Trump Makes Official a Cyber Command

Posted on August 18, 2017August 18, 2017 by Denise Simon

In a statement, Trump said the unit would be ranked at the level of Unified Combatant Command focused on cyberspace operations. Cyber Command’s elevation reflects a push to strengthen U.S. capabilities to interfere with the military programs of adversaries such as North Korea’s nuclear and missile development and Islamic State’s ability to recruit, inspire and direct attacks, three U.S. intelligence officials said this month, speaking on the condition of anonymity. The Pentagon did not specify how long the elevation process would take.

Current and former officials said a leading candidate to head U.S. Cyber Command was Army Lt. Gen. William Mayville, currently director of the Pentagon’s Joint Staff. More here.

There has not only been resistance to this, but it appears one or more agencies are launching their own cyber departments.

The State Department quietly established a new office earlier this year within its Diplomatic Security Service to safeguard against and respond to cybersecurity threats.

The State Department officially launched the new office, called the Cyber and Technology Security (CTS) directorate, on May 28, a department official confirmed. The establishment of the directorate was first reported by Federal News Radio last week.

However:

At the direction of the president, the Defense Department today initiated the process to elevate U.S. Cyber Command to a unified combatant command.

“This new unified combatant command will strengthen our cyberspace operations and create more opportunities to improve our nation’s defense,” President Donald J. Trump said in a written statement.

The elevation of the command demonstrates the increased U.S. resolve against cyberspace threats and will help reassure allies and partners and deter adversaries, the statement said. The elevation also will help to streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of those operations and will ensure that critical cyberspace operations are adequately funded, the statement said.

Defense Secretary Jim Mattis is examining the possibility of separating U.S. Cyber Command from the National Security Agency, and is to announce his recommendations at a later date.

Growing Mission

The decision to elevate U.S. Cyber Command is consistent with Mattis’ recommendation and the requirements of the fiscal year 2017 National Defense Authorization Act, Kenneth P. Rapuano, assistant secretary of defense for homeland defense and global security, told reporters at the Pentagon today.

“The decision is a welcome and necessary one that ensures that the nation is best positioned to address the increasing threats in cyberspace,” he added.

Cybercom’s elevation from its previous subunified command status demonstrates the growing centrality of cyberspace to U.S. national security, Rapuano said, adding that the move signals the U.S. resolve to “embrace the changing nature of warfare and maintain U.S. military superiority across all domains and phases of conflict.”

Cybercom was established in 2009 in response to a clear need to match and exceed enemies seeking to use the cyber realm to attack the United States and its allies. The command is based at Fort George G. Meade, Maryland, with the National Security Agency. Navy Adm. Michael S. Rogers is the commander of U.S. Cyber Command and the National Security Agency director. The president has directed Mattis to recommend a commander for U.S. Cyber Command, and Rogers for now remains in the dual-hatted role, Rapuano said.

More Strategic Role

Since its establishment, Cybercom has grown significantly, consistent with DoD’s cyber strategy and reflective of major increases in investments in capabilities and infrastructure, Rapuano said. The command reached full operational capability Oct. 31, 2010, but it is still growing and evolving. The command is concentrating on building its Cyber Mission Force, which should be complete by the end of fiscal year 2018, he said.

The force is expected to consist of almost 6,200 personnel organized into 133 teams. All of the teams have already reached initial operational capability, and many are actively conducting operations. The force incorporates reserve component personnel and leverages key cyber talent from the civilian sector.

“This decision means that Cyber Command will play an even more strategic role in synchronizing cyber forces and training, conducting and coordinating military cyberspace operations, and advocating for and prioritizing cyber investments within the department,” Rapuano said.

Cybercom already has been performing many responsibilities of a unified combatant command. The elevation also raises the stature of the commander of Cyber Command to a peer level with the other unified combatant command commanders, allowing the Cybercom commander to report directly to the secretary of defense, Rapuano pointed out.

