Showing posts with label DoD. Show all posts

How smart home devices are being hijacked to attack Internet



The huge cyberattack that crippled the Internet and disabled dozens of websites Friday appeared to be the biggest attack of its kind that the world has ever seen.

But it may not hold that title for long.

What made last week’s Internet takedown so effective — and, some would say, sinister — was how the attackers weaponized everyday devices like security cameras, digital video recorders and baby monitors.
By exploiting the devices’ Web connections, hackers could infect them with malicious software and use them to paralyze huge portions of the Internet with a barrage of junk data in what is known as a distributed denial of service, or DDoS, attack.
For many, the breach was a stark demonstration of just how insecure the Internet remains. To some, it also felt like a call to action.
At a time when everything from televisions to refrigerators to kids’ toys are being equipped with an Internet connection, experts and legislators said, something ought to be done to ensure the security of these devices.

Yet there is little consensus around who should bear that responsibility.

“There aren’t just one or two types (of Internet of Things devices), there are tens of millions,” said Jeremiah Grossman, SentinelOne’s chief of security strategy. “So what we can expect going forward is a lot more of the same. ... Look out election day. Look out Cyber Monday.”

The Internet of Things encompasses a wide array of electronics: smart washing machines that will text you when your clothes are done, refrigerators that can order more groceries, wearable tech that can monitor your biorhythms, and talking toys that respond to words uttered by children.

Every year, more and more appliances are being made that connect to the Internet. Securing them is often an afterthought, experts said.

Many consumers, for instance, don’t see the danger in leaving a default password on a smart microwave, said Brian White, the chief operating officer for security firm RedOwl Analytics.

This is the attitude hackers bank on. If they can crack into a device using an easy-to-guess password, they can turn an everyday DVR into a zombie device enslaved to malicious software that can be used in attacks such as Friday’s assault.

“We are putting an enormous amount of compute capability in the average home, and it is very difficult for the average consumer to ensure their home is securely networked and their devices are updated,” White said.

Companies have long been held accountable for securing their own websites — banks, for instance, have security systems in place. But Internet of Things manufacturers are not required to guarantee a base level of security in the devices they create.

And when the priority is making the most inexpensive device possible, Grossman said, makers often skimp on things like security features.

Information security people “have been screaming bloody murder about this for years,” Grossman said. “Everything from cameras to toasters, refrigerators, microwaves. And because there’s no regulation, the manufacturers don’t need to make sure these devices ship with any security whatsoever.”

No single government agency oversees the devices or practices of the Internet of Things, though several have limited authority over parts of it.

Since Friday’s Internet blitz, some legislators have begun calling for greater government intervention.

“Not only does this kind of attack limit access to important information, delay financial transactions, and disrupt our nation’s commerce flows, but it also points to significant vulnerabilities in our national security,” Rep. Jerry McNerney, D-Stockton, said in a statement Saturday.

Friday’s attack targeted Dyn, an Internet infrastructure firm that, among other things, provides domain name services and online traffic management to hundreds of companies, including Amazon, CNN, GitHub, Twitter, Netflix, PayPal, Reddit, Zendesk and the New York Times, among many others.

In a DDoS attack, hackers typically deploy a botnet, or a network of compromised computers, to send phony traffic to a specific site or server with the intent of overwhelming it so it cannot respond to queries from real people.

What made the attack different was that it used a botnet seen only once before — last month in a record-size attack against cybersecurity journalist Brian Krebs’ website. The botnet, known as Mirai, used infected cameras spread across the world to send waves of traffic at Dyn’s DNS system at unprecedented rates.

Mirai continually scans the Internet for devices and then attempts to gain access to them by using a known default password or exploiting a weakness in outdated software.

Kyle York, Dyn’s chief strategy officer, said in a statement Saturday that the company was able to mitigate the first two waves in a matter of hours and fended off a third without customers seeing an impact.

But Dyn’s attackers may not have been using the full brunt of Mirai’s force.

Level 3 Communications, an Internet service provider based in Colorado, began monitoring the Mirai assault in the midst of its attack on Dyn. Level 3 reported that only about 10 percent of devices compromised by Mirai were deployed in Friday’s attack.

“There needs to be a much greater awareness among the public, among manufacturers,” White said. “This may have been a wake-up moment, but as with most things in the cyber realm, it may take a few more times for it to sink in.”

It has not yet been determined who was behind Friday’s attack, which came at Dyn in several waves beginning about 4 a.m. Pacific Daylight Time. But because the code behind Mirai was leaked after the attack on Krebs, it could have been anyone.

