
Tag: Nato

“We all love the Tomahawk:” a brief history of US’s favorite...

Since 1983, TLAM has been the DOD’s favorite way to reach out and touch someone.

Cyberattacks threaten democracy itself, warns NATO

Society is at risk from hackers attempting to interfere in elections, argues NATO's Jamie Shea.

These hackers set a ‘trap’ for security researchers probing their malware

Malicious Word document with 'Russian doll' technique targets NATO countries.

NATO Members Targeted by Unique Macro Malware

Researchers say NATO members were targeted over the holidays by macro malware that used an advanced workflow and was able to avoid analysis.

More, cheaper, bigger, faster: The defense and cyber strategy of Donald...

[Image caption: Where's the defense and cyber-weapon procurement budget going, Mr. President-elect? Getty Images | Joe Raedle]

Since Election Day, President-elect Donald Trump has taken an inordinate interest in some of the minutiae of defense policy. His tweets (particularly about the F-35 Joint Strike Fighter and the Air Force One presidential aircraft replacement program) have sent shockwaves through the defense industry. The same is true of the cyber realm—particularly in his treatment of the intelligence community that currently dominates the US' cyber-defense capabilities.

The one thing that is certain is that Trump wants more muscle in both departments, urging an increase in the number of troops, ships, planes, and weapons deployed by the Department of Defense; the end of defense budget sequestration; and an expansion of the US nuclear and ballistic missile defense arsenal. And he has also pledged a new focus on offensive "cyber" capabilities, as outlined by his campaign, "to deter attacks by both state and non-state actors and, if necessary, to respond appropriately."

That sort of aggressive posture is not a surprise. But the policies that will drive the use of those physical and digital forces are still a bit murky. Considering the position Trump has taken regarding the North Atlantic Treaty Organization (NATO) and his attitudes toward Russia, Trump's statements may hint at a desire for a Fortress America—armed to the teeth and going it alone in every domain of conflict.

Saddle up

While not quite on a Reagan-esque scale, the Trump surge would (based on his statements) bring forces back above their active size during the wars in Afghanistan and Iraq (though less than during the 2007 "surge" period of the Iraq War). Trump declared that he'll add about 60,000 more active duty soldiers to the Army, increase the Navy's fleet to 350 ships, increase the Marine Corps' strength by over a dozen battalions (roughly 12,000 Marines), and "provide the Air Force with the 12,000 fighters they need."

On the strategic front, Trump has tweeted that he wants to expand and improve the US military's nuclear capabilities, modernizing and increasing weapons to improve their deterrent value. The modernization effort had already been queued up by President Barack Obama's administration, including the new Long Range Strike Bomber program awarded to Northrop Grumman. But those investments have been at the expense of other military (particularly Air Force) programs.

Trump has also proposed investment in a "serious missile defense system" based on updating the Navy's Ticonderoga-class guided missile cruisers' Aegis systems and building more Arleigh Burke-class guided missile destroyers. The ballistic missile defense version of Aegis and the Standard Missile 3 (RIM-161) missile it controls are currently only capable of intercepting short- and intermediate-range ballistic missiles, not intercontinental ballistic missiles; to have a chance at taking down a US-targeted threat from North Korea, for example, they would have to be very close to the launch site and hit it early in its launch (the boost phase).

How will Trump pay for all this hardware? By "conducting a full audit of the Pentagon, eliminating incorrect payments, reducing duplicative bureaucracy, collecting unpaid taxes, and ending unwanted and unauthorized federal programs," whatever those might be. There's certainly some room in the budget to be gained through increased administrative efficiency, as a Defense Business Board report found that the DOD could save as much as $125 billion in overhead (though that number may have been slightly inflated, as it was based on corporate, and not military, business models).

Cyber up

On the cyber side, it appears Trump wants to put the military on point for cyber defense. The campaign platform pushed for the DOD to place a new emphasis on offensive capabilities, including making enhancements to the US Cyber Command—currently led by NSA Director Admiral Mike Rogers—to increase its offensive punch and turn it into an effective cyber-deterrence force.

“As a deterrent against attacks on our critical resources, the United States must possess the unquestioned capacity to launch crippling cyber counter-attacks,” Trump said in a speech in October.

