(Photo: Wikimedia Commons)

After several months of near-constant chatter about Chinese hackers, the U.S. government has finally come right out and said it: the Chinese military is probably, right this very minute, trying to hack into America's computers to steal our precious bodily fluids state secrets.

That's from the Pentagon's annual report to Congress which, as the New York Times reports, was unusually direct in accusing China of hax0ring America's shit. For example:

“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” the nearly 100-page report said.

One possible motive? Mapping “military capabilities that could be exploited during a crisis.” The report also says that cyberweapons are an increasingly important element of China's strategic arsenal. Don't everyone start writing Red Dawn-meets-Neuromancer all at once!

China, however, has denied everything:

‘‘We’re willing to carry out an even-tempered and constructive dialogue with the U.S. on the issue of Internet security. But we are firmly opposed to any groundless accusations and speculations, since they will only damage the cooperation efforts and atmosphere between the two sides to strengthen dialogue and cooperation.’’

Oh, well, in that case, a thousand pardons.

(Photo: Deviant Art)

Devices like security cameras, traffic light systems, and high tech temperature controls can all be connected to the web, but they aren’t indexed by Google, which makes them difficult to find without deep computer expertise. Now SHODAN, a search engine that crawls the web for devices like routers, webcams and servers, is helping to expose some of the security flaws inherent to these devices.

Called the "Google for hackers" by ZDNet, SHODAN provides a powerful search platform for those looking for security holes in web-connected devices. According to CNN:

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

Many of these devices are ill-equipped to handle hackers: since they're rarely indexed, there hasn't been a need to set up typical security controls. Many can even be accessed via default passwords like "1234."

A researcher at the cybersecurity conference DEFCON recently demonstrated just how easy it is to access the devices found on SHODAN. Writes CNN:

Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city's entire traffic control system was connected to the Internet and could be put into "test mode" with a single command entry.

We smell a Michael Bay-style infrastructure hacking movie on the horizon.

(Photo: Facebook)

If you've recently received an email--not sent by your kooky aunt--with the subject line "Check out these kitties! :-)," you may have been the victim of a fake cyberattack. The Wall Street Journal reports that companies are hiring "ethical hackers" to build fake phishing scam emails to test which employees are dumb enough--or big enough cat lovers--to fall for them.

Users who click the link promising more cute cat pics are greeted with a gotcha warning: you've been the victim of a simulated cyberattack, ya dummy. If you want cute cat pics, just Google for 'em.

But the deception goes much deeper. Companies can hire firms like Trustwave Holdings, which will do everything from randomly scattering USB drives around to see if employees stick them in their computers to dressing up in disguises to dupe security. Trustwave's Ryan Jones keeps an arsenal of costumes and frequently employs crutches to "persuade sympathetic people to open locked doors."

He's basically the Gene Parmesan of cybersecurity.

The moral of this story? Never trust a man with crutches asking you to "have a peek at the server room."

That dude knows what's up. (Image: Krebs on Security)

Got a massive pile of stolen money lying around? Happens to us all. You just need the right people to help launder it. And that, of course, is where the Internet comes in.

Security blogger Brian Krebs points to the advertisement above, which is making the rounds on Russian forums for cyber criminals. He reports that the flyer (featuring an anime-style illustration of a dude who looks like he's about to take allll your money) promises "willing and ready foot soldiers for hire in California, Florida, Illinois and New York." Translation: They've got a whole network of folks on the ground in the U.S., ready to help you move your loot into your international bank account.

It's actually easier said than done getting money stolen virtually out of America and into offshore bank accounts. High-priced merch has to be picked up and hawked somewhere, and you can't simply transfer tens of thousands of dollars out of a bank account without raising a red flag. Often the solution is to recruit unknowing "money mules" through shady work-from-home schemes, but that runs the risk they'll realize something's up and bolt.

These "foreign agents" call themselves “nerazvodni” or “not deceived,” meaning they know what's up, and so they're ready and willing to keep their shit together and stay quiet. As Mr. Kreb puts it: "These are mules that can be counted on not to freak out or disappear with the cash." Customers even get access to a dashboard where they can monitor their accomplices' progress.

That makes them very, very valuable, which means they can charge up to 45 percent for their services. Hey, know-how don't come cheap.

In a sensible move, however, the organization works by reference only. So unless you've got someone in the underground to vouch for you, looks like you're shit outta luck.

President Barack Obama. (Photo: Wikimedia)

At some point in October this year, President Obama signed the slightly creepy-sounding and secret Presidential Policy Directive 20, a source tells The Washington Post. According to the Post, the directive gives the military license to "act more aggressively" when combating cyber-attacks directed at major U.S. networks.

In essence, anyone waging war on the country via the internet is on notice:

The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.

Policy Directive 20 is a refresh of a presidential directive signed during the Bush administration and falls in line with the Obama administration's concerns regarding internet-based threats to the nation's infrastructure.

Given the reported mid-October signing of Directive 20, it's worth noting the timing of Secretary of Defense Leon Panetta's October 11 speech about cyber threats. In his address, Secretary Panetta outlined a nightmare scenario combining real and cyber attacks, resulting in what he termed a "cyber Pearl Harbor." Mr. Panetta said such devastating actions would result in "physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability."

