Confusion Center: Feds Now Say Hacker Didn’t Destroy Water Pump

A report from an Illinois intelligence fusion center saying that a water utility was hacked cannot be substantiated, according to an announcement released Tuesday by the Department of Homeland Security.

Additionally, the department disputes assertions in the fusion center report that an infrastructure-control software vendor was hacked prior to the water utility intrusion in order to obtain user names and passwords to break into the utility company and destroy a water pump.

The DHS notice, released late Tuesday, asserts that information released by the Illinois Statewide Terrorism and Intelligence Center earlier this month about the water pump was based on raw and unconfirmed data, implying that it should never have been made public.

But Joe Weiss, a control system expert who first reported the information from the fusion report, is skeptical of the new claim by the government that the report was all wrong.

“This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used,” Weiss said, noting that the fusion center — which is composed of Illinois state police, as well as representatives from the FBI and DHS — distributed the report to other critical infrastructure facilities in that state. “It was just laying out facts. How do the facts all of a sudden all fall apart?”

On Nov. 10 the Illinois fusion center released a report titled “Public Water District Cyber Intrusion” disclosing that someone had hacked into an unidentified water utility company, taken control of its Supervisory Control and Data Acquisition System (SCADA) and turned it on and off repeatedly, resulting in the burnout of a water pump.

The facility, later identified by reporters as the Curran-Gardner Township Public Water District, discovered the breach on Nov. 8. According to the unusually detailed fusion report, forensic evidence indicated that the hackers might have been in the system as early as September, and that they launched their attack from IP addresses based in Russia.

The report also asserted that the intruders gained access to the utility’s SCADA system by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords that the vendor maintained for its customers, and then used those credentials to gain remote access to the utility’s network.

“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” the report stated, according to Weiss, managing partner of Applied Control Solutions, who obtained a copy of the document and read it to reporters last week.

The fusion report also indicated that the hack into the utility system shared a similarity to a recent hack into an MIT server last June that was used to launch attacks on other systems. In both cases, the intrusions involved PHPMyAdmin, a front-end tool used to manage databases. The MIT server was used to search for systems that were using vulnerable versions of PHPMyAdmin that could then be attacked. In the case of the water utility in Illinois, the fusion report said that the company’s log files contained references to PHPMyAdmin, but didn’t elaborate.

But now the federal government says the fusion center was confused.

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report — which was based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.

Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

Efforts to obtain comment from the fusion center in Illinois were unsuccessful. An analyst at the center said the center had no one in place to speak with reporters and referred inquiries to the FBI office in Springfield, Illinois. But FBI spokesman Bradley Ware said he could not speak for the fusion center, and referred calls back to the center. A second analyst at the center said he would pass questions to Master Sergeant Kelly Walter, who did not respond to the inquiry from Threat Level.

Weiss expressed frustration over the conflicting reports.

“There’s a lot of black and white stuff in that report,” he said. “Either there is or there isn’t a Russian IP address in there. It’s hard to miss that. This stuff about the vendor being hacked…. How can two government agencies be so at odds at what’s going on here? Did the fusion center screw up, or is the fusion center being thrown under the bus?”

Photo: Darwin70 / Flickr

Mobile ‘Rootkit’ Maker Tries to Silence Critical Android Dev

A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.

Though the software is installed on millions of Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from apps and battery life to texts. Some carriers prevent users who actually find the software from controlling what information is sent.

Eckhart called the software a “rootkit,” a security term that refers to software installed at a low level on a device, without a user’s consent or knowledge, in order to secretly intercept the device’s workings. Keyloggers and trojans are two examples of malware that behave this way.

He also mirrored the Mountain View, Calif. company’s training manuals he’d found on Carrier IQ’s publicly available website. The manuals provide a limited roadmap for how Carrier IQ works, Eckhart said in a telephone interview.

When Carrier IQ discovered Eckhart’s recent research and his posting of those manuals, Carrier IQ sent him a cease-and-desist notice, saying Eckhart was in breach of copyright law and could face damages of as much as $150,000, the maximum allowed under U.S. copyright law per violation. The company removed the manuals from its own website, as well.

On Monday, the Electronic Frontier Foundation announced it had come to the assistance of the 25-year-old Eckhart of Connecticut, whom Carrier IQ claims has breached copyright law by reposting the manuals.

