With their head in the clouds

 

by David Moss

 

October 2010

 

Updated November 2010, December 2010, January 2011, April 2011, May 2011, June 2011, July 2011, October 2011, November 2011, December 2011, January 2012, February 2012, March 2012, April 2012, May 2012, June 2012, August 2012, September 2012, November 2012, December 2012, January 2013, February 2013, March 2013, May 2013, June 2013, September 2013, October 2013, November 2013, December 2013, January 2014, February 2014, March 2014

 

Around about the Harvest Festival here in the UK there was a sudden crop of articles in the media about breaches of website security:

• Stuxnet Worm computer virus 'aims to sabotage Iran's nuclear plant', said the Times: "A computer virus that has infected more than 60,000 machines in Iran may be a sophisticated cyber-warfare attack on Iran’s clandestine nuclear arms programme".

• E-crime detectives as vital as bobbies on beat, said the Telegraph: "Online fraud generated £52 billion worldwide in 2007 – a staggering sum. We believe there is major under-reporting of all types of cyber crime".

• In the light of the ACS:Law leak, how safe is our data?, asked the Guardian:

Late on 24 September an archive containing thousands of emails from solicitors ACS:Law appeared on the internet ... This year the Information Commissioner's Office (ICO) was granted powers to levy fines of up to £500,000 for serious breaches of data protection 'principles'. This contrasts with the powers of the Financial Services Authority, who this summer levied a £2.27m fine on insurance firm Zurich for its failure to adequately protect customer data.

Nothing new, it's been going on for years.

Back in 2003, the BBC reported that a "computer hacker has gained access to more than 5 million Visa and Mastercard credit card accounts in the US".

You need a certain amount of expertise to carry out these crimes and luckily, if that's the word, the inventiveness of the free market being what it is, training is available: "the websites shared tips on how to commit fraud and provided a forum by which people could buy the information and tools they needed to commit such crime".

Which could account for the increase in the magnitude of cyber crime that we are seeing now: "Albert Gonzalez ... is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts".

It's not just banks and insurance companies and retailers and solicitors and Iranian power plants that are affected. So are UK government websites. Back in 2006, we read that:

Forty organised tax credit frauds involving the theft of thousands of identities and worth at least £5 million are being investigated by Revenue and Customs inspectors, it was disclosed yesterday ... This is the latest problem to hamper Gordon Brown's beleaguered tax credit scheme, which was criticised this week by an influential committee of MPs after it overpaid £4 billion to claimants in two years ... Richard Bacon, the Tory MP whose inquiries uncovered the illegal activities, said he understood that manufacturers and large retailers were targeted. People's identities were being stolen on 'an industrial scale' ...

What with the increase in supply, the price of stolen identities has collapsed.

In 2005, a chap could get $60 a pop:

Cummings, who worked for Teledata Communications - a New York-based software company which helps lenders access major credit databases - had access to clients' codes and passwords. He would steal people's credit reports and pass them on to an accomplice, who would sell them on and share the profits with Cummings. The stolen identities, bought by intermediaries for about $60 per name, were then used to access the victims' bank accounts and use their credit cards.

A year later, the Sunday Times told us that "the stolen identities of Britons – including their credit card details, home addresses and security passwords – are being sold on Russian websites for as little as £1 each".

You have to buy in bulk, of course, to get prices that low but, apparently, you can sometimes get your money back if you're not satisfied – this is a professional and mature business with standards to maintain, international brands to build, customer satisfaction to consider, loyalty and amour propre.

The police do have their successes. In 2005, they "smashed" a £25 million cheque fraud and they "foiled" a £220 million bank theft. Which is good but it's an uphill struggle when you consider the geo-political scale of the threat:

American officials have been holding secret talks with Russia and the United Nations in an attempt to strengthen internet security and rein in the growing threat of cyberwarfare ... The potential for online warfare has become a hot topic in recent years, after a string of major incidents. Large-scale cyberattacks took place during last year's conflict between Russia and Georgia while the Estonian government came grinding to a halt after an internet assault in 2007.

Wherever you see that a new application has been found for the web, you need to be sceptical.

One last example. Washington DC, for the most democratic of reasons, are trying to ensure that temporarily absent residents do not lose their vote. The proposed web-based voting system was "hijacked" by well-meaning (white hat) computer scientists who demonstrated how easily black hat hackers could take over and ensure the election result of their choice. The system has been scrapped. As a spokesman for the Washington DC Board of Elections and Ethics says: "This is an abundance-of-caution sort of thing".

Naturally the more punctilious website operators all proceed with an abundance of caution. They all conform to an alphabet spaghetti of security standards. But it doesn't seem to help – the general impression remains that if the hackers want to invade your website, they will, whoever you are.

Organisations which put their business applications and data on the web take part in what is known as "cloud computing". It follows from the evidence adduced above that anyone who can avoid putting their head in the clouds should avoid it, it is a dangerous thing to do, imprudent and inadvisable. Contra-indicated. Deprecated ...

Cloud computing sounds modern and exciting and is often promoted as efficient and green and it sounds Luddite to attack it but just how modern, excited, efficient and green will you feel when your bank account details are sold for £1 and all your money disappears?

And with that question, finally, we get to the point, which is that the UK government is currently considering civil service proposals – the G-Digital Programme – to rain down public services on us from a G-Cloud.

There are 10 million people in the UK who, God bless them, have never used the web. That's 10 million people who would be excluded by the G-Digital Programme. It is dangerous to put public services on the web. And, arguably, pointless – they won't reach the people who need them most.

It is to be hoped that Rt Hon Francis Maude MP, Cabinet Office Minister, will keep the G-Cheque book securely locked in his G-Plan desk.

Whatever else you may say about Mr Maude, he is not Tony Blair.

The Cabinet Office promised the credulous Mr Blair four years ago that they would transform government if only he gave them all the Christmas presents they asked for. Which he did and yet there is nothing to show for their promises today, there is no reason to give them a second chance, we know they can't deliver, they've proved it.

And that's just as well, as we would all promptly be defrauded if they ever did deliver, and the country would be brought to a halt by any of our enemies who could be bothered.


29 September 2008: Cloud computing is a trap, warns GNU founder Richard Stallman:

"It's stupidity. It's worse than stupidity: it's a marketing hype campaign" ... The 55-year-old New Yorker said that computer users should be keen to keep their information in their own hands, rather than hand it over to a third party.

His comments echo those made last week by Larry Ellison, the founder of Oracle, who criticised the rash of cloud computing announcements as "fashion-driven" and "complete gibberish".

"The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do," he said. "The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"

29 March 2009: Spy chiefs fear Chinese cyber attack:

INTELLIGENCE chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.

They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.

The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China ...

Ministers expressed concern that replacing the Chinese components with British parts would clash with government policy on competition.

8 March 2010: Cyberwar declared as China hunts for the West’s intelligence secrets:

Urgent warnings have been circulated throughout Nato and the European Union for secret intelligence material to be protected from a recent surge in cyberwar attacks originating in China.

The attacks have also hit government and military institutions in the United States, where analysts said that the West had no effective response and that EU systems were especially vulnerable because most cyber security efforts were left to member states.

Nato diplomatic sources told The Times: "Everyone has been made aware that the Chinese have become very active with cyber-attacks and we’re now getting regular warnings from the office for internal security." The sources said that the number of attacks had increased significantly over the past 12 months, with China among the most active players.

In the US, an official report released on Friday said the number of attacks on Congress and other government agencies had risen exponentially in the past year to an estimated 1.6 billion every month.

10 October 2010: Worm cripples Iran nuclear plant:

For decades the possibility of a cyberwar has fascinated experts. After land, sea and air engagements, battles in cyberspace could require the rewriting of military doctrines for an era in which a country could be brought to its knees by a few strokes of a laptop. That moment appears to have arrived.

According to security experts, a computer worm that has infested Iran’s Bushehr nuclear plant was launched by another state. It has disrupted the production of nuclear material, proving that a cybermissile can have as much impact as an airstrike.

13 October 2010: UK infrastructure faces cyber threat, says GCHQ chief:

The UK's critical infrastructure - such as power grids and emergency services - faces a "real and credible" threat of cyber attack, the head of GCHQ says.

The intelligence agency's director Iain Lobban said the country's future economic prosperity rested on ensuring a defence against such assaults.

4 November 2010: Europe attacks itself in cyber-warfare test – As OECD admits major security fail:

... it emerged today that the Organisation for Economic Co-operation and Development (OECD), said it had been under sustained cyber attack for the last few months and is still battling to get its computers cleaned up.

OECD spokesman Stephen Di Biasio told EUobserver that the organisation had a team trying to close entry points, but wasn't able to definitely say that hackers were not still accessing its systems.

He said: "What we know is it's quite a sophisticated attack. We've got quite high levels of security protocols at the OECD and this has been able to bypass those security measures ..."

8 November 2010: Royal Navy website infiltrated by computer hacker:

The navy's website was shut down this morning after a self-confessed security enthusiast claimed to have hacked into the site and its databases.

In a new post on his blog the hacker, a Romanian national known only as TinKode, claims to have penetrated the security of the navy's site late on Friday night.

The shocking breach comes just weeks after the coalition Government announced plans to make countering cyber-terrorism a major defence priority.

18 November 2010: China 'hijacks' 15 per cent of world's internet traffic:

China "hijacked" 15 per cent of the world's internet traffic for 18 minutes earlier this year, including highly sensitive email exchanges between senior US government and military figures, a report to the US Congress said.

20 November 2010: Government services to be online-only:

Britons will be forced to apply online for government services such as student loans, driving licences, passports and benefits under cost-cutting plans to be unveiled this week.

Officials say getting rid of all paper applications could save billions of pounds. They insist that vulnerable groups will be able to fill in forms digitally at their local post offices.

29 November 2010: US embassy cables: The background:

The latest batch of documents to be released by Wikileaks is made up of diplomatic messages sent from US embassies around the world.

The whistle-blowing website says it has obtained more than 250,000 cables passed between the US State Department and hundreds of American diplomatic outposts - but it has so far only published a small sample of those messages.

9 December 2010: Hackers hit Mastercard and Visa over Wikileaks row:

Hackers have attacked the websites of credit card giants Mastercard and Visa.

The attacks came after the Anonymous group of hackers pledged to pursue firms that have withdrawn services from Wikileaks.

Mastercard payments were disrupted but the firm said there was "no impact" on people's ability to use their cards.

Visa's website also experienced problems. The attacks came after both companies stopped processing payments to the whistle-blowing site.

13 December 2010: Gawker falls victim to hackers:

Quarter of a million passwords published and Twitter feed used to taunt 'arrogant' management in audacious security breach.

The 24-hour attack penetrated deep into Gawker's computer systems, shattering its security shield and catching its executives off guard.

13 December 2010: WikiLeaks: government websites could be hacked in revenge attacks:

Websites holding the personal data of British taxpayers could be targeted by the computer hackers who are attacking organisations seen as enemies of WikiLeaks, the national security adviser has warned.

Sir Peter Ricketts told senior civil servants that Whitehall should be prepared to come under fire from "hacktivists" angry at British authorities over the arrest of Julian Assange, the anti-secrecy site's editor ...

He said there was particular concern about sites belonging to the Department for Work and Pensions, which holds information on benefits claimants, and HMRC, which has data on all taxpayers.

20 December 2010: Hackers leak e-mail account details of government and defence staff:

The e-mail account details of government officials, civil servants and defence company staff have been leaked online after computer hackers attacked a prominent group of gossip and news websites, a Times investigation shows.

The work e-mail addresses and passwords of senior staff at the Crown Prosecution Service, officials at the Charity Commission and employees of BAE Systems are among those in a file of more than one million user names that is circulating online, putting highly sensitive correspondence at risk.

The leaked details belong to people who used their work e-mail to access websites run by the Gawker Media group, founded by Nick Denton.

20 December 2010: English Defence League donor details 'stolen' after database hacked:

Supporters of the English Defence League (EDL) are facing potential embarrassment after a database containing their personal details was hacked into.

Police are believed to be investigating the security breach, which also included the far-Right group’s payment system being illegally accessed.

Amid fears of violence toward members, the EDL said it will support vulnerable people. They also urged members to change their online shopping details after concerns were raised that they would be published on the internet.

29 December 2010: Gawker was hacked six months ago, say sources close to Gnosis:

Hackers had access to the gossip site Gawker's content management system (CMS) and password files for around six months, rather than the few days suggested by the company, the Guardian has learnt from sources connected to the break-in ...

The hacking of Gawker and its associated sites led to the usernames, email addresses and passwords of 1.3 million registered users of the sites being made available – among them, those for Gawker staff including its chief Nick Denton ...

The Guardian's sources insist that the Gnosis attack was not a short-term thing. "They didn't just crack it in a day, they spent a fair bit of time working on it and they had full access for at least a month. Mind you, when the database leak rumour was going around, Gawker publicly announced that they weren't compromised. Either they were lying to the public and trying to fix the hole, or they didn't even notice Gnosis in there – given the proper tools it's very easy to hide yourself on a Linux system."

9 January 2011: Army adds cyberattack to arsenal:

“In the future I don’t think state-to-state warfare will start in the way it did even 10 years ago,” he said.

“It will be cyber or banking attacks — that’s how I’d conduct a war if I was running a belligerent state or a rebel movement. It’s semi-anonymous, cheap and doesn’t risk people.”

The first known incidence of state-to-state cyberattacks came in Estonia in 2007 when Russia caused chaos in the tiny Baltic state by disabling the websites of government ministries, political parties, newspapers, banks and companies in retaliation for the removal of a Soviet war memorial in Tallinn, the capital. Estonia has mobilised a cyberdefence league to protect itself.

Moscow used the same tactic the following year during the Russian invasion of Georgia. It disabled government and commercial computer systems.

More damaging still was the Stuxnet computer worm that was used to attack the Iranian nuclear programme in 2009. It disabled hundreds of centrifuges used to enrich uranium for possible use in weapons.

14 January 2011: Reducing Systemic Cybersecurity Risk (pp.8-9):

Three current trends in the delivery of ICT services give particular concern:

• World Wide Web portals are being increasingly used to provide critical Government-to-citizen and Government-to-business facilities. Although these potentially offer cost savings and increased efficiency, over-dependence can result in repetition of the problems faced by Estonia in 2007.

• A number of OECD governments have outsourced critical computing services to the private sector; this route offers economies and efficiencies but the contractual service level agreements may not be able to cope with the unusual quantities of traffic that occur in an emergency.

• Cloud computing also potentially offers savings and resilience; but it also creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or the supplier is in financial difficulties.

17 January 2011: Security & Resilience in Governmental Clouds:

7. ... The cloud computing business model, on the one hand, has the potential to offer public administrations substantial benefits and improvements over current IT provisioning ...

On the other hand, it still shows weaknesses and exposures to significant threats that could undermine the full exploitation of all the benefits that such a model could offer. Weaknesses and threats are mainly linked to the lack of governance and control over IT operations and the potential lack of compliance with laws and regulations ...

The public cloud option is already able to provide a very resilient service with an associated satisfactory level of data assurance and is the most cost effective. Moreover public cloud offers potentially the highest level of service availability, but due to the current regulatory complexity of intra-EU and extra-EU trans-border data transfer, its adoption should be limited to non-sensitive or non critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy.

