<?xml version="1.0" encoding="UTF-8"?><feed
	xmlns="http://www.w3.org/2005/Atom"
	xmlns:thr="http://purl.org/syndication/thread/1.0"
	xml:lang="en-US"
	>
	<title type="text">Joseph Menn | Vox</title>
	<subtitle type="text">Our world has too much noise and too little context. Vox helps you understand what matters.</subtitle>

	<updated>2019-03-06T11:16:14+00:00</updated>

	<link rel="alternate" type="text/html" href="https://www.vox.com/author/joseph-menn" />
	<id>https://www.vox.com/authors/joseph-menn/rss</id>
	<link rel="self" type="application/atom+xml" href="https://www.vox.com/authors/joseph-menn/rss" />

	<icon>https://platform.vox.com/wp-content/uploads/sites/2/2024/08/vox_logo_rss_light_mode.png?w=150&amp;h=100&amp;crop=1</icon>
		<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[Security Researcher Who Hacked Moving Jeep Leaves Twitter]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/8/24/11617980/security-researcher-who-hacked-moving-jeep-leaves-twitter" />
			<id>https://www.vox.com/2015/8/24/11617980/security-researcher-who-hacked-moving-jeep-leaves-twitter</id>
			<updated>2019-03-06T05:33:42-05:00</updated>
			<published>2015-08-24T20:01:11-04:00</published>
			<category scheme="https://www.vox.com" term="Social Media" /><category scheme="https://www.vox.com" term="Technology" /><category scheme="https://www.vox.com" term="Twitter" />
							<summary type="html"><![CDATA[The security researcher who hacked into a moving Jeep earlier this year has resigned as an engineer at Twitter after three years on the job, a person familiar with the matter said. Charlie Miller, a former National Security Agency hacker who is one of the world&#8217;s best-known security experts, declined to comment on his [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="REUTERS/Steve Marcus" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15797401/2015-08-24t231934z_2_lynxnpeb7n153_rtroptp_4_usa-black-hat.0.1508648639.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>The security researcher who hacked into a moving Jeep earlier this year has resigned as an engineer at Twitter after three years on the job, a person familiar with the matter said.</p>

<p>Charlie Miller, a former National Security Agency hacker who is one of the world&rsquo;s best-known security experts, declined to comment on his departure or say what he would do next.</p>

<p>A Twitter spokesman could not immediately be reached for comment.</p>

<p>Miller&rsquo;s latest feat, breaking into a moving Jeep as it drove on the highway, was done with IOActive researcher Chris Valasek and was the subject of talks at this month&rsquo;s security conferences in Las Vegas.</p>

<p>Their efforts, which were coordinated with manufacturer Fiat Chrysler Automobiles, prompted the first vehicle recall to protect drivers from possible malicious hacking.</p>

<p>FCA USA LLC recalled 1.4 million vehicles to install software intended to prevent hackers from emulating the experiment, which used the cellular network to enter the entertainment system and then win control of the engine, brakes and steering.</p>

<p>Shares in Twitter, which is seeking a permanent chief executive officer, have fallen by more than 40 percent from their level on the first day of trading in 2013 and set a record low as the broader market sank on Monday.</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[Russian Antivirus Firm Faked Malware to Harm Rivals]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/8/14/11615574/russian-antivirus-firm-faked-malware-to-harm-rivals" />
			<id>https://www.vox.com/2015/8/14/11615574/russian-antivirus-firm-faked-malware-to-harm-rivals</id>
			<updated>2019-03-06T05:30:52-05:00</updated>
			<published>2015-08-14T09:14:37-04:00</published>
			<category scheme="https://www.vox.com" term="Big Tech" /><category scheme="https://www.vox.com" term="Microsoft" /><category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees. They said the secret campaign targeted Microsoft, AVG Technologies, Avast Software and other [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters/Sergei Karpukhin" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15796772/kaspersky.0.1501756209.jpeg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.</p>

<p>They said the secret campaign targeted Microsoft, AVG Technologies, Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers&rsquo; PCs.</p>

<p>Some of the attacks were ordered by Kaspersky Lab&rsquo;s co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.</p>

<p>&ldquo;Eugene considered this stealing,&rdquo; said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.</p>

<p>Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.</p>

<p>&ldquo;Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,&rdquo; Kaspersky said in a statement to Reuters. &ldquo;Such actions are unethical, dishonest and their legality is at least questionable.&rdquo;</p>

<p>Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.</p>

<p>The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran&rsquo;s nuclear program in 2009 and 2010.</p>

<p>The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky&rsquo;s selection of competitors to sabotage.</p>

<p>&ldquo;It was decided to provide some problems&rdquo; for rivals, said one ex-employee. &ldquo;It is not only damaging for a competing company but also damaging for users&rsquo; computers.&rdquo;</p>

<p>The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.</p>

<p>Their chief task was to reverse-engineer competitors&rsquo; virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.</p>

<p>The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs has prompted security companies to share more information with each other, industry experts said. They licensed each other&rsquo;s virus-detection engines, swapped samples of malware and sent suspicious files to third-party aggregators such as Google&rsquo;s VirusTotal.</p>

<p>By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other&rsquo;s work instead of finding bad files on their own.</p>

<p>Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.</p>

<p>In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.</p>

<p>Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky&rsquo;s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.</p>

<p>When Kaspersky&rsquo;s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.</p>
<h2 class="wp-block-heading">Injecting Bad Code</h2>
<p>In one technique, Kaspersky&rsquo;s engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.</p>

