Copyright © 2015 Bert N. Langford (Images may be subject to copyright. Please send feedback)
Cybersecurity
covers topics about the risks, prevention and resolution of cyber attacks, such as the hacking of our elections to favor one candidate over another, online financial fraud (e.g., ransomware), and even the penetration of our infrastructure and financial institutions.
Computer security aka "Cybersecurity"
- YouTube Video: Cybersecurity 101 (Nova PBS)
- YouTube Video: How it Works: Cybersecurity (IBM Think Academy)
- YouTube Video: Election Hackers: Why Voting Technology Has to Stay Primitive | Cybersecurity Expert Kathleen Fisher
Computer security, cybersecurity or information technology security (IT security) is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
The field is becoming more important due to increased reliance on computer systems, the Internet and wireless network standards such as Bluetooth and Wi-Fi, and due to the growth of "smart" devices, including smartphones, televisions, and the various devices that constitute the "Internet of things". Owing to its complexity, both in terms of politics and technology, cybersecurity is also one of the major challenges in the contemporary world.
Vulnerabilities and attacks
Main article: Vulnerability (computing)
A vulnerability is a weakness in design, implementation, operation or internal control. Most of the vulnerabilities that have been discovered are documented in the Common Vulnerabilities and Exposures (CVE) database.
An exploitable vulnerability is one for which at least one working attack or "exploit" exists. Vulnerabilities are often hunted or exploited with the aid of automated tools or manually using customized scripts. To secure a computer system, it is important to understand the attacks that can be made against it, and these threats can typically be classified into one of these categories below:
Backdoor
A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of bypassing normal authentication or security controls. They may exist for a number of reasons, including by original design or from poor configuration. They may have been added by an authorized party to allow some legitimate access, or by an attacker for malicious reasons; but regardless of the motives for their existence, they create a vulnerability.
Denial-of-service attack:
Denial of service attacks (DoS) are designed to make a machine or network resource unavailable to its intended users.
Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users at once.
While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of Distributed denial of service (DDoS) attacks are possible, where the attack comes from a large number of points – and defending is much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible including reflection and amplification attacks, where innocent systems are fooled into sending traffic to the victim.
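The account-lockout denial of service described above is a design consequence of locking per account. The following added example (not from the original page; all names, addresses and thresholds are constructed) shows a throttle that backs off per (source, account) pair and escalates to a step-up check rather than disabling the account, so one stranger's failed attempts cannot lock the real user out.

```python
from collections import defaultdict


class LoginThrottle:
    """Anti-brute-force control that does not hand attackers a lockout lever.

    Failures are counted per (source, account) pair with exponential backoff, so a
    stranger hammering alice's login delays only that stranger's further attempts.
    Account-wide failure volume (from any source) is tracked separately and exposed
    through needs_step_up(), so the application can demand a second factor or raise an
    alert instead of locking the account outright.
    """

    def __init__(self, base_delay=1.0, max_delay=900.0, step_up_after=20, window=3600):
        self.base_delay = base_delay          # seconds after the first failure
        self.max_delay = max_delay            # cap on the backoff
        self.step_up_after = step_up_after    # account-wide failures before step-up
        self.window = window                  # seconds over which account failures count
        self.consecutive = defaultdict(int)   # (source, account) -> consecutive failures
        self.blocked_until = {}               # (source, account) -> unix time
        self.account_failures = defaultdict(list)  # account -> failure timestamps

    def allowed(self, source: str, account: str, now: float) -> bool:
        """May this source attempt a login for this account right now?"""
        return now >= self.blocked_until.get((source, account), 0.0)

    def record(self, source: str, account: str, success: bool, now: float) -> float:
        """Record an attempt; returns the backoff (seconds) imposed on this pair."""
        key = (source, account)
        if success:
            self.consecutive.pop(key, None)
            self.blocked_until.pop(key, None)
            return 0.0
        self.consecutive[key] += 1
        delay = min(self.base_delay * 2 ** (self.consecutive[key] - 1), self.max_delay)
        self.blocked_until[key] = now + delay
        self.account_failures[account].append(now)
        return delay

    def needs_step_up(self, account: str, now: float) -> bool:
        """True once failures against this account from any source exceed the threshold."""
        recent = [t for t in self.account_failures[account] if t > now - self.window]
        self.account_failures[account] = recent
        return len(recent) >= self.step_up_after


if __name__ == "__main__":
    # Constructed scenario: an unknown source fails five times against "alice" at t=0.
    throttle = LoginThrottle()
    for _ in range(5):
        throttle.record("198.51.100.7", "alice", False, 0.0)
    print("stranger allowed at t=10:", throttle.allowed("198.51.100.7", "alice", 10.0))
    print("real user allowed at t=10:", throttle.allowed("192.0.2.10", "alice", 10.0))
```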
Direct-access attacks
An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing software worms, keyloggers, covert listening devices or using wireless mice.
Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and the Trusted Platform Module are designed to prevent these attacks.
Eavesdropping:
Eavesdropping is the act of surreptitiously listening to a private computer "conversation" (communication), typically between hosts on a network. For instance, programs such as Carnivore and NarusInSight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers.
Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint electromagnetic transmissions generated by the hardware; TEMPEST is a specification by the NSA referring to these attacks.
Multi-vector, polymorphic attacks:
In 2017, a new class of multi-vector, polymorphic cyber threats surfaced that combined several types of attacks and changed form to avoid cybersecurity controls as they spread. These threats have been classified as fifth generation cyber attacks.
Phishing:
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly from users by deceiving the users. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose "look" and "feel" are almost identical to the legitimate one.
The fake website often asks for personal information, such as log-in details and passwords. This information can then be used to gain access to the individual's real account on the real website. Preying on a victim's trust, phishing can be classified as a form of social engineering.
Privilege escalation:
Privilege escalation describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level. For example, a standard computer user may be able to exploit a vulnerability in the system to gain access to restricted data; or even become "root" and have full unrestricted access to a system.
Social engineering:
Main article: Social engineering (security)
Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.
A common scam involves fake CEO emails sent to accounting and finance departments. In early 2016, the FBI reported that the scam has cost US businesses more than $2bn in about two years.
In May 2016, the Milwaukee Bucks NBA team was the victim of this type of cyber scam with a perpetrator impersonating the team's president Peter Feigin, resulting in the handover of all the team's employees' 2015 W-2 tax forms.
Spoofing:
Main article: Spoofing attack
Spoofing is the act of masquerading as a valid entity through falsification of data (such as an IP address or username), in order to gain access to information or resources that one is otherwise unauthorized to obtain. There are several types of spoofing, including:
Tampering:
Tampering describes a malicious modification of products. So-called "Evil Maid" attacks and security services planting of surveillance capability into routers are examples.
Information security culture:
Employee behavior can have a big impact on information security in organizations. Cultural factors can help different segments of an organization work effectively towards information security, or work against it. Information security culture is the "...totality of patterns of behavior in an organization that contribute to the protection of information of all kinds."
Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore the organization's information security best interests. Research shows that information security culture needs to be improved continuously.
In "Information Security Culture from Analysis to Change", the authors commented, "It's a never ending process, a cycle of evaluation and change or maintenance." To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.
Systems at risk:
The growth in the number of computer systems and the increasing reliance upon them by individuals, businesses, industries and governments means that there are an increasing number of systems at risk.
Financial systems:
The computer systems of financial regulators and financial institutions like the U.S. Securities and Exchange Commission, SWIFT, investment banks, and commercial banks are prominent hacking targets for cybercriminals interested in manipulating markets and making illicit gains.
Web sites and apps that accept or store credit card numbers, brokerage accounts, and bank account information are also prominent hacking targets, because of the potential for immediate financial gain from transferring money, making purchases, or selling the information on the black market.
In-store payment systems and ATMs have also been tampered with in order to gather customer account data and PINs.
Utilities and industrial equipment
Computers control functions at many utilities, including coordination of telecommunications, the power grid, nuclear power plants, and valve opening and closing in water and gas networks.
The Internet is a potential attack vector for such machines if connected, but the Stuxnet worm demonstrated that even equipment controlled by computers not connected to the Internet can be vulnerable.
In 2014, the Computer Emergency Readiness Team, a division of the Department of Homeland Security, investigated 79 hacking incidents at energy companies.
Vulnerabilities in smart meters (many of which use local radio or cellular communications) can cause problems with billing fraud.
Aviation:
The aviation industry is very reliant on a series of complex systems which could be attacked. A simple power outage at one airport can cause repercussions worldwide, much of the system relies on radio transmissions which could be disrupted, and controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175 to 225 miles offshore.
There is also potential for attack from within an aircraft.
In Europe, with the Pan-European Network Service (PENS) and NewPENS, and in the US with the NextGen program, air navigation service providers are moving to create their own dedicated networks.
The consequences of a successful attack range from loss of confidentiality to loss of system integrity, air traffic control outages, loss of aircraft, and even loss of life.
Consumer devices:
Desktop computers and laptops are commonly targeted to gather passwords or financial account information, or to construct a botnet to attack another target.
Smartphones, tablet computers, smart watches, and other mobile devices such as quantified self devices like activity trackers have sensors such as cameras, microphones, GPS receivers, compasses, and accelerometers which could be exploited, and may collect personal information, including sensitive health information.
WiFi, Bluetooth, and cell phone networks on any of these devices could be used as attack vectors, and sensors might be remotely activated after a successful breach.
The increasing number of home automation devices such as the Nest thermostat are also potential targets.
Large corporations:
Large corporations are common targets. In many cases attacks are aimed at financial gain through identity theft and involve data breaches. Examples include the loss of millions of clients' credit card details by Home Depot, Staples and Target Corporation, and the more recent breach of Equifax.
Some cyberattacks are ordered by foreign governments, which engage in cyberwarfare with the intent to spread their propaganda, sabotage, or spy on their targets. Many people believe the Russian government played a major role in the US presidential election of 2016 by using Twitter and Facebook to affect the results of the election.
Medical records have been targeted for general identity theft, health insurance fraud, and impersonating patients to obtain prescription drugs for recreational purposes or resale. Although cyber threats continue to increase, 62% of all organizations did not increase security training for their business in 2015.
Not all attacks are financially motivated, however. For example, security firm HBGary Federal suffered a serious series of attacks in 2011 from the hacktivist group Anonymous in retaliation for the firm's CEO claiming to have infiltrated their group, and in the Sony Pictures attack of 2014 the motive appears to have been to embarrass the company with data leaks and to cripple it by wiping workstations and servers.
Automobiles:
Vehicles are increasingly computerized, with engine timing, cruise control, anti-lock brakes, seat belt tensioners, door locks, airbags and advanced driver-assistance systems on many models. Additionally, connected cars may use WiFi and Bluetooth to communicate with onboard consumer devices and the cell phone network. Self-driving cars are expected to be even more complex.
All of these systems carry some security risk, and such issues have gained wide attention. Simple examples of risk include a malicious compact disc being used as an attack vector, and the car's onboard microphones being used for eavesdropping. However, if access is gained to a car's internal controller area network, the danger is much greater – and in a widely publicized 2015 test, hackers remotely carjacked a vehicle from 10 miles away and drove it into a ditch.
Manufacturers are reacting in a number of ways, with Tesla in 2016 pushing out some security fixes "over the air" into its cars' computer systems.
In the area of autonomous vehicles, in September 2016 the United States Department of Transportation announced some initial safety standards, and called for states to come up with uniform policies.
Government:
Government and military computer systems are commonly attacked by activists and foreign powers. Local and regional government infrastructure such as traffic light controls, police and intelligence agency communications, personnel records, student records, and financial systems are also potential targets as they are now all largely computerized. Passports and government ID cards that control access to facilities which use RFID can be vulnerable to cloning.
Internet of things and physical vulnerabilities:
The Internet of things (IoT) is the network of physical objects such as devices, vehicles, and buildings that are embedded with electronics, software, sensors, and network connectivity that enables them to collect and exchange data – and concerns have been raised that this is being developed without appropriate consideration of the security challenges involved.
While the IoT creates opportunities for more direct integration of the physical world into computer-based systems, it also provides opportunities for misuse. In particular, as the Internet of Things spreads widely, cyber attacks are likely to become an increasingly physical (rather than simply virtual) threat.
If a front door's lock is connected to the Internet, and can be locked/unlocked from a phone, then a criminal could enter the home at the press of a button from a stolen or hacked phone.
People could stand to lose much more than their credit card numbers in a world controlled by IoT-enabled devices. Thieves have also used electronic means to circumvent non-Internet-connected hotel door locks.
Medical systems:
See also: Medical device hijack and Medical data breach
Medical devices have either been successfully attacked or had potentially deadly vulnerabilities demonstrated, including both in-hospital diagnostic equipment and implanted devices including pacemakers and insulin pumps.
There are many reports of hospitals and hospital organizations getting hacked, including ransomware attacks, Windows XP exploits, viruses, and data breaches of sensitive data stored on hospital servers.
On 28 December 2016 the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of Internet-connected devices – but no structure for enforcement.
Energy sector:
In distributed generation systems, the risk of a cyber attack is real, according to Daily Energy Insider. An attack could cause a loss of power in a large area for a long period of time, and such an attack could have just as severe consequences as a natural disaster.
The District of Columbia is considering creating a Distributed Energy Resources (DER) Authority within the city, with the goal being for customers to have more insight into their own energy use and giving the local electric utility, Pepco, the chance to better estimate energy demand.
The D.C. proposal, however, would "allow third-party vendors to create numerous points of energy distribution, which could potentially create more opportunities for cyber attackers to threaten the electric grid."
Impact of security breaches:
Serious financial damage has been caused by security breaches, but because there is no standard model for estimating the cost of an incident, the only data available is that which is made public by the organizations involved. "Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general.
The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks). The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal."
Security breaches continue to cost businesses billions of dollars, but a survey revealed that 66% of security staff do not believe senior leadership takes cyber precautions as a strategic priority.
However, reasonable estimates of the financial cost of security breaches can actually help organizations make rational investment decisions. According to the classic Gordon-Loeb Model analyzing the optimal investment level in information security, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from a cyber/information security breach).
Attacker motivation:
As with physical security, the motivations for breaches of computer security vary between attackers. Some are thrill-seekers or vandals, some are activists, others are criminals looking for financial gain. State-sponsored attackers are now common and well resourced, but started with amateurs such as Markus Hess who hacked for the KGB, as recounted by Clifford Stoll in The Cuckoo's Egg.
Additionally, recent attacker motivations can be traced back to extremist organizations seeking to gain political advantage or disrupt social agendas. The growth of the internet, mobile technologies and inexpensive computing devices has led to a rise in capabilities, but also to risk for environments that are deemed vital to operations.
All critical targeted environments are susceptible to compromise, and this has led to a series of proactive studies on how to mitigate the risk by taking into consideration the motivations of these types of actors. Several stark differences exist between the hacker's motivation and that of nation state actors seeking to attack based on an ideological preference.
A standard part of threat modelling for any particular system is to identify what might motivate an attack on that system, and who might be motivated to breach it. The level and detail of precautions will vary depending on the system to be secured. A home personal computer, bank, and classified military network face very different threats, even when the underlying technologies in use are similar.
Computer protection (countermeasures):
In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
Some common countermeasures are listed in the following sections:
Security by design:
Main article: Secure by design
Security by design, or alternately secure by design, means that the software has been designed from the ground up to be secure. In this case, security is considered as a main feature.
Some of the techniques in this approach include:
Security architecture:
The Open Security Architecture organization defines IT security architecture as "the design artifacts that describe how the security controls (security countermeasures) are positioned, and how they relate to the overall information technology architecture. These controls serve the purpose to maintain the system's quality attributes: confidentiality, integrity, availability, accountability and assurance services".
Techopedia defines security architecture as "a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible."
The key attributes of security architecture are:
Practicing security architecture provides the right foundation to systematically address business, IT and security concerns in an organization.
Security measures:
A state of computer "security" is the conceptual ideal, attained by the use of the three processes: threat prevention, detection, and response. These processes are based on various policies and system components, which include the following:
Today, computer security comprises mainly "preventive" measures, like firewalls or an exit procedure. A firewall can be defined as a way of filtering network data between a host or a network and another network, such as the Internet, and can be implemented as software running on the machine, hooking into the network stack (or, in the case of most UNIX-based operating systems such as Linux, built into the operating system kernel) to provide real-time filtering and blocking.
Another implementation is a so-called "physical firewall", which consists of a separate machine filtering network traffic. Firewalls are common amongst machines that are permanently connected to the Internet.
Some organizations are turning to big data platforms, such as Apache Hadoop, to extend data accessibility and machine learning to detect advanced persistent threats.
However, relatively few organisations maintain computer systems with effective detection systems, and fewer still have organized response mechanisms in place. As a result, as Reuters points out: "Companies for the first time report they are losing more through electronic theft of data than physical stealing of assets".
The primary obstacle to effective eradication of cyber crime could be traced to excessive reliance on firewalls and other automated "detection" systems. Yet it is basic evidence gathering by using packet capture appliances that puts criminals behind bars.
Vulnerability management:
Main article: Vulnerability management
Vulnerability management is the cycle of identifying, and remediating or mitigating vulnerabilities, especially in software and firmware. Vulnerability management is integral to computer security and network security.
Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware.
Beyond vulnerability scanning, many organizations contract outside security auditors to run regular penetration tests against their systems to identify vulnerabilities. In some sectors, this is a contractual requirement.
Reducing vulnerabilities:
While formal verification of the correctness of computer systems is possible, it is not yet common. Operating systems formally verified include seL4, and SYSGO's PikeOS – but these make up a very small percentage of the market.
Two factor authentication is a method for mitigating unauthorized access to a system or sensitive information. It requires "something you know" (a password or PIN) and "something you have" (a card, dongle, cellphone, or other piece of hardware). This increases security, as an unauthorized person needs both of these to gain access.
Social engineering and direct computer access (physical) attacks can only be prevented by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Training is often involved to help mitigate this risk, but even in highly disciplined environments (e.g. military organizations), social engineering attacks can still be difficult to foresee and prevent.
Inoculation, derived from inoculation theory, seeks to prevent social engineering and other fraudulent tricks or traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.
It is possible to reduce an attacker's chances by keeping systems up to date with security patches and updates, using a security scanner and/or hiring competent people responsible for security, although even systems developed by competent people get penetrated. The effects of data loss/damage can be reduced by careful backing up and insurance.
Hardware protection mechanisms:
See also: Computer security compromised by hardware failure
While hardware may be a source of insecurity, such as with microchip vulnerabilities maliciously introduced during the manufacturing process, hardware-based or assisted computer security also offers an alternative to software-only computer security.
Using devices and methods such as dongles, trusted platform modules, intrusion-aware cases, drive locks, disabling USB ports, and mobile-enabled access may be considered more secure due to the physical access (or sophisticated backdoor access) required in order to be compromised.
Secure operating systems:
Main article: Security-evaluated operating system
One use of the term "computer security" refers to technology that is used to implement secure operating systems. In the 1980s the United States Department of Defense (DoD) used the "Orange Book" standards, but the current international standard ISO/IEC 15408, "Common Criteria" defines a number of progressively more stringent Evaluation Assurance Levels.
Many common operating systems meet the EAL4 standard of being "Methodically Designed, Tested and Reviewed", but the formal verification required for the highest levels means that they are uncommon. An example of an EAL6 ("Semiformally Verified Design and Tested") system is Integrity-178B, which is used in the Airbus A380 and several military jets.
Secure coding:
Main article: Secure coding
In software engineering, secure coding aims to guard against the accidental introduction of security vulnerabilities. It is also possible to create software designed from the ground up to be secure. Such systems are "secure by design". Beyond this, formal verification aims to prove the correctness of the algorithms underlying a system; important for cryptographic protocols for example.
Capabilities and access control lists:
Main articles: Access control list and Capability-based security
Within computer systems, two of many security models capable of enforcing privilege separation are access control lists (ACLs) and capability-based security. Using ACLs to confine programs has been proven to be insecure in many situations, such as if the host computer can be tricked into indirectly allowing restricted file access, an issue known as the confused deputy problem.
It has also been shown that the promise of ACLs of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems, but only that the designers of certain utilities must take responsibility to ensure that they do not introduce flaws.
Capabilities have been mostly restricted to research operating systems, while commercial OSs still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open source project in the area is the E language.
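The confused deputy problem above, as an added example (not code from the original page): a toy in-memory filesystem with a write ACL, a "compiler" service that writes wherever its caller names using its own authority, the same service fixed to check the caller's rights, and a capability-based version in which the caller must hand over a write handle it was authorized to obtain. All paths and principals are constructed.

```python
from dataclasses import dataclass, field

BILLING_PATH = "/var/log/billing"  # hypothetical ledger only the deputy may write


@dataclass
class ToyFS:
    """Constructed in-memory filesystem with a per-path write ACL."""
    files: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)  # path -> set of principals allowed to write

    def write(self, principal: str, path: str, data: str) -> None:
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = data


def make_fs() -> ToyFS:
    fs = ToyFS()
    fs.files[BILLING_PATH] = "billing: "
    fs.acl[BILLING_PATH] = {"compiler"}               # only the deputy writes the ledger
    fs.acl["/home/alice/out"] = {"alice", "compiler"}  # alice's own output file
    return fs


class AclCompiler:
    """The confused deputy: runs as 'compiler' and writes wherever the caller names."""

    def __init__(self, fs: ToyFS):
        self.fs = fs

    def compile(self, user: str, source: str, output_path: str) -> None:
        # The ACL check sees the deputy's identity, not the user's (ambient authority).
        self.fs.write("compiler", output_path, f"binary({source})")
        self.fs.write("compiler", BILLING_PATH, self.fs.files[BILLING_PATH] + f"{user};")


class CheckedAclCompiler(AclCompiler):
    """Same deputy, fixed: it must verify the CALLER's right to the named output."""

    def compile(self, user: str, source: str, output_path: str) -> None:
        if user not in self.fs.acl.get(output_path, set()):
            raise PermissionError(f"{user} may not write {output_path}")
        super().compile(user, source, output_path)


class WriteCap:
    """Write capability: holding one is the authorization; it cannot be named into existence."""

    def __init__(self, fs: ToyFS, path: str):
        self._fs, self._path = fs, path

    def read(self) -> str:
        return self._fs.files.get(self._path, "")

    def write(self, data: str) -> None:
        self._fs.files[self._path] = data


def open_write(fs: ToyFS, principal: str, path: str) -> WriteCap:
    """Capabilities are minted only after checking the requester's own rights."""
    if principal not in fs.acl.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    return WriteCap(fs, path)


class CapCompiler:
    """Capability-based deputy: it can only write through handles it was given."""

    def __init__(self, billing: WriteCap):
        self.billing = billing

    def compile(self, user: str, source: str, output: WriteCap) -> None:
        output.write(f"binary({source})")
        self.billing.write(self.billing.read() + f"{user};")


def acl_deputy_is_confused() -> bool:
    """True when alice, who may not write the ledger, clobbers it through the deputy."""
    fs = make_fs()
    AclCompiler(fs).compile("alice", "main.c", BILLING_PATH)
    return not fs.files[BILLING_PATH].startswith("billing:")


def checked_deputy_refuses() -> bool:
    fs = make_fs()
    try:
        CheckedAclCompiler(fs).compile("alice", "main.c", BILLING_PATH)
    except PermissionError:
        return fs.files[BILLING_PATH] == "billing: "
    return False


def capability_design_refuses() -> bool:
    """Legitimate use works; alice cannot obtain a ledger capability to pass to the deputy."""
    fs = make_fs()
    svc = CapCompiler(open_write(fs, "compiler", BILLING_PATH))
    svc.compile("alice", "main.c", open_write(fs, "alice", "/home/alice/out"))
    ok = fs.files["/home/alice/out"] == "binary(main.c)" and fs.files[BILLING_PATH] == "billing: alice;"
    try:
        open_write(fs, "alice", BILLING_PATH)
    except PermissionError:
        return ok
    return False
```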
End user security training:
The end-user is widely recognized as the weakest link in the security chain and it is estimated that more than 90% of security incidents and breaches involve some kind of human error.
Among the most commonly recorded forms of errors and misjudgment are poor password management, the inability to recognize misleading URLs, and the inability to identify fake websites and dangerous email attachments. A common mistake that users make is saving their userid/password in their browsers to make it easier to log in to banking sites. This is a gift to attackers who have obtained access to a machine by some means. The risk may be mitigated by the use of two-factor authentication.
As the human component of cyber risk is particularly relevant in determining the global cyber risk an organization is facing, security awareness training, at all levels, not only provides formal compliance with regulatory and industry mandates but is considered essential in reducing cyber risk and protecting individuals and companies from the great majority of cyber threats.
The focus on the end-user represents a profound cultural change for many security practitioners, who have traditionally approached cybersecurity exclusively from a technical perspective, and moves along the lines suggested by major security centers to develop a culture of cyber awareness within the organization, recognizing that a security aware user provides an important line of defense against cyber attacks.
Digital hygiene:
Related to end-user training, digital hygiene or cyber hygiene is a fundamental principle relating to information security and, as the analogy with personal hygiene shows, is the equivalent of establishing simple routine measures to minimise the risks from cyber threats.
The assumption is that good cyber hygiene practices can give networked users another layer of protection, reducing the risk that one vulnerable node will be used to either mount attacks or compromise another node or network, especially from common cyberattacks.
As opposed to a purely technology-based defense against threats, cyber hygiene mostly regards routine measures that are technically simple to implement and mostly dependent on discipline or education. It can be thought of as an abstract list of tips or measures that have been demonstrated as having a positive effect on personal and/or collective digital security. As such, these measures can be performed by laypeople, not just security experts.
Cyber hygiene relates to personal hygiene as computer viruses relate to biological viruses (or pathogens). However, while the term computer virus was coined almost simultaneously with the creation of the first working computer viruses, the term cyber hygiene is a much later invention, perhaps as late as 2000 by Internet pioneer Vint Cerf. It has since been adopted by the Senate of the United States, the FBI, EU institutions and heads of state.
Cyber hygiene should also not be mistaken for proactive cyber defence, a military term.
Response to breaches:
Responding forcefully to attempted security breaches (in the manner that one would for attempted physical security breaches) is often very difficult for a variety of reasons:
Types of security and privacy:
Click on any of the following blue hyperlinks for more about Computer Security ("Cyber Security"):
The field is becoming more important due to increased reliance on computer systems, the Internet and wireless network standards such as Bluetooth and Wi-Fi, and due to the growth of "smart" devices, including smartphones, televisions, and the various devices that constitute the "Internet of things". Owing to its complexity, both in terms of politics and technology, cybersecurity is also one of the major challenges in the contemporary world.
Vulnerabilities and attacks
Main article: Vulnerability (computing)
Backdoor
A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of bypassing normal authentication or security controls. They may exist for a number of reasons, including by original design or from poor configuration. They may have been added by an authorized party to allow some legitimate access, or by an attacker for malicious reasons; but regardless of the motives for their existence, they create a vulnerability.
Denial-of-service attack:
Denial of service attacks (DoS) are designed to make a machine or network resource unavailable to its intended users.
Attackers can deny service to individual victims, for example by deliberately entering a wrong password enough consecutive times to cause the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users at once.
While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of distributed denial-of-service (DDoS) attack are possible, where the attack comes from a large number of points, which makes defending much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible, including reflection and amplification attacks, where innocent systems are fooled into sending traffic to the victim.
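The account-lockout case above is worth seeing in code, because the obvious countermeasure (lock the account after a few bad passwords) is itself the denial-of-service vector. The following is an added example, not code from the article: it contrasts a naive per-account lockout with a sliding-window throttle keyed on (account, source address), so a flood from one source throttles only that source and expires on its own. The account name and the addresses (documentation ranges) are constructed.

```python
"""Account-lockout denial of service vs. a per-source throttle (added example).

A policy that hard-locks an account after N bad passwords lets anyone who knows
the username lock its owner out. Counting failures per (account, source) inside
a sliding window throttles the flood without touching the owner elsewhere.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # failures older than this no longer count
MAX_FAILURES = 5       # failures allowed before lockout/throttling kicks in

# Constructed addresses from the documentation ranges; not real hosts.
ATTACKER_IP = "203.0.113.9"
OWNER_IP = "198.51.100.7"


class NaiveLockout:
    """Locks the account outright after MAX_FAILURES bad passwords from anyone."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, account, source_ip, password_ok, now):
        if account in self.locked:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
        return "denied"


class PerSourceThrottle:
    """Sliding-window failure count per (account, source). A flood from one
    source throttles only that source; the throttle expires on its own."""

    def __init__(self):
        self.failures = defaultdict(deque)  # (account, ip) -> failure timestamps

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def attempt(self, account, source_ip, password_ok, now):
        q = self._recent_failures((account, source_ip), now)
        if len(q) >= MAX_FAILURES:
            return "throttled"
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        return "denied"


def simulate(policy_cls):
    """One source sends MAX_FAILURES wrong passwords for 'alice'; then the real
    owner, from another address, logs in with the right password. Returns
    (outcome of a further try from the flooding source, owner's outcome)."""
    policy = policy_cls()
    for i in range(MAX_FAILURES):
        policy.attempt("alice", ATTACKER_IP, False, now=100 + i)
    flooder_again = policy.attempt("alice", ATTACKER_IP, False, now=105)
    owner = policy.attempt("alice", OWNER_IP, True, now=110)
    return flooder_again, owner


if __name__ == "__main__":
    print("naive lockout:      ", simulate(NaiveLockout))
    print("per-source throttle:", simulate(PerSourceThrottle))
```

With the naive policy the owner is reported "locked"; with the per-source throttle the flooding source is "throttled" while the owner gets "ok". The throttle is not a complete answer: as the DDoS paragraph notes, a flood spread across many sources defeats any per-source counter, which is why production systems combine it with a global per-account rate limit that slows rather than locks, and alert on the pattern.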
Direct-access attacks
An unauthorized user gaining physical access to a computer is most likely able to directly copy data from it. They may also compromise security by making operating system modifications, installing software worms, keyloggers, covert listening devices or using wireless mice.
Even when the system is protected by standard security measures, these can be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and the Trusted Platform Module are designed to prevent these attacks.
Eavesdropping:
Eavesdropping is the act of surreptitiously listening to a private computer "conversation" (communication), typically between hosts on a network. For instance, programs such as Carnivore and NarusInSight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers.
Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint electromagnetic transmissions generated by the hardware; TEMPEST is a specification by the NSA referring to these attacks.
Multi-vector, polymorphic attacks:
In 2017, a new class of multi-vector, polymorphic cyber threats surfaced that combined several types of attacks and changed form to avoid cybersecurity controls as they spread. These threats have been classified as fifth-generation cyber attacks.
Phishing:
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly from users by deceiving the users. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose "look" and "feel" are almost identical to the legitimate one.
The fake website often asks for personal information, such as log-in details and passwords. This information can then be used to gain access to the individual's real account on the real website. Preying on a victim's trust, phishing can be classified as a form of social engineering.
Privilege escalation:
Privilege escalation describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level. For example, a standard computer user may be able to exploit a vulnerability in the system to gain access to restricted data; or even become "root" and have full unrestricted access to a system.
Social engineering:
Main article: Social engineering (security)
Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.
A common scam involves fake CEO emails sent to accounting and finance departments. In early 2016, the FBI reported that the scam has cost US businesses more than $2bn in about two years.
In May 2016, the Milwaukee Bucks NBA team was the victim of this type of cyber scam with a perpetrator impersonating the team's president Peter Feigin, resulting in the handover of all the team's employees' 2015 W-2 tax forms.
Spoofing:
Main article: Spoofing attack
Spoofing is the act of masquerading as a valid entity through falsification of data (such as an IP address or username), in order to gain access to information or resources that one is otherwise unauthorized to obtain. There are several types of spoofing, including:
- Email spoofing, where an attacker forges the sending (From, or source) address of an email.
- IP address spoofing, where an attacker alters the source IP address in a network packet to hide their identity or impersonate another computing system.
- MAC spoofing, where an attacker modifies the Media Access Control (MAC) address of their network interface to pose as a valid user on a network.
- Biometric spoofing, where an attacker produces a fake biometric sample to pose as another user.
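For email spoofing, the defender's question is whether the visible From domain is backed by anything that actually authenticated. The following is an added example, not code from the article: it reads the Authentication-Results header that a receiving mail server adds after evaluating SPF and DKIM, and applies DMARC-style relaxed alignment (the From domain must equal, or be a subdomain of, the domain that passed). Both sample messages are constructed, and the check assumes the header was added by your own edge server, since a sender can insert a forged copy.

```python
"""Check a received email's visible From domain against what actually authenticated.

Reads the Authentication-Results header that a receiving mail server adds after
evaluating SPF and DKIM, then applies DMARC-style relaxed alignment: the From
domain must match (or be a subdomain of) the domain that passed. Example code
added here, not part of the original article; the messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail).
LEGIT = b"""From: Payroll <payroll@example.com>
To: finance@example.com
Subject: Q3 report
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Message-ID: <1@example.com>

Attached.
"""

SPOOFED = b"""From: CEO <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.attacker.invalid; dkim=none
Message-ID: <2@attacker.invalid>

Please wire the funds today.
"""


def parse_auth_results(value):
    """'mx; spf=pass smtp.mailfrom=d1; dkim=pass header.d=d2' ->
    {'spf': ('pass', 'd1'), 'dkim': ('pass', 'd2')}"""
    results = {}
    for clause in value.split(";")[1:]:          # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        domain = None
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if key in ("smtp.mailfrom", "header.d"):
                domain = val.rpartition("@")[2].lower()
        results[method.lower()] = (result.lower(), domain)
    return results


def aligned(from_domain, auth_domain):
    """Relaxed alignment: equal, or the From domain is a subdomain of the authenticated one."""
    if not auth_domain:
        return False
    return from_domain == auth_domain or from_domain.endswith("." + auth_domain)


def classify(raw_message):
    """Return the From domain, which methods passed in alignment, and a verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_result, spf_domain = auth.get("spf", ("none", None))
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain)
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": "authenticated" if (spf_aligned or dkim_aligned) else "suspect",
    }
```

The second message has a passing SPF result, but for a different domain than the one shown to the reader, so it is flagged "suspect". This is the distinction DMARC adds on top of SPF and DKIM: a pass only counts when it is for the domain the recipient actually sees.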
Tampering:
Tampering describes a malicious modification of products. So-called "Evil Maid" attacks and security services planting of surveillance capability into routers are examples.
Information security culture:
Employee behavior can have a big impact on information security in organizations. Cultural concepts can help different segments of the organization work effectively, or work against effectiveness, towards information security within an organization. Information security culture is the "...totality of patterns of behavior in an organization that contribute to the protection of information of all kinds."
Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore the organization's information security best interests. Research shows information security culture needs to be improved continuously.
In "Information Security Culture from Analysis to Change", the authors commented, "It's a never ending process, a cycle of evaluation and change or maintenance." To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.
- Pre-Evaluation: to identify the awareness of information security within employees and to analyze the current security policy.
- Strategic Planning: to come up with a better awareness program, clear targets need to be set. Clustering people is helpful to achieve it.
- Operative Planning: a good security culture can be established based on internal communication, management buy-in, and security awareness and a training program.
- Implementation: four stages should be used to implement the information security culture. They are:
  - Commitment of the management
  - Communication with organizational members
  - Courses for all organizational members
  - Commitment of the employees
- Post-Evaluation: to assess the success of the planning and implementation, and to identify unresolved areas of concern.
Systems at risk:
The growth in the number of computer systems and the increasing reliance upon them by individuals, businesses, industries and governments means that there are an increasing number of systems at risk.
Financial systems:
The computer systems of financial regulators and financial institutions like the U.S. Securities and Exchange Commission, SWIFT, investment banks, and commercial banks are prominent hacking targets for cybercriminals interested in manipulating markets and making illicit gains.
Web sites and apps that accept or store credit card numbers, brokerage accounts, and bank account information are also prominent hacking targets, because of the potential for immediate financial gain from transferring money, making purchases, or selling the information on the black market.
In-store payment systems and ATMs have also been tampered with in order to gather customer account data and PINs.
Utilities and industrial equipment
Computers control functions at many utilities, including coordination of telecommunications, the power grid, nuclear power plants, and valve opening and closing in water and gas networks.
The Internet is a potential attack vector for such machines if connected, but the Stuxnet worm demonstrated that even equipment controlled by computers not connected to the Internet can be vulnerable.
In 2014, the Computer Emergency Readiness Team, a division of the Department of Homeland Security, investigated 79 hacking incidents at energy companies.
Vulnerabilities in smart meters (many of which use local radio or cellular communications) can cause problems with billing fraud.
Aviation:
The aviation industry is very reliant on a series of complex systems which could be attacked. A simple power outage at one airport can cause repercussions worldwide, much of the system relies on radio transmissions which could be disrupted, and controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175 to 225 miles offshore.
There is also potential for attack from within an aircraft.
In Europe, with the Pan-European Network Service (PENS) and NewPENS, and in the US with the NextGen program, air navigation service providers are moving to create their own dedicated networks.
The consequences of a successful attack range from loss of confidentiality to loss of system integrity, air traffic control outages, loss of aircraft, and even loss of life.
Consumer devices:
Desktop computers and laptops are commonly targeted to gather passwords or financial account information, or to construct a botnet to attack another target.
Smartphones, tablet computers, smart watches, and other mobile devices such as quantified self devices like activity trackers have sensors such as cameras, microphones, GPS receivers, compasses, and accelerometers which could be exploited, and may collect personal information, including sensitive health information.
WiFi, Bluetooth, and cell phone networks on any of these devices could be used as attack vectors, and sensors might be remotely activated after a successful breach.
The increasing number of home automation devices such as the Nest thermostat are also potential targets.
Large corporations:
Large corporations are common targets. In many cases attacks are aimed at financial gain through identity theft and involve data breaches. Examples include loss of millions of clients' credit card details by Home Depot, Staples, Target Corporation, and the most recent breach of Equifax.
Some cyberattacks are ordered by foreign governments, which engage in cyberwarfare with the intent to spread their propaganda, sabotage, or spy on their targets. Many people believe the Russian government played a major role in the US presidential election of 2016 by using Twitter and Facebook to affect the results of the election.
Medical records have been targeted in general identity theft, health insurance fraud, and impersonating patients to obtain prescription drugs for recreational purposes or resale. Although cyber threats continue to increase, 62% of all organizations did not increase security training for their business in 2015.
Not all attacks are financially motivated however; for example security firm HBGary Federal suffered a serious series of attacks in 2011 from hacktivist group Anonymous in retaliation for the firm's CEO claiming to have infiltrated their group, and in the Sony Pictures attack of 2014 the motive appears to have been to embarrass with data leaks, and cripple the company by wiping workstations and servers.
Automobiles:
See also: Autonomous car § Potential disadvantages, Automated driving system § Risks and liabilities, and Automotive hacking
Vehicles are increasingly computerized, with engine timing, cruise control, anti-lock brakes, seat belt tensioners, door locks, airbags and advanced driver-assistance systems on many models. Additionally, connected cars may use WiFi and Bluetooth to communicate with onboard consumer devices and the cell phone network. Self-driving cars are expected to be even more complex.
All of these systems carry some security risk, and such issues have gained wide attention. Simple examples of risk include a malicious compact disc being used as an attack vector, and the car's onboard microphones being used for eavesdropping. However, if access is gained to a car's internal controller area network, the danger is much greater – and in a widely publicized 2015 test, hackers remotely carjacked a vehicle from 10 miles away and drove it into a ditch.
Manufacturers are reacting in a number of ways, with Tesla in 2016 pushing out some security fixes "over the air" into its cars' computer systems.
In the area of autonomous vehicles, in September 2016 the United States Department of Transportation announced some initial safety standards, and called for states to come up with uniform policies.
Government:
Government and military computer systems are commonly attacked by activists and foreign powers. Local and regional government infrastructure such as traffic light controls, police and intelligence agency communications, personnel records, student records, and financial systems are also potential targets as they are now all largely computerized. Passports and government ID cards that control access to facilities which use RFID can be vulnerable to cloning.
Internet of things and physical vulnerabilities:
The Internet of things (IoT) is the network of physical objects such as devices, vehicles, and buildings that are embedded with electronics, software, sensors, and network connectivity that enables them to collect and exchange data – and concerns have been raised that this is being developed without appropriate consideration of the security challenges involved.
While the IoT creates opportunities for more direct integration of the physical world into computer-based systems, it also provides opportunities for misuse. In particular, as the Internet of Things spreads widely, cyber attacks are likely to become an increasingly physical (rather than simply virtual) threat.
If a front door's lock is connected to the Internet, and can be locked/unlocked from a phone, then a criminal could enter the home at the press of a button from a stolen or hacked phone.
People could stand to lose much more than their credit card numbers in a world controlled by IoT-enabled devices. Thieves have also used electronic means to circumvent non-Internet-connected hotel door locks.
Medical systems:
See also: Medical device hijack and Medical data breach
Medical devices have either been successfully attacked or had potentially deadly vulnerabilities demonstrated, including both in-hospital diagnostic equipment and implanted devices including pacemakers and insulin pumps.
There are many reports of hospitals and hospital organizations getting hacked, including ransomware attacks, Windows XP exploits, viruses, and data breaches of sensitive data stored on hospital servers.
On 28 December 2016 the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of Internet-connected devices – but no structure for enforcement.
Energy sector:
In distributed generation systems, the risk of a cyber attack is real, according to Daily Energy Insider. An attack could cause a loss of power in a large area for a long period of time, and such an attack could have just as severe consequences as a natural disaster.
The District of Columbia is considering creating a Distributed Energy Resources (DER) Authority within the city, with the goal being for customers to have more insight into their own energy use and giving the local electric utility, Pepco, the chance to better estimate energy demand.
The D.C. proposal, however, would "allow third-party vendors to create numerous points of energy distribution, which could potentially create more opportunities for cyber attackers to threaten the electric grid."
Impact of security breaches:
Serious financial damage has been caused by security breaches, but because there is no standard model for estimating the cost of an incident, the only data available is that which is made public by the organizations involved. "Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general.
The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks). The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal."
Security breaches continue to cost businesses billions of dollars, but a survey revealed that 66% of security staff do not believe senior leadership takes cyber precautions as a strategic priority.
However, reasonable estimates of the financial cost of security breaches can actually help organizations make rational investment decisions. According to the classic Gordon-Loeb Model analyzing the optimal investment level in information security, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from a cyber/information security breach).
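The Gordon-Loeb conclusion above has a concrete derivation, and it is easier to trust once you have run it. The following is an added example, not code from the article: it uses the model's class-I security breach probability function S(z, v) = v / (αz + 1)^β, where v is the baseline vulnerability, z the investment and L the loss from a breach, maximises the expected net benefit ENBIS(z) = (v − S(z, v))·L − z in closed form, and checks the headline bound z* ≤ vL/e. The scenario values in demo() are constructed, not drawn from the article.

```python
"""Gordon-Loeb optimal security investment with the model's class-I breach function.

S(z, v) = v / (alpha*z + 1)**beta gives the probability of a breach after
investing z, starting from vulnerability v in [0, 1]; L is the loss if a breach
occurs. Maximising ENBIS(z) = (v - S(z, v)) * L - z gives a closed-form z*, and
the model's headline result is z* <= v*L/e. Example code added here; the
parameter values in demo() are constructed, not drawn from the article.
"""
import math


def breach_probability(z, v, alpha, beta):
    """Class-I security breach probability function (alpha > 0, beta >= 1)."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, alpha, beta):
    """Expected net benefit of information security: expected-loss reduction
    minus the cost of the investment itself."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta):
    """d ENBIS/dz = 0  <=>  v*alpha*beta*L / (alpha*z + 1)**(beta + 1) = 1.
    If even the first unit of spending returns less than it costs, invest nothing."""
    k = v * alpha * beta * loss
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def gordon_loeb_bound(v, loss):
    """Upper bound on the optimal spend: 1/e (about 37%) of the expected loss v*L."""
    return v * loss / math.e


def demo(v=0.5, loss=1_000_000.0, alpha=1e-5, beta=1.0):
    """Constructed scenario: a 50% chance of losing $1M, investment productivity
    alpha = 1e-5 per dollar, beta = 1. Returns the optimum and how it compares
    to the expected loss."""
    z = optimal_investment(v, loss, alpha, beta)
    return {
        "optimal_investment": z,
        "expected_loss": v * loss,
        "fraction_of_expected_loss": z / (v * loss),
        "within_bound": z <= gordon_loeb_bound(v, loss),
        "net_benefit": enbis(z, v, loss, alpha, beta),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>26}: {value:,.2f}" if isinstance(value, float) else f"{key:>26}: {value}")
```

In the constructed scenario the optimum is roughly $124k against an expected loss of $500k, about a quarter of it and inside the 1/e bound; spending more than that buys less risk reduction than it costs. The practical use is the comparison, not the exact figure: the parameters α and β are hard to estimate, so practitioners typically run demo() over a range of them and look at how stable the recommended spend is.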
Attacker motivation:
As with physical security, the motivations for breaches of computer security vary between attackers. Some are thrill-seekers or vandals, some are activists, others are criminals looking for financial gain. State-sponsored attackers are now common and well resourced, but started with amateurs such as Markus Hess who hacked for the KGB, as recounted by Clifford Stoll in The Cuckoo's Egg.
Additionally, recent attacker motivations can be traced back to extremist organizations seeking to gain political advantage or disrupt social agendas. The growth of the internet, mobile technologies and inexpensive computing devices has led to a rise in capabilities, but also in risk to environments that are deemed vital to operations.
All critical targeted environments are susceptible to compromise, which has led to a series of proactive studies on how to mitigate the risk by taking into consideration the motivations of these types of actors. Several stark differences exist between hacker motivation and that of nation-state actors seeking to attack based on an ideological preference.
A standard part of threat modelling for any particular system is to identify what might motivate an attack on that system, and who might be motivated to breach it. The level and detail of precautions will vary depending on the system to be secured. A home personal computer, bank, and classified military network face very different threats, even when the underlying technologies in use are similar.
Computer protection (countermeasures):
In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
Some common countermeasures are listed in the following sections:
Security by design:
Main article: Secure by design
Security by design, or alternately secure by design, means that the software has been designed from the ground up to be secure. In this case, security is considered as a main feature.
Some of the techniques in this approach include:
- The principle of least privilege, where each part of the system has only the privileges that are needed for its function. That way even if an attacker gains access to that part, they have only limited access to the whole system.
- Automated theorem proving to prove the correctness of crucial software subsystems.
- Code reviews and unit testing, approaches to make modules more secure where formal correctness proofs are not possible.
- Defense in depth, where the design is such that more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds.
- Default secure settings, and design to "fail secure" rather than "fail insecure" (see fail-safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.
- Audit trails tracking system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
- Full disclosure of all vulnerabilities, to ensure that the "window of vulnerability" is kept as short as possible when bugs are discovered.
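The audit-trail item above says that remote, append-only storage keeps intruders from covering their tracks. The following is an added example, not code from the article, of the usual way to make that property checkable: each entry commits to the previous entry's digest (a hash chain, a technique the article does not name), and the newest digest is copied to a store the host cannot rewrite. The events, principals and paths are constructed.

```python
"""Tamper-evident audit trail: hash-chained entries plus an off-host anchor.

Each entry commits to the previous entry's digest, so editing or deleting an
earlier record breaks every later link. Anchoring the newest digest in a
remote, append-only store additionally catches truncation of the tail, which a
chain alone cannot, and is what stops an intruder on the host from quietly
rebuilding the whole chain. Example code added here, not from the article.
"""
import hashlib
import json

GENESIS = "0" * 64   # digest "before" the first entry


def _digest(seq, event, prev):
    body = json.dumps({"seq": seq, "event": event, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []   # dicts with keys: seq, event, prev, digest

    def append(self, event):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        seq = len(self.entries)
        digest = _digest(seq, event, prev)
        self.entries.append({"seq": seq, "event": event, "prev": prev, "digest": digest})
        return digest

    def head(self):
        """Digest of the newest entry; this is what gets anchored off-host."""
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def verify(self):
        """(True, None) if every link holds, else (False, index of first broken entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _digest(i, e["event"], prev) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, None

    def verify_against_anchor(self, anchored_digest):
        """A chain that verifies but whose head differs from the anchor has been
        truncated or rebuilt since the anchor was taken."""
        ok, _ = self.verify()
        return ok and self.head() == anchored_digest


def build_sample_trail():
    """Constructed events, not real log data."""
    trail = AuditTrail()
    trail.append({"user": "alice", "action": "login", "src": "198.51.100.7"})
    trail.append({"user": "alice", "action": "read", "obj": "/finance/q3.xlsx"})
    trail.append({"user": "alice", "action": "logout"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    anchor = trail.head()            # copy this to the remote append-only store
    print("intact:", trail.verify(), trail.verify_against_anchor(anchor))
    trail.entries[1]["event"]["user"] = "mallory"
    print("edited:", trail.verify())
```

Two failure modes are worth distinguishing. Editing an entry in place breaks verify() at that index. Deleting the newest entries, or rewriting the chain from some point onward with freshly computed digests, leaves verify() passing, and only the anchor comparison catches it; that is why the anchor has to live somewhere the compromised host can append to but not rewrite.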
Security architecture:
The Open Security Architecture organization defines IT security architecture as "the design artifacts that describe how the security controls (security countermeasures) are positioned, and how they relate to the overall information technology architecture. These controls serve the purpose to maintain the system's quality attributes: confidentiality, integrity, availability, accountability and assurance services".
Techopedia defines security architecture as "a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible."
The key attributes of security architecture are:
- the relationship of different components and how they depend on each other.
- the determination of controls based on risk assessment, good practice, finances, and legal matters.
- the standardization of controls.
Practicing security architecture provides the right foundation to systematically address business, IT and security concerns in an organization.
Security measures:
A state of computer "security" is the conceptual ideal, attained by the use of the three processes: threat prevention, detection, and response. These processes are based on various policies and system components, which include the following:
- User account access controls and cryptography can protect system files and data, respectively.
- Firewalls are by far the most common prevention systems from a network security perspective, as they can (if properly configured) shield access to internal network services and block certain kinds of attacks through packet filtering. Firewalls can be either hardware- or software-based.
- Intrusion Detection System (IDS) products are designed to detect network attacks in-progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.
- "Response" is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like. In some special cases, a complete destruction of the compromised system is favored, as it may happen that not all the compromised resources are detected.
Today, computer security comprises mainly "preventive" measures, like firewalls or an exit procedure. A firewall can be defined as a way of filtering network data between a host or a network and another network, such as the Internet, and can be implemented as software running on the machine, hooking into the network stack (or, in the case of most UNIX-based operating systems such as Linux, built into the operating system kernel) to provide real-time filtering and blocking.
Another implementation is a so-called "physical firewall", which consists of a separate machine filtering network traffic. Firewalls are common amongst machines that are permanently connected to the Internet.
Some organizations are turning to big data platforms, such as Apache Hadoop, to extend data accessibility and machine learning to detect advanced persistent threats.
However, relatively few organisations maintain computer systems with effective detection systems, and fewer still have organized response mechanisms in place. As a result, as Reuters points out: "Companies for the first time report they are losing more through electronic theft of data than physical stealing of assets".
The primary obstacle to effective eradication of cyber crime could be traced to excessive reliance on firewalls and other automated "detection" systems. Yet it is basic evidence gathering by using packet capture appliances that puts criminals behind bars.
Vulnerability management:
Main article: Vulnerability management
Vulnerability management is the cycle of identifying, and remediating or mitigating vulnerabilities, especially in software and firmware. Vulnerability management is integral to computer security and network security.
Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware.
Beyond vulnerability scanning, many organizations contract outside security auditors to run regular penetration tests against their systems to identify vulnerabilities. In some sectors, this is a contractual requirement.
Reducing vulnerabilities:
While formal verification of the correctness of computer systems is possible, it is not yet common. Operating systems formally verified include seL4, and SYSGO's PikeOS – but these make up a very small percentage of the market.
Two-factor authentication is a method for mitigating unauthorized access to a system or sensitive information. It requires "something you know" (a password or PIN) and "something you have" (a card, dongle, cellphone, or other piece of hardware). This increases security, as an unauthorized person needs both of these to gain access.
Social engineering and direct computer access (physical) attacks can only be prevented by non-computer means, which can be difficult to enforce relative to the sensitivity of the information. Training is often involved to help mitigate this risk, but even in highly disciplined environments (e.g. military organizations), social engineering attacks can still be difficult to foresee and prevent.
Inoculation, derived from inoculation theory, seeks to prevent social engineering and other fraudulent tricks or traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.
It is possible to reduce (though not eliminate) an attacker's chances by keeping systems up to date with security patches and updates, using a security scanner and/or hiring competent people responsible for security. The effects of data loss or damage can be reduced by careful backups and insurance.
Hardware protection mechanisms:
See also: Computer security compromised by hardware failure
While hardware may be a source of insecurity, such as with microchip vulnerabilities maliciously introduced during the manufacturing process, hardware-based or assisted computer security also offers an alternative to software-only computer security.
Using devices and methods such as dongles, trusted platform modules, intrusion-aware cases, drive locks, disabling USB ports, and mobile-enabled access may be considered more secure due to the physical access (or sophisticated backdoor access) required in order to be compromised. Each of these is covered in more detail below.
- USB dongles are typically used in software licensing schemes to unlock software capabilities, but they can also be seen as a way to prevent unauthorized access to a computer or other device's software. The dongle, or key, essentially creates a secure encrypted tunnel between the software application and the key. The principle is that an encryption scheme on the dongle, such as Advanced Encryption Standard (AES) provides a stronger measure of security, since it is harder to hack and replicate the dongle than to simply copy the native software to another machine and use it. Another security application for dongles is to use them for accessing web-based content such as cloud software or Virtual Private Networks (VPNs). In addition, a USB dongle can be configured to lock or unlock a computer.
- Trusted platform modules (TPMs) secure devices by integrating cryptographic capabilities onto access devices, through the use of microprocessors, or so-called computers-on-a-chip. TPMs used in conjunction with server-side software offer a way to detect and authenticate hardware devices, preventing unauthorized network and data access.
- Computer case intrusion detection refers to a device, typically a push-button switch, which detects when a computer case is opened. The firmware or BIOS is programmed to show an alert to the operator when the computer is booted up the next time.
- Drive locks are essentially software tools to encrypt hard drives, making them inaccessible to thieves. Tools exist specifically for encrypting external drives as well.
- Disabling USB ports is a security option for preventing unauthorized and malicious access to an otherwise secure computer. Infected USB dongles connected to a network from a computer inside the firewall are considered by the magazine Network World as the most common hardware threat facing computer networks.
- Disconnecting or disabling peripheral devices (like camera, GPS, removable storage, etc.) that are not in use.
- Mobile-enabled access devices are growing in popularity due to the ubiquitous nature of cell phones. Built-in capabilities such as Bluetooth, the newer Bluetooth low energy (LE), Near field communication (NFC) on non-iOS devices and biometric validation such as thumb print readers, as well as QR code reader software designed for mobile devices, offer new, secure ways for mobile phones to connect to access control systems. These control systems provide computer security and can also be used for controlling access to secure buildings.
Secure operating systems:
Main article: Security-evaluated operating system
One use of the term "computer security" refers to technology that is used to implement secure operating systems. In the 1980s the United States Department of Defense (DoD) used the "Orange Book" standards, but the current international standard ISO/IEC 15408, "Common Criteria" defines a number of progressively more stringent Evaluation Assurance Levels.
Many common operating systems meet the EAL4 standard of being "Methodically Designed, Tested and Reviewed", but the formal verification required for the highest levels means that they are uncommon. An example of an EAL6 ("Semiformally Verified Design and Tested") system is Integrity-178B, which is used in the Airbus A380 and several military jets.
Secure coding:
Main article: Secure coding
In software engineering, secure coding aims to guard against the accidental introduction of security vulnerabilities. It is also possible to create software designed from the ground up to be secure. Such systems are "secure by design". Beyond this, formal verification aims to prove the correctness of the algorithms underlying a system; important for cryptographic protocols for example.
Capabilities and access control lists:
Main articles: Access control list and Capability-based security
Within computer systems, two of many security models capable of enforcing privilege separation are access control lists (ACLs) and capability-based security. Using ACLs to confine programs has been proven to be insecure in many situations, such as if the host computer can be tricked into indirectly allowing restricted file access, an issue known as the confused deputy problem.
It has also been shown that the promise of ACLs of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems, but only that the designers of certain utilities must take responsibility to ensure that they do not introduce flaws.
Capabilities have been mostly restricted to research operating systems, while commercial OSs still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open source project in the area is the E language.
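The confused deputy problem and the capability-style remedy described above, as an added example that is not part of the original page: a hypothetical "report formatter" service is shown as a naive ACL deputy that checks only its own identity, as an ACL deputy whose designer explicitly checks the caller's rights, and as a capability deputy that can only write where the caller already could. The in-memory filesystem, ACL contents and principal names are constructed for illustration.

```python
"""Added example (not from the page): the confused deputy problem and two
remedies, using a hypothetical 'report formatter' service. The filesystem,
ACL and principal names are constructed for illustration."""


def fresh_state():
    """Constructed in-memory filesystem and write ACL (path -> principals)."""
    fs = {
        "/data/reports/alice.txt": "",
        "/data/billing/ledger.txt": "balance=100",
    }
    write_acl = {
        "/data/reports/alice.txt": {"alice", "formatter"},
        "/data/billing/ledger.txt": {"formatter"},  # service-only file
    }
    return fs, write_acl


def acl_write(fs, write_acl, principal, path, data):
    """ACL check by name: is the principal on the write list for that path?"""
    if principal not in write_acl.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    fs[path] = data


def naive_deputy(fs, write_acl, caller, out_path, text):
    """Confused deputy: the formatter writes under its OWN identity, so the
    ACL check is made against the formatter's rights, not the caller's.
    Any path the caller names that the formatter may write gets written."""
    acl_write(fs, write_acl, "formatter", out_path, f"[{caller}] {text}")


def careful_deputy(fs, write_acl, caller, out_path, text):
    """ACL remedy: the deputy's designer takes responsibility and checks the
    caller's own rights on the named path before lending its authority."""
    if caller not in write_acl.get(out_path, set()):
        raise PermissionError(f"{caller} may not write {out_path}")
    acl_write(fs, write_acl, "formatter", out_path, f"[{caller}] {text}")


class WriteCap:
    """A capability: an unforgeable (within the program) right to write one
    path. Whoever holds it can write there; nobody else can."""
    __slots__ = ("_fs", "_path")

    def __init__(self, fs, path):
        self._fs = fs
        self._path = path

    def write(self, data):
        self._fs[self._path] = data


def mint_write_cap(fs, write_acl, principal, path):
    """Capabilities are minted only for paths the principal may already write."""
    if principal not in write_acl.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    return WriteCap(fs, path)


def cap_deputy(cap, caller, text):
    """Capability-style deputy: it never sees a path, only a capability the
    caller legitimately holds, so it cannot be steered elsewhere."""
    cap.write(f"[{caller}] {text}")


def run(style, caller, target, text):
    """Ask the chosen deputy to write `text` to `target` on behalf of `caller`.
    Returns (refused, contents_of_target_afterwards)."""
    fs, write_acl = fresh_state()
    try:
        if style == "naive":
            naive_deputy(fs, write_acl, caller, target, text)
        elif style == "careful":
            careful_deputy(fs, write_acl, caller, target, text)
        elif style == "capability":
            cap = mint_write_cap(fs, write_acl, caller, target)  # raises here
            cap_deputy(cap, caller, text)
        else:
            raise ValueError(style)
        refused = False
    except PermissionError:
        refused = True
    return refused, fs[target]


LEDGER = "/data/billing/ledger.txt"
REPORT = "/data/reports/alice.txt"

if __name__ == "__main__":
    for style in ("naive", "careful", "capability"):
        print(f"{style:11} tamper attempt ->", run(style, "alice", LEDGER, "tampered"))
        print(f"{style:11} legitimate use ->", run(style, "alice", REPORT, "weekly totals"))
```

Only the naive deputy lets alice's request overwrite the service-only ledger; both remedies refuse it while still allowing her legitimate report write.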
End user security training:
The end-user is widely recognized as the weakest link in the security chain and it is estimated that more than 90% of security incidents and breaches involve some kind of human error.
Among the most commonly recorded forms of errors and misjudgment are poor password management, the inability to recognize misleading URLs and to identify fake websites and dangerous email attachments. A common mistake that users make is saving their userid/password in their browsers to make it easier to login to banking sites. This is a gift to attackers who have obtained access to a machine by some means. The risk may be mitigated by the use of two-factor authentication.
As the human component of cyber risk is particularly relevant in determining the global cyber risk an organization is facing, security awareness training, at all levels, not only provides formal compliance with regulatory and industry mandates but is considered essential in reducing cyber risk and protecting individuals and companies from the great majority of cyber threats.
The focus on the end-user represents a profound cultural change for many security practitioners, who have traditionally approached cybersecurity exclusively from a technical perspective, and moves along the lines suggested by major security centers to develop a culture of cyber awareness within the organization, recognizing that a security aware user provides an important line of defense against cyber attacks.
Digital hygiene:
Related to end-user training, digital hygiene or cyber hygiene is a fundamental principle relating to information security and, as the analogy with personal hygiene shows, is the equivalent of establishing simple routine measures to minimise the risks from cyber threats.
The assumption is that good cyber hygiene practices can give networked users another layer of protection, reducing the risk that one vulnerable node will be used to either mount attacks or compromise another node or network, especially from common cyberattacks.
As opposed to a purely technology-based defense against threats, cyber hygiene mostly regards routine measures that are technically simple to implement and mostly dependent on discipline or education. It can be thought of as an abstract list of tips or measures that have been demonstrated as having a positive effect on personal and/or collective digital security. As such, these measures can be performed by laypeople, not just security experts.
Cyber hygiene relates to personal hygiene as computer viruses relate to biological viruses (or pathogens). However, while the term computer virus was coined almost simultaneously with the creation of the first working computer viruses, the term cyber hygiene is a much later invention, perhaps as late as 2000 by Internet pioneer Vint Cerf. It has since been adopted by the Senate of the United States, the FBI, EU institutions and heads of state.
Cyber hygiene should also not be mistaken for proactive cyber defence, a military term.
Response to breaches:
Responding forcefully to attempted security breaches (in the manner that one would for attempted physical security breaches) is often very difficult for a variety of reasons:
- Identifying attackers is difficult, as they are often in a different jurisdiction to the systems they attempt to breach, and operate through proxies, temporary anonymous dial-up accounts, wireless connections, and other anonymizing procedures which make back tracing difficult and are often located in yet another jurisdiction. If they successfully breach security, they are often able to delete logs to cover their tracks.
- The sheer number of attempted attacks is so large that organisations cannot spend time pursuing each attacker. A typical home user with a permanent connection (e.g., a cable modem) will be attacked at least several times per day, so more attractive targets can be presumed to see many more. Note, however, that most of the sheer bulk of these attacks are made by automated vulnerability scanners and computer worms.
- Law enforcement officers are often unfamiliar with information technology, and so lack the skills and interest in pursuing attackers. There are also budgetary constraints. It has been argued that the high cost of technology, such as DNA testing, and improved forensics mean less money for other kinds of law enforcement, so the overall rate of criminals not getting dealt with goes up as the cost of the technology increases. In addition, the identification of attackers across a network may require logs from various points in the network and in many countries, the release of these records to law enforcement (with the exception of being voluntarily surrendered by a network administrator or a system administrator) requires a search warrant and, depending on the circumstances, the legal proceedings required can be drawn out to the point where the records are either regularly destroyed, or the information is no longer relevant.
- The United States government spends the largest amount of money every year on cybersecurity. The United States has a yearly budget of 28 billion dollars. Canada has the 2nd highest annual budget at 1 billion dollars. Australia has the third highest budget with only 70 million dollars.
Types of security and privacy:
- Access control
- Anti-keyloggers
- Anti-malware
- Anti-spyware
- Anti-subversion software
- Anti-tamper software
- Anti-theft:
- Parental control
- Software and operating system updating
Click on any of the following blue hyperlinks for more about Computer Security ("Cyber Security"):
- Role of government
- International actions
- National actions
- Modern warfare
- Click here for more about the following Careers:
- Security analyst
- Security engineer
- Security architect
- Security administrator
- Chief Information Security Officer (CISO)
- Chief Security Officer (CSO)
- Security Consultant/Specialist/Intelligence
- Terminology
- Scholars
- See also:
- Computer security at Curlie
- Cybersecurity Websites
- Attack tree
- Bicycle attack
- CAPTCHA
- Cloud computing security
- Common Criteria
- Comparison of antivirus software
- Computer security model
- Content Disarm & Reconstruction
- Content security
- Countermeasure (computer)
- Cybercrime
- Cybersecurity information technology list
- Cyber-Insurance
- Cyber security standards
- Cyber self-defense
- Dancing pigs
- Data security
- Defense strategy (computing)
- Disk encryption
- Exploit (computer security)
- Fault tolerance
- Hardware security
- Human–computer interaction (security)
- Identity management
- Identity theft
- Identity-based security
- Information security awareness
- Internet privacy
- Internet security
- IT risk
- Kill chain
- Keylogging
- List of computer security certifications
- Open security
- Outline of computer security
- OWASP
- Penetration test
- Physical information security
- Privacy software
- Proactive cyber defence
- Ransomware
- Sandbox (computer security)
- Separation of protection and security
- Software Defined Perimeter
Cyber Crime
- YouTube Video of The Cyber Crimes You Never Hear About (Smithsonian Channel)
- YouTube Video: What is "Cyber Crime"?
- YouTube Video: Cyber Crime Isn't About Computers: It's About Behavior | Adam Anderson | TEDxGreenville
Computer crime, or cybercrime, is crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target.
Debarati Halder and K. Jaishankar (2011) define cybercrimes as: "Offenses that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)".
Such crimes may threaten a nation's security and financial health. Issues surrounding these types of crimes have become high-profile, particularly those surrounding hacking, copyright infringement, child pornography, and child grooming.
There are also problems of privacy when confidential information is intercepted or disclosed, lawfully or otherwise. Debarati Halder and K. Jaishankar (2011) further define cybercrime from the perspective of gender and defined 'cybercrime against women' as "Crimes targeted against women with a motive to intentionally harm the victim psychologically and physically, using modern telecommunication networks such as internet and mobile phones".
Internationally, both governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation state is sometimes referred to as cyberwarfare.
The international legal system is attempting to hold actors accountable for their actions through the International Criminal Court.
A report (sponsored by McAfee) estimates that the annual damage to the global economy is at $445 billion; however, a Microsoft report shows that such survey-based estimates are "hopelessly flawed" and exaggerate the true losses by orders of magnitude.
Approximately $1.5 billion was lost in 2012 to online credit and debit card fraud in the US.
Click on any of the following blue hyperlinks for more about Cybercrime:
- Classifications
- Documented cases
- Combating computer crime
- Agencies
- See also:
- Computer Fraud and Abuse Act
- Computer security
- Computer trespass
- Cloud computing security
- Convention on Cybercrime
- Cyber defamation law
- Cyber-
- Cyberheist
- Darknet
- Dark web
- Deep web
- Domain hijacking
- Electronic evidence
- (Illegal) drop catching
- Economic and industrial espionage
- FBI
- Immigration and Customs Enforcement (ICE)
- Internet homicide
- Internet suicide pact
- Legal aspects of computing
- List of computer criminals
- Metasploit Project
- National Crime Agency (NCA)
- Penetration test
- Police National E-Crime Unit
- Protected computer
- Techno-thriller
- Trespass to chattels
- United States Secret Service
- White-collar crime
- Web shell
- Centre for Cyber Victim Counselling (CCVC)
- The American Society of Digital Forensics & eDiscovery – Cybercrime Information
- A Guide to Computer Crime from legal.practitioner.com
- Virtual Forum Against Cybercrime
- Cyber Crime Law Complete Information
- CyberCrime Asia Research Center – Information about computer crime, Internet fraud and CyberTerrorism in Asia
- Information and Research Center for Cybercrime Germany
- International Journal of Cyber Criminology
- Common types of cyber attacks
- Countering ransomware attacks
- Government resources:
- Cybercrime.gov from the United States Department of Justice
- National Institute of Justice Electronic Crime Program from the United States Department of Justice
- FBI Cyber Investigators home page
- US Secret Service Computer Fraud
- Australian High Tech Crime Centre
- UK National Cyber Crime Unit from the National Crime Agency
Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation. The term is also sometimes applied to acts of Internet terrorism in which terrorist activities include deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet, by means of tools such as computer viruses, computer worms, phishing, and other malicious software, hardware methods and programming scripts.
Cyberterrorism is a controversial term. Some authors opt for a very narrow definition, relating to deployment by known terrorist organizations of disruption attacks against information systems for the primary purpose of creating alarm, panic, or physical disruption.
Other authors prefer a broader definition, which includes cybercrime (see previous topic, above). Participating in a cyberattack affects the terror threat perception, even if it isn't done with a violent approach. By some definitions, it might be difficult to distinguish which instances of online activities are cyberterrorism or cybercrime.
Cyberterrorism can also be defined as the intentional use of computers, networks, and the public Internet to cause destruction and harm for personal objectives. Experienced cyberterrorists, who are very skilled in terms of hacking, can cause massive damage to government systems, hospital records, and national security programs, which might leave a country, community or organization in turmoil and in fear of further attacks. The objectives of such terrorists may be political or ideological, since this can be considered a form of terror.
There is much concern from government and media sources about potential damage that could be caused by cyberterrorism, and this has prompted efforts by government agencies such as the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA) to put an end to cyber attacks and cyberterrorism.
There have been several major and minor instances of cyberterrorism. Al-Qaeda utilized the Internet to communicate with supporters and even to recruit new members. Estonia, a Baltic country which is constantly evolving in terms of technology, became a battleground for cyberterror in April 2007 after disputes regarding the removal of a WWII Soviet statue located in Estonia's capital, Tallinn.
Overview:
Main article: Definitions of terrorism
There is debate over the basic definition of the scope of cyberterrorism. These definitions can be narrow, such as the use of the Internet to attack other systems on the Internet in a way that results in violence against persons or property. They can also be broad, including any form of Internet usage by terrorists or conventional attacks on information technology infrastructures.
There is variation in qualification by motivation, targets, methods, and centrality of computer use in the act. U.S. government agencies also use varying definitions, and none of these has so far attempted to introduce a standard that is binding outside its sphere of influence.
Depending on context, cyberterrorism may overlap considerably with cybercrime, cyberwar or ordinary terrorism. Eugene Kaspersky, founder of Kaspersky Lab, now feels that "cyberterrorism" is a more accurate term than "cyberwar". He states that "with today's attacks, you are clueless about who did it or when they will strike again. It's not cyber-war, but cyberterrorism." He also equates large-scale cyber weapons, such as the Flame Virus and NetTraveler Virus which his company discovered, to biological weapons, claiming that in an interconnected world, they have the potential to be equally destructive.
If cyberterrorism is treated similarly to traditional terrorism, then it only includes attacks that threaten property or lives, and can be defined as the leveraging of a target's computers and information, particularly via the Internet, to cause physical, real-world harm or severe disruption of infrastructure.
Many academics and researchers who specialize in terrorism studies suggest that cyberterrorism does not exist and is really a matter of hacking or information warfare. They disagree with labeling it as terrorism because of the unlikelihood of the creation of fear, significant physical harm, or death in a population using electronic means, considering current attack and protective technologies.
If death or physical damage that could cause human harm is considered a necessary part of the cyberterrorism definition, then there have been few identifiable incidents of cyberterrorism, although there has been much policy research and public concern. Modern terrorism and political violence is not easily defined, however, and some scholars assert that it is now "unbounded" and not exclusively concerned with physical damage.
There is an old saying that death or loss of property are the side products of terrorism; the main purpose of such incidents is to create terror in people's minds and harm bystanders. If any incident in cyberspace can create terror, it may be rightly called cyberterrorism. For those affected by such acts, the fears of cyberterrorism are quite real.
As with cybercrime in general, the threshold of required knowledge and skills to perpetrate acts of cyberterror has been steadily diminishing thanks to freely available hacking suites and online courses. Additionally, the physical and virtual worlds are merging at an accelerated rate, making for many more targets of opportunity which is evidenced by such notable cyber attacks as Stuxnet, the Saudi petrochemical sabotage attempt in 2018 and others.
Defining cyberterrorism:
Assigning a concrete definition to cyberterrorism can be hard, due to the difficulty of defining the term terrorism itself. Multiple organizations have created their own definitions, most of which are overly broad. There is also controversy concerning overuse of the term, hyperbole in the media and by security vendors trying to sell "solutions".
One way of understanding cyberterrorism involves the idea that terrorists could cause massive loss of life, worldwide economic chaos and environmental damage by hacking into critical infrastructure systems.
The nature of cyberterrorism covers conduct involving computer or Internet technology that:
- is motivated by a political, religious or ideological cause
- is intended to intimidate a government or a section of the public to varying degrees
- seriously interferes with infrastructure
The term "cyberterrorism" can be used in a variety of different ways, but there are limits to its use. An attack on an Internet business can be labeled cyberterrorism, however when it is done for economic motivations rather than ideological it is typically regarded as cybercrime. Convention also limits the label "cyberterrorism" to actions by individuals, independent groups, or organizations. Any form of cyberwarfare conducted by governments and states would be regulated and punishable under international law.
The Technolytics Institute defines cyberterrorism as
"[t]he premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives."
The term appears first in defense literature, surfacing (as "cyber-terrorism") in reports by the U.S. Army War College as early as 1998.
The National Conference of State Legislatures, an organization of legislators created to help policymakers in the United States of America with issues such as economy and homeland security defines cyberterrorism as:
[T]he use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically.
Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, Denial-of-service attacks, or terroristic threats made via electronic communication.
NATO defines cyberterrorism as "[a] cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal".
The United States National Infrastructure Protection Center defined cyberterrorism as:
"A criminal act perpetrated by the use of computers and telecommunications capabilities resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a political, social, or ideological agenda."
The FBI, another United States agency, defines "cyber terrorism" as “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by subnational groups or clandestine agents”.
These definitions tend to share the view of cyberterrorism as politically and/or ideologically inclined. One area of debate is the difference between cyberterrorism and hacktivism.
Hacktivism is "the marriage of hacking with political activism". Both actions are politically driven and involve using computers; however, cyberterrorism is primarily used to cause harm. It becomes an issue because acts of violence on the computer can be labeled either cyberterrorism or hacktivism.
Types of cyberterror capability:
In 1999 the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, California defined three levels of cyberterror capability:
Concerns:
Cyberterrorism is becoming more and more prominent on social media today. As the Internet becomes more pervasive in all areas of human endeavor, individuals or groups can use the anonymity afforded by cyberspace to threaten citizens, specific groups (i.e. with membership based on ethnicity or belief), communities and entire countries, without the inherent threat of capture, injury, or death to the attacker that being physically present would bring.
Many groups, such as Anonymous, use tools such as denial-of-service attacks to attack and censor groups who oppose them, creating many concerns for freedom and respect for differences of thought.
Many believe that cyberterrorism is an extreme threat to countries' economies, and fear an attack could potentially lead to another Great Depression. Several leaders agree that cyberterrorism has the highest percentage of threat over other possible attacks on U.S. territory.
Although natural disasters are considered a top threat and have proven to be devastating to people and land, there is ultimately little that can be done to prevent such events from happening. Thus, the expectation is to focus more on preventative measures that will make Internet attacks impossible to execute.
As the Internet continues to expand, and computer systems continue to be assigned increased responsibility while becoming more complex and interdependent, sabotage or terrorism via the Internet may become a more serious threat and is possibly one of the top 10 events to "end the human race." People have much easier access to illegal involvement within the cyberspace by the ability to access a part of the internet known as the Dark Web.
The Internet of Things promises to further merge the virtual and physical worlds, which some experts see as a powerful incentive for states to use terrorist proxies in furtherance of objectives.
Dependence on the Internet is rapidly increasing on a worldwide scale, creating a platform for international cyber terror plots to be formulated and executed as a direct threat to national security. For terrorists, cyber-based attacks have distinct advantages over physical attacks. They can be conducted remotely, anonymously, and relatively cheaply, and they do not require significant investment in weapons, explosives, and personnel.
The effects can be widespread and profound. Incidents of cyberterrorism are likely to increase. They will be conducted through denial-of-service attacks, malware, and other methods that are difficult to envision today. One example involves deaths linked to the Islamic State, which led to legal action being taken against the online social networks Twitter, Google, and Facebook, ultimately resulting in those companies being sued.
In an article about cyber attacks by Iran and North Korea, The New York Times observes, "The appeal of digital weapons is similar to that of nuclear capability: it is a way for an outgunned, outfinanced nation to even the playing field. 'These countries are pursuing cyberweapons the same way they are pursuing nuclear weapons,' said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington. 'It's primitive; it's not top of the line, but it's good enough and they are committed to getting it.'"
Click on any of the following blue hyperlinks for more about Cyberterrorism:
Cyberterrorism is a controversial term. Some authors opt for a very narrow definition, relating to deployment by known terrorist organizations of disruption attacks against information systems for the primary purpose of creating alarm, panic, or physical disruption.
Other authors prefer a broader definition, which includes cybercrime (see previous topic, above). Participating in a cyberattack affects the terror threat perception, even if it isn't done with a violent approach. By some definitions, it might be difficult to distinguish which instances of online activities are cyberterrorism or cybercrime.
Cyberterrorism can be also defined as the intentional use of computers, networks, and public internet to cause destruction and harm for personal objectives. Experienced cyberterrorists, who are very skilled in terms of hacking can cause massive damage to government systems, hospital records, and national security programs, which might leave a country, community or organization in turmoil and in fear of further attacks. The objectives of such terrorists may be political or ideological since this can be considered a form of terror.
There is much concern from government and media sources about potential damage that could be caused by cyberterrorism, and this has prompted efforts by government agencies such as the Federal Bureau of Investigations (FBI) and the Central Intelligence Agency (CIA) to put an end to cyber attacks and cyberterrorism.
There have been several major and minor instances of cyberterrorism. Al-Qaeda utilized the internet to communicate with supporters and even to recruit new members. Estonia, a Baltic country which is constantly evolving in terms of technology, became a battleground for cyberterror in April, 2007 after disputes regarding the removal of a WWII soviet statue located in Estonia's capital Tallinn.
Overview:
Main article: Definitions of terrorism
There is debate over the basic definition of the scope of cyberterrorism. These definitions can be narrow such as the use of Internet to attack other systems in the Internet that result to violence against persons or property. They can also be broad, those that include any form of Internetusage by terrorists ro conventional attacks on information technology infrastructures.
There is variation in qualification by motivation, targets, methods, and centrality of computer use in the act. U.S. government agencies also use varying definitions and that none of these have so far attempted to introduce a standard that is binding outside of their sphere of influence.
Depending on context, cyberterrorism may overlap considerably with cybercrime, cyberwar or ordinary terrorism. Eugene Kaspersky, founder of Kaspersky Lab, now feels that "cyberterrorism" is a more accurate term than "cyberwar". He states that "with today's attacks, you are clueless about who did it or when they will strike again. It's not cyber-war, but cyberterrorism." He also equates large-scale cyber weapons, such as the Flame Virus and NetTraveler Virus which his company discovered, to biological weapons, claiming that in an interconnected world, they have the potential to be equally destructive.
If cyberterrorism is treated similarly to traditional terrorism, then it only includes attacks that threaten property or lives, and can be defined as the leveraging of a target's computers and information, particularly via the Internet, to cause physical, real-world harm or severe disruption of infrastructure.
Many academics and researchers who specialize in terrorism studies suggest that cyberterrorism does not exist and is really a matter of hacking or information warfare. They disagree with labeling it as terrorism because of the unlikelihood of the creation of fear, significant physical harm, or death in a population using electronic means, considering current attack and protective technologies.
If death or physical damage that could cause human harm is considered a necessary part of the cyberterrorism definition, then there have been few identifiable incidents of cyberterrorism, although there has been much policy research and public concern. Modern terrorism and political violence is not easily defined, however, and some scholars assert that it is now "unbounded" and not exclusively concerned with physical damage
There is an old saying that death or loss of property are the side products of terrorism, the main purpose of such incidents is to create terror in peoples' minds and harm bystanders. If any incident in cyberspace can create terror, it may be rightly called cyberterrorism. For those affected by such acts, the fears of cyberterrorism are quite real.
As with cybercrime in general, the threshold of required knowledge and skills to perpetrate acts of cyberterror has been steadily diminishing thanks to freely available hacking suites and online courses. Additionally, the physical and virtual worlds are merging at an accelerated rate, making for many more targets of opportunity which is evidenced by such notable cyber attacks as Stuxnet, the Saudi petrochemical sabotage attempt in 2018 and others.
Defining cyberterrorism:
Assigning a concrete definition to cyberterrorism can be hard, due to the difficulty of defining the term terrorism itself. Multiple organizations have created their own definitions, most of which are overly broad. There is also controversy concerning overuse of the term, hyperbole in the media and by security vendors trying to sell "solutions".
One way of understanding cyberterrorism involves the idea that terrorists could cause massive loss of life, worldwide economic chaos and environmental damage by hacking into critical infrastructure systems.
The nature of cyberterrorism covers conduct involving computer or Internet technology that:
- is motivated by a political, religious or ideological cause
- is intended to intimidate a government or a section of the public to varying degrees
- seriously interferes with infrastructure
The term "cyberterrorism" can be used in a variety of different ways, but there are limits to its use. An attack on an Internet business can be labeled cyberterrorism; however, when it is done for economic rather than ideological motivations, it is typically regarded as cybercrime. Convention also limits the label "cyberterrorism" to actions by individuals, independent groups, or organizations. Any form of cyberwarfare conducted by governments and states would be regulated and punishable under international law.
The Technolytics Institute defines cyberterrorism as
"[t]he premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives."
The term appears first in defense literature, surfacing (as "cyber-terrorism") in reports by the U.S. Army War College as early as 1998.
The National Conference of State Legislatures, an organization of legislators created to help policymakers in the United States of America with issues such as the economy and homeland security, defines cyberterrorism as:
[T]he use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically.
Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, Denial-of-service attacks, or terroristic threats made via electronic communication.
NATO defines cyberterrorism as "[a] cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal".
The United States National Infrastructure Protection Center defined cyberterrorism as:
"A criminal act perpetrated by the use of computers and telecommunications capabilities resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a political, social, or ideological agenda."
The FBI, another United States agency, defines "cyber terrorism" as “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by subnational groups or clandestine agents”.
These definitions tend to share the view of cyberterrorism as politically and/or ideologically inclined. One area of debate is the difference between cyberterrorism and hacktivism.
Hacktivism is "the marriage of hacking with political activism". Both actions are politically driven and involve using computers; however, cyberterrorism is primarily used to cause harm. It becomes an issue because acts of violence on the computer can be labeled either cyberterrorism or hacktivism.
Types of cyberterror capability:
In 1999 the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, California defined three levels of cyberterror capability:
- Simple-Unstructured: the capability to conduct basic hacks against individual systems using tools created by someone else. The organization possesses little target-analysis, command-and-control, or learning capability.
- Advanced-Structured: the capability to conduct more sophisticated attacks against multiple systems or networks and possibly, to modify or create basic hacking-tools. The organization possesses an elementary target-analysis, command-and-control, and learning capability.
- Complex-Coordinated: the capability for a coordinated attack capable of causing mass-disruption against integrated, heterogeneous defenses (including cryptography). Ability to create sophisticated hacking tools. Highly capable target-analysis, command-and-control, and organization learning-capability.
Concerns:
Cyberterrorism is becoming more and more prominent on social media today. As the Internet becomes more pervasive in all areas of human endeavor, individuals or groups can use the anonymity afforded by cyberspace to threaten citizens, specific groups (i.e. with membership based on ethnicity or belief), communities and entire countries, without the inherent threat of capture, injury, or death to the attacker that being physically present would bring.
Many groups, such as Anonymous, use tools such as denial-of-service attacks to attack and censor groups who oppose them, creating many concerns for freedom and respect for differences of thought.
Many believe that cyberterrorism is an extreme threat to countries' economies, and fear an attack could potentially lead to another Great Depression. Several leaders agree that cyberterrorism has the highest percentage of threat over other possible attacks on U.S. territory.
Although natural disasters are considered a top threat and have proven to be devastating to people and land, there is ultimately little that can be done to prevent such events from happening. Thus, the expectation is to focus more on preventative measures that will make Internet attacks impossible to execute.
As the Internet continues to expand, and computer systems continue to be assigned increased responsibility while becoming more complex and interdependent, sabotage or terrorism via the Internet may become a more serious threat and is possibly one of the top 10 events to "end the human race." People have much easier access to illegal involvement in cyberspace through the ability to reach a part of the Internet known as the Dark Web.
The Internet of Things promises to further merge the virtual and physical worlds, which some experts see as a powerful incentive for states to use terrorist proxies in furtherance of objectives.
Dependence on the Internet is rapidly increasing on a worldwide scale, creating a platform for international cyber terror plots to be formulated and executed as a direct threat to national security. For terrorists, cyber-based attacks have distinct advantages over physical attacks. They can be conducted remotely, anonymously, and relatively cheaply, and they do not require significant investment in weapons, explosives and personnel.
The effects can be widespread and profound. Incidents of cyberterrorism are likely to increase. They will be conducted through denial-of-service attacks, malware, and other methods that are difficult to envision today. One example involves deaths linked to the Islamic State, which led to legal action being taken against the online social networks Twitter, Google, and Facebook and ultimately resulted in them being sued.
In an article about cyber attacks by Iran and North Korea, The New York Times observes, "The appeal of digital weapons is similar to that of nuclear capability: it is a way for an outgunned, outfinanced nation to even the playing field. 'These countries are pursuing cyberweapons the same way they are pursuing nuclear weapons,' said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington. 'It's primitive; it's not top of the line, but it's good enough and they are committed to getting it.'"
Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.
It includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection, and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.
The field is of growing importance due to the increasing reliance on computer systems in most societies. Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things – and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.
Internet Security Software
- National Cybersecurity Awareness Month Video by President Barack Obama
- YouTube Video: McAfee Tutorial & Review - Antivirus Software
- YouTube Video: 10 Best Antivirus Software 2021
Internet security is a branch of computer security specifically related to the Internet, often involving browser security but also network security on a more general level as it applies to other applications or operating systems as a whole.
Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of data, including encryption and from-the-ground-up engineering.
Threats
Malicious software
A computer user can be tricked or forced into downloading software onto a computer that is of malicious intent. Such software comes in many forms, such as viruses, Trojan horses, spyware, and worms.
Denial-of-service attacks:
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. According to businesses who participated in an international business security survey, 25% of respondents experienced a DoS attack in 2007 and 16.8% experienced one in 2010.
Phishing:
Main article: Phishing
Phishing occurs when the attacker pretends to be a trustworthy entity, either via email or web page. Victims are directed to fake web pages, which are dressed to look legitimate, via spoof emails, instant messenger/social media or other avenues. Often tactics such as email spoofing are used to make emails appear to be from legitimate senders, or long complex subdomains hide the real website host. Insurance group RSA said that phishing accounted for worldwide losses of $1.5 Billion in 2012.
Application vulnerabilities:
Main article: Application security
Applications used to access Internet resources may contain security vulnerabilities such as memory safety bugs or flawed authentication checks. The most severe of these bugs can give network attackers full control over the computer. Most security applications and suites are incapable of adequate defense against these kinds of attacks.
Remedies:
Network layer security
TCP/IP protocols may be secured with cryptographic methods and security protocols. These protocols include Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS) for web traffic, Pretty Good Privacy (PGP) for email, and IPsec for the network layer security.
Internet Protocol Security
IPsec is designed to protect TCP/IP communication in a secure manner. It is a set of security extensions developed by the Internet Engineering Task Force (IETF). It provides security and authentication at the IP layer by transforming data using encryption.
Two main types of transformation form the basis of IPsec: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). These two protocols provide data integrity, data origin authentication, and an anti-replay service. They can be used alone or in combination to provide the desired set of security services for the Internet Protocol (IP) layer.
The basic components of the IPsec security architecture are described in terms of the following functionalities:
- Security protocols for AH and ESP
- Security association for policy management and traffic processing
- Manual and automatic key management for the Internet key exchange (IKE)
- Algorithms for authentication and encryption
The set of security services provided at the IP layer includes access control, data origin integrity, protection against replays, and confidentiality. The architecture allows these services to be applied independently, without affecting other parts of the implementation. An IPsec implementation operates in a host or security gateway environment, giving protection to IP traffic.
Security token
Some online sites offer customers the ability to use a six-digit code which randomly changes every 30–60 seconds on a security token. The security token has a built-in clock and a built-in mathematical computation that derives the numbers from the current time.
This means that every thirty seconds there is only a certain array of numbers possible which would be correct to validate access to the online account. The website that the user is logging into would be made aware of that device's serial number and would know the computation and correct time built into the device, so it can verify that the number given is indeed one of the handful of six-digit numbers that works in that given 30–60 second cycle.
After 30–60 seconds the device will present a new random six-digit number which can log into the website.
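The time-based code scheme just described, as an added worked example (this is not code from the page or from any token vendor): the server derives the same counter from its clock, MACs it with the secret it holds for that serial number, and accepts the submitted code if it matches the current step or a neighbouring one. The serial number and the `TOKEN_SECRETS` table are constructed for the example; the secret is the RFC 6238 reference key, chosen so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo table mapping a token's serial number to its shared
# secret. A real site would keep this in a protected datastore. The key
# below is the RFC 6238 reference-vector key, used only so the output can
# be checked against published values.
TOKEN_SECRETS = {
    "SN-0001": b"12345678901234567890",
}


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code the token would display at `unix_time`.

    Token and server both derive a counter from the clock (time // step),
    HMAC it with the shared secret, and truncate the result to `digits`
    decimal digits (RFC 6238 with HMAC-SHA1, the common token default).
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(serial: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check of a code submitted for a given token serial.

    Accepts the code for the current step or any step within +/- `window`
    steps, which tolerates small clock drift between token and server.
    Unknown serials and malformed input are rejected before any secret is
    used; the comparison is constant-time.
    """
    secret = TOKEN_SECRETS.get(serial)
    if secret is None or len(submitted) != 6 or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp_code(secret, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp_code(TOKEN_SECRETS["SN-0001"], now)
    print("token displays:", code, "accepted:", verify_code("SN-0001", code, now))
```

Two points the prose leaves implicit and a site must add on top of this: each accepted code should be recorded as used so it cannot be replayed within its window, and the drift window should stay small, since every extra step doubles the number of codes that would be accepted at a given moment.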
Electronic mail security
Background: Email messages are composed, delivered, and stored in a multiple step process, which starts with the message's composition. When the user finishes composing the message and sends it, the message is transformed into a standard format: an RFC 2822 formatted message.
Afterwards, the message can be transmitted. Using a network connection, the mail client, referred to as a mail user agent (MUA), connects to a mail transfer agent (MTA) operating on the mail server. The mail client then provides the sender’s identity to the server. Next, using the mail server commands, the client sends the recipient list to the mail server. The client then supplies the message.
Once the mail server receives and processes the message, several events occur: recipient server identification, connection establishment, and message transmission. Using Domain Name System (DNS) services, the sender’s mail server determines the mail server(s) for the recipient(s). Then, the server opens up a connection(s) to the recipient mail server(s) and sends the message employing a process similar to that used by the originating client, delivering the message to the recipient(s).
Pretty Good Privacy (PGP):
Pretty Good Privacy provides confidentiality by encrypting messages to be transmitted or data files to be stored using an encryption algorithm such as Triple DES or CAST-128. Email messages can be protected by using cryptography in various ways, such as the following:
- Signing an email message to ensure its integrity and confirm the identity of its sender.
- Encrypting the body of an email message to ensure its confidentiality.
- Encrypting the communications between mail servers to protect the confidentiality of both message body and message header.
The first two methods, message signing and message body encryption, are often used together; however, encrypting the transmissions between mail servers is typically used only when two organizations want to protect emails regularly sent between each other.
For example, the organizations could establish a virtual private network (VPN) to encrypt the communications between their mail servers over the Internet. Unlike methods that can only encrypt a message body, a VPN can encrypt entire messages, including email header information such as senders, recipients, and subjects.
In some cases, organizations may need to protect header information. However, a VPN solution alone cannot provide a message signing mechanism, nor can it provide protection for email messages along the entire route from sender to recipient.
Multipurpose Internet Mail Extensions (MIME)
MIME transforms non-ASCII data at the sender's site to Network Virtual Terminal (NVT) ASCII data and delivers it to client's Simple Mail Transfer Protocol (SMTP) to be sent through the Internet. The server SMTP at the receiver's side receives the NVT ASCII data and delivers it to MIME to be transformed back to the original non-ASCII data.
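An added example (not code from the page) of the transformation the paragraph describes, using Python's standard email package: a body containing non-ASCII characters is base64-encoded on the sending side so that the bytes handed to SMTP are pure 7-bit ASCII, and decoded back to the original text on the receiving side. The addresses and message text are constructed for the example.

```python
import email
import email.policy
from email.message import EmailMessage


def encode_for_transfer(text: str) -> bytes:
    """Build an RFC 2822/MIME message whose body is base64-encoded.

    The result is what the sender's MIME layer hands to SMTP: every byte
    is 7-bit ASCII even when `text` is not.
    """
    msg = EmailMessage()
    msg["From"] = "alice@example.com"   # constructed addresses
    msg["To"] = "bob@example.com"
    msg["Subject"] = "MIME demo"
    msg.set_content(text, cte="base64")  # cte = Content-Transfer-Encoding
    return msg.as_bytes()


def is_nvt_ascii(raw: bytes) -> bool:
    """True if every byte is 7-bit, i.e. safe for an ASCII-only SMTP path."""
    return all(b < 0x80 for b in raw)


def decode_after_transfer(raw: bytes) -> str:
    """Receiver side: parse the message and undo the transfer encoding."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    # set_content() appends a line terminator to the body; strip it so the
    # round trip returns exactly the original text.
    return msg.get_content().rstrip("\n")


if __name__ == "__main__":
    wire = encode_for_transfer("Grüße aus Zürich")
    print(wire.decode("ascii"))
    print("7-bit clean:", is_nvt_ascii(wire))
    print("decoded:", decode_after_transfer(wire))
```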
Message Authentication Code
A message authentication code (MAC) is a cryptographic method that uses a secret key to encrypt a message. This method outputs a MAC value that can be decrypted by the receiver, using the same secret key used by the sender. The message authentication code protects both a message's data integrity and its authenticity.
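An added example of what the paragraph calls a MAC, written with Python's standard hmac module rather than taken from the page: in practice the receiver does not decrypt the MAC value; it recomputes the tag over the received message with the shared key and compares it, in constant time, with the tag that arrived. The key, messages and tag are constructed for the example; the MAC does not hide the message, so confidentiality still needs encryption alongside it.

```python
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> str:
    """Sender side: HMAC-SHA256 tag over `message` under the shared `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    compare_digest avoids the early-exit timing leak of a plain `==`.
    """
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Show what a MAC does and does not provide on constructed sample data."""
    key = os.urandom(32)                       # shared secret, agreed out of band
    message = b"transfer 100 to account 42"    # constructed sample message
    tag = make_tag(key, message)

    tampered = b"transfer 900 to account 42"   # one byte changed in transit
    return {
        "genuine_accepted": verify_tag(key, message, tag),
        "tampered_rejected": not verify_tag(key, tampered, tag),
        "wrong_key_rejected": not verify_tag(os.urandom(32), message, tag),
        # The tag is fixed-size and independent of message length; it is
        # not a ciphertext and the message itself travels in the clear.
        "tag_hex_length": len(tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```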
Firewalls
A computer firewall controls access between networks. It generally consists of gateways and filters which vary from one firewall to another. Firewalls also screen network traffic and are able to block traffic that is dangerous. Firewalls act as the intermediate server between SMTP and Hypertext Transfer Protocol (HTTP) connections.
Role of firewalls in web security
Firewalls impose restrictions on incoming and outgoing Network packets to and from private networks. Incoming or outgoing traffic must pass through the firewall; only authorized traffic is allowed to pass through it.
Firewalls create checkpoints between an internal private network and the public Internet, also known as choke points (borrowed from the identical military term for a combat-limiting geographical feature). Firewalls can create choke points based on IP source and TCP port number.
They can also serve as the platform for IPsec. Using tunnel mode capability, a firewall can be used to implement VPNs. Firewalls can also limit network exposure by hiding the internal network system and information from the public Internet.
Types of firewall:
Packet filter: A packet filter is a first generation firewall that processes network traffic on a packet-by-packet basis. Its main job is to filter traffic from a remote IP host, so a router is needed to connect the internal network to the Internet. The router is known as a screening router, which screens packets leaving and entering the network.
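A stateless packet filter of the kind the paragraph (and the choke-point description above) refers to, as an added example with a constructed rule set, not the configuration of any real screening router: each packet is matched against ordered rules on source address, protocol and destination port, the first match decides, and anything that matches nothing is dropped. The 192.0.2.0/24 and 198.51.100.0/24 networks are documentation ranges chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_net: str                 # CIDR the source address must fall in
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed rule set for a screening router in front of the internal
# network 192.0.2.0/24. Order matters: the first matching rule wins.
RULES = [
    Rule("allow", "192.0.2.0/24"),             # internal hosts may initiate anything
    Rule("allow", "0.0.0.0/0", "tcp", 80),     # public web server
    Rule("allow", "0.0.0.0/0", "tcp", 443),
    Rule("deny", "0.0.0.0/0"),                 # explicit catch-all
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for one packet; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: a policy with no matching rule drops traffic


def audit(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[Packet, str]]:
    """Decide a batch of packets, the raw material for a firewall deny log."""
    return [(pkt, filter_packet(pkt, rules)) for pkt in packets]


if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
        Packet("192.0.2.5", "198.51.100.7", "tcp", 22),
        Packet("198.51.100.7", "192.0.2.10", "udp", 53),
    ]
    for pkt, decision in audit(sample):
        print(f"{decision:5} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Because the filter keeps no connection state, it cannot tell a reply to an internal client's outbound request from an unsolicited inbound packet; the stateful inspection described next exists to close that gap.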
Stateful packet inspection: In a stateful firewall the circuit-level gateway is a proxy server that operates at the network level of the Open Systems Interconnection (OSI) model and statically defines what traffic will be allowed.
Circuit proxies will forward network packets (formatted units of data) containing a given port number, if the port is permitted by the algorithm. The main advantage of a proxy server is its ability to provide Network Address Translation (NAT), which can hide the user's IP address from the Internet, effectively protecting all internal information from the Internet.
Application-level gateway: An application-level firewall is a third generation firewall where a proxy server operates at the very top of the OSI model, the IP suite application level. A network packet is forwarded only if a connection is established using a known protocol. Application-level gateways are notable for analyzing entire messages rather than individual packets of data when the data are being sent or received.
Browser choice
Main article: Browser security
Web browser statistics tend to affect the amount a Web browser is exploited. For example, Internet Explorer 6, which used to own a majority of the Web browser market share, is considered extremely insecure because vulnerabilities were exploited due to its former popularity.
Browser choice is now more evenly distributed (Internet Explorer at 28.5%, Firefox at 18.4%, Google Chrome at 40.8%, and so on), and vulnerabilities are exploited in many different browsers.
Internet security products
Antivirus:
Antivirus software and Internet security programs can protect a programmable device from attack by detecting and eliminating viruses. Antivirus software was mainly shareware in the early years of the Internet, but there are now several free security applications on the Internet to choose from for all platforms.
Password managers
A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
Security suites:
So-called security suites were first offered for sale in 2003 (McAfee) and contain a suite of firewalls, anti-virus, anti-spyware and more. They may now offer theft protection, portable storage device safety checks, private Internet browsing, cloud anti-spam, a file shredder, or make security-related decisions (answering popup windows), and several were free of charge as of at least 2012.
See also:
Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of data, including encryption and from-the-ground-up engineering.
Threats
Malicious software
A computer user can be tricked or forced into downloading software onto a computer that is of malicious intent. Such software comes in many forms, such as viruses, Trojan horses, spyware, and worms.
- Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency. The term badware is sometimes used, and applied to both true (malicious) malware and unintentionally harmful software.
- A botnet is a network of zombie computers that have been taken over by a robot or bot that performs large-scale malicious acts for the creator of the botnet.
- Computer Viruses are programs that can replicate their structures or effects by infecting other files or structures on a computer. The common use of a virus is to take over a computer to steal data.
- Computer worms are programs that can replicate themselves throughout a computer network, performing malicious tasks throughout.
- Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.
- Scareware is scam software with malicious payloads, usually of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user.
- Spyware refers to programs that surreptitiously monitor activity on a computer system and report that information to others without the user's consent.
- A Trojan horse, commonly known as a Trojan, is a general term for malicious software that pretends to be harmless, so that a user willingly allows it to be downloaded onto the computer.
Denial-of-service attacks:
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. According to businesses who participated in an international business security survey, 25% of respondents experienced a DoS attack in 2007 and 16.8% experienced one in 2010.
Phishing:
Main article: Phishing occurs when the attacker pretends to be a trustworthy entity, either via email or web page. Victims are directed to fake web pages, which are dressed to look legitimate, via spoof emails, instant messenger/social media or other avenues. Often tactics such as email spoofing are used to make emails appear to be from legitimate senders, or long complex subdomains hide the real website host. Insurance group RSA said that phishing accounted for worldwide losses of $1.5 Billion in 2012.
Application vulnerabilities:
Main article: Application security Applications used to access Internet resources may contain security vulnerabilities such as memory safety bugs or flawed authentication checks. The most severe of these bugs can give network attackers full control over the computer. Most security applications and suites are incapable of adequate defense against these kinds of attacks.
Remedies:
Network layer security
TCP/IP protocols may be secured with cryptographic methods and security protocols. These protocols include Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS) for web traffic, Pretty Good Privacy (PGP) for email, and IPsec for the network layer security.
Internet Protocol Security
IPsec is designed to protect TCP/IP communication in a secure manner. It is a set of security extensions developed by the Internet Task Force (IETF). It provides security and authentication at the IP layer by transforming data using encryption.
Two main types of transformation that form the basis of IPsec: the Authentication Header (AH) and ESP. These two protocols provide data integrity, data origin authentication, and anti-replay service. These protocols can be used alone or in combination to provide the desired set of security services for the Internet Protocol (IP) layer.
The basic components of the IPsec security architecture are described in terms of the following functionalities:
- Security protocols for AH and ESP
- Security association for policy management and traffic processing
- Manual and automatic key management for the Internet key exchange (IKE)
- Algorithms for authentication and encryption
The set of security services provided at the IP layer includes access control, data origin integrity, protection against replays, and confidentiality. The algorithm allows these sets to work independently without affecting other parts of the implementation. The IPsec implementation is operated in a host or security gateway environment giving protection to IP traffic.
Security token
Some online sites offer customers the ability to use a six-digit code which randomly changes every 30–60 seconds on a security token. The keys on the security token have built in mathematical computations and manipulate numbers based on the current time built into the device.
This means that every thirty seconds there is only a certain array of numbers possible which would be correct to validate access to the online account. The website that the user is logging into would be made aware of that devices' serial number and would know the computation and correct time built into the device to verify that the number given is indeed one of the handful of six-digit numbers that works in that given 30-60 second cycle.
After 30–60 seconds the device will present a new random six-digit number which can log into the website.
Electronic mail security
Background: Email messages are composed, delivered, and stored in a multiple step process, which starts with the message's composition. When the user finishes composing the message and sends it, the message is transformed into a standard format: an RFC 2822 formatted message.
Afterwards, the message can be transmitted. Using a network connection, the mail client, referred to as a mail user agent (MUA), connects to a mail transfer agent (MTA) operating on the mail server. The mail client then provides the sender’s identity to the server. Next, using the mail server commands, the client sends the recipient list to the mail server. The client then supplies the message.
Once the mail server receives and processes the message, several events occur: recipient server identification, connection establishment, and message transmission. Using Domain Name System (DNS) services, the sender’s mail server determines the mail server(s) for the recipient(s). Then, the server opens up a connection(s) to the recipient mail server(s) and sends the message employing a process similar to that used by the originating client, delivering the message to the recipient(s).
Pretty Good Privacy (PGP):
Pretty Good Privacy provides confidentiality by encrypting messages to be transmitted or data files to be stored using an encryption algorithm such as Triple DES or CAST-128. Email messages can be protected by using cryptography in various ways, such as the following:
- Signing an email message to ensure its integrity and confirm the identity of its sender.
- Encrypting the body of an email message to ensure its confidentiality.
- Encrypting the communications between mail servers to protect the confidentiality of both message body and message header.
The first two methods, message signing and message body encryption, are often used together; however, encrypting the transmissions between mail servers is typically used only when two organizations want to protect emails regularly sent between each other.
For example, the organizations could establish a virtual private network (VPN) to encrypt the communications between their mail servers over the Internet. Unlike methods that can only encrypt a message body, a VPN can encrypt entire messages, including email header information such as senders, recipients, and subjects.
In some cases, organizations may need to protect header information. However, a VPN solution alone cannot provide a message signing mechanism, nor can it provide protection for email messages along the entire route from sender to recipient.
Multipurpose Internet Mail Extensions (MIME)
MIME transforms non-ASCII data at the sender's site into Network Virtual Terminal (NVT) ASCII data and delivers it to the client's Simple Mail Transfer Protocol (SMTP) to be sent through the Internet. The server SMTP at the receiver's side receives the NVT ASCII data and delivers it to MIME to be transformed back into the original non-ASCII data.
Message Authentication Code
A Message authentication code (MAC) is a cryptographic method that uses a secret key to compute a short tag, the MAC value, over a message. The receiver, using the same secret key as the sender, recomputes the tag and checks that it matches the one received. The Message Authentication Code protects both a message's data integrity and its authenticity.
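An added illustration, not from the original page, of the sender and receiver halves of a MAC using HMAC-SHA256 from Python's standard library; the key, addresses and message body are constructed. It shows the check a practitioner cares about: any change to the covered fields, or a different key, makes verification fail, while the message itself stays readable, since a MAC provides no confidentiality.

```python
import hashlib
import hmac
import secrets


def generate_key() -> bytes:
    """A fresh 32-byte secret, shared out of band by sender and receiver."""
    return secrets.token_bytes(32)


def canonical(fields) -> bytes:
    """Length-prefix each field before tagging, so that (b"ab", b"c") and
    (b"a", b"bc") cannot collapse into the same byte string."""
    out = bytearray()
    for f in fields:
        out += len(f).to_bytes(4, "big") + f
    return bytes(out)


def compute_mac(key: bytes, *fields: bytes) -> bytes:
    """Sender side: HMAC-SHA256 tag over the canonical encoding of the
    fields (for mail: sender, recipient and body)."""
    return hmac.new(key, canonical(fields), hashlib.sha256).digest()


def verify_mac(key: bytes, tag: bytes, *fields: bytes) -> bool:
    """Receiver side: recompute the tag with the shared key and compare in
    constant time; compare_digest does not leak how many bytes matched."""
    return hmac.compare_digest(compute_mac(key, *fields), tag)


def demo() -> dict:
    """Tag a constructed message, then verify it under several conditions."""
    key = generate_key()
    sender, recipient = b"alice@example.com", b"bob@example.com"  # constructed
    body = b"Please pay invoice 1042 to account 12-34."             # constructed
    tag = compute_mac(key, sender, recipient, body)
    # The body is still plaintext on the wire: a MAC authenticates, it does
    # not hide anything.
    return {
        "untouched": verify_mac(key, tag, sender, recipient, body),
        "body changed": verify_mac(
            key, tag, sender, recipient,
            b"Please pay invoice 1042 to account 99-99."),
        "sender changed": verify_mac(
            key, tag, b"mallory@example.com", recipient, body),
        "wrong key": verify_mac(generate_key(), tag, sender, recipient, body),
        "tag length": len(tag),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```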
Firewalls
A computer firewall controls access between networks. It generally consists of gateways and filters which vary from one firewall to another. Firewalls also screen network traffic and are able to block traffic that is dangerous. Firewalls act as the intermediate server between SMTP and Hypertext Transfer Protocol (HTTP) connections.
Role of firewalls in web security
Firewalls impose restrictions on incoming and outgoing Network packets to and from private networks. Incoming or outgoing traffic must pass through the firewall; only authorized traffic is allowed to pass through it.
Firewalls create checkpoints between an internal private network and the public Internet, also known as choke points (borrowed from the identical military term for a combat-limiting geographical feature). Firewalls can create choke points based on IP source address and TCP port number.
They can also serve as the platform for IPsec. Using its tunnel mode capability, a firewall can be used to implement VPNs. Firewalls can also limit network exposure by hiding the internal network's systems and information from the public Internet.
Types of firewall:
Packet filter: A packet filter is a first generation firewall that processes network traffic on a packet-by-packet basis. Its main job is to filter traffic from a remote IP host, so a router is needed to connect the internal network to the Internet. The router is known as a screening router, which screens packets leaving and entering the network.
Stateful packet inspection: In a stateful firewall the circuit-level gateway is a proxy server that operates at the network level of an Open Systems Interconnection (OSI) model and statically defines what traffic will be allowed.
Circuit proxies will forward network packets (formatted units of data) containing a given port number, if the port is permitted by the algorithm. The main advantage of a proxy server is its ability to provide Network Address Translation (NAT), which can hide the user's IP address from the Internet, effectively protecting all internal information from the Internet.
Application-level gateway:
An application-level firewall is a third generation firewall where a proxy server operates at the very top of the OSI model, the IP suite application level. A network packet is forwarded only if a connection is established using a known protocol. Application-level gateways are notable for analyzing entire messages rather than individual packets of data when the data are being sent or received.
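To make the difference between a first-generation packet filter and stateful inspection concrete, here is an added Python simulation (not code from the original page). The 10.0.0.0/24 internal network, the mail server address and the four sample packets are constructed; the point demonstrated is that a stateless filter has to admit any inbound packet whose source port looks like a web reply, whereas a stateful filter admits only replies to connections the inside actually opened.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view: addresses, ports and the SYN flag."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # True on the first packet of a new connection


INTERNAL_PREFIX = "10.0.0."   # constructed: internal hosts live in 10.0.0.0/24
MAIL_SERVER = "10.0.0.25"     # constructed: the only host reachable from outside
WEB_PORTS = (80, 443)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class PacketFilter:
    """First-generation screening router: every packet is judged on its own.

    Constructed rules: outbound packets to TCP/80 or TCP/443 are allowed;
    inbound packets to the mail server on TCP/25 are allowed; and, so that web
    replies can get back in, inbound packets FROM port 80/443 are allowed too,
    because a stateless filter cannot tell a reply from a fresh probe.
    """

    def decide(self, p: Packet) -> str:
        if is_internal(p.src_ip) and p.dst_port in WEB_PORTS:
            return "ALLOW"
        if p.dst_ip == MAIL_SERVER and p.dst_port == 25:
            return "ALLOW"
        if is_internal(p.dst_ip) and p.src_port in WEB_PORTS:
            return "ALLOW"   # weak spot: any outside host can set src_port=443
        return "DROP"


class StatefulFilter:
    """Stateful inspection: same policy, but return traffic is admitted only
    if it matches a connection the internal side opened (tracked by tuple)."""

    def __init__(self):
        self.established = set()   # (client_ip, client_port, server_ip, server_port)

    def decide(self, p: Packet) -> str:
        if is_internal(p.src_ip) and p.dst_port in WEB_PORTS:
            if p.syn:   # remember connections the inside opened
                self.established.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "ALLOW"
        if p.dst_ip == MAIL_SERVER and p.dst_port == 25:
            return "ALLOW"
        # Inbound: admit only the reverse direction of a known connection.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.established:
            return "ALLOW"
        return "DROP"


def run(filter_obj, packets) -> list:
    """Apply a filter to a packet sequence in order and return the verdicts."""
    return [filter_obj.decide(p) for p in packets]


# Constructed traffic: a legitimate outbound HTTPS connection and its reply,
# then an unsolicited inbound packet that merely looks like a reply (source
# port 443) aimed at an internal RDP port, then ordinary mail delivery.
SAMPLE = [
    Packet("10.0.0.7", 51000, "203.0.113.10", 443, syn=True),   # inside opens
    Packet("203.0.113.10", 443, "10.0.0.7", 51000),             # genuine reply
    Packet("198.51.100.9", 443, "10.0.0.7", 3389),              # forged "reply"
    Packet("198.51.100.9", 40000, MAIL_SERVER, 25),             # mail delivery
]

if __name__ == "__main__":
    print("stateless:", run(PacketFilter(), SAMPLE))
    print("stateful: ", run(StatefulFilter(), SAMPLE))
```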
Browser choice
Main article: Browser security
Web browser market share tends to affect how heavily a Web browser is exploited. For example, Internet Explorer 6, which once held a majority of the Web browser market share, is considered extremely insecure because its former popularity made its vulnerabilities worth exploiting.
Browser choice is now more evenly distributed (Internet Explorer at 28.5%, Firefox at 18.4%, Google Chrome at 40.8%, and so on), and vulnerabilities are exploited in many different browsers.
Internet security products
Antivirus:
Antivirus software and Internet security programs can protect a programmable device from attack by detecting and eliminating viruses. Antivirus software was mainly shareware in the early years of the Internet, but there are now several free security applications on the Internet to choose from for all platforms.
Password managers
A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
Security suites:
So-called security suites were first offered for sale in 2003 (McAfee) and contain a suite of firewalls, anti-virus, anti-spyware and more. They may now offer theft protection, portable storage device safety checks, private Internet browsing, cloud anti-spam, a file shredder, or make security-related decisions (answering popup windows), and several were free of charge as of at least 2012.
See also:
- Comparison of antivirus software
- Comparison of firewalls
- Cyberspace Electronic Security Act (in the US)
- Firewalls and Internet Security (book)
- Goatse Security
- Identity Driven Networking
- Internet Crime Complaint Center
- Internet safety
- Network security policy
- Outpost Security Suite
- Web literacy (Security)
- Usability of web authentication systems
Cyberwarfare, focusing specifically on Cyberwarfare in the United States
Cyberwarfare involves the battlespace use and targeting of computers and networks in warfare. It involves both offensive and defensive operations pertaining to the threat of cyberattacks, espionage and sabotage. There has been controversy over whether such operations can duly be called "war". Nevertheless, nations have been developing their capabilities and engaged in cyberwarfare either as an aggressor, defendant, or both.
Cyberwarfare has been defined as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption", but other definitions also include non-state actors, such as terrorist groups, companies, political or ideological extremist groups, hacktivists, and transnational criminal organizations.
Some governments have made it an integral part of their overall military strategy, with some having invested heavily in cyberwarfare capability. Cyberwarfare is essentially a formalized version of penetration testing in which a government entity has established it as a war-fighting capability.
This capability uses the same set of penetration testing methodologies but applies them, in the case of United States doctrine, in a strategical way to
- Prevent cyber attacks against critical infrastructure
- Reduce national vulnerability to cyber attacks
- Minimize damage and recovery time from cyber attacks
Types of Threats:
- Cyberattacks, where immediate damage or disruption is caused are the main concern.
- Cyber espionage, which can provide the information needed to make a successful cyberattack or scandal to launch an information warfare.
Espionage:
Traditional espionage is not an act of war, nor is cyber-espionage, and both are generally assumed to be ongoing between major powers. Despite this assumption, some incidents can cause serious tensions between nations, and are often described as "attacks". For example:
- Massive spying by the US on many countries, revealed by Edward Snowden.
- After the NSA's spying on Germany's Chancellor Angela Merkel was revealed, the Chancellor compared the NSA with the Stasi.
- The NSA recording nearly every cell phone conversation in the Bahamas, without the Bahamian government's permission, and similar programs in Kenya, the Philippines, Mexico and Afghanistan.
- The "Titan Rain" probes of American defense contractors computer systems since 2003.
- The Office of Personnel Management data breach, in the US, widely attributed to China.
Sabotage:
Computers and satellites that coordinate other activities are vulnerable components of a system and could lead to the disruption of equipment. Compromise of military systems, such as C4ISTAR components that are responsible for orders and communications could lead to their interception or malicious replacement.
Power, water, fuel, communications, and transportation infrastructure all may be vulnerable to disruption. According to Clarke, the civilian realm is also at risk, noting that the security breaches have already gone beyond stolen credit card numbers, and that potential targets can also include the electric power grid, trains, or the stock market.
In mid July 2010, security experts discovered a malicious software program called Stuxnet that had infiltrated factory computers and had spread to plants around the world. It is considered "the first attack on critical industrial infrastructure that sits at the foundation of modern economies," notes The New York Times.
Stuxnet, while extremely effective in delaying Iran's nuclear program for the development of nuclear weaponry, came at a high cost. For the first time, it became clear that not only could cyber weapons be defensive but they could be offensive.
The large decentralization and scale of cyberspace makes it extremely difficult to direct from a policy perspective. Non-state actors can play as large a part in the cyberwar space as state actors, which leads to dangerous, sometimes disastrous, consequences.
Small groups of highly skilled malware developers are able to affect global politics and cyber warfare as effectively as large governmental agencies. A major aspect of this ability lies in the willingness of these groups to share their exploits and developments on the web as a form of arms proliferation.
This allows lesser hackers to become more proficient in creating the large scale attacks that once only a small handful were skillful enough to manage. In addition, thriving black markets for these kinds of cyber weapons are buying and selling these cyber capabilities to the highest bidder without regard for consequences.
Denial-of-Service Attack:
Main article: Denial-of-service attack
In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks may not be limited to computer-based methods, as strategic physical attacks against infrastructure can be just as devastating.
For example, cutting undersea communication cables may severely cripple some regions and countries with regards to their information warfare ability.
Electrical Power Grid:
The federal government of the United States admits that the electric power grid is susceptible to cyberwarfare. The United States Department of Homeland Security works with industries to identify vulnerabilities and to help industries enhance the security of control system networks; the federal government is also working to ensure that security is built in as the next generation of "smart grid" networks is developed.
In April 2009, reports surfaced that China and Russia had infiltrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national security officials. The North American Electric Reliability Corporation (NERC) has issued a public notice that warns that the electrical grid is not adequately protected from cyber attack. China denies intruding into the U.S. electrical grid.
One countermeasure would be to disconnect the power grid from the Internet and run the net with droop speed control only. Massive power outages caused by a cyber attack could disrupt the economy, distract from a simultaneous military attack, or create a national trauma.
Howard Schmidt, former Cyber-Security Coordinator of the US, commented on those possibilities: "It's possible that hackers have gotten into administrative computer systems of utility companies, but says those aren't linked to the equipment controlling the grid, at least not in developed countries. [Schmidt] has never heard that the grid itself has been hacked."
On 23 December 2015, what is believed to be a first known successful cyber attack on a power grid took place in Ukraine leading to temporary blackouts. The cyber attack is attributed to the Russian advanced persistent threat group called "Sandworm" and it was performed during an ongoing military confrontation.
Click on any of the following blue hyperlinks for more about Cyberwarfare:
- Motivations
- By region
- Cyberpeace
- Cyber counterintelligence
- Controversy over terms
- Legality, rules
- In films
- See also:
- Cash machine
- Computer security organizations
- Cyber-arms industry
- Cyber-collection
- Cyber spying
- Cyber terrorism
- Duqu
- Fifth Dimension Operations
- IT risk
- iWar
- List of cyber attack threat trends
- List of cyber-attacks
- Penetration test
- Proactive cyber defense
- Signals intelligence
- Virtual war
- United States Cyber Command
- NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)
- Cyberwar News community by Reza Rafati
- Videos
- "Sabotaging the System" video, "60 Minutes", 8 November 2009, CBS News, 15 minutes
- Articles
- ABC: Former White House security advisor warns of cyber war
- Wall Street Journal: Fighting Wars in Cyberspace
- Will There Be An Electronic Pearl Harbor, PC World by Ira Winkler, 1 December 2009
- Senate panel: 80 percent of cyberattacks preventable, Wired, 17 November 2009
- Duncan Gardham, 26 June 2009, Hackers recruited to fight 'new cold war', Telegraph UK
- Stefano Mele, Jan 2016, Cyber Strategy & Policy Brief (Volume 01 – January 2016)
- Stefano Mele, Jun 2013, Cyber-Weapons: Legal and Strategic Aspects (version 2.0)
- Stefano Mele, Sep 2010, Cyberwarfare and its damaging effects on citizens
- Cybersecurity: Authoritative Reports and Resources, US Congressional Research Service
- Why the USA is Losing The Cyberwar Against China, by Joseph Steinberg, VentureBeat, 9 November 2011
- Michael Riley and Ashlee Vance, 20 July 2011, Cyber Weapons: The New Arms Race
- The Digital Arms Race: NSA Preps America for Future Battle, Der Spiegel, January 2015
Cyberwarfare in the United States:
As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and power projection thanks to its advanced technology and large military budget.
Cyber warfare continues to be a growing threat as more physical systems and infrastructure are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.
The United States Department of Defense recognizes the use of computers and the Internet to conduct warfare in cyberspace as a threat to national security, but also as a platform for attack.
The United States Cyber Command centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks. It is an armed forces sub-unified command subordinate to United States Strategic Command.
In April 2015, the U.S. Department of Defense (DoD) published its latest Cyber Strategy building upon the previous DoD Strategy for Operating in Cyberspace published in July 2011.
The DoD Cyber strategy focuses on building capabilities to protect, secure, and defend its own DoD networks, systems and information; defend the nation against cyber attacks; and support contingency plans. This includes being prepared to operate and continue to carry out missions in environments impacted by cyber attacks.
The DoD outlines three cyber missions:
- Defend DoD networks, systems, and information.
- Defend the United States and its interests against cyberattacks of significant consequence.
- Provide integrated cyber capabilities to support military operations and contingency plans.
In addition, the Cyber Strategy emphasizes the need to build bridges to the private sector, so that the best talent and technology the United States has to offer is at the DoD's disposal.
The Five Pillars:
- Build and maintain ready forces and capabilities to conduct cyberspace operations;
- Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
- Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
- Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
- Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.
US Department of Defense Cyber Strategy, US DoD, April 2015. The five pillars are the base of the Department of Defense's strategy for cyberwarfare.
The first pillar is to recognize that the new domain for warfare is cyberspace and that it is similar to the other elements in the battlespace. The key objectives of this pillar are to build up technical capabilities and accelerate research and development to provide the United States with a technological advantage.
The second pillar is proactive defenses as opposed to passive defense. Two examples of passive defense are computer hygiene and firewalls. The balance of the attacks require active defense using sensors to provide a rapid response to detect and stop a cyber attack on a computer network. This would provide military tactics to backtrace, hunt down and attack an enemy intruder.
The third pillar is critical infrastructure protection (CIP) to ensure the protection of critical infrastructure by developing warning systems to anticipate threats.
The fourth pillar is the use of collective defense, which would provide the ability of early detection and incorporate it into the cyberwarfare defense structure. The goal of this pillar is to explore all options in the face of a conflict, and to minimize loss of life and destruction of property.
The fifth pillar is to build and maintain international alliances and partnerships to deter shared threats, and to remain adaptive and flexible to build new alliances as required. This is focused on "priority regions, to include the Middle East, Asia-Pacific, and Europe".
Cyber Attack as an Act of War:
In 2011, The White House published an "International Strategy for Cyberspace" that reserved the right to use military force in response to a cyberattack:
"When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means — diplomatic, informational, military, and economic — as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible."
In 2013, the Defense Science Board, an independent advisory committee to the U.S. Secretary of Defense, went further, stating that "The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War," and recommending, in response to the "most extreme case" (described as a "catastrophic full spectrum cyber attack"), that "Nuclear weapons would remain the ultimate response and anchor the deterrence ladder."
Click on any of the following blue hyperlinks for more about Cyberwarfare in the United States:
- Attacks on other nations
- Cyber threat information sharing
- United States Cyber Command
- Timeline of Cyber Warfare Attacks against the United States
- See also:
- Air Force Cyber Command (Provisional)
- Computer Security
- Cyber spying
- Cyber terrorism
- Cyberwarfare by Russian state
- Defense Information Systems Network
- Denial-of-service attack
- Electronic warfare
- Espionage
- Hacker (computer security)
- iWar
- Information warfare
- List of cyber attack threat trends
- Penetration testing
- Proactive Cyber Defense
- Siberian pipeline sabotage
- Signals intelligence
- Chinese Intelligence Operations in the United States
- Chinese Information Operations and Warfare
- Military-digital complex
- Economic and Industrial Espionage
- U.S. Cyber Command
- Hunt, Edward (2012). "US Government Computer Penetration Programs and the Implications for Cyberwar". IEEE Annals of the History of Computing.
- Obama Order Sped Up Wave of Cyberattacks Against Iran with diagram, 1 June 2012
Cyberwarfare by Russia
- YouTube Video: What We Know About Russian Cyber Attacks on U.S. Election (by Bloomberg Technology)
- YouTube Video: Russia Perfected Its Cyberwarfare In Ukraine — America Could Pay The Price
- YouTube Video: NYT: Cyber warfare between U.S. and Russia escalates as Washington targets power grids
Cyberwarfare by Russia includes the following:
According to investigative journalist Andrei Soldatov, some of these activities have been coordinated by Russian signals intelligence, which is part of the FSB and was formerly part of the 16th KGB department, but others have been directed by the Russian Ministry of Internal Affairs and the Russian military.
Online Presence:
US journalist Pete Earley described his interviews with former senior Russian intelligence officer Sergei Tretyakov, who defected to the United States in 2000:
Sergei would send an officer to a branch of New York Public Library where he could get access to the Internet without anyone knowing his identity.
The officer would post the propaganda on various websites and send it in emails to US publications and broadcasters. Some propaganda would be disguised as educational or scientific reports. ... The studies had been generated at the Center by Russian experts. The reports would be 100% accurate.
Tretyakov did not specify the targeted web sites, but made clear they selected the sites which are most convenient for distributing the specific disinformation. During his work in New York City in the end of the 1990s, one of the most frequent disinformation subjects was War in Chechnya.
According to a publication in Russian computer weekly Computerra, "just because it became known that anonymous editors are editing articles in English Wikipedia in the interests of UK and US intelligence and security services, it is also likely that Russian security services are involved in editing Russian Wikipedia, but this is not even interesting to prove it — because everyone knows that security bodies have a special place in structure of our [Russian] state".
Cyberattacks:
Main articles:
It has been claimed that Russian security services organized a number of denial of service attacks as a part of their cyber-warfare against other countries, most notably the 2007 cyberattacks on Estonia and the 2008 cyberattacks on Russia, South Ossetia, Georgia, and Azerbaijan.
One identified young Russian hacker said that he was paid by Russian state security services to lead hacking attacks on NATO computers. He was studying computer sciences at the Department of the Defense of Information. His tuition was paid for by the FSB.
Russian Cyberattacks on Other Countries:
Georgia:
Concerning the 2008 cyberattacks on Georgia, an independent US-based research institute US Cyber Consequences Unit report stated the attacks had "little or no direct involvement from the Russian government or military". According to the institute's conclusions, some several attacks originated from the PCs of multiple users located in Russia, Ukraine and Latvia. These users were willingly participating in cyberwarfare, being supporters of Russia during the 2008 South Ossetia war, while some other attacks also used botnets.
Germany:
In 2015 a high-ranking security official stated that it was "highly plausible" that a cybertheft of files from the German Parliamentary Committee investigating the NSA spying scandal later published by Wikileaks was conducted by Russian hackers.
In late 2016 Bruno Kahl, president of the Bundesnachrichtendienst warned of data breaches and misinformation-campaigns steered by Russia. According to him there are insights that cyberattacks occur with no other purpose than political uncertainty. Hans-Georg Maaßen, head of the country's Federal Office for the Protection of the Constitution, notes "growing evidence of attempts to influence the [next] federal election" in September 2017 and "increasingly aggressive cyber espionage" against political entities in Germany.
Russia (domestic): According to Soldatov, a hacker attack on his web site Agentura was apparently directed by the secret services in the middle of the Moscow theater hostage crisis.
Ukraine:
In March 2014, a Russian cyber weapon called Snake or "Ouroboros" is reported to have created havoc on Ukrainian government systems. The Snake tool kit began spreading into Ukrainian computer systems in 2010. It performed Computer Network Exploitation (CNE), as well as highly sophisticated Computer Network Attacks (CNA).
According to CrowdStrike from 2014 to 2016, the Russian APT Fancy Bear used Android malware to target the Ukrainian Army's Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums.
CrowdStrike claims the attack was successful, with more than 80% of Ukrainian D-30 Howitzers destroyed, the highest percentage loss of any artillery pieces in the army (a percentage that had never been previously reported and would mean the loss of nearly the entire arsenal of the biggest artillery piece of the Ukrainian Armed Forces).
According to the Ukrainian army this number is incorrect and that losses in artillery weapons "were way below those reported" and that that these losses "have nothing to do with the stated cause".
The U.S. government concluded after a study that a cyber attack caused a power outage in Ukraine which left more than 200,000 people temporarily without power. The Russian hacking group Sandworm or the Russian government were possibly behind the malware attack on the Ukrainian power grid as well as a mining company and a large railway operator in December 2015.
United States:
In April 2015, CNN reported that "Russian hackers" had "penetrated sensitive parts of the White House" computers in "recent months." It was said that the FBI, the Secret Service, and other U.S. intelligence agencies categorized the attacks "among the most sophisticated attacks ever launched against U.S. government systems."
In 2015, CNN reported that Russian hackers, likely working for the Russian government, are suspected in the State Department hack. Federal law enforcement, intelligence and congressional officials briefed on the investigation say the hack of the State email system is the "worst ever" cyberattack intrusion against a federal agency.
In February 2016, senior Kremlin advisor and top Russian cyber official Andrey Krutskikh told the Russian national security conference in Moscow that Russia was working on new strategies for the “information arena” that was equivalent to testing a nuclear bomb and would “allow us to talk to the Americans as equals.”
In 2016, the release of emails from Democratic presidential candidate Hillary Clinton through the DC Leaks website were said by private sector analyst's and US intelligence services to have been of Russian origin. Also, in December 2016, Republican and Democratic Senators on the United States Armed Services Committee called for "a special select committee to investigate Russian attempts to influence the presidential election."
On December 30, 2016 Burlington Electric Department, a Vermont Utility company, announced that a code associated with the Russian hacking operation dubbed Grizzly Steppe had been found in their computers. Officials from the Department of Homeland Security, FBI and the Office of the Director of National Intelligence warned executives of the financial, utility and transportation industries about the malware code.
Later on, the Washington Post put the following disclaimer at the top of its report: "An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far."
Russia as Victim of Cyberattack:
Trans-Siberian Pipeline explosion: When Russia was still the Soviet Union in 1982, a portion of its Trans-Siberia Pipeline within its territory exploded, allegedly due to computer malware implanted in the pirated Canadian software by the Central Intelligence Agency.
The malware caused the SCADA system running the pipeline to malfunction. The "Farewell Dossier" provided information on this attack, and wrote that compromised computer chips would become a part of Soviet military equipment, flawed turines would be placed in the gas pipeline, and defective plans would disrupt the output of chemical plants and a tractor factor.
This caused the "most monumental nonnuclear explosion and fire ever seen from space." However, the Soviet Union did not blame attack on the United States.
In Popular Culture:
The alleged FSB activities on the Internet have been described in the short story "Anastasya" by Russian writer Grigory Svirsky, who was interested in the moral aspects of their work. He wrote: "It seems that offending, betraying, or even "murdering" people in the virtual space is easy. This is like killing an enemy in a video game: one does not see a disfigured body or the eyes of the person who is dying right in front of you. However, the human soul lives by its own basic laws that force it to pay the price for the virtual crime in his real life".
See Also:
- denial of service attacks
- hacker attacks
- dissemination of disinformation and propaganda
- participation of state-sponsored teams in political blogs
- internet surveillance using SORM technology
- persecution of cyber-dissidents
- other active measures
According to investigative journalist Andrei Soldatov, some of these activities have been coordinated by the Russian signals intelligence, which is part of the FSB and was formerly a part of the 16th KGB department, but others have been directed by the Russian Ministry of Internal Affairs and the Military of Russia.
Online Presence:
US journalist Pete Earley described his interviews with former senior Russian intelligence officer Sergei Tretyakov, who defected in the United States in 2000:
Sergei would send an officer to a branch of New York Public Library where he could get access to the Internet without anyone knowing his identity.
The officer would post the propaganda on various websites and send it in emails to US publications and broadcasters. Some propaganda would be disguised as educational or scientific reports. ... The studies had been generated at the Center by Russian experts. The reports would be 100% accurate.
Tretyakov did not specify the targeted websites, but made clear that they selected the sites most convenient for distributing the specific disinformation. During his work in New York City at the end of the 1990s, one of the most frequent disinformation subjects was the war in Chechnya.
According to a publication in Russian computer weekly Computerra, "just because it became known that anonymous editors are editing articles in English Wikipedia in the interests of UK and US intelligence and security services, it is also likely that Russian security services are involved in editing Russian Wikipedia, but this is not even interesting to prove it — because everyone knows that security bodies have a special place in structure of our [Russian] state".
Cyberattacks:
Main articles:
- 2007 cyberattacks on Estonia
- Cyberattacks during the 2008 South Ossetia war
- Russian intervention in the 2016 United States presidential election
It has been claimed that Russian security services organized a number of denial of service attacks as a part of their cyber-warfare against other countries, most notably the 2007 cyberattacks on Estonia and the 2008 cyberattacks on Russia, South Ossetia, Georgia, and Azerbaijan.
One identified young Russian hacker said that he was paid by Russian state security services to lead hacking attacks on NATO computers. He was studying computer sciences at the Department of the Defense of Information. His tuition was paid for by the FSB.
Russian Cyberattacks on Other Countries:
Georgia:
Concerning the 2008 cyberattacks on Georgia, a report by the US Cyber Consequences Unit, an independent US-based research institute, stated that the attacks had "little or no direct involvement from the Russian government or military". According to the institute's conclusions, several attacks originated from the PCs of multiple users located in Russia, Ukraine and Latvia. These users were willingly participating in cyberwarfare as supporters of Russia during the 2008 South Ossetia war, while some other attacks also used botnets.
Germany:
In 2015 a high-ranking security official stated that it was "highly plausible" that a cybertheft of files from the German Parliamentary Committee investigating the NSA spying scandal later published by Wikileaks was conducted by Russian hackers.
In late 2016 Bruno Kahl, president of the Bundesnachrichtendienst, warned of data breaches and misinformation campaigns steered by Russia. According to him, there are indications that cyberattacks occur with no purpose other than creating political uncertainty. Hans-Georg Maaßen, head of the country's Federal Office for the Protection of the Constitution, noted "growing evidence of attempts to influence the [next] federal election" in September 2017 and "increasingly aggressive cyber espionage" against political entities in Germany.
Russia (domestic): According to Soldatov, a hacker attack on his web site Agentura was apparently directed by the secret services in the middle of the Moscow theater hostage crisis.
Ukraine:
In March 2014, a Russian cyber weapon called Snake or "Ouroboros" was reported to have created havoc on Ukrainian government systems. The Snake toolkit began spreading into Ukrainian computer systems in 2010. It performed Computer Network Exploitation (CNE) as well as highly sophisticated Computer Network Attacks (CNA).
According to CrowdStrike, from 2014 to 2016 the Russian APT Fancy Bear used Android malware to target the Ukrainian Army's Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums.
CrowdStrike claims the attack was successful, with more than 80% of Ukrainian D-30 Howitzers destroyed, the highest percentage loss of any artillery pieces in the army (a percentage that had never been previously reported and would mean the loss of nearly the entire arsenal of the biggest artillery piece of the Ukrainian Armed Forces).
According to the Ukrainian army, this number is incorrect: losses in artillery weapons "were way below those reported", and these losses "have nothing to do with the stated cause".
The U.S. government concluded after a study that a cyber attack caused a power outage in Ukraine which left more than 200,000 people temporarily without power. The Russian hacking group Sandworm or the Russian government were possibly behind the malware attack on the Ukrainian power grid as well as a mining company and a large railway operator in December 2015.
United States:
In April 2015, CNN reported that "Russian hackers" had "penetrated sensitive parts of the White House" computers in "recent months." It was said that the FBI, the Secret Service, and other U.S. intelligence agencies categorized the attacks "among the most sophisticated attacks ever launched against U.S. government systems."
In 2015, CNN reported that Russian hackers, likely working for the Russian government, were suspected in the State Department hack. Federal law enforcement, intelligence and congressional officials briefed on the investigation said the hack of the State email system was the "worst ever" cyber intrusion against a federal agency.
In February 2016, senior Kremlin advisor and top Russian cyber official Andrey Krutskikh told the Russian national security conference in Moscow that Russia was working on new strategies for the “information arena” that was equivalent to testing a nuclear bomb and would “allow us to talk to the Americans as equals.”
In 2016, the release of emails from Democratic presidential candidate Hillary Clinton through the DC Leaks website was said by private-sector analysts and US intelligence services to have been of Russian origin. Also, in December 2016, Republican and Democratic Senators on the United States Armed Services Committee called for "a special select committee to investigate Russian attempts to influence the presidential election."
On December 30, 2016, Burlington Electric Department, a Vermont utility company, announced that code associated with the Russian hacking operation dubbed Grizzly Steppe had been found in their computers. Officials from the Department of Homeland Security, the FBI and the Office of the Director of National Intelligence warned executives of the financial, utility and transportation industries about the malware code.
Later on, the Washington Post put the following disclaimer at the top of its report: "An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far."
Russia as Victim of Cyberattack:
Trans-Siberian Pipeline explosion: When Russia was still the Soviet Union in 1982, a portion of its Trans-Siberian Pipeline within its territory exploded, allegedly due to computer malware implanted in pirated Canadian software by the Central Intelligence Agency.
The malware caused the SCADA system running the pipeline to malfunction. The "Farewell Dossier" provided information on this attack, and wrote that compromised computer chips would become a part of Soviet military equipment, flawed turbines would be placed in the gas pipeline, and defective plans would disrupt the output of chemical plants and a tractor factory.
This caused the "most monumental nonnuclear explosion and fire ever seen from space." However, the Soviet Union did not blame the attack on the United States.
In Popular Culture:
The alleged FSB activities on the Internet have been described in the short story "Anastasya" by Russian writer Grigory Svirsky, who was interested in the moral aspects of their work. He wrote: "It seems that offending, betraying, or even 'murdering' people in the virtual space is easy. This is like killing an enemy in a video game: one does not see a disfigured body or the eyes of the person who is dying right in front of you. However, the human soul lives by its own basic laws that force it to pay the price for the virtual crime in his real life".
See Also:
- Web brigades and Trolls from Olgino - Russian state-sponsored Internet sockpuppetry
- Operation Earnest Voice - Western state-sponsored Internet sockpuppetry
- Main Intelligence Directorate
- Information warfare
- Fake news website
- White propaganda
- Cybercrime
- Astroturfing
- Russian involvement in the 2016 United States presidential election
- The Dukes, a well-resourced, highly dedicated and organized cyberespionage group that F-Secure believe has been working for the Russian Federation since at least 2008.
- Yevgeny Prigozhin
Cyber-security regulation
Pictured: Understanding and Implementing the NIST Cybersecurity Framework
- YouTube Video: The Five Laws of Cybersecurity | Nick Espinosa | TEDxFondduLac
- YouTube Video: Making Sense of Cybersecurity and Risk in 2019
- YouTube Video: Jim Harper Discusses Cybersecurity and Federal Regulations
Cyber-security regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks.
Cyber-attacks include the following:
- viruses
- worms
- Trojan horses
- phishing
- denial of service (DoS) attacks
- unauthorized access (stealing intellectual property or confidential information)
- control system attacks
There are numerous measures available to prevent cyber-attacks. Cyber-security measures include:
- firewalls
- anti-virus software
- intrusion detection and prevention systems
- encryption
- login passwords
There have been attempts to improve cybersecurity through regulation and collaborative efforts between government and the private-sector to encourage voluntary improvements to cybersecurity.
Industry regulators including banking regulators have taken notice of the risk from cybersecurity and have either begun or are planning to begin to include cybersecurity as an aspect of regulatory examinations.
Reasons for Cybersecurity:
The United States government believes that the security of computer systems is important to the world for two reasons. The increased role of Information Technology (IT) and the growth of the e-commerce sector have made cybersecurity an essential component of the economy. Also, cybersecurity is vital to the operation of safety-critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid.
Based on DHS Secretary Janet Napolitano's testimony to the Senate in 2012, in 2011 alone, the DHS U.S. Computer Emergency Readiness Team (US-CERT) received more than 100,000 incident reports, and released more than 5,000 actionable cybersecurity alerts and information products.
In January 2013, Twitter, the Wall Street Journal, New York Times, and the Department of Energy each reported that their systems had been breached.
A successful attack on critical infrastructures could be devastating to the public. Richard Clarke, the former special advisor on cybersecurity to George W. Bush, stated that within the first 48 hours of a cyber attack, the United States could experience, among other things: classified and unclassified network failures, large oil refinery fires and gas pipeline explosions, financial system collapse with no idea of who owns what, trains and subways derailing, and a nationwide blackout leaving cities in the dark.
Defense Secretary Leon Panetta stated in October 2012 that, “a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11…Such a destructive cyber terrorist attack could paralyze the nation”.
United States Federal Government Regulation:
There are few federal cybersecurity regulations, and the ones that exist focus on specific industries. The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA).
These three regulations mandate that healthcare organizations, financial institutions and federal agencies should protect their systems and information. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”.
But these regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, these regulations do not specify what cybersecurity measures must be implemented and require only a “reasonable” level of security.
The vague language of these regulations leaves much room for interpretation. Bruce Schneier, founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts.
It has been suggested that the Data Quality Act already provides the Office of Management and Budget the statutory authority needed to implement critical infrastructure protection regulations through the Administrative Procedure Act rule-making process. This idea has not been fully vetted and would require additional legal analysis before a rulemaking could begin.
Click on any of the following blue hyperlinks for more about Cyber-security Regulation:
- State government regulation
- Proposed regulation
- Other United States government efforts
- Pro-regulation opinions
- Anti-regulation opinions
- See also:
- National Cyber Security Division
- United States Department of Homeland Security
- US-CERT
- CERT Coordination Center
- National Security Directive
- Cybersecurity Information Sharing Act
- National Strategy to Secure Cyberspace
- Cyber security standards
- Proactive cyber defense
- List of data breaches
- Medical device hijack
- Default password
Cyber Attacks, Including a List
YouTube Video: How Cyber Attacks Threaten To Destroy Our Infrastructure
YouTube Video: How Cyber Attacks Threaten Our Security
YouTube Video: How to protect yourself from ransomware cyber-attacks
by FoxBusiness May 15, 2017
Pictured: The Big Cyber Threats Breakdown: Types of Cyber Attacks by Cybertraining365 Blog
Click here for a List of Cyberattacks.
A cyberattack is any type of offensive manoeuvre employed by nation-states, individuals, groups, or organizations against computer information systems, infrastructures, computer networks, and/or personal computer devices. It uses malicious acts, usually originating from an anonymous source, that steal, alter, or destroy a specified target by hacking into a susceptible system.
These can be labelled as a cyber campaign, cyberwarfare or cyberterrorism depending on the context. Cyberattacks can range from installing spyware on a PC to attempts to destroy the infrastructure of entire nations.
Cyberattacks have become increasingly sophisticated and dangerous, as the Stuxnet worm recently demonstrated. User behavior analytics (UBA) and security information and event management (SIEM) systems are used to prevent these attacks.
Legal experts are seeking to limit use of the term to incidents causing physical damage, distinguishing it from the more routine data breaches and broader hacking activities.
Click below for a List of Cyber Attacks:
- Indiscriminate attacks
- Destructive attacks
- Cyberwarfare
- Government espionage
- Corporate espionage
- Stolen e-mail addresses and login credentials
- Stolen credit card and financial data
- Stolen medical-related data
- Hacktivism
- See also:
Cybersecurity Information Technology List
- YouTube Video: How To Use Microsoft Malicious Software Removal Tool
- YouTube Video: Remove Any Virus or Malware | Windows 7, 8, 8.1, 10. And speed up your computer or laptop. FOR FREE!
- YouTube Video: TotalAV - The Ultimate Antivirus 2020
This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches.
All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals.
The general public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.
Cybersecurity is a major endeavor of the IT industry. There are a number of professional certifications given for cybersecurity training and expertise. Although billions of dollars are spent annually on cybersecurity, no computer or network is immune from attacks or can be considered completely secure. The single most expensive loss due to a cybersecurity exploit was the ILOVEYOU or Love Bug email worm of 2000, which cost an estimated 8.7 billion American dollars.
Introductory articles about cybersecurity subjects:
- Security
- Computer security
- Internet security
- Network security
- Information security
- Data security
- List of computer security certifications
Cryptography:
The art of secret writing or code. A "plaintext" message is converted by the sender to "ciphertext" by means of a mathematical algorithm that uses a secret key. The receiver of the message then reverses the process and converts the ciphertext back to the original plaintext.
- History of cryptography
- Enigma machine
- Alan Turing
- Cipher
- Substitution cipher
- One-time pad
- Beale ciphers
- The Codebreakers
- Cryptanalysis
- Cryptographic primitive
- Cryptographic Service Provider
- Data Encryption Standard
- Advanced Encryption Standard
- International Data Encryption Algorithm
- HMAC
- HMAC-based One-time Password algorithm
- Cryptographic hash function
- Collision (computer science)
- List of hash functions
- Comparison of cryptographic hash functions
- Hash-based cryptography
- SHA-1
- SHA-2
- SHA-3
- SHA-3 competition
- Cryptographic nonce
- Salt (cryptography)
- Cryptographic strength
- Block cipher
- Block cipher mode of operation
- Stream cipher
- Key (cryptography)
- Key size
- Cryptographic key types
- Symmetric-key algorithm
- Public-key cryptography
- Public-Key Cryptography (conference)
- Digital signature
- Non-repudiation
- Public key certificate
- Certificate authority
- X.509
- Public key fingerprint
- RSA (cryptosystem)
- Secret sharing
- Internet key exchange
- Pretty Good Privacy
- Strong cryptography
Steganography:
The art of hidden writing. The secret message is hidden within another object, such as a digital photograph.
Authentication and access:
The process by which a potential client is granted authorized use of an IT facility by proving its identity.
- Authentication
- Login
- Password
- Passphrase
- Password strength
- One-time password
- Multi-factor authentication
- Identity management
- Identity management theory
- Identity management system
- Encrypting PIN Pad
- Shared secret
- Authorization
- Access control
- Principle of least privilege
- Cryptographic protocol
- Authentication protocol
- Public key infrastructure
- RADIUS
- Kerberos (protocol)
- OpenID
- OAuth
- Active Directory Federation Services
- Security Assertion Markup Language
- SAML-based products and services
Public Key Infrastructure (PKI):
A framework for managing digital certificates and encryption keys.
- Public key infrastructure
- X.509
- Root certificate
- Public key certificate
- Certificate authority
- CAcert.org
- Electronic signature
- Certificate policy
- Certificate Practice Statement
- Certificate revocation list
- Online Certificate Status Protocol
Tools:
Computerized utilities designed to study and analyze the security of IT facilities and/or break into them on an unauthorized and potentially criminal basis.
- List of security assessment tools
- Kali
- Security Administrator Tool for Analyzing Networks
- Nessus (software)
- Vulnerability scanner
- Nessus Attack Scripting Language
- OpenVAS
- Yasca
- Metasploit project
- John the Ripper
- Smeg Virus Construction Kit
- Virus Creation Laboratory
- Exploit kit
Threats:
Modes of potential attacks on IT facilities.
- Cyberattack
- STRIDE (security)
- Vulnerability (computing)
- Common Vulnerabilities and Exposures
- Privilege escalation
- Social engineering (security)
- Malware
- Spyware
- Backdoor (computing)
- Computer virus
- Computer worm
- Macro virus
- Keystroke logging
- Trojan horse
- Hardware Trojan
- Eavesdropping
- Zombie
- Botnets
- Advanced persistent threat
- Man-in-the-middle attack
- Man-on-the-side attack
- Meet-in-the-middle attack
- Length extension attack
- Replay attack
- Pre-play attack
- Dictionary attack
- Biclique attack
- Denial-of-service attack
- Resource exhaustion attack
- Brute-force attack
- Watermarking attack
- Mangled packet
- Reverse connection
- Polymorphic code
- Password cracking
- Spoofing attack
- POODLE
Exploits as Violations of IT facilities:
- Exploit (computer security)
- Timeline of computer viruses and worms
- Comparison of computer viruses
- Malware analysis
- XML denial-of-service attack
- Distributed denial-of-service attacks on root nameservers
- Linux malware
- Zero-day (computing)
- Virus hoax
- Pegasus
- Rogue security software
- List of rogue security software
- MS Antivirus (malware)
- AntiVirus Gold
- Spysheriff
- SpywareBot
- TheSpyBot
- ByteDefender
- Security Essentials 2010
- Email spam
- Phishing
- Tiny Banker Trojan
- Melissa (computer virus)
- Brain (computer virus)
- CIH (computer virus)
- ILOVEYOU
- Anna Kournikova (computer virus)
- Michelangelo (computer virus)
- Simile (computer virus)
- Stoned (computer virus)
- Acme (computer virus)
- AIDS (computer virus)
- AI (computer virus)
- Cascade (computer virus)
- Flame (computer virus)
- Abraxas (computer virus)
- 1260 (computer virus)
- SCA (computer virus)
- ReDoS
- SYN flood
- Billion laughs attack
- UDP flood attack
- Wi-Fi deauthentication attack
- Smurf attack
- Mydoom
- IP address spoofing
- Fork bomb
- WinNuke
Criminal activity:
Violation of the law by means of breaking into and/or misusing IT facilities. Laws that attempt to prevent these crimes include:
- Computer misuse act
- Cyber-security regulation
- China Internet Security Law
- Computer Crime and Intellectual Property Section
- Cyber criminals
- Cybercrime
- Security hacker
- White hat (computer security)
- Black hat (computer security)
- Industrial espionage #Use of computers and the Internet
- Phreaking
- RDP shop
- Market for zero-day exploits
- 2600 magazine
- Phrack, Google search on "hacker magazine"
- Identity theft
- Identity fraud
- Cyberstalking
- Cyberbullying
Nation states:
Countries and their governments that use, misuse, and/or violate IT facilities to achieve national goals.
- Cyber-arms industry
- Computer and network surveillance
- List of government surveillance projects
- Clipper chip
- Targeted surveillance
- United States Cyber Command
- Cybersecurity and Infrastructure Security Agency
- National Cybersecurity and Communications Integration Center
- Bletchley Park
- NSO Group
- Hacking Team
- Unit 8200
- NSA
- Room 641A
- Narus (company)
- Equation group
- Tailored Access Operations
- XKeyscore
- PRISM (surveillance program)
- Stuxnet
- Carnivore (software)
End-point protection:
The securing of networked computers, mobile devices and terminals.
- Antivirus software
- Comparison of antivirus software
- Lookout (IT security)
- Windows Defender
- Kaspersky Lab
- Malwarebytes
- Avast Antivirus
- Norton AntiVirus
- AVG AntiVirus
- McAfee
- McAfee VirusScan
- Symantec Endpoint Protection
- Microsoft Safety Scanner
- Windows Malicious Software Removal Tool
- VirusTotal
- Application firewall
- Personal firewall
Network protection:
The protection of the means by which data is moved from one IT facility to another.
- Virtual private network
- IPsec
- Internet Key Exchange
- Internet Security Association and Key Management Protocol
- Kerberized Internet Negotiation of Keys
- Firewall (computing)
- Stateful firewall
- HTTPS
- HTTP Public Key Pinning
- Transport Layer Security
- TLS acceleration
- Network Security Services
- Off the record messaging
- Secure Shell
- Circuit-level gateway
- Intrusion detection system
- Intrusion Detection Message Exchange Format
- Security information management
- Security information and event management
- Security event manager
- Router (computing) #Security
- Security log
- Intranet #Enterprise private network
- Proxy server
Processing protection:
The securing of IT facilities that manipulate data, such as computer servers, often by means of specialized cybersecurity hardware.
- Hardware security module
- Secure cryptoprocessor
- Trusted Platform Module
- Unified Extensible Firmware Interface #Secure boot
- Executable space protection
Storage protection:
The protection of data in its non-moving state, usually on magnetic or optical media or in computer memory.
- Disk encryption
- Disk encryption theory
- Disk encryption software
- Comparison of disk encryption software
- BitLocker
- Encrypting File System
- Filesystem-level encryption
- Disk encryption hardware
- Hardware-based full disk encryption
- Personal data
- General Data Protection Regulation
- Privacy policy
- Information security audit
- Information technology audit
- Information technology security audit
Management of security:
The processes by which security technology is monitored for faults, deployed and configured, measured for its usage, queried for performance metrics and log files, and/or monitored for intrusions.
Standards, frameworks, & requirements:
Officially agreed architectures and conceptual structures for designing, building, and conducting cybersecurity.
- NIST Cybersecurity Framework
- National Initiative for Cybersecurity Education
- Center for Internet Security
- The CIS Critical Security Controls for Effective Cyber Defense
- Cyber Risk Quantification
- Risk management framework
- IT risk
- Risk IT
- ISO/IEC 27000-series
- Cyber-security regulation
- Health Insurance Portability and Accountability Act #Security Rule
- Federal Information Security Management Act of 2002
Ransomware
- YouTube Video: Wana Decrypt0r (Wanacry Ransomware) - Computerphile
- YouTube Video: Ransomware 'WannaCry' attack explained (PBS)
- YouTube Video: Ransomware Attacks in 2021 And How To Prevent Them!
Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as Ukash and cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.
Starting from around 2012, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018. This marks a 229% increase over the same time frame in 2017.
In June 2013, vendor McAfee released data showing that it had collected more than double the number of samples of ransomware that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US $3 million before it was taken down by authorities, and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over US $18m by June 2015.
Operation:
The concept of file encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and it was inspired by the fictional facehugger in the movie Alien. Cryptoviral extortion is the following three-round protocol carried out between the attacker and the victim.
- [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
- [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
- [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker's private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.
The symmetric key is randomly generated and will not assist other victims. At no point is the attacker's private key exposed to victims and the victim need only send a very small ciphertext (the encrypted symmetric-cipher key) to the attacker.
Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a malicious attachment, embedded link in a Phishing email, or a vulnerability in a network service.
The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program). Payloads may display a fake warning purportedly from an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities or contains content such as pornography and "pirated" media.
Some payloads consist simply of an application designed to lock or restrict the system until payment is made, typically by setting the Windows Shell to itself, or even modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired. The most sophisticated payloads encrypt files, with many using strong encryption to encrypt the victim's files in such a way that only the malware author has the needed decryption key.
Payment is virtually always the goal, and the victim is coerced into paying for the ransomware to be removed—which may or may not actually occur—either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload's changes.
A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. A range of such payment methods have been used, including:
- wire transfers,
- premium-rate text messages,
- pre-paid voucher services such as paysafecard,
- and the digital currency bitcoin. A 2016 survey commissioned by Citrix claimed that larger businesses are holding bitcoin as contingency plans.
Security Hacking in all its Forms
YouTube Video: how to thwart a cyber attack on your computer
Pictured: Most Important Network Security & Penetration Testing Tools for Hackers and Security Professionals
A security hacker is someone who seeks to breach defenses and exploit weaknesses in a computer system or network.
Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or to evaluate system weaknesses to assist in formulating defenses against potential hackers. The subculture that has evolved around hackers is often referred to as the computer underground.
There is a longstanding controversy about the term's true meaning. In this controversy, the term hacker is reclaimed by computer programmers who argue that it refers simply to someone with an advanced understanding of computers and computer networks, and that cracker is the more appropriate term for those who break into computers, whether computer criminal (black hats) or computer security expert (white hats). A 2014 article concluded that "... the black-hat meaning still prevails among the general public".
History:
Further information: Timeline of computer security hacker history
In computer security, a hacker is someone who focuses on security mechanisms of computer and network systems. While including those who endeavor to strengthen such mechanisms, it is more often used by the mass media and popular culture to refer to those who seek access despite these security measures. That is, the media portrays the 'hacker' as a villain.
Nevertheless, parts of the subculture see their aim in correcting security problems and use the word in a positive sense.
White hat is the name given to ethical computer hackers, who utilize hacking in a helpful way. White hats are becoming a necessary part of the information security field. They operate under a code, which acknowledges that breaking into other people's computers is bad, but that discovering and exploiting security mechanisms and breaking into computers is still an interesting activity that can be done ethically and legally. Accordingly, the term bears strong connotations that are favorable or pejorative, depending on the context.
The subculture around such hackers is termed network hacker subculture, hacker scene, or computer underground. It initially developed in the context of phreaking during the 1960s and the microcomputer BBS scene of the 1980s. It is associated with 2600: The Hacker Quarterly and the alt.2600 newsgroup.
In 1980, an article in the August issue of Psychology Today (with commentary by Philip Zimbardo) used the term "hacker" in its title: "The Hacker Papers". It was an excerpt from a Stanford Bulletin Board discussion on the addictive nature of computer use.
In the 1982 film Tron, Kevin Flynn (Jeff Bridges) describes his intentions to break into ENCOM's computer system, saying "I've been doing a little hacking here". CLU is the software he uses for this.
By 1983, hacking in the sense of breaking computer security had already been in use as computer jargon, but there was no public awareness about such activities. However, the release of the film War Games that year, featuring a computer intrusion into NORAD, raised the public belief that computer security hackers (especially teenagers) could be a threat to national security.
This concern became real when, in the same year, a gang of teenage hackers in Milwaukee, Wisconsin, known as The 414s, broke into computer systems throughout the United States and Canada, including those of Los Alamos National Laboratory, Sloan-Kettering Cancer Center and Security Pacific Bank.
The case quickly drew media attention, and 17-year-old Neal Patrick emerged as the spokesman for the gang, including a cover story in Newsweek entitled "Beware: Hackers at play", with Patrick's photograph on the cover. The Newsweek article appears to be the first use of the word hacker by the mainstream media in the pejorative sense.
Pressured by media coverage, congressman Dan Glickman called for an investigation and began work on new laws against computer hacking. Neal Patrick testified before the U.S. House of Representatives on September 26, 1983, about the dangers of computer hacking, and six bills concerning computer crime were introduced in the House that year.
As a result of these laws against computer criminality, white hat, grey hat and black hat hackers try to distinguish themselves from each other, depending on the legality of their activities. These moral conflicts are expressed in The Mentor's "The Hacker Manifesto", published 1986 in Phrack.
Use of the term hacker meaning computer criminal was also advanced by the title "Stalking the Wily Hacker", an article by Clifford Stoll in the May 1988 issue of the Communications of the ACM.
Later that year, the release by Robert Tappan Morris, Jr. of the so-called Morris worm provoked the popular media to spread this usage. The popularity of Stoll's book The Cuckoo's Egg, published one year later, further entrenched the term in the public's consciousness.
Click on any of the following blue hyperlinks for more about Security Hacking:
- Classifications
- Attacks
- Notable intruders and criminal hackers
- Notable security hackers
- Customs
- Consequences for malicious hacking in the United States
- Hacking and the media
- See also:
- Cracking of wireless networks
- Cyber spying
- Cyber Storm Exercise
- Cybercrime
- Hacker culture
- Hacker (expert)
- Hacker Manifesto
- IT risk
- Mathematical beauty
- Metasploit Project
- Penetration test
- Technology assessment
- Vulnerability (computing)
- CNN Tech PCWorld Staff (November 2001). Timeline: A 40-year history of hacking from 1960 to 2001
- Can Hackers Be Heroes? Video produced by Off Book (web series)
Phishing Attacks
- YouTube Video: "What is Phishing?"
- YouTube Video: How to Avoid Phishing (Official Dell Tech Support)
- YouTube Video: How to Spot Phishing Emails (in 2020)
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication.
Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site.
Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.
Attempts to deal with phishing incidents include legislation, user training, public awareness, and technical security measures — because phishing attacks also often exploit weaknesses in current web security.
The word itself is a neologism created as a homophone of fishing, due to the similarity of using a bait in an attempt to catch a victim.
Click on any of the following blue hyperlinks for more about Phishing Attacks:
- Technique
- History
- Anti-phishing
- See also:
- Anti-phishing software
- Brandjacking
- In-session phishing
- Internet fraud
- Penetration test
- SiteKey
- SMS phishing
- Typosquatting
- List of cognitive biases, many abusable by phishing
- Anti-Phishing Working Group
- Center for Identity Management and Information Protection – Utica College
- Plugging the "phishing" hole: legislation versus technology – Duke Law & Technology Review
- Know Your Enemy: Phishing – Honeynet project case study
- A Profitless Endeavor: Phishing as Tragedy of the Commons – Microsoft Corporation
- Database for information on phishing sites reported by the public – PhishTank
- The Impact of Incentives on Notice and Take-down − Computer Laboratory, University of Cambridge (PDF, 344 kB)
2020 United States Federal Government Data Breach
- YouTube Video: U.S. cybersecurity agency warns of "grave risk" after hack
- YouTube Video: Suspected Russian hack a ‘moment of reckoning’: Microsoft president
- YouTube Video: Inside Russia’s Hacker Underworld
In 2020, a major cyberattack by a group backed by a foreign government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.
The hacking group Cozy Bear (APT29), backed by the Russian intelligence agency SVR, was identified as the likely culprit. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access.
Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce. In the following days, more departments and private organizations reported breaches.
The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware.
A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, depending upon whether the victims had bought those services through a reseller. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided another avenue, if the victim used that software.
Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution.
U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for days after the attack, before suggesting that China, not Russia, might have been responsible for it, and that "everything is well under control".
Background:
The global data breach occurred over the course of at least 8 or 9 months during the final year of the presidency of Donald Trump. Throughout this time, the White House lacked a cybersecurity coordinator, Trump having eliminated the post itself in 2018.
When the breach was discovered, the U.S. also lacked a Senate-confirmed Director of CISA, the nation's top cybersecurity official, responsible for coordinating incident response. The incumbent, Chris Krebs, had been fired by Trump on November 18, 2020. Also at that time, the DHS, which manages CISA, lacked a Senate-confirmed Secretary, Deputy Secretary, General Counsel, Undersecretary for Intelligence and Analysis, and Undersecretary for Management; and Trump had recently forced out the Deputy Director of CISA.
Numerous federal cybersecurity recommendations made by the Government Accountability Office and others had not been implemented.
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack.
SolarWinds did not employ a chief information security officer or senior director of cybersecurity. Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software.
In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers. And SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired. That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.
Methodology:
Multiple attack vectors were used in the course of breaching the various victims of the incident.
Microsoft exploits:
If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data.
— Sami Ruohonen, F-Secure
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.
At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers.
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months. This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. The presence of single sign-on infrastructure increased the viability of the attack.
SolarWinds exploit:
This is classic espionage. It's done in a highly sophisticated way ... But this is a stealthy operation.
— Thomas Rid, The Washington Post
Here, too, the attackers used a supply chain attack. The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point.
The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019. In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion. The first known modification, in October 2019, was merely a proof of concept.
Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.
In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them. Orion's users included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below).
If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers. The communications were designed to mimic legitimate SolarWinds traffic.
If able to contact one of those servers, this would alert the attackers of a successful malware deployment and offer the attackers a back door that the attackers could choose to utilize if they wished to exploit the system further. The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.
The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets. Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt Strike components, and seeking additional access.
Because Orion was connected to customers' Office 365 accounts as a trusted 3rd-party application, the attackers were able to access emails and other confidential documents. This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory.
Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network. Having accessed data of interest, they encrypted and exfiltrated it.
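The persistence described above rests on forged SAML tokens: once the attackers held a token-signing certificate, they could mint assertions for any user, and the service provider would accept them even though the identity provider never issued them. The following is an added illustration of the defender-side correlation that exposes such tokens; it is not code from the article, from Microsoft or from any affected organization. The log record formats, key identifiers, user names and timestamps are all constructed for the example.

```python
"""Flag SAML assertions that the identity provider (IdP) never issued.

Added example (not from the article): a token forged with a stolen signing
certificate is accepted by the service provider (SP) but has no matching
sign-in event at the IdP. Three checks are applied to constructed SP and IdP
records: (1) no IdP sign-in for the user near the assertion's issuance,
(2) a signing key id the IdP is not known to use, (3) a validity window far
longer than IdP policy permits. All names, key ids and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed IdP policy (assumption): the only key id the IdP signs with, and the
# longest assertion lifetime it ever issues.
TRUSTED_KEY_IDS = {"idp-signing-2020"}
MAX_LIFETIME = timedelta(hours=1)
CORRELATION_WINDOW = timedelta(minutes=5)   # IdP sign-in must precede NotBefore by at most this


@dataclass(frozen=True)
class IdpLogin:
    user: str
    when: datetime          # time the IdP authenticated the user and issued a token


@dataclass(frozen=True)
class SpTokenUse:
    user: str
    presented_at: datetime  # when the SP accepted the assertion
    not_before: datetime    # assertion NotBefore
    not_on_or_after: datetime  # assertion NotOnOrAfter
    key_id: str             # id of the certificate that signed the assertion
    assertion_id: str


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed IdP sign-in log: only alice and bob ever authenticated.
IDP_LOGINS = [
    IdpLogin("alice", _ts("2020-12-01T09:00:00")),
    IdpLogin("bob", _ts("2020-12-01T09:10:00")),
]

# Constructed SP log of accepted assertions.
SP_TOKEN_USES = [
    # a1: legitimate, matching sign-in, trusted key, one-hour lifetime
    SpTokenUse("alice", _ts("2020-12-01T09:00:30"), _ts("2020-12-01T09:00:00"),
               _ts("2020-12-01T10:00:00"), "idp-signing-2020", "a1"),
    # a2: forged with the stolen key for a user who never signed in at the IdP
    SpTokenUse("carol", _ts("2020-12-01T11:00:00"), _ts("2020-12-01T10:59:00"),
               _ts("2020-12-01T11:59:00"), "idp-signing-2020", "a2"),
    # a3: bob did sign in, but the token claims a 30-day validity window
    SpTokenUse("bob", _ts("2020-12-01T09:10:20"), _ts("2020-12-01T09:10:00"),
               _ts("2020-12-31T09:10:00"), "idp-signing-2020", "a3"),
    # a4: alice's sign-in exists, but the assertion is signed by an unknown key
    SpTokenUse("alice", _ts("2020-12-01T09:00:40"), _ts("2020-12-01T09:00:00"),
               _ts("2020-12-01T10:00:00"), "unknown-key-7", "a4"),
]


def find_anomalies(idp_logins, sp_uses):
    """Return {assertion_id: [reasons]} for every assertion that fails a check."""
    logins_by_user = {}
    for login in idp_logins:
        logins_by_user.setdefault(login.user, []).append(login.when)

    findings = {}
    for use in sp_uses:
        reasons = []
        if use.key_id not in TRUSTED_KEY_IDS:
            reasons.append("signed by untrusted key id %s" % use.key_id)
        lifetime = use.not_on_or_after - use.not_before
        if lifetime > MAX_LIFETIME:
            reasons.append("lifetime %s exceeds IdP policy" % lifetime)
        # A genuine token is preceded by an IdP sign-in shortly before NotBefore
        # and no later than the moment the SP saw the token.
        candidates = logins_by_user.get(use.user, [])
        if not any(use.not_before - CORRELATION_WINDOW <= t <= use.presented_at
                   for t in candidates):
            reasons.append("no IdP sign-in for %s near assertion issuance" % use.user)
        if reasons:
            findings[use.assertion_id] = reasons
    return findings


if __name__ == "__main__":
    for aid, why in sorted(find_anomalies(IDP_LOGINS, SP_TOKEN_USES).items()):
        print(aid, "->", "; ".join(why))
```

The first check is the decisive one: a forged assertion signed with the genuine stolen key passes signature validation and can be given a short lifetime, so only the absence of a corresponding IdP authentication event distinguishes it. The other two checks catch sloppier forgeries and are cheap to keep.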
The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others. By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).
FBI investigators recently found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.
VMware exploits:
Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers.
As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.
Discovery:
Microsoft exploits:
During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a think tank whose identity has not publicly been revealed.
The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass multi-factor authentication. Later, in June and July 2020, Volexity observed the attacker utilising the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals.
Volexity said it was not able to identify the attacker.
Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike. That attack failed because - for security reasons - CrowdStrike does not use Office 365 for email.
Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting zerologon, a vulnerability in Microsoft's NetLogon protocol. This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised.
Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.
SolarWinds exploit:
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker.
FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.
After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself.
Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related. On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.
The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020. FireEye named the malware SUNBURST. Microsoft called it Solorigate. The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT.
Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.
VMware exploits:
Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager. VMware released patches on December 3, 2020. On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.
Responsibility:
Conclusions by investigators:
SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation. Russian-sponsored hackers were suspected to be responsible. U.S. officials stated that the specific groups responsible were probably the SVR or Cozy Bear (also known as APT29).
FireEye gave the suspects the placeholder name "UNC2452"; incident response firm Volexity called them "Dark Halo". On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR. One security researcher puts the likely start of operations at February 27, 2020, with a significant change of aspect on October 30, 2020.
In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla, a group known from 2008 that Estonian intelligence previously linked to the Russian federal security service, FSB.
FBI investigators found that suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers such as the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, potentially compromising the data on thousands of government employees.
The hack is separate, as the suspected Chinese hackers exploited a separate bug in Orion's code to help spread across networks that they had already compromised. Former U.S. chief information security officer Gregory Touhill compared the fact that Russia and China were targeting the same software product to drafting in motorsport.
Statements by U.S. government officials:
On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.
On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the cyber attack.
On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, suggesting without evidence that China, rather than Russia, might be responsible. The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."
On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."
On December 21, 2020, Attorney General William Barr said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump.
On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence, all confirmed that they believe Russia was the most likely culprit.
Denial of involvement:
Russia denied involvement.
The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.
Impact:
See also: List of confirmed connected data breaches
This is a much bigger story than one single agency. This is a huge cyberespionage campaign targeting the U.S. government and its interests. — U.S. government source
Discovery of the breaches at the Treasury and the Department of Commerce immediately raised concerns that the attackers would attempt to breach other departments, or had already done so. Further investigation proved these concerns to be well-founded. Within days, additional federal departments were found to have been breached.
SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions.
Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies.
Other prominent U.S. organizations known to use SolarWinds products, though not necessarily Orion, were the Los Alamos National Laboratory, Boeing, and most Fortune 500 companies.
Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca.
FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected.
Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted.
These investigations were complicated by: the fact that the attackers had in some cases removed evidence; the need to maintain separate secure networks as organizations' main networks were assumed to be compromised; and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks. As of mid-December 2020, those investigations were ongoing.
As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used.
Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come. Possible future uses could include attacks on hard targets like the CIA and NSA, or using blackmail to recruit spies.
Cyberconflict professor Thomas Rid said the stolen data would have myriad uses. He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.
Even where data was not exfiltrated, the impact was significant. The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset. Anti-malware companies additionally advised searching log files for specific indicators of compromise.
However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review. Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime.
Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.
Through a manipulation of software keys, Russian hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.
Anonymous FBI sources revealed that internal investigations had discovered suspected Chinese attackers using computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies. They had hacked into the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, potentially compromising the data of thousands of government employees, possibly to better collect intelligence.
The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department. Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees."
Investigations and responses:
Technology companies and business:
On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye.
On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.
GoDaddy handed ownership to Microsoft of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the SUNBURST malware, and to discover which SolarWinds customers were infected.
On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks. On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.
SolarWinds unpublished its featured customer list after the hack, although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.
Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price. Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.
The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.
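The Methodology section describes a payload inserted on the vendor's build system, and the paragraph above notes that reproducible builds would have made such tampering visible. The mechanism is that several independent parties compile the same source, publish a signed digest of what they produced, and a consumer refuses any artifact whose digest is not vouched for by a quorum of them. The following added example shows that consumer-side check; it is not code from the article, from SolarWinds or from the Linux Foundation. Builder names and keys are constructed, and HMAC-SHA256 stands in for a real public-key signature so the example runs without extra dependencies.

```python
"""Accept a build artifact only when a quorum of independent rebuilders vouch for it.

Added example (not from the article or any vendor). Each rebuilder compiles the
source, hashes its output and signs the digest; the consumer accepts the vendor's
published artifact only if at least QUORUM distinct, verified attestations carry
that exact digest. Keys, builder names and artifact bytes are constructed; HMAC
stands in for a real signature scheme (an assumption for self-containment).
"""
import hashlib
import hmac

# Constructed: verification keys of the independent rebuilders (public keys in practice).
BUILDER_KEYS = {
    "rebuilder-a": b"constructed-key-a",
    "rebuilder-b": b"constructed-key-b",
    "rebuilder-c": b"constructed-key-c",
}
QUORUM = 2  # how many distinct rebuilders must agree before an artifact is trusted


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attest(builder: str, artifact: bytes) -> dict:
    """A rebuilder publishes a signed digest of the binary it produced from source."""
    digest = sha256_hex(artifact)
    sig = hmac.new(BUILDER_KEYS[builder], digest.encode(), hashlib.sha256).hexdigest()
    return {"builder": builder, "digest": digest, "sig": sig}


def verify_attestation(att: dict) -> bool:
    """Reject attestations from unknown builders or with a bad signature."""
    key = BUILDER_KEYS.get(att.get("builder"))
    if key is None:
        return False
    expected = hmac.new(key, att["digest"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


def accept_artifact(artifact: bytes, attestations: list) -> tuple:
    """Return (accepted, agreeing_builders).

    Only verified attestations whose digest equals the artifact's own digest count,
    and each builder counts once no matter how many attestations it submits.
    """
    digest = sha256_hex(artifact)
    agreeing = sorted({
        a["builder"] for a in attestations
        if verify_attestation(a) and hmac.compare_digest(a["digest"], digest)
    })
    return len(agreeing) >= QUORUM, agreeing


# Constructed artifacts: the output of an honest deterministic build, and the same
# build with extra bytes inserted on the vendor's build server.
CLEAN_BUILD = b"constructed-binary: deterministic build output v1"
TAMPERED_BUILD = CLEAN_BUILD + b"\n# payload inserted on build server"


def scenarios() -> dict:
    """Three situations a consumer may face; returns each verdict for inspection."""
    honest = [attest(b, CLEAN_BUILD) for b in BUILDER_KEYS]
    # One rebuilder is also compromised and vouches for the tampered binary.
    one_colluding = [attest("rebuilder-a", CLEAN_BUILD),
                     attest("rebuilder-b", CLEAN_BUILD),
                     attest("rebuilder-c", TAMPERED_BUILD)]
    # The attacker fabricates an attestation for a builder nobody trusts.
    forged = [{"builder": "rogue-builder", "digest": sha256_hex(TAMPERED_BUILD),
               "sig": "00" * 32}]
    return {
        "clean_vs_honest": accept_artifact(CLEAN_BUILD, honest),
        "tampered_vs_honest": accept_artifact(TAMPERED_BUILD, honest),
        "tampered_one_colluding": accept_artifact(TAMPERED_BUILD, one_colluding),
        "tampered_forged_attestation": accept_artifact(TAMPERED_BUILD, forged),
    }


if __name__ == "__main__":
    for name, (ok, who) in scenarios().items():
        print("%-28s accepted=%s agreeing=%s" % (name, ok, who))
```

The check only has teeth if the build is actually reproducible: if honest rebuilders get byte-different outputs from the same source, their digests never agree and the quorum can never be reached, which is why determinism of the build is the prerequisite the Linux Foundation points to.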
U.S. government:
On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.
Security agencies:
On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations. On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks. Russia denied involvement in the attacks.
On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the FBI to investigate. The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group. The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.
The Federal Energy Regulatory Commission (FERC) helped to compensate for a staffing shortfall at CISA. The FBI, CISA, and the Office of the Director of National Intelligence (ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts.
On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.
On February 2, 2021, Reuters reported that anonymous FBI sources revealed that internal investigations had discovered suspected Chinese attackers using computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
Congress:
The Senate Armed Services Committee's cybersecurity subcommittee was briefed by Defense Department officials. The House Committee on Homeland Security and House Committee on Oversight and Reform announced an investigation.
Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain.
The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack.
Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.
On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials.
Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".
On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Veterans Administration.
The judiciary:
The Administrative Office of the United States Courts initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system. It stopped accepting highly sensitive court documents to the CM/ECF, requiring those instead to be accepted only in paper form or on airgapped devices.
President Trump:
President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction".
On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control"; and proposed, without evidence, that China, rather than Russia, might be responsible for the attack.
Trump then pivoted to insisting that he had won the 2020 presidential election. He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election.
Trump's claim was rebutted by former CISA director Chris Krebs, who pointed out that Trump's claim was not possible. Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest, calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."
Former Homeland Security Advisor Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act would be required to mitigate the damage caused by the attacks.
Russell Brandom, policy editor for The Verge, called the U.S. ill-prepared for the hack, and criticized Trump for having consistently "treated the federal cybersecurity effort as one more partisan battleground, with attacks and vulnerabilities embraced or rejected largely on the basis of their value as a political cudgel"; Brandom wrote that "this is no way to run the world’s most powerful intelligence apparatus."
Fred Kaplan, writing in Slate, criticized Trump for promoting fake claims of election fraud while "ignoring a real cybersecurity crisis," writing: "For all of Trump's wailing about fictitious hacks that stole the election, he has been otherwise notably uncurious about the nation's cybersecurity." Esquire commentator Charles P. Pierce criticized the Trump administration for being "asleep at the switch" and termed Trump a "crooked, incompetent agent of chaos."
President Biden:
Then president-elect Joe Biden said that, "A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place. I will not stand idly by in the face of cyberassaults on our nation."
Biden said he has instructed his transition team to study the breach, will make cybersecurity a priority at every level of government, and will identify and penalize the attackers. Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions.
On December 22, 2020, Biden said that, "I see no evidence that it's under control," and reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.
In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology.
Rest of the world:
NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks." On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK.
The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers.
On December 23, 2020, the UK Information Commissioner's Office – a national privacy authority – told UK organizations to check immediately whether they were impacted.
On December 24, 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check for system compromises.
Cyber espionage or cyberattack?:
The attack prompted a debate on whether the hack should be treated as cyber espionage, or as a cyberattack constituting an act of war. Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid).
Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force.
Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks." Law professor Michael Schmitt concurred, citing the Tallinn Manual.
By contrast, Microsoft president Brad Smith termed the hack a cyberattack, stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."
U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.
Debate on possible U.S. responses:
Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect".
They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).
Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."
Cybersecurity author Bruce Schneier advocated against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and ratification of the Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace.
In the New York Times, Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements. He also noted that the US is engaged in similar operations against other countries in what he described as an ambient cyber-conflict.
In Slate, Fred Kaplan argued that the structural problems that enable computer network intrusions like this had been public knowledge since 1967 and that successive U.S. governments had failed to implement the structural defenses repeatedly requested by subject experts. He pointed out that an escalatory response to espionage would be counterproductive for U.S. interests, whereas finally strengthening the defenses and drawing clear red lines in the gray areas of cyber-conflict policy would be more fruitful strategies.
The hacking group Cozy Bear (APT29), backed by the Russian intelligence agency SVR, was identified as the likely culprit. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access.
Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce. In the following days, more departments and private organizations reported breaches.
The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware.
A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, depending upon whether the victims had bought those services through a reseller. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided another avenue, if the victim used that software.
Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution.
U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for days after the attack, before suggesting that China, not Russia, might have been responsible for it, and that "everything is well under control".
Background:
The global data breach occurred over the course of at least 8 or 9 months during the final year of the presidency of Donald Trump. Throughout this time, the White House lacked a cybersecurity coordinator, Trump having eliminated the post itself in 2018.
When the breach was discovered, the U.S. also lacked a Senate-confirmed Director of CISA, the nation's top cybersecurity official, responsible for coordinating incident response. The incumbent, Chris Krebs, had been fired by Trump on November 18, 2020. Also at that time, the DHS, which manages CISA, lacked a Senate-confirmed Secretary, Deputy Secretary, General Counsel, Undersecretary for Intelligence and Analysis, and Undersecretary for Management; and Trump had recently forced out the Deputy Director of CISA.
Numerous federal cybersecurity recommendations made by the Government Accountability Office and others had not been implemented.
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack.
SolarWinds did not employ a chief information security officer or senior director of cybersecurity. Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software.
In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers. And SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired. That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.
Methodology:
Multiple attack vectors were used in the course of breaching the various victims of the incident.
Microsoft exploits:
If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data.
— Sami Ruohonen, F-Secure
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.
At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers.
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months. This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. The presence of single sign-on infrastructure increased the viability of the attack.
SolarWinds exploit:
This is classic espionage. It's done in a highly sophisticated way ... But this is a stealthy operation.
— Thomas Rid, The Washington Post
Here, too, the attackers used a supply chain attack. The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point.
The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019. In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion. The first known modification, in October 2019, was merely a proof of concept.
Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.
In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them. Orion users included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below).
If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers. The communications were designed to mimic legitimate SolarWinds traffic.
If the malware was able to contact one of those servers, this alerted the attackers to a successful deployment and gave them a back door that they could choose to use if they wished to exploit the system further. The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.
The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets. Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt Strike components, and seeking additional access.
Because Orion was connected to customers' Office 365 accounts as a trusted third-party application, the attackers were able to access emails and other confidential documents. This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory.
Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network. Having accessed data of interest, they encrypted and exfiltrated it.
The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others. By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).
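The dormancy-then-beacon behaviour described above suggests a simple hunting heuristic for defenders. The script below is an added example, not code from the page, from SolarWinds or from any vendor; the proxy-record format, hostnames, install times and the indicator list are all constructed placeholders.

```python
"""Hunt for the delayed first beacon the page describes: a trojaned Orion host
stays dormant for 12 to 14 days after the update is installed, then begins
contacting command-and-control servers over traffic shaped to look like
normal SolarWinds activity.

Added example; not code from the page, SolarWinds or any vendor. Assumptions:
outbound proxy records are "<ISO-8601 UTC> <source host> <destination>"
(a constructed format), the install time of the Orion update on each host is
known from patch records, and KNOWN_C2_INDICATORS is a labelled placeholder,
not real SUNBURST infrastructure.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

DORMANCY_MIN = timedelta(days=12)
DORMANCY_MAX = timedelta(days=14)

# Placeholder; replace with the indicator list from your vendor's advisory.
KNOWN_C2_INDICATORS = {"c2.invalid"}


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def first_contacts(lines: List[str]) -> Dict[Tuple[str, str], datetime]:
    """Earliest time each (host, destination) pair appears in the records."""
    earliest: Dict[Tuple[str, str], datetime] = {}
    for line in lines:
        ts_text, host, dest = line.split()
        ts = parse_ts(ts_text)
        key = (host, dest)
        if key not in earliest or ts < earliest[key]:
            earliest[key] = ts
    return earliest


def hunt(lines: List[str], install_times: Dict[str, datetime]) -> List[dict]:
    """Flag destinations that match an indicator, or that an Orion host first
    contacted 12 to 14 days after the update landed and never before it."""
    contacts = first_contacts(lines)
    # Destinations each Orion host already talked to before the update.
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for (host, dest), ts in contacts.items():
        installed = install_times.get(host)
        if installed is not None and ts < installed:
            baseline[host].add(dest)

    findings = []
    for (host, dest), ts in sorted(contacts.items(), key=lambda item: item[1]):
        reasons = []
        if dest in KNOWN_C2_INDICATORS:
            reasons.append("destination matches indicator list")
        installed = install_times.get(host)
        if installed is not None and dest not in baseline[host]:
            delay = ts - installed
            if DORMANCY_MIN <= delay <= DORMANCY_MAX:
                reasons.append("first contact inside the 12-14 day dormancy window")
        if reasons:
            findings.append({"host": host, "destination": dest,
                             "first_seen": ts.isoformat(), "reasons": reasons})
    return findings


# Constructed records; hosts, destinations and times are made up for the demo.
SAMPLE_LOG = [
    "2020-03-20T09:00:00Z orion01 downloads.solarwinds.example",
    "2020-03-27T09:00:00Z orion01 downloads.solarwinds.example",
    "2020-03-28T10:00:00Z orion01 ntp.corp.example",
    "2020-04-08T03:14:00Z orion01 updates-cache.example",
    "2020-04-09T03:15:00Z orion01 updates-cache.example",
    "2020-04-15T11:00:00Z orion01 c2.invalid",
    "2020-04-08T04:00:00Z fileserver01 updates-cache.example",
]
SAMPLE_INSTALLS = {"orion01": parse_ts("2020-03-26T08:00:00Z")}


def run_demo() -> List[dict]:
    """Run the hunt over the constructed records; two findings are expected."""
    return hunt(SAMPLE_LOG, SAMPLE_INSTALLS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

A hit is a triage lead, not proof of compromise; as the page notes, each affected host still needed its own investigation.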
FBI investigators recently found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.
VMware exploits:
Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers.
As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.
Discovery:
Microsoft exploits:
During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a think tank whose identity has not publicly been revealed.
The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass multi-factor authentication. Later, in June and July 2020, Volexity observed the attacker utilising the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals.
Volexity said it was not able to identify the attacker.
Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike. That attack failed because, for security reasons, CrowdStrike does not use Office 365 for email.
Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting Zerologon, a vulnerability in Microsoft's NetLogon protocol. This was reported to CISA, which issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised.
Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.
SolarWinds exploit:
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker.
FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.
After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself.
Some days later, on December 13, when breaches at the Treasury and the Department of Commerce were publicly confirmed, sources said that the FireEye breach was related. On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.
The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020. FireEye named the malware SUNBURST. Microsoft called it Solorigate. The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT.
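A first step for any SolarWinds customer was to find which hosts ran a build inside that version range. The script below is an added example, not the page's or SolarWinds' own code; it assumes version strings shaped like "2020.2.1 HF1", treats the page's range as inclusive at both ends, and uses a constructed inventory.

```python
"""Triage a SolarWinds Orion inventory against the trojaned release range the
page reports (2019.4 through 2020.2.1 HF1).

Added example; not code from the page or from SolarWinds. Assumptions: the
inventory gives version strings shaped like "2020.2.1 HF1" (numeric release,
optional hotfix), the affected range is inclusive at both ends, and a release
without a hotfix sorts before the same release with one.
"""
import re
from typing import Dict, List, Tuple

# Inclusive range the page reports as carrying SUNBURST.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# "2020.2.1 HF1", "2020.2.1HF1" and "2020.2.1-HF1" are all accepted.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)[\s-]*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return ((major, minor, patch, ...), hotfix) so tuples compare in order.

    The numeric part is padded to three components so "2019.4" and "2019.4.0"
    compare equal; a missing hotfix is 0.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    if len(release) < 3:
        release = release + (0,) * (3 - len(release))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return release, hotfix


def is_affected_version(text: str) -> bool:
    """True when the version lies inside the reported trojaned range."""
    low = parse_orion_version(AFFECTED_LOW)
    high = parse_orion_version(AFFECTED_HIGH)
    return low <= parse_orion_version(text) <= high


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into 'affected', 'clear' and 'unparseable' buckets.

    An 'affected' host has only downloaded a trojaned build; whether a breach
    followed still needs the per-host investigation the page describes.
    """
    buckets: Dict[str, List[str]] = {"affected": [], "clear": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected_version(version) else "clear"
        except ValueError:
            bucket = "unparseable"
        buckets[bucket].append(host)
    return buckets


# Constructed inventory; the hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF1",
    "orion-prod-02": "2019.4 HF5",
    "orion-lab-01": "2019.3.2",
    "orion-dr-01": "2020.2.1 HF2",
    "orion-legacy": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```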
Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.
VMware exploits:
Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager. VMware released patches on December 3, 2020. On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.
Responsibility:
Conclusions by investigators:
SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation. Russian-sponsored hackers were suspected to be responsible. U.S. officials stated that the specific groups responsible were probably the SVR or Cozy Bear (also known as APT29).
FireEye gave the suspects the placeholder name "UNC2452"; incident response firm Volexity called them "Dark Halo". On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR. One security researcher gave February 27, 2020 as the likely operational date, with a significant change of aspect on October 30, 2020.
In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla, a group known from 2008 that Estonian intelligence previously linked to the Russian federal security service, FSB.
FBI investigators found that suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers such as the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, potentially compromising the data on thousands of government employees.
The hack is separate: the suspected Chinese hackers exploited a different bug in Orion's code to help spread across networks that they had already compromised. Former U.S. chief information security officer Gregory Touhill compared the fact that Russia and China were targeting the same software product to drafting in motorsport.
Statements by U.S. government officials:
On October 22, 2020, CISA and the FBI identified the Microsoft Zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.
On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the cyber attack.
On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, suggesting without evidence that China, rather than Russia, might be responsible. The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."
On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."
On December 21, 2020, Attorney General William Barr said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump.
On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence, all confirmed that they believe Russia was the most likely culprit.
Denial of involvement:
Russia denied involvement.
The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.
Impact:
This is a much bigger story than one single agency. This is a huge cyberespionage campaign targeting the U.S. government and its interests. — U.S. government source
Discovery of the breaches at the Treasury and the Department of Commerce immediately raised concerns that the attackers would attempt to breach other departments, or had already done so. Further investigation proved these concerns to be well-founded. Within days, additional federal departments were found to have been breached.
SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions.
Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies.
Other prominent U.S. organizations known to use SolarWinds products, though not necessarily Orion, were the Los Alamos National Laboratory, Boeing, and most Fortune 500 companies.
Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca.
FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected.
Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted.
These investigations were complicated by: the fact that the attackers had in some cases removed evidence; the need to maintain separate secure networks as organizations' main networks were assumed to be compromised; and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks. As of mid-December 2020, those investigations were ongoing.
As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used.
Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come. Possible future uses could include attacks on hard targets like the CIA and NSA, or using blackmail to recruit spies.
Cyberconflict professor Thomas Rid said the stolen data would have myriad uses. He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.
Even where data was not exfiltrated, the impact was significant. The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset. Anti-malware companies additionally advised searching log files for specific indicators of compromise.
However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review. Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime.
Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.
Through a manipulation of software keys, Russian hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.
Anonymous FBI sources revealed that internal investigations had discovered suspected Chinese attackers using computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies. They had hacked into the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, potentially compromising the data of thousands of government employees, possibly to better collect intelligence.
The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department. Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees."
Investigations and responses:
Technology companies and business:
On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye.
On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.
GoDaddy handed ownership to Microsoft of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the SUNBURST malware, and to discover which SolarWinds customers were infected.
On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks. On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.
SolarWinds unpublished its featured customer list after the hack, although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.
Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price. Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.
The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.
U.S. government:
On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.
Security agencies:
On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations. On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks. Russia denied involvement in the attacks.
On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the FBI to investigate. The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group. The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.
The Federal Energy Regulatory Commission (FERC) helped to compensate for a staffing shortfall at CISA. The FBI, CISA, and the Office of the Director of National Intelligence (ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts.
On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.
On February 2, 2021, Reuters reported that anonymous FBI sources revealed that internal investigations had discovered suspected Chinese attackers using computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
Congress:
The Senate Armed Services Committee's cybersecurity subcommittee was briefed by Defense Department officials. The House Committee on Homeland Security and House Committee on Oversight and Reform announced an investigation.
Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain.
The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack.
Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.
On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials.
Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".
On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Veterans Administration.
The judiciary:
The Administrative Office of the United States Courts initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system. It stopped accepting highly sensitive court documents to the CM/ECF, requiring those instead to be accepted only in paper form or on airgapped devices.
President Trump:
President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction".
On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control"; and proposed, without evidence, that China, rather than Russia, might be responsible for the attack.
Trump then pivoted to insisting that he had won the 2020 presidential election. He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election.
Trump's claim was rebutted by former CISA director Chris Krebs, who pointed out that Trump's claim was not possible. Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest, calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."
Former Homeland Security Advisor Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act would be required to mitigate the damage caused by the attacks.
Russell Brandom, policy editor for The Verge, called the U.S. ill-prepared for the hack, and criticized Trump for having consistently "treated the federal cybersecurity effort as one more partisan battleground, with attacks and vulnerabilities embraced or rejected largely on the basis of their value as a political cudgel"; Brandom wrote that "this is no way to run the world’s most powerful intelligence apparatus."
Fred Kaplan, writing in Slate, criticized Trump for promoting fake claims of election fraud while "ignoring a real cybersecurity crisis," writing: "For all of Trump's wailing about fictitious hacks that stole the election, he has been otherwise notably uncurious about the nation's cybersecurity." Esquire commentator Charles P. Pierce criticized the Trump administration for being "asleep at the switch" and termed Trump a "crooked, incompetent agent of chaos."
President Biden:
Then president-elect Joe Biden said that, "A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place. I will not stand idly by in the face of cyberassaults on our nation."
Biden said he has instructed his transition team to study the breach, will make cybersecurity a priority at every level of government, and will identify and penalize the attackers. Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions.
On December 22, 2020, Biden said that, "I see no evidence that it's under control," and reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.
In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology.
Rest of the world:
NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks." On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK.
The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers.
On December 23, 2020, the UK Information Commissioner's Office – a national privacy authority – told UK organizations to check immediately whether they were impacted.
On December 24, 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check for system compromises.
Cyber espionage or cyberattack?:
The attack prompted a debate on whether the hack should be treated as cyber espionage, or as a cyberattack constituting an act of war. Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid).
Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force.
Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks." Law professor Michael Schmitt concurred, citing the Tallinn Manual.
By contrast, Microsoft president Brad Smith termed the hack a cyberattack, stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."
U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.
Debate on possible U.S. responses:
Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect".
They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).
Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."
Cybersecurity author Bruce Schneier advocated against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and ratification of the Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace.
In the New York Times, Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements. He also noted that the US is engaged in similar operations against other countries in what he described as an ambient cyber-conflict.
In Slate, Fred Kaplan argued that the structural problems that enable computer network intrusions like this had been public knowledge since 1967 and that successive U.S. governments had failed to implement the structural defenses repeatedly requested by subject experts. He pointed out that an escalatory response to espionage would be counterproductive for U.S. interests, whereas finally strengthening the defenses and drawing clear red lines in the gray areas of cyber-conflict policy would be more fruitful strategies.
United States Cyber Command
- YouTube Video: USCYBERCOM 10 Year Anniversary
- YouTube Video: An exclusive look behind the scenes of the U.S. military’s cyber defense
- YouTube Video: USCYBERCOM Commander on cyber security
United States Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the United States Department of Defense (DoD). It unifies the direction of cyberspace operations, strengthens DoD cyberspace capabilities, and integrates and bolsters DoD's cyber expertise.
USCYBERCOM was created in mid-2009 at the National Security Agency (NSA) headquarters in Fort George G. Meade, Maryland. It cooperates with NSA networks and has been concurrently headed by the director of the National Security Agency since its inception.
While originally created with a defensive mission in mind, it has increasingly been viewed as an offensive force. On 18 August 2017, it was announced that USCYBERCOM would be elevated to the status of a full and independent unified combatant command. This elevation occurred on 4 May 2018.
Mission statement:
According to the US Department of Defense (DoD):
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
The text "9ec4c12949a4f31474f299058ce2b22a", located in the command's emblem, is the MD5 hash of their mission statement.
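An added example (not from this page or from USCYBERCOM) that checks the claim above: it canonicalizes the transcribed mission statement, hashes it with MD5, compares the digest to the emblem value, and shows how far the digest moves when a single character changes. The constants EMBLEM_DIGEST and MISSION_STATEMENT are taken from this page; whether the check reports a match depends on the transcription matching the original byte for byte.

```python
import hashlib
import hmac
import unicodedata

# The 32 hex characters printed in the USCYBERCOM emblem, as quoted on this page.
EMBLEM_DIGEST = "9ec4c12949a4f31474f299058ce2b22a"

# The mission statement as transcribed on this page. Whether it hashes to the
# emblem value depends on matching the original byte for byte (punctuation,
# spacing, trailing period): a hash commits to exact bytes, nothing looser.
MISSION_STATEMENT = (
    "USCYBERCOM plans, coordinates, integrates, synchronizes and conducts "
    "activities to: direct the operations and defense of specified Department "
    "of Defense information networks and; prepare to, and when directed, "
    "conduct full spectrum military cyberspace operations in order to enable "
    "actions in all domains, ensure US/Allied freedom of action in cyberspace "
    "and deny the same to our adversaries."
)


def canonicalize(text: str) -> bytes:
    """Reduce a transcription to a canonical byte string before hashing.

    Digests are computed over bytes, not "text": a curly quote, a non-breaking
    space or a stray newline picked up by copy-and-paste changes the whole
    digest. NFC normalization and whitespace collapsing remove the most common
    transcription noise; they cannot repair a wrong word or a dropped period.
    """
    text = unicodedata.normalize("NFC", text)
    return " ".join(text.split()).encode("utf-8")


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of data (32 characters).

    Note that MD5 is collision-broken: a matching digest shows that two byte
    strings are the same, but it is no defence against a party who can choose
    both of them. Use SHA-256 or stronger for integrity checks that matter.
    """
    return hashlib.md5(data).hexdigest()


def matches_emblem(text: str, expected: str = EMBLEM_DIGEST) -> bool:
    """True iff the canonicalized text hashes to the emblem digest.

    hmac.compare_digest takes time independent of where the strings first
    differ. For a public checksum that is irrelevant, but it is the habit to
    keep whenever a digest or token is compared, so it is used here too.
    """
    return hmac.compare_digest(md5_hex(canonicalize(text)), expected.lower())


def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    base = md5_hex(canonicalize(MISSION_STATEMENT))
    print("digest of page transcription:", base)
    print("matches emblem value:", matches_emblem(MISSION_STATEMENT))
    # Dropping the final period is a one-byte change, yet roughly half of the
    # 128 digest bits flip: the digest identifies the exact text, not its gist.
    altered = md5_hex(canonicalize(MISSION_STATEMENT.rstrip(".")))
    print("bits changed by dropping the final period:", hamming_bits(base, altered))
```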
The command is charged with pulling together existing cyberspace resources, creating synergies and synchronizing war-fighting effects to defend the information security environment. USCYBERCOM is tasked with centralizing command of cyberspace operations, strengthening DoD cyberspace capabilities, and integrating and bolstering DoD's cyber expertise.
Organization:
USCYBERCOM is an armed forces unified command under Department of Defense (DoD).
Service components:
U.S. Cyber Command is composed of several service components, units from the military services that provide joint services to Cyber Command:
- Army Cyber Command (Army)
- Army Network Enterprise Technology Command / 9th Army Signal Command (NETCOM/9thSC(A))
- Cyber Protection Brigade
- United States Army Intelligence and Security Command will be under the operational control of ARCYBER for cyber-related actions.
- Fleet Cyber Command/Tenth Fleet (Navy)
- Naval Network Warfare Command
- Navy Cyber Defense Operations Command
- Naval Information Operation Commands
- Combined Task Forces
- 16th Air Force (Air Force)
- Marine Corps Cyberspace Command (Marine Corps)
Cyber teams:
In 2015, the U.S. Cyber Command added 133 new cyber teams. The breakdown was:
- Thirteen National Mission Teams to defend against broad cyberattacks
- Sixty-eight Cyber Protection Teams to defend priority DoD networks and systems against priority threats
- Twenty-seven Combat Mission Teams to provide integrated cyberspace attacks in support of operational plans and contingency operations
- Twenty-five Cyber Support Teams to provide analytic and planning support to the national mission and combat mission teams.
Background:
An intention by the U.S. Air Force to create a 'cyber command' was announced in October 2006. An Air Force Cyber Command was created in a provisional status in November 2006. However, in October 2008, it was announced the command would not be brought into permanent activation.
On 23 June 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command (USSTRATCOM) to establish USCYBERCOM. In May 2010, General Keith Alexander outlined his views in a report for the United States House Committee on Armed Services subcommittee:
- "My own view is that the only way to counteract both criminal and espionage activity online is to be proactive. If the U.S. is taking a formal approach to this, then that has to be a good thing.
- The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid. If that is determined to be an organized attack, I would want to go and take down the source of those attacks.
- The only problem is that the Internet, by its very nature, has no borders and if the U.S. takes on the mantle of the world's police; that might not go down so well."
Initial operational capability was attained on 21 May 2010. General Alexander was promoted to four-star rank, becoming one of 38 U.S. generals, and took charge of U.S. Cyber Command in a ceremony at Fort Meade that was attended by Commander of U.S. Central Command GEN David Petraeus, and Secretary of Defense Robert M. Gates.
USCYBERCOM reached full operational capability on 31 October 2010.
The command assumed responsibility for several existing organizations. The Joint Task Force for Global Network Operations (JTF-GNO) and the Joint Functional Component Command for Network Warfare (JFCC-NW) were absorbed by the command. The Defense Information Systems Agency, where JTF-GNO operated, provides technical assistance for network and information assurance to USCYBERCOM, and is moving its headquarters to Fort Meade.
President Obama signed into law, on 23 December 2016, the National Defense Authorization Act (NDAA) for fiscal year (FY) 2017, which elevated USCYBERCOM to a unified combatant command.
The FY 2017 NDAA also specified that the dual-hatted arrangement of the commander of USCYBERCOM will not be terminated until the Secretary of Defense and Chairman of the Joint Chiefs of Staff jointly certify that ending this arrangement will not pose risks to the military effectiveness of CYBERCOM that are unacceptable to the national security interests of the United States.
Concerns:
There are concerns that the Pentagon and NSA will overshadow any civilian cyber defense efforts.
There are also concerns on whether the command will assist in civilian cyber defense efforts. According to Deputy Secretary of Defense William J. Lynn, the command "will lead day-to-day defense and protection of all DoD networks. It will be responsible for DoD's networks – the dot-mil world. Responsibility for federal civilian networks – dot-gov – stays with the Department of Homeland Security, and that's exactly how it should be."
Alexander notes, however, that if faced with cyber hostilities an executive order could expand Cyber Command's spectrum of operations to include, for instance, assisting the Department of Homeland Security in defense of their networks.
Some military leaders claim that the existing cultures of the Army, Navy, and Air Force are fundamentally incompatible with that of cyber warfare. In 2002, Major Robert Costa (USAF) even suggested a sixth branch of the military, an Information (Cyber) Service with Title 10 responsibilities analogous to those of its sister services, noting:
While no one [Instrument of National Power] operates in a vacuum... Information increasingly underpins the other three [Diplomatic, Economic and Military], yet has proven to be the most vulnerable, even as US society becomes more dependent on it in peace, conflict, and war.
To attack these centers of gravity, an adversary will use the weakest decisive point, ... the Information IOP. In addition, the other IOPs benefit from Unity of Effort--Constitutional balances of power ensure the Diplomatic and Military IOPs exercised by the President in concert with Congress are focused, while the Economic IOP achieves Unity of Action through international market controls and an international body of law.
[In 2002], [t]he Information IOP however, [was] rudderless, lacking both Unity of Action and Unity of Command.
Others have also discussed the creation of a cyber-warfare branch. Lieutenant Colonel Gregory Conti and Colonel John "Buck" Surdu (chief of staff of the United States Army Research, Development and Engineering Command) stated that the three major services are properly positioned to fight kinetic wars, and they value skills such as marksmanship, physical strength, the ability to leap out of airplanes and lead combat units under enemy fire.
Conti and Surdu reasoned, "Adding an efficient and effective cyber branch alongside the Army, Navy and Air Force would provide our nation with the capability to defend our technological infrastructure and conduct offensive operations. Perhaps more important, the existence of this capability would serve as a strong deterrent for our nation's enemies."
In response to concerns about the military's right to respond to cyber attacks, General Alexander stated, prior to his confirmation hearings before the United States Congress, that "The U.S. must fire back against cyber attacks swiftly and strongly and should act to counter or disable a threat even when the identity of the attacker is unknown."
This came in response to incidents such as a 2008 operation to take down a government-run extremist honeypot in Saudi Arabia. "Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum".
"The new U.S. Cyber Command needs to strike a balance between protecting military assets and personal privacy," stated Alexander in a Defense Department release. If confirmed, Alexander said, his main focus would be on building capacity and capability to secure the networks and educating the public on the command's intent.
"This command is not about an effort to militarize cyber space," he said. "Rather, it's about safeguarding our military assets."
In July 2011, Deputy Defense Secretary William Lynn announced in a conference that "We have, within Cyber Command, a full spectrum of capabilities, but the thrust of the strategy is defensive." The strategy rests on five pillars, he said:
- treat cyber as a domain;
- employ more active defenses;
- support the Department of Homeland Security in protecting critical infrastructure networks;
- practice collective defense with allies and international partners;
- reduce the advantages attackers have on the Internet.
In 2013, USCYBERCOM held a classified exercise in which reserve officers (with extensive experience in their civilian cyber-security work) easily defeated active-duty cyber personnel. In 2015, Eric Rosenbach, the principal cyber adviser to Defense Secretary Ash Carter, said DoD was looking at alternatives to staffing with just active-duty military. Beginning that year, USCYBERCOM added 133 teams (staffing out at 6,000 people), with the intent that at least 15% of the personnel would be reserve cyber operations airmen. These new teams had achieved "initial operating capability" (IOC) as of 21 October 2016. Officials noted that IOC is not the same as combat readiness, but is the first step in that direction.
President Barack Obama's Commission on Enhancing National Cybersecurity is expected to release its substantial report prior to 20 January 2017. The report will make recommendations regarding the intertwining roles of the military, government administration and the private sector in providing cyber security. Incoming President Trump has indicated that he wants a full review of Cyber Command.
International effects and reactions:
The creation of U.S. Cyber Command appears to have motivated other countries in this arena. In December 2009, South Korea announced the creation of a cyber warfare command.
Reportedly, this was in response to North Korea's creation of a cyber warfare unit. In addition, the British GCHQ has begun preparing a cyber force. Furthermore, a shift in military interest in cyber warfare has motivated the creation of the first U.S. Cyber Warfare Intelligence Center.
In 2010, China introduced a department dedicated to defensive cyber war and information security in response to the creation of USCYBERCOM.
Operations:
In June 2019, Russia conceded that it was "possible" its electrical grid was under cyberattack by the United States. The New York Times reported that hackers from the U.S. Cyber Command had planted malware potentially capable of disrupting the Russian electrical grid.
Click on any of the following blue hyperlinks for more about the United States Cyber Command:
- List of commanders
- See also:
- U.S. Cyber Command website
- "NSA Chief may lose US Cyber Command role". Retrieved 4 November 2013.
- "But NSA & Cyber Command are to stay under one chief". Retrieved 14 December 2013.
- US Cyber Command Fact Sheet
- US Cyber Command Fact Sheet PowerPoint
- The official facebook page of the United States Cyber Command
- List of cyber warfare forces
- United States Strategic Command
- Joint Task Force-Global Network Operations
- United States National Security Agency (NSA)
- United States Department of Homeland Security
- Information assurance vulnerability alert
- Cooperative Cyber Defence Centre of Excellence (NATO)
- National Cyberdefence Centre (Germany)
- Cyberwarfare
- Defense Information Systems Agency
Outline of Computer Security
- YouTube Video: 5 Best Free Antivirus Software for 2021 | Top Picks for Windows 10 PCs
- YouTube Video: Top 3 Best Antivirus Software 2020: What Keeps You Safe Against Malware, Viruses and Ransomware
- YouTube Video: How the Best Hackers Learn Their Craft
19 Cybersecurity Best Practices to Protect Your Business
By: PhoenixNap Global IT Services 3/9/2020
[Your WebHost: I decided to add this section, intended as best practices for larger firms, to enable companies looking beyond "simpler" computer security solutions, as covered later herein.]
Cybersecurity is high on the list of concerns for rapidly evolving businesses online. As more small businesses move services or store data online, they are putting themselves at risk for cyberattacks.
At the forefront of this battle against cybercrime and hackers, companies must consolidate a solid defense by implementing cybersecurity best practices. This article will cover key strategies every company should adopt to avoid attacks and become less exposed.
Cyberattacks aim to compromise systems and reach data the attacker can monetize, from stolen credit card numbers to credentials usable for identity theft.
Strong cybersecurity policies and procedures can save organizations millions of dollars. They require an initial investment to set up a stable network and protect it against intrusion, but the severity and scale of cyberattacks are increasing daily, and the threat is imminent; safeguarding against it is critical.
Recommended Cybersecurity Best Practices:
Adopt the cybersecurity best practices below to prepare your organization against cyber threats and ensure the continuity of your business.
1. Create a Dedicated Insider Threat Role: An insider threat program is a core part of a modern cybersecurity strategy. Employees with access to data can leak information or damage equipment, so an insider threat program is essential for companies that hold sensitive data and whose reputations could be ruined by exposure through an insider attack. Although it carries a cost and is easily treated as a low-priority task, businesses should not delay; instead, gain the support of top management and develop policy across all departments.
2. Conduct Phishing Simulations: As of 2020, phishing is one of the most prevalent cyber threats experienced by companies worldwide. Phishing simulations train employees not to click on malicious links or download unknown files, and awareness exercises of this kind help them understand the far-reaching effects of a successful phish. A simulation creates a safe space in which employees' knowledge is tested and they can ask questions and learn the latest tricks.
3. Secure Remotely Working and Travelling Employees: Many employees have the dangerous habit of reaching corporate networks through unsecured public Wi-Fi while travelling on business. Sacrificing security for convenience is unacceptable, and employees should understand the risks they are taking. Training and education on the available precautions is essential; measures such as requiring a VPN on untrusted networks and installing anti-malware software on every device that leaves the office will close security gaps in the workforce outside it.
4. Prioritize Employee Privacy: Awareness of data privacy and data sensitivity is at an all-time high, with new legislation arriving to regulate it. Employee privacy can be prioritized by anonymizing employee data where possible and protecting it preventively rather than after a breach. Educate employees through workshops and presentations on the company's cybersecurity policies and on local law, emphasizing the impact on their own privacy.
5. Create a Cybersecurity Awareness Training Program: Vendor surveys have found that two out of three insider threat incidents are initiated by an employee or contractor and could have been prevented (ObserveIT). Employees are the first line of defense against cybercrime, and their education is vital to developing the skills and knowledge needed to protect an organization. A comprehensive awareness program creates a "security-first culture"; it should address identifying risks, changing employee behavior, and tracking metrics of improvement.
6. Inform Third-Party Contractors of Cybersecurity Policy: With globalization and interconnectivity, many businesses hand specialized workloads to third-party partners or outsourced entities. Those contractors must be made aware of, and trained to follow, the same cybersecurity policies as in-house staff.
7. Implement an IS Governance Approach: Every company should establish and maintain an information security (IS) framework aligned with its existing assurance strategies. Whichever framework is selected, it should give every level of management the ability to take a risk-based approach, so that staff can detect, investigate and respond to incidents faster.
8. Monitor User and File Activity: Malicious insiders tend to use several channels to exfiltrate data, and a good user and file activity monitoring system is one of the best answers to this problem. Solutions such as data loss prevention (DLP), which focus only on the data and not on user activity, fall short of stopping every malicious insider. If you monitor users closely and know which files they access, it is easier to react to an incident or prevent one.
9. Be Aware of State-Sponsored Threats: It is well-documented that employees belonging to high-value industries such as healthcare, technology, and banking may be susceptible to monetary incentives to sell data to foreign governments and entities. Understanding the motivation of such entities and potential insider targets is of the utmost priority so that you can spot patterns of suspicious and underhanded behavior.
10. Enforce the Use of Password Managers, SSO, and MFA: Reused or weak passwords are still common among employees of multinationals today. Deploying an enterprise password manager, combined with single sign-on and multi-factor authentication, is the most viable way to close these soft spots in your company.
11. Audit Privileged Access: Management should review how many users have privileged access to sensitive areas of the business or data. Granting privileged access is a necessary risk, and it accumulates as staff change roles or leave. Businesses should review permissions regularly, adopt temporary or rotating credentials, and keep an audit trail of privileged access.
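To make the privileged-access review in item 11 concrete, here is an added example (not PhoenixNap's or this page's code) that parses constructed /etc/passwd, /etc/group and sudoers fragments plus a last-login table, lists every account with root-equivalent access, and flags extra UID-0 accounts, passwordless sudo, and privileged accounts that are stale or have never logged in. The account names, the 90-day staleness threshold and the set of groups treated as privileged are assumptions.

```python
"""Audit who holds privileged access on a Unix host and flag stale or risky
grants.  Added example, not PhoenixNap's or the page's own code.  The passwd,
group and sudoers fragments and the last-login table are constructed samples;
account names are hypothetical."""
from dataclasses import dataclass, field
from datetime import date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:x:1010:1010:Backup service:/var/backup:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
"""
GROUP = """\
wheel:x:10:alice,bob
sudo:x:27:carol
docker:x:999:bob,svc_backup
"""
SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
svc_backup  ALL=(root) NOPASSWD: /usr/bin/rsync
carol       ALL=(ALL) NOPASSWD: ALL
"""
# Last interactive login per user (None = never); stands in for `lastlog` output.
LAST_LOGIN = {"root": None, "alice": date(2021, 3, 1), "bob": date(2020, 9, 14),
              "carol": date(2021, 3, 2), "svc_backup": None, "toor": None}
TODAY = date(2021, 3, 9)

# Groups treated as root-equivalent (assumption).  docker is included because
# its members can mount the host filesystem into a container.
PRIV_GROUPS = {"wheel", "sudo", "admin", "root", "docker"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
STALE_DAYS = 90

@dataclass
class Finding:
    user: str
    reasons: list = field(default_factory=list)

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":")
            users[name] = {"uid": int(uid), "shell": shell}
    return users

def parse_group(text):
    """user -> set of groups the user is a supplementary member of."""
    membership = {}
    for line in text.splitlines():
        if line:
            gname, _, _, members = line.split(":")
            for m in filter(None, members.split(",")):
                membership.setdefault(m, set()).add(gname)
    return membership

def parse_sudoers(text, membership):
    """user -> list of sudo rule specs, with %group rules expanded to members."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who, spec = line.split(None, 1)
        targets = ([u for u, gs in membership.items() if who[1:] in gs]
                   if who.startswith("%") else [who])
        for u in targets:
            rules.setdefault(u, []).append(spec)
    return rules

def audit(passwd, group, sudoers, last_login, today):
    """Return {user: Finding} for every privileged account; reasons list the risks."""
    users, membership = parse_passwd(passwd), parse_group(group)
    sudo_rules = parse_sudoers(sudoers, membership)
    findings = {}
    note = lambda u, why: findings.setdefault(u, Finding(u)).reasons.append(why)
    for u, info in users.items():
        privileged = info["uid"] == 0
        if privileged and u != "root":
            note(u, "extra UID-0 account")
        for g in sorted(membership.get(u, set()) & PRIV_GROUPS):
            privileged = True
            note(u, f"member of privileged group {g}")
        for spec in sudo_rules.get(u, []):
            privileged = True
            if "NOPASSWD: ALL" in spec:
                note(u, "unrestricted passwordless sudo")
            elif "NOPASSWD" in spec:
                note(u, f"passwordless sudo: {spec}")
        if not privileged:
            continue
        findings.setdefault(u, Finding(u))
        last = last_login.get(u)
        if last is None:
            if u != "root" and info["shell"] not in NOLOGIN_SHELLS:
                note(u, "privileged account never logged in but has interactive shell")
        elif (today - last).days > STALE_DAYS:
            note(u, f"stale: last login {(today - last).days} days ago")
    return findings

def run_audit():
    return audit(PASSWD, GROUP, SUDOERS, LAST_LOGIN, TODAY)

if __name__ == "__main__":
    for f in run_audit().values():
        print(f.user, "->", "; ".join(f.reasons) or "no issues")
```

On a real host the same logic runs over `getent passwd`, `getent group`, `sudo -l -U <user>` and `lastlog`; the point is that every root-equivalent path (UID 0, admin groups, sudo rules) is enumerated in one place and compared against recent use, which is what a periodic access review needs.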
Essential Network Security Practices: Security teams are held accountable for addressing the risk of insider breaches. To develop a strong plan against insider risk, take a systematic approach when organizing security measures. Here are some essential network security practices:
12. Stop Data Loss: Enterprises regularly experience the problems caused by leaked and stolen data. One of the top security concerns for modern companies is the act of data exfiltration from an endpoint. Companies should always control access, monitor contractors and vendors, as well as employees, to get a clear picture of how all parties access and handle data.
13. Detect Insider Threat: While well-trained users are a company’s first line in security and defense, technology remains the main tool. Companies can detect unauthorized behavior by regularly monitoring user activity. This strategy helps companies verify user actions that do not violate security policies while flagging the ones that do.
14. Back-Up Data: Backing up data regularly should be mandatory, especially given ransomware such as WannaCry and Petya. Backups belong in basic security hygiene and are also a defense against emerging threats, provided at least one copy is kept offline or otherwise out of reach of the accounts an attacker could compromise, and restores are tested.
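Items 8, 12 and 13 call for user and file activity monitoring without saying what a detector actually looks at. The following added example (not the article's or the site's code) parses constructed file-access audit lines, builds a per-user baseline from a normal week, and flags departures from it: activity outside business hours when the user has none in the baseline, first access to a share the user never touched, copies to removable media, and a day's volume more than three times the user's baseline daily maximum. The log format, user names, paths and thresholds are assumptions.

```python
"""Flag likely data exfiltration in file-access audit logs by comparing each
user's recent activity with their own baseline.  Added example, not the
article's or the page's own code.  Log format, user names, paths and
thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
import re

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                  r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)(?: dst=(?P<dst>\S+))?")

# Constructed baseline: a normal week reduced to a few representative lines.
BASELINE_LOG = """\
2021-03-01T09:12:00Z user=alice action=READ path=/shares/eng/design.docx bytes=20480
2021-03-01T10:40:00Z user=alice action=WRITE path=/shares/eng/design.docx bytes=21000
2021-03-02T14:05:00Z user=alice action=READ path=/shares/eng/spec.pdf bytes=80000
2021-03-01T08:30:00Z user=bob action=READ path=/shares/finance/ledger.xlsx bytes=500000
2021-03-03T16:20:00Z user=bob action=READ path=/shares/finance/q4.xlsx bytes=700000
"""
# Constructed recent window to score against that baseline.
RECENT_LOG = """\
2021-03-08T09:15:00Z user=alice action=READ path=/shares/eng/design.docx bytes=20480
2021-03-08T22:01:00Z user=bob action=READ path=/shares/finance/ledger.xlsx bytes=500000
2021-03-08T22:02:00Z user=bob action=READ path=/shares/finance/q4.xlsx bytes=700000
2021-03-08T22:03:00Z user=bob action=READ path=/shares/finance/payroll.xlsx bytes=900000
2021-03-08T22:04:00Z user=bob action=READ path=/shares/hr/salaries.xlsx bytes=300000
2021-03-08T22:09:00Z user=bob action=COPY path=/shares/finance/payroll.xlsx bytes=900000 dst=usb:/E/
2021-03-08T22:10:00Z user=bob action=COPY path=/shares/hr/salaries.xlsx bytes=300000 dst=usb:/E/
"""
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as business hours (assumption)
VOLUME_FACTOR = 3           # alert when a day exceeds N x the baseline daily max

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:            # tolerate malformed lines instead of crashing the job
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["bytes"] = int(e["bytes"])
        e["share"] = "/".join(e["path"].split("/")[:3])   # /shares/<name>
        events.append(e)
    return events

def build_baseline(events):
    """Per user: shares touched, bytes per day, and count of off-hours events."""
    base = defaultdict(lambda: {"shares": set(), "daily": defaultdict(int), "offhours": 0})
    for e in events:
        b = base[e["user"]]
        b["shares"].add(e["share"])
        b["daily"][e["ts"].date()] += e["bytes"]
        if e["ts"].hour not in WORK_HOURS:
            b["offhours"] += 1
    return base

def score(recent, base):
    """Return {user: [alert, ...]} for users whose recent activity departs from baseline."""
    per_user = defaultdict(list)
    for e in recent:
        per_user[e["user"]].append(e)
    alerts = {}
    for user, evs in per_user.items():
        found = []
        b = base.get(user)                       # None for a user with no history
        seen = set(b["shares"]) if b else set()
        typical = max(b["daily"].values()) if b and b["daily"] else 0
        offhours = [e for e in evs if e["ts"].hour not in WORK_HOURS]
        if offhours and (b is None or b["offhours"] == 0):
            found.append(f"{len(offhours)} off-hours events; none in baseline")
        for e in evs:
            if e["share"] not in seen:
                found.append(f"first access to {e['share']}")
                seen.add(e["share"])
            if e["dst"] and e["dst"].startswith("usb:"):
                found.append(f"copy to removable media: {e['path']} -> {e['dst']}")
        by_day = defaultdict(int)
        for e in evs:
            by_day[e["ts"].date()] += e["bytes"]
        for day, total in sorted(by_day.items()):
            if typical and total > VOLUME_FACTOR * typical:
                found.append(f"{day}: {total} bytes, over {VOLUME_FACTOR}x baseline daily max {typical}")
        if found:
            alerts[user] = found
    return alerts

def run_detection():
    return score(parse(RECENT_LOG), build_baseline(parse(BASELINE_LOG)))

if __name__ == "__main__":
    for user, found in run_detection().items():
        print(user)
        for a in found:
            print("  -", a)
```

Each rule on its own is noisy; an analyst should weight the combination (off-hours plus a new share plus removable media plus unusual volume) rather than page on any single hit. Baselines also need refreshing as roles change, or the "first access" rule will fire on every legitimate project move.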
Beware of Social Engineering: Social engineering has been used for decades to obtain login credentials and access to protected files. Attempts may arrive by phone, email, social media profiles, and so on. The best defenses are the following:
15. Outline Clear Use Policies for New Hires and Third Parties: Requirements and expectations that the company has, regarding IT security, should be clearly stated in the employment contracts and the various SLAs and SOPs that a company might have.
16. Update Software and Systems: Cyber threats are ever-increasing, and even a well-tuned network will eventually face one it was not built for, so a company's network must be protected continuously. Plan regular software updates and schedule maintenance of hardware security.
17. Create an Incident Response Playbook: No matter how many security measures a company takes, vulnerability to unseen threats remains, so every company should have a security incident response plan in case it is attacked. Planning lets management limit the damage of a breach and remediate it effectively.
18. Educate and Train Users: Employees should be trained to create and maintain strong passwords, recognize phishing emails, avoid dangerous applications, and so on, ensuring that valuable information does not leave the company in the event of an external attack.
19. Maintain Compliance: Whatever level of cybersecurity a company has, it should always comply with the regulations and standards that apply to it, such as HIPAA, PCI DSS and ISO/IEC 27001, and keep up with their latest guidance.
[End of Article]
___________________________________________________________________________
Overall Outline of computer security:
The following outline is provided as an overview of and topical guide to computer security:
Computer security – security applied to computing devices such as computers and smartphones, as well as computer networks such as private and public networks, including the whole Internet.
The field covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems of most societies worldwide.
Computer security includes measures taken to ensure the integrity of files stored on a computer or server as well as measures taken to prevent unauthorized access to stored data, by securing the physical perimeter of the computer equipment, authentication of users or computer accounts accessing the data, and providing a secure method of data transmission.
Essence of computer security:
Computer security can be described as all of the following:
- a branch of security
- Access control – selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
- Computer access control – includes authorization, authentication, access approval, and audit.
- Cyber security and countermeasure
- Device fingerprint
- Physical security – protecting property and people from damage or harm (such as from theft, espionage, or terrorist attacks). It includes security measures designed to deny unauthorized access to facilities, (such as a computer room), equipment (such as your computer), and resources (like the data storage devices, and data, in your computer). If a computer gets stolen, then the data goes with it. In addition to theft, physical access to a computer allows for ongoing espionage, like the installment of a hardware keylogger device, and so on.
- Data security – protecting data, such as a database, from destructive forces and the unwanted actions of unauthorized users.
- Information privacy – relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. Privacy concerns exist wherever personally identifiable information or other sensitive information is collected and stored – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues.
- Internet privacy – involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via the Internet. Privacy can entail either Personally Identifying Information (PII) or non-PII information such as a site visitor's behavior on a website. PII refers to any information that can be used to identify an individual. For example, age and physical address alone could identify who an individual is without explicitly disclosing their name, as these two factors relate to a specific person.
- Mobile security – security pertaining to smartphones, especially with respect to the personal and business information stored on them.
- Network security – provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator.
- Network Security Toolkit
- Internet security – computer security specifically related to the Internet, often involving browser security but also network security on a more general level as it applies to other applications or operating systems on a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of data, including encryption.
- World Wide Web Security – dealing with the vulnerabilities of users who visit websites. Cybercrime on the Web can include identity theft, fraud, espionage and intelligence gathering. For criminals, the Web has become the preferred way to spread malware.
Computer security threats:
The variety of threats, combined with the rapid appearance of new ones, has made cyber insecurity and the erosion of information assurance the status quo. As long as people use computers, some of them will take an interest in manipulating, modifying, creating and bypassing rules and security standards.
The most common and effective method of violating computer security is phishing: the attacker serves a cloned login page for a site the victim uses (Google's Gmail, for example), and once the user enters his or her credentials they are captured and the attacker gains access to the victim's account.
Many executives, mid-ranking managers and even low-level staff of U.S. corporations have no idea that a malicious user is quietly and passively intercepting their communications.
Why? A strong motivation is the theft of intellectual property. Victims of phishing often either never become aware that their privacy has been breached, or only learn of it many months later.
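The phishing described above depends on the victim accepting a counterfeit site as the real one. The following added example (not the outline's own material) shows how a defender can triage hostnames from DNS or proxy logs for lookalikes of a brand list: Punycode labels that decode to Cyrillic homoglyphs, digit-for-letter substitutions, single-edit typosquats, and brand names used as subdomains or embedded in the registrable domain. The brand list, the hostname feed and the confusables table are constructed, and the two-label registrable-domain split is a simplification (a real deployment would use the public suffix list). It generalises beyond the Gmail example in the text to several brands at once.

```python
"""Spot counterfeit / lookalike domains (homoglyphs, typosquats, brand names
buried in subdomains) in a feed of hostnames.  Added example, not the page's
own code.  The brand list, the hostname feed and the confusables table are
constructed; splitting the registrable domain as the last two labels is a
simplification (use a public-suffix list in production)."""
import codecs

LEGIT = {"google.com", "paypal.com", "apple.com", "microsoft.com"}
BRANDS = {d.split(".")[0]: d for d in LEGIT}          # "paypal" -> "paypal.com"

# Constructed hostnames, as they might appear in DNS or proxy logs.
SAMPLE_HOSTS = [
    "accounts.google.com",
    "paypa1.com",
    "accounts.google.com.login-verify.xyz",
    "paypal-security.com",
    "microsfot.com",
    "xn--80ak6aa92e.com",
    "gogle.com",
    "example.com",
]

# Small confusables table (Cyrillic and digit look-alikes -> Latin); partial by design.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
               "\u04cf": "l", "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

def skeleton(label):
    """Map look-alike characters to the Latin letters they imitate."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def decode_label(label):
    """Decode an A-label (xn--...) to Unicode; return the input if malformed."""
    if not label.startswith("xn--"):
        return label
    try:
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    except (UnicodeError, ValueError):
        return label

def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(host):
    """Return the reasons a host looks counterfeit, or [] if it is clean or legitimate."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT:
        return []
    reasons = []
    sld_raw = labels[-2] if len(labels) >= 2 else labels[0]
    sld = skeleton(decode_label(sld_raw))
    if sld_raw.startswith("xn--"):
        reasons.append(f"punycode label decodes to {decode_label(sld_raw)!r}")
    for brand, legit in BRANDS.items():
        if sld == brand and sld_raw != brand:
            reasons.append(f"homoglyph of {legit}")
        elif sld == brand:
            reasons.append(f"{brand} on unexpected TLD .{labels[-1]}")
        elif brand in sld:
            reasons.append(f"{brand} embedded in registrable domain {registrable}")
        elif osa_distance(sld, brand) == 1:
            reasons.append(f"typosquat of {legit} (edit distance 1)")
        if brand in labels[:-2]:
            reasons.append(f"{brand} used as a subdomain of {registrable}")
    return reasons

def scan(hosts=SAMPLE_HOSTS):
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, reasons in scan().items():
        print(f"{host:45} {'; '.join(reasons) or 'ok'}")
```

The sample includes xn--80ak6aa92e.com, the well-known all-Cyrillic spelling of apple.com, which the skeleton step reduces to the Latin brand. Exact matches on the allowlist short-circuit so that accounts.google.com is never flagged, while the same brand appearing as a subdomain of login-verify.xyz is.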
Methods of Computer Network Attack and Computer Network Exploitation:
Social engineering is a frequent method of attack, and can take the form of phishing, or spear phishing in the corporate or government world, as well as counterfeit websites.
- Password sharing and insecure password practices
- Poor patch management
- Computer crime –
- Computer criminals –
- Hackers – in the context of computer security, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network.
- List of computer criminals
- Identity theft –
- Computer malfunction –
- Operating system failure and vulnerabilities
- Hard disk drive failure – occurs when a hard disk drive malfunctions and the stored information cannot be accessed with a properly configured computer. A disk failure may occur in the course of normal operation, or due to an external factor such as exposure to fire or water or high magnetic fields, or suffering a sharp impact or environmental contamination, which can lead to a head crash. Data recovery from a failed hard disk is problematic and expensive. Backups are essential
- Computer and network surveillance –
- Man in the Middle
- Loss of anonymity – when one's identity becomes known. Identification of people or their computers allows their activity to be tracked. For example, when a person's name is matched with the IP address they are using, their activity can be tracked thereafter by monitoring the IP address.
- Cyber spying – obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or classified) from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage, using methods on the Internet, networks or individual computers, including cracking techniques and malicious software such as Trojan horses and spyware. It may be done online by professionals sitting at their desks on bases in far-away countries, it may involve infiltration at home by computer-trained conventional spies and moles, or it may be the criminal handiwork of amateur malicious hackers, software programmers or thieves.
- Computer and network eavesdropping
- Lawful Interception
- War Driving
- Packet analyzer (aka packet sniffer) – mainly used as a security tool (in many ways, including for the detection of network intrusion attempts), packet analyzers can also be used for spying, to collect sensitive information (e.g., login details, cookies, personal communications) sent through a network, or to reverse engineer proprietary protocols used over a network. One way to protect data sent over a network such as the Internet is by using encryption software.
- Cyberwarfare –
- Exploit – piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.
- Trojan
- Computer virus
- Computer worm
- Denial-of-service attack – an attempt to make a machine or network resource unavailable to its intended users, usually consisting of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.
- Distributed denial-of-service attack (DDoS) – DoS attack sent by two or more persons.
- Hacking tool
- Malware
- Computer virus
- Computer worm
- Keylogger – program that does keystroke logging, which is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
- Rootkit – stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool).
- Spyware
- Trojan
- Data loss –
- Natural disasters – fire, flood, etc. can cause loss of computers and data. Either fire or water can cause a hard disk drive failure, for example. Earthquakes can cause a data center to go down. For this reason large web businesses use load balancing and failover techniques to ensure business continuity.
- Payload - malicious code that is delivered to a vulnerable computer, often masquerading as something else
- Physical loss – losing a computer (for example due to fire, or leaving one's laptop on a bus) results in data loss, unless there is a backup.
- Physical theft – when someone takes property without authorization as his or her own. When a computer is stolen, the data is gone too, unless there is a backup.
- Laptop theft – stealing a laptop computer. Victims of laptop theft can lose hardware, software, and essential data that has not been backed up. Thieves also may have access to sensitive data and personal information. Some systems authorize access based on credentials stored on the laptop including MAC addresses, web cookies, cryptographic keys and stored passwords.
- Vulnerabilities:
- Exploitable vulnerability – vulnerability for which an exploit exists
- Open port – TCP or UDP port number that is configured to accept packets. Ports are an integral part of the Internet's communication model — they are the channel through which applications on the client computer can reach the software on the server. Services, such as web pages or FTP, require their respective ports to be "open" on the server in order to be publicly reachable. "Open" (reachable) is not enough for a communication channel to be established. There needs to be an application (service) listening on that port, accepting the incoming packets and processing them. Open ports are vulnerable when there is a service listening and there is no firewall filtering incoming packets to them.
- Security bug
- Zero-day attack
- Hackers
Computer defenses and security measures:
- Access Control Systems
- Authentication
- Authorization
- Firewalls and Internet Security
- Firewall
- Intrusion detection system
- Intrusion prevention system
- Mobile secure gateway
Access control:
Access control – selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
- Computer access control – includes authorization, authentication, access approval, and audit.
- Authorization – function of specifying access rights to computer resources. "To authorize" is to define an access policy. For example, human resources staff is normally authorized to access employee records, and this policy may be formalized as access control rules in a computer system. During operation, the computer system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer programs and other devices attempting to access data that is on a computer.
- Authentication – act of confirming the identity of a consumer. In this context, a consumer is a computer user, computer program, or other device attempting to access data that is on a computer.
- User account – system ID unique to each user. It allows a user to authenticate (log in) to a system and to be granted authorization to access resources provided by or connected to that system; however, authentication does not imply authorization. To log in to an account, a user is typically required to authenticate oneself with a password or other credentials for the purposes of accounting, security, logging, and resource management.
- Password – word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access.
- Access approval (computer access control) –
- Audit –
- Physical security – protecting property and people from damage or harm (such as from theft, espionage, or terrorist attacks). It includes security measures designed to deny unauthorized access to facilities (such as a computer room), equipment (such as your computer), and resources (like the data storage devices, and data, in your computer). If a computer gets stolen, then the data goes with it. In addition to theft, physical access to a computer allows for ongoing espionage, like the installation of a hardware keylogger device, and so on. Examples of physical security system components include:
- Locks – locks may be used to secure a building or room that a computer is in. They may also be used on computer casings to prevent opening computers to remove or swap out parts, or install unauthorized components. And they may be used on a computer to disallow it from being turned on or used without a physical key. There are also locks to attach cables to laptops to prevent them from being taken.
- Security alarms –
- Security barriers – such as fences and walls.
- Security guards –
- Theft recovery software – as LoJack is to cars, theft recovery software is to desktop and laptop computers.
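As an added example, not part of the original outline, the four parts of computer access control named above (authentication, authorization, access approval and audit) modelled as one small policy engine, using the outline's own case of HR staff being authorized to read employee records. The accounts, passwords and rules are constructed, and the choice of PBKDF2 password hashing and of (role, resource) rules is an assumption of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


@dataclass(frozen=True)
class UserAccount:
    """User account: the system ID a consumer authenticates as."""
    user_id: str
    roles: frozenset
    salt: bytes
    password_hash: bytes


def make_account(user_id, password, roles):
    """Create an account storing a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return UserAccount(user_id, frozenset(roles), salt, digest)


class AccessControlSystem:
    """Authentication, authorization, access approval and audit in one place."""

    def __init__(self):
        self.accounts = {}
        # Access control rules: (role, resource) -> set of permitted actions.
        self.rules = {}
        self.audit_log = []

    def add_account(self, account):
        self.accounts[account.user_id] = account

    def add_rule(self, role, resource, actions):
        """Authorization: define the access policy for a role on a resource."""
        self.rules.setdefault((role, resource), set()).update(actions)

    def authenticate(self, user_id, password):
        """Confirm the consumer's identity; returns the account or None."""
        account = self.accounts.get(user_id)
        if account is None:
            # Hash anyway so a missing account takes as long as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, PBKDF2_ITERATIONS)
        return account if hmac.compare_digest(digest, account.password_hash) else None

    def is_authorized(self, account, resource, action):
        """Check the rules for any of the account's roles."""
        return any(action in self.rules.get((role, resource), ()) for role in account.roles)

    def request(self, user_id, password, resource, action):
        """Access approval: authenticate, then authorize, and audit the decision."""
        account = self.authenticate(user_id, password)
        if account is None:
            decision = "rejected: authentication failed"
        elif not self.is_authorized(account, resource, action):
            # Authenticated is not the same as authorized.
            decision = "rejected: not authorized"
        else:
            decision = "granted"
        self.audit_log.append((user_id, resource, action, decision))
        return decision


def demo():
    """Constructed scenario: HR staff may read employee records, engineers may not."""
    acs = AccessControlSystem()
    acs.add_account(make_account("alice", "correct horse", ["hr_staff"]))
    acs.add_account(make_account("bob", "battery staple", ["engineer"]))
    acs.add_rule("hr_staff", "employee_records", {"read", "update"})
    acs.add_rule("engineer", "source_code", {"read"})
    results = [
        acs.request("alice", "correct horse", "employee_records", "read"),
        acs.request("bob", "battery staple", "employee_records", "read"),
        acs.request("alice", "wrong password", "employee_records", "read"),
        acs.request("mallory", "anything", "employee_records", "read"),
    ]
    return results, acs.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```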
Application security:
Application security
Data security:
Data security – protecting data, such as a database, from destructive forces and the unwanted actions of unauthorized users.
Information privacy:
- Information privacy – relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. Privacy concerns exist wherever personally identifiable information or other sensitive information is collected and stored – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues.
- Internet privacy – involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via the Internet. Privacy can entail either Personally Identifying Information (PII) or non-PII information such as a site visitor's behavior on a website. PII refers to any information that can be used to identify an individual. For example, age and physical address alone could identify who an individual is without explicitly disclosing their name, as these two factors relate to a specific person.
Mobile security:
- Mobile security – security pertaining to smartphones, especially with respect to the personal and business information stored on them.
Network security:
- Network security – provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator.
- Internet security – computer security specifically related to the Internet, often involving browser security but also network security on a more general level as it applies to other applications or operating systems on a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of data, including encryption.
- Virtual private network (VPN) – extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryptions.
- IPsec – protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
- OpenVPN – open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
World Wide Web Security:
- World Wide Web Security – dealing with the vulnerabilities of users who visit websites. Cybercrime on the Web can include identity theft, fraud, espionage and intelligence gathering. For criminals, the Web has become the preferred way to spread malware.
History of computer security:
Computer security industry:
Computer security software:
- Antivirus software
- List of antivirus software (including comparison)
- Encryption software
- Firewall
- List of firewalls (and comparison)
- List of router and firewall distributions
Testing labs:
- AV-TEST – An independent organization which evaluates and rates antivirus and security suite software for Microsoft Windows and Android operating systems, according to a variety of criteria. Every other month, the researchers publish the results of their testing, where they list which products they awarded their certification. The organization is based in Magdeburg, in Germany.
- ICSA Labs – independent division of Verizon Business that tests and certifies computer security software (including anti-spyware, anti-virus, and firewall products), for a fee.
- Virus Bulletin – magazine that conducts tests of anti-virus software. The magazine itself is about the prevention, detection and removal of malware and spam. It regularly features analyses of the latest virus threats, articles exploring new developments in the fight against viruses, interviews with anti-virus experts, and evaluations of current anti-malware products.
- West Coast Labs – tests computer security products for a fee. Its Checkmark Certification program reports test results to the public.
Computer security companies:
- McAfee, Inc. (Intel Security) – American global computer security software company headquartered in Santa Clara, California, and the world's largest dedicated security technology company. On February 28, 2011, McAfee became a wholly owned subsidiary of Intel. In early 2014, Intel announced it would rebrand McAfee as Intel Security in 2014.
- Secunia – American computer security company with software offerings in vulnerability management, PC security and patch management.
Computer security publications:
Journals and magazines:
- 2600: The Hacker Quarterly – technical and political articles of interest to the internet security community
- Virus Bulletin – magazine about the prevention, detection and removal of malware and spam. It regularly features analyses of the latest virus threats, articles exploring new developments in the fight against viruses, interviews with anti-virus experts, and evaluations of current anti-malware products.
Books on computer security:
- The Art of Deception
- The Art of Intrusion
- Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age
- The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage – 1989 book written by Clifford Stoll. First person account of the hunt for a hacker who broke into a computer at the Lawrence Berkeley National Laboratory.
- Cypherpunks
- Firewalls and Internet Security
- The Hacker Crackdown
- The Hacker's Handbook
- Hacking: The Art of Exploitation
- Out of the Inner Circle
- Underground
Books on cryptography:
Cyber security community:
Cyber security communities:
Computer security organizations:
Academic:
- CERIAS – a center for research and education of information security for computing and communication infrastructures located at Purdue University.
- CERT Coordination Center – A program of Carnegie-Mellon University that develops advanced methods and technologies to counter large-scale, sophisticated cyber threats in partnership with other academic programs and with government and law enforcement agencies. The Cert Knowledgebase compiles information on information security incidents.
- Georgia Tech Information Security Center – department of Georgia Tech that deals with information security issues such as cryptography, network security, trusted computing, software reliability, privacy, and internet governance.
- Oulu University Secure Programming Group – studies, evaluates and develops methods of implementing and testing application and system software in order to prevent, discover and eliminate implementation level security vulnerabilities in a pro-active fashion. The focus is on implementation level security issues and software security testing.
Commercial:
See also: Computer security companies, above
- Australian Information Security Association – also known as AISA with paid members in branches located throughout Australia to monitor the condition of information security.
- Microsoft Digital Crimes Unit – a Microsoft sponsored team of international legal and technical experts to stop or interfere with cyber crime and cyber threats.
Government agencies:
- ARNES – Academic and Research Network of Slovenia, which is responsible for development, operation and management of the communication and information network for education and research. It includes the SI-CERT, the Slovenian Computer Emergency Response Team.
- Canadian Cyber Incident Response Centre – also known as CCIRC, a Canadian government program under the Ministry of Public Safety. The program monitors threats, coordinates national responses, and protects national critical infrastructure against cyber incidents.
- Norwegian Cyber Defence Force – the branch of the Norwegian Armed Forces responsible for military communications and offensive and defensive cyberwarfare in Norway.
Law enforcement agencies:
Internet police – police and secret police departments and other law enforcement agencies in charge of policing the Internet. The major purposes of Internet police, depending on the state, are fighting cybercrime, as well as censorship, propaganda, and monitoring and manipulating the online public opinion.
- Air Force Cyber Command (Provisional) – a proposed U.S. Air Force command that existed in provisional status. On 6 October 2008, the Air Force's cyberspace mission was transferred to USCYBERCOM.
- Department of Defense Cyber Crime Center – also known as DC3, is a United States Department of Defense agency that provides digital forensics support to the DoD and to other law enforcement agencies. DC3's main focus is in criminal, counterintelligence, counterterrorism, and fraud investigations.
- FBI Criminal, Cyber, Response, and Services Branch – also known as CCRSB, is a service within the Federal Bureau of Investigation responsible for investigating certain crimes including all computer-based crime related to counterterrorism, counterintelligence, and criminal threats against the United States.
- FBI Cyber Division – Federal Bureau of Investigation division that heads the national effort to investigate and prosecute internet crimes, including "cyber based terrorism, espionage, computer intrusions, and major cyber fraud." This division of the FBI uses the information it gathers during investigation to inform the public of current trends in cyber crime. It focuses around three main priorities: computer intrusion, identity theft, and cyber fraud. It was created in 2002 (FBI's Ability to Address the National Security Cyber Intrusion Threat, p. 2).
- National Security Agency – The United States Bureau responsible for national cybersecurity and military communications protection.
- US-CERT – also known as the United States Computer Emergency Readiness Team, organization within the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD); a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC). US-CERT is responsible for analyzing and reducing cyber threats, vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.
- USCYBERCOM – is an armed forces sub-unified command subordinate to United States Strategic Command. The unit centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks.
Independent non-profits:
- Australian Information Security Association – organization for individuals rather than companies that aims to maintain an unbiased view of information security in Australia. Hosts 2 conferences annually.
- Information Card Foundation – created by Equifax, Google, Microsoft, Novell, Oracle Corporation, PayPal and others, to promote the Information Card approach. Information Cards are personal digital identities that people can use online, and the key component of Identity metasystems.
- Information Systems Security Association –
- International Computer Security Association –
- Internet Watch Foundation –
- OWASP –
Independent web-sites:
- Attrition – information security-related website, updated at least weekly by an all-volunteer staff. The "Errata" section is devoted to pointing out inaccuracies, omissions, and other problems with mainstream media related to computer security and hacking. Additionally, staff members publish opinion pieces such as "Security Rants" pointing out problems with the computer security industry.
- Wiretapped.net –
- Persons influential in computer security
- See also:
- Rubber-hose cryptanalysis
- Outline of computer security at Curlie
- The Layered Defense approach to Security Malay Upadhyay (Cyberoam), January 2014
- Arcos Sergio. Social Engineering. Sancho Rivera.
- Trends in Cyber Security Dan Geer (author), November 2013
- Participating With Safety, a guide to electronic security threats from the viewpoint of civil liberties organisations. Licensed under the GNU Free Documentation License.
- Article "Why Information Security is Hard — An Economic Perspective" by Ross Anderson
- The SANS Top 20 Internet Critical Security Controls
- Windows 7 security
- Windows 8 security
- Mac security
- Linux security – Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs (PDF)
- Threat alerts and vulnerability tracking lists
- Lists of advisories by product Lists of known unpatched vulnerabilities from Secunia
- List of vulnerabilities maintained by the government of the USA
Privacy software
- YouTube Video: Software security - What is software security
- YouTube Video: Best Cryptography and Data Privacy Software (Open Source / Free)
- YouTube Video: GDPR Compliance: “Explain Like I’m Five” with Data Privacy Expert
Privacy software is software built to protect the privacy of its users. The software typically works in conjunction with Internet usage to control or limit the amount of information made available to third parties. The software can apply encryption or filtering of various kinds.
Types of protection:
Privacy software can refer to two different types of protection:
One type is protecting a user's Internet privacy from the World Wide Web. There are software products that will mask or hide a user's IP address from the outside world in order to protect the user from identity theft.
The second type of protection is hiding or deleting the user's Internet traces that are left on their PC after they have been surfing the Internet. There is software that will erase all the user's Internet traces, and there is software that will hide and encrypt a user's traces so that others using their PC will not know where they have been surfing.
Whitelisting and blacklisting:
One solution to enhance privacy software is whitelisting. Whitelisting is a process in which a company identifies the software that it will allow to run, and does not try to recognize malware.
Whitelisting permits acceptable software to run and either prevents anything else from running or lets new software run in a quarantined environment until its validity can be verified.
Whereas whitelisting allows nothing to run unless it is on the whitelist, blacklisting allows everything to run unless it is on the blacklist. A blacklist then includes certain types of software that are not allowed to run in the company environment. For example, a company might blacklist peer-to-peer file sharing on its systems. In addition to software, people, devices, and web sites can also be whitelisted or blacklisted.
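Added example, not from the original page: a whitelist policy and a blacklist policy applied to the same constructed set of programs, so that the failure mode of each shows up side by side (the blacklist lets a never-before-seen binary run; the whitelist holds even a legitimate update in quarantine until it is verified). Keying the whitelist by SHA-256 of the program bytes and tagging programs with a category are assumptions of this example, as are all program names and contents.

```python
import hashlib
from dataclasses import dataclass

ALLOW, DENY, QUARANTINE = "allow", "deny", "quarantine"


@dataclass(frozen=True)
class Program:
    name: str
    contents: bytes   # constructed stand-in for an executable's bytes
    category: str     # e.g. from vendor metadata; "unknown" when nothing is known


def fingerprint(contents):
    """Identify software by the SHA-256 of its bytes (assumed whitelist key)."""
    return hashlib.sha256(contents).hexdigest()


class Whitelist:
    """Nothing runs unless it is on the list; new software is quarantined until verified."""

    def __init__(self, approved):
        self.approved = {fingerprint(p.contents) for p in approved}

    def decide(self, program):
        return ALLOW if fingerprint(program.contents) in self.approved else QUARANTINE

    def verify(self, program):
        """After validity has been checked out of band, admit the program to the list."""
        self.approved.add(fingerprint(program.contents))


class Blacklist:
    """Everything runs unless its category is on the list."""

    def __init__(self, forbidden_categories):
        self.forbidden = set(forbidden_categories)

    def decide(self, program):
        return DENY if program.category in self.forbidden else ALLOW


def compare_policies():
    """Constructed programs run through both policies; returns {name: (whitelist, blacklist)}."""
    office = Program("office-suite", b"\x7fELF office v1", "productivity")
    office_v2 = Program("office-suite-v2", b"\x7fELF office v2", "productivity")
    p2p = Program("p2p-client", b"\x7fELF torrent", "peer-to-peer file sharing")
    unknown = Program("new-binary", b"\x7fELF never seen before", "unknown")

    whitelist = Whitelist(approved=[office])
    blacklist = Blacklist(forbidden_categories={"peer-to-peer file sharing"})

    outcomes = {}
    for program in (office, office_v2, p2p, unknown):
        outcomes[program.name] = (whitelist.decide(program), blacklist.decide(program))

    # The whitelist's operational cost: a legitimate update waits for verification.
    whitelist.verify(office_v2)
    outcomes["office-suite-v2 after verification"] = (
        whitelist.decide(office_v2), blacklist.decide(office_v2))
    return outcomes


if __name__ == "__main__":
    for name, (wl, bl) in compare_policies().items():
        print(f"{name:35s} whitelist={wl:10s} blacklist={bl}")
```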
Intrusion detection systems:
Intrusion detection systems are designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall. These systems capture all network traffic flows and examine the contents of each packet for malicious traffic.
Encryption:
Main article: Encryption software
Encryption is another form of privacy protection. When organizations do not have a secure channel for sending information, they use encryption to stop unauthorized eavesdroppers.
Encryption is the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
Steganography:
Steganography is sometimes used to hide messages from eavesdropping and e-surveillance.
Compared to cryptography, which translates the text itself into another format, steganography hides the data rather than converting it. According to the company Privacy Canada, using steganography ensures that messages can be hidden from exposure.
Similar to cryptography, the message is encoded for protection in various ways: Text, Image, Audio, Video and Network Steganography. It is a substitute for cryptography in order to conceal texts from being viewed.
Privacy vs anonymity:
Privacy is different from anonymity in its applicability and usage. Anonymity is subordinate to privacy and might be desired for the exchange, retrieval or publication of specific information.
Legal issues of use:
Uses of privacy software are not free from legal issues. For instance, there are regulations for export of cryptography from the United States. Similarly, key disclosure law also requires individuals to surrender cryptographic keys to law enforcement agencies.
Encryption laws in India also carry many legal restrictions in diverse situations. Talks are also in the pipeline to include cyber security technologies, like encryption-related software, under the Wassenaar Arrangement, thereby making their export more cumbersome.
See also:
General topics:
- Information privacy
- Encryption
- Privacy
- Proxy server
- Metadata removal tool
- Privacy engineering
- Privacy-enhancing technologies
Software:
- GNU Privacy Guard (GPG)
- Pretty Easy privacy
- Portable Firefox
- Pretty Good Privacy (PGP)
- Secure Shell (SSH)
- I2P
- Tor
- uProxy
Other:
- Reset The Net
- PRISM Break
- ISO IEC 27701
- Privacy Vendors
- Privacy Tools
- NIST
- Tutorials for privacy tools, by CryptoParty
A connected world will be a playground for hackers (The Economist) and Hackers have a devastating new target (CNN Business)
- YouTube Video: Network Security 101: Full Workshop
- YouTube Video: Operations slowly resume after hackers shutdown major U.S. pipeline with ransomware attack
- YouTube Video: What is the True Cost of a Ransomware Attack? 6 Factors to Consider
A connected world will be a playground for hackers
Few companies making connected gadgets have much experience with cyber security:
As ways to break into casinos go, a fish tank is an unusual route. Yet that is what was used in an unnamed American gambling house in 2017. It had invested in a fancy internet-connected tank in which the temperature and salinity of the water were remotely controlled. Its owners were not naive: when they installed it, they isolated its controls on their own specific part of their company network, away from all their sensitive systems.
It made no difference. According to Darktrace, a computer-security firm, attackers from Finland managed to break into the tank’s systems, then used it as a stepping stone for the rest of the casino’s networks. They made off with around 10GB of data.
Computer security is already hard. Everyone from the central bank of Bangladesh to America’s National Security Agency has suffered hacks or data breaches. The IoT will make things worse. A world in which more objects are computers is a world with more targets for miscreants.
David Palmer, Darktrace’s director of technology, reels off a list of examples. “We’ve seen corporate espionage between suppliers inside a power station,” he says. “One supplier was using [their] access within the network to look at the performance characteristics of another supplier’s equipment.” His firm also discovered an attack on fingerprint readers that controlled access to a luxury-goods factory, and malware which spread through a hospital department after infecting a connected fax machine.
Other incidents have been spectacular enough to make the news. In 2016 millions of people in America found themselves struggling to reach many websites, including those of Twitter, Amazon, Netflix and Reddit. The culprit was a piece of IoT-focused malware called Mirai. By exploiting a list of default usernames and passwords, which most users never change, Mirai had infected hundreds of thousands of connected devices, from smart energy meters to home CCTV cameras and connected baby monitors.
Each infected gadget became part of a “botnet”, a group of computers in thrall to the malware. The botnet then performed a “distributed denial-of-service attack” against Dyn, a company that helps maintain the routing information that allows browsers to reach websites.
By deluging Dyn’s servers with junk messages generated by the subverted devices, the botnet prevented them from responding to legitimate requests.
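The default-credential scanning the Mirai paragraphs describe is easy to spot on the device side if the login daemon logs what was tried. The following detector is an added example written for this page, not code from the article or from the Mirai source: it parses constructed telnet login log lines, groups attempts by source address and flags any source that cycles through factory-default username/password pairs, marking the device as compromised when one of those defaults is accepted. The telnetd log format, the addresses and the sample lines are constructed for the illustration, and DEFAULT_CREDENTIALS is a short excerpt of the kind of defaults Mirai tried, not the full list. The same is_default_credential check doubles as a provisioning test for a device that must not ship with a default password.

```python
"""Flag Mirai-style default-credential scanning in device login logs.

Added example for this page; not code from the article or from Mirai.
The telnetd log format, the sample lines and the addresses are constructed.
DEFAULT_CREDENTIALS is a short excerpt of the kind of factory defaults
Mirai's scanner cycled through, not the full leaked list.
"""
import re
from collections import defaultdict

# Excerpt of factory-default (username, password) pairs of the kind Mirai
# tried over telnet. Illustrative subset only.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", "password"), ("root", "pass"), ("ubnt", "ubnt"), ("guest", "guest"),
    ("admin", "1234"), ("service", "service"), ("supervisor", "supervisor"),
}

# Constructed syslog-style format: a telnet daemon that records the result,
# source address and attempted username/password of every login.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: (?P<result>FAILED|ACCEPTED) login from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) user='(?P<user>[^']*)' pass='(?P<pw>[^']*)'$"
)


def is_default_credential(user, password):
    """True if the pair is on the known-default list. Exact match: Mirai
    tried literal strings, so 'Admin' is not the same as 'admin'."""
    return (user, password) in DEFAULT_CREDENTIALS


def parse_line(line):
    """Return the fields of one login line, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_default_cred_scan(lines, threshold=3):
    """Group attempts by source address and flag sources that tried at least
    `threshold` known-default pairs. Returns {src: summary}; `compromised`
    is True when a default pair was accepted, i.e. the device is now owned."""
    per_src = defaultdict(lambda: {"attempts": 0, "defaults": 0, "accepted": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line
        s = per_src[rec["src"]]
        s["attempts"] += 1
        if is_default_credential(rec["user"], rec["pw"]):
            s["defaults"] += 1
        if rec["result"] == "ACCEPTED":
            s["accepted"].append((rec["user"], rec["pw"]))
    findings = {}
    for src, s in per_src.items():
        if s["defaults"] >= threshold:
            findings[src] = {
                "attempts": s["attempts"],
                "default_attempts": s["defaults"],
                "compromised": any(is_default_credential(u, p) for u, p in s["accepted"]),
            }
    return findings


# Constructed sample: one scanner walking the default list until it gets in,
# one legitimate operator with a unique password, one source below threshold,
# and an unrelated kernel line the parser must skip.
SAMPLE_LOG = [
    "2016-10-21T11:02:13Z telnetd[412]: FAILED login from 198.51.100.23 user='root' pass='xc3511'",
    "2016-10-21T11:02:14Z telnetd[412]: FAILED login from 198.51.100.23 user='root' pass='vizxv'",
    "2016-10-21T11:02:14Z kernel: eth0: link is up, 100 Mbps",
    "2016-10-21T11:02:15Z telnetd[413]: FAILED login from 198.51.100.23 user='admin' pass='admin'",
    "2016-10-21T11:02:16Z telnetd[413]: ACCEPTED login from 198.51.100.23 user='root' pass='12345'",
    "2016-10-21T11:05:40Z telnetd[420]: FAILED login from 203.0.113.9 user='admin' pass='S3cur3!'",
    "2016-10-21T11:05:52Z telnetd[420]: ACCEPTED login from 203.0.113.9 user='admin' pass='tank-Salinity-77'",
    "2016-10-21T11:09:01Z telnetd[431]: FAILED login from 192.0.2.77 user='root' pass='root'",
    "2016-10-21T11:09:02Z telnetd[431]: FAILED login from 192.0.2.77 user='guest' pass='guest'",
]


def main():
    for src, info in sorted(detect_default_cred_scan(SAMPLE_LOG).items()):
        status = "COMPROMISED" if info["compromised"] else "scanned"
        print(f"{src}: {status}, {info['default_attempts']}/{info['attempts']} attempts used factory defaults")


if __name__ == "__main__":
    main()
```

Run on the sample, only 198.51.100.23 is reported, as compromised, because all four of its attempts came from the default list and the last one was accepted; the operator at 203.0.113.9 is ignored, and 192.0.2.77 stays below the threshold. The threshold exists because a single mistyped default from a legitimate user is not a scan; a real deployment would also emit the source address to a blocklist and treat any ACCEPTED default as an incident rather than a finding.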
But the IoT will do more than simply give hackers new targets. As computers spread into objects that can interact with the physical world, it will enable attacks that endanger life and property.
In 2015 a pair of security researchers from Twitter, a social network, and IOActive, a cyber-security firm, staged a demonstration for Wired, a technology magazine, in which they remotely took control of a car while it was being driven. They were able to turn on the stereo and the windscreen wipers, cut the engine, apply the brakes and even, in some circumstances, control the steering wheel.
As a result Fiat Chrysler, the car’s manufacturer, announced it would recall 1.4m vehicles. Security researchers have also demonstrated an ability to hack into medical devices, including pacemakers and insulin pumps.
Hacking an insulin pump would be a convoluted way to kill someone. But less drastic sorts of crime will be possible, too. Ransomware, which prevents use of a computer until cash is paid, is a natural fit for a world where everything is connected. Ransomware for cars or home-lighting systems is a popular near-future prediction at computer-security conferences.
Some accidental infections have already happened. In 2017, 55 speed cameras in Victoria, Australia, were infected by a piece of ransomware that was designed to attack desktop computers. In June Avast Software, a Czech cyber-security firm, demonstrated how to install ransomware on a networked coffee machine, making it gush boiling water and constantly spin its grinder until the victim pays up.
Dangers of connection:
Companies are aware of the danger. A survey of managers by Bain & Company, a consulting firm, found that worries about security were the single biggest barrier for companies thinking of adopting IoT technologies. Consumers are worried, too. A survey of 2,500 of them by Ernst & Young, a management consultancy, found that 71% were concerned about hackers getting access to smart gadgets.
Patching up the holes will not be easy. One reason is that computers, and computer software, are complicated. Ford’s best-selling F-150 pickup truck, for instance, is reckoned to have around 150m lines of code. A general rule is that good programmers working under careful supervision average about one bug per 2,000 lines of code. That means that almost any computerized gadget will be riddled with bugs.
Another problem is that few of the companies making connected gadgets have much experience with cyber security—or the incentives to take it seriously. Good security costs money, and the better it is, the less its benefits are visible to the end-user. Attacks like Mirai, in which the costs fall not on the gadget-makers or their owners but on unrelated third parties, muddy things even more. The upshot is that basic precautions are routinely ignored.
A paper published in June by Stanford University analysed telemetry from 83m connected devices and found that millions used old, insecure communication protocols or weak passwords.
One option is to learn from others. In February the Industrial Internet Consortium, a trade body focused on industrial deployments of the IoT, published a guide to security written by experts from veteran firms such as Fujitsu, Kaspersky Lab and Microsoft. Another is to outsource the problem to those better suited to dealing with it. Arm has fortified its chip designs with built-in security features, as has Intel, the world’s biggest chipmaker.
Big computing firms are trying to turn security into a selling point. Microsoft sees the IoT as an important market for its cloud-computing business. Under the Azure Sphere brand it has developed a security-focused, low-power microcontroller designed to be the brains of a wide range of IoT devices (microcontrollers are smaller, cheaper and less capable than microprocessors).
Those microcontrollers run a security-focused version of the Linux operating system and communicate through Azure’s cloud servers, which have extra security features of their own. Mark Russinovich, Azure’s chief technology officer, says many of the security features were inspired by lessons from the firm’s Xbox video-gaming division, which has plenty of experience designing hack-resistant computers. Starbucks, a coffee chain whose connected coffee machines can download new recipes, is one early customer.
Governments are getting involved, too. In 2017 America’s Food and Drug Administration issued its first cyber-security-related product recall, having found that some wireless pacemakers were vulnerable to hacking.
The following year California became the first American state to mandate minimum security standards for IoT products, including a ban on the use of default passwords. Britain’s government is mooting similar laws to require manufacturers to provide contact details for bug-hunters and to spell out how long products can expect to receive security updates.
But whereas widget-makers can learn much from the computing giants, some lessons will have to flow in the other direction, too. The computing industry moves at high speed.
Smartphones, for instance, rarely receive security updates for more than five years. That sort of institutional neophilia is not going to work with products like cars or factory robots, which can have much longer lifespans, says Mr Palmer. Employing the programmers necessary to provide support for dozens of models for decades, he says, will be an expensive proposition.
Code and the law:
Looming over everything, says Angela Walch, an American lawyer who specializes in tech, is the question of legal liability. The software industry uses licensing agreements to try to exempt itself from the sort of liability that attaches to firms that ship shoddy goods. Such an exemption, she says, amounts to an enormous de facto subsidy.
So far courts (at least in America) have been broadly happy to enforce such disclaimers. Ms Walch says any attempt to change that would be fought by the software industry, which has long argued that holding it liable for mishaps would stifle innovation.
But that line will become harder to defend as software spreads into the sorts of physical goods that, historically, have not been granted such legal exemptions. “What are we saying?” she asks. “That if buggy software or compromised software kills someone, you won’t be able to claim?”
Bruce Schneier, an American security expert, thinks that, in the long run, the consequences of poor security could mean that businesses and consumers reach “peak connectivity” and begin to question the wisdom of connecting everyday objects. He draws an analogy with nuclear energy, which enthusiasts once saw powering everything from cars to catflaps. These days “we still have nuclear power,” he writes, “but there’s more consideration about when to build nuclear plants and when to go with some alternative form of energy. One day, computerisation is going to be like that, too.” ■
This article appeared in the Technology Quarterly section of the print edition under the headline "Hack the Planet"
[End of Economist Article]
___________________________________________________________________________
Hackers have a devastating new target (CNN Business)
By Rishi Iyengar and Clare Duffy, CNN Business
Updated 7:19 AM ET, Fri June 4, 2021
(CNN Business) A major gas pipeline. Dozens of government agencies. A Florida city's water supply. And now, one of the world's top meat producers.
The last few months have seen a sharp rise in cyberattacks, often disrupting products and services that are key to our everyday lives. Many of those attacks have used ransomware, a set of tools that lets hackers gain access to computer systems and disrupt or lock them until they get paid.
Ransomware is not new. But there is a growing trend of hackers targeting critical infrastructure and physical business operations, which makes the attacks more lucrative for bad actors and more devastating for victims. And with the rise of remote work during the pandemic, significant vulnerabilities have been revealed that only make it easier to carry out such attacks.
The US Department of Justice in April created a ransomware task force, after declaring 2020 the "worst year ever" for extortion-related cyberattacks. The issue only seems to be getting worse: The first half of 2021 has already seen a 102% increase in ransomware attacks compared to the beginning of last year, according to a report from cybersecurity firm Check Point Software.
That doesn't even factor in the most recent events, including the announcement Wednesday from a ferry operator in Martha's Vineyard, Cape Cod and Nantucket that it was hit by a ransomware attack.
The US government is now ratcheting up efforts to address the threat of ransomware, but experts warn that without significant cooperation and investment from the private sector, these attacks are likely here to stay.
Bigger targets, better returns
Many people think of cyberattacks as just that: an attempt by hackers to steal sensitive data or money online. But now hackers have found a significant moneymaker in targeting physical infrastructure.
These attacks have potential to spark mayhem in people's lives, leading to product shortages, higher prices and more. The greater the disruption, the greater the likelihood that companies will pay to alleviate it.
"If you're a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you," said Katell Thielemann, Gartner's vice president analyst for security and risk management. "This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly that's where the most pain is felt because that's where they make money."
Multiple recent ransomware attacks have originated from Russia, according to US officials.
On Wednesday, the FBI attributed the attack on meat producer JBS to a Russia-based cybercriminal group called REvil, which also tried to extort Apple supplier Quanta Computer earlier this year. REvil is similar to DarkSide, the group US officials said was behind the ransomware attack that shut down the Colonial Pipeline last month.
Experts say both REvil and DarkSide operate what are essentially "ransomware-as-a-service" businesses, often employing large staffs to create tools to help others execute ransomware attacks, and taking a cut of the profits. In some cases, they also carry out their own attacks.
Russian law enforcement typically leaves such groups operating within the country alone if their targets are elsewhere, because they bring money into the country, cybersecurity experts say.
JBS has not said whether it paid any ransom to the attackers, but Colonial Pipeline's CEO admitted to paying $4.4 million in ransom to resume its operations. Experts typically advise against paying ransoms to avoid funding the criminal groups that impose them, but companies sometimes have little choice if they are to get back up and running.
The list of potential targets is long. The US government's Cybersecurity and Infrastructure Security Agency (CISA) lists 16 different industries as "critical infrastructure sectors," including energy, healthcare, financial services, water, transportation, food and agriculture, the compromise of which could have a "debilitating effect" on the US economy and security. But experts say much of this infrastructure is aging, and its cyber defenses haven't kept up with the evolution of bad actors.
To make matters worse, many companies in those industries haven't historically thought of themselves as tech companies, meaning their systems may be less sophisticated and easier to compromise, according to Mark Ostrowski, head of engineering at Check Point.
"So hospitals, their business is to save lives; meat and poultry is to produce goods and services; pipelines are to create gas exchange or oil exchange," he said. "Those certain industries also may be targeted because maybe they're behind in their [software] patching, maybe their cyber program is not quite what it needs to be."
This has become increasingly true in recent years. As technology has evolved, more physical infrastructure has been embedded with connected devices that link it with a company's larger network. Even if a hacker enters a company's network through its email system, for example, they could have the opportunity to wreak havoc on the machines in its production facilities or other areas of the business.
"The world is becoming more connected" and we should expect the risks "to multiply across all of these industries," Thielemann said.
How the pandemic made things worse
It's not a coincidence that ransomware has spiked during the pandemic.
The health crisis is a perfect storm, with millions of people shifting to remote work almost overnight — including workers who may have access to critical infrastructure systems — and ransomware that can be deployed simply by clicking a link in an email.
"Critical infrastructure was always designed to have the control systems isolated and physically separate from the corporate network and the internet," said Eric Cole, a former cybersecurity commissioner to the Obama administration and author of the new book "Cyber Crisis."
"Initially for automation and accelerated by the pandemic, these systems are now connected to the internet. ... The known vulnerabilities make them an easy target," Cole added.
The pandemic also heightened certain targets, as hackers sought opportunities to profit by attacking crucial services.
In particular, hospital systems and other health providers frequently came under attack even as they struggled to deal with the strain of Covid-19 — leaving them little time to respond and update defenses. An analysis by CISA between March and November 2020 showed that 49% of healthcare providers it surveyed had "risky ports and services" and 58% of them were using software versions vulnerable to attack.
An analysis by cybersecurity firm Emsisoft published in January showed that as many as 560 healthcare facilities were hit by ransomware last year. More than 1,500 schools and 113 government agencies were also impacted, the firm said.
The targeting of healthcare facilities appears to predate the pandemic — Emsisoft's previous research showed that 764 healthcare providers suffered ransomware attacks in 2019, though overall attacks tracked by the firm went up in 2020.
What needs to be done
Companies, organizations and agencies will now need to work as quickly as possible to plug potential gaps in their systems, updating software and ensuring that their most critical functions are sufficiently insulated from cyberattacks.
President Joe Biden last month signed an executive order requiring companies doing work for the government to improve their cybersecurity practices — stipulations that Congress could expand to other private firms underpinning infrastructure and other critical levers of the US economy. On Wednesday, following the JBS and ferry attacks, White House press secretary Jen Psaki said the administration is also "building an international coalition to hold countries who harbor ransom actors accountable."
On Thursday, the White House issued an open letter urging companies to treat the threat of ransomware attacks with greater urgency, saying companies that "view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."
"Every company needs to be able to heighten this and become preventative because these attacks are weapons-grade. They're not just casual attacks," Ostrowski said.
For companies, the easiest fix is to keep the most vital infrastructure functions off the web — and to keep any online systems up to date with software patches, Cole said.
And while systems-level upgrades or overhauls may sometimes be necessary, Ostrowski said the risk often comes down to individual behavior. Most ransomware is distributed through phishing attacks, in which users are tricked into clicking a link in an email that gives the hackers broad access to their system.
"It's actually very simple. As a cybersecurity community we've been trying to solve the email problem for decades," he said. "It's about solving and preventing phishing attacks, number one, and that will lead to anti-ransomware technologies."
In many cases, companies in healthcare, food or energy have few, if any, executives or board members with the technical background or know-how needed to help mitigate cyber risks, something that also needs to change as bad actors become increasingly sophisticated.
"I think the industries expect these number of attacks to continue to increase," Ostrowski said. "If anything, what this has highlighted is how important our supply chains are."
[End of CNN Article]
President Joe Biden last month signed an executive order requiring companies doing work for the government to improve their cybersecurity practices — stipulations that Congress could expand to other private firms underpinning infrastructure and other critical levers of the US economy. On Wednesday, following the JBS and ferry attacks, White House press secretary Jen Psaki said the administration is also "building an international coalition to hold countries who harbor ransom actors accountable."
On Thursday, the White House issued an open letter urging companies to treat the threat of ransomware attacks with greater urgency, saying companies that "view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."
"Every company needs to be able to heighten this and become preventative because these attacks are weapons-grade. They're not just casual attacks," Ostrowski said.
For companies, the easiest fix is to keep the most vital infrastructure functions off the web — and to keep any online systems up to date with software patches, Cole said.
And while systems-level upgrades or overhauls may sometimes be necessary, Ostrowski said the risk often comes down to individual behavior. Most ransomware is distributed through phishing attacks, in which users are tricked into clicking a link or opening an attachment in an email; the resulting infection gives the attackers a foothold from which they can spread across the network.
"It's actually very simple. As a cybersecurity community we've been trying to solve the email problem for decades," he said. "It's about solving and preventing phishing attacks, number one, and that will lead to anti-ransomware technologies."
In many cases, companies in healthcare, food or energy have few, if any, executives or board members with the technical background or know-how needed to help mitigate cyber risks, something that also needs to change as bad actors become increasingly sophisticated.
"I think the industries expect these number of attacks to continue to increase," Ostrowski said. "If anything, what this has highlighted is how important our supply chains are."
[End of CNN Article]
The Dark Web
- YouTube Video: How To Find Anything On The Dark Web
- YouTube Video: What is the Dark Web?
- YouTube Video: Guide to DarkNet Markets
The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access.
Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location. The dark web forms a small part of the deep web, the part of the Web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.
The darknets which constitute the dark web include small, friend-to-friend peer-to-peer networks, as well as large, popular networks such as Tor, Freenet, I2P, and Riffle, operated by public organizations and individuals. Users of the dark web refer to the regular web as the Clearnet because traffic on it is not anonymized. The Tor dark web, or onionland, uses the traffic anonymization technique of onion routing; its sites are addressed under the special-use suffix .onion, which is resolved only inside the Tor network and not by the public DNS.
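An added example, not from the original page: a small Python validator for the current (version 3) form of .onion addresses. It encodes the documented layout, base32 of the service's 32-byte Ed25519 public key followed by a two-byte SHA3-256 checksum and the version byte 0x03, and rejects mistyped, tampered or legacy 16-character (v2) addresses. The sample key is constructed with SHA-256 purely for demonstration; a real service key is an Ed25519 public key generated by Tor.

```python
import base64
import binascii
import hashlib

# Layout of a version-3 onion address as implemented here:
#   address  = base32( PUBKEY || CHECKSUM || VERSION ) + ".onion"
#   PUBKEY   = 32-byte Ed25519 identity public key of the service
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION  = 0x03
ONION_VERSION = b"\x03"
ONION_SUFFIX = ".onion"
V3_ADDRESS_LEN = 56   # 35 raw bytes -> 56 base32 characters, no padding
V2_ADDRESS_LEN = 16   # legacy v2 addresses (deprecated, unreachable since 2021)


def onion_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the .onion address for a 32-byte service public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 identity key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX


def decode_onion_v3(address: str) -> bytes:
    """Return the service public key, or raise ValueError saying why the address is bad."""
    label = address.strip().lower()
    if label.endswith(ONION_SUFFIX):
        label = label[: -len(ONION_SUFFIX)]
    if len(label) == V2_ADDRESS_LEN:
        raise ValueError("legacy v2 address: no longer reachable on the Tor network")
    if len(label) != V3_ADDRESS_LEN:
        raise ValueError(f"expected {V3_ADDRESS_LEN} base32 characters, got {len(label)}")
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError(f"not valid base32: {exc}") from None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported version byte 0x{version.hex()}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or tampered with")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    try:
        decode_onion_v3(address)
        return True
    except ValueError:
        return False


def sample_pubkey() -> bytes:
    # Constructed key for demonstration only; not a real Tor service key.
    return hashlib.sha256(b"constructed example identity key").digest()


def corrupt(address: str, offset: int, xor_mask: int) -> str:
    """Re-encode the address with one raw byte altered, to show the checks firing."""
    raw = bytearray(base64.b32decode(address[: -len(ONION_SUFFIX)].upper()))
    raw[offset] ^= xor_mask
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ONION_SUFFIX


if __name__ == "__main__":
    addr = encode_onion_v3(sample_pubkey())
    print(addr, is_valid_onion_v3(addr))
    print("version byte altered:", is_valid_onion_v3(corrupt(addr, 34, 0x01)))
    print("checksum byte altered:", is_valid_onion_v3(corrupt(addr, 32, 0xFF)))
```

The checksum is only two bytes, so it catches typos and casual tampering, not a deliberate forgery; the guarantee that an address belongs to a given service comes from the Ed25519 key itself, which Tor verifies when it connects.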
Terminology:
Definition:
Main article: Darknet
The dark web has often been confused with the deep web, the parts of the web not indexed (searchable) by search engines. The term "dark web" first emerged in 2009; it is unknown when the dark web itself first emerged. Many internet users only use the surface web, the content that an ordinary browser and search engine can reach.
The dark web forms a small part of the deep web but requires custom software in order to access its content. The confusion between the two terms dates back to at least 2009. Since then, especially in reporting on Silk Road, the two terms have often been conflated, despite recommendations that they should be distinguished.
Dark web sites, also known as darknet websites, are reachable only through networks such as Tor ("The Onion Router") that are built for anonymous access. The Tor Browser and Tor-reachable sites (onion services) are widely used among darknet users; such sites are identified by the ".onion" suffix. Tor builds an encrypted path (a circuit) through several volunteer relays for the user, so that searches and actions on the dark web are not directly linked to the user's IP address. The layered encryption makes users' identities and locations hard to track, but not impossible: an adversary who can watch both ends of a circuit, a compromised site that serves a browser exploit (as in the Playpen investigation described below), or a user's own operational mistakes can all lead to deanonymization.
Onion routing sends the user's traffic through a series of intermediate relays. The client wraps its data in one layer of encryption per relay; each relay can strip only its own layer, which reveals the address of the next relay and nothing more, and the final relay (the exit node) delivers the traffic to its destination. For .onion services the circuit ends at a rendezvous point inside the Tor network rather than at an exit node, so the traffic never leaves Tor unencrypted.
Because no single relay knows both the origin and the destination, reconstructing the full path requires observing or controlling several relays at once. Sites therefore do not see the real IP address or location of their visitors, and visitors cannot learn where a .onion host is located. Communication between darknet users is thus encrypted inside the network, allowing users to talk, blog, and share files with a strong degree of confidentiality.
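The layer-per-relay construction described above, as an added example that is not part of the original page and is not Tor's actual code: a client wraps a message for three relays (guard, middle, exit), and each relay strips exactly one layer, learning only who handed it the onion and where to send it next. It models a circuit to a clearnet destination through an exit node. The stream cipher is a toy (SHA-256 in counter mode) standing in for Tor's AES-CTR, and the per-relay keys are assumed to have been agreed during circuit setup, which the example does not implement.

```python
import hashlib
import os
from dataclasses import dataclass, field

HOP_FIELD = 16   # fixed-width next-hop field inside every layer (constructed format)
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Demonstration only, not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


@dataclass
class Relay:
    name: str
    key: bytes                                  # symmetric key shared with the client (setup assumed done)
    seen: list = field(default_factory=list)    # (previous hop, next hop) pairs this relay observed

    def process(self, prev_hop: str, onion: bytes):
        """Strip exactly one layer: learn the next hop, forward the still-encrypted remainder."""
        nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
        plain = xor_crypt(self.key, nonce, body)
        next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode("ascii")
        self.seen.append((prev_hop, next_hop))
        return next_hop, plain[HOP_FIELD:]


def build_onion(path: list, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per relay, innermost layer for the exit."""
    next_hops = [relay.name for relay in path[1:]] + [destination]
    inner = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        if len(next_hop) > HOP_FIELD:
            raise ValueError(f"hop name too long: {next_hop}")
        nonce = os.urandom(NONCE_LEN)
        plain = next_hop.encode("ascii").ljust(HOP_FIELD, b"\0") + inner
        inner = nonce + xor_crypt(relay.key, nonce, plain)
    return inner


def route(path: list, onion: bytes, client: str = "client"):
    """Forward the onion hop by hop; returns the destination and plaintext the exit delivers."""
    prev, current, next_hop = client, onion, None
    for relay in path:
        next_hop, current = relay.process(prev, current)
        prev = relay.name
    return next_hop, current


def run_demo() -> dict:
    guard, middle, exit_relay = (Relay(n, os.urandom(32)) for n in ("guard", "middle", "exit"))
    path = [guard, middle, exit_relay]
    onion = build_onion(path, "example.com", b"GET / HTTP/1.1")   # constructed sample request
    destination, delivered = route(path, onion)
    return {"destination": destination, "delivered": delivered,
            "observed": {relay.name: relay.seen for relay in path}}


if __name__ == "__main__":
    result = run_demo()
    for name, seen in result["observed"].items():
        print(f"{name}: saw {seen}")
    print("exit delivered", result["delivered"], "to", result["destination"])
```

Only the exit sees the plaintext and the destination, and only the guard sees the client; that is the property the text describes. What the example also makes visible is the limit: every relay sees the timing and size of the cell it forwards, so an observer watching both the guard and the exit can still correlate the two ends, which is why onion routing hides the path but does not make users untraceable in principle.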
This anonymity also creates a forum for illegal activity, which is what the dark web is most associated with. Authorities have reported the trade of child sexual abuse material, drug-related crime, illegal financing, and pornography involving violence and animals. A dark web marketplace, also known as a cryptomarket, operates by selling illegal goods such as drugs, weapons, and products and information used for financial fraud.
Content:
A December 2014 study by Gareth Owen from the University of Portsmouth found that the most commonly hosted type of content on Tor was child abuse material, followed by black markets, while the individual sites with the highest traffic were dedicated to botnet operations. Many whistleblowing sites maintain a presence, as do political discussion forums. Sites associated with Bitcoin, fraud-related services, and mail order services are among the most prolific.
As of December 2020, the number of active .onion sites on Tor was estimated at 76,300, many of them mirrors or copies; of these, about 18,000 were estimated to have original content.
In July 2017, Roger Dingledine, one of the three founders of the Tor Project, said that Facebook is the biggest hidden service. Traffic to onion services comprises only about 3% of the traffic in the Tor network; the rest is ordinary web traffic leaving through exit nodes.
A February 2016 study from researchers at King's College London gives a breakdown of content by an alternative category set, highlighting the illicit use of .onion services.
Botnets:
Botnets are often structured with their command-and-control servers based on a censorship-resistant hidden service, creating a large amount of bot-related traffic.
Darknet markets:
Main article: Darknet market
Commercial darknet markets mediate transactions for illegal goods and typically use Bitcoin as payment. These markets have attracted significant media coverage, starting with the popularity of Silk Road and Diabolus Market and their subsequent seizure by legal authorities. Silk Road, which emerged in 2011, was one of the first dark web marketplaces and allowed the trading of weapons and identity fraud resources. These markets offer no protection for their users and can be closed down at any time by authorities.
Despite the closures of these marketplaces, others pop up in their place. As of 2020, at least 38 dark web marketplaces were active. These marketplaces are similar to eBay or Craigslist in that users can interact with sellers and leave reviews about marketplace products.
Examination of price differences in dark web markets versus prices in real life or over the World Wide Web has been attempted, as have studies of the quality of goods received over the dark web. One such study was performed on Evolution, one of the most popular cryptomarkets, active from January 2013 to March 2015.
Although it found the digital information, such as concealment methods and shipping country, "seems accurate", the study uncovered issues with the quality of illegal drugs sold on Evolution, stating that "... the illicit drugs purity is found to be different from the information indicated on their respective listings." Less is known about consumer motivations for accessing these marketplaces and the factors associated with their use.
Bitcoin services:
Bitcoin is one of the main cryptocurrencies used in dark web marketplaces because it can be transferred without a bank or other intermediary. It is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, so addresses can be linked to people through blockchain analysis, and users seeking to hide their identity and intentions have relied on additional laundering steps. A common approach was to use a digital currency exchanger service that converted Bitcoin into an online game currency (such as gold coins in World of Warcraft) that would later be converted back into money.
Bitcoin services such as tumblers are often available on Tor, and some – such as Grams – offer darknet market integration. A research study undertaken by Jean-Loup Richet, a research fellow at ESSEC, and carried out with the United Nations Office on Drugs and Crime, highlighted new trends in the use of Bitcoin tumblers for money laundering purposes.
Because of its role in the digital economy, Bitcoin has also become a popular vehicle for extorting companies. Cybercriminal groups such as DD4BC ("DDoS for Bitcoin") have carried out more than 140 attacks on companies since 2014, threatening distributed denial-of-service unless a Bitcoin ransom is paid. These attacks have led to the formation of other cybercriminal groups and to cyber extortion as a business model.
Hacking groups and services:
Many hackers sell their services either individually or as part of groups. Such groups include xDedic, hackforum, Trojanforge, Mazafaka, dark0de and the TheRealDeal darknet market. Some have been known to track and extort apparent pedophiles. Cyber crimes and hacking services targeting financial institutions and banks have also been offered over the dark web.
Attempts to monitor this activity have been made by various government and private organizations, and an examination of the tools used can be found in the Procedia Computer Science journal. Internet-scale DNS distributed reflection denial-of-service (DRDoS) attacks have also been launched by leveraging the dark web. Many scam .onion sites are also present, offering tools for download that turn out to be infected with trojan horses or backdoors.
Financing and fraud:
Scott Dueweke, the president and founder of Zebryx Consulting, states that Russian electronic currencies such as WebMoney and Perfect Money are behind the majority of the illegal actions. In April 2015, Flashpoint received a 5 million dollar investment to help its clients gather intelligence from the deep and dark web.
There are numerous carding forums, PayPal and Bitcoin trading websites as well as fraud and counterfeiting services. Many such sites are scams themselves. Phishing via cloned websites and other scam sites are numerous, with darknet markets often advertised with fraudulent URLs.
Illegal pornography:
The type of content that has the most popularity on the dark web is illegal pornography, more specifically child abuse material. In the 2014 Portsmouth study, about 80% of visits to Tor hidden services went to sites hosting such material, even though those sites are difficult to find, even on the dark web. A website called Lolita City, that has since been taken down, contained over 100 GB of child abuse media and had about 15,000 members.
There is regular law enforcement action against sites distributing child abuse material, often by compromising the site itself and using it to unmask visitors' IP addresses, which bypasses Tor's routing protections entirely. In 2015, the FBI investigated and took down a website called Playpen. At the time, Playpen was the largest child abuse site on the dark web, with over 200,000 members. Such sites use complex systems of guides, forums and community regulation.
Other content includes sexualized torture and killing of animals and revenge porn. In May 2021, German police said that they had dismantled one of the world's biggest child pornography networks on the dark web, with over 400,000 registered users. Four people had been detained in raids, including a man from Paraguay, on suspicion of running the network. Europol said several pedophile chat sites were also taken down in the German-led intelligence operation.
Terrorism:
Terrorist organizations took to the internet as early as the 1990s; the birth of the dark web, however, attracted these organizations because of its anonymity, lack of regulation, social interaction, and easy accessibility. These groups have been taking advantage of the chat platforms within the dark web to inspire terrorist attacks. Groups have even posted "how to" guides teaching people how to become terrorists and hide their identity.
The dark web became a forum for terrorist propaganda, guidance, and, most importantly, funding. With the introduction of Bitcoin, hard-to-trace transactions allowed for anonymous donations and funding. By accepting Bitcoin, terrorists were able to raise money to purchase weaponry.
In 2018, an individual named Ahmed Sarsur was charged with attempting to purchase explosives and hire snipers to aid Syrian terrorists, as well as attempting to provide them financial support, all through the dark web.
There are at least some real and fraudulent websites claiming to be used by ISIL (ISIS), including a fake one seized in Operation Onymous. As technology has spread, cyber terrorists have been able to flourish by attacking its weaknesses.
In the wake of the November 2015 Paris attacks, an actual such site was hacked by an Anonymous-affiliated hacker group, GhostSec, and replaced with an advert for Prozac. The Rawti Shax Islamist group was found to be operating on the dark web at one time.
Social media:
Within the dark web there exist emerging social media platforms similar to those on the World Wide Web, known as the Dark Web Social Network (DWSN). The DWSN works like a regular social networking site: members can have customizable pages, have friends, like posts, and blog in forums.
Facebook and other traditional social media platforms have begun to make dark-web versions of their websites to address problems associated with the traditional platforms and to continue their service in all areas of the World Wide Web.
Unlike Facebook, the privacy policy of the DWSN requires that members are to reveal absolutely no personal information and remain anonymous.
Hoaxes and unverified content:
Main article: Hoax
There are reports of crowdfunded assassinations and hitmen for hire; however, these are believed to be exclusively scams. The creator of Silk Road, Ross Ulbricht, was arrested by Homeland Security Investigations (HSI) for his site and for allegedly hiring a hitman to kill six people, although the murder-for-hire charges were later dropped.
There is an urban legend that one can find live murder on the dark web. The term "Red Room" has been coined based on the Japanese animation and urban legend of the same name. However, the evidence points toward all reported instances being hoaxes.
On June 25, 2015, the indie game Sad Satan was reviewed by YouTubers Obscure Horror Corner which they claimed to have found via the dark web. Various inconsistencies in the channel's reporting cast doubt on the reported version of events. There are several websites which analyze and monitor the deep web and dark web for threat intelligence.
Policing the Dark Web:
There have been arguments that the dark web promotes civil liberties, like "free speech, privacy, anonymity." Some prosecutors and government agencies are concerned that it is a haven for criminal activity. The deep and dark web are applications of integral internet features to provide privacy and anonymity. Policing involves targeting specific activities of the private web deemed illegal or subject to internet censorship.
When investigating online suspects, police typically rely on the IP (Internet Protocol) address of the individual; because the Tor Browser hides that address behind the relay circuit, this tactic is usually ineffective on its own. As a result, law enforcement has employed many other tactics, such as compromising the sites themselves, correlating activity across services, and exploiting users' operational mistakes, in order to identify and arrest those engaging in illegal activity on the dark web.
OSINT, or open source intelligence, is the collection of information from legally accessible public sources. Dark web specific OSINT tools help officers find pieces of information that lead to a fuller picture of the interactions going on in the dark web.
In 2015 it was announced that Interpol now offers a dedicated dark web training program featuring technical information on Tor, cybersecurity and simulated Darknet market takedowns.
In October 2013 the UK's National Crime Agency and GCHQ announced the formation of a "Joint Operations Cell" to focus on cybercrime. In November 2015 this team would be tasked with tackling child exploitation on the dark web as well as other cybercrime.
In March 2017 the Congressional Research Service released an extensive report on the dark web, noting the changing dynamic of how information is accessed and presented on it; characterized by the unknown, it is of increasing interest to researchers, law enforcement, and policymakers.
In August 2017, according to reportage, cybersecurity firms which specialize in monitoring and researching the dark web on behalf of banks and retailers routinely share their findings with the FBI and with other law enforcement agencies "when possible and necessary" regarding illegal content. The Russian-speaking underground offering a crime-as-a-service model is regarded as being particularly robust.
Journalism:
Many individual journalists, alternative news organizations, educators, and researchers are influential in their writing and speaking of the Darknet, and making its use clear to the general public.
Media coverage typically reports on the dark web in two ways; detailing the power and freedom of speech the dark web allows you to express, or more commonly reaffirms the illegality and fear of its contents, such as computer hackers.
Many headlines tie the dark web to CP (Child Pornography) with headlines such as, "N.J. man charged with surfing 'Dark Web' to collect nearly 3K images of child porn", along with other illegal activities where news outlets describe it as "a hub for black markets that sell or distribute drugs".
Specialist Clearweb news sites such as DeepDotWeb and All Things Vice provide news coverage and practical information about dark web sites and services.
However DeepDotWeb was shut down by authorities in 2019. The Hidden Wiki and its mirrors and forks hold some of the largest directories of content at any given time. Traditional media and news channels such as ABC News have also featured articles examining the Darknet.
See also:
Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location. The dark web forms a small part of the deep web, the part of the Web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.
The darknets which constitute the dark web include small, friend-to-friend peer-to-peer networks, as well as large, popular networks such as Tor, Freenet, I2P, and Riffle operated by public organizations and individuals. Users of the dark web refer to the regular web as Clearnet due to its unencrypted nature. The Tor dark web or onionland uses the traffic anonymization technique of onion routing under the network's top-level domain suffix .onion.
Terminology:
Definition:
Main article: Darknet
The dark web has often been confused with the deep web, the parts of the web not indexed (searchable) by search engines. The term Dark Web first emerged in 2009, however, it is unknown when the actual dark web first emerged. Many internet users only use the surface web, data that can be accessed by a typical Google browser.
The dark web forms a small part of the deep web, but requires custom software in order to access its content. This confusion dates back to at least 2009. Since then, especially in reporting on Silk Road, the two terms have often been conflated, despite recommendations that they should be distinguished.
The Dark Web, also known as Darknet websites, are accessible only through networks such as Tor ("The Onion Routing" project) that are created specifically for the Dark Web. Tor browser and Tor-accessible sites are widely used among the darknet users and can be identified by the domain ".onion". Tor browsers create encrypted entry points and pathways for the user, allowing their Dark Web searches and actions to be anonymous. Identities and locations of darknet users stay anonymous and cannot be tracked due to the layered encryption system.
The darknet encryption technology routes users' data through a large number of intermediate servers, which protects the users' identity and guarantees anonymity. The transmitted information can be decrypted only by a subsequent node in the scheme, which leads to the exit node.
The complicated system makes it almost impossible to reproduce the node path and decrypt the information layer by layer. Due to the high level of encryption, websites are not able to track geolocation and IP of their users, and users are not able to get this information about the host. Thus, communication between darknet users is highly encrypted allowing users to talk, blog, and share files confidentially.
This anonymity also creates a forum for illegal activity which is what the Dark Web is most associated with. Authorities have reported the trade of child pornography, drug related crime, illegal financing of pornography relating to children, violence, and animals. A Dark Web market-place, also known as a crypto-market, operates by selling illegal goods such as drugs, weapons, and financial fraud related products and information.
Content:
A December 2014 study by Gareth Owen from the University of Portsmouth found that the most commonly hosted type of content on Tor was child pornography, followed by black markets, while the individual sites with the highest traffic were dedicated to botnet operations (see attached metric). Many whistleblowing sites maintain a presence as well as political discussion forums. Sites associated with Bitcoin, fraud-related services, and mail order services are some of the most prolific.
As of December 2020, the number of active Tor sites in .onion was estimated at 76,300 (containing a lot of copies). Of these, 18 000 would have original content.
In July 2017, Roger Dingledine, one of the three founders of the Tor Project, said that Facebook is the biggest hidden service. The Dark Web comprises only 3% of the traffic in the Tor network.
A February 2016 study from researchers at King's College London gives the following breakdown of content by an alternative category set, highlighting the illicit use of .onionservices.
Botnets:
Botnets are often structured with their command-and-control servers based on a censorship-resistant hidden service, creating a large amount of bot-related traffic.
Darknet markets:
Main article: Darknet market
Commercial darknet markets mediate transactions for illegal goods and typically use Bitcoin as payment. These markets have attracted significant media coverage, starting with the popularity of Silk Road and Diabolus Market and its subsequent seizure by legal authorities. Silk Road was one of the first dark web marketplaces that emerged in 2011 and has allowed for the trading of weapons and identity fraud resources. These markets have no protection for its users and can be closed down at any time by authorities.
Despite the closures of these marketplaces, others pop up in their place. As of 2020, there have been at least 38 active dark web market places. These marketplaces are similar to that of eBay or Craigslist where users can interact with sellers and leave reviews about marketplace products.
Examination of price differences in Dark web markets versus prices in real life or over the World Wide Web have been attempted as well as studies in the quality of goods received over the Dark web. One such study was performed on Evolution, one of the most popular crypto-markets active from January 2013 to March 2015.
Although it found the digital information, such as concealment methods and shipping country, "seems accurate", the study uncovered issues with the quality of illegal drugs sold in Evolution, stating that, "... the illicit drugs purity is found to be different from the information indicated on their respective listings." Less is known about consumer motivations for accessing these marketplaces and factors associated with their use.
Bitcoin services:
Bitcoin is one of the main cryptocurrencies used in dark web marketplaces due to the flexibility of the currency. With Bitcoin, people can hide their intentions as well as their identity. A common approach was to use a digital currency exchanger service which converted Bitcoin into an online game currency (such as gold coins in World of Warcraft) that will later be converted back into money.
Bitcoin services such as tumblers are often available on Tor, and some – such as Grams – offer darknet market integration. A research study undertaken by Jean-Loup Richet, a research fellow at ESSEC, and carried out with the United Nations Office on Drugs and Crime, highlighted new trends in the use of Bitcoin tumblers for money laundering purposes.
Due to its relevance in the digital world, Bitcoin has become a popular product for users to scam companies with. Cybercriminal groups such as DDOS"4" have led to over 140 cyberattacks on companies since the emergence of Bitcoins in 2014. These attacks have led to the formation of other cybercriminal groups as well as Cyber Extortion.
Hacking groups and services:
Many hackers sell their services either individually or as a part of groups. Such groups include xDedic, hackforum, Trojanforge, Mazafaka, dark0de and the TheRealDeal darknet market. Some have been known to track and extort apparent pedophiles. Cyber crimes and hacking services for financial institutions and banks have also been offered over the Dark web.
Attempts to monitor this activity have been made through various government and private organizations, and an examination of the tools used can be found in the Procedia Computer Science journal. Use of Internet-scale DNS Distributed Reflection Denial of Service (DRDoS) attacks have also been made through leveraging the Dark Web. There are many scam .onion sites also present which end up giving tools for download that are infected with trojan horses or backdoors.
Financing and fraud:
Scott Dueweke the president and founder of Zebryx Consulting states that Russian electronic currency such as WebMoney and Perfect Money are behind the majority of the illegal actions. In April 2015, Flashpoint received a 5 million dollar investment to help their clients gather intelligence from the Deep and Dark web.
There are numerous carding forums, PayPal and Bitcoin trading websites as well as fraud and counterfeiting services. Many such sites are scams themselves. Phishing via cloned websites and other scam sites are numerous, with darknet markets often advertised with fraudulent URLs.
Illegal pornography:
The type of content that has the most popularity on the dark web is illegal pornography, more specifically, child pornography. About 80% of web traffic is related to accessing child pornography despite it being difficult to find, even on the dark web. A website called Lolita City, that has since been taken down, contained over 100 GB of child pornographic media and had about 15,000 members.
There is regular law enforcement action against sites distributing child pornography – often via compromising the site and tracking users' IP addresses. In 2015, the FBI investigated and took down a website called PLAYPEN. At the time, PLAYPEN was the largest child pornography website on the dark web with over 200,000 members. Sites use complex systems of guides, forums and community regulation.
Other content includes sexualized torture and killing of animals and revenge porn. In May 2021, German police said that they had dismantled one of the world's biggest child pornography networks on the dark web, with over 400,000 registered users. Four people had been detained in raids, including a man from Paraguay, on suspicion of running the network. Europol said several pedophile chat sites were also taken down in the German-led intelligence operation.
Terrorism:
Terrorist organization took to the internet as early as the 1990s, however, the birth of the dark web attracted these organizations due to the anonymity, lack of regulation, social interaction, and easy accessibility. These groups have been taking advantage of the chat platforms within the dark web to inspire terrorist attacks. Groups have even posted "How To" guides, teaching people how to become and hide their identity as terrorist.
The dark web became a forum for terrorist propaganda, guiding information, and most importantly, funding. With the introduction of Bitcoin, an anonymous transactions were created which allowed for anonymous donations and funding. By accepting Bitcoin, terrorists were now able to fund money to purchase weaponry.
In 2018, an individual named Ahmed Sarsur was charged for attempting to purchase explosives and hire snipers to aid Syrian terrorists, as well as attempting to provide them financial support, all through the dark web.
There are at least some real and fraudulent websites claiming to be used by ISIL (ISIS), including a fake one seized in Operation Onymous. With the increase of technology, it has allowed cyber terrorists to flourish by attacking the weaknesses of the technology.
In the wake of the November 2015 Paris attacks, an actual such site was hacked by an Anonymous-affiliated hacker group, GhostSec, and replaced with an advert for Prozac. The Rawti Shax Islamist group was found to be operating on the dark web at one time.
Social media:
Within the dark web, there exist emerging social media platforms similar to those on the World Wide Web; this is known as the Dark Web Social Network (DWSN). The DWSN works like a regular social networking site, where members can have customizable pages, have friends, like posts, and blog in forums.
Facebook and other traditional social media platforms have begun to make dark-web versions of their websites to address problems associated with the traditional platforms and to continue their service in all areas of the World Wide Web.
Unlike Facebook, the privacy policy of the DWSN requires that members reveal absolutely no personal information and remain anonymous.
Hoaxes and unverified content:
Main article: Hoax
There are reports of crowdfunded assassinations and hitmen for hire; however, these are believed to be exclusively scams. The creator of Silk Road, Ross Ulbricht, was arrested by Homeland Security Investigations (HSI) for his site and for allegedly hiring a hitman to kill six people, although the charges were later dropped.
There is an urban legend that one can find live murder on the dark web. The term "Red Room" has been coined based on the Japanese animation and urban legend of the same name. However, the evidence points toward all reported instances being hoaxes.
On June 25, 2015, the indie game Sad Satan was reviewed by the YouTube channel Obscure Horror Corner, which claimed to have found it via the dark web. Various inconsistencies in the channel's reporting cast doubt on the reported version of events. There are several websites which analyze and monitor the deep web and dark web for threat intelligence.
Policing the Dark Web:
There have been arguments that the dark web promotes civil liberties, like "free speech, privacy, anonymity." Some prosecutors and government agencies are concerned that it is a haven for criminal activity. The deep and dark web are applications of integral internet features to provide privacy and anonymity. Policing involves targeting specific activities of the private web deemed illegal or subject to internet censorship.
When investigating online suspects, police typically use the IP (Internet Protocol) address of the individual; however, because the Tor browser provides anonymity, this becomes an impossible tactic. As a result, law enforcement has employed many other tactics in order to identify and arrest those engaging in illegal activity on the dark web.
OSINT, or Open Source Intelligence, refers to data collection tools that legally gather information from public sources. OSINT tools can be dark-web specific, helping officers find pieces of information that lead to greater knowledge of the interactions taking place on the dark web.
In 2015 it was announced that Interpol now offers a dedicated dark web training program featuring technical information on Tor, cybersecurity and simulated Darknet market takedowns.
In October 2013 the UK's National Crime Agency and GCHQ announced the formation of a "Joint Operations Cell" to focus on cybercrime. In November 2015 this team would be tasked with tackling child exploitation on the dark web as well as other cybercrime.
In March 2017 the Congressional Research Service released an extensive report on the dark web, noting the changing dynamic of how information is accessed and presented on it; characterized by the unknown, it is of increasing interest to researchers, law enforcement, and policymakers.
In August 2017, according to reportage, cybersecurity firms which specialize in monitoring and researching the dark web on behalf of banks and retailers routinely share their findings with the FBI and with other law enforcement agencies "when possible and necessary" regarding illegal content. The Russian-speaking underground offering a crime-as-a-service model is regarded as being particularly robust.
Journalism:
Many individual journalists, alternative news organizations, educators, and researchers are influential in their writing and speaking of the Darknet, and making its use clear to the general public.
Media coverage typically reports on the dark web in one of two ways: detailing the power and freedom of speech the dark web allows its users to express, or, more commonly, reaffirming the illegality and fear of its contents, such as computer hackers.
Many headlines tie the dark web to CP (Child Pornography) with headlines such as, "N.J. man charged with surfing 'Dark Web' to collect nearly 3K images of child porn", along with other illegal activities where news outlets describe it as "a hub for black markets that sell or distribute drugs".
Specialist Clearweb news sites such as DeepDotWeb and All Things Vice provide news coverage and practical information about dark web sites and services.
However, DeepDotWeb was shut down by authorities in 2019. The Hidden Wiki and its mirrors and forks hold some of the largest directories of content at any given time. Traditional media and news channels such as ABC News have also featured articles examining the Darknet.
See also:
- Deepnet
- Darknet market
- List of Tor onion services
- OneSwarm
- Attacks Landscape in the Dark Side of the Web
IC3.Gov
YouTube Video: Reporting Cyber Crime is as Easy as IC3 (FBI.Gov)
Pictured below: The Role of the IC3 in Cybercrime Prosecution
Internet Crime Complaint Center: (IC3.Gov):
The mission of the Internet Crime Complaint Center, also known as IC3, is to provide the public with a reliable and convenient reporting mechanism to submit information to the Federal Bureau of Investigation (FBI) concerning suspected Internet-facilitated criminal activity and to develop alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness.
Since 2000, the IC3 has received complaints crossing the spectrum of cyber crime matters, to include online fraud in its many forms including intellectual property rights (IPR) matters, computer intrusions (hacking), economic espionage (theft of trade secrets), online extortion, international money laundering, identity theft, and a growing list of Internet facilitated crimes.
It has become increasingly evident to the IC3 that, regardless of the label placed on a cyber crime matter, the potential for it to overlap with another referred matter is substantial. Therefore, the IC3, formerly known as the Internet Fraud Complaint Center (IFCC), was renamed in October 2003 to better reflect the broad character of such matters having an Internet, or cyber, nexus referred to the IC3, and to minimize the need for one to distinguish "Internet Fraud" from other potentially overlapping cyber crimes.
Purpose:
IC3's purpose is to serve as a central hub to receive, develop, and refer criminal complaints regarding the rapidly expanding occurrences of Internet crime. The IC3 gives victims a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the Internet. IC3 develops leads and notifies law enforcement agencies at the federal, state, local and international level.
See also:
- Official website
- 2012 Press Releases by the Internet Crime Complaint Center (IC3)
- Intelligence Note Prepared by the Internet Crime Complaint Center (IC3), January 20, 2012
- 2016 IC3 Annual Report
- List of convicted computer criminals
U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms (Washington Post, February 26, 2019)
Russian Web Brigades
Pictured below: The building that housed the Internet Research Agency in St. Petersburg, shown in 2018. (Dmitri Lovetsky/AP)
By Ellen Nakashima
Washington Post, February 26 at 11:44 AM
The U.S. military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several U.S. officials said, a warning that the Kremlin’s operations against the United States are not cost-free.
The strike on the Internet Research Agency in St. Petersburg, a company underwritten by an oligarch close to President Vladimir Putin, was part of the first offensive cyber campaign against Russia designed to thwart attempts to interfere with a U.S. election, the officials said.
“They basically took the IRA offline,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss classified information. “They shut them down.”
The operation marked the first muscle-flexing by U.S. Cyber Command, with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities. The president approved of the general operation to prevent Russian interference in the midterms, but was not required to sign off on individual elements of the campaign, officials said.
Whether the impact of the St. Petersburg action will be long-lasting remains to be seen. Russia’s tactics are evolving, and some analysts were skeptical the strike would deter the Russian troll factory or Putin, who, according to U.S. intelligence officials, ordered an “influence” campaign in 2016 to undermine faith in U.S. democracy. U.S. officials have also assessed that the Internet Research Agency works on behalf of the Kremlin.
“Such an operation would be more of a pinprick that is more annoying than deterring in the long run,” said Thomas Rid, a strategic-studies professor at Johns Hopkins University who was not briefed on the details.
Some U.S. officials argued that “grand strategic deterrence” is not always the goal. “Part of our objective is to throw a little curveball, inject a little friction, sow confusion,” said one defense official. “There’s value in that. We showed what’s in the realm of the possible. It’s not the old way of doing business anymore.”
The action has been hailed as a success by Pentagon officials, and some senators credited Cyber Command with averting Russian interference in the midterms.
“The fact that the 2018 election process moved forward without successful Russian intervention was not a coincidence,” said Sen. Mike Rounds (R-S.D.), who did not discuss the specific details of the operation targeting the St. Petersburg group. Without Cybercom’s efforts, he said, there “would have been some very serious cyber incursions.”
[Cyber Command credited with helping avert midterm election interference]
Cybercom and the NSA declined to comment.
The disruption to the Internet Research Agency’s networks took place as Americans went to the polls and a day or so afterward as the votes were tallied, to prevent the Russians from mounting a disinformation campaign that cast doubt on the results, according to officials.
The blockage was so frustrating to the trolls that they complained to their system administrators about the disruption, the officials said.
The Internet Research Agency as early as 2014 and continuing through the 2016 presidential election sought to undermine the U.S. political system, according to the Justice Department. Posing as Americans and operating social media pages and groups, Russian trolls sought to exacerbate tensions over issues such as race, sexual identity and guns.
The agency, according to federal prosecutors, is financed by Yevgeniy Prigozhin, a tycoon from St. Petersburg and an ally of Putin. Prigozhin, the Internet Research Agency and a company Prigozhin runs called Concord Management and Consulting were among 16 Russian individuals and companies a grand jury indicted a year ago as part of special counsel Robert S. Mueller III’s investigation into Russian interference in the 2016 election.
In a response to questions from The Washington Post, Prigozhin said in a statement on the Russian version of Facebook, “I cannot comment on the work of the Internet Research Agency in any way because I have no relation to it.” Concord Management declined to comment, citing the ongoing litigation in the United States.
Another element of the Cyber Command campaign, first reported by the New York Times, involved “direct messaging” that targeted the trolls as well as hackers who work for the Russian military intelligence agency, the GRU. Using emails, pop-ups, texts or direct messages, U.S. operatives beginning in October let the Russians know that their real names and online handles were known and they should not interfere in other nations’ affairs, defense officials said.
Some Internet Research Agency officials were so perturbed by the messaging that they launched an internal investigation to root out what they thought were insiders leaking personnel information, according to two individuals.
The operation was part of a broader government effort to safeguard the 2018 elections, involving the Homeland Security, State and Justice departments, as well as the FBI. It was led by Gen. Paul Nakasone, who in July formed the Russia Small Group, made up of 75 to 80 people from Cybercom and the NSA, which are part of the Defense Department.
When Nakasone took the helm at the NSA and Cybercom in May, the White House and then-Defense Secretary Jim Mattis told him his priority needed to be the defense of the midterm elections, officials said. No one wanted a repeat of the 2016 campaign, when the GRU hacked Democratic Party computers and released troves of emails and the Internet Research Agency mounted its social media campaign to exploit social divisions.
In August, Director of National Intelligence Daniel Coats said Russia was continuing “a pervasive messaging campaign” to try to weaken and divide the United States, though officials concluded it was not as aggressive as the 2016 operation by Russia.
Two new U.S. authorities facilitated the move against the Internet Research Agency. A presidential order in August gave Cybercom greater latitude to undertake offensive operations below the level of armed conflict — actions that would not result in death, significant damage or destruction. And a provision in the National Defense Authorization Act passed last year also cleared the way for clandestine cyber operations that fall below that same threshold, categorizing them as “traditional military activity.”
“The calculus for us here was that you’re just pushing back in the same way that the adversary has for years,” a second defense official said. “It’s not escalatory. In fact, we’re finally in the game.”
Other officials were more circumspect.
“Causing consternation or throwing sand in the gears may raise the cost of engaging in nefarious activities, but it is not going to cause a nation state to just drop their election interference or their malign influence in general,” a third official said. “It’s not going to convince the decision-maker at the top.”
The operation also was the first real test of Cybercom’s new strategy of “persistent engagement,” issued in April, involving continually confronting the adversary and sharing information with partners. Cybercom in fall 2018 sent troops to Montenegro, Macedonia and Ukraine to help shore up their network defenses, and the Americans were able to obtain unfamiliar malware samples that private security researchers traced to the GRU, according to officials.
The Cybercom campaign also was part of what Nakasone described in an interview with Joint Force Quarterly as “acting outside our borders, being outside our networks, to ensure that we understand what our adversaries are doing.”
Joseph Marks contributed to this report.
[End of Article]
___________________________________________________________________________
Russian Web Brigades:
The web brigades (Russian: Веб-бригады), also known as Russia's troll army, Russian bots, Putinbots, Kremlinbots, troll factory, or troll farms are state-sponsored anonymous Internet political commentators and trolls linked to the Russian government.
Participants report that they are organized into teams and groups of commentators that participate in Russian and international political blogs and Internet forums using sockpuppets and large-scale orchestrated trolling and disinformation campaigns to promote pro-Putin and pro-Russian propaganda.
It has also been found that articles on Russian Wikipedia concerning the MH17 crash and the 2014 Ukraine conflict were targeted by Russian internet propaganda outlets.
Background:
See also: Internet Research Agency and State-sponsored Internet propaganda
State sponsored online sockpuppetry and manipulation of online views is practiced by several countries, in particular by Russia, China, United States, United Kingdom, Israel, Turkey, Iran, Vietnam and Ukraine.
The earliest documented allegations of the existence of "web brigades" appear to be in the April 2003 Vestnik Online article "The Virtual Eye of Big Brother" by French journalist Anna Polyanskaya (a former assistant to assassinated Russian politician Galina Starovoitova) and two other authors, Andrey Krivov and Ivan Lomako.
The authors claim that up to 1998, contributions to forums on Russian Internet sites (Runet) predominantly reflected liberal and democratic values, but after 2000, the vast majority of contributions reflected totalitarian values. This sudden change was attributed to the appearance of teams of pro-Russian commenters who appeared to be organized by the Russian state security service.
According to the authors, about 70% of Russian Internet posters were of generally liberal views prior to 1998–1999, while a surge of "antidemocratic" posts (about 60–80%) suddenly occurred at many Russian forums in 2000. This could also be a reflection of the fact that access to the Internet among the general Russian population soared during this time, having until then been accessible only to some sections of society.
In January 2012, a hacktivist group calling itself the Russian arm of Anonymous published a massive collection of email allegedly belonging to former and present leaders of the pro-Kremlin youth organization Nashi (including a number of government officials).
Journalists who investigated the leaked information found that the pro-Kremlin movement had engaged in a range of activities including paying commentators to post content and hijacking blog ratings in the fall of 2011.
The e-mails indicated that members of the "brigades" were paid 85 rubles (about US$3) or more per comment, depending on whether the comment received replies. Some were paid as much as 600,000 roubles (about US $21,000) for leaving hundreds of comments on negative press articles on the internet, and were presented with iPads. A number of high-profile bloggers were also mentioned as being paid for promoting Nashi and government activities.
The Federal Youth Agency, whose head (and the former leader of Nashi) Vasily Yakemenko was the highest-ranking individual targeted by the leaks, refused to comment on authenticity of the e-mails.
In 2013, a Freedom House report stated that 22 of 60 countries examined have been using paid pro-government commentators to manipulate online discussions, and that Russia has been at the forefront of this practice for several years, along with China and Bahrain.
In the same year, Russian reporters investigated the St. Petersburg Internet Research Agency, which employs at least 400 people. They found that the agency covertly hired young people as "Internet operators" paid to write pro-Kremlin postings and comments, smearing opposition leader Alexei Navalny and U.S. politics and culture.
“Each commenter was to write no less than 100 comments a day, while people in the other room were to write four postings a day, which then went to the other employees whose job was to post them on social networks as widely as possible.”
Some Russian opposition journalists state that such practices create a chilling effect on the few independent media outlets remaining in the country.
Further investigations were performed by Russian opposition newspaper Novaya Gazeta and Institute of Modern Russia in 2014–15, inspired by the peak of activity of the pro-Russian brigades during the Ukrainian conflict and assassination of Boris Nemtsov. The effort of using "troll armies" to promote Putin's policies is reported to be a multimillion-dollar operation.
According to an investigation by the British Guardian newspaper, the flood of pro-Russian comments is part of a coordinated "informational-psychological war operation".
One Twitter bot network was documented to use more than 20,500 fake Twitter accounts to spam negative comments after the death of Boris Nemtsov and events related to the Ukrainian conflict.
An article based on the original Polyanskaya article, authored by the Independent Customers' Association, was published in May 2008 at Expertiza.Ru. In this article the term web brigades is replaced by the term Team "G".
During his presidency, Donald Trump retweeted a tweet from an account operated by the Russians.
Methods:
Web brigade commentators sometimes leave hundreds of postings a day that criticize the country's opposition and promote Kremlin-backed policymakers.
Commentators simultaneously react to discussions of "taboo" topics, including the historical role of Soviet leader Joseph Stalin, political opposition, dissidents such as Mikhail Khodorkovsky, murdered journalists, and cases of international conflict or rivalry (with countries such as Estonia, Georgia, and Ukraine, but also with the foreign policies of the United States and the European Union).
Prominent journalist and Russia expert Peter Pomerantsev believes Russia's efforts are aimed at confusing the audience, rather than convincing it. He states that they cannot censor information but can "trash it with conspiracy theories and rumors".
To avert suspicions, the users sandwich political remarks between neutral articles on travelling, cooking and pets. They overwhelm comment sections of media to render meaningful dialogue impossible.
“The effect created by such Internet trolls is not very big, but they manage to make certain forums meaningless because people stop commenting on the articles when these trolls sit there and constantly create an aggressive, hostile atmosphere toward those whom they don’t like. The trolls react to certain news with torrents of mud and abuse. This makes it meaningless for a reasonable person to comment on anything there.”
A collection of leaked documents, published by Moy Rayon, suggests that work at the "troll den" is strictly regulated by a set of guidelines.
Any blog post written by an agency employee, according to the leaked files, must contain "no fewer than 700 characters" during day shifts and "no fewer than 1,000 characters" on night shifts.
Use of graphics and keywords in the post's body and headline is also mandatory. In addition to general guidelines, bloggers are also provided with "technical tasks" – keywords and talking points on specific issues, such as Ukraine, Russia's internal opposition and relations with the West.
On an average working day, the workers are to post on news articles 50 times. Each blogger is to maintain six Facebook accounts publishing at least three posts a day and discussing the news in groups at least twice a day. By the end of the first month, they are expected to have won 500 subscribers and get at least five posts on each item a day.
On Twitter, the bloggers are expected to manage 10 accounts with up to 2,000 followers and tweet 50 times a day.
In 2015, Lawrence Alexander disclosed a network of propaganda websites sharing the same Google Analytics identifier and domain registration details, allegedly run by Nikita Podgorny from Internet Research Agency.
The websites were mostly meme repositories focused on attacking Ukraine, Euromaidan, Russian opposition and Western policies. Other websites from this cluster promoted president Putin and Russian nationalism, and spread alleged news from Syria presenting anti-Western and pro-Bashar al-Assad viewpoints.
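The pivot described above, linking sites through a shared Google Analytics identifier and common domain registration details, is a standard attribution technique in threat-intelligence work. The Python below is an added example, not the researcher's own tooling or anything from the original page; every domain name, tracking ID and registrant e-mail address in it is a constructed placeholder. It generalizes the single case in the text: any indicator type (here GA account and WHOIS registrant e-mail) is indexed, and only indicators that span several sites are reported as pivots. Note that classic "UA-" IDs are normalized to the account part, because the trailing number only selects a property within the same account.

```python
"""Pivot on shared infrastructure indicators to cluster related web sites.

Added example, not code from the original page or from the researcher it cites.
All domain names, tracking IDs and registrant e-mail addresses below are
constructed placeholders (".invalid" / "example" names), not real indicators.
"""
import re
from collections import defaultdict

# Google Analytics IDs as they appear in page source: classic "UA-<account>-<property>"
# (ga.js / analytics.js) and GA4 measurement IDs "G-XXXXXXXXXX" (gtag.js).
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def extract_ga_ids(html):
    """Return the set of Google Analytics IDs embedded in one page's HTML."""
    return set(GA_ID_RE.findall(html))


def ga_account(ga_id):
    """Normalize a classic ID to its account: 'UA-12345678-3' -> 'UA-12345678'.

    The trailing number only selects a property inside one account, so two sites
    with different suffixes still report to the same GA account holder.
    GA4 measurement IDs carry no account part and are returned unchanged.
    """
    return ga_id.rsplit("-", 1)[0] if ga_id.startswith("UA-") else ga_id


def indicators(record):
    """Yield (indicator_type, value) pairs for one site record.

    record: {"domain": str, "html": str, "registrant_email": str or None}
    """
    for ga_id in extract_ga_ids(record["html"]):
        yield ("ga_account", ga_account(ga_id))
    email = record.get("registrant_email")
    if email:  # WHOIS registrant contact, when not privacy-protected
        yield ("registrant_email", email.lower())


def build_pivot_index(records):
    """Map (indicator_type, value) -> sorted list of domains carrying it."""
    index = defaultdict(set)
    for rec in records:
        for key in indicators(rec):
            index[key].add(rec["domain"])
    return {key: sorted(doms) for key, doms in index.items()}


def shared_indicators(records, min_domains=2):
    """Keep only indicators seen on at least min_domains distinct sites.

    These are the pivots: a single site's ID proves nothing, but one GA account
    or registrant address spanning several sites suggests common operation.
    """
    return {key: doms for key, doms in build_pivot_index(records).items()
            if len(doms) >= min_domains}


# Constructed sample records. Two "meme" sites share a GA account (different
# property suffixes); a third is tied to them only by registrant e-mail; the
# fourth site has nothing in common with the others.
SAMPLE_RECORDS = [
    {"domain": "memes-a.invalid",
     "html": "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
     "registrant_email": "registrant@example.invalid"},
    {"domain": "memes-b.invalid",
     "html": "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-12345678-2'></script>",
     "registrant_email": None},
    {"domain": "news-c.invalid",
     "html": "<script>gtag('config', 'G-ABC123DEF4');</script>",
     "registrant_email": "Registrant@Example.invalid"},
    {"domain": "unrelated-d.invalid",
     "html": "<p>no analytics here</p>",
     "registrant_email": "someone-else@example.invalid"},
]

if __name__ == "__main__":
    for (kind, value), domains in sorted(shared_indicators(SAMPLE_RECORDS).items()):
        print(f"{kind}={value}: {', '.join(domains)}")
```

Running the module on the constructed records reports two pivots: the shared GA account linking the two meme sites, and the registrant address linking the first meme site to the news site; the lone GA4 ID and the unrelated registrant are not reported because each appears on only one domain. In real use the HTML and WHOIS fields would come from your own crawl and registration-data lookups, and a shared ID is a lead to corroborate, not proof of common control by itself.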
In August 2015, Russian researchers correlated Google search statistics of specific phrases with their geographic origin, observing increases in specific politically loaded phrases (such as "Poroshenko", "Maidan", "sanctions") starting from 2013 and originating from very small, peripheral locations in Russia, such as Olgino, which also happens to be the headquarters of the Internet Research Agency company.
The Internet Research Agency also appears to be the primary sponsor of an anti-Western exhibition Material Evidence.
Since 2015, Finnish reporter Jessikka Aro has inquired into web brigades and Russian trolls. In addition, Western journalists have referred to the phenomenon and have supported traditional media.
The Cybercom campaign also was part of what Nakasone described in an interview with Joint Force Quarterly as “acting outside our borders, being outside our networks, to ensure that we understand what our adversaries are doing.”
Joseph Marks contributed to this report.
[End of Article]
___________________________________________________________________________
Russian Web Brigades:
The web brigades (Russian: Веб-бригады), also known as Russia's troll army, Russian bots, Putinbots, Kremlinbots, troll factory, or troll farms are state-sponsored anonymous Internet political commentators and trolls linked to the Russian government.
Participants report that they are organized into teams and groups of commentators that participate in Russian and international political blogs and Internet forums using sockpuppets and large-scale orchestrated trolling and disinformation campaigns to promote pro-Putin and pro-Russian propaganda.
It has also been found that articles on Russian Wikipedia concerning the MH17 crash and the 2014 Ukraine conflict were targeted by Russian internet propaganda outlets.
Background:
See also: Internet Research Agency and State-sponsored Internet propaganda
State sponsored online sockpuppetry and manipulation of online views is practiced by several countries, in particular by Russia, China, United States, United Kingdom, Israel, Turkey, Iran, Vietnam and Ukraine.
The earliest documented allegations of the existence of "web brigades" appear to be in the April 2003 Vestnik Online article "The Virtual Eye of Big Brother" by French journalist Anna Polyanskaya (a former assistant to assassinated Russian politician Galina Starovoitova) and two other authors, Andrey Krivov and Ivan Lomako.
The authors claim that up to 1998, contributions to forums on Russian Internet sites (Runet) predominantly reflected liberal and democratic values, but after 2000, the vast majority of contributions reflected totalitarian values. This sudden change was attributed to the appearance of teams of pro-Russian commenters who appeared to be organized by the Russian state security service.
According to the authors, about 70% of Russian Internet posters were of generally liberal views prior to 1998–1999, while a surge of "antidemocratic" posts (about 60–80%) suddenly occurred at many Russian forums in 2000. This could also be a reflection to the fact that access to Internet among the general Russian population soared during this time, which was until then accessible only to some sections of the society.
In January 2012, a hacktivist group calling itself the Russian arm of Anonymous published a massive collection of email allegedly belonging to former and present leaders of the pro-Kremlin youth organization Nashi (including a number of government officials).
Journalists who investigated the leaked information found that the pro-Kremlin movement had engaged in a range of activities including paying commentators to post content and hijacking blog ratings in the fall of 2011.
The e-mails indicated that members of the "brigades" were paid 85 rubles (about US$3) or more per comment, depending on whether the comment received replies. Some were paid as much as 600,000 roubles (about US $21,000) for leaving hundreds of comments on negative press articles on the internet, and were presented with iPads. A number of high-profile bloggers were also mentioned as being paid for promoting Nashi and government activities.
The Federal Youth Agency, whose head (and the former leader of Nashi) Vasily Yakemenko was the highest-ranking individual targeted by the leaks, refused to comment on authenticity of the e-mails.
In 2013, a Freedom House report stated that 22 of 60 countries examined have been using paid pro-government commentators to manipulate online discussions, and that Russia has been at the forefront of this practice for several years, along with China and Bahrain.
In the same year, Russian reporters investigated the St. Petersburg Internet Research Agency, which employs at least 400 people. They found that the agency covertly hired young people as "Internet operators" paid to write pro-Kremlin postings and comments, smearing opposition leader Alexei Navalny and U.S. politics and culture.
“Each commenter was to write no less than 100 comments a day, while people in the other room were to write four postings a day, which then went to the other employees whose job was to post them on social networks as widely as possible.”
Some Russian opposition journalists state that such practices create a chilling effect on the few independent media outlets remaining in the country.
Further investigations were performed by Russian opposition newspaper Novaya Gazeta and Institute of Modern Russia in 2014–15, inspired by the peak of activity of the pro-Russian brigades during the Ukrainian conflict and assassination of Boris Nemtsov. The effort of using "troll armies" to promote Putin's policies is reported to be a multimillion-dollar operation.
According to an investigation by the British Guardian newspaper, the flood of pro-Russian comments is part of a coordinated "informational-psychological war operation".
One Twitter bot network was documented to use more than 20,500 fake Twitter accounts to spam negative comments after the death of Boris Nemtsov and events related to the Ukrainian conflict.
An article based on the original Polyanskaya article, authored by the Independent Customers' Association, was published in May 2008 at Expertiza.Ru. In this article the term web brigades is replaced by the term Team "G".
During his presidency, Donald Trump retweeted a tweet from an account operated by the Russians.
Methods:
Web brigades commentators sometimes leave hundreds of postings a day that criticize the country's opposition and promote Kremlin-backed policymakers.
Commentators simultaneously react to discussions of "taboo" topics, including the historical role of Soviet leader Joseph Stalin, political opposition, dissidents such as Mikhail Khodorkovsky, murdered journalists, and cases of international conflict or rivalry (with countries such as Estonia, Georgia, and Ukraine, but also with the foreign policies of the United States and the European Union).
Prominent journalist and Russia expert Peter Pomerantsev believes Russia's efforts are aimed at confusing the audience, rather than convincing it. He states that they cannot censor information but can "trash it with conspiracy theories and rumors".
To avert suspicions, the users sandwich political remarks between neutral articles on travelling, cooking and pets. They overwhelm comment sections of media to render meaningful dialogue impossible.
“The effect created by such Internet trolls is not very big, but they manage to make certain forums meaningless because people stop commenting on the articles when these trolls sit there and constantly create an aggressive, hostile atmosphere toward those whom they don’t like.
The trolls react to certain news with torrents of mud and abuse. This makes it meaningless for a reasonable person to comment on anything there.”
A collection of leaked documents, published by Moy Rayon, suggests that work at the "troll den" is strictly regulated by a set of guidelines.
Any blog post written by an agency employee, according to the leaked files, must contain "no fewer than 700 characters" during day shifts and "no fewer than 1,000 characters" on night shifts.
Use of graphics and keywords in the post's body and headline is also mandatory. In addition to general guidelines, bloggers are also provided with "technical tasks" – keywords and talking points on specific issues, such as Ukraine, Russia's internal opposition and relations with the West.
On an average working day, the workers are to post on news articles 50 times. Each blogger is to maintain six Facebook accounts publishing at least three posts a day and discussing the news in groups at least twice a day. By the end of the first month, they are expected to have won 500 subscribers and get at least five posts on each item a day.
On Twitter, the bloggers are expected to manage 10 accounts with up to 2,000 followers and tweet 50 times a day.
In 2015, Lawrence Alexander disclosed a network of propaganda websites sharing the same Google Analytics identifier and domain registration details, allegedly run by Nikita Podgorny from Internet Research Agency.
The websites were mostly meme repositories focused on attacking Ukraine, Euromaidan, Russian opposition and Western policies. Other websites from this cluster promoted president Putin and Russian nationalism, and spread alleged news from Syria presenting anti-Western and pro-Bashar al-Assad viewpoints.
In August 2015, Russian researchers correlated Google search statistics of specific phrases with their geographic origin, observing increases in specific politically loaded phrases (such as "Poroshenko", "Maidan", "sanctions") starting from 2013 and originating from very small, peripheral locations in Russia, such as Olgino, which also happens to be the headquarters of the Internet Research Agency company.
The Internet Research Agency also appears to be the primary sponsor of an anti-Western exhibition Material Evidence.
Since 2015, Finnish reporter Jessikka Aro has inquired into web brigades and Russian trolls. In addition, Western journalists have referred to the phenomenon and have supported traditional media.
See also:
- Cyberwarfare by Russia
- Internet Research Agency
- Fake news website
- State-sponsored Internet propaganda
- Internet Water Army
- 50 Cent Party
- Operation Earnest Voice
- Public opinion brigades
- Jewish Internet Defense Force
- Joint Threat Research Intelligence Group
- AK Trolls
FBI acknowledges it tested Israel NSO Group’s spyware
- YouTube Video: Pegasus: the spyware technology that threatens democracy
- YouTube Video: How To Check If Your Smartphone Is Infected With Pegasus
- YouTube Video: Is Pegasus Spyware a Risk to YOUR iPhone?
"The agency says it never used the spyware in an investigation"
By Ellen Nakashima February 2, 2022 at 1:23 p.m. EST (The Washington Post)
The FBI tested Pegasus spyware made by the Israeli company NSO Group for possible use in criminal investigations, even as the FBI and Justice Department were investigating whether the NSO software had been used to illegally hack phones in the United States, people familiar with the events have told The Washington Post.
Justice Department lawyers at the time discussed that if the FBI were actually to deploy the tool, it could complicate any subsequent prosecution if the department brought charges, according to the people, who spoke on the condition of anonymity because of the matter’s sensitivity.
In a statement to The Post, the FBI confirmed that it had tested the spyware but stressed it had not been used “in support of any investigation.”
The FBI statement is the first official confirmation that a U.S. law enforcement agency has tested NSO spyware. The development was first reported by the New York Times.
“The FBI works diligently to stay abreast of emerging technologies and tradecraft — not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties,” the statement said. “That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only.”
Pegasus is NSO’s most well-known spyware, breathtakingly potent in its ability to covertly scoop up an iPhone or Android phone user’s calls and text messages, pictures and whereabouts. NSO says it’s for use only against bad actors such as gangsters and drug lords, but investigations by civil society groups have uncovered its use by foreign governments to track activists, journalists, lawyers and their families.
The Israeli firm has repeatedly said Pegasus cannot be used to target U.S. phones or devices assigned a +1 U.S. number. But NSO appears to have created a workaround — a separate product called Phantom — to enable American law enforcement to monitor U.S. devices, according to documents obtained by the tech news site Motherboard in 2020.
According to the Times, NSO Group made a presentation of Phantom’s capability to the FBI in 2019 to show that the spyware “could hack any number in the United States that the F.B.I. decided to target.”
The Times also reported that the bureau ran up $5 million in fees to NSO and renewed a contract for the Pegasus software. The FBI declined to confirm those details.
NSO Group declined to comment for this story.
According to the Times, the FBI decided not to deploy the spyware last summer, around the time The Post and an international journalism consortium published a multipart investigation that found Pegasus had been used to attack the phones of journalists, human rights activists and politicians around the world.
The company has promised to investigate abuses of its system and cut off clients who violate NSO rules.
The agencies declined to offer details on the pitches, but public records show they were sent brochures boasting that Phantom could “remotely and covertly [extract] all data from any smartphone” and fill “a void in law enforcement data gathering ability.” The brochure was distributed by a company calling itself NSO’s North American branch.
The use of NSO spyware by the FBI arguably would have been lawful since wiretap laws generally provide such authority, experts say. Erez Liebermann, a former federal prosecutor in New Jersey who has prosecuted criminal hackers, said he would support the use of such a tool “as long as it’s done with court approval and internal oversight by the FBI, which makes it very different from its use by some of these other regimes.”
Liebermann noted that a decade ago when he was still a prosecutor, law enforcement officials feared the rise of strong encryption on mobile devices was undercutting their ability to intercept criminals’ communications.
“There has to be a tool for law enforcement to prevent crime,” said Liebermann, now a partner at the law firm Linklaters. “The question for us all is what do we find acceptable?”
But others noted that had the FBI used NSO tools and that use had become public, the move probably would have been controversial. Human rights organizations have long highlighted the use of Pegasus by authoritarian governments to monitor their opponents, and the software was used to target associates of Washington Post contributing columnist Jamal Khashoggi before he was murdered by Saudi operatives in Turkey in 2018.
“This is extremely troubling and raises basic questions about whether Americans’ constitutional rights are being sufficiently protected as the FBI explores or uses hacking tools,” said John Scott-Railton, senior researcher at the Citizen Lab, an affiliate of the University of Toronto’s Munk School of Global Affairs and Public Policy.
Citizen Lab reports in 2016 were among the first to claim Pegasus had been used to hack journalists and dissidents in countries with troubling human rights records.
In November, the U.S. Commerce Department placed NSO on its Entity List, a designation — in some cases seen as effectively a “death penalty” for companies — that curbs the firm’s access to American technologies. NSO has used the servers of American companies such as Amazon Web Services to distribute the malware, WhatsApp charges in its lawsuit against NSO.
The Commerce Department designation came after Apple began notifying users, including 11 employees of the U.S. Embassy in Uganda, that their iPhones had been attacked with Pegasus.
“By design, NSO’s spyware creates a breathtakingly invasive and disproportionate access to a person’s current and past digital life,” Scott-Railton said. “It’s time for the U.S. government to be much more transparent about the use of such contractors and what ethical oversight is involved. Democracies and dictatorships shouldn’t share a hacking toolbox.”
In the spring of 2019, WhatsApp discovered that its platform had been hacked by unknown actors who deployed Pegasus to some 1,400 phones and devices. At least one number that was targeted had a Washington, D.C., area code, the company said in court documents.
The company brought the matter to the Justice Department, according to people familiar with the matter. In October that year, WhatsApp sued NSO in federal court in San Francisco, alleging the firm’s spyware was used against victims in 20 countries during a two-week period from late April to mid-May in 2019.
What WhatsApp “didn’t appear to know” when it filed its lawsuit, the Times’s report said, was that the “attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the FBI of Phantom.”
Asked to comment on that report, WhatsApp said: “In all circumstances, our priority is to defend our services from threats that would harm people’s ability to safely communicate with one another. We will continue our efforts to hold NSO accountable for their attacks against journalists, human rights activists, and government officials in violation of U.S. law. The spyware industry must be prevented from undermining the privacy and security of people in the U.S. and across the world.”
Drew Harwell, Dana Priest and Craig Timberg contributed to this report.
___________________________________________________________________________
Pegasus spyware (Wikipedia)
Pegasus is spyware developed by the Israeli cyber-arms company NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android.
Pegasus is able to exploit iOS versions up to 14.7, through a zero-click exploit.
As of 2022, Pegasus was capable of:
The spyware is named after Pegasus, the winged horse of Greek mythology. It is a Trojan horse computer virus that can be sent "flying through the air" to infect cell phones.
Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, as well as the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the "most sophisticated" smartphone attack ever; it was the first time that a malicious remote exploit used jailbreaking to gain unrestricted access to an iPhone.
The spyware has been used for surveillance of anti-regime activists, journalists, and political leaders from several nations around the world. In July 2021, the investigation initiative Pegasus Project, along with an in-depth analysis by human rights group Amnesty International, reported that Pegasus was still being widely used against high-profile targets.
Background:
NSO Group developed its first iteration of Pegasus spyware in 2011. The company states that it provides "authorized governments with technology that helps them combat terror and crime."
NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.
Discovery:
Pegasus's iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising "secrets" about torture happening in prisons in the United Arab Emirates by following a link.
Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering.
Citizen Lab and Lookout discovered that the link downloaded software to exploit three previously unknown and unpatched zero-day vulnerabilities in iOS. According to their analysis, the software can jailbreak an iPhone when a malicious URL is opened. The software installs itself and collects all communications and locations of targeted iPhones.
The software can also collect Wi-Fi passwords. The researchers noticed that the software's code referenced an NSO Group product called "Pegasus" in leaked marketing materials.
Pegasus had previously come to light in a leak of records from Hacking Team, which indicated the software had been supplied to the government of Panama in 2015. Citizen Lab and Lookout notified Apple's security team, which patched the flaws within ten days and released an update for iOS. A patch for macOS was released six days later.
Regarding how widespread the issue was, Lookout explained in a blog post: "We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code" and pointed out that the code shows signs of a "kernel mapping table that has values all the way back to iOS 7" (released 2013).
The New York Times and The Times of Israel both reported that it appeared that the United Arab Emirates was using this spyware as early as 2013. It was used in Panama by former president Ricardo Martinelli from 2012 to 2014, who established the Consejo de Seguridad Pública y Defensa Nacional (National Security Council) for its use.
Chronology:
Several lawsuits outstanding in 2018 claimed that NSO Group helped clients operate the software and therefore participated in numerous violations of human rights initiated by its clients.
Two months after the murder and dismemberment of The Washington Post journalist Jamal Khashoggi, a Saudi human rights activist, in the Saudi Arabian Consulate in Istanbul, Turkey, Saudi dissident Omar Abdulaziz, a Canadian resident, filed suit in Israel against NSO Group, accusing the firm of providing the Saudi government with the surveillance software to spy on him and his friends, including Khashoggi.
In December 2020, an Al Jazeera investigative show The Hidden is More Immense covered Pegasus and its penetration into the phones of media professionals and activists; and its use by Israel to eavesdrop on both opponents and allies.
Technical details:
The spyware can be installed on devices running certain versions of iOS, Apple's mobile operating system, as well as some Android devices. Rather than being a specific exploit, Pegasus is a suite of exploits that uses many vulnerabilities in the system.
Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Pegasus uses are zero-click—that is, they can run without any interaction from the victim.
Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps:
In April 2017, after a Lookout report, Google researchers discovered Android malware "believed to be created by NSO Group Technologies" and named it Chrysaor (Pegasus' brother in Greek mythology). According to Google, "Chrysaor is believed to be related to the Pegasus spyware".
At the 2017 Security Analyst Summit held by Kaspersky Lab, researchers revealed that Pegasus was available for Android in addition to iOS. Its functionality is similar to the iOS version, but the mode of attack is different. The Android version tries to gain root access (similar to jailbreaking in iOS); if it fails, it asks the user for permissions that enable it to harvest at least some data.
At the time Google said that only a few Android devices had been infected.
Pegasus hides itself as far as is possible and self-destructs in an attempt to eliminate evidence if unable to communicate with its command-and-control server for more than 60 days, or if on the wrong device. Pegasus also can self-destruct on command.
If it is not possible to compromise a target device by simpler means, Pegasus can be installed by setting up a wireless transceiver near a target device, or by gaining physical access to the device.
Development of capabilities:
The earliest version of Pegasus - which was identified in 2016 - relied on a spear-phishing attack which required the target to click a malicious link in a text message or email.
As of August 2016 - according to a former NSO Employee - the U.S. version of Pegasus had 1-click capabilities for all phones apart from old Blackberry models which could be infiltrated with a 0-click attack.
In 2019, WhatsApp revealed Pegasus had employed a vulnerability in its app to launch zero-click attacks (the spyware would be installed onto a target's phone by calling the target phone; the spyware would be installed even if the call was not answered).
Since 2019, Pegasus has come to rely on iPhone iMessage vulnerabilities to deploy spyware.
By 2020, Pegasus shifted towards zero-click exploits and network-based attacks. These methods allowed clients to break into target phones without requiring user interaction and without leaving any detectable traces.
Vulnerabilities:
Lookout provided details of the three iOS vulnerabilities:
Google's Project Zero documented another exploit, dubbed FORCEDENTRY, in December 2021. According to Google's researchers, Pegasus sent an iMessage to its targets that contained what appeared to be GIF images, but which in fact contained a JBIG2 image.
A vulnerability in the Xpdf implementation of JBIG2, re-used in Apple's iOS phone operating software, allowed Pegasus to construct an emulated computer architecture inside the JBIG2 stream which was then used to implement the zero-click attack. Apple fixed the vulnerability in iOS 14.8 in September 2021 as CVE-2021-30860.
As of July 2021, Pegasus likely uses many exploits, some not listed in the above CVEs.
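The FORCEDENTRY paragraph above turns on a type confusion: a file delivered as if it were a GIF actually carried JBIG2 data, and the decoder that ended up parsing it was the wrong one. The following is an added example, not Project Zero's, Apple's, NSO's or Wikipedia's code, showing the defensive check a message-handling pipeline can apply before any decoder runs: identify the content by its leading bytes, compare that with the type the filename declares, and refuse anything that is not on the image allowlist or that carries a JBIG2 stream. It goes a step beyond the page by also recognising a PDF that embeds JBIG2 through the `/JBIG2Decode` stream filter; the file signatures are the standard ones, the allowlist and the sample blobs are constructed for the demo.

```python
"""Declared-type vs. actual-content check for message attachments.

Added example (not Project Zero, Apple, NSO or Wikipedia code). It shows the
defensive counterpart of the FORCEDENTRY delivery trick: a file that is named
like a GIF but whose bytes are a JBIG2 stream (or a PDF wrapping one) must not
reach the image decoder. The sample blobs below are constructed, not captures.
"""
import os
import re

# File signatures ("magic numbers") for the formats this check recognises.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
    # Stand-alone JBIG2 file header as defined in ITU-T T.88 Annex D.
    "jbig2": (b"\x97JB2\r\n\x1a\n",),
}

# Formats the hypothetical image pipeline is willing to decode at all.
ALLOWED_IMAGE_TYPES = {"gif", "png", "jpeg"}

# Name of the PDF stream filter that marks an embedded JBIG2 image.
JBIG2_FILTER = re.compile(rb"/JBIG2Decode\b")


def sniff_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return "unknown"


def declared_type(filename: str) -> str:
    """Format the filename claims, normalised (jpg -> jpeg)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return {"jpg": "jpeg", "jpe": "jpeg"}.get(ext, ext)


def embeds_jbig2(data: bytes) -> bool:
    """True for a bare JBIG2 file or a PDF that declares a JBIG2Decode filter."""
    kind = sniff_type(data)
    if kind == "jbig2":
        return True
    return kind == "pdf" and JBIG2_FILTER.search(data) is not None


def assess_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment may be handed to the image decoder.

    Returns the declared and sniffed types, a verdict ('allow' or 'reject')
    and the reasons for a rejection so that they can be logged.
    """
    declared = declared_type(filename)
    actual = sniff_type(data)
    reasons = []
    if actual not in ALLOWED_IMAGE_TYPES:
        reasons.append(f"content type {actual!r} is not an allowed image format")
    elif actual != declared:
        reasons.append(f"filename declares {declared!r} but content is {actual!r}")
    if embeds_jbig2(data):
        reasons.append("payload carries JBIG2 data")
    return {"declared": declared, "actual": actual,
            "verdict": "reject" if reasons else "allow", "reasons": reasons}


# Constructed samples: a benign GIF, a JBIG2 file renamed .gif, and a PDF
# renamed .gif whose only object uses the JBIG2Decode filter.
SAMPLES = {
    "cat.gif": b"GIF89a" + bytes(16),
    "photo.gif": b"\x97JB2\r\n\x1a\n" + bytes(16),
    "scan.gif": b"%PDF-1.4\n1 0 obj << /Filter /JBIG2Decode /Length 0 >>\n"
                b"stream\nendstream\nendobj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = assess_attachment(name, blob)
        print(f"{name}: {result['verdict']} {result['reasons']}")
```

The point of the allowlist is that the decision is made on what the bytes are, never on what the sender says they are; a renamed JBIG2 or PDF is rejected even when the filename looks harmless, and the reasons list gives the detection team a concrete string to alert on.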
Pegasus Anonymizing Transmission Network:
Human rights group Amnesty International reported in the 2021 investigation that Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver exploit payloads and send commands to Pegasus targets.
There are at least four known iterations of the C&C infrastructure, dubbed the Pegasus Anonymizing Transmission Network (PATN) by NSO group, each encompassing up to 500 domain names, DNS servers, and other network infrastructure.
The PATN reportedly utilizes techniques such as registering high port numbers for their online infrastructure as to avoid conventional internet scanning. PATN also uses up to three randomised subdomains unique per exploit attempt as well as randomised URL paths.
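The three PATN traits just described (services on high ports to dodge scanners, a fresh randomised subdomain per exploit attempt, randomised URL paths) are each observable in a network's own outbound proxy or DNS logs. The following added example, which is not Amnesty International's or NSO's code, scores traffic by registered domain on exactly those traits over a handful of constructed log lines. The log format, the domain names (all under the reserved `.test` TLD), the naive two-label registered-domain rule and every threshold are assumptions chosen for the demo and would be tuned against real baseline traffic.

```python
"""PATN-style traffic heuristics over a constructed proxy log.

Added example (not Amnesty International's or NSO's code). It flags a
registered domain when several distinct hosts use machine-looking leftmost
labels, when request paths look machine-generated, and when the service
listens on an unusually high port. All names, lines and thresholds are
constructed assumptions for the demo.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> <client> <host>:<port> <path>"
LOG_LINE = re.compile(r"^(\S+) (\S+) ([^:\s]+):(\d+) (\S+)$")

# Constructed sample: three ordinary requests to a news site, then four
# requests showing the PATN traits (random subdomain and path each time,
# service on a high port). ".test" is a reserved, never-delegated TLD.
SAMPLE_LOG = [
    "2021-07-18T10:00:01Z 10.0.0.5 www.example-news.test:443 /articles/123",
    "2021-07-18T10:00:02Z 10.0.0.5 www.example-news.test:443 /articles/124",
    "2021-07-18T10:00:03Z 10.0.0.5 cdn.example-news.test:443 /img/logo.png",
    "2021-07-18T10:01:10Z 10.0.0.5 h7q2kx9zr4.v1a8.patn-sample.test:47301 /p9x3k2q8a1",
    "2021-07-18T10:01:11Z 10.0.0.5 m4w8zn1cv6.v1a8.patn-sample.test:47301 /z2q8l5mk0w",
    "2021-07-18T10:01:12Z 10.0.0.5 q1p7rt5yd0.v1a8.patn-sample.test:47301 /k8n3fb4cz7",
    "2021-07-18T10:01:13Z 10.0.0.5 x9c2de6bf3.v1a8.patn-sample.test:47301 /b7t2ys6hq3",
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_random(label: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic for machine-generated labels: long, mixed letters and
    digits, high per-character entropy. Thresholds are assumptions."""
    return (len(label) >= min_len
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label)
            and shannon_entropy(label) >= min_entropy)


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). A production rule would consult the
    Public Suffix List; the constructed hosts here all fit the naive rule."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_line(line: str):
    """Parse one log line into a record, or None if it is malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, host, port, path = m.groups()
    return {"ts": ts, "client": client, "host": host.lower(),
            "port": int(port), "path": path}


def analyse(lines, high_port: int = 10000, min_random: int = 3) -> dict:
    """Group requests by registered domain and attach PATN-style flags."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(),
                                 "paths": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[registered_domain(rec["host"])]
        s["count"] += 1
        s["hosts"].add(rec["host"])
        s["paths"].add(rec["path"])
        s["ports"].add(rec["port"])

    report = {}
    for domain, s in stats.items():
        flags = []
        # Leftmost label is the per-attempt component in the PATN description.
        if sum(looks_random(h.split(".")[0]) for h in s["hosts"]) >= min_random:
            flags.append("randomised-subdomains")
        # Judge the final path segment so "/articles/123" is not penalised.
        last = (p.rstrip("/").rsplit("/", 1)[-1] for p in s["paths"])
        if sum(looks_random(seg) for seg in last) >= min_random:
            flags.append("randomised-paths")
        if any(port >= high_port for port in s["ports"]):
            flags.append("high-port")
        report[domain] = {"requests": s["count"], "hosts": len(s["hosts"]),
                          "flags": flags}
    return report


def suspicious_domains(lines, min_flags: int = 2) -> list:
    """Domains carrying at least min_flags of the three PATN traits."""
    report = analyse(lines)
    return sorted(d for d, r in report.items() if len(r["flags"]) >= min_flags)


if __name__ == "__main__":
    for domain, r in analyse(SAMPLE_LOG).items():
        print(f"{domain}: {r['requests']} requests, {r['hosts']} hosts, flags={r['flags']}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Requiring two of the three traits before a domain is called suspicious keeps a single high-port API or a CDN with hashed hostnames from tripping the rule on its own; the per-domain counters are what an analyst would then pivot on to pull the full request list.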
Use by country:
See also: Pegasus Project (investigation)
More about the United States:
NSO Group pitched its spyware to the Drug Enforcement Administration (DEA), which declined to purchase it due to its high cost.
In August 2016, NSO Group (through its U.S. subsidiary Westbridge) pitched its U.S. version of Pegasus to the San Diego Police Department (SDPD). In the marketing material, Westbridge emphasized that the company is U.S.-based and majority-owned by a U.S. parent company. An SDPD Sergeant responded to the sales pitch with "sounds awesome". The SDPD declined to purchase the spyware as it was too expensive.
In July 2021, it was revealed that the phone numbers of about a dozen U.S. citizens - including diplomats, journalists, aid workers, and dissident expatriates - were on a list of prospective targets for Pegasus infiltration; however, it was not known whether an attack was ever attempted or completed against any of their devices.
Among the phone numbers discovered on the list were those of the Biden administration's chief negotiator of the Joint Comprehensive Plan of Action as well as those of several United Nations diplomats residing in the U.S. NSO Group has said that Pegasus is not deployed against any device located within the territory of the U.S.; however, it has been suggested that U.S. citizens can become targets when abroad.
In December 2021, it was reported that Pegasus spyware was found in the preceding months on the iPhones of at least nine U.S. State Department employees, all of whom were either stationed in Uganda or worked on matters related to Uganda. Later the same month, AP reported that a total of 11 U.S. State Department employees stationed in Uganda had their iPhones hacked with Pegasus.
The US government blacklisted the NSO Group to stop what it called "transnational repression".
In January 2022, it was reported that the Federal Bureau of Investigation had secretly bought the Pegasus spyware in 2019 and had seen a demonstration of Phantom, a newer tool capable of targeting American phone numbers.
The FBI went on to test both tools, and considered their use for domestic surveillance in the U.S., which reportedly led to discussions between the FBI and United States Department of Justice; ultimately the FBI decided against using NSO spyware.
However, despite the 2021 decision rejecting use of NSO software, Pegasus equipment is still in the FBI's possession at a New Jersey facility. Responding to the reports, FBI officials played down the domestic surveillance aspect of the Pegasus testing, instead stressing counter-intelligence as their purported main goal. A document later obtained by The New York Times clearly showed that the agency weighed using Pegasus and Phantom in domestic law enforcement cases.
L3/Harris, a U.S. defense contractor, was in talks to acquire NSO Group, the maker of Pegasus. L3/Harris reportedly had the backing of U.S. intelligence in undertaking the acquisition negotiations. After months of negotiations, the talks were scuttled after they were made known to the public by the news media in June 2022, with the U.S. government publicly rebuking the acquisition attempt.
Pegasus Project:
Main article: Pegasus Project (investigation)
A leak of a list of more than 50,000 telephone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 became available to Paris-based media nonprofit organisation Forbidden Stories and Amnesty International. They shared the information with seventeen news media organisations in what has been called Pegasus Project, and a months-long investigation was carried out, which reported from mid-July 2021.
The Pegasus Project involved 80 journalists from the media partners including the following:
Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware. However, The CEO of NSO Group categorically claimed that the list in question is unrelated to them, the source of the allegations can't be verified as reliable one. "This is an attempt to build something on a crazy lack of information... There is something fundamentally wrong with this investigation".
French intelligence (ANSSI) confirmed that Pegasus spyware had been found on the phones of three journalists, including a journalist of France 24, in what was the first time an independent and official authority corroborated the findings of the investigation.
On 26 January 2022, the reports revealed that mobile phones of Lama Fakih, a US-Lebanese citizen and director of crisis and conflict at Human Rights Watch, were repeatedly hacked by a client of NSO Group at a time when she was investigating the 2020 Beirut explosion that killed more than 200 people.
In July 2021, a joint investigation conducted by seventeen media organisations, revealed that Pegasus spyware was used to target and spy on heads of state, activists, journalists, and dissidents, enabling "human rights violations around the world on a massive scale".
The investigation was launched after a leak of 50,000 phone numbers of potential surveillance targets. Amnesty International carried out forensic analysis of mobile phones of potential targets. The investigation identified 11 countries as NSO clients:
The investigation also revealed that journalists from multiple media organizations included:
These were targeted and identified at least 180 journalists from 20 countries who were selected for targeting with NSO spyware between 2016 and June 2021.
Reactions:
NSO Group response:
Responding to August 2016 reports of a targeting of an Arab activist, NSO Group stated that they provide "authorized governments with technology that helps them combat terror and crime", although the Group told him that they had no knowledge of any incidents.
Bug-bounty program skepticism:
In the aftermath of the news, critics asserted that Apple's bug-bounty program, which rewards people for finding flaws in its software, might not have offered sufficient rewards to prevent exploits being sold on the black market, rather than being reported back to Apple.
Russell Brandom of The Verge commented that the reward offered in Apple's bug-bounty program maxes out at $200,000, "just a fraction of the millions that are regularly spent for iOS exploits on the black market".
He goes on to ask why Apple doesn't "spend its way out of security vulnerabilities?", but also writes that "as soon as [the Pegasus] vulnerabilities were reported, Apple patched them—but there are plenty of other bugs left.
While spyware companies see an exploit purchase as a one-time payout for years of access, Apple's bounty has to be paid out every time a new vulnerability pops up."
Brandom also wrote; "The same researchers participating in Apple's bug bounty could make more money selling the same finds to an exploit broker." He concluded the article by writing; "It's hard to say how much damage might have been caused if Mansoor had clicked on the spyware link... The hope is that, when the next researcher finds the next bug, that thought matters more than the money."
Books:
On January 17, 2023, a book about the Pegasus spyware by investigative journalists, Laurent Richards and Sandrine Rigaud, was published.
See also:
By Ellen Nakashima February 2, 2022 at 1:23 p.m. EST (The Washington Post)
The FBI tested Pegasus spyware made by the Israeli company NSO Group for possible use in criminal investigations, even as the FBI and Justice Department were investigating whether the NSO software had been used to illegally hack phones in the United States, people familiar with the events have told The Washington Post.
Justice Department lawyers at the time discussed that if the FBI were actually to deploy the tool, it could complicate any subsequent prosecution if the department brought charges, according to the people, who spoke on the condition of anonymity because of the matter’s sensitivity.
In a statement to The Post, the FBI confirmed that it had tested the spyware but stressed it had not been used “in support of any investigation.”
The FBI statement is the first official confirmation that a U.S. law enforcement agency has tested NSO spyware. The development was first reported by the New York Times.
“The FBI works diligently to stay abreast of emerging technologies and tradecraft — not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties,” the statement said. “That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only.”
Pegasus is NSO’s most well-known spyware, breathtakingly potent in its ability to covertly scoop up an iPhone or Android phone user’s calls and text messages, pictures and whereabouts. NSO says it’s for use only against bad actors such as gangsters and drug lords, but investigations by civil society groups have uncovered its use by foreign governments to track activists, journalists, lawyers and their families.
The Israeli firm has repeatedly said Pegasus cannot be used to target U.S. phones or devices assigned a +1 U.S. number. But NSO appears to have created a workaround — a separate product called Phantom — to enable American law enforcement to monitor U.S. devices, according to documents obtained by the tech news site Motherboard in 2020.
According to the Times, NSO Group made a presentation of Phantom’s capability to the FBI in 2019 to show that the spyware “could hack any number in the United States that the F.B.I. decided to target.”
The Times also reported that the bureau ran up $5 million in fees to NSO and renewed a contract for the Pegasus software. The FBI declined to confirm those details.
NSO Group declined to comment for this story.
According to the Times, the FBI decided not to deploy the spyware last summer, around the time The Post and an international journalism consortium published a multipart investigation that found Pegasus had been used to attack the phones of journalists, human rights activists and politicians around the world.
The company has promised to investigate abuses of its system and cut off clients who violate NSO rules.
The agencies declined to offer details on the pitches, but public records show they were sent brochures boasting that Phantom could “remotely and covertly [extract] all data from any smartphone” and fill “a void in law enforcement data gathering ability.” The brochure was distributed by a company calling itself NSO’s North American branch.
The use of NSO spyware by the FBI arguably would have been lawful since wiretap laws generally provide such authority, experts say. Erez Liebermann, a former federal prosecutor in New Jersey who has prosecuted criminal hackers, said he would support the use of such a tool “as long as it’s done with court approval and internal oversight by the FBI, which makes it very different from its use by some of these other regimes.”
Liebermann noted that a decade ago when he was still a prosecutor, law enforcement officials feared the rise of strong encryption on mobile devices was undercutting their ability to intercept criminals’ communications.
“There has to be a tool for law enforcement to prevent crime,” said Liebermann, now a partner at the law firm Linklaters. “The question for us all is what do we find acceptable?”
But others noted that had the FBI used NSO tools and that use had become public, the move probably would have been controversial. Human rights organizations have long highlighted the use of Pegasus by authoritarian governments to monitor their opponents, and the software was used to target associates of Washington Post contributing columnist Jamal Khashoggi before he was murdered by Saudi operatives in Turkey in 2018.
“This is extremely troubling and raises basic questions about whether Americans’ constitutional rights are being sufficiently protected as the FBI explores or uses hacking tools,” said John Scott-Railton, senior researcher at the Citizen Lab, an affiliate of the University of Toronto’s Munk School of Global Affairs and Public Policy.
Citizen Lab reports in 2016 were among the first to claim Pegasus had been used to hack journalists and dissidents in countries with troubling human rights records.
In November, the U.S. Commerce Department placed NSO on its Entity List, a designation — in some cases seen as effectively a “death penalty” for companies — that curbs the firm’s access to American technologies. NSO has used the servers of American companies such as Amazon Web Services to distribute the malware, WhatsApp charges in its lawsuit against NSO.
The Commerce Department designation came after Apple began notifying users, including 11 employees of the U.S. Embassy in Uganda, that their iPhones had been attacked with Pegasus.
“By design, NSO’s spyware creates a breathtakingly invasive and disproportionate access to a person’s current and past digital life,” Scott-Railton said. “It’s time for the U.S. government to be much more transparent about the use of such contractors and what ethical oversight is involved. Democracies and dictatorships shouldn’t share a hacking toolbox.”
In the spring of 2019, WhatsApp discovered that its platform had been hacked by unknown actors who deployed Pegasus to some 1,400 phones and devices. At least one number that was targeted had a Washington, D.C., area code, the company said in court documents.
The company brought the matter to the Justice Department, according to people familiar with the matter. In October that year, WhatsApp sued NSO in federal court in San Francisco, alleging the firm’s spyware was used against victims in 20 countries during a two-week period from late April to mid-May in 2019.
What WhatsApp “didn’t appear to know” when it filed its lawsuit, the Times’s report said, was that the “attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the FBI of Phantom.”
Asked to comment on that report, WhatsApp said: “In all circumstances, our priority is to defend our services from threats that would harm people’s ability to safely communicate with one another. We will continue our efforts to hold NSO accountable for their attacks against journalists, human rights activists, and government officials in violation of U.S. law. The spyware industry must be prevented from undermining the privacy and security of people in the U.S. and across the world.”
Drew Harwell, Dana Priest and Craig Timberg contributed to this report.
___________________________________________________________________________
Pegasus spyware (Wikipedia)
Pegasus is spyware developed by the Israeli cyber-arms company NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android.
Pegasus is able to exploit iOS versions up to 14.7, through a zero-click exploit.
As of 2022, Pegasus was capable of:
- reading text messages,
- tracking calls,
- collecting passwords,
- location tracking,
- accessing the target device's microphone and camera,
- and harvesting information from apps.
The spyware is named after Pegasus, the winged horse of Greek mythology. It is a Trojan horse computer virus that can be sent "flying through the air" to infect cell phones.
Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, as well as the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the "most sophisticated" smartphone attack ever; it was the first time that a malicious remote exploit used jailbreaking to gain unrestricted access to an iPhone.
The spyware has been used for surveillance of anti-regime activists, journalists, and political leaders from several nations around the world. In July 2021, the investigation initiative Pegasus Project, along with an in-depth analysis by human rights group Amnesty International, reported that Pegasus was still being widely used against high-profile targets.
Background:
NSO Group developed its first iteration of Pegasus spyware in 2011. The company states that it provides "authorized governments with technology that helps them combat terror and crime."
NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.
Discovery:
Pegasus's iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising "secrets" about torture happening in prisons in the United Arab Emirates by following a link.
Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering.
Citizen Lab and Lookout discovered that the link downloaded software to exploit three previously unknown and unpatched zero-day vulnerabilities in iOS. According to their analysis, the software can jailbreak an iPhone when a malicious URL is opened. The software installs itself and collects all communications and locations of targeted iPhones.
The software can also collect Wi-Fi passwords. The researchers noticed that the software's code referenced an NSO Group product called "Pegasus" in leaked marketing materials.
Pegasus had previously come to light in a leak of records from Hacking Team, which indicated the software had been supplied to the government of Panama in 2015. Citizen Lab and Lookout notified Apple's security team, which patched the flaws within ten days and released an update for iOS. A patch for macOS was released six days later.
Regarding how widespread the issue was, Lookout explained in a blog post: "We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code" and pointed out that the code shows signs of a "kernel mapping table that has values all the way back to iOS 7" (released 2013).
The New York Times and The Times of Israel both reported that it appeared that the United Arab Emirates was using this spyware as early as 2013. It was used in Panama by former president Ricardo Martinelli from 2012 to 2014, who established the Consejo de Seguridad Pública y Defensa Nacional (National Security Council) for its use.
Chronology:
Several lawsuits outstanding in 2018 claimed that NSO Group helped clients operate the software and therefore participated in numerous violations of human rights initiated by its clients.
Two months after the murder and dismemberment of The Washington Post journalist Jamal Khashoggi, a Saudi human rights activist, in the Saudi Arabian Consulate in Istanbul, Turkey, Saudi dissident Omar Abdulaziz, a Canadian resident, filed suit in Israel against NSO Group, accusing the firm of providing the Saudi government with the surveillance software to spy on him and his friends, including Khashoggi.
In December 2020, an Al Jazeera investigative show The Hidden is More Immense covered Pegasus and its penetration into the phones of media professionals and activists; and its use by Israel to eavesdrop on both opponents and allies.
Technical details:
The spyware can be installed on devices running certain versions of iOS, Apple's mobile operating system, as well as some Android devices. Rather than being a specific exploit, Pegasus is a suite of exploits that uses many vulnerabilities in the system.
Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Pegasus uses are zero-click—that is, they can run without any interaction from the victim.
Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps:
In April 2017, after a Lookout report, Google researchers discovered Android malware "believed to be created by NSO Group Technologies" and named it Chrysaor (Pegasus' brother in Greek mythology). According to Google, "Chrysaor is believed to be related to the Pegasus spyware".
At the 2017 Security Analyst Summit held by Kaspersky Lab, researchers revealed that Pegasus was available for Android in addition to iOS. Its functionality is similar to the iOS version, but the mode of attack is different. The Android version tries to gain root access (similar to jailbreaking in iOS); if it fails, it asks the user for permissions that enable it to harvest at least some data.
At the time Google said that only a few Android devices had been infected.
Pegasus hides itself as far as is possible and self-destructs in an attempt to eliminate evidence if unable to communicate with its command-and-control server for more than 60 days, or if on the wrong device. Pegasus also can self-destruct on command.
If it is not possible to compromise a target device by simpler means, Pegasus can be installed by setting up a wireless transceiver near a target device, or by gaining physical access to the device.
Development of capabilities:
The earliest version of Pegasus - which was identified in 2016 - relied on a spear-phishing attack which required the target to click a malicious link in a text message or email.
As of August 2016 - according to a former NSO employee - the U.S. version of Pegasus had 1-click capabilities for all phones apart from old BlackBerry models, which could be infiltrated with a 0-click attack.
In 2019, WhatsApp revealed Pegasus had employed a vulnerability in its app to launch zero-click attacks (the spyware would be installed onto a target's phone by calling the target phone; the spyware would be installed even if the call was not answered).
Since 2019, Pegasus has come to rely on iPhone iMessage vulnerabilities to deploy spyware.
By 2020, Pegasus shifted towards zero-click exploits and network-based attacks. These methods allowed clients to break into target phones without requiring user interaction and without leaving any detectable traces.
Vulnerabilities:
Lookout provided details of the three iOS vulnerabilities:
- CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing them to calculate the kernel's location in memory.
- CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software.
- CVE-2016-4657: Memory corruption in WebKit – A vulnerability in Safari's WebKit engine that allows the attacker to compromise the device when the user clicks on a link.
Google's Project Zero documented another exploit, dubbed FORCEDENTRY, in December 2021. According to Google's researchers, Pegasus sent an iMessage to its targets that contained what appeared to be GIF images, but which in fact contained a JBIG2 image.
A vulnerability in the Xpdf implementation of JBIG2, re-used in Apple's iOS phone operating software, allowed Pegasus to construct an emulated computer architecture inside the JBIG2 stream which was then used to implement the zero-click attack. Apple fixed the vulnerability in iOS 14.8 in September 2021 as CVE-2021-30860.
As of July 2021, Pegasus likely uses many exploits, some not listed in the above CVEs.
Pegasus Anonymizing Transmission Network:
Human rights group Amnesty International reported in the 2021 investigation that Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver exploit payloads and send commands to Pegasus targets.
There are at least four known iterations of the C&C infrastructure, dubbed the Pegasus Anonymizing Transmission Network (PATN) by NSO Group, each encompassing up to 500 domain names, DNS servers, and other network infrastructure.
The PATN reportedly uses techniques such as registering high port numbers for its online infrastructure so as to avoid conventional internet scanning. PATN also uses up to three randomised subdomains, unique per exploit attempt, as well as randomised URL paths.
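As an added example (not from the Amnesty report or this page), the following Python scans constructed web-proxy log lines for the three traits described above: a chain of random-looking subdomain labels, a randomised URL path and a non-standard high port. The log lines, hostnames, entropy thresholds and the "last two labels are the registrable domain" shortcut are all assumptions of the example, not facts from the investigation.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed web-proxy log lines for this example (not real Pegasus/PATN
# infrastructure): "<timestamp> <client-ip> <method> <url>".
SAMPLE_PROXY_LOG = """\
2021-07-18T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html
2021-07-18T10:01:07Z 10.0.0.5 GET https://static.cdn.example.net/js/app.js
2021-07-18T10:02:11Z 10.0.0.7 GET https://q7x2kp9wlr.h3mz8vt1ca.d5ygw0b2nq.example-stage.org:49321/k9xf2qzw7p/m3h
2021-07-18T10:02:13Z 10.0.0.7 POST https://mail.example.org/login
2021-07-18T10:03:40Z 10.0.0.9 GET https://b8kx3pqz1r.w2nv7c4ysg.t6jhf9m0ld.example-edge.net:51044/zr4k8pvq2n
"""

# Heuristic thresholds. They are tuned to the constructed sample, not taken
# from the report, so treat them as assumptions to calibrate on real traffic.
MIN_RANDOM_SUBDOMAINS = 3      # the report describes up to three per attempt
HIGH_PORT_FLOOR = 10000        # "high port numbers" that dodge routine scanning
COMMON_WEB_PORTS = {80, 443, 8080, 8443}


def shannon_entropy(text):
    """Bits per character; about 3.3 for a 10-char token of distinct characters."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(token, min_len=8, min_entropy=3.0):
    """Random-looking = long, high-entropy and mixing letters with digits.
    The letter+digit requirement keeps words such as 'index.html' out."""
    has_alpha = re.search(r"[a-z]", token, re.IGNORECASE) is not None
    has_digit = re.search(r"\d", token) is not None
    return (len(token) >= min_len and has_alpha and has_digit
            and shannon_entropy(token) >= min_entropy)


def analyze_url(url):
    """Return the list of PATN-style traits found in one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    labels = host.split(".")
    # Assumption: the last two labels are the registrable domain. Production
    # code should consult the Public Suffix List instead of this shortcut.
    subdomains = labels[:-2]
    findings = []
    if sum(looks_random(label) for label in subdomains) >= MIN_RANDOM_SUBDOMAINS:
        findings.append("random-looking subdomain chain")
    if port not in COMMON_WEB_PORTS and port >= HIGH_PORT_FLOOR:
        findings.append(f"non-standard high port {port}")
    if any(looks_random(seg) for seg in parts.path.split("/") if seg):
        findings.append("random-looking URL path")
    return findings


def scan_proxy_log(log_text, min_findings=2):
    """Map client IP -> list of (url, findings) for URLs showing enough traits.
    Requiring two traits together stops a lone CDN cache-buster or an odd
    port from raising an alert on its own."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        findings = analyze_url(url)
        if len(findings) >= min_findings:
            hits[client].append((url, findings))
    return dict(hits)


if __name__ == "__main__":
    for client, entries in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        for url, findings in entries:
            print(f"{client} -> {url}\n    {', '.join(findings)}")
```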
Use by country:
See also: Pegasus Project (investigation)
More about the United States:
NSO Group pitched its spyware to the Drug Enforcement Administration (DEA), which declined to purchase it due to its high cost.
In August 2016, NSO Group (through its U.S. subsidiary Westbridge) pitched its U.S. version of Pegasus to the San Diego Police Department (SDPD). In the marketing material, Westbridge emphasized that the company is U.S.-based and majority-owned by a U.S. parent company. An SDPD Sergeant responded to the sales pitch with "sounds awesome". The SDPD declined to purchase the spyware as it was too expensive.
In July 2021, it was revealed that the phone numbers of about a dozen U.S. citizens - including diplomats, journalists, aid workers, and dissident expatriates - were on a list of prospective targets for Pegasus infiltration; however, it was not known whether an attack was ever attempted or completed against any of their devices.
Among the phone numbers discovered on the list were those of the Biden administration's chief negotiator of the Joint Comprehensive Plan of Action as well as those of several United Nations diplomats residing in the U.S. NSO Group has said that Pegasus is not deployed against any device located within the territory of the U.S.; however, it has been suggested that U.S. citizens can become targets when abroad.
In December 2021, it was reported that Pegasus spyware was found in the preceding months on the iPhones of at least nine U.S. State Department employees, all of whom were either stationed in Uganda or worked on matters related to Uganda. Later the same month, AP reported that a total of 11 U.S. State Department employees stationed in Uganda had their iPhones hacked with Pegasus.
The US government blacklisted the NSO Group to stop what it called "transnational repression".
In January 2022, it was reported that the Federal Bureau of Investigation had secretly bought the Pegasus spyware in 2019 and had seen a demonstration of Phantom, a newer tool capable of targeting American phone numbers.
The FBI went on to test both tools, and considered their use for domestic surveillance in the U.S., which reportedly led to discussions between the FBI and United States Department of Justice; ultimately the FBI decided against using NSO spyware.
However, despite the 2021 decision rejecting use of NSO software, Pegasus equipment is still in the FBI's possession at a New Jersey facility. Responding to the reports, FBI officials played down the domestic surveillance aspect of the Pegasus testing, instead stressing counter-intelligence as their purported main goal. A document later obtained by The New York Times clearly showed that the agency weighed using Pegasus and Phantom in domestic law enforcement cases.
L3/Harris, a U.S. defense contractor, was in talks to acquire NSO Group, the maker of Pegasus. L3/Harris reportedly had the backing of U.S. intelligence in undertaking the acquisition negotiations. After months of negotiations, the talks were scuttled after they were made known to the public by the news media in June 2022, with the U.S. government publicly rebuking the acquisition attempt.
Pegasus Project:
Main article: Pegasus Project (investigation)
A leak of a list of more than 50,000 telephone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 became available to Paris-based media nonprofit organisation Forbidden Stories and Amnesty International. They shared the information with seventeen news media organisations in what has been called Pegasus Project, and a months-long investigation was carried out, which reported from mid-July 2021.
The Pegasus Project involved 80 journalists from the media partners including the following:
- The Guardian (UK),
- Radio France and Le Monde (France),
- Die Zeit and Süddeutsche Zeitung (Germany),
- The Washington Post (United States),
- Haaretz (Israel),
- Aristegui Noticias,
- Proceso (Mexico),
- the Organized Crime and Corruption Reporting Project,
- Knack,
- Le Soir,
- The Wire,
- Daraj,
- Direkt36 (Hungary),
- and Frontline.
Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware. However, the CEO of NSO Group categorically claimed that the list in question is unrelated to the company and that the source of the allegations cannot be verified as reliable: "This is an attempt to build something on a crazy lack of information... There is something fundamentally wrong with this investigation".
French intelligence (ANSSI) confirmed that Pegasus spyware had been found on the phones of three journalists, including a journalist of France 24, in what was the first time an independent and official authority corroborated the findings of the investigation.
On 26 January 2022, the reports revealed that mobile phones of Lama Fakih, a US-Lebanese citizen and director of crisis and conflict at Human Rights Watch, were repeatedly hacked by a client of NSO Group at a time when she was investigating the 2020 Beirut explosion that killed more than 200 people.
In July 2021, a joint investigation conducted by seventeen media organisations, revealed that Pegasus spyware was used to target and spy on heads of state, activists, journalists, and dissidents, enabling "human rights violations around the world on a massive scale".
The investigation was launched after a leak of 50,000 phone numbers of potential surveillance targets. Amnesty International carried out forensic analysis of mobile phones of potential targets. The investigation identified 11 countries as NSO clients:
- Azerbaijan,
- Bahrain,
- Hungary,
- India,
- Kazakhstan,
- Mexico,
- Morocco,
- Rwanda,
- Saudi Arabia,
- Togo,
- and the United Arab Emirates.
The investigation also revealed that the targeted journalists included staff of multiple media organizations:
- Al Jazeera,
- CNN,
- the Financial Times,
- the Associated Press,
- The New York Times,
- The Wall Street Journal,
- Bloomberg News
- and Le Monde.
In all, the investigation identified at least 180 journalists from 20 countries who were selected for targeting with NSO spyware between 2016 and June 2021.
Reactions:
NSO Group response:
Responding to August 2016 reports of the targeting of an Arab activist, NSO Group stated that it provides "authorized governments with technology that helps them combat terror and crime", although the Group told the activist that it had no knowledge of any incidents.
Bug-bounty program skepticism:
In the aftermath of the news, critics asserted that Apple's bug-bounty program, which rewards people for finding flaws in its software, might not have offered sufficient rewards to prevent exploits being sold on the black market, rather than being reported back to Apple.
Russell Brandom of The Verge commented that the reward offered in Apple's bug-bounty program maxes out at $200,000, "just a fraction of the millions that are regularly spent for iOS exploits on the black market".
He goes on to ask why Apple doesn't "spend its way out of security vulnerabilities?", but also writes that "as soon as [the Pegasus] vulnerabilities were reported, Apple patched them—but there are plenty of other bugs left. While spyware companies see an exploit purchase as a one-time payout for years of access, Apple's bounty has to be paid out every time a new vulnerability pops up."
Brandom also wrote: "The same researchers participating in Apple's bug bounty could make more money selling the same finds to an exploit broker." He concluded the article by writing: "It's hard to say how much damage might have been caused if Mansoor had clicked on the spyware link... The hope is that, when the next researcher finds the next bug, that thought matters more than the money."
Books:
On January 17, 2023, a book about the Pegasus spyware by the investigative journalists Laurent Richard and Sandrine Rigaud was published.
See also:
- DROPOUTJEEP
- Hermit (spyware)
- IMSI-catcher
- RCSAndroid from Hacking Team
Spyware, including a List of Spyware Programs
- YouTube Video: What is Spyware? Spyware and Cybercrime
- YouTube Video: How Does Spyware Work?
- YouTube Video: 13 Signs Your Computer Has Been Hacked
Click here for a List of Spyware Programs.
Spyware (a portmanteau for spying software) is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their privacy or endangering their device's security.
This behaviour may be present in malware as well as in legitimate software. Websites may engage in spyware behaviours like web tracking. Hardware devices may also be affected.
Spyware is frequently associated with advertising and involves many of the same issues.
Because these behaviors are so common, and can have non-harmful uses, providing a precise definition of spyware is a difficult task.
History:
The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware at first denoted software meant for espionage purposes.
However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Later in 2000, a parent using ZoneAlarm was alerted to the fact that Reader Rabbit, educational software marketed to children by the Mattel toy company, was surreptitiously sending data back to Mattel. Since then, "spyware" has taken on its present sense.
According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users' computers were infected with some form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.
As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers on which Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE was the most widely used, but because its tight integration with Windows allows spyware access to crucial parts of the operating system.
Before Internet Explorer 6 SP2 was released as part of Windows XP Service Pack 2, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user ignorance about these changes, and the assumption by Internet Explorer that all ActiveX components are benign, helped to spread spyware significantly.
Many spyware components would also make use of exploits in JavaScript, Internet Explorer and Windows to install without user knowledge or permission.
The Windows Registry contains multiple sections where modification of key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution.
Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted, even if some (or most) of the registry links are removed.
Overview:
Spyware is mostly classified into four types: adware, system monitors, tracking including web tracking, and trojans; examples of other notorious types include digital rights management capabilities that "phone home", keyloggers, rootkits, and web beacons.
These four categories are not mutually exclusive, and they use similar tactics against networks and devices. The main goal is to get installed, gain access to the network, avoid detection, and remove itself cleanly from the network afterwards.
Spyware is mostly used for stealing information, recording Internet users' movements on the Web, and serving up pop-up ads to Internet users. Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed intentionally by the owner of a shared, corporate, or public computer in order to monitor users.
While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information.
Spyware can also interfere with a user's control of a computer by installing additional software or redirecting web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, un-authorized changes in browser settings, or changes to software settings.
Sometimes, spyware is included along with genuine software, and may come from a malicious website or may have been added to the intentional functionality of genuine software (see the paragraph about Facebook, below).
In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices, especially for computers running Microsoft Windows.
A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer.
In German-speaking countries, spyware used or made by the government is called govware by computer experts (in common parlance: Regierungstrojaner, literally "Government Trojan"). Govware is typically a trojan horse software used to intercept communications from the target computer.
Some countries, like Switzerland and Germany, have a legal framework governing the use of such software. In the US, the term "policeware" has been used for similar purposes.
Use of the term "spyware" has eventually declined as the practice of tracking users has been pushed ever further into the mainstream by major websites and data mining companies; these generally break no known laws and compel users to be tracked, not by fraudulent practices per se, but by the default settings created for users and the language of terms-of-service agreements.
In one documented example, CBS/CNET News reported on March 7, 2011, on a Wall Street Journal analysis revealing the practice of Facebook and other websites of tracking users' browsing activity, linked to their identity, far beyond users' visits and activity within the Facebook site itself.
The report stated: "Here's how it works. You go to Facebook, you log in, you spend some time there, and then ... you move on without logging out. Let's say the next site you go to is New York Times. Those buttons, without you clicking on them, have just reported back to Facebook and Twitter that you went there and also your identity within those accounts.
Let's say you moved on to something like a site about depression. This one also has a tweet button, a Google widget, and those, too, can report back who you are and that you went there." The WSJ analysis was researched by Brian Kennish, founder of Disconnect, Inc.
Routes of infection:
Spyware does not necessarily spread in the same way as a virus or worm because infected systems generally do not attempt to transmit or copy the software to other computers.
Instead, spyware installs itself on a system by deceiving the user or by exploiting software vulnerabilities.
Most spyware is installed without the user's knowledge, or by using deceptive tactics. Spyware may try to deceive users by bundling itself with desirable software. Other common tactics are Trojan horses and spy gadgets that look like normal devices but turn out to be something else, such as a USB keylogger.
These devices present themselves to the computer as storage units but are capable of recording every keystroke made on the keyboard. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware.
The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it a frequent target, and its deep integration with the Windows environment turns a browser compromise into an attack on the Windows operating system itself.
Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behaviour.
Effects and behaviors:
Spyware rarely operates alone on a computer; an affected machine usually has multiple infections.
Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes are also common.
This degradation is usually a side effect rather than a goal: the malware simply consumes large amounts of computing power, disk space, or bandwidth. Spyware that interferes with networking software commonly causes difficulty connecting to the Internet.
In some infections, the spyware is not even evident. Users assume in those situations that the performance issues relate to faulty hardware, Windows installation problems, or another malware infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.
Moreover, some types of spyware disable software firewalls and antivirus software, and/or reduce browser security settings, which opens the system to further opportunistic infections.
Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances increase the likelihood that users will take action to remove the programs.
Keyloggers are sometimes part of malware packages downloaded onto computers without the owners' knowledge. Some keylogger software is freely available on the Internet, while other keyloggers are commercial or private applications. Most keyloggers not only capture keystrokes but are also capable of collecting screen captures from the computer.
A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs has unrestricted access to the system. As with other operating systems, Windows users are able to follow the principle of least privilege and use non-administrator accounts. Alternatively, they can reduce the privileges of specific vulnerable Internet-facing processes, such as Internet Explorer.
Since Windows Vista, even an administrator account runs programs with limited-user privileges by default; when a program requires administrative privileges, a User Account Control prompt asks the user to allow or deny the action. This improves on the design used by previous versions of Windows.
Spyware is also known as tracking software.
Remedies and prevention:
See also: Computer virus § Virus removal
As the spyware threat has evolved, a number of techniques have emerged to counteract it. These include programs designed to remove or block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may be to back up user data and fully reinstall the operating system. For instance, some spyware cannot be completely removed by products from Symantec, Microsoft, or PC Tools.
Anti-spyware programs:
See also: Category:Spyware removal
Many programmers and some commercial firms have released products designed to remove or block spyware. Programs such as PC Tools' Spyware Doctor, Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as tools to remove, and in some cases intercept, spyware programs.
In December 2004, Microsoft acquired the GIANT AntiSpyware software, rebranding it as Microsoft AntiSpyware (Beta 1) and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In November 2005, it was renamed Windows Defender.
Major anti-virus firms such as Symantec, PC Tools, McAfee and Sophos have also added anti-spyware features to their existing anti-virus products.
Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware".
However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection against them.
How anti-spyware software works:
Anti-spyware programs can combat spyware in two ways:
- Detection and removal: such programs inspect the contents of the Windows registry, operating system files, and installed programs, and remove files and entries which match a list of known spyware.
- Real-time protection: this works identically to real-time anti-virus protection. The software scans disk files at download time and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.
Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based spyware.
Like most anti-virus software, many anti-spyware/adware tools require a frequently updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, adding to the list of known spyware, which allows the software to detect and remove new spyware.
As a result, anti-spyware software is of limited usefulness without regular updates. Updates may be installed automatically or manually.
A popular generic spyware removal tool for users with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list of items to delete manually.
As most of the items are legitimate Windows files or registry entries, less knowledgeable users are advised to post a HijackThis log on one of the numerous anti-spyware sites and let the experts decide what to delete.
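The following is an added example written for this article, not code from HijackThis or any other product named here. It applies the three ideas above to a registry snapshot: the History section's observation that spyware links itself from every autorun location it can, the signature list that detection-and-removal tools match against, and the HijackThis approach of listing suspicious autorun entries for a human to review. The registry snapshot, the user profile, the known-spyware name and the heuristics' thresholds are all constructed for the example; a live scan would read the keys with reg.exe or Python's winreg module.

```python
"""Scan Windows autorun locations for spyware-style persistence.

Added example for this article; not code from any product named in it. The
registry snapshot, user profile and "known spyware" list are constructed.
"""
import re
from collections import defaultdict

# Hypothetical environment of the scanned user; on a live host use os.environ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# Constructed snapshot of registry autorun locations (value name -> command).
# Live data would come from `reg export` or the winreg module.
AUTORUN_SNAPSHOT = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "svchost32": r"C:\Users\alice\AppData\Roaming\svchost32\svchost32.exe /silent",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce": {
        "svc": r"%APPDATA%\svchost32\svchost32.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Users\alice\AppData\Roaming\svchost32\svchost32.exe -watchdog",
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"explorer.exe,C:\Users\alice\AppData\Roaming\svchost32\svchost32.exe",
    },
}

# Hypothetical signature list keyed by file name. Real anti-spyware engines
# match hashes and code signatures; a name match alone is only a hint.
KNOWN_SPYWARE = {"svchost32.exe"}

USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)


def expand_env(path, env=ENV):
    """Expand %VAR% references the way the shell would, leaving unknown ones alone."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def executables_in(command, comma_list=False):
    """Return normalized executable paths referenced by one autorun value.

    Handles quoted paths and %VAR% expansion; Winlogon values may hold a
    comma-separated list of programs, so those are split when asked.
    """
    parts = command.split(",") if comma_list else [command]
    exes = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        exe = part[1:].split('"', 1)[0] if part.startswith('"') else part.split()[0]
        exes.append(expand_env(exe).lower())
    return exes


def scan(snapshot=AUTORUN_SNAPSHOT, known=KNOWN_SPYWARE):
    """Return [(exe, [(key, value_name), ...], [reason, ...])], most suspicious first."""
    refs = defaultdict(list)
    for key, values in snapshot.items():
        for name, command in values.items():
            for exe in executables_in(command, comma_list="winlogon" in key.lower()):
                refs[exe].append((key, name))
    findings = []
    for exe, locations in refs.items():
        base = exe.rsplit("\\", 1)[-1]
        reasons = []
        if base in known:
            reasons.append("matches known-spyware list")
        if len(locations) > 1:
            reasons.append(f"referenced from {len(locations)} autorun locations")
        if USER_WRITABLE.search(exe):
            reasons.append("runs from a user-writable directory")
        if base != "explorer.exe" and any(n == "Shell" and "winlogon" in k.lower() for k, n in locations):
            reasons.append("hooked into the Winlogon Shell value")
        if reasons:
            findings.append((exe, sorted(locations), reasons))
    return sorted(findings, key=lambda f: -len(f[2]))


if __name__ == "__main__":
    for exe, locations, reasons in scan():
        print(exe)
        for key, name in locations:
            print(f"    {key}\\{name}")
        print("    -> " + "; ".join(reasons))
```

On the constructed snapshot the scanner reports the one program wired into four autorun locations with all four reasons, but it also flags OneDrive for the single reason that it runs from the user's profile directory, which is exactly where per-user installers put legitimate software. That is why a HijackThis-style tool presents the list for review instead of deleting matches, and why a real engine relies on hashes and signatures rather than file names.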
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program.
Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree may also work.
Security practices:
To detect spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many users have installed a web browser other than Internet Explorer, such as Mozilla Firefox or Google Chrome. Though no browser is completely safe, Internet Explorer was once at greater risk of spyware infection because of its large user base and vulnerabilities such as ActiveX, but the major browsers are now close to equivalent in security.
Some ISPs—particularly colleges and universities—have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware.
On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. Many other educational institutions have taken similar steps.
Individual users can also install firewalls from a variety of companies. These monitor the flow of information going to and from a networked computer and provide protection against spyware and malware.
Some users install a large hosts file which prevents the user's computer from connecting to known spyware-related web addresses. Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack.
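The hosts-file technique just described, as an added example for this article (not code from any block list project): a parser for the hosts format, a lookup that mimics the resolver's first-match rule, and a merge routine that adds a managed block section without overriding names the user already maps. The existing hosts content, the block-list domains and the section markers are constructed; the 0.0.0.0 sinkhole address is a choice of this example, since 127.0.0.1 would send blocked requests to any web server running locally.

```python
"""Maintain a hosts-file block list for known spyware domains.

Added example for this article; not code from any tool named in it. The
existing hosts content and the block list are constructed.
"""
import ipaddress
import re

SINKHOLE = "0.0.0.0"          # unroutable; 127.0.0.1 would hit any local web server
BEGIN, END = "# BEGIN spyware-blocklist", "# END spyware-blocklist"
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed hosts file with comments, an IPv6 entry and a multi-name line.
EXISTING_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1   localhost
::1         localhost
10.0.0.5    intranet intranet.corp.example   # internal
"""

# Constructed block list; real ones are distributed in this same hosts format.
BLOCKLIST = [
    "tracker.example-spyware.test",
    "ads.example-spyware.test",
    "Tracker.Example-Spyware.TEST",   # duplicate differing only in case
    "not a hostname",                 # rejected by the hostname check
]


def parse_hosts(text):
    """Return [(ip, [hostnames])] for each valid mapping line; comments are stripped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line; resolvers skip it too
        entries.append((str(ip), [h.lower() for h in fields[1:]]))
    return entries


def resolve_local(text, hostname):
    """First matching line wins, as in the system resolver."""
    hostname = hostname.lower()
    for ip, names in parse_hosts(text):
        if hostname in names:
            return ip
    return None


def is_blocked(text, hostname):
    """A name is blocked when it resolves to the unspecified address (0.0.0.0 or ::)."""
    ip = resolve_local(text, hostname)
    return ip is not None and ipaddress.ip_address(ip).is_unspecified


def merge_blocklist(text, domains, sinkhole=SINKHOLE):
    """Append a managed block section; rerunning replaces it, so the result is idempotent."""
    lines = text.splitlines()
    if BEGIN in lines and END in lines:
        b, e = lines.index(BEGIN), lines.index(END)
        lines = lines[:b] + lines[e + 1:]
    base = "\n".join(lines).rstrip("\n")
    # Never override a name the user already maps (e.g. localhost or intranet hosts).
    already = {h for _, names in parse_hosts(base) for h in names}
    cleaned = {d.strip().lower() for d in domains}
    wanted = sorted(d for d in cleaned - already if HOSTNAME.match(d))
    section = [BEGIN] + [f"{sinkhole} {d}" for d in wanted] + [END]
    return base + "\n" + "\n".join(section) + "\n"


if __name__ == "__main__":
    print(merge_blocklist(EXISTING_HOSTS, BLOCKLIST))
```

Two limits worth keeping in mind: the hosts file only affects name resolution, so software that connects to hard-coded IP addresses or brings its own resolver is unaffected, and spyware running with write access to the file can simply edit it back. Keeping the managed section between markers at least makes tampering easy to spot by comparing the file against the last merge.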
Individual users can use a cellphone or computer with a physical (electrical) switch, or an isolated electronic switch, that disconnects the microphone and camera without any bypass, and keep it in the disconnected position when not in use; this limits the information that spyware can collect. (This policy is recommended by the NIST Guidelines for Managing the Security of Mobile Devices, 2013.)
Applications:
"Stealware" and affiliate fraud:
A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.
Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity – replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks.
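The tag replacement described above, as an added example for this article (not code from any spyware or affiliate network): one function performs the rewrite the way stealware does to an outgoing click, replacing any affiliate tag and adding one when the link carried none, and a second function shows a consistency check a merchant or network could run on the click it receives. The merchant URL, the parameter name and the affiliate registry are constructed, and the referrer check is illustrative, not a documented procedure of any network.

```python
"""Affiliate-tag hijacking ("stealware") and a network-side consistency check.

Added example for this article. The rewrite mirrors the behaviour the text
describes; the audit is an illustrative check, not a documented procedure
of any affiliate network. URLs, parameter names and the registry are
constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registry: affiliate tag -> web sites that affiliate registered.
AFFILIATE_SITES = {
    "pub123": {"reviews.example"},
    "steal9": set(),          # the spyware operator's tag; publishes nowhere
}


def rewrite_affiliate_tag(url, operator_tag, param):
    """What stealware does to an outgoing click: every `param` value becomes the
    operator's tag, and one is appended when the link carried no tag at all.
    All other query parameters are preserved in their original order."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    rewritten = [(k, operator_tag if k == param else v) for k, v in query]
    if all(k != param for k, _ in query):
        rewritten.append((param, operator_tag))
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


def audit_click(click_url, referer, param, registry=AFFILIATE_SITES):
    """Classify one click as seen by the merchant or network.

    Returns "ok", "no-tag", "unknown-affiliate", "no-referer" or
    "tag-referer-mismatch" (the tag belongs to an affiliate who does not
    publish on the referring site).
    """
    tag = dict(parse_qsl(urlsplit(click_url).query)).get(param)
    if tag is None:
        return "no-tag"
    if tag not in registry:
        return "unknown-affiliate"
    if not referer:
        return "no-referer"
    if urlsplit(referer).hostname not in registry[tag]:
        return "tag-referer-mismatch"
    return "ok"


if __name__ == "__main__":
    link = "https://shop.example/item/42?aff_id=pub123&color=red"
    hijacked = rewrite_affiliate_tag(link, "steal9", "aff_id")
    print(hijacked)
    print(audit_click(link, "https://reviews.example/best-widgets", "aff_id"))
    print(audit_click(hijacked, "https://reviews.example/best-widgets", "aff_id"))
```

The rewrite happens on the victim's machine, so the merchant receives what looks like an ordinary browser request; the only trace is that the tag no longer matches the page the click came from. Software that rewrites the URL can also strip or forge the Referer header, so a check like this catches careless operators, and networks additionally watch aggregate signals such as conversion rates per affiliate.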
Mobile devices can also be vulnerable to chargeware, which manipulates users into illegitimate mobile charges.
Identity theft and fraud:
In one case, spyware has been closely associated with identity theft. In August 2005, researchers from security software firm Sunbelt Software suspected the creators of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc."; however it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."
This case is currently under investigation by the FBI.
The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.
Digital rights management:
Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology.
Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit, and three separate class-action suits were filed. Sony BMG later provided a workaround on its website to help users remove it.
Beginning on April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application was installed on most Windows PCs as a "critical security update".
While the main purpose of this application, which cannot be removed through normal means, is to ensure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware. It can be removed with the RemoveWGA tool.
Personal relationships:
Stalkerware is spyware that has been used to monitor electronic activities of partners in intimate relationships. At least one software package, Loverspy, was specifically marketed for this purpose.
Depending on local laws regarding communal/marital property, observing a partner's online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.
Browser cookies:
Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.
Shameware:
Shameware or "accountability software" is a type of spyware that is not hidden from the user, but operates with their knowledge, if not necessarily their consent. Parents, religious leaders or other authority figures may require their children or congregation members to install such software, which is intended to detect the viewing of pornography or other content deemed inappropriate, and to report it to the authority figure, who may then confront the user about it.
Spyware programs:
Main article: List of spyware programs
These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators.
Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator".
Likewise, programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately.
Rogue anti-spyware programs:
Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads can warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or else, may add more spyware of their own.
The recent proliferation of fake or spoofed antivirus products that bill themselves as anti-spyware can be troublesome. Users may receive pop-ups prompting them to install such a product to protect their computer, when it will in fact add spyware.
It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate.
Fake antivirus products constitute 15 percent of all malware. On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.
Legal issues:
Criminal law:
Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act, and similar laws in other countries.
Since owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act.
Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.
Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA).
Many users habitually ignore these purported contracts, but spyware companies such as Claria say these demonstrate that users have consented.
Despite the ubiquity of EULAs, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that this type of agreement can be a binding contract in certain circumstances.
This does not, however, mean that every such agreement is a contract, or that every term in one is enforceable.
Some jurisdictions, including the U.S. states of Iowa and Washington, have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.
In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.
Administrative sanctions:
US FTC actions:
The US Federal Trade Commission has sued Internet marketing organizations under the "unfairness doctrine" to make them stop infecting consumers' PCs with spyware.
In one case, that against Seismic Entertainment Productions, the FTC accused the defendants of developing a program that seized control of PCs nationwide, infected them with spyware and other malicious software, bombarded them with a barrage of pop-up advertising for Seismic's clients, exposed the PCs to security risks, and caused them to malfunction. Seismic then offered to sell the victims an "antispyware" program to fix the computers, and stop the popups and other problems that Seismic had caused.
On November 21, 2006, a settlement was entered in federal court under which a $1.75 million judgment was imposed in one case and $1.86 million in another, but the defendants were insolvent.
In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly monitor unsuspecting consumers' computers. According to the FTC, Cyberspy touted RemoteSpy as a "100% undetectable" way to "Spy on Anyone. From Anywhere."
The FTC has obtained a temporary order prohibiting the defendants from selling the software and disconnecting from the Internet any of their servers that collect, store, or provide access to information that this software has gathered. The case is still in its preliminary stages.
A complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC's attention.
Netherlands OPTA:
An administrative fine, the first of its kind in Europe, has been issued by the Independent Authority of Posts and Telecommunications (OPTA) of the Netherlands. It applied fines totalling EUR 1,000,000 for infecting 22 million computers.
The spyware concerned is called DollarRevenue. The law articles that have been violated are art. 4.1 of the Decision on universal service providers and on the interests of end users; the fines have been issued based on art. 15.4 taken together with art. 15.10 of the Dutch telecommunications law.
Civil law:
Former New York State Attorney General and former Governor of New York Eliot Spitzer has pursued spyware companies for fraudulent installation of software. In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling, by agreeing to pay US$7.5 million and to stop distributing spyware.
The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.
Courts have not yet had to decide whether advertisers can be held liable for spyware that displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm.
Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies that have run their ads in spyware.
Libel suits by spyware developers:
Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described.
In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware". PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software. As a result, other anti-spyware and anti-virus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.
WebcamGate:
Main article: Robbins v. Lower Merion School District
In the 2010 WebcamGate case, plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, and therefore infringed on their privacy rights.
The school loaded each student's computer with LANrev's remote activation tracking software. This included the now-discontinued "TheftTrack". While TheftTrack was not enabled by default on the software, the program allowed the school district to elect to activate it, and to choose which of the TheftTrack surveillance options the school wanted to enable.
TheftTrack allowed school district employees to secretly remotely activate the webcam embedded in the student's laptop, above the laptop's screen. That allowed school officials to secretly take photos through the webcam, of whatever was in front of it and in its line of sight, and send the photos to the school's server.
The LANrev software disabled the webcams for all other uses (e.g., students were unable to use Photo Booth or video chat), so most students mistakenly believed their webcams did not work at all. On top of the webcam surveillance, TheftTrack allowed school officials to take screenshots and send them to the school's server.
School officials were also granted the ability to take snapshots of instant messages, web browsing, music playlists, and written compositions. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.
See also:
Spyware (a portmanteau for spying software) is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their privacy or endangering their device's security.
This behaviour may be present in malware as well as in legitimate software. Websites may engage in spyware behaviours like web tracking. Hardware devices may also be affected.
Spyware is frequently associated with advertising and involves many of the same issues.
Because these behaviors are so common, and can have non-harmful uses, providing a precise definition of spyware is a difficult task.
History:
The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware at first denoted software meant for espionage purposes.
However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Later in 2000, a parent using ZoneAlarm was alerted to the fact that Reader Rabbit, educational software marketed to children by the Mattel toy company, was surreptitiously sending data back to Mattel. Since then, "spyware" has taken on its present sense.
According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users' computers were infected with form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.
As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers on which Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE was the most widely used, but because its tight integration with Windows allows spyware access to crucial parts of the operating system.
Before Internet Explorer 6 SP2 was released as part of Windows XP Service Pack 2, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user ignorance about these changes, and the assumption by Internet Explorer that all ActiveX components are benign, helped to spread spyware significantly.
Many spyware components would also make use of exploits in JavaScript, Internet Explorer and Windows to install without user knowledge or permission.
The Windows Registry contains multiple sections where modification of key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution.
Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted, even if some (or most) of the registry links are removed.
Overview:
Spyware is mostly classified into four types: adware, system monitors, tracking including web tracking, and trojans; examples of other notorious types include digital rights management capabilities that "phone home", keyloggers, rootkits, and web beacons.
These four categories are not mutually exclusive, and the programs in them use similar tactics against networks and devices: get installed, gain access to the network, avoid detection, and remove themselves cleanly when done.
Spyware is mostly used for stealing information, recording Internet users' movements on the Web, and serving pop-up ads to Internet users. Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed intentionally by the owner of a shared, corporate, or public computer in order to monitor users.
While the term spyware suggests software that monitors a user's computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information.
Spyware can also interfere with a user's control of a computer by installing additional software or redirecting web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, un-authorized changes in browser settings, or changes to software settings.
Sometimes, spyware is included along with genuine software, and may come from a malicious website or may have been added to the intentional functionality of genuine software (see the paragraph about Facebook, below).
In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices, especially for computers running Microsoft Windows.
A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer.
In German-speaking countries, spyware used or made by the government is called govware by computer experts (in common parlance: Regierungstrojaner, literally "Government Trojan"). Govware is typically a trojan horse software used to intercept communications from the target computer.
Some countries, like Switzerland and Germany, have a legal framework governing the use of such software. In the US, the term "policeware" has been used for similar purposes.
Use of the term "spyware" has eventually declined as the practice of tracking users has been pushed ever further into the mainstream by major websites and data mining companies; these generally break no known laws and compel users to be tracked, not by fraudulent practices per se, but by the default settings created for users and the language of terms-of-service agreements.
In one documented example, CBS/CNet News reported on March 7, 2011, on a Wall Street Journal analysis revealing the practice of Facebook and other websites of tracking users' browsing activity, linked to their identity, far beyond users' visits and activity within the Facebook site itself.
The report stated: "Here's how it works. You go to Facebook, you log in, you spend some time there, and then ... you move on without logging out. Let's say the next site you go to is New York Times. Those buttons, without you clicking on them, have just reported back to Facebook and Twitter that you went there and also your identity within those accounts.
Let's say you moved on to something like a site about depression. This one also has a tweet button, a Google widget, and those, too, can report back who you are and that you went there." The WSJ analysis was researched by Brian Kennish, founder of Disconnect, Inc.
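The mechanism the report describes is ordinary cookie scoping: a browser attaches cookies according to the host of each request, not the page the user is looking at, so a button served from the social network's own host receives that network's login cookie together with a Referer header naming the page it was embedded in. The model below is an added example, not code from this article or from the WSJ analysis; the hostnames, the cookie name and the same-site rule (comparing the last two labels of a hostname) are constructed simplifications of real browser behaviour.

```python
"""Model of why an embedded 'Like' button learns who visited which page.

Added example with constructed hostnames; the cookie name and the
two-label same-site rule are simplifications, not real browser policy.
"""
from urllib.parse import urlsplit


class CookieJar:
    """Cookies keyed by host, as a browser stores them."""

    def __init__(self):
        self._jar = {}

    def set_cookie(self, host, name, value):
        self._jar.setdefault(host.lower(), {})[name] = value

    def cookies_for(self, host):
        return dict(self._jar.get(host.lower(), {}))


def _site(host):
    """Constructed same-site rule: registrable domain = last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def page_load(jar, page_url, embedded_urls, block_third_party=False):
    """Return the requests a browser issues for one page view.

    Each request carries the cookies stored for *its own* host (not the
    page's host) plus the page URL as Referer. With block_third_party the
    jar is withheld from hosts that are not same-site with the page.
    """
    page_host = urlsplit(page_url).hostname
    requests = []
    for url in [page_url] + list(embedded_urls):
        host = urlsplit(url).hostname
        third_party = _site(host) != _site(page_host)
        cookies = {} if (block_third_party and third_party) else jar.cookies_for(host)
        requests.append({
            "url": url,
            "cookies": cookies,
            "referer": None if url == page_url else page_url,
            "third_party": third_party,
        })
    return requests


def leaked_identities(requests):
    """Third-party requests carrying both a cookie and a Referer: the tracking signal."""
    return [(r["url"], r["cookies"], r["referer"])
            for r in requests if r["third_party"] and r["cookies"] and r["referer"]]


def demo(block_third_party=False):
    """Constructed walk-through of the scenario quoted in the report."""
    jar = CookieJar()
    # Step 1: the user logs in to the social network, which sets an identity cookie.
    jar.set_cookie("social.example", "c_user", "12345")
    # Step 2: the user visits a news site that embeds the network's button.
    requests = page_load(
        jar,
        "https://news.example/2011/03/story",
        ["https://social.example/plugins/like?href=https://news.example/2011/03/story"],
        block_third_party=block_third_party,
    )
    return leaked_identities(requests)


if __name__ == "__main__":
    print(demo())                        # identity cookie and Referer reach social.example
    print(demo(block_third_party=True))  # nothing leaks
```

The second call shows what changes when the browser refuses to send cookies to third-party hosts: the button is still fetched and still sees the Referer, but without the cookie it cannot tie the visit to an account.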
Routes of infection:
Spyware does not necessarily spread in the same way as a virus or worm because infected systems generally do not attempt to transmit or copy the software to other computers.
Instead, spyware installs itself on a system by deceiving the user or by exploiting software vulnerabilities.
Most spyware is installed without the user's knowledge, or by using deceptive tactics. Spyware may try to deceive users by bundling itself with desirable software. Other common tactics include Trojan horses and spy gadgets that look like ordinary peripherals but are something else, such as a USB keylogger.
Such a device plugs into the computer like an ordinary USB device, often presenting itself as a storage unit, while recording every keystroke. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware.
The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it a frequent target. Its deep integration with the Windows environment makes it a path for attacks into the Windows operating system itself.
Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behaviour.
Effects and behaviors:
Spyware rarely operates alone on a computer; an affected machine usually has multiple infections.
Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes are also common.
Usually, this degradation is not intentional but a side effect of the malware simply requiring large amounts of computing power, disk space, or network bandwidth. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.
In some infections, the spyware is not even evident. Users assume in those situations that the performance issues relate to faulty hardware, Windows installation problems, or another malware infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.
Moreover, some types of spyware disable software firewalls and antivirus software, and/or reduce browser security settings, which opens the system to further opportunistic infections.
Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances increase the likelihood that users will take action to remove the programs.
Keyloggers are sometimes part of malware packages downloaded onto computers without the owners' knowledge. Some keylogger software is freely available on the internet, while others are commercial or private applications. Most keyloggers allow not only keyboard keystrokes to be captured, they also are often capable of collecting screen captures from the computer.
A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs has unrestricted access to the system. As with other operating systems, Windows users are able to follow the principle of least privilege and use non-administrator accounts. Alternatively, they can reduce the privileges of specific vulnerable Internet-facing processes, such as Internet Explorer.
Since Windows Vista, an administrator account by default runs programs with limited-user privileges; when a program requires administrative privileges, a User Account Control prompt asks the user to allow or deny the action. This improves on the design used by previous versions of Windows.
Spyware is also known as tracking software.
Remedies and prevention:
See also: Computer virus § Virus removal
As the spyware threat has evolved, a number of techniques have emerged to counteract it. These include programs designed to remove or block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data and fully reinstalling the operating system. For instance, some spyware cannot be completely removed by the products of Symantec, Microsoft or PC Tools.
Anti-spyware programs:
See also: Category:Spyware removal
Many programmers and some commercial firms have released products designed to remove or block spyware. Programs such as PC Tools' Spyware Doctor, Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as tools to remove, and in some cases intercept, spyware programs.
In December 2004, Microsoft acquired the GIANT AntiSpyware software, re-branding it as Microsoft AntiSpyware (Beta 1) and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In November 2005, it was renamed Windows Defender.
Major anti-virus firms such as Symantec, PC Tools, McAfee and Sophos have also added anti-spyware features to their existing anti-virus products.
Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware".
However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection against these threats.
How anti-spyware software works:
Anti-spyware programs can combat spyware in two ways:
- They can provide real-time protection in a manner similar to that of anti-virus protection: all incoming network data is scanned for spyware, and any detected threats are blocked.
- Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed into the computer. This kind of anti-spyware can often be set to scan on a regular schedule.
Such programs inspect the contents of the Windows registry, operating system files, and installed programs, and remove files and entries which match a list of known spyware.
Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.
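The scan-and-remove mode described above, and the persistence trick described earlier (one binary linked from every registry location that allows execution, so that removing some links leaves the rest), can be demonstrated on a registry export. The scanner below is an added example, not the code of any anti-spyware product: it parses the text format regedit writes, collects every executable referenced from the Run, RunOnce and Winlogon locations, and flags a binary either because its name is on a signature list or because it is linked from more than one autorun location. The registry export and the signature list are constructed for the demonstration; "svchosts.exe" is a made-up lookalike of the legitimate svchost.exe, and a real scanner would read the live registry and a vendor database instead.

```python
"""Scan a Windows registry export for autorun entries and the multi-location
persistence pattern spyware uses to survive removal.

Added example: the .reg text and the "known spyware" name list below are
constructed for this demonstration; a real scanner would use a vendor
signature database and read the live registry instead of an export.
"""
import re
from collections import defaultdict

# Registry locations (matched by suffix, case-insensitively) whose values
# are executed at boot or logon.
AUTORUN_KEY_SUFFIXES = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\currentversion\winlogon",
)

# Constructed stand-in for a signature list. "svchosts.exe" is a made-up
# lookalike of the legitimate svchost.exe.
KNOWN_SPYWARE_NAMES = {"svchosts.exe"}

# Constructed export in the format regedit writes (backslashes and quotes
# inside values are escaped with a backslash).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchosts"="C:\\Windows\\Temp\\svchosts.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchosts"="C:\\Windows\\Temp\\svchosts.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="\"C:\\Windows\\Temp\\svchosts.exe\" -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\Temp\\svchosts.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_EXE_RE = re.compile(r'[a-z]:\\[^",]*?\.exe', re.IGNORECASE)


def _unescape(text):
    """Undo the .reg escaping: a backslash followed by any character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Yield (key, value_name, value_data) for each string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and key:
            yield key, _unescape(value_match.group(1)), _unescape(value_match.group(2))


def autorun_entries(text):
    """Return (key, value_name, exe_path) for every executable referenced
    from an autorun location; paths are lower-cased for grouping."""
    entries = []
    for key, name, data in parse_reg(text):
        if key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            for exe in _EXE_RE.findall(data):
                entries.append((key, name, exe.lower()))
    return entries


def scan(text, signatures=KNOWN_SPYWARE_NAMES):
    """Group autorun entries by executable and flag two things: a name on the
    signature list, and one binary linked from several autorun locations."""
    locations = defaultdict(list)
    for key, name, exe in autorun_entries(text):
        locations[exe].append(f"{key} -> {name}")
    report = {}
    for exe, locs in locations.items():
        basename = exe.rsplit("\\", 1)[-1]
        report[exe] = {
            "locations": locs,
            "known_spyware": basename in signatures,
            "multi_location": len(locs) > 1,
        }
    return report


def flagged(report):
    """Executables worth a closer look, sorted for stable output."""
    return sorted(exe for exe, info in report.items()
                  if info["known_spyware"] or info["multi_location"])


if __name__ == "__main__":
    result = scan(SAMPLE_REG)
    for exe in flagged(result):
        print(exe, result[exe])
```

The multi-location check is the one that survives a renamed binary: a signature list only catches names it already knows, whereas a program that has linked itself from the Run, RunOnce and Winlogon keys at once stands out whatever it is called. Deleting those links one at a time is exactly what the watchdog behaviour described earlier defeats, which is why removal is done from safe mode with the process tree stopped.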
Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based spyware.
Like most anti-virus software, many anti-spyware/adware tools require a frequently updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, adding to the list of known spyware, which allows the software to detect and remove new spyware.
As a result, anti-spyware software is of limited usefulness without regular updates. Updates may be installed automatically or manually.
A popular generic spyware removal tool that requires a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list of items to delete manually.
As most of the items are legitimate Windows files or registry entries, those who are less knowledgeable on this subject are advised to post a HijackThis log on one of the numerous anti-spyware sites and let the experts decide what to delete.
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program.
Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree may also work.
Security practices:
To detect and avoid spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many users have installed a web browser other than Internet Explorer, such as Mozilla Firefox or Google Chrome. Though no browser is completely safe, Internet Explorer was once at greater risk of spyware infection because of its large user base and because of vulnerabilities such as ActiveX, but these three major browsers are now close to equivalent when it comes to security.
Some ISPs—particularly colleges and universities—have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware.
On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. Many other educational institutions have taken similar steps.
Individual users can also install firewalls from a variety of companies. These monitor the flow of information going to and from a networked computer and provide protection against spyware and malware.
Some users install a large hosts file which prevents the user's computer from connecting to known spyware-related web addresses. Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack.
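The hosts-file approach above and the network-level blocking used by colleges and universities can be driven from the same domain list, but they do not catch the same requests. The example below is added here and is not taken from the article or from any particular product; the domain names are constructed. It renders a hosts-file fragment, mimics the resolver's hosts-before-DNS lookup order, and places a proxy-style rule next to it to show the limit of the hosts file: an entry matches one exact name, so any other host under the same domain still resolves through DNS, whereas a proxy or firewall rule can match the whole domain tree.

```python
"""One domain blocklist used two ways: a hosts-file fragment and a proxy rule.

Added example with constructed domain names, not code from the article.
"""

# Constructed blocklist of domains known (for this example) to serve spyware.
BLOCKED_DOMAINS = {"spyware-installer.example", "tracker.example"}


def hosts_fragment(domains, sink="0.0.0.0"):
    """Render hosts-file lines. 0.0.0.0 is preferred over 127.0.0.1 so the
    blocked name does not connect to anything listening on the local host."""
    lines = ["# generated spyware blocklist"]
    for domain in sorted(domains):
        lines.append(f"{sink} {domain}")
        lines.append(f"{sink} www.{domain}")
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Parse hosts-file text into {name: address}; the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(hostname, hosts_table, dns_lookup):
    """Mimic the resolver order: hosts file first, DNS only if there is no entry."""
    name = hostname.lower().rstrip(".")
    if name in hosts_table:
        return hosts_table[name]
    return dns_lookup(name)


def blocked_by_proxy(hostname, blocked):
    """Proxy-style rule: match the name itself or any parent domain on the list."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def coverage(hostnames, blocked):
    """For each name, report which control stops it: hosts file, proxy, both or neither."""
    table = parse_hosts(hosts_fragment(blocked))

    def fake_dns(name):
        return "203.0.113.9"  # constructed stand-in for a real DNS answer

    return {
        name: {
            "hosts_file": resolve(name, table, fake_dns) == "0.0.0.0",
            "proxy": blocked_by_proxy(name, blocked),
        }
        for name in hostnames
    }


if __name__ == "__main__":
    names = ["spyware-installer.example", "cdn3.spyware-installer.example",
             "notspyware-installer.example"]
    for name, verdict in coverage(names, BLOCKED_DOMAINS).items():
        print(name, verdict)
```

Running it shows the hosts file stopping the bare domain and its www. name only, while the proxy rule also stops the cdn3. host and correctly leaves the look-alike notspyware-installer.example alone, since matching is done on whole labels rather than on substrings.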
Individual users can also choose a cellphone or computer with a physical (electrical) switch, or an isolated electronic switch with no software bypass, that disconnects the microphone and camera, and keep it in the disconnected position when not in use; this limits the information that spyware can collect. (This policy is recommended by the NIST Guidelines for Managing the Security of Mobile Devices, 2013.)
Applications:
"Stealware" and affiliate fraud:
A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.
Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity – replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks.
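Tag substitution leaves a trace that a network or a merchant can look for: the link the referring page emitted carries one affiliate parameter, and the request that actually leaves the machine carries another, with the same value recurring across many users. The audit below is an added example, not code from the article or from any affiliate network; the parameter names in AFFILIATE_PARAMS are assumed, since each network uses its own, and the log of emitted and observed URLs is constructed.

```python
"""Detect affiliate-tag substitution by comparing emitted links with observed requests.

Added example with constructed data; the parameter names in AFFILIATE_PARAMS
are assumed, since each affiliate network uses its own.
"""
from urllib.parse import parse_qsl, urlsplit

AFFILIATE_PARAMS = ("tag", "aff", "affiliate", "ref")  # assumed names


def affiliate_tag(url):
    """Return (param, value) for the first affiliate parameter in the query, or None."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    for param in AFFILIATE_PARAMS:
        if param in query:
            return param, query[param]
    return None


def classify(emitted_url, observed_url):
    """Compare the link a page emitted with the request that actually left the host.

    Returns "replaced" when a legitimate tag was swapped, "injected" when a
    tag was added to a link that had none, and None when nothing changed or
    the two URLs point at different merchants (not comparable).
    """
    if urlsplit(emitted_url).hostname != urlsplit(observed_url).hostname:
        return None
    emitted, observed = affiliate_tag(emitted_url), affiliate_tag(observed_url)
    if observed is None or emitted == observed:
        return None
    return "injected" if emitted is None else "replaced"


def audit(pairs):
    """Run classify() over (emitted, observed) pairs; return only the diversions."""
    findings = []
    for emitted, observed in pairs:
        verdict = classify(emitted, observed)
        if verdict:
            findings.append((verdict, affiliate_tag(observed)[1], observed))
    return findings


def operator_tags(findings):
    """The tag values that benefit; one value recurring across users points at one operator."""
    return sorted({tag for _, tag, _ in findings})


# Constructed log: what the page linked to, and what the proxy saw leave the machine.
SAMPLE_PAIRS = [
    ("https://shop.example/item?id=42&tag=review-site-20",
     "https://shop.example/item?id=42&tag=spyops-99"),          # tag replaced
    ("https://shop.example/item?id=7",
     "https://shop.example/item?id=7&tag=spyops-99"),           # tag injected
    ("https://shop.example/item?id=9&tag=review-site-20",
     "https://shop.example/item?id=9&tag=review-site-20"),      # untouched
    ("https://shop.example/item?id=3",
     "https://other.example/landing?ref=spyops-99"),            # different host, not compared
]

if __name__ == "__main__":
    for verdict, tag, url in audit(SAMPLE_PAIRS):
        print(f"{verdict:8} {tag:12} {url}")
```

The comparison needs both sides of the request, which is why it is practical at a proxy or on the merchant's side (the referring page's emitted link versus the tag that arrived) rather than on the infected machine, where the spyware controls what is observed.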
Mobile devices can also be vulnerable to chargeware, which manipulates users into illegitimate mobile charges.
Identity theft and fraud:
In at least one case, spyware has been closely associated with identity theft. In August 2005, researchers from security software firm Sunbelt Software suspected that the creators of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc."; however, it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."
At the time of the report, the case was under investigation by the FBI.
The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.
Digital rights management:
Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology.
Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit, and three separate class-action suits were filed. Sony BMG later provided a workaround on its website to help users remove it.
Beginning on April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application was installed on most Windows PCs as a "critical security update".
While the main purpose of this application, which is deliberately difficult to uninstall, is to ensure that the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware. It can be removed with the RemoveWGA tool.
Personal relationships:
Stalkerware is spyware that has been used to monitor electronic activities of partners in intimate relationships. At least one software package, Loverspy, was specifically marketed for this purpose.
Depending on local laws regarding communal/marital property, observing a partner's online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.
Browser cookies:
Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.
Shameware:
Shameware or "accountability software" is a type of spyware that is not hidden from the user, but operates with their knowledge, if not necessarily their consent. Parents, religious leaders or other authority figures may require their children or congregation members to install such software, which is intended to detect the viewing of pornography or other content deemed inappropriate, and to report it to the authority figure, who may then confront the user about it.
Spyware programs:
Main article: List of spyware programs
These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators.
Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator".
Likewise, programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately.
Rogue anti-spyware programs:
Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads can warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or else, may add more spyware of their own.
The recent proliferation of fake or spoofed antivirus products that bill themselves as antispyware can be troublesome. Users may receive popups prompting them to install them to protect their computer, when it will in fact add spyware.
It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate. Some known offenders include:
- AntiVirus 360 & Antivirus 2009
- AntiVirus Gold
- ContraVirus
- MacSweeper
- Pest Trap
- PSGuard
- Spy Wiper
- Spydawn
- Spylocked
- Spysheriff
- SpyShredder
- Spyware Quake
- SpywareStrike
- UltimateCleaner
- WinAntiVirus Pro 2006
- Windows Police Pro
- WinFixer
- WorldAntiSpy
Fake antivirus products constitute 15 percent of all malware. On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.
Legal issues:
Criminal law:
Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act, and similar laws in other countries.
Since owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act.
Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.
Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA).
Many users habitually ignore these purported contracts, but spyware companies such as Claria say these demonstrate that users have consented.
Despite the ubiquity of EULAs, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that this type of agreement can be a binding contract in certain circumstances.
This does not, however, mean that every such agreement is a contract, or that every term in one is enforceable.
Some jurisdictions, including the U.S. states of Iowa and Washington, have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.
In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.
Administrative sanctions:
US FTC actions:
The US Federal Trade Commission has sued Internet marketing organizations under the "unfairness doctrine" to make them stop infecting consumers' PCs with spyware.
In one case, that against Seismic Entertainment Productions, the FTC accused the defendants of developing a program that seized control of PCs nationwide, infected them with spyware and other malicious software, bombarded them with a barrage of pop-up advertising for Seismic's clients, exposed the PCs to security risks, and caused them to malfunction. Seismic then offered to sell the victims an "antispyware" program to fix the computers, and stop the popups and other problems that Seismic had caused.
On November 21, 2006, a settlement was entered in federal court under which a $1.75 million judgment was imposed in one case and $1.86 million in another, but the defendants were insolvent.
In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly monitor unsuspecting consumers' computers. According to the FTC, Cyberspy touted RemoteSpy as a "100% undetectable" way to "Spy on Anyone. From Anywhere."
The FTC obtained a temporary order prohibiting the defendants from selling the software and requiring them to disconnect from the Internet any of their servers that collect, store, or provide access to information that the software has gathered. At the time of the report, the case was still in its preliminary stages.
A complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC's attention.
Netherlands OPTA:
An administrative fine, the first of its kind in Europe, was issued by the Independent Authority of Posts and Telecommunications (OPTA) of the Netherlands. It imposed fines totalling 1,000,000 euro for infecting 22 million computers.
The spyware concerned is called DollarRevenue. The provision violated was article 4.1 of the Decision on universal service providers and on the interests of end users; the fines were issued on the basis of article 15.4 read together with article 15.10 of the Dutch telecommunications law.
Civil law:
Former New York State Attorney General and former Governor of New York Eliot Spitzer has pursued spyware companies for fraudulent installation of software. In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling, by agreeing to pay US$7.5 million and to stop distributing spyware.
The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.
Courts have not yet had to decide whether advertisers can be held liable for spyware that displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm.
Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies that have run their ads in spyware.
Libel suits by spyware developers:
Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described.
In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware". PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software. As a result, other anti-spyware and anti-virus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.
WebcamGate:
Main article: Robbins v. Lower Merion School District
In the 2010 WebcamGate case, plaintiffs charged that two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, and therefore infringed on their privacy rights.
The school loaded each student's computer with LANrev's remote activation tracking software. This included the now-discontinued "TheftTrack". While TheftTrack was not enabled by default on the software, the program allowed the school district to elect to activate it, and to choose which of the TheftTrack surveillance options the school wanted to enable.
TheftTrack allowed school district employees to secretly remotely activate the webcam embedded in the student's laptop, above the laptop's screen. That allowed school officials to secretly take photos through the webcam, of whatever was in front of it and in its line of sight, and send the photos to the school's server.
The LANrev software disabled the webcams for all other uses (e.g., students were unable to use Photo Booth or video chat), so most students mistakenly believed their webcams did not work at all. On top of the webcam surveillance, TheftTrack allowed school officials to take screenshots and send them to the school's server.
School officials were also granted the ability to take snapshots of instant messages, web browsing, music playlists, and written compositions. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.
See also:
- Cuckoo's egg (metaphor)
- Cyber spying
- Employee monitoring software
- Industrial espionage
- Malware
- Phishing
- Superfish
- Technical support scam
- XOFTspy Portable Anti-Spyware
- Microphone blocker
- Home Computer Security – Carnegie Mellon Software Institute