FBI Expects Number of Cyber Attacks ‘To Grow Exponentially’ in Coming Years

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.cnsnews.com/news/article/paul-lagarde/fbi-expects-number-cyber-attacks-grow-exponentially-coming-years

Cyber attacks on the nation’s private sector and government networks are
expected to “grow exponentially” and will continue to pose a serious threat
to privacy, security and the U.S. economy for the foreseeable future, an
FBI official warned members of Congress.

FBI assistant director Joseph Demarest testified that “the frequency and
impact of cyber attacks on our nation’s private sector and government
networks have increased dramatically in the past decade and are expected to
grow exponentially" during a joint hearing of the House Counterterrorism
and Intelligence and the Cybersecurity, Infrastructure Protection, and
Security Technologies Subcommittees on Capitol Hill Wednesday.

But Demarest added that "the FBI and our partners have had multiple recent
investigative successes against the threat, and we continue to push
ourselves to respond more rapidly to prevent attacks before they occur."

In his opening statement at the hearing, subcommittee chairman Rep. Peter
King (R-NY]) noted the changing nature of national security efforts.

“While the U.S. has made great strides to secure the homeland since 9/11,
our enemies have evolved, and we must now consider that a foreign
adversary, terrorist network, or a criminal organization will use
cyberspace to penetrate America’s defenses," he said.

King expressed his approval of the efforts of law enforcement to combat
“persistent and emerging cyber threats to the United States,” hailing the
FBI's recent indictments of Chinese military hackers and users of a
malicious program called “Blackshades” as encouraging successes.

“I hope it is a signal of more aggressive U.S. actions to address the cyber
threat as we move forward, because this threat is not going away," King
said.

The FBI lists cyber crime as its third highest national security priority,
behind only terrorism and counterintelligence.

Earlier this week, the Department of Justice (DOJ) unsealed economic
espionage indictments against five Chinese military officers who allegedly
hacked into the computer servers of multiple U.S. businesses, including
Westinghouse, U.S. Steel, and Alcoa, to steal sensitive information.

On Monday, the FBI also announced the results of a “cyber takedown” of
Swedish national Alex Yucel and U.S. citizen Michael Hogue, who are charged
with developing “a particularly insidious computer malware known as
Blackshades,” which was sold and distributed to thousands of people in more
than 100 countries and has been used to infect more than half a million
computers worldwide.

An “unprecedented law enforcement operation” undertaken in coordination
with 18 other countries resulted in over 300 investigations of hackers
using Blackshades to penetrate computer systems and over 90 arrests,
according to the FBI.

Blackshades employs a form of malware known as a Remote Access Tool (RAT)
that can be purchased online for as little as $40. With this tool, criminal
hackers can steal passwords and banking credentials, hack into social media
accounts, access computer files, record keystrokes, activate webcams,
encrypt computer files to hold for ransom, and use the victim’s computer to
spread the malware to others.

Last month, a software security firm known as Codenomicon discovered
another major bug. Internet services firm Netcraft estimates that this bug,
dubbed “Heartbleed,” initially infected about 17% of SSL (Secure Socket
Layer) web servers worldwide, including those used by popular websites
Twitter, Tumblr and Yahoo.

Caused by a vulnerability in the OpenSSL cryptographic software library,
Heartbleed allows remote hackers to eavesdrop on emails and instant
messages and retrieve encrypted data from Internet users, including names,
passwords, and content.

However, most large websites have already created patches to fix the bug,
according to a report by California firm Sucuri Security.

Larry Zelvin,  director of the National Cybersecurity and Communication
Integrations Center (NCCIC),  who also testified at the hearing, stated
that the NCCIC has been able to reduce the number of federal Heartbleed
vulnerabilities from 270 to 2 in less than three weeks.

“More than half of these vulnerabilities were identified and mitigated in
the first six days of scanning,” Zelvin stated.

In mid-April, Stephen Arthuro Solis-Reyes, a 19-year-old Canadian, became
the first person arrested for a Heartbleed-related security breach after he
was accused of hacking into the Canadian Revenue Agency’s website and
stealing over 900 Social Insurance numbers.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!