20 January 2011: Carbon trade cyber-theft hits €30m:

Cyber-thieves have stolen as much as €30m in carbon allowances from the European Union’s emissions trading system, authorities said, as exchanges across Europe halted trading on Thursday.

Exchanges including ICE Futures Europe, Nasdaq OMX Commodities Europe and London-based LCH.Clearnet stopped trading of emissions contracts, which are central to the bloc’s fight against global warming.

21 January 2011: Lush hackers cash in on stolen cards:

Cyber thieves are cashing in after stealing credit cards in a hack attack on the website of cosmetics firm Lush.

The online shop was shut down on 21 January and its home page replaced with a message revealing the attack.

Lush said anyone who placed an online order between 4 October and 20 January should contact their bank in case their card details had been compromised.

26 January 2011: Facebook's Mark Zuckerberg 'attacked by hackers':

Last night Zuckerberg’s fan page on the website was attacked by hackers, who took over his page and posted the following message, pretending to be him...

The hacker attack comes just days after French President Nicolas Sarkozy’s Facebook account was also breached.

31 January 2011: British and US stock exchanges fend off cyber raids:

Stock exchanges in Britain and the US have turned to the security services for help after discovering they were the victims of terrorist plots and attempted cyber attacks that aimed to spread panic in leading global financial markets.

4 April 2011: Epsilon email hack: millions of customers' details stolen:

Computer hackers have stolen the names and email addresses of millions of people in one of the largest internet security breaches in US history.

26 April 2011: PlayStation Network hackers access data of 77 million users:

Sony has warned that the names, addresses and other personal data of about 77 million people with accounts on its PlayStation Network (PSN) have been stolen.

3 May 2011: Sony says 25m more users hit in second cyber attack:

Sony said hackers have stolen the personal information from a further 25m users in a second massive breach of its online games system ... The theft comes on top of the 77 million PlayStation accounts taken in a cyberattack revealed last week.

26 May 2011: China admits training cyberwarfare elite unit:

China today admitted for the first time the existence of a super-elite unit of cyberwarriors – a team supposedly trained to protect the People’s Liberation Army from outside assault on its networks.

The revelation of the 30-strong crack unit, known as the “Blue Army” ...

29 May 2011: Lockheed Martin computers under 'significant attack':

In what appeared to be one of the most audacious acts of cyber-warfare conducted so far, the breach came against a backdrop of repeated attempts by rivals of the US, chiefly China and Russia, to infiltrate information networks and glean details of major weapons systems.

31 May 2011: Cyber weapons 'now integral part of Britain's armoury':

A "toolbox" of offensive cyber weapons is being assembled to fight hackers targeting military facilities, secret databases, critical emergency services and Whitehall departments.

1 June 2011: Google phishing: Chinese Gmail attack raises cyberwar tensions:

Tensions between the US, UK and China over the issue of cyber-attacks were set to escalate after it emerged that Chinese hackers have stolen the login details of hundreds of senior US and South Korean government officials as well as Chinese political activists.

1 June 2011: US could respond to cyber-attack with conventional weapons:

In an effort to lay down military guidelines for the age of internet warfare, President Barack Obama's administration has been formalising rules on cyberspace amid growing concern about the reach of hackers.

Defence company Lockheed Martin, the biggest supplier to the Pentagon, admitted over the weekend that its computer networks had been subjected to a sustained attack, though it said security had not been seriously compromised.

The White House's strategy statement on cybersecurity said the United States "will respond to hostile acts in cyberspace as we would to any other threat to our country".

12 June 2011: IMF hit by cyber attack from unknown nation state:

The International Monetary Fund has been the target of a significant and sustained cyber attack by hackers working on behalf of a nation state aiming to establish a “digital insider presence” on its network.

16 June 2011: LulzSec hackers claim breach of CIA website:

The CIA has become the latest target of self-styled "pirate ninja" hackers LulzSec.

The Central Intelligence Agency website was unavailable for a few minutes on Wednesday evening as the group announced the attack via Twitter: "Tango down – cia.gov – for the lulz".

"We are looking into these reports," a CIA spokeswoman said.

The hackers, who describe themselves as "the world's leaders in high-quality entertainment at your expense", have gained international notoriety this month with a series of security breaches.

Over the weekend LulzSec broke into a public website of the US Senate and released data stolen from the legislative body's computer servers.

Last week they hacked the website of an unnamed NHS organisation – one of England's primary care trusts. The Department of Health said no patient's medical records were accessed during the incident, which it described as "a local issue" and "quite a low-level" lapse in IT security.

Earlier this month LulzSec broke into the website of Sony Pictures Entertainment and exposed information from 37,000 users, including names, passwords, birthdates and email addresses. It also hacked into a webserver belonging to Nintendo in the US.

The name of the group is derived from "LOL" (laugh out loud) and "security".

In Malaysia, at least 51 state-linked websites have been hit by cyber-attacks in recent days, the country's telecommunications regulator has confirmed.

The sites are believed to have been targeted by the Anonymous group of hackers, who had threatened to disrupt Malaysian sites in protest at a crackdown on entertainment piracy.

5 July 2011: Government backs international cybercrime agency:

The International Cybercrime Security Protection Alliance (ICSPA) will be a coalition of businesses, the Government and international police forces such as Europol. Chaired by David Blunkett, the former Home Secretary, the new body aims to stem the exponential growth of cybercrime, which it is estimated will cost the UK £27 billion this year.

12 July 2011: Hackers steal 90,000 email addresses in cyber attack on US military contractor Booz Allen Hamilton:

An arm of the online collective Anonymous said it had broken into the computer systems of Booz Allen Hamilton and then posted the details on the internet ...

The hackers also wiped out four gigabytes of Booz Allen source code in an attack they called “Military Meltdown Monday.”

The group said: “We infiltrated a server on their network that basically had no security measures in place.”

Booz Allen provides technological services including cyber-security consulting to the military and other US government agencies ...

14 July 2011: Pentagon Tries to Lean Forward in Cyberdefense:

Aviation Week also reported that [Deputy Defense Secretary William Lynn] said one U.S. weapon system under development may have to undergo redesign following a cyber breach in March. He did not identify the system. More than 24,000 files containing an unspecified but large amount of data were copied from a defense contractor’s internal databases, according to Lynn. Whether and how much redesign will be necessary is still being studied.

15 July 2011: US forced to redesign secret weapon after cyber breach:

The United States may be forced to redesign an unnamed new weapon system now under development – because tech specs and plans were stolen from a defence contractor's databases.

15 July 2011: Pentagon reveals 24,000 files stolen in cyber-attack:

The Pentagon has disclosed that it suffered one of its largest ever losses of sensitive data in March when 24,000 files were stolen in a cyber-attack by a foreign government.

25 July 2011: Anonymous hacks Italy's critical-national-IT protection:

Hacktivists have posted "secret documents" stolen from an Italian cybercrime unit.

The documents – 8GB of files – were extracted from a system maintained by the Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche (CNAIPIC), the organisation charged with guarding the country's critical IT infrastructure.

25 July 2011: Head fed cyberspook resigns abruptly:

The head of a group that helps the federal government ward off computer attacks abruptly resigned Friday, amid a spate of high-profile assaults hitting government agencies and contractors.

The departure of US Computer Emergency Readiness Team director Randy Vickers was first reported Monday by InformationWeek, which cited an internal email sent to US-CERT staff. The email gave no reason for the resignation, which is effective immediately.


Over the past six months, security breaches have hit a variety of government contractors and partners, including Lockheed Martin, L3 Communications, and affiliates of the FBI. Attacks have also successfully targeted the CIA, the US Senate, and the Oak Ridge National Laboratory.