The new command will be the central point of contact for resources for the department’s operations in the cyber domain and will serve to synchronize cyber forces under a single manager. The commander will also ensure U.S. forces will be interoperable.

“This decision is a significant step in the department’s continued efforts to build its cyber capabilities, enabling Cyber Command to provide real, meaningful capabilities as a command on par with the other geographic and functional combat commands,” Rapuano said.

DreamHost/DistruptJ20 Warrant is an Outrage

Posted on August 15, 2017August 15, 2017 by Denise Simon

The warrant is here.

The response delivered from DreamHost to the Justice Department is 60 pages and found here.

What is this Justice Department and Judge thinking? Of note, Jeff Sessions was not sworn in as Attorney General until February 9th. The warrant was signed off by John W, Borchert who was assigned to the Criminal Division’s Fraud Division.

The Electronic Frontier Foundation is aiding DreamHost as noted in this extensive blog post.

DreamHost is fighting DoJ request for 1.3M IP addresses of visitors to anti-Trump protest site

Web hosting service DreamHost is fighting a Department of Justice demand to scoop up all the IP addresses of visitors to an anti-Trump website. The website in question, disruptj20.org, organized participants of political protests against the current U.S. administration.

Blogging about its objections to the warrant yesterday, DreamHost’s general counsel describes it as “a highly untargeted demand that chills free association and the right of free speech afforded by the Constitution”.

DreamHost says it has not been able to see the affidavit pertaining to the warrant as those records are sealed. The search warrant can be found here.

In the warrant the DoJ demands that DreamHost hand over 1.3 million visitor IP addresses to the disruptj20.org website, along with contact information, email content, and photos of thousands of people.

“That information could be used to identify any individuals who used this site to exercise and express political speech protected under the Constitution’s First Amendment. That should be enough to set alarm bells off in anyone’s mind,” argues DreamHost.

“This is, in our opinion, a strong example of investigatory overreach and a clear abuse of government authority.”

The latest developments in what has been a months-long disagreement already, are that DreamHost has now filed arguments in opposition of the DoJ demand.

Its counsel will be attending a court hearing on the matter on August 18 in Washington, D.C.

DreamHost initially challenged the government to narrow the scope of the warrant but says instead the DoJ filed a motion in the Washington, D.C. Superior Court asking for an order to compel it to produce the records.

Also blogging about the issue yesterday, the Electronic Frontier Foundation accuses D.C. prosecutors of using “unconstitutional methods” to pursue their investigation into the J20 protests, aka the day President Trump was inaugurated.

“In just one example of the staggering overbreadth of the search warrant, it would require DreamHost to turn over the IP logs of all visitors to the [disruptj20.org] site. Millions of visitors — activists, reporters, or you (if you clicked on the link) — would have records of their visits turned over to the government. The warrant also sought production of all emails associated with the account and unpublished content, like draft blog posts and photos,” the EFF writes.

“No plausible explanation exists for a search warrant of this breadth, other than to cast a digital dragnet as broadly as possible. But the Fourth Amendment was designed to prohibit fishing expeditions like this. Those concerns are especially relevant here, where DOJ is investigating a website that served as a hub for the planning and exercise of First Amendment-protected activities.”

57,000 Detections, 74 Countries Affected by Global Ransomware

Posted on May 12, 2017May 12, 2017 by Denise Simon

Go here for more information on malware affections.

Further, US-CERT, by DHS has this information.

Older machines running XP do not appear to be affected. Meanwhile, about a month ago:

Microsoft responds to NSA’s Windows exploits, urges customers to upgrade to supported versions

Remember, this NSA vault toolkit was stolen, leaked and published by WikiLeaks, Julian Assange. In some cases, it could be a deadly threat to life considering the intrusions into hospitals. The other blame goes to the Russian cyber gang, ShadowBrokers.

