Five men believed to be responsible for spreading a notorious
computer worm on Facebook and other social networks — and pocketing several
million dollars from online schemes — are hiding in plain sight in St.
Petersburg, Russia, according to investigators at Facebook and several
independent computer security researchers.
The men live comfortable lives in St. Petersburg — and have frolicked on luxury
vacations in places like Monte Carlo, Bali and, earlier this month, Turkey,
according to photographs posted on social network sites — even though their
identities have been known for years to Facebook, computer security
investigators and law enforcement officials.
One member of the group, which is popularly known as the Koobface gang, has
regularly broadcast the coordinates of its offices by checking in on Foursquare,
a location-based social network, and posting the news to Twitter. Photographs on
Foursquare also show other suspected members of the group working on Macs in a
loftlike room that looks like offices used by tech start-ups in cities around
Beginning in July 2008, the Koobface gang aimed at Web users with invitations to
watch a funny or sexy video. Those curious enough to click the link got a
message to update their computer’s Flash software, which begins the download of
the Koobface malware. Victims’ computers are drafted into a “botnet,” or network
of infected PCs, and are sent official-looking advertisements of fake antivirus
software and their Web searches are also hijacked and the clicks delivered to
unscrupulous marketers. The group made money from people who bought the bogus
software and from unsuspecting advertisers.
The security software firm Kaspersky Labs has estimated that the network
included 400,000 to 800,000 PCs worldwide at its height in 2010. Victims are
often unaware their machines have been compromised.
The Koobface gang’s freedom underscores how hard it is to apprehend
international computer criminals, even when identities are known. These groups
tend to operate in countries where they can work unmolested by the local
authorities, and where cooperation with United States and European law
enforcement agencies is poor. Meanwhile, Western law enforcement is awash in
computer crime and lacks the resources and skilled manpower to tackle it
effectively, especially when evidence putting individuals’ fingers on keyboards
must be collected abroad.
On Tuesday, Facebook plans to announce that it will begin sharing information
about the group and how to fight them with security researchers and other
Internet companies. It believes public namings can make it harder for such
groups to operate and send a message to the criminal underground.
None of the men have been charged with a crime and no law enforcement agencies
have confirmed they are under investigation.
The group investigators have identified has adopted the tongue-in-cheek name,
Ali Baba & 4: Anton Korotchenko, who uses the online nickname “KrotReal”;
Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by
“PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the online moniker
“PoMuc”; and Alexander Koltysehv, or “Floppy.”
Efforts to contact members of the group for comment have been unsuccessful.
Weeks after early versions of the Koobface worm began appearing on Facebook,
investigators inside the company were able to trace the attacks to those
responsible. “We’ve had a picture of one of the guys in a scuba mask on our wall
since 2008,” said Ryan McGeehan, manager of investigations and incident response
Since then, Facebook and several independent security researchers have provided
law enforcement agencies, including the Federal Bureau of Investigation, with
information and evidence. Most notably, Jan Droemer, a 32-year-old independent
researcher in Germany, has provided important information and leads, including a
password-free view inside Koobface’s command-and-control system, known as the
“Mothership.” Mr. Droemer spent nights and weekends for four months in late 2009
and early 2010 unmasking the gang members using only information available
publicly on the Internet.
The F.B.I. declined to comment.
That computer crime pays is fueling a boom that is leaving few Internet users
and businesses unscathed. The toll on consumers alone is estimated at $114
billion annually worldwide, according to a September 2011 study by the security
software maker Symantec.
Russia, in particular, has a reputation as a hacker haven, although it has
pursued several prominent cases against spammers recently. The Soviet education
system’s emphasis on math and science combined with post-Communist economic
collapse and weak private industry meant there were many highly trained
engineers, but few legitimate outlets for their skills, said Vsevolod Gunitskiy,
an assistant professor at the University of Toronto.
“Russia is sort of a perfect storm for cybercrime,” he said. The proliferation
of organized crime and official corruption created “this very strong legacy of
contempt for the laws and general culture of criminality.”
The Russian Embassy in Washington said it does not have any information
regarding this group and that American law enforcement officials had never
contacted the embassy on this issue.
The men investigators believe are behind Koobface look a lot like ordinary
software enthusiasts, albeit with more tattoos and an outlaw persona. Mr.
Avdeyko, who is two decades older than the other men and has been tied to an
infamous spyware program dating to 2003 called CoolWebSearch, appears to hold a
He and at least two of the other men have worked in the world of online
pornography, said Mr. Droemer. Mr. Korotchenko and several of the other men
apparently tried to run a legitimate mobile software and services business,
colorfully named MobSoft Ltd. They did not reply to e-mails requesting
Mr. Droemer said the gang’s success was more attributable to workaday
persistence and willingness to adapt than technical sophistication. They could
have spread Koobface to many more PCs, he said. “They could have done a lot more
technical things to make it more perfect, more marvelous. But there was just no
need to do it. They were just investing as much to get the revenue they wanted
The group cleverly harnessed the infrastructures of powerful online services —
from Facebook and Twitter to Google’s search engine and Blogger — to do the
heavy lifting, and may have run its enterprise with just a few computers.
Koobface will probably earn its place in history for pioneering and leading the
criminal exploitation of social networks, rather than the size of its profits.
Data found in the botnet’s command-and-control system suggests the group has
earned at least $2 million a year for the 3 1/2 years of its existence, although
the actual total is very likely higher, Mr. Droemer said.
Experts say the gang could have further enriched itself through identity fraud,
since it has had access to millions of PCs and social-network profiles, but that
there is no evidence it has done so.
Indeed, in a 2009 Christmas e-card to security researchers left inside victim
computers, the gang vowed it would never steal credit card or banking
information. It called viruses “something awful.” Its tactics have been less
ruthless than those of many other hacker groups, experts said. For instance, it
has never deployed malicious programs that install automatically, and rather has
required its victims to make several unwise clicks.
While the Koobface gang operates freely, Facebook has focused on building
elaborate defenses against the worm, which relentlessly struck the site again
and again until disappearing in March. The gang abandoned the site after
Facebook mounted a major counteroffensive, which included an effort to dismantle
the command-and-control system of the botnet and a simultaneous push to scrub
its network of the worm and clean up infections in users’ PCs.
“We fired all the different guns at the same time,” said Joe Sullivan, chief
security officer at Facebook. “If we could literally shut down the
command-and-control, all the infections, and just make them have to start over
from scratch in all contexts, we figured they might decide to move on.” He hoped
they would conclude Facebook was unprofitable, he said.
But Facebook’s effort and two earlier takedown efforts by security researchers —
including one by the Bulgarian researcher Dancho Danchev, who revealed the name
of one Koobface member on his blog last week — have failed to put an end to
Koobface, and smaller sites continue to suffer.
“People who engage in this type of stuff need to know that their name and real
identity are going to come out eventually and they’re going to get arrested and
they’re going to be targeted,” Mr. Sullivan said. “People are fighting back.”
The New York Times
By SOMINI SENGUPTA and JENNA WORTHAM
It was a subtle swap: a cheesy advertisement for a vacation timeshare atop the
home page of ESPN.com, in a spot that might have been claimed by a well-known
brand like
Those who saw swapped advertisements, federal prosecutors say, might never have
known that their computer had been drawn into a complex Internet advertising
scam that they say generated $14 million for its creators.
Over the last four years, a group of men in Eastern Europe quietly hijacked
millions of computers worldwide and diverted unsuspecting users to online
advertisements from which they could profit, federal law enforcement officials
said on Wednesday.
Six men, all in their 20s and early 30s, are under arrest in Estonia for what
the United States attorney’s office in New York called “a massive and
sophisticated Internet fraud scheme.” A Russian suspect in the case remains at
The malicious software infected four million computers, including 500,000 in the
United States, the prosecutors said. The software was so subtle that most people
using an infected computer were probably unaware of it.
It was a two-pronged scheme, prosecutors said. One component involved
redirecting clicks on search results to sites that were controlled by the
defendants. A search for “I.R.S.,” for instance, would lead a user to the Web
site of the tax preparer H&R Block. The sites to which users were directed would
pay the swindlers a referral fee, prosecutors said. The more traffic they could
redirect, the more fees they collected.
The other way the group made money, according to the indictment, was to swap
legitimate online advertisements on certain Web sites with others that would
generate payments for the defendants. Prosecutors said that Web sites for ESPN
and The Wall Street Journal were affected — but only when viewed on the infected
“On a mass scale, this gave new meaning to the term false advertising,” Preet
Bharara, the United States attorney for the Southern District of New York, said
at a press conference in Manhattan.
The security firm Trend Micro, which was among several private companies that
helped federal officials with the investigation, called it the “biggest
cybercriminal takedown in history.” The group running the scheme had 100
command-and-control servers worldwide, the company said, one of which was in a
data center run in New York.
The scheme came to light after 100 computers at the National Aeronautics and
Space Administration were found to have been infected. The malicious software
spread through infected Web sites.
The most serious aspect of the scheme was that it attacked part of the
scaffolding of the Internet: the domain name system, or D.N.S., which links the
numerical addresses of Web sites with more user-friendly addresses like irs.gov.
“When people start attacking infrastructure, it creates the potential for a
rogue version of the Internet,” said David Dagon, a computer security expert at
the Georgia Tech College of Computing who helped federal authorities in the
Unlike more traditional malware that ferrets out valuable personal information,
the group’s program was not designed to steal data, so it was not easily
detected, private security consultants said. It manipulated the infrastructure
of the Web to do what it does every day in great volumes: display advertising.
All six of the Estonian defendants were in the custody of Estonian police. Four
of them also face charges in that country. One of them, Vladimir Tsastsin, 31,
has been previously convicted of money laundering in Estonia, according to the
Federal Bureau of Investigation. He is identified with a company called Rove
Digital, which investigators say ran the operation’s infrastructure.
According to the indictment, the malware also staved off antivirus software
updates, which meant that an infected computer could not detect that it was
infected. This also made the machine vulnerable to other security bugs.
The malware affected both Windows and Mac operating systems. On its Web site,
the F.B.I. outlines how to detect this particular program and how to get rid of
Mr. Bharara described the scheme as “cyber infestation of the first order” that
reflected the global nature of Internet fraud.
The New York Times
By CLAIRE CAIN MILLER
SAN FRANCISCO — Hackers have broken into the cellphones of celebrities like Scarlett
Johansson and Prince William. But what about the rest of us, who might not have
particularly salacious photos or voice messages stored in our phones, but
nonetheless have e-mails, credit card numbers and records of our locations?
A growing number of companies, including start-ups and big names in computer
security like McAfee, Symantec, Sophos and AVG, see a business opportunity in
mobile security — protecting cellphones from hacks and malware that could read
text messages, store location information or add charges directly to mobile
On Tuesday, McAfee introduced a service for consumers to protect their
smartphones, tablets and computers at once, and last week the company introduced
a mobile security system for businesses. Last month, AT&T partnered with Juniper
Networks to build mobile security apps for consumers and businesses. The Defense
Department has called for companies and universities to come up with ways to
protect Android devices from malware.
In an indication of investor interest, one start-up, Lookout, last week raised
$40 million from venture capital firms, including Andreessen Horowitz, bringing
its total to $76.5 million. The company makes an app that scans other apps that
people download to their phones, looking for malware and viruses. It
automatically tracks 700,000 mobile apps and updates Lookout whenever it finds a
Still, in some ways, it’s an industry ahead of its time. Experts in mobile
security agree that mobile hackers are not yet much of a threat. But that is
poised to change quickly, they say, especially as people increasingly use their
phones to exchange money, by mobile shopping or using digital wallets like
“Unlike PCs, the chance of running into something in the wild for your phone is
quite low,” said Charlie Miller, a researcher at Accuvant, a security consulting
company, and a hacker who has revealed weaknesses in iPhones. “That’s partly
because it’s more secure but mostly because the bad guys haven’t gotten around
to it yet. But the bad guys are going to slowly follow the money over to your
Most consumers, though they protect their computers, are unaware that they need
to secure their phones, he said, “but the smartphones people have are computers,
and the same thing that can happen on your computer can happen on your phone.”
Cellphone users are more likely than computer users to click on dangerous links
or download sketchy apps because they are often distracted, experts say. Phones
can be more vulnerable because they connect to wireless networks at the gym or
the coffee shop, and hackers can surreptitiously charge consumers for a
There have already been harmful attacks, most of which have originated in China,
said John Hering, co-founder and chief executive of Lookout.
For example, this year, the Android market was hit by malware called DroidDream.
Hackers pirated 80 applications, added malicious code and tricked users into
downloading them from the Android Market. Google said 260,000 devices were
Also this year, people unwittingly downloaded other malware, called GGTracker,
by clicking on links in ads, and on the Web site to which the links led. The
malware signed them up, without their consent, for text message subscription
services that charged $10 to $50.
Lookout says that up to a million people were afflicted by mobile malware in the
first half of the year, and that the threat for Android users is two and a half
times higher than it was just six months ago.
Still, other experts caution that fear is profitable for the security industry,
and that consumers should be realistic about the small size of the threat at
this point. AdaptiveMobile, which sells mobile security tools, found that 6
percent of smartphone users said they had received a virus, but that the actual
number of confirmed viruses had not topped 2 percent.
Lookout’s founders are hackers themselves, though they say they are the good
kind, who break into phones and computers to expose the risks but not to steal
information or behave maliciously. “It’s very James Bond-type stuff,” Mr. Hering
A few years ago, he stood with a backpack filled with hacking gear near the
Academy Awards red carpet and discovered that up to 100 of the stars carried, in
their bejeweled clutches and tuxedo pockets, cellphones that he could break
into. He did not break into the phones, but publicized his ability to do so.
He started Lookout in 2007, along with Kevin Mahaffey and James Burgess, to
prevent such intrusions. It has free apps for Android, BlackBerry and Windows
phones, but not for iPhones. They are less vulnerable to attacks, security
experts say, because Apple’s app store, unlike Android’s, screens every app
before accepting it. Also, Android is the fastest-growing mobile platform, so it
is more attractive to hackers.
Google says it regularly scans apps in the Android Market for malware and can
rapidly remove malicious apps from the market and from people’s phones. It
prevents Android apps from accessing other apps and alerts users if an app
accesses its contact list or location, for instance.
Lookout also sells a paid version for $3 a month, which scans apps for privacy
intrusions like accessing a user’s contact list, alerts users if they visit
unsafe mobile Web sites or click on unsafe links in text messages, backs up a
phone’s call history and photos, and lets people lock or delete information from
T-Mobile builds Lookout into its Android phones, Verizon uses its technology to
screen apps in its app store and Sprint markets the app to customers. The
cellphone carriers and Lookout share the revenue when a user upgrades to the
“In mobile security circles, you never wait on it to become a problem and it’s
too late,” said Fared Adib, vice president of product development at Sprint.
Meanwhile, because mobile phone attacks are still relatively rare, Lookout’s
free app includes tools, including a way to back up a user’s contacts and a
feature that enables users to turn on an alarm on their phone when it is lost.
“You’re way more likely to just leave it in a cab than you are going to be
attacked by a hacker,” said Mr. Miller, the security researcher.
And in addition to collecting money from paying subscribers, Lookout plans to
sell the service to businesses. It has a chance because consumers are
increasingly bringing their own technologies into the workplace, and Lookout’s
app is consumer-friendly, said Chenxi Wang, a security analyst at Forrester
“It’s something a lot of I.T. guys are worried about because they have no
control over what consumers are doing and what these apps are doing,” Ms. Wang
Giovanni Vigna, a professor at the University of California, Santa Barbara who
studies security and malware, said it was only a matter of time before mobile
security was as second nature to consumers as computer security.
“The moment malware starts using text messages and expensive minutes people have
to pay for, things will move a lot faster,” he said.
NEW YORK |
Tue Jun 14, 2011
By Ben Berkowitz
(Reuters) - The recent string of sensational hacker attacks is driving companies
to seek "cyberinsurance" worth hundreds of millions of dollars, even though many
policies can still leave them exposed to claims.
Companies are having to enhance not just their information technology practices
but also their human resources and employee training functions just to get
adequate coverage against intrusion -- and in some cases, they are also
accepting deductibles in the tens of millions of dollars.
Insurers and insurance brokers say demand is soaring, as companies try to
protect themselves against civil suits and the potential for fines by
governments and regulators, but also as they seek help paying for mundane costs
like "sorry letters" to customers.
"When you have a catastrophic type of data breach then yes ... the phones ring
off the hook," said Kevin Kalinich, co-national managing director of the
professional risk group at insurance broker Aon Corp (AON.N).
In the past few weeks, the U.S. Senate, the International Monetary Fund, defense
contractor Lockheed Martin Corp. (LMT.N), banking concern Citigroup Inc (C.N),
technology giant Google (GOOG.O) and consumer electronics group Sony Corp
(6758.T) are among those who have disclosed hacker attacks of various kinds.
In the days after Sony disclosed it had more than 100 million customer accounts
compromised, the company said its insurance would help cover the costs of fixing
its systems and providing identity theft services to account holders.
That helped drum up business for the still-growing segment of the industry, and
the demand has only intensified since a more recent breach at Citigroup, which
security experts said was the largest direct attack on a U.S. bank to date.
Some insurers say this is the moment the industry has been waiting for as the
tide of bad news becomes so overwhelming that customers have no choice but to
seek coverage. On Tuesday, Travelers (TRV.N) became the latest insurer to launch
a package of policies covering various fraud and expense liabilities.
Aon's Kalinich said fewer than five percent of data breaches lead to costs of
more than $20 million, and yet more and more companies are seeking to be insured
for that and more to protect themselves against the shifting risk.
Large customers are going to extremes, taking out coverage for data breach
liabilities of as much as $200 million, while also taking $25 million
deductibles to keep their premiums down.
As with any kind of insurance, data breach policies carry all sorts of
exclusions that put the onus on the company. Some, for example, exclude coverage
for any incident that involves an unencrypted laptop. In other cases, insurers
say, coverage can be voided if regular software updates are not downloaded or if
employees do not change their passwords periodically.
"Insurers are all looking for good risks, whether it is a fire insurance company
that wants a building that is sprinklered and doesn't have oily rags laying
around - this is the equivalent in the IT area. They want good systems, they
want good protection, they want good risk," said Don Glazier, a principal at
Integro Insurance Brokers in Chicago.
Given that the average data breach cost $7.2 million last year, according to a
March study from the Ponemon Institute, hundreds of millions of dollars of cover
may seem extreme. But with the scale and scope of hacking attacks growing daily,
some companies cannot be cautious enough.
Of course, the risk they face is a moving target, both for them and for the
insurance companies. After 10 years of writing policies, industry experts say a
consensus is building on what "cyberinsurance" covers.
Generally, such policies now cover third-party liability, like suits filed by
customers whose accounts have been hacked; direct costs like notification
letters sent to affected customers; and, increasingly, fines and penalties
associated with data breaches.
What is missing from the equation, however, is standards. Insurers can try to
standardize the risk from hacking attacks, but cyberinsurance is still not auto
insurance, where carriers can make their customers wear seat belts as a
condition of a policy.
"One day the industry will actually be so robust that ... we'll have the
leverage to actually create standards," said Tracey Vispoli, a senior vice
president at insurer Chubb (CB.N). "We're
not there yet but that to me is a win to the industry."
Consumers are increasingly finding themselves less protected and more liable as
well. Courts are siding with vendors and not their customers in some cases when
it comes to the misuse of data.
In late May, a U.S. magistrate judge in Maine recommended the district court
throw out a lawsuit filed against a bank by one of its customers, a construction
The customer had suffered a series of unauthorized withdrawals from its account
after some employees' computers were infected with a virus that captured their
banking information. The company sued the bank on the grounds that the bank's
systems should have caught the clearly unusual pattern.
Lawyers who litigate cyberrisk say in the current environment, many companies
are only looking out for themselves, not for their customers or suppliers.
"Most companies are looking more for first party (coverage), they're worried
more about their own systems," said Richard Bortnick, an attorney with Cozen
O'Connor and the publisher of the digital law blog CyberInquirer.
"Not all companies deem it necessary to provide notification of a cyberbreach or
incident for reasons of reputation and other marketing-related bases," he said.
The New York Times
By NELSON D. SCHWARTZ and ERIC DASH
Think of it as a mansion with a high-tech security system — but the front door
wasn’t locked
Using the Citigroup customer Web site as a gateway to bypass traditional
safeguards and impersonate actual credit card holders, a team of sophisticated
thieves cracked into the bank’s vast reservoir of personal financial data, until
they were detected in a routine check in early May.
That allowed them to capture the names, account numbers, e-mail addresses and
transaction histories of more than 200,000 Citi customers, security experts
said, revealing for the first time details of one of the most brazen bank
hacking attacks in recent years.
The case illustrates the threat posed by the rising demand for private financial
information from the world of foreign hackers.
In the Citi breach, the data thieves were able to penetrate the bank’s defenses
by first logging on to the site reserved for its credit card customers.
Once inside, they leapfrogged between the accounts of different Citi customers
by inserting various account numbers into a string of text located in the
browser’s address bar. The hackers’ code systems automatically repeated this
exercise tens of thousands of times — allowing them to capture the confidential
The method is seemingly simple, but the fact that the thieves knew to focus on
this particular vulnerability marks the Citigroup attack as especially
ingenious, security experts said.
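The flaw described above is what application security calls an insecure direct object reference: the server trusts the account number the browser puts in the URL instead of checking that the logged-in customer owns it. The following is an added example, not Citigroup's code (the article says nothing about its actual systems): a lookup that trusts the URL beside a deny-by-default version, and a detector that flags sessions walking through many account ids over constructed log lines in a hypothetical format.

```python
import re
from collections import defaultdict

# Constructed sample data: account number -> record. Names and values are invented.
ACCOUNTS = {
    "4111001": {"owner": "alice", "name": "Alice Ames", "email": "alice@example.com"},
    "4111002": {"owner": "bob", "name": "Bob Bauer", "email": "bob@example.com"},
    "4111003": {"owner": "carol", "name": "Carol Chen", "email": "carol@example.com"},
}


class Forbidden(Exception):
    """Raised when the session user may not view the requested account."""


def lookup_vulnerable(session_user, account_id):
    """Serves whatever id arrived in the URL and ignores who is logged in.
    Any authenticated user can read any customer's record simply by editing
    the account number, which is the pattern the article describes."""
    return ACCOUNTS.get(account_id)


def lookup_hardened(session_user, account_id):
    """Deny by default: return the record only if it exists AND belongs to
    the authenticated session. A missing id and a not-owned id produce the
    same error, so the response does not reveal which numbers are valid."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account not available to this session")
    return record


def is_denied(session_user, account_id):
    """True when the hardened lookup refuses the request (helper for checks)."""
    try:
        lookup_hardened(session_user, account_id)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in a hypothetical format:
# "<timestamp> user=<login> ip=<addr> GET /account?id=<number> <status>"
# "mallory" walks through consecutive ids; alice and bob only load their own.
SAMPLE_LOG = """\
2011-05-02T10:00:01 user=alice ip=198.51.100.7 GET /account?id=4111001 200
2011-05-02T10:00:02 user=mallory ip=203.0.113.9 GET /account?id=4111001 200
2011-05-02T10:00:02 user=mallory ip=203.0.113.9 GET /account?id=4111002 200
2011-05-02T10:00:03 user=mallory ip=203.0.113.9 GET /account?id=4111003 200
2011-05-02T10:00:03 user=mallory ip=203.0.113.9 GET /account?id=4111004 404
2011-05-02T10:00:04 user=mallory ip=203.0.113.9 GET /account?id=4111005 404
2011-05-02T10:00:09 user=bob ip=192.0.2.44 GET /account?id=4111002 200
2011-05-02T10:00:10 user=bob ip=192.0.2.44 GET /account?id=4111002 200
"""

LOG_RE = re.compile(
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) GET /account\?id=(?P<acct>\d+) (?P<status>\d{3})"
)


def flag_enumeration(log_text, max_distinct_accounts=1):
    """Return the (user, ip) sessions that requested more distinct account ids
    than one customer plausibly owns. Repeated loads of the same account are
    not flagged; a session stepping through many ids is, whether the server
    answered 200 or 404. The threshold is a tuning parameter: raise it where
    customers legitimately hold several accounts."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[(m["user"], m["ip"])].add(m["acct"])
    return {key for key, accts in seen.items() if len(accts) > max_distinct_accounts}


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("mallory", "4111001"))
    print("hardened denies mallory:", is_denied("mallory", "4111001"))
    print("flagged sessions:", flag_enumeration(SAMPLE_LOG))
```

The ownership check belongs in the server-side handler; hiding the account number or encoding it in the URL is not a substitute, because the client controls the URL.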
One security expert familiar with the investigation wondered how the hackers
could have known to breach security by focusing on the vulnerability in the
browser. “It would have been hard to prepare for this type of vulnerability,” he
said. The security expert insisted on anonymity because the inquiry was at an
The financial damage to Citigroup and its customers is not yet clear. Sean
Kevelighan, a bank spokesman, declined to comment on the details of the breach,
citing the ongoing criminal investigation. In a statement, he said that
Citigroup discovered the breach in early May and the problem was “rectified
immediately.” He added that the bank had initiated internal fraud alerts and
stepped up its account monitoring.
The expertise behind the attack, according to law enforcement officials and
security experts, is a sign of what is likely to be a wave of more and more
sophisticated breaches by high-tech thieves hungry for credit card numbers and
other confidential information.
That is because demand for the data is on the rise. In 2008, the underground
market for the data was flooded with more than 360 million stolen personal
records, most of them credit and debit files. That compared with 3.8 million
records stolen in 2010, according to a report by Verizon and the Secret Service,
which investigates credit card fraud along with other law enforcement agencies
like the Federal Bureau of Investigation.
Now, as credit cards that were compromised in the vast 2008 thefts expire,
thieves are stepping up efforts to find new accounts.
As a result, prices for basic credit card information could rise to several
dollars from their current level of only pennies.
“If you think financially motivated breaches are huge now, just wait another
year,” said Bryan Sartin, who conducts forensic investigations for Verizon’s
The kind of information the thieves are able to glean is shared in online forums
that are a veritable marketplace for criminals. Networks that three years ago
numbered several thousand users have expanded to include tens of thousands of
“These are online bazaars,” said Pablo Martinez, deputy special agent in charge
of the Secret Service’s criminal investigation division. “They are growing
exponentially and we have seen the entire process become more professional.”
For example, some hackers specialize in prying out customer names, account
numbers and other confidential information, Mr. Martinez said. Brokers then sell
that information in the Internet bazaars. Criminals use it to impersonate
customers and buy merchandise. Finally, “money mules” wire home the profits
through outlets like Western Union or MoneyGram.
“It’s like ‘Mission Impossible’ when they select the teams,” said Mark Rasch, a
former prosecutor who is now with CSC, an information technology services firm.
“And they don’t know each other, except by hacker handle and reputation.”
In the Citi attack, the hackers did not obtain expiration dates or the
three-digit security code on the back of the card, which will make it harder for
thieves to use the information to commit fraud.
Not every breach results in a crime. But identity theft has ranked first among
complaints to the Federal Trade Commission for 11 consecutive years, with 1.34
million in 2010, twice as many as the next category, which is debt collection.
Many of these attacks have their origins in Eastern Europe, including Russia,
Belarus, Ukraine and Romania. In fact, the security expert familiar with the
Citi breach said it originated in the region, though he would not specify the
In Russia, Xakep.ru is one of the larger forums for Eastern European hackers
today, with nearly 13,300 registered members, according to Cyveillance.
HackZone.ru is larger, and has more than 58,000 members. In addition, attacks by
Romanian hackers have grown noticeably more advanced recently, according to
On HackZone, one seller who called himself “zoloto” promised “all cards valid
100%” and that they would be sold only one time.
Underscoring the multinational nature of these rings, American law-enforcement
agencies have also been putting more investigators overseas.
“The only way to address a global issue is to address it globally with your
partners,” said Gordon M. Snow, assistant director of the F.B.I.’s Cyber
The Secret Service established a presence in Tallinn, Estonia, last month, and
has embedded agents with Ukrainian authorities since the beginning of the year.
The F.B.I. has embedded agents in the Netherlands, Estonia, Ukraine and Romania,
and works closely with its counterparts in Australia, Germany and Britain.
But even officials at these agencies acknowledge that as fast as they move, the
hackers’ strategies are evolving at Silicon Valley speed.
“With every takedown, they regroup,” said J. Keith Mularski, a supervisory
special agent with the F.B.I.
Tue Jun 14, 2011
By Diane Bartz and Thomas Ferraro
(Reuters) - The Senate's website was hacked over the weekend, leading to a
review of all of its websites, in the latest embarrassing breach of security to
hit a major U.S.-based institution.
The loosely organized hacker group Lulz Security broke into a public portion of
the Senate website but did not reach behind a firewall into a more sensitive
portion of the network, Martina Bradford, the deputy Senate sergeant at arms,
said on Monday.
Despite the breach, the Sergeant at Arms Office, which provides security for the
Senate, said that the breach had not compromised any individual senator's
Lulz announced the hack on Monday.
"We were responding to their allegations. Basically what we're saying is that the
server they got into is for public access and is on the public side," said
Lulz Security, who have hacked into Sony's website and the Public Broadcasting
System, posted online a list of files that appear not to be sensitive but
indicate the hackers had been into the Senate's computer network.
"We don't like the U.S. government very much," Lulz Security said at the top of
their release. "This is a small, just-for-kicks release of some internal data
from Senate.gov - is this an act of war, gentlemen? Problem?"
The comment refers to reports that the military had decided that it could
respond to cyber attacks from foreign countries with traditional military force.
Senate staffers were alerted about the breach late Monday.
"Although this intrusion is inconvenient, it does not compromise the security of
the Senate's network, its members or staff," Bradford said in a statement.
"Specifically, there is no individual user account information on the server
supporting senate.gov that could have been compromised."
"The hackers may have done the equivalent of burglarizing the Senate and
bragging because they managed to steal a bunch of souvenirs from the gift shop,"
said Stewart Baker, a former cyber official at the Department of Homeland
Security. He is now with the law firm Steptoe and Johnson.
The Senate has been the frequent target of hacking attacks, with tens of
thousands thwarted each month, Senate Sergeant at Arms Terrance Gainer told
Reuters in early June.
Still, the break-in is just the latest in a series of embarrassing hacks against
companies and organizations.
The International Monetary Fund has been hit, as have Lockheed Martin Corp,
Citigroup Inc, Google and Michaels Stores.
The break-in would cause embarrassment at the Senate, said John Bumgarner of the
Cyber Consequences Unit, a think tank.
"They're all valid directories," he said after looking at data that Lulz posted
online. "This is an especially embarrassing incident for the Senate, because
they are often asking others to explain why their cybersecurity programs have
"The information disclosed online ... shows that the intruders had
administrator-level access to the Senate server. This access could have
potentially been used as a jump-off point to compromise other systems in the
network," he said.
Lulz, which is Internet slang for 'laugh out loud,' has claimed hacks into
websites owned by Sony Corp. It has also claimed responsibility for defacing the
Public Broadcasting Service network websites, and for posting on Monday data
from PBS servers to protest a "Front Line" documentary about WikiLeaks.
Lulz claimed credit for breaking into a Fox.com website and publishing data
about contestants for the upcoming Fox TV talent show, "X Factor." Fox is a unit
of News Corp.
Another loosely affiliated hacking group, Anonymous, gained prominence when it
temporarily crippled the websites of MasterCard, Visa and PayPal after they cut
off financial services to WikiLeaks.
It has also attacked websites in Syria, Tunisia, Egypt and India for political
WASHINGTON/LONDON | Sun Jun 12, 2011
By Jim Wolf and William Maclean
WASHINGTON/LONDON (Reuters) - A major cyber attack on the IMF aimed to steal
sensitive insider information, a cyber security expert said on Sunday, as the
race to lead the body that oversees the global financial system heated up.
The U.S. Federal Bureau of Investigation is helping to investigate the attack on
the International Monetary Fund, the latest in a rash of cyber break-ins that
have targeted high-profile companies and institutions.
"The IMF attack was clearly designed to infiltrate the IMF with the intention of
gaining sensitive 'insider privileged information'," cyber security specialist
Mohan Koo, who is also Managing Director, Dtex Systems (UK), told Reuters in
A June 8 internal memo from Chief Information Officer Jonathan Palmer told staff
the Fund had detected suspicious file transfers and that an investigation had
shown a desktop computer "had been compromised and used to access some Fund
"At this point, we have no reason to believe that any personal information was
sought for fraud purposes," it said.
The New York Times cited computer experts as saying the IMF's board of directors
was told of the attack on Wednesday, though the assault had lasted several
The IMF says it remains "fully functional" but has declined to comment on the
extent of the attack or the nature of the intruders' goal.
News of the hack came at a sensitive time for the world lender of last resort,
which is seeking to replace former managing director Dominique Strauss-Kahn, who
quit last month after being charged with the attempted rape of a hotel maid.
French Finance Minister Christine Lagarde remains the frontrunner to replace
him, although Stanley Fischer, the Bank of Israel Governor and a former IMF
deputy chief, has emerged as a late candidate, and Mexico's central bank chief,
Agustin Carstens, is another contender.
Jeff Moss, a self-described computer hacker and member of the Department of
Homeland Security Advisory Committee, said he believed the attack was conducted
on behalf of a nation-state looking to either steal sensitive information about
key IMF strategies or embarrass the organization to undermine its clout.
He said it could inspire attacks on other large institutions. "If they can't
catch them, I'm afraid it might embolden others to try," said Moss, who is chief
security officer for ICANN.
Tom Kellerman, a cybersecurity expert who has worked for both the IMF and the
World Bank, said the intruders had aimed to install software that would give a
nation state a "digital insider presence" on the IMF network.
That could yield a trove of non-public economic data used by the Fund to promote
exchange rate stability, support balanced international trade and provide
resources to remedy members' balance-of-payments crises.
"It was a targeted attack," said Kellerman, who serves on the board of a group
known as the International Cyber Security Protection Alliance.
The code used in the IMF incident was developed specifically for the attack on
the institution, said Kellerman, formerly responsible for cyber-intelligence
within the World Bank's treasury team and now chief technology officer at
AirPatrol, a cyber consultancy.
Koo of Dtex Systems (UK) said the recent spate of attacks on large global
organizations was worrying because they were targeted, well-organized and
well-executed, not opportunistic.
"Perhaps most frightening of all is the fact that these type of attacks could
quite easily be directed toward Critical National Infrastructure (CNI)
organizations, for example Energy and Water, where the impact of such a breach
would have severe, immediate and potentially life-threatening consequences for
Cyber security experts said it might be difficult for investigators to prove
which nation was behind the attack.
"Even developing nations are able to leverage the Internet in order to change
their standing and ability to influence," said Jeffrey Carr, author of the book,
"Inside Cyber Warfare."
"It's something they never could have done before without gold or without
military might," Carr said.
CIA Director Leon Panetta told the U.S. Congress on June 9 that the United
States faced the "real possibility" of a crippling cyber attack on power
systems, the electricity grid, security, financial and governmental systems.
Lockheed Martin Corp, the Pentagon's No. 1 supplier by sales and the biggest
information technology provider to the U.S. government, disclosed two weeks ago
that it had thwarted a "significant" cyber attack. It said it had become a
"frequent target of adversaries around the world."
Also hit recently have been Citigroup Inc, Sony Corp and Google Inc.
Lesley Wroughton, Jim Finkle, Jim Wolf,
Sat Jun 4, 2011
By Raju Gopalakrishnan
and David Alexander
(Reuters) - The United States is seriously concerned about cyber-attacks and is
prepared to use force against those it considers acts of war, Defense Secretary
Robert Gates said at a security meeting in Asia on Saturday.
He also assured Asian allies that the United States would protect sea lanes and
maintain a robust military presence in the region despite a severe budget crunch
and the protracted wars in Iraq and Afghanistan.
"We take the cyber threat very seriously and we see it from a variety of
sources, not just one or another country," Gates said at the annual Shangri-La
Dialogue, an apparent reference to reports that several of the attacks may have
originated in China.
"What would constitute an act of war by cyber that would require some kind of
response, either in kind or kinetically?" he said.
"We could avoid some serious international tensions in the future if we could
establish some rules of the road as early as possible to let people know what
kinds of acts are acceptable, what kinds of acts are not and what kinds of acts
may in fact be acts of war."
Earlier this week, Google said it had disrupted a campaign aimed at stealing
passwords of hundreds of Google email account holders, including senior U.S.
government officials, Chinese activists and journalists.
It was the latest in a series of cyber attacks that have also targeted defense
contractor Lockheed Martin and Sony Corp. Google said the latest breach appeared
to originate in China but neither the company nor the U.S. government has said
the Chinese government was responsible.
But the U.S. State Department has asked Beijing to investigate.
British Defense Secretary Liam Fox said cyber attacks were now regular and in
large numbers. "It's ... the war of the invisible enemy," he said, adding that it
had become a matter of urgency and was firmly on top of the security agenda.
Gates said it was difficult to identify where the perpetrators of such attacks
were based and added that military ties with China were improving.
But he also said the U.S. was preparing weapons systems and capabilities that
would allow U.S. forces "to deploy, move and strike over great distances in
defense of our allies and vital interests." Although he gave few other details,
the plans could worry China, U.S. officials privately said.
Asked whether China wouldn't see the remarks as a concern, a senior U.S. defense
official said it was an example of the need for greater military transparency
between the two sides.
"Without transparency, we obviously have to do certain things and make certain
preparations because it's not quite clear what everybody's intentions are," the
official said. "So the more ... clear it is about what China's military
investment is aimed at, the more clear it is for us what's going on in the
region and what intentions are."
Gates said the United States was committed to its Asian allies although a decade
of combat in Iraq and Afghanistan had strained U.S. ground forces and exhausted
public patience, while the recession had left Washington with huge budget
deficits and looking to cut military spending.
"Irrespective of the tough times the U.S. faces today, or the tough budget
choices we confront in the coming years, ... America's interests as a Pacific
nation -- as a country that conducts much of its trade in the region -- will
endure," he said.
"The United States and Asia will only become more inextricably linked over the
course of this century. These realities ... argue strongly for sustaining our
commitments to allies while maintaining a robust military engagement and
deterrent posture across the Pacific Rim," he said.
BOSTON (Reuters) - An unauthorized person stole names,
addresses and possibly credit card data belonging to 77 million account holders
on Sony's PlayStation Network in what could be one of the largest-ever Internet
Internet security experts believe that these systems were breached by hackers
who persuaded unsuspecting system administrators to load malicious software onto
their machines. Here are some other large Internet security breaches:
April 2011 -- Online marketer Epsilon, which sends billions of emails a year for
clients that represent a "Who's Who" of major banks and retailers, reports a
breach of its system. It says that some clients' customer names and email
addresses were stolen.
2010 -- Security researchers identify a computer worm dubbed Stuxnet that they
speculate was designed to breach a system used to enrich uranium in Iran at that
nation's Natanz enrichment plant.
2010 -- Google Inc says that it was the victim of a cyber attack on its
operations in China that resulted in the theft of its intellectual property.
Google said that the networks of more than 20 other companies had been
2009 -- Hacker Albert Gonzalez pleads guilty to stealing tens of millions of
payment card numbers by breaking into corporate computer systems from businesses
including payment card processor Heartland Payment Systems, TJX Company Inc,
7-Eleven Inc and Target Co
WASHINGTON/BOSTON | Wed Apr 13, 2011
By Diane Bartz and Jim Finkle
WASHINGTON/BOSTON (Reuters) - U.S. authorities claimed one of their biggest
victories against cyber crime as they shut down a ring they said used malicious
software to take control of more than 2 million PCs around the world, and may
have led to theft of more than $100 million.
A computer virus, dubbed Coreflood, infected more than 2 million PCs, enslaving
them into a "botnet" that grabbed banking credentials and other sensitive data
its masters used to steal funds via fraudulent banking and wire transactions,
the U.S. Department of Justice said on Wednesday.
The government shuttered that botnet, which had operated for a decade, by
seizing hard drives used to run it after a federal court in Connecticut gave the
"This was big money stolen on a large scale by foreign criminals. The FBI wanted
to stop it and they did an incredibly good job at it," said Alan Paller,
director of research at the SANS Institute, a nonprofit group that helps fight
The vast majority of the infected machines were in the United States, but the
criminal gang was likely overseas.
"We're pretty sure a Russian crime group was behind it," said Paller.
Paller and other security experts said it was hard to know how much money the
gang stole. It could easily be tens of millions of dollars and could go above
$100 million, said Dave Marcus, McAfee Labs research and communications
A civil complaint against 13 unnamed foreign nationals was also filed by the
U.S. Attorney's office in Connecticut. It accused them of wire and bank fraud.
The Justice Department said it had an ongoing criminal investigation.
The malicious Coreflood software was used to infect computers with keylogging
software that stole user names, passwords, financial data and other information,
the Justice Department said.
"The seizure of the Coreflood servers and Internet domain names is expected to
prevent criminals from using Coreflood or computers infected by Coreflood for
their nefarious purposes," U.S. Attorney David Fein said in a statement.
In March, servers used by the Rustock botnet were shut down in law enforcement
raids that followed legal action by Microsoft Corp. Authorities severed the
Rustock IP addresses, effectively disabling the botnet.
Rustock had been one of the biggest producers of spam e-mail, with some tech
security experts estimating they produced half the spam that fills people's junk
A botnet is a network of compromised computers controlled through one or more
command-and-control servers; its operators use the infected machines to send
spam, or to steal personal information or data that can be used to empty a
victim's bank account.
U.S. government programmers shut down the Coreflood botnet on Tuesday. They also
instructed the computers enslaved in the botnet to stop sending stolen data and
to shut down. A similar tactic was used in a Dutch case, but it was the first
time U.S. authorities had used this method to shut down a botnet, according to
Victims of the botnet included a real estate company in Michigan that lost
$115,771, a South Carolina law firm that lost $78,421 and a Tennessee defense
contractor that lost $241,866, according to the complaint filed in the U.S.
District Court for the District of Connecticut.
The government plans to work with Internet service providers around the country
to identify other victims.
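Identifying victims after a takedown like this usually starts with the seized command-and-control domain names: any host still resolving them is almost certainly infected. The following is an added example of that check, not code from the article or from the Coreflood investigation. It parses constructed BIND-style DNS query-log lines (the log format, client addresses and the `*.example` domain list are all assumptions for illustration; the real seized domains are not given on the page) and reports which clients looked up a seized domain or a subdomain of one.

```python
"""Identify probable bot victims from DNS query logs after a C2 domain seizure.

Added example: hypothetical seized domains and constructed log lines, not real data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Hypothetical seized / sinkholed C2 domains (placeholders, not the real Coreflood list).
SEIZED_DOMAINS: Set[str] = {
    "c2-update.example",
    "stats.c2-update.example",
    "backup-c2.example",
}

# Constructed sample log in a BIND-style query-log format (not real traffic).
SAMPLE_LOG = """\
12-Apr-2011 03:14:07.001 client 10.1.2.3#51234: query: stats.c2-update.example IN A + (10.0.0.53)
12-Apr-2011 03:14:09.220 client 10.1.2.3#51235: query: www.reuters.com IN A + (10.0.0.53)
12-Apr-2011 03:15:41.774 client 10.1.7.9#40001: query: BACKUP-C2.EXAMPLE. IN A + (10.0.0.53)
12-Apr-2011 03:16:02.003 client 10.1.8.8#40002: query: mail.example.org IN MX + (10.0.0.53)
12-Apr-2011 03:18:33.101 client 10.1.2.3#51236: query: c2-update.example IN A + (10.0.0.53)
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'FOO.EXAMPLE.' matches 'foo.example'."""
    return name.rstrip(".").lower()


def is_seized(name: str, seized: Set[str]) -> bool:
    """True if name equals a seized domain or is a subdomain of one.

    The '.' prefix in the suffix test prevents 'notc2-update.example' from
    matching 'c2-update.example'.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in seized)


def find_victims(log_text: str, seized: Set[str] = SEIZED_DOMAINS) -> Dict[str, List[str]]:
    """Map each client IP that queried a seized domain to the names it asked for,
    in log order. Unparsable lines are skipped rather than aborting the run."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if is_seized(m["name"], seized):
            hits[m["ip"]].append(normalize(m["name"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in sorted(find_victims(SAMPLE_LOG).items()):
        print(f"{ip}: {len(names)} lookups -> {sorted(set(names))}")
```

Run against a resolver's query log, the output is the list of internal addresses an ISP or enterprise would hand to its abuse desk. One caveat a practitioner should keep in mind: a query to a seized name proves the host still carries the bot's configuration, but once the domain is sinkholed the lookup itself is harmless, so the evidence expires as machines are cleaned and the log window should be kept short.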
HELSINKI | Tue Apr 5, 2011
By Tarmo Virki,
European Technology Correspondent
HELSINKI (Reuters) - Targeted cyber attacks will pose a growing threat to
companies around the world this year after the Stuxnet worm hit Iran's nuclear
program in 2010, security software maker Symantec Corp said on Tuesday.
"Last year was the year of high-profile targeted attacks. We will see so many
more," said Sian John, security strategist at Symantec.
So-called targeted attacks succeed as most consumers avoid clicking on
suspicious links in spam emails, but open files that seem to arrive from
"They are more challenging, but the return is higher," John said.
In total, the number of measured Web-based attacks rose 93 percent in 2010 from
a year ago, boosted by proliferation of shortened Internet addresses, Symantec
said in its annual threat review.
"Last year, attackers posted millions of these shortened links on social
networking sites to trick victims into both phishing and malware attacks,
dramatically increasing the rate of successful infection," Symantec said.
Social networking sites are an increasingly important platform for attackers as
their popularity among consumers is rising fast.
The software company said attacks on leading mobile platforms were also set to
increase after a 42 percent rise in mobile vulnerabilities last year.
"The major mobile platforms are finally becoming ubiquitous enough to garner the
attention of attackers," Symantec said. "Attackers are really following the
The New York Times
By RICHARD A. FALKENRATH
Stuxnet, the computer worm that last year disrupted many of the gas centrifuges central
to Iran’s nuclear program, is a powerful weapon in the new age of global
information warfare. A sophisticated half-megabyte of computer code apparently
accomplished what a half-decade of United Nations Security Council resolutions
This new form of warfare has several implications that are only now becoming
apparent, and that will define the shape of what will likely become the next
global arms race — albeit one measured in computer code rather than firepower.
For one thing, the Stuxnet attack highlights the ambiguous boundaries of
sovereignty in cyberspace. Promoting national security in the information age
will, from time to time, cause unpredictable offense to the rights and interests
of innocent people, companies and countries.
Stuxnet attacked the Iranian nuclear program, but it did so by maliciously
manipulating commercial software products sold globally by major Western
companies. Whoever launched the assault also infected thousands of computers in
several countries, including Australia, Britain, Indonesia and the United
This kind of collateral damage to the global civilian realm is going to be the
norm, not the exception, and advanced economies, which are more dependent on
advanced information systems, will be at particular risk.
What’s more, offensive and defensive information warfare are tightly,
insidiously coupled, which will significantly complicate military-industrial
The expertise needed to defend against a cyberattack is essentially
indistinguishable from that needed to make such an attack. The Stuxnet
programmers are reported to have exploited proprietary information that had been
voluntarily provided to the American government by Siemens, the German company
that makes data-and-control programs used in nuclear power facilities —
Siemens did this to help Washington build up its ability to fend off
cyberattacks. Will Siemens and other companies think twice next time the
American government calls? Probably. Whether it’s true or not, as far as the
rest of the world is concerned, the United States is now in the business of
offensive information warfare, along with China, Israel and Russia, among
It’s not hard to imagine, then, the splintering of the global information
technology industry into multiple camps according to their willingness to
cooperate with governments on security matters. We can already see this
happening in the telecommunications industry, where companies promote their
products’ resistance to government intrusion. At the same time, other companies
might see an advantage to working closely with the government.
Stuxnet also raises sticky and perhaps irresolvable legal questions. At present
there is no real legal framework for adjudicating international cyberattacks;
even if victims could determine who was responsible, their governments have few
options outside of diplomatic complaints and, perhaps, retaliation in kind. An
international entity that could legislate or enforce an information warfare
armistice does not exist, and is not really conceivable.
A similar question exists within the United States. Under American law the
transmission of malicious code is in many cases a criminal offense. This makes
sense, given the economy’s reliance on information networks, the sensitivity of
stored electronic data and the ever-present risk of attack from viruses, worms
and other varieties of malware.
But the president, as commander in chief, does have some authority to conduct
offensive information warfare against foreign adversaries. However, as with many
presidential powers to wage war and conduct espionage, the extent of his
authority has never been enumerated.
This legal ambiguity is problematic because such warfare is far less
controllable than traditional military and intelligence operations, and it
raises much more complex issues of private property, personal privacy and
Therefore, before our courts are forced to consider the issue and potentially
limit executive powers, as they did after President Harry Truman tried to seize
steel plants in the early 1950s, Congress should grant the White House broad
authority to wage offensive information warfare.
By explicitly authorizing these offensive operations in appropriate, defined
circumstances, a new statute would strengthen the president’s power to provide
for the common defense in cyberspace. Doing so wouldn’t answer all the questions
that this new era of warfare presents. But one thing is sure: as bad as this
arms race will be, losing it would be even worse.
Richard A. Falkenrath, a principal of the Chertoff Group, an investment advisory firm, is a former deputy commissioner for counterterrorism
The New York Times
By WILLIAM J. BROAD, JOHN MARKOFF
and DAVID E. SANGER
The Dimona complex in the Negev desert is famous as the heavily guarded heart of
Israel’s never-acknowledged nuclear arms program, where neat rows of factories
make atomic fuel for the arsenal.
Over the past two years, according to intelligence and military experts familiar
with its operations, Dimona has taken on a new, equally secret role — as a
critical testing ground in a joint American and Israeli effort to undermine
Iran’s efforts to make a bomb of its own.
Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear
centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists
are struggling to enrich uranium. They say Dimona tested the effectiveness of
the Stuxnet computer worm, a destructive program that appears to have wiped out
roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not
destroy, Tehran’s ability to make its first nuclear arms.
“To check out the worm, you have to know the machines,” said an American expert
on nuclear intelligence. “The reason the worm has been effective is that the
Israelis tried it out.”
Though American and Israeli officials refuse to talk publicly about what goes on
at Dimona, the operations there, as well as related efforts in the United
States, are among the newest and strongest clues suggesting that the virus was
designed as an American-Israeli project to sabotage the Iranian program.
In recent days, the retiring chief of Israel’s Mossad intelligence agency, Meir
Dagan, and Secretary of State Hillary Rodham Clinton separately announced that
they believed Iran’s efforts had been set back by several years. Mrs. Clinton
cited American-led sanctions, which have hurt Iran’s ability to buy components
and do business around the world.
The gruff Mr. Dagan, whose organization has been accused by Iran of being behind
the deaths of several Iranian scientists, told the Israeli Knesset in recent
days that Iran had run into technological difficulties that could delay a bomb
until 2015. That represented a sharp reversal from Israel’s long-held argument
that Iran was on the cusp of success.
The biggest single factor in putting time on the nuclear clock appears to be
Stuxnet, the most sophisticated cyberweapon ever deployed.
In interviews over the past three months in the United States and Europe,
experts who have picked apart the computer worm describe it as far more complex
— and ingenious — than anything they had imagined when it began circulating
around the world, unexplained, in mid-2009.
Many mysteries remain, chief among them, exactly who constructed a computer worm
that appears to have several authors on several continents. But the digital
trail is littered with intriguing bits of evidence.
In early 2008 the German company Siemens cooperated with one of the United
States’ premier national laboratories, in Idaho, to identify the vulnerabilities
of computer controllers that the company sells to operate industrial machinery
around the world — and that American intelligence agencies have identified as
key equipment in Iran’s enrichment facilities.
Siemens says that program was part of routine efforts to secure its products
against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which
is part of the Energy Department, responsible for America’s nuclear arms — the
chance to identify well-hidden holes in the Siemens systems that were exploited
the next year by Stuxnet.
The worm itself now appears to have included two major components. One was
designed to send Iran’s nuclear centrifuges spinning wildly out of control.
Another seems right out of the movies: The computer program also secretly
recorded what normal operations at the nuclear plant looked like, then played
those readings back to plant operators, like a pre-recorded security tape in a
bank heist, so that it would appear that everything was operating normally while
the centrifuges were actually tearing themselves apart.
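The record-and-replay component described above has a weakness a defender can check for: genuine process telemetry carries sensor noise, so a stretch of readings that repeats an earlier stretch bit-for-bit is a strong sign that the operator display is being fed a recording rather than live data. The block below is an added example of that check, not code from the article, from Stuxnet, or from any Siemens product. It assumes the readings are available as a plain sequence of numbers (for example, centrifuge rotor speeds logged from the operator console) and uses a hypothetical window length of 32 samples; the sample stream is constructed, with a noisy live phase followed by a verbatim replay of its start.

```python
"""Flag replayed telemetry: a window of readings that exactly repeats an earlier window.

Added example with a constructed data stream; window size and the 1000 Hz nominal
speed are illustrative assumptions, not values from the article.
"""
import hashlib
import random
from typing import Dict, List, Optional, Sequence, Tuple


def window_digest(values: Sequence[float]) -> str:
    """Hash a window of readings. Rounding first keeps float formatting noise
    from masking an exact replay while still treating real noise as distinct."""
    payload = ",".join(f"{v:.6f}" for v in values)
    return hashlib.sha256(payload.encode()).hexdigest()


def find_replay(readings: Sequence[float], window: int = 32) -> Optional[Tuple[int, int]]:
    """Return (earlier_start, later_start) for the first window that is an exact
    repeat of an earlier, non-overlapping window, or None if no repeat exists.

    Overlapping matches are ignored so that a short run of identical samples is
    not reported unless it persists for a full window length.
    """
    seen: Dict[str, int] = {}
    for start in range(0, len(readings) - window + 1):
        d = window_digest(readings[start:start + window])
        if d in seen and start - seen[d] >= window:
            return seen[d], start
        seen.setdefault(d, start)  # remember the first occurrence only
    return None


def make_constructed_stream(seed: int = 7, n_live: int = 200, n_replayed: int = 100) -> List[float]:
    """Constructed sample: noisy live readings around a nominal 1000 Hz rotor
    speed, followed by a verbatim replay of the first n_replayed live samples."""
    rng = random.Random(seed)
    live = [1000.0 + rng.gauss(0.0, 0.5) for _ in range(n_live)]
    return live + live[:n_replayed]


if __name__ == "__main__":
    stream = make_constructed_stream()
    hit = find_replay(stream)
    if hit is None:
        print("no replay detected")
    else:
        earlier, later = hit
        print(f"replay suspected: samples from {later} repeat samples from {earlier}")
```

Two caveats apply when running this on real telemetry. A perfectly flat signal (a stuck or quantized sensor) also triggers the check, which is usually worth an alarm in its own right rather than a false positive to suppress. And the check only sees what the logging path sees: if the recording is injected upstream of the logger, as the article describes for the operator display, the comparison has to be made against an independent measurement path, not the same feed.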
The attacks were not fully successful: Some parts of Iran’s operations ground to
a halt, while others survived, according to the reports of international nuclear
inspectors. Nor is it clear the attacks are over: Some experts who have examined
the code believe it contains the seeds for yet more versions and assaults.
“It’s like a playbook,” said Ralph Langner, an independent computer security
expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone
who looks at it carefully can build something like it.” Mr. Langner is among the
experts who expressed fear that the attack had legitimized a new form of
industrial warfare, one to which the United States is also highly vulnerable.
Officially, neither American nor Israeli officials will even utter the name of
the malicious computer program, much less describe any role in designing it.
But Israeli officials grin widely when asked about its effects. Mr. Obama’s
chief strategist for combating weapons of mass destruction, Gary Samore,
sidestepped a Stuxnet question at a recent conference about Iran, but added with
a smile: “I’m glad to hear they are having troubles with their centrifuge
machines, and the U.S. and its allies are doing everything we can to make it
In recent days, American officials who spoke on the condition of anonymity have
said in interviews that they believe Iran’s setbacks have been underreported.
That may explain why Mrs. Clinton provided her public assessment while traveling
in the Middle East last week.
By the accounts of a number of computer scientists, nuclear enrichment experts
and former officials, the covert race to create Stuxnet was a joint project
between the Americans and the Israelis, with some help, knowing or unknowing,
from the Germans and the British.
The project’s political origins can be found in the last months of the Bush
administration. In January 2009, The New York Times reported that Mr. Bush
authorized a covert program to undermine the electrical and computer systems
around Natanz, Iran’s major enrichment center. President Obama, first briefed on
the program even before taking office, sped it up, according to officials
familiar with the administration’s Iran strategy. So did the Israelis, other
officials said. Israel has long been seeking a way to cripple Iran’s capability
without triggering the opprobrium, or the war, that might follow an overt
military strike of the kind they conducted against nuclear facilities in Iraq in
1981 and Syria in 2007.
Two years ago, when Israel still thought its only solution was a military one
and approached Mr. Bush for the bunker-busting bombs and other equipment it
believed it would need for an air attack, its officials told the White House
that such a strike would set back Iran’s programs by roughly three years. Its
request was turned down.
Now, Mr. Dagan’s statement suggests that Israel believes it has gained at least
that much time, without mounting an attack. So does the Obama administration.
For years, Washington’s approach to Tehran’s program has been one of attempting
“to put time on the clock,” a senior administration official said, even while
refusing to discuss Stuxnet. “And now, we have a bit more.”
Paranoia helped, as it turns out.
Years before the worm hit Iran, Washington had become deeply worried about the
vulnerability of the millions of computers that run everything in the United
States from bank transactions to the power grid.
Computers known as controllers run all kinds of industrial machinery. By early
2008, the Department of Homeland Security had teamed up with the Idaho National
Laboratory to study a widely used Siemens controller known as P.C.S.-7, for
Process Control System 7. Its complex software, called Step 7, can run whole
symphonies of industrial instruments, sensors and machines.
The vulnerability of the controller to cyberattack was an open secret. In July
2008, the Idaho lab and Siemens teamed up on a PowerPoint presentation on the
controller’s vulnerabilities that was made to a conference in Chicago at Navy
Pier, a top tourist attraction.
“Goal is for attacker to gain control,” the July paper said in describing the
many kinds of maneuvers that could exploit system holes. The paper was 62 pages
long, including pictures of the controllers as they were examined and tested in
In a statement on Friday, the Idaho National Laboratory confirmed that it formed
a partnership with Siemens but said it was one of many with manufacturers to
identify cybervulnerabilities. It argued that the report did not detail specific
flaws that attackers could exploit. But it also said it could not comment on the
laboratory’s classified missions, leaving unanswered the question of whether it
passed what it learned about the Siemens systems to other parts of the nation’s
The presentation at the Chicago conference, which recently disappeared from a
Siemens Web site, never discussed specific places where the machines were used.
But Washington knew. The controllers were critical to operations at Natanz, a
sprawling enrichment site in the desert. “If you look for the weak links in the
system,” said one former American official, “this one jumps out.”
Controllers, and the electrical regulators they run, became a focus of sanctions
efforts. The trove of State Department cables made public by WikiLeaks describes
urgent efforts in April 2009 to stop a shipment of Siemens controllers,
contained in 111 boxes at the port of Dubai, in the United Arab Emirates. They
were headed for Iran, one cable said, and were meant to control “uranium
enrichment cascades” — the term for groups of spinning centrifuges.
Subsequent cables showed that the United Arab Emirates blocked the transfer of
the Siemens computers across the Strait of Hormuz to Bandar Abbas, a major
Only months later, in June, Stuxnet began to pop up around the globe. The
Symantec Corporation, a maker of computer security software and services based
in Silicon Valley, snared it in a global malware collection system. The worm hit
primarily inside Iran, Symantec reported, but also in time appeared in India,
Indonesia and other countries.
But unlike most malware, it seemed to be doing little harm. It did not slow
computer networks or wreak general havoc.
That deepened the mystery.
No one was more intrigued than Mr. Langner, a former psychologist who runs a
small computer security company in a suburb of Hamburg. Eager to design
protective software for his clients, he had his five employees focus on picking
apart the code and running it on the series of Siemens controllers neatly
stacked in racks, their lights blinking.
He quickly discovered that the worm only kicked into gear when it detected the
presence of a specific configuration of controllers, running a set of processes
that appear to exist only in a centrifuge plant. “The attackers took great care
to make sure that only their designated targets were hit,” he said. “It was a
For example, one small section of the code appears designed to send commands to
984 machines linked together.
Curiously, when international inspectors visited Natanz in late 2009, they found
that the Iranians had taken out of service a total of exactly 984 machines that
had been running the previous summer.
But as Mr. Langner kept peeling back the layers, he found more — what he calls
the “dual warhead.” One part of the program is designed to lie dormant for long
periods, then speed up the machines so that the spinning rotors in the
centrifuges wobble and then destroy themselves. Another part, called a “man in
the middle” in the computer world, sends out those false sensor signals to make
the system believe everything is running smoothly. That prevents a safety system
from kicking in, which would shut down the plant before it could self-destruct.
“Code analysis makes it clear that Stuxnet is not about sending a message or
proving a concept,” Mr. Langner later wrote. “It is about destroying its targets
with utmost determination in military style.”
This was not the work of hackers, he quickly concluded. It had to be the work of
someone who knew his way around the specific quirks of the Siemens controllers
and had an intimate understanding of exactly how the Iranians had designed their
In fact, the Americans and the Israelis had a pretty good idea.
Perhaps the most secretive part of the Stuxnet story centers on how the theory
of cyberdestruction was tested on enrichment machines to make sure the malicious
software did its intended job.
The account starts in the Netherlands. In the 1970s, the Dutch designed a tall,
thin machine for enriching uranium. As is well known, A. Q. Khan, a Pakistani
metallurgist working for the Dutch, stole the design and in 1976 fled to
The resulting machine, known as the P-1, for Pakistan’s first-generation
centrifuge, helped the country get the bomb. And when Dr. Khan later founded an
atomic black market, he illegally sold P-1’s to Iran, Libya, and North Korea.
The P-1 is more than six feet tall. Inside, a rotor of aluminum spins uranium
gas to blinding speeds, slowly concentrating the rare part of the uranium that
can fuel reactors and bombs.
How and when Israel obtained this kind of first-generation centrifuge remains
unclear, whether from Europe, or the Khan network, or by other means. But
nuclear experts agree that Dimona came to hold row upon row of spinning
“They’ve long been an important part of the complex,” said Avner Cohen, author
of “The Worst-Kept Secret” (2010), a book about the Israeli bomb program, and a
senior fellow at the Monterey Institute of International Studies. He added that
Israeli intelligence had asked retired senior Dimona personnel to help on the
Iranian issue, and that some apparently came from the enrichment program.
“I have no specific knowledge,” Dr. Cohen said of Israel and the Stuxnet worm.
“But I see a strong Israeli signature and think that the centrifuge knowledge
Another clue involves the United States. It obtained a cache of P-1’s after
Libya gave up its nuclear program in late 2003, and the machines were sent to
the Oak Ridge National Laboratory in Tennessee, another arm of the Energy
By early 2004, a variety of federal and private nuclear experts assembled by the
Central Intelligence Agency were calling for the United States to build a secret
plant where scientists could set up the P-1’s and study their vulnerabilities.
“The notion of a test bed was really pushed,” a participant at the C.I.A.
The resulting plant, nuclear experts said last week, may also have played a role
in Stuxnet testing.
But the United States and its allies ran into the same problem the Iranians have
grappled with: the P-1 is a balky, badly designed machine. When the Tennessee
laboratory shipped some of its P-1’s to England, in hopes of working with the
British on a program of general P-1 testing, they stumbled, according to nuclear
“They failed hopelessly,” one recalled, saying that the machines proved too
crude and temperamental to spin properly.
Dr. Cohen said his sources told him that Israel succeeded — with great
difficulty — in mastering the centrifuge technology. And the American expert in
nuclear intelligence, who spoke on the condition of anonymity, said the Israelis
used machines of the P-1 style to test the effectiveness of Stuxnet.
The expert added that Israel worked in collaboration with the United States in
targeting Iran, but that Washington was eager for “plausible deniability.”
In November, the Iranian president, Mahmoud Ahmadinejad, broke the country’s
silence about the worm’s impact on its enrichment program, saying a cyberattack
had caused “minor problems with some of our centrifuges.” Fortunately, he added,
“our experts discovered it.”
The most detailed portrait of the damage comes from the Institute for Science
and International Security, a private group in Washington. Last month, it issued
a lengthy Stuxnet report that said Iran’s P-1 machines at Natanz suffered a
series of failures in mid- to late 2009 that culminated in technicians taking
984 machines out of action.
The report called the failures “a major problem” and identified Stuxnet as the
Stuxnet is not the only blow to Iran. Sanctions have hurt its effort to build
more advanced (and less temperamental) centrifuges. And last January, and again
in November, two scientists who were believed to be central to the nuclear
program were killed in Tehran.
The man widely believed to be responsible for much of Iran’s program, Mohsen
Fakhrizadeh, a college professor, has been hidden away by the Iranians, who know
he is high on the target list.
Publicly, Israeli officials make no explicit ties between Stuxnet and Iran’s
problems. But in recent weeks, they have given revised and surprisingly upbeat
assessments of Tehran’s nuclear status.
“A number of technological challenges and difficulties” have beset Iran’s
program, Moshe Yaalon, Israel’s minister of strategic affairs, told Israeli
public radio late last month.
The troubles, he added, “have postponed the timetable.”
They got their start years ago as cyberpranksters, an online
community of tech-savvy kids more interested in making mischief than political
But the coordinated attacks on major corporate and government Web sites in
defense of WikiLeaks, which began on Wednesday and continued on Thursday,
suggested that the loosely organized group called Anonymous might have come of
age, evolving into one focused on more serious matters: in this case, the
definition of Internet freedom.
While the attacks on such behemoths as MasterCard, Visa and PayPal were not
nearly as sophisticated as some less publicized assaults, they were a step
forward in the group’s larger battle against what it sees as increasing control
of the Internet by corporations and governments. This week they found a cause
and an icon: Julian Assange, the former hacker who founded WikiLeaks and is now
in a London jail at the request of the Swedish authorities investigating him on
accusations of rape.
“This is kind of the shot heard round the world — this is Lexington,” said John
Perry Barlow, a co-founder of the Electronic Frontier Foundation, a civil
liberties organization that advocates for a freer Internet.
On Thursday, the police in the Netherlands took the first official action
against the campaign, detaining a 16-year-old student in his parents’ home in
The Hague who, they said, admitted to participating in attacks on MasterCard and
Visa. The precise nature of his involvement was unclear, but in past
investigations, the authorities have sometimes arrested those unsophisticated
enough not to cover their tracks on the Web.
Meanwhile, a lawyer for Mr. Assange, 39, said he strongly denied that he had
encouraged any attacks on behalf of WikiLeaks.
“It is absolutely false,” the lawyer, Jennifer Robinson, told the Australian
Broadcasting Corporation in London on Thursday. “He did not make any such
instruction, and indeed he sees that as a deliberate attempt to conflate hacking
organizations” with “WikiLeaks, which is not a hacking organization. It is a
news organization and a publisher.”
Although Anonymous remains shadowy and without public leaders, it developed a
loose hierarchy in recent years as it took on groups as diverse as the Church of
Scientology and the Motion Picture Association of America.
The coordination and the tactics developed in those campaigns appeared to make
this week’s attacks more powerful, allowing what analysts believe is a small
group to enlist thousands of activists to bombard Web sites with traffic, making
them at least temporarily inaccessible. Experts say the group appears to have
used more sophisticated software this time that allowed supporters to repeatedly
visit the sites at a specific time when the command was given.
The Twitter account identified with the Anonymous movement contained messages
with little more than the words “Fire now.”
The attacks thus far have been of limited effect, shutting down the MasterCard
Web site, not its online transactions.
But to security experts and people who have tracked or participated in the
Anonymous movement, they indicated a step forward for cyberanarchists railing
against the “elites” — corporations and governments with power over both the
machinery and, critics increasingly argue, the content on the Web.
“In the past, Anonymous made quite a lot of noise but did little damage,” said
Amichai Shulman, chief technology officer at Imperva, a California-based
security technology company. “It’s different this time around. They are starting
to use the same tools that industrial hackers are using.”
Despite the name, Anonymous can be found in many locations and formats. Members
converse in online forums and chat rooms where friendships and alliances often
“It’s the first place I go when I turn on my computer,” said one Anonymous
activist, reached on an online chat service, who did not want to be named
discussing the structure of the organization.
Groups of these friends, who form new conversations, or threads, sometimes
decide on a topic or an issue that they feel is deserving of more attention, the
“You post things, discuss ideas and that leads to putting out a video or a
document” for a campaign. In the case of WikiLeaks, the activist said, it
appears that two groups decided almost simultaneously to mount a concerted
effort against the site’s enemies.
“I got e-mailed these two links on Sunday or Monday,” he said. Denouncing
“what’s being done to Julian and WikiLeaks,” he said, he decided to join in.
These ideas bubble up, but ultimately a small group decides exactly what
affiliated site should be attacked and when, according to a Dutch writer on the
Anonymous movement, who writes a blog under the name Ernesto Van der Sar. There
is a chat room “that is invite only, with a dozen or so people,” he said, that
pick the targets and the time of attack.
He described the typical Anonymous member as young; he guessed 18 to 24 years
While Anonymous has recently had success with attacks on sites related to
copyright infringement cases, the WikiLeaks cause has brought a much greater
intensity to its efforts.
The campaigns are part of Operation Payback, created in the summer to defend a
file-sharing site in Sweden that counts itself part of the mission of keeping
the Internet unfettered and unfiltered and that was singled out by the
“We could move against enemies of WikiLeaks so easily because there was already
a network up and running, there was already a chat room for people to meet in,”
said Gregg Housh, an activist who has been involved in Anonymous campaigns but
disavows a personal role in any illegal online activity.
The software used to coordinate the attacks is being downloaded about 1,000
times per hour, with about one-third of those downloads coming from the United
States. Recently the software was improved so that a command could be sent to a
supporter’s computers and the attack would begin — no human needed.
But even Mr. Barlow of the Electronic Frontier Foundation appeared to have
second thoughts about where such escalation could lead: On Thursday, he said
that the Anonymous group members represented “a stunning force in the world.”
“But still,” he said, it is “better used to open, not to close.” He added that
he opposed denial-of-service attacks on principle: “It’s like the poison gas of
cyberspace. The fundamental principle should be to open things up and not close
Things were hardly so serious when Anonymous first made a name for itself. The
group grew out of online message boards like 4chan, an unfiltered meeting place
with more than its share of misanthropic behavior and schemes.
Mr. Housh said of Anonymous: “It was deliberately not for any good. We kind of
took pride in it.”
That changed when Mr. Housh and a few dozen others were incensed by the Church
of Scientology’s attempt to use copyright law to remove a long video in which
the actor Tom Cruise had spoken about church beliefs.
With its work on behalf of WikiLeaks, Anonymous has found a much more
high-profile cause. As the campaign expands, many fear a more contentious
Internet as governments and businesses respond to more serious attacks by
activists who benefit from improvements in bandwidth and readily available
“Home field advantage goes to the attacker,” said Gunter Ollmann, vice president
of research at Damballa, an Atlanta-based firm that specializes in Internet
protection. “With a little bit of coordination and growing numbers of
participants, these things will continue to happen regularly.”
Reporting was contributed by John Markoff
and Ashlee Vance from
Ravi Somaiya from London and Marlise Simons from Paris.
LONDON — In a campaign that had some declaring the start of a “cyberwar,”
hundreds of Internet activists mounted retaliatory attacks on the Web sites of
multinational companies and other organizations they deemed hostile to the
WikiLeaks antisecrecy organization and its jailed founder, Julian Assange.
Within 12 hours of a British judge’s decision to deny Mr. Assange bail in a
Swedish extradition case, attacks on the Web sites of WikiLeaks’s “enemies,” as
defined by the organization’s impassioned supporters around the world, caused
several corporate Web sites to become inaccessible or slow down markedly on
Targets of the attacks, in which activists overwhelmed the sites with traffic,
included the Web site of MasterCard, which had stopped processing donations for
WikiLeaks; Amazon.com, which revoked the use of its computer servers; and
PayPal, which stopped accepting donations for Mr. Assange’s group. Visa.com was
also affected by the attacks, as were the Web sites of the Swedish prosecutor’s
office and the lawyer representing the two women whose allegations of sexual
misconduct are the basis of Sweden’s extradition bid.
On Thursday, Gregg Housh, an activist with the loosely affiliated group of
so-called hacktivists, said the group was redoubling its efforts to bring down
PayPal, which is better protected than some other sites. PayPal, an online
payment service company, said the attacks had slowed its Web site “but have not
significantly impacted payments.”
No other major Web sites appeared to be suffering disruptions in service early
Thursday, however, suggesting that the economic impact of the attacks was
The Internet assaults underlined the growing reach of self-described
“cyberanarchists,” antigovernment and anticorporate activists who have made an
icon of Mr. Assange, a 39-year-old Australian.
The speed and range of the attacks Wednesday appeared to show the resilience of
the backing among computer activists for Mr. Assange, who has appeared
increasingly isolated in recent months amid the furor stoked by WikiLeaks’s
posting of hundreds of thousands of secret Pentagon documents on the wars in
Afghanistan and Iraq.
Mr. Assange has come under renewed attack in the past two weeks for posting the
first tranche of a trove of 250,000 secret State Department cables that have
exposed American diplomats’ frank assessments of relations with many countries,
forcing Secretary of State Hillary Rodham Clinton to express regret to world
leaders and raising fears that they and other sources would become more
The New York Times and four other news organizations last week began publishing
articles based on the archive of cables made available to them.
In recent months, some of Mr. Assange’s closest associates in WikiLeaks
abandoned him, calling him autocratic and capricious and accusing him of
reneging on WikiLeaks’s original pledge of impartiality to launch a concerted
attack on the United States. He has been simultaneously fighting a remote battle
with the Swedish prosecutors, who have sought his extradition for questioning on
accusations of “rape, sexual molestation and forceful coercion” made by the
Swedish women. Mr. Assange has denied any wrongdoing in the cases.
American officials have repeatedly said that they are reviewing possible
criminal charges against Mr. Assange, a step that could lead to a bid to
extradite him to the United States and confront him with having to fight for his
freedom on two fronts.
The cyberattacks in Mr. Assange’s defense appear to have been coordinated by
Anonymous, a loosely affiliated group of activist computer hackers who have
singled out other groups before, including the Church of Scientology. Last
weekend, members of Anonymous vowed in two online manifestos to take revenge on
any organization that lined up against WikiLeaks.
Anonymous claimed responsibility for the MasterCard attack in Web messages and,
according to Mr. Housh, the activist associated with the group, conducted waves
of attacks on other companies during the day. The group said the actions were
part of an effort called Operation Payback, which began as a way of punishing
companies that tried to stop Internet file-sharing and movie downloads.
Mr. Housh, who disavows a personal role in any illegal online activity, said
that 1,500 supporters had been in online forums and chat rooms organizing the
mass “denial of service” attacks. His account was confirmed by Jose Nazario, a
senior security researcher at Arbor Networks, a Chelmsford, Mass., firm that
tracks malicious activity on computer networks.
Most of the corporations whose sites were targeted did not explain why they
severed ties with WikiLeaks. But PayPal issued statements saying its decision
was based on “a violation” of its policy on promoting illegal activities.
The sense of an Internet war was reinforced Wednesday when Netcraft, a British
Internet monitoring firm, reported that the Web site being used by the hackers
to distribute denial-of-service software had been suspended by a Dutch hosting
A sense of the belligerent mood among activists was given when one contributor
to a forum the group uses, WhyWeProtest.net, wrote of the attacks: “The war is
on. And everyone ought to spend some time thinking about it, discussing it with
others, preparing yourselves so you know how to act if something compels you to
make a decision. Be very careful not to err on the side of inaction.”
Mr. Housh acknowledged that there had been online talk among the hackers of a
possible Internet campaign against the two women who have been Mr. Assange’s
accusers in the Swedish case, but he said that “a lot of people don’t want to be
A Web search showed new blog posts in recent days in which the two women,
identified by the Swedish prosecutors only as Ms. A. and Ms. W., were named, but
it was not clear whether there was any link to Anonymous. The women have said
that consensual sexual encounters with Mr. Assange became nonconsensual when he
stopped using condoms.
The cyberattacks on corporations Wednesday were seen by many supporters as a
counterstrike against the United States. Mr. Assange’s online supporters have
widely condemned the Obama administration as the unseen hand coordinating
efforts to choke off WikiLeaks by denying it financing and suppressing its
network of computer servers.
Mr. Housh described Mr. Assange in an interview as “a political prisoner,” a
common view among WikiLeaks supporters who have joined Mr. Assange in condemning
the sexual abuse accusations as part of an American-inspired “smear campaign.”
Another activist used the analogy of the civil rights struggle for the
“Are they disrupting business?” a contributor using the name Moryath wrote in a
comment on the slashdot.org technology Web site. “Perhaps, but no worse than the
lunch counter sit-ins did.”
December 3, 2010
The New York Times
By RAVI SOMAIYA and J. DAVID GOODMAN
LONDON — An American provider of Internet domain names withdrew its service
to the WikiLeaks Web site late Thursday after a barrage of attacks by hackers
threatened to destabilize its entire system. But within hours, WikiLeaks had
registered its domain name in Switzerland, and it was back online by early
Shortly after the action by EveryDNS.net, which provides domain names for about
500,000 Web sites, the French government began seeking measures to keep the
whistle-blowing organization from being hosted in France. The moves follow a
decision on Wednesday by Amazon.com Inc. to expel WikiLeaks from its servers.
The organization remains on the servers of a Swedish host, Bahnhof.
WikiLeaks appears increasingly engaged in a game of digital Whac-A-Mole as it
struggles to stay online after publicizing a huge array of some 250,000 leaked
State Department documents relating to American foreign policy around the globe.
The Web infrastructure that supports WikiLeaks is deliberately diffuse and
difficult to track, with servers spread through many countries in order to
insulate the site from hostile states or companies. But cyberattacks and
problems with service providers have kept the site and its founder, Julian
“Since April of this year, our timetable has not been our own; rather it has
been one that has centered on the moves of abusive elements of the United States
government against us,” Mr. Assange wrote in a discussion on Friday on the Web
site of the British newspaper The Guardian. “The threats against our lives are a
matter of public record,” he added later, saying he and others who work on
WikiLeaks were taking “appropriate precautions.” Mr. Assange is being sought for
questioning in connection with alleged sex crimes in Sweden, allegations he has
denied, and his location was not disclosed.
In a statement on its Web site, EveryDNS.net said it terminated WikiLeaks’
domain name at around 10 p.m. Eastern time, for violating its terms of service.
The old domain, WikiLeaks.org, “has become the target of multiple distributed
denial of service (DDOS) attacks,” the company said. Such attacks usually
involve bombarding a Web site with requests for access, effectively blocking
legitimate users, and are designed to make a targeted Web site unavailable. When
questioned about similar cyberattacks on Sunday against WikiLeaks, American
officials vigorously denied any involvement.
According to WhoIs.com, the new domain, WikiLeaks.ch, is registered to the Swiss
branch of the Swedish Pirate Party, a political organization that has previously
worked with Mr. Assange.
In an interview with The New York Times earlier this year, the Pirate Party’s
leader, Rickard Falkvinge, expressed an open offer to host the WikiLeaks site
because “our organizations generally share the same values — we value privacy,
transparency, democracy and knowledge.” Mr. Falkvinge added that any sharing of
Web services between the two organizations would offer “heightened political
“Any prosecutors will have to target a political party in us, and the price for
doing that is much higher,” he said.
WikiLeaks reacted to the domain name switch on its Twitter feed, writing just
after midnight on Friday morning: “WikiLeaks.org domain killed by U.S.
EveryDNS.net after claimed mass attacks.”
It implored supporters to “keep us strong” and provided a link for financial
donations. Hours later, a message on the WikiLeaks Twitter feed said: “WikiLeaks
moved to Switzerland” and provided the new Web address.
In France, Industry Minister Eric Besson asked the French government on Friday
to explore measures to “ensure that it is no longer hosted in France” after
reports surfaced that WikiLeaks has servers there, according to a letter seen by
Reuters. “France cannot host an internet site that violates the secrecy of
diplomatic relations and endangers people,” Mr. Besson said.
Earlier this week, Amazon — which rents server space to companies in addition to
its online retail business — canceled its relationship with WikiLeaks after
inquiries from an aide to Senator Joseph I. Lieberman, independent of
Connecticut. The company said the organization was violating the terms of
service for the program.
“When companies or people go about securing and storing large quantities of data
that isn’t rightfully theirs, and publishing this data without ensuring it won’t
injure others, it’s a violation of our terms of service, and folks need to go
operate elsewhere,” the company said.
Anna Mossberg, Bahnhof’s chief executive, said her company held “two physical
WikiLeaks servers in our data hall in Stockholm.” Those servers, she said, have
been attacked in recent weeks, though Bahnhof has come under no overt government
pressure to abandon them. “But I know we are not the only provider of WikiLeaks’
servers — they are everywhere.”
Ravi Somaiya reported from London,
J. David Goodman from New York.
contributed reporting from Washington,
January 22, 2010
The New York Times
By BRIAN KNOWLTON
WASHINGTON — Coupling a salute to Internet freedom with a carefully worded
caution to countries like China and Iran, Secretary of State Hillary Rodham
Clinton said Thursday that countries that engaged in cyberattacks should face
consequences and international condemnation.
“In an interconnected world, an attack on one nation’s networks can be an attack
on all,” she said in a speech in Washington. “By reinforcing that message, we
can create norms of behavior among states and encourage respect for the global
Mrs. Clinton’s comments came in a speech in which she announced a new $15
million effort to help more young people, women and citizens groups in other
countries communicate on the Web.
“Given the magnitude of the challenges we’re facing, we need people around the
world to pool their knowledge and creativity to help rebuild the global economy,
protect our environment, defeat violent extremism and build a future in which
every human being can realize their God-given potential,” she said, according to
the advance text of a speech at the Newseum in Washington.
Her remarks came at a time when Internet controls have drawn increasing public
attention. Limits on Internet searches led to a dispute made public this month
between Google and China, and sites such as Facebook and Twitter, which played a
critical role in helping protesters in Iran spread news and images of violent
crackdowns on antigovernment demonstrations, have been blocked by the
authorities in Tehran.
Foreign companies and millions of Chinese Google users have been watching the
matter with keen interest.
Google announced on Jan. 12 that it was “no longer willing to continue
censoring” search results for its Chinese users, pointing to breaches of Gmail
accounts held by human rights activists in China. Tens of other companies had
also been targets of hacking, the company found. Google has taken a cautious
approach to the dispute, avoiding placing direct blame on the government in
Beijing, and the Chinese government has sought to describe the situation as
None of the proposals Mrs. Clinton mentioned focused specifically on China or
Iran, and the financing is relatively modest.
Still, Mrs. Clinton made an unmistakable allusion to Google and China when she
said, “Countries or individuals that engage in cyberattacks should face
consequences and international condemnation.”
She did not suggest what the consequences should be, though.
Five United States senators, led by Sam Brownback, Republican of Kansas, have
urged Mrs. Clinton to move quickly to support organizations that have tried to
make it easier for people in countries like China and Iran to sidestep
government restrictions on Internet use.
The senators, in a letter written before the recent Google dispute, urged Mrs.
Clinton to quickly spend $45 million earmarked over the last two years for
Her announcement, while calling for spending just a third that amount, appeared
to be otherwise in line with their urgings.
Mrs. Clinton said the new programs would help expand Internet access to women
and other groups; put in place programs to train and support civil society
groups and nongovernmental organizations in new media technologies; and support
pilot projects to increase access, particularly among young people, in the
Middle East and North Africa.
Mrs. Clinton paid tribute to the power of the Internet both for opening new
forums for the exchange of ideas and for fostering social and economic
development. “In this context,” she said, “the Internet can serve as a great
equalizer. By providing people with access to knowledge and potential markets,
networks can create opportunity where none exists.”
Brett Solomon, executive director of the group AccessNow.org, which promotes
digital openness, praised Mrs. Clinton’s speech.
“This is a big couple of weeks for Internet freedom,” he said, mentioning both
Google’s stand and Mrs. Clinton’s proposal. “Digital activists across the world
may now increasingly see their demands for democracy and justice pierce the
August 27, 2009
The New York Times
By JOHN MARKOFF
It is still out there.
Like a ghost ship, a rogue software program that glided onto the Internet last
November has confounded the efforts of top security experts to eradicate the
program and trace its origins and purpose, exposing serious weaknesses in the
world’s digital infrastructure.
The program, known as Conficker, uses flaws in Windows software to co-opt
machines and link them into a virtual computer that can be commanded remotely by
its authors. With more than five million of these zombies now under its control
— government, business and home computers in more than 200 countries — this
shadowy computer has power that dwarfs that of the world’s largest data centers.
Alarmed by the program’s quick spread after its debut in November, computer
security experts from industry, academia and government joined forces in a
highly unusual collaboration. They decoded the program and developed antivirus
software that erased it from millions of the computers. But Conficker’s
persistence and sophistication have squelched the belief of many experts that
such global computer infections are a thing of the past.
“It’s using the best current practices and state of the art to communicate and
to protect itself,” Rodney Joffe, director of the Conficker Working Group, said
of the malicious program. “We have not found the trick to take control back from
the malware in any way.”
Researchers speculate that the computer could be employed to generate vast
amounts of spam; it could steal information like passwords and logins by
capturing keystrokes on infected computers; it could deliver fake antivirus
warnings to trick naïve users into believing their computers are infected and
persuading them to pay by credit card to have the infection removed.
There is also a different possibility that concerns the researchers: That the
program was not designed by a criminal gang, but instead by an intelligence
agency or the military of some country to monitor or disable an enemy’s
computers. Networks of infected computers, or botnets, were used widely as
weapons in conflicts in Estonia in 2007 and in Georgia last year, and in more
recent attacks against South Korean and United States government agencies.
Recent attacks that temporarily crippled Twitter and Facebook were believed to
have had political overtones.
Yet for the most part Conficker has done little more than to extend its reach to
more and more computers. Though there had been speculation that the computer
might be activated to do something malicious on April 1, the date passed without
incident, and some security experts wonder if the program has been abandoned.
The experts have only tiny clues about the location of the program’s authors.
The first version included software that stopped the program if it infected a
machine with a Ukrainian language keyboard. There may have been two initial
infections — in Buenos Aires and in Kiev.
Wherever the authors are, the experts say, they are clearly professionals using
the most advanced technology available. The program is protected by internal
defense mechanisms that make it hard to erase, and even kills or hides from
programs designed to look for botnets.
A member of the security team said that the Federal Bureau of Investigation had
suspects, but was moving slowly because it needed to build a relationship with
“noncorrupt” law enforcement agencies in the countries where the suspects are
An F.B.I. spokesman in Washington declined to comment, saying that the Conficker
investigation was an open case.
The first infections, last Nov. 20, set off an intense battle between the hidden
authors and the volunteer group that formed to counter them. The group, which
first called itself the “Conficker Cabal,” changed its name when Microsoft,
Symantec and several other companies objected to the unprofessional connotation.
Eventually, university researchers and law enforcement officials joined forces
with computer experts at more than two dozen Internet, software and computer
The group won some battles, but lost others. The Conficker authors kept
distributing new, more intricate versions of the program, at one point using
code that had been devised in academia only months before. At another point, a
single technical slip by the working group allowed the program’s authors to
convert a huge number of the infected machines to an advanced peer-to-peer
communications scheme that the industry group has not been able to defeat. Where
before all the infected computers would have to phone home to a single source
for instructions, the authors could now use any infected computer to instruct
all the others.
In early April, Patrick Peterson, a research fellow at Cisco Systems in San
Jose, Calif., gained some intelligence about the authors’ interests. He studies
nasty computer programs by keeping a set of quarantined computers that capture
and observe them — his “digital zoo.”
He discovered that the Conficker authors had begun distributing software that
tricks Internet users into buying fake antivirus software with their credit
cards. “We turned off the lights in the zoo one day and came back the next day,”
Mr. Peterson said, noting that in the “cage” reserved for Conficker, the
infection had been joined by a program distributing an antivirus software scam.
It was the most recent sign of life from the program, and its silence has set
off a debate among computer security experts. Some researchers think Conficker
is an empty shell, or that the authors of the program were scared away in the
spring. Others argue that they are simply biding their time.
If the misbegotten computer were reactivated, it would not have the
problem-solving ability of supercomputers used to design nuclear weapons or
simulate climate change. But because it has commandeered so many machines, it
could draw on an amount of computing power greater than that from any single
computing facility run by governments or Google. It is a dark reflection of the
“cloud computing” sweeping the commercial Internet, in which data is stored on
the Internet rather than on a personal computer.
The industry group continues to try to find ways to kill Conficker, meeting as
recently as Tuesday. Mr. Joffe said he, for one, was not prepared to declare
victory. But he said that the group’s work proved that government and private
industry could cooperate to counter cyberthreats.
“Even if we lose against Conficker,” he said, “there are things we’ve learned
that will benefit us in the future.”
SEOUL, South Korea — Cyberattacks that have crippled the Web sites of several
major American and South Korean government agencies since the July 4th holiday
weekend appear to have been launched by a hostile group or government, South
Korea’s main government spy agency said on Wednesday.
Although the National Intelligence Service did not identify whom it believed
responsible, the South Korean news agency Yonhap reported that the spy agency
had implicated North Korea or pro-North Korea groups.
A spokesman at the intelligence agency said it could not confirm the Yonhap
report, which said that the spy agency briefed lawmakers about their suspicions
on Wednesday. The opposition Democratic Party accused the spy agency of
spreading unsubstantiated rumors to whip up support for a new anti-terrorism
bill that would give it more power.
At least 11 major Web sites in South Korea — including those of the
presidential Blue House, the Defense Ministry, the National Assembly, Shinhan
Bank, the mass-circulation daily newspaper Chosun Ilbo and the top Internet
portal Naver.com — have crashed or slowed to a crawl since Tuesday evening,
according to the government’s Korea Information Security Agency.
On Wednesday, some of the sites regained service, but others remained unstable
In an attack linked with the one in South Korea, 14 major Web sites in the
United States — including those of the White House, the State Department and the
New York Stock Exchange — came under similar attacks, according to
anti-cyberterrorism police officers in Seoul.
“This is not a simple attack by an individual hacker, but appears to be
thoroughly planned and executed by a specific organization or on a state level,”
the National Intelligence Service said in a statement, adding that it is
cooperating with the American investigative authorities to investigate the
The Associated Press reported Tuesday night that a widespread and unusually
resilient computer attack that began July 4 knocked out the Web sites of several
American government agencies, including some that are responsible for fighting
The Treasury Department, Secret Service, Federal Trade Commission and
Transportation Department Web sites were all down at varying points over the
holiday weekend and into this week, The A.P. reported, citing officials inside
and outside the American government. The fact that the government Web sites were
still being affected after three days signaled an unusually lengthy and
sophisticated attack, the news agency reported, citing anonymous American
The Washington Post, which also came under attack, reported on its Web site
Wednesday that a total of 26 Web sites were targeted. In addition to sites run
by government agencies, several commercial Web sites were also attacked,
including those operated by Nasdaq, it reported, citing researchers involved in
Amy Kudwa, a Department of Homeland Security spokeswoman, said that the agency
was aware of the attacks on “federal and private sector public-facing Web
sites.” The department, she said, has issued a notice to federal departments and
agencies, as well as other partner organizations, on the activity and advised
them of steps to take to help mitigate against such attacks.
“We see attacks on federal networks every day, and measures in place have
minimized the impact to federal websites,” she said.
In the attack, an army of thousands of “zombie computers” infected by the
hackers’ program was ordered to request access to these Web sites
simultaneously, overloading the sites’ servers until they crashed, South Korean
officials said.
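The attack pattern the officials describe, a flood of simultaneous requests from many infected machines, is what a server-side detector looks for: a per-minute request count far above the site’s normal baseline, coming from an unusually large number of distinct source addresses. The following added example (not code from the article or from any of the agencies it quotes) runs that check over a constructed Common Log Format access log; the baseline figure, surge factor and all addresses are invented for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client ip, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (client_ip, minute_bucket) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(second=0, microsecond=0)


def flood_windows(lines, baseline_per_minute, surge_factor=9.0):
    """Flag every one-minute window whose request count reaches
    surge_factor * baseline. Returns {iso_minute: {requests, distinct_sources, ratio}}.
    distinct_sources is the signal that separates a distributed flood from one
    noisy client: a DDoS shows many addresses each sending a little."""
    per_minute = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not parse rather than crash the detector
        ip, minute = parsed
        per_minute[minute] += 1
        sources[minute].add(ip)

    threshold = surge_factor * baseline_per_minute
    flagged = {}
    for minute in sorted(per_minute):
        n = per_minute[minute]
        if n >= threshold:
            flagged[minute.isoformat()] = {
                "requests": n,
                "distinct_sources": len(sources[minute]),
                "ratio": n / baseline_per_minute,
            }
    return flagged


def sample_access_log():
    """Constructed access log (not real traffic): one quiet minute, then a
    minute in which thirty distinct hypothetical bot addresses hit the front page."""
    lines = [
        '203.0.113.10 - - [08/Jul/2009:09:00:05 +0900] "GET / HTTP/1.1" 200 5120',
        '203.0.113.11 - - [08/Jul/2009:09:00:40 +0900] "GET /news HTTP/1.1" 200 2048',
        '203.0.113.10 - - [08/Jul/2009:09:00:55 +0900] "GET /img/logo.png HTTP/1.1" 200 900',
    ]
    for i in range(30):
        lines.append(
            f'198.51.100.{i + 1} - - [08/Jul/2009:09:01:{i:02d} +0900] "GET / HTTP/1.1" 503 0'
        )
    return lines


if __name__ == "__main__":
    # Assumed baseline of 3 requests per minute for this constructed site.
    for minute, info in flood_windows(sample_access_log(), baseline_per_minute=3).items():
        print(minute, info)
```

The baseline would in practice come from the site’s own history (for example the median per-minute count over the previous week at the same hour) rather than a constant; the point of the example is the two-signal rule, volume ratio plus source spread, that distinguishes the kind of overload the officials describe from a single misbehaving client.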
Although most of the North Korean military’s hardware is decrepit, the South
Korean authorities have recently voiced their concern over possible cyberattacks
from the North. In May, South Korean media reported that North Korea was running
a cyberwarfare unit that operates through the Chinese Internet network and tries
to hack into American and South Korean military networks.
In South Korea, the Blue House reported no data loss or other damage except
disrupted access. The Defense Ministry and banks attacked also reported no
immediate loss of security data or financial damage.
“The traffic to our site surged to nine times the normal level,” the Blue House
said in a statement. “Computer users in some regions still suffer slow or no
access at all to our site.”
Hwang Cheol-jeung, a senior official at the government’s Korea Communications
Commission, said the attacks were launched by computers infected by a well-known
“distributed denial of service,” or DDoS, hackers’ program.
The spy agency said 12,000 computers in South Korea and 8,000 overseas appeared
to have been mobilized in the attacks. The Korea Communications Commission
reported 22,000 infected computers.
“The infected computers are still attacking, and their number is not
decreasing,” Mr. Hwang told reporters in a briefing. The government was urging
users to upgrade their computers’ antivirus software.
Denial of service attacks against Web sites are not uncommon, but they can be
made far more serious if hackers infect and use thousands of computers. Hackers
frequently take aim at the American government: According to the Homeland
Security Department, there were 5,499 known breaches of American government
computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006, The
The South Korean news agency Yonhap said the police have traced a possible
starting point for the attack back to members of a small cable TV Web site in
Seoul. But officials said that does not mean it originated there.
Mr. Hwang said South Korean authorities suspected that the hackers used a new
variant of the denial of service program to attack the Web sites.
Sharon Otterman contributed reporting from New York.
January 23, 2009
The New York Times
By JOHN MARKOFF
A new digital plague has hit the Internet, infecting millions
of personal and business computers in what seems to be the first step of a
multistage attack. The world’s leading computer security experts do not yet know
who programmed the infection, or what the next stage will be.
In recent weeks a worm, a malicious software program, has swept through
corporate, educational and public computer networks around the world. Known as
Conficker or Downadup, it is spread by a recently discovered Microsoft Windows
vulnerability, by guessing network passwords and by hand-carried consumer
gadgets like USB keys.
Experts say it is the worst infection since the Slammer worm exploded through
the Internet in January 2003, and it may have infected as many as nine million
personal computers around the world.
Worms like Conficker not only ricochet around the Internet at lightning speed,
they harness infected computers into unified systems called botnets, which can
then accept programming instructions from their clandestine masters. “If you’re
looking for a digital Pearl Harbor, we now have the Japanese ships steaming
toward us on the horizon,” said Rick Wesson, chief executive of Support
Intelligence, a computer security consulting firm based in San Francisco.
Many computer users may not notice that their machines have been infected, and
computer security researchers said they were waiting for the instructions to
materialize, to determine what impact the botnet will have on PC users. It might
operate in the background, using the infected computer to send spam or infect
other computers, or it might steal the PC user’s personal information.
“I don’t know why people aren’t more afraid of these programs,” said Merrick L.
Furst, a computer scientist at Georgia Tech. “This is like having a mole in your
organization that can do things like send out any information it finds on
machines it infects.”
Microsoft rushed an emergency patch to defend the Windows operating systems
against this vulnerability in October, yet the worm has continued to spread even
as the level of warnings has grown in recent weeks.
Earlier this week, security researchers at Qualys, a Silicon Valley security
firm, estimated that about 30 percent of Windows-based computers attached to the
Internet remain vulnerable to infection because they have not been updated with
the patch, despite the fact that it was made available in October. The firm’s
estimate is based on a survey of nine million Internet addresses.
Security researchers said the success of Conficker was due in part to lax
security practices by both companies and individuals, who frequently do not
immediately install updates.
A Microsoft executive defended the company’s security update service, saying
there is no single solution to the malware problem.
“I do believe the updating strategy is working,” said George Stathakopoulos,
general manager for Microsoft’s Security Engineering and Communications group.
But he added that organizations must focus on everything from timely updates to
“It’s all about defense in depth,” Mr. Stathakopoulos said.
Alfred Huger, vice president of development at Symantec’s security response
division, said, “This is a really well-written worm.” He said security companies
were still racing to try to unlock all of its secrets.
Unraveling the program has been particularly challenging because it comes with
encryption mechanisms that hide its internal workings from those seeking to
Most security firms have updated their programs to detect and eradicate the
software, and a variety of companies offer specialized software programs for
detecting and removing it.
The program uses an elaborate shell-game-style technique to permit someone to
command it remotely. Each day it generates a new list of 250 domain names, and
instructions received from any one of those domains would be obeyed. To control
the botnet, an attacker need only register a single domain from the day’s list
to send instructions to the botnet globally, which greatly complicates the task
of law enforcement and security companies trying to intervene and block the
activation of the botnet.
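The defensive counter to a scheme like this rests on the fact that the list is deterministic: anyone who has reverse-engineered the generator can compute the same 250 names for any day, pre-register or sinkhole them before the operators do, and match resolver logs against the list to find infected hosts. The example below is added here and is not Conficker’s actual algorithm nor code from the working group; it uses a hypothetical date-seeded generator (SHA-256 over the date and an index) to show the shape of the defender’s workflow, and the DNS log lines and client addresses are constructed for illustration.

```python
import hashlib
import re
from datetime import date, timedelta
from typing import Dict, List

# Hypothetical TLD set for the toy generator; Conficker's real choices are not shown here.
TLDS = ("com", "net", "org", "info", "biz")

# Day used by the constructed sample log below.
DAY = date(2009, 1, 23)


def generate_domains(day: date, count: int = 250) -> List[str]:
    """Toy date-seeded domain generator (hypothetical, not Conficker's).
    Deterministic: the same day always yields the same ordered list, which is
    exactly the property a defender exploits to pre-register or sinkhole names."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])  # 10 lowercase letters
        tld = TLDS[digest[10] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_schedule(start: date, days: int) -> Dict[str, List[str]]:
    """Names a defender would need to control for each of the next `days` days."""
    return {
        (start + timedelta(days=d)).isoformat(): generate_domains(start + timedelta(days=d))
        for d in range(days)
    }


# Constructed resolver-log line shape: "<time> client=<ip> query=<type> name=<fqdn>."
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qtype>\S+)\s+name=(?P<name>\S+)")


def find_dga_lookups(log_lines: List[str], day: date, lookback_days: int = 1) -> Dict[str, List[str]]:
    """Return {client_ip: sorted generated domains it queried}. The watch set
    covers today and `lookback_days` earlier days so clock skew on the infected
    host does not let a lookup slip past the check."""
    watch = set()
    for offset in range(lookback_days + 1):
        watch.update(generate_domains(day - timedelta(days=offset)))
    hits: Dict[str, set] = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        name = m.group("name").rstrip(".").lower()  # drop trailing dot, normalise case
        if name in watch:
            hits.setdefault(m.group("client"), set()).add(name)
    return {client: sorted(names) for client, names in hits.items()}


def sample_log() -> List[str]:
    """Constructed DNS resolver log (not real data): one host queries two of
    the day's generated names, the others only look up ordinary domains."""
    dga = generate_domains(DAY)
    return [
        f"{DAY}T08:00:01 client=10.0.0.5 query=A name=www.example.com.",
        f"{DAY}T08:00:03 client=10.0.0.12 query=A name={dga[17]}.",
        f"{DAY}T08:00:04 client=10.0.0.12 query=A name={dga[200].upper()}.",
        f"{DAY}T08:00:09 client=10.0.0.7 query=MX name=mail.example.net.",
    ]


if __name__ == "__main__":
    print("names to control over one week:", sum(len(v) for v in sinkhole_schedule(DAY, 7).values()))
    print("suspect hosts:", find_dga_lookups(sample_log(), DAY))
```

The arithmetic in the passage falls out of the schedule function: controlling a single day costs the operators one registration, while keeping the botnet from activating costs the defenders all 250 names every day, for as long as the infection persists.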
Computer security researchers expect that within days or weeks the bot-herder
who controls the programs will send out commands to force the botnet to perform
some as yet unknown illegal activity.
Several computer security firms said that although Conficker appeared to have
been written from scratch, it had parallels to the work of a suspected Eastern
European criminal gang that has profited by sending programs known as
“scareware” to personal computers that seem to warn users of an infection and
ask for credit card numbers to pay for bogus antivirus software that actually
further infects their computer.
One intriguing clue left by the malware authors is that the first version of the
program checked to see if the computer had a Ukrainian keyboard layout. If it
found it had such a keyboard, it would not infect the machine, according to
Phillip Porras, a security investigator at SRI International who has
disassembled the program to determine how it functioned.
The worm has reignited a debate inside the computer security community over the
possibility of eradicating the program before it is used by sending out
instructions to the botnet that provide users with an alert that their machines
have been infected.
“Yes, we are working on it, as are many others,” said one botnet researcher who
spoke on the grounds that he not be identified because of his plan. “Yes, it’s
illegal, but so was Rosa Parks sitting in the front of the bus.”
This idea of stopping the program in its tracks before it has the ability to do
damage was challenged by many in the computer security community.
“It’s a really bad idea,” said Michael Argast, a security analyst at Sophos, a
British computer security firm. “The ethics of this haven’t changed in 20 years,
because the reality is that you can cause just as many problems as you solve.”
FRANCISCO — An e-mail scam aimed squarely at the nation’s top executives is
raising new alarms about the ease with which people and companies can be
deceived by online criminals.
Thousands of high-ranking executives across the country have been receiving
e-mail messages this week that appear to be official subpoenas from the United
States District Court in San Diego. Each message includes the executive’s name,
company and phone number, and commands the recipient to appear before a grand
jury in a civil case.
A link embedded in the message purports to offer a copy of the entire subpoena.
But a recipient who tries to view the document unwittingly downloads and
installs software that secretly records keystrokes and sends the data to a
remote computer over the Internet. This lets the criminals capture passwords and
other personal or corporate information.
Another piece of the software allows the computer to be controlled remotely.
According to researchers who have analyzed the downloaded file, less than 40
percent of commercial antivirus programs were able to recognize and intercept
The tactic of aiming at the rich and powerful with an online scam is referred to
by computer security experts as whaling. The term is a play on phishing, an
approach that usually involves tricking e-mail users — in this case the big fish
— into divulging personal information like credit card numbers. Phishing attacks
that are directed at a particular person, rather than blasted out to millions,
are also known as spear phishing.
The latest campaign has been widespread enough that two California federal
courts and the administrative office of the United States Courts posted warnings
about the fake messages on their Web sites. Federal officials said they stopped
counting after getting hundreds of phone calls from corporations about the
messages. At midday on Tuesday, one antispam company, MX Logic, said in a Web
posting that its service was still seeing at least 30 of the messages an hour.
Security researchers at several firms indicated they believed there had been at
least several thousand victims of the attack whose computers had been
“We have seen about 2,000 victims, more or less,” said John Bambenek, a security
researcher at the University of Illinois at Urbana-Champaign and a volunteer at
the Internet Storm Center, a network security organization.
Researchers were studying a list of the Internet addresses of infected computers
that iDefense Labs, a research unit of VeriSign, had assembled by monitoring
Personalized scam messages have been on the radar of security researchers and
law enforcement officials for several years, but the latest variant is a fresh
indication of the threat posed by such digital ruses.
“I think that it was well done in terms of something people would feel compelled
to respond to,” said Steve Kirsch, the chief executive of Abaca, an antispam
company based in San Jose, Calif.
Mr. Kirsch himself received a copy of the message and forwarded it to the
company lawyer. “It had my name, phone number, company and correct e-mail
address on it and looked pretty legitimate,” Mr. Kirsch said. “Even the U.R.L.
to find out more looked legitimate at first glance.”
When the lawyer tried to download a copy of the subpoena and the computer
restarted itself, they quickly realized that the file contained malicious
Several computer security researchers said that the attack was the work of a
group that tried a similar assault in November 2007. In that case, the e-mail
message appeared to come from the Justice Department and stated that a complaint
had been filed against the recipient’s company.
The software used in the latest attack tries to communicate with a computer in
Singapore. That system was still functioning on Tuesday evening, but security
researchers said many Internet service providers had blocked access to it.
A number of clues, like misspellings, in the fake subpoena led several
researchers to believe that the attackers were not familiar with the United
States court system and that the group might be based in a place that used a
British variant of English, such as Hong Kong.
“This is probably Chinese-based,” said Mr. Bambenek. “If all the key players are
in China there is not much the F.B.I. can do.”
Several security researchers said that the real danger of the attack lay in a
second level of deception, after the hidden software provided the attackers with
digital credentials like passwords and electronic certificates.
“There are very subtle nuances to their attacks that are well known in the
financial industry but are not well publicized,” said Matt Richard, director of
the Rapid Response Team at iDefense.
Mr. Richard said the criminals were going after a particular area of the
financial industry, but he would not elaborate. He said that law enforcement
officials were investigating the fraudulent documents.
Calls to the Federal Bureau of Investigation for comment were not returned.
Although the software package used to deliver the eavesdropping program is well
known, it was hidden in such a way that it avoided detection by commercial
programs in many cases, researchers said.
“This is pretty well-known code,” said Don Jackson, a researcher at SecureWorks,
a computer security firm. “The issue has to do with repacking it.”
Recipients of the e-mail messages are directed to a fraudulent Web site with a
copy of the graphics from the real federal court site. They are then asked to
download and install what is said to be a piece of software from Adobe that is
used to view electronic documents.
“There are several layers of social engineering involved here,” said Mike Haro,
a spokesman for Sophos, a company that sells software to protect against
malicious software and spam.
March 28, 2008
Filed at 11:50 a.m. ET
The New York Times
By THE ASSOCIATED PRESS
PORTLAND, Maine (AP) -- Hannaford Bros. Co. says unauthorized software
installed on the supermarket chain's internal servers enabled a massive data
breach that compromised up to 4.2 million credit and data cards.
The Maine-based grocer confirmed a report in The Boston Globe that it told
Massachusetts regulators this week about the link to the illicit computer
Hannaford spokeswoman Carol Eleazer said the company doesn't know how the
malicious software, known as malware, got on the servers.
The company has said that the data theft, which occurred between Dec. 7 and
March 10, happened as shoppers swiped their cards at checkout line machines and
the information was transmitted to banks for approval.
Filed at 10:53 a.m. ET
The New York Times
By THE ASSOCIATED PRESS
N.Y. (AP) -- MySpace.com has agreed with more than 45 states to add extensive
measures to combat sexual predators.
An official familiar with the multistate agreement said MySpace, the huge online
social networking Web site, has agreed to include several online protections and
participate in a working group to develop age-verification and other
The official said MySpace will also accept independent monitoring and changes to
the structure of its site.
The agreement is scheduled to be announced today in Manhattan by attorneys
general from New Jersey, North Carolina, Connecticut, Pennsylvania, Ohio and New
The official spoke on condition of anonymity because the agreement hadn't yet
The attorneys general have been seeking greater controls for online networking
sites to prevent sexual predators from using those sites to contact children.
There was no immediate comment from MySpace, a unit of News Corp.
Investigators have increasingly examined MySpace, Facebook.com and similar
social networking sites that allow people to post information and images on the
Web and invite contacts from others.
Last year, New York investigators said they set up Facebook profiles as 12- to
14-year-olds and were quickly contacted by other users looking for sex.
A multistate investigation of the sites -- announced last year -- was aimed at
putting together measures to protect minors and remove pornographic material,
but lawsuits were possible, officials said.
''We have to find the best way to make sure parents have the tools ... to
protect their children when they're on social networking sites,'' North Carolina
Attorney General Roy Cooper said in September.
By THE ASSOCIATED PRESS
Filed at 2:46 a.m. ET
The New York Times
(AP) -- A 27-year-old man described as one of the world's most prolific spammers
was arrested Wednesday, and federal authorities said computer users across the
Web could notice a decrease in the amount of junk e-mail.
Robert Alan Soloway is accused of using networks of compromised ''zombie''
computers to send out millions upon millions of spam e-mails.
''He's one of the top 10 spammers in the world,'' said Tim Cranton, a Microsoft
Corp. lawyer who is senior director of the company's Worldwide Internet Safety
Programs. ''He's a huge problem for our customers. This is a very good day.''
A federal grand jury last week returned a 35-count indictment against Soloway
charging him with mail fraud, wire fraud, e-mail fraud, aggravated identity
theft and money laundering.
Soloway pleaded not guilty Wednesday afternoon to all charges after a judge
determined that -- even with four bank accounts seized by the government -- he
was sufficiently well off to pay for his own lawyer.
He has been living in a ritzy apartment and drives an expensive Mercedes
convertible, said prosecutor Kathryn Warma. Prosecutors are seeking to have him
forfeit $773,000 they say he made from his business, Newport Internet Marketing
A public defender who represented him for Wednesday's hearing declined to
Prosecutors say Soloway used computers infected with malicious code to send out
millions of junk e-mails since 2003. The computers are called ''zombies''
because owners typically have no idea their machines have been infected.
He continued his activities even after Microsoft won a $7 million civil judgment
against him in 2005 and the operator of a small Internet service provider in
Oklahoma won a $10 million judgment, prosecutors said.
U.S. Attorney Jeff Sullivan said Wednesday that the case is the first in the
country in which federal prosecutors have used identity theft statutes to
prosecute a spammer for taking over someone else's Internet domain name. Soloway
could face decades in prison, though prosecutors said they have not calculated
what guideline sentencing range he might face.
The investigation began when the authorities began receiving hundreds of
complaints about Soloway, who had been featured on a list of known spammers kept
by The Spamhaus Project, an international anti-spam organization.
The Santa Barbara County, Calif., Department of Social Services said it was
spending $1,000 a week to fight the spam it was receiving, and other businesses
and individuals complained of having their reputations damaged when it appeared
spam was originating from their computers.
''This is not just a nuisance. This is way beyond a nuisance,'' Warma said.
Soloway used the networks of compromised computers to send out unsolicited bulk
e-mails urging people to use his Internet marketing company to advertise their
products, authorities said.
People who clicked on a link in the e-mail were directed to his Web site. There,
Soloway advertised his ability to send out as many as 20 million e-mail
advertisements over 15 days for $495, the indictment said.
The Spamhaus Project rejoiced at his arrest.
''Soloway has been a long-term nuisance on the Internet -- both in terms of the
spam he sent, and the people he duped to use his spam service,'' organizers
wrote on Spamhaus.org.
Soloway remained in federal detention pending a hearing Monday.
In their persistent quest to breach the Internet’s defenses, the bad guys are
honing their weapons and increasing their firepower.
With growing sophistication, they are taking advantage of programs that secretly
install themselves on thousands or even millions of personal computers, band
these computers together into an unwitting army of zombies, and use the
collective power of the dragooned network to commit Internet crimes.
These systems, called botnets, are being blamed for the huge spike in spam that
bedeviled the Internet in recent months, as well as fraud and data theft.
Security researchers have been concerned about botnets for some time because
they automate and amplify the effects of viruses and other malicious programs.
What is new is the vastly escalating scale of the problem — and the precision
with which some of the programs can scan computers for specific information,
like corporate and personal data, to drain money from online bank accounts and
“It’s the perfect crime, both low-risk and high-profit,” said Gadi Evron, a
computer security researcher for an Israeli-based firm, Beyond Security, who
coordinates an international volunteer effort to fight botnets. “The war to make
the Internet safe was lost long ago, and we need to figure out what to do now.”
Last spring, a program was discovered at a foreign coast guard agency that
systematically searched for documents that had shipping schedules, then
forwarded them to an e-mail address in China, according to David Rand, chief
technology officer of Trend Micro, a Tokyo-based computer security firm. He
declined to identify the agency because it is a customer.
Although there is a wide range of estimates of the overall infection rate, the
scale and the power of the botnet programs have clearly become immense. David
Dagon, a Georgia Institute of Technology researcher who is a co-founder of
Damballa, a start-up company focusing on controlling botnets, said the consensus
among scientists is that botnet programs are present on about 11 percent of the
more than 650 million computers attached to the Internet.
Plagues of viruses and other malicious programs have periodically swept through
the Internet since 1988, when there were only 60,000 computers online. Each
time, computer security managers and users have cleaned up the damage and
patched holes in systems.
In recent years, however, such attacks have increasingly become endemic, forcing
increasingly stringent security responses. And the emergence of botnets has
alarmed not just computer security experts, but also specialists who created the
early Internet infrastructure.
“It represents a threat but it’s one that is hard to explain,” said David J.
Farber, a Carnegie Mellon computer scientist who was an Internet pioneer. “It’s
an insidious threat, and what worries me is that the scope of the problem is
still not clear to most people.” Referring to Windows computers, he added, “The
popular machines are so easy to penetrate, and that’s scary.”
So far botnets have predominantly infected Windows-based computers, although
there have been scattered reports of botnet-related attacks on computers running
the Linux and Macintosh operating systems. The programs are often created by
small groups of code writers in Eastern Europe and elsewhere and distributed in
a variety of ways, including e-mail attachments and downloads by users who do
not know they are getting something malicious. They can even be present in
pirated software sold on online auction sites. Once installed on
Internet-connected PCs, they can be controlled using a widely available
communications system called Internet Relay Chat, or I.R.C.
ShadowServer, a voluntary organization of computer security experts that
monitors botnet activity, is now tracking more than 400,000 infected machines
and about 1,450 separate I.R.C. control systems, which are called Command &
The financial danger can be seen in a technical report presented last summer by
a security researcher who analyzed the information contained in a 200-megabyte
file that he had intercepted. The file had been generated by a botnet that was
systematically harvesting stolen information and then hiding it in a secret
location where the data could be retrieved by the botnet master.
The data in the file had been collected during a 30-day period, according to
Rick Wesson, chief executive of Support Intelligence, a San Francisco-based
company that sells information on computer security threats to corporations and
federal agencies. The data came from 793 infected computers and it generated
54,926 log-in credentials and 281 credit-card numbers. The stolen information
affected 1,239 companies, he said, including 35 stock brokerages, 86 bank
accounts, 174 e-commerce accounts and 245 e-mail accounts.
Sensor information collected by his company is now able to identify more than
250,000 new botnet infections daily, Mr. Wesson said.
“We are losing this war badly,” he said. “Even the vendors understand that we
are losing the war.”
According to the annual intelligence report of MessageLabs, a New York-based
computer security firm, more than 80 percent of all spam now originates from
botnets. Last month, for the first time ever, a single Internet service provider
generated more than one billion spam e-mail messages in a 24-hour period,
according to a ranking system maintained by Trend Micro, the computer security
firm. That indicated that machines of the service provider’s customers had been
woven into a giant network, with a single control point using them to pump out
The extent of the botnet threat was underscored in recent months by the
emergence of a version of the stealthy program that adds computers to the
botnet. The recent version of the program, which security researchers are
calling “rustock,” infected several hundred thousand Internet-connected
computers and then began generating vast quantities of spam e-mail messages as
part of a “pump and dump” stock scheme.
The author of the program, who is active on Internet technical discussion groups
and claims to live in Zimbabwe, has found a way to hide the infecting agent in
such a way that it leaves none of the traditional digital fingerprints that have
been used to detect such programs.
Moreover, although rustock is currently being used for distributing spam, it is
a more general tool that can be used with many other forms of illegal Internet
“It could be used for other types of malware as well,” said Joe Stewart, a
researcher at SecureWorks, an Atlanta-based computer security firm. “It’s just a
payload delivery system with extra stealth.”
Last month Mr. Stewart tracked trading around a penny stock being touted in a
spam campaign. The Diamant Art Corporation was trading for 8 cents on Dec. 15
when a series of small transactions involving 11,532,726 shares raised the price
of the stock to 11 cents. After the close of business that day, a Friday, a
botnet began spewing out millions of spam messages, he said.
On the following Monday, the stock went first to 19 cents per share and then
ultimately to 25 cents a share. He estimated that if the spammer then sold the
shares purchased at the peak on Monday he would realize a $20,000 profit. (By
Dec. 20, it was down to 12 cents.)
Computer security experts warn that botnet programs are evolving faster than
security firms can respond and have now come to represent a fundamental threat
to the viability of the commercial Internet. The problem is being compounded,
they say, because many Internet service providers are either ignoring or
minimizing the problem.
“It’s a huge scientific, policy, and ultimately social crisis, and no one is
taking any responsibility for addressing it,” said K. C. Claffy, a veteran
Internet researcher at the San Diego Supercomputer Center.
The $6 billion computer security industry offers a growing array of products and
services that are targeted at network operators, corporations and individual
computer users. Yet the industry has a poor track record so far in combating the
plague, according to computer security researchers.
“This is a little bit like airlines advertising how infrequently they crash into
mountains,” said Mr. Dagon, the Georgia Tech researcher.
The malicious software is continually being refined by “black hat” programmers
to defeat software that detects the malicious programs by tracking digital
Some botnet-installed programs have been identified that exploit features of the
Windows operating system, like the ability to recognize recently viewed
documents. Botnet authors assume that any personal document that a computer
owner has used recently will also be of interest to a data thief, Mr. Dagon
Serry Winkler, a sales representative in Denver, said that she had turned off
the network-security software provided by her Internet service provider because
it slowed performance to a crawl on her PC, which was running Windows 98. A few
months ago four sheriff’s deputies pounded on her apartment door to confiscate
the PC, which they said was being used to order goods from Sears with a stolen
credit card. The computer, it turned out, had been commandeered by an intruder
who was using it remotely.
“I’m a middle-aged single woman living here for six years,” she said. “Do I
sound like a terrorist?”
She is now planning to buy a more up-to-date PC, she said.
SAN FRANCISCO, Dec. 24 — Microsoft is facing
an early crisis of confidence in the quality of its Windows Vista operating
system as computer security researchers and hackers have begun to find
potentially serious flaws in the system that was released to corporate customers
late last month.
On Dec. 15, a Russian programmer posted a description of a flaw that makes it
possible to increase a user’s privileges on all of the company’s recent
operating systems, including Vista. And over the weekend a Silicon Valley
computer security firm said it had notified Microsoft that it had also found
that flaw, as well as five other vulnerabilities, including one serious error in
the software code underlying the company’s new Internet Explorer 7 browser.
The browser flaw is particularly troubling because it potentially means that Web
users could become infected with malicious software simply by visiting a
booby-trapped site. That would make it possible for an attacker to inject rogue
software into the Vista-based computer, according to executives at Determina, a
company based in Redwood City, Calif., that sells software intended to protect
against operating system and other vulnerabilities.
Determina is part of a small industry of companies that routinely pore over the
technical details of software applications and operating systems looking for
flaws. When flaws in Microsoft products are found they are reported to the
software maker, which then produces fixes called patches. Microsoft has built
technology into its recent operating systems that makes it possible for the
company to fix its software automatically via the Internet.
Despite Microsoft assertions about the improved reliability of Vista, many in
the industry are taking a wait-and-see approach. Microsoft’s previous operating
system, Windows XP, required two “service packs” issued over a number of years
to substantially improve security, and new flaws are still routinely discovered
by outside researchers.
On Friday, a Microsoft executive posted a comment on a company security
information Web site stating the company was “closely monitoring” the
vulnerability described by the Russian Web site. It permits the privileges of a
standard user account in Vista and other versions of Windows to be increased,
permitting control of all of the operations of the computer. In Unix and modern
Windows systems, users are restricted in the functions they can perform, and
complete power is restricted to certain administrative accounts.
“Currently we have not observed any public exploitation or attack activity
regarding this issue,” wrote Mike Reavey, operations manager of the Microsoft
Security Response Center. “While I know this is a vulnerability that impacts
Windows Vista, I still have every confidence that Windows Vista is our most
secure platform to date.”
On Saturday, Nicole Miller, a Microsoft spokeswoman, said the company was also
investigating the reported browser flaw and that it was not aware of any attacks
attempting to use the vulnerability.
Microsoft has spent millions branding the Vista operating system as the most
secure product it has produced, and it is counting on Vista to help turn the
tide against a wave of software attacks now plaguing Windows-based computers.
Vista is critical to Microsoft’s reputation. Despite an almost
four-and-a-half-year campaign on the part of the company, and the best efforts of
the computer security industry, the threat from harmful computer software
continues to grow. Criminal attacks now range from programs that steal
information from home and corporate PCs to growing armies of slave computers
that are wreaking havoc on the commercial Internet.
Although Vista, which will be available on consumer PCs early next year, has
been extensively tested, it is only now being exposed to the challenges of the
“I don’t think people should become complacent,” said Nand Mulchandani, a vice
president at Determina. “When vendors say a program has been completely
rewritten, it doesn’t mean that it’s more secure from the get-go. My expectation
is we will see a whole rash of Vista bugs show up in six months or a year.”
The Determina executives said that by itself, the browser flaw that was reported
to Microsoft could permit damage like the theft of password information and the
attack of other computers.
However, one of the principal security advances of Internet Explorer 7 is a
software “sandbox” that is intended to limit damage even if a malicious program
is able to subvert the operation of the browser. That should limit the ability
of any attacker to reach other parts of the Vista operating system, or to
However, when coupled with the ability of the first flaw that permits the change
in account privileges, it might then be possible to circumvent the sandbox
controls, said Alexander Sotirov, a Determina security researcher. In that case
it would make it possible to alter files and potentially permanently infect a
target computer. This kind of attack has yet to be proved, he acknowledged.
The Determina researchers said they had notified Microsoft of four other flaws
they had discovered, including a bug that would make it possible for an attacker
to repeatedly disable a Microsoft Exchange mail server simply by sending the
program an infected e-mail message.
Last week, the chief technology officer of Trend Micro, a computer security firm
in Tokyo, told several computer news Web sites that he had discovered an offer
on an underground computer discussion forum to sell information about a security
flaw in Windows Vista for $50,000. Over the weekend a spokesman for Trend Micro
said that the company had not obtained the information, and as a result could
not confirm the authenticity of the offer.
Many computer security companies say that there is a lively underground market
for information that would permit attackers to break in to systems via the