This? No problem. Keeping a laptop safe? No dice. (Photo: flickr.com/usnavy)

Maybe Mat Honan is right--for all the importance we place on them, passwords don't really work worth a damn. Many privacy breaches skip straight to the goodies, like social security and credit card numbers. The latest illustration: Reuters reports that NASA is telling employees that a laptop packed with personal information was lifted from a (locked) car.

Apparently there's so much information "that must be reviewed and validated," it could take as long as 60 days to notify everyone involved.

Free credit monitoring for everyone!

According to Reuters:

The laptop, issued to an employee at NASA headquarters in Washington, was password protected but its disk was not fully encrypted, NASA wrote employees in a letter dated Tuesday and distributed this week.

Five bucks says the password was "MoonMan1969."

But here's what's really embarrassing: This isn't even the first such incident. Another laptop was stolen back in March. In fact, Reuters adds,

A NASA inspector general report this year determined 48 NASA laptops and mobile computing devices were lost or stolen between April 2009 and April 2011, many containing sensitive data.

Did they check outer space?

(Photo: The Atlantic)

Superstorm Sandy washed and blew away some polling places and displaced thousands of residents in New York and New Jersey. New Jersey, in an effort to make sure every voice is heard, has enabled voting via email.

New York didn't want to go with the email voting option because officials feel it might be vulnerable to fraud.

Writing in Norman's "Security Exposed" blog, Norman's vice president and GM Darin Andersen examines the problem of email voting.

Mr. Andersen writes that polling machines may have their own security problems but admits there hasn't been reliable evidence of hacker interference in previous elections. However, Mr. Andersen is wary of email voting:

In light of a natural disaster, email voting seems like a fair solution, but unfortunately, today’s sophisticated malware is a real threat to voting processes. I urge affected New Jersey residents to opt for voting at an alternative polling location if they haven’t already submitted an absentee ballot. In the future, I believe that with strict regulations and the correct cyber defense measures in place, innovative internet-based voting could enable quicker and more convenient voting and ballot counting processes.

In worst-case scenarios any vote could be compromised. They could be changed via theoretical (but entirely doable) man-in-the-middle attacks, snatched by Mr. Andersen's feared "sophisticated malware" if sent via email. Or voters could arrive at polling places to find machines just aren't there. Casting a vote remains a big, national act of faith that the system will ultimately work.

At least voting machines aren't accompanied by banner ads. Yet.

Chinese flag

A Chinese hacking crew dubbed the Comment Group has been romping through corporate America's computer networks for a few years now. The extent of the breaches wasn't clear until Bloomberg published an in-depth report Sunday detailing in part how soft drink giant Coke was hacked in 2009 and didn't tell.

The deep hacking of sensitive data from Coke's systems destroyed a $2.4 billion acquisition deal with China Huiyuan Juice Group, which would have been the largest deal of its kind at the time:

Coca-Cola, the world’s largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees -- and in some cases even from senior executives.

When hackers last year waged a large-scale attack on BG Group Plc (BG/), raiding troves of sensitive data, the British energy company never made it public. Luxembourg-based steel maker ArcelorMittal (MT) also kept mum when intruders targeted, among others, its executive overseeing China. As did Chesapeake Energy Corp. (CHK), after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale.

Using sources with in-depth knowledge of the breaches and their effects on each company, Bloomberg goes on to report an alarming pattern of steadfast corporate denial in addition to threadbare security guarding remarkably sensitive, high-value data.

The Chinese Foreign Ministry, naturally, has denied the hacks are state-sponsored and told Bloomberg allegations the Comment Group is a secret branch of the Chinese military are not supported by "concrete evidence and investigation."

Cybersecurity expert James Lewis defined the bottom line behind the attacks and the best reason to believe they are part of an active, state-sponsored program when he told Bloomberg reporters, "This has been a part of their plan to catch up to the West [...] You steal their technology, you steal their business secrets."

Secretary Panetta. (Photo: flickr.com/usnavy)

Earlier this week, Defense Secretary Leon Panetta took a little trip to the Intrepid Air and Space Museum, where he gave a speech. The New York Times reports that in that speech, he proceeded to do what appears to have been his damnedest to scare the ever-loving crap out of everyone, everywhere about the prospect of cyberattacks on our precious bodily fluids American infrastructure.

Painting a picture that sounds an awful lot like a Michael Bay film, Secretary Panetta warned: 

“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

Mass chaos: It's not just for Deceptacons any more!

He also dropped the term "cyber-Pearl Harbor," because of course.

The New York Times also points out that Mr. Panetta is currently stumping for new legislation demanding new standards for things like power plants and gas pipelines. So, you know--grain of salt and all.

Leaky. (Screengrab)

If you own one of the world's billion or so Windows computers, we are sorry to inform you it probably contains a Java vulnerability that could allow a malicious attacker to sidestep Java security and exploit your browser.

According to Softpedia, most browsers are vulnerable:

The researchers have confirmed that Java SE 5 – Update 22, Java SE 6 – Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack.

The affected web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and Internet Explorer 9.0.8112.16421.

Researchers at Security Explorations, who have made it their business to pick out all the vulnerabilities in Java, have given Oracle a full breakdown of the problem complete with source code and proof-of-concept demonstrations of how the exploit might work.

Oracle doesn't issue critical patch updates for Java until the middle of October. Whether much of the planet's population waiting for this hole to be fixed will goose them into moving faster to fix the problem remains to be seen.