Casting a wide intrusion net: Dozens burned with single hack

By FRANK BAJAK
March 7, 2021

BOSTON — The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to U.S. national security are widely known. A very different — and no less alarming — coordinated series of intrusions also detected in December has gotten considerably less public attention.

Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used.

The victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX and the Kroger supermarket and pharmacy chain. Also hit was Washington state’s auditor’s office, where the personal data of up to 1.3 million people gathered for an investigation into unemployment fraud was potentially exposed.

The two-stage mega-hack in December and January of a popular file-transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear may be getting out of hand: intrusions by top-flight criminal and state-backed hackers into software supply chains and third-party services.


Faxes and email: Old technology slows COVID-19 response

May 13, 2020

By FRANK BAJAK

On April 1, a researcher at the Centers for Disease Control and Prevention emailed Nevada public health counterparts for lab reports on two travelers who had tested positive for the coronavirus. She asked Nevada to send those records via a secure network or a “password protected encrypted file” to protect the travelers’ privacy.

The Nevada response: Can we just fax them over?

You’d hardly know the U.S. invented the internet by the way its public health workers are collecting vital pandemic data. While health-care industry record-keeping is now mostly electronic, cash-strapped state and local health departments still rely heavily on faxes, email and spreadsheets to gather infectious disease data and share it with federal authorities.

This data dysfunction is hamstringing the nation’s coronavirus response by, among other things, slowing the tracing of people potentially exposed to the virus. In response, the Trump administration set up a parallel reporting system run by the Silicon Valley data-wrangling firm Palantir. Duplicating many data requests, it has placed new burdens on front-line workers at hospitals, labs and other health care centers who already report case and testing data to public health agencies.


Book Review: An electronic Pearl Harbor is closer than you think

“Sandworm,” Doubleday, by Andy Greenberg

The Obama administration did not issue a single public rebuke after hackers knocked sections of Ukraine’s power grid offline on frigid December nights in 2015 and 2016. The unprecedented cyberattacks on civilian populations presaged the most devastating malware attack to date _ the June 2017 onslaught of NotPetya, which also targeted Ukraine but went further. Hobbled, too, were international business partners including Danish shipping multinational Maersk and pharmaceutical giant Merck. Damage was in the billions. In the U.S., hospital surgeries were impacted.

In “Sandworm,” Andy Greenberg sets out to track down the hackers behind those attacks, and his page-turning narrative sounds the alarm: We have failed to adequately confront a looming, existential threat. Our largely unquestioning dependence on digital technologies compounds the threat of a digital doomsday. The more reliant we become, the greater the potential peril. Power generation, health care and other vital services are at risk. Foreign agents have penetrated vital U.S. infrastructure, though the U.S. could also threaten global stability if its cyber-capabilities are carelessly loosed.

The 316-page real-life thriller takes the reader to the front lines of global cyberconflict, where U.S., Ukrainian and other computer security researchers painstakingly work to solve the authorship riddle. It concludes that the culprits _ initially dubbed ‘Sandworm’ by researcher John Hultquist after his team finds a reference to the Frank Herbert novel “Dune” in their code _ are the same state-backed hackers who wreaked havoc on the 2016 U.S. presidential elections, stealing and exposing Democratic National Committee emails and breaking into voter registration databases in at least two states.

The military-backed Kremlin cyber-agents, it turns out, were also behind hacking of global anti-doping agencies and the U.S. power grid _ and knocked 2018 Winter Olympics networks offline during opening ceremonies.

When he gets technical _ no way around it, really _ Greenberg, a senior writer at ‘Wired,’ keeps the geek jargon to a minimum. His previous book, “This Machine Kills Secrets,” explores how digital tech and the global Internet _ where we are all publishers _ have transformed whistleblowing and leaking, keying off the WikiLeaks saga.

In “Sandworm,” Greenberg exposes the still uncharted world of global cyber-competition _ a perilous new front in warfighting that lacks norms and rules of engagement where human casualties seem inevitable. He describes, for one, how a nation’s own espionage tools can be dangerously turned against it and its allies, how programs written by U.S. National Security Agency uber-hackers to break into computers running on Microsoft operating systems wound up being exploited by Russian military hackers. Were they pilfered? Or leaked? That remains unclear.

