
COUNTERINTELLIGENCE AND CYBER NEWS AND VIEWS

Corporate Headquarters: 222 North Sepulveda Boulevard, Suite 1780, El Segundo, California 90245, (310) 536-9876, www.advantagesci.com

MARCH 2012 VOLUME 1 ISSUE 3

Inside this Issue

CI TRENDS
Espionage Related Activity in Southern California, Part 2 (page 1)
Suspect Counterfeit Electronic Parts Can Be Found on Internet Purchasing Platforms (page 2)
Front Companies: Who Is the End User? (page 7)
DARPA's Shredder Challenge (page 9)
Threats To Nanotechnology (page 10)
Data Exfiltration and Output Devices - An Overlooked … (page 11)
How spies used Facebook to steal Nato chiefs' details (page 14)
Retired agent suspected of spying for China (page 16)

ESPIONAGE ARRESTS, TRIALS, CONVICTIONS (page 17)
Former DuPont Scientist Pleads Guilty To Economic Espionage (page 17)
Noted Scientist Sentenced to 13-Year Term for Attempted Espionage, Fraud and Tax … (page 18)
New York Resident and His Company Sentenced for Conspiracy to Export Computer-Related Equipment (page 20)
Australian Man and His Firm Indicted in Plot to Export Restricted Military and Other U.S. Technology to Iran (page 21)
Ex-Marine Accused of Attempting to Export Sensitive Military Items (page 23)

CYBER THREATS (page 25)

PRODUCTS, SERVICES AND TRAINING (page 30)

Espionage Related Activity in Southern California, Part 2

In last month's newsletter, we had only scraped the surface of espionage and related crimes occurring within the Los Angeles area. As one of the purposes of this newsletter includes serving as an educational tool, the use of actual cases to illustrate how espionage has occurred in the past serves to meet this purpose.

Everyone likes to hear "spy stories", except for when they hit closest to home. Then the stories are not so fun to hear. It's easy here to write about the Chi Mak's and Greg Chung's of the world. The cleared defense contractor community has been victimized again and again by "trusted insiders" who have stolen classified and proprietary information and passed it on to their "handlers". Lest anyone have any doubt, or short memories, these "spy stories" have hit close to home for members of the FBI, especially in the Los Angeles area.

Twice, Special Agents assigned to the Los Angeles office of the FBI were charged with activity bordering on espionage or mishandling of classified documents. These cases, both relating to sexual relationships between foreign born female sources and their male FBI Special Agent "handlers", are illustrative of one of the oldest techniques used in espionage. The fine art of seduction has been used throughout history to obtain information from males and females. In the cases of Richard Miller and J.J. Smith, both were seduced, and then they betrayed the confidences placed in them by the U.S. Government. Extracts from Wikipedia pertaining to Miller and Smith (not a definitive source, but very illustrative for these two cases) follow:

EXTRACT BEGINS: On October 3, 1984, Miller was arrested with Svetlana and Nikolai Ogorodnikov, Russian immigrants who had moved to Los Angeles in 1973 to seek refuge, but who were actually access agents of the Soviet KGB. Miller was alleged to have provided classified documents, including an FBI Counterintelligence manual, to the

continued on page 3

Richard Miller's home in Lynwood

NOTE: Much of the information contained within this newsletter originates from websites maintained by agencies of the U.S. Federal Government. The original web address from which material has been derived is posted at the beginning of reproduced articles. Readers are always encouraged to visit the web address from which the article has been derived, in order to view the article in the original form in which it was presented. This newsletter also contains commentary from the editor of the newsletter. Such commentary is solely the opinion of the newsletter editor and does not represent the views of the U.S. Government, nor the agency originally presenting this information on the internet. Questions or comments may be directed to the editor at [email protected] or to Richard Haidle at 310-536-9876 x237

Suspect Counterfeit Electronic Parts Can Be Found on Internet Purchasing Platforms

GAO-12-375, Feb 21, 2012 http://www.gao.gov/products/GAO-12-375

What GAO Found

Suspect counterfeit and bogus—part numbers that are not associated with any authentic parts—military-grade electronic parts can be found on Internet purchasing platforms, as none of the 16 parts vendors provided to GAO were legitimate. "Suspect counterfeit," which applies to the first two categories of parts that were tested, is the strongest term used by an independent testing lab, signifying a potential violation of intellectual property rights, copyrights, or trademark laws, or misrepresentation to defraud or deceive. After submitting requests for quotes on both platforms, GAO received responses from 396 vendors, of which 334 were located in China; 25 in the United States; and 37 in other countries, including the United Kingdom and Japan. Of the 16 parts purchased, vendors usually responded within a day. GAO selected the first of any vendor among those offering the lowest prices that provided enough information to purchase a given part, generally within 2 weeks. Under GAO's selection methodology, all 16 parts were provided by vendors in China.

Specifically, all 12 of the parts received after GAO requested rare part numbers or postproduction date codes were suspect counterfeit, according to the testing lab. Multiple authentication tests, ranging from inspection with electron microscopes to X-ray analysis, revealed that the parts had been re-marked to display the part numbers and manufacturer logos of authentic parts. Other features were found to be deficient from military standards, such as the metallic composition of certain pieces. For the parts requested using postproduction date codes, the vendors also altered date markings to represent the parts as newer than when they were last manufactured, as verified by the parts’ makers. Finally, after submitting requests for bogus parts using invalid part numbers, GAO purchased four parts from four vendors, which shows their willingness to supply parts that do not technically exist.

Why GAO Did This Study

Counterfeit parts—generally the misrepresentation of parts' identity or pedigree—can seriously disrupt the Department of Defense (DOD) supply chain, harm weapon systems integrity, and endanger troops' lives. In a November testimony (GAO-12-213T), GAO summarized preliminary observations from its investigation into the purchase and authenticity testing of selected, military-grade electronic parts that may enter the DOD supply chain. As requested, this report presents GAO's final findings on this issue. The results are based on a nongeneralizable sample and cannot be used to make inferences about the extent to which parts are being counterfeited. GAO created a fictitious company and gained membership to two Internet platforms providing access to vendors selling military-grade electronic parts. GAO requested quotes from numerous vendors to purchase a total of 16 parts from three categories: (1) authentic part numbers for obsolete and rare parts; (2) authentic part numbers with postproduction date codes (date code after the last date the part was manufactured); and (3) bogus, or fictitious, part numbers that are not associated with any authentic parts. To determine whether the parts received were counterfeit, GAO contracted with a qualified, independent testing lab for full component authentication analysis of the first two categories of parts, but not the third (bogus) category. Part numbers have been altered for reporting purposes. GAO is not making recommendations in this report.

For more information, contact Richard J. Hillman at (202) 512-6722 or [email protected] or Timothy Persons at (202) 512-6522 or [email protected].

To view the 23 page report in its entirety please go to the following web link: http://www.gao.gov/assets/590/588736.pdf


Espionage Related Activity in Southern California, Part 2 (continued from page 1)

Ogorodnikovs after demanding $50,000 in gold and $15,000 cash in return. Miller, who had eight children and was faced with financial difficulties, was having an affair with the married Svetlana Ogorodnikov, and was preparing to travel with her to Vienna at the time of his arrest. It was later alleged that Svetlana Ogorodnikov had been in touch with a KGB case officer working out of the Soviet Consulate in San Francisco and had made arrangements for Miller to meet with the KGB in Vienna.

After a 10-week trial, and in an agreement with Federal prosecutors, both Ogorodnikovs pleaded guilty to one count of conspiracy. Nikolai Ogorodnikov was immediately sentenced to eight years imprisonment. His wife later received a sentence of 18 years, but maintained her innocence and stated that Miller had never provided her with any classified information.

Richard Miller pleaded innocent, and after 11 weeks of testimony, a mistrial was declared. Following a second trial which ended on June 19, 1986, Miller was found guilty of espionage and bribery. During his trial, Miller attempted to claim that his actions were the result of his unapproved attempts to infiltrate the KGB as a double agent. This claim was rejected by the jury.

On July 14, 1986, Richard Miller was sentenced to two consecutive life terms and 50 years on other charges. This conviction was overturned in 1989 on the grounds that U.S. District Judge David Kenyon erred in admitting evidence during the trial. In October 1989, Miller was granted bail while awaiting a new trial.

On October 9, 1990, Miller was convicted on all counts of espionage for the second time and on February 4, 1991, was sentenced to 20 years in Federal prison. On January 28, 1993, a Federal Appeals Court upheld his conviction.

On May 6, 1994, Miller was released from prison following the reduction of his sentence to 13 years by a Federal judge. At the time of his release, Svetlana Ogorodnikov was still incarcerated.

Smith was arrested on Wednesday, April 9, 2003 and charged with gross negligence for allowing an FBI asset, Katrina Leung, access to classified material. He had been having an affair with Leung for 20 years, and allegedly brought classified materials to their trysts. In July 2003, he was sentenced to three months home confinement after he pled guilty to lying to the FBI about his affair. He also was ordered to perform 100 hours of community service. Smith pleaded guilty to a charge of falsely concealing his affair with a Chinese spy, Katrina Leung, from the FBI. The plea allowed Smith to avoid prison time. Prosecutors also agreed to drop three other charges, including two counts of gross negligence in his handling of national security documents. END OF EXTRACT

The point to make here is that motivational tools for "trusted insiders" range from ideology (Chi Mak, Greg Chung) to sexual (Miller, Smith). Another motivator is financial, whether through greed or financial need. We illustrated that point last month with the Thomas Cavanagh case.

Another motivator is political motivation tied with a "whistleblower" conceit. By all means, there are some instances when "whistleblowers" have been in the right, and have conducted themselves honorably and have served the purposes of the greater good. But as the "Wikileaks" release of vast holdings of classified U.S. Government communications has shown, irreparable harm can be caused by "trusted insiders" taking it upon themselves to decide what should be made public to the world.

A prime, Southern California example of this is the so called "Pentagon Papers" case. Again, extracted from Wikipedia is the following:

EXTRACT BEGINS: After serving in Vietnam, Daniel Ellsberg resumed working at RAND. In 1967, he contributed to a top-secret study of classified documents regarding the conduct of the Vietnam War that had been commissioned by Defense Secretary McNamara. These documents, completed in 1968, later became known collectively as the Pentagon Papers. It was because Ellsberg held an extremely high-level security clearance and desired to create a further synthesis from this research effort that he was one of very few individuals who had access to the complete set of documents. In late 1969—with the assistance of his former RAND Corporation colleague Anthony Russo and the staff of Senator Edward Kennedy—Ellsberg secretly made several sets of photocopies of the classified documents to which he had access; these later became known as the Pentagon Papers. Ellsberg allowed some copies of the documents to circulate privately, including among scholars at the Institute for Policy Studies (IPS). Ellsberg also shared the documents with New York Times correspondent Neil Sheehan under a pledge of confidentiality. Sheehan broke his promise to Ellsberg, and built a scoop around what he'd received both directly from Ellsberg and from contacts at IPS.

On Sunday, June 13, 1971, the Times published the first of nine excerpts and commentaries on the 7,000 page collection. For 15 days, the Times was prevented from publishing its articles by court order…On June 28, 1971, two days before a Supreme Court ruling saying that a federal judge had ruled incorrectly about the right to publish the Pentagon Papers, Ellsberg publicly surrendered to the United States Attorney's Office for the District of Massachusetts in Boston. In admitting to giving the documents to the press, Ellsberg said:

I felt that as an American citizen, as a responsible citizen, I could no longer cooperate in concealing this information from the American public. I did this clearly at my own jeopardy and I am prepared to answer to all the consequences of this decision.

He and Russo faced charges under the Espionage Act of 1917 and other charges including theft and conspiracy, carrying a total maximum sentence of 115 years. Their trial commenced in Los Angeles on January 3, 1973, presided over by U.S. District Judge William Matthew Byrne, Jr. END OF EXTRACT

Ultimately, because of governmental improprieties, Judge Byrne threw out all the charges. Ellsberg was not re-tried.

The result of all of this can be debated endlessly, but there is no doubt that the lives of American soldiers, sailors, airmen and marines were lost because of Ellsberg self deciding what classified information should be made a part of public discourse.

In last month's part one of this article we discussed the activity by North Korea to plant spies in the Los Angeles area. The following extract from a report on espionage from 1947-2007 pertains to Los Angeles area émigré and business man John Yai:

EXTRACT BEGINS: A recent example of attempted espionage by a naturalized citizen and successful businessman is the case of John Joungwoong Yai, arrested early in 2003, who sent only publicly available information to North Korea for at least 3 years while he plotted to get access to classified information for himself and worked to plant young Koreans in jobs that would have access to classified information to serve as his collectors. Yai communicated with and took taskings from his North Korean handlers in coded messages by fax, email, and in meetings with them in Europe, China, and North Korea where they paid him for his efforts. He pled guilty to acting as an agent of a foreign power and to several counts of customs violations for failure to declare his earnings on reentry into the United States from meetings with his handlers. In February 2003, Yai was sentenced to 2 years in prison (Krikorian, 2003; Federal Bureau of Investigation, Affidavit, 2002). END OF EXTRACT

An area of interest representing past activity is that of a well known terrorist who visited the Los Angeles area in 1992 and 1993. The "Blind Sheikh" Omar Abdul-Rahman, the spiritual advisor and proponent of the February 1993 attack on the World Trade Center, visited a mosque in Anaheim in 1992 and early 1993. An interesting sidelight to Abdul-Rahman's visit was a technique he and his followers utilized while residing in the area. Knowing full well that they were under surveillance by the FBI, Abdul-Rahman directed one of his followers to disguise himself to look like Abdul-Rahman. The disguised surrogate then went outside, followed/accompanied by Abdul-Rahman's security detail. They would hop into their van and away they went on their merry way, followed respectfully behind by the FBI surveillance team.

This interesting anecdote aside, Los Angeles has seen its share of terrorists and terrorist wanna-bes transiting or attempting to visit the area. This is only logical because the Los Angeles area provides a wealth of potential high value targets. Those of us in the defense industry should consider ourselves potential targets too. By virtue of supporting the military we may potentially be targeted by terrorists, saboteurs, anarchists, spies or potential representatives of future adversarial nations. It is a well known fact that terrorists in Iraq and Afghanistan are angry about their inability to strike back at the drone aircraft that are rapidly decreasing their numbers. Some have suggested striking back at the makers of these drones.

Also, as potential targets, we need to consider what exists in the area that could act as threat vectors. As one example, the Los Angeles area contains the largest population of Iranians outside of Iran. Several members of that community have committed criminal activity on behalf of the government of Iran. Most frequently these criminal violations have been represented by attempts to violate the export laws of the United States, usually with weapons, as in the following example, but also with computer software and computer equipment.

FROM THE LA TIMES: A West Hills man has pleaded guilty to an audacious plan to buy as many as 100,000 Uzis in the United States and sell them to officials in Iran's government.

Under a plea agreement reached this week, Seyed Mostafa Maghloubi, 49, acknowledged that he tried to obtain submachine guns and night vision goggles and ship them to Iran, in violation of U.S. laws prohibiting such transactions.

According to the plea agreement, Maghloubi's plan dated to at least October 2005 when he approached an unidentified individual and said he was interested in buying the weapons and goggles.

The individual, who was identified only as a cooperating witness for the government, brokered a meeting between Maghloubi and an undercover Los Angeles police detective who Maghloubi believed was an arms dealer.

During that meeting in February, Maghloubi said that he was interested in buying the items for Iran and that he had high-level contacts with government officials in that country, according to the plea agreement.

Through several meetings and telephone conversations, the agreement says, Maghloubi and the undercover officer worked out details of the transaction. At one point, the defendant asked the purported arms dealer if he could ship the Uzis and goggles to Dubai so Maghloubi could bring them across the border to Iran.

The discussions eventually led to Maghloubi taking delivery of three fully automatic Uzis and one pair of night vision goggles.

At all times, the plea agreement says, Maghloubi -- who was born in Iran and is a naturalized U.S. citizen -- sought to deliver the military equipment to a faction within Iran's government that is aligned with a former president who is a political foe of the country's president, Mahmoud Ahmadinejad.

In that light, Maghloubi's attorney said, his client was trying "to actually try and help a rapprochement between the U.S. and Iran."

"This had nothing to do with terrorism," Deputy Federal Public Defender Guy Iversen said.

A spokesman for the U.S. attorney's office had no comment on the plea agreement.

Though Maghloubi faces a potential maximum prison term of 20 years, the federal sentencing guidelines call for a sentence of up to 41 months. His sentencing is scheduled for Nov. 26 before U.S. District Judge George H. King. END OF EXTRACT

The point being made here is that, should hostilities between the United States and Iran break out into open warfare, the potential is great that agents of Iran, lurking among the lawful Iranian émigré and expatriate community residing in Southern California, could strike out with acts of espionage, sabotage, and worse.

It goes without saying that throughout the 20th century and through today, the Los Angeles area has been a hotbed of National Security related criminal activity. From Neutrality Act matters that led to the arrest of Mexican revolutionaries in 1909, to the arrest of three Cuban Americans from Los Angeles in December 1995 for the same Neutrality Act violations after the FBI seized a stockpile of assault rifles, body armor and other military equipment from a warehouse. (Rene Cruz, 68, his son, Rene Cruz Jr., 47, and Rafael Garcia, 45, were charged with conspiracy and with mounting an expedition against a friendly nation (defined as any country with which the United States is not at war). But the charges were dismissed.)

From Soviet spies in Hollywood in the 1930's, to Christopher Boyce and Andrew Dalton Lee spying on behalf of the Soviet Union in the 1970's, up to and including Chi Mak and Greg Chung, the Los Angeles area has provided fertile ground for espionage. This will be a never-ending trend. As long as there are secrets to be had in the Los Angeles area there will be spies attempting to steal those secrets. Be forewarned and forearmed against this eternal threat.

The “Blind Sheikh” Omar Abdul-Rahman

Richard Miller

Christopher Boyce

J.J. Smith & Katrina Leung

Greg Chung

FBI Surveillance Photo of Richard Miller and Svetlana Ogorodnikov (3rd and 4th from left)


Front Companies: Who Is the End User?

http://www.dss.mil/isp/count_intell/front_comp_who_user.html

Introduction

The Defense Security Service (DSS) receives many reports each year of suspected "front companies," which are referred to the FBI and U.S. Customs for investigation as appropriate. Front companies can present a serious problem to the U.S. Government and the defense industry, because they can potentially be used to circumvent export restrictions and embargoes.

The Technique

A front company frequently operates like a consultant. It works on behalf of a customer, often with the intent of hiding the identity of the end user. Front companies may be used to locate and acquire technology legally and then export it illegally to an unauthorized recipient. Suspicious indicators may include the following:

• The U.S. contractor receives an unsolicited request for military-related information by fax, mail, email, or phone from a "relatively unknown" company. The request itself is simple, low cost, nonthreatening, and risk free.

• The unsolicited request
  - is sent in "broken" English.
  - is sent on "shoddy" business letterhead or in an unprofessional manner in contrast to standard business practices.
  - frequently, but not always, involves a dual-use type of technology (electronics, avionics, communications), which may or may not require a license for export depending on the intended end use.

• The front company
  - is only comprised of several employees. These employees may also have other incorporated businesses.
  - does not know much about the equipment being requested, which someone working with the equipment would reasonably be expected to know.
  - declines a maintenance warranty or operator training associated with the equipment.
  - conveys the impression the equipment is for a third party and the real end user is unknown.
  - may identify itself as being in the consulting or brokering business.
  - may have connections or business with a foreign embassy.
  - may be financed by a foreign bank.
  - may have an office in an embargoed country.
  - wants to close the deal quickly and provides the money up front.

• The front company representative
  - may attempt to test the honesty of the U.S. contractor or its representative to determine whether an illicit deal can be arranged.
  - may ask if the U.S. contractor has offices in a third country to which the item can be shipped.
  - may offer financial incentives (bribes) to the U.S. contractor to overcome reluctance in shipping an item.
  - may imply that officials in the foreign country can be readily bribed to take part in an illicit deal.

Case Studies

A U.S. incorporated company in California sent an unsolicited request for information to purchase jamming equipment from a U.S. defense contractor. Jamming equipment is listed under the International Traffic in Arms Regulations (ITAR) and would require a license if exported outside the United States. The U.S. company requesting the jamming equipment consisted of only several people and was an unknown entity to the U.S. defense contractor. The request was sent in broken English on letterhead most likely made on a personal computer. The U.S. company requesting the jamming equipment was obviously not the end user and was more likely a front company.

In another incident, a U.S. company submitted a request for quote (RFQ) to a U.S. defense contractor on an aircraft part for a system configuration sold only to a southwest Asian country. The southwest Asian country has since been placed on a U.S. embargo list. The U.S. company submitting the RFQ was a small previously unknown company in …. The stated end use for the part was a west European country. The request was handwritten on business letterhead most likely produced on a home computer. The U.S. defense contractor became suspicious when a similar request for the same aircraft part arrived from a different U.S. company in Florida. In the second request, no end user was listed but the part number, quantity, and item number were exactly the same. The two U.S. companies submitting the RFQs were likely front companies either operated by or operating on behalf of the southwest Asian country.

Front Companies: Who Is the End User? (continued)

Some front companies can be more blatant and obvious. A company, located in Florida, sent a letter and a few weeks later telephoned a U.S. defense contractor to establish a business arrangement for the sale of a classified airborne infrared countermeasures system. The U.S. defense contractor could not obtain an export license for this country and so declined to pursue the business arrangement. The company soliciting the business arrangement subsequently approached the U.S. defense contractor about exporting the countermeasures system through a foreign office or subsidiary in a country where an export license could be approved.

Security Countermeasures

The best security countermeasure is to know your customer. Many U.S. defense contractors conduct business with the same companies on a daily basis. When a "new company" enters the picture requesting sensitive or classified information and technology, prudent risk management would suggest doing a little checking of the company's history. If a company fits any of the indicators mentioned above and is cause for suspicion, the company facility security officer should notify the DSS Industrial Security Representative, FBI, and U.S. Customs, as appropriate.

Public Release #981210-05

DARPA’s Shredder Challenge Solved

http://www.darpa.mil/NewsEvents/Releases/2011/12/02_.aspx

December 02, 2011

Challenge reinforces difficulty of reconstructing documents

Almost 9,000 teams registered to participate in DARPA's Shredder Challenge. Thirty-three days after the challenge was announced, one small San Francisco-based team correctly reconstructed each of the five challenge documents and solved their associated puzzles. The 'All Your Shreds Are Belong to U.S.' team, which won the $50,000 prize, used custom-coded, computer-vision algorithms to suggest fragment pairings to human assemblers for verification. In total, the winning team spent nearly 600 man-hours developing algorithms and piecing together documents that were shredded into more than 10,000 pieces.

"Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame," said Dan Kaufman, director, DARPA Information Innovation Office. "The most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work. We are impressed by the ingenuity this type of competition elicits."

The Shredder Challenge represents a preliminary investigation into the area of information security to identify and assess potential capabilities that could be used by war fighters operating in war zones to more quickly obtain valuable information from confiscated, shredded documents and gain a quantitative understanding of potential vulnerabilities inherent to the shredding of sensitive U.S. National security documents.

DARPA Director, Regina E. Dugan emphasized, "The DARPA Shredder Challenge underscores the value of increasing the number and diversity of problem solvers. The varied methods used have potential implications for so-called 'wicked problems,' generally considered insolvable by conventional means, and offer the possibility of increased speed, agility and breadth in innovation."

Puzzle solutions and pictures of the winning submissions are available on the Challenge website: www.shredderchallenge.com


DARPA’s Shredder Challenge Solved (continued)

CONGRATULATIONS to "All Your Shreds Are Belong To U.S."! http://www.shredderchallenge.com/

"All Your Shreds Are Belong To U.S." successfully reconstructed and solved all 5 Puzzles earning $50,000!


Welcome to DARPA's Shredder Challenge!

Today's troops often confiscate the remnants of destroyed documents in war zones, but reconstructing them is a daunting task. DARPA's Shredder Challenge called upon computer scientists, puzzle enthusiasts and anyone else who likes solving complex problems to compete for up to $50,000 by piecing together a series of shredded documents.

The goal was to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community.

The Shredder Challenge was comprised of five separate puzzles in which the number of documents, the document subject matter and the method of shredding were varied to present challenges of increasing difficulty. To complete each problem, participants were required to provide the answer to a puzzle embedded in the content of the reconstructed document.

The overall prize winner and prize to be awarded was dependent on the number and difficulty of the problems solved. The Challenge began on October 27, 2011 and concluded on December 2, 2011 after all five puzzles were successfully solved by "All Your Shreds Are Belong To U.S."

In case you missed it, try this Puzzle just for fun! http://www.darpa.mil/Shredder_Puzzle.aspx#Shredder


Threats To Nanotechnology Researchers

Below are four examples of attacks or attempted attacks on researchers or research facilities located in Mexico and Switzerland. Companies, researchers and members of academia doing work in the nanotechnology field should be aware of these incidents and be alert for any suspicious activity associated with their work. If anything suspicious occurs please work with your security departments, local or campus police, or the FBI and report the information.

In December 2011, a teacher with the security committee at the Pachuca Polytechnic University in Mexico received minor burns on his hands after opening a letter bomb addressed to a nanotechnology professor at the university. Mexican officials have not said whether this incident is connected to two similar bombs sent to other technology researchers in Mexico during 2011.

In August 2011, a person or group using the moniker “Individualidades tendiendo a lo salvaje” (Individuals Tending Toward Savagery, or ITS) reportedly sent a package bomb to the Monterrey Mexico Institute of Technology and Higher Education in Mexico, injuring two professors who conduct nanotechnology-related research.

In April 2011, ITS also reportedly sent a package bomb to a nanotechnology researcher at the Polytechnic University of the Valley of Mexico. The bomb detonated, wounding a security guard, but leaving the nanotechnology researcher unharmed.

In April 2010, three members of a violent anti-technology extremist group based in Italy were arrested for their involvement in the thwarted bombing of a US-based nanotechnology research facility in Switzerland. The suspects were stopped just a few miles from the facility by Swiss police who found in the suspects’ vehicle a large quantity of explosives and a note indicating a planned attack. On 22 July 2011, a Swiss court convicted all three members and sentenced each to more than three years in prison.

What is Nanotechnology?

Nanotechnology is the understanding and control of matter at the nano scale, at dimensions between approximately 1 and 100 nanometers, where unique phenomena enable novel applications. A nanometer is one billionth of a meter. A sheet of paper is about 100,000 nanometers thick, and there are 25,400,000 nanometers in an inch. Nanotechnology includes: nanoscience, nanotechnology, and nanomanufacturing among federal agencies, academia, industry, professional societies, and state and local organizations.

NEWSLETTER EDITOR COMMENTARY

The following article, reprinted from the DHS Daily report of February 21, 2012, should be of interest to Security and Safety Departments located at businesses, corporations, and other commercial and non-commercial entities doing work in the field of nanotechnology. As noted below, there is a heightened risk associated with industrial level production of nanomaterials, due essentially to the explosive potential associated with the dust produced through the processes involved in the manufacturing of nano materials. Please see the below article for details and check out the associated link for further elaboration.

February 15, American Chemical Society – (National) Dust from industrial-scale processing of nanomaterials carries high explosion risk. With expanded industrial scale production of nanomaterials fast approaching, scientists are reporting indications that dust generated during processing of nanomaterials may explode more easily than dust from wheat flour, cornstarch, and most other common dust explosion hazards, according to a February 15 release from the American Chemical Society (ACS). Their article in ACS’ journal Industrial & Engineering Chemistry Research indicates that nanomaterial dust could explode due to a spark with only 1/30th the energy needed to ignite sugar dust — the cause of the 2008 Port Wentworth, Georgia, explosion that killed 13 people, injured 42 people, and destroyed a factory. After reviewing results of studies that exist on the topic, the researchers concluded that the energy needed to ignite nanomaterials made of metals, such as aluminum, is less than 1 mJ, which is less than 1/30th the energy required to ignite sugar dust or less than 1/60th the energy required to set wheat dust aflame. Flocking is often made with a process that generates static electricity, which could set off an explosion of flocculent dust, they point out. And the addition of a flammable gas or vapor to a dust as a hybrid mixture increases the chance that the dust will explode. The researchers warn that precautions should be taken to prevent these materials from exposure to sparks, collisions, or friction, which could fuel an explosion.

Source: http://portal.acs.org/portal/acs/corg/content? _nfpb=true&_pageLabel=PP_ARTICLEMAIN&node_id=223&content_id=CNBP_029293&use_sec=true&sec_url_var =region1&__uuid=912905f8-dcbd-4315-8799-b3fa9e5e6cec

Data Exfiltration and Output Devices - An Overlooked Threat
By Insider Threat Team on October 17, 2011 1:40 PM
http://www.cert.org/blogs/insider_threat/2011/10/data_exfiltration_and_output_devices_-_an_overlooked_threat.html

Hi, this is George Silowash and recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise…paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments and I thought I would share some information regarding this type of attack.

Our database of over 500 cases contains the following types of cases in which a scanner, copier, printer, or FAX machine were used as part of the insider’s attack:

Device Used    Number of Incidents
Copier         1
Fax            3
Printer        30
Scanner        2

It should be noted that our database contains one instance in which a copier, FAX, and printer were all used in the same attack. More on that later.

Technology in the workplace enables employees to efficiently do their jobs and accomplish the mission of the organization. It is often these technologies that also enable malicious insiders to cause harm to the organization. Management, Information Security, and Information Technology support teams must work to secure both the physical and virtual environments. This typically entails implementing physical protections for servers, workstations, and mobile devices while Access Control Lists (ACLs) restrict access to data. Often times other devices are overlooked and left with little to no protection.

These devices should be included in organizational risk assessments:

- printers
- scanners
- FAX machines
- copiers

Printers can allow a malicious insider to extract sensitive company documents and remove the documents from the organization to share with competitors or even start their own business.

- In one case, the insider was a disgruntled scientist at a technology component manufacturer. The insider exfiltrated research documents using his access privileges. He downloaded the documents onto his laptop, sent them to his email account, and physically carried the document printouts out of the workplace. He also mailed some of the research documents to the component manufacturer's competitors. The total losses were estimated to be about $3 million. The insider was sentenced to five years probation, fined over $7000, and ordered to perform 200 hours of community service.

- In another case, the insider worked with a conspirator to sell physical blueprints and trade secrets to a competitor organization. Although potential losses were estimated to be between $50 million and $100 million, the victim organization was able to prevent the information from being used by the competitor. The insider was sentenced to prison and fined $20,000.

Organizations should carefully monitor printer activity and retain logs of printed documents. These logs should be audited as part of an organization’s continuous log monitoring program. Personnel should be alerted when anomalies occur, such as printing before or after business hours or printing an unusually high number of documents for that particular user.

Companies must also ensure that hardcopy documents are properly disposed of when they are no longer needed. Documents containing proprietary information must be destroyed by those who are authorized to do so. Organizations should consider who has access to hardcopy documents during the document’s lifecycle. The CERT database has cases where janitors took documents containing personally identifiable information (PII) or other sensitive information from the organization. If the documents had been properly managed and disposed of, the risk of malicious insider activity may have decreased.

Scanners also pose a threat to organizations. Documents that are not in digital form or are not accessible in electronic form due to access restrictions can be scanned by a user who has authorized access to a scanner.

- In one case, an insider was contracted by a telecommunications company to scan physical trade secret documents into digital form. After scanning the documents, the insider stole some of the electronic files and posted them on a hacking website. The total potential damages were estimated to be $25 million while the insider was ordered to repay over $145,000 in restitution.

- An insider was employed by a document imaging company. The imaging company was a trusted business partner of a university. The insider stole 1,700 student transcripts containing the students' PII while digitally archiving them for the university. The insider was never identified, and the monetary impact of the incident was never fully understood.

Companies need to provide commensurate levels of protection to printed documents as they do for digital files. People receiving printouts must have a valid need to know and permission to have access to these hard copies. In the above cases, trusted business partners had access to physical documents to perform a contractual obligation. Contracts with trusted business partners need to stipulate the need for thorough background investigations. In addition, if company sensitive documents are being scanned, a company representative should monitor the process to ensure that the contractor is not mishandling company information.

FAX machines are an older technology that continues to exist in many organizations. These devices can be used by an insider to send documents out of the organization, often without being detected.

- Insiders were employed by a financial institution and used the institution's computer systems to access PII of 68 customers, including the customers' credit card numbers. They then faxed this information outside of their organization to their accomplices. In total, almost $600,000 was stolen through the fraudulent activity. The insider was sentenced to over one year imprisonment, two years of supervised release, participation in a drug/alcohol program and repayment of over $99,500 in restitution.

- In another case the insider was a disgruntled engineer for a product manufacturing company. Fearing his job was in jeopardy, he sent technical drawings to a competitor organization via fax and email. The damage to the victim organization was estimated to be roughly $1.5 million. The insider was sentenced to over two years in prison and ordered to repay $1.3 million in restitution.

In the above examples, the insiders were able to FAX documents to accomplices or competitors. One solution to reduce this threat is to limit access to FAX machines whereby employees in the organization must submit their documents to another individual to review and transmit.

Copiers allow insiders to duplicate company documents without the worry of having to remove original documents from the organization, which could lead to faster detection.

- The insider was employed as a mail room supervisor by the victim organization, which was a financial institution. While on site and during work hours, the insider opened the organization’s mail and copied checks that customers had sent in for deposits. The insider sold the copies to an identity theft group, which used the valid account numbers to make fraudulent checks. The insider was arrested, but information regarding the monetary impact was unknown.

Access to copiers needs to be limited when company sensitive information is at stake. In the above example, the insider was able to copy customer checks for identity theft purposes. The insider’s activities should have raised red flags when opened mail was delivered.

Finally, the malicious insider who used all of the methods that we have been discussing worked as an administrative assistant to a top executive at the victim organization. As part of her job responsibilities, she had access to confidential trade secrets and other proprietary information. She was caught making copies of confidential documents and leaving with them from her workplace and attempting to sell them for money. She handed over some of the copies to buyers, as well as faxed some. The insider also printed out some of the executive's emails which contained confidential project information. The only monetary impact reported was $40,000 restitution ordered to be paid by the insider.

These cases highlight the need for organizations to be more vigilant about all technologies used in the organization. Scanners, copiers, printers, and FAX machines all have a place in an organization. However, incorporating them into enterprise risk assessments as well as policies that govern their use will help to identify and mitigate risks associated with their use.
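The post's recommendation for printers is concrete enough to turn into a detection routine: retain print logs, audit them continuously, and alert on printing outside business hours or on a page count that is unusual for that particular user. The script below is an added example written for this newsletter, not code from the CERT post or its authors. The pipe-delimited log format, the 08:00 to 18:00 business-hours window, the per-user baseline (three times the mean of the user's other logged days) and the sample log lines are all constructed assumptions; a real print server's log format would need its own parser.

```python
"""Flag anomalous print activity in print-server logs.

Added example, not code from the CERT blog post: it implements the two
checks the post recommends (printing outside business hours and a page
volume that is unusually high for that particular user) over a small,
constructed log sample so the logic can be run offline.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

# Constructed sample in an assumed "timestamp|user|printer|document|pages"
# format. Real print-server logs differ; adapt parse_line() to yours.
# bob normally prints ~10 pages a day; on 2011-10-17 he prints 180, most
# of it late at night. alice is a consistently heavy but normal printer.
# carol's single job falls on a Saturday.
SAMPLE_LOG = """\
2011-10-10T09:12:00|bob|hq-print-01|status report.docx|10
2011-10-11T10:40:00|bob|hq-print-01|status report.docx|12
2011-10-12T11:05:00|bob|hq-print-01|minutes.docx|8
2011-10-13T15:20:00|bob|hq-print-01|agenda.docx|9
2011-10-10T09:15:00|alice|hq-print-01|Q3 budget.xlsx|40
2011-10-11T13:30:00|alice|hq-print-01|contract draft.docx|55
2011-10-12T14:00:00|alice|hq-print-01|audit pack.pdf|48
2011-10-13T16:10:00|alice|hq-print-01|board deck.pptx|52
2011-10-15T11:00:00|carol|hq-print-02|invoice.pdf|1
2011-10-17T10:02:11|bob|hq-print-01|meeting notes.docx|2
2011-10-17T14:05:42|alice|hq-print-01|roadmap.pptx|50
2011-10-17T22:47:30|bob|hq-print-02|design_spec_rev7.pdf|58
2011-10-17T23:10:05|bob|hq-print-02|customer_list.csv|120
"""

BUSINESS_START = time(8, 0)   # assumed business-hours window
BUSINESS_END = time(18, 0)


def parse_line(line):
    """Parse one log line into a dict; ts is a datetime, pages an int."""
    ts, user, printer, document, pages = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "printer": printer, "document": document, "pages": int(pages)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def after_hours(events, start=BUSINESS_START, end=BUSINESS_END):
    """Events printed on a weekend or outside the start..end window."""
    return [e for e in events
            if e["ts"].weekday() >= 5 or not (start <= e["ts"].time() < end)]


def daily_totals(events):
    """{user: {iso_date: pages}} summed per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date().isoformat()] += e["pages"]
    return totals


def high_volume(events, factor=3.0, min_pages=20, min_history=2):
    """Days where a user's page count far exceeds that user's own baseline.

    The baseline is the mean of the user's totals on their *other* logged
    days, so a heavy but consistent printer is not flagged while a normally
    light user who suddenly prints a stack of documents is. Users with
    fewer than min_history other days are skipped (no baseline to compare).
    """
    flagged = {}
    for user, days in daily_totals(events).items():
        for day, pages in days.items():
            others = [p for d, p in days.items() if d != day]
            if len(others) < min_history:
                continue
            threshold = max(min_pages, factor * mean(others))
            if pages > threshold:
                flagged[(user, day)] = pages
    return flagged


def alerts(text):
    """Human-readable alert lines for a log text, after-hours first."""
    events = parse_log(text)
    out = [f"AFTER-HOURS {e['ts'].isoformat()} {e['user']} printed "
           f"{e['pages']} pages of {e['document']!r} on {e['printer']}"
           for e in after_hours(events)]
    for (user, day), pages in sorted(high_volume(events).items()):
        out.append(f"HIGH-VOLUME {day} {user} printed {pages} pages, "
                   f"well above their usual daily total")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

On the constructed sample this raises three after-hours alerts (bob's two late-night jobs and carol's Saturday job) and one high-volume alert for bob on 2011-10-17, while alice's steady 40 to 55 pages a day is left alone. In practice the same two checks would run against logs collected from the print server or the devices themselves, which is the "continuous log monitoring" the post asks for.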


How spies used Facebook to steal Nato chiefs’ details
http://www.telegraph.co.uk/technology/9136029/How-spies-used-Facebook-to-steal-Nato-chiefs-details.html
By Jason Lewis, Investigations Editor, in Washington DC
9:00PM GMT 10 Mar 2012

NATO'S most senior commander was at the centre of a major security alert when a series of his colleagues fell for a fake Facebook account opened in his name - apparently by Chinese spies.

[Photo: Adml James Stavridis. Photo: GETTY]

Senior British military officers and Ministry of Defence officials are understood to have been among those who accepted "friend requests" from the bogus account for American Admiral James Stavridis.

They thought they had become genuine friends of Nato's Supreme Allied Commander - but instead every personal detail on Facebook, including private email addresses, phone numbers and pictures were able to be harvested.

Nato officials are reluctant to say publicly who was behind the attack. But the Sunday Telegraph has learned that in classified briefings, military officers and diplomats were told the evidence pointed to "state-sponsored individuals in China".

Although they are unlikely to have found any genuine military secrets from the Facebook accounts they accessed, the incident is highly embarrassing.

In the wake of it Nato has advised senior officers and officials to open their own social networking pages to prevent a repeat of the security breach.

Admiral Stavridis - who was in charge of operations in Libya to bring about the end of Colonel Muammar Gaddafi's regime - now has an official Facebook site while the bogus one has been permanently deleted from the internet.

But it opened up a treasure trove of personal information to the people behind the fake.

As well as their names, people routinely put personal email addresses, dates of birth, clues about their home address and personal and family pictures online. Some even state their current location, and messages on a page's "wall" can reveal huge amounts about their beliefs and state of mind.

Although it is not known how much information was harvested, foreign intelligence agencies would be delighted to have such huge amounts of information which can be used to produce detailed profiles of potential targets for espionage or even blackmail.

[Photo: The real Facebook page of Adml James Stavridis]

Senior Nato staff were warned about the fake account late last year and made representations to Facebook.

It is understood that Facebook uses very sophisticated techniques to identify bogus accounts which, it says, have very different footprints to genuine Facebook users.

A spokesman said: "After the profile was reported to us, it was taken down as soon as we were notified and investigated the issue."

Last night officials at SHAPE, the Supreme Headquarters Allied Powers Europe, reluctantly confirmed that its commander had been targeted.

They refused to be drawn on the origin of the security breach although other senior security sources confirmed that it had been traced to China.

A spokesman for SHAPE said: "This type of compromising attempts are called "Social Engineering" and has nothing to do with "hacking" or "espionage".

"Discussions/chats/postings on Facebook are of course only about unclassified topics."

A NATO official added: "There have been several fake supreme allied commander pages. Facebook has cooperated in taking them down. We are not aware that they are Chinese.

"The most important thing is for Facebook to get rid of them. First and foremost we want to make sure that the public is not being misinformed. Social media played a crucial role in the Libya campaign last year.

"It reflected the groundswell of public opposition, but also we received a huge amount of information from social media in terms of locating Libyan regime forces. It was a real eye-opener. That is why it is important the public has trust in our social media."

The so-called "spear fishing" exercise is the latest tactic in the wide ranging use of the internet to spy on key Western figures and to steal their secrets.

Fears centre on the espionage operation of Chinese intelligence agencies - which are targeting not just military secrets but every aspect of western life.

Among the items stolen are said to be the secrets of stealth aircraft, submarine technology, the space programme and solar energy.

British institutions are equally vulnerable including Chinese hackers successfully getting access to the House of Commons secure computer network.

Shawn Henry, the FBI's executive assistant director in charge of targeting cyber crime said: "We see thousands of breaches every month across all industry and retail, infrastructure and across all sectors.

"We know that the capabilities of foreign states are substantial and we know the type of information that they are targeting."

The state-sponsored attacks are aimed at stealing information to give them an economic, political and military advantage.

Some hawkish figures in the US also fear that a hostile country or terror group might launch a "cyber war" against them attempting to attack and destroy military and civil infrastructure using viruses or other electronic weapons. However most experts think this is highly unlikely.

It is similar to the so-called "Night Dragon" attacks which targeted executives of some of the world's biggest oil and gas companies.

The names of the firms involved have not been disclosed. Their reluctance is widespread as companies fear disclosure will damage customer confidence in them and hit their share price.

The attacks infiltrated the energy companies' computer systems and looked for how the firms operated.

The attackers targeted the Western firms' public websites and specific individuals using Facebook and other social networking sites to learn about them first, and then trying to dupe them into revealing their log in names and passwords.

The hackers were traced to China, to Beijing, and investigators found the attacks only happened on week days between 9am and 5pm local time suggesting they were working at an office or a government facility.

Security expert Dmitri Alperovich, who helped uncover the "Night Dragon" breach, says Western businesses and Government are all routinely being targeted. He said: "They will know your strategy, your price list, everything to undercut and beat you. The Chinese are using every trick in the book.

"They stole emails between executives about high level negotiations. They are stealing their negotiation playbook and then they outbid them. If they know your strategy they can't lose."

Last year an employee at a key US computer security firm, RSA, opened a personal email with the subject line "2011 Recruitment Plan" and clicked on the attached Excel spreadsheet.

The attachment contained a virus, apparently engineered by the Chinese, which breached RSA's systems. RSA's customers include the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon and the Department of Homeland Security (DHS), as well as organizations around the world.

The breach meant it had to contact its customers to warn them of the security risk.

Such is concern over the cyber-attacks that the DHS now sees it as a key priority along with tackling terrorism.

Bruce McConnell, its director of cyber security said: "The internet is civilian space. It is a marketplace. Like the market in Beirut in the '70s, it will sometimes be a battleground."

He likened his department's job to attempts to co-ordinate the civilian response to a hurricane.

But "unlike in a hurricane, we are responding to incidents every day," he added.

Retired agent suspected of spying for China: media report
http://www.chinapost.com.tw/taiwan/national/national-news/2012/03/19/335068/Retired-agent.htm

TAIPEI--A retired Taiwanese agent is in police custody for allegedly luring his colleagues to China to force sensitive information out of them, a report said Saturday.

Tung Chien-nan, a former agent at the Investigation Bureau's China situation division, was allegedly recruited by Beijing after his retirement around four years ago, said the United Daily News.

Tung was suspected of tricking several former agents to China under the pretext of travelling or doing business, but they were detained upon arrival on the mainland for interrogation, the report said.

Taiwan's intelligence units are assessing the possible damage Tung has caused. China allegedly used him and other ex-agents to gather information on local spies stationed on the mainland, it said.

The case came to light after another ex-agent who was temporarily held in China reported Tung to Taiwanese authorities. Tung was arrested last month when he returned to Taiwan to collect his pension, the report added.

Taiwan and China have spied on each other ever since they split in 1949 at the end of a civil war. Beijing still claims the island as its territory awaiting reunification — by force if necessary.

Since 2008, the two sides have seen significant progress when Ma Ying-jeou became Taiwan's president. He was re-elected in January for a final four-year term.

But Ma has said that Taiwan should strengthen its defences against Chinese espionage, following a string of spy scandals that showed intelligence gathering has continued despite warming ties.

Last month, a Taiwanese air force captain was arrested for allegedly leaking classified data to China via his uncle, a businessman based on the mainland.

Taiwan's military court last year handed out life sentences to an army general and an intelligence officer for spying for China in the island's worst spy scandal in recent years.

The Investigation Bureau was not immediately available for comment over the latest case.

ARRESTS, TRIALS, CONVICTIONS

Former DuPont Scientist Pleads Guilty To Economic Espionage
http://www.justice.gov/usao/can/news/2012/2012_03_02_chao.guiltyplea.press.html
FOR IMMEDIATE RELEASE
March 2, 2012

SAN FRANCISCO - Tze Chao pleaded guilty in federal court in San Francisco late yesterday afternoon to conspiracy to commit economic espionage, United States Attorney Melinda Haag announced. In pleading guilty, Chao, who was employed by DuPont from 1966 to 2002, admitted that he provided trade secrets concerning DuPont’s proprietary titanium dioxide (TiO2) manufacturing process to companies he knew were controlled by the government of the People’s Republic of China (PRC).

Chao admitted that beginning in 2003, the year after he left DuPont, he began consulting for the Pangang Group, a PRC government controlled company that produces TiO2. According to his plea agreement, Chao had “learned that the PRC government had placed a priority on developing chloride-process TiO2 technology in a short period of time and wished to acquire this technology from western companies.” In 2008, Chao submitted a bid to design a 100,000 ton per year TiO2 facility for the Pangang Group. In connection with his bid, Chao provided DuPont information to the Pangang Group, including information that, according to his plea agreement, he “understood to be secret to DuPont and not available to the public.” Chao did not win the contract but in 2009 was asked by Pangang Group to review design work done by USA Performance Technology Inc. He did so, and in the course of this review, provided additional DuPont trade secret information to Pangang Group.

Chao’s plea comes in connection with the superseding indictment returned three weeks ago charging Walter Liew, Christina Liew, Robert Maegerle, and USA Performance Technology Inc., among others, for their efforts to sell DuPont trade secrets to companies controlled by the PRC government. Those companies – the Pangang Group and three subsidiaries – also were named as defendants in the indictment and charged with conspiracy to commit economic espionage and attempted economic espionage. As part of his plea agreement, Chao agreed to cooperate in the investigation and prosecution of this case.

Chao, 77, of Newark, Del., was indicted by a federal Grand Jury on Feb. 7, 2012. He was charged with one count of conspiracy to commit economic espionage, in violation of 18 U.S.C. § 1831(a)(5). Under the plea agreement, Chao pleaded guilty to this charge as alleged in the superseding indictment.

Chao was arraigned yesterday in San Francisco and released on his own recognizance. He entered his guilty plea before the Honorable Jeffrey S. White late yesterday afternoon in San Francisco. A date for sentencing was not set. The maximum statutory penalty is 15 years in prison and a fine of $500,000, plus restitution if appropriate. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

This case is being prosecuted by the Special Prosecutions and National Security Unit of the U.S. Attorney’s Office in San Francisco and the Counterespionage Section of the National Security Division of the U.S. Department of Justice. The investigation is being conducted by the Federal Bureau of Investigation.

Noted Scientist Sentenced to 13-Year Prison Term for Attempted

Espionage, Fraud and Tax Charges
http://www.justice.gov/opa/pr/2012/March/12-nsd-348.html

WASHINGTON – Stewart David Nozette, 54, a scientist who once worked for the Department of Energy, the Department of Defense, the National Aeronautics and Space Administration and the White House’s , was sentenced today to 13 years in prison for attempted espionage, conspiracy to defraud the United States and tax evasion.

The sentence covered charges in two cases. In one, Nozette pleaded guilty in September 2011 to attempted espionage for providing classified information to a person he believed to be an Israeli intelligence officer. In the other, he pleaded guilty in January 2009 to fraud and tax charges stemming from more than $265,000 in false claims he submitted to the government.

The sentencing, which took place this morning in the U.S. District Court for the District of Columbia, was announced by Ronald C. Machen Jr., U.S. Attorney for the District of Columbia; Lisa Monaco, Assistant Attorney General for National Security; and Principal Deputy Assistant Attorney General John A. DiCicco of the Tax Division.

Joining in the announcement were James W. McJunkin, Assistant Director in Charge of the FBI’s Washington Field Office; Paul K. Martin, Inspector General for the National Aeronautics and Space Administration (NASA OIG); Eric Hylton, Acting Special Agent in Charge of the Washington Field Office of the Internal Revenue Service-Criminal Investigation (IRS-CI); and John Wagner, Special Agent in Charge of the Washington, D.C., Office of the Naval Criminal Investigative Service (NCIS).

In addition to the prison term, the Honorable Paul L. Friedman ordered that Nozette pay more than $217,000 in restitution to the government agencies he defrauded.

Nozette has been in custody since his arrest for attempted espionage on Oct. 19, 2009. At the time, he was awaiting sentencing on the fraud and tax evasion charges. FBI agents arrested Nozette following an undercover operation in which he provided classified materials on three occasions, including one that formed the basis for his guilty plea. He was subsequently indicted by a federal grand jury. The indictment does not allege that the government of Israel or anyone acting on its behalf committed any offense under U.S. laws in this case.

“Stewart Nozette's greed exceeded his loyalty to our country” said U.S. Attorney Machen. “He wasted his talent and ruined his reputation by agreeing to sell national secrets to someone he believed was a foreign agent. His time in prison will provide him ample opportunity to reflect on his decision to betray the United States.”

“Stewart Nozette betrayed his country and the trust that was placed in him by attempting to sell some of America’s most closely-guarded secrets for profit. Today, he received the justice he deserves. As this case demonstrates, we remain vigilant in protecting America’s secrets and in bringing to justice those who compromise them,” said Assistant Attorney General Monaco. “I thank the many agents, analysts and prosecutors who worked on this important case.”

“As this case demonstrates, those who attempt to evade their taxes by abusing the tax-exempt status of non-profit entities will be investigated, prosecuted and punished,” said Principal Deputy Assistant Attorney General DiCicco.

“Today’s sentencing demonstrates that espionage remains a serious threat to our national security,” said Assistant Director in Charge McJunkin. “The FBI and our partners in the defense and intelligence communities work every day to prevent sensitive information from getting into the wrong hands, and I commend the hard work of the dedicated agents, analysts and prosecutors who spent a significant amount of time bringing this case to resolution.”

“We are particularly proud that NASA OIG’s fraud investigation of Nozette, which began in 2006, served as the catalyst for further investigation and today's outcome,” said NASA Inspector General Martin.

“IRS-Criminal Investigation provides financial investigative expertise in our work with our law enforcement partners,” said Acting Special Agent in Charge Hylton. “Pooling the skills of each agency makes a formidable team as we investigate allegations of wrongdoing. Mr. Nozette decided to betray his country to line his own pockets rather than play by the rules. He now is being held accountable for his actions.”

“Federal agents take an oath to protect our nation ‘against all enemies, foreign and domestic.’ That would include ‘insider threats’ like Stewart Nozette,” said Special Agent in Charge Wagner. “NCIS is committed to working with our law enforcement partners and prosecutors to find and hold accountable those like Nozette who put personal gain above national security.”

Nozette received a Ph.D. in Planetary Sciences from the Massachusetts Institute of Technology. Beginning in at least 1989, he held sensitive and high-profile positions within the U.S. government. He worked in various capacities on behalf of the government in the development of state-of-the-art programs in defense and space. During his career, for example, Nozette worked at the White House on the National Space Council, Executive Office of the President. He also worked as a physicist for the U.S. Department of Energy’s Lawrence Livermore National Laboratory, where he designed highly advanced technology.

Nozette was the president, treasurer and director of the Alliance for Competitive Technology (ACT), a non-profit organization that he organized in March 1990. Between January 2000 and February 2006, Nozette, through his company, ACT, entered into agreements with several government agencies to develop highly advanced technology. Nozette performed some of this research and development at the U.S. Naval Research Laboratory (NRL) in Washington, D.C., the Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., and NASA’s Goddard Space Flight Center in Greenbelt, Md.

Investigation concerning ACT led investigators to suspect that Nozette had misused government information. From 1989 through 2006, Nozette held security clearances as high as TOP SECRET and had regular, frequent access to classified information and documents related to the national defense of the United States.

On Sept. 3, 2009, Nozette was contacted via telephone by an individual purporting to be an Israeli intelligence officer from the , but who was, in fact, an undercover employee of the FBI. That same day, Nozette informed the undercover employee that he had clearances “all the way to Top Secret SCI” and that anything “that the U.S. has done in space I’ve seen.” He stated that he would provide classified information for money and a foreign passport to a country without extradition to the United States.

A series of contacts followed over the next several weeks, including meetings and exchanges in which Nozette took $10,000 in cash left by the FBI at pre-arranged drop-off sites. Nozette provided information classified as SECRET/SCI and TOP SECRET/SCI that related to the national defense. Some of this information directly concerned satellites, early warning systems, means of defense or retaliation against large-scale attack, communications intelligence information and major elements of defense strategy.

Nozette and the undercover employee met for the final time on Oct. 19, 2009, at the Mayflower Hotel. During that meeting, Nozette pushed to receive larger payments for the secrets he was disclosing, declaring that, “I gave you even in this first run, some of the most classified information that there is. . . . I’ve sort of crossed the Rubicon.”

Nozette was arrested soon after he made these statements.
The investigation of the fraud and tax evasion case was conducted by NASA-OIG, NCIS, the Defense Crim- In connection with the fraud and tax case, Nozette inal Investigative Service (DCIS), IRS-CI, the IRS Tax admitted that, from 2000 through 2006, he used ACT to Exempt & Government Entities Group, the Naval Au- defraud the NRL, DARPA and NASA by making and dit Service, the Defense Contract Audit Agency and presenting more than $265,000 in fraudulent the FBI’s Washington Field Office. reimbursement claims, most of which were paid. He The prosecution of the fraud and tax evasion case also admitted that, from 2001 through 2005, he willfully was handled by Assistant U.S. Attorney Michael K. evaded more than $200,000 in federal taxes. In Atkinson from the Fraud and Public Corruption Sec- addition, he admitted using ACT, an entity exempt from tion of the U.S. Attorney’s Office for the District of taxation because of its non-profit status, to receive Columbia and Trial Attorney Kenneth C. Vert from the income and to pay personal expenses, such as Department of Justice’s Tax Division. mortgages, automobile loans, sedan services and other items. continued on page 17 19 COUNTERINTELLIGENCE AND CYBER NEWS AND VIEWS Noted Scientist Sentenced to 13-Year Prison Term for Attempted Espionage, Fraud and Tax Charges (continued) New York Resident and His Company

Sentenced for Conspiracy to Export Com- The prosecution of the fraud and tax evasion case puter-Related Equipment to Iran was handled by Assistant U.S. Attorney Michael K. Department of Justice Office of Public Affairs Atkinson from the Fraud and Public Corruption Sec- tion of the U.S. Attorney’s Office for the District of FOR IMMEDIATE RELEASE Friday, February 17, 2012 Columbia and Trial Attorney Kenneth C. Vert from the Department of Justice’s Tax Division. WASHINGTON – Jeng “Jay” Shih, 54, a U.S. citizen, was sentenced today in the District of Columbia to 18 The investigation of the attempted espionage case months in prison, while his Queens, N.Y., company, was conducted by the FBI’s Washington Field Office, Sunrise Technologies and Trading Corporation, was with assistance from NCIS; Naval Audit Service; Na- sentenced to 24 months corporate probation for con- tional Reconnaissance Office; Air Force Office of Spe- spiracy to illegally export U.S.-origin computers from cial Investigations; Defense Computer Forensics La- the United States to Iran through the United Arab boratory; Defense Advanced Research Projects Agen- Emirates (UAE). Both Shih and his company were cy; DCIS; Defense Contract Audit Agency; U.S. Army also sentenced to forfeiture in the amount of $1.25 902nd Military Intelligence Group; NASA Office of million, for which they are jointly liable. Counterintelligence; NASA-OIG; Department of Ener- gy Office of Intelligence and Counterintelligence; IRS- The sentences were announced by Lisa Monaco, As- CI; IRS Tax Exempt & Government Entities group; U.S. sistant Attorney General for National Security; Ronald Customs and Border Protection; and the U.S. Postal C. Machen Jr., U.S. Attorney for the District of Colum- Inspection Service, as well as other partners in the bia; John Morton, Director of U.S. Immigration and U.S. intelligence community. Customs Enforcement (ICE); David W. 
Mills, Assistant Secretary for Export Enforcement, Department of The prosecution of that case was handled by Assis- Commerce; and Adam Szubin, Director of the Office tant U.S. Attorney Anthony Asuncion, from the Na- of Foreign Assets Control (OFAC), Department of the tional Security Section of the U.S. Attorney’s Office Treasury. for the District of Columbia, and Trial Attorneys Deb- On Oct. 7, 2011, Shih and his company each pleaded orah A. Curtis and Heather M. Schmidt, from the guilty to conspiracy to violate the International Emer- Counterespionage Section of the Justice Depart- gency Economic Powers Act (IEEPA) and to defraud ment’s National Security Division. the United States. Under the terms of the plea and

related civil settlements with the U.S. Department of 12-348 National Security Division Commerce’s Bureau of Industry and Security and

OFAC, Shih and his company agreed to forfeiture in

the amount of $1.25 million. In addition, Shih and

Sunrise are denied export privileges for 10 years; alt-

hough, this penalty will be suspended provided that

neither Shih nor Sunrise commits any export viola-

tions.

Shih was arrested on a criminal complaint on April 6, 2011. He and his company were later indicted on April 21, 2011. According to court documents filed in the case, beginning as early as about 2007, Shih con- spired with a company operating in Dubai, UAE, and Tehran, Iran, to procure U.S.-origin computers through Sunrise and export those computers from the United States to Iran, through Dubai, without first Stewart David Nozette obtaining a license or authorization from OFAC.

Specifically, in April 2010, the defendants caused the illegal export of 368 units of computer-related goods to Dubai, which were later sent to Iran. Later that month, the defendants caused the illegal export of 158 additional units of computer-related goods to Dubai, which were later sent to Iran. The defendants subsequently caused an additional 185 units of computer-related goods to be illegally exported to Iran via Dubai.

This investigation was conducted by the ICE’s Homeland Security Investigations (HSI) field offices New York and San Diego, and the Department of Commerce Office of Export Enforcement field offices in New York and Los Angeles, with assistance from ICE-HSI offices in , Newark, N.J., Los Angeles and Orange County, Calif. The Department of Homeland Security’s U.S. Customs and Border Protection and OFAC’s Office of Enforcement also assisted in the investigation. Chief Counsel Attorney Gregory Michelsen and Attorney-Advisor Elizabeth Abraham from the U.S. Department of Commerce, and Assistant Director of Enforcement Michael Geffroy and Enforcement Officer Elizabeth Fruzynski of the U.S. Department of Treasury handled the civil settlements for their respective agencies.

The prosecution was handled by Assistant U.S. Attorneys T. Patrick Martin and Anthony Asuncion, from the U.S. Attorney’s Office for the District of Columbia, and Trial Attorney Jonathan C. Poling from the Counterespionage Section of the Justice Department’s National Security Division.

12-232 National Security Division

Australian Man and His Firm Indicted in Plot to Export Restricted Military and Other U.S. Technology to Iran

http://www.justice.gov/opa/pr/2012/February/12-nsd-264.html

Department of Justice Office of Public Affairs

FOR IMMEDIATE RELEASE Wednesday, February 29, 2012

WASHINGTON – An Australian man and his company have been indicted today by a federal grand jury in the District of Columbia for conspiring to export sensitive military and other technology from the United States to Iran, including components with applications in missiles, drones, torpedoes and helicopters.

The five-count indictment charges David Levick, 50, an Australian national, and his company, ICM Components Inc., located in Thorleigh, Australia, each with one count of conspiracy to defraud the United States and to violate the International Emergency Economic Powers Act (IEEPA) and the Arms Export Control Act; as well as four counts of illegally exporting goods to an embargoed nation in violation of IEEPA; and forfeiture of at least $199,227.41. The indictment was announced by Lisa Monaco, Assistant Attorney General for National Security; Ronald C. Machen Jr., U.S. Attorney for the District of Columbia; John J. McKenna, Special Agent in Charge of the Commerce Department’s Office of Export Enforcement Boston Field Office; James W. McJunkin, Assistant Director in Charge of the FBI’s Washington Field Office; Kathryn Feeney, Resident Agent in Charge of the Defense Criminal Investigative Service (DCIS) Resident Agency in New Haven, Conn.; and Bruce M. Foucart, Special Agent in Charge of U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) in Boston.

Levick, who is the general manager of ICM Components, remains at large and is believed to be in Australia. If convicted, Levick faces a potential maximum sentence of five years in prison for the conspiracy count and 20 years in prison for each count of violating IEEPA.

According to the indictment, beginning as early as March 2007 and continuing through around March 15, 2009, Levick and ICM solicited purchase orders from a representative of a trading company in Iran for U.S.-origin aircraft parts and other goods. This person in Iran, referenced in the charges as “Iranian A,” also operated and controlled companies in Malaysia that acted as intermediaries for the Iranian trading company.

The indictment alleges that Levick and ICM then placed orders with U.S. companies on behalf of Iranian A for aircraft parts and other goods that Iranian A could not have directly purchased from the United States without U.S. government permission. Among the items the defendants allegedly sought to procure from the United States are the following:

· VG-34 Series Miniature Vertical Gyroscopes. These are aerospace products used to measure precisely and/or maintain control of pitch and roll in applications such as helicopter flight systems, target drones, missiles, torpedoes and remotely piloted vehicles. They are classified as defense articles by the U.S. government and may not be exported from the United States without a license from the State Department or exported to Iran without a license from the Treasury Department.

· K2000 Series Servo Actuators designed for use on aircraft. The standard Servo Actuator is designed to be used for throttle, nose wheel steering and most flight control surfaces. High-torque Servo Actuators are designed to be used for providing higher torque levels for applications such as flaps and landing gear retraction. These items are classified as defense articles by the U.S. government and may not be exported from the United States without a license from the State Department or exported to Iran without a license from the Treasury Department.

· Precision Pressure Transducers. These are sensor devices that have a wide variety of applications in the avionics industry, among others, and can be used for altitude measurements, laboratory testing, measuring instrumentations and recording barometric pressure. These items may not be exported to Iran without a license from the Treasury Department.

· Emergency Floatation System Kits. These kits contained a landing gear, float bags, composite cylinder and a complete electrical installation kit. Such float kits were designed for use on Bell 206 helicopters to assist the helicopter when landing in either water or soft desert terrain. These items may not be exported to Iran without a license from the Treasury Department.

· Shock Mounted Light Assemblies. These items are packages of lights and mounting equipment designed for high vibration use and which can be used on helicopters and other fixed wing aircraft. These items may not be exported to Iran without a license from the Treasury Department.

According to the charges, Levick and ICM, when necessary, used a broker in Florida to place orders for these goods with U.S. firms to conceal that they were intended for transshipment to Iran. The defendants also concealed the final end-use and end-users of the goods from manufacturers, distributors, shippers and freight forwarders in the United States and elsewhere, as well as from U.S. Customs and Border Protection. To further conceal their efforts, the defendants structured payments between each other for the goods to avoid restrictions on Iranian financial institutions by other countries. The indictment further alleges that Levick and ICM wired money to companies located in the United States as payment for these restricted goods.

Levick, ICM and other members of the conspiracy never obtained the required licenses from the Treasury or State Department for the export of any of these goods to Iran, according to the charges.

In addition to the conspiracy allegations, the indictment charges the defendants with exporting or attempting to export four specific shipments of goods from the United States to Iran in violation of IEEPA. These include a shipment of 10 shock mounted light assemblies on Jan. 27, 2007; a shipment of five precision pressure transducers on Dec. 20, 2007; a shipment of 10 shock mounted light assemblies on March 17, 2008; and a shipment of one emergency floatation system kit on June 24, 2008.

This investigation was jointly conducted by agents of the Department of Commerce Office of Export Enforcement, FBI, DCIS and ICE-HSI. The prosecution is being handled by Assistant U.S. Attorneys John W. Borchert and Ann Petalas of the U.S. Attorney’s Office for the District of Columbia; and Trial Attorney Jonathan C. Poling of the Counterespionage Section of the Justice Department’s National Security Division.

The public is reminded that an indictment contains mere allegations. Defendants are presumed innocent unless and until proven guilty in a court of law.

12-264 National Security Division

Ex-Marine Accused of Attempting to Export Sensitive Military Items

http://www.fbi.gov/losangeles/press-releases/2012/ex-marine-accused-of-attempting-to-export-sensitive-military-items

U.S. Attorney’s Office Central District of California

March 05, 2012

(213) 894-2434

LOS ANGELES—A retired Marine Corps staff sergeant, who until recently worked in the Marine Aviation Supply Office at Edwards Air Force Base, was arrested by federal agents this morning following an undercover probe that allegedly revealed he lied to the government as part of a scheme to sell sensitive military equipment to buyers around the globe.

Sean Elias Sayegh, 41, of Rosamond, was taken into custody at his residence by agents with U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI).

Sayegh, who retired from the Marine Corps in December 2011, was named in an indictment returned by a federal grand jury last Friday that charges him with four counts of making false statements. Specifically, the indictment alleges that on four occasions Sayegh made fraudulent claims on U.S. Postal Service customs declaration forms, stating that packages he was shipping contained camera lenses and other camera equipment, when the items were actually laser light interference filters (LIFs). The alleged violations, which occurred between December 2009 and February 2010, involved the shipment of more than 100 LIFs.

LIFs, which are used with military night vision goggles, are on the U.S. Munitions List and cannot legally be exported without a license issued by the Department of State. LIFs protect the optics inside night vision goggles from being damaged by lasers. The technology is considered sufficiently sensitive that the military requires that LIFs be destroyed when they reach the end of their service life.

The Defense Criminal Investigative Service (DCIS) initiated the probe into Sayegh’s activities after receiving a lead about the possible sale of Munitions List items on eBay. DCIS referred the matter to the Naval Criminal Investigative Service (NCIS). HSI joined the investigation, at the request of NCIS, because of the potential export violations. HSI carried out the undercover investigation.

Each false statement charge in the indictment carries a statutory maximum penalty of five years in federal prison. Therefore, if he is convicted of the four counts in the indictment, Sayegh would face a maximum sentence of 20 years in prison, as well as a $1 million fine.

Sayegh is expected to be arraigned on the indictment this afternoon in United States District Court in Los Angeles.

“These items may look innocuous, but their sophistication makes them highly sought after by our adversaries,” said Claude Arnold, special agent in charge for HSI Los Angeles. “They were developed to give America and its allies a strategic military advantage, which is why HSI will continue to work with its law enforcement partners to ensure such technology doesn’t fall into the wrong hands.”

Jeffrey Morrow, special agent in charge for NCIS’ Southwest Field Office, stated, “One of the U.S. military’s greatest advantages is its ability to operate effectively at night when our adversaries cannot. In large part, this advantage is reliant on equipment and technologies like former-SSGT Sayegh attempted to sell to unauthorized buyers abroad. Actions like this risk the technological advantage that the U.S. military maintains and for this reason this case is significant. NCIS will work aggressively with our law enforcement partners to stop the compromise of these important technologies.”

Chris Hendrickson, special agent in charge, DCIS, Western Field Office, commented, “DCIS will use all tools available—our ability to track worldwide financial dealings, our advanced cyber capabilities, and our worldwide law enforcement alliances—to protect America’s warfighters and the taxpayers’ interests. DCIS and its law enforcement partners are committed to identifying and bringing to justice individuals intent on illegally exporting this country’s critical assets at the expense of America’s security.”

In addition to HSI, NCIS, and DCIS, the U.S. Postal Inspection Service (USPIS) and U.S. Customs and Border Protection (CBP) also played a prominent role in the case.

“This type of offense is unjustifiable,” said B. Bernard Ferguson, inspector in charge for the Los Angeles Division of the Postal Inspection Service. “U.S. Postal Inspectors will continue to aggressively investigate those who violate the laws meant to protect the Postal Service, its employees, and our nation’s citizens.”

In November 2009, the government announced the Export Control Initiative to streamline the complex system of U.S. export controls and enhance the coordination of efforts to address current security threats. As part of those ongoing reforms, HSI recently established the Long Beach-based Counter Proliferation Investigations Center (CPIC). CPICs are located in strategic cities where the threat of illegal exportations is greatest. The goal of these centers is to better facilitate regional enforcement efforts to target the illegal exportation of sensitive weapons and technology. In addition to DCIS, NCIS, USPIS, and CBP, other federal agencies currently participating in the HSI-led initiative include the Department of Commerce’s Office of Export Enforcement; the Air Force Office of Special Investigations; the Bureau of Alcohol, Tobacco, Firearms, and Explosives; the FBI; and the National Aeronautics Space Agency (NASA) Office of Inspector General. The center enables the participating agencies to pool their resources, expertise, and intelligence to pursue cases involving export enforcement.

Contact: Assistant United States Attorney William A. Crowfoot, National Security Section, (213) 894-4465

CYBER THREATS

Cyber-Related Threats Reported in the DHS Daily Open Source Infrastructure Report

The following are extracts from the DHS Daily Open Source Infrastructure Report, located at http://www.dhs.gov/files/programs/editorial_0542.shtm. These reports link back to more detailed reporting from the original source. Included here are extracts pertaining to cyber threats prevalent on a daily basis. Readers may find practical applications for this material both in their work and in their personal use of computing devices and internet usage.

February 17, Help Net Security – (International) Fake Facebook notification delivers keylogger. Fake Facebook notifications about changes in users’ account information have been hitting inboxes and delivering malware to unwary users, warn Barracuda Labs researchers. The e-mail address of the sender is spoofed to make it look like it has been sent by the social network, and the message contains only an image implying that the recipient needs to install Silverlight in order to view the content. Hovering the mouse over the image shows that the offered file is a Windows PIF file, and that it is hosted on an IP address in Malaysia. The file is actually a keylogger, the Jorik Trojan. Once the keylogger is installed, it starts recording every keystroke and Web page title into a disk file, which is ultimately sent to a C&C server operated by cyber criminals.

Source: http://www.net-security.org/malware_news.php?id=2002

February 16, University of Minnesota – (International) University of Minnesota researchers discover that cell phone hackers can track your physical location without your knowledge. Cellular networks leak the locations of cell phone users, allowing a third party to easily track the location of the cell phone user without the user’s knowledge, according to a February 16 press release announcing the findings of new research by computer scientists in the University of Minnesota’s College of Science and Engineering. Using an inexpensive phone and open source software, the researchers were able to track the location of cell phone users without their knowledge on the Global System for Mobile Communications (GSM) network, the predominant worldwide network. In a field test, the research group was able to track the location of a test subject within a 10-block area as the subject traveled across an area of Minneapolis at a walking pace. The researchers used readily available equipment and no direct help from the service provider. The researchers have contacted AT&T and Nokia with low cost techniques that could be implemented without changing the hardware, and are in the process of drafting responsible disclosure statements for cellular service providers.

Source: http://www1.umn.edu/news/news-releases/2012/UR_CONTENT_374462.html

February 21, – (California; International) Authorities say debt collector scam bilked millions. An international phone scam where callers in India posed as debt collectors bilked millions of dollars out of more than 10,000 U.S. residents by using threats of arrest or the loss of their jobs, U.S. authorities said February 21. The callers, who apparently coordinated with someone in the United States, drew on personal data snatched from payday loan Web sites, a Federal Trade Commission (FTC) official said. Over a 2-year period, at least 20 million calls may have been placed, with phony collectors typically demanding around $500, but sometimes asking for as much as $2,000. The investigation of a scam with so many millions of calls flooding in from India was a first of its kind, the FTC’s Midwest director said. From 2010 to 2012, $5 million was paid in 17,000 transactions to accounts controlled by the alleged fraudsters, the FTC said. No criminal charges have been filed, but the FTC charged Villa Park, California-based American Credit Crunchers LLC, Ebeeze, LLC, and their owner with violating the FTC Act and the Fair Debt Collection Practices Act in connection with the alleged scheme. The owner allegedly withdrew thousands of dollars paid by victims that ended up in his company accounts, though the FTC said it was not clear if the scheme was directed primarily from California or India.

Source: http://www.foxnews.com/us/2012/02/21/authorities-say-debt-collector-scam-bilked-millions/

February 21, InformationWeek – (International) Symantec pcAnywhere remote attack code surfaces. Code has been published that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC. The exploit details were made public February 17 in a Pastebin post from Alert Logic’s director of security research. Advertised as a “PCAnywhere Nuke,” the Python code can be used to create a denial of service by crashing “the ashost32 service,” he said. “It’ll be respawned so if you want to be a real pain you’ll need to loop this ... my initial impressions are that controlling execution will be a pain.” He said the exploit works even against the most recent, fully patched version of pcAnywhere (version 12.5.0 build 463 and earlier). “Symantec is aware of the posting and is investigating the claims,” said a Symantec spokeswoman.

Source: http://www.informationweek.com/news/security/vulnerabilities/232601182

February 14, Help Net Security – (International) Stratfor clients now targeted with malware. The customers of Stratfor, a U.S.-based research group that provides geopolitical analysis to government organizations and major corporations, are being targeted again with malicious spam e-mails. Following the December breach of the company’s servers by Anonymous and the stealing of names, home addresses, credit card details, and passwords of its clients, those very clients began to receive spearphishing e-mails purportedly being sent by Stratfor’s CEO, asking them to fill out an attached document with personal information. This time, the e-mails appear to be sent by a Stratfor administrator, who first warns clients not to open e-mails and attachments from “doubtful senders,” and then urges them to download (attached) security software to check their systems for a nonexistent piece of malware. “The link displayed in the emails appears legitimate at first glance, but looking closely at the target address, you notice that it doesn’t originate from the address in the email text,” according to Microsoft. “Stratfor is based in Texas, United States however the download URL is located somewhere in Turkey. A sample of another PDF file contained a download link for yet another compromised site, this time in Poland.” Less careful users will end up with a malicious PDF file or a variant of the Zbot information stealer trojan on their systems.

Source: http://www.net-security.org/malware_news.php?id=1996
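Both the fake Facebook notification item above and this Stratfor item describe the same lure pattern: a message dressed up as a trusted sender whose real link target does not match what the recipient sees (an image-only link to a .pif file on a raw IP address; a displayed Stratfor URL whose actual download target sits on an unrelated domain). The Python below is an added illustration, not code from the newsletter, DHS, Barracuda or Microsoft, of the kind of link check a mail gateway or analyst script can apply to an HTML body. The sample messages, the 198.51.100.23 address (a documentation range), the example.net domain, and the brand-to-domain and extension lists are all constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# File types Windows runs directly; PIF is the one named in the Facebook lure item.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Constructed map from a sender's claimed brand to the domains that brand really uses.
EXPECTED_DOMAINS = {
    "facebook.com": {"facebook.com", "facebookmail.com"},
    "stratfor.com": {"stratfor.com"},
}

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text, has_image) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text, has_image] while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._current = [attrs["href"], "", False]
        elif tag == "img" and self._current is not None:
            self._current[2] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text, has_image = self._current
            self.links.append((href, text.strip(), has_image))
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _registered_domain(host):
    # Crude last-two-labels rule; fine for the sample, not a public-suffix lookup.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html, claimed_sender_domain):
    """Return (href, reason) findings for links that deserve blocking or review."""
    findings = []
    expected = EXPECTED_DOMAINS.get(claimed_sender_domain, {claimed_sender_domain})
    for href, text, has_image in extract_links(html):
        target = urlparse(href)
        host = target.hostname or ""
        path = target.path.lower()
        if _is_ip_literal(host):
            findings.append((href, "target host is a raw IP address"))
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append((href, "target is a directly executable file"))
        if has_image and not text:
            findings.append((href, "link is an image with no visible text"))
        shown = URL_IN_TEXT.search(text)  # a URL the reader sees as the link text
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if _registered_domain(shown_host) != _registered_domain(host):
                findings.append((href, f"displayed URL points at {shown_host}, link goes to {host}"))
        if host and not _is_ip_literal(host) and _registered_domain(host) not in expected:
            findings.append((href, f"target domain {host} does not belong to {claimed_sender_domain}"))
    return findings


# Constructed lures modelled on the two items, not real samples.
FACEBOOK_LURE = """
<p>Your Facebook account information has changed. Install Silverlight to view.</p>
<a href="http://198.51.100.23/update/silverlight_install.pif"><img src="cid:notice"></a>
"""

STRATFOR_LURE = """
<p>Please run the attached security scanner to check your system.</p>
<a href="http://downloads.example.net/stratfor_scan.zip">http://www.stratfor.com/security/scan</a>
<a href="https://www.stratfor.com/login">Log in</a>
"""

if __name__ == "__main__":
    for name, body, sender in (("facebook", FACEBOOK_LURE, "facebook.com"),
                               ("stratfor", STRATFOR_LURE, "stratfor.com")):
        for href, reason in analyze_links(body, sender):
            print(f"{name}: {href} -> {reason}")
```

In the Facebook sample the image-only anchor is flagged three times (raw IP, executable extension, no visible text); in the Stratfor sample only the download link fires, on both the displayed-versus-actual host mismatch and the foreign domain, while the genuine login link passes. The registered-domain check is deliberately simple; a production filter would use a public-suffix list and also inspect attachments, which this example leaves out.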

February 8, Threatpost – (International) New tool will automate password cracks on common SCADA product. Researchers are planning a February 14 release of tools that make it easy to test and exploit vulnerable programmable logic controllers (PLCs) and other industrial control systems. Among the releases will be a tool for cracking passwords on ECOM programmable logic controllers by Koyo Electronics, a Japanese firm, said a researcher at Digital Bond. Writing February 8, he said a February 14 release would include a “module to brute-force” passwords for ECOM and ECOM100 PLCs. Researchers revealed those devices have limited password space (forcing customers to implement short, weak passwords) and no lockout or timeout feature to prevent multiple log-in attempts used in brute force attacks. The Koyo ECOM models were among many popular PLC brands analyzed by top supervisory control and data acquisition security researchers as part of Project Basecamp. Their work revealed significant security issues with every system, with some PLCs too brittle and insecure to even tolerate security scans and probing. The Koyo ECOM100 modules were found to come with a bundled Web server that contained denial of service and cross site scripting vulnerabilities, and an administrative panel that could be accessed without authentication. Organizers already released two modules for the Metasploit and Nessus vulnerability testing tools that can search for vulnerabilities discovered in D20 PLCs made by GE and promised more in February.

Source: http://threatpost.com/en_us/blogs/new-tool-will-automate-password-cracks-common-scada-product-020812

Cyber-Related Threats Reported in the DHS Daily Open Source Infrastructure Report

February 23, Ars Technica – (International) GPS jammers and spoofers threaten infrastructure, say researchers. During the Global Navigation Satellite System (GNSS) Vulnerability 2012 event at Great Britain’s National Physical Laboratory February 22, experts discussed the threat posed by a growing number of GPS jamming and spoofing devices. The increasing popularity of jammers is troubling, according to the conference organizer, because even low-power GPS jammers pose a significant threat to cell phone systems, parts of the electrical grid, and drivers. Because cell phone towers and some electrical grid systems use GPS signals for time-keeping, jamming can throw them off and cause outages. “We’re seeing a large number of low power devices which plug into power sockets in a car,” the conference organizer said. “These devices take out the GPS tracker in the vehicle, but they also create a ‘bubble’ of interference, sometimes out to up to 100 yards. They are illegal, so their quality control is generally not good.” One presenter at the conference, an assistant professor at the University of Texas, presented findings on the impact of spoofing and jamming on cell phones. The professor, who claims his lab possesses the most powerful civilian-owned GPS spoofer, said that in U.S. tests his team succeeded in interfering with the timing devices used in cellular network towers, breaking down synchronization between cells and preventing calls from being handed off from one cellular station to another. “So far, no credible high profile attack has been recorded,” he said, “but we are seeing evidence of basic spoofing, likely carried out by rogue individuals or small groups.”

Small short-range jammers have created isolated problems in the United States. In late 2009, a single truck using a GPS jammer caused problems at the Newark Liberty International Airport in New Jersey as it interfered with a navigation aid every time the truck passed on the New Jersey Turnpike. Truck drivers and other drivers who want to conceal their movements from tracking devices sometimes use basic GPS jammers embedded in their vehicles.

Source: http://arstechnica.com/business/news/2012/02/uk-research-measures-growinggps-jamming-threat.ars

February 24, National Defense – (National) Cyber intrusions into Air Force computers take weeks to detect. When a hacker manages to penetrate U.S. Air Force computer networks, it generally takes experts more than a month to piece together what went wrong, the National Defense Industrial Association reported February 24. A forensics investigation into a network breach lasts an average of 45 days, said the senior adviser for intelligence and cyber-operations for the 24th Air Force, the organization that operates and defends the service’s networks. “That’s way better than we used to be, but that’s not tactically acceptable,” he told an Armed Forces Communications and Electronics Association (AFCEA) information technology conference. The Air Force needs hardware and software that leaves no back doors into the network open, officials said. Currently, if hackers find a hole they can unload “truckloads of information” without the service even knowing they were on the network, said the inspector general of the Air Force. Officials asked for industry help to improve the service’s ability to watch over the network and to detect and respond to unauthorized activity.

Source: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=688

February 29, Yomiuri Shimbun – (International) U.S. firm posts PLC hacking methods online. A U.S. information security company posted hacking techniques for disabling programmable logic controllers (PLCs) on the Internet, the Yomiuri Shimbun learned. A PLC is an electronic control system that makes machinery work as programmed; it is widely used in production systems at factories and in critical infrastructure. Alarmed by the hacking methods released online by U.S. firm Digital Bond, Inc., DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning stating that cyberattacks against PLCs could cause a major systemic breakdown. Four companies in the United States, Japan, and France produce the affected PLC control systems, which are sold to automakers, electric power substations, and others. Digital Bond stated it posted the methods to “inform the public of the risks” of PLC breakdowns, arguing that companies and governments have been slow to cope with PLCs’ vulnerabilities. About 2 million PLC units per year are manufactured in Japan, approximately 1.4 million of which are exported. While cyberattacks targeting computer control systems have sharply increased overseas, this is the first time a Japanese PLC maker has been shown to be exposed to the risk of a cyberattack. The firms put at risk by Digital Bond’s post are Japan’s Koyo Electronics Industries Co.; the United States’ General Electric Co. and Rockwell Automation, Inc.; and France’s Schneider Electric SA. After working out the design flaws of the companies’ PLCs, Digital Bond posted programs attacking them on its Web site February 14, according to the company. Koyo Electronics said it sells several thousand of its PLCs domestically, as well as in the United States and other countries, every year. The control systems are mainly used at automobile, semiconductor, and machine tool plants. Should the disclosed hacking techniques be abused, there is a danger the systems involved could be illegally controlled by a remote party. The PLCs made by the remaining three manufacturers have designs that differ from each other and are also used at a wide range of factories and transformer stations. Should these systems be hacked using Digital Bond’s methods or other tricks, production and other systems would break down or develop anomalies such as abnormal restarts. However, no incidents directly linked to Digital Bond’s post have been confirmed, industry sources said.

Source: http://www.yomiuri.co.jp/dy/national/T120228005028.htm

February 7, Computerworld – (National) FBI declares cloud vendors must meet CJIS security rules. The FBI February 7 reaffirmed its rule that all cloud products sold to U.S. law enforcement agencies must comply with the FBI’s Criminal Justice Information Services (CJIS) security requirements. While the nation’s top law enforcement agency conceded that some vendors may have a tough time meeting those rules, it insisted there would be no compromising on security. The CJIS database, maintained by the FBI, is one of the world’s largest repositories of criminal history records and fingerprints. The records are available to law enforcement agencies and contractors around the country that comply with the security rules, which include requirements that all data, both in transit and at rest, be encrypted and that anyone who accesses the database pass FBI background checks. A spokesman for the FBI’s CJIS division maintained February 7 that the CJIS security requirements are compatible with cloud computing.

Source: http://www.computerworld.com/s/article/9224048/FBI_declares_cloud_vendors_must_meet_CJIS_security_rules?taxonomyId=17

February 5, eWeek – (International) State of SCADA security worries researchers. Recent reports painted a bleak picture of the security issues plaguing industrial control systems, and the situation is made worse by the fact that administrators are naive about the dangers, researchers said. Researchers presented some alarming findings about the state of security for supervisory control and data acquisition (SCADA) systems at the Kaspersky Security Analyst Summit February 3. SCADA systems are used across industries as varied as oil, water systems, electric grids, and building control, and the basic security model underlying these systems is completely inadequate, they said.

Source: http://www.eweek.com/c/a/Security/State-of-SCADA-Security-Worry-Researchers-234517/

January 31, Ars Technica – (International) Fake Windows updater targets government contractors, stealing sensitive data. Two security companies released a joint report January 31 describing an ongoing series of attacks against government contractors that has been occurring since at least early 2009. According to the vendors Seculert and Zscaler, attackers are sending firms phishing e-mails with fake invitations to conferences, often in the form of PDF files that exploit flaws in Adobe Reader. The file installs what the vendors call an “MSUpdater” trojan that poses as a legitimate Windows Update process. In reality, the trojan is a remote access tool that can steal data from a company’s network for as long as the breach remains undiscovered. “Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks,” the report states, without identifying specific attack targets. The vendors believe the attacks are either state-sponsored or perpetrated by a high-profile group of attackers, but they have not yet been able to determine the attackers’ identities, according to Seculert’s CTO.

Source: http://arstechnica.com/business/news/2012/01/fake-windows-updater-targetsgovernment-contractors-stealing-sensitive-data.ars

March 1, H Security – (International) Report: Thousands of embedded systems on the net without protection. At the RSA Conference 2012, a Zscaler researcher provided evidence that many embedded Web servers (EWS) can be easily accessed by outsiders via the Internet. Where multi-function printers or video conferencing systems are concerned, this can cause serious data leaks: the printers store scanned, faxed, and printed files on hard disks and then disclose the documents, and video conferencing hardware allows outsiders to monitor rooms remotely or listen to meetings in progress. The researcher’s aim was to scan 1 million Web servers and create a catalog of all the EWS he found. After a round of testing, he entered typical character strings from the EWS Web pages into Shodan. A scan managed to examine the 1 million servers in a short time and came up with the following results: many thousands of multi-function devices, 8,000 Cisco IOS devices, and almost 10,000 VoIP systems and phones did not require any log-in authentication. The majority of the devices were not protected by passwords. This means any Web user can access their Web interfaces through a browser and view the documents stored on such photocopiers and printers, forward incoming faxes to an external number, or record scan jobs. The scan run also identified more than 9,000 video conferencing systems by Polycom and Tandberg (now Cisco). The researcher used a video to demonstrate how he managed to monitor the targeted conference rooms via an accessible video conferencing system that provided both sound and images.

Source: http://www.h-online.com/security/news/item/Report-Thousands-of-embeddedsystems-on-the-net-without-protection-1446441.html

March 6, Softpedia – (International) 200,000 webpages compromised to lead visitors to fake AV sites. Mass infections have not been uncommon in the past several months, and security experts believe they have found another one. Websense found 30,000 unique Web sites currently compromised to redirect visitors to sites that promote fake antivirus software. A total of 200,000 Web pages, spread across those 30,000 sites, are compromised, and the campaign appears designed to target mostly sites running the WordPress content management system. After multiple redirects, victims are taken to a Web site that performs a fake scan, pointing out many infections and threats. The scan is designed to appear as if it takes place in a Windows Explorer window, but in reality it is simply a Web page designed to fool users. When the scan completes, the user is urged to install an antivirus tool; that tool is a trojan that, once installed, gives the attacker complete control of the infected machine.

More than 85 percent of the compromised sites are located in the United States. The injected code is usually placed before the tag. Web site administrators who suspect their sites may be compromised should check their code for the malicious script. According to researchers, if one of the Web pages displays the code, then most likely the entire site is compromised and each page should be thoroughly checked and cleaned.

Source: http://news.softpedia.com/news/200-000-Webpages-Compromised-to-Lead-Visitors-to-Fake-AV-Sites-256874.shtml
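The advice above to check every page of a suspect site for the injected script is easier to follow with a scanner than by hand. The script below is an added example, not code from Websense or Softpedia: it walks a document root, pulls every script element out of each HTML or PHP file, and flags blocks that load from a host the site does not own or that use the obfuscation primitives (eval, unescape, String.fromCharCode, hex escapes) mass-injection payloads lean on, noting whether the block sits directly before a closing tag. The heuristics, the three sample files and the hostnames in them are constructed; the site's own hosts are passed in as a parameter since the page gives none.

```python
"""Scan a site's document root for <script> blocks that carry the marks of an
injection: a src on a host the site does not own, or obfuscation primitives
such as eval/unescape/String.fromCharCode, and note when the block sits
directly before a closing tag, where mass-injection campaigns tend to put it.
Added example, not code from Websense or Softpedia; the heuristics, the file
contents and the hostnames below are constructed."""
import os
import re
import tempfile
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
OBFUSCATION_RE = re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\\x[0-9a-f]{2}",
                            re.IGNORECASE)
CLOSING_RE = re.compile(r"</(?:body|html)\s*>", re.IGNORECASE)
WEB_EXTENSIONS = (".html", ".htm", ".php")


def scan_html(text, own_hosts):
    """Return a list of findings for one document.  own_hosts: hosts whose
    external scripts are expected (relative src values are always accepted)."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        block = m.group(0)
        open_tag, _, body = block.partition(">")
        reasons = []
        src = SRC_RE.search(open_tag)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host and host not in own_hosts:
                reasons.append(f"external src host {host}")
        if OBFUSCATION_RE.search(body):
            reasons.append("obfuscation primitives in inline script")
        if reasons:
            findings.append({
                "script": block[:80],
                "reasons": reasons,
                "before_closing_tag": bool(CLOSING_RE.match(text[m.end():].lstrip())),
            })
    return findings


def scan_tree(root, own_hosts):
    """Walk `root` and map relative path -> findings for every web file that has any."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_html(fh.read(), own_hosts)
            if found:
                results[os.path.relpath(path, root)] = found
    return results


# Constructed site: one clean page, one page with an obfuscated inline script
# injected just before </body>, one page pulling a script from a foreign host.
SAMPLE_FILES = {
    "about.html": '<html><body><h1>About</h1>\n<script src="/js/site.js"></script>\n'
                  '<script src="https://www.example.com/js/app.js"></script>\n</body></html>',
    "index.php": '<html><body><h1>Home</h1>\n<script src="/js/site.js"></script>\n'
                 '<script>eval(unescape("%76%61%72%20%61%3d%31"))</script>\n</body></html>',
    "contact.html": '<html><body><h1>Contact</h1>\n'
                    '<script src="http://cdn.example.org/x.js"></script>\n</body></html>',
}


def demo(own_hosts=frozenset({"www.example.com"})):
    """Write the constructed site to a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="webscan-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root, own_hosts)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        for f in found:
            where = "before closing tag" if f["before_closing_tag"] else "elsewhere"
            print(f"{path}: {', '.join(f['reasons'])} ({where}): {f['script']!r}")
```

On the constructed site the scanner reports index.php (obfuscated inline script right before the closing tag) and contact.html (script loaded from a host the site does not own) and stays silent on the clean page. A hit on one page is, as the item says, reason to check every page; cleaning the files without closing the hole that let the attacker write them (stale WordPress or plugin versions, stolen FTP credentials) only buys time until the next injection.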

March 7, Wired – (International) Researchers seek help in solving DuQu mystery language. DuQu, the malicious code that followed in the wake of Stuxnet, has been analyzed nearly as much as its predecessor. However, one part of the code remains a mystery, and researchers are asking programmers for help in solving it. The mystery concerns an essential component of the malware that communicates with command and control servers and has the ability to download additional payload modules and execute them on infected machines. Researchers at Kaspersky Lab are unable to determine the language in which the communication module is written. While other parts of DuQu are written in the C++ programming language and are compiled with Microsoft’s Visual C++ 2008, this part is not, according to the chief security expert at Kaspersky Lab. He and his team also determined it is not Objective C, Java, Python, Ada, Lua, or many other languages they know. While it is possible the language was created exclusively by DuQu’s authors for their project and has never been used elsewhere, it is also possible it is a language that is commonly used, but only by a specific industry or class of programmers. Kaspersky is hoping someone in the programming community will recognize it and come forward to identify it. Identification of the language could help analysts build a profile of DuQu’s authors, particularly if they can tie the language to a group of people known to use this specialized programming language, or even to the people who were behind its development. DuQu was discovered in 2011 by Hungarian researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics.

Source: http://www.wired.com/threatlevel/2012/03/duqu-mystery-language/

March 19, PC Magazine – (International) LinkedIn e-mail scam deposits banking trojan. GFI Labs recently discovered a LinkedIn e-mail phishing scam that installs the Cridex banking trojan. The fake LinkedIn e-mail looks like an authentic e-mail reminder about pending invitations. The phishing scam shares the same IP address (41.64.21.71) as several recent Better Business Bureau and Intuit spam runs. The Cridex bot, also known as Cardep or Dapato, was discovered in the wild in August 2011. It spreads through e-mailed or shared attachments. Once installed, the trojan connects to a remote command and control (C&C) server, then injects itself into the target’s Internet Explorer process, where it steals online banking credentials, e-mail accounts, cookies, and FTP credentials and sends them back to the C&C server. Earlier this month, M86 Labs reported that Cridex currently infects 25,000 machines.

Source: http://securitywatch.pcmag.com/security/295538-linkedin-email-scamdeposits-banking-trojan

PRODUCTS, SERVICES AND TRAINING

Corporate Headquarters
Advantage SCI, LLC
222 North Sepulveda Boulevard, Suite 1780
El Segundo, California 90245
Phone: 310.536.9876
Fax: 310.943.2351
www.advantagesci.com

Advantage SCI Vision: “Educate America’s 300 million people and business leaders on prevention, detection, and response to 21st century threats.”

Newsletter Editor: Richard Haidle, Counterintelligence Services Manager, [email protected], 310.536.9876 x237

Advantage SCI offers services supporting the counterintelligence needs of the cleared defense contractor community, private business, government, utilities, and municipalities with requirements to protect classified information, trade secrets, intellectual property and other privileged information. Services include:
• Vulnerability Assessments
• Threat briefings/Foreign Travel Briefings/Debriefings
• CI Awareness Training / Insider Threat Training
• TSCM services in classified or unclassified spaces
• Plans, SOPs and Regulatory related materials
• Other matters related to improving CI related posture

Advantage SCI is a veteran owned, Woman-Owned Small Business, 8(a), SDVOSB, WBE, WOSB, SDB, GS-07F-5900R (Schedule 84).

NEW FROM ADVANTAGE SCI

iTravelSAFE is a comprehensive travel tool being launched by Advantage SCI as an App for the iPhone and iPad. The international traveler can use the App prior to, during, and after all international travel. Once iTravelSAFE is downloaded onto the iPhone and/or iPad, the vast majority of content is viewable both online and offline. iTravelSAFE is available now for the iPhone and iPad (with an iPad-specific version to be available shortly) and will soon be available for the Android operating system.

Some features of iTravelSAFE:
• iTravelSAFE provides online or offline functionality
• Detailed information on more than 200 countries
• Online and Offline Country Maps
• Updated Travel Threat Advisories
• How to Avoid International Financial Scams
• Links to all Information for International Travel
• Travel Tips for Business Travelers
• Travel Tips for Students
• Tips on Driving Overseas
• Tips on Hotel Safety
• Tips on Personal Safety
• Crime Information

If you are a business traveler, there are tips to consider during foreign travels: How can I protect business and private information when traveling? What are the signs that personal information is being targeted? If you are a college student going overseas for study or travel: What considerations should be made for appropriate attire, appearance and behavior? If you are traveling to a country for a pleasant vacation: What criminal activity occurs in that country that could spoil a vacation? How can that criminal activity be avoided? Who should you call if you are a victim of crime? What is the telephone number for the U.S. Embassy or a nearby consulate? The answers to these questions and many more are all available within the iTravelSAFE App.