The US Defense Department is reportedly developing a portable cyber-warfare device designed to be used by non-technically advanced soldiers on the battlefield. This device is small enough to be carried in a backpack yet powerful enough to penetrate, infiltrate or shut down local wireless data networks. There are many possible uses for such a device, as more and more enemies depend on wireless networks to carry voice (VoIP), data, and control commands. One of the primary targets intended for this device is the SCADA (Supervisory Control and Data Acquisition) systems that control crucial enemy infrastructure.
The device works by scanning the local area for wireless network nodes. It can temporarily disrupt the network and listen for it to come back online. This process will help the device to identify weak points in the network and allow for attack strategy analysis. Soldiers can then choose a mode of attack and command the device into action. There are several settings that can be adjusted by the soldiers to fit each mission requirement. For more covert operations the device can be set to low detection mode, while operations that require immediate and drastic effects can be set to maximum effective mode.
Perhaps the most impressive aspect of this device is the user-friendliness. Even soldiers without much technical training should be able to operate this device. It will contain a touch screen interface that requires only some basic inputs in order to operate. Coupled with the small size and mobile nature of the device, it should be an important tool in the arsenal of any modern military force.
Source: http://news.softpedia.com/news/U-S-Military-Developing-Hacking-for-Dummies-Cyber-Warfare-Device-112483.shtml
CNN today carried perhaps the first mainstream media article outlining the issue of cyber warfare that I have seen this year. In the article, the author cites various security experts who say a “cyber cold war” may have already begun.
Article here: http://www.cnn.com/2009/TECH/11/17/cnet.cyberwar.internet/index.html
The article points out that the U.S., Israel, Russia, China, and France have all begun programs to study vulnerabilities of other nation states and to amass cyber arsenals. This brings to mind the quote by a Chinese general that we studied in class that the Chinese armed forces should be focusing on building a cyber attack force.
Although no definitive incidents of cyber warfare can be cited, many have pointed to possible ones. The July 4th attacks on South Korea and US communications could possibly be a North Korean test to see if they can successfully disrupt communications and affect the US military in case of war on the peninsula. The unavailability of Estonian websites in 2007 and Georgian websites last year could both be orchestrated military cyber attacks even though they were reportedly perpetrated by civilians. What’s the likelihood that those civilians were acting under orders of the Russian government? Is it really that farfetched?
Conspiracies aside, it is a fact that many governments and military agencies around the world are preparing for cyber warfare. The NSA has been actively recruiting people with such skills on both the offense and defense sides. It is not likely that a future cyber war will be bloody and gory like traditional warfare, but it may impact us in the safety of our own homes. That may be more scary.
Something interesting developed over at Facebook this week. Some users figured out a security hole in Facebook’s group function that allows a group to be taken over by ANYONE once the administrator of the group steps down. Two self-described activists then proceeded to take over almost 300 groups and modified them to display “Control your info”, apparently in an attempt to warn others of this Facebook shortcoming.
Story here http://www.cnn.com/2009/TECH/11/10/facebook.groups.hacked/index.html
I read some of the comments that have been posted. Some people feel it is a non-issue since they didn’t break anything and were only doing what Facebook allowed them to do. Some others feel that they are common criminals. I don’t have any concrete understanding of the laws, but my understanding is that they may have exceeded their authorization and violated their user agreements when they modified the groups to display the unsolicited message. It is reasonable to assume the groups did not want their group to be modified in such a way; that would constitute unsolicited action. The “hacktivists” also purposely joined those groups as members for the sole purpose of taking over the groups, which should be interpreted as “unauthorized access” or “exceeding authorized access”. I believe if Facebook or the government are inclined to do so they would be charged and perhaps quite convictable. It would be ironic if the “hacktivists” wanted to protect others’ privacy and personal information by committing digital intrusion and fraud.
Facebook did announce that no sensitive information was lost, and the perpetrators’ accounts have been disabled. Any changes to the groups have also been reversed. The incident does underscore the issue of ethics in computer security. I think many activists (in many fields) have fuzzy ethics… But perhaps the law needs to remind them that the end does not justify the means. These misguided folks are just as dangerous as the people who would exploit the same security loophole. Wait, they did do it!
ICANN, International Corporation for Assigned Names and Numbers, the group that controls domain names, is poised to open up Internet domain names to non-Latin language codes on Nov 16. This is huge news to everyone who does not live in an English-speaking country. For more than a decade people from around the globe were forced to learn English-based domain names. People from places like China, Russia, India and others had to type in English to visit websites, and businesses in those countries had to convert their names to English equivalents to be able to register for a website. This will all change after Nov 16 as they will be able to register domain names in their native languages.
Story here: http://www.cnn.com/2009/TECH/10/29/internet.domains.languages/index.html
Although it will be a great convenience for people around the world who can’t understand English to be able to use their native language to browse the Internet, what does it mean for US consumers? How would the American public be able to tell a trusted foreign site from a non-trusted one if they can’t read the URL? Would this actually limit access for English-only users while increasing the security risk of a malicious website disguising itself as a trusted one, since English-only users may not be able to tell them apart? It seems like this presents a new challenge for security experts.
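One way a defender can tell such names apart, shown as an added example that is not part of the original post: convert the name to the ASCII "xn--" form that DNS carries, flag labels that mix scripts, and compare against an allow-list after mapping lookalike letters. The function names, the small `LOOKALIKES` table and the `TRUSTED` list are constructed for illustration.

```python
import unicodedata

# Constructed sample of Cyrillic letters that render like Latin ones.
# A real deployment would use the full Unicode confusables data instead.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def label_scripts(label):
    """Scripts used by the letters of one label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def review_domain(domain, trusted):
    """Return the ASCII wire form of a domain plus any spoofing warnings."""
    domain = domain.lower()
    flags = []
    # A single label that mixes scripts (e.g. Cyrillic + Latin) is a classic spoofing sign.
    for label in domain.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            flags.append("mixed-script:" + "+".join(sorted(scripts)))
    # Replace known lookalikes and see whether the result collides with a trusted name.
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in domain)
    if skeleton != domain and skeleton in trusted:
        flags.append("lookalike-of:" + skeleton)
    # The 'xn--' form is what DNS actually carries for a non-ASCII name.
    ascii_form = domain.encode("idna").decode("ascii")
    return {"ascii": ascii_form, "flags": flags}


TRUSTED = {"apple.com", "example.com"}  # constructed allow-list
SAMPLES = [
    "example.com",                                      # plain ASCII
    "\u0430pple.com",                                   # Cyrillic 'a' followed by Latin "pple"
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",  # all-Cyrillic name, a legitimate IDN
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), review_domain(name, TRUSTED))
```

Showing users or log reviewers the "xn--" form alongside the rendered name makes the difference visible even when the two look identical on screen.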
A California federal judge found on Thursday that master spammer Sanford Wallace was guilty of bombarding the social networking website Facebook.com. Facebook was awarded $711 million in damages. The judge also referred the case to the US Attorney’s office for further investigations and perhaps federal criminal charges.
Story here: http://money.cnn.com/2009/10/30/technology/facebook_spammer/index.htm?postversion=2009103017
Although Facebook concedes that it may never collect any of the damages from Sanford Wallace since he is under bankruptcy protection, it is an important victory in the fight against spam. The court’s decision shows that spammers are financially liable for damages caused by their mass messages and that websites can successfully bring suits against spammers. If Wallace is criminally charged in this matter in the future, it could further serve as a deterrent to other spammers. The federal charges would carry the possibility of prison terms, which would transform the fight against spamming from a purely civil matter to a criminal matter. Although Wallace has lost similar lawsuits brought by other companies before, it never totally stopped his spamming activities, partially because civil judgments are dischargeable under bankruptcy and the threat of fines, restitutions and other civil liabilities just doesn’t carry the same weight as a prison sentence. This is a step forward in the fight against spam, but stronger measures still need to be taken against the ever-proliferating business of SPAM.
Experts are now talking about smartphone security issues. There are many facets to this discussion. With the advent of iPhones, PDA phones and other cell phones that are not merely telephone handsets, users are essentially holding a mini computer, some of which have more computing power and storage than a desktop computer had 15 years ago. The potential for security issues is great.
On one hand, the devices can be used to perpetrate computer crimes. Everyone has a cell phone nowadays, and we can carry our phones into any offices or buildings, even sensitive locations. With a simple USB cable, these devices can be turned into spy devices used to siphon and steal sensitive digital data.
On the other hand, users are putting an increasing amount of sensitive, personal and professional data on their handheld phones. Calendars, emails, address books, contact lists, to-do lists, professional documents, personal financial information and more are now stored on their phones. But users still treat their phones as phones rather than computers, and the potential for loss is great. Very few phones are password protected. They are so small that they are frequently lost or stolen. They lack extensive security measures to guard against spyware, malware, viruses and other ill programs.
As the havoc caused by the Sidekick data loss tells us, it is time for smartphone users to take a more active role in securing their devices against potential harm, because they are just as vulnerable to intrusion and loss as desktop computers, if not more so.
CNN News story for more details: http://www.cnn.com/2009/TECH/10/25/smartphone.security/index.html
The Federal Communications Commission unanimously voted this week to begin developing open internet regulation, thus bringing the issue of net neutrality to the front page. Story here: http://www.cnn.com/2009/TECH/10/24/net.neutrality.politics/index.html On the same day, Senator John McCain (R. AZ) also introduced legislation – the Internet Freedom Act of 2009 – which will bar the FCC from developing internet regulations. Senator McCain stated that he believes regulations will stifle innovation while a free and open Internet would be the best stimulus under the current economic environment. The two sides of the issue apparently have been at odds over the net neutrality issue for over 3 years, with various pieces of legislation proposed but not approved by the legislatures. It is very interesting, to say the least, to observe both sides arguing over how best to achieve the exact same purpose – to keep the Internet open and free. Personally I find it almost comical to suggest that the best way to keep the Internet open and free is through a set of legislation and regulations… I thought regulations are meant to regulate, and free is meant to be … well, free. But I suppose to codify the free-ness of the Internet in an effort to preserve it wouldn’t be a bad thing, but handing it to a traditionally heavy-handed and over-bearing regulatory agency doesn’t exactly inspire confidence. It is apparent that this issue will have to be debated, decided and challenged in court before we can all know where it is going. Under the current circumstances, I am not sure how long the process will take, and it is entirely possible that the Internet would have already evolved into something beyond the control of a nation state. Although the FCC has been allowed to regulate the airwaves, the Internet is neither local nor regional, and is beyond the scope of a single agency or a single nation. I guess we will have to wait and see.
Here is an interesting piece of news from England: http://scitech.blogs.cnn.com/2009/10/19/internet-service-provider-fights-copyright-law/. A newly proposed copyright law aims to require ISPs to police their traffic to disallow downloading or transmitting of copyright-protected data. This sounds similar to the logic behind the Digital Millennium Copyright Act; at first glance it should help to turn the tide against illegal file sharing among peer-to-peer network users. I agree that something should be done about this. Millions of users around the globe routinely abuse their ISP accounts in conducting unauthorized transmission of digital data. In doing so they violate their user agreement with the ISPs and contribute to the ever-growing problem we face. However, the burden to deal with this problem should not rest with the ISP. A lot of ISPs are small independent businesses that lack the power or resources to keep track of what’s being transmitted on their data networks. Legislation requiring them to monitor the data transmissions would be like requiring the telephone companies to monitor every caller’s conversations for any illegal activities being discussed, no matter how small the matter. In the US, warrantless wiretapping after 9/11 has been controversial at best, and that aims to defend the country against terrorist attacks. To require a commercial service to wiretap phone lines to fend off criminal offenses is already pretty unthinkable; to require it to monitor against civil violations is just unimaginable. I don’t think the crime of violating copyright materials would justify the gross violation of everyone’s privacy, for the innocent or the guilty. It would probably be similar to rounding up all the Japanese in camps so as to prevent spies from transmitting critical info: we all know how that’s being perceived today, and that move had much more noble and critical goals.
It would seem that the fight against digital piracy and copyright abuse continues, but we have yet to find the best way to conduct the battle.
To follow up on the Sidekick data loss story, here is a piece of news about Apple computers. (Link here: http://news.cnet.com/8301-31021_3-10373064-260.html). Apparently some Apple users with Snow Leopard OS have been suffering similar problems. After signing into other, non-primary accounts on their Apple computers, the users would return to their regular, primary user account to find all kinds of data loss, which of course would be a big problem for anyone who is productive. Although Apple has owned up to the problem, it has not offered any remedies or fixes. “We are aware of the issue, which occurs only in extremely rare cases, and we are working on a fix,” said an Apple representative. Some users on web forums have reportedly reinstalled/downgraded to Leopard OS to avoid facing such issues.
The two recent stories about data loss have underscored the importance of data/information assurance today. As we move more and more toward digital productivity, we need to have complete confidence in the integrity of the data we create. Many hours of work must have been lost in those two incidents. Even if the data were not lost to a third party, if someone were to be able to trigger such a catastrophic data loss on crucial networks, the result would be unthinkable. While information warfare may still sound a bit like science fiction to most people today, the headlines of today may offer just a slight glimpse of what could be possible in the near future.
During the past week or so, there has been a really big story in the mobile computing community. (Story link here: http://www.cnn.com/2009/TECH/10/13/cnet.sidekick.data/index.html ). Apparently there was a huge problem with T-Mobile’s Sidekick devices, which run a Microsoft-developed OS. It was reported that over 1.5 million users were affected. In mild cases, people lost the ability to access data services and their phones were rendered into a … phone. In the most extreme cases, all user data, presumably including addresses, messages, calendar, documents and more, were lost completely. It was such a great problem because, as Microsoft admits, the error caused both the primary and system backup files to be lost, which makes recovery pretty much impossible. I read through several reports from different sources, and no one has yet announced a precise cause. Microsoft was quoted saying it was a “hardware failure”, but that doesn’t quite make too much sense since a memory failure akin to a hard disk failure would render the OS useless too, not just the data files. T-Mobile announced that it was a massive server failure, which would explain the data access problems, but it would have nothing to do with the local data being lost. The sinister side of me thinks there is always the possibility of a software problem, intentional or unintentional, that caused the OS to wipe the data and backup files. Imagine if this was an attack from an external source, a bug, a virus, a piece of malware? What if the data files were not completely lost, but rather have been retrieved by a third party? Then the online and mobile lives of 1.5 million people would be in the hands of some guy laughing wildly on the other side of the globe! Unthinkable.
Microsoft is urging everyone who still has their data to back up immediately, to an independent source. It would be the better practice, since backing up on the same device still leaves you vulnerable to the weakness of the device, since it is so mobile. But creating backups in other places also exposes your data to more risks of being accessed by others.
One thing is clear, it seems that there are approximately 1.5 million people this week looking at new mobile devices from RIM (Blackberry), Apple (iPhone) and Palm. If this turns out to be a case of industrial war, an attack to eliminate competition, wouldn’t that be something!