Russian-linked cyber gang Shadow Brokers blamed for NHS computer hack

Courtesy: TelegraphUK: Ransom message found on NHS computers

CyberScoop: Large organizations on every continent are being hit by a global campaign of ransomware attacks on Friday, unfortunately, average ransomware demand has increased significantly. Machines are being infected using exploits developed by the U.S. National Security Agency and leaked by the group known as ShadowBrokers, according to authorities.

More than 57,000 detections in 74 countries have been recorded. Russia appears to be the most infected country by far, according to cybersecurity firms Kaspersky and Avast.

The “number [is] still growing fast,” according to Costin Raiu, Kaspersky’s director of research.

Hospitals across England were forced to divert emergency patients, according to the National Health Service. Other hospitals are asking patients to avoid coming in except for emergencies, news reports said.

In Spain, victims including the telecommunications company Telefónica told employees to shut down machines and networks in an effort to stop the spread of the malware. Other victims include Gas Natural and Iberdrola, an electric utility firm.

The ransomware campaign is caused by “exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar,”Spain’s Computer Emergency Readiness Team explained on Friday. “Infection of a single computer can end up compromising the entire corporate network.”

EternalBlue and DoublePulsar are code names for NSA hacking tools used to infect thousands of machines around the world since the NSA tools leaked in April.

That description from Spanish authorities and the work of several researchers point directly to NSA tools hacked and leaked by ShadowBrokers. The patch that Microsoft published in March assigned the designation MS17-010 to the vulnerability.

A widespread “bloodbath” from criminals has been expected by experts since the leak.

The ransomware “infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network. Microsoft published the vulnerability on March 14 in its bulletin and a few days ago a proof of concept was released that seems to have been the trigger of the campaign.” SMB is Microsoft’s Server Message Block protocol for network file sharing.

The attacks in different countries have been linked to the same group, according to the Financial Times.

The U.S. Department of Homeland Security is “coordinating with our international cyber partners” in Europe and Asia, a spokesperson told CyberScoop. “The Department of Homeland Security stands ready to support any international or domestic partner’s request for assistance. We routinely provide cybersecurity assistance upon request, including technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”

Security researcher Kevin Beaumont advised patching machines immediately:

** Kevin Beaumont?Verified account @GossiTheDog5h5 hours ago

Confirmed – wcry ransomware spreading across Europe uses EternalBlue/MS17-010/SMB. PATCH NOW EVERYWHERE.

Spanish authorities confirmed the ransomware is a version of WannaCry (also known as WannaCrypt0r), according to the National Cryptology Center. In Spain, the newspaper El Mundo is reporting that “early indications point to an attack originating in China.”

“Given the rapid, prolific distribution of this ransomware, we consider this activity poses high risks that all organizations using potentially vulnerable Windows machines should address,” a spokesperson from the cybersecurity firm FireEye told CyberScoop. “Organizations seeking to take risk management steps related to this campaign can implement patching for the MS17-010 Microsoft Security bulletin and leverage the indicators of compromise identified as associated with this activity.”

FireEye has yet to see a U.S.-based company be affected by the ransomware worm.

An estimated 25 health facilities in London and across England have been hit, according to the NHS. St Bartholomew’s Hospital in London, one of the victims, received warnings earlier this year that computers using Windows XP were vulnerable, reported the technology news site the Inquirer. Increasingly, some infected hospitals are not accepting phone calls or internet communications. The Derbyshire Community Health Services NHS Trust has reportedly shut down all of its IT systems.

“At this stage we do not have any evidence that patient data has been accessed,” an NHS statement said. “We will continue to work with affected organizations to confirm this.”

East and North Hertfordshire NHS trust, a hospital just north of London, publicly acknowledged “a major IT problem” that is “believed to be caused by a cyber attack.”

“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency,” according to a statement. “To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

News of the English hospitals being hit with ransomware spread quickly among doctors and hospital employees, including in a widely shared message from an English doctor now making the rounds on social media.

