B.S. ALERT On U.S. Cyber Command – Anonymous DOES NOT CENSOR!

This is what the United States Sentencing Commission‘s hacked home page looked like.

(Credit: Screenshot of cached page by Edward Moyer/CNET)

In response to the death of tech activist Aaron Swartz, hacktivist collective Anonymous hacked a U.S. government Web site related to the justice system and posted a screed saying it would begin leaking a cache of government documents if the justice system is not reformed.

The group hacked the Web site for the United States Sentencing Commission late Friday, posting a message about what it’s calling “Operation Last Resort,” along with a set of downloadable encrypted files it said contain sensitive information. The sentencing commission is the caretaker of the guidelines for sentencing in U.S. federal courts.

“Two weeks ago today, a line was crossed,” the group’s statement reads. “Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice. Killed because he was forced into playing a game he could not win — a twisted and distorted perversion of justice — a game where the only winning move was not to play.”

The recent suicide of Swartz, a proponent of freely accessible information, has been blamed by some on what they say were outrageously aggressive efforts on the part of the U.S. Attorney in Massachusetts to punish Swartz for his alleged theft of millions of articles from a database of academic journals. The 26-year-old Swartz, who struggled with bouts of depression, had been charged with 13 felonies and threatened with decades in prison and fines exceeding $1 million. U.S. Attorney Carmin Ortiz says Swartz’s lawyers were also offered a plea bargain in which he’d plead guilty and serve perhaps six months.

Anonymous encouraged its followers to download the files on the hacked site, a set of nine downloads named after the U.S. Supreme Court’s nine justices and collectively referred to by the hacking collective as a “warhead.”

“Warhead-US-DOJ-LEA-2013.AEE256 is primed and armed. It has been quietly distributed to numerous mirrors over the last few days and is available for download from this website now. We encourage all Anonymous to syndicate this file as widely as possible.”

The group wouldn’t specify what, exactly, is in the files, saying only that “the contents are various and we won’t ruin the speculation by revealing them. Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file.”

The contents of the encrypted files can apparently be accessed only with a decryption key, and Anonymous said it didn’t necessarily want to provide that key to its followers — it mentioned “collateral damage” as a result of any leaks and said: “It is our hope that this warhead need never be detonated.” But the group said the U.S. government must begin acting on reforms to the justice system suggested by the system’s critics, and in spelling out its demands more specifically, it mentioned plea bargaining and suggested the overhaul of legislation such as the mid-1980s antihacking law titled the Computer Fraud and Abuse Act.

…in order for there to be a peaceful resolution to this crisis, certain things need to happen. There must be reform of outdated and poorly-envisioned legislation, written to be so broadly applied as to make a felony crime out of violation of terms of service, creating in effect vast swathes of crimes, and allowing for selective punishment. There must be reform of mandatory minimum sentencing. There must be a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea [criminal intent]. The inalienable right to a presumption of innocence and the recourse to trial and possibility of exoneration must be returned to its sacred status, and not gambled away by pre-trial bargaining in the face of overwhelming sentences, unaffordable justice, and disfavourable odds. Laws must be upheld unselectively, and not used as a weapon of government to make examples of those it deems threatening to its power.

The group said it had acquired the files by compromising various government Web sites and installing “leakware,” which it has since removed to cover its tracks.

Here’s the video Anon posted on the commission’s site. A Google cache of the hacked home page, which includes the text version of the screed, can be seen here.




//////////////////////////////////////////////////

Help wanted at Pentagon to fend off hackers — 4,000 cybersecurity experts

eyed

The U.S. Department of Defense gave the go-ahead to a massive expansion of its cybersecurity force to fight off computer hacks and security compromises, according to media.

The expansion comes on the heels of an Anonymous attack on the U.S. Sentencing Commission’s website.

The Defense Department’s Cyber Command is expected to grow its staff from 900 to 4,900 over the next few years, according to media reports.

In public remarks at the Intrepid Sea, Air and Space Museum in New York in October 2012, Defense Secretary Leon Panetta warned of the potential for a “cyber-Pearl Harbor” and advised the United Stations to boost cybersecurity programs.

“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said then, according to media reports.

