CyberCity lets government hackers train to thwart attacks

CyberCity has all the makings of a regular town. There’s a bank, a hospital and a power plant. A train station operates near a water tower. The coffee shop offers free WiFi.

But only certain people can get in: government hackers preparing for battles in cyberspace.

The town is a virtual place that exists only on computer networks run by a New Jersey-based security firm working under contract with the Air Force. Computers simulate communications and operations, including email, heating systems, a railroad and an online social networking site dubbed FaceSpace.

Think of it as something like the mock desert towns that were constructed at military facilities to help American soldiers train for the war in Iraq. But here, the soldier-hackers from the Air Force and other branches of the military will practice attacking and defending the computers and networks that run the theoretical town. In one scenario, they will attempt to take control of a speeding train containing weapons of mass destruction.

To those who participate in the practice missions, the digital activity will look and feel real. The “city” will have more than 15,000 “people” who have email accounts, work passwords and bank deposits. The power plant has employees. The hospital has patients. The coffee shop’s customers will come and go, using the insecure WiFi system, just as in real life.

To reinforce the real-world consequences of cyberattacks, CyberCity will have a tabletop scale model of the town, including an electric train, a water tower and a miniature traffic light that will show when they have been attacked.

“It might look to some people like a toy or game,” Ed Skoudis, founder of Counter Hack, the security firm in central New Jersey that is developing the project, said recently while giving a reporter a tour of the fledgling system. “But cyberwarriors will learn from it.”

More available from the Washington Post: http://www.bendbulletin.com/article/20121128/NEWS0107/211280353/

DARPA Reveals National Cyber Test Range

The Defense Advanced Research Projects Agency (DARPA) on Tuesday announced yet another computing advance: the “National Cyber Range (NCR),” essentially a testing grounds for national cyber weapons, tools and security measures — a kind of cyber firing range.

Or as DARPA alternatively describes it “a secure, self-contained facility where complex defense and commercial networks can be rapidly emulated for cost-effective and timely validation of cyber technologies,” and “a new range for the cyber domain that realistically emulates complex global networks, enabling cyber researchers to test tools and capabilities.”

The open announcement comes after reports that the U.S. and Israel jointly developed the malware strains known as Stuxnet and Flame in an effort to thwart Iran’s nuclear program.

It’s unclear whether DARPA’s new testing facility will be used for anything like those projects, but the purpose of the announcement Tuesday was to note that the NCR had “executed…seven large-scale cyber experiments for multiple DoD organizations” in a test phase and had now moved the NCR over to the control of the Deputy Assistant Secretary of Defense for Developmental Test and Evaluation.

from TalkingPointsMemo @ http://livewire.talkingpointsmemo.com/entry/darpa-reveals-national-cyber-test-range

A smartphone app to stop surveillance

A new “surveillance proof” application aims to make encryption easy for the general public and businesses alike.

How far governments across the globe can go in order to protect the public without invading their privacy is a concern made paramount by modern technology. “Big Brother” — Nineteen eighty-four notwithstanding — ranges from wire tapping to drones, but for the general public, email, device location and online activity surveillance can make us nervous.

However, would-be eavesdroppers don’t have everything their own way. A team of security experts — including Apple’s disk-encryption system designer Jon Callas — led by former Navy SEAL commando Mike Janke has developed what they describe as new, worldwide encryption tools.

The encryption service known as “Silent Circle” is subscription-based access to four services — Silent Phone, Silent Text, Silent Eyes and Silent Mail. Every communication is processed through a peer-to-peer service, which means there is no central database where data or keys are stored. When you make a call or send a text, an individual key is generated by the service, and then immediately deleted once the data is processed. In addition, a “burn” function lets you set an auto-timer on messages sent — almost like a self-destruct function.

For optimal encryption, both sender and receiver need to have the app installed. If not, then data is encrypted until it reaches the device service provider. In the case of emails, this is not necessary.

According to the developers of Silent Circle, the app is simple enough to use for the general public. They believe that for governments, media, celebrities and businesses operating in China the app will be especially useful — but the general public can also benefit.

If you’re worried about third-party snooping, access will cost you $20 a month. Apps for the iPhone and iPad are available. Windows, Android and an email service are promised to soon follow.

From SmartPlanet at http://www.smartplanet.com/blog/bulletin/the-spy-free-app-you-can-use-to-stop-surveillance/3237

FBI unveils Next Generation Cyber Initiative

The FBI is doing its part in combating national security threats. Just last week the FBI’s Cyber Crime Division announced its latest program. Deemed the “Next Generation Cyber Initiative,” this program is designed to enable an advanced rapid response to isolate and address cyber threats. (See Note 1).

The team is made up of specially selected and highly trained computer scientists. Working around the clock these specialists can respond to issues any time of the day or night. Any findings can be immediately sent to the FBI’s Cyber Division for review and dissemination to other agencies. (See Note 2). The main goal is to identify problems and identify the source and motivation behind the particular attack. (See Note 3). The target is criminals, spies, terrorists, and hackers attempting to compromise national security. (See Note 4).