1 August 2011: LulzSec hacking: teenager ‘had cache of 750,000 passwords’:

Jake Davis, 18, used a network of 16 machines at his home in the Shetland Islands, prosecutors said this morning. The information held on the network included web log-in details of hundreds of thousands of people, it is alleged ...

In June, Ryan Cleary, a 19-year-old from Wickford in Essex, was also charged in relation to the attack on Soca's website. A further arrest, of a 16-year-old boy from south London, followed in July. He was released on police bail pending further inquiries.

1 October 2011: Flaw in software puts online savers at risk:

Millions of online banking customers are at risk of fraud because of a "fundamental" flaw in key security software, The Times has learnt.

Major British banks, including HSBC and Santander, strongly advise customers to install specialist software called Trusteer Rapport in order to protect themselves from fraudsters when logging into banking websites ...

Times Money has seen evidence that the software's keylogger protections — designed to prevent fraudsters recording users' login and credit card details — can be hacked by computer security specialists with "minimal effort" in less than a minute ...

Neil Kettle, a computer security researcher who discovered the problem, says that it was "almost inevitable" that criminals would start exploiting the weakness, particularly because the software allows them to identify online banking customers.

19 October 2011: Stuxnet-based cyber espionage virus targets European firms:

... while Stuxnet was created to cause physical damage to Iran’s uranium enrichment facilities by surreptitiously adjusting machinery, Duqu is an intelligence-gathering tool.

The new virus’ precise targets have not been disclosed, but they include European firms that make the software that controls power stations and other industrial facilities. By infiltrating their computer networks, it aims to steal confidential information and potentially reveal vulnerabilities that could be exploited in later attacks.

27 October 2011: Chinese hackers suspected of interfering with US satellites:

Chinese hackers are suspected of having interfered with the operation of two US government satellites on four occasions via a ground station, according to a report being prepared for the US Congress.

31 October 2011: Strong protection is vital to keep a force for good:

The volume of e-crime and attacks on government and industry systems continue to be disturbing. I can attest to attempts to steal British ideas and designs — in the IT, technology, defence, engineering and energy sectors, as well as other industries — to gain commercial advantage or to profit from secret knowledge of contractual arrangements. Such intellectual property theft doesn’t just cost the companies concerned: it represents an attack on the UK’s continued economic wellbeing.

We are also aware of similar techniques being employed to try to acquire sensitive information from British government computer systems, including one significant (but unsuccessful) attempt on the Foreign Office and other government departments this summer.

Criminals are using cyberspace to extort money and steal identities, as well as exploit the vulnerable. Increasingly sophisticated techniques target individuals. We are witnessing the development of a global criminal market place — a parallel black economy where cyber dollars are traded in exchange for UK citizens’ credit card details ...

Iain Lobban is the Director of GCHQ

20 November 2011: Cyber-attack claims at US water facility:

US homeland security and FBI officials are investigating an apparent cyber-attack on a water utility near Springfield, Illinois.

The attack may have been the cause of a water pump shutdown, and could be the first case of foreign hackers successfully targeting a US industrial facility.

US press reported that the company's database was compromised with hackers retrieving the supervisory control and data acquisition (Scada) software. During the attack the Scada system was turned on and off, burning out the water pump.

21 November 2011: Lockheed Martin set to open British cyber security division:

The world’s largest defence company is to establish a cyber security division in Britain to counter the growing threat from digital attacks.

Lockheed Martin will open its Security Intelligence Centre at Farnborough in Hampshire next week and expects to employ up to 300 people there by 2015.

The American company is hoping to challenge rivals such as BAE Systems, EADS and Thales, which already provide cyber protection in the UK.

Cyber attack has been identified as one of the four most serious threats to national security as amateur hackers and criminal gangs, as well as nations, look to exploit system weaknesses.

According to a recent report from the Cabinet Office, cyber crime costs British business about £21 billion a year.

25 November 2011:

UK cyber security strategy due to be unveiled
UK cyber crime unit to launch attacks on ‘enemies’
GCHQ to sell off spy expertise
GCHQ to offer British firms expertise in cybercrime

24 December 2011: Hidden Dragon: The Chinese cyber menace:

Cybercrooks and patriotic state-backed hackers in China are collaborating to create an even more potent security threat, according to researchers ...

The Wall Street Journal reported last Tuesday that US authorities have managed to trace several high-profile hacking attacks, including assaults against RSA Security and defence contractor Lockheed Martin, back to China. Information obtained during an attack on systems behind RSA's SecurID tokens was later used in a failed attack against Lockheed Martin.

25 December 2011: Hackers 'steal US data in Christmas-inspired assault':

Hackers with the loose-knit movement "Anonymous" have claimed to have stolen a raft of emails and credit card data from US-based security think tank Stratfor, promising it was just the start of a weeklong, Christmas-inspired assault on a long list of targets ...

Hours after publishing what it claimed was Stratfor's client list, Anonymous tweeted a link to encrypted files online. It said the files contained 4,000 credit cards, passwords and home addresses belonging to individuals on the think tank's private client list.

8 January 2012: Hackers expose defence and intelligence officials in US and UK:

Thousands of British email addresses and encrypted passwords, including those of defence, intelligence and police officials as well as politicians and Nato advisers, have been revealed on the internet following a security breach by hackers.

Among the huge database of private information exposed by self-styled "hacktivists" are the details of 221 British military officials and 242 Nato staff. Civil servants working at the heart of the UK government – including several in the Cabinet Office as well as advisers to the Joint Intelligence Organisation that acts as the prime minister's eyes and ears on sensitive information – have also been exposed.

The exposure of the database came after hackers – who are believed to be part of the Anonymous group – gained unauthorised access over Christmas to the account information of Stratfor ...

16 January 2012: Israel hit by cyber-attacks on stock exchange, airline and banks:

Hackers disrupted online access to the Tel Aviv stock exchange, El Al airlines and three banks on Monday, in what the government described as a cyber-offensive against Israel.

The attacks came just days after an unidentified hacker, proclaiming Palestinian sympathies, posted the details of thousands of Israeli credit card holders and other personal information on the internet in a mass theft.

Stock trading and El Al flights operated normally despite the disruption, which occurred as Israeli media reported that pro-Palestinian hackers had threatened at the weekend to shut down the Tase stock exchange and airline websites.

While apparently confined to areas causing only limited inconvenience, the attacks have caused particular alarm in a country that depends on high-tech systems for much of its defence against hostile neighbours. Officials insist, however, that they pose no immediate security threat ...

3 February 2012: Anonymous spies on FBI / UK Police hacking investigation conference call:

A recording of a confidential conference call between the FBI and UK law enforcement officers at the Metropolitan Police has been released by Anonymous on the internet.

The inference has to be that hackers were able to secretly access the call because they have compromised a police investigator's email account.

7 March 2012: LulzSec leader Sabu was working for us, says FBI:

The world's most notorious computer hacker has been working as an informer for the FBI for at least the last six months, it emerged on Tuesday, providing information that has helped contribute to the charging of five others, including two Britons, for computer hacking offences.

11 March 2012: Chinese steal jet secrets from BAE:

CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed. The Chinese have exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the £200 billion F-35 Joint Strike Fighter (JSF), a multinational project to create a plane that will give the West air supremacy for years to come, according to the sources. The attack has prompted fears that the jet’s radar capabilities could have been compromised.

27 March 2012: NSA Chief: China Behind RSA Attacks:

China is stealing a "great deal" of military-related intellectual property from the United States and was responsible for last year's attacks against cybersecurity company RSA, U.S. Cyber Command commander and National Security Agency director Gen. Keith Alexander told the Senate Armed Services Committee on Tuesday ...