**

If.ra? @asystoly6h6 hours ago Why would you cyber attack a hospital and hold it for ransom? The state of the world

“So our hospital is down,” the doctor wrote. “We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.”

Think Tank Predicted Russian Cyberwar v. United States

Posted on May 3, 2017May 3, 2017 by Denise Simon

Washington, D.C., May 3, 2017 – A Rand Corporation 1967 paper predicted many of the cyber dilemmas faced by policy makers today, and a 2017 expanded analysis of the “GRIZZLY STEPPE” hacking by Russian cyber operators disclosed key findings about the techniques the hackers used and ways to mitigate them, according to the National Security Archive publication today of 40+ highlighted primary sources from the critically-praised “Cyber Vault” at http://nsarchive.gwu.edu/cybervault.

Compiled and edited by noted intelligence historian Dr. Jeffrey T. Richelson, the Cyber Vault collection of primary sources is growing by a dozen or more documents every week, and includes the declassified briefings provided by the National Security Agency to the George W. Bush and Barack Obama transition teams in 2000 and 2009, respectively. The collection also includes a 2016 order from the U.S. Cyber Command to set up a unit with the mission of debilitating and destroying computer and communications operations of the terrorist group ISIS.

The Cyber Vault team obtained the 2016 order under the Freedom of Information Act (FOIA). The project has filed scores of other FOIA and declassification requests as part of a multi-year documentation contribution to the growing field of cyber studies, with the support of the William and Flora Hewlett Foundation.

The 2000 transition briefing explicitly foreshadowed the Edward Snowden controversy, warning the new White House team that the 4th Amendment-protected communications of Americans were inextricably mixed with those of foreigners on the Internet. The 2016 U.S. Cyber Command order established a joint task force designed to bring the resources of the Defense Department, Intelligence Community, and Justice Department to bear against the terrorist group that the Trump administration has since designated its top foreign policy priority.

Cyber Vault Highlights

By Jeffrey T. Richelson

On March 30, 2016, the National Security Archive opened its Cyber Vault, a repository of documents on all aspects of cyber activity – including computer network defense (and other other aspects of cybersecurity), computer network attack, and computer network exploitation. The more than 750 documents currently in the vault have been drawn from a variety of sources – Freedom of Information Act releases, websites of both U.S. federal and state government organizations, courts, foreign government organizations, NATO, government contractors, think-tanks, advocacy groups, and media websites (including Wikileaks and those that posted documents provided by Edward Snowden).

In addition to relying on a multitude of sources to populate the Cyber Vault, the Archive has sought to accumulate a diverse set of documents – which has guided its collection strategy. As a result, the Cyber Vault includes significant documents from the 1960s and each subsequent decade, on cyber organization, on policy and strategy, on domestic and foreign cyber activities, on cybersecurity requirements, and on cyber crimes and the related investigations. Also included are intelligence assessments and theses. The documents also represent a spectrum of classifications, from unclassified, to formerly classified, and – in the cases of Wikileaks and Snowden documents – currently classified documents. Many of the documents cut across a number of categories.

Among the documents represented from the 1960s and 1970s are two seminal papers. One is Willis Ware’s 1967 effort, Secrecy and Privacy in Computer Systems (Document 1), written for the RAND Corporation, and one of the very first systematic approaches to information leakage, security, and privacy. The other (Document 2), produced by a staff member of Britain’s signals intelligence agency, the Government Communications Headquarters (GCHQ), represents the initial development of public key cryptography – although it was not declassified until years after the concept had been made public by American mathematicians.

