Tuesday, March 25, 2008

Controlling Terrorism on the Internet

IEEE has posted an article on the difficulties of combating online terrorism including the most fundamental issue: What constitutes terrorism?

The article gives several examples in the U.K. of political attempts to ban content and the difficulties, both legal and technical, in actually establishing controls.
"Blocking websites also brings into play the incredibly labyrinthine arguments around just what is terror-inducing material. For example, a website that trumpets itself as a holy warriors' resource, complete with instructions on bomb-making, might easily be called a terrorist site and treated as such under law. However, what actions could—or should—an ISP take on an arborists' informational site that includes instructions on how to make a stump-blowing charge of black powder? Or is that arborists' site a front for a terror organization?"

Terror on the Internet: A Complex Issue, and Getting Harder

Monday, March 24, 2008

Similar Tactics Used to Attack Darfur and Tibet Support Groups

Several organizations have recently reported similar attacks against their computer systems. Organizations such as Save Darfur Coalition, the AFP and members of a pro-Tibetan mailing list have all been victims of attacks delivered by infected email using similar methods.

Once again, China is most often named as the source.

F-Secure's weblog "News from the Lab" has a posting which details the specifics of the pro-Tibetan attacks, with screenshots of the email message and details of the attached malicious code.

Perhaps most informative, the Washington Post ran an article with some specific details of malicious software that attempts to capture users' encryption keys once a system is compromised:

"The specificity of information sought in the targeted attacks also suggests the attackers are searching for intelligence that might be useful or valuable to a group that wants to keep tabs on human rights groups, said Nathan Dorjee, a graduate student who provides technology support to Students for a Free Tibet.

"Dorjee said one recent e-mail attack targeted at the group's members included a virus designed to search victim's computers for encryption keys used to mask online communications. The attackers in this case were searching for PGP keys, a specific technology that group members routinely use to prevent outsiders or eavesdroppers from reading any intercepted messages.

"Dorjee said the attacks have been unsettling but ineffective, as the Students for a Free Tibet network mostly operates on more secure platforms, such as Apple computers and machines powered by open source operating systems."

Targeted Malware Attacks against pro-Tibet Groups

FBI Suspects Chinese Hackers Damaged Darfur Site

Cyber Attacks Target Pro-Tibet Groups

Thursday, March 20, 2008

Review: The National Security Strategy of the United Kingdom

The United Kingdom has released the first ever National Security Strategy "set[ting] out the Government's approach to dealing with threats to national security, ranging from war and terrorism to climate change, disease and poverty."

The report summarizes a wide range of threats and provides a comprehensive prevention and control strategy. Within the report are several references to national threats from computer crime:

Under the heading of "Defending the United Kingdom against state-led threats" the strategy defines the requirements as:
  • "...to defend the territory of the United Kingdom, its sea and air approaches, its information and communications systems, and its other vital interests..."
  • "On intelligence, in addition to the major effort required to tackle the current level of terrorist threat, the security and intelligence agencies will continue to protect the United Kingdom against covert activity by foreign intelligence organisations aimed at political, economic and security targets, including cyber-attack."

Under the heading "Responding to global trends" the report discusses a strategy to handle cyber incidents:
"In response to the technological challenges, we are committed to working with international, public, and private sector partners to ensure that our government systems and critical national infrastructure are adequately protected against cyberattack.

"We are also investing, through the interception modernisation programme, to update our intelligence and law-enforcement capability to meet the challenges of rapidly advancing communications technology. We are committed to maximising the opportunities and benefits of the internet, by protecting the freedom to develop and host new services, while also reducing the scope for terrorists and criminals to exploit those opportunities and freedoms, and ensuring that the internet itself is resilient enough to withstand attacks and accidents.

"Finally, we support international efforts to monitor and protect the safety and security of new technology including the internet and communications networks, and the space assets that are increasingly important for communications. We will continue to explore how new confidence‑building and arms control measures might contribute to international security in this area."

