Politically Motivated Computer Crime and Hacktivism

Cyber Terrorism

2010-10-14T10:50:00.000-07:00

I was recently requested to write an opinion piece for the Czech Republic's Prague Post on cyber terrorism:

"The risk is real for a malicious and intentional disruption of basic infrastructure but, unfortunately, the problem is poorly understood and too often the subject of hyperbole by both the media and security professionals with a "solution" to sell."

Virtual Hostage: Cyber Terrorism and Politically Motivate Computer Crime Are a Big Concern for the Real World

Recommended: Internet Use in Ukraine's Orange Revolution

2010-09-07T08:15:00.000-07:00

Researchers Volodymyr Lysenko and Kevin Desouza have published an analysis of the effect and use of technology in Ukraine's Orange Revolution. The report provides an extensive review of the development of Internet and telecommunication based methods to disseminate information and organize political opposition.

Interestingly, the report discusses the fact that the free-flow of information can have a multiplying effect even when only a small portion of the population has direct access to the Internet:

"In the case of Ukraine we observed that, due to the two–step nature of the information communication process, the provision of alternative information to even a relatively small number of dissenters was apparently sufficient to initiate a network–related effect, when the information spreads exponentially, like an epidemic. We can therefore conclude that the Internet does not need to have a mass penetration rate in order to effectively help in the promotion of a major socio–political change. "

The authors go on to discuss some of the attributes required for successful online opposition:

"[An] important finding was the necessity of locating the oppositional Web sites beyond the reach of the repressive authorities by hosting them on servers located in strong democratic countries. Moreover, in order to protect them relatively robustly from the cyberattacks initiated by authoritarian regimes, the servers should be situated in countries with relatively strong technical defenses and a highly ramified Internet network..."

and...

"Additional strength is achievable by the creation of several mirror sites situated at different servers in physically different parts of the Internet. It is also essential that the national Internet domain name registrars remain free from control by the non–democratic authorities to prevent the authorities from suspending registration of the oppositional Internet resources and thus switching them off."

The report also discusses how both traditional media (television, print and radio) as well as online information sources were used by both sides in the conflict to control messages, counter-messages and disinformation.

Overall, this report is an excellent analysis and case study of Internet based protest and opposition.

Role of Internet–based information flows and technologies in electoral revolutions: The case of Ukraine’s Orange Revolution

North Korea Not Believed to Be Responible for 2009 Attacks

2010-07-03T09:30:00.000-07:00

A series of attacks targeting U.S. government and South Korean web sites during early July of 2009 were initially blamed on North Korea:

"In the days after the fast-moving, widespread attack, analysis pointed to North Korea as the likely starting point because code used in the attack included Korean language and other indicators."

But according to unnamed "cybersecurity experts" in the article this no longer appears to be the case. Of course, with the same type of flawed analysis, the "experts" can now speculate who else might be involved:

"These officials point suspicions at South Koreans, possibly activists, who are concerned about the threat from North Korea and would be looking to ramp up antagonism toward their neighbor."

The article, as usual, provides little to no details that can be independently analyzed and appears to be confused about the exact nature of the attack, The article first describes the attacks as "...crippling strikes, known as "denial of service" attacks" but later says "...the attacks were largely restricted to vandalizing the public Web pages..." of the victims.

That confusion aside, this is another classic case of "cybersecurity experts" trying to use only technical analysis to determine motive. By itself, it just doesn't work (see Analyzing the Google Attacks - Plenty of Room for Mistakes). To assume that the use of the Korean language in attack code implies the source is North (or South) Korea is a very weak inference. It might be true but other explanations (such as a Korean national in San Francisco or a Korean speaker in Japan) are equally likely.

It requires more than a few technical indicators to develop a strong case showing source and motive.

US largely ruling out NKorea in 2009 cyberattacks

Applying International Law to Cyber Space

2010-04-30T08:28:00.000-07:00

How well can existing international law map to cyber space? A recent article in The Legal Intelligencer looks at the legal concept of a "duty to assist" and how it might apply in cyberspace.

"...international law requires anyone receiving an SOS signal to "proceed with all possible speed" to render assistance. Today, similar legal duties abound -- what we might call "duties to assist" -- whether in response to a pilot's mayday call, distress signals, or emergency numbers."

However, this duty does not currently extend to the Internet. The article argues (rightly) that existing efforts (more technology and the militarization of cyber space) will not prevent large scale international cyber attacks:

"Technological prevention measures -- thicker security firewalls and better mechanisms to detect and repel attacks -- will undoubtedly be part of any effective counterattack strategy. Similar progress may come from efforts to reach agreement on how militaries should operate in cyberspace and increased transnational coordination among law enforcement agencies.

