Friday, December 19, 2008

U.S. Unprepared for Cyber Attacks

Reuters reported on the results of a two-day "cyber war game" and concluded that the U.S. still is not prepared for a significant attack.
"Billions of dollars must be spent by both government and industry to improve security, said U.S. Rep. Dutch Ruppersberger of Maryland, the Democratic chairman of the intelligence subcommittee on technical intelligence."

This is unlikely without serious legislation and government regulation (see Commentary: U.S. CEOs to Assist in Critical Infrastructure Protection? - Not Likely).

The article goes on to quote U.S. Homeland Security Secretary Michael Chertoff:
"International law and military doctrines need to be updated to deal with computer attacks, Chertoff said.

"We know that if someone shoots missiles at us, they're going to get a certain kind of response. What happens if it comes over the Internet?" he said."


U.S. not ready for cyber attack

Wednesday, December 17, 2008

U.S. Nuclear Regulatory Commission Issues New Cyber Security Rules

The U.S. Nuclear Regulatory Commission (NRC) issued a press release concerning new security requirements for nuclear power plants. The release had one line referring to increased cyber security. No other details were provided:
"Additionally, there are new sections requiring a comprehensive cyber security program at nuclear power plants..."

NRC APPROVES FINAL RULE EXPANDING SECURITY REQUIREMENTS FOR NUCLEAR POWER PLANTS

Tuesday, December 16, 2008

2009 Georgia Tech Cyber Threat Report

The Georgia Tech Information Security Center (GTISC) 2nd annual report on cyber threats covers five broad areas of interest:
  1. Malware
  2. Botnets
  3. Cyber warfare
  4. Threats to VoIP and mobile devices
  5. The evolving cyber crime economy
The cyber warfare section discusses the Russian-Georgian cyber conflict, noting the uncanny timing between the online and kinetic attacks, and then quotes several security commentators on the situation.

The report concludes with a discussion of the need for, and the possible forms of, government regulation to address these threats.

The full report is available at:
Emerging Cyber Threats Report for 2009

Sunni-Shi'ite Cyber Attacks Motivated by Religious Beliefs

The Middle East Media Research Institute (MEMRI) has published a summary of the history and religious motivation of Sunni-Shi'ite cyber attacks:
"The Sunni-Shi'ite cyberwar started in 2007 when a group of Sunni hackers calling itself "XP Group" threatened to attack all Shi'ite websites on the Internet, and proceeded to hack some 120 Shi'ite sites."

Sunni groups escalated the cyber confrontation in 2008, adding an explicit religious motivation for the attacks:
"Among them were two groups called Shabab Al-Salafiyin and Al-Ayyoubiyoun. The latter declared on various forums that the war against Shi'ite sites was a form of jihad that brought one closer to Allah."

The article concludes with quotes from Egyptian columnist Diana Muqallid:
"Battles between Sunni and Shi'ite sites are being waged [on the Internet], with each side virtually killing and harming the other by targeting the websites of religious figures, political leaders, and media outlets... In our lifetimes, [we have seen] journalists murdered, incarcerated, tortured and exiled. Media outlets have been closed in our region or placed under supervision, [and their premises] have been burned down. Electronic attacks convey the very same sentiment of wanting to negate the other..."


Recent Rise in Sunni–Shi'ite Tension (Part I): Sunni – Shi'ite Hacker War on the Internet

View of Cyber Terrorism from Taipei

The Taipei Times ran an editorial (by a U.S. author) on the growing threat of cyber-terrorism. Unfortunately, for the most part it simply rehashed recent international cyber events such as Russia's conflicts with Georgia and Estonia. However, the article's summary did make several good points:
"Governments can hope to deter cyber attacks just as they deter nuclear or other armed attacks. But deterrence requires a credible threat of response against an attacker. And that becomes much more difficult in a world where governments find it hard to tell where cyber attacks come from, whether from a hostile state or a group of criminals masking as a foreign government.

"While an international legal code that defines cyber attacks more clearly, together with cooperation on preventive measures, can help, such arms-control solutions are not likely to be sufficient. Nor will defensive measures like constructing electronic firewalls and creating redundancies in sensitive systems.

"Given the enormous uncertainties involved, the new cyber dimensions of security must be high on every government’s agenda."


Modern society faces growing cyber-terror threat

Monday, December 15, 2008

Commentary: U.S. CEOs to Assist in Critical Infrastructure Protection? - Not Likely

Coverage and analysis of the report "Securing Cyberspace for the 44th Presidency" released by the Center for Strategic and International Studies continues.

A recent article from NetworkWorld discusses the recommendation to create a C-level panel of advisers called The President's Committee for Secure Cyberspace. This panel would represent four key sectors: energy, finance, information technology/communications and government.
"The four industries were chosen for the committee because they “form the backbone of cyberspace. … Keep these sectors running and cyberspace will continue to deliver services in a crisis. Bring them down, and all other sectors will be damaged.”

There will be no problem getting CEOs to sit on a highly visible presidential committee where they can be seen to be doing something at little or no cost. However, expecting for-profit corporations to voluntarily make costly security changes and investments, especially during an economic downturn, is wishful thinking at best. It will never happen. Remember, these are the same CEOs who demand an extensive ROI justification for the most mundane security investment.

Therefore, the report also recommends new regulatory powers to force security changes:
"The report also seeks new regulations with the teeth to enforce standards that would establish a more secure infrastructure."

The article discusses several possible forms these regulations could take. Unfortunately, if past behavior provides any insight into future behavior, these regulations will either be passed with little forethought or, if there is open discussion and debate, be significantly weakened by lobbying once corporations realize the cost of compliance.

Top execs would roll up sleeves to fight cyber war, according to think tank study

Friday, December 12, 2008

Greenpeace Reports Computer Compromises Allow Environmental Damage in Brazil

Greenpeace has just released a story concerning a major investigation in Brazil in which computers that control the logging and exporting of timber in the Amazon rain forest have been compromised to allow logging companies to exceed their timber quotas:
"Police started investigating the suspect hackers in April 2007, swooping a couple of months later to arrest 30 ring leaders. One is still in jail - the intermediary who brought the hackers and the loggers together - and in total, 202 people are facing prosecution."
Greenpeace is highlighting this activity in advance of a vote in the Brazilian congress on a measure that would allow a large increase in legal logging:
"If this scandal weren't bad enough, it comes as the Brazilian national congress prepares to vote on a change to the country's forest code which could massively increase the amount of legal logging that will be allowed"

Hackers help destroy the Amazon rainforest

Wednesday, December 10, 2008

Calls to Define Cyberwar

One of the critical points made in the recently released report from the Commission on Cybersecurity for the 44th President was the need to actually define what is and is not cyber war.
"The U.S. military, meanwhile, lacks a formal doctrine on offensive military operations in cyberspace, although the Bush administration is "racing" to finalize such a policy before it leaves office, says one person familiar with the White House's work on the issue."
It is always concerning when a government body is "racing" to do anything, and this issue is too important to be handled in a haphazard fashion.

However, the report does define three important questions that need to be answered sooner rather than later:

"There are three central issues with which the international legal community must grapple as the debate continues, says James Lewis, the project director of the Commission on Cybersecurity of the 44th Presidency, which issued its report this week. Each country might have different answers, but the questions will be universal.

  • "At what point does a cyberattack constitute an act of war or a violation severe enough to justify a response?
  • "How do we protect the civil liberties of the Internet-using public while improving security?
  • "Which legal authorities will assume responsibility for investigating a cyberattack—the intelligence community, the military, or law enforcement?"
Answering these questions, combined with the creation of Rules of Engagement for Cyber Warfare and better investigative capabilities to determine actual source and motive, would be excellent first steps in gaining some measure of control over the situation.

When Do Online Attacks Cross the Line Into Cyberwar?

