Tuesday, March 31, 2009

Intercept Modernisation Programme to Include Social Networks

Following the implementation of the EU Data Retention Directive requiring member states to retain communication traffic information for law enforcement, the U.K. developed the "Intercept Modernisation Programme".
"The Home Office already has plans to log details of all phone calls, emails and websites visited by web users in the UK, as part of a grander scheme, a massive "mother of all databases" under the "Intercept Modernisation Programme" umbrella."
The Home Office is now looking at expanding beyond the EU Directive to include communications between users of social networking sites such as Facebook and Twitter:
"The Home Office minister Vernon Coaker told MPs that the fact that the EU Data Retention Directive lacks some features is "why the Government is looking at what we should do about the intercept modernisation programme because there are certain aspects of communications which are not covered by the directive."
This, of course, is stirring a significant debate on civil liberties. However, when investigating large-scale crimes involving the Internet (and especially international activity), traffic analysis of communications is probably the single best investigative tool available and this is one of the arguments put forth by proponents of the activity:
"The government said that it will not be interested in what is being discussed but rather who talks to whom online, something that the government says is vital in preventing criminals and terrorists' communicating facilities."


As an aside:

The keywords "Intercept Modernisation Programme" generates more traffic to this blog than any other so I'm always interested in performing traffic analysis on the spike after an article on the subject is posted. Historically, over 80% of traffic can be traced to U.K. defense or other governmental contractors.

UK Government Plans To Monitor Social Networking Websites


Social network sites 'monitored'

Famous Last Words

The Times of India quotes an Indian Army Lt. General saying the Indian Army is secure from cyber attacks:
"We have put in place a very secure network and I can confidently say that it cannot be tampered with,'' said signal officer-in-chief Lt-General P Mohapatra on Monday.

"There are various cryptographic controls that we have put in place and there are training activities to ensure that no loss of information takes place,'' he added."

The report further adds that "periodic cyber-security audits" provide additional protection.

Sigh...

Cyber war: Army says its systems are hack-proof

Sunday, March 29, 2009

U.K. Intelligence Fears Chinese Made Telecommunication Systems

The Sunday Times report on U.K. intelligence officers' fear China may be able to disrupt British telecommunications via Chinese systems provided to British Telecom (BT):
"A confidential document circulating in Whitehall says that while BT has taken steps to reduce the risk of attacks by hackers or organised crime, “we believe that the mitigating measures are not effective against deliberate attack by China”."
The primary concern is BT using systems manufactured by Huawei:

"According to the sources, the ministerial committee on national security was told at the January meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

"Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network...”

Spy chiefs fear Chinese cyber attack

GhostNet: Massive Spy Network Uncovered

A series of reports and newspaper articles were released today on the investigation of what is being called GhostNet. The investigation began with complains from Tibetan groups based out of India including the Private Office of the Dalai Lama. The forward from the primary report describes the scope of the activity uncovered:
"The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information."

...

"From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value."
The attacks appears to be from China but the authors correctly point out the difficulty in determining the exact source:
"Some may conclude that what we lay out here points definitively to China as the culprit. Certainly Chinese cyber-espionage is a major global concern. Chinese authorities have made it clear that they consider cyberspace a strategic domain, one which helps redress the military imbalance between China and the rest of the world (particularly the United States). They have correctly identified cyberspace as the strategic fulcrum upon which U.S. military and economic dominance depends.

"But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading. Numbers can tell a different story. China is presently the world’s largest Internet population. The sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it’s expected that China (and Chinese individuals) will account for a larger proportion of cybercrime.

"Likewise, the threshold for engaging in cyber espionage is falling. Cybercrime kits are now available online, and their use is clearly on the rise, in some cases by organized crime and other private actors."
The report provides a detailed analysis of both methods and targets. Specifically:
"...our investigation... led to the discovery of insecure, web-based interfaces to four control servers. These interfaces allow attacker(s) to send instructions to, and receive data from, compromised computers... This extensive network consists of at least 1,295 infected computers in 103 countries.

"Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters."

