
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.cyberspace      Part of that weird surfin-the-net thing      331 messages   


   Message 291 of 331   
   Allah's All-Seeing Anus to All   
   It's September 27, 2012 -- DO YOU KNOW W   
   27 Sep 12 07:16:49   
   
   c55b1a0c   
   XPost: alt.privacy, alt.computers, alt.politics.bush   
   XPost: alt.politics.democrats.d   
   From: jismquiff@yahoo.com   
      
   "It would seem the cyberattack merry-go-round has become an insoluble   
   problem.   
      
   Like, who's to say the Chertoff Group is not complicit in some or many   
   of the attacks this piece describes?   
      
   If there are profits to be made or properties to be stolen, hackers of   
   every stripe would be foolish not to 'get in the game.' "   
      
   +++++   
      
   "Recall it wasn't many years ago when hackers, mostly young people,   
   were being eagerly hired by private industry -- and possibly   
   governments -- to troubleshoot and ferret out -- hacking and   
   hackers!   
      
   And we laughed and marveled at these seemingly innocent   
   prankster-"geniuses," who generally did no jail time and gleefully   
   collected generous paychecks. "   
      
   =========================   
   "In cyberattacks, hacking humans is highly effective way to access   
   systems"   
      
      
   By Robert O’Harrow Jr.   
   September 26,  2012   
      
      
   THE E-MAILS arrived like poison darts from cyberspace.   
      
   Some went to the Chertoff Group, a national security consulting firm   
   in Washington. Others targeted intelligence contractors, gas pipeline   
   executives and industrial-control security specialists. Each note came   
   with the personal touches of a friend or colleague.   
      
   “Attach[ed] is a quote for the Social Media training we discussed,”   
   said one message sent on July 3 to the vice president of EnergySec, a   
   federally funded group in Oregon that focuses on the cybersecurity of   
   the nation’s power grid.   
      
   But like much of the digital universe, the e-mails were not what they   
   seemed. They were cyberweapons, part of a devastating kind of attack   
   known as “social engineering.”   
      
   Emerging details about the e-mails show how social engineering — long   
   favored by con artists, identity thieves and spammers — has become one   
   of the leading threats to government and corporate networks in   
   cyberspace.   
      
   The technique involves tricking people to subvert a network’s   
   security. It often relies on well-known scams involving e-mail, known   
   as “spear phishing,” or phony Web pages. But such ploys now serve as   
   the pointed tips of far more sophisticated efforts by cyberwarriors to   
   penetrate networks and steal military and trade secrets.   
      
   The e-mails this spring and summer appear to be part of a long-running   
   espionage campaign by a hacker group in China, according to interviews   
   with security researchers and documents obtained by The Washington   
   Post. Some of the e-mails, including those sent to the Chertoff Group   
   and EnergySec, were caught by suspicious employees. Others hit home.   
      
   “Multiple natural gas pipeline sector organizations have reported   
   either attempted or successful network intrusions related to this   
   campaign,” officials at the Department of Homeland Security said in a   
   confidential alert obtained by The Post.   
      
   The May 15 alert, by the department’s specialists in industrial   
   control systems, said “the number of persons targeted appears to be   
   tightly focused. In addition, the email messages have been   
   convincingly crafted to appear as though they were sent from a trusted   
   member internal to the organization.”   
      
   Social-engineering attacks revolve around an instant when a computer   
   user decides whether to click on a link, open a document or visit a   
   Web page. But the preparation can take weeks or longer.   
      
   Serious hackers investigate their targets online and draw on troves of   
   personal information people share about themselves, their friends and   
   their social networks. Facebook, Twitter and other social media have   
   become prime sources for the hackers, specialists said.   
      
   “Everybody has their trigger,” said Bruce M. Snell, director of   
   technical marketing at McAfee Security Systems. “A good social   
   engineer will find that trigger.”   
      
   Once malicious software code is delivered, it burrows in and hides in   
   a targeted network. That code, known as malware, can lurk for years in   
   intelligence or attack schemes that are sometimes known as “advanced   
   persistent threats.” Eventually, the code reaches back out to the   
   hackers for instructions, often cloaking the communication through   
   encryption or masking it to seem like innocuous Web browsing by an   
   employee.   
      
   Over the past three years, most major cyberattacks on U.S.   
   corporations have included social engineering, specialists said. That   
   includes hacks of Google and security giant RSA. Researchers think   
   that scores of attacks were designed by the same Chinese hackers who   
   appear to be involved in the current e-mail campaign. Some U.S.   
   officials think the hackers may have links to the Chinese military.   
      
   The Chinese are not the only ones using the technique. Cyberwarriors   
   at the Pentagon receive social-engineering training for offensive and   
   defensive missions, knowledgeable specialists said.   
      
   David Kennedy, a security consultant and former National Security   
   Agency analyst, said he is amazed at the effectiveness of the   
   techniques.   
      
   “I have done hundreds of these, and I have never been stopped,” said   
   Kennedy, who teaches social engineering to other security specialists.   
   “It sounds horrible, but it works every single time.”   
      
   The human factor   
      
      
   Social engineering works because it targets a vulnerable part of   
   cyberspace that cannot be patched with technical fixes: human beings.   
   People want to believe that their communication is safe.   
      
   “Because it goes at the human level, not at the technological level,   
   we’re all vulnerable,” said Joseph Nye Jr., a distinguished service   
   professor at Harvard University who is on the board of advisers to the   
   Chertoff Group. Nye said he has received at least six spear-phishing   
   e-mails purporting to be from the Chertoff Group. He said he deleted   
   them all, but he added, “Every once in awhile, one of these will get   
   by you.”   
      
   The explosive growth of cyberspace has created a fertile environment   
   for hackers. Facing the flood of e-mail, instant messages and other   
   digital communication, many people have a hard time judging whether   
   notes or messages from friends, family or colleagues are real. Many   
   don’t even try. Hackers are so confident about such permissiveness   
   that they sometimes begin their attacks in social media three or four   
   steps removed from their actual targets. The hackers count on the   
   malicious code spreading to the proper company or government agency —   
   passed along in photos, documents or Web pages.   
      
   “This is the next evolution of social engineering, where victims are   
   researched in advance and specifically targeted,” said a recent   
   Internet threat report by Symantec, a computer security firm. “The   
   very nature of social networks makes users feel that they are amongst   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca