By now just about everyone knows that hackers from China attacked The New York Times and The Wall Street Journal. The obvious question is how they know that.

Grady Summers of Mandiant, a cyber security firm hired by the Times, appeared on PBS Newshour last night to describe how they figured out it the attack was coming from China.

"We take this issue of attribution very seriously—we don't just casually toss out a country or particular threat actor," Summers said.

He then details how Mandiant's method is like that of a real-life detective. 

Watch Summers describe the process: 

Source: PBS News Hour

Through Mandiant the New York Times figured out that the hackers from China was attempting to access the emails of a few China-based journalists. The writers had just published a piece of investigative journalism on Chinese Prime Minister Wen Jiabao.

From the Times:

The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

The Times says that through cyber espionage, the hackers were hoping to find human sources of information for the aforementioned article.

Oddly enough though, the journalists say all the information was in Chinese public records.

China's hack on the New York Times is yet another of many headlines we've seen over the past year, and emphasizes the Defense Department's push to gird America's cyber-offensive and defensive capabilities.

SEE ALSO: Chinese Hackers Could Have Disrupted The New York Times Publishing System >

SEE ALSO: Check out the Military & Defense Facebook page for updates

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

Just the words 'barcodes' or 'QR codes' inspire a certain paranoia among some people. Their uses are many, but until the Center for Land Use Interpretation (CLUI) published a recent report, not many Americans were aware of barcodes on the ground across the country.

These two-dimensional images were largely painted in the 1950s and '60s for use by the Air Force and NASA to calibrate aerial cameras.

Still used today, the images are clustered around the Mojave Desert where they were likely employed by the A12, SR-71, and U-2 spy-planes that each used highly sophisticated and powerful cameras to spy on nations across the globe.

A 21 year veteran of the USMC Flight Test center, and member of Strategic Aeronautics, sent this in to clarify the locations in the following pictures:

In your article today, the first image is Webster Field in St. Indigoes, Maryland (http://www.airnav.com/airport/KNUI)

It is an outlying field (OLF) for NAS Patuxent River used for sensors, helicopter, and UAS test & evaluation.

The panels are used to assess the spatial frequency response of sensor systems (lens, detector, and processor combination).

Much like the eye chart in the optometrist’s office, sensor systems are evaluated at various ranges and environmental conditions to determine which pattern the user can discern (similar to reading the 20/20 line or just the Big ‘E’) (Ed: Thanks, Jon)

Check out CLUI's page for greater detail on the mysterious barcodes.

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

The Chinese army appears to be conducting cyberhacking and espionage against large U.S. corporations, according to an extensive report from computer security firm Mandiant.

The report even identifies the unit and the building behind the cyberwar.

Beijing has long been suspected of espionage costing global corporations billions of dollars — such as when a hacking incident at Lockheed Martin was followed by the appearance of suspiciously familiar Chinese jets — though it was hard to find evidence.

Indeed, it makes sense that China, in its breakneck push to become a world power, would use all available technology to catch the west.

Following Mandiant's 75-page report, however, the cyberwar is all but official. 

We have distilled the alarming report and posted it below.

According to Mandiant, what China's hacking program coordinators do is seek students with outstanding English skills who are handpicked for "Advanced Persistent Threat" training (APT). The APT teams are broken down into groups and divided among locations in and around Shanghai, universities, commercial corridors, and largely innocuous places.

Wherever they go, each team is assigned a Military Unit Cover Designator (MUCD). The MUCD is a five-digit number by which the unit, its people, its location, and its work is referred to. The designation makes the teams more difficult to isolate and track.

MUCDs report all the way up to the Chinese equivalent to the Joint Chiefs of Staff, according to Mandiant. That implies this practice is part of China's overt military policy against foreign nations.

Mandiant offers an example of the type of expertise required: 

• Covert communications
• English linguistics
• Operating system internals
• Digital signal processing
• Network security

The needs are then broken down further into Profession Codes — such as 080902 for Circuits & Systems — Required Proficiencies — such as 101 for political, 201 for English, etc.

With hundreds or thousands of these teams lined up, the Chinese start phishing for passwords, according to Mandiant. The teams have refined and perfected dialogue, slang, and responses that appear nearly seamless to the colleagues they're trying to impersonate. In the beginning it all looks just like this:

Victims who click that link will download a malicious ZIP file named Internal_Discussion_Press_Release_In_Next_Week8.zip, which contains a custom APT1 backdoor called WEBC2-TABLE.

Happening on such a large scale, these attacks presumably have government support. Mandiant writes: "The sheer scale and duration of these sustained attacks leave little doubt about the enterprise scale of the organization behind this campaign."

Not surprisingly, China is denying the report.

Chinese Foreign Ministry spokesman Hong Lei told reporters on Tuesday:

"To make groundless accusations based on some rough material is neither responsible nor professional."

Mandiant says it felt compelled to expose this hack despite possibly compromising its ability to collect information. Here's why:

"The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a “what if” discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group.

It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively. The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.

We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches. At the same time, there are downsides to publishing all of this information publicly. Many of the techniques and, technologies described in this report are vastly more effective when attackers are not aware of them.

