Wednesday, December 30, 2009

Belarus to Implement Controls over Internet

Belarus' President Alexander Lukashenko announced new legislation that:
"...would require the registration and identification of all online publications and of each Web user, including visitors to Internet cafes. Web service providers would have to report this information to police, courts and special services."

Belarus to toughen control over Internet

Thursday, December 17, 2009

Israeli Chief of Military Intelligence Comments on Cyberwar

Israel's Chief of Military Intelligence, Major-General Amos Yadlin, provided a glimpse into the Israeli cyberwarfare program in his first public comments on the subject.

Speaking to the Israeli Institute for National Security Studies, he said:

"Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states"...

and added:

"The potential exists here for applying force ... capable of compromising the military controls and the economic functions of countries, without the limitations of range and location."


Spymaster sees Israel as world cyberwar leader

U.S. Predator Drones Compromised

In a stunning admission, the U.S. military confirmed that Iraqi insurgents have intercepted video streams from Predator Drones [emphasis added]:
"Shiite fighters in Iraq used off-the-shelf software programs ... available for as little as $25.95 on the Internet — to regularly capture drone video feeds, the Wall Street Journal reported Thursday. The hacking was possible because the remotely flown planes have an unprotected communications link."

"...in December 2008, the military apprehended a Shiite militant in Iraq whose laptop contained files of intercepted drone video feeds, the Journal reported. In July, they found pirated feeds on other militant laptops, leading some officials to conclude that groups trained and funded by Iran were regularly intercepting feeds and sharing them with multiple extremist groups."
Even more remarkable is the admission that the downlink was never designed to be encrypted, and that this was known all along:
"The military has known about the vulnerability for more than a decade, but assumed adversaries would not be able to exploit it."
This is a classic, textbook example of inadequate security design and risk assessment - the root causes of most security issues in both the public and private sector. Assuming that an adversary cannot exploit a known weakness is not a mitigation; the fact that the interception software sells for $25.95 shows how quickly such an assumption decays.

What should be more alarming: if this vulnerability has existed for more than a decade, who else, with better resources, has had access to the feeds, and what other vulnerabilities exist in other systems that are not being addressed?
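To make the design point concrete, here is an added example (not code from the original post, and not the real drone or ground-station protocol) contrasting a cleartext downlink with one protected by authenticated encryption. The frame format, the "VFRM" magic, and the wire layout are assumptions made for this illustration. The receiver-side parser stands in for the off-the-shelf software in the article: against a cleartext link it recovers every frame; against an AES-GCM link with a per-packet counter it recovers nothing, and tampered or replayed packets are rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy frame header (an assumption for this example, not the real link format):
// 4-byte magic followed by a 32-bit frame sequence number, then video bytes.
var frameMagic = []byte("VFRM")

// buildFrame packs a frame number plus sample "video" bytes.
func buildFrame(seq uint32, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, frameMagic)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	return append(hdr, payload...)
}

// parseFrame is what cheap receiver software does: look for the cleartext
// magic and pull the frame out. ok is false when the bytes do not look like a frame.
func parseFrame(b []byte) (seq uint32, payload []byte, ok bool) {
	if len(b) < 8 || !bytes.Equal(b[:4], frameMagic) {
		return 0, nil, false
	}
	return binary.BigEndian.Uint32(b[4:8]), b[8:], true
}

// Link is the protected downlink: AES-256-GCM with a 96-bit nonce whose low
// 64 bits carry a strictly increasing packet counter. The counter is the
// replay defence, the GCM tag is the tamper defence, and the key is what an
// eavesdropper lacks.
type Link struct {
	aead    cipher.AEAD
	sendCtr uint64
	recvCtr uint64 // highest counter accepted so far (0 = none yet)
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

func (l *Link) nonce(ctr uint64) []byte {
	n := make([]byte, l.aead.NonceSize()) // 12 bytes for GCM
	binary.BigEndian.PutUint64(n[4:], ctr)
	return n
}

// Seal encrypts one frame. Wire format: 8-byte counter || ciphertext || tag.
// The counter travels in the clear but is bound as associated data, so any
// change to it fails authentication at the receiver.
func (l *Link) Seal(frame []byte) []byte {
	l.sendCtr++
	ctr := make([]byte, 8)
	binary.BigEndian.PutUint64(ctr, l.sendCtr)
	return append(ctr, l.aead.Seal(nil, l.nonce(l.sendCtr), frame, ctr)...)
}

var ErrReplay = errors.New("packet counter not increasing: replay or reorder")

// Open verifies and decrypts one packet, rejecting replayed and tampered ones.
func (l *Link) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < 8 {
		return nil, errors.New("short packet")
	}
	ctr := binary.BigEndian.Uint64(pkt[:8])
	if ctr <= l.recvCtr {
		return nil, ErrReplay
	}
	frame, err := l.aead.Open(nil, l.nonce(ctr), pkt[8:], pkt[:8])
	if err != nil {
		return nil, err // authentication failed: tampered, or wrong key
	}
	l.recvCtr = ctr
	return frame, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed session key shared by aircraft and ground station
	tx, _ := NewLink(key)
	rx, _ := NewLink(key)
	frame := buildFrame(1, []byte("sample video bytes"))
	_, _, ok := parseFrame(frame)
	fmt.Println("cleartext link, eavesdropper recovers frame:", ok)
	pkt := tx.Seal(frame)
	_, _, ok = parseFrame(pkt)
	fmt.Println("protected link, eavesdropper recovers frame:", ok)
	got, err := rx.Open(pkt)
	fmt.Println("receiver with key recovers frame:", err == nil && bytes.Equal(got, frame))
	_, err = rx.Open(pkt)
	fmt.Println("replayed packet rejected:", err == ErrReplay)
}
```

The counter-as-nonce construction is the standard way to get both nonce uniqueness and replay protection from one field; the key management that such a link needs (per-flight keys, rekeying on loss of the aircraft) is outside this example.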

Pentagon: Insurgents intercepted drone spy videos

Sunday, December 06, 2009

Importance of the Internet for Opposition Groups in Iran

Like many modern political opposition groups, Iranian protesters make extensive use of social networks and other Internet services to plan and coordinate protest activity:
"The opposition, which relies on the Web and cell phone service to organize rallies and get its message out, has vowed to hold rallies Monday, the first anti-government show of force in a month."
Likewise, governments may target these communications as a means to limit protests. Reports are alleging the Iranian Government is restricting Internet and mobile phone services to limit opposition communications prior to planned protests:

"Internet connections in the capital, Tehran, have been slow or completely down since Saturday. Blocking Internet access and cell phone service has been one of the routine methods employed by the authorities to undermine the opposition in recent months.

"The government has not publicly acknowledged it is behind the outages, but Iran's Internet service providers say the problem is not on their end and is not a technical glitch. A day or two after the demonstrations, cell phone and Internet service is restored."


Iran slows Internet access before student protests

Wednesday, October 07, 2009

International Telecommunications Union (ITU) Focus on Cybersecurity

ITU has announced a partnership with the International Multilateral Partnership Against Cyber Threats (IMPACT) to increase international cooperation.
"IMPACT... set up its Global Response Centre (GRC) in Cyberjaya, Malaysia, earlier this year as the international community’s foremost cyberthreat resource, to proactively track and defend against cyberthreats."
The ITU Secretary-General spoke at the ITU Telecom World 2009 on the need for better coordination:
"ITU Secretary-General Dr Hamadoun Touré stressed the importance of cyberpeace, where nations collaborate in a global cybersecurity framework based on enlightened self-interest. "Every country is now critically dependent on technology for commerce, finance, healthcare, emergency services, food distribution and more. Loss of vital networks would quickly cripple any nation – and none is immune to cyberattack."

Cybersecurity in action at ITU Telecom World 2009

Thursday, October 01, 2009

Russian FSB Arrests for Dagestan Intrusions

Axis Information and Analysis provided a short report on the arrest by the Russian FSB (Federal Security Service) of an individual for politically motivated intrusions into the systems of various Russian republics:
"In the course of investigation the FSB employees managed to find cyber-criminals of the Ansar group of insurgents who had been engaged in hacker attacks with an aim of distribution of their ideas through the world-wide web, and the 27 y.o. hacker Albert Saayev. The FSB established his participation in breaking of some of the state information resources, including sites of authorities of the Chechen Republic, Dagestan and Ingushetia."
The article alleges that Mr. Saayev had previously been arrested and convicted of similar crimes.

Dagestan hackers suspected of cyber-extremism detained by Federal Security Service in Moscow

Wednesday, September 30, 2009

Attack Aimed at Foreign Journalists in China

Infowar Monitor has posted a short analysis of a cyber attack targeting foreign journalists based in China, including "Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa." The attack consisted of an email from a purported journalist interested in visiting China, with an attached PDF file carrying malware. The technique appears to be related to previous politically motivated attacks in the region:
"The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past."
The post also provides some speculation on motives and attribution.

Targeted Malware Attack on Foreign Correspondents based in China

Singapore Creates Agency to Protect against IT Threats

The Singapore Government issued a press release announcing the creation of the Singapore Infocomm Technology Security Authority (SITSA) "to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage."

Specifically SITSA will provide:
  • IT Security Consultancy for strategic Government projects that have national security impact
  • Partnership Development to build relationships with key entities strategic to enhancing Singapore’s IT security
  • Critical Infocomm Infrastructure Protection to systematically harden the CIIs in nationally critical sectors
  • Technology Development to develop and maintain SITSA’s technical competencies and to provide insights on developments in IT security and threats
  • Singapore’s planning and preparedness, and response, against any major external cyber attack
The authority will be part of the Ministry of Home Affairs.

Singapore Infocomm Technology Security Authority Set Up to Safeguard Singapore against IT Security Threats

Tuesday, September 29, 2009

Changes to India's Cybercrime Laws

It appears that the Indian Government will soon amend the Information Technology Act of 2008 with changes to:

"...[strengthen] Extradition Law of India to effectively challenge the cyber crimes, including effective provisions regarding cyber war and cyber terrorism in India, International harmonisation of cyber law, providing sound cyber law and cyber security..."

It does not appear that an actual text of the proposed amendment is available online.

Cyber Law Of India to be amended soon

Report on Georgian Cyber Attacks

The U.S. Cyber Consequences Unit, a U.S.-based non-profit organization, released the results of its study of the cyber attacks on Georgia in 2008.
"The study concludes that the cyberattacks against Georgian targets were carried out by civilians, many of them recruited via social networking forums devoted to dating, hobbies and politics."
It points out the complexities involved in politically motivated attacks due to the involvement of actors with varying skills and agendas:
"...sympathizers who were not hackers, and who didn't even know much about computers, could participate.

"The report says the civilian cyberattackers were aided and supported by Russian organized crime. Although they found no evidence of direct involvement by the Russian government or military, the report concludes that the organizers were tipped off about the timing of Russian military operations."

The report has not been made public.

Study warns of cyberwarfare during military conflicts

Thursday, April 09, 2009

Analysis of Report on Power Grid Intrusions

After publishing a post on The Wall Street Journal article concerning intrusions into the U.S. electrical grid, I re-read the article and noticed a discrepancy in the comments attributed to various "government officials". The story first states (I've added the emphasis):
"The intruders haven't sought to damage the power grid or other key infrastructure..."
but then reports that:
"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."
The article goes on to state:
"Officials cautioned that the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt."

With the caveat that the article provides no real data on which to base an accurate risk assessment, these statements, as reported, are worrying to say the least. If software really has been planted that can "destroy infrastructure components", then my professional opinion is that:
  1. Damage has already occurred - If a system has been penetrated to the point that software capable of disrupting operations has been installed, the system has been damaged: its integrity and operational capacity are compromised. In a large, complex network it is very difficult to regain control once this level of compromise has taken place.

  2. There is immediate danger - As long as systems are compromised with malicious software, the motive of the intruders is unclear, and the vulnerabilities and entry points used by the intruders remain, there is an immediate danger. The companies that own these systems are not in control of them.

U.S. Electrical Grid Intrusions

Does China have "Exploit Factories" to Discover Vulnerabilities?

The identification and exploitation of vulnerabilities in software is a never-ending job for cyber criminals. Strategy Page looks at the possibility of what I would call "exploit factories" in China:
"China, for example, obtains these ZDEs [Zero Day Exploits] the same way they have become the place where software manufacturers go to get their software (especially game software) tested cheaply, and thoroughly. In China, you can fill up a large hall hundreds of bright, but otherwise unemployed, Chinese guys, equip them with PCs, and instructions on what to do to test software. Offer bonuses for those who find flaws, and off you go. Finding ZDEs is basically the same drill, except it takes a week or so of on-the-job training to familiarize your searchers with the testing and searching tools (some of them available at hacking sites) used to dig around in software for flaws."

The article goes on to discuss the potential link to the military and use in cyber warfare:
"The extent and effectiveness of this Internet based crime has military implications, because the same tools used by criminal hackers, are employed by Cyber War specialists."


The Secret Menace

Wednesday, April 08, 2009

U.S. Electrical Grid Intrusions

The Wall Street Journal reheated the debate on infrastructure vulnerability with an article concerning intrusions into, and mapping of, the U.S. electrical grid. The report points to China and Russia as the source, but provides almost no details beyond the generalized comments of anonymous sources to substantiate the claims.

One interesting note is the lack of detection of the intrusions by the companies themselves:

"Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Of course, the story is spawning many other reports and analysis including the suggestion that the power grid should be disconnected from the Internet:
"The onetime Counter Terrorism Czar, who famously criticized the Bush Administration for doing little to combat al Qaeda early in his first term before 9/11, chided the Obama Administration for not moving fast enough to decide upon the best defense strategy to counter cyber attacks on key infrastructure.

"One thing you can do is disconnect the power grid control system from the internet," Clarke said. "There's no reason for it to be connected."
This could be said of many critical systems. One such system that is rarely discussed is emergency communications, including 911 systems, which have slowly been connecting to the Internet despite known security issues.

Electricity Grid in U.S. Penetrated By Spies
Disconnect electrical grid from Internet, former terror czar Clarke warns

Monday, April 06, 2009

Indian Political Party Calls for Cyber Warfare Preparations

The New Zealand-based website Scoop ran an article on escalating calls by political parties in India for offensive nuclear and cyber warfare capabilities:
"We took note of the nuclear saber-rattling in these columns earlier ("India's Right Wing Wants Nuclear War," December 18, 2008). The chief of the Rashtriya Swayamsevak Sangh (National Volunteers' Association), patriarch of the "parivar" as the far-right "family" is popularly known, proclaimed nuclear war as the final solution to the problem of terrorism. Kuppahalli Sitaramayya Sudarshan, no less the führer of the far right despite his relatively low profile, thought nothing of this growing into a nuclear Third World War against terrorism. His Nazi-like logic was that such a war of extreme nationalism would cleanse the world as well. "
This had been followed by calls from India's Bharatiya Janata Party (BJP) to create a cyber warfare program with both defensive and offensive capabilities:
"The party spells out its policy on the subject in a document, released some days back, titled "BJP"s IT Vision." Calling for "an integrated National Cyber Security Plan, covering all aspects of external defense and internal security," the document also stresses the need for "an independent Digital Security Agency."

"This agency, it is declared, will be "responsible for cyber warfare, cyber counter-terrorism and cyber security of national digital assets."

...

"The document itself, however, leaves little doubt that the wording about an agency for cyber warfare was deliberate. Before issuing this call, the BJP emphasizes the need for building both "defensive and offensive capabilities for electronic warfare."
The threat of cyber war was then addressed by the current Indian government:
"On March 26, Cabinet Secretary K M Chandrasekhar said in New Delhi: "Cyber attacks and cyber terrorism are the new looming threats on the horizon. There could be attacks on critical infrastructure such as telecommunications, power distribution, transportation, financial services, essential public utility services and others." He did not name China as the enemy in this regard, but tied the threats to terrorism.

"China, however, was to figure prominently in a series of reports on cyber threats since then. On March 28, an unidentified high military officer was reported to have told well-known daily The Hindustan Times that, according to army intelligence, Beijing was planning an "information war" impliedly as a prelude to a major conflict by 2017."


India: After Nuclear War Far Right Wants Cyber War

Tuesday, March 31, 2009

Intercept Modernisation Programme to Include Social Networks

Following the implementation of the EU Data Retention Directive requiring member states to retain communication traffic information for law enforcement, the U.K. developed the "Intercept Modernisation Programme".
"The Home Office already has plans to log details of all phone calls, emails and websites visited by web users in the UK, as part of a grander scheme, a massive "mother of all databases" under the "Intercept Modernisation Programme" umbrella."
The Home Office is now looking at expanding beyond the EU Directive to include communications between users of social networking sites such as Facebook and Twitter:
"The Home Office minister Vernon Coaker told MPs that the fact that the EU Data Retention Directive lacks some features is "why the Government is looking at what we should do about the intercept modernisation programme because there are certain aspects of communications which are not covered by the directive."
This, of course, is stirring significant debate on civil liberties. However, when investigating large-scale crimes involving the Internet (especially international activity), traffic analysis of communications is probably the single best investigative tool available, and this is one of the arguments put forward by proponents:
"The government said that it will not be interested in what is being discussed but rather who talks to whom online, something that the government says is vital in preventing criminals and terrorists' communicating facilities."
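As an added illustration of what "who talks to whom" yields even without content (this is example code written for this post, not anything from the Home Office programme), the block below builds a contact graph from constructed metadata records and finds the brokers: the people whose removal would split the network into separate groups. The names and timestamps are invented; the record format (timestamp, source, destination) is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed metadata records for the example: who contacted whom and when.
// No content is present; this is the "who talks to whom" view. Names are placeholders.
const records = `2009-03-30T09:02,alice,bob
2009-03-30T09:05,bob,carol
2009-03-30T09:07,carol,alice
2009-03-30T10:15,carol,dave
2009-03-30T10:20,dave,erin
2009-03-30T10:22,erin,frank
2009-03-30T10:30,frank,dave
2009-03-30T11:00,alice,bob`

// Graph is an undirected contact graph: adj[a][b] counts contacts between a and b.
type Graph struct {
	adj map[string]map[string]int
}

// ParseRecords reads "timestamp,src,dst" lines and builds the graph.
func ParseRecords(text string) *Graph {
	g := &Graph{adj: map[string]map[string]int{}}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 3 {
			continue // malformed record: skip rather than abort the analysis
		}
		g.add(f[1], f[2])
		g.add(f[2], f[1])
	}
	return g
}

func (g *Graph) add(a, b string) {
	if g.adj[a] == nil {
		g.adj[a] = map[string]int{}
	}
	g.adj[a][b]++
}

// Degree returns the number of distinct contacts of a node.
func (g *Graph) Degree(n string) int { return len(g.adj[n]) }

// Contacts returns how many times a and b communicated, in either direction.
func (g *Graph) Contacts(a, b string) int { return g.adj[a][b] }

// Brokers returns the articulation points of the graph: nodes whose removal
// disconnects it. These are the intermediaries between otherwise separate
// groups, visible from metadata alone. Standard DFS low-link algorithm.
func (g *Graph) Brokers() []string {
	disc, low := map[string]int{}, map[string]int{}
	broker := map[string]bool{}
	t := 0
	var dfs func(u, parent string)
	dfs = func(u, parent string) {
		t++
		disc[u], low[u] = t, t
		children := 0
		for v := range g.adj[u] {
			if v == parent {
				continue
			}
			if _, seen := disc[v]; !seen {
				children++
				dfs(v, u)
				if low[v] < low[u] {
					low[u] = low[v]
				}
				if parent != "" && low[v] >= disc[u] {
					broker[u] = true
				}
			} else if disc[v] < low[u] {
				low[u] = disc[v]
			}
		}
		if parent == "" && children > 1 {
			broker[u] = true
		}
	}
	for n := range g.adj {
		if _, seen := disc[n]; !seen {
			dfs(n, "")
		}
	}
	out := make([]string, 0, len(broker))
	for n := range broker {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

func main() {
	g := ParseRecords(records)
	fmt.Println("brokers between groups:", g.Brokers())
	fmt.Println("alice<->bob contacts:", g.Contacts("alice", "bob"))
}
```

On the constructed records the two triangles (alice, bob, carol) and (dave, erin, frank) are joined only by the carol-dave contact, so carol and dave come out as the brokers. That is the kind of conclusion traffic analysis supports without reading a single message, which is exactly why it is both powerful for investigators and contentious for civil liberties.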


As an aside:

The keywords "Intercept Modernisation Programme" generates more traffic to this blog than any other so I'm always interested in performing traffic analysis on the spike after an article on the subject is posted. Historically, over 80% of traffic can be traced to U.K. defense or other governmental contractors.

UK Government Plans To Monitor Social Networking Websites


Social network sites 'monitored'

Famous Last Words

The Times of India quotes an Indian Army Lt. General saying the Indian Army is secure from cyber attacks:
"We have put in place a very secure network and I can confidently say that it cannot be tampered with,'' said signal officer-in-chief Lt-General P Mohapatra on Monday.

"There are various cryptographic controls that we have put in place and there are training activities to ensure that no loss of information takes place,'' he added."

The report further adds that "periodic cyber-security audits" provide additional protection.

Sigh...

Cyber war: Army says its systems are hack-proof

Sunday, March 29, 2009

U.K. Intelligence Fears Chinese Made Telecommunication Systems

The Sunday Times reports on U.K. intelligence officers' fears that China may be able to disrupt British telecommunications via Chinese systems supplied to British Telecom (BT):
"A confidential document circulating in Whitehall says that while BT has taken steps to reduce the risk of attacks by hackers or organised crime, “we believe that the mitigating measures are not effective against deliberate attack by China”."
The primary concern is BT using systems manufactured by Huawei:

"According to the sources, the ministerial committee on national security was told at the January meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

"Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network...”

Spy chiefs fear Chinese cyber attack

GhostNet: Massive Spy Network Uncovered

A series of reports and newspaper articles were released today on the investigation of what is being called GhostNet. The investigation began with complaints from Tibetan groups based in India, including the Private Office of the Dalai Lama. The foreword to the primary report describes the scope of the activity uncovered:
"The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information."

...

"From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value."
The attacks appear to originate in China, but the authors correctly point out the difficulty of determining the exact source:
"Some may conclude that what we lay out here points definitively to China as the culprit. Certainly Chinese cyber-espionage is a major global concern. Chinese authorities have made it clear that they consider cyberspace a strategic domain, one which helps redress the military imbalance between China and the rest of the world (particularly the United States). They have correctly identified cyberspace as the strategic fulcrum upon which U.S. military and economic dominance depends.

"But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading. Numbers can tell a different story. China is presently the world’s largest Internet population. The sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it’s expected that China (and Chinese individuals) will account for a larger proportion of cybercrime.

"Likewise, the threshold for engaging in cyber espionage is falling. Cybercrime kits are now available online, and their use is clearly on the rise, in some cases by organized crime and other private actors."
The report provides a detailed analysis of both methods and targets. Specifically:
"...our investigation... led to the discovery of insecure, web-based interfaces to four control servers. These interfaces allow attacker(s) to send instructions to, and receive data from, compromised computers... This extensive network consists of at least 1,295 infected computers in 103 countries.

"Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters."

Tracking GhostNet: Investigating a Cyber Espionage Network

Related Articles:

The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement

Vast Spy System Loots Computers in 103 Countries

Saturday, March 28, 2009

Dealing with Online Hate Speech

Security Magazine has an article discussing the issues involved in controlling hate speech on the Internet, in particular the often irreconcilable differences between countries' legal approaches:
"Some European countries have made certain forms of hate speech, like Nazi propaganda and Holocaust denial, a crime. Free speech protections guaranteed in the First Amendment of the U.S. Constitution make it impossible to outlaw hate speech in the United States, however. This impediment presents one of the biggest challenges for those seeking international solutions to the problem of hate speech."
However, even with legal issues, it is possible to develop some mechanisms to limit hate speech:
"Experts agree that part of the solution lies in working with businesses that provide access to the Internet or online applications. While the government cannot outlaw hate speech, a company has the right to establish a policy that requires users to abide by stated limits on what can be posted online."

Internet Hate: A Tough Problem to Combat

Friday, March 27, 2009

Cat and Mouse: Social Networks Help Protesters and Police

In a classic illustration of the power of online communications, social networking sites such as Twitter will be used both by protesters at the G20 meeting in London and by law enforcement monitoring the protesters:

"Marina Pepper, one of the organizers of G20 Meltdown, said that Twitter, the blogging tool that allows short updates to be filed, published and read via cellphones, would be used to coordinate the protests -- and warn participants of possible trouble.

"In terms of mobilizing people and shifting them around, Twitter will be used next week," Pepper told CNN. "We can also keep people empowered, because information is power."

"But Commander Simon O'Brien, one of the senior officers involved in policing security around the G20, said social networking sites would also be a "key area of our intelligence gathering."

"That's where we are picking up a lot of our intelligence about numbers and what certain groups are aiming to achieve," O'Brien said."


Protesters, police go online in G20 battle

Tuesday, March 17, 2009

Canada Sees Cyber Security As Top National Security Concern

Canada's Public Safety Minister is in Washington for bilateral talks on security and, in an interview, discussed Canada's cyber concerns:
"Canada is facing a growing threat of cyber attacks from hostile governments and criminals that could cripple critical infrastructure and financial systems, says Public Safety Minister Peter Van Loan."
In fact, the Minister sees cyber attacks as one of the top security concerns for Canada:
"...Van Loan said cyberspace and border security will top the agenda for high-level meetings with his America."

Cyber war tops Public Safety agenda

Monday, March 16, 2009

UN Concern over "Cyber Weapons"

Every day there is a rash of articles on the potential for cyber war and what should or shouldn't be done about it. The U.N. is now involved and considers "cyber weapons" an issue for disarmament discussions:
"So worried are governments by the prospect of an all-out cyber-attack that last month UN secretary-general Ban Ki-moon revealed that cyber-weapons are to be added to the list of arms falling under the remit of the UN's Advisory Board on Disarmament Matters, which develops policy on weapons of mass destruction. Ban said recent breaches of critical systems represent "a clear and present threat to international security", since the public and private sectors have grown increasingly dependent on electronic information."

Pentagon readies its cyberwar defences

Friday, March 13, 2009

U.S. Legal Issues on Cyber War

The Congressional Research Service has published a report on the legal and policy issues related to cyber warfare and defense in the United States. The paper summarizes the issues in terms of the three branches of the Federal government:
"Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyber attacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under the Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war."
One of the key problems with the Comprehensive National Cybersecurity Initiative (CNCI) is that it originated in a classified Presidential Directive. This immediately creates friction with the private sector on which the government depends:
"Given the secretive nature of the CNCI, one of the common concerns voiced by many security experts is the extent to which non-federal entities should have a role in understanding the threat to the nation’s telecommunications and cyber infrastructure and assist with providing advice, assistance, and coordination in preparation and response for ongoing and future intrusions and attacks."
The report provides background and discussion on the various roles and responsibilities of the three governmental branches and recommends the following Congressional actions to clarify and strengthen the legal basis for government action:
  • determine the most appropriate and effective organizational entity in which the nation’s principal cybersecurity prevention, response, and recovery responsibilities should reside;

  • require the senior U.S. government official in charge of all CNCI related activities be a Senate confirmable position to facilitate ongoing information exchange regarding Initiative plans and areas of progress and difficulty;

  • enact legislative language recognizing and defining the classified and unclassified aspects of the CNCI and the need for greater transparency and inclusiveness;

  • require the new Administration to develop and revise annually a classified and unclassified national cyber security strategy and intelligence community generated National Intelligence Estimate that provides Congress, the telecommunications industry, and the American public information related to the CNCI, the current and strategic cyber threats facing the nation, and programs being implemented to prepare for evolving technological risks;

  • define the privacy and civil liberty considerations that should accompany all aspects of the CNCI;

  • include legislative language in applicable authorizations bills to establish a programmatic foundation for CNCI related programs and suggest funding for current and future year’s activities; or

  • identify and codify relevant laws defining a national security related cyber offense against the United States, offensive versus defensive cyber activities, and the situations in which the Congress should be notified prior to the United States undertaking an offensive or counteroffensive cyber act.
The full report is available through the Washington Post:

Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations

Religious Cyber Wars on Facebook

TG Daily is reporting on an ongoing conflict on Facebook between a Christian group and Islamic supporters.
"The attack appears to be ongoing as the group's image has been changed, and the group's Basic Info section has also been changed to carry several paragraphs which claim to report on the foundation of Islam, including the first principle declaration in two parts, and several passages relating to the deity Allah and his prophet/servant/apostle Muhammad."
The article not only provides a chronology of the activity but also gives some of the religious history behind the postings.

UPDATE #3: Religious hack attack against Christianity seen on Facebook

Militarizing Cyberspace

PCWorld discusses what it calls the militarization of the Internet, stemming from the increasing use of distributed denial of service attacks:
"Governments are interested in using DDOS attacks since tracing their originators and financiers proves difficult for security researchers."
The article discusses government attempts to censor dissidents and opponents, and the use of DDoS attacks such as those in Estonia.

Political Cyberattacks to Militarize the Web

Tuesday, March 10, 2009

"Political Hacking" Is a Growing Trend

International Relations and Security Network (ISN) published an article on the growth of politically motivated computer crime and hacktivism:
"A growing trend of politicized hacking or "hacktivism" is emerging. The incidents in Estonia and Georgia were most likely carried out by state-encouraged Russian nationalist youth groups and criminal organizations, as well as at-large volunteers. One German youth claimed on a web forum that, with instruction from a Russian website, he was initiating fully functional denial-of-service attacks against targets in Georgia in a manner of hours. In reaction to a Danish newspaper cartoon of the Prophet Mohammad, loose groups of hackers in Turkey and other Muslim countries cyberattacked that publication's website."

The report summarizes some of the related recent activity.

The State of the Data War

Recommended Reading: Combating Extremists Online

The U.K. based International Centre for the Study of Radicalisation and Political Violence (ICSR) has released a paper on "Countering Online Radicalisation: A Strategy for Action".

This extensive report looks at a wide range of extremist-generated content on the Internet - from traditional terrorist organizations to white supremacist groups.

The paper begins with a look at why and how radical groups use the Internet. The power of the Internet (for all of society) lies in that it:
  1. Lowers the cost of communication;

  2. Gives unlimited access to knowledge;

  3. Creates networks irrespective of borders; and,

  4. Enables ‘risky’ or ‘embarrassing’ behavior.
However, extremist groups take this to, well, an extreme level:
  • "The internet can be used by extremists to illustrate and reinforce ideological messages and/or narratives. Through the internet, potential recruits can gain near-instantaneous access to visually powerful video and imagery which appear to substantiate the extremists’ political claims.

  • "The internet makes it easier to join and integrate into more formal organisations. It provides a comparatively risk-free way for potential recruits to find like-minded individuals and network amongst them, enabling them to reach beyond an isolated core group of conspirators.

  • "It creates a new social environment in which otherwise unacceptable views and behaviour are normalised. Surrounded by other radicals, the internet becomes a virtual ‘echo chamber’ in which the most extreme ideas and suggestions receive the most encouragement and support.
"It seems obvious, then, that the internet can have a role in intensifying and accelerating radicalisation. In fact, one may argue that the internet is of particular benefit to marginal and/or illegal groups and movements, because it facilitates the formation of (virtual) communities which would be more ‘risky’, if not impossible, to establish in the real world. There can be no doubt, therefore, that the internet is problematic, but is it the problem?"
The researchers propose four measures to combat online radicalization:
  • "Deterring producers - The selective use of takedowns in conjunction with prosecutions would signal that individuals engaged in online extremism are not beyond the law.

  • "Empowering online communities - The creation of an Internet Users Panel in order to strengthen reporting mechanisms and complaints procedures would allow users to make their voices heard.

  • "Reducing the appeal - More attention must be paid to media literacy, and a comprehensive approach in this area is badly needed.

  • "Promoting positive messages - The establishment of an independent start-up fund would provide seed money for grassroots online projects aimed at countering extremism."
The report looks at the pros, cons, tools and methods related to each of these areas. Of particular note, the paper rejects the all-too-common, knee-jerk reaction of simply banning offensive material:
"Traditionally, most governments have focused on identifying technical solutions, believing that if somehow radicalising material can be removed from the web or made unavailable for viewing, the problem will go away. Yet, as this report has shown, any strategy that relies on reducing the availability of content alone is bound to be crude, expensive and counterproductive.

"The comparison with efforts to counter child sexual abuse on the internet is flawed, because much of the material involved in child sexual abuse is clearly illegal and there are no political constituencies which might be offended if repressive action is taken against it. Child sexual abuse is not a free speech issue, whereas radical political propaganda is.

"Any strategy hoping to counter online radicalisation must aim to create an environment in which the production and consumption of such materials become not just more difficult in a technical sense but unacceptable as well as less desirable."
The solutions offered are correct. The problem is that they are not easy answers, and whether we are looking at protecting personal information in a commercial organization or combating extremists, most institutions only want easy answers.

Countering Online Radicalisation A Strategy for Action

Friday, March 06, 2009

Recommended Reading: Internet Radicalization by Extremists in Southeast Asia

Most of the time, media and research reports on terrorism, technology and politically motivated computer crime are shallow, to say the least. However, once in a while, a research report surfaces that actually has both the breadth and depth of research to increase our understanding of the phenomena. The Australian Strategic Policy Institute, in conjunction with the S. Rajaratnam School of International Studies at Nanyang Technological University, has just compiled such a report.

Titled "Countering internet radicalisation in Southeast Asia", it looks at terrorist interactions with the Internet in Southeast Asia:
"Although there is a growing body of research on terrorists’ use of the internet in Europe, the Middle East and North America, less attention has been given to the role of the internet in online radicalisation in Southeast Asia and how it affects neighbouring countries, such as Australia."
The paper's foreword states the primary area of research - the use of social networks in radicalization:
"Although the internet has become an important tool for tactical operations such as bombings, psychological warfare and fundraising, the focus in this paper is on its use as a tool to radicalise potential supporters.

"This study found that the internet has contributed to radicalisation, will probably grow in regional significance, and might become the dominant factor in radicalisation in the region. And it’s not just passive websites that are important in this context: social networking sites of all kinds, such as blogs and forums, are evolving rapidly.

"This paper discusses several policy approaches to counter the use of the internet for radicalisation in our region. These include blocking sites, creating counternarrative websites to promote tolerance, and intelligence-led methods to tackle the problem."
The study is filled with analysis and case studies. Some of the key points and trends include:
  • The number, technical sophistication and variety of extremist blogs and social networks are increasing and "create a stable network among members of the Bahasa and Malay language online community". The number of extremist websites increased from 15 in 2007 to 117 in 2008;

  • Blogs and social networks allow localization of radical messages. "Translated materials were once the staple of the Bahasa and Malay language extremist websites, but their online media units are now increasingly producing their own materials to better resonate with the home audience";

  • While there are several strategies for combating online radicalization, "regional governments and national law enforcement agencies have done little to stop the rise of online radicalisation."
The report provides three broad policies to counter Internet radicalization and discusses the pros and cons of each:
  1. Zero tolerance - where governments ban and block websites, censor Internet traffic, etc.;
  2. Counter messaging - to educate potential recruits and provide alternate points of view;
  3. Intelligence based strategies - "leading to targeting, investigation, disruption and arrest."
Highly recommended reading.


Countering internet radicalisation in Southeast Asia

Thursday, March 05, 2009

California May Censor Google Earth

Following reports that terrorists in India and Israel were using Google Earth in planning attacks, California lawmaker Joel Anderson has introduced a bill (AB 255) in the California Assembly to force censorship of potential targets:
"(a) An operator of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public shall not provide aerial or satellite photographs or imagery of a building or facility in this state that is identified on the Internet Web site by the operator as a school or place of worship, or a government or medical building or facility, unless those photographs or images have been blurred.

"(b) An operator of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public shall not provide street view photographs or images of the buildings and facilities described in subdivision (a)."


ASSEMBLY BILL No. 255

Wednesday, March 04, 2009

Internet Censorship in the Middle East

Lebanon's Daily Star analyzes the motivation for network control and censorship in the Middle East. The author provides three motivations:

  1. The degree of Internet proliferation;
  2. Press freedom and democracy; and,
  3. Culture
The report provides statistics concerning how each of these elements affects censorship in various countries. For example:
"Obviously, to the extent that internet usage in a given country is low due to economic or technological reasons or because of the absence of the requisite human resources, there is no need to regulate the internet through legislation because there is no internet. Thus Yemen had only 1.4 percent internet penetration in 2008, followed by Libya (4.2), Sudan (8.7) and Algeria (10.4). Conversely, the Middle East countries with the most internet legislation and regulation are also the leaders in internet penetration: Israel (52 percent), the UAE (49.8), Turkey (36.9), Iran (34.9), Kuwait (34.7), Tunisia (27), Saudi Arabia (22) and Egypt (12.9 percent)."


For many Arab states, internet suffocation is the norm

Online Communication of Operations by Terrorists

An interesting article on why terrorist organizations do not plan or communicate operations online. The article discusses a blog posting proposing "...al-Qaida on the Arabian Peninsula (QAP) fire Katyusha rockets from the Saudi shore of the Gulf of Aqaba toward Sharm al-Sheikh, where international leaders are meeting...".

As the article points out, "...the jihadi internet is used for many things, but not for operational planning":
"...the idea [for an attack] is useless the moment you post it online for all the intelligence services in the world to see.

"The posting is nevertheless interesting, first of all because it is unusually specific and shows that we cannot completely dismiss the Internet’s potential as an arena for operational brainstorming. At the same time, it illustrates the lack of military know-how of many online jihadists. In much of the forum material, there is a spectacular disconnection between intention and capability. Unfortunately, the haute couture of terrorism is prepared behind closed doors."


Prêt à porter terrorism

Use of Technology by Terrorists Targeting India

Frontier Media, an Indian blog on defense and intelligence issues, posted an article with the following concerning terrorist use of technology:
"Cyber and communications crimes attained maturity as a result of two incidents. The first was the hacking of a wireless network by the so-called Deccan Mujaheedin terrorists (desperate Pakistani terrorists use such generic names for projecting it as an Indian outfit), which resulted in an e-mail threat that implicated a foreigner. The second incident was the Pakistani terrorists Lashkar-e-Taiba’s (Jamaat-ud-Dawa) use of a satellite phone and Russian server during the attack on Mumbai, which resulted in the deaths of more than 180 Indians and foreign citizens alike – women and children among them."

Unfortunately, the rest of the article mostly delves into spam, phishing and fraud issues.

Software for meeting India’s Cyber- and IP-related challenges

Friday, February 27, 2009

Political Motivation Still Top Motive for Web Defacement

Breach Security, Inc. has released its annual report analyzing web page defacement. The study found that although financial motivation for web attacks is increasing, political and ideological motivations are still the primary drivers:
"On the other end of the spectrum, the ideologists use the Internet to convey their message using Web hacking. Their main vehicle is defacing web sites."
...
"When further analyzing defacement incidents, we found that the majority were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign. Others have a cultural aspect, mainly Islamic hackers defacing western web sites."

The report also looks at who is targeted most often for web defacements:
"Government is a prime target due to ideological reasons, while universities are more open than other organizations. These statistics, however, are biased, to a degree, as the public disclosure requirements of government and other public organizations are much broader than those of commercial organizations..."

"On the commercial side, Internet-related organizations top the list. This group includes retail shops, comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers."

THE WEB HACKING INCIDENTS DATABASE 2008

Wednesday, February 25, 2009

A New Military Branch for Cyber Warfare?

IANewsletter has published an article (starting on page 14) looking at the need for a separate cyber branch of the U.S. military on par with the Army, Navy, Marines and Air Force.

The authors review the historical context of the existing branches and the unique nature of cyber warfare:
"...occasionally, a new technology is so significant that it creates a discontinuity in the conduct of war that necessitates creation of an entirely new military service. This situation occurred in the United States, resulting in the formation of the Air Force in 1947. The advent of air power fundamentally altered the conduct of warfighting and drove the transformation of the Army Air Corps into the United States Air Force.

"The revolution in cyberwarfare places today’s militaries at a similar cusp in history and necessitates the formation of a cyberwarfare branch of the military, on equal footing with the Army, Navy, and Air Force."
...
"Cyberwarfare is fundamentally different from traditional kinetic warfare. National boundaries in cyberspace are difficult, if not impossible, to define. Lawyers and pundits are still debating the formal definition of an “act of war.” Asymmetries abound and defenders must block all possible avenues of cyber attack. An attacker need only exploit a single vulnerability to be successful."
The article then discusses why it would be better to have a separate military branch rather than trying to integrate cyber capabilities into each existing branch:
"The cultures of today’s military services are fundamentally incompatible with the culture required to conduct cyberwarfare. This assertion in no way denigrates either culture. Today’s militaries excel at their respective missions of fighting and winning in ground, sea, and air conflict; however, the core skills each institution values are intrinsically different from those skills required to engage in cyberwarfare. Cyber requires a deep understanding of software, hardware, operating systems, and networks at both the technical and policy levels."

Army, Navy, Air Force, and Cyber—Is it Time for a Cyberwarfare Branch of Military?

Monday, February 23, 2009

Russian Consulate Website Attacked to Protest Sinking of Ship

Several sites are carrying information concerning an attack on the website of the Russian Consulate in Shanghai to protest the Russian Navy's sinking of a Chinese ship as it tried to escape after being impounded for alleged smuggling.

The website was defaced with a protest message:
“Russia invaded our territory to kill people from the People’s Republic. Hack done for the Chinese crew of controversy! Russia must be punished! ! ! Hacked BY: Yu”
Yu is described in the article as "a network security enthusiast that has been defacing Chinese, Japanese, Korean, Taiwanese and U.S sites for a while, but had to give up his activities due to college studies."

Chinese hackers deface the Russian Consulate in Shanghai (ZDNet)

Chinese hackers take down Russian Consulate website (Dark Visitor)

Azerbaijan Cellular Website Attacked from Iran

From a very short article describing an attack on the website of Catel, Azerbaijan’s first CDMA operator:
"Iranian hackers, who describe themselves as “Balck [sic] Hats”, changed the appearance of the index page by posting a banner which reads that they will destroy the websites of companies with a US and Israeli stake."


Hackers attack Azerbaijan’s first CDMA operator’s website

Tuesday, February 17, 2009

New Arrest in Indymedia Investigation in the U.K.

The investigation of the online activist site, Indymedia, as discussed several weeks ago, continues in the U.K. with the arrest of an individual hosting a server for the group. Police are investigating the publication of personal information belonging to a judge in an animal rights trial.

This case is an excellent study of the conflicting issues related to free speech and political dissent, the need to investigate crimes, international and cultural differences concerning privacy, and how laws passed to give investigative powers in one area (terrorism) are quickly applied in unrelated areas (invasion of privacy).

Indymedia's view of the situation and events is provided below:

"This Monday, Kent Police arrested a man in Sheffield under the Serious Crime Act 2007 in relation to the recent Indymedia server seizure. His home was raided, all computer equipment and related papers taken. He was released after eight hours. The person had neither technical, administrative nor editorial access to the Indymedia UK website. He was only associated to the project by hosting its server.

"The arrest took place under Section 44-46 of the Serious Crime Act, which was passed into law on 1st October 2008 to combat serious international crime like drug trafficking, prostitution, money laundering and armed robbery. Sections 44-46 refer to “encouraging or assisting offences”.

"Kent police claim that they are after the IP address of the poster of two anonymous comments to a report about a recent animal liberation court case, which included personal details of the Judge. The IP address of the poster is not stored as Indymedia does not log IP addresses. This was acknowledged by British Transport Police in 2005, after the Bristol IMC server seizure.

"For the police to arrest the person who happened to sign the contract for server hosting, is sheer intimidation, in light of Indymedia’s openly stated policy of no IP logging.

"With the implementation of the EU Data Retention Directive in March 2009, the UK government attempts to turn every internet service provider in the country into part of the law enforcement apparatus. This legislation will provide a legal basis to track, intimidate, harass, and arrest people who are doing valuable and necessary work for social change, for example as peace activists, campaigners for economic and social justice or against police brutality."

Also of interest are the comments to this post discussing activists' perceptions of this situation and similar issues encountered by other political activists around the world.

Friday, February 13, 2009

DNI: Cyber Security a Top U.S. National Security Issue

The U.S. Director of National Intelligence, Dennis Blair, has provided his annual threat assessment to Congress. His Statement for the Record has been published and cyber security issues are defined as a major threat to the United States. Mr. Blair's statement includes the following summary of the threat (emphasis has been added):

"A growing array of state and non-state adversaries are increasingly targeting—for exploitation and potentially disruption or destruction—our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year.

"We assess that a number of nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups, including al-Qa’ida, HAMAS, and Hizballah, have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay. Each of these actors has different levels of skill and different intentions; therefore, we must develop flexible capabilities to counter each. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

"We expect disruptive cyber activities to be the norm in future political or military conflicts. The Distributed Denial of Service (DDoS) attacks and Web defacements that targeted Georgia in 2008 and Estonia in 2007 disrupted government, media, and banking Web sites. DDoS attacks and Web defacements targeted Georgian government Web sites, including that of Georgian President Saakashvili, intermittently disrupting online access to the official Georgian perspective of the conflict and some Georgian Government functions but did not affect military action. Such attacks have been a common outlet for hackers during political disputes over the past decade, including Israel’s military conflicts with Hizballah and HAMAS in 2006 and 2008, the aftermath of the terrorist attacks in Mumbai last year, the publication of cartoons caricaturing the Prophet Mohammed in 2005, and the Chinese downing of a US Navy aircraft in 2001."
The report also discusses online activity by organized crime.

Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence

Recommended: Detailed Report on the State of Network and Information Security in Europe

For anyone who deals with cyber security issues in Europe, it is always a challenge to keep up with each member country's initiatives, institutions and regulations. A new report looks to be a valuable resource in navigating the complex European environment.

The European Network and Information Security Agency (ENISA) has published an extensive (over 600 pages) report on network and information security in its 30 member countries (the 27 EU member countries plus 3 members of the European Economic Community). This report is an excellent who's who of cyber security in Europe.

The report is structured by country and provides details of cyber security activities including:
  • General country information including statistics on IT use;
  • The major governmental and private stakeholders that set and implement cyber security policies and their relationships;
  • An overview and detailed look at current initiatives, focus points and activities of each entity;
  • Cyber security events taking place in each country;
  • Cyber security trends including information on security breaches
An excellent reference on the state of cyber security in Europe. Let's hope they plan to keep it updated.

ENISA Country Reports

Chinese Cyber Attacks Back in the News

Attacks from China have resurfaced in the news, although it is difficult to determine from the coverage whether these are new attacks. In a recent interview, Rep. Bennie Thompson, Chairman of the House Homeland Security Committee, provided a few details concerning attack targets:

"Currency trading is among the financial networks targeted by hackers, Thompson said. An attack would be particularly damaging in light of the financial system’s troubled state, he said.

"He said electric utilities’ networks also have several points of weakness.

“We were provided alarming data on the vulnerability of our electrical grid in this country,” he said."

China strongly denies the allegations:

“Allegations that the Chinese government is behind cyber attacks against the U.S. computer networks are totally unwarranted and misleading for the America public,” Wang [Baodong, a spokesman for the Chinese Embassy in the U.S.] said in an e-mailed statement.

Wang said the Chinese government is “cracking down” on computer hacking and other cyber crimes.


Chinese Hackers Attack U.S. Computers, Thompson Says

Tuesday, February 10, 2009

More 'Political Hacking' in India

CyberMedia India Online (CIOL) looks at politically motivated computer crime in an article with the subtitle "Imagine if computer hackers, the daredevils of the networked world, turn into principled political activists".

The article mostly reviews incidents around the world, not all with political motivation. However, it does discuss some recent activity in India related to attacks that are alleged to have originated in Pakistan or are in support of Islamic causes:
"In a virtual act of mocking the cyber crime department of the police the official website of the Andhra Pradesh Crime Investigation Department (CID), www.cidap.gov.in, was hacked and defaced recently. Though no one has publicly claimed responsibility for the act, the abusive message posted on the website points to some Islamic fundamentalist group.

"The group had hacked nearly five India's site, including that of the ONGC, in a 'retaliatory' action against the hacking of the site of Pakistan's OGRA (Oil and Gas Regulatory Authority)

"Amidst reports from all over the world regarding hacking celebrity sites and other websites, the community site of the former President of India, Dr. APJ Kalam, in Orkut World, was recently targeted by Pakistani hackers."

Is hacking a war tool?

"Cyber War" to Protect Sharia Law?

In an article titled "Protection of Sharia (Islamic Law) and social reforms in AIMPLB [All India Muslim Personal Law Board]" the India-based ShahilOnline website is reporting on recent speeches given by Islamic scholars to more than 25,000 people.

During one of these speeches, the issue of cyberwar and technology came up:
"Moulana Salam Nadvi in his address said that the younger generation of the community should obtain higher education particularly they have to gain proficiency in the field of 'Information Technology' not for the purpose of accumulating wealth by getting employment in American companies in Bangalore, but to fight against the cyber-war being waged by anti-Islamic lobby particularly by western media [sic]."

Protection of Sharia (Islamic Law) and social reforms in AIMPLB

Monday, February 09, 2009

Why Are There No Internet Terrorist Attacks?

Strategy Page posted an analysis of the fact that we have not seen a significant Internet-based terrorist attack:
"The Internet Jihad (struggle) has been mostly smoke, and very little fire.

"Attempts by terrorists to recruit hackers have had very poor results. There are a growing number of programmers and Internet specialists in the Moslem world, but most of them have legitimate jobs in software firms, or maintaining software and Internet services for companies."

The article also rightly points out that what little activity we have seen has been ineffective and isolated:

"At most, there have been some defacing of web pages, often by hackers driven more by nationalism than religion."

The post goes on to explain categorically why:

"Counter-terrorism organizations know why there have not been more of these attacks by al Qaeda, or any other self-proclaimed Islamic warriors. The fact is that the Islamic terrorists are not nearly as well organized or skilled as the mass media would lead you to believe."
The premise that we are not seeing major cyber terrorist attacks is correct but I disagree with the conclusion. The potential of the Internet is the fact that it does not take a lot of organization to exploit its strengths (positively or negatively). This is why an individual or small (unorganized) group can have a presence and voice on the world stage. As the article points out, "there are Cyber War tools available that even the poorly educated terrorist computer user could operate."

If a group has the organization to recruit a suicide bomber, they have at least the potential to launch a cyber attack. Furthermore, if the almost chaotic organization of various hacktivist protesters can launch (mostly ineffective) cyber attacks then most terrorist organizations could do at least the same; and that's the key - the effectiveness of these types of attacks.

A more likely explanation is that they choose not to use them for the same reason that they choose not to carry out low-level physical attacks - only a large, physical attack causes the damage groups such as al-Qaeda believe furthers their cause - creating fear and inspiring their followers. Even the best DDoS attack would only cause temporary outages. It might gain some headlines (which the hacktivist is happy to have) but would hardly inspire uneducated Jihadists in the slums of Middle East cities to rise up.

Terrorist groups do see the power of the Internet for communication, intelligence gathering and propaganda and will continue to use it for these purposes. Only if they truly believe a cyber attack will further their cause will they be motivated to carry one out. Even then, it won't have the same impact as a physical attack - inconvenience does not translate to fear.


What Happened To The Internet Jihad?

Indian Summary of Davos Discussions

The Hindu Newspaper's Business Line reports on the discussions of cyber crime at the World Economic Forum in Davos and provides an Indian perspective:

"We, in India, have often seen reports of many Government of India Web sites being defaced, possibly from attacks originating from Pakistan.

"Fortunately these have been isolated instances, not amounting to a major cyber war. There is, however, no room for complacence. The government may not be able to share with us all that it has done to protect systems in India. We will have to rest content with the belief that we remain in a perpetual state of alertness to meet a severe challenge from neighbouring countries."


Don’t let down guard

Thursday, February 05, 2009

Guessing at the Source of Cyber Attacks

This is yet another example of how difficult it is to determine both the motive and the source of a cyber attack. As with most "cyber war" attacks, it is pure speculation as to who is behind the latest activity against Kyrgyzstan, and arguments can be made for any number of sources.

The New York Times has an article discussing two different possibilities for the most recent Kyrgyzstan attacks:
  1. Russian "cyber-militias" are attacking to intimidate the Kyrgyzstan government for any number of reasons; or,
  2. Kyrgyzstan hired Russian "hackers" to attack itself in order to "crackdown on an opposition party in Kyrgyzstan that uses the Internet to organize".
This is the danger: without better intelligence and investigative capabilities, it will be next to impossible to determine the exact source and motive. That leads to an inability to respond properly to a cyber attack or, potentially worse, to responding inappropriately.

I have been involved in numerous complex, international cyber investigations where the source and motive were determined. However, it is almost never simple and requires extensive intelligence gathering and analysis (beyond basic Internet traffic analysis). This requires time and expense beyond what most organizations are willing to invest. Yet doing anything less leaves only guesswork.

Also see Analyzing Google Attacks - Plenty of Room for Error

Are ‘Cyber-Militias’ Attacking Kyrgyzstan?

NATO Officers Targeted by Trojan Code

This BBC article looks at several aspects of NATO's cyber defences, including Trojan code specifically designed and targeted at NATO officers for espionage purposes:

"Mr Anil reveals that there has been more than one incidence of Nato officials being socially profiled, and then subjected to "targeted trojans".

"He explains how their unseen adversaries gather as much information as possible about the individual then send them an email purporting to come from a friend or a relative."


Nato's cyber defence warriors

Convergence of Electronic and Network Warfare

The Fort Leavenworth Lamp discusses the convergence of traditional electronic warfare (EW) with computer network operations (CNO):
"In the operational environment, the lines between CNO and EW are blurred," [Lt. Col. John] Bircher said. "We can use EW to disable our enemies' cellular phone device or we can use CNO to deny the device's access to its network."

"Do we use CNO or EW to deny our adversary, and does it matter to the tactical commander?" Bircher continued, "and in our conceptual research we found that it didn't matter. What's important is controlling the data, the bandwidth and the electromagnetic spectrum."

Electronic Warfare Proponent: Changes by adversaries, advances in technology drive EW's operational importance

Thailand Struggles with Internet Content

The Bangkok Post ran a lengthy article discussing freedom of speech and the control of inappropriate content. Much of the article concerns controlling disparaging comments made online about the Thai monarchy.

The article provides an excellent example of how each culture is struggling with these issues and of the difficulty of enforcing any regulations that are passed:
"Blocking content on over 2,000 web sites just prevents Thai residents accessing them while others worldwide still can. This method therefore cannot truly protect the honour of the monarchy," added Chiranuch Premchaiporn, director of Prachathai, an online news web site.

"The ICT [Information and Communication Technology] Ministry's combative stance on cyberspace is viewed as another draconian measure, in addition to the Computer Crime Act 2007 that deals with cyber-dissidents or online criminals. But the group at the seminars fears that such extreme measures will do more harm than good.

"We support the law and the policy to handle such crimes as hacking, deception, child pornography, pirate video clips, and theft of personal information, but the measure that allows state agents to block and close web sites can also lead to a violation of freedom of speech and limits public access to information," said Supinya Klangnarong, CPMR [the Campaign for Popular Media Reform]."

IN NETIZEN, WE TRUST

Wednesday, February 04, 2009

Social Networks Limit Undercover Work

Yet another "security" issue with social networks - intelligence agency recruitment:

"Herein lies the problem: if you're planning on having a second identity for undercover work, it doesn't help if your photos, friends and real name are splattered all over various social networking sites. Try finding a student at a university who hasn't done just that.

"The UK's intelligence agencies are worried. From schoolchildren on Bebo, through Facebook-obsessed young professionals, to well-networked CEOs on LinkedIn, having an online presence is a must in this day and age. But with the explosion of social networking sites, it has become virtually impossible to find recruits who don't have some sort of an online trail."

I would expect this to be a similar problem for law enforcement...

Social networking websites make recruiting spies difficult

Cyber Security Is a National Security Problem for the United States

Vice Adm. Carl Mauney, deputy commander of U.S. Strategic Command, told the 2009 Network Centric Warfare conference that "cyber security is a national security problem".

During his presentation he described some of the problems the DoD is facing and argued that cyber defense requires better coordination of effort:
"Also complicating cyber sleuths’ lives is the world’s billions of eye-blink-fast interconnected computers. But keeping up is vital. “Cyberspace has become a warfighting domain like land, sea, air, space,” Mauney told attendees. “And in light of growingly astute cyber enemies, it’s in our interest to maintain freedom of action,” he said.

"However, he cautioned, “It can’t be done in isolation.” There’s a “compelling need to integrate all elements of cyberspace operation and to [move] at net speed.” This is because the DOD on a daily basis faces millions of denial-of-service attacks, hacking, malware, bot-nets, viruses and other ruinous intrusions, some of which are associated with nations and nation-states, he said."
More importantly, Admiral Mauney stressed the need for individual accountability:
"What is needed is “a focus on accountability, from leadership to the user level. Our mindset needs to reflect the way we treat other military systems,” he said. “We don’t accept substandard performance in maritime, air and ground ops — and this is no different.” [emphasis added]

Hear, hear!


Greater cooperation needed to defeat cyber enemies

Europe Needs More Work on Cyber Defense

Trend News in Azerbaijan is reporting on a German DPA interview with Estonia's Minister of Defense concerning European readiness to defend against cyber attacks:

"For the time being, Europe's capability to defend itself from cyber-attacks is on the level of some of the capabilities of member states. Little value-added on the European level has been developed: we need to do more," he [Estonian Defence Minister Jaak Aaviksoo] said.

"In particular, the 27-member bloc must work harder to coordinate the efforts of various national defence and law-enforcement agencies and push for better cooperation with third countries which can serve as a safe haven for web-based attackers, he said."

Minister: Europe has not yet done enough on cyber-defence

Monday, February 02, 2009

Indymedia Server Seized - A Lesson in Network Resilience

Indymedia - one of the largest international clearinghouses of news and information for social activism - was recently raided by police in the UK. The raid was apparently the result of an investigation into the publication, in a comment on an article about an animal rights trial, of personal information belonging to the trial judge.

Indymedia had already removed the offending content in accordance with its own policies; however, the police seized a server containing a large quantity of unrelated information:
"...by seizing this server they [the police] are not only getting information on Indymedia but also on wholly unrelated groups."
However, the seizure did not interrupt Indymedia's operations. Its network is highly distributed and redundant, with extensive mirroring of data:
"As with previous cases, Indymedia UK stayed online this time. This was possible due to a system of "mirrors", which was set up to protect the technical infrastructure of the alternative media project. Despite the resource intensive interruptions caused by server seizures, the DIY-media activists continue to provide a platform for "news straight from the streets"."
Although it appears the police were not attempting to censor the information, this case shows the flexibility, power and dynamic nature of online communication. That resilience cuts both ways: activist and other politically motivated sites are difficult to censor or disrupt, but for the same reason, when commercial or government sites are the target of online protests by hacktivists, those attacks often have limited or no operational impact on their targets.

Other case studies of this phenomenon are documented in Hacktivism and Politically Motivated Computer Crime.

Police Seize UK Indymedia Server (Again)

Turkish "Hacker" Spied for PKK

The Turkish news site Today's Zaman is reporting that a "hacker" originally arrested for theft is now accused of supporting the Kurdistan Workers' Party (PKK).

Analysis of his system and of recovered media revealed classified information, which he is alleged to have transferred to the PKK in northern Iraq.

The article describes an interesting collection method - rather than attacking the targets directly, the suspect planted malware on websites he expected them to visit:
"[The suspect] said during police interrogation that the contact between him and the PKK's Karayılan was established through a terrorist friend of his who resides in France. He also stated that he acquired confidential information belonging to the General Staff, MİT [the Turkish National Intelligence Organization] and other institutions through computer virus programs he placed on pornographic Web sites visited by army members."

PKK hacker faces up to 10 years in prison

Sunday, February 01, 2009

World Economic Forum Short on Answers to Cyber Warfare and Computer Crime

The World Economic Forum in Davos held a panel discussion on cyber threats and named cyber warfare as one of the top three threats (cyber crime and the basic design of the web were the other two).

Most of the discussion of cyber warfare centered on Russian attacks against its neighbors, but the panel also discussed the difficulty of exercising control over the Internet:

"...the internet[sic] is a global network, it doesn't obey traditional boundaries, and traditional ways of policing don't work," one expert said."
The panel also discussed what should be done about the problem, and it appears from news reports that there were no new ideas. In fact, some panelists seemed to think that just letting things work themselves out was the best answer:

"But several panellists worried about the heavy hand of government. The internet's strength was its open nature. Centralising it would be a huge threat to innovation, evolution and growth of the web.

"The amount of control required [to exclude all risk] is quite totalitarian," one of them warned.

"Instead they suggested to foster the civic spirit of the web, similar to the open source software movement and the team that had sorted the YouTube problem"

While no one wants "totalitarian" control of the Internet, it is dangerously naive to think that fostering "civic spirit" would even begin to make a dent in computer crime. In fact, one could argue that civic spirit is a major motivator for politically motivated cyber attacks.

Cybercrime threat rising sharply

Looking at the Pattern of Cyber Attacks from Russia

Terming cyber attacks against Russia's neighbors "cyber bullying", Strategy Page provides a synopsis of previous attacks originating from Russia and discusses their escalation up to the present attack against Kyrgyzstan. The article also discusses NATO's reaction, including the creation of the Cyber Defense Center in Estonia last year:
"The Center will study Cyber War techniques and incidents, and attempt to coordinate efforts by other NATO members to create Cyber War defenses, and offensive weapons."

CyberBully

Wednesday, January 28, 2009

A Cyber Iron Curtain?



HOSTEXPLOIT.com has published an interesting article summarizing recent cyber attacks allegedly originating from Russia and suggesting there is a new Cyber Iron Curtain:
"Hence from a ‘Cyber Iron-Curtain’ perspective there is now provided a ‘control at will’ by Russia of communication and increasing cyber influence over its former Soviet satellites, a modern parallel to Winston Churchill’s post second world war description of the Soviet sphere of influence. Separately, the blocking of these major websites in Kyrgyzstan suggests that we should probably move this country up the relative scale of importance for the monitoring cyberwar around the world."

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Denial-of-Service Attack against Kyrgyzstan

The Wall Street Journal is reporting that Kyrgyzstan's Internet infrastructure is under attack, allegedly from Russia. There is very little detail in the report and only speculation about possible motives:
"Theories for the reason behind the current attack in Kyrgyzstan center on the U.S. use of an air base in the country to help with its military operations in Afghanistan. Another theory is that the attack was directed at the fledgling Kyrgyz opposition movement, which has used the Internet to express its discontent."
Wired Magazine offers a little more in-depth speculation:
"Using denial-of-service to clamp down opposition sounds a bit more plausible. During Kyrgyzstan's "Tulip Revolution" in 2005, demonstrators often depended on cell phones and text messages to organize. In post-Soviet states, where a smaller portion of the population is online, the authorities often allow the Internet to thrive as an outlet for dissent and free expression while clamping down on traditional media. But when the net becomes a more effective organizing tool -- or a more effective medium for investigative reporting -- the powers that be begin to take note."


Kyrgyzstan Knocked Offline (WSJ)

Russian 'Cyber Militia' Takes Kyrgyzstan Offline? (Wired)

Tuesday, January 27, 2009

Parent Support Website Attacked in China

In China, a website was set up for parents of children affected by tainted milk. The Dark Visitor, a website that follows the computer underground in China, is reporting that the parents' website, jieshibaobao.com, has been attacked by "patriotic" hackers:
"A group of patriotic Chinese hackers have joined together to attack the website and force it down. They claim the website is illegal, posting photoshopped pictures and fabricating the condition of the patients. This casts a bad light on China’s period of prosperity and therefore, jieshibaobao.com has become the target of resentful patriotic youth."

Patriotic Chinese hackers attack website of melamine poisoned children

Egyptian Use of Social Networks for Protest

Last week, I posted on how Saudis were using social networking sites to protest when physical protests were limited. The New York Times ran a lengthy report on the same phenomenon in Egypt:
"Freedom of speech and the right to assemble are limited in Egypt, which since 1981 has been ruled by Mubarak’s National Democratic Party under a permanent state-of-emergency law. An estimated 18,000 Egyptians are imprisoned under the law, which allows the police to arrest people without charges, allows the government to ban political organizations and makes it illegal for more than five people to gather without a license from the government. Newspapers are monitored by the Ministry of Information and generally refrain from directly criticizing Mubarak. And so for young people in Egypt, Facebook, which allows users to speak freely to one another and encourages them to form groups, is irresistible as a platform not only for social interaction but also for dissent."
The article discusses how social networks (Facebook in particular) and blogging were used to protest and to discuss various aspects of the Gaza conflict:
"In most countries in the Arab world, Facebook is now one of the 10 most-visited Web sites, and in Egypt it ranks third, after Google and Yahoo. About one in nine Egyptians has Internet access, and around 9 percent of that group are on Facebook — a total of almost 800,000 members. This month, hundreds of Egyptian Facebook members, in private homes and at Internet cafes, have set up Gaza-related “groups.” Most expressed hatred for Israel and the United States, but each one had its own focus. Some sought to coordinate humanitarian aid to Gaza, some criticized the Egyptian government, some criticized other Arab countries for blaming Egypt for the conflict and still others railed against Hamas."
The article then looks at internal protest within Egypt, in particular the April 6 Youth Movement, which attempted to organize a national strike. The case study shows not only how social networks can be used for protest but also that they are not risk free:
"[Facebook] ...members who identified themselves as government security agents joined the April 6 group, too, posting comments under the insignia of the Egyptian police, and as April 6 approached, the government issued a strong warning against participation in the strike."
Shortly afterwards, the group's Facebook organizer, Esraa Rashid, was arrested.

The popularity of Egyptian and other online protests has caught the attention of the U.S. State Department:
"State Department officials ... believe that social-networking software like Facebook’s has the potential to become a powerful pro-democracy tool. They pointed to recent developments in Saudi Arabia, where in November a Facebook group helped organize a national hunger strike against the kingdom’s imprisonment of political opponents, and in Colombia, where activists last February used Facebook to organize one of the largest protests ever held in that country, a nationwide series of demonstrations against the FARC insurgency."


Revolution, Facebook-Style

Friday, January 23, 2009

China Releases a White Paper on National Defense

The Chinese government has released a white paper on its national defense strategy. The paper discusses information warfare and what it calls the "informationizing" of the People's Liberation Army (PLA). The preface summarizes the cyber strategy:

"Conducting training in complex electromagnetic environments. The PLA is spreading basic knowledge of electromagnetic-spectrum and battlefield-electromagnetic environments, learning and mastering basic theories of information warfare, particularly electronic warfare. It is enhancing training on how to operate and use informationized weaponry and equipment, and command information systems. It is working on the informationizing of combined tactical training bases, and holding exercises in complex electromagnetic environments."

White paper on national defense published

Saudis Turn to the Internet for Protest

Middle East Online discusses the increase in protest blogging in Saudi Arabia and makes the case that part of the driving force behind its popularity is the Saudi limitation on other forms of physical protest:
"Since the police’s dispersal of a demonstration in support for Palestinians in Gaza with rubber bullets and tear gas last December in the east of Saudi Arabia, hundreds of blogs and forums have flourished on the Web to carry out jihad (holy war) against Israel and the "puppet" Arab regimes."
This ability to voice anger and dissent online has increased use of the Internet within the Kingdom:
"Today, the kingdom - with a population of 28.14 million, including 5.57 million expatriates - is under the influence of “Internet fever”. With over 6.2 million users in 2007, Saudi Arabia has got the 37th largest number of Internet users in the world, according to statistics compiled on December 18, 2008 by the CIA.

"By heavily showing their anger on the Web, Saudis prove they are the most faithful (Muslims) to the Palestinian cause," wrote a Saudi blogger.

"So we avoid the demagogy of rowdy street demonstrations," he added."
The article gives several examples of the use of blogs and social networks to vent anger over the Gaza conflict such as:
"We are the promoters of the Electronic Intifada. Our supporters are no less numerous than the demonstrators on the streets. We put our expertise to the resistance, to denounce the war against Gaza and the Arab silence ... without red lines to prevent us from expressing our anger," said a Saudi on YouTube."

Barrage of fire in Gaza, online ‘intifada’ in Saudi

Al Jazeera Report on Israeli-Palestinian Online Conflict

Al Jazeera's English website has posted an analysis of the Israeli-Palestinian cyber conflict and provides a good summary of the classic pattern of online escalation:

"With the internet becoming a battleground of ideas, the average person, armed with a keyboard and an internet connection, became a participant in the conflict.

"On December 27, 2008, Israel launched 'Operation Cast Lead' against Hamas targets in the Gaza Strip. Within minutes of the first missile landing in Gaza, global reactions appeared online.

"During the first few days of the war, online discussions were restricted to war of words. Both sides engaged in heated debates and blamed each other for the fatal surge in military operations.

"As the discussions grew, attempts were then made by supporters of both sides to establish a coordinated response aimed at combatting [sic] the other side's propaganda."

Waging the web wars


Obama Administration Releases National Security Agenda Including Cyber Security

The new Obama Administration has posted its national security strategy on the White House website. The document specifies a number of agenda items, including terrorism, nuclear weapons and... information security.

The agenda is broad and encompasses many areas of information security that historically have been neglected, drowned in red tape and infighting, or handed over to technical PhDs who can't see beyond the length of an encryption key and develop "solutions" that can't be implemented.

It remains to be seen if the new Administration can implement real change. However, if even a few of these initiatives were properly implemented it would be a major step forward.

Here is the full text of the cyber security section:

"Protect Our Information Networks

"Barack Obama and Joe Biden -- working with private industry, the research community and our citizens -- will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America's competitive advantage, and advances our national and homeland security. They will:

  • Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

  • Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

  • Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.

  • Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

  • Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age."


THE AGENDA • HOMELAND SECURITY