<p>Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.</p>

<p>VirusTotal had no immediate comment.</p>

<p>In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an &ldquo;unknown third party&rdquo; manipulated Kaspersky into misclassifying files from Tencent, Mail.ru and the Steam gaming platform as malicious.</p>

<p>The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said.</p>

<p>The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company&rsquo;s lead in detecting malicious files. They declined to give a detailed account of any specific attack.</p>

<p>Microsoft&rsquo;s antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in &ldquo;quarantine.&rdquo;</p>

<p>Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.</p>

<p>Over the next few months, Batchelder&rsquo;s team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit.</p>

<p>&ldquo;It doesn&rsquo;t really matter who it was,&rdquo; he said. &ldquo;All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed.&rdquo;</p>

<p>In a subsequent interview on Wednesday, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack.</p>

<p>As word spread in the security industry about the induced false positives found by Microsoft, other companies said they tried to figure out what went wrong in their own systems and what to do differently, but no one identified those responsible.</p>

<p>At Avast, a largely free antivirus software maker with the biggest market share in many European and South American countries, employees found a large range of doctored network drivers, duplicated for different language versions.</p>

<p>Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and &ldquo;wanted to have some fun&rdquo; at the industry&rsquo;s expense. He did not respond to a request on Thursday for comment on the allegation that Kaspersky had induced false positives.</p>
<h2 class="wp-block-heading">Waves of Attack</h2>
<p>The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.</p>

<p>It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today.</p>

<p>That is in part because security companies have grown less likely to accept a competitor&rsquo;s determinations as gospel and are spending more to weed out false positives.</p>

<p>AVG&rsquo;s former chief technology officer, Yuval Ben-Itzhak, said the company suffered from troves of bad samples that stopped after it set up special filters to screen for them and improved its detection engine.</p>

<p>&ldquo;There were several waves of these samples, usually four times per year. This crippled-sample generation lasted for about four years. The last wave was received at the beginning of the year 2013,&rdquo; he told Reuters in April.</p>

<p>AVG&rsquo;s chief strategy officer, Todd Simpson, declined to comment on Wednesday.</p>

<p>Kaspersky said it had also improved its algorithms to defend against false virus samples. It added that it believed no antivirus company conducted the attacks &ldquo;as it would have a very bad effect on the whole industry.&rdquo;</p>

<p>&ldquo;Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted,&rdquo; Kaspersky said.</p>

<p>(Reporting by Joseph Menn; editing by Tiffany Wu)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[Security Experts Hack Into Moving Car and Seize Control]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/7/21/11614924/security-experts-hack-into-moving-car-and-seize-control" />
			<id>https://www.vox.com/2015/7/21/11614924/security-experts-hack-into-moving-car-and-seize-control</id>
			<updated>2019-03-06T05:36:06-05:00</updated>
			<published>2015-07-21T17:14:23-04:00</published>
			<category scheme="https://www.vox.com" term="Policy" /><category scheme="https://www.vox.com" term="Technology" /><category scheme="https://www.vox.com" term="Transportation" />
							<summary type="html"><![CDATA[A pair of veteran cyber security researchers have shown they can use the Internet to turn off a car&#8217;s engine as it drives, sharply escalating the stakes in the debate about the safety of increasingly connected cars and trucks. Former National Security Agency hacker Charlie Miller, now at Twitter, and IOActive researcher Chris Valasek used [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15797983/20150721-uconnect-chrysler-fiat.0.1508648638.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>A pair of veteran cyber security researchers have shown they can use the Internet to turn off a car&rsquo;s engine as it drives, sharply escalating the stakes in the debate about the safety of increasingly connected cars and trucks.</p>

<p>Former National Security Agency hacker Charlie Miller, now at Twitter, and IOActive researcher Chris Valasek used a feature in the Fiat Chrysler telematics system Uconnect to break into a car being driven on the highway by a reporter for technology news site Wired.com.</p>

<p>In a controlled test, they turned on the Jeep Cherokee&rsquo;s radio and activated other inessential features before rewriting code embedded in the entertainment system hardware to issue commands through the internal network to steering, brakes and the engine.</p>

<p>&ldquo;There are hundreds of thousands of cars that are vulnerable on the road right now,&rdquo; Miller told Reuters.</p>

<p>Fiat Chrysler said it had issued a fix for the most serious vulnerability involved. The software patch is available for free on the company&rsquo;s website and at dealerships.</p>

<p>&ldquo;Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,&rdquo; the company said. It didn&rsquo;t immediately answer other questions.</p>

<p>Miller and Valasek have been probing car safety for years and have been among those warning that remote hacking was inevitable. An academic team had previously said it hacked a moving vehicle from afar but did not say how or name the manufacturer, putting less pressure on the industry.</p>

<p>National Highway Traffic Safety Administration chief Mark Rosekind on Tuesday said his agency is increasingly concerned about the security of vehicle control systems.</p>

<p>&ldquo;We know these systems will become targets of bad actors,&rdquo; he told a conference on autonomous and connected vehicle technology in Ypsilanti, Mich. If consumers don&rsquo;t believe that connected vehicle systems are safe and secure, he said, &ldquo;they will not engage it.&rdquo;</p>

<p>Members of Congress have also expressed concern, and on Tuesday Sens. Ed Markey and Richard Blumenthal, both Democrats, introduced a bill that would direct the NHTSA to develop standards for isolating critical software and detecting hacking as it occurs.</p>

<p>Miller and Valasek said they had been working with Fiat Chrysler since October, giving the company enough time to construct a patch to disable a feature that the men suspected had been turned on by accident. They plan to release a paper at the Def Con security conference next month that includes code for remote access, which will no longer work on cars that have been updated.</p>