"But these measures will not be enough to solve the problem. Open networks will always be vulnerable to malicious attack as new security measures generate improved hacking techniques in an endless game of cat and mouse. The laws of war that govern military uses of force do not translate easily into cyberspace. Criminal laws, similarly, are a blunt instrument for protection. The difficulties inherent in trying to identify the precise location from which attacks arise and the identities of anonymous attackers stem from the basic structure of the global internet. Those difficulties make enforcement of criminal penalties (or the laws of war) difficult and at times impossible."

The authors give a brief description of how this duty might work to improve the situation:

"A duty to assist can work without identifying the attackers. It focuses instead on minimizing the attack's effects. A victim would send out a distress call... and all those in a position to provide assistance -- whether governments or private actors -- would have an obligation to respond. Help could come in many forms. If attackers denied service to a computer resource, internet service providers could provide additional bandwidth. If an attack crossed through a nation's territory, that nation's government would have to deny attackers further use of its information networks and help trace the attack to its true origins."

Do Cyber-Attacks Require a 'Duty to Assist'?

Increased Espionage against US Defense Contractors

2010-04-12T10:18:00.000-07:00

The Counterintelligence Directorate of the U.S. Defense Security Office recently released a report on espionage against the U.S. defense industry. The study identified four broad methods of information gathering including the use and misuse of technology:

Direct Request - Email requests for information, webcard purchase requests, price quote requests, phone calls, or marketing surveys
Suspicious Internet Activity - Confirmed intrusion, attempted intrusion, computer network attack, potential pre-attack, or spam
Solicitation and Seeking Employment - Offering technical and business services..., resume submissions, or sales offers
Foreign Visits and Targeting - Suspicious activity at a convention, unannounced visit..., solicitations to attend a convention, offers of paid travel to a seminar, targeting of travelers, questions beyond scope, or overt search and seizure

The alleged sources of attacks are world wide including:

"East Asia and the Pacific and Near East entities remaining the most prolific collectors of United States technology or information"; and,
Europe and Eurasia

The largest growth in cyber activity was from East Asia and the Pacific:

"Suspicious Internet activity with IP addresses originating in the East Asia and the Pacific region represented 79 percent of the regional cyber collection effort, a significant increase over last year’s 52 percent. These apparent cyber operations mainly targeted cleared defense contractor networks used for research and development documentation, especially those related to information systems technology."

The report noted an interesting trend between Asian and Near East activity and that of Europe and Eurasia [emphasis added]:

"Europe and Eurasia collectors do not need to use high-profile collection techniques because their covert collection methodologies are already efficient and effective as to render the more blatant, overt requests largely supplemental to other collection competencies. It is noteworthy that even though their overt collection efforts have declined, European and Eurasian cyber actors remain some of the most active targeters of United States technology."

The report contains in-depth analysis of the types of information targets and regional statistics and analysis of activity. The report forecasts increased cyber activity in the future:

"Government and commercial collection entities worldwide are highly likely to continue the use of cyber collection activities against United States government and its CDCs. Cyber intrusion offers a relatively low-risk, high-gain technique giving illicit collectors the opportunity to acquire sensitive and proprietary information stored on United States computer networks. Cyber targeting may also be utilized as a collection planning tool to identify targets of opportunity not readily apparent to traditional collectors. This cyber reconnaissance allows foreign elements to design targeting plans employing the full range of collection techniques on focused targets."

TARGETING U.S. TECHNOLOGIES: A TREND ANALYSIS OF REPORTING FROM DEFENSE INDUSTRY

North Korea Develops Its Own Operating System Aimed at User Monitoring

2010-04-06T09:32:00.000-07:00

South Korea's Science and Technology Policy Institute has released information concerning a homegrown operating system developed by North Korea called Red Star. It appears to be based on Linux and Microsoft code and primarily developed to monitor and limit user activities.

The South Korean report also states:

"North Korea has launched a cyber-war unit that targets sites in South Korea and the US"

but no further details were provided in the BBC article.

North Korean Red Star operating system details emerge

Fine Line between Criminal Activity and National Security

2010-04-06T08:39:00.000-07:00

NPR ran a lengthy report on cyber war centered around last month's congressional testimony by the Director of National Intelligence Dennis Blair citing cyber attacks as a top threat to U.S. security.

One important factor noted in the broadcast is the fine line between criminal activity and national security threats. The difference is not so much technique as motive:

"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says [Richard] Clarke [former Presidential cyber security adviser]. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."