“Sandworm” ranks with the multiple books by James Bamford and with Clifford Stoll’s 1989 “The Cuckoo’s Egg” as essential reading for grasping digital technology’s role in the evolution of global conflict.  It takes us well past the intrigue of cyber-espionage to contemplate _ now that the Trump administration has endorsed the use of offensive cyber operations _ how a global digital arms race might spiral out of control.

“Permanent Record” By Edward Snowden

Headline: Snowden memoir: The spy who came out and told
(On AP: Abridged version)

By FRANK BAJAK
Oct. 28, 2019

Edward Snowden is mostly self-invented, the fruit of his own ingenuity. He’s a community college dropout, but he’s no layabout. If hacking, purely defined, consists in devising the simplest, most elegant way of getting what you want, then Snowden has always excelled at it, beginning when he set back every clock in the house at age 6 in order to stay up late.

The memoir “Permanent Record” from this computer whiz who exposed secret U.S. government mass domestic surveillance six years ago is already a headline. The government has sued to try to deny Snowden royalties for not allowing it pre-publication review. But I didn’t find any secrets he hasn’t already revealed.

A former CIA and National Security Agency systems engineer, Snowden is now a committed digital privacy activist with 4 million Twitter followers, charged with Espionage Act violations for which he says his conscience offered no other option. Civil disobedience is a long, proud tradition with practitioners including the republic’s founders, Snowden reminds, and the book does at times read like a manifesto.

If anyone grew up on the internet, it was Ed, who was intoxicated with its seemingly limitless potential for good. Snowden waxes poetic on the magic of the two-modem handshake when going online meant tying up the family phone line, which he did incessantly.

Before innocence was lost, the internet represented America’s true values to Snowden. Dorkishly, he read the U.S. Constitution cover to cover when it was offered free at work. Patriotism was ingrained in his upbringing. His parents quietly exercised it when clocking in daily at work. Dad was a Coast Guard techie. Mom held various government jobs.

The North Carolina-born Snowden hacked his way through adolescence in the shadow of Fort Meade, Maryland, the NSA’s home. His scheme for skating through high school with minimum effort _ calculating what it took to get passing grades and doing no more _ worked until Honest Ed explained it to a teacher.

Coming-of-age memoirs like Snowden’s typically recount personal journeys of moral and psychological discovery. That is the book’s strength. Others, most notably journalist Glenn Greenwald and filmmaker Laura Poitras, have already better chronicled the white-knuckled drama of how the most famous whistleblower since Daniel Ellsberg persuaded them to meet him in Hong Kong in 2013 so he could lift the lid on the NSA’s mass surveillance of U.S. citizens _ the 21st century’s biggest scoop.

What Snowden does well, aided by novelist Joshua Cohen, his ghostwriter, is define the promise and dangers of digital technology and the wacky alchemy that grants system architects and administrators like him extraordinary power over people’s lives. His clearcut explanations of complicated yet vital phenomena like the TOR privacy browser and encryption are especially instructive.

Looking back, Snowden most regrets his atavistic reaction to 9/11, how the 18-year-old Ed became “a willing vehicle of vengeance.” He enlists in the Army, hoping to join the Special Forces _ only to break his leg in basic training. He’d been at Fort Meade the day of the attacks, coding for an employer who lived on the base, and joined the vehicular exodus as thousands fled the NSA’s gleaming black towers.

Engrossing is Snowden’s description of how he used his programming skills to create a repository of classified in-house jots on the NSA’s global snooping _ and built a backup system for agency data he called EPICSHELTER. Reading through the repository _ and through his research during a short stint as a briefer on Asian cyberthreats _ Snowden begins to understand just how badly the government was stomping on its citizens’ civil liberties. The “bulk collection” program was called STELLARWIND.

Snowden became sullen. “I felt more adult than ever, but also cursed with the knowledge that all of us had been reduced to something like children, who’d been forced to live the rest of their lives under omniscient parental supervision. I felt like a fraud.”

