The Cyber Attack on the Ukrainian Electrical Infrastructure: Another Warning

By Gabi Siboni and Zvi Magen

On December 23, 2015, malfunctions were reported in portions of the electrical network in western Ukraine, after the operations of 27 distribution stations and three power plants were disrupted, causing the electricity supply system to crash. This was not a routine power outage: the Ukrainian authorities believe that a cyber attack originating in Russia caused the malfunction, and the Security Service of Ukraine has blamed Russia for the power outages. The conclusions of several security companies confirm the suspicion linking the attack to Sandworm, which according to the security company iSight is a Russian group affiliated with the Russian government. Hypotheses regarding a possible motive also support the suspicion that Russia is the party responsible for the attack, perhaps as part of the Russian campaign against cutting off the Crimean Peninsula, annexed by Russia, from electricity supplied by Ukraine. Cyberspace operations also enable Russia to continue denying its involvement in Ukraine, while at the same time persisting in efforts to attack it.

For some time, security experts have warned that critical services – for example, electricity and water supplies – can be attacked through cyberspace. The assumption is that such action requires sophisticated capabilities in cyber intelligence, technology, and operations, and possession of such capabilities is usually attributed to countries that have invested heavily in their development. Until now, even if in possession of such capabilities, most countries have shown restraint in using cyber tools to materially disrupt essential services and critical infrastructure in enemy countries. Events in Ukraine, however, question whether this assumption of restraint is still valid. On December 23, 2015, malfunctions were reported in portions of the electrical network in western Ukraine, after the operations of 27 distribution stations and three power plants were disrupted, causing the electricity supply system to crash. Many homes were cut off from the network. This was not a routine power outage: the Ukrainian authorities believe that a cyber attack originating in Russia caused the malfunction, and the Security Service of Ukraine (SBU) has blamed Russia specifically for the power outages.

Ukrainian Nationalists and a cheering crowd after the toppling of the statue of Communist leader Grigory Petrovsky, Dnipropetrovsk, January 29, 2016. Photo: Stanislas Vedmid / AFP

It is difficult to prove with certainty who was behind the attack, but presumably the relevant authorities in Ukraine, with the help of Western agencies, will ultimately uncover the attacker’s identity. The Ministry of Energy in Kiev has appointed a committee to investigate the affair. Thus far, assessments concerning the party responsible for the attack are based on forensic examinations carried out on the damaged computers, which indicate that components in them were previously used by Russian groups. Furthermore, not surprisingly, the technological capabilities point to a Russian element.

The conclusions of several security companies confirm the suspicion linking the attack to Sandworm, which according to the security company iSight is a Russian group affiliated with the Russian government. iSight has monitored Sandworm for over a year, and discovered that the group has collected information from the computers of Ukrainian administration officials, and from agencies in the European Union and NATO. Other security experts reported that the group was also focusing on attacking industrial control systems. According to the security company ESET, located in Bratislava, the attackers used backdoor software that makes it possible to conduct operations on the target computers through a remote control server. In the Ukrainian case, use was made of a BlackEnergy component – a Trojan horse used as early as 2014 – to spy on Ukrainian administration computers and plant a malware program called KillDisk on power station computers in western Ukraine.

Hypotheses regarding a possible motive also support the suspicion that Russia is the party responsible for the attack, perhaps as part of the Russian campaign against cutting off the Crimean Peninsula, annexed by Russia, from electricity supplied by Ukraine. In addition, there is a great deal of information about the presence of advanced cyber warfare capabilities possessed by Russia and affiliated organizations, with Russia taking the lead in developing a combat doctrine that encompasses both kinetic and cybernetic activity. In the case of Ukraine, cyberspace operations enable Russia to continue denying its involvement in its neighbor, while at the same time persisting in efforts to attack it.

Effective wielding of the cyber weapon against sensitive targets in another country, in this case Ukraine, is likely to have far reaching consequences, not only for the future course of the particular conflict, but also for conflicts between other countries, or between countries and non-state organizations able to procure both offensive and defensive cyber capabilities. To be sure, similar cases of cyber attacks were recorded in the past. One of the best known examples of attack against infrastructure facilities that caused actual physical damage was the attack on Iranian nuclear installations with the Stuxnet software – alleged by some to have been carried out by Israel and the United States. Attacks in the Baltic states designed to prevent service were attributed to Russia. Nevertheless, the cyber attack in western Ukraine clearly reflects the use of this weapon against critical civilian infrastructure on a larger scale. This event, a precedent tantamount to crossing the Rubicon, is liable to serve as a model for imitation by other countries and perhaps organizations as well, while eroding the barriers of restraint that previously existed. In other words, it appears that the Ukraine incident is a sign that an especially important threshold has been crossed. Espionage, the theft of commercial information, financial crime, and denial of services are tolerable; although bothersome, they do not materially and directly harm the substance of daily life. An attack against the electrical infrastructure, however, can damage critical infrastructure and jeopardize human life. It therefore constitutes a quantum leap in the will to cause damage, in this case by a state.

Like other countries threatened in cyberspace, Ukraine will have to consider how to improve its defensive capabilities against similar events in the future. Israel can provide an example here. Over the past decade, Israel has been able to develop advanced defensive capabilities for its critical infrastructure. Its defensive envelope includes gathering and analyzing intelligence and distributing it to the relevant agencies, as well as monitoring by the Israel Security Agency. This has created an environment of ongoing improvement and enhancement in defensive capabilities. Still, the proliferation of cyber capabilities, which has accelerated in recent years, enables new-old players – terrorist organizations and criminal elements – to acquire capabilities previously considered the exclusive province of nations. Concern is therefore growing that these non-state actors, which lack restraint mechanisms and state-like considerations, will attempt to imitate the model demonstrated in the attack on the electricity infrastructure in Ukraine.