Cyber Insecurity: U.S. Struggles To Confront Threat

U.K. Internet Cafes Asked to Monitor Web Usage for Terrorism

2010-03-24T08:44:00.000-07:00

After several terrorism related convictions in the U.K. where suspects were believed to have used Internet cafes, police are seeking cooperation for the cafe owners:

"The new initiative involves getting internet cafe owners to monitor the websites their customers view and to pass on any worries over suspicious activity to the police."

and additionally,

"The police want internet cafe owners to check the hard drives of their computers to help spot any suspicious activity."

It should probably go without having to say, there are critics of the program(me). One commentator is quoted::

"What is dangerous about this initiative is that it does not just focus on preventing access to illegal material but also material that is defined as 'extremist' without offering an objective definition of what that is.
"It thus potentially criminalises people for accessing material that is legal but which expresses religious and political opinions that police officers find unacceptable."

Anti-terror police seek help from internet cafes

Increasing Use of the Internet by Terrorist Groups

2010-03-12T09:03:00.000-08:00

The LA Times reports on the extensive and effective use of the Internet by traditional terrorist organizations:

"From charismatic clerics who spout hate online, to thousands of extremist websites, chat rooms and social networking pages that raise money and spread radical propaganda, the Internet has become a crucial front in the ever-shifting war on terrorism."

The article also discusses using the Internet for terrorist training activities:

"The new militancy is driven by the Web," agreed Fawaz A. Gerges, a terrorism expert at the London School of Economics. "The terror training camps in Afghanistan and Pakistan are being replaced by virtual camps on the Web."

Internet making it easier to become a terrorist

Report: Internet Controls Violate Human Rights

2010-03-11T10:37:00.000-08:00

The U.S. Department of State's 2009 Human Rights Report highlights Internet censorship as a major human rights concern. The report's introduction included cyber monitoring and controls resulting in privacy violations and censorship:

"2009 also was a year in which more people gained greater access than ever before to more information about human rights through the Internet, cell phones, and other forms of connective technologies. Yet at the same time it was a year in which governments spent more time, money, and attention finding regulatory and technical means to curtail freedom of expression on the Internet and the flow of critical information and to infringe on the personal privacy rights of those who used these rapidly evolving technologies."

Most notable in the report were China and Iran:

"The government of China increased its efforts to monitor Internet use, control content, restrict information, block access to foreign and domestic Web sites, encourage self-censorship, and punish those who violated regulations. The government employed thousands of persons at the national, provincial, and local levels to monitor electronic communication ... The government at times blocked access to selected sites operated by major foreign news outlets, health organizations, foreign governments, educational institutions, and social networking sites, as well as search engines, that allow rapid communication or organization of users... The government also automatically censored e-mail and Web chats based on an ever-changing list of sensitive key words."

The report also notes that government interference is not always effective:

"Despite official monitoring and censorship, dissidents and political activists continued to use the Internet to advocate and call attention to political causes such as prisoner advocacy, political reform, ethnic discrimination, corruption, and foreign policy concerns."

The report cites Iran for cracking down on Internet access in the run-up to the June presidential election:

"...the government blocked access to Facebook, Twitter, and other social networking sites. After the June election, there was a major drop in bandwidth, which experts posited the government caused to prevent activists involved in the protests from accessing the Internet and uploading large video files."

Receiving honorable mentions were North Korea because:

"Internet access was limited to high-ranking officials and other elites..."

and Vietnam where:

"Bloggers were detained and arrested under vague national security provisions for criticizing the government and were prohibited from posting material the government saw as sensitive or critical. The government also monitored e-mail and regulated or suppressed Internet content, such as Facebook and other Web sites operated by overseas Vietnamese political groups."

2009 Human Rights Report: Introduction

Law Firms Increasingly the Victims of Espionage

2010-03-09T08:21:00.000-08:00

Law firms are one of the latest targets of alleged cyber espionage from China and others interested in obtaining information on clients or litigation that involve their interests:

"Law firms are attractive targets for cyberattackers because they maintain sensitive client information on their systems, according to attorneys and technology consultants. Perpetrators may be digging for litigation strategies, negotiation tactics, details on pending deals, or other specific information that could aid governments, competitors, or other entities. The bulk of cyberattacks originate overseas, with China leading the pack..."

Law firms are at high risk because of both the sensitive nature of the information they possess and because they don't understand the threat or how to protect themselves. From an adversaries perspective, they are high value targets with a high potential for a successful attack and low risk of being caught.