The rest is history: Snowden’s aborted flight from Hong Kong to Ecuador, stymied when the U.S. canceled his passport, stranding him in Moscow, where he lives in forced exile with longtime girlfriend, now wife, Lindsay Mills. If that relationship was ever tested Snowden is not saying. He turns the book over to Mills for a late chapter taken from her diaries when he disappears without a trace _ then shows up on everyone’s TV screen _ and the FBI is on her like flypaper. By then, the narrative has gone thin.

Snowden says he came to realize, in 2011 as he was deciding to blow the whistle on the NSA, that it wasn’t just the government that was endangering our liberty by amassing and categorizing our data. Back in the U.S. from Japan, he meets his first Internet-equipped ‘smart fridge.’ He is aghast.

Here he was, getting all exercised about U.S. government snooping while surveillance capitalists similarly spied on acquiescent consumers, rendering them a product that “corporations sold to other corporations, data brokers and advertisers.” Worse, people were being persuaded to surrender control of their data to corporations for storage “in the cloud.”

Snowden, at age 28, had soured on his beloved internet. “The Internet that had raised me was disappearing. And with it, so was my youth. The very act of going online, which had once seemed like a marvelous adventure, now seemed like a fraught ordeal.”

“Every transaction was a potential danger.”

Two years later, he’d share his discoveries with the rest of us.

Wiring the Planet – 1993







Thanks to Patrick Kroupa for keeping this story alive online – From a package I wrote introducing folks to an erstwhile invention of the military-industrial complex _ later hijacked by telecommunications conglomerates and the micro-targeting advertising industry _ called the Internet:

Wiring the Planet — MindVox!

Sunday, May 23, 1993

By Frank Bajak

Somewhere in the ether and silicon that unite two workstations 11 floors above lower Broadway, denizens of the cyberpunk milieu are feverishly debating whether anyone in government can be trusted. Elsewhere amid the colliding electrons, people read a rock musician’s rage about the computer information service that somehow obtained and posted his lyrics without permission. This is the 12-by-20-foot bare-walled home of MindVox, today’s recreation hall for the new lost generation’s telecomputing crowd. You can enter by phone line or directly off Internet.

Patrick Kroupa and Bruce Fancher are the proprietors, self-described former Legion of Doom telephone hackers who cut the cord with computing for a time after mid-1980s teen-age shenanigans. But back they came, deciding to take the code-writing prowess of their circle, write some “real idiot proof software” on top of a Unix operating system and build a primo thoughtspace for meetings of minds. ‘We just saw that a lot of interesting technologies were not being used for anything but file-servers,’ says Kroupa, describing the thousands of dial-up bulletin board systems in which callers often find little more than downloads of software and dirty pictures.

Kroupa is a towering 25-year-old high school dropout in a black leather jacket with long hair gathered under a gray bandanna, three earrings and a hearty laugh. “America Online looks pretty, but is pretty devoid of intellectual content,” Kroupa says of the popular information service. His chronicle of an angst-ridden odyssey from an adolescent hacker known as ‘Lord Digital’ to cyberspace saloon-keeper is suggested reading for MindVox newcomers. Fancher is 22 and more businesslike, but equally in love with this dream he left Tufts University for.


AP Exclusive: Colombia ‘panic buttons’ expose activists







By FRANK BAJAK

It is supposed to help protect human-rights activists, labor organizers and journalists working in risky environments, but a GPS-enabled “panic button” that Colombia’s government has issued to about 400 people could be exposing them to more peril.

The pocket-sized devices are designed to notify authorities in the event of an attack or attempted kidnapping. But the Associated Press, with an independent security audit, uncovered technical flaws that could let hostile parties disable them, eavesdrop on conversations and track users’ movements.

There is no evidence the vulnerabilities have been exploited, but security experts are alarmed.

“This is negligent in the extreme,” said Eva Galperin, director of cybersecurity at the nonprofit Electronic Frontier Foundation, calling the finding “a tremendous security failure.”

Over the past four years, other “distress alarms” and smartphone apps have been deployed or tested around the world, with mixed results. When effective, they can be crucial lifelines against criminal gangs, paramilitary groups or the hostile security forces of repressive regimes.


A year in digital insecurity – nothing, and no one is safe







I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.