Monday, December 08, 2008

China to Require Disclosure of Security Technology

The Chinese government is moving forward with plans to require companies operating in China to obtain approval before using any type of security technology. The rules are scheduled to take effect May 1, 2009 and have resulted in pressure from the U.S. government to scrap the requirement.
"Giving [Chinese] regulators the power to reject foreign technologies could help to promote sales of Chinese alternatives. But that might disrupt foreign manufacturing, research or data processing if companies have to switch technologies or move operations to other countries to avoid the controls. Requiring disclosure of technical details also might help Beijing read encrypted e-mail or create competing products."


China irks US with computer security review rules

Thursday, December 04, 2008

Myopic Focus on Technology Creates "Achilles' Heel" in Military Cyber Security

One of the greatest failures of both commercial and governmental IT security programs is their tactical, myopic focus on technology at the expense of the larger organizational, process and people issues involved in understanding and mitigating cyber threats.

This dysfunctional situation was noted during a keynote address by the U.S. Air Force's chief information officer, Lt. Gen. Michael Peterson:

"This is our Achilles' heel," he said. "It's not about a denial-of-service attack; it's about the information on the network -- ensuring it's accurate, protected, and available. [But] we're still fighting over what patch to put on."

Lt. General Peterson also tried to put military cyber attacks in a more strategic perspective:

"Despite Russia's cyberwarfare tactics against Estonia and Georgia, Peterson said an all-out cyberwar won't happen; instead, cyberattacks will become one of many combat strategies used by adversaries to bring government to its knees.

"It won't be a pure fight," he said. "It will incorporate all domains … The battle is ongoing and these guys are very good."

Air Force CIO says cybersecurity federal "Achilles' heel"

U.S. Military Officials Look to Obama Administration for Better Cyber Security

StrategyPage.com is reporting that cyber attacks against U.S. military systems are not only growing in number but are increasingly targeted at specific information or individuals.

The article also claims that U.S. military officials want the new Administration to give a higher priority to cyber security:
"U.S. commanders are hoping president-elect Obama, the most computer-literate president ever, will provide more support for Cyber War efforts, both defensive and offensive."

Pentagon Pounding Persists

Australian Prime Minister Sees National Cyber Threat

Prime Minister Kevin Rudd commented in Australia's National Security Statement that technological dependence and cyber threats from "hackers, ...commercial entities and foreign states" place Australia's information infrastructure at risk. Prime Minister Rudd stated:
"The irony of technology today is that, while on the one hand we are seeking to invest in sophisticated information, intelligence and military technology, on the other, we have to protect ourselves from the extreme use of basic, readily available technology and hardware by terrorist groups."

Hacker threat: Rudd promises action

Wednesday, December 03, 2008

Media Coverage of Cyber Attacks on U.S. Military Systems in Afghanistan

There have been several thinly sourced news articles on attacks against unclassified U.S. military systems in Afghanistan, resulting in a ban on removable media issued by U.S. Strategic Command.

This article summarizes a variety of other media coverage. Once again, China is alleged to be the source of the attacks, with little or no data offered on the true source or motive:
"According to the same source, there is still no indication whether the Chinese hackers were sponsored by the government in Beijing or if they were working independently. This seems to be a recurring question that never gets its answer, even though it is not the first time that attacks on U.S. government systems originate in China."

Cyber-Attack Cripples Critical U.S. Military Networks

Sunday, November 30, 2008

Rules of Engagement for Cyber Warfare

An interesting article calling for the development of rules of engagement for cyber warfare:
"Cyber attack and warfare rules of engagement will undoubtedly require hundreds of pages to establish a decision framework. That being said, there are a few critical areas that will pose the most significant challenge to policy makers. One of these areas will be the level of confidence in the identification of the entity behind an attack on a nation. Tracing and tracking cyber attacks back to those responsible is not an easy task. Usually this takes months or years not minutes and hours. Current intelligence and surveillance capabilities will provide only minimal assistance in this effort."

Cyber Attacks & Warfare - Rules of Engagement

Friday, November 28, 2008

More Indian-Pakistani Cyber Attacks

As an update to the previous post, further reports of tit-for-tat cyber attacks between Indian and Pakistani "hackers" are surfacing. From the Indian online business magazine, domain-b.com:

"Hostilities between India and Pakistan seem to have reached cyberspace even as the two neighbors strive to resolve differences through dialogue. The first casualty in the cyber war appears to be the Andhra Pradesh Crime Investigation Department (CID) website that was hacked by pro-Pakistan hackers.

"Other Indian web sites that have come in for similar treatment are the web sites of Bank of Baroda and that of a news channel."

And from the Pakistani Daily website:

"In what seems to be an intensifying cyber war between hackers of Pakistan and India, Pakistani hackers managed to hack website of ONGC (Oil and Natural Gas Corporation) of India on Tuesday.

"A group named ‘Pakistan Cyber Army’ (PCA) said that it hacked Indian ONGC website in response to hacking of the website of Pakistan’s OGRA (Oil and Gas Regulatory Authority) by Indian hackers."

Andhra Police website hacked

Pakistani group hacks Indian websites

Ongoing Indian-Pakistani Cyber Attacks

Overshadowed by the current terrorist attacks in Mumbai, a string of cyber attacks between Indian and Pakistani groups has been simmering for the last few weeks. At this point the intrusions do not appear to be related to the ongoing physical attacks; however, if tensions between the two countries intensify, cyber attacks will almost certainly increase as well.
"The cyber warfare began in mid-November when an Indian group of hackers known as HMG or "Guards of Hindustan" defaced the website of Pakistan's Oil and Gas Regulatory Authority and deleted all its data."

"Apparently acting in retaliation, a group calling itself the Pakistan Cyber Army (PCA) yesterday [25-Nov-2008] hacked five Indian websites, including those of ONGC, Indian Institute of Remote Sensing (IIRS), Indian Railways and the Kendriya Vidyalaya in Ratlam."

Indian, Pak hackers deface govt websites

Thursday, November 20, 2008

REVIEW: 2008 Report of the U.S.-China Economic and Security Review Commission

The U.S.-China Economic and Security Review Commission has published its 2008 report to the U.S. Congress. As in previous years, the report discusses Chinese Cyber capabilities and initiatives. This year's report concludes:
"The Nature and Extent of China’s Space and Cyber Activities and their Implications for U.S. Security
  • Cyber space is a critical vulnerability of the U.S. government and economy, since both depend heavily on the use of computers and their connection to the Internet. The dependence on the Internet makes computers and information stored on those computers vulnerable.
  • China is likely to take advantage of the U.S. dependence on cyber space for four significant reasons. First, the costs of cyber operations are low in comparison with traditional espionage or military activities. Second, determining the origin of cyber operations and attributing them to the Chinese government or any other operator is difficult. Therefore, the United States would be hindered in responding conventionally to such an attack. Third, cyber attacks can confuse the enemy. Fourth, there is an underdeveloped legal framework to guide responses.
  • China is aggressively pursuing cyber warfare capabilities that may provide it with an asymmetric advantage against the United States. In a conflict situation, this advantage would reduce current U.S. conventional military dominance."
The report provides further detail on U.S. perceptions of Chinese cyber capabilities and intentions, including:
"China has an active cyber espionage program. Since China’s current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts."

"By some estimates, there are 250 hacker groups in China that are tolerated and may even be encouraged by the government to enter and disrupt computer networks. The Chinese government closely monitors Internet activities and is likely aware of the hackers’ activities. While the exact number may never be known, these estimates suggest that the Chinese government devotes a tremendous amount of human resources to cyber activity for government purposes. Many individuals are being trained in cyber operations at Chinese military academies..."