Understanding the exact extent of law firm intrusions is difficult due to ignorance or fear of reputational damage:

"Often, law firms never figure out on their own that their networks have sustained serious breaches, largely because... attacks are designed to be difficult to detect. Most firms learn of network security problems from third parties, often law enforcement authorities..."

"Law firms often fear that disclosing such a breach may prompt their clients to take their business to a competing firm, even though that competing firm likely has no better capacity to protect the client's information..."

Firms Slow to Awaken to Cybersecurity Threat

Political Cyber Crimes Growing

2010-03-05T07:58:00.000-08:00

The increasing nature of politically motivated computer crime is the subject of a recent article discussing how companies focus on profit motivated cyber crime while ignoring other threats. The author states that because of "fear-mongering from the media and opportunistic profiteers, we've all become myopically obsessed with [profit based] cyber-crime."

"While monetary gains are certainly a big motivator for cybercrime, increasingly cyber-criminals are acting out of political interests."

The article blames much of this on security vendors hyping specific threats that their products are designed to protect against. I agree: I see it every day when advising my clients.

The author then prescribes three actions companies should take. These are summarized as:

"...put up the best defenses you can. Make sure that you are putting the resources you already have, such as log files, to the best possible use";

"...implement the best people-processes you can"; and,

prepare to be "hacked".

Unfortunately, these recommendations just repeat the very error the article points out: Blindly implementing security controls without understand the nature of the threats the organization faces.

There are many cyber threats with a multitude of motives and one of the key contributors to the increased effectiveness of all types of cyber-crime is the myopic focus on technology while not understanding threats and risks. This leads to some threats not being mitigated while others are over-protected thereby wasting valuable budget and resources (see IT security professionals must evolve for changing market for further discussion).

Companies need to start with a thorough assessment of threats and risks. Then, they can design the organization, skills, policies and processes to best mitigate those risks. Only after these steps are completed should they begin to choose and implement (technical) controls that help automate and manage the mitigation and monitoring processes. Anything else is just a waste of money.

Managing threats and risks should drive the selection and use of controls - not the other way around.

The author is correct that too many organizations are not prepared for cyber attacks and assume (incorrectly) that if they have a firewall and some log management or other tools in place they don't need to worry. No security control or process is perfect even if resources and budgets weren't an issue. Companies need to have a robust incident response capability and one that isn't developed when a crisis occurs.

Focus on Cyber-Crime Misses Real Threat

NATO Facing Increased Cyber Threats

2010-03-04T08:46:00.000-08:00

NATO's Secretary-General commented at a NATO seminar in Finland that the alliance needs to increase defenses against cyber threats. While not releasing any details it appears NATO is concerned about a wide range of potential problems:

"It's really a broad range of threats. There are many actors in cyberspace, and we have to develop a capacity to protect ourselves against those attacks," [said Secretary-General Anders] Fogh Rasmussen."

Swedish Foreign Minister Carl Bildt also commented at the same meeting on the threat saying:

"There are terrorists, spies, subversive attempts, ongoing attacks as well as preparations for much more disruptive and destructive operations... There will be no security for our societies if we can't secure both our cyberspace and our orbital space."

NATO chief calls attention to cyber threats

Germany Suspends Communication Data Retention Law

2010-03-02T10:29:00.000-08:00

Citing security and transparency concerns, the German Federal Constitution Court has suspended the law requiring communication providers and ISPs to retain traffic information for six months for use by law enforcement:

"The judges said the data storage was not secure enough and that it was not sufficiently clear what it would be used for."

The law was implemented to follow an EU Directive aimed at fighting terrorism but the court ordered the suspension until new rules for the storage and use of the data could be implemented:

"The court demanded that stricter conditions be attached to the use and storage of the data, saying it needed to be encoded and that there should be "transparent control" of what the information was used for."

The court additionally ordered all data stored to date to be deleted.

German High Court Limits Phone and E-Mail Data Storage

Political Motivation Behind Google Ruling in Italy?

2010-02-25T09:26:00.000-08:00

The New York Times suggests the recent Italian court ruling that Google executives are criminally responsible for offensive Internet content may have a broader political motivation and that the ruling is related to Prime Minister Berlusconi's ownership and control of many of Italy's media outlets:

"Critics of Mr. Berlusconi say the measures go beyond routine copyright questions and are a way to stave off competition from the Web to public television stations and his own private channels — and to keep a tighter grip on public debate."

Specifically, the accusation is that those who control the broadcast media in Italy want to control the Internet as well:

"Paolo Gentiloni, a leading opposition member and a former communications minister, said Internet regulation was inevitably political. Today in Italy, he said, “political power is in the hands of people who do TV, not the Internet."

