Ukraine: Cyberwar’s Hottest Front – By Margaret Coker and  Paul Sonne Nov. 9, 2015 9:14 p.m. ET


Ukraine gives glimpse of future conflicts where attackers combine computer and traditional assaults

A woman votes in Kiev in May 2014. A cyberattack ahead of Ukraine’s 2014 presidential election threatened to derail the vote. Photo: Dan Kitwood/Getty Images

KIEV, Ukraine—Three days before Ukraine’s presidential vote last year, employees at the national election commission arrived at work to find their dowdy Soviet-era headquarters transformed into the front line of one of the world’s hottest ongoing cyberwars.

The night before, while the agency’s employees slept, a shadowy pro-Moscow hacking collective called CyberBerkut attacked the premises. Its stated goal: To cripple the online system for distributing results and voter turnout throughout election day. Software was destroyed. Hard drives were fried. Router settings were undone. Even the main backup was ruined.

The carnage stunned computer specialists the next morning. “It was like taking a cold shower,” said Victor Zhora, director of the Ukrainian IT firm Infosafe, which helped set up the network for the elections. “It really was the first strike in the cyberwar.”

In just 72 hours, Ukraine would head to the polls in an election crucial to cementing the legitimacy of a new pro-Western government, desperate for a mandate as war exploded in the country’s east. If the commission didn’t offer its usual real-time online results, doubts about the vote’s legitimacy would further fracture an already divided nation.

The attack ultimately failed to derail the vote. Ukrainian computer specialists mobilized to restore operations in time for the elections. But the intrusion heralded a new era in Ukraine that showed how geopolitical confrontation with Russia could give rise to a nebulous new cabal of cyberfoes, bent on undermining and embarrassing authorities trying to break with the Kremlin.

In the last two years, cyberattacks have hit Ukraine’s Ministry of Foreign Affairs, Ministry of Defense and the presidential administration. Military communications lines and secure databases at times were compromised, according to Ukrainian presidential and security officials. A steady flow of hacked government documents has appeared on the CyberBerkut website.

Ukraine offers a glimpse into the type of hybrid warfare that Western military officials are urgently preparing for: battles in which traditional land forces dovetail with cyberattackers to degrade and defeat an enemy. It also illustrates the difficulties that nations face in identifying and defending against a more powerful cyberfoe.

Article continues:

http://www.wsj.com/articles/ukraine-cyberwars-hottest-front-1447121671

Everything you always wanted to know about Tor (Browser) but were afraid to ask


Why Anonymity Matters


Overview

The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor’s users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Along the same line, Tor is an effective censorship circumvention tool, allowing its users to reach otherwise blocked destinations or content. Tor can also be used as a building block for software developers to create new communication tools with built-in privacy features.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor’s hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organization.

Groups such as Indymedia recommend Tor for safeguarding their members’ online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company’s patent lawyers?

A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.

Article continues:

https://www.torproject.org/index.html.en

Security This Week: Apparently China Is Still Hacking US Companies – YAEL GRAUER. 10.24.15. 7:00 AM


This week, a group of teenagers hacked CIA director John Brennan’s private AOL account, and WikiLeaks started publishing his leaked emails. Some ingenious French criminals exploited the supposedly secure chip and pin credit cards that are even more secure than what the US just adopted. (Let’s just say we told you so.) Facebook will now warn users about nation-state attacks, but it will also allow users to find public posts using search, so you may want to consider hiding yours. And WIRED set the record straight on the importance of reporting on car hacking.

But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!

China Said It Would Stop Hacking US Companies, But It Didn’t

The US and China reached a historic agreement last month to stop hacking into each other’s systems to steal economic secrets. But according to the American security company Crowdstrike, this hasn’t stopped hackers with ties to the Chinese government from continuing to target US companies. In fact, one attack took place the very next day after the agreement was reached. However, there’s a possibility that the hackers were acting on their own rather than following government orders.

Article continues:

http://www.wired.com/2015/10/security-this-week-apparently-china-is-still-hacking-us-companies/

A DEA Agent Who Helped Take Down Silk Road Is Going to Prison for Unbelievable Corruption


A corrupt former drug enforcement agent who played a central role in taking down the popular online drug bazaar Silk Road will serve six and a half years in prison for corruption, a federal judge ruled Monday.

Carl Mark Force IV pleaded guilty to extortion, money laundering, and obstruction of justice this past summer, after working for two years as an undercover agent for an interagency team tasked with identifying the owner of Silk Road. Force, who spent 15 years with the Drug Enforcement Administration, used his position in the investigation to swindle his way to a payout of more than $700,000 in Bitcoin and a Hollywood contract. (Another member of the investigative team, ex-Secret Service Agent Shaun Bridges, also pleaded guilty over the summer to pocketing $820,000 from the accounts of Silk Road users.) Force has also been ordered to pay $340,000 in restitution.

In case you haven’t been following the Silk Road case, here’s a primer:

What exactly was Silk Road, again? Silk Road was a darknet marketplace that connected buyers and sellers dealing in a vast array of narcotics, false documents, weapons, and other contraband. “The idea was to create a website where people could buy anything anonymously, with no trail whatsoever that could lead back to them,” creator Ross Ulbricht wrote in his journal. Users paid in Bitcoin—around $1.2 billion worth—and could only access the site using an anonymous internet browser called Tor. Ulbricht ran Silk Road using the moniker “Dread Pirate Roberts” from January 2011 until 2013, when he was caught red-handed at his laptop by a law enforcement sting in a San Francisco coffee shop.

Depending on whom you ask, the site was either a radical experiment in libertarian principles or “the most sophisticated and extensive criminal market on the Internet,” as the criminal complaint against Force put it.

Ulbricht, who earned a commission on each transaction, was found guilty of drug trafficking, money laundering, and hacking, and he was sentenced to life in prison during the summer. At the sentencing hearing, the federal judge didn’t hide her intention to make an example of Ulbricht: “What you did was unprecedented, and in breaking that ground as the first person you sit here as the defendant now today having to pay the consequences for that.” Ulbricht’s family, defense counsel, and supporters have mounted a public campaign to protest what they call a “draconian sentence.”

Article continues:

http://www.motherjones.com/mixed-media/2015/10/silk-road-investigator-sentencing-corruption-force

California Now Has the Nation’s Best Digital Privacy Law – KIM ZETTER 10.08.15. 9:58 PM


California continued its long-standing tradition of forward-thinking privacy laws today when Governor Jerry Brown signed a sweeping law protecting digital privacy rights.

The landmark Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or to search them.

The legislation, which easily passed the Legislature last month, is the most comprehensive in the country, says the ACLU.

“This is a landmark win for digital privacy and all Californians,” Nicole Ozer, technology and civil liberties policy director at the ACLU of California, said in a statement. “We hope this is a model for the rest of the nation in protecting our digital privacy rights.”

Five other states have warrant protection for content, and nine others have warrant protection for GPS location tracking. But California is the first to enact a comprehensive law protecting location data, content, metadata and device searches, Ozer told WIRED.

“This is really a comprehensive update for the modern digital age,” she said.

State senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine) wrote the legislation earlier this year to give digital data the same kinds of protection that non-digital communications have.

“For what logical reason should a handwritten letter stored in a desk drawer enjoy more protection from warrantless government surveillance than an email sent to a colleague or a text message to a loved one?” Leno said earlier this year. “This is nonsensical and violates the right to liberty and privacy that every Californian expects under the constitution.”

The bill enjoyed widespread support among civil libertarians like the American Civil Liberties Union and the Electronic Frontier Foundation as well as tech companies like Apple, Google, Facebook, Dropbox, LinkedIn, and Twitter, which have headquarters in California. It also had huge bipartisan support among state lawmakers.

“For too long, California’s digital privacy laws have been stuck in the Dark Ages, leaving our personal emails, text messages, photos and smartphones increasingly vulnerable to warrantless searches,” Leno said in a statement today. “That ends today with the Governor’s signature of CalECPA, a carefully crafted law that protects personal information of all Californians. The bill also ensures that law enforcement officials have the tools they need to continue to fight crime in the digital age.”

The law applies only to California law enforcement entities; law enforcement agencies in other states would be compelled by the laws in their jurisdictions, which is why Ozer and others say it’s important to get similar comprehensive laws passed elsewhere.

The law places California not only at the forefront of protecting digital privacy among states, it outpaces even the federal government, where such efforts have stalled.

Article continues:

http://www.wired.com/2015/10/california-now-nations-best-digital-privacy-law/

Cyber Sleuths Track Hacker to China’s Military – By JOSH CHIN Sept. 23, 2015 5:00 p.m. ET


The story of a Chinese military staffer’s alleged involvement in hacking provides a detailed look into Beijing’s sprawling state-controlled cyberespionage machinery

Security researchers have linked a Chinese military staffer to a hacker collective called Naikon. Shown, Chinese soldiers on parade in Beijing earlier this month. PHOTO: YAO DAWEI/XINHUA/ZUMA PRESS

KUNMING, China—The email attachment would tempt anyone following the diplomatic standoff between China and other countries in the South China Sea. The Microsoft Word document contained text and photos depicting Thai naval personnel capturing Vietnamese fishermen and forcing them to kneel at gunpoint.

But the attachment was a decoy: Anyone who opened it inadvertently downloaded software that searched their computers for sensitive information and sent it to an obscure corner of the Internet. Manning that corner, according to a new report from U.S. security researchers, was Ge Xing, a member of a Chinese military reconnaissance unit.

The growing reach of China’s army of cyberwarriors has become a flash point in relations between Beijing and Washington that President Barack Obama says will be a focus during Chinese President Xi Jinping’s state visit to the U.S. this week.

Cyberspace is the newest domain in warfare, and China’s relentless testing of its boundaries has flustered the U.S. The story of the Chinese military staffer’s alleged involvement in hacking provides a detailed look into Beijing’s sprawling state-controlled cyberespionage machinery.

Mr. Ge doesn’t appear to fit the hacker stereotype. His published academic papers identify him as an expert in a nontechnical subject: Thai politics. Frequent posts on Chinese social media that researchers have linked to him show him to be a new father and avid bicyclist who drives a white Volkswagen Golf sedan and occasionally criticizes the government.

But his activity elsewhere on the Internet links him to a Chinese hacker collective that attacks targets in an area of strategic interest to the U.S., according to the report by cybersecurity concern ThreatConnect and security consulting firm Defense Group Inc.

The U.S. has been caught flat-footed in recent months by a string of cyberintrusions in which Chinese state-sponsored hackers are the leading suspects. They include the theft of sensitive personal data on millions of government employees from computers at the U.S. Office of Personnel Management, and similar network breaches at health insurers and other companies.

Under pressure to respond, the White House has begun preparing a list of sanctions against Chinese companies that U.S. officials believe have benefited from cybertheft of U.S. corporate secrets, Mr. Obama said last week. Those sanctions, if implemented, wouldn’t address state-to-state hacking.

Beijing has bristled at U.S. finger-pointing on cybersecurity and portrayed itself as a victim of hacking, pointing to disclosures by former U.S. security contractor Edward Snowden of U.S. government cyberspying on China. “Cybertheft of commercial secrets and hacking attacks against government networks are both illegal,” Mr. Xi told the Journal in a written interview prior to embarking on his U.S. visit. “Such acts are criminal offenses and should be punished according to law and relevant international conventions.”

The ThreatConnect-DGI report helps throw new light on a still little-understood aspect of China’s cyber operations: the relationship between the country’s military and an aggressive corps of Chinese-speaking hackers that appear to be pressing the country’s interests abroad.

Through accounts allegedly tied to Mr. Ge, the report draws a direct link between his unit, People’s Liberation Army Unit 78020, a military intelligence arm based in China’s southwest, and a hacker collective known as Naikon that security researchers say has successfully penetrated key computer networks in countries competing with China for control over the South China Sea.

“What we see from Chinese intrusions is that they have a very grass roots, bottom-up kind of model,” said James Mulvenon, director of DGI’s Center for Intelligence Research and Analysis. “They have a lot of groups that are encouraged with relatively vague guidance to go out and develop hundreds of accesses and bring back lots of data.”

Two academic papers on Thailand’s political situation Mr. Ge published in 2008 identify him as working for Unit 78020, a technical reconnaissance bureau based in the southwestern Chinese city of Kunming. It is one of more than two dozen such bureaus within the PLA tasked with intelligence gathering, analysis and computer network defense and exploitation, according to Mark Stokes, executive director at Virginia think tank Project 2049 Institute and an authority on the role of China’s military in signals intelligence like cyberspying.

Unit 78020 is controlled by the PLA’s Chengdu Military Region, which is responsible for securing Tibet as well as China’s borders with Vietnam, Myanmar and India. Another reconnaissance bureau under the Chengdu Military Region was responsible for the hacking of computer networks connected to exiled Tibetan spiritual leader the Dalai Lama, Mr. Stokes said. Given the region’s focus on the border, “it also makes sense that they would do collections related to the South China Sea,” he said.

Staff with Unit 78020’s propaganda office declined requests for an interview. A spokesman for Chengdu Military Region referred questions to the defense ministry, which didn’t respond to requests for comment. The foreign ministry also didn’t respond to requests for comment.

The ThreatConnect-DGI report makes the connection between the unit and the hacking group by matching Mr. Ge’s alleged activity on social media, where he uses the name greensky27, with activity on a part of Naikon’s network that also uses the greensky27 name. The Wall Street Journal reviewed the report before its publication, verifying its observations of Mr. Ge’s social-media activity and other evidence linking him to Unit 78020 and Naikon.

Researchers at PassiveTotal, a U.S. cybersecurity threat analysis company that provided some of the data for the report, said the report offered fair insight into how data about the use of hackers’ infrastructure can be used to track and identify potential threats.

In a brief phone conversation with the Journal in August, Mr. Ge confirmed he uses the greensky27 name on social media but declined to speak further when told he was the subject of a report. “If you publish, I’ll call the police,” he said and hung up before hearing the substance of the report. He didn’t answer subsequent phone calls or questions later sent by text message.

The greensky27 Naikon domain went dormant within an hour of the Journal’s phone conversation with Mr. Ge, according to ThreatConnect. Recent visits to the domain show it is still offline.

Named by experts after a piece of code found in malware it once used, Naikon sends well-crafted emails to trick recipients into opening attachments infected with malicious software, according to researchers. Infected attachments they have used include a calendar of Laotian beauty contestants, news stories and memos on strategic topics in English and local languages, and memos that appear to be based on classified information, according to a May report by Russian antivirus maker Kaspersky Lab.

Relying on this technique—known as spearphishing—Naikon has penetrated the networks of governments, military, media and energy companies in Vietnam, the Philippines and other countries throughout Southeast Asia, Kaspersky said. “Their success rate has been high,” said Kurt Baumgartner, principal security researcher at Kaspersky. “When they want to get in, they get in.”

China’s claims to sovereignty over vast swaths of the South China Sea—one of the world’s busiest shipping routes—have sparked conflict with many of its neighbors, including U.S. ally the Philippines. Beijing has rejected U.S. criticisms of its claims, saying territorial disputes should be settled bilaterally between those directly affected. It has also pressed ahead with island-building in disputed areas, raising tensions the U.S. fears could destabilize the region.

The malicious software Naikon uses to spy on its targets is “stone age” compared with what Russian hackers use, said Richard Barger, chief intelligence officer at ThreatConnect, but it doesn’t necessarily need to be advanced. “The targets they’re most likely going up against, this would be sophisticated for them,” he said.

ThreatConnect said it found Mr. Ge through a break in Naikon’s usual pattern. To siphon off stolen information without being detected, Naikon uses hundreds of special Internet domains—akin to Web addresses—that are able to connect at various places around the Internet. The names of most of those domains appear to refer to targets or are designed to mimic legitimate websites in target countries, but the greensky27 domain didn’t fit either of those criteria, ThreatConnect said.

Kunming connection

Looking at the greensky27 domain’s activity over a five-year period, researchers found it making an unusually large number of long-lasting connections to Internet addresses in the southwestern Chinese city of Kunming, according to the report. Chinese-language analysts at DGI followed that lead and discovered multiple Internet accounts making references to Kunming that used the same greensky27 name.

Comparing the domain with the social-media accounts, the researchers found a pattern. In February 2012, for example, the domain made a series of connections to Internet servers in Beijing on the same dates a user posting under greensky27 on Tencent Holdings Ltd.’s microblogging platform indicated that he was visiting the city. The domain went dormant for more than a week in November that same year, starting the day a user named greensky27 posted a message announcing the birth of a boy surnamed Ge on a discussion board maintained by Chinese search giant Baidu Inc., the report said.

DGI said it found a clue to Mr. Ge’s identity in photos posted on the greensky27 Tencent account in 2013 that showed a visit to what it called the Ge family ancestral temple in Yuxi county, about 50 miles south of Kunming. Digging around further online, DGI said it found Mr. Ge’s full name and phone number, as well as the academic papers listing Mr. Ge as working for Unit 78020. Mr. Ge’s rank in the military and specific role within the unit are unclear, the researchers said.

A series of skyline snapshots Mr. Ge allegedly posted online during work hours between 2011 and 2013 confirm an affiliation with the military. Taken from the same vantage point, they show a view of a tall apartment tower that could have been captured only from inside a military complex located in downtown Kunming.

Another series of photos showed snow-covered cars in a parking lot with a water tower in the background that also indicated they were shot from inside the military compound, the report said. “Little Golf and his buddies,” he wrote, in apparent reference to his car and to those parked around it.

On a recent visit to the complex by a Journal reporter, security personnel confirmed the compound belongs to Unit 78020 of the People’s Liberation Army. Staff with the unit’s propaganda office wouldn’t say whether Mr. Ge worked there.

The user was coy about discussing his military background on social media. The Tencent account listed him as having attended PLA International Studies University in 1998. In 2014, he posted photos of a visit to the university’s campus in the city of Nanjing with a short message: “Just posting photos, not explaining, look for yourself.” A couple of weeks later he posted photos of a PLA firefighter demonstration and from an event celebrating the PLA’s 87th anniversary. “Not explaining,” he wrote again.

Quiet at holidays

Some of his early posts contained cryptic political and social commentary. “Faith = Whatever the party tells me to do, I do,” he wrote in a post in July 2012. In another post the previous fall, he repeated a common joke about China’s state TV broadcaster’s tendency to emphasize the positive in its nightly news show: “I have a dream—to always live inside Xinwen Lianbo.”

After the birth of his son in late 2012, his posts focused on family life, the weather and travel. One post early the following year featured a picture of a cluster of villas. “Ten year goal,” he wrote. The Tencent account was deleted within a day of the Journal’s call to Mr. Ge.

Activity on the greensky27 domain indicates a relatively regular work schedule. The domain connected to the Naikon network around 9 a.m., went quiet around lunch and typically signed off around 6 p.m., according to the report.

The domain also tended to go dormant around China’s annual Spring Festival holiday, the report said, but there were exceptions. In early 2012, according to ThreatConnect, the domain went silent for Spring Festival only to suddenly come to life the weekend of Jan. 27, a day after news broke that a delegation from the Philippines had launched talks in Washington over military cooperation with the U.S.
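The two checks the article describes in prose for the greensky27 domain, a working-hours profile and multi-day dormant periods lined up against dated events, are the kind of timeline analysis a threat-intelligence team runs over its own passive-DNS or netflow telemetry for a domain already flagged as malicious. The script below is an added example written for this page; it is not code from the WSJ article, ThreatConnect, DGI or PassiveTotal. All records, the UTC+8 local-zone assumption, the business-hours window and the single dated event are constructed placeholders, and the function names are this example's own.

```python
"""Activity-timeline analysis of observed connections for one flagged domain.

Added example, not from the article or the report it describes. Each record
is a constructed (UTC timestamp, city of the resolved/peer IP) pair of the
kind a passive-DNS or flow feed gives a defender. The analysis derives a
working-hours profile, multi-day dormant periods, and which dormant periods
end within a day of a dated event supplied by the analyst.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: placeholder values, not real indicators.
SAMPLE_RECORDS = [
    ("2012-01-16T01:05:00Z", "Kunming"),  # 09:05 local (UTC+8)
    ("2012-01-16T04:30:00Z", "Kunming"),  # 12:30
    ("2012-01-16T09:55:00Z", "Kunming"),  # 17:55
    ("2012-01-17T01:10:00Z", "Kunming"),
    ("2012-01-17T10:02:00Z", "Kunming"),
    ("2012-01-17T16:30:00Z", "Kunming"),  # 00:30 next day local: out of hours
    ("2012-01-18T01:00:00Z", "Kunming"),
    ("2012-01-18T09:40:00Z", "Kunming"),
    # Constructed holiday-style gap: silent from Jan 18 until Jan 28.
    ("2012-01-28T02:00:00Z", "Kunming"),
    ("2012-01-28T08:00:00Z", "Kunming"),
    ("2012-01-30T01:15:00Z", "Kunming"),
    ("2012-02-01T01:20:00Z", "Beijing"),  # shift in peer city, travel-like
    ("2012-02-01T09:00:00Z", "Beijing"),
]

# Placeholder dated event an analyst would line dormant periods up against.
SAMPLE_EVENTS = {
    "placeholder: news of bilateral military talks": datetime(2012, 1, 27),
}


def parse_records(records, utc_offset_hours):
    """Convert ISO-8601 UTC strings into tz-aware datetimes in the analyst's
    hypothesised local zone (UTC+8 here, an assumption of this example)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    parsed = []
    for ts, city in records:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        parsed.append((dt.astimezone(tz), city))
    return parsed


def working_hours_profile(parsed):
    """Observations per local hour. A human-operated host clusters in business
    hours; an unattended beacon is roughly flat around the clock."""
    return Counter(dt.hour for dt, _ in parsed)


def business_hours_share(profile, start=8, end=19):
    """Fraction of observations falling in [start, end) local hours."""
    total = sum(profile.values())
    if total == 0:
        return 0.0
    in_hours = sum(n for h, n in profile.items() if start <= h < end)
    return in_hours / total


def dormant_periods(parsed, min_days=3):
    """(last_seen, next_seen) pairs where the domain was silent >= min_days."""
    times = sorted(dt for dt, _ in parsed)
    return [(a, b) for a, b in zip(times, times[1:])
            if b - a >= timedelta(days=min_days)]


def gaps_ending_near_events(gaps, events, tolerance_days=1):
    """Match the end of each dormant period to dated events within tolerance.
    Returns (event_name, gap_end_date_iso) pairs."""
    hits = []
    for _, gap_end in gaps:
        for name, when in events.items():
            if abs((gap_end.date() - when.date()).days) <= tolerance_days:
                hits.append((name, gap_end.date().isoformat()))
    return hits


def analyse(records=SAMPLE_RECORDS, events=SAMPLE_EVENTS, utc_offset_hours=8):
    """Run the full profile and return plain values suitable for a report."""
    parsed = parse_records(records, utc_offset_hours)
    profile = working_hours_profile(parsed)
    gaps = dormant_periods(parsed)
    return {
        "business_hours_share": business_hours_share(profile),
        "dormant_periods": [(a.date().isoformat(), b.date().isoformat())
                            for a, b in gaps],
        "event_hits": gaps_ending_near_events(gaps, events),
        "cities": Counter(city for _, city in parsed),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The local-zone offset is the analyst's hypothesis, not a fact read from the data: the same 13 records scored under a different offset would place the cluster at different hours, so the working-hours profile supports a regional attribution only when it is stable across the candidate zones actually under consideration. Event correlation with a one-day tolerance is likewise suggestive rather than conclusive on its own, which is why the report the article describes combined it with independent evidence.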

Data collected by ThreatConnect show frequent connections between the hacker domain and Internet addresses in Thailand beginning in 2012. Those connections began to tail off in May 2014, after the U.S. indictments of five PLA officers on charges of commercial cybertheft. China has denied the allegations.

The social-media feeds attributed to Mr. Ge indicate he spends much of his time either playing with his son or riding, repairing and talking about his mountain bike. Xiong Junwu, a bike shop owner and founder of Kunming’s Fattire Fun Bike Club, recognized a photo of Mr. Ge and said he occasionally joined the club’s weekly rides in the Kunming area.

Like many Chinese outdoors enthusiasts, Mr. Ge sometimes turned wistful when contemplating polluted skies. “Today’s air is only average,” he wrote next to a photo of a gray sky taken from inside the Unit 78020 compound. “Wishing peace to everyone and tranquility to the world.”

Write to Josh Chin at josh.chin@wsj.com