Just exactly how that would work isn't clear. Given the difficulty of attribution—a point Trump made repeatedly in his castigation of intelligence findings of Russian interference in the election—the kind of very attributable cyber force that US Cyber Command would wield as part of the Strategic Command would likely not act as much of a deterrent to low-level intrusions, espionage, and information operations. Yet those make up the majority of what has recently been dumped into the "cyberwarfare" shopping cart.

Trump's policy outline also calls for the Joint Chiefs of Staff to participate in Trump's vaunted "Cyber Review Team," contributing experts to evaluate "all US cyber defenses"—including critical infrastructure in the private sector—alongside law enforcement and experts from private industry. The Cyber Review Team, which may or may not have anything to do with the group being headed by former New York City Mayor Rudy Giuliani, has a big mandate:

The Cyber Review Team will provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats and will follow up regularly at various federal agencies and departments. The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on evolving methods of cyber-attack.

On the domestic end, the Trump administration would seek to take the same model that has been applied to terrorism to the cyber side, creating joint task forces that put Department of Justice, FBI, and Department of Homeland Security personnel alongside state and local law enforcement to respond to "cyber threats."

Nothing Trump or his proxies have said indicates any policy around shaping what "norms" in the world connecting the digital to the physical should be. If anything, Trump's position seems to be that a cyber-armed world is a polite world—or at least one that will be polite to the United States, the only confirmed state cyberwar actor to hit another nation's infrastructure (aside from squirrels).

The eyes have it

It will take some time to see how Trump's indifference toward the US' obligations toward allies will affect overall defense and cyber-security policy. But if reports are true regarding US intelligence officials warning allies of Trump's Russia ties and if Trump goes forward with weakening the US involvement in NATO, his views could significantly affect both—especially in the realm of digital intelligence collection. A weakened relationship with the other members of the "Five Eyes" group—the UK, Australia, New Zealand, and Canada—on a military level could impact the National Security Agency's (and the CIA's) ability to collect intelligence from infrastructure that has up until now been widely shared.

Only one thing is for certain: the defense industry should be expecting an aircraft carrier full of dollars headed in their direction.

French spies warn politicians of hack risk as election draws near

Authorities uneasy in wake of alleged Russian interference in US presidential race

French authorities are warning political parties about the increased threat of cyber attacks as the country prepares to elect a new president in May. Last year's US presidential election was marred by cyber attacks and leaks. US intel agencies blame Russia for the hack [1] and subsequent leak of sensitive emails and other information from the Democratic National Committee (DNC).

French authorities fear the possibility of similar interference. The National Agency for the Security of Information Systems (L'Agence nationale de la sécurité des systèmes d'information or ANSSI) director Guillaume Poupard told FRANCE 24: "We're clearly not up against people who are throwing punches just to see what happens.

"There's a real strategy that includes cyber [attacks], interference and leaked information...

"These are people whom we're obviously following closely.

"Even if we can't be sure that they're the same, they're attackers who regularly come knocking on our ministers' doors.

"Political parties and campaign staff are particularly vulnerable to hackers with tactics likely to include spear phishing and website attacks.

"Fundamentally, political parties, like small and medium-size businesses... are not equipped to deal with the situation alone."

A spokesman for independent candidate and former economy minister Emmanuel Macron's political movement, En Marche, admitted that an attack on its website in October took "at least one full night of work to repair". ANSSI is teaching political parties how to protect themselves as well as referring them to a list of pre-approved companies for additional advice.

Ilia Kolochenko, chief exec of web security firm High-Tech Bridge, commented: "Cybersecurity awareness, additional security assessment and hardening of the critical national infrastructure is definitely a good move.

"We should all be aware of the risks associated with modern technologies, such as e-voting and mobile voting, especially the risks related to such an important process as a presidential election."

Bootnote

[1] New research on APT28 – the Russian state-sponsored hacking crew blamed for the DNC hack as well as previous assaults on NATO, TV5Monde, World Anti-Doping Agency among others – was published by FireEye last week.

APT28 (AKA Fancy Bear) is suspected by other security firms to be a unit of the Russian military intelligence agency, the GRU.

Did the Russians “hack” the election? A look at the established...

