Category Archives: security

Wanna bet that CESG was using Man-in-the-Middle SSL with a fake cert/CA?

Certificate pinning and Convergence, now – or mandate VPNs. I don’t believe that Google’s Certificate Transparency addresses this narrow, one-off, state-sanctioned threat – am I wrong?

Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic.

The revelation comes as Britain prepares to host another summit on Monday – for the G8 nations, all of whom attended the 2009 meetings which were the object of the systematic spying. It is likely to lead to some tension among visiting delegates who will want the prime minister to explain whether they were targets in 2009 and whether the exercise is to be repeated this week.

The disclosure raises new questions about the boundaries of surveillance by GCHQ and its American sister organisation, the National Security Agency, whose access to phone records and internet data has been defended as necessary in the fight against terrorism and serious crime. The G20 spying appears to have been organised for the more mundane purpose of securing an advantage in meetings. Named targets include long-standing allies such as South Africa and Turkey.

Continues at GCHQ intercepted foreign politicians’ communications at G20 summits | UK news | The Guardian.

Seems to be a new PDF (malware?) spam doing the rounds: “Gmail Verification Alerts”

I just received a PDF – “Gmail Verification Letter.pdf” – with an MD5 of dfa4f3d5e56d8700400dd919d40b44f4 and which GMail passed to me without flagging as spam.

Of course I’m not going to open it – at least not yet – and because it comes from Miami medical school rather than the ostensible “Gmail Team”, I am pretty sure it’s low-grade spam.

Just wondering if anyone else has it?


Police In Japan Are Asking ISPs To Start Blocking Tor | Techdirt

The National Police Agency in Japan is apparently asking ISPs in that country to “voluntarily” block the use of Tor, the well-known and widely used system for anonymously surfing the internet.

An expert panel to the NPA, which was looking into measures to combat crimes abusing the Tor system, compiled a report on April 18 stating that blocking online communications at the discretion of site administrators will be effective in preventing such crimes. Based on the recommendation, the NPA will urge the Internet provider industry and other entities to make voluntary efforts to that effect.

This is an extreme and dangerous overreaction. Yes, some people abuse the anonymity of Tor to do illegal things. Just as some people abuse the anonymity of cash to do bad things. But we don’t then outlaw cash because of this. There are many, many reasons why people have good reason to seek out an anonymizing tool like Tor to protect their identity. What if they’re whistle blowing on organized crime or corruption (say) in the police force? As for the fear that it’s being used for criminal activity, that doesn’t mean that police cannot identify them through other means. We’ve seen time and time again people leave digital tracks in other ways when they’re committing crimes. Yes, it makes life more difficult for police, and it means they have to do actual detective work, but that’s what their job is.

via Police In Japan Are Asking ISPs To Start Blocking Tor | Techdirt.

“27 largest companies have admitted to the SEC that cyberattacks are basically meaningless” #security /ht @arashiyama

Since the beginning of the cybersecurity FUDgasm from Congress, we’ve been asking for proof of the actual problem. All we get are stories about how airplanes might fall from the sky, but not a single, actual example of any serious problem. Recently, some of the rhetoric shifted to how it wasn’t necessarily planes falling from the sky but Chinese hackers eating away at our livelihoods by hacking into computers to get our secrets and destroy our economy. Today, Congress is debating CISPA (in secret) based on this assumption. There’s just one problem: it’s still not true.

The 27 largest companies have now admitted to the SEC that cyberattacks are basically meaningless and have done little to no damage.

The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.

MetLife Inc., Coca-Cola Co. (KO), and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks in recent filings with the Securities and Exchange Commission, according to data compiled by Bloomberg. Citigroup Inc. (C) reported “limited losses” while the others said there was no material impact.

So what’s this all really about? It goes back to what we said from the very, very beginning. This is all FUD, engineered by defense contractors looking for a new way to charge the government tons of money, combined with a willing government who sees this as an opportunity to further take away the public’s privacy by claiming that it needs to see into corporate networks to prevent these attacks.

If this was a real problem, wouldn’t we see at least some evidence?

via As Congress Debates CISPA, Companies Admit No Real Damage From Cyberattacks | Techdirt.

Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph

Ben Hammersley, a Number 10 adviser to the Tech City project, said the draft Communications Data Bill could be turned from a force for good into something more sinister under future governments.

The main aim of the Bill is to give security services like MI5 and GCHQ the ability to monitor email traffic, without actually looking at its content.

However, it is currently being revised after a committee of MPs and peers raised privacy concerns about the bill’s intrusion into people’s lives.

Asked for his views on the new laws, Mr Hammersley said the consequences could be “disastrous” in an interview with Tank magazine.

“I don’t trust future governments,” he said. “The successors of the politicians who put this in place might not be trustworthy.

via Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph.

Thought for today: APT is a racist term – #security #apt /cc @kevinmitnick

From discussion with friends, an extract:

If the definition or example that somehow APT is a ‘newer, better and prolonged method of attack and stealth to obtain the crown jewels’ then what was Kevin Mitnick’s attack on Sun Microsystems?

It’s because Mitnick was an American – not “a Red” – and the net was not infrastructure back then.

In short: since the threat model has moved on from “Commies” now, APT is essentially a racist/jingoistic term for “foreign hacker who is other than us”.

My friend Jon Care says that ‘cloud’ is an irregular noun:

  • I have a Private Cloud
  • You have a Botnet
  • They have a Cyberwarfare Capability / Cyberweapon

…and I am basically thinking that APT is the equivalent third term for government pentester - the second being the eternally-slightly-tarnished Hacker, of course.

ps: obligatory tip for decyber

Next time you see a plea for #cybersecurity spending on more #cyberwarriors …

…check some history:

http://en.wikipedia.org/wiki/Bomber_gap

The “bomber gap” was the unfounded belief in the Cold War-era United States that the Soviet Union had gained an advantage in deploying jet-powered strategic bombers. Widely accepted for several years, the gap was used as a political talking point in order to justify greatly increased defense spending. One result was a massive buildup of the United States Air Force bomber fleet, which peaked at over 2,500 bombers, in order to counter the perceived Soviet threat. Surveillance flights utilizing the Lockheed U-2 aircraft indicated that the bomber gap did not exist. Realizing that mere belief in the gap was an extremely effective funding source, a series of similarly nonexistent Soviet military advances were constructed in a tactic now known as “policy by press release.”

http://en.wikipedia.org/wiki/Missile_gap

The missile gap was the term used in the United States for the perceived disparity between the number and power of the weapons in the U.S.S.R. and U.S. ballistic missile arsenals during the Cold War. The gap only existed in exaggerated estimates made by the Gaither Committee in 1957 and in United States Air Force (USAF) figures. Even the CIA figures that were much lower and gave the US a clear advantage were far above the actual count. Like the bomber gap of only a few years earlier, it is believed that the gap was known to be illusionary from the start, and was being used solely as a political tool, an example of policy by press release.

http://en.wikipedia.org/wiki/Policy_by_press_release

Policy by press release refers to the act of attempting to influence public policy through press releases intended to alarm the public into demanding action from their elected officials. The practice is frowned upon, but remains effective and widely used. In modern times, the term is used to dismiss an opponent’s claims, suggesting they are lacking in substance and created to generate media attention.

Now: Compare with:

You Call This an Army? The Terrifying Shortage of U.S. Cyberwarriors.

The United States doesn’t have nearly enough people who can defend the country from digital intrusions. We know this, because cybersecurity professionals are part of a larger class of workers in science, technology, engineering, and math–and we don’t have nearly enough of them, either. We’re just two years into President Obama’s decade-long plan to develop an army of STEM teachers. We’re little more than one year from his request to Congress for money to retrain 2 million Americans for high-tech work (a request Republicans blocked). And it has been less than a month since the Pentagon said it needed to increase the U.S. Cyber Command’s workforce by 300 percent–a tall order by any measure, but one that’s grown even more urgent since the public learned of massive and sustained Chinese attempts at cyberespionage last month.

Where are Cyber Command’s new hires going to come from? Even with so many Americans out of work, it isn’t as though there’s a giant pool of cyber professionals tapping their feet, waiting to be plucked up by federal agencies and CEOs who’ve suddenly realized they’re naked in cyberspace. In fact, over the next couple of years, the manpower deficit is only going to get worse as more companies come to grips with the scale of the danger.