Additionally, publishing certain kinds of indicators dramatically shortens their lifespan. When Unit 61398 changes their techniques after reading this report, they will undoubtedly force us to work harder to continue tracking them with such accuracy. It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way. We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism."

Below this Mandiant APT1 Report are a couple of photos and a list of the hardest hit English-speaking industries.

Now Watch: How Syria Might Have Gotten Its Chemical Weapons

SEE ALSO: Here Is What It Takes To Join The US Marines

SEE ALSO: How Israel's Mighty Iron Dome Works

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

Chinese army hackers have systematically stolen secrets from U.S. corporations for at least seven years, according to an extensive report from cybersecurity firm Mandiant.

This aggressive action warrants a strong U.S. response. Unfortunately, America appears to have only one viable option, which could take years to pay off: diplomacy.

On Wednesday the Obama administration said as much when it announced its Strategy on Mitigating the Theft of U.S. Trade Secrets. The plan seems to be lacking teeth as it states only that the Justice Department "will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority" while talking a lot about beefing up security against incoming attacks.

Nevertheless, here are America's other options, and why they won't work.

Fines will be ineffective as long as China can deny accountability, which they have already done, calling Mandiant's report deeply flawed. China could also claim that it doesn't have control over the hackers.

"The Chinese can say we're victims too, and they probably are,"Brookings Fellow Dr. Jonathan D. Pollack told BI.

The next step would be to appeal to the U.N.

International law expert Dr. Wolff Heintschel von Heinegg told BI that the evidence that China violated America's intellectual property rights and sovereignty "is quite impressive."This could be sufficient to demand an international investigation.

"We could say, 'what we really want is access to that building in Shanghai,'" said Pollack. If U.N. inspectors were denied access the facilities, then the denial could be taken as prima facie evidence of wrongdoing.

That's when room would be cleared for more aggressive diplomatic actions, like economic sanctions. Still, with the U.S. so entangled with China economically, that course of action is clearly not a good one.

Pollack pointed out that Coca Cola was a victim of alleged Chinese hacks, but at the same time, Coke is spending billions on access and marketing to Chinese consumers.

"Do we really want a trade war with China?" Asks Dr. Martin Libicki, a senior management scientist and cyber security specialist at the Rand Corporation (who also holds a Ph.D. in economics).

"Deep down it's our economy that's under attack here," Dave Aitel, CEO of security firm Immunity, told BI. "That's the hardest part of the game."

Furthermore, America first needs to find out how much damage Chinese hackers have done before any meaningful economic action is likely to pass through Congress.

"We really haven’t figured out how much this is hurting the American public," said Libicki. "Is this a one billion dollar problem, or is this a one trillion dollar problem? If it’s a trillion dollar problem, we do different things then."

Meanwhile, physical force is not a reasonable option.

Outgoing Defense Secretary Leon Panetta said last year that the U.S. could respond with physical force to a cyberattack that causes "physical destruction and loss of life," but China has contained itself to stealing corporate secrets.

"That type of cyber event would constitute an act of war," says David B. Lacquement, a former Army general in charge of operations for U.S. Cyber Command, and currently an expert in cyber security with Science Applications International Corporation, a firm that works closely with the government, as well as private entities, on cyber security.

Libicki said initial attempts at reaching to China's military leaderswill likely be "brushed aside," and China is unlikely to stop the hackers on its own.

"We've really done nothing to address the issue with China, other than speak sternly to them," Libicki. "There's a feeling that if we actually did something, they'd take us more seriously."

"What is there left on the table to do to the Chinese? And that's probably the question that the Americans are asking themselves now," Aitel said. "They have something to point to, now what do they do with that. Hopefully they knew that they want to do, and had the report come out."

For now, corporations may have to take defense into their own hands.

Private companies and their defenses are "woefully behind the power curve" compared to state-sponsored actors, he said.

Lacquement and colleague Charles E. Beard, Jr., Chief Information Officer for SAIC, said while these companies wait for international legal action to develop, they can be boosting their own defenses.

"Clearly corporations aren't going to do offensive operations," said Beard. "If we were to take an offensive operation against state-sponsored actors, you're clearly outgunned and outmanned."

The answer, the two said, falls in line with the administration's recent executive order on information exchanges between government and private entities.

The country needs a "mechanism that allows government and commercial sharing at a very rapid rate," Beard said."Automatic blocking and neutering of the most virile threat actors out there."

And so the hacking continues and the waiting begins. Now here's the kind of email phishing scam workers should watch out for >

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

Earlier this week, Mandiant, a company hired by The New York Times to track down hackers that invaded the paper's database, unleashed a report blaming China for the invasion.

The document went on to illustrate a complex military cyber-espionage unit based in Shanghai, that had been busy scouring the networks of more than 140 companies.

While accusations continue to fly and denials resound, there are now some who believe China may actually have meant to be caught.

“They're very careful not to cover their tracks very well,” Yael Shahar, an Israeli cybersecurity expert at the International Institute for Counter-Terrorism, told the National Journal. “It's a projection of power; it's not that they're trying to hide it,” adding that it enhanced Chinese self-perceptions of “face” to leave a calling card.

In other words, the Chinese hackers may have wanted to be exposed as a public demonstration to Washington of Beijing's level of skill and infiltration. 

