Sunday, December 06, 2009

Importance of the Internet for Opposition Groups in Iran

Like many modern political opposition groups, Iranian protesters make extensive use of social networks and other Internet services to plan and coordinate protest activity:
"The opposition, which relies on the Web and cell phone service to organize rallies and get its message out, has vowed to hold rallies Monday, the first anti-government show of force in a month."
Likewise, governments may target these communications as a means to limit protests. Reports are alleging the Iranian Government is restricting Internet and mobile phone services to limit opposition communications prior to planned protests:

"Internet connections in the capital, Tehran, have been slow or completely down since Saturday. Blocking Internet access and cell phone service has been one of the routine methods employed by the authorities to undermine the opposition in recent months.

"The government has not publicly acknowledged it is behind the outages, but Iran's Internet service providers say the problem is not on their end and is not a technical glitch. A day or two after the demonstrations, cell phone and Internet service is restored."


Iran slows Internet access before student protests

Wednesday, October 07, 2009

International Telecommunications Union (ITU) Focus on Cybersecurity

ITU has announced a partnership with the International Multilateral Partnership Against Cyber Threats (IMPACT) to increase international cooperation.
"IMPACT... set up its Global Response Centre (GRC) in Cyberjaya, Malaysia, earlier this year as the international community’s foremost cyberthreat resource, to proactively track and defend against cyberthreats."
The ITU Secretary-General spoke at the ITU Telecom World 2009 on the need for better coordination:
"ITU Secretary-General Dr Hamadoun Touré stressed the importance of cyberpeace, where nations collaborate in a global cybersecurity framework based on enlightened self-interest. "Every country is now critically dependent on technology for commerce, finance, healthcare, emergency services, food distribution and more. Loss of vital networks would quickly cripple any nation – and none is immune to cyberattack."

Cybersecurity in action at ITU Telecom World 2009

Thursday, October 01, 2009

Russian FSB Arrests for Dagestan Intrusions

Axis Information and Analysis provided a short report on the arrest by the Russian FSB (Federal Security Service) of an individual for politically motivated intrusions into the systems of various Russian republics:
"In the course of investigation the FSB employees managed to find cyber-criminals of the Ansar group of insurgents who had been engaged in hacker attacks with an aim of distribution of their ideas through the world-wide web, and the 27 y.o. hacker Albert Saayev. The FSB established his participation in breaking of some of the state information resources, including sites of authorities of the Chechen Republic, Dagestan and Ingushetia."
The article alleges that Mr. Saayev had previously been arrested and convicted of similar crimes.

Dagestan hackers suspected of cyber-extremism detained by Federal Security Service in Moscow

Wednesday, September 30, 2009

Attack Aimed at Foreign Journalists in China

Infowar Monitor has posted a short analysis of a cyber attack targeting foreign journalists based in China, including "Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa." The attack consisted of an email from a purported journalist interested in visiting China, carrying an attached PDF file with malware. The technique appears to be related to previous politically motivated attacks in the region:
"The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past."
The post also provides some speculation on motives and attribution.

Targeted Malware Attack on Foreign Correspondents based in China

Singapore Creates Agency to Protect against IT Threats

The Singapore Government issued a press release announcing the creation of the Singapore Infocomm Technology Security Authority (SITSA) "to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage."

Specifically SITSA will provide:
  • IT Security Consultancy for strategic Government projects that have national security impact
  • Partnership Development to build relationships with key entities strategic to enhancing Singapore’s IT security
  • Critical Infocomm Infrastructure Protection to systematically harden the CIIs in nationally critical sectors
  • Technology Development to develop and maintain SITSA’s technical competencies and to provide insights on developments in IT security and threats
  • Singapore’s planning and preparedness, and response, against any major external cyber attack
The authority will be part of the Ministry of Home Affairs.

Singapore Infocomm Technology Security Authority Set Up to Safeguard Singapore against IT Security Threats

Tuesday, September 29, 2009

Changes to India's Cybercrime Laws

It appears that the Indian Government will soon amend the Information Technology Act of 2008 with changes to:

"...[strengthen] Extradition Law of India to effectively challenge the cyber crimes, including effective provisions regarding cyber war and cyber terrorism in India, International harmonisation of cyber law, providing sound cyber law and cyber security..."

It does not appear that an actual text of the proposed amendment is available online.

Cyber Law Of India to be amended soon

Report on Georgian Cyber Attacks

The U.S. Cyber Consequences Unit, a U.S.-based non-profit organization, released the results of its study of the cyber attacks on Georgia in 2008.
"The study concludes that the cyberattacks against Georgian targets were carried out by civilians, many of them recruited via social networking forums devoted to dating, hobbies and politics."
It points out the complexities involved in politically motivated attacks due to the involvement of actors with varying skills and agendas:
"...sympathizers who were not hackers, and who didn't even know much about computers, could participate.