"In the past two decades, China has observed how the U.S. military has operated successfully overseas and also has noted that the United States in many cases utilizes a deployment or buildup phase. Examples include the first Gulf War, Kosovo, and Operation Iraqi Freedom. Due to the great distances in the Pacific area of operations, were the United States to think a conflict near China was probable, the U.S. military would begin its preparations with a deployment or buildup phase. China is depending on this and believes that, by cyber attacking U.S. logistics functions in the early buildup stages of a conflict, it can delay or disrupt U.S. forces moving to the theater. This conceivably could alter the course of a conflict over Taiwan."

The report discusses China's motivation to develop cyber warfare capabilities:
"...authors of China’s military doctrine have articulated five key elements. These elements are the following:
  • Defense. Many Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive.
  • Early use. PLA analysts believe that in many cases a vulnerable U.S. system could be unplugged in anticipation of a cyber attack. Therefore, for an attack to be truly effective, it must be launched early in a conflict before the adversary has time fully to protect itself.
  • Information operations. Cyber operations can be used to manipulate an adversary’s perception of the crisis, such as by planting misinformation. This could obviate the need for a conventional confrontation or advantageously shape an adversary’s response.
  • Attacking an enemy’s weaknesses. China’s strategists believe the United States is dependent on information technology and that this dependency constitutes an exploitable weakness.
  • Preemption. Many PLA strategists believe there is a first mover advantage in both conventional and cyber operations against the United States. Therefore, in order to succeed, they should strike first."
Finally, the report notes the supply-chain vulnerabilities in telecommunications equipment:
"The global supply chain for telecommunications items introduces another vulnerability to U.S. computers and networks. Components in these computers and networks are manufactured overseas— many of them in China. At least in theory, this equipment is vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation. In a recent incident, hundreds of counterfeit routers made in China were discovered being used throughout the Department of Defense. This suggests that at least in part, Defense Department computer systems and networks may be vulnerable to malicious action that could destroy or manipulate information they contain."

The full report is available at:

2008 REPORT TO CONGRESS of the U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION

ITU Passes Anti-Cyberwar Resolution

The International Telecommunication Union (ITU) has passed a resolution to attempt to curb cyber warfare between nation states. The core of the resolution states:
"resolves to invite Member States
  1. to refrain from taking any unilateral and/or discriminatory actions that could impede another Member State from accessing public Internet sites, within the spirit of Article 1 of the ITU Constitution and the WSIS principles;
  2. to report to the Director of the Telecommunication Standardization Bureau on any incident referred to in 1 above,"
"instructs the Director of the Telecommunication Standardization Bureau
  1. to integrate and analyse the information on incidents reported from Member States;
  2. to report this information to Member States, through an appropriate mechanism,"
"invites Member States and Sector Members

to submit contributions to the ITU-T study groups that contribute to the prevention and avoidance of such practices."
The full resolution is available here:

Resolution 69 – Non-discriminatory access and use of Internet resources

For a broader view of the political context this resolution is mired in and the international infighting between Internet governance organizations see:

Controversy Over Internet Governance: ITU Families And ICANN Cosmetics?

Wednesday, November 19, 2008

Israeli "Hackers" Penetrate Gaza Phone Network to Offer Reward

StrategyPage.com reports on an intrusion into the Gaza phone network used to offer a reward for the return of an Israeli soldier:
"Israeli Cyber War troops again hacked into the cell phone networks in Gaza, and sent a message offering a $10,000 reward for anyone who could provide information that led to the rescue of kidnapped Israeli soldier Gilad Shalit."

Tuesday, November 18, 2008

Estonian Spy Passes NATO Cyber Defense Info to Russians

In September 2008, Herman Simm, an Estonian defense ministry official and Estonia's liaison with NATO, was arrested for allegedly passing NATO classified information to Russia. The U.K. Times is reporting that some of that information included NATO cyber security strategies:

"...Mr Simm was not some relic from the days of Kim Philby or other notorious deep-cover agents. He was at the cutting edge of one of Nato’s most important new strategic missions: to defend the alliance against cyber-attack.

"Mr Simm headed government delegations in bilateral talks on protecting secret data flow. And he was an important player in devising EU and Nato information protection systems."


Russian spy in Nato could have passed on missile defence and cyber-war secrets

Mauritanian Government Shuts Down Critics with Botnet Attacks

StrategyPage reports on the use of botnets by the Mauritanian government to censor online critics. No sources or technical details are given in the article:
"In the African nation of Mauritania, the military dictatorship has used Cyber War techniques to shut down two opposition web sites that provide the most information on what is going on inside the country. The generals apparently hired several botnets" to carry out denial-of-service attacks.

Dictators Prefer Botnets

Saturday, November 15, 2008

IMF Systems Compromised

There are several reports alleging that International Monetary Fund (IMF) systems were penetrated last month, with speculation that the source of the attacks was China. The Dark Visitor, a site that follows the Chinese computer underground, reports on why the Chinese might be interested in IMF communications.

Chinese hackers hit International Monetary Fund

Friday, November 14, 2008

U.S. Data Mining for Terrorist Activities Ineffective

Investor's Business Daily reviewed a report by the National Research Council on the U.S. Government's use of data mining to identify potential terrorists. The report, titled Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment, concludes that the data mining initiative "is ineffective and threatens the privacy of millions of law-abiding Americans".

"We were consistently concerned that data mining does not have demonstrated efficacy for fighting terrorists," said Ben Shneiderman, a University of Maryland computer science professor and one of the 21 committee members."

The report discusses the danger of relying on databases that are notorious for inaccuracies:

"The DHS has purchased at least parts of databases from ChoicePoint, LexisNexis and Acxiom, says [Stephen] Fienberg, who also works in Carnegie Mellon's CyLab, the largest university-based cybersecurity institute in the U.S."

"Merging data from various databases inevitably leads to mistakes. But government counterterrorism programs don't always take into account where its information comes from or whether it might not be true.

"It's basically a problem where government programs really are not focused on the data sources and the correctness, but rather the use of the data they have at hand," Fienberg said."


Data Mining Failing To Hit Mother Lode In Finding Terrorists

Wednesday, November 12, 2008

German Lower House of Parliament Passes New Cyber Investigative Powers

The German lower house of parliament has passed a bill extending search and monitoring capabilities to police in terrorism cases:
"Under the new law, a judge can issue a warrant allowing police the right to spy on a suspect's computer or hard drive, tap their telephone conversations and watch and eavesdrop on their homes."

The upper house still needs to approve the legislation before it becomes law.

German parliament moves to increase police powers

Monday, November 10, 2008

Death Penalty for Cyber Terrorism

Pakistani President Asif Ali Zardari has issued a decree that any act of "cyber terrorism" resulting in death may merit the death penalty:

"Whoever commits the offence of cyber terrorism and causes death of any person shall be punishable with death or imprisonment for life," according to a copy of the ordinance, published by the state-run APP news agency.

"The law will apply to Pakistanis and foreigners whether living in Pakistan or abroad.

"The ordinance described cyber terrorism as accessing of a computer network or electronic system by someone who then "knowingly engages in or attempts to engage in a terroristic act."

"The ordinance listed several definitions of a "terroristic act" including stealing or copying, or attempting to steal or copy, classified information necessary to manufacture any form of chemical, biological or nuclear weapon."


Pakistan Sets Death Penalty For "Cyber Terrorism"

Friday, November 07, 2008

U.K. Interception Modernisation Programme

The U.K. government is reportedly considering requiring major ISPs to allow it to gather Internet traffic data:

"At Monday's meeting in London representatives from BT, AOL Europe, O2 and BSkyB were given a presentation of the issues and the technology surrounding the Government's Interception Modernisation Programme (IMP), the name given by the Home Office to the database proposal.

"They were told that the security and intelligence agencies wanted to use the stored data to help fight serious crime and terrorism."