Disruption of the supply of electricity is no trivial matter. It is enough to recall the events in Israel in late 2015 resulting from natural causes, and not a cyber attack: harsh winter weather caused serious disruptions over widespread areas lasting for many days. Israel is especially vulnerable in this aspect, due to the concentrated topology of its electricity grid. It is therefore necessary to continue monitoring related developments in Israel’s strategic environment and throughout the world to assess whether there is a growing trend of cyber attacks able – despite sophisticated defensive measures – to inflict serious damage, and to prepare accordingly.

EDITORS NOTE: This column originally appeared on The Institute for National Security Studies website.

National Security Agency: Spying on American Jews, Israel and the U.S. Congress

Shoshana Bryen is Senior Director at the Washington, D.C. based Jewish Policy Center. She has been a frequent guest on The Lisa Benson Show regarding US-Israel relations, the Obama Administration and national security. On the first program of the New Year, January 3, 2016, she appeared to address allegations raised by a Wall Street Journal article about NSA spying on Israeli Prime Minister Netanyahu and, by happenstance, members of Congress and American Jewish leaders, “US Spy Net on Israel Snares Congress.” She also responded to an NER Iconoclast post on whether the Israel Defense Force was prepared to meet the threat of ISIS affiliates on both the Syrian frontier and the Egyptian Sinai. She also spoke of an emerging relationship with Putin’s Russia allowing Israeli freedom to attack Hezbollah targets in Syria.

Listen to the segment with Bryen on the Benson show Podcast of January 3, 2016 starting at the 20 minute mark:

As is our practice in producing the weekly Benson Show, we send our guests a set of suggested questions, requesting that they select a limited number to respond to in what is a fast-paced, packed 44 minutes. Bryen prepared written responses to the original set of questions. Below are her astute and illuminating responses.

What is the real story behind the Wall Street Journal report alleging NSA spying on Israeli PM Netanyahu, Congressional members and American Jewish Leaders?

Bryen:  The administration was spying on Congress; maybe still is.  The White House tried to put a layer of protection between itself and illegal NSA activity by saying “do what you want.” If there was a problem or a lawsuit over this, the White House position wouldn’t hold up. NSA was spying on Israel and vice versa – nothing new.

The real targets were Congress and American Jews. I don’t see that Congress knew about this specific spying. Surely no one up there is naive and they know they are listened to. This is important for the next points. That makes the idea that they would get on the phone with Israeli Ambassador to US Ron Dermer and allow him to bribe them over the wire totally ridiculous. Whatever NSA got, they did not get it from tapping Dermer’s phone. They probably also did not get it from tapping Congressional phones because Congress assumes it is tapped and no one was discussing bribery.  What could you bribe a Congressman with to get his/her vote on this?

There was no collusion between Ron Dermer and the American Jewish community. I was part of the machinations opposing the nuclear deal with Iran, although the Jewish Policy Center does not lobby; we are only in the information business. “The Jews” knew their talking points and didn’t need Dermer for anything. If they talked to him, that is one thing.  However, needing him for “talking points,” again, that is ridiculous. If there are intercepts of American Jews talking to Congressional members it would have to come from bugging Congress. Lee Smith, of The Weekly Standard makes the point that if there was bribery or attempted bribery involved, there would already be criminal cases. There are none, of course. So, where does that leave us?

NSA spying is only supposed to be done for issues of National Security. One can make the argument that if the US government thought Israel was going to bomb Iran, it would rise to that level. However by 2013, the US was positive Israel was not going to do that. What comes after is political.

Are the enemies of the White House Congress and the Jews? Congress because Obama knew it opposed the deal. That is why the talks needed to be secret. Also, the talks leading to the talks needed to be secret. They were worried that Israel would spill the beans. Israel didn’t.

There were several incidents in which the Administration let people know what the problems were.  Lee Smith points in his article to a Jon Stewart interview with the President. There is also The New York Times (NYT) editorial that accused Jews of being more loyal to a foreign government than to the US. Senators Schumer and Menendez were damned as “beholden to donors” – code word for Jews.

Obama told Stewart: “If people are engaged, eventually the political system responds. Despite the money, despite the lobbyists, it still responds.” Stewart said, “What do you mean by lobbyists?” The President didn’t answer, but after the signing of the JCPOA, he said Congress would evaluate this agreement fairly, “not based on lobbying, but based on what is in the national interests of the United States of America.”

The NYT reported on a Democratic Issues Conference in Baltimore where the President said he understood the pressures that senators face from “donors and others.” However, according to the NYT, Obama urged the lawmakers to “take the long view rather than make a move for short-term political gain,” meaning money and Jewish support. Menendez was offended.

Smith actually thinks there was no specific bugging going on, but just an attempt to intimidate Congress and the Jews. I disagree.  They think they are above the law on these things. And they may be, but it doesn’t appear to matter.

Why are media accusations unfounded that American Jewish leaders and U.S. Congressional friends of Israel take their cues from the Israeli Embassy?

Bryen: Because those accusations presume American Jews NEED someone to tell them how they are supposed to feel about a political issue. On its face that is anti-Semitic. American Jews are a sophisticated community of Americans – although I have some disagreements with where they come out on some issues – they don’t need anyone, particularly a foreign government, to tell them what to think or what to do about issues.

Have these disclosures impacted US-Israel intelligence cooperation and weapons deliveries to maintain Israel’s Qualitative Military Edge?

Bryen:  No, there is no present impact that I can discern. First, all intelligence agencies assume that they are being spied on by both friends and enemies. It’s nothing new. Second, the relationship works both ways – the American intelligence services rely on Israel for information in the region.