In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that “nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team). Customers of 55 U.S. health care providers were hacked, the biggest Anthem, which did not encrypt social security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware _ which holds data hostage _ is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself a trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities.  Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June. Weakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.

A week after AP’s Peru drug investigation published, a landmark arrest







Eight days after we published my investigation on how more than a ton of cocaine was being flown daily out of the world’s No. 1 coca-producing valley right under the Peruvian military’s nose, we have a significant development.

For the first time in more than a decade, an officer of Peru’s armed forces has been arrested for drug trafficking.  An army lieutenant, he had worked in the valley for eight years and collected bribes of $10,000 per flight that likely were shared with his superiors, the prosecutor told me. That’s the same sum that an accused narco pilot had told me local military commanders got per plane.

My months of reporting were now being substantiated by events. Intercepted phone conversations made it clear that Lt. Wilmer Eduardo Delgado Ruiz was the bag man. Or rather his wife was, as the money was transferred into her account.

Former Peruvian army Maj. Evaristo Castillo, who blew the whistle on military drug trafficking in the 1990s, says drug corruption is _ as it was then _ systematic in the military, as top to bottom as the command structure.

One arrest is no guarantee of a housecleaning. Just ask Castillo. None of the generals he publicly denounced for drug trafficking was ever convicted of it, he told me. Castillo’s military career was wrecked because he blew the whistle, was disloyal. He spent seven years in exile. And, as one of his four sons (also Evaristo), told me, their hopes of following their father into the service were also extinguished.

The Disappearing Mississippi Delta – A Preservationist’s Tour







Hurricane Katrina’s 10th anniversary is upon us and much attention is being paid to rebuilding and recovery. A bigger question is how much longer New Orleans and the disappearing lands around it will last. A great river delta is dying. (See my AP colleague Cain Burdeau’s fine feature from Delacroix). Richie Blink, a local boat captain, lives to save it.

Of the 55 classmates who graduated with Richie Blink from his Plaquemines Parish high school in 2005, only about a half dozen stuck around. Blink tried moving to Baton Rouge, where he worked at the airport and got his pilot’s license, but the land drew him back. What’s left of the land, that is.

Blink won’t quit on the Mississippi River Delta, which is disappearing at the rate of a football field an hour in what some have called the Western Hemisphere’s biggest environmental disaster after the deforestation of the Amazon.

He’s lobbying and cajoling to broaden coastal restoration projects and save the delta from the seeming death sentence rendered by human activity. (View ProPublica project Losing Ground)

One goal is to rebuild a 50-mile buffer against ocean storm surges that has been erased in a single human lifetime, a buffer that might have eased the hurt to New Orleans from Hurricane Katrina.

Mostly open bay just over the levee that shields the Mississippi from the Gulf of Mexico

 

Blink sets off from the wharf at Buras _ where Katrina made landfall _ in a fisherman’s skiff into a mostly open bay with sparse clumps of marsh grass.

We’re 70 miles southeast of New Orleans on the right bank of the Mississippi. This is the sliver of land, sheltered on both sides by 20-foot-high levees, that those who remain inhabit. Rebuilt homes on the peninsula _ including the high school _ are raised on piles driven deep into sandy soil.

Blink shows us where engineers have built an “oyster break” in the shallow water by the wharf. It’s a concrete honeycomb designed to help rejuvenate the oyster population.

He opens up the throttle and the boat slides through heavily brackish water.

“When I was a kid, this was all little bayous, meandering streams. I spent a lot of time here,” he says.

Shrimp boat in mostly barren salt marsh

 

We pass a working shrimp boat and an old abandoned fishing camp on stilts.

A little more than a decade ago, the place was crawling with alligators and other wildlife, a teeming coastal swamp. Now, the Gulf of Mexico is in charge.

Man-made berm on the Gulf of Mexico side

 

We pull up to a barrier being built by barges that dredge the bottom and hurl muck over the berm. This is land-building. And it’s expensive.

The government has spent $300 million building a barrier a few miles away across more than 30 miles of coastal islands fronting the gulf.

It’s six feet high in some places.

But it’s not holding back the tide. Sea levels are on the rise with global warming. But that’s the least of it.