“Mirai is a DDoS-for-rent environment,” Dale Drew, Level 3 Communications’ chief Internet security officer, said in a video posted on Periscope. Hackers charge others for access to compromised machines, making it hard to determine the actual force behind a given attack.

The Department of Homeland Security and the FBI continue to investigate Friday’s cyberattack, though they have not yet identified a party responsible.

Activist hacker groups Anonymous and New World Hackers said they were responsible for the cyberassault on Dyn late Friday, telling several news organizations that it was an act of solidarity and retaliation over the Ecuadoran government’s decision to cut off WikiLeaks founder Julian Assange’s Internet connection.

“Twitter was kind of the main target. It showed people who doubted us what we were capable of doing, plus we got the chance to see our capability,” a New World Hacker member who identified himself as “Prophet” told the Associated Press on Saturday via a Twitter message.

The hacker said the group’s next target would be the Russian government in response to the cyberattacks Russia has allegedly launched against the U.S. this year.

But security experts and U.S. officials said they had their doubts about the group’s boasts.

No evidence over the weekend could link either group to the Dyn attacks, and both have taken credit for high-profile attacks in the past when they, in fact, were not involved.

“If they were just trying to prove a point, they would have done it briefly, rather than kept a series of sustained attacks going a number of times throughout the day,” Grossman said. “I mean, it’s possible. But it’s not plausible.”


Is There Any Particular Reason For China To Stop Cyberscrewing the US?


The massive data breach of a US government server originating from China might make for awkward conversation between President Obama and Chinese President Xi Jinping during his visit to Washington this week. But as pissed off as Obama might be, his options for fending off future Chinese hacking may be limited to incoherent mumbling and impassioned gesturing.

In July, the US Office of Personnel Management (OPM) announced it was the target of a yearlong data breach that was the largest of its kind in US government history. The records of more than 20 million people were compromised, including highly sensitive security clearance background information. Media reports citing unnamed government officials indicated the attacks originated in China, but whether the attackers had the support of the Chinese government is unclear. Though the stolen information has not shown up for sale in dark corners of the internet, reports indicate China may be compiling OPM and other stolen data into a database of US federal employees for further espionage potential, according to current and former intelligence officials.


China's alleged cyber intrusions are not limited to traditional espionage. They also target the private sector and commercial secrets -- an issue the House and Senate leadership warned President Barack Obama about in a letter this week.

Most countries make a distinction between political and economic espionage, with the former tacitly accepted as something all nations do, while the latter is not viewed as an acceptable government activity. The Chinese government tends to conflate the two, which makes a certain amount of sense given the intimate relationship between government and private industry in China. Despite high-profile breaches like the OPM hack, the US is most concerned about halting China's economic espionage activities.

"This isn't a mild irritation, it's an economic and national security concern to the United States," National Security Advisor Susan Rice said during an address at George Washington University Monday. "Cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation, and it needs to stop."

Xi repeated what has become China's standard answer to US accusations: "China takes cybersecurity very seriously," he said. "China is also a victim of hacking. The Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way." China has in the past expanded on these denials, citing its lack of control over independent actors — so-called "patriotic hackers" — and unsanctioned activities by local governments far from Beijing.

Determining who's doing the hacking is also challenging. Denise Zheng, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, said hackers "may wear a PLA [China's People's Liberation Army] hat during the day and black hat at night."

The question of how the US should respond remains tricky. Obama last week said the attacks were straining the US relationship with China, and "that we are prepared to take some countervailing actions in order to get their attention."

Those actions may not necessarily take place online.

"We've made clear that we have other punitive measures available when we do see instances of cyber intrusion and cyber theft," Ben Rhodes, the deputy national security adviser, said yesterday in a conference call with reporters. "Sanctions remain a tool of the United States, and we would be prepared, if necessary, to pursue sanctions."



Follow Shannon Hayden on Twitter: @ShannonKHayden

US Admits Hackers Stole 5.6 Million Fingerprints in Massive Data Breach


The United States government confirmed that some 5.6 million fingerprint records were stolen during a mass hack of Defense Department security clearance data.

The Office of Personnel Management (OPM) originally reported that hackers stole 1.1 fingerprints, but updated their figures in a statement issued Wednesday.

OPM now estimates that a total of 21.5 million people had their Social Security identification numbers and other sensitive information stolen in the hacking incident earlier this spring. The discovery of additional missing fingerprints did not affect that overall total, it said.

US officials have privately blamed the breach on Chinese government hackers, but they have avoided saying so publicly. Officials also have said no evidence has surfaced yet suggesting the stolen data has been abused, though they fear the theft could present counterintelligence problems.