What options does Congress have to bar lifting sequestered funds of Iran now that the Administration announced delays in new sanctions in view of Iran’s violation of ballistic missile testing under UN Resolutions?

They’re talking about new sanctions laws in Congress after the holiday recess. Note that Sen. Chris Coons (D-DE) is the loudest voice on this. He voted FOR the JCPOA and he’s figured out that the deal was a disaster and Secretary Kerry’s “snapback sanctions” were a joke.

Congress can pass any law it wants – sanctions included. Iran’s public interpretation of the deal is that any new sanctions would violate the JCPOA and leave Iran free to withdraw from it – or actually, continue to violate it. The White House appears to be siding with Iran including on the secure visa procedure, which is absolutely an obligation of Congress. Iran remains on the State Sponsor of Terror list because of its support for Hezbollah and Hamas. If the White House does not want more sanctions, it will threaten a veto.  Then you will have the extraordinary spectacle of a U.S. government shielding the world’s top sponsor of terror from the United States Congress.

How prepared is the IDF to contend with threats from ISIS in both Syria and the Sinai?

Bryen:  Israel is in a continual state of readiness.  For years they have had to closely identify and track the threats. They are helped by the determination of Egypt in Sinai – with which the US government should be thrilled. It is the actual implementation of the Camp David Accords. The problem for the US in the Sinai is that we have the Multilateral Force and Observers there – MFO – primarily manned by Americans. It is a holdover from Camp David designed to ensure that the Egyptians don’t move military equipment into Sinai in quantities larger than Camp David permitted. Now it is a target for ISIS and affiliated Bedouin groups.

Israel is helped on the northern front by the fact that at the moment neither the Assad government nor Hezbollah wants to open another front and Russia would not permit it. The Israel-Russia relationship is fascinating.  It is mutually beneficial right now and has the seeds of longer-lasting cooperation.

As for ISIS, while in theory killing Jews would be fine, it doesn’t need a second front either. There is a growing threat of ISIS-inspired organizations on the Syrian border, where multiple local factions have pledged allegiance to ISIS leadership. The more immediate risk, however, is most likely related to ISIS’ possible impact on Israeli Arab youth, both within Israel and in Judea and Samaria.

Given the latest killings of Israelis in Tel Aviv by an Israeli Arab, what can the Netanyahu government do to prevent such deadly attacks?

Bryen: We don’t have all the information, including whether or not it was actually terrorism. It didn’t have the usual “fingerprints.” The perpetrator was an Israeli Arab citizen who had served five years for a previous attack on an IDF soldier. He used a firearm, deliberately hitting two people, not spraying the restaurant for maximum casualties. The attack was in the heart of Tel Aviv and he fled the scene. Israeli Police hedged on whether it was simply a criminal act. If it was a terrorist, it appears to be of the “lone wolf” variety, which means Israel has the same problem the U.S. does.

EDITORS NOTE: This column originally appeared in the New English Review.

CYBER SECURITY ALERT: Smartphone App allows access by cyber-criminals

Bret Baier of Fox News, in an interview with Gary Miliefsky, CEO of SnoopWall, reports that a popular smartphone application exposes your personal information to cyber criminals.

Read the full SnoopWall Flashlight Apps Threat Assessment Report here.

Americans Want More Protections For Emails and Online Communications

WASHINGTON, D.C. /PRNewswire-USNewswire/ — The Digital 4th coalition unveiled new poll results showing broad and diverse support for stronger email privacy protections – both nationally and in early primary states. According to a survey by Vox Populi Polling, 86% of voters nationwide support an update to the Electronic Communications Privacy Act (ECPA), the 29-year-old law setting standards for government access to emails and online communications. In Iowa, 81% of Democratic voters and 74% of Republican voters are behind ECPA reform. The numbers were similar in New Hampshire, with 84% of Democrat voters and 75% of Republicans in support.

Moreover, 77% of voters across the country believe the government should be required to get a warrant from a judge before obtaining access to emails, photos and documents stored online.

“ECPA reform is overwhelmingly bipartisan and overwhelmingly supported by Americans across the country. There is tremendous momentum with more than 300 members of Congress co-sponsoring legislation requiring a warrant for emails and online communications. The legislation would simply extend Constitutional protections online,” said Gabe Rottman, Legislative Counsel and Policy Advisor at the American Civil Liberties Union (ACLU) and a member of the Digital 4th coalition.

“What’s particularly illuminating is that more than three out of every four voters believe that the government needs to get a warrant before accessing emails and other online communications. Federal agencies like the Securities & Exchange Commission (SEC) have been advocating to circumvent the warrant requirement. It’s clear that Americans see this as nothing more than a power grab. We hope Congress stands up to federal agencies and preserves our constitutional rights online,” said Katie McAuliffe, Federal Affairs Manager at Americans for Tax Reform (ATR) and member of the Digital 4th coalition.

“Support for strengthening online privacy spans across all ages, races and political affiliations. This level of support is typically unheard of in politics today. It is clear from our results that Americans want online privacy laws to be updated,” said Michael Meyers of Vox Populi Polling.

Other notable numbers from the poll include:

  • 84% of voters feel that privacy is important (63% extremely or very important) when it comes to the government accessing their online information. Only 16% of voters feel that it is not very important or not important at all.
  • 77% of voters reported that a warrant should be required to access these online communications. 78% of Democrats and 76% of Republicans supported the requirement of a warrant.
  • ECPA reform does have an effect on presidential candidate choice for a majority of American voters. 53% of all likely general election voters stated that they would be more inclined to vote for a candidate who supported strengthening online privacy through ECPA reform.

To read a memo on the full polling results, click here.

Muslim hacker to release CIA Director Brennan’s Emails

All that pandering, and the jihadis cut him no slack.