The Interception Modernisation Programme has received a lot of attention in the U.K. press lately, including reports of a proposal to invest billions of pounds in the programme:

"Detica will very likely be among the first to profit from the IMP bonanza. Based in Guildford, it might warrant the title of The Most Important IT Company Most People Have Never Heard Of. According to sources with knowledge of systems that have long allowed GCHQ to eavesdrop on phone calls, Detica owns and operates the current "black box" infrastructure under contracts funded by the secret intelligence budget.

"In contrast to that arrangement, the proposed central communications database would not target the content of calls, emails, texts and other communications; rather, MI6 and GCHQ want to retain the powerful, searchable data detailing who contacted whom."
As a side note, the search phrase "interception modernisation programme" is a major driver of traffic to this blog...


Internet black boxes to record every email and website visit
Spy chiefs plot £12bn IT spree for comms überdatabase


Obama, McCain Systems Compromised?

Newsweek magazine is reporting that the computer systems of both candidates for U.S. president were compromised last summer. However, few details were provided, and there seem to be some issues with the story, such as why there would be senior-level White House involvement in the investigation:
"The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it.""

The Newsweek article alleges that the source of the intrusions was outside the U.S. (again, the article provides no details or supporting evidence):
"Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps' policy positions—information that might be useful in negotiations with a future administration. The Feds assured the Obama team that it had not been hacked by its political opponents."

Hackers and Spending Sprees

Monday, November 03, 2008

China's Cyber Warfare Capabilities

International-Relations.com has published a report hypothesizing that China plans to leapfrog U.S. military capabilities through cyber warfare. This lengthy report begins by detailing China's traditional military capability and then discusses the U.S. military's dependence on technology (and the weakness this is perceived to create), including:
  1. Network-centric warfare - "Militarily, the information revolution has given rise to an increasing reliance on situational awareness, weather monitoring, surveillance, communication, and precision strikes. Chinese military strategists have made special note of the US reliance on, and dominance with, electronic means in the Kosovo, Afghanistan, and Iraqi conflicts."

  2. Information operations - "...activities include PSYOPS troops who try to manipulate the adversary’s thoughts and beliefs, military deception and disinformation, media warfare, electronic warfare (EW), and computer network operations (CNO). Thus Information Operations Roadmap stands as an another example of the US commitment to transform military capabilities to keep pace with emerging threats and to exploit new opportunities afforded by innovation and rapidly developing information technologies."

  3. Future combat systems - "...places a particular emphasis on advanced robotics, including Unmanned Ground Vehicles (UGVs), Unmanned Aerial Combat Vehicles (UCAVs), Non-Line of Sight Launch Systems, and Unattended Systems. This system of systems seeks to make warfare as networked as the internet, as mobile as a mobile phone, and as intuitive as a video game."

The report summarizes the importance of military cyber capabilities within China:
"The information revolution has given more power to individuals and increased globalization through the interconnectedness of economies, rapid dissemination of news, and improved access to communication and information of all types. Any attempt to compete on a global level without the use of these technologies would place the PRC at a significant military and financial disadvantage. For this reason, the benefits of electronic reliance outweigh the risks involved. Further, it is impossible for a state to develop a defence against cyber warfare without simultaneously learning how to execute attacks themselves."

The report also discusses the linkage between "offensive" and "defensive" capabilities:
"To learn how to conduct cyber security, the Chinese must have a full understanding of how attacks are conducted; therefore they will learn offence along with the defence - the two are inseparable. China has repeatedly stated its goal of military modernization, and cyber warfare is where modern militaries are headed. However, cyber warfare would unlikely be used alone. It could be used simultaneously with a traditional attack, perhaps as a first blow to take an opponent off guard, or in tandem with multiple non-traditional attacks, such as PSYOPS and economic operations, or variants of each. Additional combined tactics that will be discussed in the following sections include cyber attack, cyber reconnaissance, and market dominance."

Based on this concept the report delves into several cyber capabilities including:
  1. Internet security
  2. Cyber reconnaissance and attack
  3. Security hacking
  4. Military applications of hacking

The paper concludes:
"This research has shown that China seeks to leapfrog in military competitiveness by utilizing cyber warfare. Chinese military doctrine places an emphasis on asymmetric attack. Cyber warfare epitomizes this a low cost means of levelling the playing field. Cyber attack strikes at a superior adversary’s weakness – in the case of the US, a heavy reliance on hi-tech computerized weaponry and a civilian population reliant on an unsecured computer infrastructure. Cyber reconnaissance follows China’s tradition of technology transfer and reverse engineering for domestic production as a means of leapfrogging. Cyber reconnaissance gives the added benefit of providing deniability, low cost, a lack of legal framework against it, and the removal of geographical distance."


How China Will Use Cyber Warfare to Leapfrog in Military Competitiveness

Hamas Offers Cash Reward for Israeli Cyber Attacks

The Iranian branch of Hamas has offered a $2,000 reward to attack Israeli websites.
"Observers noted that the contest gives a chance for Iran's many under-employed but tech-savvy computer geeks to earn some quick cash with their expertise."


IRAN: Hamas' office declares cyber-war on Israel

Wednesday, October 29, 2008

Motivation for Cyber Attacks against al-Qaida Websites

In a classic example of how little is known about the motives of (potential) politically motivated cyber attacks, The Guardian newspaper reports on recent cyber attacks against al-Qaida websites and provides a string of speculation on potential motives including:

  • "...governments are targeting them in a shadowy new front in the "war on terror"

  • "...the websites have fallen victim to Shia groups engaged in tit-for-tat sectarian cyber warfare with Sunnis"

  • "technical problems"

  • "...al-Qaida sympathisers closed the forums themselves because they were too good a source of intelligence for their enemies"

  • "[I]nternet vigilantes"





Cyber-attack theory as al-Qaida websites close

Terrorist Twitters

The Federation of American Scientists has posted a draft report produced by a U.S. Army intelligence unit that looks at several uses of technology by al-Qaida and other terrorist organizations for communications, including the use of the quick messaging system twitter.com.


The short section titled "Potential for Terrorist Use of Twitter: A Red Teaming Perspective" provides background on Twitter and discusses its use by activists protesting at the U.S. Republican Convention:
"...extremist and terrorist use of Twitter could evolve over time to reflect tactics that are already evolving in use by hacktivists and activists for surveillance. This could theoretically be combined with targeting. Twitter was recently used as a counter-surveillance, command and control, and movement tool by activists at the Republican National Convention (RNC). The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near realtime."

The article concludes with three simple scenarios of terrorist use of Twitter.

The full report can be found at:

Sample Overview: alQaida-Like Mobile Discussions & Potential Creative Uses

Monday, October 20, 2008

Georgian Government Releases Report on Cyber Attacks

The Government of Georgia has released a report concerning the cyber attacks on Georgia originating in Russia. The report provides details of attacks and makes allegations against individuals in Russia responsible for organizing the attacks.

The report directly blames the Russian government for the attacks:
"To help to make a final judgment regarding the cyberwar against Georgia these two declarations from Russian officials can help us to evaluate how Moscow thinks in regard to online warfare. The Russian State Duma deputy and member of the Security Committee Deputy Nikolai Kuryanovich stated in 2006 within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:
  • "In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."
"Should we interpret this declaration as a statement of intent, or merely a prediction? A few days ago, the Editor of the Russian Online journal cybersecurity.ru, made a similar statement that provides insight into the Russian war aims:
  • “Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare.”


Russian Invasion of Georgia: Russian Cyberwar on Georgia

Friday, October 17, 2008

Recommended Reading: Analysis of Russian Cyber Attacks

Project Grey Goose has released a detailed study of the capabilities and methods used in cyber attacks believed to have originated in Russia. The report gives four high-level findings:

  1. "We assess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions."

  2. "We assess with high confidence that nationalistic Russian hackers are likely adaptive adversaries engaged in aggressively finding more efficient ways to disable networks."

  3. "We judge with moderate confidence that a journeyman-apprentice relationship will continue to be the training model used by nationalistic Russian hackers."

