DOCSLIB.ORG

Exhibit N.DOC

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Exhibit N.DOC Page 1 1 of 1 DOCUMENT Copyright 2010 The Washington Post All Rights Reserved The Washington Post April 21, 2010 Wednesday Suburban Edition SECTION: A-SECTION; Pg. A15 DISTRIBUTION: Maryland LENGTH: 692 words HEADLINE: Google hackers duped company personnel to penetrate networks; Cyberattacks growing more sophisticated, experts say BYLINE: Ellen Nakashima BODY: The hackers who penetrated the computer networks of Google and more than 30 other large companies used an in- creasingly common means of attack: duping system administrators and other executives who have access to passwords, intellectual property and other information, according to cybersecurity experts familiar with the cases. "Once you gain access to the directory of user names and passwords, in minutes you can take over a network," said George Kurtz, worldwide chief technology officer for McAfee, a Silicon Valley computer security firm that has been working with more than half a dozen of the targeted companies. Kurtz and others said hackers are mounting ever more sophisticated and effective attacks that often begin with a ruse familiar to many computer users -- a seemingly innocuous link or attachment that admits malicious software. The attacks were publicized in January when Google, one of the world's most advanced tech firms, announced that intruders had penetrated its network and compromised valuable intellectual property. Google asserted that the attacks originated in China; Chinese officials say they are investigating. The New York Times reported on its Web site Monday that the Google theft included source code for a password system that controls access to almost all of the company's Web services. But the cyber-espionage campaign went far beyond Google, targeting companies with apparently strong intrusion- detection systems, including Adobe, Northrop Grumman and Yahoo, industry sources said. A decade ago "it was the bad guys burrowing in, breaking through a firewall from the outside," Kurtz said. "Now, in essence, what they're doing is having good people on the inside unwittingly connect out to a malicious Web site where their machines can be infected." 2577415.1 Page 2 Google hackers duped company personnel to penetrate networks; Cyberattacks growing more sophisticated, experts say The Washington Post April 21, 2010 Wednesday Once a hacker can impersonate a system administrator or a senior executive, it becomes difficult to identify the at- tackers. "Many of these other companies don't know if source code has been stolen because the hackers have assumed the identities of people whose passwords have been stolen," Kurtz said. The hackers' goal, industry officials and analysts said, is to obtain information that benefits China in strategic in- dustries and in areas where the country seeks an advantage over U.S. firms. "The bottom line here is if your company has any business dealings with China or has extremely valuable technol- ogy or intellectual property, you have a high likelihood of being a target," said Rob Lee, a director with Mandiant, a security firm that is working with some of the targeted companies. He said he believes the same group or groups that have targeted Google and the other companies have penetrated "hundreds if not thousands" more firms. They target not only system administrators but anyone with privileged access to a company's network, he said. Figuring out whom to target and how is the result of research, said Shawn Carpenter, a principal forensics analyst at the security firm NetWitness whose former job involved trying to hack into government agencies' Web sites to help them find their weak spots. "One of the first things we do is build up a dossier," he said. "What conferences has this person spoken at? What people do they know? Are they likely to open up this type of e-mail attachment if I spoof it as coming from a person who has sat on a panel with them?" The essence of the attack is "exploiting those human tendencies of curiosity and trust," Carpenter said. The targeting of personnel is only one aspect of a larger, more sophisticated operation that involves planning the mode of attack, reconnaissance inside a company's network, deciding what type of data to go after, and harvesting and analyzing the data, experts said. "There's a life cycle of activities that occurs, involving many steps, both with human intelligence and electronic in- telligence, to ultimately penetrate these organizations," said Eddie Schwartz, NetWitness's chief security officer. "When you're combining all of these techniques, this is the work of a highly organized group or groups that has specific targets in mind." Staff researcher Julie Tate contributed to this report. LOAD-DATE: April 21, 2010 2577415.1 Project E V E R E S T Evaluation and Validation of Election Related Equipment, Standards and Testing REPO R T OF FINDINGS Ohio Secretary of State Jennifer L. Brunner Columbus, Ohio December 14, 2007 Project EVEREST (Evaluation & Validation of Election-Related Equipment, Standards, & Testing) Risk Assessment Study of Ohio Voting Systems Executive Report Ohio Secretary of State Jennifer Brunner December 14, 2007 2 Table of Contents INTRODUCTION...........................................................................................5 OBJECTIVES................................................................................................ 6 HISTORY ......................................................................................................7 OHIO’S PURCHASE OF ELECTRONIC VOTING MACHINES ...................................................... 7 PUBLIC CONFIDENCE IN ELECTRONIC VOTING..................................................................... 7 PROJECT EVEREST ............................................................................................................8 STRUCTURE OF STUDY ............................................................................. 12 SECURITY ASSESSMENT ...........................................................................14 MICROSOLVED .................................................................................................................. 14 Method......................................................................................................................... 14 Findings ....................................................................................................................... 15 Summary.................................................................................................................. 15 Penetration Testing: Specific Results .................................................................... 