Tracking GhostNet: Investigating a Cyber Espionage Network

Related Articles:

The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement

Vast Spy System Loots Computers in 103 Countries

Saturday, March 28, 2009

Dealing with Online Hate Speech

Security Magazine has an article discussing the issues involved in controlling hate speech on the Internet - in particular - the the often irreconcilable differences between various countries legal approaches:
"Some European countries have made certain forms of hate speech, like Nazi propaganda and Holocaust denial, a crime. Free speech protections guaranteed in the First Amendment of the U.S. Constitution make it impossible to outlaw hate speech in the United States, however. This impediment presents one of the biggest challenges for those seeking international solutions to the problem of hate speech."
However, even with legal issues, it is possible to develop some mechanisms to limit hate speech:
"Experts agree that part of the solution lies in working with businesses that provide access to the Internet or online applications. While the government cannot outlaw hate speech, a company has the right to establish a policy that requires users to abide by stated limits on what can be posted online."

Internet Hate: A Tough Problem to Combat

Friday, March 27, 2009

Cat and Mouse: Social Networks Help Protesters and Police

In a classic study of the power of online communications, social networking sites such as Twitter will be used both by protesters of the G20 meeting in London and by law enforcement to monitor the protesters:

"Marina Pepper, one of the organizers of G20 Meltdown, said that Twitter, the blogging tool that allows short updates to be filed, published and read via cellphones, would be used to coordinate the protests -- and warn participants of possible trouble.

"In terms of mobilizing people and shifting them around, Twitter will be used next week," Pepper told CNN. "We can also keep people empowered, because information is power."

"But Commander Simon O'Brien, one of the senior officers involved in policing security around the G20, said social networking sites would also be a "key area of our intelligence gathering."

"That's where we are picking up a lot of our intelligence about numbers and what certain groups are aiming to achieve," O'Brien said."


Protesters, police go online in G20 battle

Tuesday, March 17, 2009

Canada Sees Cyber Security As Top National Security Concern

Canada's Public Safety Minister is in Washington for bilateral talks on security and in an interview discussed Canada's cyber concerns:
"Canada is facing a growing threat of cyber attacks from hostile governments and criminals that could cripple critical infrastructure and financial systems, says Public Safety Minister Peter Van Loan."
In fact, the Minister sees cyber attacks as one of the top security concerns for Canada:
"...Van Loan said cyberspace and border security will top the agenda for high-level meetings with his America."

Cyber war tops Public Safety agenda

Monday, March 16, 2009

UN Concern over "Cyber Weapons"

Every day, there is a rash of articles on the potential of cyber war and what should or shouldn't be done about it. The U.N. is becoming involved and now considers "cyber weapons" an issue for disarmament discussions:
"So worried are governments by the prospect of an all-out cyber-attack that last month UN secretary-general Ban Ki-moon revealed that cyber-weapons are to be added to the list of arms falling under the remit of the UN's Advisory Board on Disarmament Matters, which develops policy on weapons of mass destruction. Ban said recent breaches of critical systems represent "a clear and present threat to international security", since the public and private sectors have grown increasingly dependent on electronic information."

Pentagon readies its cyberwar defences

Friday, March 13, 2009

U.S. Legal Issues on Cyber War

The Congressional Research Service has published a report on the legal and policy issues related to cyber warfare and defense in the United States. The paper summarizes the issues in terms of the three branches of the Federal government:
"Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyber attacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under the Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war."
One of the key problems with the Comprehensive National Cybersecurity Initiative (CNCI) is that originated in a classified Presidential Directive. This immediately causes conflict with the private sector on which the government is dependent:
"Given the secretive nature of the CNCI, one of the common concerns voiced by many security experts is the extent to which non-federal entities should have a role in understanding the threat to the nation’s telecommunications and cyber infrastructure and assist with providing advice, assistance, and coordination in preparation and response for ongoing and future intrusions and attacks."
The report provides background and discussion on the various roles and responsibilities of the three governmental branches and recommends the following Congressional actions to clarify and strengthen the legal basis for government action:
  • determine the most appropriate and effective organizational entity in which the nation’s principal cybersecurity prevention, response, and recovery responsibilities should reside;

