The Washington Post reports that the US Deputy Defense Secretary has publicly acknowledged what is being described as the most significant breach of U.S. military computers.
The cause was a flash drive inserted into a U.S. military laptop in the Middle East in 2008.
And the consequence was that the malicious code, which had been placed on the drive by a foreign intelligence agency, uploaded itself onto the network run by the U.S. military’s Central Command. Apparently, the code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.
This disclosure was apparently part of a deliberate strategy to raise the awareness of the US Congress and the American people of the cyber-threat being faced by the USA. Apparently, the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily. The US Government’s concern is that cyberwar is asymmetric and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.
The problems faced by the Pentagon are no doubt faced – on a smaller scale – by the UK Ministry of Defence and the British armed services. I do not, however, detect a similar openness about the threat by the UK’s Coalition Government – perhaps because the strategy to address the problem is nothing like as well-developed as it should be.
I’ve commented before on the market that has developed for hackers and malware writers to sell on their “products” to other criminals – even promoting their activities via Twitter.
This concern has now been repeated by the Canadian Criminal Intelligence Service in its 25th Annual Report on Organised Crime. According to the Montreal Gazette:
“The report, released Friday, focuses on securities fraud, and states the size and complexity of schemes help conceal criminal activity, generate ample profits and facilitate tax evasion.
It said social-networking websites are allowing criminals to efficiently and anonymously issue fake news releases and promotional material to potential victims.
Aside from the use of Facebook and Twitter, criminal organizations are taking advantage of the hacker-for-hire black market, it said.
The report offered few further details. However, it did say that because of the availability of these services, fraudsters don’t need to acquire the necessary technical expertise to hijack computer accounts on their own.”
Thanks to my good friends at Team Cymru, I have been keeping up-to-date on current developments on cyber security while I have been away.
Two items, in particular, caught my eye.
The first was that India is now developing its own army of software professionals to hack computer systems of hostile nations.
The second was about the vulnerability of major companies to “spoofing” – plausible-sounding cold callers seeking information over the telephone AND being provided with enough material to assist hackers to penetrate information systems. Apparently, at the recent DefCon conference in Las Vegas there was a “social engineering” contest challenging hackers to call workers at 10 companies including Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers. According to an article in The Age, one employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.
The article continued:
‘“You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” said Mati Aharoni of Offensive Security, a company that tests company computer defences.
“It is much easier to use social engineering techniques to get to the same place.”
Other companies targeted were Pepsi, Coca-Cola, Shell, BP, Ford, and Procter & Gamble.
The contest, which continued Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.
“We didn’t want anyone fired or feeling bad at the end of the day,” Aharoni said. “We wanted to show that social engineering is a legitimate attack vector.”
A saying that long ago made it onto t-shirts at the annual DefCon event is “There is no patch for human stupidity.”
“Companies don’t think their people will fall for something as simple as someone calling and just asking a few questions,” Hadnagy said.
“It doesn’t require a very technical level of attacker,” Aharoni added. “It requires someone with an ability to schmooze well.”
One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.
The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.
“As humans, we naturally want to help other people,” Hadnagy said. “I’m not advocating not helping people. Just think about what you say before you say it.”’
I suspect most organisations and businesses in the UK would be vulnerable to this sort of approach …..
I have already explained that I really don’t mind.
However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:
The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.
So I’m not asking you to do it, but I really won’t mind if you do……
According to a German News Service, a man from the Rhineland has been arrested for spying on more than 150 girls in their bedrooms by hacking into their computers and using their webcams to watch them, provoking warnings that others will be doing the same thing.
Apparently, Thomas Floß, from the association of data protection advisors, discovered the case. He often visits schools to talk with children about data protection and sensible behaviour on the internet and gives a presentation including a video showing how children can be spied on via their webcam.
“I want to show how dangerous webcams are,” he said. “I became suspicious when from February, increasing numbers of girls expressed the suspicion this was happening to them.”
According to the report:
“Two girls told him the little lights on their webcams were not going out when they had finished using them. On examining one of the computers Floß discovered a so-called Trojan computer program which was being used to control the equipment, and which had been spread via the chat service ICQ.
The hacker had allegedly broken into the chat service account of one schoolgirl, and used it to choose which others he wanted to spy upon, and send the Trojan to their computers.
He was traced to the Aachen region and arrested – when police officers arrived at his home they found several live feeds to bedroom cameras running on his computer.
Floß said he believed many more people were doing the same thing. “I have visited 50 to 60 schools, and every time at least one schoolgirl tells me they have such a problem [with webcams not switching off],” he said.”
Apparently, last weekend the Vatican was subjected to a cyber attack from an unknown source. According to the Rome-based Zenit News Agency, the attack meant that anyone typing Vatican into Google was directed to the site “www.pedofilo.com” as the first suggestion, rather than the proper Vatican Web page. According to the Agency:
“When this misdirection was discovered, Google was informed, said Jesuit Father Federico Lombardi, director of the Vatican press office.
The Internet organization immediately apologized and assured the Holy See that it would do what it could to resolve the problem as soon as possible.
On Sunday morning the problem seemed to be corrected, as users were once again directed to the proper Vatican Web page upon initiating a search for it.
Although the person who caused this problem has not been found, the indications suggested that the operation may have been carried out by someone who had significant knowledge of how Google functions.”
Heavens! Is nothing sacred?
I have just had a meeting with a senior civil servant in his office in one of the more security-conscious parts of the Whitehall diaspora. I couldn’t help noticing the four separate screens on his desk. When I asked, he explained that one screen allowed him to access public material, one monitor was linked to a computer system that was authorised to handle material up to a RESTRICTED classification, another to a system that could handle CONFIDENTIAL material, and the fourth – you guessed it – was for SECRET items.
I was suitably impressed.
I am not looking for any recognition, as you know these things don’t matter to me at all and I am profoundly disinterested in where this blog comes in the annual Total Politics ranking of political blogs, so I really am not asking for you to vote for me or my blog ……..
but ……..
should you be so inclined (and I repeat I really, really don’t mind one way or the other), this is what you have to do:
The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.
So I’m not asking you to do it, but I really won’t mind if you do……
The New York Times reports that an English-language manual on “How to be a Terrorist” has been produced by the propaganda arm of Al Qaeda in the Arabian Peninsula. The manual in magazine format includes instructions on how to “make a bomb in the kitchen of your mom,” an article on “Mujahedeen 101” and a lesson in sending and receiving encrypted messages.
Apparently, the publication, which was circulating on the internet earlier this week, was only three pages long. The reason? Some sort of virus seemed to have corrupted the remaining 64 pages.
And the New York Times speculates that this:
“could have been the work of hackers, possibly working for the United States government.”
Interesting, if true.