[Image caption: Trump denies there's any truth to intelligence community claims of Russian interference in the election, claiming it could have been anyone. Chip Somodevilla | Getty Images]

President-elect Donald Trump continues to discount or attempt to discredit reports that the intelligence community has linked the hacking of the DNC, the Hillary Clinton presidential campaign, and related information operations with a Russian effort to prevent Clinton from winning the election—thus assuring Trump's victory. In his latest of a stream of tweets, Trump posted:

Unless you catch "hackers" in the act, it is very hard to determine who was doing the hacking. Why wasn't this brought up before election? — Donald J. Trump (@realDonaldTrump) December 12, 2016

The hacking was brought up well before the election. And it was monitored as it was happening—by the intelligence and law enforcement communities and by private information security firms.

"CrowdStrike's Falcon endpoint technology did catch the adversaries in the act," said Dmitri Alperovitch, chief technology officer of CrowdStrike. "When the DNC brought us in to conduct an investigation in May 2016, we deployed this technology on every system within DNC's corporate network and were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network."

Much of the evidence from CrowdStrike and other security researchers has been public since June and July. But while the hackers may have been caught in the act digitally, the details by themselves don't offer definitive proof of the identity of those behind the anti-Clinton hacking campaign. Public details currently don't offer clear insight into the specific intent behind these hacks, either. What is indisputable, however, is the existence of genuine hacking evidence. And this information certainly does provide enough to give the reported intelligence community findings some context.

The evidence

The FBI warned the DNC of a potential ongoing breach of their network in November of 2015. But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April. This campaign was linked to a "threat group" (designated variously as APT28, Sofacy, Strontium, Pawn Storm, and Fancy Bear) that had previously been tied to spear-phishing attacks on military, government, and non-governmental organizations.

"[SecureWorks] researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government," the report from SecureWorks concluded.

The DNC's information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn't bring in outside help until May. This is when CrowdStrike's incident response team was brought in. CrowdStrike identified two separate ongoing breaches, as detailed in a June 15, 2016 blog post by CrowdStrike CTO Dmitri Alperovitch. The findings were based both on malware samples found and a monitoring of the breach while it was in progress.

One of those attacks, based on the malware and command and control traffic, was attributed to Fancy Bear. The malware deployed by Fancy Bear was a combination of an agent disguised as a Windows driver file (named twain_64.dll) in combination with a network tunneling tool that allowed remote control connections.

The other breach, which may have been the breach hinted at by the FBI, was a long-running intrusion by a group previously identified as APT29, also known as The Dukes or Cozy Bear. Cozy Bear ran SeaDaddy (also known as SeaDuke, a backdoor developed in Python and compiled as a Windows executable) as well as a one-line Windows PowerShell command that exploited Microsoft's Windows Management Instrumentation (WMI) system. The exploit allowed attackers to persist in WMI's database and execute based on a schedule. Researchers at Fidelis who were given access to malware samples from the hack confirmed that attribution.

In addition to targeting the DNC and the Clinton campaign's Google Apps accounts, the spear-phishing messages connected to the campaign discovered by SecureWorks also went after a number of personal Gmail accounts. It was later discovered that the campaign had compromised the Gmail accounts of Clinton campaign chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House. Many of those e-mails ended up on DC Leaks. The WikiLeaks posting of the Podesta e-mails includes an e-mail containing the link used to deliver the malware.

After CrowdStrike and the DNC revealed the hacks and attributed them to Russian intelligence-connected groups, some of the files taken from the DNC were posted on a website by someone using the name Guccifer 2.0. While the individual claimed to be Romanian, documents in the initial dump from the DNC by Guccifer 2.0 were found to have been edited using a Russian-language version of Word and by someone using a computer named for Felix Dzerzhinsky, founder of the Soviet secret police. (The documents are linked in this article by Ars' Dan Goodin.)

In addition to publishing on his or her own WordPress site, Guccifer used the DC Leaks site to provide an early look at new documents to The Smoking Gun using administrative access. The Smoking Gun contacted one of the victims of the breach and confirmed he had been targeted using the same spear-phishing attack used against Podesta.

The DC Leaks site also contains a small number of e-mails from state Republican party operatives. Thus far, no national GOP e-mails have been released. (The New York Times reports that intelligence officials claim the Republican National Committee was also penetrated by attackers, but its e-mails were never published.)