<p>They said the harder problem for an attacker, moving from the entertainment system to the core on-board network, would take months for other top-tier hackers to emulate.</p>

<p>Many Jeeps could remain unpatched, leaving them open to attack. But the researchers said hackers would need to know the Internet Protocol address of a car in order to attack it specifically, and that address changes every time the car starts.</p>

<p>Otherwise, &ldquo;you have to attack random cars,&rdquo; Valasek said.</p>

<p>The men stressed that it would be easy to make modest adjustments to their code and attack other types of vehicles.</p>

<p>They said that manufacturers, who are racing to add new Internet-connected features, should work much harder on creating safe capability for automatic over-the-air software updates, segregation of on-board entertainment and engineering networks, and intrusion-detection software for stopping improper commands.</p>

<p>&ldquo;Anything that connects to the outside world is an attack vector, from my point of view,&rdquo; Valasek said.</p>

<p>(Reporting by Joseph Menn, additional reporting by Joe White; Editing by Andrew Hay)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[U.S. Tried Stuxnet-Style Cyber Attack Against North Korea, but Failed]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/5/29/11563126/u-s-tried-stuxnet-style-cyber-attack-against-north-korea-but-failed" />
			<id>https://www.vox.com/2015/5/29/11563126/u-s-tried-stuxnet-style-cyber-attack-against-north-korea-but-failed</id>
			<updated>2019-03-06T05:01:31-05:00</updated>
			<published>2015-05-29T17:43:21-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[The United States tried to deploy a version of the Stuxnet computer virus to attack North Korea&#8217;s nuclear weapons program five years ago but ultimately failed, according to people familiar with the covert campaign. The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran&#8217;s nuclear program in 2009 and 2010 by destroying [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="jrwasserman / Thinkstock" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15789792/178795084.0.1508648638.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>The United States tried to deploy a version of the Stuxnet computer virus to attack North Korea&rsquo;s nuclear weapons program five years ago but ultimately failed, according to people familiar with the covert campaign.</p>

<p>The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran&rsquo;s nuclear program in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uranium. Reuters and others have reported that the Iran attack was a joint effort by U.S. and Israeli forces.</p>

<p>According to one U.S. intelligence source, Stuxnet&rsquo;s developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine.</p>

<p>But U.S. agents could not access the core machines that ran Pyongyang&rsquo;s nuclear weapons program, said another source, a former high-ranking intelligence official who was briefed on the program.</p>

<p>The official said the National Security Agency-led campaign was stymied by North Korea&rsquo;s utter secrecy, as well as the extreme isolation of its communications systems. A third source, also previously with U.S. intelligence, said he had heard about the failed cyber attack but did not know details.</p>

<p>North Korea has some of the most isolated communications networks in the world. Just owning a computer requires police permission, and the open Internet is unknown except to a tiny elite. The country has one main conduit for Internet connections to the outside world, through China.</p>

<p>In contrast, Iranians surfed the Net broadly and had interactions with companies from around the globe.</p>

<p>A spokeswoman for the NSA declined to comment for this story. The spy agency has previously declined to comment on the Stuxnet attack against Iran.</p>

<p>The United States has launched many cyber espionage campaigns, but North Korea is only the second country, after Iran, that the NSA is now known to have targeted with software designed to destroy equipment.</p>

<p>Washington has long expressed concerns about Pyongyang&rsquo;s nuclear program, which it says breaches international agreements. North Korea has been hit with sanctions because of its nuclear and missile tests, moves that Pyongyang sees as an attack on its sovereign right to defend itself.</p>

<p>U.S. Secretary of State John Kerry said last week that Washington and Beijing were discussing imposing further sanctions on North Korea, which he said was &ldquo;not even close&rdquo; to taking steps to end its nuclear program.</p>

<p>Experts in nuclear programs said there are similarities between North Korea&rsquo;s and Iran&rsquo;s operations, and the two countries continue to collaborate on military technology.</p>

<p>Both countries use a system with P-2 centrifuges, obtained by Pakistani nuclear scientist A.Q. Khan, who is regarded as the father of Islamabad&rsquo;s nuclear bomb, they said.</p>

<p>Like Iran, North Korea probably directs its centrifuges with control software developed by Siemens AG that runs on Microsoft&rsquo;s Windows operating system, the experts said. Stuxnet took advantage of vulnerabilities in both the Siemens and Microsoft programs.</p>

<p>Because of the overlap between North Korea and Iran&rsquo;s nuclear programs, the NSA would not have had to tinker much with Stuxnet to make it capable of destroying centrifuges in North Korea, if it could be deployed there.</p>

<p>Despite modest differences between the programs, &ldquo;Stuxnet can deal with both of them. But you still need to get it in,&rdquo; said Olli Heinonen, senior fellow at Harvard University&rsquo;s Belfer Center for Science and International Affairs and former deputy director general of the International Atomic Energy Agency.</p>

<p>NSA Director Keith Alexander said North Korea&rsquo;s strict limitations on Internet access and human travel make it one of a few nations &ldquo;who can race out and do damage with relative impunity&rdquo; since reprisals in cyberspace are so challenging.</p>

<p>When asked about Stuxnet, Alexander said he could not comment on any offensive actions taken during his time at the spy agency.</p>

<p>David Albright, founder of the Institute for Science and International Security and an authority on North Korea&rsquo;s nuclear program, said U.S. cyber agents probably tried to get to North Korea by compromising technology suppliers from Iran, Pakistan or China.</p>

