It’s time for the Cyber Attacks Timeline for the first half of January 2014. I wish we had a better start for this Infosec year. Not even a month has passed (actually this timeline covers the first two weeks) and we have already seen several massive breaches (Snapchat) and other resounding events, maybe less relevant from a mere numeric perspective, but equally meaningful for the high profile of the victims involved (Microsoft).
Besides Snapchat, other important organizations have been targeted by Cyber crooks with very bad consequences: World Poker Tour (175,333), Staysure (93,000 individuals involved) and OpenSUSE (79,500 victims) are the most noticeable examples. On the cyber crime front other meaningful events include a wave of attacks against Video Games industries, and the hacking of Yahoo advertise network, infecting, potentially 27,000 users per hour.
Hacktivists of the Syrian Electronic Army are back with the result that even Microsoft is now part of the list of their victims (however their web site was also hacked in the same period). Other hacktivists very active in the same period include the infamous RedHack collective.
Last but not least, the control room of the Nuclear Plant of Monju in Japan was found infected with a malware capable of allegedly exfiltrate 42,000 emails.
As usual, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Find here February 2012 Cyber Attacks Timelime Part I.
With a small delay (my apologies but the end of February has been very busy for me and not only for Cybercrooks as you will soon see), here it is the second part of my compilation with the main Cyber Attacks for February 2012.
Easily Predictable, the Hacktivism is still the main concern for System Administrators, in particular for the ones of Stratfor who suffered a huge leak of 5 million of emails.
On the same front, the threats of the Anonymous for the Friday actions have come true and as a matter of fact Law Enforcement Agencies suffered other remarkable breaches in this month: Infragard for the second time and also Interpol (a new entry) that was taken down after the arrest of 25 members of the collective. Anti ACTA protest also continue to shake Europe as also the delicate economical and social situation in Greece.
Last but not least, this month has also seen an unforgettable leak, affecting potentially more than 1.000.000 Youporn users.
As usual, the chart does not include the events related to Middle East Cyber War Timeline, that you may find at this link, as they “deserve” a dedicated timeline.
Yesterday I stumbled upon a couple of really interesting news published respectively by the Chaos Computer Club, the famous German hacker community, and by CNET, concerning in both cases “new” technologies aimed to fight crime. But if the news published by the CCC is yet another example of alleged Government Malware, that is a spyware built with the purpose to spy and collect evidences on the target’s computers, the news published by CNET sounds incredible and brings our minds to the well-known scenes of Minority Report, where Police used precognition to prevent crime.
In any case, both articles mix information security, privacy and ethics, and raise many concerns about the role of technology to fight crime and its right to cross the boundaries with ethics and privacy
Let us begin from the FAST
FAST (Future Attribute Screening Technology) is the name of a project sponsored by the U.S. Department of Homeland Security which aims to prevent crime using algorithms based on ethnicity gender, breathing and heart rate (At Least no PRECOG so far). FAST seeks to develop behavioral screening technologies that will enable security officials to test the effectiveness of current screening methods at evaluating suspicious behaviors and judging the implications of those behaviors. The ultimate goal of the FAST project is to equip security officials with the tools to rapidly assess potential threats.
According to a June 2010 Document, FAST is already in operation and its test is ongoing on a Planned Limited User Evaluation after an initial test on DHS Employees. For this initial sample of Employees, the system collected video images, audio recordings, and psychophysiological measurements (i.e., heart rate, breathing pattern, thermal activity, and other physiological and behavioral cues). The data were used for Baseline. A field testing has been conducted in an undisclosed location in the Northeast, with a select group of participants on a volunteer basis.
In the latter case several data were collected such as: demographic information (age, gender, occupation, and ethnicity), medical information (heart, circulation, respiratory, and vision issues), current medications, and substance use in the last week (caffeine, tobacco, alcohol, other substances).
The document also states DHS will only have access to aggregated and anonymized data and this was confirmed to CNET by a Homeland Security spokesman.
So definitively, are the criminals really going to be captured by PRECOGs before perpetrating a crime? Not yet! DHS, provided a statement to CNET that said:
The department’s Science and Technology Directorate has conducted preliminary research in operational settings to determine the feasibility of using non-invasive physiological and behavioral sensor technology and observational techniques to detect signs of stress, which are often associated with intent to do harm. The FAST program is only in the preliminary stages of research and there are no plans for acquiring or deploying this type of technology at this time.
And Proceed with the Furious
Maybe German people would be quite furious in this moment, in knowing that they have been possible targets of a (un)lawful interception Malware allegedly crafted by the German Police Force (dubbed “0zapftis”, “Bundestrojaner” or “R2D2″) with the purpose to spy online activity and record Skype internet calls. Its discovery was announced yesterday by the Chaos Computer Club which reversed engineered and analyzed the malware.
The malware, according to its original concept, should have been a light variation of the original “Bundestrojaner” forbidden by the German constitutional court on February 27 2008. Even before this sentence, the German government introduced a less conspicuous variant of the spyware dubbed “Quellen-TKÜ” (the term means “source wiretapping” or lawful interception at the source), whose only purpose, by definition, was to wiretap internet telephony, enforced through “technical and legal” means.
Unfortunately the analysis conducted by CCC has shown that the “Bundestrojaner light” goes much further than its initial concept violating the terms set by the constitutional court and, even worse, according to the analyzers is badly written and lacks the basic security measures (for instance no mutual authentication and poor encryption), so making a malicious third party capable to intercept the captured or use the Trojan to install arbitrary programs or upload arbitrary data on the target’s computer.
This is not the first case of a Government Spyware: Sophos reports about a German state-sponsored cyber-spying in in 2008, when there were claims that German Foreign Intelligence Service deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan, and almost ten years ago when there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that they had written – dubbed “Magic Lantern“. Even a recent occurrence also happened in Italy when, as part of an investigation against a criminal conspiracy, the police injected a spyware into the computer of an individual used to collect evidences of his role inside the conspiracy.
Easily predictable this affair will rise a political storm in Germany. Although it is not clear if it was really written by the German Police, the CCC has informed the German Ministry of the Interior. If it is true that the malware is really capable not only to gather information, but also to upload data or install other programs, it also possible that it could be (or worst has already been) used to build (and gather) artificial evidences against the target (this is the reason of my logical link with the FAST affair).
The boundary between lawful interception and privacy is blurred, maybe is time, for the legislators, to regulate the growing use of spyware for lawful interception and the consequent authorized infiltration of suspects’ computers and their secret hard drives scanning.