“Purported CIA email hacker pushed for ‘Free Palestine,’ praised Allah on Twitter,” Fox News, October 20, 2015:

Details are emerging about the motivations and the methods behind the alleged hack of CIA Director John Brennan’s personal AOL email account, with the supposed hacktivist identifying on Twitter as an advocate for a “free” Palestinian state — and claiming he and others broke in simply by fooling a Verizon agent.

He also praised Allah in his Twitter bio.

Meanwhile, questions are being raised about Brennan potentially having sent work-related emails through his personal account, a move one tech expert called “just plain stupid.” And if any work-related emails were sent containing classified information, it could pose a legal problem similar to the one facing Hillary Clinton.

A law enforcement source confirmed to Fox News Monday that the FBI was looking into claims that Brennan’s personal AOL email was hacked.

Analysts noted the cyber-vandals may have used a tactic known as “social engineering,” and not traditional hacking. The anonymous hacker claiming credit told WIRED that he and two other people, after learning Brennan was a Verizon customer, posed as a Verizon technician to trick another Verizon employee into giving them access to the company’s customer database.

From there, they reportedly were able to access Brennan’s account number, his backup cell phone, the last four digits of his bank card number and his AOL email address. With that information, they were able to call AOL and gain access to the account on Oct. 12, the hacker told WIRED.

The hacktivist’s Twitter account includes links to files he says are Brennan’s contact list, a log of phone calls by then-CIA deputy director Avril Haines, and other documents.

One document purporting to come from Brennan’s AOL email account contains a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers, although the hacker redacted the numbers in the version he posted on Twitter.

The hacker told the New York Post he had also obtained a 47-page version of Brennan’s application for a security clearance, known as an SF86. That document contains detailed information about past jobs, foreign contacts, finances and other sensitive personal details. No such document appears to be posted on the hacker’s Twitter account, but it’s not clear whether the hacker posted it elsewhere.

“His SF86 contains information on references on bosses, on managers, on friends. If that file gets out, it could actually put these people’s lives in danger. Their identity is not supposed to be known by the general public,” Morgan Wright, a cybersecurity expert, told Fox News.

The hacker, whom the New York Post described in an article published Sunday as “a stoner high school student,” appears to have been motivated in part by his support for a Palestinian state.

The hacker told WIRED that when they called Brennan’s cell phone, he asked them what they wanted, to which they replied: “We just want Palestine to be free and for you to stop killing innocent people.”

The supposed hacker’s Twitter page also referenced the Palestinian cause.

In his bio on Twitter, the hacker also posted “La il laha il Allah, Muhammad a rasool Allah” which translates as “There is no god but Allah. Muhammad is the messenger of Allah” – a traditional Islamic statement of faith.

It’s unclear to what extent Brennan may have used the AOL account for work-related business. A CIA spokesman told Fox News they are aware of the claims: “We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”

As the matter is under review, the veracity of the hacker’s claims is unclear. But one tech expert told FoxNews.com that the story sounded credible.

“[Hackers] learn the jargon and pose as line workers or switch operators and get access to restricted areas of the network,” Roger Kay, of Endpoint Technologies Associates, told FoxNews.com. “Security at AOL and other networks is reasonable, but weak passwords can always be cracked, and password recovery schemes are typically based on information about people stored from questions like ‘What was the name of your first pet?’”

Kay said that, if the claims are true, the breach shows poor judgment from the man in charge of the nation’s central intelligence.

“The CIA director was just plain stupid to use a common service like AOL for sensitive communications. He really should have known better,” Kay said….

EDITORS NOTE: This column originally appeared on PamelaGeller.com.

Kosovo Muslim arrested for hacking U.S. Military files for the Islamic State

“A statement from the U.S. Department of Justice said Mr Ferizi, known by his moniker ‘Th3Dir3ctorY’, hacked into a U.S. company’s systems in order to take the personal details of 1,351 U.S. military and government staff.” The repercussions of that theft could be felt for quite some time.

“Malaysia arrests Kosovo man for ‘hacking US files for IS,’” BBC, October 16, 2015 (thanks to Lookmann):

A Kosovan man has been arrested in Malaysia for allegedly hacking into a computer database and providing information on US security officials to the so-called Islamic State group.

The man, who is in his 20s, was detained on 15 September, Malaysian police said in a statement on Thursday.

Separately, the US identified him as Ardit Ferizi, thought to head a hacker group called Kosova Hacker’s Security (KHS).

Mr Ferizi will be extradited to the US.

A statement from the US Department of Justice said Mr Ferizi, known by his moniker “Th3Dir3ctorY”, hacked into a US company’s systems in order to take the personal details of 1,351 US military and government staff.

He will be charged with computer hacking and identity theft, and faces up to 35 years in jail, the statement added….

Between June and August this year, Mr Ferizi is alleged to have passed the data on to IS member Junaid Hussain, also known as Abu Hussain al-Britani, who later posted the details online along with a threat to target the officials….

Malaysia has arrested more than 100 people this year, suspected of links to IS, including ten people in August – six of them members of Malaysia’s security forces.

What? 100 people in modern, moderate Malaysia misunderstood Islam so drastically as to adhere to the Islamic State?

Hackers Reveal How Volkswagen Secretly Cheated Emissions Tests by Gary McGath

Cars are part of the “Internet of Things.” They run not just on gas, which you’re free to analyze, but on computer code, which you aren’t. If this sounds worrisome, it is. Internal computers can greatly improve a car’s performance and safety, but they can have problems that show no symptoms under normal circumstances.

A couple of hackers, with a knowing volunteer at the wheel, took remote control of a Jeep Cherokee over the Internet and could have wrecked it at high speed if they hadn’t stopped when asked to. More recently, Volkswagen was caught rigging its emissions-control software to cheat during EPA testing, letting them publish false information about millions of cars.