  4. "We estimate with moderate confidence that hacker forums engaged in training Russian cyber warriors will continue to evolve their feedback loop which effectively becomes their Cyber Kill Chain."

In reading this report, it is striking how similar today's techniques are to those used in historical cyber attacks and espionage. While the software tools used by modern cyber criminals have increased their efficiency by orders of magnitude, the basics are still the same.

Of particular interest is finding 3 concerning the "journeyman-apprentice relationship". This is not a new phenomenon; it was seen in the earliest days of network intrusions, especially those with political motivation. For example, during the 1987-88 investigations of the cyber espionage case in which West German nationals were working for the Soviet Union, it was discovered that the five West German principals had set up a network of "apprentice hackers" to assist in network mapping and initial intrusions.

Unfortunately, very little information has been published in open sources concerning the investigation of these early intrusions. Clifford Stoll's 1989 book "The Cuckoo's Egg" documented a small portion of the overall activity and investigation. Some very generalized information concerning the techniques and methods used by the West Germans (and other cases) is provided in: International Intrusions: Motives and Patterns.



The full Grey Goose report is available at:

Russia/Georgia Cyber War – Findings and Analysis

A good summary article is also available from the Washington Post:

Report: Russian Hacker Forums Fueled Georgia Cyber Attacks

Wednesday, October 15, 2008

Computer Intrusions Rise to the Attention of South Korea's Prime Minister

The Prime Minister of South Korea has issued a warning to his cabinet on the growing threat of network intrusions from North Korea and China targeting government information:
"The National Intelligence Service (NIS), Seoul's main spy agency, said it had told [South Korean Prime Minister Han Seung-Soo] that about 130,000 items of government information had been hacked over the past four years."
and:
"The documents largely focused on foreign policy and national security, he [a NIS spokesman] added without elaborating."


SKorean PM warns of hacking threat by NKorea, China (AFP)

Friday, October 10, 2008

Increase in High-Tech Terrorists in India

Indian police are reporting an increase in the recruiting of high-tech individuals to assist in terrorist attacks. Most recently, three IT professionals were arrested who had used computer intrusions to send e-mails just before and after bombings in India:
"Evidence is mounting that recruiters for Islamist terror groups have targeted the information technology and engineering sectors, in a successful effort to give India’s jihadist movement a quantum jump in skills and ideological focus.

"Most of the 15 men arrested in Mumbai on Monday, on charges of participating in the hit-teams which planted explosives in Ahmedabad and Surat, are criminals linked to Pakistan-based ganglord Amir Raza Khan.

"But three men in the group were, till their arrest, believed to be model citizens. Key among them is Mohammed Mansoor Asghar Peerbhoy, who worked as a software engineer at multinational Yahoo India."

India - White-collar jihadists, a cause for growing concern

Saudi Owned Television News Website Attacked

The defacement of the website of Al Arabiya, a Dubai-based, Saudi-owned television station, was in apparent retaliation for recent attacks on Shiite websites:



The number of web site defacements continues to escalate between opposing Sunni and Shiite groups:
"Last month, prominent Sunni religious commentator Sheikh Yusuf al-Qaradawi charged that Shiites are "invading" Sunni societies. Also, a tit-for-tat cyber war disabled 900 websites, belonging to both sects, as Shiite and Sunni hackers infiltrated religious websites and uploaded their own messages."

More information on these attacks is available at: Sunni-Shiite hacking war disables 900 websites


Al Arabiya hit by Sunni-Shiite hacking war

Wednesday, October 08, 2008

US Considering Automated Cyber Retaliation

The U.S. Department of Homeland Security is considering the development of an automated system to retaliate against cyber attacks:
"Homeland Security Secretary Michael Chertoff on Friday said he'd like to see a government computer infrastructure that could look for early indications of computer skullduggery and stop it before it happens.

"The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0.""

"Einstein" is the name of the U.S. government's current intrusion detection system.

Homeland Security seeks cyber counterattack system

Sunday, October 05, 2008

More Details on Skype Surveillance in China

As a follow-up to an earlier report, The New York Times published an article with further details of the surveillance of Skype communications in China. Interesting details include how the interceptions were detected:

"The researchers stumbled upon the surveillance system when Nart Villeneuve, a senior research fellow at Citizen Lab, began using an analysis tool to monitor data that was generated by the Tom-Skype software, which is meant to permit voice and text conversations from a personal computer. By observing the data generated by the program, he determined that each time he typed a particular swear word into the text messaging program an encrypted message was sent to an unidentified Internet address.

"To his surprise, the coded messages were being stored on Tom Online computers. When he examined the machines over the Internet, he discovered that they had been misconfigured and that the computer directories were readable with a simple Web browser.

"One directory on each machine contained a series of files in which the messages, in encrypted form, were being deposited. Hunting further, Mr. Villeneuve soon found a file that contained the numerical key that permitted him to decode the encrypted log files.

"What he uncovered were hundreds of files, each containing thousands of records of messages that had been captured and then stored by the filtering software. The records revealed Internet addresses and user names as well as message content. Also stored on the computers were calling records for Skype voice conversations containing names and in some cases phone numbers of the calling parties."

The original report from Citizen Lab can be found at: BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform


Surveillance of Skype Messages Found in China

Friday, October 03, 2008

Study of Terrorist Recruitment in Europe and Use of the Internet

King’s College London has published an in-depth study of jihadist recruitment and mobilization for the European Commission. The paper provides an extensive background and history of terrorist recruitment that started in local mosques and moved to prisons and the Internet. It also discusses the psychological processes and rationalizations involved in recruitment.

The basic structure of online terrorist communications is provided:
"Despite the impression of anarchy, the ‘architecture’ of the Islamist militant Internet presence is relatively straightforward. First, there are the official web sites, representing clerics, strategists, or Islamist militant organisations. They are very unstable, but they are often well run and may contain downloadable videos, communiqués, discussion papers and religious rulings, and frequently also provide opportunities for interaction with leading personalities. Second, there are the web forums which are mostly administered and populated by grassroots supporters. The web forums are the soap boxes of the Islamist militant movement, where key debates about the latest news take place, networks are formed, and a real sense of community emerges. Often password-protected, they are also used to exchange videos, training material, and links to other web sites. The third element of the Islamist militant Internet architecture are so-called distributor sites, which include ‘jihadist’ web directories, ‘tribute’ sites, and the web pages of so-called ‘media groups’. These sites sustain the infrastructure of the Islamist militant web presence, as they distribute ‘jihadist’ material and provide updated links on where to locate official sites and web forums. Web forums can also perform the function of distributor site."

The researchers describe two elements of terrorist activity on the Internet:
  1. Internet supported recruitment; and,
  2. Virtual self recruitment
These elements can be summarized as follows:
"The Internet has come to play an increasingly important role. The main function is to support ‘real-world’ recruitment (by reinforcing religious and political themes; by facilitating networking; and by creating a climate of exaggeration). In recent years, however, new forms of Islamist militant online activism have emerged, which rely less on human contact and can be described as ‘virtual self-recruitment’."

The paper makes clear that the Internet has not replaced the human element in the recruiting process:
"Realworld social relationships continue to be pivotal in recruitment, therefore, but that does not exclude some role for the Internet altogether. On the contrary, whilst pointing out that the Internet is not the one dominant factor, nearly all our interviewees emphasised that it was important in supporting the process of recruitment."

The study provides several recommendations to combat terrorist recruitment. For online activity they recommend:
"More attention needs to be paid to extremist activities on the Internet. Governments need to become as Internet savvy as the extremists they are meant to counter, which requires investment in staff and technical capacity. Initiatives aimed at monitoring extremist activities on the net are important and welcome, but governments should not shy away from taking disruptive action where necessary. It has become a cliché to say that no extremist site can be taken down for long, but de-stabilising the extremist Internet ‘architecture’ – in particular distributor sites and large web forums – may produce valuable short-term gains. Also, the Internet may be difficult to regulate, but the successes in curbing the distribution of other ‘undesirable’ materials, such as child pornography, may hold valuable lessons for the fight against ‘jihadism online’."