"The ability to do it against a company like RSA is such a high-order capability that, if they can do it against RSA, that makes other companies vulnerable ..."

31 March 2012: Hackers steal details of millions of credit cards:

Hackers have stolen the details of millions of credit cards in the US, exposing customers of Visa, Mastercard and American Express to fraud.

The US Secret Service confirmed it was investigating a major cyber intrusion at Processor Global Payments, an Atlanta-based payment processor which said it had discovered “unauthorised access” on its system early this month ...

Individual banks and processors said they had not yet determined the full extent of the breach, but the blog Krebs on Security, which first reported the breach, said it was “massive” and could affect more than 10 million cardholders.

11 April 2012: comment on DMossEsq blog

A comment kindly posted on the DMossEsq blog brings attention to a paper on cyberwarfare written by Dr Thomas Rid, Reader in the Department of War Studies at King's College London. According to Dr Rid in his February 2012 paper Cyber War Will Not Take Place, cyber attacks do not amount to acts of war. Sabotage, espionage and subversion – yes. But not war. Dr Rid also downplays the impact of distributed denial of service attacks (DDoS) such as those carried out by Anonymous. Are we all talking nonsense when we talk about the dangers of cyberwar/sabotage/espionage/subversion? No. Dr Rid gives the following example of the consequences of defective web security:

... A second example is Anonymous’ perhaps most striking operation, a devastating assault on HBGary Federal, a technology security company. HBGary’s clients included the US government and companies like McAfee. The firm with the tag-line detecting tomorrow’s malware today had analyzed GhostNet and Aurora, two of the most sophisticated known threats. In early February 2011, Aaron Barr, then its chief executive officer (CEO), wanted more public visibility and announced that his company had infiltrated Anonymous and planned to disclose details soon. In reaction, Anonymous hackers infiltrated HBGary’s servers, erased data, defaced its website with a letter ridiculing the firm with a download link to a leak of more than 40,000 of its emails to The Pirate Bay, took down the company’s phone system, usurped the CEO’s twitter stream, posted his social security number, and clogged up fax machines. Anonymous activists had used a number of methods, including SQL injection, a code injection technique that exploits faulty database requests. ‘You brought this upon yourself. You’ve tried to bite the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face’, said the letter posted on the firm’s website. The attack badly pummeled the security company’s reputation.

15 April 2012: How tiny Estonia stepped out of USSR's shadow to become an internet titan:

Some revisionism going on here?

In 2007, the government infuriated its Russian-speaking minority by moving a Soviet war memorial from central Tallinn to a cemetery on the city's outskirts. Violence flared on the streets, and later reached the internet. The first cyberattack was simplistic, and easily dealt with: thousands of unknown individuals bombarding government, media and banking websites with "denial of service" (DoS) attacks.

"It was like an internet riot," said Hillar Aarelaid, who led Estonia's response, at the time.

But what started as an emotional backlash soon became a far larger, longer and better co-ordinated assault on Estonia's very being.

It lasted three weeks and could only be contained by restricting internet traffic in and out of the country. It was, in effect, a cybersiege.

"This is how a lot of myths were created," remembered Pärgmäe. "Those outside the country couldn't access Estonian websites, but they didn't realise that people inside still could."

Rumours circulated about the collapse of the Estonian online banking system, and how people were struggling to buy groceries. "But actually the longest downtime for a bank's website was just one and a half hours."

23 April 2012: Iranian oil ministry hit by cyber-attack:

Iran's oil ministry has called a crisis meeting after its main website and internal communications system were hit by an apparent cyber-attack that forced authorities to cut off the country's oil export terminal from the internet.

Local news agencies reported on Monday that a virus had struck the computer and communication systems of Iran's main oil export facilities on Kharg Island as well as the internal network and the websites of its oil ministry and subsidiary organisations.

3 May 2012: Attack takes Soca crime agency website down:

The website of the UK's Serious Organised Crime Agency (Soca) has been taken offline following a cyber-attack.

Soca confirmed to the BBC that soca.gov.uk had suffered a Distributed Denial of Service (DDoS) attack.

A spokesman said the site was taken offline at 22:30 on Wednesday, but that the attack did not "pose a security risk to the organisation".

Soca has recently shut down 36 websites believed to be selling stolen credit card information.

3 May 2012: Hackers have breached top secret MoD systems, cyber-security chief admits:

Computer hackers have managed to breach some of the top secret systems within the Ministry of Defence, the military's head of cyber-security has revealed.

Major General Jonathan Shaw told the Guardian the number of successful attacks was hard to quantify but they had added urgency to efforts to beef up protection around the MoD's networks.

"The number of serious incidents is quite small, but it is there," he said. "And those are the ones we know about. The likelihood is there are problems in there we don't know about."

Government computer systems come under daily attack, but though Shaw would not say how or by whom, this is the first admission that the MoD's own systems have been breached.

28 May 2012: Computer worm that hit Iran oil terminals 'is most complex yet':

A cyber-attack that targeted Iran's oil ministry and main export terminal was caused by the most sophisticated computer worm yet developed, experts have warned ...

Orla Cox, a senior analyst at Symantec, the international computer security firm, said: "I would say that this is the most sophisticated threat we have ever seen" ...

Analysis now shows that the worm has been around, undetected, for at least two years, and experts are confident it was responsible for the disruption to Iran's oil industry last month.

According to reports, the cyber-attack forced Iran to convene a "crisis committee" that ordered the disconnection of six of its main oil terminals from the internet, to stop the worm spreading.

The Iranian Students' News Agency said that the virus had successfully erased information on hard disks at the oil ministry's headquarters.

Though the oil ministry insisted that the worm had been contained and that no significant data had been erased, the likelihood is that W32.Flamer had been inside the network for many months and may already have completed its primary mission. Cox said the worm was designed to gather and send information covertly – unlike Stuxnet, which was built to identify and destroy equipment.

"Once the attacker has that level of access, then all bets are off," she said. "Once the worm has infected a system, it would be possible to add new commands over time, to add an element of disruption" ...

1 June 2012: US role in cyber attack on Iran nuclear plant revealed:

A computer worm designed to cripple Iran’s uranium enrichment programme was the result of a joint operation between the US National Security Agency and a secret Israeli cyberwarfare unit, American officials have confirmed for the first time.

The officials, interviewed by a reporter from the New York Times, say that the Stuxnet worm was originally commissioned by President Bush but has been enthusiastically embraced by his successor, Barack Obama.

7 June 2012: LinkedIn passwords leaked by hackers:

Social networking website LinkedIn has said some of its members' passwords have been "compromised" after reports that more than six million passwords had been leaked onto the internet.

Hackers posted a file containing encrypted passwords onto a Russian web forum.

They have invited the hacking community to help with decryption.

7 June 2012: eHarmony, Last.fm hit by same hackers that leaked LinkedIn passwords:

Internet dating mainstay eHarmony bills itself the "No 1 Most Trusted Dating Site," but the company confirmed Thursday that an unspecified number of its users' passwords were compromised and allegedly posted to a hacker network this week.

Hours later the music website Last.fm announced that it, too, is investigating the leak of "some" of its members' passwords.

11 June 2012: Flame and Stuxnet virus makers 'co-operated at least once':

The new findings reveal that the teams shared source code of at least one module prior to 2010. “What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

17 June 2012: Frustrated firms go on the offensive against hackers:

AMERICAN companies under siege from hackers are increasingly taking “retaliatory action” against their assailants, cyber experts claim.

Frustrated by their inability to stop breaches or use the law to punish attackers, a number are using “active defence” or “strike back” reprisals, which range from steps to distract and delay a hacker to more radical measures.