The Chinese government denies such claims.  

CNBC hosted one Chinese ministry spokesman who said Mandiant's claims are "unfounded accusations based on preliminary results," and that "China resolutely opposes hacking actions and has established relevant laws and regulations, and taken strict law enforcement measures to defend against online hacking activities.''

We posted the full report and the findings seem more than preliminary. What's been detailed since Tuesday's report is even more beguiling.

The Washington Post and the National Journal took time to explore how Mandiant got the break that led them to China's elite cyber-espionage ring. It seems to imply that the hackers did an intentionally "sloppy" hack job.  

First, it's important to look at how most tech-savvy Chinese military hackers discretely access social networks. The bulk of them set up a Virtual Private Network, or VPN, to get them across the "Great Firewall of China" that blocks much of the Web from general users. Basically, it's how crafty people access the World Wide Web from China.

Picture a bunch of different doors everywhere, but the footprints across the floor (those hacking via VPN) are all the same. 

When Mandiant looked around at the "doors" opening from China's network of servers they saw all the VPN footprints. But what caught their attention was a couple of users not using a VPN who were accessing Facebook and Twitter from China.

Rather than logging out of the "attack infrastructure" and into one of the VPNs, these two Chinese military hackers — "UglyGorilla" and "DOTA"— went straight from their military terminal to social media sites, and to Google.

This is strange because it means they were not not practicing basic online security. 

Accusations, denials, outrage, and indignation have been shooting back-and-forth between nations for days and there's the distinct possibility that being exposed is what Beijing had in mind all along.

 

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

There's a pretty simple way to keep your trade secrets secret from China's army of clever hackers: pause, breathe, and hover your mouse pointer over that email from a coworker.

Cybersecurity firm Mandiant has concluded that the onslaught of complicated Chinese Tactics, Techniques and Procedures to exploit systems and run your business into the ground starts with just a click — in particular, your click.

Imagine this: The names and emails of your staff, to include your executives, are either listed publicly, or accessible via the web in a matter of five diligent minutes.

Once you're targeted, and a hacker has that info, he then signs up for a dummy email account, named after your boss, your Chief Financial Officer or your fellow worker (often all three). Then you start to get emails from those dummy accounts, containing language commonly seen in the workplace.

The tactic is called "Spear Phishing," and it relies the user and reflexive clicking.

From Mandiant:

On some occasions, unsuspecting email recipients have replied to the spear phishing messages, believing they were communicating with their acquaintances. In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse email back: “It’s legit.”

The solution to this is simple: calm down, breath, and hover that mouse. Most browsers and email platforms allow users to identify the exact email of a sender.

So for example: If Henry Blodget emails me from hblodget@businessinsider.com, I'd know that from Henry's email. On the flip side, if he emails me from henry.blodget@rocketmail.com, then I shouldn't click.

Rather, I should contact Henry and ask him if he's been using a new email account.

These emails can also come from other sources, like faux PayPal (subject: "account disabled!") or credit card dummy accounts.

Within these emails is usually a harmless looking word document or excel spreadsheet which actually contains malicious code.

Once the code has penetrated the system, it becomes markedly more difficult for IT Officers to clean up the mess.

So the simplest defense begins with education of employees and personnel, not to  click reflexively on seemingly "legit" emails — first hover, verify the source — generally emails from coworkers are over company platforms. Same goes for credit card companies: they don't shoot customers sensitive account emails from platforms like @rocketfish.com.

Now this isn't a guarantee, but according to Mandiant, it'll go a long way toward guarding secrets. So be smart, be patient, and avoid the reflexive click — your business may depend on it.

SEE ALSO: New "google for spooks" mine social media at the push of a button >

SEE ALSO: Here's how the U.S. invited Iranian hackers to make attempts on big banks >

SEE ALSO: Our Military and Defense Facebook page for updates >

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

CHINESE hackers may get all the notoriety, but their cyber-security exploits against American targets are chickenfeed compared with the damage done by organised crime. This past week, a large metropolitan utility in the United States announced it had suffered a massive “distributed denial of service” (DDoS) attack, knocking out its automated online- and telephone-payment systems and forcing 155,000 customers to pay their bills in person over the ensuing 48 hours.

At its peak, the utility’s back-end computers that run its customer database were flooded with 5.7m spurious packets of data a second, bringing all legitimate transactions to a standstill. On the second day of the attack, the utility called in Prolexic Technologies. Based in Florida, Prolexic maintains “scrubbing centres” around America, Europe and Asia to suck up such malevolent deluges. The attack on the utility was identified as originating within the United States.

Make no mistake, the attackers were not pranksters bent on causing mischief. Nor was the attack a simple “smash and grab” aimed at stealing a few passwords. The kind of perpetrators involved were hardened criminals who use rented “botnets” to extort money from their victims, or to steal intellectual property, industrial secrets and marketing plans for sale to rivals at home and abroad.

This is big business now organised crime has access to automated exploit-kits and cloud-based software services that are every bit as sophisticated as (some say even more so than) those used by Fortune 500 companies. No longer do criminals need their own tame programmers. They can rent all the crimeware services they need to infiltrate a target’s computer network invisibly, and remain undetected for months or years while siphoning off secrets for sale.