Recruitment and Mobilisation for the Islamist Militant Movement in Europe

Thursday, October 02, 2008

Syria Increases Internet Censorship

The National newspaper in the UAE has an article discussing recent increases in Syrian censorship of the Internet. The article provides a good background on Internet use within Syria and the types of information that are censored:
"And in a sign that the censors are becoming more technologically advanced, a series of software gaps that existed in online controls a few months ago have been closed. It used to be a relatively simple matter for internet surfers to get around the censors using freely available programmes. Now accessing prohibited pages is much more difficult, and requires specialised knowledge."

Syria tightens control over internet

Skype Communications Monitored and Censored in China

Citizen Lab, an Internet and politics research lab at the University of Toronto, has just released a detailed analysis of the interception, blocking and logging of text communications using TOM-Skype (the Chinese subsidiary of Skype).

More importantly, the analysis was made possible by poor security on the servers used to store intercepted and blocked communications and brings into question the complicity of western companies in aiding government surveillance and censorship:
"These findings should serve as a warning for groups engaging in political activism or promoting the use of censorship circumvention technology accessed through services provided by companies that have compromised on human rights. Private and politically sensitive messages sent through new communications technologies are only as secure as the robustness of the security of the technology companies themselves. In this case we were able to access volumes of sensitive data without the cooperation of the company involved due to lax security. There is no reason why an inquisitive government could not do the same.

"Trust in a well-known brand such as Skype is an insufficient guarantee when it comes to censorship and surveillance. This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision."
The report listed the following key findings:

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform

Wednesday, October 01, 2008

Myanmar's Cyber Warfare Capabilities

The Asia Times Online has an extensive article on Myanmar's cyber war capabilities and alleges that it has received training and assistance from China, Russia and Singapore. It also provides some details on the types of assistance and the history of Myanmar's cyber capabilities.

The article also alleges that Myanmar's government is using cyber warfare techniques to disrupt dissident groups around the world:
"...the junta's cyber-warfare specialists appear to have wider designs than just censoring an uncomfortable anniversary and they are receiving plenty of foreign assistance in upgrading their political dissent quashing capabilities."


Myanmar on the cyber-offensive

South Korean Missile Manufacturer Compromised with Malicious Code

This article provides very little information about an alleged breach of computer systems at South Korean guided missile manufacturer, LIGNex1 Hyundai Heavy Industries.

The report states that malicious code was planted "through which they stolen [sic] information."
"A spokesperson said: “The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole. In the worst case, the blueprints of missiles and Aegis ship could have been stolen.”"


South Korean defence suppliers uncover malicious code

Information Security Is "on Vacation" in the U.S.

An interesting commentary on the state of cyber war capabilities and vulnerabilities was recently published by Claremont College, stating "[t]he security of America’s information infrastructure is on vacation". The article discusses recent cyber attacks, data losses and the nature of distributed denial-of-service (DDoS) attacks and concludes:
"This type of information espionage and Internet vandalism has the potential to be a serious form of asymmetrical warfare, allowing state actors deniability and providing them with a powerful new tool in intelligence-gathering. International recognition of current U.S. military dominance has driven other nations to find alternative methods of strengthening their strategic position.

"While our dependency on the Internet grows both economically and politically, we need to provide stronger security regulation of government agencies and key industries..."


The State of Computer Security

GAO Report: US CERT's "Baseline Understanding" Inadequate

Last month, the U.S. Government Accountability Office (GAO) released yet another report condemning the Department of Homeland Security's cyber analysis and warning capability.

As previously observed, there is a deficiency in the most basic capabilities to understand (let alone protect) the national information infrastructure. The GAO report concluded:
"In seeking to counter the growing cyber threats to the nation’s critical infrastructures, DHS has established a range of cyber analysis and warning capabilities, such as monitoring federal Internet traffic and the issuance of routine warnings to federal and nonfederal customers. However, while DHS has actions under way aimed at helping US-CERT better fulfill attributes identified as critical to demonstrating a capability, US-CERT still does not exhibit aspects of the attributes essential to having a truly national capability. It lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance [emphasis added]."


This lack of a "comprehensive baseline understanding" is not confined to the U.S. Government; it is also rampant in the private sector where risk and threat assessments are too often a simple compliance check-off with little regard to the quality of analysis. In both the public and private sectors, engineers and other technicians tasked with managing information security are not trained as security professionals who can analyze risks and threats across a single organization let alone across entire information infrastructures and global networks.

This lack of professional competence in the information security industry is one of the key factors driving the continued increase in vulnerabilities, attacks and data and monetary losses despite record investment and spending.

The full GAO report is available online:

CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability

Tuesday, September 30, 2008

More Calls for U.S. Offensive Cyber Capabilities

The Washington Post reports on U.S. Representative Jim Langevin's (chairman of the House Homeland Security subcommittee on emerging threats, cybersecurity and science and technology, and a member of the House Permanent Select Committee on Intelligence) call for the U.S. to develop an offensive cyber capability. Rep. Langevin sees this as a deterrent against potential attacks on U.S. systems. In order for the deterrence to be effective, he called for much of the Comprehensive National Cybersecurity Initiative (CNCI) to be declassified and for responsibility for cyber security to be taken away from the Department of Homeland Security.

The article also discusses some of the important issues in implementing an offensive capability, namely the identification of the motive and source of an attack:

"We have a tremendous amount of trouble determining attribution ... where an attack actually came from, who was responsible, who might have been behind that computer. And we have a very, very long way to go on that," commission member Paul Kurtz, a former White House cybersecurity official, told the House intelligence committee.

"Until we start to get clarity in that piece, it's going to be very difficult to contemplate the military option, of responding appropriately," Mr. Kurtz added."



U.S. urged to go on offense in cyberwar

Jihadist Websites Move to the U.S.

FrontPage Magazine has an editorial piece concerning the movement of extremist websites to US ISPs:
"In counterterrorism circles there is significant buzz about “Al-Qaeda 2.0”, warning of highly decentralized jihadist networks operating independently and driven by a highly toxic internet-inspired Islamic ideology. The sad reality is, however, that an increasing number of jihadist websites, especially those in the English language, are finding safe haven in the US – and the US government seems powerless, or unwilling, to stop them."


Mainstream US Islamic Websites -- and Terror


Monday, September 29, 2008

The Law of Unintended Consequences - Security Creates Its Own Threat

An anti-war blog has posted an article alleging Israeli spying on US government communications by installing backdoors into telephone systems. Regardless of the accuracy of the article or its political slant, it does bring up an interesting issue: When can security controls or measures create vulnerabilities?

Specifically, the article discusses the potential vulnerability created by implementation of the FBI's 1994 Communications Assistance for Law Enforcement Act (CALEA), which mandated that telecommunication providers develop the capability for law enforcement agencies to wiretap any communication in the U.S.:
"The real novelty – and the danger – of CALEA is that telecom networks are today configured so that they are vulnerable to surveillance. "We've deliberately weakened the computer and phone networks, making them much less secure, much more vulnerable both to legal surveillance and illegal hacking," says former DOJ cybercrimes prosecutor Mark Rasch. "Everybody is much less secure in their communications since the adopting of CALEA.""

This issue is not academic: I have investigated many serious computer crimes where the intruder(s) targeted security information and controls to determine the status of investigations, to introduce backdoors into control systems, or to lock out or monitor the activities of investigators. Too often the very tools used by security personnel and investigators were used against them or in some way compromised.