"The report says the civilian cyberattackers were aided and supported by Russian organized crime. Although they found no evidence of direct involvement by the Russian government or military, the report concludes that the organizers were tipped off about the timing of Russian military operations."

The report has not been made public.

Study warns of cyberwarfare during military conflicts

Thursday, April 09, 2009

Analysis of Report on Power Grid Intrusions

After publishing a post on The Wall Street Journal article concerning intrusions into the US electrical grid, I re-read the report and noticed a discrepancy in comments by various "government officials". The story first states (I've added the emphasis):
"The intruders haven't sought to damage the power grid or other key infrastructure..."
but then reports that:
"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."
The article goes on to state:
"Officials cautioned that the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt."

With the caveat that the article provides no real data to perform an accurate risk assessment, these statements, as reported, are worrying to say the least. If software really has been planted that can "destroy infrastructure components" then my professional opinion is that:
  1. Damage has occurred - If a system is penetrated to the extent that software has been installed that disrupts operations, the system has been damaged. The integrity and operational capacity of the system is compromised. In a large complex network, it is very difficult to regain control when this level of compromise has taken place.

  2. There is immediate danger - As long as systems are compromised with malicious software, the motive of the intruders is unclear and the vulnerabilities and entry points of the intruders remain, then there is an immediate danger. The companies owning these systems are not in control.

U.S. Electrical Grid Intrusions

Does China have "Exploit Factories" to Discover Vulnerabilities?

The identification and exploitation of vulnerabilities in software is a never ending job for cyber criminals. Strategy Page looks at the possibility of what I would call "exploit factories" in China:
"China, for example, obtains these ZDEs [Zero Day Exploits] the same way they have become the place where software manufacturers go to get their software (especially game software) tested cheaply, and thoroughly. In China, you can fill up a large hall with hundreds of bright, but otherwise unemployed, Chinese guys, equip them with PCs, and instructions on what to do to test software. Offer bonuses for those who find flaws, and off you go. Finding ZDEs is basically the same drill, except it takes a week or so of on-the-job training to familiarize your searchers with the testing and searching tools (some of them available at hacking sites) used to dig around in software for flaws."

The article goes on to discuss the potential link to the military and use in cyber warfare:
"The extent and effectiveness of this Internet based crime has military implications, because the same tools used by criminal hackers, are employed by Cyber War specialists."


The Secret Menace

Wednesday, April 08, 2009

U.S. Electrical Grid Intrusions

The Wall Street Journal reignited the debate on infrastructure vulnerability with an article concerning intrusions into, and mapping of, the U.S. electrical grid. The report points to China and Russia as the source, but provides almost no details beyond the generalized comments of anonymous sources to substantiate the claims.

One interesting note is the lack of detection of the intrusions by the companies themselves:

"Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Of course, the story is spawning many other reports and analyses, including the suggestion that the power grid should be disconnected from the Internet:
"The onetime Counter Terrorism Czar, who famously criticized the Bush Administration for doing little to combat al Qaeda early in his first term before 9/11, chided the Obama Administration for not moving fast enough to decide upon the best defense strategy to counter cyber attacks on key infrastructure.

"One thing you can do is disconnect the power grid control system from the internet," Clarke said. "There's no reason for it to be connected."
This could be said of many critical systems. One such system that is rarely discussed is emergency communications, including 911 systems, which have slowly been connected to the Internet despite security issues.

Electricity Grid in U.S. Penetrated By Spies
Disconnect electrical grid from Internet, former terror czar Clarke warns

Monday, April 06, 2009

Indian Political Party Calls for Cyber Warfare Preparations

The New Zealand-based website Scoop ran an article on escalating calls by political parties in India that advocate offensive nuclear and cyber warfare capabilities:
"We took note of the nuclear saber-rattling in these columns earlier ("India's Right Wing Wants Nuclear War," December 18, 2008). The chief of the Rashtriya Swayamsevak Sangh (National Volunteers' Association), patriarch of the "parivar" as the far-right "family" is popularly known, proclaimed nuclear war as the final solution to the problem of terrorism. Kuppahalli Sitaramayya Sudarshan, no less the führer of the far right despite his relatively low profile, thought nothing of this growing into a nuclear Third World War against terrorism. His Nazi-like logic was that such a war of extreme nationalism would cleanse the world as well. "
This has been followed by calls from India's Bharatiya Janata Party (BJP) to create a cyber warfare program with both defensive and offensive capabilities:
"The party spells out its policy on the subject in a document, released some days back, titled "BJP"s IT Vision." Calling for "an integrated National Cyber Security Plan, covering all aspects of external defense and internal security," the document also stresses the need for "an independent Digital Security Agency."

"This agency, it is declared, will be "responsible for cyber warfare, cyber counter-terrorism and cyber security of national digital assets."

...

