Congress tables six new bills aimed at improving the security of the core internet
April 23, 2012
Internet hijacking and pirating today isn't just a threat to your bank account or personal computer; it's a serious problem of national security, says Congress, and now it wants to take immediate action while it still can.
To be sure, spies from other countries and organized criminals are already inside virtually every U.S. company's network, and some firms don't even know about it. The U.S. government's top cybersecurity advisors widely agree that cyber criminals and internet terrorists already have the capability to take down the country's critical financial, energy and communications infrastructure.
"The reality is that our current infrastructure is being colonized, whether we like it or not," says Tom Kellerman, former commissioner of President Obama's cyber security council.
"Worse is the fact that governments no longer have a monopoly on this capability, and that's really the frightening element here. There is code out there that puts it in anyone's hands," added Kellerman.
Using the web to take over our infrastructure, turn off our electricity or release dangerous toxins would amount to a full-fledged war against the country or countries that initiated such an action.
Much of America's critical infrastructure is currently owned by businesses. Gaining intelligence on cyber threats, both in advance and after an attack has been launched, requires strong cooperation from companies and, often, from private individuals.
That's why Congress is taking up as many as six different new cyber bills this week that deal with that issue: improving the overall security of our core infrastructure without infringing on the privacy of corporations and the people who work in those companies. It won't be easy, since privacy is a sensitive subject in the U.S.
There are some key differences between the bills, and lawmakers are furiously trying to merge them together. The bill most policy analysts are focused on right now, and the one likeliest to pass, is the Cyber Intelligence Sharing and Protection Act (CISPA), introduced by Representative Mike Rogers, chairman of the House Intelligence Committee.
It passed his committee with strong bipartisan support (a 17-1 vote) in December 2011, and it has more than 100 co-sponsors on both sides of the aisle.
At the bill's core are direct incentives for private businesses that control core critical infrastructure, particularly in the finance and energy sectors. Those businesses would receive some compelling tax breaks if they share related data with one another and with the U.S. government about potential attacks.
In addition, there are rules that would force them to strip out any non-crucial information about customers or business partners before sharing. A rival Senate bill, sponsored by Senator Joseph Lieberman, would instead mandate information sharing through government regulation.
Not surprisingly, that bill is also supported by President Barack Obama, but most speakers at the conference thought it had little chance of passing.
Critics have attacked all six bills for being too lenient on privacy and for being too rigorous at the same time. The bills have been blasted both by civil liberties organizations and, interestingly, by those in the intelligence community.
"All six bills on the Hill are grossly insufficient," said Mike McConnell, formerly President Bush's national intelligence director. "We say we don't want to infringe on privacy rights or burden industry in any way, so the result is we don't do anything."
At a corporate security conference in March, FBI Director Robert Mueller warned attendees: "There are only two types of companies: those that have already been hacked, and those that will be soon."
McConnell thinks it will take a "catastrophic event" to force changes. "We are incredibly vulnerable," he said. "If we don't make our policy makers think about this seriously, we'll be dealing with something like 9/11."
Other countries and organized crime have more and better intelligence on U.S. citizens and businesses than the U.S. government itself does, in McConnell's view. That's a major policy dilemma, and something that all U.S. citizens should take very seriously.
Privacy advocates like the American Civil Liberties Union counter that the Rogers bill would kick off a free-for-all in sharing of customer records. The bill would "create a cybersecurity exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government," the ACLU wrote in a December letter to Rogers and others in Congress.
It added: "We will vigorously oppose this legislation as inconsistent with the long tradition of Americans' reasonable expectations of privacy." Yet other internet security professionals stressed that we have to rethink privacy in a world where hackers have already infiltrated all our systems and know everything about us.
"And let's get real here," said Kellerman. "Let's be honest about this. We have 100,000 Big Brothers. Meanwhile, the United States is fighting this with one hand behind its back. We have been juvenile about the discussion of privacy."
"This is an issue of leadership. If we don't take it seriously, we're going to have a serious attack," added Kellerman.
"We have to change our perspective on what's permissible and what's not," said Colonel Cedric Leighton, a former military intelligence officer with the U.S. Air Force. "It's not a lost cause, but only if we know what we're facing."
The bills aren't perfect, but even opponents of the Rogers bill said something needs to be done, and done fast. "We don't all have to agree on everything to do something," said Howard Schmidt, President Obama's current cybersecurity coordinator.
"We talk about it and talk about it and talk about it, and all we're doing is just admiring the problem. We need the authority to do the things we've been talking about for quite a while," he added.
