Thursday 17 July 2014

U.S. Accuses Chinese Executive of Hacking to Mine Military Data


An F-35A Joint Strike Fighter takes off on a training sortie in Florida in 2012. Reuters
WASHINGTON—The Justice Department has charged the owner of a Chinese aviation technology company with stealing reams of information from U.S. defense contractors about key American technology—the latest in an effort to criminally prosecute what American officials allege is rampant Chinese industrial espionage.
The charges against Su Bin, a Chinese citizen living in Canada, shed new light on an alleged hacking ecosystem that officials have long said poses a threat to many U.S. companies.
Tensions between the U.S. and China over cyberespionage remain high. Secretary of State John Kerry, visiting China this week, raised the "chilling effect" hacking has on U.S. firms. The Chinese, in turn, see themselves as victims of cyberespionage. On Friday, state broadcaster China Central Television called a location-tracking function offered by Apple Inc.'s iPhone a "national security concern."
Prosecutors in Los Angeles unsealed a 50-page complaint accusing Mr. Su of working with two co-conspirators in China between 2009 and 2013 to break into computers at Boeing Co. and other defense contractors, steal technology and pass it to entities in China, sometimes for a price.

The trio allegedly stole sensitive information about Boeing's C-17 military transport plane and two of the Pentagon's most advanced fighter jets, the F-22 and F-35, built by Lockheed Martin Corp., among other projects.
Unlike five Chinese military officers who were charged in May with hacking into U.S. companies, Mr. Su appears to have been working for himself, according to the complaint.
After a request from the U.S., Mr. Su was arrested June 28 in Canada, a spokeswoman for the Canadian Department of Justice said. He faces extradition proceedings. A lawyer for Mr. Su didn't respond to a request for comment.
The F-35 has been a long-standing target of suspected overseas hackers. The Wall Street Journal reported in 2009 that hackers, possibly Chinese, had penetrated Pentagon computers containing information about the program.
The complaint helped to answer one question about China's sprawling hacking-industrial complex. The country's cyberwarriors, some of whom work for the military and others on their own, hit so many targets and vacuum up so much information that it can at times be hard to tell who is directing them, a former U.S. official said.
Many hackers work as freelancers, sometimes during off hours, then try to sell stolen information to state-owned firms.
"It's the equivalent of the [Tennessee Valley Authority] going out and hiring hackers to go spy on China," said James Lewis, a former State Department official and a cybersecurity expert at the Center for Strategic and International Studies.
In the Boeing case, the effort appeared to be directed not by China's central government but by Mr. Su, owner of a firm named Beijing Lode Technology Co. Ltd.
The firm describes itself as an aerospace technology company on its website. The complaint said the company "is in contact with military and commercial entities involved in aerospace technology" in China.
It remains unclear who employs the two unnamed Chinese hackers listed as co-conspirators. Most of China's cyberespionage activities are controlled by the Chinese army, U.S. officials say.

A spokesman for the Chinese embassy in Washington said he wasn't aware of Mr. Su's case, but said that in recent meetings, U.S. and Chinese officials have discussed the issue and that China told the U.S. to take a "constructive approach."
The complaint describes one of the unnamed hackers as the other's supervisor in various organizations. When picking targets, the duo saw "military technology intelligence as a main focus," according to an internal report cited in the complaint.
The complaint doesn't say how the two alleged hackers came to know Mr. Su.
The alleged hackers gave Mr. Su a 1,467-page list of the Boeing files they could steal, according to the complaint. Mr. Su would then tell them which files he thought would interest state-owned aerospace firms in China.
For instance, Mr. Su apparently wasn't interested in the "C-17 Demilitarization Plan" draft but wanted the "C-17 Hangar Requirements," according to the complaint.
Selling the allegedly stolen plans to Chinese businesses was sometimes challenging, according to the complaint. After repeated emails from one of the hackers, Mr. Su responded, "I understand that it's very urgent for you. It's not easy to sell the information."
He reminded his colleague that "the big money" could come later, according to the complaint.
Two former U.S. officials said Chinese hackers often are paid little and take on side projects to make money.
"The value is decent," Mr. Su wrote of allegedly stolen information they were trying to sell to a Chinese company, according to the complaint. "In China, this information is what [an unnamed Chinese aircraft maker] needs. They are too stingy!"

It is unclear what data, if any, Mr. Su allegedly eventually sold into China. But the hackers boasted about the heist in internal memos, suggesting someone benefited from the data. The government says it didn't find evidence indicating whether Mr. Su took classified information, though the complaint said some of the data was subject to laws that restrict the export of military technology.
Boeing said it was informed by the FBI and Air Force investigators of the alleged breaches in 2012 and was continuing to cooperate with authorities. Lockheed said it is cooperating with the U.S. government.
Boeing delivered the first C-17 to the U.S. Air Force in 1993. The four-engine jet, able to carry troops and equipment to and from small airfields, won overseas orders from allies including the U.K., Australia and Canada.
But after a dearth of new orders, Boeing said last year it would end production and close the Long Beach, Calif. factory that assembles the jet in 2015.
China's state-controlled Xian Aircraft Corp. is developing its own four-engine military cargo jet, dubbed the Y-20, that flew for the first time last year. Western defense experts have said the plane bears similarities to the C-17, though other military transport planes also share attributes.
Any security breaches involving fighter jets are likely to cause more alarm. Pentagon officials have in recent months expressed concerns that the U.S. is losing its technological superiority in some areas.
"We remain deeply concerned about cyber-enabled theft of sensitive information," a Justice Department spokesman said. "The conspirators are alleged to have accessed the computer networks of U.S. defense contractors without authorization and stolen data related to military aircraft and weapons systems."

Hamas hacks Israeli TV sat channel to broadcast pics of Gaza wounded

Gaza's ruling group Hamas took over an Israeli satellite channel for a few minutes on Monday to broadcast pictures of Gaza wounded.
Viewers who tuned into Israeli Channel 10 reported seeing images of people wounded from Israeli airstrikes on Gaza as well as propaganda messages promising more rocket strikes on Israel from Hamas' military wing.
The pictures of the wounded were accompanied by a commitment to retaliate by Palestinian militants: "Your government chose the opening hour of this campaign. If your government does not agree to our terms, then prepare yourself for an extended stay in shelters."
Israeli broadcast authorities said that Hamas was able to take over a satellite feed supplying Channel 10. Terrestrial broadcasts were not affected, so viewers watching the station using digital converters did not see the messages, according to Israeli media reports.
Hamas has hijacked TV broadcasts before. It took over Channel 10 and Channel 2 during Operation Pillar of Defense, a week-long Israeli armed forces operation in the Hamas-governed Gaza Strip two years ago that was justified as an attempt to stop rocket attacks against Israeli civilians.
These propaganda efforts are far from a one-way street. Israeli military forces reportedly hacked into a Hamas-run TV station to broadcast propaganda back in 2009, for example.
Audiences were treated to clips featuring the gunning down of Hamas leadership, accompanied by a message in Arabic: "Time is running out".

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say.
The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices, but the exploits offer the chance to inject video frames into cameras (handy for home robberies), intercept video, and exploit the Heartbleed vulnerability to pull passwords and the SSL server's private key.
Dropcam makes a video monitoring platform and was last month snapped up by Google's Nest Labs for $US555 million.
Wardle (@patrickwardle) and Moore (@colbymoore) of security firm Synack, California, reverse-engineered Dropcam hardware and software and discovered vulnerabilities that could allow malware to be implanted on the devices which would attack home or corporate networks.
"If someone has physical access, it's pretty much game over," Wardle told DarkReading.
"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the Dropcam DNS server, and the camera would beacon out."
The duo will describe how Dropcam could morph into an attack point within a user's network during a talk, "Optical Surgery: Implanting a Dropcam", at the upcoming DEF CON 22 conference in Las Vegas next month.
They will recount their reverse-engineering efforts, which led to the "full compromise of a DropCam" that, with physical access and "some creative hardware and software hacks", would allow any malware to be persistently installed on the devices. The duo will also reveal how to infect Windows or Mac OS X boxes that were used to configure hacked Dropcams.
Wardle said the cameras should be subject to the same security checks as regular computers given their capabilities and vulnerabilities.
Dropcam was found to be running Heartbleed-vulnerable versions of OpenSSL and the Unix utility suite BusyBox.

Mandatory data breach laws back on Australian agenda

Australia's on-again, off-again debate about data breach notification laws is on again, courtesy of a report into financial system regulation, at least until the government cans the idea (again).
Register readers will recall that a Privacy Alerts bill was proposed by the previous government before the 2013 election, then delayed, re-introduced in March, and abandoned in June by the current government.
Now, the federal government's Financial System Inquiry has issued an interim report (PDF) that recommends the government re-examine the issue.
As the report states “Access to growing amounts of customer information and new ways of using it have the potential to improve efficiency and competition, and present opportunities to empower consumers. However, evidence indicates these trends heighten privacy and data security risks”.
To cover these risks, the report unequivocally backs “mandatory data breach notifications to affected individuals and the Australian Government agency with relevant responsibility under privacy laws”.
At the same time, the report seems to take issue with current attitudes to cloud computing – particularly in relation to offshore storage of Australian data. The Australian Prudential Regulatory Authority, it says, should be advised of “continuing industry support for a principles-based approach to setting cloud computing requirements”, and the government should review record keeping rules that currently inhibit “cross-border information flows”.
Digital identities are also highlighted in the report, with the government urged to pursue “a national strategy for promoting trusted digital identities”.
The FSI is seeking comment on the interim report until 26 August 2014, and has until November 2014 to issue its final report.

Crooks fling banking Trojan at Japanese smut site fans

Cybercrooks are targeting Japanese smut site aficionados with a new banking Trojan run.
The Aibatook malware is targeting customers of Japanese banks who are also visitors on some of the country's most popular pornographic websites.
Security researchers at anti-virus firm ESET estimated that more than 90 smut sites have been contaminated with malicious code.
The malware relies on exploiting a Java security flaw that was patched more than a year ago to push Aibatook onto Windows PCs. More specifically, users visiting compromised sites are redirected towards an exploit page that attempts to take advantage of a Java vulnerability (CVE-2013-2465) patched in June 2013. Attacks involved displaying a 404 error page to mask the fact that the PC is silently running a malicious Java applet.
The whole attack relies on a single Java exploit rather than the standard approach of planting an exploit kit on compromised websites. Exploit kits attempt to exploit a raft of common browser and other application software vulnerabilities (Adobe Flash, Java etc.) to drop malware onto PCs that are not up to date with their patches.
Once the Aibatook malware is installed, it waits for victims to log into online banks with Internet Explorer (the most widely used browser in Japan). The malicious code is designed to inject fraudulent forms onto banking pages, forms designed to trick customers into handing over confidential banking login information.
Stolen data is then sent to the criminals behind the Aibatook malware campaign via a command-and-control server. The attack, explained in greater depth in a blog post by ESET, illustrates the importance of keeping up to date with patches.
ESET researchers warn the same crooks behind the Aibatook attack have created newer versions of the malware, capable of stealing credentials from users of web-hosting services and domain resellers.

Botnets infecting 18 systems per second, warns FBI

The high infection rate of criminal botnets costs the US and global economies billions of dollars
Criminals are developing increasingly sophisticated attack strategies that let them infect as many as 18 systems per second with their botnet armies, according to the FBI.
FBI assistant director Joseph Demarest revealed the statistic while briefing a Senate sub-committee about the agency's current and future anti-cyber crime strategy on Tuesday. He said the news is troubling as the botnets' high infection rate costs the US and global economies billions of dollars.
"The use of botnets is on the rise. Industry experts estimate that botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major US businesses," he said.
"The impact of this global cyber threat has been significant. Botnets have caused over $9bn in losses to US victims and over $110bn in losses globally. Approximately 500 million computers are infected globally each year, translating into 18 victims per second."
Demarest added this is doubly troubling as many of the botnets are currently rentable and could be used by a variety of criminals or terrorist organisations.
"As you well know, we face cyber threats from state-sponsored hackers, hackers for hire, organised cyber syndicates and terrorists. They seek our state secrets, our trade secrets, our technology and our ideas – things of incredible value to all of us," he said.
"They may seek to strike our critical infrastructure and our economy. The threat is so dire that cyber security has topped the Director of National Intelligence's list of global threats for the second consecutive year."
The FBI assistant director's claim follows the discovery of a new Energetic Bear hack campaign targeting critical infrastructure. The threat was so severe that at the start of July the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning urging firms involved in critical infrastructure to check their systems.
Demarest said the FBI is already developing new technologies and techniques to help mitigate the growing threat, but argued that increased collaboration between law enforcement agencies and the public and private sector is needed to deal with the problem.
"The FBI's overall goal is to remove, reduce, and prevent cyber crime by attacking the threat through the identification of the most significant cyber criminal actors. Our success can only be attained through co-ordination of our overall cyber criminal strategy amongst all FBI Cyber Division's existing and emerging entities," he said.
"The FBI cyber criminal strategy also includes working closely with our international partners to develop a holistic assessment of the threat posed by cyber criminals and organisations to partner countries.
"Through this collaborative process, the FBI hopes to launch aggressive and comprehensive mitigation strategies through joint investigations and operational partnerships with law enforcement partners, private industry, and academia."
Demarest highlighted the success of the recent international Gameover Zeus takedown as proof of his claim. "In June 2014, the FBI announced a multinational effort to disrupt the Gameover Zeus botnet, the most sophisticated botnet that the FBI and its allies had ever attempted to disrupt," he said.
"This effort to disrupt it involved impressive co-operation with the private sector and international law enforcement. The FBI is proud of these successes, but we recognise that we must constantly strive to be more efficient and effective. Just as our adversaries continue to evolve, so too must the FBI."
Experts within the security community have been less positive about the Gameover Zeus operation, though. Speaking to V3 after the takedown many warned the operation could spur the botnet's owners to develop more dangerous attack strategies.
The warnings proved right on 11 July when an evolved, more resilient version of the Gameover Zeus botnet was discovered.

Own a Cisco modem or wireless gateway? It might be owned by someone else, too

A number of Cisco home network gateways have a security bug that allows attackers to hijack the devices remotely. A firmware update to close the hole is being rolled out to ISPs to deploy.
The networking giant said that certain Wireless Home Gateway products are vulnerable to a remote-code execution attack, which is triggered by sending a specially crafted HTTP request to the web server running on the hardware.
Cisco said "the vulnerability is due to incorrect input validation for HTTP requests," which allows "an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution."
"Successful exploitation could allow the attacker to crash the web server and execute arbitrary code with elevated privileges," we're told. "There are currently no known workarounds available for this vulnerability."
The vulnerable products are:
  • Cisco DPC3212 VoIP Cable Modem
  • Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco EPC3212 VoIP Cable Modem
  • Cisco EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco Model DPC3010 DOCSIS 3.0 8x4 Cable Modem
  • Cisco Model DPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
  • Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
  • Cisco Model EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
According to Cisco, the flaw is present on the devices whether they are operating as internet access gateways or as wireless routers on home or small office gateways. The bug was reported to Cisco by Chris Watts of Tech Analysis.
The networking biz has distributed a patch to broadband providers to pass onto affected home and small office customers.
The HTTP web server is provided in the devices' firmware to allow them to be configured from across the public internet. For example, the documentation for the vulnerable DPC3825 and EPC3825 models reads: "The protocol HTTP is required for remote management. To remotely access the device, enter https://xxx.xxx.xxx.xxx:8080 (the x's represent the device's public Internet IP address, and 8080 represents the specified port) in your web browser's address field."
Although this remote management feature can be disabled in the aforementioned devices, Cisco says there is no workaround for the bug.
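Cisco's advisory names the bug class (incorrect input validation of an HTTP request leading to a buffer overflow) without publishing code. The following is an added illustration, not Cisco's firmware and not the actual vulnerable code: a hypothetical header parser shows the unchecked copy that makes this class of bug possible next to the length-validated version a hardened web server would use. The request strings, buffer size and function names are all constructed for the example.

```c
/* Added illustration of the bug class only; hypothetical code, not Cisco's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 32   /* hypothetical fixed-size buffer for one header value */

/* Vulnerable pattern (hypothetical): the copy trusts the request to be short.
 * A header value longer than VALUE_MAX overruns dst. Kept only for contrast;
 * nothing in this file calls it. */
static void copy_value_unchecked(char dst[VALUE_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: validate the length the request supplied before copying,
 * and reject the request outright rather than truncating silently. */
static bool copy_value_checked(char dst[VALUE_MAX], const char *src, size_t src_len)
{
    if (src_len >= VALUE_MAX)
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Look up header `name` in a raw HTTP request and copy its value into out.
 * Returns 0 on success, -1 if the header is absent, -2 if the value is
 * too long for the buffer (the case the unchecked version would overflow). */
int get_header_value(const char *request, const char *name, char out[VALUE_MAX])
{
    size_t name_len = strlen(name);
    const char *line = request;

    while (line != NULL && *line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);

        /* "Name:" must fit in the line before we compare it. */
        if (line_len > name_len + 1 &&
            strncmp(line, name, name_len) == 0 && line[name_len] == ':') {
            const char *val = line + name_len + 1;
            size_t val_len = line_len - name_len - 1;
            while (val_len > 0 && *val == ' ') {   /* skip optional whitespace */
                val++;
                val_len--;
            }
            return copy_value_checked(out, val, val_len) ? 0 : -2;
        }
        line = eol ? eol + 2 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample requests: one well-formed, one with an oversized Host value. */
    const char *ok_req =
        "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1:8080\r\nUser-Agent: x\r\n\r\n";
    const char *long_req =
        "GET / HTTP/1.1\r\nHost: "
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\r\n\r\n";
    char value[VALUE_MAX];

    printf("Host lookup: %d (%s)\n", get_header_value(ok_req, "Host", value), value);
    printf("Oversized Host rejected: %d\n", get_header_value(long_req, "Host", value));
    printf("Missing Cookie header: %d\n", get_header_value(ok_req, "Cookie", value));
    return 0;
}
```

The defender's takeaway is the `-2` path: a server that validates the attacker-controlled length before the copy turns the overflow into a rejected request, which is the difference between "no known workarounds" and a bug that never existed.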
The disclosure comes just one day after Oracle threatened to drown admins in a deluge of 113 patches, including 20 for Java. Last week, Microsoft and Adobe posted their July scheduled security updates, fixing three critical bugs in total.

German NSA probe chief mulls spy-busting typewriters

Germany's government has mulled a return to typewriters in a bid to evade US spy agencies, according to the head of the nation's National Security Agency inquiry.
The incredible decision came in response to a torrent of allegations that the NSA had spied on the German agencies and parties including Chancellor Angela Merkel.
It prompted Merkel last week to expel America's CIA chief in Berlin and fire another in a series of salvos at the US surveillance complex, stating that "spying is ultimately a waste of force".
The head of the Bundestag's NSA inquiry and Christian Democrat politician Patrick Sensburg told the German Morgenmagazin program the group was seriously considering manual typewriters as a means to avoid spying.
"As a matter of fact, we have [considered typewriters] – and not electronic models either", Sensburg said.
Other committee members struck back at the remarks stating they were laughable and damaging to the integrity of the inquiry.

Opposition committee member Martina Renner said on Twitter she'd sooner get rid of the Secret Service than start using typewriters, or burning little notes after reading.
Social Democratic Party committee rep Christian Flisek also took to Twitter in opposition to the call for retro word processing, labelling the idea "ridiculous" and not a normal part of counter-surveillance.
Russia was, Vulture South contends, already using mechanical typewriters and had bought a pricey fleet of 20 more after Snowden's NSA spying allegations.
It was unclear if Russia bought the Olympia and Triumph typewriters for counter-surveillance purposes or merely for nostalgia.

Flaws found in Bitdefender enterprise endpoint manager

Holes have been reported in Bitdefender's Gravity end-point protection platform that allow hackers to target corporate infrastructure.
Researcher Stefan Viehbock of SEC Consult Vulnerability Lab said the flaw affecting the latest version provided an entry point for attackers to move laterally through the network.
"Attackers are able to completely compromise the Bitdefender GravityZone solution as they can gain system and database level access," Viehbock said in an advisory.
"Furthermore attackers can manage all endpoints."
Gravity contained three vulnerabilities, two of which were patched, including an unauthenticated local file disclosure in the platform's web console and update server that allowed attackers to read arbitrary files, including cleartext passwords, "from the filesystem with the privileges of the nginx operating system user."
Bitdefender also patched missing authentication for particular scripts in the web user interface that granted attackers access to admin functions.
A remaining flaw meant the MongoDB database could be accessed and configuration data altered using hardcoded username and password credentials that users could not change.
The security vendor planned to patch the remaining flaw at the end of the month. Security researchers recommended customers stop using the platform until a patch was released and a "thorough security review" was performed by security pros.