OPM downplayed the danger of stolen fingerprint records, saying the ability to misuse the data is currently limited. But it acknowledged the threat could increase over time as technology evolves.
"Therefore, an interagency working group with expertise in this area… will review the potential ways adversaries could misuse fingerprint data now and in the future," it said.
The group includes members of the Intelligence Community, as well as the FBI, Department of Homeland Security, and the Pentagon.

"If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," OPM said.

The Defense Department and OPM are working together to begin mailing notifications to the people whose information was stolen, the OPM statement said.

Reuters contributed to this report


WIKILEAKS: TEXAS COMPANY HELPED PIMP LITTLE BOYS TO STONED AFGHAN COPS



Another international conflict, another horrific taxpayer-funded sex scandal for DynCorp, the private security contractor tasked with training the Afghan police.

While the company is officially based in the DC area, most of its business is managed on a satellite campus at Alliance Airport north of Fort Worth. And if one of the diplomatic cables from the WikiLeaks archive is to be believed, boy howdy, are their doings in Afghanistan shady.

The Afghanistan cable (dated June 24, 2009) discusses a meeting between Afghan Interior Minister Hanif Atmar and US assistant ambassador Joseph Mussomeli. Prime among Atmar's concerns was a party partially thrown by DynCorp for Afghan police recruits in Kunduz Province.

Many of DynCorp's employees are ex-Green Berets and veterans of other elite units, and the company was commissioned by the US government to provide training for the Afghani police. According to most reports, over 95 percent of its $2 billion annual revenue comes from US taxpayers.

And in Kunduz province, according to the leaked cable, that money was flowing to drug dealers and pimps. Pimps of children, to be more precise. (The exact type of drug was never specified.)

Since this is Afghanistan, you probably already knew this wasn't a kegger. Instead, this DynCorp soiree was a bacha bazi ("boy-play") party, much like the ones uncovered earlier this year by Frontline.

For those that can't or won't click the link, bacha bazi is a pre-Islamic Afghan tradition that was banned by the Taliban. Bacha boys are eight- to 15-years-old. They put on make-up, tie bells to their feet and slip into scanty women's clothing, and then, to the whine of a harmonium and wailing vocals, they dance seductively to smoky roomfuls of leering older men.

After the show is over, their services are auctioned off to the highest bidder, who will sometimes purchase a boy outright. And by services, we mean anal sex: The State Department has called bacha bazi a "widespread, culturally accepted form of male rape." (While it may be culturally accepted, it violates both Sharia law and Afghan civil code.)

For Pashtuns in the South of Afghanistan, there is no shame in having a little boy lover; on the contrary, it is a matter of pride. Those who can afford the most attractive boy are the players in their world, the OG's of places like Kandahar and Khost. On the Frontline video, ridiculously macho warrior guys brag about their young boyfriends utterly without shame.


BREAKING: Airman Awarded Purple Heart Medal for Injuries in France Train Attack



U.S. Air Force officials compared Airman 1st Class Spencer Stone to the comic book hero "Captain America" and said he will receive the Airman's Medal and possibly the Purple Heart for helping stop a gunman on a European train.
"What the gunman didn't expect was a confrontation with our very own 'Capt. America' -- and believe it or not, that is what Airman Stone's friends nicknamed him during Air Force technical training," Air Force Secretary Deborah Lee James said during a press conference Monday at the Pentagon.
Stone was traveling on a high-speed train from Amsterdam to Paris on Friday when he, along with two of his friends and a British businessman, subdued a gunman and suspected Islamic extremist who was armed with an AK-47, Luger pistol and box cutter.
Stone's unit has recommended him for the Airman's Medal, the service's highest non-combat award, and he may also receive the Purple Heart for being injured in the ordeal, officials said. He was hospitalized with cuts to his head, face and hand after the gunman attacked him with a box cutter.