Car computers are formally called “electronic control units” (ECUs). One car may have over a hundred of them, running millions of lines of code, networked together. Figuring out what they do takes determination; it’s necessary to pull out their memory chips, read them, and work backwards from machine code to the design logic.

But the biggest barrier may not be technical but legal; copyright laws make it illegal to do this kind of reverse engineering, and the EPA itself has helped automakers to keep their emissions-testing code secret.

The Digital Millennium Copyright Act puts restrictions on extracting copyrighted information from computers, even for legitimate diagnostic purposes. Car makers like this; it puts serious limits on independently created diagnostic tools and gives the advantage to shops that pay for licenses.

The EPA has formally opposed a DMCA exception for car systems, arguing that it would let people modify the code to circumvent limitations on emissions. It said that “the majority of modifications to engine software are being performed to increase power and/or boost fuel economy.” That’s just what Volkswagen did, and it was harder to catch them precisely because of those prohibitions.

The Alliance of Auto Manufacturers, which includes Volkswagen, has taken the same stand. Ironically, their statement declares:

Many of the ECUs embodied in today’s motor vehicles are carefully calibrated to satisfy federal or state regulatory requirements with respect to emissions control, fuel economy, or vehicle safety.

Allowing vehicle owners to add and remove programs at whim is highly likely to take vehicles out of compliance with these requirements, rendering the operation or re-sale of the vehicle legally problematic.

John Deere explicitly opposes a free market in car software:

In contrast to the seemingly benign stated purpose of the proposed exemption, the practical effect of circumventing the TPMs [Technical Protection Measures] at issue will stifle creativity and innovation for vehicle software. Third-party software developers, pirates, and competing vehicle manufacturers will be encouraged to free-ride off the creativity and significant investment in research and development of innovative and leading vehicle manufacturers, suppliers, and authors of vehicle software.

The way to promote creativity and innovation is, apparently, to make it illegal for anyone but themselves.

ECUs can be subject to external attacks as well as internal cheatware. Some devices are connected to the Internet for purposes like traffic alerts and entertainment. If they’re part of the car’s internal network, attackers might be able to subvert the whole car, as the Cherokee hackers did. Good design requires firewalls against such attacks, but developers struggling with requirements and hardware limits may neglect security. With no other eyes on their code, it’s easy to be sloppy.

People have tinkered with cars ever since they were first made. They swap in their own parts, making their cars faster, more powerful, and sometimes a lot more annoying. This tradition has helped people to learn how the original parts work and catch problems with them. Spotting flaws and cheats in computer code isn’t as easy as catching bad brakes, but it’s easier when the only barriers are technical. When the government and car manufacturers combine to keep the software secret, the rest of us are stuck in the breakdown lane.

Gary McGath

Gary McGath is a freelance software engineer living in Nashua, New Hampshire.

How the Government Makes Data Hacks a Thousand Times Worse by David M. Brown

In May of 2015, the federal government suffered a massive data breach, a hack that exposed the names and Social Security Numbers of over 21 million people.

In a press release, the Office of Personnel Management reported that as a result of its “aggressive effort to upgrade the agency’s cybersecurity posture,” the agency discovered the massive theft of background records, reportedly originating in China, including

identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.

Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

This was a new breach — not the same looting of 4.2 million records that the agency discovered in April of this year.

The news didn’t stop OPM Director Katherine Archuleta, appointed to the post in 2013, from congratulating herself for the agency’s great strides in security. It was her “comprehensive IT strategic plan” that led to the knowledge that these incidents had happened.

Sounds like congratulations are in order. But now it’s September, Archuleta is long gone (she lasted about one day after praising herself for noticing the theft), and the latest news is that the fingerprints of 5.6 million people were also grabbed in the mega-hacking of OPM’s “cybersecurity posture.”

OPM assures us that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” As of right now… this second… as we hit the press… you probably have nothing to worry about if your fingerprints got stolen from OPM’s data banks. Hurrah.

Even Archuleta would probably concede that discovering a robbery is not quite as good as preventing it. Let’s even go so far as to say that she is less to blame for having failed to fix how her agency functions than is the nature of bureaucracy itself.

Of course, governmental organizations are not the only organizations vulnerable to being cyber-attacked in consequence of lax security. Other victims in recent years have included Target, Chase, and Sony.

But it’s the decades-old privacy-invading policies of the federal government that have routinely converted all such breaches of personal data into potentially limitless disasters for the victims.

The federal government which, decades ago, assured us on the cards stamped with our Social Security Numbers that these digits were “not to be used for purposes of identification” is the same government that now mandates the SSN’s ubiquitous deployment to monitor and tax us.

Today, the Social Security Number is like the number to a combination lock: perhaps not enough by itself to enable a bad guy to rob the safe, but a big, big help. Once your SSN-tagged info is out there in badland, your stolen data can be sold and re-sold and re-re-sold. And your cyber-housed, SSN-tagged stuff can be targeted again and again.

Yet it has become harder and harder to refrain from giving others that number. You can join a club without divulging your SSN. You can open an email account or buy a book, a hamburger, a refrigerator, or a gift card without reporting your SSN. But you cannot put ten dollars in the bank, nor open an investment account, nor apply for a credit card or a job without reporting it. Most often, you cannot rent an apartment or buy a house without reporting it.

Absent unusual efforts to protect your financial and personal privacy (of the kind outlined in J.J. Luna’s book How to Be Invisible), the most you can do by way of preventing cyber-assaults is to take such precautions as using different and non-obvious passwords for different cyber-accounts, and withholding your address, date of birth, and SSN from persons who may ardently request these data but will still do business with you if you refuse.