“I’m mirroring the stuff so other people are able to read this and verify my research,” he said. “I’m just a little guy. I’m not doing anything malicious.”

The company is demanding Eckhart retract his “rootkit” characterization of the software, which is employed by most major carriers, Eckhart said.

The EFF says Eckhart’s posting of the files is protected by fair use under the Copyright Act for criticism, commentary, news reporting and research, and that all of Carrier IQ’s claims and demands are “baseless.”

Andrew Coward, Carrier IQ’s marketing manager, said in a telephone interview Tuesday that the company, not Eckhart, should be in “control” of the manuals.

“Whatever content we distribute we want to be in control of that,” he said. “I think obviously, any company wants to be responsible for the information that gets distributed.”

He said “legal matters” prohibited the 6-year-old company from discussing the Eckhart flap further.

He said the company’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”

“We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

Marcia Hofmann, an EFF senior staff attorney, said the civil rights group has concluded that “Carrier IQ’s real goal is to suppress Eckhart’s research and prevent others from verifying his findings.”

In a Monday letter to Carrier IQ, Hofmann said Eckhart’s speech was protected by the First Amendment.

What’s more, the company is demanding that Eckhart inform Carrier IQ of the names of all persons to whom Eckhart has forwarded the training material. The company also wants Eckhart to send “written retractions” to everybody who has viewed his research in hard copy or on the web.

Among other things, Carrier IQ insists that Eckhart retract his “root kit” characterization of the unremovable software, and other statements, by issuing a press release to The Associated Press.

PC Magazine describes a rootkit as this:

A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have “root” access to the computer, which means it runs at the lowest level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. Rootkits came from the Unix world and started out as a set of altered utilities such as the ls command, which is used to list file names in the directory (folder).

Legitimate Rootkits?

Rootkits can also be used for what some vendors consider valid purposes. For example, if digital rights management (DRM) software is installed and kept hidden, it can control the use of licensed, copyrighted material and also prevent the user from removing the hidden enforcement program. However, such usage is no more welcomed than a rootkit that does damage or allows spyware to thrive without detection.

In 2005, Sony came under fire for installing a rootkit on music CDs. Security expert Bruce Schneier wrote then that “The Sony code modifies Windows so you can’t tell it’s there, a process called ‘cloaking’ in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can’t be removed; trying to get rid of it damages Windows.”

In a letter to Eckhart, Carrier IQ said, “If you do not comply with these cease and desist demands within this time period, please be advised the Carrier IQ, Inc. will pursue all available legal remedies, including seeking monetary damages, injunctive relief, and an order that you pay court costs and attorney’s fees.”

The deadline expired Nov. 18, but so far Carrier IQ has not made good on its threats.

Bradley Manning Defense to Call 50 Witnesses to Hearing

The defense attorney representing alleged WikiLeaks leaker Bradley Manning plans to call up to 50 witnesses at a pre-trial hearing scheduled to occur next month in Maryland, as well as introduce a number of unspecified motions, according to the organizers of a support group for the soldier.

The witnesses could include Daniel Ellsberg, famed Pentagon Papers leaker, who would talk about the benefit Manning’s alleged leaks provided to the public, as well as technical experts who would speak to the actual evidence on which the charges against Manning are based. The latter might include assessments of forensic evidence from classified networks and databases that contained the sensitive documents Manning is charged with downloading and leaking.

The information on the defense’s tactics came at a press conference on Tuesday held by representatives of the Bradley Manning Support Network.

Jeff Paterson, an organizer with the Network, said it’s unclear how many witnesses the court will allow to testify, but said that Manning’s defense attorney David E. Coombs intends to release a complete list of the witnesses if the court blocks him from calling a substantial number of them. Paterson said that prosecutors have not released a list of witnesses they plan to call.

Coombs was unavailable for comment and has indicated he will not be speaking with any media prior to the hearing.

The pre-trial hearing, to be held Dec. 16 at Fort Meade outside Baltimore, Maryland, is expected to last about five days but could spill over into January, with a recess for the December holidays, if the court allows a large number of witnesses to testify.

