"There are two types of companies left in America; those that have been hacked and know it, and those that have been hacked and don't know it." -- Chairman of the House Intelligence Committee, Rep. Mike Rogers (R-MI), 2012

Aurora Cyberconflict Research Group; US/1; ATTN: YQ/G-1; US/121; US/12; CID/2; OSINT/1; JAG/1

SecurityWeek.com: Putting SCADA Protection on the Radar

SCADA Networks are the Most Unprotected Networks of All and Now Attackers Have Them in Their Sights.

By Marc Solomon on May 17, 2012 

Recent high-profile compromises point to an urgent need to secure process control networks. Stuxnet, a purpose-built worm for attacking industrial control systems, led the way in showing just what can be done by a professional team. More recently, Duqu entered the threat landscape enabling attackers to steal data from manufacturers of industrial control systems and use that data to exploit entities using these systems.

Why are these networks under attack? Most large organizations are serious about security. They run specialized departments tasked with protecting two key networks: data center (servers) and office automation (workstations). These networks are essential for supporting the business processes throughout the organization.

However, a “third network,” the process control network, has yet to receive the same attention.

Often referred to as SCADA (supervisory control and data acquisition) networks due to their association with industrial processes, these networks connect equipment rather than computers and support systems rather than people. In sectors such as utilities, transportation, logistics, manufacturing and pharmaceuticals, these networks are critical to the operation of the organization. In utilities, they are so important as to be considered part of the national critical infrastructure. In logistics, they route millions of parcels a day. But in other companies this network operates behind the scenes, quietly mediating access to buildings, controlling heating and ventilation, elevators and data center cooling.

SCADA networks are the most unprotected networks of all and now cyber-criminals have them in their sights. If they get access, the consequences for many organizations, their customers and perhaps the population at large, could be extremely damaging.

What makes these networks more vulnerable?

• Attacks are becoming more sophisticated as motives move away from amateur glory seeking, to politics in the form of ‘hacktivism,’ espionage and nation-state aggression. Advanced persistent threats—the professionals—are driving a new level of stealthy and complex attacks that are difficult to discern, let alone disarm.

• Networks are becoming more connected as the business hungers for data to drive decision-making and suppliers Internet-enable everything in order to drive down support costs and increase customer retention.

• Designed in a different time, process control networks have been considered inherently safe and often do not include security basics. When released by systems vendors, patches are difficult to apply due to system availability requirements.

• The SCADA network is often ‘invisible’ and lacks the attention and investment to raise the level of security commensurate with increased threats.

• In most organizations process control engineers manage the process control network while the IT department runs the other networks. The two groups have separate mandates and priorities.

Given the typical separation of duties, when considering security solutions organizations should shift their “IT security” mindset to account for the unique requirements and priorities of process control engineers charged with managing the SCADA network. First, security tools should not interfere with closed-loop processes, where interference could pose a risk to control. Second, availability/uptime is the most important goal of the network. Third, regular password change policies could endanger a plant by locking engineers out of a system. And, fourth, security tools that require direct Internet access are not viable—many control networks are tightly firewalled from the Internet.

At the same time, process control networks have various areas of vulnerability that must be protected. The Human Machine Interface (HMI), process servers and historians are typically MS-Windows based and are potential entry points for any attacker coming in via the corporate network and using known exploits. The Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) are often proprietary and require sophisticated knowledge of the control system in order to penetrate, as demonstrated by Stuxnet and Duqu.

The following guidelines should help organizations identify security solutions that respect the requirements and priorities of the process control network environment while enhancing protection. Specifically, organizations should consider solutions that can:

• Provide the flexibility to operate in passive mode or in-line without interrupting closed-loop processes, even in the event of a software, hardware or power failure

• Support a vast rule library and an open rule format in order to accept SCADA rule sets, rules provided by government agencies, other third-party rules and proprietary rules unique to an organization’s own network

• Control network usage by application, user and group as an ideal way of segregating control network zones for maximum flexibility

• Provide passive asset discovery, automatic impact assessment and rules tuning to take corrective action only on threats that are relevant to an organization’s specific network

• Offer centralized monitoring and management to unify critical network security functions, streamline administration and expedite response
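The passive, relevance-tuned approach these guidelines describe, as an added Python example that is not code from the article or from any vendor product: it builds an asset inventory from observed flow records without touching the process, enables only the rules from the library whose protocols actually appear on this network, and reports deviations from the learned baseline instead of blocking traffic. The flow records, rule library, addresses, ports and protocol labels are all constructed for the example.

```python
"""Passive SCADA asset discovery, rule tuning and impact assessment (illustrative)."""
from collections import defaultdict

# Constructed flow records (not from the article): "src dst dst_port protocol".
# These stand in for what a passive sensor would see on a span port.
BASELINE_FLOWS = """\
10.20.1.5 10.20.2.10 502 modbus
10.20.1.5 10.20.2.11 502 modbus
10.20.1.6 10.20.2.10 502 modbus
10.20.1.7 10.20.2.20 44818 enip
"""

# Constructed flows observed after the baseline was learned.
NEW_FLOWS = """\
10.20.1.5 10.20.2.10 502 modbus
192.168.50.9 10.20.2.10 502 modbus
10.20.1.6 10.20.2.30 20000 dnp3
"""

# Constructed "open format" rule library: each rule names the protocol it covers.
RULE_LIBRARY = [
    {"id": "R1", "protocol": "modbus", "desc": "Modbus session from a client not in the baseline"},
    {"id": "R2", "protocol": "enip",   "desc": "EtherNet/IP session from a client not in the baseline"},
    {"id": "R3", "protocol": "dnp3",   "desc": "DNP3 session from a client not in the baseline"},
    {"id": "R4", "protocol": "iec104", "desc": "IEC 104 session from a client not in the baseline"},
]


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def discover_assets(flows):
    """Passive inventory: which hosts speak which protocol, in which role, to whom."""
    assets = defaultdict(lambda: {"roles": set(), "protocols": set(), "peers": set()})
    for src, dst, _port, proto in flows:
        assets[src]["roles"].add("client")
        assets[src]["protocols"].add(proto)
        assets[src]["peers"].add(dst)
        assets[dst]["roles"].add("server")
        assets[dst]["protocols"].add(proto)
        assets[dst]["peers"].add(src)
    return dict(assets)


def tune_rules(rules, assets):
    """Keep only the rules whose protocol was actually observed on this network."""
    seen = set()
    for asset in assets.values():
        seen |= asset["protocols"]
    return [r for r in rules if r["protocol"] in seen]


def assess(new_flows, baseline_assets, active_rules):
    """Report deviations from the baseline; never block, so closed loops are untouched.

    Returns (alerts, inventory_changes): alerts fire a tuned rule when a server
    sees a client it has not talked to before; inventory_changes record flows for
    protocols no active rule covers, so discovery can be re-run and rules re-tuned.
    """
    rule_for = {r["protocol"]: r for r in active_rules}
    alerts, changes = [], []
    for src, dst, port, proto in new_flows:
        rule = rule_for.get(proto)
        if rule is None:
            changes.append((src, dst, port, proto))
            continue
        known_peers = baseline_assets.get(dst, {}).get("peers", set())
        if src not in known_peers:
            alerts.append((rule["id"], src, dst, port, proto))
    return alerts, changes


if __name__ == "__main__":
    baseline = discover_assets(parse_flows(BASELINE_FLOWS))
    active = tune_rules(RULE_LIBRARY, baseline)
    alerts, changes = assess(parse_flows(NEW_FLOWS), baseline, active)
    print("active rules:", [r["id"] for r in active])
    for a in alerts:
        print("ALERT", a)
    for c in changes:
        print("INVENTORY CHANGE", c)
```

Two design points matter for a control network. The baseline is learned entirely from traffic the sensor sees, so nothing is sent to the PLCs. Tuning the rule set down to observed protocols keeps the alert stream relevant, but it also means a protocol that appears for the first time is silent to the rules; that is why such flows are surfaced as inventory changes and discovery should be re-run on a schedule rather than once.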

Process control networks are mission critical and security is of paramount importance. Increasingly on the radar of sophisticated attackers, it’s time for the SCADA network to be on the radar of management and get the organizational attention, and protection, it deserves.


[Information contained in BKNT E-mail is considered Attorney-Client and Attorney Work Product privileged, copyrighted and confidential. Views that may be expressed are those of the author(s) and do not necessarily reflect those of any government, agency, or news organization.]


Remember Stuxnet? Why the U.S. is Still Vulnerable

Last week, the Department of Homeland Security revealed a rash of cyber attacks on natural gas pipeline companies. Just as with previous cyber attacks on infrastructure, there was no known physical damage. But security experts worry it may only be a matter of time. 

Efforts to protect pipelines and other critical systems have been halting despite broad agreement that they're vulnerable to viruses like Stuxnet — the mysterious worm that caused havoc to Iran's nuclear program two years ago. 

The Frankenstein-like virus infected a type of industrial controller that is ubiquitous — used around the world on everything from pipelines to the electric grid. 

Experts say manufacturers haven't fixed security flaws in these essential but obscure devices. 

Why hasn't more been done? Here's why Stuxnet remains a top national security risk. 

Q. What is Stuxnet, anyway? 

Stuxnet first made headlines when it burrowed into computers that controlled uranium centrifuges in Iran's renegade nuclear program. Its self-replicating computer code is usually transmitted on flash drives anyone can stick into a computer. Once activated, the virus made Iran's centrifuges spin out of control while making technicians think everything was working normally — think of a scene in a bank heist movie where the robbers loop old security camera footage while they sneak into the vault.

Q. Who created it? 

Whoever knows the answer to this isn't telling — but if cybersecurity researchers, the Iranian government and vocal Internet users are to be believed, the two prime suspects are the U.S. and Israeli governments.

Q. How does it work? 

Stuxnet seeks out little gray computers called programmable logic controllers, or PLCs. The size and shape of a carton of cigarettes, PLCs are used in industrial settings from pretzel factories to nuclear power plants. Unfortunately, security researchers say the password requirements for the devices are often weak, creating openings that Stuxnet (or other viruses) can exploit. Siemens made the PLCs that ran Iran's centrifuges; other makers include Modicon and Allen Bradley. Once introduced via computers running Microsoft Windows, Stuxnet looks for a PLC it can control.

Q. How big is the problem? 

Millions of PLCs are in use all over the world, and Siemens is one of the top five vendors. 

Q. After Iran, did Siemens fix its devices? 

Siemens released a software tool for users to detect and remove the Stuxnet virus, and encourages its customers to install fixes Microsoft put out for its Windows system soon after the Iran attack became public (most PLCs are programmed from computers running Windows). It is also planning to release a new piece of hardware for its PLCs, called a communications processor, to make them more secure — though it's unclear whether the new processor will fix the specific problems Stuxnet exploited. Meanwhile, the firm acknowledges its PLCs remain vulnerable — in a statement to ProPublica, Siemens said it was impossible to guard against every possible attack. 

Q. Is Siemens alone? 

Logic controllers made by other companies also have flaws, as researchers from NSS Labs, a security research firm, have pointed out. Researchers at a consulting firm called Digital Bond drew more attention to the problem earlier this year when they released code targeting commonly used PLCs using some of Stuxnet's techniques. A key vulnerability is password strength — PLCs connected to corporate networks or the Internet are frequently left wide open, Digital Bond CEO Dale Peterson says.

Q. What makes these systems so tough to protect? 

Like any computer product, industrial control systems have bugs that programmers can't foresee. Government officials and security researchers say critical systems should never be connected to the Internet — though they frequently are. But having Internet access is convenient and saves money for companies that operate water, power, transit and other systems. 

Q. Is cost an issue? 

System manufacturers are reluctant to patch older versions of their products, government and private sector researchers said. Utility companies and other operators don't want to shell out money to replace systems that seem to be working fine. Dan Auerbach of the Electronic Frontier Foundation, formerly a security engineer at Google, says the pressure on tech companies to quickly release products sometimes trumps security. "There's an incentive problem," he said. 

Q. What's the government doing? 

The Department of Energy and the Department of Homeland Security's Computer Emergency Readiness Team, or CERT, work with infrastructure owners, operators and vendors to prevent and respond to cyber threats. Researchers at government-funded labs also assess threats and recommend fixes. But government agencies cannot — and do not attempt to — compel systems vendors to fix bugs. 

The only national cybersecurity regulation is a set of eight standards approved by the Federal Energy Regulatory Commission — but these only apply to producers of high-voltage electricity. A Department of Energy audit last year concluded the standards were weak and not well implemented. 

Q. So is Congress weighing in? 

Cybersecurity has been a much-debated issue. Leading bills, including the Cyber Intelligence Sharing and Protection Act, would enable government and the private sector to share more threat information. But while CISPA and other bills give the Department of Homeland Security and other agencies more power to monitor problems, they all take voluntary approaches. 

"Some of my colleagues have said nothing will change until something really bad happens," said Peterson, whose consulting firm exposed vulnerabilities. "I'm hoping that's not true." 

Q. What does the Obama administration want?

The White House has called for legislation that encourages private companies to notify government agencies after they've faced cyber intrusions, and recommends private companies secure their own systems against hackers. But the White House stops short of calling for mandatory cybersecurity standards for the private sector. 



Partners in Pre-ANTI-CRIME

Court Won't Order Google-NSA Interactions Released

By: Frederic J. Frommer, Associated Press
05/15/2012 (9:00am)

WASHINGTON (AP) — A federal appeals court has turned down a Freedom of Information Act request to disclose National Security Agency records about the 2010 cyberattack on Google users in China.

The Electronic Privacy Information Center, which focuses on privacy and civil liberties, sought communications between Google and the NSA, which conducts worldwide electronic surveillance and protects the U.S. government from such spying. But the NSA refused to confirm or deny whether it had any relationship with Google. The NSA argued that doing so could make U.S. government information systems vulnerable to attack.

A federal district court judge sided with the NSA last year, and on Friday, a three-judge panel of the U.S. Court of Appeals for the District of Columbia upheld the ruling.

In 2010, Google complained about major attacks on its website by Chinese hackers and suggested the Chinese government may have instigated them. The Chinese government denied any involvement. Soon after, there were news reports that Google was teaming up with the NSA to analyze the attack and help prevent future ones.

The privacy center's FOIA request drew a "Glomar" response, in which an agency refuses to confirm or deny the existence of records. The term refers to a case in the 1970s, when the CIA refused to confirm or deny the existence of the Glomar Explorer, a ship disguised as an ocean mining vessel that the CIA used to salvage a sunken Soviet submarine. Courts consistently have upheld Glomar responses.

"In reviewing an agency's Glomar response, this court exercises caution when the information requested" involves national security, Judge Janice Rogers Brown wrote in the unanimous appeals court panel's ruling. "NSA need not make a specific showing of potential harm to national security in order to justify withholding information" under one of the law's exemptions because Congress has already, in enacting the FOIA statute, decided that disclosure of NSA activities is potentially harmful.

Brown said the question was whether acknowledging the existence or nonexistence of the requested material would reveal an NSA activity. The privacy center argued that some of the records it sought — unsolicited communications from Google to NSA — are not covered by exemptions cited by the NSA.

"The existence of a relationship or communications between the NSA and any private company certainly constitutes an 'activity' of the agency" subject to exemption, Brown wrote. "Whether the relationship — or any communications pertaining to the relationship — were initiated by Google or NSA is irrelevant to our analysis."

"Moreover," she added, "if private entities knew that any of their attempts to reach out to NSA could be made public through a FOIA request, they might hesitate or decline to contact the agency, thereby hindering its information assurance mission," which focuses on protecting national security information and information systems.

Brown, an appointee of former President George W. Bush, was joined in the ruling by Judges Brett Kavanaugh, another George W. Bush appointee, and Douglas Ginsburg, who was appointed by former President Ronald Reagan.




CyberIntelligenceNETWORK; US/1; ATTN: ALL

The first episode of the three part documentary series Danger in the Download presented by Ed Butler will be broadcast on BBC World Service on Tuesday 1 May at 00:06GMT and will be available afterwards on i-player.


30 April 2012, last updated at 04:21 ET

Web War II: What a future cyberwar will look like

How might the blitzkrieg of the future arrive? By air strike? An invading army? In a terrorist's suitcase? In fact it could be coming down the line to a computer near you.

Operation Locked Shields, an international military exercise held last month, was not exactly your usual game of soldiers. It involves no loud bangs or bullets, no tanks, aircraft or camouflage face-paint. Its troops rarely even left their control room, deep within a high security military base in Estonia.

These people represent a new kind of combatant - the cyber warrior.

One team of IT specialists taking part in Locked Shields, were detailed to attack nine other teams, located all over Europe. At their terminals in the Nato Co-operative Cyber Defence Centre of Excellence, they cooked up viruses, worms, Trojan Horses and other internet attacks, to hijack and extract data from the computers of their pretend enemies. 

The idea was to learn valuable lessons in how to forestall such attacks on military and commercial networks. The cyber threat is one that the Western alliance is taking seriously. 

It's no coincidence that Nato established its defence centre in Estonia. In 2007, the country's banking, media and government websites were bombarded with Distributed Denial of Service (DDOS) attacks over a three week period, in what's since become known as Web War I. The culprits are thought to have been pro-Russian hacktivists, angered by the removal of a Soviet-era statue from the centre of the capital, Tallinn. 

DDOS attacks are quite straightforward. Networks of thousands of infected computers, known as botnets, simultaneously access the target website, which is overwhelmed by the volume of traffic, and so temporarily disabled. However, DDOS attacks are a mere blunderbuss by comparison with the latest digital weapons. Today, the fear is that Web War II - if and when it comes - could inflict physical damage, leading to massive disruption and even death.

"Sophisticated cyber attackers could do things like derail trains across the country," says Richard A Clarke, an adviser on counter-terrorism and cyber-security to presidents Clinton and Bush. 

"They could cause power blackouts - not just by shutting off the power but by permanently damaging generators that would take months to replace. They could do things like cause [oil or gas] pipelines to explode. They could ground aircraft."

Clarke's worries are fuelled by the current tendency to put more of our lives online, and indeed, they appear to be borne out by experiments carried out in the United States. 

At the heart of the problem are the interfaces between the digital and physical worlds known as Scada - or Supervisory Control And Data Acquisition - systems.

Today, these computerised controllers have taken over a myriad jobs once performed manually. They do everything from opening the valves on pipelines to monitoring traffic signals. Soon, they'll become commonplace in the home, controlling smart appliances like central heating.

And crucially, they use cyberspace to communicate with their masters, taking commands on what to do next, and reporting any problems back. Hack into these networks, and in theory you have control of national electricity grids, water supplies, distribution systems for manufacturers or supermarkets, and other critical infrastructure. 

In 2007, the United States Department of Homeland Security (DHS) demonstrated the potential vulnerability of Scada systems. Using malicious software to feed in the wrong commands, they attacked a large diesel generator. Film of the experiment shows the machine shaking violently before black smoke engulfs the screen. 

Although this took place under laboratory conditions, with the attackers given free rein to do their worst, the fear is that, one day, a belligerent state, terrorists, or even recreational hackers, might do the same in the real world. 

"Over the past several months we've seen a variety of things," says Jenny Mena of the DHS. "There are now search engines that make it possible to find those devices that are vulnerable to an attack through the internet. In addition we've seen an increased interest in this area in the hacker and hacktivist community."

One reason why Scada systems may be prone to hacking is that engineers, rather than specialist programmers, are often likely to have designed their software. They are expert in their field, says German security consultant Ralph Langner, but not in cyber defence. "At some point they learned how to develop software," he adds, "but you can't compare them to professional software developers who probably spent a decade learning." 

Moreover, critical infrastructure software can be surprisingly exposed. A power station, for example, might have less anti-virus protection than the average laptop. And when vulnerabilities are detected, it can be impossible to repair them immediately with a software patch. "It requires you to re-boot," Langner points out. "And a power plant has to run 24-7, with only a yearly power-down for maintenance." So until the power station has its annual stoppage, new software cannot be installed.

Langner is well-qualified to comment. In 2010 he, along with two employees, took it upon himself to investigate a mystery computer worm known as Stuxnet, that was puzzling the big anti-virus companies. What he discovered took his breath away.

Stuxnet appeared to target a specific type of Scada system doing a specific job, and it did little damage to any other applications it infected. It was clever enough to find its way from computer to computer, searching out its prey.

And, containing over 15,000 lines of computer code, it exploited no fewer than four previously undiscovered software errors in Microsoft Windows. Such errors are extremely rare, suggesting that Stuxnet's creators were highly expert and very well-resourced. 

It took Langner some six months to probe just a quarter of the virus. "If I'd wanted to do all of it I might have gone bust!" he jokes. But his research had already drawn startling results. 

Stuxnet's target, it turned out, was the system controlling uranium centrifuges at Iran's Natanz nuclear facility. There is now widespread speculation that the attack was the work of American or Israeli agents, or both. Whatever the truth, Langner estimates that it delayed Iran's nuclear project by around two years - no less than any air strike was expected to achieve - at a relatively small cost of around $10 million. This success, he says, means cyber weapons are here to stay. 

Optimists say Stuxnet does at least suggest a scrap of reassurance. Professor Peter Sommer, an international expert in cyber crime, points out that the amount of research and highly skilled programming it involved would put weapons of this calibre beyond anyone but an advanced nation state. And states, he points out, usually behave rationally, thus ruling out indiscriminate attacks on civilian targets. 

"You don't necessarily want to cause total disruption. Because the results are likely to be unforeseen and uncontrollable. In other words, although one can conceive of attacks that might bring down the world financial system or bring down the internet, why would one want to do that? You would end up with something not that different from a nuclear winter."

But even this crumb of comfort is denied by Langner, who argues that, having now infected computers worldwide, Stuxnet's code is available to anyone clever enough to adapt it, including terrorists. 

"The attack vectors and exploits used by Stuxnet - they can be copied and re-used reliably against completely different targets. Until a year ago no one was aware of such an aggressive and sophisticated threat. With Stuxnet that has changed. It is on the table. The technology is out there on the internet."

One thing is for sure, he adds: If cyber weapons do become widespread, their targets will lie mostly in the west, rather than in countries like Iran, which have relatively little internet dependence. This means that the old rules of military deterrence which favoured powerful, technologically advanced countries like the United States do not apply: Responding in kind to a cyber attack could be effectively impossible. 

This asymmetry is likely to grow, as developed countries become ever more internet-dependent. So far, the Internet Protocol format allows only 4.3 billion IP addresses, most of which have now been used. But this year, a new version is rolling out, providing an inexhaustible supply of addresses and so allowing exponential growth in connectivity. Expect to see far more machines than people online in the future.

In the home, fridges will automatically replenish themselves by talking to food suppliers; ovens and heating systems will respond to commands from your smartphone. Cars may even drive themselves, sharing GPS data to find the best routes. For industry, commerce and infrastructure, there will be even more reliance on cyber networks that critics claim are potentially vulnerable to intrusion. 

"There will be practically infinite number of IP addresses," says former hacker Jason Moon. "Everything can have an IP address. And everything will have one. Now, that's great. But think what that's going to do for the hacker!" 

In fact, it has already become a challenge for even sensitive installations, let alone households, to remain offline. Although military and other critical networks are supposedly isolated from the public internet, attackers can target their contractors and suppliers, who plug into the "air-gapped" system at various times. Somewhere down the food chain, a vulnerable website or a rogue email will provide a way in. 

According to Richard Clarke, the mighty American armed forces themselves are not immune, since their command & control, supplies, and even some weapons systems, also rely on digital systems.

"The US military ran headlong into the cyber age," he says. "And we became very dependent on cyber devices without thinking it through. Without thinking that if someone got control of our software, what would we be able to do? Do we have backup systems? Can we go back to the old days?"

The answer it seems is no. A new form of weapon appears to be emerging. And the world may have to learn to adapt.






Web Site Ranks Hacks and Bestows Bragging Rights

Published: August 21, 2011

So you think you can hack?
Some 700 hackers looking to show off their talents have piled into an upstart Web site called in the last month. Emerging from the shadowy underground, they have submitted evidence of more than 1,200 Web site hacks, eager to have their feats measured against those of their peers.
The site was created by a hacker nicknamed Solar to bring a little accountability to the online forums and chat rooms where hackers gather to learn tricks of the trade, buy and sell contraband and form alliances. There, eBay-style ratings systems meant to establish reputations are routinely abused, morality tends to be fluid and anonymous young people often talk big while carrying a small stick.
RankMyHack offers a way to separate the skilled from the so-called script kiddies by verifying hacks using codes that participants must plant somewhere on sites they have compromised. As in a video game, RankMyHack awards points, which are based on the popularity of the hacked site and the technical difficulty of the hack. Total scores determine hackers’ ranks on the “leader board of legends.” Players can even challenge one another to duels.
“So have you got what it takes to be the best?” Solar taunts on the site’s home page, which has a distinctively retro design.
Participants can also win “bounties” for hacking racist sites as well as university, military and government sites, an element intended “to focus the abilities of talented hackers against political and government forces.”
In an e-mail interview, Solar, who declined to disclose his name or age, said he was a computer-science student in Britain and aspired to a career in computer security. He acknowledged hacking illegally “in the past” to develop his skills, but said he had never engaged in criminal acts like fraud.
As of Sunday, the top break-in on the site was said to be a hack of The Huffington Post, worth nearly 1.7 million points and claimed by Mudkip, who is also the site’s top-ranked hacker. The second-biggest hack, worth 1.5 million points, was said to be on Google, by Blackfan.
The Huffington Post did not respond to requests for comment. Google said Blackfan had told it about a minor bug in the mobile version of as part of its program to reward security researchers for finding and disclosing vulnerabilities. The flaw poses no risk to users, Google said.
Hackers like Mudkip and Blackfan can use a RankMyHack banner to display their stats on other Web sites, including hacker forums.
But the banners can also help crime groups find talented and willing recruits, warned Rob Rachwald, director of security strategy at Imperva, a security company. “If you like blood on your hands, this shows you’re willing to do the dirty work.”
And RankMyHack could be useful to the authorities. “The ability to verify that a person compromised a system is a law enforcement person’s dream,” said Holt Sorenson, a security specialist who helps run the Capture the Flag competition at the annual Def Con hacker conference in Las Vegas.
RankMyHack seems to take a page from competitions like Capture the Flag that attract some of the world’s most skilled hackers. In that game, competing teams defend their computers from attack while trying to steal a piece of data from or plant data on another team’s computer. Organizers verify hacks and declare winners.
At Def Con, no real damage is done and a strong performance can cement a reputation — and attract job offers. But RankMyHack, which celebrates and some say incites illegal hacking, could hurt Solar’s prospects for a career path that requires trust.
Solar argued that the hacks would occur regardless, and that the site was positive because hackers did not need to do damage to prove they had infiltrated a site.
He said security companies should be impressed that, “secured to the teeth” and attacked a hundred times a day, RankMyHack itself was still standing.


US/1; ATTN: US/[redacted]; CID/2

National Security

Enter the Cyber-dragon

Hackers have attacked America’s defense establishment, as well as companies from Google to Morgan Stanley to security giant RSA, and fingers point to China as the culprit. The author gets an exclusive look at the raging cyber-war—Operation Aurora! Operation Shady rat!—and learns why Washington has been slow to fight back.


Lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said “2011 Recruitment Plan.” It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.

The parent company disclosed the breach on March 17 in a filing with the Securities and Exchange Commission. The hack gravely undermined the reputation of RSA’s popular SecurID security service. As spring gave way to summer, bloggers and computer-security experts found evidence that the attack on RSA had come from China. They also linked the RSA attack to the penetration of computer networks at some of RSA’s most powerful defense-contractor clients—among them, Lockheed Martin, Northrop Grumman, and L-3 Communications. Few details of these episodes have been made public.

The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty. Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government. In some cases, the evidence suggests that government and military groups are executing the attacks themselves. In others, Chinese authorities are merely turning a blind eye to illegal activities that are good for China’s economy and bad for America’s. Last year Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit Intel, Morgan Stanley, and several dozen other corporations. (The attack was given that name because the word “aurora” appears in the malware that victims downloaded.) Earlier this year, details concerning the most sweeping intrusion since Operation Aurora were discovered by the cyber-security firm McAfee. Dubbed “Operation Shady rat,” the attacks (of which more later) are being reported here for the first time. Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits—or for fear of offending the Chinese and jeopardizing their share of that country’s exploding markets. The U.S. government, for its part, has been fecklessly circumspect in calling out the Chinese.

A scattered alliance of government insiders and cyber-security experts are working to bring attention to the threat, but because of the topic’s extreme sensitivity, much of their consciousness-raising activity must be covert. The result in at least one case, according to documents obtained by Vanity Fair, has been a surreal new creation of American bureaucracy: government-directed “hacktivism,” in which an intelligence agency secretly provides information to a group of private-sector hackers so that truths too sensitive for the government to tell will nevertheless come out.

This unusual project began in March, when National Security Agency officials asked a private defense contractor to organize a cadre of elite non-government experts to study the RSA cyber-attacks. The experts constituted a SEAL Team Six of cyber-security and referred to their work as Operation Starlight. “This is the N.S.A. outsourcing the finger-pointing to the private sector,” says one person who was invited to join the group and has been privy to its e-mail logs. The N.S.A. provided Operation Starlight with the data it needed for its forensic analysis.

Operation Starlight’s secret “Working Draft Version 0.2” report, dated April 4, 2011, has a cover page that bears a galactic image resembling a meteor-pockmarked moon. The source who provided Vanity Fair with the document emphasized that the draft is just that—a draft—and said that Starlight’s provisional conclusions are subject to change. (The source also says that Operation Starlight’s analysis will continue for a matter of months, and possibly as long as a year.) As of April, however, the draft report argued that the RSA hacks represent an “organized, concerted campaign on behalf of China.” It also suggested that RSA had been under attack, perhaps by different groups, for months prior to the attack that the company acknowledged in March. In July, in the lengthiest interview that RSA officials have given since their troubles began, executive chairman Art Coviello and EMC chief security officer Dave Martin resisted those suggestions. Coviello admitted that the SecurID hack was preceded in March by “pretty heavy-duty reconnaissance.” He refused to say specifically when the attack began or ended, but described the duration as “a matter of days, not weeks.” He agreed that the evidence suggested that the SecurID attack had come from a nation-state, but declined to accuse a specific country.

“The Adversary”

If you were designing a new jet fighter for Lockheed Martin, sooner or later you would have to travel to an air-force base to talk to military personnel about what they want the new jet fighter to do. Meetings over, you’d go back to your hotel room, fire up your laptop, and log on to Lockheed’s remote network to get some work done. In order to log on, you’d have to glance down at an inch-long red-white-blue-and-gray plastic key-chain fob, shaped vaguely like a key, on which a little L.E.D. screen displays strings of six to eight digits that change every minute or so. Adding those numbers to the basic password that you’d memorized, you would type the whole hybrid string of characters into the Lockheed-network log-in box—and then you would be in. That key fob, called a SecurID token, is RSA’s best-known product. The strings of numbers on its screen are generated by a microchip using the SecurID algorithm and a unique cryptographic seed.

Each numeric string is called a “one-time password,” and, when entered in combination with your own chosen password, it bumps up your network’s security by means of “two-factor authentication.” As of March 2011, RSA commanded 70 percent of the market for this form of security. More than 25 million of these tokens are in circulation, and for years they have been used by most U.S. intelligence and military officers, defense contractors, White House officials, and Fortune 500 executives.

So it was of great concern to many of the world’s most powerful people when, on the same day the company alerted the S.E.C., executive chairman Coviello posted an open letter to customers on RSA’s Web site, announcing that the company’s security system had identified “an extremely sophisticated cyber attack in progress,” an attack that “resulted in certain information being exported from RSA’s systems,” some of which was “specifically related to RSA’s SecurID two-factor authentication products.”

The letter was so vague and judiciously bland that many readers assumed what the later Lockheed hack seemed to suggest: that SecurID’s seed-key algorithm and some, if not all, of its seed-key database may have been stolen. RSA executives have consistently refused to say precisely what the company lost. Coviello did say in an interview that “the information taken, in and of itself, would not allow a direct attack.” 

An attacker, he went on, “would have had to get other information that only the customer had in their possession.” To weaponize the stolen SecurID information would require a strategy of coordinated intrusions, involving attacks not just on RSA but also preliminary attacks on every other target company—something that seemed so complicated as to be almost impossible. Yet within two months, the impossible had come to pass. Attackers, whom security experts often refer to in the satanic singular as “the Adversary,” had broken into Lockheed Martin’s network using SecurID information stolen from RSA.
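To make concrete what Coviello’s distinction amounts to, here is an added illustration; it is not RSA’s code and does not use the proprietary SecurID algorithm. In its place it assumes a standard HMAC-SHA1 time-based code of the RFC 6238 kind, and every seed, serial number, user name and PIN in it is a constructed value. The vendor-side record holds the seed for each token serial; the customer-side record holds which user carries which serial and that user’s PIN. An attacker who walks off with only the seed database can reproduce the rotating token codes, but still has to learn which serial belongs to which user and what that user’s PIN is, which is exactly the “other information” a preliminary intrusion at the target would have to collect.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the token rotates its code about once a minute

# Constructed sample data (hypothetical): vendor-side seed record, keyed by token serial.
# This is the kind of data at issue in the RSA breach.
SEED_DB = {
    "000123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}

# Constructed sample data (hypothetical): customer-side record of who holds which
# token and that user's secret PIN. Only the customer has this.
USER_DB = {
    "jdoe": {"serial": "000123456789", "pin": "4821"},
}


def tokencode(seed: bytes, now: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Stand-in for the proprietary SecurID function (assumption, not RSA's algorithm):
    HMAC-SHA1 over the current time step, dynamically truncated to `digits` decimals."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_passcode(user: str, passcode: str, now: int, window: int = 1) -> bool:
    """Server-side check: the passcode must be the user's PIN followed by the current
    tokencode (or an adjacent one, to absorb clock drift) of the token that user holds."""
    record = USER_DB.get(user)
    if record is None:
        return False
    seed = SEED_DB[record["serial"]]
    for k in range(-window, window + 1):
        expected = record["pin"] + tokencode(seed, now + k * STEP_SECONDS)
        # constant-time comparison; strings of different length simply fail
        if hmac.compare_digest(expected, passcode):
            return True
    return False


def attacker_guess(stolen_seed: bytes, now: int) -> str:
    """What the stolen seed alone yields: the rotating half of the passcode, nothing more."""
    return tokencode(stolen_seed, now)


if __name__ == "__main__":
    t = 1_300_000_000
    seed = SEED_DB["000123456789"]
    legit = USER_DB["jdoe"]["pin"] + tokencode(seed, t)
    print("legitimate login:", verify_passcode("jdoe", legit, t))                       # True
    print("seed only, no PIN:", verify_passcode("jdoe", attacker_guess(seed, t), t))    # False
```

The asymmetry shown here is also why the later Lockheed intrusion required more than the RSA loot: the attacker needed the serial-to-user mapping and the PIN from the target itself, which is what spear-phishing and reconnaissance inside the customer supply.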

On April 1, the RSA Web site published a blog posting titled “Anatomy of an Attack” by the company’s head of new technologies, Uri Rivner. Chatty and anecdotal, it described the “2011 Recruitment Plan” e-mail, one of two e-mails sent to low-level employees. (“You wouldn’t consider these users particularly high profile or high value targets,” Rivner wrote.) The post said nothing about when the attack began, how long it lasted, or what was taken, but some of Rivner’s language seems intended to suggest that the intrusion was short-lived: “Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything.” Rivner wrote that the RSA hackers used a Flash zero-day vulnerability (a flaw unknown to the program’s developers, and therefore still unpatched, at the time it was exploited) to install Poison Ivy, a widely available remote-access tool. But he gave no details about what the attackers did with that access or what other malware they brought into RSA’s system through it.

Rivner characterized the attackers’ technique as a form of “Advanced Persistent Threat,” or A.P.T.—security lingo for “Pretty sure it came from China,” in the words of Brian Krebs, a leading cyber-security blogger. According to Operation Starlight’s draft report, some of the malware that was used to attack RSA was “compiled” (built from source code into a runnable program) in December of 2010—a full three months before the SecurID hack. “APT attack groups typically launch their attacks within hours of compilation, providing a useful date indicator for the targeted intrusion,” the draft says. The draft acknowledges that “these compile dates are easily modified,” but it goes on: “The earliest compile date [of malware used in the RSA hack] that has not been materially modified is 12/22/2010, potentially providing at least three months of persistent access into RSA operations.” One prominent cyber-security analyst with firsthand knowledge of the RSA intrusions confirms that RSA appeared to be under attack by other A.P.T. groups prior to the SecurID hack. These groups “were not going after seed values,” the analyst says, though “we don’t know whether they were doing advanced reconnaissance” for the later attacks. In addition, RSA was being hit by “drive-by malware,” meant to harvest run-of-the-mill kinds of data. Coviello, for his part, says “we have no evidence” of intrusions beginning earlier than March.
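The draft’s compile-date reasoning rests on a single field in a Windows executable, the TimeDateStamp in the COFF file header, which the linker writes and which anyone with a hex editor can rewrite. The following is an added example, not Operation Starlight’s code; the sample image it builds is a constructed, header-only PE skeleton, not a real binary. It reads that field, renders it as a date, rewrites it to show how cheaply the value is forged, and applies the minimal sanity checks an analyst would run before treating the field as a dwell-time indicator. One caveat the draft does not mention: the value is only meaningful when the build tool actually wrote a time, since some toolchains emit zero, and newer Microsoft linkers with reproducible builds enabled store a hash of the build inputs there instead of a timestamp.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF file format.
E_LFANEW_OFFSET = 0x3C           # DOS header field holding the offset of "PE\0\0"
TIMESTAMP_OFFSET_FROM_PE = 8     # "PE\0\0"(4) + Machine(2) + NumberOfSections(2)


def _pe_header_offset(data: bytes) -> int:
    """Locate the PE signature via the DOS header; reject anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def pe_timestamp(data: bytes) -> int:
    """Raw COFF TimeDateStamp: seconds since 1970-01-01 UTC, as the linker wrote it."""
    return struct.unpack_from("<I", data, _pe_header_offset(data) + TIMESTAMP_OFFSET_FROM_PE)[0]


def compile_time(data: bytes) -> str:
    """The same field rendered as an ISO-8601 UTC date, e.g. 2010-12-22T00:00:00+00:00."""
    return datetime.fromtimestamp(pe_timestamp(data), tz=timezone.utc).isoformat()


def set_timestamp(data: bytes, ts: int) -> bytes:
    """Overwrite the field. This four-byte write is all it takes to back- or forward-date a sample."""
    out = bytearray(data)
    struct.pack_into("<I", out, _pe_header_offset(data) + TIMESTAMP_OFFSET_FROM_PE, ts)
    return bytes(out)


def timestamp_trustworthy(ts: int, first_seen: int) -> bool:
    """Plausibility checks before using the field as evidence: it must not be a sentinel
    (0 or 0xFFFFFFFF), and a file cannot have been built after it was first observed."""
    return ts not in (0, 0xFFFFFFFF) and ts <= first_seen


def make_sample(ts: int) -> bytes:
    """Constructed, header-only PE skeleton for the example (not a real or runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # COFF header: Machine=i386, 3 sections, TimeDateStamp, symbol-table pointer,
    # symbol count, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    built = int(datetime(2010, 12, 22, tzinfo=timezone.utc).timestamp())
    sample = make_sample(built)
    print("compile time:", compile_time(sample))                # 2010-12-22T00:00:00+00:00
    forged = set_timestamp(sample, built - 90 * 86400)          # make it look three months older
    print("after forging:", compile_time(forged))
    first_seen = int(datetime(2011, 3, 17, tzinfo=timezone.utc).timestamp())
    print("plausible:", timestamp_trustworthy(pe_timestamp(sample), first_seen))  # True
```

In practice the header stamp is cross-checked against timestamps the attacker is less likely to have touched consistently (export and debug directory stamps, the first-seen date on a malware feed, file-system and log timestamps from the victim) before it is allowed to anchor a timeline such as the three-month dwell time the draft proposes.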

The SecurID hack, whenever it began and however long it lasted, was a sophisticated intrusion. Though RSA has not said how the Adversary managed to stay undetected inside its network, previous examples of stealth techniques used by A.P.T. attackers illustrate how resourceful they can be. Jonathan Pollet, the head of Red Tiger Security, based in Houston, Texas, was hired in 2010 by three Fortune 100 companies to clean up after a spate of cyber-attacks that came from servers in China. (These intrusions were similar in many ways to the attacks known as Night Dragon, which targeted various energy industries at about the same time.) Pollet says the victims knew that something strange was going on because they kept getting locked out of their e-mail accounts for no apparent reason. But the Adversary stayed under the radar by making an ingeniously malevolent move: taking control of the companies’ virtual I.T. help desks, impersonating their I.T. help-desk staff, and answering employees’ service complaints themselves. “Attackers want to be a parasite, want to make sure the host is happy,” says Pollet. “So if they know the help desk is going to get overwhelmed with complaints, they decide, ‘Let’s just solve these problems ourselves.’ ”

Body Count

China’s aggressive campaign of cyber-espionage began about a decade ago, with attacks on U.S. government agencies. (The details have still not been divulged.) Then China broadened the scope of its efforts, infiltrating the civilian sector in order to steal intellectual property and gain competitive advantage over Western companies. Dmitri Alperovitch, vice president of threat research at McAfee, who gave Aurora and Night Dragon their names and has written definitive studies of A.P.T. attacks, says that “today we see pretty much any company that has valuable intellectual property or trade secrets of any kind being pilfered continually, all day long, every day, relentlessly.”

Some of China’s intellectual-property thefts are like virtual cat burglaries; others are inside jobs; and many combine elements of both. Dongfan “Greg” Chung, a former Boeing and Rockwell engineer, was convicted in 2009 of acting as an agent of the P.R.C. in stealing secrets related to the Space Shuttle program and the Delta IV rocket. In March of this year, a man named Sixing “Steve” Liu, a Chinese engineer who worked for a division of L-3 Communications, was arrested on charges of illegally exporting military data to China. (Liu has pleaded not guilty and the case is pending.) A former Google executive told me, “The party is very aggressive in enforcing loyalty among Chinese employees of American companies. This creates a dilemma of divided loyalties. Google’s response was to take the risk and plow ahead. Google did not hire private investigators. There may have been a cost for that.” Early news coverage of Operation Aurora, against Google, indicated that some Google China employees had been denied access to internal networks and others had been put on leave or reassigned in the wake of the attacks. According to a Google spokesperson, the company “ran some tests … internally to ensure that the network was safe and secure and we gave Googlers in China a holiday on the Tuesday we made the announcement.”

The vulnerability of corporations to attack stems in part from ignorance, in part from denial. Google executives reportedly believed that the American government monitors this country’s Internet infrastructure the same way it monitors foreign military threats to keep the geographic homeland secure. A former White House official told me, “After Google got hacked, they called the N.S.A. in and said, ‘You were supposed to protect us from this!’ The N.S.A. guys just about fell out of their chairs. They could not believe how naïve the Google guys had been.” (In response to detailed questions regarding Operation Aurora and the company’s response to it, Google declined to comment.)

Martin Libicki, a Rand Corporation analyst and the author of Cyberdeterrence and Cyberwar, says that the 2007 hack of Defense Secretary Robert Gates’s computer finally made some in Washington take the cyber-espionage problem seriously. The Pentagon has admitted that in June of that year it had to shut down part of the computer system in Gates’s office after the attack, which senior U.S. officials attributed to the People’s Liberation Army. “It got personal at that point,” Libicki says. Other Western nations started talking publicly about the problem at around the same time. In August of that same year, German chancellor Angela Merkel reportedly confronted Chinese premier Wen Jiabao after hackers from his country gained access to the computers in her office, as well as those in the German foreign, economic, and research ministries. In December, M.I.5 sent a letter to 300 British C.E.O.’s and security chiefs warning them that state-sponsored Chinese organizations may have been spying on their computer systems.

Public awareness of cyber-espionage was dramatically heightened in January 2010 when Google started talking about Operation Aurora. Operation Aurora gathered source code, the virtual equivalent of Coca-Cola’s secret formula, from a broad array of U.S. corporations. Because source code is so valuable, and because the manner of its theft was so innovative, many experts were puzzled by the way that Google announced the attacks, emphasizing Aurora’s secondary goal (reconnaissance of “human-rights activists” in China) rather than its primary one (stealing Google’s virtual DNA).

Access to source code makes it relatively easy to discover new vulnerabilities in a Web application. For malware writers, these vulnerabilities are the keys to the kingdom, the open windows in the house that let them get inside to steal the furniture—or, depending on their goals, to move the furniture around, by altering the code and therefore potentially changing the functions of the company’s product.

It was eventually revealed that intruders had made off with source code for a Google password-management program called Gaia. The company’s losses are widely rumored to have been much greater, however. New information from security experts who were personally briefed by Google’s security chief, Heather Adkins, while Operation Aurora unfolded, offers a far more comprehensive picture of the attack than Google publicly told.

Three people who visited Google’s Mountain View, California, headquarters while the attacks were in progress describe dramatic scenes of a company under siege. Google “built a physically separate area for the security team,” one of them says. Sergey Brin, one of the company’s co-founders, was deeply involved in the cyber-defense. “He moved his desk to go sit with the Aurora responders every day. Because he grew up in the Soviet Union, he personally has a real hard-on for the Chinese now. He is pissed.” Caught unawares and shorthanded, the company made a list of the world’s top security professionals, and Brin personally called to offer them jobs—with $100,000 signing bonuses for some, according to one person who received such an offer—and quickly built Google’s small, pre-Aurora security operation into a group of more than 200.

Meanwhile, representatives of other companies hit by Aurora were invited to the Googleplex for private meetings with Adkins. She told two of the visitors that the attackers had made a beeline for Google’s “legal-discovery portals,” the system the company uses to evaluate requests for information from law-enforcement agencies and foreign governments. “The activity on those portals is closely monitored,” one visitor says. “Someone noticed that a bunch of Chinese names were queried on one woman’s computer [in the legal-discovery department] and asked her, ‘Why did you query all these people?’ She said, ‘I didn’t.’ ”

Security took her laptop to analyze it, and “that was the string they started pulling” that unraveled the Aurora attack.

Much more significant, however—and previously unreported—is that the intruders used Google’s internal search engine to look for words related to the company’s code-signing certificates: the credentials with which a company signs its software so that a computer can verify who published it before trusting or running it. (The certificate itself is public; what must stay secret is the private key that produces the signature, and anyone holding that key can publish software that looks like Google’s.) This part of the attack was foiled because Google keeps its signing certificates and keys offline, in an “air-gapped” network—a network that is not connected to the Internet.

The search for signing certificates is a disturbing new piece of information about Operation Aurora’s intentions. It also suggests a link to the SecurID theft. In both Operation Aurora and the RSA hack, not only did the attackers seek to steal proprietary information, they sought to steal the digital identities that would allow them to impersonate the companies.

Google’s initial announcement of Operation Aurora stated that “at least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors”—had been affected, and early news reports named Yahoo and Symantec as among the other victims. As the year wore on, the body count grew: Adobe, Juniper Networks, and Rackspace admitted that they’d been attacked, then Intel. Before long a cache of e-mails written by analysts at the security firm HBGary and its sister company HBGary Federal were made public, after the companies were caught in the crosshairs of the hacktivist group Anonymous, a loose coalition of individuals who perform coordinated cyber-attacks, sometimes with the stated goal of advancing Internet freedom. The e-mails revealed that Aurora or similar attacks had also hit Baker Hughes, ExxonMobil, Royal Dutch Shell, BP, Conoco Phillips, Marathon Oil, Lockheed, Northrop Grumman, Symantec, Juniper, Disney, Sony, Johnson & Johnson, General Electric, General Dynamics, the law firm King & Spalding, and DuPont. DuPont was hit so intensely that, one HBGary analyst wrote, “their hair is on fire.”

Not only did the HBGary e-mails provide new details about Aurora, they also described similar attacks that had been going on for much longer than the public knew. “Many of the leading defense contractors … all had … aurora-type attacks as far back as 2005,” one analyst wrote. “So a search engine makes a big media stink about one intrusion, and that leads to a bunch of hype? I think the discussion needs to be on why it’s taken 5+ years for the rest of the industry to catch on.”

Pointing Fingers

From the start, Google openly asserted its view that the attack originated in China, and Hillary Clinton, after being “briefed by Google on these allegations,” issued a statement that pointedly said, “We look to the Chinese government for an explanation.” A report by Verisign iDefense, a security-intelligence service based in Dulles, Virginia, went further, stating that Aurora was directed by “agents of the Chinese state or proxies thereof.” The Chinese government made no official, public response to Clinton’s statement. But shortly thereafter, a spokesman for China’s Ministry of Industry and Information Technology told Xinhua, the official news agency, about the allegations regarding Google, that the “accusation that the Chinese government participated in [any] cyber attack, either in an explicit or inexplicit way, is groundless and aims to denigrate China.”

Yet, in the case of Aurora, there is evidence of involvement. After researchers found similarities between the tools used in the Aurora attacks and malware tools that were posted on open Chinese hacker forums, many analysts speculated that Beijing had employed civilian hackers as proxies to launch the attacks. A leading security-intelligence analyst says he received several dozen tips from sources in China suggesting that, “in point of fact, it was the P.R.C. government taking or demanding access to some of the research that the hackers had been doing, and then using it themselves.” The analyst goes on: “The Chinese government has employed this same tactic in numerous intrusions. Because their internal police and military have such a respected or feared voice among the hacking community, they can make use of the hackers’ research with their knowledge and still keep the hackers tight-lipped about it. The hackers know that if they step out of line they will find themselves quickly in a very unpleasant prison in western China, turning large rocks into smaller rocks.” In an undated cable made public by WikiLeaks, one American diplomat in Beijing reported to Washington that Aurora was an act of revenge ordered by a Chinese politburo member who had Googled himself and found a raft of unflattering articles.

The SecurID hack used the same basic technique as Operation Aurora and many other recent intrusions, though it made use of different specific tools. The technique, called “spear-phishing,” begins with reconnaissance to find personal information about a company’s employees. The Adversary may troll social-networking sites, including Facebook and Twitter, or may research e-mail archives exfiltrated in previous attacks to diagram its victims’ social situations. Then the Adversary writes e-mails or sends instant messages individually tailored to the recipients and sends them, with malicious attachments, from identities that the victim is likely to trust. If the recipient clicks on the attachment, the malware, called a remote-access tool, or “rat,” hooks itself into the user’s Windows operating system inside the company’s firewall. The rat is manually operated by the Adversary—an actual person, sitting at a computer, waiting to take over the victim’s machine. “The initial machine is just a beachhead,” explains McAfee’s Dmitri Alperovitch. “From that point, the Adversary will move into document repositories, e-mail archive servers, proceed to take the data and ship it out of the company through another mechanism, typically by setting up a second, command-and-control server that they will exfiltrate data to. From the moment you’ve clicked on the malware, there is another individual on the other end adapting to your network eco-system, your security system, and trying various things until they succeed in getting what they want. It’s like a Predator drone in Pakistan that’s being controlled by a joystick in Nevada.”

Some of the types of tools that the RSA hackers used—the rat, the command-and-control-server infrastructure, and the remote domains—had previously been employed in a persistent series of attacks on the Department of Defense and other U.S.-government systems. These attacks were originally code-named Titan Rain. After Titan Rain was made public, it was re-christened with the code name Byzantine Hades, and after that name, too, was made public, Byzantine Hades was re-dubbed with at least three more new classified code names, according to a former N.S.A. analyst. Some top intrusion specialists attribute this series of attacks to a group in China called the Red Hacker Alliance, which has suspected ties to the People’s Liberation Army. (The particular malware and command-and-control servers used in the SecurID hack, however, were unique, and had not been used in previous attacks.)

Act of War?

On May 21, the computer systems of America’s largest military contractor, Lockheed Martin, detected an intruder. A week later, Lockheed acknowledged the breach in a statement. The company called the attack “significant and tenacious” but also said that it had been detected “almost immediately,” at which point the company took “aggressive” actions to stop it. “Our systems remain secure; no customer, program or employee personal data has been compromised,” the statement said—leaving open the questions of how an intrusion could be both “tenacious” and detected “almost immediately,” and how it could be “significant” without compromising any data. The event was noteworthy enough that President Obama was briefed on the situation. An unnamed Lockheed executive told The New York Times that investigators “cannot rule out” a connection to the RSA breach. RSA said that it was “premature to speculate” on the cause of the attack.

On May 31, news broke that L-3 Communications, which provides intelligence, surveillance, and reconnaissance technology to the U.S. government, had also been attacked, according to an e-mail to L-3 employees dated April 6. The e-mail said that L-3 had been “actively targeted with penetration attacks leveraging the compromised information” from the RSA breach. When asked whether intruders had gained the ability to clone SecurID key fobs, an RSA spokeswoman said, “That’s not something we had commented on and probably never will.”

The next day, June 1, Fox News reported that Northrop Grumman had cut off remote access to its network without warning, resetting domain names and passwords, and causing “chaos” across the company, according to an unnamed Northrop executive. The company’s official response to Fox’s questions on the matter was, verbatim, the same as its response to my questions about previous reported hacks, going back several years: “We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions.”

That same day, Google made its first allegation of Chinese hacking since Operation Aurora, announcing that it had thwarted an attempt from China to steal the Gmail passwords of senior U.S. government officials. The next week, on June 7, RSA’s Art Coviello gave a mea culpa interview to The Wall Street Journal, admitting that the entire SecurID system was compromised, offering to replace practically all of the millions of tokens on the market—and infuriating many of its customers, some of whom were reported to be sundering their relationship with RSA and hiring new security companies. Coviello says that he made the replacement offer because, “post-Lockheed, customers had a lower tolerance for risk,” and he says that “less than 10 percent of our customers have requested replacement tokens.”

This onslaught of revelations was all the more extraordinary because American industry has so few incentives to come clean about its losses, and so many incentives to cover them up. Was it a coincidence that, only hours before Northrop’s and Google’s alleged hacks became public, the Pentagon provided an element of its forthcoming cyber-war strategy to The Wall Street Journal, declaring that the U.S. will consider some cyber-attacks to be the equivalent of physical acts of war?

Like so many Rip Van Winkles, most of Washington has been asleep while cyber-attacks proliferated. But a few voices have been trying to wake the town up. One belongs to Scott Borg, director and chief economist of the U.S. Cyber-Consequences Unit, whose research indicates that China, to sustain economic growth, “is relying increasingly on large-scale information theft. This means that cyber attacks are now a basic part of China’s national development strategy.” Another voice is that of James A. Lewis, a former diplomat who now leads the Technology and Public Policy Program at the Center for Strategic and International Studies. He says, “The thing we have to work through is, how do we want to work with the Chinese on this issue? This administration has decided they want to cooperate, not have a confrontation.” A senior State Department official elaborates: “One of the core things we’re trying to do diplomatically is to build a consensus internationally to build norms of behavior, rules of the road,” as described in the president’s “International Strategy for Cyberspace.” (The norms include “Upholding Fundamental Freedoms,” “Respect for Property,” and “Right of Self-Defense.”) James A. Lewis goes on: “This is what we did on missile proliferation. Our allies showed up and we all said, ‘Here are the norms.’ But how do we get a flow of countries to show up and say, ‘You’re crossing a line. Back off, or there will be consequences’? What is the cost to the Chinese right now? Until there is some cost, they’re not going to stop.”

Another White House document, the “Comprehensive National CyberSecurity Initiative,” as well as several bills in Congress, propose ways of protecting critical infrastructure, such as electrical grids, from cyber-intrusions. China has so thoroughly probed and mapped our power system that former director of national intelligence Dennis Blair once publicly admitted that “a number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”

Still others are trying to address the economic impact of cyber-espionage. On May 11, Senator Jay Rockefeller and several of his colleagues sent a letter to Mary Schapiro, chair of the U.S. Securities and Exchange Commission, asking the S.E.C. to issue interpretive guidance for companies about disclosing material risk due to cyber-breaches. The morning Rockefeller sent his letter, Tom Kellermann, a former cyber-security specialist at the World Bank, told me that the S.E.C. would force companies to make significant disclosures. “The dragon lady’s gonna rain down fire,” he said.

The dragon lady has her work cut out for her. One industrial-control-systems security specialist recalls a conversation with a chief financial officer and a chief information officer of a major corporation after finding 65 vulnerabilities in the company’s networks, which would have required a huge investment to fix. “What’s the worst that can happen if we don’t fix any of these?” the C.F.O. asked.

“We have large exposure,” answered the C.I.O. “We could potentially be attacked—”

“No, no, no. What is the financial impact if we don’t do any of these?”

“We’re not regulated or audited, so there won’t be any fines.”

The C.F.O. answered, “You get no budget,” and the topic was closed.

The persistent culture of secrecy surrounding all things cyber compounds the difficulty of taking practical steps against Chinese hacking. Much, perhaps most, information about cyber-conflict of all types is classified, which creates tremendous practical problems of communication. Sometimes, when the F.B.I. learns of an intrusion through classified channels, the Bureau has to find other, unclassified evidence of the intrusion in order to be able to tell the victim what is happening. “If it’s a defense contractor being hacked, then the victim company includes people with clearances, so communication is easy. But if you’re talking about a company where no one has clearances, that presents a significant problem”—and can create a significant time delay between the discovery of a hack and the victim’s awareness of exposure, according to one cyber-security analyst.

Playing the Fool

Yet the deeper I delved into the Chinese hacking problem, the more I discovered a network of individuals in government and the private sector who are serving as a semi-official Resistance in this secret war. A handful of influential congressional staffers who shape Hill debate on these matters put me in touch with top intrusion specialists who are former hackers, military personnel, or National Security Agency officials. These analysts are the civilian, cyber-equivalent of special-ops forces. When my phone rang very late one night this spring, I was surprised to see the name of one of these analysts on the screen. In the mood to talk, he spent most of an hour describing his work to me, naming names and counting losses with shocking precision, though forbidding me to repeat the details of his disclosures.

In this conversation—the first of several that took place over the following months—the man said that he had started his career protecting government networks against foreign attacks. On that job, he became so preoccupied with the scale of Chinese hacking that a senior military officer told him to stop talking about it, with the gruff explanation that “the reason this is still going on is that the Chinese government now owns us.” Frustrated, the analyst eventually left government service for the private sector.

The problem may be reaching a boil that will take significant willpower to ignore. In mid-July, the security firm McAfee shared exclusively with Vanity Fair the results of its latest cyber-espionage investigation. McAfee reports that, over a period of five years, a single Adversary penetrated more than 70 organizations, from giant multi-national corporations to tiny nonprofits, representing more than 30 industries around the world, and exfiltrated intellectual property—including e-mail archives, legal contracts, negotiation plans for business activities, design schematics, and government secrets—as soon as its spear-phishing victims clicked on a link to a Web page. One country’s Olympic committee was compromised for a full 28 months; many other organizations were compromised for two whole years. McAfee has given the name Operation Shady RAT to this set of intrusions. Dmitri Alperovitch, who discovered Operation Shady RAT, draws a stark lesson: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

The full list of Operation Shady RAT’s victims includes government agencies and corporations worldwide. The vast majority of victims—more than two-thirds of the total—are in the U.S. Among the other countries targeted are Taiwan, South Korea, Japan, Hong Kong, Singapore, India, Germany, and the U.K. In 2007, the year before the Beijing Olympics, one international athletics organization and the Olympic committees of three different countries were breached by this intruder. Alperovitch believes the targeting of the Olympic committees and of American political nonprofits suggests the intrusions were state-sponsored, explaining, “There’s no economic gain to compromising them.” When asked if the People’s Republic of China was conceivably behind Shady RAT—given that China was not itself attacked—Alperovitch noted that McAfee’s policy was not to comment on attribution. He added, “If others want to draw that conclusion, I certainly wouldn’t discourage them.”

Another security researcher who was on the front lines during Operation Aurora says, “Those of us who are hands-on-keyboard want this story to be told, because we feel like the top corporate managers—following the advice of their lawyers—are reflexively keeping breach information secret from other companies that are trying to defend themselves. In the big picture, a little bit of short-term embarrassment is worth it, to get the American people to understand that there’s a low-level Cold War going on.” 

Despite—and also because of—the extreme secrecy surrounding industrial cyber-espionage, this phenomenon is gradually effecting a fundamental re-arrangement of the relationship between state and corporate power.

Michael Hayden was the director of the N.S.A. and then the C.I.A. during the period when the problem of Chinese cyber-espionage developed. In a conversation with him about Operation Aurora, I asked what he believed to be the most significant fact about those intrusions.

He answered, “You see Google acting in some ways as nation-states used to act, exercising to the best of their ability some attributes traditionally associated with sovereign states. ‘We’re going to break relationship’—cease doing business there, you know. It’s something I dwell on a lot. The cyberworld is so new that the old structures, you know—state, non-state, public, private—they all break down … The last time we had such a powerful discontinuity is probably the European discovery of the Western Hemisphere. At that point, we had some big, multi-national corporations—East India Company and Hudson’s Bay—that acted as states. And I see elements of that with the big Microsofts and Googles of the world. Because of their size, they actually are making decisions that have the impact of the kinds of decisions made in the halls of government. Google is not a state. But what constitutes Google’s inherent right of self-defense in this new environment against this kind of attack? I’m not accusing anyone of doing anything wrong. These situations are just so different. What do we believe would be legitimate for Google to do in response to this? Now, I don’t have answers. I really don’t know, but it’s a really good question.”

Operation Starlight has an old-fashioned answer to that question: Find the culprits and put them to shame. Its draft report declares: “The attacker’s name, telephone number records, and other pertinent information should be divulged to the public in order to support attacker attribution and assist in tracking back to the source.”

But no one believes that this tactic by itself will solve the problem—or that corporations will embrace their long-term best interest anytime soon. Rather, so long as executives and politicians are guided by short-term self-interest, they will continue to play the fool to the country that would be king. “You need to consider: What are the subconscious assumptions that companies bring to the issue of foreign cyber-attacks on their networks?,” a senior Senate staffer who works on cyber-issues asked me. “They assume that if something bad happens government will take care of the losses. They act like they don’t really believe that a bank could get completely taken out, or that a tech giant could get its whole lunch eaten, because it sounds as fictional as 9/11 would have sounded before it happened. But terrorism is not the best analogy here. Who could have imagined that people would have flown airplanes into buildings? The difference with cyber is there are people trying to fly planes into buildings every day now. And everybody just looks the other way.”

Correction: The online version of this story reflects two developments that came to light since the magazine went to press. The number of athletics organizations breached in 2007 by the Shady RAT intruder was one, not two. Additionally, American defense contractors were not among those whose systems were compromised for two whole years.


[Information contained in BKNT E-mail is considered Attorney-Client and Attorney Work Product privileged, copyrighted and confidential. Views that may be expressed are those of the author(s) and do not necessarily reflect those of any government, agency, or news organization.]

US/1; ATTN: US/12; HST/2


Terrorist Magazine Celebrates Its Most Epic Failures

By Spencer Ackerman | July 19, 2011  |  6:09 pm

Previous issues of a jihadi lifestyle magazine published by al-Qaida’s boldest affiliate celebrated the group’s operations. The new one celebrates — and tries lamely to spin — al-Qaida’s biggest failures.

The sixth issue of Inspire, the English-language webzine published by al-Qaida in the Arabian Peninsula, is all about death. But not American death — their own. Osama bin Laden is the subject of numerous florid eulogies. The feature well of the magazine is packed with tales of other jihadis who met a violent end. And these tales of futility are meant to get American Muslims to pick up bin Laden’s call to eschatological, conspiratorial murder.

Most conspicuously, Inspire doesn’t pledge to avenge bin Laden, nor does it boast of future plots. If its how-to section for homegrown terrorism, the “AQ Chef,” started turning out bland dishes in January, its cupboard now appears pretty barren.

Even the issue’s message on bin Laden is muddied. Separate eulogies wave it off by arguing that bin Laden “achieved what Prophet Muhammad always yearned for: shahada” — that is, martyrdom. Except that bin Laden didn’t die in battle, he died hiding in a compound when the SEALs came for him. And they don’t express any happiness about what’s supposed to be the culmination of bin Laden’s cunning plan, just “a mixed sentiment of sadness, contentment and aspiration.” There’s even a flirtation with denialism, as the mag floats the construction, “even if America has been able to kill Usama…”

Inspire’s old issues bragged about setting bombs in printer cartridges for $4,200 and pledged more attacks on U.S.-bound aircraft. This time: nothing. “As long as Islam is alive,” writes Samir Khan, the American citizen who’s one of Inspire’s main contributors, “jihad will so to [sic] remain alive.” The mag even thanks the Pakistani Taliban for “taking revenge” for bin Laden, rather than boasting of reprisal plots.

Maybe that’s why the issue’s DIY-Terrorism section is abbreviated. It consists of exactly two tips: advice on how to shoot an AK-47, and instructions for cooking the explosive acetone peroxide. Neither contains anything that can’t be independently found with two minutes’ worth of Googling. What, no more monster trucks of doom?

Even more striking are the apologies that al-Qaida throws in for its dicey strategic situation. Is it marginalized by the democratic flowering of the Arab Spring? Heavens no: “the protesters have never protested against the shari’ah nor have shown displeasure with it.” The rising U.S. shadow war in Yemen? Meh, Anwar al-Awlaki joked that “someone must be angry” after a drone missed him — and he was close enough to hear the missile.

Remember that the purpose of Inspire is to, well, inspire American Muslim kids to become terrorists. If the most inspirational tales it can tell is about how all these people died at the hands of the fearsome American military, then maybe U.S. counterterrorism officials aren’t the only ones who misunderstand the kind of war they’re fighting.

Spencer Ackerman is Danger Room's senior reporter, based out of Washington, D.C., covering weapons of doom and the strategies they're used to implement. 




[ed.note: AQAP US ‘LONE-WOLF’ US Military CENTRAL Committee Planning & INFORMATION OPS…Coming 21 JULY 2011 to a BlackNET near you…]

Accused Fort Hood Shooter to Have Military Trial, Will Face Death Penalty

Published July 06, 2011: 1200 ET

DEVELOPING: The Army psychiatrist charged in the deadly Fort Hood rampage in Texas will be court-martialed and face the death penalty, Fox News confirms. 

Fort Hood's commanding general announced the decision Wednesday for Maj. Nidal Hasan.

The 40-year-old is expected to appear in a Fort Hood courtroom for an arraignment and could enter a plea.

Hasan is charged with 13 counts of premeditated murder and 32 counts of attempted premeditated murder in the November 2009 shooting spree at the Army post.

Hasan's lead attorney, John Galligan, had urged the commanding general not to seek the death penalty, saying such cases were more costly, time-consuming and restrictive.

Two Army colonels previously recommended that Hasan be tried in a military court and face the death penalty.

The Associated Press contributed to this report.


SEE: W. Scott Malone and Anthony L. Kimery on Al Qaeda Cyber-JIHAD HIT LIST - Names NAMED...


Al-Qaeda propaganda forum 'forced offline'

A website that served as al-Qaeda’s main channel for spreading its extremist ideology has been shut down by what experts said had the hallmarks of a hacking attack by a Western intelligence agency.

4:31PM BST 30 Jun 2011

The al-Shamukh forum was used by the terror group to issue official statements, including its acknowledgement that Osama bin Laden was killed by US special forces in May, and video messages from his successor Ayman al-Zawahiri. 

But the website is now completely crippled after its address was revoked and then its contents were deleted from the server that hosted it in Malaysia. Its operators reported "technical difficulties" via other jihadi forums. 

“First, the address stopped working, but the forum was still available via its direct IP address,” said Evan Kohlmann of Flashpoint Partners, a security consultancy that works with British and American counter-terrorism agencies. 

“Then, about 12 hours later, the entire site got wiped clean at the level of the data hosting server. Those were two separate and distinct events that occurred in rather close proximity to each other.” 

Last year al-Shamukh replaced an earlier forum, al-Faloja, which was also used to distribute propaganda and martyrdom videos. This week’s apparent attack leaves al-Qaeda without an official communications channel online.

“Since about last August, every single thing you've seen from al-Qaeda, the videos of Ayman al-Zawahiri, the Bin Laden death statement, has originated from this lone channel,” said Mr Kohlmann. 

The shutdown also comes soon after al-Shamukh published a roster of senior government, industry and media figures to be targeted for assassination by lone terrorists. Earlier this month the FBI warned 40 prominent individuals that they were named on the hit list. 

The apparent sophistication of the attack on al-Shamukh prompted claims that hackers working for Western intelligence agencies were responsible. 

“When you run an al-Qaeda website, you should expect to receive a regular delivery of half-witted hacking attacks by hecklers, and efforts by crusading activists on the web to shut the site down, but most of those efforts end up coming to little fruition,” said Mr Kohlmann. 

“This is the most significant outage in at least a year, so quite obviously something was a little different this time.” 

Earlier this month it emerged that MI6 and GCHQ hackers hijacked an issue of al-Qaeda’s propaganda magazine, Inspire, and inserted baking recipes in an action dubbed “Operation Cupcake”.

British intelligence took action after the CIA blocked the plan in the US, arguing that disrupting the launch would cut off the flow of valuable intelligence. Similar debates surround jihadi forums such as al-Shamukh, which serve as a magnet for young extremists. 

If intelligence agencies were not behind the shutdown, it is possible that the many digital vigilantes who pursue al-Qaeda online were responsible. A security source who investigated the forum for several months said its software was relatively insecure and leaked administrator passwords. 

Despite the crippling of al-Shamukh, copies of the jihadi material it hosted remain online. Mr Kohlmann said its loss was nevertheless a blow to al-Qaeda, which is already under pressure following bin Laden’s death. 

“It either has to wait until the forum is resurrected, or else it must establish a new relationship with another jihadi forum, which it has been somewhat reluctant to do in recent years, likely out of security concerns.” 





Hacker group LulzSec says it’s disbanding after attacks on CIA, Sony, US Senate, PBS, and more

By Associated Press, Published: June 25, 2011

NEW YORK — A publicity-seeking hacker group that has blazed a path of mayhem on the Internet over the last two months, including attacks on law enforcement sites, said unexpectedly on Saturday it is dissolving itself.

Lulz Security made its announcement through its Twitter account. It gave no reason for the disbandment, but it could be a sign of nerves in the face of law enforcement investigations. Rival hackers have also joined in the hunt, releasing information they say could point to the identities of the six-member group.

One of the group’s members was interviewed by The Associated Press on Friday, and gave no indication that its work was ending. LulzSec claimed hacks on major entertainment companies, FBI partner organizations, the CIA, the U.S. Senate and a pornography website.

As a parting shot, LulzSec released a grab-bag of documents and login information apparently gleaned from gaming websites and corporate servers. The largest group of documents — 338 files — appears to be internal documents from AT&T Inc., detailing its buildout of a new wireless broadband network in the U.S. The network is set to go live this summer. An AT&T spokesman could not immediately confirm the authenticity of the documents.

In an unusual strategy for a hacker group, LulzSec has sought publicity and conducted a conversation with the public through its Twitter account. Observers believe it’s an offshoot of Anonymous, a larger, more loosely organized group that attempts to mobilize hackers for attacks on targets it considers immoral, like oppressive Middle Eastern governments and opponents of the document-distribution site WikiLeaks. LulzSec, on the other hand, attacked anyone they could for “the lulz,” which is Internet jargon for “laughs.”



NSA allies with Internet carriers to thwart cyber attacks against defense firms

By Ellen Nakashima, Published: June 16, 2011

The National Security Agency is working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries, senior defense and industry officials say.

The novel program, which began last month on a voluntary, trial basis, relies on sophisticated NSA data sets to identify malicious programs slipped into the vast stream of Internet data flowing to the nation’s largest defense firms. Such attacks, including one last month against Bethesda-based Lockheed Martin, are nearly constant as rival nations and terrorist groups seek access to U.S. military secrets.

“We hope the . . . cyber pilot can be the beginning of something bigger,” Deputy Defense Secretary William J. Lynn III said at a global security conference in Paris on Thursday. “It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.”

The prospect of a role for the NSA, the nation’s largest spy agency and a part of the Defense Department, in helping Internet service providers filter domestic Web traffic already had sparked concerns among privacy activists. Lynn’s suggestion that the program might be extended beyond the work of defense contractors threatened to raise the stakes. 

James X. Dempsey, vice president for public policy at the Center for Democracy & Technology, a civil liberties group, said that limiting the NSA’s role to sharing data is “an elegant solution” to the long-standing problem of how to use the agency’s expertise while avoiding domestic surveillance by the government. But, he said, any extension of the program must guarantee protections against government access to private Internet traffic.

“We wouldn’t want this to become a backdoor form of surveillance,” Dempsey said.

Officials say the pilot program does not involve direct monitoring of the contractors’ networks by the government. The program uses NSA-developed “signatures,” or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors. That allows the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats. 

The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, Falls Church-based CSC, McLean-based SAIC and Northrop Grumman, which is moving its headquarters to Falls Church. The contractors have the option, but not the obligation, to report the success rate to the NSA’s Threat Operations Center.

All three of the Internet carriers declined to comment on the pilot program. Several of the defense contractors declined to comment as well.

Partnering with the major Internet providers “is probably the technically quickest way to go and the best way to go” to defend dot-com networks, said Gen. Keith B. Alexander, who heads the NSA and the affiliated U.S. Cyber Command at Fort Meade, testifying before Congress in March.

The premise of this strategy is that combining the providers’ ability to filter massive volumes of traffic — a large Internet carrier can monitor up to 100 gigabits per second — with the NSA’s expertise will provide a greater level of protection without violating privacy laws.

But the initiative stalled for months because of numerous concerns, including Justice Department worries that the program would run afoul of privacy laws forbidding government surveillance of private Internet traffic. Officials have, at least for now, allayed that concern by saying that the government will not directly filter the traffic or receive the malicious code captured by the Internet providers. The Department of Homeland Security is a partner in the pilot program.

“The U.S. government will not be monitoring, intercepting or storing any private-sector communications,” Lynn said. “Rather, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks...”



- OPEN SOURCE; US/121; TSP/2; US/1

The damage done from ONE single air-burst nuclear warhead over AMERICA--A Red Dawn Return to the 19th Century for all citizens:


Speaking of Cyber war, below you’ll see a screen grab showing what’s apparently the text of one of the phony phishing emails sent to senior U.S. government officials’ Gmail, Hotmail and Yahoo mail accounts by hackers in China. The message was custom crafted to look legit enough to trick a State Department official into opening and downloading the attachment. Once that was done, the hackers would extract the official’s login info and then have access to their private email account.

As an Op-Ed in the Wall Street Journal points out, the language used in the email is closely designed to mimic the tone used in millions of emails by U.S. bureaucrats and other professionals. It doesn’t sound like one of those African money transfer scheme emails we all get and laugh off. While China denies any official involvement in the attack, this hardly seems like the work of amateur hackers. These custom tailored attacks were targeted at specific individuals — possibly even a Presidential cabinet member — who had knowledge of U.S. government policy.

Screenshots via Contagio.




Written by
Thursday March 11, 2004

[ed.note: Below is the story of how the BlackNET came to be.]




FOR: Legal Counsel 30 October 2000


FROM: Scott Malone

CASE#: ___________

SUBJ: 'BLACKNET' Investigation #1


According to two special agents of the Federal Bureau of Investigation (FBI), someone affiliated with a loosely associated network of alleged "cyber-criminals" has appropriated my "cyber-identity" to commit apparently unauthorized access to NASA computer systems. Investigation to date reveals that this has apparently occurred, and it involves a "multi-agency," very secret investigation of the alleged perpetrators (one of whom I am apparently not). This alleged cyber-criminal network is further described by intelligence sources as very dangerous.


This report is a compilation and an expansion of two memoranda written on an internet-connected, AOL account "WSMfiles"-linked, Dell computer (Model Dimension 4100). This report is being written on my PBS-linked Macintosh PowerBook laptop (Model 520c). As far as can be determined to date, this matter apparently pertains to the time period of 1998-1999, and is not APPARENTLY related directly to my work on two rather sensitive cases for a Washington corporate security consulting group.

The first memorandum I wrote was dated 17 OCT 2000, and was entitled "FBI Visit." It stated in its entirety:

"Special Agents (SAs) Steven J. PANDELIDES and John T. CURRAN of the Washington Field Office (WFO), VA Branch, visited with me in the OpCenter for approximately 45 minutes at 10:00 am this morning. They stated that they are checking out a request from 'another office' about whether my computer or computer identities have apparently been appropriated via some method of 'cyber theft,' and employed to enter the NASA computer systems at the Johnson Space Center in Houston and their Goddard Space Flight Center facility in Greenbelt [MD]. This allegedly occurred sometime in 1998 or 1999. SA PANDELIDES had specified in a telcon message (recorded) on 16 OCT 2000 that I was apparently the 'unknowing victim of a computer-type intrusion.'

"During our meeting, the Special Agents inquired as to my programming proficiency, and they seemed most interested in LINUX. I informed the agents that the most important thing I knew about FORTRAN was 'rubber bands, since if you drop your IBM programming cards [while] standing in line to run your program, your program would quickly get out of order.' They asked about the operating system I used (Mac OS 7.5, circa 1995). I informed the agents that I did have very sensitive 'proprietary information' on this computer, which they declined to examine (although it was on and sitting in front of me during the interview).

"They inquired if I recognized the following 'screen names' (I did not):







The special agents also inquired if I had ever participated in any "chat-rooms." To my certain knowledge, the true "" has NEVER participated in any single chat-room, ever. The above listed screen names are apparently linked to some sort of "chat-room chat," as may well be the "WSMfiles" impostor(s).

The SAs also inquired as to any web sites I may have visited. I informed them that, to the best of my recollection, I had visited the following governmental sites:

NSA re: VENONA transcripts

NRO re: Satellite Coverage



NOAA re: Weather reports




The SAs expressed no further interest, not even in the dates I may have visited the above listed sites (most all in 1997). I did explain to SA CURRAN that the NRO stood for the National Reconnaissance Office, which has recently employed a "PAO" (Public Affairs Officer).

SA John T. CURRAN, listed above, was subsequently physically described to me (with no prompting or descriptions from me) by a source familiar with the Foreign Counter-Intelligence (FCI) operations of the WFO, down to his most recent haircut.[2] SA CURRAN's FBI business card has his Washington WFO phone number crossed out and a VA number handwritten in, unlike his counterpart, SA PANDELIDES.[3]

After I physically escorted these two FBI SAs from the premises, I informed them that I would be happy to cooperate in any way on this investigation, and I would make all the services available that were mine to offer. My final words to these two SAs as they walked west across L St. N.W. toward 17th, to their parking space, were: "Don't call me a confidential informant--just call me."[4]

Pursuant to a spare-time investigation, I began to draft another memorandum on the same internet-connected, AOL account "WSMfiles"-linked, Dell computer. It was originally dated 25 OCT 2000, and entitled "The 'BLACK NETWORK' Investigation." It states, in rough-draft form, the following:

"Over the weekend [21-22 OCT 2000], I learned that there was a loosely organized group of apparent cyber-criminals going by the name of the "BlackNet." Some of these operators were arrested and prosecuted in 1999. They were former telephone company technicians and were able to re-route around some telephone company switching stations. These individuals would purloin confidential databases of credit card holders; telephone credit card accounts and virtually anything in any database anywhere believed to be of value. They sold this information over the internet to all sorts of customers, including P.I.s.

"This alleged criminal network frequently (and apparently gleefully), practiced what they described as 'social engineering.' Social engineering entails making pretext phone calls or cyber-visits wherein the hackers attempt to solicit information to attack the victims' computer systems. Some of these so-called 'social engineering' techniques are explored in a new book about cyber-crime:

[To] save [themselves] some time and trouble [hackers will] phone claiming to be from the "Help Desk" or "Tech Support"...Hackers revel in developing adroit 'social engineering' skills. They pose as telephone repair men, they pose as cable installers, they pose as long distance operators, they pose as co-workers you have never met. They cajole or bully you depending upon which they sense will get the best results. The questions they ask could be as simple as "What version of the operating system is installed on your system? We're doing an enterprise-wide update." The questions could be as brazen as "Could you tell me your password? We need to reconfigure your user account. There's been some file corruption and we can't retrieve your ID info..."[5]

"In light of the above, I recalled an anomaly that would comport with an attempted 'social engineering' approach to my home. On Monday, 23 OCT 2000 (10:00 am), SA Steven J. PANDELIDES of the FBI WFO returned my page (Pager #202-592-7845; Cell #703-902-9812). I informed him that I had additional, possibly relevant information to impart. Specifically, approximately a year and a half ago (May 1999), a call was placed to my then rather recently installed third telephone line (703)524-5605. The caller inquired as to whether 'WSM Files' was a 'business.' When informed it was not, the caller seemed somewhat disappointed and hung up.

"SA PANDELIDES apparently took this information down. When I inquired as to the location of the 'another office' which had made the request to SA PANDELIDES' office to interview me, SA PANDELIDES declined to answer, stating that he would have the 'case agent' call me if the case agent deemed it 'necessary.' As of 4:00 PM, 25 OCT 2000, I have not been called.

"I inquired if this was the 'but-end of the BlackNet case,' to which SA PANDELIDES did not respond. I further inquired as to the other 'victims,' and as to whether any of them were journalists, investigators or members of other, similar professions. SA PANDELIDES responded that there were indeed 'other victims,' but that he did not have that information and that the 'case agent' had that information.

[Not described to anyone, my AOL account at that time was charged monthly to a credit card issued by the USAA insurance company, which also provided my long-distance telephone carrier, U.S. Sprint, with "bonus points." My AOL WSMfiles account 'profile' does NOT contain any identifying data whatsoever. This obviously is how my new telephone number received a "WSM Files" social engineering phone call.]

"At 1:30 PM on 24 OCT 2000, I was contacted by a source formerly with No Such Agency, who informed me what he had been told by a former colleague now working at NASA. This source confirmed that the 'BlackNet' was the subject of a 'very large scale investigation.' The source further advised that this investigation was 'multi-agency,' involving NSA, NASA, FBI and other agencies not further specified. The source confirmed that this investigation commenced in 1998 and is 'still very current.' The members of this 'BLACKNET' are 'someone to be afraid of, very afraid.'

"The source added that this investigation is a 'very sensitive, close hold' case and it should not be disclosed to 'the media.' I informed the source that it was a little bit late considering the alleged nature and background of the actual 'WSM Files' AOL account holder circa 1998-1999.

"Another source, a frequent web browser and chat room participant, described for me on 24 OCT 2000 some of his own interesting troubles with his daughter's AOL account approximately one year ago."


The above listed “AOL” source further described how he had an AOL account “for my kids. One day my daughter calls upstairs and says ‘will you please get off Dad.’ I was not on any AOL account; I never used it. So I instant messaged (IM) the account and asked ‘who are you?’ And the person wrote back that it was ‘none of your business.’ I asked ‘why are you on here,’ to which he responded ‘because I can.’ Then he wrote ‘try and stop me if you can’.”

“In the meantime,” this AOL source continued, “I had gotten AOL on the phone while I still had this intruder on the account. They told me they could see the intruder, but they refused to identify him. Subsequently, some people at my office told me that they never tried to contact me at home anymore because ‘you’re always on there’.” This AOL source checked with an online contact by the screen name of “WEDGE,” whose identity is known to another source of mine. WEDGE told the AOL source that his computer and his accounts were “completely owned,” and that he should change everything, which the AOL source subsequently did.[7]

There must be hundreds, if not thousands, of other such cyber-theft victims. I will later check out the no doubt many anti-AOL web sites and chat rooms.

It does clearly appear that AOL has a rather significant cyber-security problem. According to the Washington Post, AOL has had its customer database data stolen on at least one RECENT occasion. "This [Microsoft break-in] is the second computer break-in at a major technology company that has been publicized in RECENT months. In JUNE [2000], hackers using a similar METHOD [Trojan Horse e-mail] broke in to the BILLING SYSTEMS of the world's largest on-ramp to the information superhighway, Dulles-based AMERICA ONLINE INC., and pilfered names, addresses and other personal information."[8]

The two FBI special agents who visited my home in Arlington apparently did not properly identify themselves to at least one of my neighbors. I was informed by my next door neighbor that TWO young men in "suits" identified themselves as "FBI agents" and displayed "IDs on chains hanging around their necks," NOT their formal wallet-style credentials. They informed my neighbor that "William Malone might be able to help us on a case." These two "FBI agents" also stated that they had "spoken to a neighbor across the street." After they left the first neighbor's home, "they went down and picked up a ticket off your car window, looked at it, and then put it back. [As observed by my neighbor], they then went back on your front porch and banged on the door again."[9] (A canvass of immediate neighbors by me turned up no others who had talked to these agents.)

There was indeed a traffic citation on the windshield of my 1989 Jeep Grand Wagoneer for an expired inspection rejection sticker. Upon being informed of this fact, I retrieved the ticket (which had indeed been moved since I had previously placed it to cover up the above mentioned rejection sticker). I carefully placed this citation into a plastic baggie, for later possible fingerprint identification should these two "agents" later have turned out not to have been bona fide Federal agents. It is apparently a federal felony to falsely pose as a federal agent.

When I informed a former federal law enforcement officer with the CIA's Office of Security and the Naval Investigative Service, and a recently retired Supervisory Special Agent (SSA) with the FBI, of the above statements from my neighbor, they advised the author on 9 OCT 2000 that these agents had not exercised proper federal investigative procedure and may, in fact, NOT be bona fide federal agents.[10]

On 10 OCT 2000, I telephonically contacted the "Duty Officer for the week of October 10th" of the FBI's WFO (202-228-2000) and inquired if the WFO was looking for my assistance, if not my presence. The duty officer advised that she could not say “one way or the other.” When further advised of the situation with the neck “IDs” and the lack of business cards, the duty officer stated that the proper procedure was to file a complaint, which I did then and there telephonically.

I subsequently ascertained the name of the Assistant Special Agent in Charge (ASAC) of the WFO for "Administration--SHUBERT," along with the WFO's mailing address. On 16 OCT 2000, about the same time I received a voice message from SA PANDELIDES, I also received a voice message from a “Melissa MALOROW (PH) of the FBI” (Tel.703-762-3152). She did not return my voice mail message of the same date (after I had actually spoken to SA PANDELIDES and set up an appointment).

On 26 OCT 2000 (11:15 am), I spoke with SA PANDELIDES for a third time. He stated that he had “already conveyed your previous info” to “him,” the “case agent.” SA PANDELIDES stated that perhaps I should “file a complaint about the cyber-theft” I had experienced. When I reminded him that the real WSM-Files had been an investigative reporter for twenty-five years (I had already provided him with my resume), SA PANDELIDES advised that “you’re free to write whatever you want.”[11]

It should also be noted that at NO TIME during their interview with me or during two subsequent telephone conversations, did the two FBI special agents advise me to change my AOL account name or password.[12]



[1] WSM-Memorandum, 10/17/00.

[2] Confidential Source Interview, 10/10/00.

[3] John T. Curran, FBI Business Card; Steven J. Pandelides, FBI Business Card; both received 10/17/00.

[4] WSM-Interview with SAs Steven J. Pandelides and John T. Curran, 10/17/00.

[5] Richard Power, Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace, Que-Macmillan, 2000, pp. 300-301.

[6] WSM-Draft Memorandum, 10/25/00.

[7] AOL Source Interview, 10/24/00.

[8] Ariana Eunjung Cha and Carrie Johnson, Washington Post, 10/28/00.

[9] Sue Cornwell, 728 N. Cleveland St. (Home Tel. 703-528-2279), Interviews, 10/7/00; 10/17/00.

[10] DPF & WTR Interviews, 10/9/00.

[11] FBI-WSM Telcon, 10/26/00.

[12] FBI-WSM Interview, 10/17/00; FBI-WSM Telcons, 10/23/00, 10/26/00. (Nor did I ask if I should.)


Member Contribution - "Brightnets"