Attribution and motive

There are several factors used to attribute these hacks to someone working on behalf of Russian intelligence. In the case of Fancy Bear, attribution is based on details from a number of assessments by security researchers. These include:

- Focus of purpose. The methods and malware families used in these campaigns are specifically built for espionage.
- The targets. A list of previous targets of Fancy Bear malware includes:
  - Individuals in Russia and the former Soviet states who may be of intelligence interest
  - Current and former members of NATO states' government and military
  - Western defense contractors and suppliers
  - Journalists and authors
  Fancy Bear malware was also used in the spear-phishing attack on the International Olympic Committee to gain access to the World Anti-Doping Agency's systems. This allowed the group to discredit athletes after many Russian athletes were banned from this year's Summer Games.
- Long-term investment. The code in malware and tools is regularly and professionally updated and maintained—while maintaining a platform approach. The investment suggests an operation funded to provide long-term data espionage and information warfare capabilities.
- Language and location. Artifacts in the code indicate it was written by Russian speakers in the same time zone as Moscow and St. Petersburg, according to a FireEye report.

These don't necessarily point to Fancy Bear being directly operated by Russian intelligence. Other information operations out of Russia (including the "troll factory" operated out of St. Petersburg to spread disinformation and intimidate people) have had tenuous connections to the government.

Scott DePasquale and Michael Daly of the Atlantic Council suggested in an October Politico article that the DNC hack and other information operations surrounding the US presidential campaign may have been the work of "cyber mercenaries"—in essence, outsourcing outfits working as contractors for Russian intelligence. There is also an extremely remote possibility that all of this has been some sort of "false flag" operation by someone else with extremely deep pockets and a political agenda. WikiLeaks' Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails. That may well be true, and it can still be true even if the Russian government had a hand in directing or funding the operation. But that is all speculation—the only way that the full scope of Russia's involvement in the hacking campaign and other aspects of the information campaign against Clinton (and for Trump) will be known is if the Obama administration publishes conclusive evidence in a form that can be independently analyzed.

Flash Exploit Found in Seven Exploit Kits

A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future. The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide.

APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was singled out by Microsoft for using separate Flash and Windows zero days in targeted attacks this year. The Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks.

Despite the improvements in Flash security, attackers still take a shine to these exploits. Recorded Future’s report “New Kit, Same Player” says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year’s top 10 vulnerabilities were present in a similar analysis done last year. Exploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear.

Angler in particular was popular with criminals; it was updated frequently and sold in a number of underground forums.

The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab confirmed the connection between the Lurk gang and Angler distribution in an August report. Nonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware.
Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim’s browser to the exploit kit’s landing page.

Code on the page determines the browser being used and launches the exploit most likely to hit paydirt. CVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunger.
It, by far, had the highest penetration into exploit kits, according to Recorded Future. But since Angler’s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits.
Sundown’s payload, however, differs in that it drops banking Trojans on users’ machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks. Sundown also contained CVE-2016-0189, an Internet Explorer bug used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but already it had been used by Neutrino as well.

The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times.

CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three.

CVE-2016-4117 was used by the ScarCruft APT group, Kaspersky Lab researchers said in June, in watering hole attacks.

Sharing Threat Intel: Easier Said Than Done

For cyber intelligence sharing to work, organizations need two things: to trust each other and better processes to collect, exchange and act on information quickly.

As cyberthreats become more sophisticated and expand to the Cloud and the Internet of Things, the sharing of meaningful threat intel between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network. What did we learn? For one thing, these partnerships demonstrate the importance of global threat intelligence research and analytics that security vendors can offer in dealing with cyberthreats.

In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups. It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of info sharing, even among classified, trusted networks. One of the major barriers to information sharing is the perception of liability. In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture. But for organizations that don’t share, half pointed to “potential liability” as the principal reason for holding back.

To get beyond these obstacles, two things must be in place: trust between organizations and a process to receive and implement threat intelligence information quickly.

Trust but Verify

Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with whom they are sharing, or the process being used to collect, process and exchange such information. Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII.

Here are a few tips for developing trusted relationships:

- Start with folks you know in your industry. Ask them their thoughts about threat sharing.
- Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center). These are groups focused on sharing threat intelligence relevant to that vertical that have established protocols and procedures best suited for an industry’s needs. Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data. For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer.
- Meet people in person. Trust is a slow process and few things work better than meeting with peers over dinner or drinks to establish a rapport. There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together.

As Ronald Reagan famously said, “Trust, but verify.” Sharing and receiving critical security information requires constant monitoring. Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship.

Rapid Processing

A common critique of many information-sharing services is that they are slow and unreliable. For sharing to work, organizations need to be able to receive, process and implement threat intelligence information quickly. They also need to ensure that any threat intelligence they share is immediately useful. Actionable information is the best way to move from being reactive to proactive. It allows organizations to move from simply stopping attacks to actually catching cybercriminals.

Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it. While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly, or share timely and actionable information.

Ideally, the consumption, processing and correlation of threat intelligence is automated. Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members. Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on.

Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, characteristics of network design should be considered that will securely facilitate the receiving and sharing of threat intelligence. Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to automate as much of the process as possible — including time-sensitive activities such as sharing, consuming, hand-correlating intelligence, and distributing updated policies.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...

Hack us and you’re basically attacking America, says UK defence sec

And we'll attack you back, promises Defence Secretary

Britain is splurging £265m on military cyber security – and that includes offensive capabilities, according to Defence Secretary Sir Michael Fallon.

Speaking at the Royal United Services Institute yesterday, Sir Michael said the investment into the Cyber Vulnerability Investigations programme would “help us protect against these threats”.

“The average cost of the most severe online security breaches for bigger companies starts at almost £1.5m, up £600,000 from 2014,” said Sir Michael, adding: “It’s only a matter of time before we have to deal with a major attack on UK interests.”

So far Britain has managed to avoid the sort of targeted large-scale hacks that have seen big US tech companies such as Yahoo! see 500 million user accounts compromised, or the Target hack which saw millions of credit card and debit card details as well as names and addresses leaked into the hands of cyber-criminals.

It seems, from Sir Michael's speech, that Blighty is gearing up to proactively attack any cyber-villains with designs on British internet infrastructure.

Lauding various government security initiatives, including the National Cyber Security Centre in Victoria, London, the Defence Secretary said: “This cannot just be about our defence. It must be about our offence too. It is important that our adversaries know there is a price to pay if they use cyber weapons against us, and that we have the capability to project power in cyberspace as elsewhere.”

Given that most large-scale hacks tend to be backed by states such as China and Russia, it seems that Sir Michael's speech is a public shot across their bows, warning them not to target Blighty – while simultaneously urging NATO to treat the Article 5 collective defence provisions as applying to cyberspace.

Originally, Article 5 of the Washington Treaty, which founded NATO, was intended to ensure that any westward expansion of the Soviet Union would trigger World War Three by dragging Britain and America in, thereby keeping the Soviets and the Eastern Bloc's expansionist aims firmly under control. It is unlikely that many countries would take Article 5 seriously in the context of cyberspace, given that many NATO member states effectively ignore the treaty requirement for them to spend two per cent of GDP on military spending.

Agents of influence: How reporters have been “weaponized” by leaks

EnlargeGeorge Hodan reader comments 166 Share this story Since June, some entity has been releasing e-mails and electronic documents obtained via network intrusions and credential thefts of politicians and political party employees. Some of the releases have appeared on sites believed to be associated with Russian intelligence operations; others have appeared on Wikileaks. On occasion, the leaker has also engaged journalists directly, trying to have them publish information drawn from these documents—sometimes successfully, other times not. The US government has pinned at least some of the blame for these leaks on Russia. This has led some observers to argue that WikiLeaks and Russian intelligence agencies are "weaponizing" the media. This is what national security circles refer to as an "influence operation," using reporters as tools to give credibility and cover to a narrative driven by another nation-state. The argument is that by willingly accepting leaked data, journalists have (wittingly or not) aided the leaker's cause. As such, they have become an "agent of influence." The Grugq, a veteran information security researcher who has specialized in counterintelligence research and a former employee of the computer security consulting company @stake, penned an article about the topic yesterday. "The primary role for an agent of influence," he wrote, "is to add credibility to the narrative/data that the agency is attempting to get out and help influence the public." Such agents might friendly with or controlled by the agency trying to spread the information, but they can also be unwitting accomplices "sometimes called a 'useful idiot,' unaware of their role as conduits of data for an agency." The actual impact of the leaked information on the US presidential election may not matter to an influence operation. 
The intended target of the campaign being waged through the WikiLeaks dumps, Guccifer 2.0, and DCLeaks is likely a larger public—perhaps including citizens in Russia itself and the people and decision-makers of the bordering nations. As Ars previously reported, the attacks on the Democratic National Committee (DNC) and on the US political process may be tied to a Russian effort to "contain" US foreign policy efforts and undermine confidence among the citizens of eastern European NATO members. The continued dumping of documents—and the chaos it creates for the US political process—shows the world that Russia can act upon the US at a distance. Therefore, Russia can also project power much closer to home. Assuming this attribution and analysis is in some broad sense accurate, this raises a question: what's a journalist to do with these sorts of hacks and leaks? Has everyone who draws on them become an unwitting "agent of influence?" And if so, is that actually a bad thing if the leaks are newsworthy?