How many firms pay the ransom or buy the phony “remedial solutions” to get their businesses back up and running is anyone’s guess. Various figures circulate for the cost of doing business with cyber-criminals. Symantec, a large security-software provider famous for its Norton Antivirus products, estimates that global cyber-crime costs victims $110 billion a year in remediation and lost business as well as ransom payments.

That is probably a reasonable guess (other security-software firms put the figure far higher). Shawn Henry, a former assistant director of the Federal Bureau of Investigation, told Congress recently about how one company had all its data on a ten-year, $1 billion research programme copied by hackers in a single night.

While it may make headlines, fears that attacks by the People’s Liberation Army and other Chinese hackers could wreak havoc on America’s critical infrastructure—especially, its oil and gas pipelines, electricity and water supplies, wireless networks, air-traffic control systems, even its missile defences—are overblown. The Chinese have far too much at stake to risk such provocation.

What China’s cyber-crooks are focused on plain and simple is theft. They are out to steal all the industrial secrets they can from America’s high-tech firms—especially those with advanced “fracking” technology for extracting natural gas and tight oil from shales and rocks deep underground. By all accounts, the authorities in Beijing are concerned that an energy-independent America could shift the global balance of power in a significant way.

In a sense, though, the victims of such attacks have only themselves to blame. Many organisations have a false sense of security, complacency even, as a result of having invested heavily in security tools in the past. Yet “non-agile” defences like passwords, firewalls and antivirus software, as well as intrusion-detection and prevention systems have become less than effective now attackers have started using encryption and other tricks to evade them, notes Deloitte& Touche, a management consultancy.

Most websites keep usernames and passwords in master files that are “hashed” with software which encrypts both the username and the password together, so no one can see the plain-text version of either. When someone attempts to log in, the website automatically encrypts both the username and password entered. It then determines whether the hash matches the one stored in the site’s user database. If not, a well-designed site will freeze the account after a limited number of unsuccessful attempts to gain access.

That is why most cyber-criminals go “spear-phishing” instead. This involves targeting a low-level individual in an organisation using an e-mail scam that fools the hapless individual into visiting a tainted website. Once there, a malicious tag (called an “iframe”) in the HTML code responsible for the page’s appearance is injected into the visitor’s browser. The inserted malware can be a virus, a Trojan or, most likely, a key-logger. This watches for the user’s log on and password, and reports the keystrokes back to the attackers. It is then only a short step to stealing secrets from the victim’s employer.

Having gained access to the target network, attackers usually run the standard application for accessing databases known as SQL (Structured Query Language). A query is sent to the database masquerading as an innocent request for information, but is really a malicious command designed to reveal confidential data, such as credit-card names and numbers. Literally millions of databases that reside behind websites have been compromised by SQL-injection.

But that is only the half of it. Over the past five years, web attackers have combined forces with botnet operators, who rent their armies of zombie computers to shady organisations responsible for spam, fraud and other nefarious activities. As Mary Landesman, a noted cyber-crime writer, has observed, organised crime has embraced the cloud with a vengeance, and begun delivering “malware as a service” through these powerful distributed networks of infected computers.

Meanwhile, two particularly nasty pieces of crimeware have emerged from the hacking underworld. One is an exploit kit known as Blackhole, which invisibly redirects someone visiting a legitimate website to a compromised site where malware can be loaded. Meanwhile, the victim never knows his browser has left the legitimate site. Cyber-criminals can rent access to Blackhole software by the day or lease a Blackhole server for periods of three months to a year at a time. Today, it accounts for about a third of all detected threats, says Sophos, a data-security firm based in Britain.

The other piece of crimeware to be aware of is a rootkit called ZeroAccess. Like all rootkits, ZeroAccess is capable of hiding its presence from all normal methods of detection, while maintaining privileged access to a computer’s inner workings. Because it is effectively invisible to security software, cyber-criminals use it for secretly installing other malware, including Blackhole. With its invisibility cloak, ZeroAccess lets attackers exploit a compromised network for months or even years on end.

There is no doubt that cyber-crime is on the increase. One reason is simply that the internet was conceived without any form of security in mind. Another is that social media like Facebook and Twitter have made it insanely easy to gather information about a person or a business—and thereby build persuasive scams that exploit human weaknesses to penetrate a network’s outer perimeter.

What is to be done? In a recent blog, Tyler Durden of Kaspersky Lab, a computer-security company with headquarters in Moscow and branches around the world, says that essentially it is a matter of impressing people, at a personal level, about the seriousness of the threat. “It’s not about IPs, firewalls, ports and protocols any more... Building secure perimeters and adding corporate policies and certificates is great, but [such things] are starting to become useless.”

The trouble is people use their own devices—smartphones, tablets and laptops—for corporate as well as private tasks. They also use their social-media accounts and cloud services like Dropbox to send and receive important data. As far as company policies are concerned, the computer-security situation is out of control. Today is a paradise for attackers, says Mr Durden.

The good news is that the threat of cyber-crime is being seen increasingly as a business opportunity. There are more venture start-ups in data security today than at any time in recent decades. Meanwhile, governments have begun to take the problem seriously.

As Mr Durden notes, everyone at the recent RSA 2013, the computer-security world's annual shindig, was talking about Barack Obama’s executive order—"in a good way". In his state-of-the-union address last month, the president decreed that America’s cyber-defences should be strengthened by the increasing of information sharing, and the development of standards to protect the country’s national security, its jobs and its people’s privacy. The security industry waits to learn how these fine words translate into action. So, presumably, do the cyber-criminals.

Click here to subscribe to The Economist

SEE ALSO: There's Only One Thing Stopping Enemy Nations From Smashing America's Power Grid

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

A Virginia man is accused of orchestrating at least three attempted bank robberies while posing as a federal agent named "Theo,"Tom Schoenberg of Bloomberg reports.

Prosecutors say that Joshua Brady, 26, persuaded 21-year-old Herson Torres to go into banks in Alexandria and Fairfax County, Virginia, with handwritten notes demanding money.

Torres said Brady told him he could earn $25,000 and a job with the government by taking part in “Operation Downstrike,” aimed at testing bank security.

When Torres was arrested, he told authorities about "Theo"— the man who hired him and orchestrated the robbery attempts — and showed them a so-called immunity letter on Defense Intelligence Agency letterhead that Brady had given him.

The lead detective soon began receiving calls from Theo, who claimed to work for the Central Intelligence Agency and sought Torres’s release, Schoenberg reports.

In an October jailhouse interview, Brady insisted to Schoenberg that he was an intelligence agent and was training Torres for clandestine work.

“When they pull the alarm, then you have a short time to get out of there,” he said. “You need to be able to escape, and that’s going to be stressful. If you crack under stress, then you’re useless to the agency.”

The charges— impersonating a government official and three counts of attempted bank robbery— have been dropped after Brady pled guilty to sending a forged judge’s signature to Verizon in a dispute over an unpaid mobile-phone bill.

As part of a plea deal, Brady has been sentenced to time served (7 months), three years of court supervision, and mental health treatment.

The government’s doctor diagnosed Brady with a delusional disorder while a doctor hired by Brady's lawyers diagnosed him with PTSD, paranoid schizophrenia, and schizotypal personality disorder.

“Looking back on this, I’m not sure how I could even fathom working for the CIA,” Brady said in court on Wednesday. “It seems quite silly to me I had those delusions.”

SEE ALSO: Rogue Chemist Arrested After Admitting She Faked Drug Tests

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

Amidst continued outrage over an expansive NSA surveillance program called PRISM— first reported by The Guardian and The Washington Post — Director of National Intelligence James Clapper has responded with an official "fact sheet" of what the program actually is.

"Over the last week we have seen reckless disclosures of intelligence community measures used to keep Americans safe," Clapper said in statement."In a rush to publish, media outlets have not given the full context–including the extent to which these programs are overseen by all three branches of government–to these effective tools."

Clapper went on to chide The Guardian and The Washington Post for breaking the story, saying the program is "lawful and conducted under authorities widely known ... and authorized by Congress."

Clapper continued in his statement, writing, "Not all the inaccuracies can be corrected without further revealing classified information. I have, however, declassified for release the attached details about the recent unauthorized disclosures in hope that it will help dispel some of the myths and add necessary context to what has been published."

Here are some of the most important points made in the Fact Sheet:

• The authority behind PRISM comes from Section 702 of the FISA Act, created by Congress "and has been widely known and publicly discussed since its inception in 2008."
• The U.S. government "does not unilaterally obtain information from the servers of U.S. electronic communications providers." A FISA court approval is required.
• Section 702 cannot be used to intentionally target any U.S. citizen.
• Communications collected under the program have "yielded intelligence regarding proliferation networks and have directly and significantly contributed to successful operations to impede" proliferation of WMDs and related technologies.

Join the conversation about this story »

It's hard to fathom many of the shocking claims from NSA whistleblower Edward Snowden of vast government surveillance — such as the notion that the agency constantly intercepts millions of phone calls and emails with the help of telecommunication companies.

But when put into a broader context, with the inclusion of testimony from other leakers from the NSA, however, those claims sound much more believable.

William Binney, a 32-year NSA veteran,  detailed a top-secret surveillance program called "Stellar Wind" in an Aug. 2012 video shot by Laura Poitras for The New York Times.

"I can pull your entire life together from all those domains and map it out and show your entire life over time," Binney said in the interview.

In a new interview with Binney on Jun. 7, the former codebreaker —  one of the best in NSA history — directly disputes Intelligence chief James Clapper, who told the Senate Intelligence Committee the NSA does not collect any type of data on millions of Americans. 

From Libertas Institute:

WB: They’re eating crow right now. Those are lies. Those are just outright lies. Obviously they are, with that court order. They’re scooping up the metadata of everything, and the PRISM program is a scoop up of actual content. Emails, video, photographs, all of that—that’s content. So they’re collecting all of it, and it’s a big vacuum. So you know, those are just outright lies.

LI: Do you think there is a pattern of deceit within the intelligence community? Are these lies representative of more lies being fed to the public?