Finally, under the heading "The interdependence of threats, risks and drivers – an integrated response" the report discusses how many of the threats to the United Kingdom are interrelated and discusses how cyber threats will be managed:
"The Centre for the Protection of National Infrastructure (CPNI) was established in 2007 to act as an interdepartmental organisation providing advice on information, physical and personnel security to businesses and organisations across the national infrastructure. CPNI works closely with the private sector, delivering advice to reduce the vulnerability of critical infrastructure to terrorism and other national security threats."
The full report is available at:

The National Security Strategy of the United Kingdom

Tibet Supporters Receiving Email Viruses

Several pro-Tibet groups have reported receiving email viruses and threatening telephone calls because of their support for activists in Tibet.

"We are getting virus attacks that are just shameless... claiming to be desperate people inside Tibet. The emails are well-written and emotional, pleading for us to open the images," she [Lhadon Tethong, director of Students for a Free Tibet] told AFP.

"Tashi Choephel, a researcher at the India-based Tibetan Centre for Human Rights and Democracy, said their email system was unusable because of attacks."

The attacks appear to be originating from locations around the world.

Pro-Tibet groups bombarded with abusive calls, viruses

Thursday, March 13, 2008

Review: 2009 FBI Congressional Budget Submission

The U.S. Department of Justice has submitted its FY 2009 budget for the FBI to Congress. This report provides insight into what the FBI believes are critical threats and the initiatives it would like funded. The 2009 budget reveals cyber crime (including politically motivated crimes) as a major issue and priority of the Bureau.

The Highlights:

  1. Requests over US $54,000,000 in increased budgeting for cyber crime initiatives - more than any other FBI initiative;
  2. Protecting the U.S. against cyber attacks is the third overall priority of the Counterterrorism/Counterintelligence (CT/CI) decision unit after preventing terrorist attacks (first priority) and foreign intelligence operations and espionage (second priority);
  3. Increasing threat from "Islamist extremists who have directly expressed an interest in attacking government and private computer systems";
  4. There has been a major increase in CT/CI computer intrusion cases: from 18 pending CT/CI computer intrusion cases in 2001 to 326 cases in 2007;
  5. More than 20 terabytes of sensitive information has been stolen from military and other sensitive national interest systems; and,
  6. The FBI continues to be challenged by rapid technology changes, shortage of skill sets and limited technical forensic capabilities.

The Details:

The report provides several 'external drivers and influences' related to cyber crime:
  • Communications revolution – advances in communications technology outpace the ability of the FBI to perform court-authorized intercepts; use of encryption and other communications technologies requires closer access to end-nodes; identity theft will make perpetrator identification more difficult;
  • Technological and scientific revolutions – reduced ability for threat groups or governments to hide undercover identity of agents; increase in espionage and cyber crime against U.S. corporations... inexpensive computing technology outpaces forensic science capacities
The report also notes an important attribute of nationalist-based, politically motivated computer crime:
"Sub-national and non-governmental entities are expected to play an increasing role in world affairs in the coming years, presenting new “asymmetric” and non-traditional threats to the U.S. Although the U.S. will continue to occupy a position of economic and political leadership — and although other governments will also continue to be important actors on the world stage — terrorist groups, criminal enterprises, and other non-state actors will assume an increasing role in international affairs. Nation states and their governments will exercise decreasing control over the flow of information, resources, technology, services, and people."
To meet the challenge of increasing computer intrusions, the budget requests 70 new Special Agents:
"The most significant challenge facing the Cyber program in FY 2009 is improving the FBI’s capacity for addressing more sophisticated and more frequent computer intrusion events. Acquiring this capability will necessitate the addition of 70 new Special Agent positions in FY 2009."
Interestingly, the FBI's cyber initiatives receive the greatest increases of any program in FY 2009 including:
  • Computer Intrusion Program - To conduct CT, CI, and criminal computer intrusion investigations where the Internet, computers, or networks are the primary tools or targets of the activity: US $10,231,000
  • Comprehensive National Cybersecurity Initiative - To allow the FBI to combat computer intrusions that hinder U.S. national security interests: US $38,648,000
  • Cyber Training - To provide additional specialized cyber training courses: US $5,389,000
These sums are for budget line items specifically related to cyber threats and do not include amounts incorporated in other line items. These amounts are larger than the proposed investment increase for such initiatives as 'Response to a WMD Incident' with a requested funding increase of US $30,055,000.