<p>&ldquo;There was likely an attempt&rdquo; to sabotage the North Korean program with software, said Albright, who has frequently written and testified on the country&rsquo;s nuclear ambitions.</p>

<p>The Stuxnet campaign against Iran, code-named Olympic Games, was discovered in 2010. It remains unclear how the virus was introduced to the Iranian nuclear facility in Natanz, which was not connected to the Internet.</p>

<p>According to cyber security experts, Stuxnet was found inside industrial companies in Iran that were tied to the nuclear effort. As for how Stuxnet got there, a leading theory is that it was deposited by a sophisticated espionage program developed by a team closely allied to Stuxnet&rsquo;s authors, dubbed the Equation Group by researchers at Kaspersky Lab.</p>

<p>The U.S. effort got that far in North Korea as well. Though no versions of Stuxnet have been reported as being discovered in local computers, Kaspersky Lab analyst Costin Raiu said that a piece of software related to Stuxnet had turned up in North Korea.</p>

<p>Kaspersky had previously reported that the software, digitally signed with one of the same stolen certificates that had been used to install Stuxnet, had been submitted to malware analysis site VirusTotal from an electronic address in China. But Raiu told Reuters his contacts had assured him that it originated in North Korea, where it infected a computer in March or April 2010.</p>

<p>Some experts said that even if a Stuxnet attack against North Korea had succeeded, it might not have had that big an impact on its nuclear weapons program. Iran&rsquo;s nuclear sites were well known, whereas North Korea probably has at least one other facility beyond the known Yongbyon nuclear complex, former officials and inspectors said.</p>

<p>In addition, North Korea likely has plutonium, which does not require a cumbersome enrichment process depending on the cascading centrifuges that were a fat target for Stuxnet, they said.</p>

<p>Jim Lewis, an adviser to the U.S. government on cyber security issues and a senior fellow at the Center for Strategic and International Studies, said there are limitations to cyber offense.</p>

<p>A cyber attack &ldquo;is not something you can release and be sure of the results,&rdquo; Lewis said.</p>

<p>(Editing by Tiffany Wu)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[U.S. Aims to Limit Exports of Undisclosed Software Flaws]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/5/21/11562846/u-s-aims-to-limit-exports-of-undisclosed-software-flaws" />
			<id>https://www.vox.com/2015/5/21/11562846/u-s-aims-to-limit-exports-of-undisclosed-software-flaws</id>
			<updated>2019-03-06T04:55:45-05:00</updated>
			<published>2015-05-21T09:35:41-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[The U.S. Commerce Department proposed new export controls Wednesday that would treat unknown software flaws as potential weapons, a move aimed at reducing the security industry&#8217;s aid to rival nations. The department said it was following through on an international commitment to address the evolution of warfare to include more technology. But some security researchers [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Semisatch/Shutterstock" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15788332/software_code.0.1508648638.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>The U.S. Commerce Department proposed new export controls Wednesday that would treat unknown software flaws as potential weapons, a move aimed at reducing the security industry&rsquo;s aid to rival nations.</p>

<p>The department said it was following through on an international commitment to address the evolution of warfare to include more technology.</p>

<p>But some security researchers said the rules, which are subject to public comment for 60 days, would fail to curb the black market while hindering cross-border collaboration and sales of defensive products.</p>

<p>The regulations are broadly written and cover what are known as &ldquo;zero-day&rdquo; flaws, or security vulnerabilities that the software vendors do not know about.</p>

<p>Hackers and defense contractors often sell information about such flaws to government agencies or the maker of the software, and internal U.S. sales could continue.</p>

<p>But sales of zero-day and supporting capabilities would be barred without special license outside of the United States, United Kingdom, Canada, Australia and New Zealand.</p>

<p>One way zero-day flaws can be exploited is by repressive regimes using the holes in the software for surveillance, and the document notes human rights concerns in the trade.</p>

<p>&ldquo;I remember thinking licensing zero-day brokers is a good idea to a degree. You prevent someone in the U.S. from selling to Iran,&rdquo; said Adriel Desautels, chief executive of penetration testing firm Netragard Inc.</p>

<p>&ldquo;Some form of licensing or regulation is useful. But the form of regulation being proposed is potentially very damaging to the security industry as a whole&hellip;It&rsquo;s flat out stupid.&rdquo;</p>

<p>The regulations come as a follow-up to a 2013 agreement among 41 nations that some penetration software should be subject to controls alongside the likes of nuclear and chemical weapons components.</p>

<p>Several researchers said that the large U.S. defense contractors, which find or pay for many software flaws and sell them to intelligence agencies, the military and law enforcement, would have no difficulty in hiring export lawyers to obtain licenses for some overseas sales.</p>

<p>But law-abiding mid-size and small security companies, along with independent researchers, will be much more likely to give up on selling across borders, leaving those markets to criminals.</p>

<p>&ldquo;It could have major impacts against how we do vulnerability research and protecting our systems,&rdquo; said Rand Corp expert Lillian Ablon, who has studied the zero-day markets. &ldquo;If we are restricting the ability of the white hats to fund the vulnerabilities, it&rsquo;s only making it easier for the bad guys.&rdquo;</p>

<p>Though there are exemptions for open-source software and for scientific research, if adopted the rules could have a profound impact on the legitimate markets for flaws and the tools that exploit them just as they are coming into the open and maturing.</p>