“They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country.

© Copyright 2013 The Washington Times, LLC. Click here for reprint permission.

/////////////////////////////////////////////////////////////

Mikko Hypponen enjoys his position as the chief research officer at the Helsinki-based security firm F-Secure. He has no intention of leaving. But lately, he’s been spending a lot of time looking at job openings.

Over the past few months, Hypponen has been periodically visiting the “careers” section of defense contractors’ websites and online job listings, particularly those targeted at candidates with secret clearances, and searching for words like “exploit,” “offensive,” and “vulnerability.” And the positions he’s been seeing show a new recruiting focus–or newly explicit focus–among the Beltway firms that serve the Pentagon: offensive cyberwarfare.

“This exciting and fast-paced Research and Development project will plan, execute, and assess an Offensive Cyberspace Operation (OCO) mission,” reads a posting for a job with the bland title “Cyber Software Engineer” at defense firm Northrop Grumman. Booz Allen Hamilton seeks a “Target Digital Network Analyst” capable of “exploit development for personal computer and mobile device operating systems, including Android, Blackberry, iPhone and iPad.”

Defense contractor giant Raytheon is looking for a “Unix Attack developer.” TeleCommunications Systems wants a “Windows Attack/Exploit Developer.” NSA contractor SAIC seeks a “Red Team Developer.” All three of those companies’ job descriptions include the phrase: “analyzing software for vulnerabilities as well as development of exploit code.”

Hypponen says the job searches he began out of curiosity show a marked uptick in these self-described offensive hacker jobs for U.S. government contractors. “I think this is new,” he says. “The arms race has started, and this proves it. It’s a clear sign of the demand to stockpile cyber weapons and expand the operations underway.”

Despite the creation of a U.S. Cyber Command under NSA head General Keith Alexander in 2009, the U.S. government and military has remained guarded about its role as an attacker rather than a mere defender in digital military operations. Even after confirmation that the ultra-sophisticated Stuxnet malware was created by U.S. and Israeli agents and strong evidence that the Flame spyware was developed by the same coders, no government source has officially acknowledged targeting foreign countries’ militaries or civilians with malicious code.

But rocketing demand and a lagging supply of skilled hackers is boosting salaries and driving the defense industry’s war for talent into the open, says Alan Paller, the director of research at the cybersecurity education-focused SANS Institute. He cites SANS’ statistics that highly skilled cybersecurity staffers were paid as much as $175,000 in 2011, up 25 to 30 percent from two years before, and points to comments from the Booz Allen Hamilton executive Patrick Gorman to Bloomberg last year that the company tries to hire 1,000 cybersecurity experts a year, and struggles to find them.

“We don’t have the people, and we don’t have a way to make them yet,” says Paller. “We’ve got a really good core of people, but it’s tiny. We’re not even in the game. We can’t field a team.”

“Help wanted” ads for computer security positions by month. Click to enlarge. (Source: Conference Board Help Wanted Online Data Series)

Cybersecurity job openings as a whole are taking off: According to business research group the Conference Board, 15,901 jobs in cybersecurity were posted online in May of this year. That’s up 18% from the 13,477 in the previous May, and nearly double the 8,731 cybersecurity jobs posted in May five years ago.

Just how many of the cybersecurity positions will focus on offensive, or “black-hat” hacking, rather than defensive, or “white-hat” hacking, is tough to measure. But Paller says the military’s demand for hackers who can break into systems or write malware is already enormous and growing. “Every single control system an adversary has, if there’s a way to take it over, you want to be able to take it over,” he says. “Power system, communications system, radar system, control systems for satellites, field communications unit. If you were going to war with someone, every one would be a potential target for a Stuxnet-like attack, against each of the nations you’re going up against. So you get a sense of the number of people needed.”

Spokespersons I reached out to at Northrop Grumman, Raytheon, SAIC and Booz Allen Hamilton all declined to discuss their recruitment practices for offensive hackers, and Lockheed Martin didn’t respond to my request. A Northrop Grumman spokesperson did point me toward the company’s recent move to give $1 million to undergraduate programs in cybersecurity at the University of Maryland, with the goal of fostering more local talent.