That document is also one of several illustrating or concerning foreign government cyber efforts. A much more recent GCHQ product (Document 29) was one of the documents provided to Glenn Greenwald and Laura Poitras by Edward Snowden – a briefing on efforts to deanonymize users of The Onion Router (TOR) network, which had been developed by members of the U.S. Naval Research Laboratory (Document 32) as a means of protecting online communications. Chinese cyber organization, policy, and operations are covered, collectively, by two documents – an unclassified paper (Document 36) produced under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence and a Top Secret codeword NSA briefing (Document 24) on the People Republic of China’s computer network exploitation activity. Current Russian cyber activities are discussed in an extract (Document 35) from the controversial “Trump Dossier,” written by a former British Secret Intelligence Service officer.

Other documents concern hostile cyber activities from an earlier era. One, from 1998 (Document 12) provides information to the then director of the FBI, Louis Freeh, concerning the SOLAR SUNRISE investigation concerning intrusions into at least 11 unclassified DoD Computer systems at various locations in the United States. Another FBI memo (Document 13), concerns a 1999 investigation into intrusions into computer systems in the United States, the United Kingdom, Canada, Brazil, and Germany – an investigation which took some of the investigators to Moscow. In a newly released portion, it discusses possible response to intrusions – including the creation of “honeypots” containing “beacon” files.

In addition to being the victim of intrusions, the U.S. has also debated and formulated policy, granted authority over, and conducted intrusions in pursuit of national security objectives. In March 1997, Secretary of Defense William Cohen assigned the responsibility for computer network attack and exploitation to the National Security Agency in a short memo (Document 10). During that Spring a senior NSA official addressed the issue of cyberwar in a Secret article (Document 11) in a NSA journal. Many years later, according to a number of accounts, U.S. and Israeli cyber personnel were able to penetrate industrial control systems associated with the Iranian nuclear program and damage centrifuges that could produce weapons-grade material. While there have been no publicly released executive branch documents concerning the “Stuxnet” operation, it has been the subject of reports by RAND and the Congressional Research Service. (Document 26).

Concern over possible Russian intrusion into U.S. computer systems related to elections became a significant subject of discussion in the 2016 presidential election. Apprehensions over the possibility of such intrusions go back at least a decade. A December 2007 report (Document 20) was commissioned by Ohio’s Secretary of State, and contained disturbing results about the vulnerability of Ohio’s electronic voting systems. In the wake of a poorly-received, brief analysis of alleged Russian cyber activity related to the 2016 election, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center produced more detailed examination (Document 41) of the GRIZZLY STEPPE activity.

By the time the DHS report was issued, President Trump had been presented with a draft executive order on cybersecurity (Document 40 ), which would undoubtedly have been the first of a significant number of presidential actions on cybersecurity – just as President Obama had signed a number of cyber-related executive orders and presidential directives, including one (Document 34) that established a Cyber Threat Intelligence Integration Center. Ultimately, the Trump draft order became the first in a series of drafts, and no order has yet been signed.

Please Don’t Sign it Mr. Trump, You Cant Sign it…

Posted on March 29, 2017March 29, 2017 by Denise Simon

(CNN)FBI Director James Comey warned Wednesday that Americans should not have expectations of “absolute privacy,” adding that he planned to finish his term leading the FBI.

“There is no such thing as absolute privacy in America; there is no place outside of judicial reach,” Comey said at a Boston College conference on cybersecurity. He made the remark as he discussed the rise of encryption since 2013 disclosures by former National Security Agency contractor Edward Snowden revealed sensitive US spy practices.

“Even our communications with our spouses, with our clergy members, with our attorneys are not absolutely private in America,” Comey added. “In appropriate circumstances, a judge can compel any one of us to testify in court about those very private communications.”

Did you get that? What? Keep reading, it gets worse….

Here’s the Data Republicans Just Allowed ISPs to Sell Without Your Consent

Privacy watchdogs blasted the vote as a brazen GOP giveaway to the broadband industry.

Motherboard: Financial and medical information. Social Security numbers. Web browsing history. Mobile app usage. Even the content of your emails and online chats.

These are among the types of private consumer information that House Republicans voted on Tuesday to allow your internet service provider (ISP) to sell to the highest bidder without your permission, prompting outrage from privacy watchdogs.