The 23-year-old Stone "leapt into action" with two of his buddies from a California middle school -- National Guardsman Alek Skarlatos, 22, and Anthony Sadler, 23 -- as well as 62-year-old British businessman Chris Norman in confronting the gunman, who had strapped the assault rifle across his bare chest.
"Had it not been for this heroic quartet, I'm quite sure that we'd be discussing a bloodbath" rather than their heroism, James said. "They subdued the gunman and saved lives."
The secretary said that Stone's unit had put him up for the Airman's Medal and Air Force Chief of Staff Gen. Mark Welsh said that he also may be eligible for the Purple Heart.
"We are looking at the potential, to see whether we can award the Purple Heart as well," Welsh said, but it will first have to be determined whether the train incident was an act of terrorism. The 2009 attacks at Fort Hood, Texas, by then-Army Maj. Nidal Hasan were eventually ruled to be terrorism, making victims eligible for the Purple Heart.
The gunman has been identified as 26-year-old Moroccan Ayoub El-Khazzani. He was being held and questioned by French counterterrorism police outside Paris.
French and Spanish authorities have alleged that El-Khazzani is an Islamic extremist who may have spent time in Syria. El-Khazzani's lawyer said on Sunday that he was homeless and trying to rob passengers on the train to feed himself.
Earlier Monday, French President Francois Hollande awarded Stone, Sadler, Skarlatos and Norman the French Legion of Honor, the country's highest award.
In the gilded splendor of the Elysee Palace, Hollande said, "One need only know that Ayoub El Khazzani was in possession of 300 rounds of ammunition and firearms to understand what we narrowly avoided, a tragedy, a massacre."
"Your heroism must be an example for many and a source of inspiration," Hollande said. "Faced with the evil of terrorism, there is a good, that of humanity. You are the incarnation of that."
Stone, whose thumb was severely cut by the gunman, still had his left arm in a sling as well as a bruised eye.
"I kind of just woke up from a deep sleep and my friend Alek was sitting next to me," he recalled of the incident during a press conference at the U.S. embassy in Paris, according to a CNN video. "I turned around and saw he had what looked to be an AK-47 and it looked like it was jammed or it wasn't working and he was trying to charge the weapon.
"Alek just hit me on the shoulder and said, 'Let's go.' And [I] ran down, tackled him. We hit the ground. Alek came up and grabbed the gun out of his hand while I put him in a choke hold."

Not only did he tackle the gunman, Stone is also credited with helping save a passenger who was shot in the neck and squirting blood. He said he "just stuck two of my fingers in his hole and found what I thought to be the artery, pushed down and the bleeding stopped," according to an Associated Press article. He kept the position until paramedics arrived, the article stated.

The Department of Defense Must Plan for the National Security Implications of Climate Change


The responsibility of the Department of Defense is the security of our country. That requires thinking ahead and planning for a wide range of contingencies.

Among the future trends that will impact our national security is climate change. Rising global temperatures, changing precipitation patterns, climbing sea levels, and more extreme weather events will intensify the challenges of global instability, hunger, poverty, and conflict. They will likely lead to food and water shortages, pandemic disease, disputes over refugees and resources, and destruction by natural disasters in regions across the globe.

In our defense strategy, we refer to climate change as a “threat multiplier” because it has the potential to exacerbate many of the challenges we are dealing with today – from infectious disease to terrorism. We are already beginning to see some of these impacts.

A changing climate will have real impacts on our military and the way it executes its missions. The military could be called upon more often to support civil authorities, and provide humanitarian assistance and disaster relief in the face of more frequent and more intense natural disasters. Our coastal installations are vulnerable to rising sea levels and increased flooding, while droughts, wildfires, and more extreme temperatures could threaten many of our training activities. Our supply chains could be impacted, and we will need to ensure our critical equipment works under more extreme weather conditions. Weather has always affected military operations, and as the climate changes, the way we execute operations may be altered or constrained.

While scientists are converging toward consensus on future climate projections, uncertainty remains. But this cannot be an excuse for delaying action. Every day, our military deals with global uncertainty. Our planners know that, as military strategist Carl von Clausewitz wrote, “all action must, to a certain extent, be planned in a mere twilight.”

It is in this context that today I am releasing DoD’s Climate Change Adaptation Roadmap. Climate change is a long-term trend, but with wise planning and risk mitigation now, we can reduce adverse impacts downrange.

Our first step in planning for these challenges is to identify the effects of climate change on the Department with tangible and specific metrics, using the best available science. We are almost done with a baseline survey to assess the vulnerability of our military’s more than 7,000 bases, installations, and other facilities. In places like the Hampton Roads region in Virginia, which houses the largest concentration of U.S. military sites in the world, we see recurrent flooding today, and we are beginning work to address a projected sea-level rise of 1.5 feet over the next 20 to 50 years.

Drawing on these assessments, we are integrating climate change considerations into our plans, operations, and training across the Department so that we can manage associated risks. We are considering the impacts of climate change in our war games and defense planning scenarios, and are working with our Combatant Commands to address impacts in their areas of responsibility.

At home, we are studying the implications of increased demand for our National Guard in the aftermath of extreme weather events. We are also assessing impacts on our global operations – for instance, how climate change may factor into our rebalance to the Asia-Pacific. Last year, I released the Department of Defense’s Arctic Strategy, which addresses the potential security implications of increased human activity in the Arctic – a consequence of rapidly melting sea ice.