Ethics in information warfare journalism

Dealing with a source's motivations is not a new problem for the press. Journalists get used all the time (just as they sometimes "use" their sources; it's part of the circle of life for investigative reporting). "The decision about whether or not to publish has always been about whether or not it's in the public interest, and also, I think, about what's the motivation or intention [of the source]," Jeremy Rue, acting dean of academics for the University of California at Berkeley's Graduate School of Journalism, told Ars. "Often journalists are so eager to get information, they don't take the time to ask what the motivation is behind this source," Rue said. "I think those motivations are important to factor in. Whether or not it changes the choice to publish, I don't really want to take a specific stand on that. It's a very complex issue and it keeps coming up in newsrooms.
But I do definitely feel strongly that you should absolutely weigh all the different factors, like what are the motivations of your source." Glenn Greenwald of The Intercept has vocally disagreed with the idea that the source's intentions are material to a reporter's job, particularly in the case of publishing WikiLeaks' recent dumps. To him, if it's news, it should be reported—regardless of source and motivation. In a recent article, Greenwald wrote as much: "Some have been arguing that because these hacks were engineered by the Russian government with the goal of electing Trump or at least interfering in US elections, journalists should not aid this malevolent scheme by reporting on the material. Leaving aside the fact that there is no evidence (just unproven US government assertions) that the Russian government is behind these hacks, the motive of a source is utterly irrelevant in the decision-making process about whether to publish." While nothing in the public domain explicitly links the Russian government to the overall operation, there's at least some suggestive public evidence of Russia's involvement with Guccifer 2.0—who gave Greenwald exclusive access to some of the breach content—and with the DCLeaks "American hacktivist" site. That evidence includes both analysis by security experts of the initial Guccifer 2.0 document dump and an investigation by The Smoking Gun in August, which was triggered by Guccifer 2.0 reaching out directly to the site. For The Grugq, the way Greenwald has interacted with Guccifer 2.0 looks like a perfect example of how an influence operation works. "The Intercept was given 'exclusive' access to e-mails obtained by the entity known as Guccifer 2.0," he wrote. "The Intercept was both aware that the e-mails were from Guccifer 2.0, that Guccifer 2.0 has been attributed to Russian intelligence services, and that there is significant public evidence supporting this attribution." For a site like Wikileaks, the questions extend further.
Assuming that it's right to publish material regardless of the source's motivations, how much of that material is fair game? The Investigative Reporter's Handbook frames the decision this way: "When exposing private behaviors of public figures a reporter must make sure there is a need for the public to know this information. If there is not, then a reporter should not report on it. If the behavior does not affect the figure's public performance, then there is no need to report on it." Naomi Klein, speaking on Glenn Greenwald's podcast this week, said something similar when talking about WikiLeaks: "They're very clearly looking for maximum media attention and you can tell that just by looking at the WikiLeaks Twitter feed and at how they are timing it right before the debates... These leaks are not, in my opinion, in the same category as the Pentagon Papers or previous WikiLeaks releases like the trade documents they continue to leak, which I am tremendously grateful for, because those are government documents that we have a right to, that are central to democracy. There are many things in that category. But personal e-mails—and there's all kinds of personal stuff in these e-mails—this sort of indiscriminate dump is precisely what Snowden was trying to protect us from." For Wikileaks, of course, it's all fair game in the name of radical transparency.