16 Premier................................................................................................................ 16 Description of the Premier System................................................................. 16 Physical Access Testing...................................................................................20 Network and Communications Access Testing..............................................22 File Systems Access Testing............................................................................22 Baseline Comparison ......................................................................................22 ES&S ....................................................................................................................22 Description of the ES&S Voting System.........................................................22 Physical Access Testing...................................................................................26 Network and Communications Access Testing..............................................27 File Systems Access Testing............................................................................28 Baseline Comparison ......................................................................................28 Hart InterCivic....................................................................................................28 Description of the Hart InterCivic Voting System .........................................28 Physical Access Testing................................................................................... 31 Network and Communications Access Testing..............................................32 File Systems Access Testing............................................................................32 Baseline Comparison ......................................................................................32 Suggested Improvements: All Voting Systems..........................................................32 Summary of Boards of Elections Officials’ Review of MicroSolved’s Findings on the Security Assessment of the State’s Voting Systems ...................................................33 UNIVERSITY RESEARCH TEAMS .........................................................................................35 Method.........................................................................................................................35 Findings .......................................................................................................................37 Summary..................................................................................................................37 Specific Results: Source Code Analysis and Red Team (Penetration) Testing ....38 ES&S ....................................................................................................................38 Failure to Protect Election
Load more

Recommended publications
  • Hacking the Master Switch? the Role of Infrastructure in Google's
    Hacking the Master Switch? The Role of Infrastructure in Google’s Network Neutrality Strategy in the 2000s by John Harris Stevenson A thesis submitteD in conformity with the requirements for the Degree of Doctor of Philosophy Faculty of Information University of Toronto © Copyright by John Harris Stevenson 2017 Hacking the Master Switch? The Role of Infrastructure in Google’s Network Neutrality Strategy in the 2000s John Harris Stevenson Doctor of Philosophy Faculty of Information University of Toronto 2017 Abstract During most of the decade of the 2000s, global Internet company Google Inc. was one of the most prominent public champions of the notion of network neutrality, the network design principle conceived by Tim Wu that all Internet traffic should be treated equally by network operators. However, in 2010, following a series of joint policy statements on network neutrality with telecommunications giant Verizon, Google fell nearly silent on the issue, despite Wu arguing that a neutral Internet was vital to Google’s survival. During this period, Google engaged in a massive expansion of its services and technical infrastructure. My research examines the influence of Google’s systems and service offerings on the company’s approach to network neutrality policy making. Drawing on documentary evidence and network analysis data, I identify Google’s global proprietary networks and server locations worldwide, including over 1500 Google edge caching servers located at Internet service providers. ii I argue that the affordances provided by its systems allowed Google to mitigate potential retail and transit ISP gatekeeping. Drawing on the work of Latour and Callon in Actor– network theory, I posit the existence of at least one actor-network formed among Google and ISPs, centred on an interest in the utility of Google’s edge caching servers and the success of the Android operating system.
    [Show full text]
  • Barbara Simons Was Appointed to the Board of Advisors of the U.S
    An expert on electronic voting, Dr. Barbara Simons was appointed to the Board of Advisors of the U.S. Election Assistance Commission in 2008. She co-authored Broken Ballots: Will Your Vote Count? with Prof. Douglas Jones. She was a member of the National Workshop on Internet Voting that was convened at the request of President Clinton and produced a report on Internet Voting in 2001. She also participated on the Security Peer Review Group for the US Department of Defense’s Internet voting project (SERVE) and co-authored the report that led to the cancellation of SERVE because of security concerns. Simons co-chaired the Association for Computing Machinery (ACM) study of statewide databases of registered voters, and she co-authored the League of Women Voters report on election auditing. Simons was President of ACM, the nation’s oldest and largest educational and scientific society for computing professionals, from July 1998 until June 2000. She founded ACM’s US Public Policy Committee (USACM) in 1993 and served for many years as the Chair or co- Chair of USACM. In 2005 Simons became the only woman to receive the Distinguished Engineering Alumni Award from the College of Engineering of U.C. Berkeley. She is also a Fellow of ACM and the American Association for the Advancement of Science. She received the Alumnus of the Year Award from the Berkeley Computer Science Department, the Distinguished Service Award from Computing Research Association, the Making a Difference Award from ACM’s Special Interest Group on Computing and Society, the Norbert Wiener Award from Computer Professionals for Social Responsibility, the Outstanding Contribution Award from ACM, and the Pioneer Award from the Electronic Frontier Foundation.