It is critical that security professionals and engineers understand that many technological controls can be (and probably will be) used by an adversary to their advantage. This is particularly true of communication systems and of any control that monitors activity or collects intelligence data, such as log files, network and host vulnerability scans, IP-based communication systems such as VoIP, and IP-based surveillance and access control systems.

Trojan Horse: How Israeli Backdoor Technology Penetrated the US Government's Telecom System and Compromised National Security

Thursday, September 25, 2008

Commentary: The Problem with Information Security

A recent article from Australian IT provided an Australian perspective of the international cyber warfare games named Cyber Storm II. The exercise was conducted by private and public sectors in Australia, Britain, New Zealand, Canada and the United States. It is available at: Govt can do more on cyber security: report.

However, one point stood out in the article's analysis:
"...participants [of Cyber Storm II], which included the private sector, were surprised by the "borderless nature" of cyber attacks and the "speed with which they can escalate"."

How can people who call themselves "security professionals" be surprised that the Internet is "borderless" or that attacks (or any online activity) can occur quickly? This lack of understanding of the basic nature of threats is mind-boggling and one of the most daunting problems in information security.

Too often, the "security experts" (in both the government and private sectors) are simply IT engineers who view security as a technical problem with technical solutions. This myopic world view is not only misguided, it precludes proper threat and risk assessments.

While understanding the technological infrastructure and its vulnerabilities is an important component of any threat assessment, it is just as critical to understand adversary motivations, capabilities and methods. Likewise, threats must be analyzed at both the macro and micro levels.

For some reason, physical security professionals and intelligence analysts "get this". However, IT security engineers not only have difficulty incorporating the "people" element but are often hostile to anything that strays from their technical comfort zone.

It is no wonder that security problems are only growing in numbers and impact and they will continue to do so as long as information security is viewed as an engineering issue and the "experts" are "surprised by the "borderless nature" of cyber attacks".

For more on this topic see:

Friday, September 19, 2008

Saudi Arabia Arrests Five for Internet Use

The Saudi Ministry of Interior announced the arrest of five individuals "who used the Internet to propagate extremism and incite youths to go to troubled areas".

"The group members "hid behind their computers and gave themselves several assumed names" in order to post material under one alias and post support for it under a different alias, the [interior] ministry said.

"The aim was to give the impression that their ideas "enjoy support from society and to encourage those deluded (by the propaganda) to communicate with them as a prelude to recruiting them for their despicable goals," it added."



Saudi arrests five web 'jihadis'

U.K. Sentences 18 Year Old for Downloading Terrorist Material

Eighteen-year-old Hammaad Munshi was sentenced in the U.K. to two years in prison for using the Internet to gather terrorist-related information:
"During his trial at Blackfriars Crown Court, the jury heard that Munshi had spent many hours viewing jihadist websites and had downloaded guides to making napalm, detonators and explosives."

Computer terror teenager jailed

VP Candidate Sarah Palin's Personal Email Compromised

The personal Yahoo email account of Sarah Palin, the Republican Vice Presidential candidate, was compromised, and emails and family photographs were made public:

"Among the emails posted on the Internet is a message sent from Palin to the vice-governor of Alaska, Sean Parnell, who is currently seeking election to Congress.

"The hacking comes at a time when Palin is suspected of using her personal email account for conducting public affairs in Alaska.

"According to law, all messages relating to the official functions of governor must be archived and not destroyed, but allows for personal messages to be destroyed."


Hackers infiltrate Palin's email account

Wednesday, September 17, 2008

U.S. Cyber Security Not Adequate

The U.S. Government Accountability Office (GAO) has released a report (originally dated July 2008) critical of the U.S. Government's cyber security.

The report defined, in part, the threat:
"There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on the national critical infrastructure, including the infrastructure’s control systems. The Department of Defense (DOD) and the Federal Bureau of Investigation, among others, have identified multiple sources of threats to our nation’s critical infrastructure, including foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled employees working within an organization. In addition, there is concern about the growing vulnerabilities to our nation as the design, manufacture, and service of information technology have moved overseas. For example, according to media reports, technology has been shipped to the United States from foreign countries with viruses on the storage devices. Further, U.S. authorities are concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences. For example, a cyber attack could disable a security system in order to facilitate a physical attack."
The GAO broadly assessed operations in four areas: Monitoring, Analysis, Warning and Response and found issues in each domain.

One of the key challenges the report identified was organizational and management issues within the U.S. Department of Homeland Security (DHS) stating that the cyber security initiative is:
"...operating without organizational stability and leadership within DHS—the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT’s role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level."

"Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission."

CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities

Thursday, September 11, 2008

U.S. Considers Developing Offensive Cyber Warfare Capabilities

The Los Angeles Times reports on Pentagon debates about developing offensive cyber capabilities. It appears the renewed discussion is at least partially driven by the Russian-Georgian conflict.

The article touches on some of the high level issues involved in cyber war. Like many technical revolutions in military history, cyber warfare presents many challenges and unknowns:
"To some, the tension over cyberspace echoes military debates through the centuries. Maj. Gen. William T. Lord, head of the Air Force cyber-effort, said that such discussions were akin to an old military puzzle known as "intelligence gain-loss."

"Do you not destroy a target because you can exploit it? Or do you destroy the target -- and lose the ability to exploit -- because troops are in harm's way?" Lord said. "That is not a debate. It is a discussion that goes on in war fighting."

Pentagon debates development of offensive cyberspace capabilities

Facebook Used to Target Israeli Interests

The Middle East Times ran an article discussing issues with the social networking site Facebook, including accusations that Hezbollah uses Facebook to gather intelligence on Israel. Of more interest is that this is surprising to anyone.
"...reports from the Lebanese capital, Beirut, are emerging that Hezbollah ... is using Facebook to learn of potential Israeli military movements, to gather possibly sensitive information about Israeli military bases and to pick up intelligence that could be harmful to Israel's security."

Cyber Terrorism: Perils of the Internet's Social Networks

Friday, September 05, 2008

Terrorism and Engineers - An Indian Perspective

CyberMedia India Online Ltd. (CIOL) published an interesting article on the relationship between terrorist groups and high-tech individuals. The article discusses both why terror groups are interested in recruiting engineers for their operations (both cyber and physical) and why well-educated and well-paid people would be attracted to terrorist organizations:
"Engineers that come from societies that are in themselves under threat from internal and external influences, and where alternate (and legal) means of expression are either banned or methodically suppressed will have the third terrorism necessity, a socio/political cause, and will be recruited by (or be found offering their services to) terrorist organizations."

Terror minds look for techie brainpower

Thursday, September 04, 2008

Various Articles on Russian Georgian Cyber Attacks

In an attempt to catch up on past articles concerning the Russian-Georgian cyber attacks, I'll just post links to several articles that provide at least some factual information. Thanks to S.Y. for the pointers.

July 2008:

Wednesday, September 03, 2008

Recommended Reading: "Georgia Cyber Attacks By Russian Gov't? Not So Fast"

Gadi Evron, the founder of Israel's Government CERT group, wrote an article that was published in the Australian version of CIO.com (notably absent from the U.S. site) concerning the recent attacks on Georgia.

It is always refreshing to hear an experienced investigator discuss the issues:

"Running security for the Israeli government Internet operation and later founding the Israeli government CERT, I found that such attacks were routine. Seeing the panicked reaction this type of attack has generated seems quaint from my perspective. Not all fighting is warfare. While Georgia is obviously under DDoS attacks that are political in nature, it doesn't so far seem different from any other online aftermath by fans. Political tensions are always followed with online attacks by sympathizers.

"DDoS attacks harm the Internet itself rather than just this or that website, which often requires some of us in the vetted Internet security operations community to get involved in mitigating the attacks, if they don't just drop on their own. Our purpose is not to get involved in any local situation, but rather to preserve our common global critical infrastructure - the Internet.

"Could this somehow be indirectly related to Russian military action? Yes, but there is no evidence to indicate it is the case as of yet. If anything, the opposite seems likely at this point in time."

