Obama's "Einstein 3" Sets Up a Secret Program Under the National Security Agency by Jesselyn Radack
From the Los Angeles Times
Opinion
NSA's cyber overkill
A project to safeguard governmental computers, run by the NSA, is too big a threat to Americans' privacy.

By Jesselyn Radack, July 14, 2009

Cyber security is a real issue, as evidenced by the virus behind July 4 cyber attacks that hobbled government and business websites in the United States and South Korea. It originated from Internet provider addresses in 16 countries and targeted, among others, the White House and the New York Stock Exchange. (see article below -Editor)

Unfortunately, the Obama administration has chosen to combat it in a move that runs counter to its pledge to be transparent. The administration reportedly is proceeding with a Bush-era plan to use the National Security Agency to screen government computer traffic on private-sector networks. AT&T is slated to be the likely test site. This classified pilot program, dubbed "Einstein 3," is developed but not yet rolled out. It takes two offenders from President Bush's contentious secret surveillance program and puts them in charge of scrutinizing all Internet traffic going to or from federal government agencies.

Despite its name, the Einstein 3 program is more genie than genius -- an omnipotent force (run by the NSA via AT&T's "secret rooms") that does the government's bidding -- spying. The last time around, this sort of scheme was known as the "special access" program -- "special" being code for "unconstitutional."

Einstein 3 purportedly is meant to protect government networks from hackers. But cyber-security experts -- such as Babak Pasdar, who blew the whistle on a mysterious "Quantico Circuit" while working for a major service provider -- agree that Einstein 3 offers no intrinsic security value. The program is implemented where servers exchange traffic between one another -- in the heart of a network system rather than at the perimeter, which interfaces with the outside world. This is similar to a home security system that only monitors the central interior of a house, rather than keeping an eye on the actual doors (and the purpose of hackers may simply be to enter).

Furthermore, Einstein 3 focuses on collecting, processing and analyzing all person-to-person communications content rather than looking for hacker and malicious software attack patterns directed at government sites and installations -- which should raise eyebrows.

The prospect of NSA involvement in secret surveillance should set off alarm bells. The intelligence community lost any benefit of the doubt the last time it collected and read Americans' domestic e-mail messages without court warrants. Einstein 3 is based primarily on covert technologies developed by the NSA for the purposes of wiretapping.

The telecom companies also have lost their privacy cred. In a tacit admission that the proposed new program is problematic and possibly illegal, AT&T has sought written assurances from the administration that it will not be legally liable for participating in the program. The company was sued over its role in aiding Bush's electronic eavesdropping on Americans and, along with other telecoms, received retroactive immunity from Congress.

Earlier incarnations of the Einstein program observe predetermined signatures (specific patterns of network traffic), but Einstein 3 would look at the content of e-mails and other messages sent over government systems.

Moreover, while Einstein 1 and Einstein 2 passively observe information, Einstein 3 technology plans to use "active sensors." This is a tactic used by malware developers and is a popular feature of spyware that clogs up the Internet, slows down PCs and tips off hackers by emitting signals.

And most disturbingly, according to the Department of Homeland Security's 2008 "Privacy Impact Assessment," while earlier iterations of Einstein implemented signatures based on malicious computer codes, Einstein 3 could include signatures based on personally identifiable information. The privacy implications are great. Any citizen logging on to a ".gov" website would trigger this.

The IRS and other governmental agencies collect sensitive personal information for legitimate and limited purposes. However, strict confidentiality rules apply to that information. Although the Department of Homeland Security, which is managing the program, insists that the "main focus is to identify malicious code," we've heard such empty reassurances before.

Media reports indicate that government officials recently acknowledged during closed meetings of the House and Senate Intelligence and Judiciary committees that Americans' e-mails that were improperly gathered or read during Bush's warrantless wiretapping program -- even under the relaxed 2008 intelligence surveillance law -- were not just an "incidental byproduct." According to a former NSA analyst and two intelligence analysts interviewed by the New York Times, the e-mails could number in the millions.

Further, a government review of the Bush wiretapping program, released Friday, questioned the effectiveness of the surveillance efforts.

President Obama's federalization of many private systems and his adoption of the Bush administration's spying tactics are on a collision course that would expose many Americans' private data and communications to government scrutiny. I suspect that the public would be appalled that a taxpayer's financial information or a patient's medical records would be available to, much less perused by, the NSA. There are far less invasive network defenses that can secure government computing environments, such as upgrading good old-fashioned firewalls and filtering routers.

Obama came into office vested with vast new surveillance powers, which he voted for as a senator. Atty. Gen. Eric H. Holder Jr., while strenuously avoiding the word "illegal," called the original Bush snooping "unwise." But instead of trying to put the genie back in the bottle, Obama is considering expanding its power.

This is antithetical to basic civil liberties and privacy protections that are the core of a democratic society. Perhaps we can draw a lesson from the real Einstein, who ultimately regretted his role in urging the development of dangerous technology -- the atomic bomb -- and spent the rest of his life advocating against it.

Jesselyn Radack is the homeland security director of the Government Accountability Project in Washington.

Details Emerge In U.S. Cyber Attacks
Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.

By J. Nicholas Hoover, InformationWeek, July 8, 2009

The distributed denial of service (DDOS) attack that has hit more than two dozen United States and South Korean government agencies and companies since the weekend does not make use of some of the latest developments in malware and was likely developed for this specific attack, according to researchers in possession of the malware source code.

The attack, which attempts to flood Web servers with initial requests to connect, temporarily took down several federal government Web sites in the United States and Korea over the past few days, though most are back online.

The targets, according to a list compiled by Verisign iDefense, include the Web sites of The White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration as well as The New York Stock Exchange, NASDAQ, and The Washington Post.

Several agencies, including two not on Verisign's list of 24 targets, confirmed to InformationWeek Government that they had been under attack. The Department of Treasury said it has experienced denial of service attacks over the past few days. The Department of Transportation, meanwhile, said it has been "experiencing network incidents" since the weekend and is cooperating with the United States Computer Emergency Readiness Team (US-CERT), one of the parties working to mitigate the attacks.

"US-CERT has issued a notice to federal departments and agencies, as well as other partner organizations, on this activity and advised them of steps to take to help mitigate against such attacks," a Department of Homeland Security spokeswoman said in an e-mailed statement. "We see attacks on federal networks every day, and measures in place have minimized the impact to federal websites."

Cybersecurity has become an increasingly high priority for the federal government, and President Barack Obama recently laid out plans to appoint a new high-level cybersecurity coordinator. Secretary of Defense Robert Gates recently said that the military had spent more than $100 million over six months responding to cyber attacks.

DDOS attacks have targeted the private sector for years and many companies have taken protective measures, but recent cyber attacks on Estonia and Georgia as well as this one could portend an increase in politically motivated attacks.

"It's no longer hackers defacing Web sites to become famous," says Phil Neray, VP of strategy at database security company Guardium. "It's political cyberterrorism, which is a very serious threat." Organizations can take several steps to blunt DDOS attacks, including isolating and blocking offending IP addresses, distributing network traffic across multiple network connections and network devices to dilute attack traffic, buying DDOS protection services from cybersecurity vendors, and developing and carrying out detailed response plans.
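The first measure in that list, identifying and blocking the offending addresses, is the one a site operator can do from its own access logs. The script below is an added example written for this page; it is not code from InformationWeek, Guardium, or any of the vendors quoted. It assumes a web server writing Common Log Format lines in time order, a sliding window of 10 seconds and a threshold of 20 requests per source (both assumed values, to be tuned per site), and the log lines it analyzes are constructed for the demonstration using RFC 5737 documentation addresses, not captured traffic from the July 2009 attack.

```python
"""Rate-based detection of DDOS sources in web-server access logs.

Added example for this page, not taken from the articles above. Assumes
Common Log Format lines in timestamp order; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def find_flooders(lines, window_seconds=10, threshold=20):
    """Sliding-window request counter per source IP.

    Lines must be in timestamp order (as a live access log is). Returns
    {ip: peak_requests_in_window} for every IP that exceeded `threshold`
    requests inside any `window_seconds` span. Window and threshold are
    assumed values for the demonstration, not recommended settings.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def block_rules(peaks, chain="INPUT"):
    """Render one iptables DROP rule per flagged IP (strings only; nothing is executed)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(peaks)]


def make_sample_log():
    """Constructed access-log lines (not real traffic): three bot IPs each
    send 60 requests for '/' within six seconds, alongside two ordinary
    visitors. Addresses come from the RFC 5737 documentation ranges."""
    base = datetime(2009, 7, 8, 14, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path="/", status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return offset_s, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'

    entries = []
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        entries += [entry(ip, i / 10) for i in range(60)]
    entries.append(entry("192.0.2.5", 1.5, "/index.html"))
    entries.append(entry("192.0.2.5", 4.0, "/style.css"))
    entries.append(entry("192.0.2.99", 7.2, "/about"))
    entries.sort()  # emit in time order, as a real log would be written
    return [line for _, line in entries]


if __name__ == "__main__":
    flagged = find_flooders(make_sample_log())
    for ip, peak in sorted(flagged.items()):
        print(f"{ip}: {peak} requests in 10 s")
    print("\n".join(block_rules(flagged)))
```

Two caveats follow from the articles themselves. A per-source threshold catches a few loud hosts, but a botnet of some 20,000 machines spread across many targets can stay under any such threshold per address while still exhausting the server, which is why the other measures in the list (spreading traffic across links and devices, upstream scrubbing services) matter. And because the attack described here floods servers with connection attempts, traffic that never completes a handshake never reaches the access log at all, so log-based blocking complements, rather than replaces, filtering at the network edge; as Stewart notes below, the addresses that do appear can also be proxies rather than the operator's own.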

"It's nothing we haven't been talking about," said Dave Marcus, director of security research for McAfee's Avert Labs. "It's something that we've been seeing in the private sector for years. If nothing else, it serves as a wake up call."

Though several of the Web sites under attack experienced some downtime, many of them were back online by Wednesday. Web sites for the Korean president, legislature, Ministry of Foreign Affairs, and Ministry of Defense were reportedly all offline as late as Wednesday, but this reporter was able to reach all but the Ministry of Defense site by Wednesday morning Eastern Daylight Time.

The Web site for the Federal Trade Commission was down most of Monday and experienced problems on Tuesday, but a spokesman was unable to say whether this was a result of the DDOS attack.

According to reports by the Associated Press and Korean news agency Yonhap, South Korean government officials believe the attacks have been carried out by North Korean or pro-North Korean entities. Researchers say it is unclear if this is actually the case, and would be tough to prove without detailed forensic analysis.

Malware Bears Marks Of 'Novice' Writer

Researchers also say that the botnet does not take advantage of some of the latest developments in malware. For example, the malware doesn't include any anti-virus evasion techniques, which are commonly found in today's malware. To Joe Stewart, director of malware research for SecureWorks' counter-threat unit, that's a sign that the person or group who developed this attack was a novice in writing malware.

Verisign and McAfee say the versions they have tested in their labs do not appear to be able to self-update to receive new targets, but SecureWorks says it has proven that capability is indeed there, and that the malware uses "rudimentary" encryption to receive updates.

In that case, analyzing network connections during those updates in pursuit of the hackers is likely of little use, Stewart said, because the hacker could easily mask those home IP addresses by setting up proxies to make them appear as if they were anywhere in the world.

If the number of targets is increasing, the attacker is also limiting the effectiveness of the attack by spreading the botnet thinner, so that fewer requests are available to be sent to each target. "They're diluting their attack, so it seems the purpose here is really to get attention rather than taking all those sites down," Stewart said.

Marcus also says that the malware was likely designed with this specific attack in mind, though for a different reason: it is "monolithic as opposed to modular, and things are hard-coded into it," he says, which makes it less flexible for long-term development and evolution.

Some of the initial research has suggested that the malware may be a variant of or share some underlying code with MyDoom, a worm that spread quickly via e-mail more than five years ago, in early 2004. Several virus detection mechanisms detect the malware as a MyDoom variant, and both Verisign iDefense and McAfee say the malware is nothing more than a MyDoom variant.

Cyber Attacks Hit U.S. Government Sites; North Korea Eyed
Attacks crippled at least 11 U.S. government and private Web sites for much of the weekend. No data is believed to have been stolen.

By W. David Gardner, InformationWeek, July 8, 2009

Law enforcement officials in the U.S. and South Korea were stepping up their efforts Wednesday to halt a rash of denial of service cyber attacks against more than 25 government agencies and companies. While the source of the attacks wasn't pinpointed as of Wednesday morning, officials said they suspected the attacks originated in North Korea or from groups sympathetic to North Korea.

In the U.S., some government agencies including the Treasury Department, the Transportation Department and the Federal Trade Commission were down for much of the July 4th holiday weekend. Some sites were said to still be affected, although US officials said they believed no data had been stolen.

"We see attacks on federal networks every day, and measures in place have minimized the impact to federal Web sites," Department of Homeland Security spokesperson Amy Kudwa told the Washington Post. The newspaper reported that it, too, had been a target of the attacks, although the Post's Web site was up and functioning well Wednesday. A spokesperson for the FTC said its cyber attack countermeasures performed well and the agency's web sites have been up and running most of the time.

According to the South Korean National Intelligence Service, the coordinated attack occurred when some 20,000 computers -- most of them in South Korea -- were taken over in the cyber attack. The computers had been infected with rogue software and were remotely ordered to repeatedly bombard the targeted sites.

If the attacks did indeed originate in North Korea, the government there would likely have been involved. The North Korean telecom service is generally available only to government employees. The communist country has relatively modern telecom facilities. For instance, Egypt's Orascom Telecom recently deployed a 3G wireless network in North Korea.

North Korea has embarked on a belligerent campaign in recent months, provoking neighboring countries and the international community with a stepped up missile campaign.

At last count, 11 US Web sites had been targeted. Even the White House was hit, although officials said there was no disruption of service on the site. Other federal agencies targeted included the Department of Homeland Security, the Defense Department, and the Federal Aviation Administration. Private sites that were affected included those operated by the New York Stock Exchange and the Nasdaq exchange.

Several South Korean government agencies as well as banks and newspapers were also hit by the attacks, although the South Korean intelligence agency said all sites were back to normal Wednesday morning.

 
© 2003 The E-Accountability Foundation