<p>Many more companies have recently begun paying &ldquo;bug bounties&rdquo; to reward researchers who find security holes in their products, instead of driving them to sell to governments or hackers. A handful of startups have brought new professionalism and structure to reporting-and-reward systems, making them practical even for smaller companies.</p>

<p>In the future, said Katie Moussouris, chief policy officer at one of those venture-backed companies, HackerOne, overseas corporations might have to offer researchers both cash rewards and guidance on obtaining export licenses, simply to make their own programs more secure.</p>

<p>(Reporting by Joseph Menn; editing by Lisa Shumaker)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[Destructive Hacking Attempts Target Critical Infrastructure]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/4/7/11561184/destructive-hacking-attempts-target-critical-infrastructure" />
			<id>https://www.vox.com/2015/4/7/11561184/destructive-hacking-attempts-target-critical-infrastructure</id>
			<updated>2019-03-06T04:53:27-05:00</updated>
			<published>2015-04-07T00:07:28-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Hacking attacks that destroy rather than steal data or that manipulate equipment are far more prevalent than widely believed, according to a survey of critical infrastructure organizations throughout North and South America. The poll by the Organization of American States, to be released on Tuesday, found that 40 percent of respondents had battled attempts to [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Dado Ruvic" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15787729/hacker-art.0.1508648638.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Hacking attacks that destroy rather than steal data or that manipulate equipment are far more prevalent than widely believed, according to a survey of critical infrastructure organizations throughout North and South America.</p>

<p>The poll by the Organization of American States, to be released on Tuesday, found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered &ldquo;attempts to manipulate&rdquo; their equipment through a control system.</p>

<p>Those figures, provided exclusively to Reuters ahead of the official release, are all the more remarkable because only 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal.</p>

<p>By far the best known destructive hacking attack on U.S. soil was the electronic assault last year on Sony Pictures Entertainment, which wiped data from the Hollywood fixture&rsquo;s machines and rendered some of its internal networks inoperable.</p>

<p>The outcry over that breach, joined by President Barack Obama, heightened the perception that such destruction was an unusual extreme, albeit one that has been anticipated for years.</p>

<p>Destruction of data presents little technical challenge compared with penetrating a network, so the infrequency of publicized incidents has often been ascribed to a lack of motive for attackers.</p>

<p>Now that hacking tools are being spread more widely, however, more criminals, activists, spies and business rivals are experimenting with such methods.</p>

<p>&ldquo;Everyone got outraged over Sony, but far more vulnerable are these services we depend on day to day,&rdquo; said Adam Blackwell, secretary of multidimensional security at the Washington, D.C.-based group of 35 nations.</p>

<p>The survey went to companies and agencies in crucial sectors as defined by the OAS members. Almost a third of the respondents were public entities, with communications, security and finance being the most heavily represented industries.</p>

<p>The questions did not delve into detail, leaving the amount of typical losses from breaches and the motivations of suspected attackers as matters for speculation. The survey-takers were not asked whether the attempted hacks succeeded, and some attacks could have been carried off without their knowledge.</p>

<p>The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published.</p>

<p>Blackwell said that one story of destruction involved a financial institution. Hackers stole money from accounts and then deleted records to make it difficult to reconstruct which customers were entitled to what funds.</p>

<p>&ldquo;That was a really important component&rdquo; of the attack, Blackwell said.</p>

<p>In another case, thieves manipulated equipment in order to divert resources from a company in the petroleum industry.</p>

<p>Blackwell said that flat security budgets and uneven government involvement could mean that criminal thefts of resources, such as power, could force blackouts or other safety threats.</p>

<p>At security company Trend Micro, which compiled the report for the OAS, Vice President Tom Kellerman said additional destructive or physical attacks came from political activists and organized crime groups.</p>

<p>&ldquo;We are facing a clear and present danger where we have non-state actors willing to destroy things,&rdquo; he said. &ldquo;This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.&rdquo;</p>

<p>So-called &ldquo;ransomware,&rdquo; which encrypts data files and demands payment be sent to remote hackers, could also have been interpreted as destructive, since it often leaves information unrecoverable.</p>

<p>A spokesman for the U.S. Department of Homeland Security, S.Y. Lee, said the department did not keep statistics on how often critical U.S. institutions are attacked or see destructive software and would not &ldquo;speculate&rdquo; on whether four out of 10 seeing deletion attempts would be alarming.</p>

<p>U.S. political leaders cite attacks on critical infrastructure as one of their greatest fears, and concerns about protecting essential manufacturers and service providers drove a recent executive order and proposed legislation to encourage greater information-sharing about threats between the private sector and government.</p>

<p>Yet actual destructive attacks or manipulation of equipment are infrequently revealed. That is in part because breach-disclosure laws in more than 40 states center on the potential risks to consumers from the theft of personal information, as with hacks of retailers including Home Depot and Target.</p>

<p>Under Securities and Exchange Commission guidelines, publicly traded companies must disclose breaches with a potential material financial impact, but many corporations can argue that even deletion of internal databases, theft and manipulation of equipment are not material.</p>

<p>Much more is occurring at vital facilities behind the scenes, and that is borne out by the OAS report, said Chris Blask, who chairs the DHS-led Information Sharing and Analysis Center for cyber security issues with the industrial control systems that automate power, manufacturing and other processes.</p>