The Italian government denies any such motivation for the courts ruling or recently proposed measures by the Italian legislature to regulate Internet activities:

"Paolo Romani, a deputy communications minister who sponsored the measure, said the issue was copyright protection. “It has nothing to do with the fact that our prime minister also owns television stations,” he said. “It’s in Berlusconi’s interest not to be accused of conflict of interest.”

Larger Threat Is Seen in Google Case

In a Cyberwar, US Would Lose

2010-02-25T09:05:00.000-08:00

The U.S. Senate heard testimony from "industry experts" warning of catastrophic consequences from cyber war attacks - including pronouncements that the "government faces the prospect of losing in an all-out cyberwar".

As part of the debate of the Cyber Security Act of 2009, Senator's were told the status quo is not acceptable:

We are "...under attack every day, losing every day vital secrets. We can not wait," [James Lewis, Center for Strategic and International Studies] said. "We need a new framework for cybersecurity and this bill helps provide that.

Lewis went on to add that "...[t]he cyberattack is mainly espionage, some crime".

There is no doubt that the U.S. and most other developed countries are at high risk from significant cyber attacks as demonstrated almost daily by intrusions into military, government, commercial and non-profit organizations. However, it is interesting that many of the companies that would benefit the most from the funding to "fix" the problem are the ringing the congressional alarm bells the loudest.

Experts warn of catastrophe from cyberattacks

Hacktivists Attack Australian Government Systems

2010-02-12T18:37:00.000-08:00

A hacktivist group call "Anonymous" is claiming responsibility for Distributed Denial-of-Service attacks against government systems in Australia. The attacks are a protest against proposed filtering of Internet content by the Australian government.

"The group consists of "a few thousand people" based all over the world Coldblood said."

Coldblood is a psydonym for an individual claiming to be a spokesperson for the group. The spokesperson also claimed responsibility for other hacktivist attacks protesting other forms of censorship:

"They staged cyber attacks on Iran following the election protests and have publicly protested against the Scientology movement. "

Cyber attacks against Australia 'will continue'

US Faces "Significant" Threat from Cyber Espionage

2010-02-07T14:37:00.000-08:00

John Brennan, Deputy National Security Adviser for Homeland Security and Counterterrorism, stated during a television interview that the United States faced a "serious and significant" threat from cyberspace:

"We're looking at these issues from the standpoint of espionage, from governments, from different individuals, whether they be hackers or terrorist organizations," Brennan said.
"National security is something that is at risk. That's why what we're trying to do is to ensure that our networks, our government networks, our private sector networks have the ability to withstand these attempts to hack in."

US faces 'serious' cyberspace threats: advisor

Wide Ranging Espionage by China in Britian

2010-01-31T21:16:00.000-08:00

The Sunday Times reports on a leaked MI5 memo warning UK companies of extensive espionage by China including both traditional means and cyber attacks.

The targets are described as:

"UK defence, energy, communications and manufacturing companies in a concerted hacking campaign. It claims China has also gone much further, targeting the computer networks and email accounts of public relations companies and international law firms."

Several methods are mentioned in the article including "sexual entrapment" knowledge of "illegal activities to pressurise individuals to co-operate with them", bugging hotel rooms in China and other countries, and:

"...that undercover intelligence officers from the People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts” and “lavish hospitality”.

"The gifts — cameras and memory sticks — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers."

An important point, left to the end of the article, provides some insight into the seriousness that the UK government gives the problem:

"The growing threat from China has led [Jonathan] Evans [Jonathan Evans, the director-general of MI5] to complain that his agency is being forced to divert manpower and resources away from the fight against Al-Qaeda."

China bugs and burgles Britain

Analyzing the Google Attacks - Plenty of Room for Mistakes

2010-01-22T08:17:00.000-08:00

SecureWorks has posted an analysis of the malicious code alleged to have been used to attack Google and other companies, collectively referred to as "Operation Aurora". SecureWorks' posting is one of the first pieces of evidence and technical analysis that goes beyond simple speculation.

The analysis centers on a somewhat unique piece of error-correcting code (called a CRC) that appears to have been developed in China and only published in Chinese language papers.

It is great that some good technical analysis is starting to come out and I recommend those interested to read the posting. It has some technical information but the main points should be accessible to non-technical readers.

However, from an investigator's point of view, there are some shortcomings in this type of analysis and it might prove interesting to discuss a few of these.