  • require the senior U.S. government official in charge of all CNCI related activities be a Senate confirmable position to facilitate ongoing information exchange regarding Initiative plans and areas of progress and difficulty;

  • enact legislative language recognizing and defining the classified and unclassified aspects of the CNCI and the need for greater transparency and inclusiveness;

  • require the new Administration to develop and revise annually a classified and unclassified national cyber security strategy and intelligence community generated National Intelligence Estimate that provides Congress, the telecommunications industry, and the American public information related to the CNCI, the current and strategic cyber threats facing the nation, and programs being implemented to prepare for evolving technological risks;

  • define the privacy and civil liberty considerations that should accompany all aspects of the CNCI;

  • include legislative language in applicable authorizations bills to establish a programmatic foundation for CNCI related programs and suggest funding for current and future year’s activities; or

  • identify and codify relevant laws defining a national security related cyber offense against the United States, offensive versus defensive cyber activities, and the situations in which the Congress should be notified prior to the United States undertaking an offensive or counteroffensive cyber act.
The full report is available through the Washington Post:

Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations

Religious Cyber Wars on Facebook

TG Daily is reporting on an ongoing conflict on Facebook between a Christian group and Islamic supporters.
"The attack appears to be ongoing as the group's image has been changed, and the group's Basic Info section has also been changed to carry several paragraphs which claim to report on the foundation of Islam, including the first principle declaration in two parts, and several passages relating to the deity Allah and his prophet/servant/apostle Muhammad."
The article not only provides a chronology of activity but provides some of the religious history behind some of the postings.

UPDATE #3: Religious hack attack against Christianity seen on Facebook

Militarizing Cyberspace

PCWorld discusses what it calls the militarization of the Internet - from the increasing use of distributed denial of service attacks:
"Governments are interested in using DDOS attacks since tracing their originators and financiers proves difficult for security researchers."
The article discusses the government attempts to censor dissidents and opponents and the use of DDoS attacks such as those in Estonia.

Political Cyberattacks to Militarize the Web

Tuesday, March 10, 2009

"Political Hacking" Is a Growing Trend

International Relations and Security Network (ISN) published an article on the increasing nature of politically motivated computer crime and hacktivism:
"A growing trend of politicized hacking or "hacktivism" is emerging. The incidents in Estonia and Georgia were most likely carried out by state-encouraged Russian nationalist youth groups and criminal organizations, as well as at-large volunteers. One German youth claimed on a web forum that, with instruction from a Russian website, he was initiating fully functional denial-of-service attacks against targets in Georgia in a manner of hours. In reaction to a Danish newspaper cartoon of the Prophet Mohammad, loose groups of hackers in Turkey and other Muslim countries cyberattacked that publication's website."

The report summarizes some of the related recent activity.

The State of the Data War

Recommended Reading: Combating Extremists Online

The U.K. based International Centre for the Study of Radicalisation and Political Violence (ICSR) has released a paper on "Countering Online Radicalisation: A Strategy for Action".

This extensive report looks at a wide range of extremist-generated content on the Internet - from traditional terrorist organizations to white supremacist groups.

The paper begins with a look at why and how radical groups use the Internet. The power of the Internet (for all of society) is:
  1. Low cost of communication;

  2. Unlimited access knowledge;

  3. Create networks irrespective of boarders; and,

  4. Enables ‘risky’ or ‘embarrassing’ behavior.
However, extremist groups take this to, well, an extreme level:
  • "The internet can be used by extremists to illustrate and reinforce ideological messages and/or narratives. Through the internet, potential recruits can gain near-instantaneous access to visually powerful video and imagery which appear to substantiate the extremists’ political claims.

  • "The internet makes it easier to join and integrate into more formal organisations. It provides a comparatively risk-free way for potential recruits to find like-minded individuals and network amongst them, enabling them to reach beyond an isolated core group of conspirators.