<p>&ldquo;I don&rsquo;t think the public has any appreciation for the scale of attacks against industrial systems,&rdquo; Blask said. &ldquo;This happens all the time.&rdquo;</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[NSA Can Hide Spyware in Hard-Disk Firmware]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/2/17/11559082/nsa-can-hide-spyware-in-hard-disk-firmware" />
			<id>https://www.vox.com/2015/2/17/11559082/nsa-can-hide-spyware-in-hard-disk-firmware</id>
			<updated>2019-03-06T04:56:32-05:00</updated>
			<published>2015-02-17T01:52:51-05:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world&#8217;s computers, according to cyber researchers and former operatives. That long-sought and closely guarded ability was [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="360b/Shutterstock" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15788535/shutterstock_179616941.0.1508648638.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world&rsquo;s computers, according to cyber researchers and former operatives.</p>

<p>That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Labs, the Moscow-based security software maker that has exposed a series of Western cyber espionage operations.</p>

<p>Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.</p>

<p>The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyber weapon that was used to attack Iran&rsquo;s uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.</p>

<p>A former NSA employee told Reuters that Kaspersky&rsquo;s analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.</p>

<p>NSA spokeswoman Vanee Vines said the agency was aware of the Kaspersky report but would not comment on it publicly.</p>

<p>Kaspersky on Monday published the technical details of its research, a move that could help infected institutions detect the spying programs, some of which trace back as far as 2001.</p>

<p>The disclosure could hurt the NSA&rsquo;s surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden&rsquo;s revelations have upset some U.S. allies and slowed the sales of U.S. technology products abroad.</p>

<p>The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.</p>

<p>Peter Swire, one of five members of U.S. President Barack Obama&rsquo;s Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.</p>

<p>&ldquo;There can be serious negative effects on other U.S. interests,&rdquo; Swire said.</p>

<p>According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.</p>

<p>Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.</p>

<p>&ldquo;The hardware will be able to infect the computer over and over,&rdquo; lead Kaspersky researcher Costin Raiu said in an interview.</p>

<p>Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.</p>

<p>Kaspersky&rsquo;s reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital, Seagate Technology, Toshiba, IBM, Micron Technology and Samsung Electronics.</p>

<p>Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.</p>

<p>Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.</p>

<p>&ldquo;There is zero chance that someone could rewrite the [hard drive] operating system using public information,&rdquo; Raiu said.</p>

<p>Concerns about access to source code flared after a series of high-profile cyber attacks on Google and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.</p>

<p>It is not clear how the NSA may have obtained the hard drives&rsquo; source code. Western Digital spokesman Steve Shattuck said the company &ldquo;has not provided its source code to government agencies.&rdquo; The other hard drive makers would not say if they had shared their source code with the NSA.</p>

<p>Seagate spokesman Clive Over said it has &ldquo;secure measures to prevent tampering or reverse engineering of its firmware and other technologies.&rdquo; Micron spokesman Daniel Francisco said the company took the security of its products seriously and &ldquo;we are not aware of any instances of foreign code.&rdquo;</p>

<p>According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.</p>

<p>&ldquo;They don&rsquo;t admit it, but they do say, &lsquo;We&rsquo;re going to do an evaluation, we need the source code,&#8217;&rdquo; said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. &ldquo;It&rsquo;s usually the NSA doing the evaluation, and it&rsquo;s a pretty small leap to say they&rsquo;re going to keep that source code.&rdquo;</p>

<p>The NSA declined to comment on any allegations in the Kaspersky report. Vines said the agency complies with the law and White House directives to protect the United States and its allies &ldquo;from a wide array of serious threats.&rdquo;</p>

<p>Kaspersky called the authors of the spying program &ldquo;the Equation group,&rdquo; named after their embrace of complex encryption formulas.</p>

<p>The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.</p>

<p>Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as &ldquo;zero days,&rdquo; which strongly suggested collaboration by the authors, Raiu said. He added that it was &ldquo;quite possible&rdquo; that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.</p>

<p>(Reporting by Joseph Menn; Editing by Tiffany Wu)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[Box Lets Cloud Storage Customers Control Encryption for Security]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/2/10/11558868/box-lets-cloud-storage-customers-control-encryption-for-security" />
			<id>https://www.vox.com/2015/2/10/11558868/box-lets-cloud-storage-customers-control-encryption-for-security</id>
			<updated>2019-03-06T04:50:55-05:00</updated>
			<published>2015-02-10T10:49:21-05:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Popular online storage service Box will let businesses control their encryption keys, the encoding tools used to keep data safe, aiding some heavily regulated industries and others who fear hacking attacks or government snooping. Though many large companies have turned to Box and its competitors for cheap storage and to transfer files among a far [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Asa Mathat" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15787103/box_aaron_levie.0.1488426224.png?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Popular online storage service Box will let businesses control their encryption keys, the encoding tools used to keep data safe, aiding some heavily regulated industries and others who fear hacking attacks or government snooping.</p>

<p>Though many large companies have turned to Box and its competitors for cheap storage and to transfer files among a far-flung workforce and partners, others have balked because they have no technological means of preventing access by those armed with court orders or other legal process.</p>

<p>Such objections intensified after former National Security Agency contractor Edward Snowden revealed dragnet spying operations outside of U.S. borders. Since then, many companies have been looking to encrypt more and increase control over their data. Still, many Web services do not offer an easy way for users to control encryption.</p>

<p>&ldquo;We think this is really going to unlock a new set of customers and break one of the last barriers for cloud adoption,&rdquo; Box CEO Aaron Levie told Reuters.</p>

<p>Box sold stock in an initial public offering last month. Rival Dropbox, which has many more users, remains privately held.</p>

<p>Dropbox does not allow customers to hold their own keys to control access, but it does steer those concerned to work with third parties to encrypt data with other keys before it is stored. That way, even if outsiders access files, they would not be able to read them unless they got the keys from the third parties.</p>