5 August 2012: Iranian state goes offline to dodge cyber-attacks:

Iran is to move key ministries and state bodies off the worldwide internet next month in an effort to shield them behind a secure computer wall from disruptive cyber attacks like the Stuxnet and Flame viruses.

14 September 2012: UK boffins get £3.8m pot to probe 'science of cyber-security':

GCHQ, the UK's nerve-centre for eavesdropping spooks, has established what's billed as Blighty's first academic research institute to investigate the "science of cyber security".

The lab - which was set up with the Research Councils' Global Uncertainties Programme and the government's Department for Business, Innovation and Skills - is a virtual organisation involving several universities ...

21 September 2012: Chinese hacktivists launch cyber attack on Japan:

Chinese hackers have taken up cyber arms and followed up widespread anti-Japan protests in the People’s Republic over a set of disputed islands by attacking at least 19 Japanese government and other web sites ...

Things got even worse for the Tokyo Institute of Technology, whose site was defaced and endured an attack that saw names and telephone numbers of over 1,000 members of staff leaked.

23 September 2012: The internet in pieces:

New evidence that Iran is following through on its dramatic plan to move large parts of its networked computer systems off the web reflects how the global struggle for the internet has reached a new intensity over the last 12 months ...

Two months ago the situation had become sufficiently grave to lure Jonathan Evans, the head of MI5, out of his traditional obscurity. "The extent of what's going on is astonishing with industrial scale processes involving many thousands of people" he said, pointing out that one British company had lost a staggering £800m as a consequence of a recent hack.

31 October 2012: One million Facebook users' names and email addresses: $5:

Name and email addresses of Facebook users are available online at prices as low as $5 per million.

The dodgy trade was uncovered by Bogomil Shopov, an internet marketeer and blogger in the Czech Republic. Shopov said he approached the social network about the problem. He said Facebook asked him to forward and then delete the data, which came in the form of a compressed spreadsheet. Facebook representatives also wanted to know where he'd bought the data and what payment systems were used, he said, adding that he had been happy to answer.

However, the Czech blogger said he objected to requests he says were made by the Facebook representatives to keep his conversations with them about the matter a secret ...

27 November 2012: Conmen swipe 100,000 Brits' sensitive info in UK.gov fraud bid:

Crooks attempted to defraud the UK government after swiping sensitive details on tens of thousands of civil servants, postmen, BT staff and public-sector workers, The Register has learnt ...

The non-profit sports body, which organises activities and leisure facilities, was alerted to the breach when a criminal investigation into fraud attempts on central government traced the data used in the scams to CSSC's [Civil Service Sports Council] database.

28 November 2012: Hackers hit International Atomic Energy Agency server:

A group of hackers leaked email contact information of experts working with the International Atomic Energy Agency (IAEA) after breaking into one of the agency's servers ...

The hacker group calls itself Parastoo and wants the IAEA to investigate Israel's nuclear activities at the Negev Nuclear Research Center near Dimona, an Israeli city located in the Negev desert. "Israel owns a practical nuclear arsenal tied to a growing military body and it is not a member of internationally respected nuclear, biochemical and chemical agreements," the group said ...

21 December 2012: 10,000 Indian government and military emails hacked:

India’s government and military have suffered one of the worst cyber attacks in the nation’s history, after over 10,000 email accounts belonging to top officials were compromised, despite a warning from the country’s cyber security agency ...

23 December 2012: SNCB Europe discloses the personal data of more than a million users:

For several weeks, the personal data of millions of SNCB Europe customers was freely accessible on the Internet. While the exact terms of the query made by the Internet user behind the disclosure are not known, the data was indeed accessible via a simple query in a search engine ...

CUST_ID, CONTACT_STATE, ACTIVE, DISTRIBUTOR, CUST_TYPE, GENDER, FIRSTNAME, LASTNAME, BIRTHDATE, LOGON_ID, REGISTERED, CONTACT_LANGUAGE, CONTACT_LANGUAGE_XX, STREET, HOUSE_NR, ADDITIONAL_NR, POSTAL_CODE, CITY, COUNTRY, PRIVATE_FIXED_TELEPHONE, PRIVATE_MOBILE_TELEPHONE, BUSINESS_TELEPHONE, EMAIL ...

... the file contains 1,460,734 entries. Each line concerns one SNCB Europe customer ...

7 January 2013: ENISA Threat Landscape:

6 Threat Trends: The Emerging Threat Landscape
6.1 Threat Trends in Mobile Computing
6.2 Threat Trends in Social Technology
6.3 Threat Trends in Critical Infrastructures
6.4 Threat Trends in Trust Infrastructure
6.5 Threat Trends in Cloud Computing
6.6 Threat Trends in Big Data

11 January 2013: Exclusive: hackers posing as Wikipedia researchers hit mining boss:

The chairman of one of the world’s biggest mining companies was targeted by hackers who disguised themselves as Wikipedia researchers in order to retrieve explosive confidential documents from his computer, according to documents seen by The Times.

The report added: “Sensitive documents and communications, which have only resided on the chairman’s laptop, have since been published in the public domain.” Investigators believe that the computer was hacked using “suspicious” e-mails sent to Mr Tan during July and August last year. The e-mails purported to have been sent by “Steve”, who falsely claimed to be associated with Wikipedia, with a falsified account steve@wikipedia.org.

26 January 2013: Anonymous takes down US Sentencing Commission website:

Hacktivist group Anonymous said Saturday it had hijacked the website of the US Sentencing Commission in a brazen act of cyber-revenge for the death of internet freedom advocate Aaron Swartz ...

The website of the commission, an independent agency of the judicial branch involved in sentencing, was replaced with a message warning that when Swartz killed himself two weeks ago "a line was crossed." In a message posted on the website and in an accompanying YouTube video, the hackers said they had infiltrated several government computer systems and copied secret information they threatened to make public.

30 January 2013: Hackers in China Attacked The Times for Last 4 Months:

The timing of the attacks coincided with the reporting for a Times investigation ... that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings ...

The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them ... the hackers stole the corporate passwords for every Times employee ...

Last year, Bloomberg News was targeted by Chinese hackers ... after Bloomberg published an article on June 29 about the wealth accumulated by relatives of Xi Jinping, China’s vice president at the time ... The intelligence-gathering campaign ... is as much about trying to control China’s public image, domestically and abroad, as it is about stealing trade secrets ...

AT&T informed The Times that it had noticed behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military ... The Times notified and voluntarily briefed the Federal Bureau of Investigation on the attacks ... when it became clear that attackers were still inside its systems despite efforts to expel them, The Times hired Mandiant ... Investigators still do not know how hackers initially broke into The Times’s systems. They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers ...

In the case of a 2011 breach at the United States Chamber of Commerce ... the trade group worked closely with the F.B.I. to seal its systems ... But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China ...

hashed passwords can easily be cracked using so-called rainbow tables ... the attackers cracked the passwords and used them to gain access to a number of computers ... "They could have wreaked havoc on our systems," said Marc Frons, the Times’s chief information officer. "But that was not what they were after." ... What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza ...

After Google was attacked in 2010 and the Gmail accounts of Chinese human rights activists were opened, for example, investigators were able to trace the source to two educational institutions in China, including one with ties to the Chinese military ...

2 February 2013: Twitter: hackers may have stolen passwords of 250,000 users:

The security breach is one of the biggest to ever affect Twitter, which has 200 million active users, and highlights growing concerns over the danger of so-called cyber attacks ...

5 February 2013: 'Massive' Credit Card Fraud Steals $200M:

Eighteen people have been charged in what federal prosecutors in New Jersey called one of the largest credit card fraud schemes ever uncovered by the U.S. Department of Justice, spanning 28 states and eight countries.

"The defendants are part of a massive international fraud enterprise involving thousands of false identities, fraudulent identification documents, doctored credit reports and more than $200 million in confirmed losses," FBI Special Agent James Simpson said in court records ...