  • "It creates a new social environment in which otherwise unacceptable views and behaviour are normalised. Surrounded by other radicals, the internet becomes a virtual ‘echo chamber’ in which the most extreme ideas and suggestions receive the most encouragement and support.
"It seems obvious, then, that the internet can have a role in intensifying and accelerating radicalisation. In fact, one may argue that the internet is of particular benefit to marginal and/or illegal groups and movements, because it facilitates the formation of (virtual) communities which would be more ‘risky’, if not impossible, to establish in the real world. There can be no doubt, therefore, that the internet is problematic, but is it the problem?"
The researchers propose four measures to combat online radicalization:
  • "Deterring producers - The selective use of takedowns in conjunction with prosecutions would signal that individuals engaged in online extremism are not beyond the law.

  • "Empowering online communities - The creation of an Internet Users Panel in order to strengthen reporting mechanisms and complaints procedures would allow users to make their voices heard.

  • "Reducing the appeal - More attention must be paid to media literacy, and a comprehensive approach in this area is badly needed.

  • "Promoting positive messages - The establishment of an independent start-up fund would provide seed money for grassroots online projects aimed at countering extremism."
The report looks at the pros, cons, tools and methods related to each of these areas. Of particular note, the paper rejects the all-to-common, knee-jerk reaction to just ban offensive material:
"Traditionally, most governments have focused on identifying technical solutions, believing that if somehow radicalising material can be removed from the web or made unavailable for viewing, the problem will go away. Yet, as this report has shown, any strategy that relies on reducing the availability of content alone is bound to be crude, expensive and counterproductive.

"The comparison with efforts to counter child sexual abuse on the internet is flawed, because much of the material involved in child sexual abuse is clearly illegal and there are no political constituencies which might be offended if repressive action is taken against it. Child sexual abuse is not a free speech issue, whereas radical political propaganda is.

"Any strategy hoping to counter online radicalisation must aim to create an environment in which the production and consumption of such materials become not just more difficult in a technical sense but unacceptable as well as less desirable."
The solutions offered are correct. The problem is, they are not easy answers and whether we are looking at protecting personal information in a commercial organization or combating extremists, most institutions only want easy answers.

Countering Online Radicalisation A Strategy for Action

Friday, March 06, 2009

Recommended Reading: Internet Radicalization by Extremists in Southeast Asia

Most of the time, media and research reports on terrorism, technology and politically motivated computer crime are shallow, to say the least. However, once in a while, a research report surfaces that actually has both the breadth and depth of research to increase our understanding of the phenomena and the Australian Strategic Policy Institute in conjunction with the S. Rajaratnam School of International Studies at Nanyang Technological University have just compiled such a report.

Titled "Countering internet radicalisation in Southeast Asia", it looks at terrorist interactions with the Internet in Southeast Asia:
"Although there is a growing body of research on terrorists’ use of the internet in Europe, the Middle East and North America , less attention has been given to the role of the internet in online radicalisation in Southeast Asia and how it affects neighbouring countries, such as Australia."
The paper's forward states the primary area of research - the use of social networks in radicalization:
"Although the internet has become an important tool for tactical operations such as bombings, psychological warfare and fundraising, the focus in this paper is on its use as a tool to radicalise potential supporters.

"This study found that the internet has contributed to radicalisation, will probably grow in regional significance, and might become the dominant factor in radicalisation in the region. And it’s not just passive websites that are important in this context: social networking sites of all kinds, such as blogs and forums, are evolving rapidly.