This project has been in the works for over a year. (See Note 1). It is part of the efforts to adapt the FBI’s Cyber Division to the needs posed by today’s highly sophisticated cyber threats. (See Note 3). The FBI is also expanding its resources and adding personnel.

Proactive efforts to strengthen national security against cyber threats provide a significant step in the right direction. Threats from cyber space are present around the clock and having a dedicated team to combat these threats and coordinate appropriate responses is paramount to keeping the country safe. Investments of money, personnel, and time into projects such as this are worthwhile. Expanding currently available resources and facilitating greater collaboration efforts can only help the situation. The FBI is taking appropriate steps. So why is it that the country still lacks a unified and mandatory Cyber Security Act?

While an executive order is in the works by the current Obama administration, further delays only create a bigger gap for hackers to continue. Not to mention that a new president could put the current executive order on hold indefinitely much like Congress’ deathblow to the Cyber Security Act over the summer. (See Note 5). Efforts like those being taken by the FBI could be much more effective if conducted against a backdrop of a mandatory nation-wide Cyber Security Act. Until then, actions by individual government agencies can accomplish only so much.

It is time for the United States to take action. Why efforts continue to be delayed makes no sense. Sitting by merely talking about change does nothing if those words are never translated into actual change. We cannot continue to remain idle. In today’s age of advanced technology, guarding against cyber threats should be a top policy concern. Large-scale action needs to be taken. When it is national security at stake, proactive and pre-emptive approaches make more sense. A national policy and further efforts such as those taken by the FBI should be replicated and expanded across the country. There is just too much to lose for inaction to continue. Time will tell how the U.S. measures up in the cyber security wars.

For additional information please email Ian N. Friedman, Esq., Friedman & Frey, L.L.C., at ifriedman@faflegal.com or visit www.faflegal.com.

1. Danielle Walker, FBI Rolls Out Round-the-clock Cyber Crime Team, SCMAGAZINE.COM (2012), http://www.scmagazine.com/fbi-rolls-out-round-the-clock-cyber-crime-team….

2. Aliya Sternstein, FBI Starts New Initiative to Name Hackers, NEXTGOV.COM (2012), http://www.nextgov.com/cybersecurity/2012/10/fbi-starts-new-initiative-n….

3. J. Nicholas Hoover, FBI Expands Cybercrime Division, INFORMATIONWEEK.COM (2012), http://www.informationweek.com/government/security/fbi-expands-cybercrim….

4. Podcast, FBI.GOV (2012), http://www.fbi.gov/news/podcasts/thisweek/next-generation-cyber.mp3/view.

5. Ian N. Friedman, Cyber Security Act fails in Senate: Yet even U.S. military admits vulnerability, EXAMINER.COM (2012), http://www.examiner.com/article/cyber-security-act-fails-senate-yet-even….

From the Examiner: http://www.examiner.com/article/national-cyber-security-fbi-unveils-next-generation-cyber-initiative

US Desperately seeking cybersecurity pros

The calls for a beefed-up workforce that specializes in cybersecurity are not new. In this highly critical arena, the demand for talent is sky-high and insatiable. But with a nationwide shortage of students of science, technology, engineering and math (STEM), where will tomorrow’s workforce – which is needed already – be found?

Leaders from across the federal government are following up on their calls for digital-era employees with a renewed sense of urgency, and with a range of initiatives designed to educate, train and incentivize work in the cyber field. They also are emphasizing that it is not just computer science majors and technological whizzes they seek.

“There’s a wide range of functions and skills that are required for us, whether you’re in industry, other elements of government, military – all across the board, there are a wide range of skills and functions we need,” said Army Maj. Gen. John Davis, senior military adviser for cyber to the under secretary of defense at the Defense Department. “Every person who touches a keyboard is in some way associated with the cyber domain, because there are disciplines and standards associated with protecting against the threats.”

Davis, who spoke Oct. 26 at the Center for Strategic and International Studies in Washington, noted that DOD, like the rest of the federal government, is feeling the shortage. That gap between supply and demand has deep roots, he said, and the problem begins with defining the need itself.

More from FCW.com at http://fcw.com/articles/2012/10/26/cyber-workforce.aspx

Security experts say new electronic voting machines can be hacked

Rapid advances in the development of cyberweapons and malicious software mean that electronic-voting machines used in the 2012 election could be hacked, potentially tipping the presidential election or a number of other races.

Since the machines are not connected to the Internet, any hack would not be a matter of someone sneaking through cyberspace to change ballots. Rather, the concern is that an individual hacker, a partisan group, or even a nation state could infect voting machines by gaining physical access to them or by targeting the companies that service them.

The 2010 discovery of the Stuxnet cyberweapon, which used a thumb drive to attack Iran’s nuclear facilities and spread among its computers, illustrated how one type of attack could work. Most at risk are paperless e-voting machines, which don’t print out any record of votes, meaning the electronically stored results could be altered without anyone knowing they had been changed.