As with similar online attacks, there is wild speculation and near hysteria in the media concerning cyber attacks against Georgia originating in Russia. It is rare to have a commentator that can take a step back and analyze the situation based on known facts and an understanding based on real-world investigations.

Mr. Evron also notes the effect of the traditional media as both a motivator and as propaganda. This symbiotic relationship between politically motivated cyber attacks and PR is documented in Hacktivism & Politically Motivated Computer Crime.

Georgia Cyber Attacks by Russian Gov't? Not So Fast

Researching Politically Motivated Computer Crimes

The Washington Post provides details of two groups researching politically motivated computer crimes. The article provides some information concerning the Georgian-Russian online attacks as well as a discussion of online tactics and the effects of attacks:
"It's unclear who is behind the attacks, however. In some cases, the locations of botnet controllers can be traced, but it's impossible to know whether an attacker is working on the behalf of another organization or government."


A New Breed of Hackers Tracks Online Acts of War

Tuesday, August 26, 2008

Chinese "Hacker" Discusses Chinese Underground and Attacks on Western Systems

An interview with a Chinese "hacker" who claims to have participated in pro-Chinese attacks against CNN and other western organizations has been posted on YouTube.
"If there is a cyber war between two countries and if our country needs us, as cyber citizens or as IT fans, we can work together and we can certainly protect ourselves."



Dutch Websites Defaced in Protest of Film Release

An attacker using the pseudonym "nEt^DeViL" has attacked and defaced several hundred websites in the Netherlands in protest of the release of the Dutch film "Fitna", which is critical of Islamic extremists.

Part of the message left in the defacements states:
"If you think that ” Insulting GOD Religion is a Freedom of Speech as your country did , then allow me to show you my Freedom knowledge of Hacking ;)" [sic].

Hundreds of Dutch web sites hacked by Islamic hackers

Tuesday, June 24, 2008

Islamic Jihad Creates Cyber War Unit

Islamic Jihad, a Palestinian Islamist group, has created a cyber-war unit to aid its armed Al-Quds Brigades in attacks on Israel:
"It was a response to years of attacks by Israeli hackers, and according to the Brigades spokesman, Abu Hamza, it equals the playing field in cyber-space.

"The Israeli's have worked very hard the past few years on monitoring all the Palestinian websites, especially those of Islamic Jihad and Al-Quds Brigades," Hamza told MENASSAT.

"They (Israeli hackers) hacked these websites and erased them from the electronic boards or even added indecent pictures to them," he said.

"Hamza told MENASSAT that the Brigades had to establish an e-media military unit "because we had to fight the enemy in the electronic media to resist being assaulted on two fronts – physically and virtually."

The article discusses several specific attacks against Israeli interests, mostly web defacements, but also discusses attempts at system-based attacks against Israeli infrastructure targets:
"Abu Hamza said that the e-media military unit doesn't just work on breaking the security of the Israeli websites – both governmental and civilian –, but it is also "expanding its cyber-reach to include attempts at hacking and bugging the Israeli telecommunications network."

"So far, these attempts have not succeeded," he [said]."

Islamic Jihad’s cyber-war brigades

India's Military Concerned over Chinese Cyber Attacks

India's military is taking steps to counter alleged Chinese intrusions into Indian systems:
"In April 2008, Indian intelligence agencies detected Chinese hackers breaking into the computer network of the Ministry of External Affairs forcing the government to think about devising a new strategy to fortify the system. Though the intelligence agencies failed to get the identity of the hackers, the IP addresses left behind suggested Chinese hands."

The article rambles somewhat between discussion of web defacements in India (with no apparent link to China) and discussion of India's vulnerability to cyber attacks:

"Unless India takes adequate steps to protect itself from external cyber threats, the world famous IT giant could be facing a grim situation. Cyber attacks are dangerous for India because of the growing reliance on networks and technology to control critical systems that run power plants and transportation systems. Cyber attacks on banks, stock markets and other financial institutions could likewise have a devastating effect on a nation's economy.

"As a countermeasure, the Indian armed forces are trying to enhance their C4ISR capabilities, so that the country can launch its own cyber offensive if the need arises. Given Chinese cyber attacks, there is need for the army to fight digital battles as well."

China's cyber warfare against India

Kurdish Immigrant in Germany Convicted for Promoting Terrorism Online

An unnamed Kurdish immigrant to Germany has been convicted and sentenced to three years in prison for posting files and making statements that supported al-Qaeda leaders.

"The court in the northern German city of Celle convicted him on 22 counts of recruiting on behalf of a non-German terrorist organization, which is a crime under German law.

"Defence lawyers had called for the acquittal of the man, who has Iraqi nationality. Presiding judge Wolfgang Siolek said the verdict sets a legal precedent in Germany, as the first where a person has been jailed for remarks on the internet in support of a foreign terrorist cause.

"The court said the internet postings had the purpose of urging others to join in the jihad, and went well beyond a mere statement of sympathy with al-Qaeda, which would have been protected by free-speech laws and would not have been punishable."

Kurd used internet to urge terrorists on: three years jail

Friday, June 13, 2008

China Denies Attacks on U.S. Congressional Computer Systems Because It Lacks the Capability

China's Foreign Ministry has denied reports that China was the source of attacks on U.S. Congressional systems, claiming that it lacks the technology to do so:
"China denied accusations by two U.S. lawmakers that it hacked into congressional computers, saying Thursday that as a developing country it wasn't capable of sophisticated cybercrime.

"Is there any evidence? ... Do we have such advanced technology? Even I don't believe it," Foreign Ministry spokesman Qin Gang told a regularly scheduled news conference."

The article discusses the inconsistency in this statement: China is a leader in high technology, not only in manufacturing but in design and development:

"China has a thriving information technology industry and claims to have 221 million Internet users — equal to the U.S. as the most in the world.

"I'd like to urge some people in the U.S. not to be paranoid," Qin said. "They should do more to contribute to mutual understanding, trust and friendship between the U.S. and China."


China denies hacking into US computers

U.S. Congressional Systems Targeted for Chinese Dissident Info - Maybe

Two U.S. congressmen have gone public accusing China of being the source of intrusions into their computer systems in search of information on Chinese dissidents.

"Two congressmen, both longtime critics of Beijing's record on human rights, said the compromised computers contained information about political dissidents from around the world. One of the lawmakers said he'd been discouraged from disclosing the computer attacks by other U.S. officials.

"Rep. Frank Wolf, R-Va., said four of his computers were compromised beginning in 2006. New Jersey Rep. Chris Smith, a senior Republican on the House Foreign Affairs Committee, said two of the computers at his global human rights subcommittee were attacked in December 2006 and March 2007.

"Wolf said that following one of the attacks, a car with license plates belonging to Chinese officials went to the home of a dissident in Fairfax County, Va., outside Washington and photographed it."

The article discusses other potential intrusions into U.S. government systems from China and attempts by investigators to keep the attacks secret:

"Wolf said the FBI had told him that computers of other House members and at least one House committee had been accessed by sources working from inside China. The Virginia Republican suggested that Senate computers could have been attacked as well.

"He said the hacking of computers in his Capitol Hill office began in August 2006, that he had known about it for a long time and that he had been discouraged from disclosing it by people in the U.S. government he refused to identify.

"The problem has been that no one wants to talk about this issue," he said. "Every time I've started to do something I've been told 'You can't do this.' A lot of people have made it very, very difficult."

"The FBI and the White House declined to comment.

"The Bush administration has been increasingly reluctant publicly to discuss or acknowledge cyber attacks, especially ones traced to China."


Other articles have been published discussing the lack of specific evidence that the source of these attacks is actually China, and the difficulty in determining both source and motive.

Lawmakers say Capitol computers hacked by Chinese

Weak Evidence Links Congressmen's Cyber-attacks to China