<p>&ldquo;Allowing user control over this is something we might consider adding in the future,&rdquo; Dropbox says on its website.</p>

<p>Levie thinks his firm&rsquo;s architecture is better.</p>

<p>Amazon Web Services and security firm Gemalto will provide the management and hardware, respectively, but only the customers will have the keys. A test version will be broadly available in the spring, with pricing depending on the number of users at a company.</p>

<p>Based in Los Altos, Calif., Box claims almost half of the Fortune 500 as paying customers and more than 30 million individual users.</p>

<p>Levie said healthcare, finance and other industries with strict data-protection rules would be logical candidates for the new service, which also includes audit logs tracking access.</p>

<p>Though Levie has criticized broad collection by the NSA, he said most Box customers pushing for key ownership were not driven by that worry.</p>

<p>&ldquo;It&rsquo;s less of a response to the threat landscape and more about the regulatory environment,&rdquo; Levie said.</p>

<p>(Reporting by Joseph Menn in San Francisco; Editing by Cynthia Osterman)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[Private U.S. Report Accuses Another Chinese Military Unit of Hacking]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/6/10/11627792/private-u-s-report-accuses-another-chinese-military-unit-of-hacking" />
			<id>https://www.vox.com/2014/6/10/11627792/private-u-s-report-accuses-another-chinese-military-unit-of-hacking</id>
			<updated>2019-03-06T06:16:14-05:00</updated>
			<published>2014-06-10T05:00:10-04:00</published>
			<category scheme="https://www.vox.com" term="China" /><category scheme="https://www.vox.com" term="Politics" /><category scheme="https://www.vox.com" term="Technology" /><category scheme="https://www.vox.com" term="World Politics" />
							<summary type="html"><![CDATA[A private U.S. cyber security company on Monday accused a unit of China&#8217;s military of conducting far-reaching hacking operations to advance the country&#8217;s satellite and aerospace programs. Security company CrowdStrike said Shanghai-based unit 61486 of the People&#8217;s Liberation Army 12th bureau has attacked networks of Western government agencies and defense contractors since 2007. CrowdStrike said [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Pichi Chuang" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15808365/taiwan-hacker.0.1508648639.png?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>A private U.S. cyber security company on Monday accused a unit of China&rsquo;s military of conducting far-reaching hacking operations to advance the country&rsquo;s satellite and aerospace programs.</p>

<p>Security company CrowdStrike said Shanghai-based unit 61486 of the People&rsquo;s Liberation Army 12th bureau has attacked networks of Western government agencies and defense contractors since 2007.</p>

<p>CrowdStrike said the hacking targeted the U.S. space, aerospace and communications sectors. The cyber spying targeted &ldquo;popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks,&rdquo; CrowdStrike said.</p>

<p>Less than three weeks ago the U.S. Justice Department took the unprecedented step of unsealing indictments against five members of another People&rsquo;s Liberation Army unit that allege they stole trade secrets.</p>

<p>CrowdStrike said it was publicizing a report previously sent to clients to show that the issue was broader than many realize.</p>

<p>&ldquo;After the Chinese response, where they basically said this is all fabricated, we said why don&rsquo;t we unleash something that&rsquo;s undeniable,&rdquo; said CrowdStrike co-founder Dmitri Alperovitch. He said the company had briefed U.S. intelligence agencies before publishing its report.</p>

<p>CrowdStrike said an individual named Chen Ping registered website domain names used in some of the intrusions. Chen&rsquo;s personal blog appears to put his age as 35, and he identified himself as a soldier, the report said.</p>

<p>Chen&rsquo;s email is tied to profiles, blogs and forum postings, CrowdStrike said. Among material on those sites was a photo album titled &ldquo;office&rdquo; that includes a building CrowdStrike identified as the Shanghai headquarters of the military unit in question.</p>

<p>Chen did not respond to requests for comment sent to the email addresses provided by CrowdStrike.</p>

<p>But a spokeswoman for China&rsquo;s foreign ministry poured scorn on the report, saying she had a strong sense of &ldquo;d&eacute;j&agrave; vu&rdquo; about the allegations, adding it was ridiculous to suggest any hacker would openly advertise what he did.</p>

<p>&ldquo;I think this is both curious and puzzling. Have you ever seen a thief in the street who advertises on his chest that he is a thief? Honestly speaking, I think what the U.S. has done here cannot be accepted as correct,&rdquo; spokeswoman Hua Chunying told a daily news briefing in Beijing.</p>

<p>Revelations by former U.S. intelligence contractor Edward Snowden that the United States carried out widespread online surveillance showed that the U.S. had no right to point fingers when it came to hacking, she added.</p>

<p>&ldquo;The United States cannot pretend that it is the victim. They are a hacker empire. I think everyone in the world knows this,&rdquo; Hua said.</p>

<p>CrowdStrike was founded by former senior executives at big antivirus company McAfee, now part of Intel. It has contracts and other ties to the U.S. government.</p>

<p>The new report is likely to add to the escalating tensions over cyber security issues between the world&rsquo;s two largest economies.</p>

<p>Chinese officials have already responded sharply to last month&rsquo;s indictments, pulling out of talks on hacking issues and accusing the United States of plundering Chinese political and military secrets.</p>

<p>However, China on Monday confirmed that it will participate for the first time in a major U.S.-hosted naval drill being held near the Pacific island of Guam later this month. China is sending four ships including a destroyer and frigate, regardless of deep mistrust on both sides.</p>