Most technical analysis focuses on answering what happened and how an incident occurs. Technicians can reverse engineer (malicious) code, analyze network traffic patterns and review logs of system activity to understand how someone gained access to a system and what they did. This analysis is a very necessary and important step. However, just knowing how an incident occurs is not enough for security professionals.

To understand the risk from these types of attacks requires more information. If our response to an attack is solely based on how it occurs then we risk wasting resources by over reacting or misapplying controls that are ineffective (one of the most common problems in information security). The current Google incident is a perfect example.

Based on the current public information there is tremendous speculation that this may be sponsored or directed by the Chinese government for the purposes of espionage. If that is true, it requires a significant reaction both in terms of spending by (potential) targets and by action from other governments. However, if this is being carried out by a group of teenagers in Romania (just using Chinese systems as a front) simply for the technical challenge, our response can and should be completely different. Therefore, understanding who the adversaries are and their motives changes the risk equation and our response to it (additionally, we need to understand capabilities but that's another topic).

We need to answer not only what happened and how but also by whom and why.

Here we often hit a brick wall: Due to the virtual nature of data and the Internet, it can be very difficult to clearly identify who and why - yet it is not impossible. Unfortunately, many technicians take the what and how information and try to infer answers to who and why- often with poor results.

Inference chains, or inference concatenates, are used by intelligence analysts, investigators and prosecutors to link data points and evidence to develop a conclusion based on what is known or to prove guilt based on evidence. Inference chains can be either weak or strong. Unfortunately, most inferences used to determine "who" perpetrates a cyber attack are weak.

With this in mind, let's go back and look at the technical analysis and where it might have some shortcomings or problems.

One example is the following quote from the SecureWorks posting:

"...outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof."

It is great to see such caution in analysis but it needs to go a little further: How do we know the PRC (People's Republic of China) IP addresses "prove" any involvement by anyone in China or their agents? It might be someone outside of China using a Chinese system. Until we know exactly who the perpetrators are, we don't know what their affiliation with the PRC is. Therefore, we would say that to infer that the perpetrator is Chinese based solely on the use of a Chinese IP address is weak: It might be true but it might not.

Another example of this problem is the conclusion that because the (legitimate) CRC used in the malicious code appears to have been developed in China, the perpetrators must be Chinese (again, using what information to infer who).

The post describes the CRC code and that it appears to have been created in China and only published in simplified Chinese (a form of written Chinese promoted by the PRC).

The inference chain then goes like this:

A specialized CRC code (called CRC-16) was created in China for legitimate purposes;
A simple Google search returns only references to the CRC code in simplified Chinese papers;
Malicious code was developed that, in part, uses a CRC that "matches the structural implementation" of the CRC-16 code;
The malicious code was used to attack Google (and others);
Therefore, the "use of this unique CRC implementation in Hydraq [the malicious code] is evidence that someone from within the PRC authored the Aurora codebase".

Is this a strong inference chain? Not if other reasonable conclusions could be drawn. For example, simplified Chinese is also use in Singapore. We could also equally conclude (based solely on the inference chain above) that the perpetrator was in Singapore. Or perhaps a Chinese emigrant living in France. Within reason, we could come of up several other possibilities.

Again, it may be true, but it may not. Does this level of analysis, common in technical cyber crime studies, give us the information we need to react appropriately (technically, legally or politically) to the threat?

One additional problem with the analysis/inference is to rely solely on a simple Google search and conclude that it represents an exhaustive search of the whole space where the articles related to the CRC-16 code could have been published.

I don't want to be overly harsh on this particular analysis. As I said earlier, I think it answers some important what and how questions and, at a technical level, is an excellent piece of work: We need more like it. Likewise, it does provide some very interesting data points that can begin to be used to build the circumstantial evidence needed to answer the who and why questions. However, that will require more information (both technical and non-technical) to build strong inference chains that point to a single, reasonable conclusion. This can be done but with large international cyber cases it requires significant time, data collection and analysis of literally thousands and thousands of data points. It also requires intelligence and analysis of more than just technical information.

Unfortunately, this rarely happens.

We need to be very careful in how we infer the who and why of international cyber crimes. The consequences of making a mistake could be disastrous.

Operation Aurora: Clues in the Code

Attack on London Based Jewish Website

2010-01-19T01:40:00.000-08:00

The London based Jewish Chronicle's website was defaced with anti-Semitic and pro-Palestinian messages:

"In a message posted in English and Turkish, a group calling itself the "Palestinian Mujaheeds" quotes from the Quran and attacks Jews in anti-Semitic terms."