A detailed breakdown and justification for the Computer Intrusion Program includes:
"The FBI requests 57 positions (35 agents) and $10,231,000 ($655,000 non-personnel) for its Computer Intrusion Program (CIP). The request consists of 39 field personnel (25 agents, 6 investigative support, 7 clerical and 1 Information Technology Specialist) and 18 Headquarters (HQ) personnel (10 agents and 8 Management and Program Analysts) to conduct counterterrorism (CT), counterintelligence (CI), and criminal computer intrusion-related investigations where the Internet, computers, or networks are the primary tools or targets of the activity.


"The emerging threat to the U.S. of foreign information operations is expanding rapidly. The number of actors with the ability to utilize computers for illegal, harmful, and possibly devastating purposes continues to rise; most significant is the immediate threat posed by hostile nation states to our government, military, defense industrial base, and critical infrastructure networks. More than 20 terabytes of sensitive information has been stolen to date, disrupting military operations and significantly impacting the confidence in the integrity of our national information infrastructure. There is a growing threat of Islamist extremists who have directly expressed an interest in attacking government and private computer systems. As they develop more advanced skills, Islamist extremist hackers will pose an increasing threat, especially as they are not deterred by geopolitical realities that restrain the behavior of nation-states. As the only federal agency that has the statutory authority, expertise, and ability to combine the CT, CI, and criminal resources needed to effectively address illegal computer-supported operations, the FBI is in a unique position to counter cyber threats. As attacks increase in frequency, number, and sophistication, the FBI’s workload subsequently increases. Since FY 2001, there has been a 78 percent increase in the total number of computer intrusion investigations..."

"Of particular note is the increase in CT and CI computer intrusions. In FY 2001, there were 18 pending CT/CI computer intrusion cases, and as of December 2007, there were 316 cases."

The Cyber Program is described as:
"The FBI’s Cyber Program consolidates Headquarters and field resources dedicated to combating cyber-crime under a single entity. This allows the Cyber Program to coordinate, supervise, and facilitate the FBI's investigation of those federal violations in which the Internet, computer systems, or networks are exploited as the principal instruments or targets of terrorist organizations, foreign government-sponsored intelligence operations, or criminal activity.

"Included under the purview of the Cyber Program are counterterrorism, counterintelligence and criminal computer intrusion investigations; intellectual property rights-related investigations involving theft of trade secrets and signals; copyright infringement investigations involving computer software; credit/debit card fraud where there is substantial Internet and online involvement; online fraud and related identity theft investigations; and the Innocent Images National Initiative."

The budget documents the FBI's strategies to manage the case load of cyber crimes:
"Strategies to Accomplish Outcomes - With the current FY 2009 budget enhancement, the FBI anticipates addressing an ever-increasing caseload and hence changes in the amount of subsequent convictions/pre-trial diversions. The strategies to accomplish these outcomes includes; continuing and enhancing the alliances with the Intelligence Community (IC), the coordination of intelligence across the IC, and the most critical - the chairmanship of the Strategic Alliance Cyber Crime Working Group. This strategic alliance is a key initiative that addresses the increasing need for defending national security through joint cyber training, curriculum exchanges and joint investigative initiatives among five countries. This high-profile initiative has vast potential, with the ability to identify and exploit the Counterterrorism and Counterintelligence efforts within each of the participating countries. The Working Group has put forth a set of initiatives to develop cyber crime law enforcement strategy, leverage international cooperation between governments, law enforcement, and private industry, share information and training, share and develop new tools, and educate the public. Given the transnational nature of cyber crime, it is imperative to establish effective international cooperation and develop appropriate and consistent legislation. As cyber crimes cross national boundaries, international law enforcement cooperation is crucial. Because most laws and agencies operate within national borders, gaps exist in international legal coverage and harmonization of offences [sic], and agencies seek (or provide) international assistance only when a crime impacts their interests. A lack of staff with sufficient technical skills to effectively assist in investigating cyber crimes compounds this situation."
The report also contains background information and initiatives for other cyber threats such as child pornography, identity theft and online fraud.

FY2009 DoJ Congressional Budget Submission - Federal Bureau of Investigation

Tuesday, March 11, 2008

Reporters without Borders to Host Cyber Protest against Internet Censorship March 12

Reporters without Borders will host a day-long cyber protest against online censorship on March 12, 2008:

"To denounce government censorship of the Internet and to demand more online freedom, Reporters Without Borders is calling on Internet users to come and protest in online versions of the nine countries that are “Internet enemies” during the 24 hours from 11 a.m. on 12 March to 11 a.m. on 13 March (Paris time). Anyone with Internet access will be able to create an avatar, choose a message for their banner and take part in one of the nine cyber-demos (Burma, China, North Korea, Cuba, Egypt, Eritrea, Tunisia, Turkmenistan and Viêt-nam).

