Crossroads Blog | CYBER SECURITY LAW AND POLICY


Cyber Roundup (9/27): CyberComm says Chinese targeting Pentagon, Cyberwarfare emerges from the shadows, cyber bringing us back to the dark ages, social engineering, hackers breach Adobe, and much more . . .

Quite a few interesting articles tonight . . .

On 9/27, Jim Wolf reported for Reuters on comments by Rear Admiral Samuel Cox, CyberComm’s director of intel, on efforts by the Chinese to penetrate Pentagon computer networks.  Specifically, Admiral Cox said that “[The Chinese] level of effort against the Department of Defense is constant . . . It’s continuing apace . . . In fact, I’d say it’s still accelerating.”

Admiral Cox also said that CyberComm is continuing to move towards full combatant command status.  Right now it falls under StratComm.

***

The New York Times’ Scott Shane wrote a very comprehensive article on how the U.S. cyberwarfare program is “emerging from the shadows for public discussion.”  Noting that U.S. officials had previously been reticent, “[t]he chorus of official voices speaking publicly about American cyberattack strategy and capabilities is steadily growing,” possibly allowing the U.S. to “stake out legal and ethical rules in the uncharted territory of computer combat.”  Shane went on to cite the public announcement of DARPA’s Plan X, Harold Koh’s recent comments on how international law applies to cyberwar, the USAF’s recent public solicitation for cyberweapons that could “‘destroy, deny, degrade, disrupt, deceive, corrupt or usurp’ an enemy’s computer networks,” and news that a Marine commander had already used cyberattacks while in Afghanistan as evidence that the discourse on U.S. cyberoperations is becoming public.

This, according to Matthew Waxman of Columbia Law, may be a good thing.  The White House was largely silent on the use of drones, thereby “ced[ing] a lot of ground to critics to shape the narrative and portray U.S. practices as lawless.” By contrast, the U.S. can “seize the opportunity to lay out a set of rules for itself and others” and craft a persuasive narrative by openly discussing cyberwar.

Check out the rest of the NYT’s article by Scott Shane here.

***

Robert O’Harrow Jr. reported for The Washington Post on social engineering.  Social engineering is a technique where hackers use a person’s personal information to trick that person into allowing the hacker access to the network.  Social engineering and spear phishing (highly personalized e-mails with malicious code attached) go hand in hand.  The article presented an in-depth look at the methods and goals behind social engineering, and in doing so, really drove home the point that the most vulnerable link in the cybersecurity chain remains the human being.

There’s too much in the article to summarize effectively (it’s 4 pages long).  General idea: social engineering is a threat, the Chinese Comment Crew (one of the two hacker groups responsible for most of the hacking against Western networks) is really good at it, and people don’t realize how vulnerable they are.  One portion that really caught my eye, however, concerned some software called Maltego.  According to O’Harrow Jr., Maltego is social engineering software.  Maltego was able to:

[L]ook[] for a person to target at Fort Meade, home to the super-secret NSA. He typed in Fort Meade’s latitude and longitude and searched for Twitter users. In a couple of steps, Maltego quickly delivered the name of a person who tweeted at the Fort Meade location.

With that, Maltego searched MySpace, a dating Web site and other resources to build a rich profile: a young Army private who served in South Korea, likes to smoke and drink, divorced and looking for a “serious relationship.” She likes Harry Potter movies and “The Cosby Show.” Maltego also turned up her name, address and birthdate.

That is crazy.

You can find a lot more to Robert O’Harrow Jr.’s WashPo article here.

There was an interesting video in the article too:

***

Joseph Menn for Reuters on how some cyberexperts think that uncontrolled cyberweapons could bring us back to a time without electricity.  The article quoted Eugene Kaspersky of Kaspersky Lab: if cyberweapons continue to proliferate, “somewhere in 2020, maybe 2040, we’ll get back to a romantic time – no power, no cars, no trains . . ..”

Those remarks came during a conference that also featured prior NSA/CIA Gen. Michael Hayden.  Both Kaspersky and Gen. Hayden agreed that “international treaties or even nonbinding agreements were nowhere in sight.”

***

Wired’s Kim Zetter reported that hackers breached Adobe’s code-signing system “and used it to sign their malware with a valid digital certificate from Adobe.”  Adobe has revoked the certificate.

***

The New York Times’ Nicole Perlroth on how a hacker group called Izz ad-Din al-Qassam Cyber Fighters took credit for attacking JPMorgan/BOA/Citigroup/Wells Fargo/PNC, but they probably had help (read: Iran).

***

Bloomberg’s Jordan Robertson on how the GAO has taken note that medical devices “are potentially vulnerable to being remotely controlled by hackers and should be tracked more closely . . ..”