    [Show full text]
  • USAF Counterproliferation Center CPC Outreach Journal #1022
    Issue No. 1022, 31 August 2012 Articles & Other Documents: Featured Article: After Early Successes, Obama Struggles to Implement Disarmament Vision 1. Iran Determined to Continue Uranium Enrichment: Soltanieh 2. Iran Denies Plans to Show Nuclear Sites to Diplomats Visiting Tehran 3. Nuclear Agency Establishes Iran Task Force 4. Iran Will Not Build Nuclear Bomb: Ayatollah Khamenei 5. Iran's Nuclear-Arms Guru Resurfaces 6. IAEA: Iran Doubled Nuclear Capacity in 'Major Expansion' 7. Supreme Leader Ayatollah Ali Khamenei Spells out Iran's N-Ambitions 8. Iran Rejects Latest IAEA Accusations 9. Iran Makes Little Headway on Key Nuclear Equipment 10. China Test-Fires New Nuclear-Capable ICBM 11. S. Korea to Upgrade Preparedness against North's Cyber, Nuclear Attacks 12. China Continues to Increase Defensive Potential 13. Inside China: Missile Defense Conspiracy? 14. N. Korea Vows to Expand Nuclear Deterrent 'Beyond Imagination' 15. NKorea Makes "Significant" Nuclear Reactor Progress - IAEA 16. Pakistan against N Weapons Race: Malik Amad 17. Russia Calls on U.S. to Ratify Nuclear Test Ban Treaty 18. Russia to Develop Sea-Based Space-Defense System 19. Lugar, Nunn Honored for Nuclear Security Efforts 20. U.S. Hails Russia’s Readiness for Nuclear Cuts 21. After Early Successes, Obama Struggles to Implement Disarmament Vision 22. Nuclear-Weapon States Aren't Created Equal 23. Inflating the China Threat 24. Prepare Against Pakistan Nukes 25. Iran’s Nuclear Quest 26. Iran at the Brink 27. A Doctrine of No Use Welcome to the CPC Outreach Journal. As part of USAF Counterproliferation Center’s mission to counter weapons of mass destruction through education and research, we’re providing our government and civilian community a source for timely counterproliferation information.
    [Show full text]
  • How China Will Use Cyber Warfare to Leapfrog in Military Competitiveness Jason Fritz
    Culture Mandala: The Bulletin of the Centre for East-West Cultural and Economic Studies The Bulletin of the Centre for East-West Cultural and Economic Studies Volume 8 | Issue 1 Article 2 10-1-2008 How China will use cyber warfare to leapfrog in military competitiveness Jason Fritz Follow this and additional works at: http://epublications.bond.edu.au/cm Recommended Citation Fritz, Jason (2008) "How China will use cyber warfare to leapfrog in military competitiveness," Culture Mandala: The Bulletin of the Centre for East-West Cultural and Economic Studies: Vol. 8: Iss. 1, Article 2. Available at: http://epublications.bond.edu.au/cm/vol8/iss1/2 This Article is brought to you by the Centre for East-West Cultural and Economic Studies at ePublications@bond. It has been accepted for inclusion in Culture Mandala: The ulB letin of the Centre for East-West Cultural and Economic Studies by an authorized administrator of ePublications@bond. For more information, please contact Bond University's Repository Coordinator. How China will use cyber warfare to leapfrog in military competitiveness Abstract Extract: The eP ople’s Republic of China (PRC) may be a global power economically but its military lacks force projection beyond the Asia Pacific er gion. Its traditional military hardware is one to three generations behind the US and Russia. In light of these deficiencies it is probable that cyber warfare will provide China with an asymmetric advantage to deter aggression from stronger military powers as they catch up in traditional military capabilities. Cyber warfare would also allow China to leapfrog by means of technology transfer and exploiting adversary weaknesses.