"Reporters Without Borders will release its latest list of “Internet enemies” together with a new version of its Handbook for Cyber-Dissidents."

Wednesday 12 March : launch of Online Free Expression Day plus repeat of last year’s "24-hour online demo"

CNN Reports Allegations that Chinese 'Hackers' Were Paid by the Chinese Government

In the ongoing guessing game of the motives behind alleged cyber attacks from China targeting U.S., British and German government systems, CNN is reporting on an interview with a Chinese 'hacker' (calling himself 'Xiao Chen') who stated off the air that the Chinese government had paid 'hackers' for the information they obtained from compromised systems. These allegations have been strongly denied by China:

"Beijing hit back at that, denying such an allegation and calling on the United States to provide proof. "If they have any evidence, I hope they would provide it. Then, we can cooperate on this issue," Qin Gang, a spokesman for the Chinese Foreign Ministry, said during a regular press briefing this week.

"But again off-camera, Xiao Chen says after the alleged Pentagon attack, his colleagues were paid by the Chinese government. CNN has no way to independently confirm if that is true.

"His allegations brought strenuous denials from Beijing. "I am telling you honestly, the Chinese government does not do such a thing," Qin said.

"But if Xiao Chen is telling the truth, it appears his colleagues launched a freelance attack -- not initiated by Beijing, but paid for after the fact."

The veracity of these claims is also questioned by the website 'The Dark Visitor', which reports on the Chinese computer underground. The blog also provides an analysis of the underground website featured in the CNN report.

Chinese hackers: No site is safe

Chinese hacker Xiao Chen’s Organization Revealed!

Chinese hacker Xiao Chen denies he hacked into Pentagon

Friday, March 07, 2008

NATO Recognizes Cyber Threat and U.K. Tory Party Proposes 'Cyber Security Minister'

The Guardian is reporting on a speech by a NATO official that cyber attacks are a major concern of the organization:
"Suleyman Anil, who is in charge of protecting Nato against computer attacks, said: "Cyber defence is now mentioned at the highest level along with missile defence and energy security."
The article also mentions a new proposal from the U.K.'s Tory party to create a ministry level position on cyber security:
"To coincide with the congress, shadow home secretary David Davis will today announce Conservative proposals on online crime - including the creation of a new post of cyber security minister. The Tory plans also outline the reinstitution of a national hi-tech crimes police squad, and forming a dedicated unit inside the Crown Prosecution Service for dealing with computer crime cases."

Nato says cyber warfare poses as great a threat as a missile attack

Extremist Websites Targeting Children and Women

YaleGlobal has a story concerning the increase in extremist websites developed for children and women. The article gives several examples of specific websites and their messages.
"The internet has long been a favorite tool of the terrorists. Decentralized and providing almost perfect anonymity, it cannot be subjected to control or restriction, and allows access to anyone who wants it. Large or small, terrorist groups have their own websites, using this medium to spread propaganda, raise funds and launder money, recruit and train members, communicate and conspire, plan and launch attacks. Al Qaeda, for example, now operates approximately 5,600 websites, and 900 more appear each year. Besides websites, modern terrorists rely on e-mail, chatrooms, e-groups, forums, virtual message boards, and resources like You-Tube and Google Earth."

Online Terrorists Prey on the Vulnerable

U.S. Project to Research Terrorist Use of Social Networks

The Office of the Director of National Intelligence (ODNI) recently published a report to Congress that included information on a new research initiative to monitor online social networks. The project, named "Reynard", will attempt to identify online terrorist activity.
"A senior intelligence officer at the ODNI said Reynard was in its very early stages and it was too soon to say which online worlds it would be studying. He added that any work on it would be purely for research rather than "operational" purposes."