The reason the Mississippi Delta has been sinking by as much as a meter a century is human engineering. It’s part of the reason half of New Orleans is now below sea level.

By stringing levees up and down the length of the Mississippi to protect homes and businesses from flooding, we have robbed the great river of vigor, diminishing the flow of silt that, since the last ice age ended 7,000 years ago, made the delta. Once meandering, the river is now straitjacketed. Successful river control has degraded coastal wetlands.

The greatest flood danger now comes not from the Mississippi but the ocean, as Katrina proved.

Worsening matters, the energy industry has since the 1930s dug some 20,000 miles of canals in the delta to extract oil and natural gas and service pumping operations.

Add to that, as an aggravating factor, the introduction of an invasive South American rodent, the nutria. It devours root systems _ yet another coastal erosion engine at work.

The toe of the boot that is Louisiana is wasting away. The physical version we know from maps is no longer true. The boot is not solid. It is gossamer.

“This is the dying side of the river,” says Blink. We head back to the marina. Blink runs the skiff up on its trailer.

It’s time to head over to the Mississippi and drop in there. We’ve done the bad news piece of our vanishing coastline tour.

___

Buras, Louisiana

 

Blink works as Coastal Zone Program Manager for Plaquemines Parish. He ensures coastal restoration projects are built as designed. The job dovetails with his passion of fighting to preserve a peninsula that four in five residents abandoned after Katrina.

Blink sits on the parish’s Coastal Zone Advisory Committee and is active in the Louisiana Lost Lands Foundation that Pulitzer-winning journalist Bob Marshall and his wife Marie Gould created.

They run educational tours of these wetlands in kayaks. And Blink plants cypress trees, well over 10,000 to date, to fight the ravages of sinking soils and salt water seepage.

___

We cross the Mississippi to its left bank, what Blink calls the bank of hope.

Mississippi River lock, left bank, Buras, Louisiana

 

A few locks separate the river here from marshlands and estuaries to the northeast.

But there are also breaches, crevasses they’re called. We drop down one, the boat swirling in a churning whirlpool.

Below a crevasse, fresh water spills into a healthy tidal marsh

 

Soon, we are motoring through true tidal marsh. We hear songbirds, see fish jump. Marsh grass, cattails and lotus pods abound. A farmer still grazes cattle on land above one bayou.

Blink navigates into a narrow channel where grass gets caught in the outboard’s propeller.

He is taking us to a cemetery whose graves _ several score _ date back to the 1830s. The most recent is from 1976 and relatives still tend it, cutting the grass and even bringing flowers from time to time.

Video: Disappearing Tombs

Point Pleasant cemetery

 

Blink does his best not to get too heartsick. But he has no illusions.

Stacked up against the coastal reconstruction campaign he champions are an influential lot: oyster and shrimp fishermen, the oil and gas industry.

He realizes that he and others who are bound sentimentally to the disappearing delta and are trying to turn back the rising tide will most likely have to settle, if they want to stick around, for what climate scientists call adaptation.

“Either your house will be on stilts,” he says, “or on an earthen mound.”

Gaming Twitter – Measuring how Venezuela’s rulers marshal bots







Quite a bit of behind-the-scenes work went into Hannah Dreier’s story on how Venezuela’s ruling party, having successfully squelched most independent voices in traditional media, uses automated robot accounts on Twitter to try to dominate political discourse online.

We started with a few scripts (computer programlets) written for us by a Twitter programmer who wishes to remain anonymous. They were used to passively identify the bots that instantly retweet hashtags issued by various state- and party-run accounts. Hannah then passed the scripts along to three academic groups, who also used programs of their own.

_A Northeastern University PhD candidate, working under the supervision of an MIT adviser.
_The University of Washington’s politicalbots.org team. It did its own research, “Political Bots and the Manipulation of Public Opinion in Venezuela”
_The Data Science lab at Utah State.

Takis Metaxas on the twittertrails.com project also helped. Their results here.

And we checked in with Emilio Ferrara, part of the team at the “Truthy” project that created “Bot or Not.” – I recommend “The Rise of Social Bots”

Here is a partial image of what one script identified as bots:  TwitterBots