    [Show full text]
  • Review of the EU Copyright Framework
    Review of the EU copyright framework European Implementation Assessment Review of the EU copyright framework: The implementation, application and effects of the "InfoSoc" Directive (2001/29/EC) and of its related instruments European Implementation Assessment Study In October 2014, the Committee on Legal Affairs (JURI) requested from the European Parliament Research Service (EPRS) an Ex Post Impact Assessment on Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society (InfoSoc). This EPRS publication was originally commissioned in the context of JURI's own- initiative implementation report, which was adopted in Plenary in July 2015, Rapporteur Julia Reda MEP. However, it is also relevant to the work of JURI Committees' Working Group on Intellectual Property Rights and Copyright (CWG), chaired by Jean Marie Cavada MEP. Furthermore, this request was made in the wider context of the Commission's review of the EU legislative framework on copyright, and the ensuing legislative proposals, which have been a long time in the planning and which are now expected for the 4th quarter of 2015. The objective of these proposals is to modernise the EU copyright framework, and in particular the InfoSoc Directive, in light of the digital transformation. Accordingly, in response to the JURI request, the Ex-Post Impact Assessment Unit of the European Parliament Research Service decided to produce a "European Implementation Assessment on the review of the EU copyright framework". Implementation reports of EP committees are now routinely accompanied by European Implementation Assessments, drawn up by the Ex-Post Impact Assessment Unit of the Directorate for Impact Assessment and European Added Value, within the European Parliament's Directorate-General for Parliamentary Research Services.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Cyber-Terrorism
    Cyber-Terrorism: Finding a Common Starting Point By Jeffrey Thomas Biller B.A., March 1998, University of Washington M.H.R., June 2004, University of Oklahoma J.D., May 2007, University of Kansas A Thesis submitted to The Faculty of The George Washington University Law School in partial satisfaction of the requirements for the degree of Master of Laws May 20, 2012 Thesis directed by Gregory E. Maggs Professor of Law, Co-director, National Security and U.S. Foreign Relations Law Program UMI Number: 1515265 All rights reserved INFORMATION TO ALL USERS The quality of this reproduction is dependent on the quality of the copy submitted. In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion. UMI 1515265 Copyright 2012 by ProQuest LLC. All rights reserved. This edition of the work is protected against unauthorized copying under Title 17, United States Code. ProQuest LLC. 789 East Eisenhower Parkway P.O. Box 1346 Ann Arbor, MI 48106 - 1346 Acknowledgements The author appreciates the generous support of the United States Air Force Jag Corps, for the opportunity to study; Professor Gregory Maggs, for the excellent feedback and guidance; and the author’s family, for the time and occasional solitude to complete this paper. ii Disclaimer Major Jeffrey T. Biller serves in the U.S. Air Force Judge Advocate General’s Corps. This paper was submitted in partial satisfaction of the requirements for the degree of Master of Laws in National Security and Foreign Relations at The George Washington University Law School.
    [Show full text]
  • China's Influence on Conflict Dynamics in South Asia
    USIP SENIOR STUDY GROUP FINAL REPORT China’s Influence on Conflict Dynamics in South Asia DECEMBER 2020 | NO. 4 USIP Senior Study Group Report This report is the fourth in USIP’s Senior Study Group (SSG) series on China’s influence on conflicts around the world. It examines how Beijing’s growing presence is affecting political, economic, and security trends in South Asia and the Indian Ocean region. The bipartisan group was comprised of senior experts, former policymakers, and retired diplomats. They met six times by videoconference over the course of 2020 to examine how an array of issues—from military affairs to border disputes, trade and development, and cultural issues—come together to shape and be shaped by Chinese involvement. The group members drew from their deep individual experiences working in and advising the US government to generate a set of top-level findings and actionable policy recommen- dations. Unless otherwise sourced, all observations and conclusions are those of the SSG members. Cover illustration by Alex Zaitsev/Shutterstock The views expressed in this report are those of the members of the Senior Study Group alone. They do not necessarily reflect the views of the United States Institute of Peace. An online edition of this and related reports can be found on our website (www.usip.org), together with additional information on the subject. © 2020 by the United States Institute of Peace United States Institute of Peace 2301 Constitution Avenue NW Washington, DC 20037 Phone: 202.457.1700 Fax: 202.429.6063 E-mail: [email protected] Web: www.usip.org First published December 2020.
