CENTCOM Victim of CyberCaliphate

An unknown network of hackers sympathetic to Islamic State hacked CENTCOM’s Twitter account and the associated YouTube channel. So far the response is ‘it does not appear to be anything problematic’. Ah what…problematic? The hackers had some success, and that for sure is problematic; what is more, data breaches of any sort do not give anyone in America confidence in internet security.

There is a ‘cybercaliphate’ that no one is admitting.

A screenshot shows the U.S. Central Command Twitter account after it was apparently hacked by people claiming to be aligned with Islamic State militants. The account was shortly thereafter suspended. Reuters

WASHINGTON—Hackers claiming to be aligned with Islamic State militants took control of the U.S. Central Command’s Twitter and YouTube accounts Monday, posting phone numbers of top military officers and what they said were classified documents.

In the posting, the militants claimed they were working for the Islamic State and a “Cyber Caliphate.”

A Pentagon official said that U.S. Central Command was aware of the hack but had no immediate information about how it occurred.

Officials for a time Monday appeared to be trying to retake control of the Twitter account. Shortly after the first tweets from the hackers appeared, the “Cyber Caliphate” logo and slogan disappeared, replaced by a blue square.

Then shortly after 1 p.m., the Twitter account was labeled as suspended. Moments later, the Central Command’s YouTube account apparently was suspended.

“We can confirm that the U.S. Central Command Twitter and YouTube accounts were compromised earlier today,” said a defense official. “We are taking appropriate measures to address the matter. I have no further information to provide at this time.”

The White House said it was looking into the hack, but had little information and played down the significance of the intrusion.

“There is a significant difference between…a large data breach and the hacking of a Twitter account,” said Josh Earnest, the White House press secretary.

The tweets posted by the hackers included phone numbers of top military commanders and what the group said were military scenarios for a conflict with North Korea and China.

A senior Pentagon official said the information posted by the hackers on the Twitter account didn’t appear to be highly classified documents.

“It does not appear to be anything problematic,” the official said.

–Felicia Schwartz and Carol E. Lee contributed to this article.

Write to Julian E. Barnes at [email protected]


French Government Does NOT Get a Pass

The world watched in horror the bloody events in Paris at the hands of militants. A great deal of work is going into investigations and research to determine names, backgrounds, connections and causes of the terror in France.

The background, cells and names rising to the surface are not new to the intelligence communities allied with the United States. What is new is that the governmental leadership(s) in Europe, North Africa and the West ignored the intelligence clarion calls for alarm.

Going back to 2005 and even earlier, mining open source information, the Buttes Chaumont information has been out there. The brothers of the Paris attacks were only the most recent members of the Buttes Chaumont terror cell. There were clearly other brothers and members that were festering a decade ago.


‘The first cell in this network was named the “19th arrondissement” or “Buttes Chaumont” cell, which both brothers were a part of. Farid Benyettou, a charismatic self-taught preacher who lectured outside various mosques and prayer groups, including the Addawa mosque of the 19th arrondissement, led this cell. Although Redouane died, Boubaker was in charge of a way station in Syria for French youths headed to Iraq. El-Hakim did not last long, though, since the Assad regime arrested him in 2004, imprisoned him for a year, and then extradited him to France in 2005.
El-Hakim would be sentenced in 2008 to seven years for his involvement in the recruitment ring. This would have kept him imprisoned through 2015, but he ended up only serving 2/3 of his term and was then deported to Tunisia sometime in 2012. Since then, el-Hakim’s name has popped up in reports on militants around Chaambi Mountain in western Tunisia. Again, it is hard to assess these claims since there is almost no way of independently verifying them. That said, due to his past connections within a jihadi recruitment network and al-Qaeda in Iraq, it would not be far-fetched if he indeed did have some type of connection or relationship with AQIM.
At the same time, due to the murky nature of el-Hakim’s presence in Tunisia and the dearth of solid information on the connections between AQIM and AST, it is too early to come to any real conclusions.’

The New York Times is data mining as well and has offered some current insight, but the paper omits the feeble policy of the French leadership in dealing with the dark yet active cell connections in France and in Northern Africa. The intelligence IS there but quite possibly was pushed to the side out of lack of law enforcement, lack of policy and lack of will.

It is a tragedy that France had to deploy more than 85,000 personnel to track down the killers in France while so many victims died. For the next several weeks, collaboration on intelligence and policy will occur, including with the United States.

PARIS — They jogged together or did calisthenics along the hilly lawns and tulip-dotted gardens of Buttes-Chaumont, the public park in northeastern Paris built more than a century ago under Emperor Napoleon III. Or they met in nearby apartments with a janitor turned self-proclaimed imam, a man deemed too radical by one local mosque because of his call for waging jihad in Iraq.

The group of young Muslim men, some still teenagers, became known to the French authorities as the Buttes-Chaumont group after the police in 2005 broke up their pipeline for sending young French Muslims from their immigrant neighborhood to fight against American troops in Iraq. The arrests seemingly shattered the group, and some officials and experts were skeptical that members ever posed a threat to France.

But the shocking terror attacks last week in Paris have now made plain that the Buttes-Chaumont network produced some of Europe’s most militant jihadists, including Chérif Kouachi, one of the three terrorists whose three-day rampage left 17 people dead and who was killed by the police.

Other alumni from the group have died in Iraq or remained committed to radical Islam, including a French-Tunisian now aligned with the Islamic State who has claimed responsibility for a handful of assassinations in Tunisia, including the July 2013 murder of a leading left-wing politician.

“They were considered the least dangerous,” Jean-Pierre Filiu, a professor of Middle East studies and specialist on French Islamic terror cells, said of the Buttes-Chaumont group. “And now you see them really at the forefront.”

Now French authorities, while still piecing together how such violent attacks could have been staged in the capital, must also be concerned by the possibility that other homegrown groups may be passing unnoticed — or may be similarly underestimated.

The attacks suggest the prospect of a potent intermingling among some members of the original Buttes-Chaumont group and other extremists. Their meeting place, apparently, was the French prison system.

There, their radicalism hardened as some members of the group came together with other prominent jihadists who were connected to more extensive and dangerous militant networks.

For decades, France has endured Islamic terror threats and attacks, from Iranian-inspired groups during the 1980s, to Algerian extremists in the 1990s, to cells linked to Al Qaeda before and after the Sept. 11, 2001, attacks in the United States.

More recently, French and other European security services have grown increasingly alarmed by thousands of young, alienated Muslim citizens who have enlisted for jihad in the conflicts in Syria and Iraq.

In each decade, a familiar pattern has emerged: a radicalized minority of European Muslims — whether they have gone abroad for jihad or not — have been angered and inspired by wars the West has waged in the Arab world, Africa and beyond, and have sought to bring the costs of those conflicts home.

After French authorities swept up members of the Buttes-Chaumont group in 2005, during his time in prison Chérif Kouachi came under the sway of an influential French-Algerian jihadist who had plotted to bomb the United States Embassy in Paris in 2001.

There, he also recruited a holdup artist named Amedy Coulibaly, the man who killed four hostages at a kosher supermarket in Paris on Friday.

It is unclear if his older brother, Saïd Kouachi, who also took part in the attack on the Charlie Hebdo newspaper office, was a member of the Buttes-Chaumont group, but the authorities have confirmed that the older brother spent time in Yemen between 2009 and 2012, getting training from a branch of Al Qaeda.


Felony Charges Against General Petraeus?

Prosecutors Said to Seek Felony Charges against Petraeus

CyberWar Vulnerabilities

A Hacker’s Hit List of American Infrastructure

In an 800-page document dump, the U.S. government revealed critical vulnerabilities.

On Friday, December 19, the FBI officially named North Korea as the party responsible for a cyber attack and email theft against Sony Pictures. The Sony hack saw many studio executives’ sensitive and embarrassing emails leaked online. The hackers threatened to attack theaters on the opening day of the offending film, The Interview, and Sony pulled the plug on the movie, effectively censoring a major Hollywood studio. (Sony partially reversed course, allowing the movie to show in 331 independent theaters on Christmas Day, and to be streamed online.)

Technology journalists were quick to point out that, even though the cyber attack could be attributable to a nation-state actor, it wasn’t particularly sophisticated. Ars Technica’s Sean Gallagher likened it to a “software pipe bomb.”

But according to cybersecurity professionals, the Sony hack may be a prelude to a cyber attack on United States infrastructure that could occur in 2015, as a result of a very different, self-inflicted document dump from the Department of Homeland Security in July.

Here’s the background: On July 3, DHS, which plays a “key role” in responding to cyber attacks on the nation, replied to a Freedom of Information Act (FOIA) request on a malware attack on Google called “Operation Aurora.”

Unfortunately, as Threatpost writer Dennis Fisher reports, DHS officials made a grave error in their response. DHS released more than 800 pages of documents related not to Operation Aurora but rather the Aurora Project, a 2007 research effort led by Idaho National Laboratory demonstrating how easy it was to hack elements in power and water systems.

Oops.

The Aurora Project exposed a vulnerability common to many electrical generators, water pumps, and other pieces of infrastructure, wherein an attacker remotely opens and closes key circuit breakers, throwing the machine’s rotating parts out of synchronization and causing parts of the system to break down.

In 2007, in an effort to cast light on the vulnerability that was common to many electrical components, researchers from Idaho National Lab staged an Aurora attack live on CNN. The video is below.

How widespread is the Aurora vulnerability? According to this 2013 article for Power Magazine:

The Aurora vulnerability affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment—whether it generates power or is essential to an industrial or commercial facility.

The article was written by Michael Swearingen, then manager for regulatory policy for Tri-County Electric Cooperative (now retired), Steven Brunasso, a technology operations manager for a municipal electric utility, Booz Allen Hamilton critical infrastructure specialist Dennis Huber, and Joe Weiss, a managing partner for Applied Control Solutions.

Weiss today is a Defense Department subcontractor working with the Navy’s Mission Assurance Division. His specific focus is fixing Aurora vulnerabilities. He calls DHS’s error “breathtaking.”

The vast majority of the 800 or so pages are of no consequence, says Weiss, but a small number contain information that could be extremely useful to someone looking to perpetrate an attack. “Three of their slides constitute a hit list of critical infrastructure. They tell you by name which [Pacific Gas and Electric] substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California.”

The publicly available documents that DHS released do indeed contain the names and physical locations of specific Pacific Gas and Electric Substations that may be vulnerable to attack.

Defense One shared the documents with Jeffrey Carr, CEO of the cybersecurity firm Taia Global and the author of Inside Cyber Warfare: Mapping the Cyber Underworld. “I’d agree…This release certainly didn’t help make our critical infrastructure any safer and for certain types of attackers, this information could save them some time in their pre-attack planning,” he said.

Perpetrating an Aurora attack is not easy, but it becomes much easier the more knowledge a would-be attacker has on the specific equipment they may want to target.

* * *

In a 2011 paper for the Protective Relay Engineers’ 64th Annual Conference, Mark Zeller, a service provider with Schweitzer Engineering Laboratories, lays out—broadly—the information an attacker would have to have to execute a successful Aurora attack. “The perpetrator must have knowledge of the local power system, know and understand the power system interconnections, initiate the attack under vulnerable system load and impedance conditions and select a breaker capable of opening and closing quickly enough to operate within the vulnerability window.”

“Assuming the attack is initiated via remote electronic access, the perpetrator needs to understand and violate the electronic media, find a communications link that is not encrypted or is unknown to the operator, ensure no access alarm is sent to the operators, know all passwords, or enter a system that has no authentication.”

That sounds like a lot of hurdles to jump over. But utilities commonly rely on publicly available equipment and common communication protocols (DNP, Modbus, IEC 60870-5-103, IEC 61850, Telnet, QUIC4/QUIN, and Cooper 2179) to handle links between different parts of their systems. It makes equipment easier to run, maintain, repair and replace. But in that convenience lies vulnerability.

In their Power Magazine article, the authors point out that “compromising any of these protocols would allow the malicious party to control these systems outside utility operations.”

Defense One reached out to DHS to ask them if they saw any risk in the accidental document dump. A DHS official wrote back with this response: “As part of a recent Freedom of Information Act (FOIA) request related to Operation Aurora, the Department of Homeland Security (DHS) National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking; however, the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised.”

Weiss calls the response “nonsense.”

The risk posed by DHS’s accidental document release may be large, as Weiss argues, or nonexistent, as DHS would have you believe. But even if it’s the latter, Aurora vulnerabilities remain a key concern.

Perry Pederson, who was the director of the Control Systems Security Program at DHS in 2007 when the Aurora vulnerability was first exposed, said as much in a blog post in July after the vulnerability was discovered. He doesn’t lay blame at the feet of DHS. But his words echo those of Weiss in their urgency.

“Fast forward to 2014. What have we learned about the protection of critical cyber-physical assets? Based on various open source media reports in just the first half of 2014, we don’t seem to be learning how to defend at the same rate as others are learning to breach.”

* * *

In many ways the Aurora vulnerability is a much harder problem to defend against than the Sony hack, simply because there is no obvious incentive for any utility operator to bear any of the relatively simple costs necessary to defend against it. And they are simple. Weiss says that a commonly available device installed on vulnerable equipment could effectively solve the problem, making it impossible to make the moving parts spin out of synchronization. There are two devices on the market, the iGR-933 rotating equipment isolation device (REID) and the SEL 751A, that purport to shield equipment from “out-of-phase” states.

To his knowledge, Weiss says, Pacific Gas and Electric has not installed any of them anywhere, even though the Defense Department will actually give them away to utility companies that want them, simply because DOD has an interest in making sure that bases don’t have to rely on backup power and water in the event of a blackout. “DOD bought several of the iGR-933, they bought them to give them away to utilities with critical substations,” Weiss said. “Even though DOD was trying to give them away, they couldn’t give them to any of the utilities because any facility they put them in would become a ‘critical facility’ and the facility would be open to NERC CIP audits.”

Aurora is not a zero-day vulnerability, an attack that exploits an entirely new vector giving the victim “zero days” to figure out a patch. The problem is that there is no way to know whether the fixes are being put in place until someone, North Korea or someone else, chooses to exploit the vulnerability.

Can North Korea pull off an Aurora attack? Weiss says yes. “North Korea and Iran are capable of doing things like this.”

Would such an attack constitute an act of cyber war? The answer is maybe. Speaking to reporters at the Pentagon on Friday, Pentagon Press Secretary Rear Adm. John Kirby said “I’m also not able to lay out in any specificity for you what would be or wouldn’t be an act of war in the cyber domain. It’s not like there’s a demarcation line that exists in some sort of fixed space on what is or isn’t. The cyber domain remains challenging, it remains very fluid. Part of the reason why it’s such a challenging domain for us is because there aren’t internationally accepted norms and protocols. And that’s something that we here in the Defense Department have been arguing for.”

Peter Singer, in conversation with Jason Koebler at Motherboard, says that the bar for actual military engagement against North Korea is a lot higher than hacking a major Hollywood movie studio.

“We didn’t go to war with North Korea when they murdered American soldiers in the 1970s with axes. We didn’t go to war with North Korea when they fired missiles over our allies. We didn’t go to war with North Korea when one of their ships torpedoed an alliance partner and killed some of their sailors. You’re going to tell me we’re now going to go to war because a Sony exec described Angelina Jolie as a diva? It’s not happening.”

Obama said Friday that there would be some sort of response to the hack, but declined to say what. “We have been working up a range of options. They will be presented to me. I will make a decision on those based on what I believe is proportional and appropriate to the nature of this crime,” he said.

Would infrastructure vandalism causing blackouts and water shutdowns constitute an act of war? The question may be moot. Before the United States can consider what sort of response is appropriate to cyber attacks, it must first be able to attribute them.

The FBI was able to finger North Korea for the hack after looking at the malware in the same way a forensics team looks for signs of a perpetrator at the scene of the crime. “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” according to the FBI statement. (Attribution has emerged as a point of contention in technology circles, with many experts suggesting that an inside hack job was more likely.)

An Aurora vulnerability attack, conversely, leaves no fingerprints except perhaps a single IP address. Unlike the Sony hack, it doesn’t require specially written malware to be uploaded into a system—malware that could indicate the identity of the attacker, or at least his or her affiliation. Exploiting an Aurora attack is simply a matter of gaining access, remotely, possibly because equipment is still running on factory-installed passwords, and then turning off and on a switch.
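The article’s point is that an Aurora-style attack leaves little trace beyond the breaker commands themselves, so a utility’s best forensic and detection signal is its own control-system event log. The monitor below is an added example, not code from the article or from any vendor named in it: it parses a constructed breaker-command log and flags (a) any breaker that is opened and re-closed within a short window and (b) commands from a source not on the operator list (the “no access alarm is sent” condition quoted above). The log format, breaker names, source names and the one-second window are all assumptions made for this example.

```python
"""Flag rapid breaker open/close cycling and unknown command sources.

Added example for the Aurora discussion above. Everything in the sample
log (breaker ids, source names, timestamps) and the tuning constants are
constructed for illustration; they are not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <breaker id> <OPEN|CLOSE> <source>
SAMPLE_LOG = """\
2014-07-10T02:14:05.120 CB-101 OPEN  hmi-ops-1
2014-07-10T02:14:05.410 CB-101 CLOSE hmi-ops-1
2014-07-10T02:14:05.700 CB-101 OPEN  hmi-ops-1
2014-07-10T02:14:05.980 CB-101 CLOSE hmi-ops-1
2014-07-10T03:30:00.000 CB-202 OPEN  hmi-ops-2
2014-07-10T03:45:12.000 CB-202 CLOSE hmi-ops-2
2014-07-10T04:01:33.250 CB-303 OPEN  10.0.0.99
2014-07-10T04:01:33.600 CB-303 CLOSE 10.0.0.99
"""

# Assumed tuning knobs (not from the article): an OPEN followed by a CLOSE
# on the same breaker inside this window is treated as suspicious cycling;
# normal switching for maintenance takes far longer than this.
CYCLE_WINDOW = timedelta(seconds=1)
# Assumed list of operator consoles allowed to issue breaker commands.
KNOWN_SOURCES = {"hmi-ops-1", "hmi-ops-2"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, breaker, cmd, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, breaker, cmd, source = line.split()
        events.append((datetime.fromisoformat(ts), breaker, cmd, source))
    return events


def find_rapid_cycles(events, window=CYCLE_WINDOW):
    """Return (breaker, open_time, close_time, source) for every OPEN->CLOSE
    pair on one breaker that completes within `window`.

    Events are processed in time order; an OPEN without a later CLOSE is
    simply left pending and never reported."""
    last_open = {}
    findings = []
    for ts, breaker, cmd, source in sorted(events):
        if cmd == "OPEN":
            last_open[breaker] = ts
        elif cmd == "CLOSE" and breaker in last_open:
            open_ts = last_open.pop(breaker)
            if ts - open_ts <= window:
                findings.append((breaker, open_ts, ts, source))
    return findings


def find_unknown_sources(events, known=KNOWN_SOURCES):
    """Return the sorted set of command sources not on the operator list."""
    return sorted({src for _, _, _, src in events if src not in known})


def count_cycles_per_breaker(findings):
    """Summarise rapid-cycle findings as {breaker: number of cycles}."""
    counts = defaultdict(int)
    for breaker, _open_ts, _close_ts, _src in findings:
        counts[breaker] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for breaker, o, c, src in find_rapid_cycles(evs):
        print(f"ALERT rapid cycle on {breaker}: OPEN {o.time()} -> CLOSE {c.time()} "
              f"({(c - o).total_seconds():.3f}s) from {src}")
    for src in find_unknown_sources(evs):
        print(f"ALERT breaker command from unlisted source {src}")
```

In the constructed log, CB-202 is switched minutes apart by a known console and is not reported, while CB-101 cycles twice inside a second and CB-303 is cycled from an address that is not an operator console.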

“You’re using the substations against whatever’s connected to them. Aurora uses the substations as the attack vector. This is the electric grid being the attack vector,” said Weiss, who calls it “a very, very insidious” attack.

The degree to which we are safe from that eventuality depends entirely on how well utility companies have put in place safeguards. We may know the answer to that question in 2015.

Taxes Driving U.S. Corporations to Shutter

No one wants to change the tax code and no one wants to allow U.S. currency offshore to be repatriated so…

U.S. Stands to Lose Billions From Corporate Tax Inversions

One Estimate Puts Lost Tax Revenue at Close to $20 Billion Over a Decade

How much revenue does the U.S. Treasury stand to lose from corporate tax inversions? It is difficult to say precisely, but one estimate puts the figure at close to $20 billion.

Calculating how much the U.S. Treasury would lose is nearly impossible because of a dearth of reliable tax data from companies’ public filings and the variables in how companies can structure their businesses, tax experts say.

One way companies seek to reduce their U.S. tax bills by reincorporating overseas is to transfer pretax income from their U.S. operations to their foreign parent companies through intercompany debt, says corporate tax consultant Robert Willens. But it is difficult to know how large an impact that will have for a given company because of limits on how much interest companies can deduct from their taxable income. There is also a risk that companies that act too aggressively will attract scrutiny from the Internal Revenue Service.

Another variable is the cash many companies keep overseas to avoid U.S. taxes. The cash only becomes taxable once it is brought back to the U.S. to pay dividends to shareholders or is used for other purposes. But companies don’t always disclose how much cash they bring back home or when.

Some companies say they were never going to repatriate the cash anyway, so they aren’t depriving the U.S. tax base of revenue by moving out of the country.

Report: 1 million corporations closed, 60,000 a year; taxes blamed

America has lost 1 million corporations since their height during the Reagan era, in part driven out of business by the industrialized world’s highest corporate tax rate, according to a new report from the nonpartisan Tax Foundation.

The just-issued research revealed that the number of traditional “C” corporations has fallen to a “historically low level” and wiped out the corporate tax base, resulting in the federal government relying much more on individual income taxes to fund its operation.

“There is now more net business income taxed under the individual income tax system than the traditional corporate tax code, a trend that does not appear to be stopping any time soon,” said the report provided to Secrets.

It said that corporate closings have recently picked up steam and now 60,000 a year are shut down.

A driver in the loss of traditional corporations has been the ever-rising corporate tax rate, an issue Washington has been ducking for years.

The Tax Foundation said that many corporate titans have taken matters into their own hands by restructuring as “pass through” operations which allows profits to be taxed at lower individual rates.

“More than 60 percent of U.S. business profits are now taxed under the individual income tax code rather than the corporate tax code, which explains why the U.S. collects a relatively small amount of tax revenue from corporations despite having the developed world’s highest corporate tax rate,” said the foundation.

“Although this kind of do-it-yourself tax reform is beneficial to the overall economy because it lowers the tax burden on business investment, something is nevertheless lost,” said Tax Foundation Chief Economist William McBride in a statement.

“Pass-through businesses do not offer the same ability to invite investment from thousands of shareholders or easily transfer shares. That means the decline of the traditional corporate sector represents an economic distortion that is hobbling American industrial capacity and job growth. No other developed country has such a distorted business sector,” he added.

Then comes Congress with threats:

The Senate’s chief tax writer, Ron Wyden, wants U.S. companies looking to move abroad for a lower tax bill to understand one thing: “[T]hey won’t profit from abandoning the U.S.”

The Democrat’s comments, made in a Wall Street Journal op-ed last week, came amidst a spate of proposed mergers between major American companies and foreign rivals that would end up reducing their U.S. tax bill.

The proposed merger that’s gotten the most attention of late: The so far unsuccessful bid by Pfizer (PFE) for British pharmaceutical maker AstraZeneca (AZN).

Today, a U.S. company can move to a more tax-friendly country in a process known as “inversion” if the foreign partner owns more than 20% of the stock in the merged entity, among other requirements.

Wyden wants to raise that threshold to at least 50%, and he would like to make such a provision retroactive to May 8, 2014.