In a tight election, the result could be the difference between winning and losing. A Monitor analysis shows that four swing states – Pennsylvania, Virginia, Colorado, and Florida – rely to varying degrees on paperless machines.

“The risk of cyber manipulation of these machines is quite real,” says Barbara Simons, a computer researcher and author of “Broken Ballots,” a book documenting e-voting vulnerabilities. “Most people don’t understand that these computer-based voting machines can have software bugs or even election-rigging malicious software in them.”

There are plenty of software vulnerabilities to exploit, says Matt Blaze, a computer scientist at the University of Pennsylvania in Philadelphia. In 2007, he was on a team investigating touch-screen and other voting systems for California and Ohio. The resulting study concluded “virtually every important software security mechanism is vulnerable.”

The paperless machines, however, stand out as particularly vulnerable.

“If there’s no paper trail, you can have the corrupted software display on the voting-machine screen whatever you want to display – and then after the voter leaves, record something completely different inside,” says Richard Kemmerer, a computer scientist who heads the University of California, Santa Barbara, Computer Security Group.

From The Christian Science Monitor (http://s.tt/1r7Gh)

HSBC bank hit by ‘large scale’ cyber attack

Banking giant HSBC said Friday some of its websites had been hit by a “large scale” cyber attack that disrupted online services, but it assured customers that their data were not compromised.

The bank said in a statement that HSBC servers came under a “large scale denial of service attack” on Thursday.

It said a number of sites were affected around the world but did not give an exact number or say where they were.

“This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including Internet banking,” the bank said.

“We are taking appropriate action, working hard to restore service,” the bank added. It said some of the sites are back up and running.

A denial of service attack typically involves sites being saturated with requests.

The London-headquartered, Asia-focused lender said it is working with authorities to investigate the incident. It gave no indication of who it believed might be behind the attack.

From RawStory.com: http://www.rawstory.com/rs/2012/10/19/banking-giant-hsbc-websites-hit-by-large-scale-cyber-attack/

New version of cyberspying Flame virus uncovered

A new cyberespionage tool linked to the Flame virus has been infecting computers in Lebanon, Iran and elsewhere, security researchers said Monday.

Kaspersky Lab, which was credited with revealing the Flame virus earlier this year, dubbed the new malware “miniFlame,” and said it was “a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.”

Russian-based Kaspersky said miniFlame “is based on the same architectural platform as Flame,” widely reported to be part of a US-Israeli effort to slow Iran’s suspected nuclear weapons drive.

The smaller version “can function as its own independent cyber espionage program or as a component” inside Flame and related malware.

Unlike Flame, which is designed for “massive spy operations,” miniFlame is “a high precision, surgical attack tool,” according to Alexander Gostev at Kaspersky Lab.

“Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack.”

Kaspersky Lab data indicates the total number of infections worldwide is just 50 to 60, including computers in Lebanon, France, the United States, Iran and Lithuania.

MiniFlame operates “as a backdoor designed for data theft and direct access to infected systems,” according to Kaspersky, which said development of the malware might have started as early as 2007 and continued until the end of 2011, with several variations.

“We believe that the developers of miniFlame created dozens of different modifications of the program,” Kaspersky said. “At this time, we have only found six of these, dated 2010-2011.”

From RawStory.com: http://www.rawstory.com/rs/2012/10/15/new-version-of-cyberspying-flame-virus-uncovered/

Number of cyber attacks against the U.S. has doubled in the last three years

The number of cyberattacks targeting US organizations has doubled over the past three years, leading to hefty losses, a study released Monday showed.

The study conducted by the Ponemon Institute and sponsored by Hewlett-Packard said most of the attacks involve malicious code, denial of service, stolen or hijacked devices, or “malevolent insiders.”

“The occurrence of cyberattacks has more than doubled over a three-year period, while the financial impact has increased by nearly 40 percent,” the report said.

The 2012 study showed organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.

Among the organizations surveyed which were hit by successful cyberattacks, the average loss was $8.9 million, up six percent from 2011 and a 38 percent increase over 2010.

“Organizations are spending increasing amounts of time, money and energy responding to cyberattacks at levels that will soon become unsustainable,” said HP’s Michael Callahan.

More from RawStory.com: http://www.rawstory.com/rs/2012/10/08/study-number-of-cyber-attacks-against-u-s-doubled-in-three-years/

U.S. needs offensive weapons in cyberwar

The United States needs to develop offensive weapons in cyberspace as part of its effort to protect the nation from cyber attacks, a senior military official said Thursday.

“If your defense is only to try to block attacks you can never be successful,” General Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, told a Washington symposium.

“At times, the government has to look at what you have to do to stop an attack — stop it before it happens. Part of our defense has to consider offensive measures.”

Alexander, who spoke at a cybersecurity summit sponsored by the US Chamber of Commerce, said any offensive cyber action would need to follow rules of engagement similar to those in other military situations.

More from RawStory.com at http://www.rawstory.com/rs/2012/10/04/nsa-director-u-s-needs-offensive-weapons-in-cyberwar/