"The document itself, however, leaves little doubt that the wording about an agency for cyber warfare was deliberate. Before issuing this call, the BJP emphasizes the need for building both "defensive and offensive capabilities for electronic warfare."
The threat of cyber war was then addressed by the current Indian government:
"On March 26, Cabinet Secretary K M Chandrasekhar said in New Delhi: "Cyber attacks and cyber terrorism are the new looming threats on the horizon. There could be attacks on critical infrastructure such as telecommunications, power distribution, transportation, financial services, essential public utility services and others." He did not name China as the enemy in this regard, but tied the threats to terrorism.

"China, however, was to figure prominently in a series of reports on cyber threats since then. On March 28, an unidentified high military officer was reported to have told well-known daily The Hindustan Times that, according to army intelligence, Beijing was planning an "information war" impliedly as a prelude to a major conflict by 2017."


India: After Nuclear War Far Right Wants Cyber War

Tuesday, March 31, 2009

Intercept Modernisation Programme to Include Social Networks

Following the implementation of the EU Data Retention Directive requiring member states to retain communication traffic information for law enforcement, the U.K. developed the "Intercept Modernisation Programme".
"The Home Office already has plans to log details of all phone calls, emails and websites visited by web users in the UK, as part of a grander scheme, a massive "mother of all databases" under the "Intercept Modernisation Programme" umbrella."
The Home Office is now looking at expanding beyond the EU Directive to include communications between users of social networking sites such as Facebook and Twitter:
"The Home Office minister Vernon Coaker told MPs that the fact that the EU Data Retention Directive lacks some features is "why the Government is looking at what we should do about the intercept modernisation programme because there are certain aspects of communications which are not covered by the directive."
This, of course, is stirring a significant debate on civil liberties. However, when investigating large-scale crimes involving the Internet (and especially international activity), traffic analysis of communications is probably the single best investigative tool available and this is one of the arguments put forth by proponents of the activity:
"The government said that it will not be interested in what is being discussed but rather who talks to whom online, something that the government says is vital in preventing criminals and terrorists' communicating facilities."


As an aside:

The keywords "Intercept Modernisation Programme" generate more traffic to this blog than any other, so I'm always interested in performing traffic analysis on the spike after an article on the subject is posted. Historically, over 80% of that traffic can be traced to U.K. defense or other governmental contractors.

UK Government Plans To Monitor Social Networking Websites


Social network sites 'monitored'

Famous Last Words

The Times of India quotes an Indian Army Lt. General saying the Indian Army is secure from cyber attacks:
"We have put in place a very secure network and I can confidently say that it cannot be tampered with,'' said signal officer-in-chief Lt-General P Mohapatra on Monday.

"There are various cryptographic controls that we have put in place and there are training activities to ensure that no loss of information takes place,'' he added."

The report further adds that "periodic cyber-security audits" provide additional protection.

Sigh...

Cyber war: Army says its systems are hack-proof

Sunday, March 29, 2009

U.K. Intelligence Fears Chinese Made Telecommunication Systems

The Sunday Times reports on U.K. intelligence officers' fear that China may be able to disrupt British telecommunications via Chinese systems supplied to British Telecom (BT):
"A confidential document circulating in Whitehall says that while BT has taken steps to reduce the risk of attacks by hackers or organised crime, “we believe that the mitigating measures are not effective against deliberate attack by China”."
The primary concern is BT using systems manufactured by Huawei:

"According to the sources, the ministerial committee on national security was told at the January meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

"Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network...”

Spy chiefs fear Chinese cyber attack

GhostNet: Massive Spy Network Uncovered

A series of reports and newspaper articles were released today on the investigation of what is being called GhostNet. The investigation began with complaints from Tibetan groups based in India, including the Private Office of the Dalai Lama. The foreword of the primary report describes the scope of the activity uncovered:
"The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information."

...

"From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value."
The attacks appear to originate from China, but the authors correctly point out the difficulty of determining the exact source:
"Some may conclude that what we lay out here points definitively to China as the culprit. Certainly Chinese cyber-espionage is a major global concern. Chinese authorities have made it clear that they consider cyberspace a strategic domain, one which helps redress the military imbalance between China and the rest of the world (particularly the United States). They have correctly identified cyberspace as the strategic fulcrum upon which U.S. military and economic dominance depends.

"But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading. Numbers can tell a different story. China is presently the world’s largest Internet population. The sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it’s expected that China (and Chinese individuals) will account for a larger proportion of cybercrime.

"Likewise, the threshold for engaging in cyber espionage is falling. Cybercrime kits are now available online, and their use is clearly on the rise, in some cases by organized crime and other private actors."
The report provides a detailed analysis of both methods and targets. Specifically:
"...our investigation... led to the discovery of insecure, web-based interfaces to four control servers. These interfaces allow attacker(s) to send instructions to, and receive data from, compromised computers... This extensive network consists of at least 1,295 infected computers in 103 countries.

"Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters."

Tracking GhostNet: Investigating a Cyber Espionage Network

Related Articles:

The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement

Vast Spy System Loots Computers in 103 Countries