WB: Oh yes. I call it techno-babble. They’re outright lying to the public and are trying to hide it. That’s why everything’s a secret interpretation or secret decision. You know, and now they’re all eating crow in public. The point is that they never had to do it from the beginning. There were ways and means that I had showed them how to do it while protecting U.S. citizens. You could do that, and find all the bad guys in the world and not have to violate the constitutional rights of everybody.

But some would ask how — in the post 9/11 age — is the intelligence community supposed to track and target terrorists, who often use digital communications tools located inside the U.S. Binney detailed this as well, in a Jul. 2, 2012 sworn declaration:

There are more than two dozen such sites on the U.S. coasts where fiber-optic cables come ashore. If the NSA had taken that route, it would have been able to limit its interception of electronic communications to international/international and international/domestic communications and exclude domestic/domestic communications. Instead the NSA chose to put its intercept equipment at key junction points (for example Folsom Street) and probably throughout the nation, thereby giving itself access to purely domestic communications.

...

The sheer size of that capacity indicates that the NSA is not filtering personal electronic communications such as email before storage but is, in fact, storing all that they are collecting. The capacity of NSA’s planned infrastructure far exceeds the capacity necessary for the storage of discreet, targeted communications or even for the storage of the routing information from all electronic communications. The capacity of NSA’s planned infrastructure is consistent, as a mathematical matter, with seizing both the routing information and the contents of all electronic communications.

So when the government says that it's not collecting information on millions of innocent Americans, check in with whistleblowers like Binney.

SEE ALSO: 29-Year Old NSA Whistleblower Makes Mindblowing Claims About The Power He Had

Join the conversation about this story »

A Chinese supercomputer is the fastest in the world, according to survey results announced Monday, comfortably overtaking a US machine which now ranks second.

Tianhe-2, a supercomputer developed by China's National University of Defense Technology, achieved processing speeds of 33.86 petaflops (1000 trillion calculations) per second on a benchmarking test, earning it the number one spot in the Top 500 survey of supercomputers.

The tests show the machine is by far the fastest computer ever constructed. Its main rival, the US-designed Titan, had achieved a performance of 17.59 petaflops per second, the survey's website said.

Five of the world's 10 fastest computers are installed in the US, the survey said, with the two in China, two in Germany and one in Japan.

The recognition of Tianhe-2, meaning Milky Way-2, as the world's fastest computer marks the return of the title to China after the machine's predecessor, the Tianhe-1 was ranked the world's fastest in November 2010, only to be overtaken by a machine from the US.

Unlike some of its Chinese predecessors, most of the Tianhe-2's parts are developed in China, except for its main processors, which are designed by US firm Intel.

"Most of the features of the system were developed in China...the interconnect, operating system, front-end processors and software are mainly Chinese," the list's website quoted editor Jack Dongarra as saying.

But the US still dominates the overall supercomputer rankings, with 252 systems making the top 500. The number of European machines, at 112 systems remains lower than the number of Asian machines, at 119, the list's website said.

The supercomputers on the Top 500 list, which is produced twice a year, are rated based on speed of performance in a benchmark test by experts from Germany and the United States.

Join the conversation about this story »

Verizon has a nice little business going in wiretaps. It charges the federal government $775 to tap a customer's phone and then $500 a month after that to maintain it, making it the most expensive of the government's wireless service intelligence assets, according to the Associated Press.

Here is how the companies named in the NSA's PRISM domestic surveillance scandal stack up against each other, as ranked by what they charge for intelligence requests:

• Phone taps
• Verizon: $775 startup fee then $500 per month
• AT&T: $325 "activation fee" and $10 a day afterward (~$310 per month)
• Cricket: ~$250 per wiretap
• U.S. Cellular: ~ $250 per wiretap
• Sprint: $30 per month
• Email access:
• Microsoft, Yahoo and Google: ~$25 per account

This is a real business, by the way. The AP says AT&T collected $24 million in government fees between 2007 and 2011. Verizon collects $3-5 million.

Join the conversation about this story »

As we learned today from Edward Snowden's preferred encryption email service, Lavabit, security is no good "unless you actually use it."

Cue the Japanese government, which set up a Google shared group and forgot to enable security.

From IT News:

An official at Japan's Ministry of the Environment created the group to share mails and documents related to Japan's negotiations during the Minamata Convention, a meeting held in Geneva in January to create international standards to limit international mercury use. But the official used the default privacy setting, leaving the exchanges open to searches and views in the months since. The information has now been removed.

Doh!

So, in essence, not only was the email compromised of anyone who mailed through that network, but all of their communications were available as well.

That's a potentially huge leak because it's like getting a look at the other team's playbook. Their negotiation strategies have been laid bare.

Japan is now conducting an internal investigation into the matter.

Join the conversation about this story »

The federal government has made legal requests to more than one major internet company for the passwords to users' accounts, according to CNET.

The report is frustratingly thin on details.

But it represents an even worse scenario than the one posited by NSA leaker Edward Snowden, who claimed the feds have a program named PRISM that gives them access to the servers of Google, Facebook, Microsoft and other major web providers. The companies have denied that such a program exists, saying they only respond to specific legal requests about individuals.