In other internet security news
Kaspersky Lab security researcher Costin Raiu has discovered yet another new Mac OS X trojan. Called Backdoor.OSX.SabPub.a, or just SabPub for short, the new malware uses Java exploits to infect a Mac, then connects to a remote Web site and waits for instructions, which include taking screenshots of the user's Mac and executing commands.
"The Java exploits appear to be pretty standard, however, and they have been obfuscated using Zelix KlassMaster, a flexible and quite powerful Java obfuscator," said Raiu. "This was obviously done in order to avoid detection from anti-malware products."
Raiu's new discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs globally in the past few weeks. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications.
Apple on Friday released a tool designed to remove Flashback from infected computers. Prior to that launch, it was believed that 270,000 Mac desktops were infected with the Trojan, down significantly from its peak.
In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February.
The malware appears to be delivered through targeted attacks, which should limit its ability to spread as widely as Flashback did.
Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 security vulnerability related to a stack-based buffer overflow in Office on the Mac.
"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named 8958.doc," Raiu said. "This suggests that it was extracted from a Word document or was distributed as a Doc-file."
In other internet security news
The hacktivist and pressure group Anonymous has finally turned its attention to China, claiming to have defaced more than 480 websites over the past few days including several government sites, while urging Chinese hackers to join its cause.
Anonymous began its campaign in China with the launch of its Anonymous-China Twitter account, which seems to have begun tweeting on or about March 30th. In a list posted to PasteBin, the group claims to have defaced close to 500 websites, including several belonging to regional Chinese government organizations in areas such as Chengdu and Dalian.
In several other separate posts, Anonymous also claims to have hacked and leaked user names, password details, phone numbers and emails from various government sites. All the sites on the list we tried now appear to have been taken down, although the Wall Street Journal managed to take a screen grab showing the following message, in English:
"Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall. So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. With no mercy."
According to the WSJ, the message also contained a link to an Anonymous site detailing how Chinese web users can bypass the Great Firewall, although at the time of writing the site appears to have been taken down, most likely by Chinese government officials.
Not too happy with that, Anonymous also posted another message to PasteBin, urging the Chinese people to revolt. “So, we are writing this message to tell you that you should protest, you should be protesting and who has the skills for hacking and programming and design and other ‘computer things’ come to our IRC,” the note read.
This is the first major Anonymous campaign targeting China, which is somewhat surprising given the government's hardline stance on internet censorship and human rights, two issues guaranteed to get the group's immediate and undivided attention.
To be sure, the hacking of several minor regional government sites is unlikely to cause much consternation at Communist Party headquarters, and the group’s messages on PasteBin and posted on the defaced sites will largely have failed to reach their audience given that they were written in English.
Anonymous seems to be working on the latter issue, however, having sent out a tweet calling for help from would-be translators. Given China's strict web controls on social media, it's unlikely that the group will be able to broadcast its message on platforms such as Sina Weibo and Tencent Weibo, so for the time being it'll have to stick to Twitter, which is banned in China, and to the prospect of defacing even more websites in that country.
In other internet security news
In the last two weeks, Brandon Price, an alleged U.S. Army deserter, has been charged with stealing the identity of Microsoft co-founder Paul Allen to run a bank fraud scam, and he was arrested late yesterday.
In January 2012, Price allegedly conned Citibank call centre employees into changing Allen’s mailing address to that of Price’s modest home, as well as changing the phone number associated with his card. And just days later, he also persuaded Citibank workers to send a replacement debit card in Allen's name to the fake address.
"An individual identifying himself as Paul Allen called the customer service department of Citibank. The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS," said FBI agent Joseph Ondercin.
However, the complaint fails to explain what personal information was used to successfully impersonate Allen. As a high-profile public figure, a great deal of personal information about Allen is in the public domain, and his address and even his social security number might not have been that hard to determine in the first place.
Overall, Citibank is defending its handling of the case, pointing out that the bank's anti-fraud systems quickly spotted something was wrong and blocked further fraud from the account.
“Through our own security procedures, Citibank correctly identified the actions of fraudulent account transactions and turned the matter over to law enforcement. We will continue to work with the FBI and the police in the ongoing investigation,” said Catherine Pulley, a CitiBank spokeswoman.
Prosecutors in the case say that Price used the debit card the same day UPS delivered it, January 13, to make a $658 payment into his Armed Forces Bank loan account, before unsuccessfully attempting to use it to pay for a Western Union wire transfer and for purchases at Gamestop and Family Value stores in Pittsburgh.
Source: The U.S. Congress.