    [Show full text]
  • The Crisis After the Crisis: How Ladakh Will Shape India's Competition with China
    ANALYSIS The Crisis after the Crisis: How Ladakh will Shape India’s Competition with China ARZAN TARAPORE MAY 2021 THE CRISIS AFTER THE CRISIS: HOW LADAKH WILL SHAPE INDIA’S COMPETITION WITH CHINA The Lowy Institute is an independent policy think tank. Its mandate ranges across all the dimensions of international policy debate in Australia — economic, political and strategic — and it is not limited to a particular geographic region. Its two core tasks are to: • produce distinctive research and fresh policy options for Australia’s international policy and to contribute to the wider international debate • promote discussion of Australia’s role in the world by providing an accessible and high-quality forum for discussion of Australian international relations through debates, seminars, lectures, dialogues and conferences. Lowy Institute Analyses are short papers analysing recent international trends and events and their policy implications. The views expressed in this paper are entirely the authors’ own and not those of the Lowy Institute. ANALYSIS THE CRISIS AFTER THE CRISIS: HOW LADAKH WILL SHAPE INDIA’S COMPETITION WITH CHINA KEY FINDINGS • The still-unresolved Ladakh crisis has created a new strategic reality for India, marked by renewed political hostility with China, and an increased militarization of the Line of Actual Control. • This new strategic reality imposes unequal costs on India and China. India is likely to defer much-needed military modernization and maritime expansion into the Indian Ocean – which would impair its ability to compete strategically with China. • In contrast, China incurred only marginal material costs; it was probably more concerned with the prospect of continued deterioration in its relationship with India.
    [Show full text]
  • Barbara Simons Hacking the Election?
    Joint Distinguished Colloquium in Interdisciplinary & Applied Mathematics & Columbia Data Science Institute Colloquium Barbara Simons IBM Research (retired) Hacking the Election? Why We won’t be able to Verify the Outcome of the 2016 Election Partially as a result of hanging chads, almost $4 billion dollars was allocated by Con- gress in 2002 to “modernize” our elections. The rush to spend money before there were any meaningful federal standards or testing resulted in the purchase of a large number of poorly designed and insecure voting systems. Most of these old systems still in use are way past their use-by date, with ancient software that may no longer be maintained and physical components in need of replacements that may no lon- ger be manufactured. Election officials trying to cope with failing voting systems and inadequate funding may consider what they hope are cheaper alternatives, such as Internet voting. Statewide databases of registered voters were also mandated in the 2002 legislation. Again, there are no standards, no independent review of the databases, and no guide- lines for states. As of this writing, we know that the Arizona and Illinois voter registra- tion databases were hacked into, with Russia viewed as the most likely culprit. I’ll present a very brief overview of how computers have made our elections more in- secure, and what needs to be done (both technical and legal) to move to an evidence based voting system. I’ll also discuss some of the false claims made about Internet voting, as well as why Internet voting is a major security threat to our democracy.
    [Show full text]
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
    [Show full text]
  • Cyber Warfare
    Downloaded by [University of Defence] at 23:51 30 May 2016 Cyber Warfare This book is a multidisciplinary analysis of cyber warfare, featuring contribu- tions by leading experts from a mixture of academic and professional backgrounds. Cyber warfare, meaning interstate cyber aggression, is an increasingly important emerging phenomenon in international relations, with state- orchestrated (or apparently state- orchestrated) computer network attacks occur- ring in Estonia (2007), Georgia (2008) and Iran (2010). This method of waging warfare – given its potential to, for example, make planes fall from the sky or cause nuclear power plants to melt down – has the capacity to be as devastating as any conventional means of conducting armed conflict. Every state in the world now has a cyber- defence programme and over 120 states also have a cyber- attack programme. While the amount of literature on cyber warfare is growing within disciplines, our understanding of the subject has been limited by a lack of cross- disciplinary engagement. In response, this book, drawn from the fields of computer science, military strategy, international law, political science and military ethics, provides a critical overview of cyber warfare for those approaching the topic from what- ever angle. Chapters consider the emergence of the phenomena of cyber warfare in international affairs; what cyber- attacks are from a technological standpoint; the extent to which cyber- attacks can be attributed to state actors; the strategic value and danger posed by cyber conflict; the legal regulation of cyber- attacks, both as international uses of force and as part of an ongoing armed conflict, and the ethical implications of cyber warfare.
    [Show full text]