If your data has been grabbed, you can also — if and when you learn of the theft — arrange to monitor your credit and to block routine access to your credit reports, and perhaps take a few other barn-door-slamming measures. But you cannot, short of engaging in fraud, supply anything other than your actual Social Security Number when a government agency requires that it be supplied.

Our most personal information hasn’t always been thus exposed. Today we are so used to privacy-violating mandates like the Social Security Number tag that we take the necessity of such poisonous violations for granted. But poison does not become nutritious merely because it has become, for now, unavoidable.

David M. Brown

Dead Islamic State hacker linked to Garland, TX jihad attack

This is the kind of person that the U.S. intelligentsia was applauding and abetting when it condemned us for standing up for the freedom of speech in Garland.

“U.S. confirms Islamic State computer expert killed in air strike,” Reuters, August 29, 2015:

The U.S. military confirmed on Friday that a British hacker who was one of the Islamic State movement’s top computer experts and active in encouraging people abroad to carry out “lone wolf” attacks was killed in Syria by a U.S. air strike.

Junaid Hussain of Birmingham, England, was killed on Aug. 24 by a U.S. military air strike on the Islamic State stronghold of Raqqah, said Air Force Colonel Pat Ryder, a spokesman for U.S. Central Command.

Hussain had been involved in “actively recruiting ISIL sympathizers in the west to carry out ‘lone wolf’ style attacks,” Ryder said, using an acronym for the militant group that has seized large parts of Syria and Iraq.

Hussain was responsible for releasing personal information of around 1,300 U.S. military and government employees in recent weeks, and “sought to encourage” attacks against them, U.S. officials said.

One official, speaking on condition of anonymity, said Hussain had also been linked to the release of the names, addresses and photos of 100 U.S. service members on an Islamic State website in March.

Another official said that Washington had evidence that Hussain was in contact with two men who were shot dead when they tried to attack a “Draw Mohammed” cartoon contest in Garland, Texas in early May.

Islamic State claimed in a radio message after the shooting that the two men were “brothers” connected to the group….

Islamic State Posts Names, Locations of FBI, U.S. Embassy Employees and Military Personnel

Under Obama, every American is fair game, every American a sitting duck.

Who does Obama strong arm and threaten? Those opposing his nuclear pact with the Islamic State of Iran.

Clearly, I have redacted the names and did not run the scores of names online, or the ISIS stream of downloaded personal info from their website.

Whom is the FBI targeting? Those of us who are opposing jihad terror. Mind you, ISIS has now published FBI targets, names, locations, phones, IPs, etc.

The Islamic State of America: White House in the Cross-Hairs

Obama is arming a jihad state with nukes — madness.

Obama is woefully unprepared to face the threat of ISIS: he CREATED the threat by leaving Iraq precipitously and giving an opportunity to this group. Instead, he provides cover to the savages, insisting that the Islamic State has nothing to do with Islam, despite its name, and despite ISIS’s explicit threats to the US.

His airstrikes were purely cosmetic and did nothing to stop ISIS.

He has armed the Syrian rebels — many of these arms fell into the hands of ISIS, and the Syrian rebels he armed have the same jihad goal that ISIS does. But in Iraq, these people he has supported and armed became the enemy.

The most dangerous threat to America is Obama’s next move.

Thanks to Joy S.

EDITORS NOTE: This column originally appeared on PamelaGeller.com.

Garland, TX: Islamic State Jihadi ‘radicalized’ by UK Muslim ‘computer geek’

He hacked the Pentagon. He apparently incited one of the Muslims who attacked our free speech event in Garland, Texas to do so. This is one piously lethal individual. One thing he would almost certainly deny being, however, is “British” — contrary to the witless Mailonline headline. His citizenship is with the umma and only with the umma.

“British computer geek, 21, who hacked the Pentagon after fleeing to Syria is No3 on the ‘kill list’ of ISIS militants drawn up by US forces – just after Jihadi John and group leader al-Baghdadi,” by Imogen Calderwood, Mailonline, August 2, 2015:

A young computer hacker from Birmingham has been named as Number Three on the Pentagon’s ‘kill list’ of key ISIS operatives.

Junaid Hussain, 21, fled to Syria in July 2013 and is now believed to be leading the ‘Cyber Caliphate’, ISIS’ own branch of hackers.

US officials said there is an ‘intense’ desire to assassinate Hussain, who operates under the alias Abu Hussain al-Britani and was jailed in 2012 for stealing personal information of Tony Blair.

Only Mohammed Emwazi, the hostage killer known as Jihadi John, and the group’s leader Abu Bakr al-Baghdadi are higher on the list, reported The Sunday Times.

After fleeing the UK, when he was on police bail for an alleged violent disorder offence, Hussain has risen rapidly through the ISIS ranks.

He married 45-year-old Sally Jones, a former punk rocker from Chatham, Kent, who converted to Islam and fled to Syria with her 10-year-old son.

Yet another convert somehow gets the idea that Islam requires treason and violence. Yet no authorities are in the least interested in studying this phenomenon.

Jones, who now uses the nom de guerre Umm Hussain Al-Britani, is believed to have snuck into Syria at the end of last year after an online romance with Hussain.

She is suspected of leading the violent all-female ISIS contingent, known as the Khanssaa Brigade. The group imposes strict Sharia law in the de facto capital of the so-called Islamic State, Raqqa.

The couple, who have been dubbed Mr and Mrs Terror, also reportedly used Twitter and the hashtag #LondonAttack in May to incite terror in Britain.

US officials believe he is behind the online radicalisation of at least one of the two gunmen who opened fire at a Prophet Mohammed cartoon competition in Garland, Texas, in May….