Associated Press articles attributed the attack to a recent dispute between Turkey and Israel:

"It comes a week after the eruption of a damaging diplomatic feud between Israel and Turkey. Ankara was outraged when Israel summoned its ambassador to express anger over a Turkish television drama that depicts Israeli agents kidnapping children and shooting old men."

The Jerusalem Post attributes the attacks to Turkish "hackers" and provides some background on previous cyber attacks believed to have originated in Turkey:

"Turkish hackers are notorious for playing a major role in coordinated international Web attacks, which usually come in response to international incidents perceived as affronts by the hackers."

and;

"After Operation Cast Lead in Gaza last year, Turkish hackers took part in a coordinated assault on Israeli and Western Web sites."

Palestinian attack on JC website

Turkish group hacks 'Jewish Chronicle'

London-based Jewish newspaper attacked by hackers

Indian National Security Advisor Believes Cyber Attacks Originated from China

2010-01-19T01:16:00.000-08:00

MK Narayanan, India's National Security Adviser, has reported that his office was subjected to attempted cyber attacks from malicious code contained in PDF files sent in emails. The attacks occurred on December 15, 2009 and coincided with similar attacks on US companies that are alleged to have originated from China.

Mr. Narayanan stated that he believed the Indian cyber attacks were from the same source:

"People seem to be fairly sure it was the Chinese. It is difficult to find the exact source but this is the main suspicion. It seems well founded."

China tried to hack our computers, says India’s security chief M.K. Narayanan

Attempted Cyberattack on Law Firm that Sued China

2010-01-15T07:41:00.000-08:00

The U.S. law firm Gipson Hoffman & Pancione has received email with malicious code they belive originated from China. Gipson Hoffman & Pancione is the firm representing Solid Oak Software Inc., a maker of Internet filtering software that they alleged was stolen and used by Chinese companies to create the "Green Dam Youth Escort" filtering software required by the Chinese government. The lawsuit named various Chinese companies and the Chinese government.

After analyzing the malicious code, a company spokesperson said:

"We have every reason to believe they're coming out of China... We have solid indications. We can say the payloads of these Trojan e-mails were located within China and the ISP routing bears out the connections with China. But what we don't know is specifically who they were sent by, where they were sent from, and why they were sent."

The spokesperson also noted the timing of the attack in relation to Google's announcement to stop censoring Internet searches in China:

"It is difficult to believe that the timing is merely coincidental."

U.S. Law Firm That Sued China Reports Cyberattack

Google Throws Down the Gauntlet to China - Maybe

2010-01-14T08:28:00.000-08:00

A flood of news reports have come out concerning the looming battle between Google and China over intrusions into the accounts of human rights activists ala Ghostnet.

To add to the confusion are almost simultaneous reports of alleged attacks by Iranians on China's largest search engine, Baidu, and the inevitable counterattacks of Iranian websites with pro-Chinese graffiti. What remains to be answered is why anyone in Iran would be motivated to attack and deface the Baidu website with pro-Iranian messages and graphics. The timing of these attacks are interesting as well.

As usual, there is plenty of speculation concerning the Google - China attacks and their motivations but little factual information available for analysis. Of course there is the usual problems with accurate attribution and sourcing of attacks and determining exact motivations and potential external influences including whether the Chinese government may have a role in the breaches.

However there are many other unanswered questions in the Google - China standoff. To name a few:

Are these attacks related to, or a continuation of, the Ghostnet attacks? In an official blogpost, David Drummond, Google's Chief Legal Officer, pointed specifically to the Ghostnet report but didn't explicitly link them;

Mr. Drummond's post also stated that "[a]s part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted." A full list of these companies has not been made public to date but it would be very informative to understand the exact relationship between the Google attacks (believed to target human rights activists) and the other companies. Is someone in China targeting human rights activists in chemical companies?!?;

What are Google's and China's next steps? It's obvious that both entities have merely set up negotiating positions: Google did not close google.cn nor has it (yet) stopped censoring Chinese Internet searches; China's initial, official responses have been muted. Obviously, both sides don't want to do anything rash and there may be other agendas in play.

One of the biggest problems in understanding these attacks is the disjointed approach to investigating. These attacks span the world (The US, China, Iran, EU countries, Japan, Taiwan...) each with its own agenda and political and economic considerations. Additionally, there is no central coordination of information or analysis. Even within the US, some victims will cooperate; others will not. Among those that cooperate, some will have good monitoring and data collection capabilities; others will not. It's most likely we will never fully understand these attacks and if we don't understand them it will be next to impossible to effectively counter them.

