabytes long; our oversight allowed the user to crash the program and execute her malicious code on the victim’s system”) to high-level (“Since we didn’t force a user to use a strong passphrase, his account could be compromised”).
Exploits are pieces of software that actually take advantage of the security vulnerability and give the user running the software unauthorized access. A security vulnerability could lead to an exploit, although not all vulnerabilities lead to exploits.
Zero-day exploits are exploits that take advantage of an undisclosed vulnerability. Suppose there is a publicly known vulnerability in the browser Internet Explorer 6. Then any exploit based on that vulnerability is NOT considered a zero-day, and you can (often, theoretically) protect yourself from such a vulnerability. In this case, for example, you could do so by downloading Internet Explorer 9. However, if there is a “zero-day” in Internet Explorer 9, there’s nothing you can knowingly do as a user to protect yourself. This makes this type of vulnerability especially scary, since it could be used not just against unwitting users who haven’t upgraded their software, but against anyone.
Ok, got it. To make us safer, we need to patch vulnerabilities and prevent exploits, especially zero-day exploits. Does CISPA encourage this?
Unfortunately, the “cybersecurity” bill CISPA and other legislation under debate does NOT focus on this baseline security. Instead of encouraging the patching of vulnerabilities as quickly as possible, or offering solutions to improve the general security of networked computers, the bill encourages broad surveillance of personal data by companies and the government. This type of information sharing is largely unrelated to the core issue of vulnerabilities that need to be patched at the software level. It’s certainly possible that by mining that data one could come across an exploit or an unknown vulnerability and share it with the vendor, but the bill is NOT about sharing vulnerabilities so that they can be patched – it’s about sharing raw data in a way that could legitimize a public-private surveillance partnership. And this data sharing between companies and the government in no way encourages security vulnerabilities themselves to be shared with the relevant software vendors and developers so that they can be patched. In other words, it just doesn’t attack the root of the problem.
Why is fixing vulnerabilities at odds with taking an offensive approach to security?
If we take an offensive approach as Mr. Henry suggests, a “security for the 1%” situation seems likely to arise, in which vulnerabilities are sometimes kept secret, and mitigations or fixes for these vulnerabilities are selectively doled out by the government or other private security firms only to critical infrastructure or paying clients (the “1%” deemed worthy of protection). The government might even deploy black box systems to companies and infrastructure designed to mitigate exploits based on secret vulnerabilities while giving as little information as possible about those underlying vulnerabilities, even to the companies they are protecting. Either way, the vendor would not be told about the vulnerability and so anyone who wasn’t a recipient of the “privileged” information would be hung out to dry.
What is a better approach to security?
Changing the incentives and culture to encourage the right sort of information sharing concerning vulnerabilities is a complex problem, and we do not purport to have a complete solution. There are many pieces to the puzzle: what should be done about vendors who don’t care about security? What about users who don’t upgrade software, or go out of their way to be vulnerable? What about security researchers who discover vulnerabilities, and choose to sell this knowledge to the highest bidder, instead of ensuring that the vendor knows about the vulnerability and it gets fixed?
There are some common sense tactics that the government can take to help solve these problems. For starters, the government can itself commit to disclosing any known vulnerabilities to vendors so that they are promptly patched. Next, incentives could be put in place to encourage research that has broad beneficial effects for everyone’s security. For example, suppose a researcher invents a new testing technique that reduces how many exploitable vulnerabilities there are in software in general. This is a win for everyone, and we think the government should strongly encourage such research.
But beyond these common sense suggestions, the main point we want to raise in this post is not to offer a solution to these problems, but rather suggest that anyone interested in security at the national and international level should be thinking hard about them. Taking an offensive approach has the potential to put our civil liberties in danger, and could create a situation in which our safety ebbs and flows with how well the intelligence community can spy on us. This precarious and undesirable situation can be avoided if instead we take a defensive approach to stop the problem at its core, working to ensure that everyone is maximally protected. Mr. Henry suggests that “offense outpaces the defense.” That seems like an oversimplification, but even if one accepts it to be true, we should not take this to be an immutable property of the world. Instead, we should work to change it by increasing our defensive efforts. Unfortunately, the “cybersecurity” debate does not seem to be addressing this point of view, but we hope that somebody brings it up during “cybersecurity week”.
In the meantime, please speak out against the misguided cybersecurity legislation by taking action against CISPA.