Legal demands for password, as reported by CNET, go beyond the mere one-time production of data from a users' account, of course. On Google, for instance, once someone has the password to your Gmail account they've got lengthy access to your calendar, search history, Drive docs, Gmail chats, and maybe your Google+ account.

CNET reports the unnamed companies have pushed back on the demands.

SEE ALSO: Microsoft Tells The Obama Administration: 'The Constitution Is Suffering' Under PRISM

Join the conversation about this story »

In the wake of seemingly endless leaks from ex-NSA contractor Edward Snowden, President Obama's attempt to manage the political fallout seems destined to fail.

On Friday, Obama announced that he would form a "high-level group of outside experts" to review intelligence and communications technologies. This group, Obama said, would be "independent"— able to step back freely — to review surveillance technologies and "consider how we can maintain trust of the people."

It only took the weekend for much of any trust in that group to fade.

On Monday, Director of National Intelligence James Clapper confirmed that yes, the review group would happen. He also confirmed that, yes, he would be establishing it.

This is the same James Clapper who gave false information to Congress when asked whether the NSA was collecting data on Americans. He later apologized.

Perhaps most interesting in Clapper's statement on Monday is the absence of wording used on Friday: independent, and outside. In an expanded statement, the White House said the group would present their interim findings to his office, and the final report would go "through the Director of National Intelligence."

"In practice — not theory — Clapper gets to chop the draft of the interim and final reports, and the Office of the Director of National Intelligence would — again, in practice — assist in selecting the members of the review group," Robert Caruso, a former assistant command security manager in the Navy and consultant, said in an email.

This arrangement is sure to arouse suspicions, with many Americans showing distrust after leaks of previously unknown spying programs. Even Sen. John McCain (R-Ariz.), a veteran politician and national security hawk, admitted as much to Fox News Sunday:

“Right now there’s kind of a generational change. Young Americans do not trust this government,” McCain said.“Without trusting government you can’t do a lot of things.”

Still, Caruso believes there can be good to come from such a review. "I trust [Clapper] has the best intentions at heart." But on whether that final report would be transparent or heavily redacted, he told me, "we'll have to wait and see."

Join the conversation about this story »

Anti-secrecy organization Wikileaks just released a treasure trove of files, that at least for now, you can't read.

The group, which has been assisting ex-NSA contractor Edward Snowden after he leaked top-secret documents to the media, posted links for about 400 gigabytes of files on their Facebook page Saturday, and asked their fans to download and mirror them elsewhere.

Here's the cryptic post:

The organization posted the same message about its "insurance" files to Twitter.

You can download the files via torrent but since they are encrypted — and Wikileaks has not yet provided the key — you won't be able to open them.

We can garner at least one thing of note from the file names alone: They probably have a very high level of encryption. The end of the files, "aes256," likely stands for Advanced Encryption Standard-256 bits.

It's a way of locking up your files that even the NSA has approved for use on top secret data.

What's in the files is anyone's guess for now, but there's already plenty of speculation.

SEE ALSO: TIME Journalist: I Can't Wait To Write About The Drone Strike That Kills Julian Assange

Join the conversation about this story »

If you want to maintain your privacy online, it seems the only way to do it these days is to turn off your computer.

All of the big tech companies are bound by the Patriot Act and receive National Security Letters (NSL's) from the government asking them to turn over user data when it's "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities."

It's pretty well known that if you use services like Google and Facebook, you shouldn't expect much when it comes to privacy. But if you prefer to stay off the grid, what can you do?

For the average Internet user, the options are dwindling.

On Aug. 5, researchers discovered the Tor service, known for anonymizing its users' web browsing, was actually revealing user data which they believe had a "high likelihood" of being sent back to the NSA. Just days later on Aug. 9, two U.S.-based providers of secure email services voluntarily shut down. Both were preemptive efforts to protect their users from government eyes.

These aren't new developments. In 2007, Canada-based encrypted email provider Hushmail turned over emails to the DEA in response to a court order.

But even advanced users knowledgeable in encryption have reason to fear.

"With the tapping of backbone internet providers, interested parties can now see all traffic on the internet," wrote Louis Kowolowski of Silent Circle, one of the encrypted email services that was shuttered. "The days where it was possible for two people to have a truly private conversation over email, if they ever existed, are long over."

Perhaps more interesting is a slide detailing the formerly secret "XKEYSCORE" program run by the NSA and leaked by former contractor Edward Snowden.

"How do I find a cell of terrorists that has no connection to known strong-selectors?," a question on the slide reads. The answer: "Look for anomalous events."

Among the anomalous events is "someone who is using encryption" or someone searching "for suspicious stuff."

According to the NSA, if you are using encryption — that is, trying to make sure no one besides the person you just emailed is reading the words you have typed — you are lumped in with terrorists.

It's the digital equivalent of a police car patrolling your neighborhood and deeming your home suspicious because the blinds are shut.

As former intelligence analyst Joshua Foust writes in an essay titled "Face It: Privacy Is Dead," it's pretty tough to stay off the radar when the Internet was created by the government to begin with.

He writes:

When people really want to keep their data secret, they invest heavily in the infrastructure to do so. The intelligence community went to the expense of building its own alternate networks to keep their data safe (so long as they’re not broken by construction crews in Tyson’s Corner, VA). It also forbids the use of cell phones, cameras, and even CD players in its intel facilities. When they were not prohibited, like at Bradley Manning’s base in Iraq, a massive breach occurred.