US seeks terrorists in web worlds

Tuesday, March 04, 2008

Review: U.S. Report on China's Military Cyber Capabilities

The U.S. Department of Defense's annual report to Congress on China's military capabilities includes a section on potential threats in cyberspace:
"Cyberwarfare Capabilities. In the past year, numerous computer networks around the world, including those owned by the U.S. Government, were subject to intrusions that appear to have originated within the PRC. These intrusions require many of the skills and capabilities that would also be required for computer network attack. Although it is unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government, developing capabilities for cyberwarfare is consistent with authoritative PLA writings on this subject.

• In 2007, the Department of Defense, other U.S. Government agencies and departments, and defense-related think tanks and contractors experienced multiple computer network intrusions, many of which appeared to originate in the PRC.

• Hans Elmar Remberg, Vice President of the German Office for the Protection of the Constitution (Germany’s domestic intelligence agency), publicly accused China of sponsoring computer network intrusions “almost daily.” Remberg stated, “across the world the PRC is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their [sic] technological gaps as quickly as possible.” Referring to reports of PRC infiltration of computer networks of the German government, German Chancellor Angela Merkel said “we must together respect a set of game rules.” Similarly, in September 2007, French Secretary-General of National Defense Francis Delon confirmed that government information systems had been the target of attacks from the PRC.

• In addition to governments, apparent PRC origin network intrusions targeted businesses. In November 2007, Jonathan Evans, Director- General of the British intelligence service, MI 5, alerted 300 financial institution officials that they were the target of state-sponsored computer network exploitation from the PRC."
However, this is the totality of the discussion on information warfare. The report has a detailed analysis of other, physical capabilities and threats, China's military strategy, etc., yet the only other mention or analysis of cyber threats is a short sentence under asymmetric warfare capabilities stating Chinese interest in "cyber warfare against civilian and military networks – especially against communications and logistics nodes".

Complete analysis of the alleged cyber threat from China is impossible because most source information is classified. However, analysis of the wording of the report leaves some questions on the understanding of the threat. The report uses several "hedge words" or qualifiers such as:
"... intrusions that appear to have originated within the PRC."
"Although it is unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government..."
These qualifiers, combined with the lack of any analysis of the threat and the simple restating of information from press articles, leave more questions than answers concerning Chinese information warfare capabilities.

To further complicate any threat assessment, analysis of several attacks against commercial companies involving Chinese systems indicates that the actual origin of the attacks more often leads to Russian or Eastern European systems that are simply using insecure Chinese systems as intermediaries.

ANNUAL REPORT TO CONGRESS: Military Power of the People’s Republic of China 2008

Monday, March 03, 2008

Discussion on 'Cyber Jihad'

FrontPage Magazine has published an online discussion concerning "cyber jihad".

Symposium: Cyber Jihad

Jihadist Websites Compete with Each Other for Attention

Leela Jacinto from France24 has an interesting analysis of the popularity and success of jihadist websites:

"While some experts advocate keeping jihadist sites online for intelligence-gathering purposes, others believe their presence poses a security and propaganda threat. But keeping a lid on jihadist content in this day and age, experts admit, is easier said than done.

"Sites that are brought down promptly reappear on other servers in a process known as “piggybacking,” whereby site operators may not even be aware they are hosting militant Web content.

"The output is so profuse that security experts tracking jihadist sites say the West is losing the media war with Islamic extremists."

The article also points out that the jihadists' success comes with its own price: internal competition.

"There are now so many jihadist sites online that al Qaeda’s media bosses, experts say, are facing the same sort of headaches plaguing media chiefs across the world: how to stand out in a crowded market and retain audiences."

Al Qaeda: ‘Kicking butt’ online

Pakistan Accident Disables YouTube Worldwide

While there is no indication of malicious or political intent, the recent attempt by the Pakistan Telecommunications Authority to censor YouTube in Pakistan demonstrates the potential for a nation-state to disrupt communications and Internet activity.

"The lesson is that the Internet is still rather vulnerable as the multitude of websites, data and resources on it are still reachable only via a few routers and access points. Should something happen to one of these systems it could cause Internet and website outages and chaos in countries further afield. Recent events have also shown weaknesses in the hard lines that connect it all, namely the undersea cables that were recently damaged in the Mediterranean.

"Whether it be man or Mother Nature that causes damage to these systems, the end result is the same: Internet blackouts. The likelihood of these types of problems will increase as the web expands, more people come to rely on it, and it essentially becomes a bigger target."

Pakistan site swipe exposes web fragility