"This paper discusses several policy approaches to counter the use of the internet for radicalisation in our region. These include blocking sites, creating counternarrative websites to promote tolerance, and intelligence-led methods to tackle the problem."
The study is filled with analysis and case studies. Some of the key points and trends include:
  • The number, technical sophistication and variety of extremist blogs and social networks is increasing and "create a stable network among members of the Bahasa and Malay language online community". Extremist websites increased from 15 in 2007 to 117 in 2008;

  • Blogs and social networks allow localization of radical messages. "Translated materials were once the staple of the Bahasa and Malay language extremist websites, but their online media units are now increasingly producing their own materials to better resonate with the home audience.";

  • While there are several strategies for combating online radicalization, "regional governments and national law enforcement agencies have done little to stop the rise of online radicalisation."
The report provides three broad policies to counter Internet radicalization and discusses the pros and cons of each:
  1. Zero tolerance - where governments ban and block websites, censor Internet traffic, etc.;
  2. Counter messaging - to educate potential recruits and provide alternate points of view;
  3. Intelligence based strategies - "leading to targeting, investigation, disruption and arrest."
Highly recommended reading.


Countering internet radicalisation in Southeast Asia

Thursday, March 05, 2009

California May Censor Google Earth

Following reports that terrorists in India and Israel were using Google Earth in planning attacks, California lawmaker Joel Anderson has introduced a bill (AB 255) in the California Assembly to force censorship of potential targets:
"(a) An operator of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public shall not provide aerial or satellite photographs or imagery of a building or facility in this state that is identified on the Internet Web site by the operator as a school or place of worship, or a government or medical building or facility, unless those photographs or images have been blurred.

"(b) An operator of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public shall not provide street view photographs or images of the buildings and facilities described in subdivision (a)."


ASSEMBLY BILL No. 255

Wednesday, March 04, 2009

Internet Censorship in the Middle East

Lebanon's Daily Star analyzes the motivation for network control and censorship in the Middle East. The author provides three motivations:

  1. The degree of Internet proliferation;
  2. Press freedom and democracy; and,
  3. Culture
The report provides statistics concerning how each of these elements affects censorship in various countries. For example:
"Obviously, to the extent that internet usage in a given country is low due to economic or technological reasons or because of the absence of the requisite human resources, there is no need to regulate the internet through legislation because there is no internet. Thus Yemen had only 1.4 percent internet penetration in 2008, followed by Libya (4.2), Sudan (8.7) and Algeria (10.4). Conversely, the Middle East countries with the most internet legislation and regulation are also the leaders in internet penetration: Israel (52 percent), the UAE (49.8), Turkey (36.9), Iran (34.9), Kuwait (34.7), Tunisia (27), Saudi Arabia (22) and Egypt (12.9 percent)."


For many Arab states, internet suffocation is the norm

Online Communication of Operations by Terrorists

An interesting article on why terrorist organizations do not plan or communicate operations online. The article discusses a blog posting proposing "...al-Qaida on the Arabian Peninsula (QAP) fire Katyusha rockets from the Saudi shore of the Gulf of Aqaba toward Sharm al-Sheikh, where international leaders are meeting...".

As the article points out, "...the jihadi internet is used for many things, but not for operational planning.":
"...the idea [for an attack] is useless the moment you post it on online for all the intelligence services in the world to see.

"The posting is nevertheless interesting, first of all because it is unusually specific and shows that we cannot completely dismiss the Internet’s potential as an arena for operational brainstorming. At the same time, it illustrates the lack of military know-how of many online jihadists. In much of the forum material, there is a spectacular disconnection between intention and capability. Unfortunately, the haute couture of terrorism is prepared behind closed doors."


Prêt à porter terrorism

Use of Technology by Terrorists Targeting India

Frontier Media, an Indian blog on defense and intelligence issues, posted an article with the following concerning terrorist use of technology:
"Cyber and communications crimes attained maturity as a result of two incidents. The first was the hacking of a wireless network by the so-called Deccan Mujaheedin terrorists (desperate Pakistani terrorists use such generic names for projecting it as an Indian outfit), which resulted in an e-mail threat that implicated a foreigner. The second incident was the Pakistani terrorists Lashkar-e-Taiba’s (Jamaat-ud-Dawa) use of a satellite phone and Russian server during the attack on Mumbai, which resulted in the deaths of more than 180 Indians and foreign citizens alike – women and children among them."

Unfortunately, the rest of the article mostly delves into spam, phishing and fraud issues.

Software for meeting India’s Cyber- and IP-related challenges