How to Scam the Islamic State

Three Chechen women pretended to be jihadi brides through fake social media accounts, but kept the travel money ISIS sent them instead.

Three young Muslim women have scammed the Islamic State out of over $2,500. The Chechen women set up fake social media accounts and contacted the Islamic State, claiming to be aspirational jihadi brides, titillated by the prospect of moving to Syria.

They only required the funds for travel.

Once ISIS militants had wired them the money, the girls promptly deleted their accounts and pocketed the money.

Chechen police have now arrested them for the scam. Officer Valery Zolotaryov told Moskovsky Komsomolets “I don’t recall any precedent like this one in Chechnya, probably because nobody digs deep enough in that direction.”

He added “Anyhow, I don’t advise anyone to communicate with dangerous criminals, especially for grabbing quick money.”

For women who travel to Syria to become jihadi brides, their husbands hold complete power over them and they face the possibility of a life of sexual abuse.

For more information about the Islamic State, see Clarion Project’s Special Report: The Islamic State (ISIS: ISIL)

Authoritarians Like Twitter, Too: Repressive Regimes Can and Do Use Social Media to Solidify Their Grip on Power by Kevin Munger

In May 2014, CNN aired footage of a Ukrainian helicopter being shot [down] by pro-Russian militants. Taken with a cell phone camera and posted on social media, the video showed compelling evidence of the scale and technological sophistication of the Ukrainian conflict.

The video was also fake — it was actually over a year old, and from Syria. CNN retracted the footage and apologized, but the “incident” was still widely discussed on Russian and Ukrainian social media.

In the wake of the Arab Spring, enthusiasm for the power of social media ran high. Nothing else had shown the same power to mobilize protestors living under repressive regimes. With information democratized, the logic ran, dissidents could outflank the centralized media control and propaganda machines so crucial to authoritarian states.

But this logic is flawed, as the faked helicopter video demonstrates. Although social media may have given tech-savvy dissidents a temporary advantage over repressive governments that were unable to keep up, Twitter and its regional analogues are now a fully mature technology.

Just like radio and television, repressive regimes can and do use social media to solidify their grips on power. As a result, the net effects of social media on the possibility of democratic revolution are at best ambiguous. They may actually be negative.

This point has been underappreciated in the enthusiasm for what social media seems to make possible. Our optimism leads us to overlook what is at stake for those in power — and their capacity to evolve new strategies using new tools. We want to believe in magic bullets, hoping that the right technological advancement will empower people to successfully rise up. But it’s at least as likely that the millions or billions of tweets sent by dissidents make them vulnerable, because they are extremely visible, while the strategic responses of government actors often go unnoticed. It’s an ironic inversion of Frédéric Bastiat’s “That Which Is Seen and That Which Is Not Seen.” Rather than people overvaluing government actions because their direct benefits mask the hidden cost borne by individual citizens, those citizens’ actions on social media allow government action to hide in their midst.

Some egregious and sophisticated uses of social media by repressive regimes have recently come to light. In a fascinating story in the New York Times Magazine, Adrian Chen explains the operations of a shady Russian “troll farm” that engages in large-scale, multiplatform acts of misinformation. At one point, they made up an explosion in a chemical plant in Louisiana, started a hashtag (#ColumbianChemicals), and relied on ordinary people to pass the story along, knowing they were unlikely to verify the details. This kind of operation, carried out on “foreign soil,” shows how seriously this Russian agency takes social media. The chemical plant explosion may simply have been an experiment, a proof of concept for what such attacks might accomplish in the future.

Their bread-and-butter social-media strategy is to pay people to pose online as regime supporters. People have acted as “sock puppets” — adopting fake personas on the Internet — since computer networks were first connected, but never at this scale, or with this degree of coordination.

Chen discusses this widespread practice in the Russian context. The existence of Chinese “50 centers” (bloggers and Weibo users paid 50 cents per pro-government post) has been known for nearly a decade. The presence of these people in online communities, voicing pro-regime sentiment, may have a profound dampening effect on protest movements.

Political scientists model the process of protest and revolution as a “coordination problem.” There are two parts to the problem: individual knowledge and common knowledge.

It makes no sense to act alone. Even if I’m completely convinced that the government is evil and needs to be overthrown, it still doesn’t make sense for me to go into the street by myself — I’ll just end up in prison, and the government will be stronger than ever.

But the main force of pro-regime sock puppetry need not be to persuade dissidents that they are wrong. All that is necessary is to confuse dissidents about what other people think. If dissidents think they are isolated, and that most other people support the regime — or even if they are merely uncertain about other people’s feelings — they will remain compliant. They have no way of getting accurate information about public opinion. Dissidents likely know that the people they talk to regularly are not a representative sample, and polls are either manipulated or suppressed. A horde of “50 centers” may be enough to cloak widespread resentment in a cloud of regime-supported “approval.”

And, as Duke University economics and political science professor Timur Kuran and others have argued, it’s not even enough to solve the individual knowledge problem; dissidents also must solve the common-knowledge problem. It’s not even enough for me to be convinced that everyone hates the government; unless everyone (or some threshold percentage of people) knows that everyone knows that everyone hates the government, a revolution cannot be successful.

That’s why these sock puppets and “trolls for hire” can be so powerful: they make it a lot harder to get a clear impression of what everyone else thinks, and thus whether a revolution will be successful. Because shared knowledge is so crucial to a revolution, uncertainty can be a killer.

The competition between dissidents and regimes to take advantage of new technology is constantly evolving, and no one can know what the next equilibrium will be. Hopefully, one effect of greater public awareness of repressive regimes’ online strategies will be an increased skepticism of unsubstantiated claims on social media — and an increased demand for depth in how we understand the world.


