Inside the Cyberattack That Shocked the US Government

[Note: This item comes from friend Steve Goldstein. DLH]

Inside the Cyberattack That Shocked the US Government
Oct 23 2016

The US Office of Personnel Management doesn’t radiate much glamour. As the human resources department for the federal government, the agency oversees the legal minutiae of how federal employees are hired and promoted and manages benefits and pensions for millions of current and retired civil servants. The core of its own workforce, numbering well over 5,000, is headquartered in a hulking Washington, DC, building, the interior of which has all the charm of an East German hospital circa 1963. It’s the sort of place where paper forms still get filled out in triplicate.

The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site whose name incorporated “opm”. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, which shares its name with a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, the domain had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.
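The two signals the engineers keyed on, a periodic outbound beacon to a domain that borrows the agency’s name, and a registration date that puts a floor under how long the implant was resident, are both mechanical checks once you have decrypted connection logs. The following is an added example, not code from the article or from OPM: it runs a beacon-regularity test over a constructed sample of outbound connections, flags destinations that carry the org keyword without being owned domains, notes modules absent from a (constructed) software inventory, and turns a registration date into a dwell-time estimate. The domain “opmupdates.example”, the host names, the module inventory and the log format are placeholders; the registration and discovery dates are the ones the article gives.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Assumptions for the demo: the organisation's own domains and the substring
# an impostor domain would borrow from its name.
OWNED_DOMAINS = {"opm.gov"}
ORG_KEYWORDS = ("opm",)
KNOWN_GOOD_MODULES = {"browser.exe", "outlook.exe"}   # constructed software inventory

# Constructed sample of decrypted outbound connections:
# timestamp, source host, destination domain, initiating module.
# "opmupdates.example" is a placeholder lookalike, not the real attacker domain.
SAMPLE_LOG = """\
2015-04-15T08:00:03Z ws-117 opm.gov browser.exe
2015-04-15T08:00:09Z ws-117 opmupdates.example mcutil.dll
2015-04-15T08:01:11Z ws-042 mail.opm.gov outlook.exe
2015-04-15T08:05:09Z ws-117 opmupdates.example mcutil.dll
2015-04-15T08:10:08Z ws-117 opmupdates.example mcutil.dll
2015-04-15T08:12:40Z ws-042 news.example browser.exe
2015-04-15T08:15:10Z ws-117 opmupdates.example mcutil.dll
2015-04-15T08:20:09Z ws-117 opmupdates.example mcutil.dll
2015-04-15T08:21:02Z ws-042 news.example browser.exe
2015-04-15T08:33:15Z ws-042 news.example browser.exe
"""

# Constructed stand-in for a WHOIS lookup; the date is the one the article gives.
REGISTERED = {"opmupdates.example": "2014-04-25"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, module = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst.lower(), module))
    return events


def is_lookalike(domain):
    """Carries the org's name but is neither an owned domain nor under one."""
    if domain in OWNED_DOMAINS or any(domain.endswith("." + d) for d in OWNED_DOMAINS):
        return False
    return any(k in domain for k in ORG_KEYWORDS)


def beacon_pairs(events, min_hits=4, max_jitter=0.10):
    """(src, dst) pairs that connect on a near-fixed interval; value is the period."""
    times = defaultdict(list)
    for when, src, dst, _ in events:
        times[(src, dst)].append(when)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            found[key] = period
    return found


def dwell_estimate_days(domain, first_seen):
    """Days between the domain's registration and our first sighting of it."""
    reg = REGISTERED.get(domain)
    if reg is None:
        return None
    reg_dt = datetime.strptime(reg, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (first_seen - reg_dt).days


def triage(text):
    events = parse_log(text)
    findings = []
    for (src, dst), period in beacon_pairs(events).items():
        mine = [e for e in events if e[1] == src and e[2] == dst]
        first_seen = min(e[0] for e in mine)
        modules = sorted({e[3] for e in mine})
        findings.append({
            "src": src, "dst": dst, "period_s": round(period),
            "lookalike": is_lookalike(dst),
            "unknown_module": any(m not in KNOWN_GOOD_MODULES for m in modules),
            "modules": modules,
            "dwell_days": dwell_estimate_days(dst, first_seen),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The jitter threshold is the tunable part: a 5-minute beacon with a second or two of drift passes, while a user browsing the same news site three times in half an hour does not reach the minimum hit count. The dwell figure is a floor, not a measurement: the domain was registered 355 days before the first sighting in the sample, but the implant could have gone quiet for long stretches in between.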

Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. (In 2014 a federal grand jury in Pennsylvania indicted five people from one of that division’s crews, known as Unit 61398, for stealing trade secrets from companies such as Westinghouse and US Steel; all the defendants remain at large.)

Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives. “Everyone can always say, ‘Oh, yeah, the Pentagon is always going to be a target, the NSA is always going to be a target,’” says Michael Daniel, the cybersecurity coordinator at the White House, who was apprised of the crisis early on. “But now you had the Office of Personnel Management as a target?”

To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.


Murder in the Library of Congress

[Note: This item comes from friend David Rosenthal. David’s comment: ‘Should have said, this isn’t something I agree with Orlowski on. Copyright office has been classic regulatory capture.’ DLH]

Murder in the Library of Congress
Copyright chief removed, moved sideways
By Andrew Orlowski
Oct 24 2016

The US Copyright Office has been given a brutal Silicon Valley-style sacking, the first time the Copyright Register has been dismissed in 119 years.

Maria A Pallante was locked out of her computer on Friday, according to Billboard, on the instructions of her boss, a new Obama appointee, Carla Hayden, the Librarian of Congress.

“Officially, Pallante has been appointed as a senior adviser for digital strategy for the Library of Congress, although it’s clear she was asked to step down,” Billboard’s Robert Levine notes.

Critics see the move as in line with Silicon Valley asserting its influence over the US Government via its agencies in the dog days of the Obama Administration. Just last month, as Hayden started the post, the Google-funded group Public Knowledge attacked the Copyright Office for upholding the copyright laws.

“Pallante was the only one standing between Google and what is left of the copyright system,” wrote David Lowery on the Trichordist blog, which campaigns for better deals for songwriters and musicians.

Controversial decisions by the Department of Justice, the Federal Trade Commission, and the Federal Communications Commission have all resulted in proposals or decisions that advanced the business interests of Silicon Valley’s biggest companies.

For example, after an investigation of Google for anti-competitive practices, FTC staff concluded there was sufficient evidence to indict – but the Obama-appointed trade commissioners abandoned this for a voluntary deal instead.

The FCC, run by former industry lobbyist and major Obama fundraiser Tom Wheeler, has introduced a flood of measures that benefit huge web companies and constrain telcos, the most significant of which is Title II reclassification, which gives the bureaucrats wide-ranging authority over internet practices and private contracts. The DoJ was found to have kept Obama’s office closely involved on antitrust investigations – which has never happened before.

What’s the Register of Copyright and why has it annoyed Google?

Congress created the post of The Register of Copyright at the end of the 19th Century, when copyright protection required an author to register a work (Registration of a work is now not needed if a country is a signatory to the Berne Convention, but in the USA, it entitles the owner to statutory damages.) The role of the Copyright Register has evolved to provide Congress with expert impartial advice. The legal duty of the Register is to uphold a functioning rights marketplace, something Silicon Valley isn’t keen to see, as the windfall profits of today’s giant web companies come from aggregation rather than trade.

Although the Library of Congress (as the name implies) reports to Congress, its boss is a Presidential appointee. Barack Obama appointed a librarian from his base of Chicago who rose to be head of the librarians’ association, the ALA. Her appointment was welcomed by anti-copyright crusaders.

But two pieces of advice from the Copyright Register in particular will have infuriated Google, which in each case sought radical changes in the operation of the copyright system.

On the advice of a DoJ antitrust attorney, the DoJ recommended that part-authors of a song should lose the ability to say no to digital deals they don’t like.

The move came from Google’s former key antitrust lawyer Renata Hesse, who had moved from Wilson Sonsini Goodrich & Rosati to become acting Assistant Attorney General for antitrust. Songwriters come out worst in any negotiation with The Man, and the move, called “100 per cent licensing”, weakened their position further.


Someone Is Learning How to Take Down the Internet

[Note: Given the events of last week, I thought it was appropriate to post this item from September by Bruce Schneier to the list. DLH]

Someone Is Learning How to Take Down the Internet
By Bruce Schneier
Sep 13 2016

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it’s overwhelmed. These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registry operator for some of the most popular top-level Internet domains, including .com and .net; it runs the authoritative name servers those zones depend on. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

There’s more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.


As Artificial Intelligence Evolves, So Does Its Criminal Potential

As Artificial Intelligence Evolves, So Does Its Criminal Potential
Oct 23 2016

Imagine receiving a phone call from your aging mother seeking your help because she has forgotten her banking password.

Except it’s not your mother. The voice on the other end of the phone call just sounds deceptively like her.

It is actually a computer-synthesized voice, a tour-de-force of artificial intelligence technology that has been crafted to make it possible for someone to masquerade via the telephone.

Such a situation is still science fiction — but just barely. It is also the future of crime.

The software components necessary to make such masking technology widely accessible are advancing rapidly. Recently, for example, DeepMind, the Alphabet subsidiary known for a program that has bested some of the top human players in the board game Go, announced that it had designed a program that “mimics any human voice and which sounds more natural than the best existing text-to-speech systems, reducing the gap with human performance by over 50 percent.”

The irony, of course, is that this year the computer security industry, with $75 billion in annual revenue, has started to talk about how machine learning and pattern recognition techniques will improve the woeful state of computer security.

But there is a downside.

“The thing people don’t get is that cybercrime is becoming automated and it is scaling exponentially,” said Marc Goodman, a law enforcement agency adviser and the author of “Future Crimes.” He added, “This is not about Matthew Broderick hacking from his basement,” a reference to the 1983 movie “War Games.”

The alarm about malevolent use of advanced artificial intelligence technologies was sounded earlier this year by James R. Clapper, the director of National Intelligence. In his annual review of security, Mr. Clapper underscored the point that while A.I. systems would make some things easier, they would also expand the vulnerabilities of the online world.

The growing sophistication of computer criminals can be seen in the evolution of attack tools like the widely used malicious program known as Blackshades, according to Mr. Goodman. The author of the program, a Swedish national, was convicted last year in the United States.

The system, which was sold widely in the computer underground, functioned as a “criminal franchise in a box,” Mr. Goodman said. It allowed users without technical skills to deploy computer ransomware or perform video or audio eavesdropping with a mouse click.

The next generation of these tools will add machine learning capabilities that have been pioneered by artificial intelligence researchers to improve the quality of machine vision, speech understanding, speech synthesis and natural language understanding. Some computer security researchers believe that digital criminals have been experimenting with the use of A.I. technologies for more than half a decade.

That can be seen in efforts to subvert the internet’s omnipresent Captcha — Completely Automated Public Turing test to tell Computers and Humans Apart — the challenge-and-response puzzle invented in 2003 by Carnegie Mellon University researchers to block automated programs from stealing online accounts.

Both “white hat” artificial intelligence researchers and “black hat” criminals have been deploying machine vision software to subvert Captchas for more than half a decade, said Stefan Savage, a computer security researcher at the University of California, San Diego.


Inside The Strange, Paranoid World Of Julian Assange

[Note: This item comes from friend David Isenberg. DLH]

Inside The Strange, Paranoid World Of Julian Assange
The WikiLeaks founder is out to settle a score with Hillary Clinton and reassert himself as a player on the world stage, says BuzzFeed News special correspondent James Ball, who worked for Assange at WikiLeaks.
By James Ball
Oct 23 2016

On 29 November 2010, then US secretary of state Hillary Clinton stepped out in front of reporters to condemn the release of classified documents by WikiLeaks and five major news organisations the previous day.

WikiLeaks’ release, she said, “puts people’s lives in danger”, “threatens our national security”, and “undermines our efforts to work with other countries”.

“Releasing them poses real risks to real people,” she noted, adding, “We are taking aggressive steps to hold responsible those who stole this information.”

Julian Assange watched that message on a television in the corner of a living room in Ellingham Hall, a stately home in rural Norfolk, around 120 miles away from London.

I was sitting around 8ft away from him as he did so, the room’s antique furniture and rugs strewn with laptops, cables, and the mess of a tiny organisation orchestrating the world’s biggest news story.

Minutes later, the roar of a military jet sounded sharply overhead. I looked around the room and could see everyone thinking the same thing, but no one wanting to say it. Surely not. Surely? Of course, the jet passed harmlessly overhead – Ellingham Hall is not far from a Royal Air Force base – but such was the pressure, the adrenaline, and the paranoia in the room around Assange at that time that nothing felt impossible.

Spending those few months at such close proximity to Assange and his confidants, and experiencing first-hand the pressures exerted on those there, have given me a particular insight into how WikiLeaks has become what it is today.

To an outsider, the WikiLeaks of 2016 looks totally unrelated to the WikiLeaks of 2010. Then it was a darling of many of the liberal left, working with some of the world’s most respected newspapers and exposing the truth behind drone killing, civilian deaths in Afghanistan and Iraq, and surveillance of top UN officials.

Now it is the darling of the alt-right, revealing hacked emails seemingly to influence a presidential contest, claiming the US election is “rigged”, and descending into conspiracy. Just this week on Twitter, it described the deaths by natural causes of two of its supporters as a “bloody year for WikiLeaks”, and warned of media outlets “controlled by” members of the Rothschild family – a common anti-Semitic trope.

The questions asked about the organisation and its leader are often the wrong ones: How has WikiLeaks changed so much? Is Julian Assange the catspaw of Vladimir Putin? Is WikiLeaks endorsing a presidential candidate who has been described as racist, misogynistic, xenophobic, and more?

These questions miss a broader truth: Neither Assange nor WikiLeaks (and the two are virtually one and the same thing) have changed – the world they operate in has. WikiLeaks is in many ways the same bold, reckless, paranoid creation that once it was, but how that manifests, and who cheers it on, has changed.


That Map of the Internet Failing You Saw on Friday Didn’t Tell the Story at All (and Here’s What Really Did Happen)

That Map of the Internet Failing You Saw on Friday Didn’t Tell the Story at All (and Here’s What Really Did Happen)
By Glenn Fleishman
Oct 23 2016

It was a convenient picture, and one that I found compelling, too: a heatmap showing outages across the Internet due to an Internet of Things (IoT) botnet attack that was crippling a private Internet infrastructure company’s ability to respond to requests. The map apparently showed Level 3’s network; Level 3 is one of the largest network providers, transiting data among networks large and small. A congestion or outage would degrade everyone’s ability to reach certain networks.

Except the map we all shared, including me, didn’t show the status of Level 3’s network at all—its network and others were not under attack. Sites weren’t unreachable because the Internet was overloaded. I’ll explain below what actually happened on Friday.

The map was from Downdetector, which continues today (Sunday, October 23) to show the same pattern of outages for Level 3.

Downdetector doesn’t probe routes and check for connectivity at network interchanges, as other Internet health maps do, like Internet Traffic Report, Keynote’s Internet Health Report, and Akamai’s Real-Time Web Monitor. Rather, it compiles reports of outages and plots them on a map.

“Downdetector collects status reports from a series of sources. Through a realtime analysis of this data, our system is able to automatically determine outages and service interruptions at a very early stage. One of the sources that we analyse are reports on Twitter.”

The number of reports is tiny. Flip to the chart view instead of the map view, and you see that dozens of reports result in a map that looks like major parts of the U.S. Internet are unreachable.

Some appearances of this chart went so far as to attribute the map to Level 3, despite Downdetector’s disclaimer:

“Downdetector and its parent company Serinus42 are not associated with any service, corporation or organisation that we monitor.”

What appeared to confuse many reporters and editors working on this story into using this map, and even attributing it to Level 3, is that the Downdetector result was shared early by those trying to figure out what was going on; it appears at the top of Google results for “Level 3 outages”; and the labeling of the map, which uses Level 3’s corporate mission statement and logo, makes it appear official. One clue it wasn’t? The site shows Level 3 (space between Level and 3 in all its official text uses) as “Level3” without a space. (I’ll be surprised if Downdetector doesn’t get a demand from Level 3 and others to display more prominently a disclaimer about its unofficial status.)

Level 3 doesn’t offer an outage map, so it doesn’t appear in Google results; and the map confirmed people’s expectations of how the Internet was behaving.

Level 3 went so far as to host a Periscope session with its chief security officer to go through the details, because the map was being used so widely.

What the map showed is that people across the U.S. were having trouble reaching popular sites, some of which rely on Level 3. But what really happened had nothing to do with “routing”—getting data packets from one point to another on the Internet. Rather, it was about phone directories.
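The distinction the article draws, name resolution failing rather than packets failing to route, is one an outage check can make explicit instead of leaving to a heatmap. The following is an added example, not code from the article: it resolves a host first and only then attempts a TCP connection, so a dead authoritative DNS provider and an unreachable network land in different buckets. The offline demo uses localhost (which resolves from the hosts file) and a name under the reserved .invalid top-level domain (which never resolves); the category names and the port choice are my own.

```python
import socket


def classify_failure(host, port=443, timeout=2.0):
    """Tell a name-resolution failure apart from a reachability failure.

    Returns (category, detail) with category "dns", "network" or "ok".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # EAI_NONAME is an authoritative "no such name". Anything else (EAI_AGAIN,
        # SERVFAIL, timeout) means the resolver could not get an answer at all,
        # which is what an authoritative DNS provider under attack looks like.
        if exc.errno == getattr(socket, "EAI_NONAME", None):
            return "dns", "name does not exist"
        return "dns", f"resolver could not answer: {exc.strerror}"
    ip = infos[0][4][0]
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "ok", ip
    except OSError as exc:
        # The name resolved, so DNS is fine; the path or the host is the problem.
        return "network", f"{ip}:{port} unreachable ({exc.__class__.__name__})"


def summarize(hosts, port=443):
    """Bucket hosts by failure category, the way a status page should."""
    buckets = {"dns": [], "network": [], "ok": []}
    for host in hosts:
        category, _ = classify_failure(host, port)
        buckets[category].append(host)
    return buckets


def free_local_port():
    """Pick a TCP port nothing is listening on (for the offline demo only)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # localhost resolves but nothing listens on the chosen port -> "network";
    # a .invalid name never resolves -> "dns".
    print(classify_failure("localhost", free_local_port()))
    print(classify_failure("status.invalid", 443))
    print(summarize(["localhost", "status.invalid"], free_local_port()))
```

Run against the sites people could not reach on Friday, such a check would have reported a column of “dns” entries and an empty “network” column, which is the opposite of what the map implied. A resolver answering from cache can mask the “dns” bucket for as long as the cached records’ TTLs last, which is why the same outage looked different from different networks.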


Re: Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

[Note: This comment comes from a reader of Dave Farber’s IP List. DLH]

From: Brett Glass <>
Date: Sunday, October 23, 2016
Subject: [Dewayne-Net] Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

Dave, and everyone:

While my small ISP couldn’t do much about the massive denial of service attacks that plagued the Internet this week (except to answer the phone calls from frustrated customers who could not use Twitter, Disqus, and other services which relied on Dyn as a DNS provider), we could at least make sure that we were not contributing to the attacks — and we did.

We blocked incoming attacks by the Mirai worm (which was creating the botnet that executed the DDoS attacks), monitored our network for vulnerable camera systems that were attempting to participate in it (there was only one — a cheap, Chinese DVR rebranded and resold by a company in New Jersey to one of our rural customers), and set up a honeypot to capture the code.

The thing which was embarrassing (or should have been) was that the code for the worm was simpler and easier to analyze than that of the infamous Morris worm, which was released on the Internet in 1988. It simply brute-forced certain vulnerable systems via Telnet, using default passwords, and then wormed its way into the affected systems via the shell. No need for “stack smashing” exploits or fancy, hand-assembled machine code; the systems were such sitting ducks that none of that was necessary to turn them into bots.

The owner of the infected DVR had no idea that he’d bought a vulnerable piece of equipment, one for which software updates were not available and whose security holes could not be closed — only shielded from outside attacks via a firewall and VPN. He was incredulous that anyone would even be ALLOWED to sell a device that insecure, or that the FCC — via its unwise and illegal “network neutrality” regulations — would require ISPs like me to leave them exposed to attacks by default.

As an ISP, an engineer, and an embedded system developer, all I can say is, “I told you so.”

–Brett Glass
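Brett Glass’s note describes the Mirai worm brute-forcing Telnet with default passwords, and checking his own network for the camera systems that would fall to it. The following is an added example, neither Glass’s code nor Mirai’s: a minimal Telnet default-credential audit of the kind an ISP or network owner can run against devices they are responsible for, with a constructed stand-in for a DVR’s Telnet service so it runs offline. The credential list, the fake device’s banner, and the prompt heuristics used to decide whether a login succeeded are assumptions; real devices vary in their prompts, and a real audit uses the documented defaults for the hardware actually deployed.

```python
import socket
import threading

# Telnet command bytes (RFC 854) needed to skip option negotiation.
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254

# Constructed sample list; a real audit uses the documented defaults for the
# devices actually deployed on your network.
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("root", "12345")]


def strip_iac(data: bytes) -> bytes:
    """Remove IAC negotiation sequences so only the device's text is left."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                    # IAC <cmd> <option>
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # skip subnegotiation
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                    # IAC <cmd>
    return bytes(out)


def recv_until(sock: socket.socket, markers, timeout: float = 3.0) -> bytes:
    """Read until one of the (lowercase) markers appears or the peer goes quiet."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not any(m in buf.lower() for m in markers):
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += strip_iac(chunk)
    except socket.timeout:
        pass
    return buf


def try_login(host: str, port: int, user: str, password: str, timeout=3.0) -> bool:
    """One Telnet login attempt; True if the device drops us at a shell prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        recv_until(s, [b"login:", b"username:"], timeout)
        s.sendall(user.encode() + b"\r\n")
        recv_until(s, [b"password:"], timeout)
        s.sendall(password.encode() + b"\r\n")
        reply = recv_until(s, [b"#", b"$", b"incorrect", b"login:"], timeout)
    # Heuristic: a shell prompt with no rejection message means we are in.
    return (b"#" in reply or b"$" in reply) and b"incorrect" not in reply.lower()


def audit_device(host: str, port: int = 23, creds=DEFAULT_CREDS):
    """Return every default credential pair the device accepts."""
    accepted = []
    for user, pw in creds:
        try:
            if try_login(host, port, user, pw):
                accepted.append((user, pw))
        except OSError:
            break   # port closed or host unreachable: nothing more to test
    return accepted


def start_fake_device(valid=("root", "12345")):
    """Constructed stand-in for a DVR's Telnet service, so the audit runs offline."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.sendall(b"\r\nlogin: ")
                    user = recv_until(conn, [b"\n"]).strip().decode(errors="replace")
                    conn.sendall(b"Password: ")
                    pw = recv_until(conn, [b"\n"]).strip().decode(errors="replace")
                    if (user, pw) == valid:
                        conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
                    else:
                        conn.sendall(b"\r\nLogin incorrect\r\nlogin: ")
            except OSError:
                pass   # client went away mid-dialogue; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_fake_device()
    print("accepted defaults:", audit_device(host, port))
```

Point `audit_device` at a real address only for equipment you own or are authorised to test; the dialogue is the same one the worm drives, which is exactly why a hit here means the device is already a bot in waiting. A device that answers on port 23 at all is worth a finding even when no default credential works, since there is rarely a reason for a camera or DVR to expose Telnet to the outside.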

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
By Brian Krebs
Oct 21 2016