But the average citizen can't afford — nor would it even make sense — to build a system such as the military's SIPRnet to communicate with others. Instead, we have cheap alternatives such as PGP that aren't exactly a breeze to set up.

So the alternative it seems is not one you want to hear: If you really value your privacy, turn off your cell phone, unplug your network cable, and only talk face-to-face. Foust may be right when he deems online privacy dead, but more compelling is that the government has effectively deemed it illegal.

SEE ALSO: Government Reportedly Threatened Arrest Against Founder Of Snowden's Encrypted Email Service

Join the conversation about this story »

Of all the horrifying scenarios that hackers could pull off — from launching nukes to spoofing air traffic control— the one that poses the biggest risk for Wall Street would be a cyber attack on equity markets.

In the summer issue of hacker magazine 2600, pseudonymous writer "Eightkay" shows how such a scenario could pan out:

Now imagine this attack scenario. Agents of an enemy of the United States successfully break into the mainframes of a High Frequency Trading Company, Dark Pool Crossing Network, or Brokerage Company. They infect the system with rogue trading algorithms or change the code on currently deployed algorithms. In a single coordinated attack, they buy and sell millions of shares of a single company or multiple companies, causing trading to halt or decimating the value of a single stock. Multiply that by 100 stocks of the top Fortune 500 companies and we have market collapse. Trading for the day would halt and Uncalculated economic damage would be done.

The days of screaming floor traders have long passed as computers now make financial moves in microseconds. The shift has already given way to (non-hacker initiated) computer glitches costing serious money: Knight Capital lost $450 million in 2012, and Goldman Sachs is still trying to get to the bottom of $100 million in botched trades. 

Hackers were able to "repeatedly [penetrate] the computer network" of the Nasdaq Stock Market in 2011 — although they luckily weren't able to make it into the exchange trading platform.

And a report from Reuters in July of this year found 53% of the world's securities exchanges had experienced at least one cyberattack in the last year. Most were simple denial-of-service or virus attacks — but they are getting better.

"Cybercrime also appears to be increasing in terms of sophistication and complexity, widening the potential for infiltration and large-scale damage," the report read.

While there are safeguards such as market monitors and circuit breakers, "Eightkay" writes, "this attack could happen quickly, rapidly, and across multiple fronts" laying waste to investor confidence and damaging the economy.

It's also worth noting that "Eightkay" doesn't advocate such an attack or show how it can be pulled of in his column. He's simply sounding the alarm bell.

SEE ALSO: The 7 Deadliest Computer Hacks Known To Mankind

Join the conversation about this story »

Millions of Android smartphone users are susceptible to security vulnerabilities such as viruses and malware, according to an internal bulletin prepared by the Department of Homeland Security and the FBI.

The July 23 bulletin, obtained by the website Public Intelligence, reveals that Android — as the most widely used mobile OS — continues to be the target of attacks due to "its market share and open source architecture."

"44 percent of Android users are still using version 2.3.3 through 2.3.7 — known as Gingerbread — which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions," the bulletin reads.

Android leads the smartphone market, with roughly 80% global market share. While more popular in the consumer, rather than the public sector, the bulletin warns that software needs to be kept up-to-date as more federal, state, and local authorities use Android.

The bulletin describes some of the threats if the OS isn't updated to the latest, and more secure software. These include viruses that send out text messages without the user's knowledge, and "rootkits," which are able to log user locations and passwords.

The current 4.3 version of Android, known as Jelly Bean, is considered much safer — with a built-in feature that allows users to scan installed apps for signs of malicious or dirty code, according to Phandroid.

Join the conversation about this story »

All Apple devices have been successfully infected by the NSA with spyware, according to new documents published by Der Speigel, the German magazine.

We first saw the story on The Daily Dot, and it is chilling:

An NSA program called DROPOUTJEEP allows the agency to intercept SMS messages, access contact lists, locate a phone using cell tower data, and even activate the device’s microphone and camera.

... According to leaked documents, the NSA claims a 100 percent success rate when it comes to implanting iOS devices with spyware. The documents suggest that the NSA needs physical access to a device to install the spyware—something the agency has achieved by rerouting shipments of devices purchased online—but a remote version of the exploit is also in the works.

Here's a copy of a NSA document explaining how "DROPOUTJEEP," its Apple spyware, works:

It's not the first time we've seen documents alleging that the NSA spies on Apple customers. NSA leaker Edward Snowden produced an NSA document that calls Steve Jobs "Big Brother" and his customers "zombies."

This video lecture was published today by the journalist who got the scoop:

In the speech Applebaum all but accuses Apple of cooperating with the NSA to allow the agency to access any iPhone:

"[The NSA] literally claim that anytime they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I'd like to believe that since Apple didn't join the PRISM program until after Steve Jobs died, that maybe it's just that they write sh---y software. We know that's true."

SEE ALSO: Purported NSA Slides Refer To iPhone Owners As 'Zombies' And Steve Jobs As 'Big Brother'

Join the conversation about this story »