19 February 2013: Apple, Macs hit by hackers who targeted Facebook:

Apple Inc was recently attacked by hackers who infected Macintosh computers of some employees, the company said Tuesday in an unprecedented disclosure describing the widest known cyber attacks targeting Apple computers used by corporations ...

The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday.

1 March 2013: Yes, Microsoft Azure Was Downed By Leap-Year Bug:

Microsoft has confirmed that Wednesday’s Windows Azure outage that left some customers in the dark for more than 12 hours was the result of a software bug triggered by the Feb. 29 leap-year date that prevented systems from calculating the correct time.

4 March 2013: Evernote hacked, forces millions of users to reset their passwords:

Evernote is asking its millions of users to reset their passwords following an attempt to hack the note-taking network.

In a blog post acknowledging the security breach Evernote's chief technology officer, Dave Engberg, explained that usernames and email addresses had been accessed along with encrypted password information.

6 March 2013: RBS and NatWest FAIL downs services across UK:

Thirsty NatWest and RBS customers across the UK are finding it difficult to get the last round in tonight, as the banks' systems have failed.

The megabork, which began at around 9:30pm, has taken down cash machines, online banking and telephone banking for the majority of its customers across the UK ...

The failure is also affecting debit card payments, according to multiple reports on twitter of problems processing transactions at petrol stations and supermarkets.

11 March 2013: Australian Central Bank Hit by Cyberattack:

The Australian central bank confirmed Monday that it had been hit by cyberattacks, but it said no data had been lost or systems compromised.

15 March 2013: US security agency database hacked:

A US government computer vulnerability database and several other websites at the National Institute of Standards and Technology have been down for nearly a week after workers there found malware on two Web servers.

18 March 2013: Details on the denial of service attack that targeted Ars Technica:

It is recommended that you read the entire Ars Technica article:

(a) People need to test the defences of their websites to see how well they can withstand attacks. So services grow up which allow them to launch a test attack. It's all perfectly legitimate-looking, you open an account, you pay $10 a month, or whatever, you get bulk purchase discounts, etc ... It's all made easy, with simple drop-down menus from which you choose the type of attack you would like to launch. But everything in the web security world is double-edged and, if the test site isn't too choosy, there's nothing to stop rogue account-holders from using the test site to launch real attacks ...

(b) There is a great variety of attack tactics, like chess gambits, which exploit the very virtues of web communications. When a message is sent to a site, it responds and, as a matter of good housekeeping, the site waits for an acknowledgement of its response. If you simply don't send that acknowledgement, the site can sit there waiting forever. Do that over and over again and the site's resources start to be eaten up ... Double-edged again, the protocol for orderly communications is itself used to disrupt communications.

(c) The attacker may be an engineer legitimately testing the defences he or she has designed. Or a rogue. Or "simply" someone playing competitive games trying to slow down his or her opponents. Double-edged, the tools designed to gain an advantage in something as apparently trivial as computer games are just the tools you need for carrying out the less trivial exploits listed on this page ...

20 March 2013: Hackers paralyse South Korean banks and broadcasters:

National broadcasters KBS, MBC and YTN reported shortly after 2pm that their computer networks had inexplicably come to a complete halt. Editing equipment had also been affected, affecting broadcasts. Shinhan Bank and Nonghyup Bank reported that their systems had also been affected at the same time ...

To date, Seoul has identified 442 sites and organisations that are dedicated to attacking South Korean interests through the Internet, including Uriminzokkiri, the [North Korean] regime's main Internet-based media and propaganda site ...

There is particular concern about the South's nuclear energy facilities, which supply nearly 36 percent of the nation's electricity and could be susceptible to viruses.

The report also indicated that South Korea's KTX high-speed railway network is vulnerable as it is controlled from a single command centre. A failure in the operating system would mean trains could no longer control speeds, routes or signals and - in a worst-case scenario, the report warned - they could be re-routed so they collide, causing hundreds of deaths.

Air traffic is also at risk, while the South Korean stock market could be immobilised or see fake transactions being made, contributing to a crash in the market.

30 April 2013: Syrian Electronic Army: Assad's cyber warriors:

In recent weeks, the self-styled Syrian Electronic Army (SEA) has launched hacking attacks on the BBC, the Associated Press (AP) and most recently the Guardian. Last week the group succeeded in hijacking AP's main Twitter account, with 1.9 million followers. It falsely claimed that President Obama had been injured in an explosion. AP corrected the message, but not before $130bn had been briefly wiped off the value of stocks.

2 May 2013: China’s Cyberspies Outwit Model for Bond’s Q:

It is recommended that you read the entire Bloomberg article or the DMossEsq summary, "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands".

2 May 2013: 'Chinese' attack sucks secrets from US defence contractor:

It is recommended that you read the entire ElReg article or the DMossEsq summary, "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands".

5 May 2013: On the frontline of the fight against cybercrime:

Inside the tightly controlled security area of Symantec's Dublin headquarters, a screen on the wall flashes up hacking hotspots as they are detected around the world. Last year the company estimated it blocked nearly 250,000 cyber-attacks. One out of every 532 websites was infected with viruses, it said, and 1.6 million instances of malware were detected.

Overall, cyber-attacks were up 42% in 2012. They range from "hacktivist" targeting of industries such as defence to the fast-growing area of "ransomware" blackmail attempts, but more than a third of attacks focused on small- to medium-size businesses employing fewer than 500 people.

... there were now online toolkits hackers could buy on the internet to enable them to break into bank accounts.

28 May 2013: Chinese hackers breach US, Australian defence:

Designs for more than two dozen major US weapons systems including programmes critical to missile defence and combat aircraft and ships have been compromised by Chinese hackers, according to a Pentagon report ...

Chinese hackers have also reportedly stolen top-secret blueprints to the new $600 million (£385 million) headquarters for the Australian Security Intelligence Organisation (ASIO) in Canberra.

28 May 2013: China calls Australian spy HQ plans hacking claims 'groundless':

China has shrugged off allegations by Australian media that Chinese hackers have stolen the blueprints for the new Australian spy headquarters ...

"In many cases, [the defence contractors] don't know they've been hacked until the FBI comes knocking on their door," an unidentified senior military official told the newspaper. "This is billions of dollars of combat advantage for China. They've just saved themselves 25 years of research and development. It's nuts."

2 June 2013: US and China to hold talks on cyberhacking:

The United States and China have agreed to hold regular, high-level meetings aimed at setting standards of behaviour on cybersecurity and commercial spying in the first diplomatic move to defuse tensions over cyberattacks ...

However, officials said they did not expect the meetings to lead immediately to a reduction in the daily attacks by China, described by General Keith Alexander, head of the United States Cyber Command and director of the National Security Agency, as “the greatest transfer of wealth in history”.

12 September 2013: Vodafone Hacker Accesses 2 Million Customers’ Banking Data:

An intruder hacked into a Vodafone Group Plc (VOD) server in Germany, gaining access to 2 million customers’ personal details and banking information.

A person with insider knowledge stole data including names, addresses, birth dates, and bank account information, the world’s second-biggest mobile-phone carrier said in a statement today. The hacker had no access to credit-card information, passwords, PIN numbers or mobile-phone numbers, Vodafone said ...

Vodafone, based in Newbury, England, is the latest high-profile company to announce a security breach. Last month there were hacker attacks on Google Inc. (GOOG), Twitter Inc. and the New York Times. KT Corp., South Korea’s largest phone and Internet company, fell the most in seven months in July last year after saying customer data were leaked by hackers.

14 September 2013: Bank raiders tried to snatch millions with a remote control:

A dozen men have been arrested after police foiled a daring attempt to steal millions of pounds from a high-street bank armed with nothing more deadly than a remote-control transmitter.