Kevin Munger

Kevin Munger is a third-year PhD student in the department of politics at New York University.

The Spy in Your Pocket by Joseph S. Diedrich and Nicole Kardell

Does the government need a search warrant to know where you’ve been? Not if your cell phone provider knows. If you don’t like how that sounds, there may be ways to change it.

Take the case of Quartavious Davis, a Florida man convicted of robbing at gunpoint a pizzeria, a gas station, a drugstore, an auto parts store, a beauty salon, a fast food restaurant, and a jewelry store. The prosecution offered multiple lines of evidence, but there was one in particular that Davis’s lawyers objected to: records the government obtained from Davis’s cell phone provider, MetroPCS.

The records, which MetroPCS kept in its normal course of business, showed “the telephone numbers for each of Davis’s calls and the number of the cell tower that connected each call.” From this information, police concluded that “calls to and from Davis’s cell phone were connected through cell tower locations that were near the robbery locations, and thus Davis necessarily was near the robberies too.”

Prosecutors got their hands on the MetroPCS cell tower records using a court-ordered subpoena. In criminal cases like Davis’s, courts may grant subpoenas on “specific and articulable facts showing that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.” Although this standard is higher than that for typical subpoenas, it’s lower than the Fourth Amendment’s probable cause standard.

Not Even a Search

On appeal, Davis argued that the cell tower records were obtained in violation of the Fourth Amendment’s prohibition on unreasonable searches and seizures. But the 11th Circuit — the federal appeals court encompassing Alabama, Georgia, and Florida — disagreed (United States v. Davis).

In fact, the government’s actions weren’t even a “search,” according to the court. In legal terms, a search occurs only when police invade a person’s reasonable expectation of privacy. For example, you have a reasonable expectation of privacy in the content of your phone conversations — what is actually said during your call — so eavesdropping on the conversation would constitute a search.

In Davis’s case, though, the police didn’t eavesdrop on his conversations. Nor did they use GPS to track his precise movements while he was making them. Because they merely obtained business records from a third party, the court says that the police didn’t invade Davis’s privacy:

Davis has no subjective or objective reasonable expectation of privacy in MetroPCS’s business records showing the cell tower locations that wirelessly connected his calls at or near the time of six of the seven robberies.… Instead, those cell tower records were created by MetroPCS, stored on its own premises, and subject to its control. Cell tower location records do not contain private communications of the subscriber. This type of non-content evidence, lawfully created by a third-party telephone company for legitimate business purposes does not belong to Davis, even if it concerns him.

Because there wasn’t a “search,” the Fourth Amendment didn’t even apply.

Outdated Doctrine Meets Modern Society

Despite the court’s logic, something about this case still makes many observers feel uneasy. Even AT&T filed a brief in the case, arguing that the government’s actions were illegal. We all turn over huge amounts of information to third parties every day, and almost all of our activities can be tracked through our “smart” devices. And as the amount of data that businesses collect on us grows, so do concerns over the government’s ability to access that data.

So when the 11th Circuit focused its decision in Davis on something called the third-party doctrine, there was reason for a little gasp. The third-party doctrine was developed by the Supreme Court in the 1970s to draw a line between a person’s “reasonable” expectation of privacy and the information that person voluntarily shares with third parties. Back then, the Supreme Court held that a person has no reasonable expectation of privacy over his or her bank records, because that information was voluntarily provided to the bank. Nor can you have a reasonable expectation of privacy over the phone numbers you dial, because you furnish those numbers to the phone company in order to place calls. And so the government may subpoena these records from the business collecting them without meeting heightened standards under the Fourth Amendment.

The Davis court discussed these cases to support the premise that when people turn over their data to third parties by virtue of using those parties’ services, that information falls outside Fourth Amendment protection. A breathtakingly low point can be found in one of the judges’ concurring opinions:

If a telephone caller does not want to reveal dialed numbers to the telephone company, he has another option: don’t place a call. If a cell phone user does not want to reveal his location to a cellular carrier, he also has another option: turn off the cell phone.

In other words, if you want your information protected by heightened privacy standards, go off the grid.

Today, that position is practically untenable. And this is what makes the 11th Circuit’s opinion troubling: it allows the government easy access to your data by virtue of your participation in modern society. The court’s holding helps grease the slippery slope that takes us away from historically reasonable expectations of privacy.

The court attempted to soften the blow by categorizing the subject information as noncontent data. In other words, the data in the Davis case was less private because it was not the actual substance of phone calls, texts, or other communications. Instead, it was the nonsubstantive cell-tower data that allowed the government to track where Davis was when he made or received calls. But we all know that a precise record of our movements reveals a lot about us, as the dissenting judge in the Davis case pointed out:

A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.

Toward Privacy

There is still a chance that the Supreme Court will reverse the 11th Circuit’s holding. Even if it doesn’t, other options exist. As mentioned in the Davis decision, Congress can still legislate greater privacy protections.

The market provides another option. Although a court order forced MetroPCS to provide its records, “federal law did not require that MetroPCS either create or retain these business records.” As technology changes, and as we all become more attuned to privacy issues, we will look to the market for options. When this happens, cell phone providers will benefit from offering an “enhanced privacy” version of their services. Some customers will prefer that their data not be collected at all — or that it be anonymized. Providers could charge a higher price for anonymous services, or customers could forego certain personalized services.

By providing customized levels of privacy, the market can create de facto immunity from third-party “searches.”


Nicole Kardell

Nicole Kardell is an attorney with Ifrah Law, a Washington, DC-based law firm. She represents clients in government enforcement actions and other regulatory compliance matters before federal and state agencies.


Joseph S. Diedrich

Joseph S. Diedrich is a Young Voices Advocate and a law student at the University of Wisconsin.