The House action, which was rammed through by a vote of 215 – 205 on a largely partisan basis by the GOP majority, represents another nail in the coffin of landmark Federal Communications Commission consumer privacy rules that were passed in 2016. The rules, which were set to go into effect later this year, would have required broadband providers to obtain “opt-in” consent before using, sharing, or selling private consumer data.

“Ignoring calls from thousands of their constituents, House Republicans just joined their colleagues in the Senate in violating internet users’ privacy rights,” Craig Aaron, CEO of DC-based public interest group Free Press Action Fund, said in a statement. “They voted to take away the privacy rights of hundreds of millions of Americans just so a few giant companies could pad their already considerable profits.”

Last week, the Senate passed its version of the legislation. President Trump, who “strongly” supports the FCC privacy rollback, is expected to sign the measure soon, as part of the widening Republican campaign to reverse federal safeguards across broad swaths of the economy, including rules protecting the environment, public health, and consumer interests.

Privacy watchdogs say the FCC’s policy is necessary because ISPs can see everything that consumers do online. Unless you use a Virtual Private Network (VPN), every website you visit, every mobile app you use, every online search you conduct, is visible on their networks. Needless to say, this data is immensely valuable because it can be used to create detailed profiles for marketing and tracking purposes.

Related reading: Is Your Favorite Website Spying on You?

Corporate giants like Comcast, AT&T and Verizon already rake in billions of dollars annually from internet, cable, and mobile subscriptions. Now, these broadband firms will be able to make even more money by selling your private data to third party marketers without your permission.

“What the heck are you thinking? What is in your mind?”

Last year, the FCC detailed the data covered by its privacy policy. Thanks to Capitol Hill Republicans, ISPs will no longer be required to obtain “opt-in” consent before using, sharing, or selling this data.

Image: FCC

“What the heck are you thinking?” Rep. Michael Capuano, the Massachusetts Democrat, demanded of his GOP colleagues during floor debate earlier Tuesday. “What is in your mind? Why would you want to give out any of your personal information to a faceless corporation for the sole purpose of them selling it?”

Privacy advocates are particularly outraged because Republican lawmakers are nuking the FCC privacy policy using a controversial legislative tool called the Congressional Review Act (CRA), which allows Congress to nullify recently-approved federal regulations. “Resolutions of disapproval” passed under the CRA cannot be filibustered, and prohibit the agency in question, in this case the FCC, from adopting “substantially similar” privacy rules in the future.

“Once President Trump signs this resolution, there will be no effective federal cop on the beat to proactively protect consumer information collected by ISPs,” Dallas Harris, Policy Fellow at DC-based digital rights group Public Knowledge, said in a statement. “Without the FCC’s broadband privacy rules, Americans go from being internet users to marketing data—from people to the product.”

It should come as no surprise that many of the Republicans leading the charge to roll back the FCC’s privacy rules, including Rep. Marsha Blackburn of Tennessee, have received vast sums of campaign cash from the broadband industry.

Over the course of Blackburn’s 14-year career in the House, she has received $75,750 from AT&T and $72,650 from Verizon, her second and third largest corporate donors, respectively, according to the Center for Responsive Politics. Blackburn has also received $66,000 from NCTA, the broadband industry trade group, and $49,500 from Comcast.

For the last year, the broadband industry has complained that the FCC’s privacy policy is unfair because it doesn’t apply to so-called “edge providers” like Google and Facebook, which are regulated by the Federal Trade Commission (FTC). But instead of fighting to bolster the FTC’s privacy policy to create a level playing field, Republican lawmakers instead chose to eliminate the FCC’s more robust protections. Now the measure moves to Trump’s desk.

“If President Trump was serious about his campaign promises to stand up for the rights of the individual over the powerful special interests in Washington DC, then he would veto this bill,” Nathan White, Senior Legislative Manager at Access Now, said in a statement.