Thursday, October 14, 2010

Cyber Terrorism

I was recently requested to write an opinion piece for the Czech Republic's Prague Post on cyber terrorism:
"The risk is real for a malicious and intentional disruption of basic infrastructure but, unfortunately, the problem is poorly understood and too often the subject of hyperbole by both the media and security professionals with a "solution" to sell."

Virtual Hostage: Cyber Terrorism and Politically Motivated Computer Crime Are a Big Concern for the Real World

Tuesday, September 07, 2010

Recommended: Internet Use in Ukraine's Orange Revolution

Researchers Volodymyr Lysenko and Kevin Desouza have published an analysis of the effect and use of technology in Ukraine's Orange Revolution. The report provides an extensive review of the development of Internet and telecommunication based methods to disseminate information and organize political opposition.

Interestingly, the report discusses how the free flow of information can have a multiplying effect even when only a small portion of the population has direct access to the Internet:
"In the case of Ukraine we observed that, due to the two–step nature of the information communication process, the provision of alternative information to even a relatively small number of dissenters was apparently sufficient to initiate a network–related effect, when the information spreads exponentially, like an epidemic. We can therefore conclude that the Internet does not need to have a mass penetration rate in order to effectively help in the promotion of a major socio–political change."
The authors go on to discuss some of the attributes required for successful online opposition:
"[An] important finding was the necessity of locating the oppositional Web sites beyond the reach of the repressive authorities by hosting them on servers located in strong democratic countries. Moreover, in order to protect them relatively robustly from the cyberattacks initiated by authoritarian regimes, the servers should be situated in countries with relatively strong technical defenses and a highly ramified Internet network..."
"Additional strength is achievable by the creation of several mirror sites situated at different servers in physically different parts of the Internet. It is also essential that the national Internet domain name registrars remain free from control by the non–democratic authorities to prevent the authorities from suspending registration of the oppositional Internet resources and thus switching them off."
The report also discusses how traditional media (television, print and radio) and online information sources were used by both sides in the conflict to control messages, counter-messages and disinformation.

Overall, this report is an excellent analysis and case study of Internet based protest and opposition.

Role of Internet–based information flows and technologies in electoral revolutions: The case of Ukraine’s Orange Revolution

Saturday, July 03, 2010

North Korea Not Believed to Be Responsible for 2009 Attacks

A series of attacks targeting U.S. government and South Korean web sites during early July of 2009 were initially blamed on North Korea:
"In the days after the fast-moving, widespread attack, analysis pointed to North Korea as the likely starting point because code used in the attack included Korean language and other indicators."
But according to unnamed "cybersecurity experts" in the article this no longer appears to be the case. Of course, with the same type of flawed analysis, the "experts" can now speculate who else might be involved:
"These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor."
The article, as usual, provides few if any details that can be independently analyzed and appears to be confused about the exact nature of the attack. The article first describes the attacks as "...crippling strikes, known as "denial of service" attacks" but later says "...the attacks were largely restricted to vandalizing the public Web pages..." of the victims.

That confusion aside, this is another classic case of "cybersecurity experts" trying to use only technical analysis to determine motive. By itself, it just doesn't work (see Analyzing the Google Attacks - Plenty of Room for Mistakes). To assume that the use of the Korean language in attack code implies the source is North (or South) Korea is a very weak inference. It might be true but other explanations (such as a Korean national in San Francisco or a Korean speaker in Japan) are equally likely.

It requires more than a few technical indicators to develop a strong case showing source and motive.

US largely ruling out NKorea in 2009 cyberattacks

Friday, April 30, 2010

Applying International Law to Cyber Space

How well can existing international law map to cyber space? A recent article in The Legal Intelligencer looks at the legal concept of a "duty to assist" and how it might apply in cyberspace.
" law requires anyone receiving an SOS signal to "proceed with all possible speed" to render assistance. Today, similar legal duties abound -- what we might call "duties to assist" -- whether in response to a pilot's mayday call, distress signals, or emergency numbers."
However, this duty does not currently extend to the Internet. The article argues (rightly) that existing efforts (more technology and the militarization of cyber space) will not prevent large scale international cyber attacks:
"Technological prevention measures -- thicker security firewalls and better mechanisms to detect and repel attacks -- will undoubtedly be part of any effective counterattack strategy. Similar progress may come from efforts to reach agreement on how militaries should operate in cyberspace and increased transnational coordination among law enforcement agencies.

"But these measures will not be enough to solve the problem. Open networks will always be vulnerable to malicious attack as new security measures generate improved hacking techniques in an endless game of cat and mouse. The laws of war that govern military uses of force do not translate easily into cyberspace. Criminal laws, similarly, are a blunt instrument for protection. The difficulties inherent in trying to identify the precise location from which attacks arise and the identities of anonymous attackers stem from the basic structure of the global internet. Those difficulties make enforcement of criminal penalties (or the laws of war) difficult and at times impossible."
The authors give a brief description of how this duty might work to improve the situation:
"A duty to assist can work without identifying the attackers. It focuses instead on minimizing the attack's effects. A victim would send out a distress call... and all those in a position to provide assistance -- whether governments or private actors -- would have an obligation to respond. Help could come in many forms. If attackers denied service to a computer resource, internet service providers could provide additional bandwidth. If an attack crossed through a nation's territory, that nation's government would have to deny attackers further use of its information networks and help trace the attack to its true origins."

Do Cyber-Attacks Require a 'Duty to Assist'?

Monday, April 12, 2010

Increased Espionage against US Defense Contractors

The Counterintelligence Directorate of the U.S. Defense Security Office recently released a report on espionage against the U.S. defense industry. The study identified four broad methods of information gathering including the use and misuse of technology:
  1. Direct Request - Email requests for information, webcard purchase requests, price quote requests, phone calls, or marketing surveys
  2. Suspicious Internet Activity - Confirmed intrusion, attempted intrusion, computer network attack, potential pre-attack, or spam
  3. Solicitation and Seeking Employment - Offering technical and business services..., resume submissions, or sales offers
  4. Foreign Visits and Targeting - Suspicious activity at a convention, unannounced visit..., solicitations to attend a convention, offers of paid travel to a seminar, targeting of travelers, questions beyond scope, or overt search and seizure
The alleged sources of attacks are worldwide, including:
  • "East Asia and the Pacific and Near East entities remaining the most prolific collectors of United States technology or information"; and,
  • Europe and Eurasia
The largest growth in cyber activity was from East Asia and the Pacific:
"Suspicious Internet activity with IP addresses originating in the East Asia and the Pacific region represented 79 percent of the regional cyber collection effort, a significant increase over last year’s 52 percent. These apparent cyber operations mainly targeted cleared defense contractor networks used for research and development documentation, especially those related to information systems technology."
The report noted an interesting trend between Asian and Near East activity and that of Europe and Eurasia [emphasis added]:
"Europe and Eurasia collectors do not need to use high-profile collection techniques because their covert collection methodologies are already efficient and effective as to render the more blatant, overt requests largely supplemental to other collection competencies. It is noteworthy that even though their overt collection efforts have declined, European and Eurasian cyber actors remain some of the most active targeters of United States technology."
The report contains in-depth analysis of the types of information targets and regional statistics and analysis of activity. The report forecasts increased cyber activity in the future:
"Government and commercial collection entities worldwide are highly likely to continue the use of cyber collection activities against United States government and its CDCs. Cyber intrusion offers a relatively low-risk, high-gain technique giving illicit collectors the opportunity to acquire sensitive and proprietary information stored on United States computer networks. Cyber targeting may also be utilized as a collection planning tool to identify targets of opportunity not readily apparent to traditional collectors. This cyber reconnaissance allows foreign elements to design targeting plans employing the full range of collection techniques on focused targets."


Tuesday, April 06, 2010

Recommended Reading: Shadows in the Cloud

In a follow-up to the "Tracking GhostNet" report, a new analysis of attacks against Tibetan and Indian cyber targets has been released titled "Shadows in the Cloud: Investigating Cyber Espionage 2.0". I highly recommend this report.

The report is an excellent synopsis of an in-depth investigation into attacks and information thefts that:
"...documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information."
The analysis shows strong links to the People's Republic of China as the origin of the attacks.

I have not completed a detailed reading of the report but a first pass provides two immediate impressions:
  1. The strong similarities with investigations performed in the late 1980s involving espionage by the then Soviet Union using German nationals as proxies; and,

  2. The analysis, including attribution, appears to be sound.
The similarities between this report and other known cases of computer based espionage are striking. The only major difference between the Soviet espionage case of the 1980s and this one is that most of the techniques of infiltration, compromise and data theft are now automated. The patterns of behavior, use of proxies and movement and collection of information are very similar.

Furthermore, this analysis, at least on first reading, appears to be careful, methodical and does not suffer from some of the errors made by other technicians analyzing large-scale international cyber attacks (see Analyzing the Google Attacks - Plenty of Room for Mistakes).

This care of analysis is best summed up by the authors when discussing the attribution of the source of the attacks (emphasis added):
"Attribution concerning cyber espionage networks is a complex task, given the inherently obscure modus operandi of the agents or groups under investigation. Cyber criminals aim to mask their identities, and the networks investigated in this report are dispersed across multiple platforms and national jurisdictions. Complicating matters further is the politicization of attribution questions, particularly concerning Chinese intentions around information warfare. Clearly this investigation and our analysis tracks back directly to the PRC, and to known entities within the criminal underground of the PRC. There is also an obvious correlation to be drawn between the victims, the nature of the documents stolen, and the strategic interests of the Chinese state. But correlations do not equal causation. It is certainly possible that the attackers were directed in some manner — either by sub-contract or privateering — by agents of the Chinese state, but we have no evidence to prove that assertion. It is also possible that the agents behind the Shadow network are operating for motives other than political espionage, as our investigation and analysis only uncovered a slice of what is undoubtedly a larger set of networks. Even more remote, but still at least within the realm of possibility, is the false flag scenario, that another government altogether is masking a political espionage operation to appear as if it is coming from within the PRC. Drawing these different scenarios and alternative explanations together, the most plausible explanation, and the one supported by the evidence, is that the Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground. Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese government."

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

North Korea Develops Its Own Operating System Aimed at User Monitoring

South Korea's Science and Technology Policy Institute has released information concerning a homegrown operating system developed by North Korea called Red Star. It appears to be based on Linux and Microsoft code and primarily developed to monitor and limit user activities.

The South Korean report also states:
"North Korea has launched a cyber-war unit that targets sites in South Korea and the US"
but no further details were provided in the BBC article.

North Korean Red Star operating system details emerge

Fine Line between Criminal Activity and National Security

NPR ran a lengthy report on cyber war centered around last month's congressional testimony by the Director of National Intelligence Dennis Blair citing cyber attacks as a top threat to U.S. security.

One important factor noted in the broadcast is the fine line between criminal activity and national security threats. The difference is not so much technique as motive:
"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says [Richard] Clarke [former Presidential cyber security adviser]. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."

Cyber Insecurity: U.S. Struggles To Confront Threat

Wednesday, March 24, 2010

U.K. Internet Cafes Asked to Monitor Web Usage for Terrorism

After several terrorism related convictions in the U.K. where suspects were believed to have used Internet cafes, police are seeking cooperation from the cafe owners:
"The new initiative involves getting internet cafe owners to monitor the websites their customers view and to pass on any worries over suspicious activity to the police."
and additionally,
"The police want internet cafe owners to check the hard drives of their computers to help spot any suspicious activity."
It should probably go without saying that there are critics of the program(me). One commentator is quoted:

"What is dangerous about this initiative is that it does not just focus on preventing access to illegal material but also material that is defined as 'extremist' without offering an objective definition of what that is.

"It thus potentially criminalises people for accessing material that is legal but which expresses religious and political opinions that police officers find unacceptable."

Anti-terror police seek help from internet cafes

Friday, March 12, 2010

Increasing Use of the Internet by Terrorist Groups

The LA Times reports on the extensive and effective use of the Internet by traditional terrorist organizations:
"From charismatic clerics who spout hate online, to thousands of extremist websites, chat rooms and social networking pages that raise money and spread radical propaganda, the Internet has become a crucial front in the ever-shifting war on terrorism."
The article also discusses using the Internet for terrorist training activities:
"The new militancy is driven by the Web," agreed Fawaz A. Gerges, a terrorism expert at the London School of Economics. "The terror training camps in Afghanistan and Pakistan are being replaced by virtual camps on the Web."

Internet making it easier to become a terrorist

Thursday, March 11, 2010

Report: Internet Controls Violate Human Rights

The U.S. Department of State's 2009 Human Rights Report highlights Internet censorship as a major human rights concern. The report's introduction included cyber monitoring and controls resulting in privacy violations and censorship:
"2009 also was a year in which more people gained greater access than ever before to more information about human rights through the Internet, cell phones, and other forms of connective technologies. Yet at the same time it was a year in which governments spent more time, money, and attention finding regulatory and technical means to curtail freedom of expression on the Internet and the flow of critical information and to infringe on the personal privacy rights of those who used these rapidly evolving technologies."
Most notable in the report were China and Iran:
"The government of China increased its efforts to monitor Internet use, control content, restrict information, block access to foreign and domestic Web sites, encourage self-censorship, and punish those who violated regulations. The government employed thousands of persons at the national, provincial, and local levels to monitor electronic communication ... The government at times blocked access to selected sites operated by major foreign news outlets, health organizations, foreign governments, educational institutions, and social networking sites, as well as search engines, that allow rapid communication or organization of users... The government also automatically censored e-mail and Web chats based on an ever-changing list of sensitive key words."
The report also notes that government interference is not always effective:
"Despite official monitoring and censorship, dissidents and political activists continued to use the Internet to advocate and call attention to political causes such as prisoner advocacy, political reform, ethnic discrimination, corruption, and foreign policy concerns."
The report cites Iran for cracking down on Internet access in the run-up to the June presidential election:
"...the government blocked access to Facebook, Twitter, and other social networking sites. After the June election, there was a major drop in bandwidth, which experts posited the government caused to prevent activists involved in the protests from accessing the Internet and uploading large video files."
Receiving honorable mentions were North Korea because:
"Internet access was limited to high-ranking officials and other elites..."
and Vietnam where:
"Bloggers were detained and arrested under vague national security provisions for criticizing the government and were prohibited from posting material the government saw as sensitive or critical. The government also monitored e-mail and regulated or suppressed Internet content, such as Facebook and other Web sites operated by overseas Vietnamese political groups."

2009 Human Rights Report: Introduction

Tuesday, March 09, 2010

Law Firms Increasingly the Victims of Espionage

Law firms are one of the latest targets of alleged cyber espionage from China and others interested in obtaining information on clients or litigation that involve their interests:
"Law firms are attractive targets for cyberattackers because they maintain sensitive client information on their systems, according to attorneys and technology consultants. Perpetrators may be digging for litigation strategies, negotiation tactics, details on pending deals, or other specific information that could aid governments, competitors, or other entities. The bulk of cyberattacks originate overseas, with China leading the pack..."
Law firms are at high risk both because of the sensitive nature of the information they possess and because they don't understand the threat or how to protect themselves. From an adversary's perspective, they are high value targets with a high potential for a successful attack and low risk of being caught.

Understanding the exact extent of law firm intrusions is difficult due to ignorance or fear of reputational damage:
"Often, law firms never figure out on their own that their networks have sustained serious breaches, largely because... attacks are designed to be difficult to detect. Most firms learn of network security problems from third parties, often law enforcement authorities..."

"Law firms often fear that disclosing such a breach may prompt their clients to take their business to a competing firm, even though that competing firm likely has no better capacity to protect the client's information..."

Firms Slow to Awaken to Cybersecurity Threat

Friday, March 05, 2010

Political Cyber Crimes Growing

The growth of politically motivated computer crime is the subject of a recent article discussing how companies focus on profit motivated cyber crime while ignoring other threats. The author states that because of "fear-mongering from the media and opportunistic profiteers, we've all become myopically obsessed with [profit based] cyber-crime."
"While monetary gains are certainly a big motivator for cybercrime, increasingly cyber-criminals are acting out of political interests."
The article blames much of this on security vendors hyping specific threats that their products are designed to protect against. I agree: I see it every day when advising my clients.

The author then prescribes three actions companies should take. These are summarized as:
  1. "...put up the best defenses you can. Make sure that you are putting the resources you already have, such as log files, to the best possible use";

  2. "...implement the best people-processes you can"; and,

  3. prepare to be "hacked".
Unfortunately, these recommendations just repeat the very error the article points out: blindly implementing security controls without understanding the nature of the threats the organization faces.

There are many cyber threats with a multitude of motives and one of the key contributors to the increased effectiveness of all types of cyber-crime is the myopic focus on technology while not understanding threats and risks. This leads to some threats not being mitigated while others are over-protected thereby wasting valuable budget and resources (see IT security professionals must evolve for changing market for further discussion).

Companies need to start with a thorough assessment of threats and risks. Then, they can design the organization, skills, policies and processes to best mitigate those risks. Only after these steps are completed should they begin to choose and implement (technical) controls that help automate and manage the mitigation and monitoring processes. Anything else is just a waste of money.

Managing threats and risks should drive the selection and use of controls - not the other way around.

The author is correct that too many organizations are not prepared for cyber attacks and assume (incorrectly) that if they have a firewall and some log management or other tools in place they don't need to worry. No security control or process is perfect even if resources and budgets weren't an issue. Companies need to have a robust incident response capability and one that isn't developed when a crisis occurs.

Focus on Cyber-Crime Misses Real Threat

Thursday, March 04, 2010

NATO Facing Increased Cyber Threats

NATO's Secretary-General commented at a NATO seminar in Finland that the alliance needs to increase defenses against cyber threats. While not releasing any details it appears NATO is concerned about a wide range of potential problems:
"It's really a broad range of threats. There are many actors in cyberspace, and we have to develop a capacity to protect ourselves against those attacks," [said Secretary-General Anders] Fogh Rasmussen.
Swedish Foreign Minister Carl Bildt also commented at the same meeting on the threat saying:
"There are terrorists, spies, subversive attempts, ongoing attacks as well as preparations for much more disruptive and destructive operations... There will be no security for our societies if we can't secure both our cyberspace and our orbital space."

NATO chief calls attention to cyber threats

Tuesday, March 02, 2010

Germany Suspends Communication Data Retention Law

Citing security and transparency concerns, the German Federal Constitution Court has suspended the law requiring communication providers and ISPs to retain traffic information for six months for use by law enforcement:
"The judges said the data storage was not secure enough and that it was not sufficiently clear what it would be used for."
The law was implemented to follow an EU Directive aimed at fighting terrorism but the court ordered the suspension until new rules for the storage and use of the data could be implemented:
"The court demanded that stricter conditions be attached to the use and storage of the data, saying it needed to be encoded and that there should be "transparent control" of what the information was used for."
The court additionally ordered all data stored to date to be deleted.

German High Court Limits Phone and E-Mail Data Storage

Thursday, February 25, 2010

Political Motivation Behind Google Ruling in Italy?

The New York Times suggests the recent Italian court ruling that Google executives are criminally responsible for offensive Internet content may have a broader political motivation and that the ruling is related to Prime Minister Berlusconi's ownership and control of many of Italy's media outlets:
"Critics of Mr. Berlusconi say the measures go beyond routine copyright questions and are a way to stave off competition from the Web to public television stations and his own private channels — and to keep a tighter grip on public debate."
Specifically, the accusation is that those who control the broadcast media in Italy want to control the Internet as well:
"Paolo Gentiloni, a leading opposition member and a former communications minister, said Internet regulation was inevitably political. Today in Italy, he said, “political power is in the hands of people who do TV, not the Internet.”"
The Italian government denies any such motivation for the court's ruling or for measures recently proposed by the Italian legislature to regulate Internet activities:
"Paolo Romani, a deputy communications minister who sponsored the measure, said the issue was copyright protection. “It has nothing to do with the fact that our prime minister also owns television stations,” he said. “It’s in Berlusconi’s interest not to be accused of conflict of interest.”"

Larger Threat Is Seen in Google Case

In a Cyberwar, US Would Lose

The U.S. Senate heard testimony from "industry experts" warning of catastrophic consequences from cyber war attacks - including pronouncements that the "government faces the prospect of losing in an all-out cyberwar".

As part of the debate on the Cyber Security Act of 2009, Senators were told the status quo is not acceptable:
We are "...under attack every day, losing every day vital secrets. We can not wait," [James Lewis, Center for Strategic and International Studies] said. "We need a new framework for cybersecurity and this bill helps provide that."
Lewis went on to add that "...[t]he cyberattack is mainly espionage, some crime".

There is no doubt that the U.S. and most other developed countries are at high risk from significant cyber attacks as demonstrated almost daily by intrusions into military, government, commercial and non-profit organizations. However, it is interesting that many of the companies that would benefit the most from the funding to "fix" the problem are the ones ringing the congressional alarm bells the loudest.

Experts warn of catastrophe from cyberattacks

Friday, February 12, 2010

Hacktivists Attack Australian Government Systems

A hacktivist group called "Anonymous" is claiming responsibility for Distributed Denial-of-Service attacks against government systems in Australia. The attacks are a protest against proposed filtering of Internet content by the Australian government.
"The group consists of "a few thousand people" based all over the world Coldblood said."
Coldblood is a pseudonym for an individual claiming to be a spokesperson for the group. The spokesperson also claimed responsibility for other hacktivist attacks protesting other forms of censorship:
"They staged cyber attacks on Iran following the election protests and have publicly protested against the Scientology movement."

Cyber attacks against Australia 'will continue'

Sunday, February 07, 2010

US Faces "Significant" Threat from Cyber Espionage

John Brennan, Deputy National Security Adviser for Homeland Security and Counterterrorism, stated during a television interview that the United States faced a "serious and significant" threat from cyberspace:

"We're looking at these issues from the standpoint of espionage, from governments, from different individuals, whether they be hackers or terrorist organizations," Brennan said.

"National security is something that is at risk. That's why what we're trying to do is to ensure that our networks, our government networks, our private sector networks have the ability to withstand these attempts to hack in."

US faces 'serious' cyberspace threats: advisor

Sunday, January 31, 2010

Wide Ranging Espionage by China in Britain

The Sunday Times reports on a leaked MI5 memo warning UK companies of extensive espionage by China including both traditional means and cyber attacks.

The targets are described as:
"UK defence, energy, communications and manufacturing companies in a concerted hacking campaign. It claims China has also gone much further, targeting the computer networks and email accounts of public relations companies and international law firms."

Several methods are mentioned in the article including "sexual entrapment", knowledge of "illegal activities to pressurise individuals to co-operate with them", bugging hotel rooms in China and other countries, and:

"...that undercover intelligence officers from the People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts” and “lavish hospitality”.

"The gifts — cameras and memory sticks — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers."

An important point, left to the end of the article, provides some insight into the seriousness that the UK government gives the problem:
"The growing threat from China has led [Jonathan] Evans [Jonathan Evans, the director-general of MI5] to complain that his agency is being forced to divert manpower and resources away from the fight against Al-Qaeda."

China bugs and burgles Britain

Friday, January 22, 2010

Analyzing the Google Attacks - Plenty of Room for Mistakes

SecureWorks has posted an analysis of the malicious code alleged to have been used to attack Google and other companies, collectively referred to as "Operation Aurora". SecureWorks' posting is one of the first pieces of evidence and technical analysis that goes beyond simple speculation.

The analysis centers on a somewhat unique piece of error-correcting code (called a CRC) that appears to have been developed in China and only published in Chinese language papers.

It is great that some good technical analysis is starting to come out and I recommend those interested to read the posting. It has some technical information but the main points should be accessible to non-technical readers.

However, from an investigator's point of view, there are some shortcomings in this type of analysis and it might prove interesting to discuss a few of these.

Most technical analysis focuses on answering what happened and how an incident occurs. Technicians can reverse engineer (malicious) code, analyze network traffic patterns and review logs of system activity to understand how someone gained access to a system and what they did. This analysis is a very necessary and important step. However, just knowing how an incident occurs is not enough for security professionals.

To understand the risk from these types of attacks requires more information. If our response to an attack is solely based on how it occurs then we risk wasting resources by overreacting or misapplying controls that are ineffective (one of the most common problems in information security). The current Google incident is a perfect example.

Based on the current public information there is tremendous speculation that this may be sponsored or directed by the Chinese government for the purposes of espionage. If that is true, it requires a significant reaction both in terms of spending by (potential) targets and by action from other governments. However, if this is being carried out by a group of teenagers in Romania (just using Chinese systems as a front) simply for the technical challenge, our response can and should be completely different. Therefore, understanding who the adversaries are and their motives changes the risk equation and our response to it (additionally, we need to understand capabilities but that's another topic).

We need to answer not only what happened and how but also by whom and why.

Here we often hit a brick wall: Due to the virtual nature of data and the Internet, it can be very difficult to clearly identify who and why, yet it is not impossible. Unfortunately, many technicians take the what and how information and try to infer answers to who and why, often with poor results.

Inference chains, or inference concatenates, are used by intelligence analysts, investigators and prosecutors to link data points and evidence to develop a conclusion based on what is known or to prove guilt based on evidence. Inference chains can be either weak or strong. Unfortunately, most inferences used to determine "who" perpetrates a cyber attack are weak.

With this in mind, let's go back and look at the technical analysis and where it might have some shortcomings or problems.

One example is the following quote from the SecureWorks posting:
"...outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof."
It is great to see such caution in analysis but it needs to go a little further: How do we know the PRC (People's Republic of China) IP addresses "prove" any involvement by anyone in China or their agents? It might be someone outside of China using a Chinese system. Until we know exactly who the perpetrators are, we don't know what their affiliation with the PRC is. Therefore, we would say that to infer that the perpetrator is Chinese based solely on the use of a Chinese IP address is weak: It might be true but it might not.

Another example of this problem is the conclusion that because the (legitimate) CRC used in the malicious code appears to have been developed in China, the perpetrators must be Chinese (again, using what information to infer who).

The post describes the CRC code and that it appears to have been created in China and only published in simplified Chinese (a form of written Chinese promoted by the PRC).

The inference chain then goes like this:
  1. A specialized CRC code (called CRC-16) was created in China for legitimate purposes;
  2. A simple Google search returns only references to the CRC code in simplified Chinese papers;
  3. Malicious code was developed that, in part, uses a CRC that "matches the structural implementation" of the CRC-16 code;
  4. The malicious code was used to attack Google (and others);
  5. Therefore, the "use of this unique CRC implementation in Hydraq [the malicious code] is evidence that someone from within the PRC authored the Aurora codebase".
Is this a strong inference chain? Not if other reasonable conclusions could be drawn. For example, simplified Chinese is also used in Singapore. We could equally conclude (based solely on the inference chain above) that the perpetrator was in Singapore. Or perhaps a Chinese emigrant living in France. Within reason, we could come up with several other possibilities.

Again, it may be true, but it may not. Does this level of analysis, common in technical cyber crime studies, give us the information we need to react appropriately (technically, legally or politically) to the threat?
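An added illustration, not part of the original post or of the SecureWorks analysis: the chain above run through a simple Analysis of Competing Hypotheses matrix, which asks whether any evidence item actually argues against an alternative. The hypothesis list follows the alternatives named in the text; the C/N/I ratings and all function names are constructed assumptions.

```python
"""ACH-style check of an attribution inference chain (added example).

Ratings are constructed for illustration: C = consistent with the
hypothesis, N = neutral, I = inconsistent (argues against it).
"""

HYPOTHESES = [
    "author inside the PRC",
    "author in Singapore",
    "Chinese emigrant living abroad",
    "outsider using Chinese systems as a front",
]

# One rating per hypothesis, in the order above (constructed ratings).
EVIDENCE = {
    "control servers on PRC IP addresses": "CCCC",
    "CRC found only in simplified-Chinese papers": "CCCN",
    "same code used against Google and others": "NNNN",
}


def refuted_by(ratings):
    """Indexes of the hypotheses an evidence item argues against."""
    return [i for i, r in enumerate(ratings) if r == "I"]


def diagnostic_items(evidence, n_hyp):
    """Items that rule out some, but not all, hypotheses."""
    return [name for name, ratings in evidence.items()
            if 0 < len(refuted_by(ratings)) < n_hyp]


def surviving(hypotheses, evidence):
    """Hypotheses that no evidence item is inconsistent with."""
    refuted = {i for r in evidence.values() for i in refuted_by(r)}
    return [h for i, h in enumerate(hypotheses) if i not in refuted]


def chain_strength(hypotheses, evidence):
    """'strong' only when exactly one hypothesis is left standing."""
    left = surviving(hypotheses, evidence)
    if len(left) == 1:
        return "strong", left
    return ("weak" if left else "contradictory"), left


if __name__ == "__main__":
    verdict, left = chain_strength(HYPOTHESES, EVIDENCE)
    print("diagnostic:", diagnostic_items(EVIDENCE, len(HYPOTHESES)))
    print(verdict, "-", len(left), "hypotheses remain:", left)
```

With these ratings no item is diagnostic and all four hypotheses remain, so the chain rates as weak; it becomes strong only once evidence is added that is inconsistent with every alternative but one.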

One additional problem with the analysis/inference is to rely solely on a simple Google search and conclude that it represents an exhaustive search of the whole space where the articles related to the CRC-16 code could have been published.

I don't want to be overly harsh on this particular analysis. As I said earlier, I think it answers some important what and how questions and, at a technical level, is an excellent piece of work: We need more like it. Likewise, it does provide some very interesting data points that can begin to be used to build the circumstantial evidence needed to answer the who and why questions. However, that will require more information (both technical and non-technical) to build strong inference chains that point to a single, reasonable conclusion. This can be done but with large international cyber cases it requires significant time, data collection and analysis of literally thousands and thousands of data points. It also requires intelligence and analysis of more than just technical information.

Unfortunately, this rarely happens.

We need to be very careful in how we infer the who and why of international cyber crimes. The consequences of making a mistake could be disastrous.

Operation Aurora: Clues in the Code

Tuesday, January 19, 2010

Attack on London Based Jewish Website

The London based Jewish Chronicle's website was defaced with anti-Semitic and pro-Palestinian messages:
"In a message posted in English and Turkish, a group calling itself the "Palestinian Mujaheeds" quotes from the Quran and attacks Jews in anti-Semitic terms."
Associated Press articles attributed the attack to a recent dispute between Turkey and Israel:
"It comes a week after the eruption of a damaging diplomatic feud between Israel and Turkey. Ankara was outraged when Israel summoned its ambassador to express anger over a Turkish television drama that depicts Israeli agents kidnapping children and shooting old men."
The Jerusalem Post attributes the attacks to Turkish "hackers" and provides some background on previous cyber attacks believed to have originated in Turkey:
"Turkish hackers are notorious for playing a major role in coordinated international Web attacks, which usually come in response to international incidents perceived as affronts by the hackers."
"After Operation Cast Lead in Gaza last year, Turkish hackers took part in a coordinated assault on Israeli and Western Web sites."

Palestinian attack on JC website

Turkish group hacks 'Jewish Chronicle'

London-based Jewish newspaper attacked by hackers

Indian National Security Advisor Believes Cyber Attacks Originated from China

MK Narayanan, India's National Security Adviser, has reported that his office was subjected to attempted cyber attacks from malicious code contained in PDF files sent in emails. The attacks occurred on December 15, 2009 and coincided with similar attacks on US companies that are alleged to have originated from China.

Mr. Narayanan stated that he believed the Indian cyber attacks were from the same source:
"People seem to be fairly sure it was the Chinese. It is difficult to find the exact source but this is the main suspicion. It seems well founded."

China tried to hack our computers, says India’s security chief M.K. Narayanan

Friday, January 15, 2010

Attempted Cyberattack on Law Firm that Sued China

The U.S. law firm Gipson Hoffman & Pancione has received email with malicious code they believe originated from China. Gipson Hoffman & Pancione is the firm representing Solid Oak Software Inc., a maker of Internet filtering software that they alleged was stolen and used by Chinese companies to create the "Green Dam Youth Escort" filtering software required by the Chinese government. The lawsuit named various Chinese companies and the Chinese government.

After analyzing the malicious code, a company spokesperson said:
"We have every reason to believe they're coming out of China... We have solid indications. We can say the payloads of these Trojan e-mails were located within China and the ISP routing bears out the connections with China. But what we don't know is specifically who they were sent by, where they were sent from, and why they were sent."
The spokesperson also noted the timing of the attack in relation to Google's announcement to stop censoring Internet searches in China:
"It is difficult to believe that the timing is merely coincidental."

U.S. Law Firm That Sued China Reports Cyberattack

Thursday, January 14, 2010

Google Throws Down the Gauntlet to China - Maybe

A flood of news reports has come out concerning the looming battle between Google and China over intrusions into the accounts of human rights activists à la Ghostnet.

To add to the confusion are almost simultaneous reports of alleged attacks by Iranians on China's largest search engine, Baidu, and the inevitable counterattacks of Iranian websites with pro-Chinese graffiti. What remains to be answered is why anyone in Iran would be motivated to attack and deface the Baidu website with pro-Iranian messages and graphics. The timing of these attacks is interesting as well.

As usual, there is plenty of speculation concerning the Google - China attacks and their motivations but little factual information available for analysis. Of course there are the usual problems with accurate attribution and sourcing of attacks and determining exact motivations and potential external influences, including whether the Chinese government may have a role in the breaches.

However there are many other unanswered questions in the Google - China standoff. To name a few:
  1. Are these attacks related to, or a continuation of, the Ghostnet attacks? In an official blogpost, David Drummond, Google's Chief Legal Officer, pointed specifically to the Ghostnet report but didn't explicitly link them;

  2. Mr. Drummond's post also stated that "[a]s part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted." A full list of these companies has not been made public to date but it would be very informative to understand the exact relationship between the Google attacks (believed to target human rights activists) and the other companies. Is someone in China targeting human rights activists in chemical companies?!?;

  3. What are Google's and China's next steps? It's obvious that both entities have merely set up negotiating positions: Google did not close nor has it (yet) stopped censoring Chinese Internet searches; China's initial, official responses have been muted. Obviously, both sides don't want to do anything rash and there may be other agendas in play.
One of the biggest problems in understanding these attacks is the disjointed approach to investigating. These attacks span the world (The US, China, Iran, EU countries, Japan, Taiwan...) each with its own agenda and political and economic considerations. Additionally, there is no central coordination of information or analysis. Even within the US, some victims will cooperate; others will not. Among those that cooperate, some will have good monitoring and data collection capabilities; others will not. It's most likely we will never fully understand these attacks and if we don't understand them it will be next to impossible to effectively counter them.

Iranian Hackers Deface Top China Website
Hackers in Frontline of China's Cyberwar
A New Approach to China
China gives first response to Google threat