The hearing will be the first time that Manning’s defense team will be able to hear the details of the prosecution’s case against the former army intelligence analyst.

Both the prosecution and defense will be able to call witnesses to the hearing and cross-examine them. The defense will also receive copies of the criminal investigation files and witness statements.

Paterson told reporters that the defense team has “received the vast majority of the discovery that’s needed to move forward on this case” since Manning’s confinement in May 2010, but said that “there is some more sensitive information that is still being withheld from the defense that is expected to be released at some point soon.”

He said the chat logs believed to be between Manning and former hacker Adrian Lamo, in which Manning allegedly confessed to leaking data to the secret-spilling site WikiLeaks, are “suspect as far as evidence in a military court,” and prosecutors will therefore likely have to rely on forensic evidence.

Generally at pre-trial hearings, the defense team refrains from revealing information that might tip off the prosecution to their defense strategy. But Paterson said that defense attorney Coombs “is going to present a pretty vigorous defense of [many] different angles on the charges.”

Paterson didn’t comment on the nature of the motions the defense might introduce at the hearing.

But Ellsberg and the Network’s legal adviser Kevin Zeese, who were on the press call, argued that public comments President Obama made earlier this year suggesting that Manning is guilty constitute illegal command influence on the military court from the nation’s commander in chief, and therefore should be raised as an issue in the case.

Obama told an audience in April, “If I was to release stuff, information that I’m not authorized to release, I’m breaking the law.”

“I can’t imagine a juror who wants to have a future in the military … going against the statement of [guilty] made by his or her commander in chief,” said Zeese, referring to the military judge and jury who will preside over the hearing and subsequent court martial of Manning and could be swayed to convict based on Obama’s statements. “I hope that the defense is making an issue of it.”

The hearing is open to the public and the media, except for periods when classified information will be discussed, and is expected to draw a large crowd of observers. The Support Network said it expects the military will have a remote viewing area for up to 100 observers to accommodate spillover.

If the judge presiding over the hearing determines that the case should proceed for court-martial, Manning will be tried in the Washington, D.C., area, according to the Army. Paterson said a court-martial would likely occur sometime between April and August next year.

“There will be a lot of motions in between [the Article 32 hearing and the court martial],” Paterson said.

The Army has filed 22 counts against Manning, including a capital charge of aiding the enemy, for which the government said it would not seek the death penalty. Other charges include five counts of theft of public property or records, two counts of computer fraud, eight counts of transmitting defense information in violation of the Espionage Act, and one count of wrongfully causing intelligence to be published on the internet knowing it would be accessible to the enemy.

If convicted of all charges, Manning faces a maximum punishment of life in prison, the Army said in a press release.

The Support Network, which says it has raised nearly $400,000 for Manning’s legal defense so far, plans to hold demonstrations outside Fort Meade on Dec. 16, when Manning arrives for the hearing the first day, as well as a larger rally and march through the public streets on the north side of Fort Meade on Dec. 17, the day of Manning’s 24th birthday. Organizers around the world will also be holding an international day of support for Manning. The Support Network says it has raised nearly $50,000 to cover the travel expenses for Manning’s family to visit him in prison and attend the hearing, as well as to cover the costs of organizing rallies and other support.

Manning was arrested in May 2010 in Iraq after allegedly telling a former hacker that he had leaked vast amounts of classified material to WikiLeaks. He was subsequently transferred to Kuwait, where he was detained for about two months before being moved to the Quantico brig at the end of July.

For most of his time at the brig, Manning was held in highly restrictive pre-trial confinement. Designated a maximum-custody detainee under prevention-of-injury watch, or POI, he was confined to his cell for all but an hour a day, and had a number of other restrictions placed on him.

Last April, after charges from his attorney and supporters that Manning was being unfairly treated at the brig, he was moved to Fort Leavenworth, Kansas, where most of the restrictions on him were removed and he was able to eat, visit and exercise with other prisoners.

OpenPGP JavaScript Implementation Enables Encrypted Webmail

This is a pretty interesting progression in the encryption field, I’m pretty sure most of us here will use some kind of key based e-mail encryption (PGP/GPG etc) and various different software based implementations. Or perhaps some of you already use something totally web-based like Hushmail, the story is that researchers in Germany have...

Read the full post at