We are also collaborating with relevant partners on climate change challenges. Domestically, this means working across our federal and local agencies and institutions to develop a comprehensive, whole-of-government approach to a challenge that reaches across traditional portfolios and jurisdictions. Within the U.S. government, DoD stands ready to support other agencies that will take the lead in preparing for these challenges – such as the State Department, the U.S. Agency for International Development, and the Federal Emergency Management Agency.

We must also work with other nations to share tools for assessing and managing climate change impacts, and help build their capacity to respond. Climate change is a global problem. Its impacts do not respect national borders. No nation can deal with it alone. Today, I am meeting in Peru with Western Hemisphere defense ministers to discuss how we can work together to build joint capabilities to deal with these emerging threats.
Politics or ideology must not get in the way of sound planning. Our armed forces must prepare for a future with a wide spectrum of possible threats, weighing risks and probabilities to ensure that we will continue to keep our country secure. By taking a proactive, flexible approach to assessment, analysis, and adaptation, the Defense Department will keep pace with a changing climate, minimize its impacts on our missions, and continue to protect our national security.

Chuck Hagel is the U.S. Secretary of Defense.


Pentagon Warns of Immediate National Security Threats From Climate Change

Rising sea levels, hotter global temperatures, wildly fluctuating precipitation patterns, and more frequent extreme weather systems will likely intensify global instability, hunger, and poverty. These events could very well lead to acute food and water shortages, an explosion of pandemic diseases, waves of destitute refugees, and violent conflagrations over dwindling natural resources — a likelihood that should be viewed as an immediate threat to America's national security.

Those are the sobering themes of a new report on climate change, authored not by scientists or environmentalists, but by uniformed personnel at the US Department of Defense.

"The loss of glaciers will strain water supplies in several areas of our hemisphere," US Defense Secretary Chuck Hagel said Monday during a visit to Arequipa, Peru for the Conference of the Defense Ministers of the Americas. "Destruction and devastation from hurricanes can sow the seeds for instability. Droughts and crop failures can leave millions of people without any lifeline and trigger waves of mass migration."


The report — the 2014 Climate Change Adaptation Roadmap, which was released during Secretary Hagel's visit to Peru — proposes steps America's armed forces should take to identify and plan for the impacts of global climate change. It comes as NASA announced on Monday that September 2014 was the hottest September on record, making it increasingly likely that 2014 will become the warmest year ever documented.



"For the first time the Department of Defense is significantly engaging with the implications of climate change, specifically what to do now in terms of adapting to a new global threat," Andrew Holland, senior fellow for Energy and Climate at the American Security Project, told VICE News.

Holland says the report is not revolutionary. The Pentagon has been assessing the potential impacts of climate change for many years. What is novel about the roadmap, he says, is its emphasis on climate change as an immediate national security concern, one that should be discussed in the present rather than the future tense. And, he said, the document presents climate change as a risk not only to military personnel and equipment but to the well-being of the nation as a whole.


It remains to be seen what — if any — influence the report will have on America's political class, much of which defers to the Pentagon on many issues but has resisted policies for cutting greenhouse gas emissions or preparing for rising oceans and warmer temperatures.
Francesco Femia, co-director at the Center for Climate and Security, told VICE News: "It's not a political issue for the military and hopefully that will be reflected in how policy-makers approach the problem."
This sentiment is shared by Rhode Island Senator Sheldon Whitehouse, who co-chairs the Bicameral Task Force on Climate Change and has been an outspoken advocate for federal action aimed at addressing global warming.

"Our military leaders have for years warned of the serious threat climate change poses to our national security," Sen. Whitehouse told VICE News. "The military's new climate adaptation roadmap presents another opportunity for Republicans in Congress who deny or ignore climate change to reassess their priorities. They face a simple question: Do they trust the big polluters, or do they trust our nation's military sworn to defend us from harm?"


Holland said the Pentagon report is unlikely to be a transformative political moment in the near-term. He added, however, that retired and active duty military personnel have begun to speak out over the past several years about climate change, which is having an impact on otherwise skeptical audiences, albeit not yet within the Beltway.

"The politics of climate change are so weird right now," Holland told VICE News. "I'd like to think that having real, credentialed national security voices talk about the threat of climate change would make a difference. But I just don't know if it's trickling up yet to politicians and policy-makers."
"For them," Holland added, "climate change is still an energy problem rather than a national security problem."
Follow Robert S. Eshelman on Twitter: @RobertSEshelman