This past Sunday’s (8-Nov-2009) 60 Minutes broadcast included this piece about Brazil’s blackout and how hackers were involved. But were hackers really involved? Anyone up for a history lesson?
Stop me if you’ve heard this before… There has been a massive blackout in Brazil affecting Rio de Janeiro, Sao Paulo, and parts of Paraguay (BBC, Guardian.co.uk). The blackout is reportedly caused by problems at the Itaipu dam, some say by a storm in the area, others say corporate incompetence is to blame.
Don’t mention that to CBS News, though. They have already decided that “hackers” were the cause. The same “hackers” who caused Brazil to go dark in 2007:
“We know that cyber intruders have probed our electrical grid, and that in other countries cyber attacks have plunged entire cities into darkness,” the president said.
President Obama didn’t say which country had been plunged into darkness, but a half a dozen sources in the military, intelligence, and private security communities have told us the president was referring to Brazil.
Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007.
That one in the state of Espirito Santo affected more than three million people in dozens of cities over a two-day period, causing major disruptions. In Vitoria, the world’s largest iron ore producer had seven plants knocked offline, costing the company $7 million. It is not clear who did it or what the motive was.
And to back up their claim, CBS News interviews some government-military-intelligence types who say “The US is not ready for a cyber-attack,” or some sound-alike crap, I really wasn’t paying too much attention.
Chicken Little. We’ve heard the stories about multi-million dollar thefts due to hacks, and we do tend to believe them. CBS tries to make the big leap to infrastructure attacks by adding how hackers have penetrated military and government systems by leaving USB thumbdrives lying around for sheeple to find and plug into their systems, infecting them and leaving backdoors open for further intrusions and attacks. It sounds like if such an attack is possible, it was made so by clueless soldiers and wage-slaves.
But are such attacks possible, even by “foreign” government agents? I wouldn’t put it past them… but then again, I did read The Hacker Crackdown (I have to get a review up here!), and knowing that there’s a war for control of the Internet on, I would have to call shenanigans.
Someone beat me to the phone…
Wired Calls Shenanigans. (Wired) No sooner does CBS News put the video and transcription up for public review than Wired’s Marcelo Soares knocks the foundation out from under it:
Brazilian government officials disputed the report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he’s investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.
Uh oh. It looks like Brazil did something right (not connecting directly to the Internet), so CBS’s hacker claim is just some gov-mil-corp scare tactic. But if hackers didn’t cause those blackouts, what did?
The earliest explanation for the blackout came from Furnas (Centrais Elétricas) two days after the Sept. 26, 2007, incident began. The company announced that the outage was caused by deposits of dust and soot from burning fields in the Campos region of Espirito Santo. “The concentration of these residues would have been exacerbated by the lack of rain in the region for eight months,” the company said.
Brazil’s independent systems operator group later confirmed that the failure of a 345-kilovolt line “was provoked by pollution in the chain of insulators due to deposits of soot” (.pdf). And the National Agency for Electric Energy, Brazil’s energy regulatory agency, concluded its own investigation in January 2009 and fined Furnas $3.27 million (.pdf) for failing to maintain the high-voltage insulators on its transmission towers.
(Note: See the original article from Wired for links to the pdf files mentioned above)
Yep, corporate incompetence caused the blackouts. Don’t mention that to CBS News, though. It’ll ruin their image as a corporate propaganda machine.
Brain-Computer Interfaces are just in their infancy, but security experts are worried that hackers may be able to pull off the ultimate “mindfuck.”
Mind control. Using everyday objects requires using your brain, mostly to control your arms and legs to manipulate them. Lately though, there have been some major breakthroughs in interfacing directly to your head, including a thought-controlled wheelchair and mind-reading machines, which have stirred up some controversy of their own. William Gibson’s vision of a computer that you can “jack” into your head is ever closer.
And that has some security people concerned…
“Neural devices are innovating at an extremely rapid rate and hold tremendous promise for the future,” said computer security expert Tadayoshi Kohno of the University of Washington. “But if we don’t start paying attention to security, we’re worried that we might find ourselves in five or 10 years saying we’ve made a big mistake.”
Hackers tap into personal computers all the time — but what would happen if they focused their nefarious energy on neural devices, such as the deep-brain stimulators currently used to treat Parkinson’s and depression, or electrode systems for controlling prosthetic limbs? According to Kohno and his colleagues, who published their concerns July 1 in Neurosurgical Focus, most current devices carry few security risks. But as neural engineering becomes more complex and more widespread, the potential for security breaches will mushroom.
Can’t happen… can it? It would seem that trying to upload malware into your cortex would be difficult at best, if you consider that most BCIs are read-only (that is, they can only read your brainwaves). Then again, if the “sex chip” proves viable, that connection will become read-write, which can be “influenced,” and not by outside hackers alone:
In some cases, patients might even want to hack into their own neural device. Unlike devices to control prosthetic limbs, which still use wires, many deep brain stimulators already rely on wireless signals. Hacking into these devices could enable patients to “self-prescribe” elevated moods or pain relief by increasing the activity of the brain’s reward centers.
They’re already hacking brains. If the attacks on epilepsy support sites are any indication, brain hacking is already occurring, if not directly. Having a hacker hijack your brainstem is not possible just yet, but on the day when neural interfaces and neuron reprogramming come together, you can bet that meatbots will abound and we will be facing a real zombie apocalypse…
It looks like the NSA(T&T) has some competition in the domestic spying game… and they may be targets themselves.
The Biggest Brother. While the UK is well on its way to being a security-surveillance police-state, and America’s plans are apparently “on hold” for now, it would seem hard to imagine another nation attempting to lay claim to the “Big Brother” title. But China has been doing just that, according to a recently released report from researchers at the University of Toronto. A ten-month investigation has turned up some 1300 infected systems worldwide, including high-value government computers like those of the exiled Tibetan government and the Dalai Lama. A full report can be downloaded from here.
Vulnerability detected between keyboard and chair. The way the infection was spread sounds typical: e-mails were sent with a trojan attached, the user unwittingly opens the attachment and infects his system, and the infected system uploads sensitive files to China and spreads even more e-mails where the user unwittingly opens the attachment…
What happens after the initial infection:
“The GhostNet system directs infected computers to download a Trojan (horse) known as gh0st RAT that allows attackers to gain complete, real-time control,” the authors write in Tracking GhostNet: Investigating a Cyber Espionage Network.
“Our investigation reveals that GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.”
The Dalai Lama expresses how he feels about China’s regime
Other Ghosts on The Net? While the Ghostnet is concentrated more on Asia, there’s a possibility that American systems have also been infected, though no reports about such infections have surfaced… yet.
Americans being spied on by foreign nations may not be new, but The Student Operated Press raises concerns about the US cybersecurity scheme, and even worse, that a post-9/11 paranoia-infected Department of Homeland (in)Security has its own Ghostnet:
Robert Paul Reyes (S.O.P.):
I hope that the CIA is taking serious precautions to safeguard our military and intelligence computer systems. I’m confident that they are running their own GhostNet operations to keep track of our many enemies throughout the world.
But what I fear the most is that the Department of Homeland Security has a GhostNet operation to keep track of Americans. Under the guise of fighting terrorism the Bush administration wiretapped the phones of Americans without obtaining a warrant from the courts.
What Ghostnet is about may be scary, but it’s small fries compared to what Conficker may have to offer…
The BBC News’ program CLICK built a botnet to show what damage they can do.
You got spammed! We’ve had to deal with it, spam in our emails, and while filtering has gotten better at removing the crap, the spammers have devised even more powerful ways of ensuring that your inbox chokes. The most sinister of them all is the botnet, innocent home computers that have been infected to make remote use possible.
This week, the BBC’s tech news program Click built their own botnet of 22,000 computers to perform two tasks. First, they had the net spam a couple of email addresses they set up for the test. Next, they used the net to launch a DDoS attack on a security site owned by Prevx.
The results: The inboxes choked while the site ground to a halt.
Is this even LEGAL? To build the botnet, the BBC posed as “customers” to purchase the software that infects computers to make the botnet. That would seem to be no different than an undercover agent looking to gather evidence of hacking, only the BBC didn’t need a warrant. The attack on Prevx was done with the company’s approval on a backup site. This would be like a “test” for a tiger team to see if they are able to do a bigger hack. Companies hire hackers (“white hats”) to regularly test their security, or ethical hackers will do so while leaving messages of possible weaknesses.
What the BBC did may border on journalism and legality, but they did have a good reason for doing this:
A lot of the debate has been about whether we did the right thing digging into the murky world of hackers and organised cybercrime. In seeking to demonstrate the threat, had we put ourselves in the position of those we wanted to expose?
That’s always a good question. After all, we could have simply described what we believe happens and given some warning advice, couldn’t we? We’ve done this in the past. So have many others…
But hacking has gone professional. Today, your PC can be doing bad things to other people without you even knowing. It’s a major growth area for organised crime: it’s global, and very local to all of us who work, communicate and play on the world wide web.
So we felt that there was the strongest public interest in not just describing what malware can do, but actually showing it in action. A real demonstration of the power of today’s botnets - to infect, disrupt and damage our digital lives - is the most powerful way to alert our audiences to the dangers that they face. It’s a wake-up call to switch on that firewall and improve our security on the internet.
We think that what we did was a first for broadcast journalism. We were amazed by the ease of use of the botnet, and the power of its disruptive capacity.
They have since disabled the botnet.
Was this power trip really necessary? People will question whether the BBC’s use of a botnet was required, but there’s no question that there will always be security holes in the system. Linux and Windows users have known this, and OS X users will soon learn this lesson the hard way.
Remember: No amount of software patching will ever close the security hole between the keyboard and the chair.
You must have heard about it over the weekend: An “Anonymous” hacker (now known, or suspected, to be University of Tennessee student David Kernell, son of representative Mike Kernell, D-TN) gained access to Palin’s Yahoo! email account and posted screencaps of her inbox, emails, etc. to 4chan. Those pics have since been removed, and Palin’s Yahoo email has been deleted, but you can still get a lookee at the booty on Gawker or download a zip from WikiLeaks. Even now, there are still events unfolding around the hack, along with some “collateral damage.”
How the hack went down. Whether one can call this an actual “hack” may be questioned. In actuality, the “hack” was not much more than gaming Yahoo’s password recovery:
after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits [sic] that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
That’s it. No buffer overflows, no stealth virus bombardment, no password cracking, not even any social engineering. Just some basic Google research to find answers that only Palin herself should know.
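A defender's view of the weakness described above, as an added example that is not part of the original post and not Yahoo's code: it rates recovery questions by how many answers an outsider still has to try after public research, and puts one failure counter per account in front of the recovery check. The policy thresholds, the function and class names, and the candidate counts for the last two sample questions are assumptions.

```python
import hashlib
import hmac
import time

# Assumed policy values (not from the post or from any real provider).
MAX_FAILURES = 3              # wrong answers allowed per account, all questions combined
LOCKOUT_SECONDS = 24 * 3600   # how long recovery stays closed after that
MIN_CANDIDATES = 10_000       # smallest acceptable outsider guess space


def audit_questions(candidate_counts):
    """Rate each question by the answers an outsider still has to try.

    candidate_counts maps question -> estimated number of plausible answers
    left after public research (estimates supplied by the reviewer).
    """
    report = {}
    for question, count in candidate_counts.items():
        # Chance of hitting the answer within the attempts the gate allows.
        p_guess = min(1.0, MAX_FAILURES / max(count, 1))
        report[question] = {"p_guess": p_guess, "weak": count < MIN_CANDIDATES}
    return report


class RecoveryGate:
    """Checks recovery answers behind a single failure counter per account."""

    def __init__(self, key, clock=time.time):
        self._key = key
        self._clock = clock
        self._answers = {}    # (account, question) -> keyed digest of the answer
        self._failures = {}   # account -> (failure count, time of first failure)

    def _digest(self, answer):
        # Case and spacing are normalised for usability; every distinct
        # variation a guesser tries still costs one attempt.
        normalised = " ".join(answer.split()).casefold()
        return hmac.new(self._key, normalised.encode(), hashlib.sha256).digest()

    def enroll(self, account, question, answer):
        self._answers[(account, question)] = self._digest(answer)

    def locked(self, account):
        count, since = self._failures.get(account, (0, 0.0))
        if count and self._clock() - since >= LOCKOUT_SECONDS:
            del self._failures[account]   # window expired, start fresh
            return False
        return count >= MAX_FAILURES

    def check(self, account, question, answer):
        if self.locked(account):
            return "locked"
        expected = self._answers.get((account, question))
        if expected and hmac.compare_digest(expected, self._digest(answer)):
            return "ok"
        count, since = self._failures.get(account, (0, self._clock()))
        self._failures[account] = (count + 1, since)
        return "locked" if count + 1 >= MAX_FAILURES else "wrong"


# Constructed estimates: the post reports the birthday was found on Wikipedia
# and the town has two zip codes; the other two figures are assumptions.
SAMPLE_COUNTS = {
    "date of birth": 1,
    "zip code": 2,
    "where did you meet your spouse?": 5,
    "random recovery code (12 digits)": 10**12,
}

if __name__ == "__main__":
    for question, rating in audit_questions(SAMPLE_COUNTS).items():
        print(f"{question}: p_guess={rating['p_guess']:.2g} weak={rating['weak']}")
```

With these sample figures every knowledge-based question is flagged as weak, while a random recovery code is not; the shared counter means guesses spread across several questions still run into the same lockout.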
Is this the 7337 hax0r who raided Palin’s Yahoo account?
Was it worth the effort? After looking at what was posted, there’s really nothing earth-shattering to behold; it’s just basic family-and-business yakking. Hardly worth the effort, right? Obviously, idle chatter was not what the hacker was looking for. He must have been looking for some dirt regarding Palin’s Troopergate scandal, only to leave with the screenshots to prove he was there.
The FBI was able to trace the hack through a proxy that was used, and got a search warrant (yes, the FBI actually bothered to get a warrant!) to search Kernell’s apartment. Today (September 23, 2008), a grand jury convened to examine the evidence, but no indictment was made as yet. There may be future sessions to hear more evidence if it becomes available.
One good hack deserves another.
Collateral Damage. Fox News windbag William “ORLY?” O’Reilly mouthed off about the screenshot postings, referring to the act as “trafficking in stolen merchandise” and “despicable, slimy, scummy.”
Big Brother Goes Both Ways. (Not like that!) Anthony Taurus perhaps put it best in his blog, The United States of Anthony, on why hackers are more important today than ever before:
We live in a true Matrix and we’ve got to be able to fight back digitally. We, the people, need hackers as the government has hackers and as corporations have hackers that can be, will be, and have been used against us. This hacking lets me know that not even government officials are safe from the system they’ve developed. There is always someone out there watching and listening. And, those kinds of individuals exist on both teams.
There’s also a comment posted by “Anonymous” (no relation to the Palin hacker, maybe) that points out the difference between real hackers and the Palin hacker.
As always, stay tuned as more (leaked) data becomes available…
Meanwhile, Palin is said to have another email system set up outside official channels. The system was set up for her run for Alaska’s governor, but has been shut down since the Yahoo account breach. It is believed the system may have been used like the Yahoo account was: to bypass official channels and possibly hide evidence of ethics violations.
When Zed Shaw lost his V.P. job because Bear Stearns went FUBAR, he found himself with more free time (and severance $$$$$) than he could handle. So now he wants to start a special group for hackers:
This rant is about an idea I have for a group of geeks who fight to keep the art of hacking and invention alive. I want to call it The Freehacker’s Union. I want it to be against business, against the coopting and destruction of geek culture, and for preserving hacking and invention as methods of personal artistic expression.
His profile does make him sound like a dick, but he seems to have the tech ability to back it up. Plus his idea of a hacking group devoid of the co-opting that businesses and crime groups are now doing has to be good news for old-school hacker purists.
Really, what’s his motivation? “This town needs an enema,” proclaims Zed as he describes the New York City hacking scene being co-opted and corrupted. He remembers when hacking was for the adventurous, not venture capitalists:
Then it hit me, it’s the business that’s killing tech in this city. The business of technology in New York values douchebag asswipes and “idea guys” over the real people who built this world. Their ideas are shit, but because they have an MBA from Columbia (they didn’t do much to earn) they are listened to and valuable. Me and the other hackers are just tools, cogs, and slave labor designed to be subservient to a real man’s passions.
The problem is, because none of these dicks do anything they don’t know what’s a real technically challenging innovation. They would rather try to make a little bit of money making a slightly better version of whatever everyone else is making. They want the lottery tickets and the fast payout where they take all the fucking money and trade the geeks over to Google or Microsoft like some fucking slave exchange.
Zed’s rules of The Freehacker’s Union:
I want the rules of The Freehacker’s Union to be:
1. If it’s art, wires, or code you can bring it. This will be our triad: art/wires/code. Remember it.
2. NO FUCKING BUSINESS ASSHOLES This isn’t your personal fucking recruiting station. Take your “game changing” ideas and fuck the hell off.
3. If you can’t sling at least one of the three in the A/W/C triad then you can’t come. No exceptions.
4. Everyone who attends has to eventually show something. If it’s your first night, you have to present something. It can be anything, but you gotta show that you belong. If you can’t then you can’t come back until you can. For those who absolutely can’t talk in front of people, you can get someone to show your stuff on your behalf.
5. No girlfriends or boyfriends unless they’re hardcore too. Keep your fucking groupies at home.
6. Organized using simple software that’s open. No special hidden jabber servers, no yahoo groups, no fucking evite or someone’s favorite latest startup website. Just a simple mailing list, a website anyone can manage, and maybe a channel on IRC.
7. Frequent meetings at a regular time and spot. I like twice a month, but hell if people can handle more then I want to do it.
8. Clear guidelines on how to become a member, including the benefits and responsibilities.
Other than that, I’m open to suggestions. I’m going to be doing more writing on this subject, and coming up with ideas with friends, and then I’ll announce our first meeting. If you have thoughts, or you want to attend, then let me know.
If you’re an Alpha Biz Guy then fuck off. I don’t want to hear about how you can kick my ass and how I’m never going to get hired again.
I don’t give a fuck about you, I just want to hack and you’re fucking that up for me.
Stanford law professor Lawrence Lessig has learned from a reliable source - former government Counter Terrorism Czar Richard Clarke - that a Virtual Patriot Act, or “i-Patriot Act” as they call it, is already drawn up in response to an event yet to happen - a large-scale attack on/involving/using the Internet:
There’s going to be an i-9/11 event. Which doesn’t necessarily mean an Al Qaeda attack, it means an event where the instability or the insecurity of the internet becomes manifest during a malicious event which then inspires the government into a response. You’ve got to remember that after 9/11 the government drew up the Patriot Act within 20 days and it was passed.
The Patriot Act is huge and I remember someone asking a Justice Department official how did they write such a large statute so quickly, and of course the answer was that it has been sitting in the drawers of the Justice Department for the last 20 years waiting for the event where they would pull it out.
Of course, the Patriot Act is filled with all sorts of insanity about changing the way civil rights are protected, or not protected in this instance. So I was having dinner with Richard Clarke and I asked him if there is an equivalent, is there an i-Patriot Act just sitting waiting for some substantial event as an excuse to radically change the way the internet works. He said “of course there is … and Vint Cerf is NOT going to like it very much.”
That line about Vint Cerf was from the video on the sites, where Lessig drops the i-bomb around the 4:30 mark. Here’s an excerpt of the i-9/11 reference:
Another Version of the Truth. With the presidential elections coming up in the US there have been “warnings” about possible “terrorist attacks” possibly to influence the election (see this article from Bloomberg), so don’t be surprised to hear about hackers causing blackouts or hacking e-voting machines on election day. What better excuse to implement the i-Patriot Act, considering how the NSA was reportedly trying to set up a surveillance grid months BEFORE 9/11.
Call it conspiracy theory if you must, but there’s been more going on that shows that king Duh’bya is looking to hijack TOTAL CONTROL over the Internet by any means necessary…
Information Clearing House admin harassed by government thugs: (Propaganda Matrix, Truth Seeker) Tom Feeley of informationclearinghouse.info and his wife were threatened by apparent government thugs who told them “Stop what he is/you are doing on the Internet, NOW!”
Secret EU security draft risks uproar with call to pool policing and give US personal data: (Guardian.co.uk) As if the US wasn’t satisfied with spying on its own citizens, it wants to spy on EU citizens as well, all under the banner of “achieving a Euro-Atlantic area of cooperation with the United States in the field of freedom, security and justice.”
Fool me once, shame on you. Fool me twice, shame on me.
California professor George Ledin doesn’t mind if his students write viruses, worms, and spyware, or spam email and bulletin boards. After all, he shows them how to bypass security wares to do such dirty work. And security software companies like McAfee are pissed, since the reportedly $5 BILLION (US) spent by companies on anti-malware packages is being rendered into money down the toilet.
That’s the point. Ledin compares the current “security” market to the cryptography scene some decades ago when the NSA ran the scene. Eventually, that technology was made publicly available to make online shopping possible. The anti-malware codes, however, are kept under corporate lock-and-key thanks to the Digital Millennium Copyright Act of 1998, and the likes of McAfee and Symantec are showing no signs of letting their “trade secrets” loose.
But Ledin’s goal goes beyond making the corporate wares useless; he wants his students to think like the enemy to better devise solutions to the growing malware threat:
“Unlike biological viruses, computer viruses are written by a programmer. We want to get into the mindset: how do people learn how to do this?”
While he admits that what he teaches can do harm in the wrong hands, Ledin also believes that his course can lead to a more open (or maybe open-source) anti-malware package that’s more complete than the legacy technology being offered and used.
The only question I have is this: WHERE DO I SIGN UP???