Between Scylla and Charybdis

While there were certainly influence operations in the pre-Internet era, data breaches and digital media (including social media) have made them more accessible even to non-state actors. The "Climategate" incident, in which a collection of e-mails from the Climate Research Unit at the University of East Anglia was leaked in an attempt to sow doubt about scientists' consensus on climate change, is an example of selective publication of information to create controversy and political ammunition.
So is the recent "Panama Papers" leak (which the Russian government has suggested was a US information operation). But if the DNC leaks and the wave of other breaches of political figures' e-mails have been an influence operation, they have operated at a much larger scale with much broader ambitions. There's enough to be concerned about ethically when it comes to accurate leaked data being provided by someone running an intentional influence campaign. But things get more complicated when false information is introduced into leaks. While WikiLeaks claims "a 100 percent accuracy rate" for its leaked documents, materials provided by Guccifer 2.0 showed signs of alteration. The entity behind Guccifer 2.0 claimed that one document was a file classified Secret and taken from the computer Hillary Clinton used at the State Department. But the document, which was actually an Obama transition team memorandum from before Clinton was even a nominee for Secretary of State, had been modified to include "Secret" in the document's header. This is the sort of thing that Jack Goldsmith, a former Department of Justice official, warned about at a recent seminar at Yale University. "Theft and publication of truthful information is small beans—what about theft and publication of faked information, which is hard to verify, or tampering with the vote itself?" Goldsmith said. "That could have huge consequences, the number of actors who could do this are many, and our ability to defend against it is uncertain." That places journalists trying to use the documents from these dumps in a very tight spot, trying to both determine the veracity of content they've obtained and decide its newsworthiness. Yes, journalists have been used for propaganda purposes before. Journalists are used by politicians and government agencies every day to put out information to shape perception. 
Wikileaks' dumps of the Podesta e-mails and other Democratic Party documents show among other things how journalists both use and are used by their sources, ingratiating themselves to get access. But this is the first time a foreign government's agent has used the combination of network infiltration, data theft, and public leaking of that data to the press and the world to affect another country's election—and the perception of that other country's election in areas of the world. Scott E. DePasquale, Senior Fellow at the Atlantic Council's Brent Scowcroft Center for International Security and Chairman & CEO of Utilidata, suggests that Wikileaks' decisions have made it a classic agent of influence. "We can divorce ourselves from whether Russia has actually paid the bills [for WikiLeaks] with no questions and no doubts that Assange knows he is doing benefit to Russia," he said. "Whether we get down to if they're on the Russian payroll, is it a deeply covert intelligence operation or something like that—all of that aside, because I think those are impossible questions to answer and even shed light on in an unclassified domain—it is without a doubt that Assange knows what he is doing is benefiting Russia. Whether he's doing it out of spite for the US as a political activist, or he is using the Russians... whatever the modality is, he knows very well that his interest and Putin's interest are deeply aligned. And that's deeply troubling for us at the end of the day." The worries don't even end with the first reporters to hit publish. Questions linger even for more traditional journalists who use only small bits of the most newsworthy leaked material. "There's the complicitness of serving this role of disseminating news for a state actor like Russia," said Rue. "I think that is a factor that should be part of the equation of whether or not to decide to publish something." 
A reporter or news organization may still decide that it's worth it to run with the material even if they believe that it's been provided by Russia "trying to embarrass the Clinton campaign," Rue acknowledged. But "you have to consider that as part of the equation to publish." The ethical decisions journalists now make about how they interact with that data are much more complicated as a result. And because of the impact of this particular influence operation, this approach may well become the norm—with more countries seeking to expose each other's secrets using journalists as their proxies.

US DNC hackers blew through SIX zero-day vulns last year alone

Most targets were individuals with Gmail addresses

Security researchers have shone fresh light on the allegedly Russian state-sponsored hacking crew blamed for ransacking the US Democratic National Committee's computers. Sednit – also known as APT28, Fancy Bear and Sofacy – has been operating since 2004 and attacking targets as diverse as the DNC, the German parliament, and the French TV network TV5Monde. Other targets have included high-profile figures in Eastern European politics – including Ukrainian leaders, NATO officials and Russian political dissidents. The Spetsnaz of computer hacking favor phishing attacks and zero-day exploits, according to security researchers at ESET, the Slovakian IT security company: Most of the targets uncovered by ESET's research have Gmail addresses, the majority of which belong to individuals. Individual targets included political leaders and heads of police of Ukraine, members of NATO institutions, members of Russia's People's Freedom Party, Russian political dissidents, 'Shaltay Boltai' (an anonymous Russian group known to release private emails of Russian politicians), journalists based in Eastern Europe, academics visiting Russian universities, and Chechen organizations. The group exploited no fewer than six zero-day vulnerabilities in the likes of Windows, Adobe Flash and Java last year alone, according to ESET. "A run-of-the-mill criminal gang would be unlikely to make use of quite so many previously unknown, unpatched vulnerabilities because of the significant skill, time and resources required to properly uncover and exploit them," it concludes. The first part of ESET's planned three-part white paper into Sednit can be found here [PDF]. ®