The raid, in which an electronic device was fitted to a computer in the Surrey Quays branch of Santander, in East London, was described by police as “a very significant and audacious” attempted cyber robbery.

25 September 2013: Data Broker Giants Hacked by ID Theft Service:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity ...

Two of the hacked servers were inside the networks of Atlanta, Ga.-based LexisNexis Inc., a company that according to Wikipedia maintains the world’s largest electronic database for legal and public-records related information ...

Two other compromised systems were located inside the networks of Dun & Bradstreet, a Short Hills, New Jersey data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management.

20 October 2013: Experian Sold Consumer Data to ID Theft Service:

An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

28 October 2013: British man charged with hacking U.S. military networks:

(Reuters) - A British man has been arrested in England and charged by the United States and Britain with hacking into U.S. government computer systems, including those run by the military, to steal confidential data and disrupt operations, authorities said.

Lauri Love and three co-conspirators allegedly infiltrated thousands of systems including those of the Pentagon's Missile Defense Agency, the U.S. Army Corps of Engineers, the U.S. space agency NASA and the U.S. Environmental Protection Agency, according to a U.S. grand jury indictment made public on Monday.

22 November 2013: Hackers for hire can rob you blind for $300 an hour:

Hackers for hire are offering bespoke services at an hourly rate of $100 to $300 depending on their reputation. For “Fullz” — a dossier of personal information about an individual, usually including name, address, phone numbers, e-mail addresses and passwords, date of birth, bank account details and credit card information — the price is $25 in the US or $30 to $40 in the UK.

19 December 2013: Target card heist hits 40 million:

Payment details from up to 40 million credit cards could have been stolen after they were used in the stores of US retail giant Target ...

Target said the thieves had taken credit card numbers, names, expiration dates and security codes for the cards ...

... sources at credit card payment processing firms had told him the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores ...

The largest ever credit card breach at a US retailer took place in 2007 when cyber-thieves managed to steal information related to almost 46 million credit and debit cards from TJ Maxx and Marshalls ...

2 January 2014: Hackers steal Snapchat users’ numbers:

A smartphone app [Snapchat] that can send potentially embarrassing photos and videos that are supposed to disappear once viewed has been hacked, exposing the phone numbers of 4.6 million users ... The hacked phone numbers were posted online, with partially edited user names ...

22 January 2014: Korean credit card bosses offer to RESIGN over huge data breach:

An IT contractor has been arrested over the theft of credit card and personal details of 20 million South Koreans ...

The huge breach was apparently only possible because the sensitive data wasn't encrypted, according to an official at the country's Financial Services Commission ...

The Korea Credit Bureau's role as a national credit reference agency gave it access to databases maintained by South Korea's three largest credit card firms: KB Kookmin Card, Lotte Card and NH Nonghyup Card.

Chiefs of the three firms publicly apologised for the leaks before offering to resign, owning up to responsibility over the whole sorry mess in a classy move we doubt many Western execs in the same situation would follow.

See 20 February 2014 follow-up: Korean credit card companies hit with 90-day, $100m sales ban

28 January 2014: Botnet Bust – SpyEye Malware Mastermind Pleads Guilty:

SpyEye infected more than 1.4 million computers—many located in the U.S.—obtaining victims’ financial and personally identifiable information stored on those computers and using it to transfer money out of victims’ bank accounts and into accounts controlled by criminals.

Ultimately, though, Panin sold his malware online to the wrong customer—an undercover FBI employee. And after an investigation involving international law enforcement partners as well as private sector partners, a dangerous cyber threat was neutralized.

4 February 2014: Orange France hack sees 800,000 customer details compromised:

The attack, which affected 800,000 customers, apparently took place on 16 January 2014, through the company's website at Orange.fr, and includes names, email addresses, phone numbers and more ...

A similar hack on Adobe's customer base in October 2013, which the company initially said only affected 2.9 million users, was eventually shown to have affected 38 million.

The unsecured state:

3 March 2014: UK Parliament XSS Flaw
4 March 2014: EduBase XSS
5 March 2014: 2,000+ NHS Security Vulnerabilities
6 March 2014: UK Government Websites Spewing Spam
7 March 2014: Abandoned Inquiries

There needs to be a radical re-think in the way that the state approaches digital infrastructure. This means long term legacy planning - not just thinking in terms of election cycles. It means employing people who know what they are talking about - not just the heads of "Think Tanks". It means no longer being afraid of technology - but rather embracing the promise it brings of a better world for all.

Sadly, for now, when dealing with the UK Government's attitude to their websites, I think it best to hang a large banner above your browser reading "Lasciate ogne speranza, voi ch'entrate".

5 March 2014: New design flaw found in crypto's TLS: Pretend to be a victim online:

Security researchers have developed a new man-in-the-middle attack against the cryptographic protocol TLS – a protocol that is used to encrypt online banking and shopping, and other sensitive connections, to thwart eavesdroppers.

6 March 2014: Ukraine and Russia locked in a cyber stand-off:

Security experts have warned that Ukraine and neighbouring Russia are locked in a cyber stand-off amid diplomatic efforts to reduce political tensions between the two countries.

Ukraine has accused Russia of disrupting mobile communications in the wake of smaller-scale attacks in which Ukraine websites have been defaced with propaganda messages, reports the BBC.

In response, Ukrainian hacktivist group Cyber-Berkut claims to have vandalised 40 Russian websites since the dispute began, prompting speculation about an escalation of cyber conflict.

Russia is suspected of conducting distributed denial of service (DDoS) attacks on neighbouring Georgia in the run up to conventional military conflict in 2008.

Russia denied being behind the DDoS attacks on Georgia and has not commented on accusations that it is disrupting mobile communications in Ukraine and tampered with fibre-optic networks.

However, experts say it is unlikely that Ukraine will experience cyber attacks on the same scale as Estonia in 2007, when the country was hit by 10 days of attacks on its internet services.

7 March 2014: Twelve million hit as Korea suffers ANOTHER massive data breach:

The South Korean government was forced to launch an inquiry today after another massive data breach rocked the country, this time the theft of account information belonging to 12 million customers of telco KT Corp ...

The data grab apparently went undetected by KT for an entire year with the suspects allegedly snatching up to 300,000 records in a single day. The nabbed details included names, registration numbers and bank account info ...

This is the third time in two years that the country’s second biggest carrier has been hit with a major data breach.

10 March 2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records:

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam ...

Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service. According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

The government alleges that the service’s customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo’s customers made approximately 3.1 million queries on Americans.

14 March 2014: Morrisons staff payroll data stolen and published on the internet:

"The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation. Our immediate priority is the security of your financial information. We are currently working with Experian and the major banks to ensure that we provide full support and assistance to all affected colleagues. This will include support and advice around protection of your bank account."

18 March 2014: Notorious hacker caught in Bangkok:

Essebar, who is from Morocco and a Russian citizen, was detained by officials from the Department of Special Investigation (DSI), the Immigration Bureau, and the Office of the Attorney-General ...

The 27-year-old Russian citizen is wanted on a computer crime charges arrest warrant in Switzerland. He is accused of cracking banking computer systems and hacking bank websites in the country, causing damage worth more than US$4 billion or 128 billion baht to customers in Europe in 2011, the DSI official said ...

He and another person spread the Zotob computer worm targeting Windows 2000 in 2005. The computer virus disrupted operations at CNN, ABC News, the New York Times, Caterpillar, United Parcel Service, Boeing and the United States Department of Homeland Security.


David Moss has spent seven years campaigning against the Home Office's ID card scheme.

© 2010 Business Consultancy Services Ltd
on behalf of Dematerialised ID Ltd