Information Operations

Newsletter

Compiled by: Mr. Jeff Harley

US Army Space and Missile Defense Command

Army Forces Strategic Command

G39, Information Operations Division

Table of Contents

ARSTRAT IO Newsletter on OSS.net


Vol. 11, no. 05 (24 March – 30 April 2011)

1. NASA Computer Servers Vulnerable To Attack: Audit

2. Hackers Exploit Chink in Web's Armor

3. New and Old Information Operations in Afghanistan: What Works?

4. Red Flag Cyber Operations: Part III - Lackland Cyber IO Range Brings Red Flag Home

5. Increasing Need for Public-Private Partnerships in Cyber

6. Information War Around Libya. Who Prevails: The West or Gaddafi?

7. Army Electronic Warfare Division Hosts Semi-Annual Working Group

8. It Takes a Network

9. In Afghan Info War, Being First Trumps Being Right

10. Rebels Hijack Gadhafi's Phone Network

11. With Court Order, FBI Hijacks ‘Coreflood’ Botnet, Sends Kill Signal

12. Marine IO, MISO Teams Return

13. AP Exclusive: Al-Qaida In Yemen Adapts To Evade US

14. In Cyberspy Vs. Cyberspy, China Has The Edge

15. Dawn of the Cyber Operator

16. Iran Says It Has Uncovered Second Cyber Attack

17. Electronic Warfare Bucks Defense Cut Trend

18. Something Wrong With Our **** Chips Today


NASA Computer Servers Vulnerable To Attack: Audit

From AFP, 28 Mar 2011

WASHINGTON — NASA's inspector general warned Monday that computer servers used by the US space agency to control spacecraft were vulnerable to cyber attack through the Internet.

"We found that computer servers on NASA's agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet," NASA inspector general Paul Martin said in an audit of NASA's network security.

"Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable," the report said.

It said a cyber attacker who managed to penetrate the network could use compromised computers to exploit other weaknesses and "severely degrade or cripple NASA's operations."

The inspector general's audit of NASA's computer security found "network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers.

"These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks," the report said.

The inspector general warned that "until NASA addresses these critical deficiencies and improves its IT security practices, the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations, and personnel."

The inspector general performed the audit after NASA experienced a number of cyber intrusions that the report said resulted in the "theft of export-controlled and other sensitive data from its mission computer networks."

The inspector general cited a May 2009 incident in which cyber criminals infected a computer system that supports one of NASA's mission networks.

"Due to the inadequate security configurations on the system, the infection caused the computer system to make over 3,000 unauthorized connections to domestic and international Internet Protocol (IP) addresses including addresses in China, the Netherlands, Saudi Arabia, and Estonia," the report said.

It said that in January 2009, cybercriminals stole 22 gigabytes of export-restricted data from a Jet Propulsion Laboratory computer system.

The inspector general recommended that NASA immediately act to mitigate risks on Internet-accessible computers on its mission networks and carry out an agency-wide IT security risk assessment.

Hackers Exploit Chink in Web's Armor

By Declan McCullagh and Elinor Mills, Cnet, 24 Mar 2011

A long-known but little-discussed vulnerability in the modern Internet's design was highlighted yesterday by a report that hackers traced to Iran spoofed the encryption procedures used to secure connections to Google, Yahoo, Microsoft, and other major Web sites.

This design, pioneered by Netscape in the early and mid-1990s, allows the creation of encrypted channels to Web sites, an important security feature typically identified by a closed lock icon in a browser. The system relies on third parties to issue so-called certificates that prove that a Web site is legitimate when making an "https://" connection.

The problem, however, is that the list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web's master keys.

"There is this problem that exists today where there are a very large number of certificate authorities that are trusted by everyone and everything," says Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation who has compiled a list of them.

This has resulted in a bizarre situation in which companies like Etisalat, a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices, possess the master keys that can be used to impersonate any Web site on the Internet, even the U.S. Treasury, BankofAmerica.com, and Google.com. So do more than 100 German universities, the U.S. Department of Homeland Security, and random organizations like the Gemini Observatory, which operates a pair of 8.1-meter diameter telescopes in Hawaii and Chile.

It's a situation that nobody would have anticipated nearly two decades ago when the cryptographic protection known as SSL (Secure Sockets Layer) began to be embedded into Web browsers. At the time, the focus was on securing the connections, not on securing the certificate authorities themselves--or limiting their numbers.

"It was the '90s," says security researcher Dan Kaminsky, who discovered a serious Domain Name System flaw in 2008. "We didn't realize how this system would grow." Today, there are now about 1,500 master keys, or signing certificates, trusted by Internet Explorer and Firefox.

The vulnerability of today's authentication infrastructure came to light after Comodo, a Jersey City, N.J.-based firm that issues SSL certificates, alerted Web browser makers that an unnamed European partner had its systems compromised. The attack originated from an Iranian Internet Protocol address, according to Comodo Chief Executive Melih Abdulhayoglu, who told CNET that the skill and sophistication suggested a government was behind the intrusion.

Spoofing those Web sites would allow the Iranian government to use what's known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages, and monitor any other activities its citizens performed, even if Web browsers show that the connections were securely protected with SSL encryption.

If Comodo is correct about the attack originating from Iran, it wouldn't be the first government in the region to have taken similar steps. Late last year, the Tunisian government undertook an ambitious scheme to steal an entire country's worth of Gmail, Yahoo, and Facebook passwords. It used malicious JavaScript code to siphon off unencrypted log-in credentials, which allowed government agents to infiltrate or delete protest-related discussions.

Comodo's revelation throws into sharp relief the list of flaws inherent in the current system. There is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance; Tunisia even has its own certificate-issuing government agency.

"These organizations act as cornerstones of security and trust on the Internet, but it seems like they're not doing basic due diligence that other organizations are expected to do, like the banks," says Mike Zusman, managing consultant at Web app security firm Intrepidus Group. "I'm not sure what we need to do but I think it's time we start addressing the issue of trust and issues of certificate authorities potentially not living up to standards that they should be."

Over the last few years, a handful of papers and demonstrations at hacker conferences have focused more attention on the topic. But the Comodo intrusion, which appears to be the first public evidence of an actual attack on the way the Web handles authentication, could be a catalyst for rethinking the way to handle security.

Two years ago, for instance, Zusman was able to get a certificate from Thawte, a VeriSign subsidiary, for "login.live.com" just based on an e-mail address he created on the Hotmail domain. Even though it was revoked, it still worked in a Web browser during a demonstration at the Black Hat conference in Las Vegas. Comodo, too, has previously been shown to have lax security standards among its resellers as far back as December 2008.

"Remember, the only reason Iran has to go to the lengths they've gone to get certificates is because they don't have a (certificate issuer) of their own... most countries can just generate their own," says Moxie Marlinspike, chief technology officer of mobile app developer Whisper Systems, who has discovered serious problems with Web authentication before. One problem, he says, is that companies that issue certificates have a strong economic incentive to make it as easy as possible to obtain them.

Another worrisome aspect is that browser makers don't always have a good way to revoke fraudulent certificates. A discussion thread at Mozilla.org, makers of the Firefox browser, shows that after being alerted by Comodo, they had no process to revoke the faux certificates. Mozilla developers ended up having to write new code and test a patch, which took a few days and, even after its release, meant that only users who downloaded new versions of Firefox benefited.

Google's Chrome, on the other hand, uses a transparent update system for desktop versions but not necessarily mobile ones. Microsoft said yesterday that "an update is available for all supported versions of Windows to help address this issue."
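A worked model of the trust decision the article describes, added here and not taken from the article, Comodo or Mozilla: every root in the store is equally trusted, so a certificate for mail.google.com signed by a breached reseller passes the default check, and only an after-the-fact serial blocklist (the kind of fix Mozilla had to ship) or a per-host issuer pin rejects it. CA names, secrets and serials are constructed, and signatures are simulated with HMAC rather than real X.509 public-key signatures.

```python
# Added model (not Comodo's or Mozilla's code) of the browser trust decision the
# article describes. Signatures are simulated with HMAC under a per-CA secret kept
# in the trust store; real PKI uses public-key signatures, but the policy is the same.
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # host name the certificate claims
    issuer: str    # CA (or reseller) that signed it
    serial: int
    sig: str       # simulated signature over subject|issuer|serial

def _tbs(subject, issuer, serial):
    return f"{subject}|{issuer}|{serial}".encode()

def ca_sign(ca_name, ca_secret, subject, serial):
    # Issuance: nothing here checks that ca_name is entitled to vouch for subject.
    sig = hmac.new(ca_secret, _tbs(subject, ca_name, serial), hashlib.sha256).hexdigest()
    return Cert(subject, ca_name, serial, sig)

def accept(cert, host, trust_store, blocklist=frozenset(), pins=None):
    """Relying-party check; returns (accepted, reason). trust_store maps CA name to secret
    and every entry is equally trusted; blocklist holds (issuer, serial) pairs hard-coded
    after an incident; pins maps host to the set of CAs allowed to vouch for it."""
    if cert.subject != host:
        return False, "name mismatch"
    secret = trust_store.get(cert.issuer)
    if secret is None:
        return False, "issuer not in trust store"
    expected = hmac.new(secret, _tbs(cert.subject, cert.issuer, cert.serial), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(cert.sig, expected):
        return False, "bad signature"
    if (cert.issuer, cert.serial) in blocklist:
        return False, "serial blocklisted"
    if pins and cert.issuer not in pins.get(host, {cert.issuer}):
        return False, "issuer not pinned for host"
    return True, "ok"

def demo():
    # Constructed trust store: two of the article's "650 organizations", equally trusted.
    roots = {"Honest CA": b"constructed-secret-1", "Breached Reseller": b"constructed-secret-2"}
    legit = ca_sign("Honest CA", roots["Honest CA"], "mail.google.com", 1001)
    rogue = ca_sign("Breached Reseller", roots["Breached Reseller"], "mail.google.com", 42)
    by_default = (accept(legit, "mail.google.com", roots), accept(rogue, "mail.google.com", roots))
    blocked = accept(rogue, "mail.google.com", roots, blocklist={("Breached Reseller", 42)})
    pinned = accept(rogue, "mail.google.com", roots, pins={"mail.google.com": {"Honest CA"}})
    return by_default, blocked, pinned
```

Under the default policy both certificates are accepted, which is the structural flaw the article points at; the blocklist and the pin each reject the rogue one for a different reason.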

Ross Anderson, professor of security engineering at the University of Cambridge's computer laboratory, offered an anecdote in this paper (PDF): "I asked a panelist from the Mozilla Foundation why, when I updated Firefox the previous day, it had put back a certificate I'd previously deleted, from an organisation associated with the Turkish military and intelligence services. The Firefox spokesman said that I couldn't remove certificates--I had to leave them in but edit them to remove their capabilities - while an outraged Turkish delegate claimed that the body in question was merely a 'research organisation.'"

Jacob Appelbaum, a Tor Project developer who is a subject of a legal spat with the Justice Department over his work with WikiLeaks, says Mozilla should have warned of the vulnerability immediately and shipped Firefox 4 with a way to detect and revoke bad certificates turned on by default. (The technique is called Online Certificate Status Protocol, or OCSP.)

"Mozilla's not taking their responsibility to the Internet seriously," said Appelbaum, who wrote an independent analysis of the situation. "A Web browser isn't a toy. It's being used as a tool to overthrow governments...At the end of the day, they did not put their users first."

Some long-term technical fixes have been proposed, with names like DANE, HASTLS, CAA (Comodo's Philip Hallam-Baker is a co-author), and Monkeysphere. The technology known as Domain Name System Security Extensions, or DNSSEC, can help. The Electronic Frontier Foundation's Eckersley, who runs the group's SSL Observatory that tracks SSL certificates, hints that he'll soon offer another proposal about how to reinforce the Web's cryptographic architecture.

"We do in fact need a way not to trust everyone," Eckersley says. "We have 1,500 master certificates for the Web running around. That's 1,500 places that could be hacked and all of a sudden you have to scramble to dream up a solution."

New and Old Information Operations in Afghanistan: What Works?

By Walter Pincus, Washington Post, March 28, 2011

After years of spending hundreds of millions of dollars trying to get its message out to Afghans, the United States is still experimenting.

The State Department, for example, is trying a new communications approach in Kandahar by turning to old media — radio and television. It’s planning to lease free space to Afghan service providers on a radio-TV transmission tower recently built within the area of Kandahar Airfield, which is controlled by the U.S. military.

It’s the first of several such broadcasting towers to be constructed by State in Afghanistan. “The program is designed to improve the access of Afghans in underserved areas to a variety of radio and television signals,” said David Ensor, a former CNN correspondent who is director of communications and public diplomacy at the U.S. Embassy in Kabul.

“We are in an information war,” Secretary of State Hillary Rodham Clinton told a Senate Appropriations subcommittee recently, adding: “The fact is most people still get their news from TV and radio. So while we’re being active in online new media, we have to be active in the old media as well.”

The State Department’s mixed approach to fighting the propaganda war in Afghanistan comes at a time when the U.S. military is stepping up its use of new media because of gains it sees being made by the Taliban.

Gen. James Mattis, the Central Command commander, recently told Congress that CENTCOM’s communications program, “Operation Earnest Voice,” will “reach regional audiences through traditional media, as well as via Web sites and regional public-affairs blogging.”

“In each of these efforts, we follow the admonition we practiced in Iraq, that of being first with the truth,” he added.

Mattis said Taliban propagandists are using the Internet for recruiting.

“We can directly track some of this. In broad terms, we challenge their propaganda. We disrupt the recruiting. We show that it’s silly to go down this line. . . . We bring out the moderate voices. We amplify those. And in more detail, we detect and we flag if there is adversary, hostile, corrosive content in some open-source Web forum, [and] we engage with the Web administrators to show that this violates Web site provider policies.”

Some analysts have said Taliban propaganda works because the group focuses primarily on publicizing coalition attacks that kill Afghan civilians.

CENTCOM has a digital engagement team working in Arabic, Farsi, Urdu and Pashtu that responds to people on the Web, according to Mattis. “It’s fully attributable,” he said.

But in February, the multimedia publication Information Week was among the first to publish a story about CENTCOM’s 2010 contract with a California company. The solicitation called for supplying software to allow a military operator in Afghanistan to create and control 10 Web personalities “replete with background, history, supporting details and cyber presences that are technically, culturally and geographically consistent.” These virtual persons are to be untraceable and “must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms,” according to the contract proposal.