Showing posts with label data security. Show all posts

Monday, April 30, 2018

FACEBOOK - Can Be Fooled

"How Facebook’s news feed can be fooled into spreading misinformation" PBS NewsHour 4/25/2018

Excerpt

SUMMARY:  Facebook’s news feed algorithm learns in great detail what we like, and then strives to give us more of the same -- and it's that technology that can be taken advantage of to spread junk news like a virus.  Science correspondent Miles O'Brien begins a four-part series on Facebook’s battle against misinformation that began after the 2016 Presidential election.

Monday, May 2, 2016

FBI NEWS - Ransomware

"Incidents of Ransomware on the Rise" FBI News 4/29/2016


Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher.  And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code.  Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to.  Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key.  These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated.  Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all.  According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link.  They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The FBI doesn’t support paying a ransom in response to a ransomware attack.  Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom.  Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.  And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

So what does the FBI recommend?  As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:

  • Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls; and
  • The creation of a solid business continuity plan in the event of a ransomware attack.  (See "Tips for Dealing with the Ransomware Threat" below)

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor.  “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.

If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.


Tips for Dealing with the Ransomware Threat

While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.

Prevention Efforts

- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.

- Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).

- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.

- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.

- Configure access controls, including file, directory, and network share permissions appropriately.  If users only need to read specific information, they don’t need write access to those files or directories.

- Disable macro scripts from office files transmitted over e-mail.

- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

- Back up data regularly and verify the integrity of those backups regularly.

- Secure your backups.  Make sure they aren’t connected to the computers and networks they are backing up.
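As an added example (not from the FBI notice), the following Python script applies the backup-integrity tip: it records a SHA-256 manifest of a backup set right after the copy is made and later reports files whose contents changed, disappeared, or appeared, which is how files encrypted in place and dropped ransom notes show up. The file names and contents in the demo are constructed.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example, not from the FBI notice. The manifest is written right
after a backup completes and kept with the disconnected backup media, so a
later verify_manifest() run can tell whether anything in the set was
altered, removed or injected since then.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root against a previously built manifest.

    Returns {'modified': [...], 'missing': [...], 'added': [...]} with
    sorted relative paths. All three lists empty means the set is intact.
    Files encrypted in place land in 'modified'; ransom notes in 'added'.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a small backup set, confirm it verifies
    clean, then simulate an encrypt-in-place attack and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "photos"))
        with open(os.path.join(root, "photos", "zoe.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed JPEG bytes")
        with open(os.path.join(root, "taxes.txt"), "wb") as fh:
            fh.write(b"2015 return (constructed)\n")

        manifest = build_manifest(root)          # taken right after the backup
        clean = verify_manifest(root, manifest)  # expected: nothing changed

        # Simulated attack: one file's contents replaced with ciphertext-like
        # random bytes, and a ransom note dropped beside it.
        with open(os.path.join(root, "taxes.txt"), "wb") as fh:
            fh.write(os.urandom(32))
        with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "wb") as fh:
            fh.write(b"constructed ransom note\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("after backup:", clean_result)
    print("after attack:", tampered_result)
```

Keep the manifest on the same disconnected media as the backup, not on the machine being backed up, or an attacker who encrypts the data can rewrite the manifest too.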


Friday, April 29, 2016

SECURITY - eMail Domains

I just have to comment on paying attention to the domains you receive eMail from.

I got an eMail reminding me 'to confirm your account' on a site I never heard of.

The domain was "@zainiraq.net"

IRAQ.net!

Ya, like that's a safe site, .....NOT.

You need to pay close attention to eMail domains when the eMail looks suspicious or from a site you never heard of.

Suspicious eMail may even claim to be from a site you do deal with.  I had an eMail that claimed to be from AARP, but the text didn't look right; it was from a domain ending in ".top".

If you get eMail that does look like it's from a site you deal with but has a link to update your account info, DO NOT use the link in the eMail.  If you deal with the site, you should have it bookmarked in your browser; use that to access the site.  Also, many sites will have a Support contact; you should copy the eMail and headers, and paste that into their message system so they know someone is trying to spoof them.

All suspicious eMail domains should be added to your SPAM filter.  In my case, my eMail provider has a very good system for that.  Then your eMail client should also have a way to filter eMail domains.
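An added example, not part of the blog post, that automates the domain check described above in Python: it reads raw message headers, compares the sender's domain against a constructed list of brands the recipient deals with, and flags a display name that claims a brand the domain does not belong to, an unknown sender domain, or a Return-Path that disagrees with From. The brand-to-domain list (including aarp.org) and the sample messages are assumptions constructed for the example; the zainiraq.net and .top cases mirror the post.

```python
"""Flag e-mail whose sender domain does not match what it claims to be.

Added example, not part of the blog post. It automates the checks the post
makes by eye: a sender domain you have never dealt with, a display name
claiming a brand whose real domain is different, and a Return-Path that
disagrees with the From address.
"""
import email
from email.utils import parseaddr

# Constructed allowlist: brands the recipient deals with, mapped to the
# domains they legitimately send from. Assumptions for this example only.
KNOWN_SENDERS = {
    "aarp": {"aarp.org"},
    "mybank": {"mybank.example"},
}


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def registered_domain(domain):
    """Last two labels (mail.example.com -> example.com); crude but enough here."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def check_sender(raw_message, known_senders=KNOWN_SENDERS):
    """Return a list of findings for the message; an empty list means no red flags."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["From header has no usable address"]

    findings = []
    from_reg = registered_domain(from_domain)

    # 1. Display name or subject names a brand, but the domain is not that brand's.
    claimed_text = (display_name + " " + msg.get("Subject", "")).lower()
    for brand, domains in known_senders.items():
        if brand in claimed_text and from_reg not in domains:
            findings.append(f"claims to be {brand} but was sent from {from_domain}")

    # 2. Domain belongs to no sender you deal with: "a site you never heard of".
    all_known = set().union(*known_senders.values())
    if from_reg not in all_known:
        findings.append(f"unknown sender domain {from_domain}")

    # 3. Bounce address (Return-Path) points somewhere other than the From domain.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and registered_domain(rp_domain) != from_reg:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    return findings


# Constructed sample headers. The zainiraq.net and .top cases mirror the post.
UNKNOWN_SITE = """\
From: <noreply@zainiraq.net>
Subject: Please confirm your account
"""

FAKE_AARP = """\
Return-Path: <bounce@mailer-hub.top>
From: "AARP Member Services" <alerts@aarp-rewards.top>
Subject: Update your membership info
"""

REAL_AARP = """\
Return-Path: <bounces@aarp.org>
From: "AARP" <member@aarp.org>
Subject: Your monthly bulletin
"""

if __name__ == "__main__":
    for label, raw in [("unknown site", UNKNOWN_SITE), ("fake AARP", FAKE_AARP), ("real AARP", REAL_AARP)]:
        print(label, "->", check_sender(raw) or ["no red flags"])
```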

Monday, March 7, 2016

DATA SECURITY - Ransom of LA Hospital

"Ransomware attack takes down LA hospital for hours" PBS NewsHour 2/29/2016

This highlights the need to use a good Anti-Virus utility AND do an image backup of your entire system AFTER running a virus scan (the only backup you can use to recover your entire system).  I do my backup monthly using O&O DiskImage to a USB External Drive that I disconnect after backup.

Excerpt

SUMMARY:  One of the greatest threats to private cybersecurity today is ransomware -- a cyberattack that blocks access to a computer until the hacker is paid a ransom.  The problem recently took on new urgency when a hospital in Los Angeles had its entire network shut down for hours, putting hundreds at risk; another high-profile breach hit L.A.’s health department last week.  William Brangham reports.

GWEN IFILL (NewsHour):  But, first, a look at what’s become the latest threat to our cyber-security.

The problem took on new urgency recently when a hospital in Los Angeles had its entire computer network, including all its digital medical records, locked up by hackers.  They demanded a ransom before they’d release the computers.  It was the second such attack this month.  L.A.’s Health Department was hit last week.

These types of computer attacks, which usually target individual computer users, are on the rise.

The “NewsHour's” William Brangham reported on this threat last year, and now he brings us an update.

WILLIAM BRANGHAM (NewsHour):  Inna Simone is retired.  She’s a mother and grandmother from Russia who now lives outside of Boston.  In the fall of 2014, her home computer started acting strangely.

INNA SIMONE, Retiree:  My computer was working terribly.  It was not working.  I mean, it was so slow.

WILLIAM BRANGHAM:  A few days later, while searching through her computer files, Inna saw dozens of these messages — they were all the same.  They read: “Your files are encrypted.  To get the key to decrypt them, you have to pay $500.”

Her exact deadline, December 2 at 12:48 p.m., was just a few days away.

All her files were locked: tax returns, financial papers, letters, even the precious photos of her granddaughter Zoe.  Inna couldn’t open any of them.

INNA SIMONE:  It says, “If you won’t pay, your fine will double.  If you won’t pay by then, all your files will be deleted and you will lose them forever and never will get back.”

WILLIAM BRANGHAM:  Inna Simone, like thousands of others, had been victimized by what’s known as a ransomware attack.  Hackers — who law enforcement believe come mainly from Eastern Europe or Russia — manage to implant malicious software onto your computer, usually when you mistakenly open an infected e-mail attachment, or visit a compromised Web site.

That software then allows the hackers to lock up your files, or your entire computer, until you pay them a ransom to give it back.

Justin Cappos is a computer security expert at New York University.

JUSTIN CAPPOS, New York University:  It will actually lock you out of the files, the data on your computer.

So, you’d be able to use the computer but those files have been encrypted by the attacker with a key that only they possess.  It’s frustrating because you know the data is there.  You know the files are there.  You know your photos and everything is there and could be accessible to you.  But you have no way of being able to get at it because of this encryption that the attackers are using.

WILLIAM BRANGHAM:  This is exactly what happened at Hollywood Presbyterian Hospital in Los Angeles.  According to officials, about a month ago, their computerized medical records were locked up by one of these malicious programs, and a hacker demanded $17,000 in ransom to unlock them.

During this time, medical staff were forced to use paper and pen for their record-keeping, but they say no patient files were compromised.  The hospital decided to pay the ransom.  Their computers were unlocked, and the FBI is now investigating.

Wednesday, June 24, 2015

SECURITY - Software Code Cribbing

"Programmers are copying security flaws into your software, researchers warn" by Laura Hautala, CNet 6/23/2015

Many software developers are cribbing code, and its flaws, that someone else created. And the problem is only getting harder to keep up with.

It's easy to assume that hackers work way above our pay grade.  Electronic intruders must be able to exploit vulnerabilities in the software we use because they're evil geniuses, right?

That may be the case in some very sophisticated attacks, experts say, but in others, not so much.  Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work.  The problem: they're not vetting the code for security problems.

Working more as code assemblers than as writers, programmers are sourcing about 80 percent to 90 percent of the code in any given software application from third parties, many experts estimate.  Sometimes programmers buy code from other companies, and sometimes they use open-source code that's free for anyone to use.

The problem affects all software, which means everything from the mobile apps on your smartphone to your favorite website to the programs you run on your computer.  Everything except for the operating system on a device or computer is likely composed of building blocks of code rather than created wholly new, said Chris Wysopal, co-founder and executive at software security company Veracode.

The priority for all those highly paid programmers is speed, not security, Wysopal said.  His company, which assesses software for businesses, released a report Tuesday analyzing its own clients' habits when it comes to software use.

Veracode found 6.9 million flaws in more than 200,000 inspections of code used by its clients over the last year.  Those clients fixed 4.7 million of the flaws.  While in-house programmers likely wrote some of that code, industry numbers suggest the vast majority of it came from elsewhere.

"That's the trend -- to reuse as much code as possible," Wysopal said.  It speeds up production time and lets software programmers work on solving new problems instead of reinventing the wheel.

"Everything is good about that except for the inheriting-vulnerabilities part," Wysopal said.

Feds and flaws

Lowest ranking among the industries Veracode checked for security flaws was the federal government.  "Part of the reason for this is that the government still uses older programming languages," Veracode researchers wrote in the report.

That might not come as a surprise to those following news of multiple breaches of federal government workers' personal records, which compromised the Social Security numbers of millions of current and former federal workers and revealed sensitive personal information on everyone who has applied for a security clearance.

The problem of flawed source code is bad enough that Veracode has made a business out of checking software components for problems, and other companies are similarly offering to vet software components for those speed-hungry programmers.

One of those companies is Sonatype, and its chief technology officer Joshua Corman says he's on the side of the programmers hitting Ctrl-V, the keyboard shortcut for "paste."

Are programmers lazy?  No, Corman says, just efficient.

"The best way to put this is the time value of money," he said.  "You want to spend your unique talent pool on different problems."

Some companies are using services like Sonatype and Veracode, and some are hiring security "fellows" whose paychecks are dependent on finding security flaws in code.

Corman's company provides a repository of open-source code, but it also focuses on finding and eliminating problems in the code.  In fact, Corman went so far as to check out a major government project for flaws to see if it was vulnerable to hackers.

That project was Healthcare.gov, the website rolled out by the Obama administration to get people signed up for the health insurance mandated by the Affordable Care Act.

The website was notoriously buggy when it first went live, and Corman decided to look at the building blocks used by the government contractors who built it to see if hackers might have an avenue into it.

He looked at the third-party code accessed by the developers and concluded it contained some vulnerabilities.  But he wasn't sure if those flaws made it into the website's final code.  Nonetheless, this news alarmed lawmakers, Corman said.

Eventually, those lawmakers learned that federal law doesn't explicitly require software programmers contracted by the government to vet code they didn't write themselves.  A proposed fix to the problem -- a bill called H.R. 5793 -- would have required software developers to give the government a list of third-party code, assurance that all the code was free of known flaws, and a guarantee to fix any vulnerabilities that come up later.

Rep. Edward Royce (R-Calif.) introduced the bill in December at the end of the congressional session.  The bill never made it to a vote, and Corman said he thinks it might be better suited for an executive order.

Other industries have problems with faulty source code, too, according to Veracode's research.  Retail and hospitality companies that use Veracode to vet their software had a poor track record with their efforts to encrypt data, for example.  Again, this isn't surprising news given the breach of customer information at major retailers like Target and the Home Depot over the past year.

The pace of software development is only speeding up, meaning the problem is harder to keep up with, Wysopal said.

"New languages and new environments to write code in are continuously being invented, and companies want to push software out the door as quickly as possible," he said.  But speed doesn't have to sacrifice security, he argued.

"They don't need to be mutually exclusive.  If you build security processes in or if you require vendors to build it in, you can still go fast," Wysopal said.  But, he noted, "It can't be an afterthought."

Thursday, July 10, 2014

NSA - How to Ensure You Are On the Watch List

"Here’s One Way to Land on the NSA’s Watch List" by Julia Angwin and Mike Tigas, ProPublica 7/9/2014

Last week, German journalists revealed that the National Security Agency has a program to collect information about people who use privacy-protecting services, including popular anonymizing software called Tor.  But it's not clear how many users have been affected.

So we did a little sleuthing, and found that the NSA's targeting list corresponds with the list of directory servers used by Tor between December 2010 and February 2012 – including two servers at the Massachusetts Institute of Technology.  Tor users connect to the directory servers when they first launch the Tor service.

That means that if you downloaded Tor during 2011, the NSA may have scooped up your computer's IP address and flagged you for further monitoring.  The Tor Project is a nonprofit that receives significant funding from the U.S. government.

The revelations were among the first evidence of specific spy targets inside the United States.  And they have been followed by yet more evidence.  The Intercept revealed this week that the government monitored email of five prominent Muslim-Americans, including a former Bush Administration official.

It's not clear if, or how extensively, the NSA spied on the users of Tor and other privacy services.

After the news, one of Tor's original developers, Roger Dingledine, reassured users that they most likely remained anonymous while using the service:  "Tor is designed to be robust to somebody watching traffic at one point in the network – even a directory authority."  It is more likely that users could have been spied on when they were not using Tor.

For its part, the NSA says it only collects information for valid foreign intelligence purposes and that it "minimizes" information it collects about U.S. residents.  In other words, NSA may have discarded any information it obtained about U.S. residents who downloaded Tor.

However, according to a recent report by the Privacy and Civil Liberties Oversight Board, the NSA's minimization procedures vary by program.  Under Prism, for example, the NSA shares unminimized data with the FBI and CIA.

In addition, the NSA can also later search the communications of those it has inadvertently caught in its Prism dragnet, a tactic some have called a "backdoor" search.  It's not clear if similar backdoors exist for other types of data such as IP addresses.

In response to the Tor news, the NSA said it is following President Obama's January directive to not conduct surveillance for the purpose of "suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion."

[Disclosure:  Mike Tigas is the developer of an app that uses Tor, called the Onion Browser.]

Tuesday, June 10, 2014

INTERNET - Internet Giants vs Spy Agencies

"Internet Giants Erect Barriers to Spy Agencies" by DAVID E. SANGER and NICOLE PERLROTH, New York Times 6/6/2014

Just down the road from Google’s main campus here, engineers for the company are accelerating what has become the newest arms race in modern technology:  They are making it far more difficult — and far more expensive — for the National Security Agency and the intelligence arms of other governments around the world to pierce their systems.

As fast as it can, Google is sealing up cracks in its systems that Edward J. Snowden revealed the N.S.A. had brilliantly exploited.  It is encrypting more data as it moves among its servers and helping customers encode their own emails.  Facebook, Microsoft and Yahoo are taking similar steps.

After years of cooperating with the government, the immediate goal now is to thwart Washington — as well as Beijing and Moscow.  The strategy is also intended to preserve business overseas in places like Brazil and Germany that have threatened to entrust data only to local providers.

Google, for example, is laying its own fiber optic cable under the world’s oceans, a project that began as an effort to cut costs and extend its influence, but now has an added purpose: to assure that the company will have more control over the movement of its customer data.

A year after Mr. Snowden’s revelations, the era of quiet cooperation is over.  Telecommunications companies say they are denying requests to volunteer data not covered by existing law.  A.T.&T., Verizon and others say that compared with a year ago, they are far more reluctant to cooperate with the United States government in “gray areas” where there is no explicit requirement for a legal warrant.

But governments are fighting back, harder than ever.  The cellphone giant Vodafone reported on Friday that a “small number” of governments around the world have demanded the ability to tap directly into its communication networks, a level of surveillance that elicited outrage from privacy advocates.

Vodafone refused to name the nations on Friday for fear of putting its business and employees at risk there.  But in an accounting of the number of legal demands for information that it receives from 14 companies, it noted that some countries did not issue warrants to obtain phone, email or web-searching traffic, because “the relevant agencies and authorities already have permanent access to customer communications via their own direct link.”

The company also said it had to acquiesce to some governments’ requests for data to comply with national laws.  Otherwise, it said, it faced losing its license to operate in certain countries.

Eric Grosse, Google’s security chief, suggested in an interview that the N.S.A.'s own behavior invited the new arms race.

“I am willing to help on the purely defensive side of things,” he said, referring to Washington’s efforts to enlist Silicon Valley in cybersecurity efforts.  “But signals intercept is totally off the table,” he said, referring to national intelligence gathering.

“No hard feelings, but my job is to make their job hard,” he added.

In Washington, officials acknowledge that covert programs are now far harder to execute because American technology companies, fearful of losing international business, are hardening their networks and saying no to requests for the kind of help they once quietly provided.

Robert S. Litt, the general counsel of the Office of the Director of National Intelligence, which oversees all 17 American spy agencies, said on Wednesday that it was “an unquestionable loss for our nation that companies are losing the willingness to cooperate legally and voluntarily” with American spy agencies.

“Just as there are technological gaps, there are legal gaps,” he said, speaking at the Wilson Center in Washington, “that leave a lot of gray area” governing what companies could turn over.

In the past, he said, “we have been very successful” in getting that data.  But he acknowledged that for now, those days are over, and he predicted that “sooner or later there will be some intelligence failure and people will wonder why the intelligence agencies were not able to protect the nation.”

Companies respond that if that happens, it is the government’s own fault and that intelligence agencies, in their quest for broad data collection, have undermined web security for all.

Many point to an episode in 2012, when Russian security researchers uncovered a state espionage tool, Flame, on Iranian computers.  Flame, like the Stuxnet worm, is believed to have been produced at least in part by American intelligence agencies.  It was created by exploiting a previously unknown flaw in Microsoft’s operating systems.  Companies argue that others could have later taken advantage of this defect.

Worried that such an episode undercuts confidence in its wares, Microsoft is now fully encrypting all its products, including Hotmail and Outlook.com, by the end of this year with 2,048-bit encryption, a stronger protection that would take a government far longer to crack.  The software is protected by encryption both when it is in data centers and when data is being sent over the Internet, said Bradford L. Smith, the company’s general counsel.

Mr. Smith also said the company was setting up “transparency centers” abroad so that technical experts of foreign governments could come in and inspect Microsoft’s proprietary source code.  That will allow foreign governments to check to make sure there are no “back doors” that would permit snooping by United States intelligence agencies.  The first such center is being set up in Brussels.

Microsoft has also pushed back harder in court.  In a Seattle case, the government issued a “national security letter” to compel Microsoft to turn over data about a customer, along with a gag order to prevent Microsoft from telling the customer it had been compelled to provide its communications to government officials.  Microsoft challenged the gag order as violating the First Amendment.  The government backed down.

Hardware firms like Cisco, which makes routers and switches, have found their products a frequent subject of Mr. Snowden’s disclosures, and their business has declined steadily in places like Asia, Brazil and Europe over the last year.  The company is still struggling to convince foreign customers that their networks are safe from hackers — and free of “back doors” installed by the N.S.A.  The frustration, companies here say, is that it is nearly impossible to prove that their systems are N.S.A.-proof.

Most American companies said they never knowingly let the N.S.A. weaken their systems, or install back doors.  But Mr. Snowden’s documents showed how the agency found a way.

In one slide from the disclosures, N.S.A. analysts pointed to a sweet spot inside Google’s data centers, where they could catch traffic in unencrypted form.  Next to a quickly drawn smiley face, an N.S.A. analyst, referring to an acronym for a common layer of protection, had noted, “SSL added and removed here!”

Google was already suspicious that its internal traffic could be read, and had started a program to encrypt the links among its internal data centers, “the last chink in our armor,” Mr. Grosse said.  But the slide gave the company proof that it was a regular target of the N.S.A.  “It was useful to have proof, in terms of accelerating a project already underway,” he said.

Facebook and Yahoo have also been encrypting traffic among their internal servers.  And Facebook, Google and Microsoft have been moving to more strongly encrypt consumer traffic with so-called Perfect Forward Secrecy, specifically devised to make it more labor intensive for the N.S.A. or anyone to read stored encrypted communications.

One of the biggest indirect consequences from the Snowden revelations, technology executives say, has been the surge in demands from foreign governments that saw what kind of access to user information the N.S.A. received — voluntarily or surreptitiously.  Now they want the same.

At Facebook, Joe Sullivan, the company’s chief security officer, said it had been fending off those demands and heightened expectations.

Until last year, technology companies were forbidden from acknowledging demands from the United States government under the Foreign Intelligence Surveillance Act.  But in January, Google, Facebook, Yahoo and Microsoft brokered a deal with the Obama administration to disclose the number of such orders they receive in increments of 1,000.

As part of the agreement, the companies agreed to dismiss their lawsuits before the Foreign Intelligence Surveillance Court.

“We’re not running and hiding,” Mr. Sullivan said.  “We think it should be a transparent process so that people can judge the appropriate ways to handle these kinds of things.”

The latest move in the war between intelligence agencies and technology companies arrived this week, in the form of a new Google encryption tool.  The company released a user-friendly, email encryption method to replace the clunky and often mistake-prone encryption schemes the N.S.A. has readily exploited.

But the best part of the tool was buried in Google’s code, which included a jab at the N.S.A.'s smiley-face slide.  The code included the phrase: “ssl-added-and-removed-here-; - )”

Monday, June 2, 2014

SECURITY - Warning, Big Data Brokers

"FTC report warns consumers about big data brokers" PBS NewsHour 5/31/2014

Excerpt

HARI SREENIVASAN (NewsHour):  Earlier this week, the Federal Trade Commission issued a report that contained consumer protection recommendations concerning what’s referred to as “big data” – the companies that collect and sell billions of bits of information about all aspects of our online lives.  Information that includes purchases, income, political affiliations – even religion. As FTC Chairwoman Edith Ramirez put it:

“It’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist.”

For some insight, we turn to Amy Schatz who covers tech policy issues for Re/code.

So, what were the things that this report uncovered that might surprise consumers?

AMY SCHATZ, Re/code:  I think most of the things in the report would surprise consumers, although this isn’t necessarily a new issue – this has been going around for a couple of years – but most people don’t know that there are a bunch of data collectors out there who are collecting data about you.  Whether it’s who you voted for or your political beliefs.  Whether it’s your zip code or what you purchased at the store last week or what you’re looking at online.  There are these profiles that are being created online of most Americans now and that information is being traded and shared in a way that a lot of consumers might find a little troubling.

Thursday, April 10, 2014

SECURITY - Heartbleed Hacks SSL Security Servers

Heartbleed hacks into the SSL protocol that protects HTTPS sites.

"Security bug Heartbleed could have provided key that unlocks personal online data" PBS NewsHour 4/9/2014

Excerpt

GWEN IFILL (NewsHour):  You may have heard headlines today about a major lapse in Internet security and the possibility that millions of passwords, credit card numbers, bank information, and commonly used Web sites could have been exposed.

It involves a bug or security leak called Heartbleed, which can be used to read encrypted information.

Hari Sreenivasan gets a breakdown on what you need to know.

HARI SREENIVASAN (NewsHour):  Essentially, Heartbleed can be used to read the memory of computer servers, the places behind a Web site that store your information, including the lock and key system which protects your usernames and passwords.

You probably see this encryption in the form of a green lock when you conduct a transaction and exchange information.  The breach was revealed this week, but apparently has existed for a long time.

Russell Brandom of The Verge, an online site covering tech news, is here to help explain.

Monday, January 20, 2014

CYBERCRIME - Who Orchestrated the Target Breach

"Were criminal gangs involved in the Target security breach?" PBS Newshour 1/18/2014

Excerpt

HARI SREENIVASAN (Newshour):  Another story that we wanted to follow up on tonight is the state of credit card security, or lack of it.  The following discourse is about major security breaches at big retailers, including Target and Neiman Marcus.  Now new details are emerging about who was behind it, and how it was accomplished.  For more we are joined now, from Washington, by Mike Riley with Bloomberg News.  So, there was a big report out - it started to lay out the details.  How do these hackers get all the credit card numbers?

MIKE RILEY, Bloomberg News:  So, they have a pretty sophisticated piece of malware that goes on the point of sales system itself, so that is the terminal that sits in front of the cash register that we all swipe our cards on.  So, the malware goes there and it takes advantage of a quirk, where within that machine, all that information that is taken off that card is sent from one memory chip to another.  It is not encrypted in that process, and they grab it right there.

HARI SREENIVASAN:  And so, who is writing this malware?

MIKE RILEY:  It looks like it is Eastern European or Russian criminal gangs.  Some of the most sophisticated hackers in the world are Russian or Eastern European.  What they have done is they have gotten really good systems.  It is like a supply chain that you can buy pieces of malware.  If you are good enough, as in this case - they have bought a specific piece of malware, called Black POS.  It is a pretty good piece of malware to begin with, but then they customized it.  They made it better.  They made it harder to find, and then they figured out a scheme to get into Target's computers, and stuck it on the point of sales system.  It is also pretty clear that the same gang, or a group of different hackers using the same malware, are targeting other retailers.  We have not seen the end of this.

Thursday, January 16, 2014

SECURITY - Hacking By Radio

Public release of this information is a direct threat to U.S. national security.  We have just let our new enemies know what to look for.

"N.S.A. Devises Radio Pathway Into Computers" by DAVID E. SANGER and THOM SHANKER, New York Times 1/14/2014

Excerpt

The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.

The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers.  In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack.  In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

The N.S.A. calls its efforts more an act of “active defense” against foreign cyberattacks than a tool to go on the offensive.  But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level.

Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command, have been units of the Chinese Army, which the United States has accused of launching regular digital probes and attacks on American industrial and military targets, usually to steal secrets or intellectual property.  But the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls “computer network exploitation.”

“What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington.  “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”

No Domestic Use Seen

There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States.  While refusing to comment on the scope of the Quantum program, the N.S.A. said its actions were not comparable to China’s.

“N.S.A.'s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets in response to intelligence requirements,” Vanee Vines, an agency spokeswoman, said in a statement.  “We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of — or give intelligence we collect to — U.S. companies to enhance their international competitiveness or increase their bottom line.”

Monday, October 28, 2013

INTERNET - Secret Weapon Against Hacking

"Secret weapon against hacking:  College students" PBS Newshour 10/26/2013

Excerpts

SUMMARY:  Inside the high-tech criminal mind. It's no secret that cybercriminals are stealing personal information and credit card numbers by hacking into corporate and government computers.  One school in Pittsburgh is training the next generation of cybersecurity experts to fight off the bad guys by teaching them to think the same way.

RICK KARR:  The bad guys stole more than three million Social Security numbers from the State of South Carolina.  As many as seventy million credit card numbers from Sony PlayStation.  They got access to all of the personal details of some customers of a nationwide mortgage lending firm.  But cybercriminals aren’t just looking to steal personal information and credit card numbers when they break into corporate computers -- they’re looking for other valuable information.
----
RICK KARR:  All those flaws that Carnegie Mellon’s undergrads find every semester ... don’t necessarily mean that the software on your P-C or your bank’s web site is badly written.  Almost every piece of software, every computer system has vulnerabilities that can be exploited -- it’s virtually impossible to make anything that’s connected to the internet perfectly secure.  And today -- compared to 10 or 20 years ago, all of us have just so many more computers and smartphones and tablets -- all of them connected and vulnerable.  So we’re vulnerable, too.

Carnegie Mellon’s students are so good at exploiting those vulnerabilities ... that the NSA enlisted them to create a game that teaches hacking skills to high-school-aged students -- and paid for the job.  Cylab, the university’s cybersecurity institute, is home to the top-ranked competitive hacking team in the world: the Plaid Parliament of Pwning -- “pwn” is hacker-speak for “own”, as in the hacker takes a computer over and owns it.  For the third straight year, the team won top honors at international contests that pit teams of hackers against one another ... and utterly demolished the competition at a prestigious contest in Las Vegas.

Friday, September 6, 2013

SECURITY - From Dilbert

Dilbert
9/6/2013

SECURITY - The NSA's Internet Hacking

"Revealed:  The NSA’s Secret Campaign to Crack, Undermine Internet Security" by Jeff Larson (ProPublica), Nicole Perlroth and Scott Shane (The New York Times), ProPublica 9/5/2013

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way.  The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop.  Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products.  The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted.  And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ.  “Cryptanalytic capabilities are now coming online.  Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”

An intelligence budget document makes clear that the effort is still going strong.  “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.

In recent months, the documents disclosed by Mr. Snowden have described the N.S.A.’s broad reach in scooping up vast amounts of communications around the world.  The encryption documents now show, in striking detail, how the agency works to ensure that it is actually able to read the information it collects.

The agency’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant.  But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology.  N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.

The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission.  If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.

Just in recent weeks, the Obama administration has called on the intelligence agencies for details of communications by Qaeda leaders about a terrorist plot and of Syrian officials’ messages about the chemical weapons attack outside Damascus.  If such communications can be hidden by unbreakable encryption, N.S.A. officials say, the agency cannot do its work.

But some experts say the N.S.A.’s campaign to bypass and weaken communications security may have serious unintended consequences.  They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of American communications.

Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL, virtual private networks, or VPNs, and the protection used on fourth generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.

For at least three years, one document says, GCHQ, almost certainly in close collaboration with the N.S.A., has been looking for ways into protected traffic of the most popular Internet companies:  Google, Yahoo, Facebook and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document.

“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University.  “Those back doors could work against U.S. communications, too.”

Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.

“And they went and did it anyway, without telling anyone,” Mr. Kocher said.  He said he understood the agency’s mission but was concerned about the danger of allowing it unbridled access to private information.

“The intelligence community has worried about ‘going dark’ forever, but today they are conducting instant, total invasion of privacy with limited effort,” he said.  “This is the golden age of spying.”

A Vital Capability

The documents are among more than 50,000 shared by The Guardian with The New York Times and ProPublica, the nonprofit news organization.  They focus primarily on GCHQ but include thousands either from or about the N.S.A.

Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.  The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.

The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June.

“Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.

The documents make clear that the N.S.A. considers its ability to decrypt information a vital capability, one in which it competes with China, Russia and other intelligence powers.

“In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,” a 2007 document said.  “It is the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.”

The full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes:  the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand.  Only they are cleared for the Bullrun program, the successor to one called Manassas — both names of American Civil War battles.  A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.

Unlike some classified information that can be parceled out on a strict “need to know” basis, one document makes clear that with Bullrun, “there will be NO ‘need to know.’ ”

Only a small cadre of trusted contractors were allowed to join Bullrun.  It does not appear that Mr. Snowden was among them, but he nonetheless managed to obtain dozens of classified documents referring to the program’s capabilities, methods and sources.

Ties to Internet Companies

When the N.S.A. was founded, encryption was an obscure technology used mainly by diplomats and military officers.  Over the last 20 years, with the rise of the Internet, it has become ubiquitous.  Even novices can tell that their exchanges are being automatically encrypted when a tiny padlock appears next to the Web address on their computer screen.

Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.

According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.”  Sigint is the abbreviation for signals intelligence, the technical term for electronic eavesdropping.

By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, according to the documents.  The agency also expected to gain full unencrypted access to an unnamed major Internet phone call and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments.

In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

The 2013 N.S.A. budget request highlights “partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses” — that is, to allow more eavesdropping.

At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.

Microsoft asserted that it had merely complied with “lawful demands” of the government, and in some cases, the collaboration was clearly coerced.  Executives who refuse to comply with secret court orders can face fines or jail time.

N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages.  If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.

How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored.  To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means.  “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers.  One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency.  The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections.  The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity.  But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

A Way Around

By introducing such back doors, the N.S.A. has surreptitiously accomplished what it had failed to do in the open.  Two decades ago, officials grew concerned about the spread of strong encryption software like Pretty Good Privacy, or P.G.P., designed by a programmer named Phil Zimmermann.  The Clinton administration fought back by proposing the Clipper Chip, which would have effectively neutered digital encryption by ensuring that the N.S.A. always had the key.

That proposal met a broad backlash from an unlikely coalition that included political opposites like Senator John Ashcroft, the Missouri Republican, and Senator John Kerry, the Massachusetts Democrat, as well as the televangelist Pat Robertson, Silicon Valley executives and the American Civil Liberties Union.  All argued that the Clipper would kill not only the Fourth Amendment, but also America’s global edge in technology.

By 1996, the White House backed down.  But soon the N.S.A. began trying to anticipate and thwart encryption tools before they became mainstream.

“Every new technology required new expertise in exploiting it, as soon as possible,” one classified document says.

Each novel encryption effort generated anxiety.  When Mr. Zimmermann introduced the Zfone, an encrypted phone technology, N.S.A. analysts circulated the announcement in an e-mail titled “This can’t be good.”

But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.

By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300.

But the agencies’ goal was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence.

A 2010 document calls for “a new approach for opportunistic decryption, rather than targeted.”  By that year, a Bullrun briefing document claims that the agency had developed “groundbreaking capabilities” against encrypted Web chats and phone calls.  Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.

But the agency was concerned that it could lose the advantage it had worked so long to gain, if the mere “fact of” decryption became widely known.  “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,” a GCHQ document outlining the Bullrun program warned.

Corporate Pushback

Since Mr. Snowden’s disclosures ignited criticism of overreach and privacy infringements by the N.S.A., American technology companies have faced scrutiny from customers and the public over what some see as too cozy a relationship with the government.  In response, some companies have begun to push back against what they describe as government bullying.

Google, Yahoo and Facebook have pressed for permission to reveal more about the government’s secret requests for cooperation.  One small e-mail encryption company, Lavabit, shut down rather than comply with the agency’s demands for what it considered confidential customer information; another, Silent Circle, ended its e-mail service rather than face similar demands.

In effect, facing the N.S.A.’s relentless advance, the companies surrendered.

Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning.  “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

Statement from the Office of the Director of National Intelligence:

It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries’ use of encryption.  Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities.  Our intelligence community would not be doing its job if we did not try to counter that.

While the specifics of how our intelligence agencies carry out this cryptanalytic mission have been kept secret, the fact that NSA’s mission includes deciphering enciphered communications is not a secret, and is not news.  Indeed, NSA’s public website states that its mission includes leading “the U.S. Government in cryptology … in order to gain a decision advantage for the Nation and our allies.”

The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity.  Anything that yesterday’s disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.

Wednesday, July 17, 2013

CYBER SECURITY - Cyberattacks on U.S. Universities

"Universities Face a Rising Barrage of Cyberattacks" by RICHARD PÉREZ-PEÑA, New York Times 7/16/2013

Excerpt

America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly.  Campuses are being forced to tighten security, constrict their culture of openness and try to determine what has been stolen.

University officials concede that some of the hacking attempts have succeeded.  But they have declined to reveal specifics, other than those involving the theft of personal data like Social Security numbers.  They acknowledge that they often do not learn of break-ins until much later, if ever, and that even after discovering the breaches they may not be able to tell what was taken.

Universities and their professors are awarded thousands of patents each year, some with vast potential value, in fields as disparate as prescription drugs, computer chips, fuel cells, aircraft and medical devices.

“The attacks are increasing exponentially, and so is the sophistication, and I think it’s outpaced our ability to respond,” said Rodney J. Petersen, who heads the cybersecurity program at Educause, a nonprofit alliance of schools and technology companies.  “So everyone’s investing a lot more resources in detecting this, so we learn of even more incidents we wouldn’t have known about before.”

Tracy B. Mitrano, the director of information technology policy at Cornell University, said that detection was “probably our greatest area of concern, that the hackers’ ability to detect vulnerabilities and penetrate them without being detected has increased sharply.”

Like many of her counterparts, she said that while the largest number of attacks appeared to have originated in China, hackers have become adept at bouncing their work around the world.  Officials do not know whether the hackers are private or governmental.  A request for comment from the Chinese Embassy in Washington was not immediately answered.

Analysts can track where communications come from — a region, a service provider, sometimes even a user’s specific Internet address.  But hackers often route their penetration attempts through multiple computers, even multiple countries, and the targeted organizations rarely go to the effort and expense — often fruitless — of trying to trace the origins.  American government officials, security experts and university and corporate officials nonetheless say that China is clearly the leading source of efforts to steal information, but attributing individual attacks to specific people, groups or places is rare.

The increased threat of hacking has forced many universities to rethink the basic structure of their computer networks and their open style, though officials say they are resisting the temptation to create a fortress with high digital walls.

“A university environment is very different from a corporation or a government agency, because of the kind of openness and free flow of information you’re trying to promote,” said David J. Shaw, the chief information security officer at Purdue University.  “The researchers want to collaborate with others, inside and outside the university, and to share their discoveries.”

Some universities no longer allow their professors to take laptops to certain countries, and that should be a standard practice, said James A. Lewis, a senior fellow at the Center for Strategic and International Studies, a policy group in Washington.  “There are some countries, including China, where the minute you connect to a network, everything will be copied, or something will be planted on your computer in hopes that you’ll take that computer back home and connect to your home network, and then they’re in there,” he said.  “Academics aren’t used to thinking that way.”

Bill Mellon of the University of Wisconsin said that when he set out to overhaul computer security recently, he was stunned by the sheer volume of hacking attempts.

“We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system,” said Mr. Mellon, the associate dean for research policy.  “There are also a lot from Russia, and recently a lot from Vietnam, but it’s primarily China.”

Other universities report a similar number of attacks and say the figure is doubling every few years.  What worries them most is the growing sophistication of the assault.

As a computer expert and a retired IT technician, I say that the comment "free flow of information you’re trying to promote" does NOT mean that universities should not have very high network security.  Network security does not mean restricting free flow of information between AUTHORIZED users.

Tuesday, July 9, 2013

CYBERWAR - About Chinese Cyber Theft

"US Government, Industry Fed up with Chinese Cyber Theft; What’s Being Done?" PBS Newshour 7/8/2013

Excerpt

SUMMARY:  As U.S. and Chinese officials meet this week in Washington to discuss cyber issues -- as well as broader strategic and economic issues -- a number of Congress members and computer security experts say they are fed up with China stealing proprietary data from American companies.  Ray Suarez reports.

Monday, May 13, 2013

CYBERCRIME - Robbers Hit ATMs for $45 Million Worldwide

"Cyber ATM Robbers Grab $45 Million Worldwide Within Hours" (Part-1) PBS Newshour 5/10/2013

JEFFREY BROWN (Newshour):  And we turn to a major cyber-theft, global in scope and raising new questions about our vulnerabilities in the digital age.

The thefts took place in broad daylight at ATM machines, and the thieves wore no disguises.

U.S. ATTORNEY LORETTA LYNCH, Eastern District of New York:  This was a 21st century bank heist that reached through the Internet to span the globe.

JEFFREY BROWN:  U.S. authorities say the reach of the international cyber-crime was wide; 27 countries -- Russia, Japan, Egypt, Colombia, Canada and beyond.

The criminals hacked into companies that process prepaid debit cards for two banks in the Middle East, stole the data and then copied it onto doctored cards with magnetic strips.  Yesterday in New York, U.S. Attorney Loretta Lynch explained what happened next.

LORETTA LYNCH:  They become a virtual criminal flash mob, going from machine to machine, drawing as much money as they can before these accounts are shut down.

JEFFREY BROWN:  On Dec. 21st, thieves hit 4,500 ATMs in some 20 countries, stealing five million dollars.  Then on Feb. 19th, they upped their game.  In 10 hours, they stole $40 million in 36,000 transactions worldwide.

In Manhattan alone, a team of eight so-called "cashers" allegedly made their way from ATM to ATM making 2,900 withdrawals totaling $2.4 million.

Two of the suspects took photos of themselves and the stacks of cash they allegedly stole.  To round out the crime, authorities say the suspects laundered the money by purchasing luxury goods in the form of Rolex watches, Gucci bags and expensive cars.

"International ATM Cyber Hackers Hid 'in Plain Sight' to Overcome Computer System" (Part-2) PBS Newshour 5/10/2013

Excerpt

SUMMARY:  The global network of thieves who targeted ATMs struck 2,904 machines over 10 hours in New York alone, withdrawing $2.4 million.  For more on the attack and the aftermath, Jeffrey Brown talks with Loretta Lynch, the U.S. attorney for the eastern district of New York and the federal prosecutor in the heist case.

Tuesday, March 12, 2013

INTERNET - What Happens to Your Online 'Estate' After You Die?

"Law Lags Behind in Defining Posthumous Protocol for Online Accounts" PBS Newshour 3/11/2013

Excerpt

JEFFREY BROWN (Newshour):  Billions of people around the world now live part of their lives online, sharing photographs, information on relationships and careers, tweets and more.

But what happens when physical lives end and life in cyberspace goes on?  Of the one billion people who use the social network site Facebook, for example, an estimated three die every minute.  And that can lead to some painful problems.  For one thing, there's no one method or law on the books for how beneficiaries gain access to a deceased person's digital records.

Virginia dairy farmer Ricky Rash ran into that problem after his 15-year-old son Eric committed suicide in 2011.

RICKY RASH, Father:  It was a complete shock, as any suicide is.  But we had absolutely no warning.  Eric kissed his mom good night the night before.  He did his homework.  He Armor All-ed the seats in that Oldsmobile that was his.  He did everything under the sun to show us it was a normal night.

So, with no answers from home, no answers from school, we were just hoping that there may be something that would give us some insight as to why he chose to make the decision he did.  And Facebook was literally the last frontier that we had to investigate.

Monday, March 4, 2013

CYBERWAR - Pinning Down Motive For Hacking Against U.S.

"As Hacking Against U.S. Rises, Experts Try to Pin Down Motive" by NICOLE PERLROTH, DAVID E. SANGER, and MICHAEL S. SCHMIDT; New York Times 3/3/2013

Excerpt

When Telvent, a company that monitors more than half the oil and gas pipelines in North America, discovered last September that the Chinese had hacked into its computer systems, it immediately shut down remote access to its clients’ systems.

Company officials and American intelligence agencies then grappled with a fundamental question: Why had the Chinese done it?

Was the People’s Liberation Army, which is suspected of being behind the hacking group, trying to plant bugs into the system so they could cut off energy supplies and shut down the power grid if the United States and China ever confronted each other in the Pacific?  Or were the Chinese hackers just trolling for industrial secrets, trying to rip off the technology and pass it along to China’s own energy companies?

“We are still trying to figure it out,” a senior American intelligence official said last week.  “They could have been doing both.”

Telvent, which also watches utilities and water treatment plants, ultimately managed to keep the hackers from breaking into its clients’ computers.

At a moment when corporate America is caught between what it sees as two different nightmares — preventing a crippling attack that brings down America’s most critical systems, and preventing Congress from mandating that the private sector spend billions of dollars protecting against that risk — the Telvent experience resonates as a study in ambiguity.

To some it is prime evidence of the threat that President Obama highlighted in his State of the Union address, when he warned that “our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” perhaps causing mass casualties.  Mr. Obama called anew for legislation to protect critical infrastructure, which was killed last year by a Republican filibuster after intensive lobbying by the Chamber of Commerce and other business groups.

But the security breach of Telvent, which the Chinese government has denied, also raises questions of whether those fears — the subject of weekly research group reports, testimony and Congressional studies — may be somewhat overblown, or whether the precise nature of the threat has been misunderstood.

American intelligence officials believe that the greater danger to the nation’s infrastructure may not even be China, but Iran, because of its avowal to retaliate for the Stuxnet virus created by the United States and Israel and unleashed on one of its nuclear sites.  But for now, these officials say, that threat is limited by gaps in Iranian technical skills.

There is no doubt that attacks of all kinds are on the rise.  The Department of Homeland Security has been responding to intrusions on oil pipelines and electric power organizations at “an alarming rate,” according to an agency report last December.  Some 198 attacks on the nation’s critical infrastructure systems were reported to the agency last year, a 52 percent increase from the number of attacks in 2011.

Researchers at McAfee, a security firm, discovered in 2011 that five multinational oil and gas companies had been attacked by Chinese hackers.  The researchers suspected that the Chinese hacking campaign, which they called Night Dragon, had affected more than a dozen companies in the energy industry.  More recently, the Department of Energy confirmed in January that its network had been infiltrated, though it has said little about what damage, if any, was done.

But security researchers say that the majority of those attacks were as ambiguous as the Telvent case.  They appeared to be more about cyberespionage, intended to bolster the Chinese economy.  If the goal was to blow up a pipeline or take down the United States power grid, the attacks would likely have been of a different nature.

In a recent report, Critical Intelligence, an Idaho Falls security company, said that several cyberattacks by “Chinese adversaries” against North American energy firms seemed intended to steal fracking technologies, reflecting fears by the Chinese government that the shale energy revolution will tip the global energy balance back in America’s favor.  “These facts are likely a significant motivation behind the wave of sophisticated attacks affecting firms that operate in natural gas, as well as industries that rely on natural gas as an input, including petrochemicals and steel-making,” the Critical Intelligence report said, adding that the attack on Telvent, and “numerous” North American pipeline operators may be related.

American intelligence experts believe that the primary reason China is deterred from conducting an attack on infrastructure in the United States is the simple economic fact that anything that hurts America’s financial markets or transportation systems would also have consequences for its own economy.

COMMENT:  The REASON for hacking U.S. systems is in reality irrelevant.  The ABILITY to hack our systems is, or should be, the point.  Hacking methods used for economic reasons can be used for more destructive reasons.

Monday, February 25, 2013

CYBERSECURITY - Social Networking Hacking

"Twitter Hackings Put Focus on Security for Brands" by TANZINA VEGA and NICOLE PERLROTH, New York Times 2/24/2013

Excerpt

While most Americans were winding up their holiday weekends last Monday, the phones at the Vancouver headquarters of HootSuite, a social media management company, began to ring.

Burger King’s Twitter account had just been hacked.  The company’s logo had been replaced by a McDonald’s logo, and rogue announcements began to appear.  One was that Burger King had been sold to a competitor; other posts were unprintable.

“Every time this happens, our sales phone lines light up,” said Ryan Holmes, the chief executive of HootSuite, which provides management and security tools for Twitter accounts, including the ability to prevent someone from gaining access to an account.  “For big brands, this is a huge liability,” he said, referring to the potential for being hacked.

What happened to Burger King — and, a day later, to Jeep — is every brand manager’s nightmare.  While many social media platforms began as a way for ordinary users to share vacation photos and status updates, they have now evolved into major advertising vehicles for brands, which can set up accounts free but have to pay for more sophisticated advertising products.

Burger King and Jeep, owned by Chrysler, are not alone.  Other prominent accounts have fallen victim to hacking, including those for NBC News, USA Today, Donald J. Trump, the Westboro Baptist Church and even the “hacktivist” group Anonymous.

Those episodes raised questions about the security of social media passwords and the ease of gaining access to brand-name accounts.  Logging on to Twitter is the same process for a company as for a consumer, requiring just a user name and one password.

Twitter, like Facebook, has steadily introduced a number of paid advertising options, raising the stakes for advertisers.  Brands that pay to advertise on Twitter are assigned a sales representative to help them manage their accounts, but they are not given any more layers of security than those for a typical user.

Ian Schafer, the founder and chief executive of Deep Focus, a digital advertising company that also fielded a few phone calls from clients concerned about the Burger King attack, argued that Twitter bore some responsibility.

“I think Twitter needs to step up its game in providing better security,” Mr. Schafer said.  In a memo to his staff about such attacks, he called on social networks like Facebook, Twitter, Pinterest “and anyone else serious about having brands on their platform” to “invest time in better understanding how brands operate day to day.”

“It’s also time for these platforms to use their influence to shape security standards on the Web,” he wrote.

The risk for Twitter is in offending potential business partners as the company tries to build its advertising dollars, which make up the bulk of its revenue.  In 2012, the company grew more than 100 percent, earning $288.3 million in global advertising revenue, according to eMarketer.

On Wednesday, it introduced a product that would allow advertisers to create and manage ads through third parties like HootSuite, Adobe and Salesforce.com.  Advertising is estimated to account for more than 90 percent of the company’s revenue.

“This is not something we take lightly,” said Jim Prosser, a Twitter spokesman, in an interview last month.  (The company declined to comment on the Burger King hacking, saying it did not discuss specific accounts.)  Mr. Prosser said Twitter had manual and automatic controls in place to identify malicious content and fake accounts, but acknowledged that the practice was more art than science.

Mr. Prosser said Twitter had taken an active role in combating the biggest sources of malicious content.

Last year, the company sued those responsible for five of the most-used spamming tools on the site.  “With this suit, we’re going straight to the source,” it said in a statement.  “We hope the suit acts as a deterrent to other spammers, demonstrating the strength of our commitment to keep them off Twitter.”

But security experts say, and the recent hacks of Burger King, Jeep and other brands have demonstrated, that Twitter could do more.

“Twitter and other social media accounts are like catnip for script kiddies, hacktivists and serious cybercriminals alike,” said Mark Risher, chief executive at Impermium, a Silicon Valley start-up that aims to clean up social networks.  “Because of their deliberately easy access and liberal content policies, accounts on these networks prove irresistibly tempting.”