Demand for cyber labor is still far outstripping supply, Ron Sanders, a vice president at Booz Allen Hamilton, told National Journal in a phone interview. “With each headline we read,” he said, “the demand for skilled cyber professionals just increases.”

The number of industry employees is already growing at double-digit rates. A new report released Monday finds that the number of people working in the cyber field is going to grow worldwide by 11 percent every year for the next five years. In North and South America, according to the paper–published by the International Information System Security Certification Consortium (ISC2)–that will mean almost a million more workers in the field by 2017. Many of them will be highly qualified. But not all of them will be in the employ of U.S. entities, to say nothing about working in the United States itself.

“…doomed to repeat it.”

I am wondering if we are going to end up with people who are skilled in security getting quite literally drafted in order to quell the panic?


Epic #mustread on DDoS, re: Spamhaus/Cyberbunker and “bringing down the Internet” with DDoS

Extract from the posting:

First off I can confirm a few basic facts, namely that we really did receive a ~300 Gbps attack directed at Cloudflare, and later specifically targeted at pieces of our core infrastructure. This is definitely on the large end of the scale as far as DoS attacks go, but I wouldn’t call it “record smashing” or “game changing” in any special way. It’s just another large attack, maybe 10-15% larger than other similar ones we’ve seen in the past, and I’m certain we will continue to see even larger ones in the future as global traffic levels increase. What made this particular attack notable is where it was targeted, which greatly increased the number of people who noticed it.

In defense of the claims in other articles, there is a huge difference between “taking down the entire Internet” and “causing impact to notable portions of the Internet”. My company, most other large Internet carriers, and even the largest Internet exchange points, all deliver traffic at multi-terabits-per-second rates, so in the grand scheme of things 300 Gbps is certainly not going to destroy the Internet, wipe anybody off the map, or even show up as more than a blip on the charts of global traffic levels. That said, there is absolutely NO network on this planet who maintains 300 Gbps of active/lit but unused capacity to every point in their network. This would be incredibly expensive and wasteful, and most of us are trying to run for-profit commercial networks, so when 300 Gbps of NEW traffic suddenly shows up and all wants to go to ONE location, someone is going to have a bad day.

But, having a bad day on the Internet is nothing new. [...]

The whole thing is worth reading, all of which is a response to this Gizmodo article and apparently re: one comment on it from someone looking for primary sources.

I hope the comment’s author feels he got his money’s worth.

tl;dr – breaking the internet is still really hard via DDoS.

Cyber-security: The digital arms trade | The Economist # It’s shit like this which will hurt Full Disclosure

IT IS a type of software sometimes described as “absolute power” or “God”. Small wonder its sales are growing. Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

via Cyber-security: The digital arms trade | The Economist.

“It’s like selling guns to criminals” – where have I heard something like that before?

Oh yes, here:

[...] people can now crack a system, using “crack”, without even being decent programmers. There is no rite-of-passage for these people, they may not even realize that there are laws which could stick them in jail for years.

Someone once broke into another system which I control, I discovered it, tracked them down, and they got fired. For what? This person wasn’t even a good programmer–they didn’t even know they could be traced. I didn’t feel very good about this firing–didn’t want them to be fired–I just wanted to stop them from breaking into my system. When I discussed this case with CERT, I made it clear that I didn’t want the perpetrators arrested since they did no damage, I just wanted them to stop. However, under present US law they committed a felony. Frankly, it did waste about $500 of my time. The CERT people tried to assuage my feelings: at least they didn’t get thrown in jail, because you didn’t press charges, they said.

A publicly available raw “crack” is somewhat like throwing a pile of guns into a day care center. There isn’t even a “safety” on crack.

I want to make it clear that I am not trying to impose some sort of mandate onto the developers of “crack”. They have the right to produce and distribute whatever software they choose.

Instead, I am appealing to them to produce a piece of software which errs more on the side of usefulness than destructiveness.

That was in 1992, and the discussion continues at that link; and here we are again with sploitz and vulnz and 0days, oh my…

Sigh.

Some muppet is going to get their hands on the article and convince Governments to waste money on them, just wait and see; and attempts at “regulation” will follow.