<p>(This refiled version of the story changes translation to &ldquo;hacker empire&rdquo; from &ldquo;hacker enemy state&rdquo; in paragraph 13)</p>

<p>(Additional reporting by David Brunnstrom in Washington and Ben Blanchard in Beijing; Editing by Cynthia Osterman and Simon Cameron-Moore)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Joseph Menn</name>
			</author>
			
			<title type="html"><![CDATA[U.S. Tech Firms Beef Up Security to Thwart Mass Spying]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/6/5/11627672/u-s-tech-firms-beef-up-security-to-thwart-mass-spying" />
			<id>https://www.vox.com/2014/6/5/11627672/u-s-tech-firms-beef-up-security-to-thwart-mass-spying</id>
			<updated>2019-03-06T06:15:53-05:00</updated>
			<published>2014-06-05T12:15:24-04:00</published>
			<category scheme="https://www.vox.com" term="Big Tech" /><category scheme="https://www.vox.com" term="Facebook" /><category scheme="https://www.vox.com" term="Google" /><category scheme="https://www.vox.com" term="Microsoft" /><category scheme="https://www.vox.com" term="Social Media" /><category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[A year after Edward Snowden exposed the National Security Agency&#8217;s mass surveillance programs, the major U.S. technology companies suffering from the fallout are uniting to shore up their defenses against government intrusion. Instead of aggressively lobbying Washington for reform, Google, Microsoft and other tech companies have made security advancements their top priority, adopting tools that [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Francois Lenoir" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15808304/google-logo-illustration.0.1508648639.png?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>A year after Edward Snowden exposed the National Security Agency&rsquo;s mass surveillance programs, the major U.S. technology companies suffering from the fallout are uniting to shore up their defenses against government intrusion.</p>

<p>Instead of aggressively lobbying Washington for reform, Google, Microsoft and other tech companies have made security advancements their top priority, adopting tools that make blanket interception of Internet activity more difficult.</p>

<p>&ldquo;It&rsquo;s of course important for companies to do the things under our own control, and what we have under our own control is our own technology practices,&rdquo; Microsoft General Counsel Brad Smith told Reuters. &ldquo;I don&rsquo;t know that anyone believes that will be sufficient to allay everyone&rsquo;s concerns. There is a need for reform of government practices, but those will take longer.&rdquo;</p>

<p>As part of a &ldquo;Reset the Net&rdquo; campaign now reaching a mainstream audience, Google on Wednesday said it was releasing a test version of a program allowing Gmail users to keep email encrypted until it reaches other Gmail users, without the company decrypting it in transit to display advertising.</p>

<p>Google, Microsoft and Facebook moved to encrypt internal traffic after revelations by Snowden, a former NSA contractor, that the spy agency hacked into their connections overseas. The companies have also made smaller adjustments that together make sweeping collection more difficult.</p>

<p>&ldquo;Anyone trying to perform mass surveillance is going to have a much harder job today than they would have even six months ago,&rdquo; said Nate Cardozo, a staff attorney with the civil liberties group Electronic Frontier Foundation.</p>

<p>Cardozo said the most-improved major company was Yahoo, which went from not encrypting email by default to having protection comparable to that of its peers.</p>

<p>BUSINESS THREAT</p>

<p>The topic of boosting security has gained urgency after countries such as China faulted big tech companies as tools of a powerful U.S. surveillance state, and threatened to curb purchases of American tech products.</p>

<p>Surveillance opponents say the companies could do much more than they have. An NSA slide released last month by journalist Glenn Greenwald, titled &ldquo;NSA Strategic Partnerships,&rdquo; touted &ldquo;alliances with over 80 major global corporations&rdquo; that supported the NSA&rsquo;s cyber offensive and defensive missions.</p>

<p>The slide named 12 companies, including the largest U.S. telecom carriers and Microsoft, Intel, Hewlett-Packard and Cisco Systems. None of those companies have renounced working with the agency or said that they would limit their cooperation to defensive measures.</p>

<p>All four of the tech companies in the group said they do not deliberately incorporate spying &ldquo;back doors&rdquo; into their products, but that leaves open a number of possibilities, including mandated or voluntary efforts to target individual customers or groups.</p>

<p>&ldquo;Legally, the NSA can compel you to provide access to information,&rdquo; said Ashkan Soltani, a privacy researcher in Washington D.C. &ldquo;The only way around this is to engineer systems to prevent access, or at least make it detectable.&rdquo; Google&rsquo;s new email tool is one example of that, and smaller companies are trying other formulas that retain little information about users.</p>

<p>PRESSING FOR REFORMS</p>

<p>The tech companies see improving their defenses as only the first step. Microsoft and other companies are also pressing governments to negotiate limits on cyber spying.</p>

<p>Nine major companies formed a group called Reform Government Surveillance, which on Thursday took out newspaper advertisements urging the Senate to strengthen a House reform bill and ban bulk Internet surveillance.</p>

<p>Both Cisco and Microsoft also have said U.S. law should clearly protect data stored elsewhere. Smith said Microsoft would fight to overturn a recent federal magistrate&rsquo;s ruling forcing it to produce customer information from Dublin.</p>

<p>If that fails, Smith said, there are other means to draw the line at the U.S. border, including administration policy changes and new legislation.</p>

<p>Even if none of the three branches of government end up backing Microsoft&rsquo;s position, Smith said the company can change its business processes, such as by using joint ventures instead of subsidiaries, or its technology, such as by giving only users the encryption keys to their data.</p>

<p>(Reporting by Joseph Menn; Editing by Tiffany Wu)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
	</feed>