Iranian Hackers Deface Top China Website
Hackers in Frontline of China's Cyberwar
A New Approach to China
China gives first response to Google threat

Belarus to Implement Controls over Internet

2009-12-30T11:45:00.000-08:00

Belarus' President Alexander Lukashenko announced new legislation that:

"...would require the registration and identification of all online publications and of each Web user, including visitors to Internet cafes. Web service providers would have to report this information to police, courts and special services."

Belarus to toughen control over Internet

Isaeli Chief of Military Intelligence Comments on Cyberwar

2009-12-17T21:35:00.000-08:00

Israel's Chief of Military Intelligence, Major-General Amos Yadlin provided a glimpse into the Israeli cyberwarfare program in his first public comments on the subject.

Speaking to the Israeli Institute for National Security Studies, he said:

"Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states"...

and added:

"The potential exists here for applying force ... capable of compromising the military controls and the economic functions of countries, without the limitations of range and location."

Spymaster sees Israel as world cyberwar leader

U.S. Predator Drones Compromised

2009-12-17T10:08:00.000-08:00

In a stunning admission, the U.S. military confirmed that Iraqi insurgents have intercepted video streams from Predator Drones [emphasis added]:

"Shiite fighters in Iraq used off-the-shelf software programs ... available for as little as $25.95 on the Internet — to regularly capture drone video feeds, the Wall Street Journal reported Thursday. The hacking was possible because the remotely flown planes have an unprotected communications link."

"...in December 2008, the military apprehended a Shiite militant in Iraq whose laptop contained files of intercepted drone video feeds, the Journal reported. In July, they found pirated feeds on other militant laptops, leading some officials to conclude that groups trained and funded by Iran were regularly intercepting feeds and sharing them with multiple extremist groups."

Even more incredulous is the admission that the system was not originally designed to encrypt transmissions:

"The military has known about the vulnerability for more than a decade, but assumed adversaries would not be able to exploit it."

This is a classic, textbook example of inadequate security design and risk assessments - the root causes of most security issues in both the public and private sector.

What should be more alarming is, if this vulnerability has been there for more than a decade, who else (with better resources) had access to the feeds and what other vulnerabilities exist in other systems that are not being addressed?

Pentagon: Insurgents intercepted drone spy videos

Importance of the Internet for Opposition Groups in Iran

2009-12-06T10:14:00.000-08:00

Like many modern political opposition groups, Iranian protesters make extensive use of social networks and other Internet services to plan and coordinate protest activity:

"The opposition, which relies on the Web and cell phone service to organize rallies and get its message out, has vowed to hold rallies Monday, the first anti-government show of force in a month."

Likewise, governments may target these communications as a means to limit protests. Reports are alleging the Iranian Government is restricting Internet and mobile phone services to limit opposition communications prior to planned protests:

"Internet connections in the capital, Tehran, have been slow or completely down since Saturday. Blocking Internet access and cell phone 'service has been one of the routine methods employed by the authorities to undermine the opposition in recent months.

"The government has not publicly acknowledged it is behind the outages, but Iran's Internet service providers say the problem is not on their end and is not a technical glitch. A day or two after the demonstrations, cell phone and Internet service is restored."

Iran slows Internet access before student protests

International Telecommunications Union (ITU) Focus on Cybersecurity

2009-10-07T07:57:00.000-07:00

ITU has announced a partnership with the Intentional Multilateral Partnership against Cyber Threats (IMPACT) to increase international cooperation.

"IMPACT... set up its Global Response Centre (GRC) in Cyberjaya, Malaysia, earlier this year as the international community’s foremost cyberthreat resource, to proactively track and defend against cyberthreats."

The ITU Secretary-General spoke at the ITU Telecom World 2009 on the need for better coordination:

"ITU Secretary-General Dr Hamadoun Touré stressed the importance of cyberpeace, where nations collaborate in a global cybersecurity framework based on enlightened self-interest. "Every country is now critically dependent on technology for commerce, finance, healthcare, emergency services, food distribution and more. Loss of vital networks would quickly cripple any nation – and none is immune to cyberattack."

Cybersecurity in action at ITU Telecom World 2009

Russian FSB Arrests for Dagestan Intrusions

2009-10-01T09:20:00.000-07:00

Axis Information and Analysis provided a short report on the arrest by Russian FSB (Federal Security Services) of an individual for politically motivated intrusions into the systems of various Russian republics:

"In the course of investigation the FSB employees managed to find cyber-criminals of the Ansar group of insurgents who had been engaged in hacker attacks with an aim of distribution of their ideas through the world-wide web, and the 27 y.o. hacker Albert Saayev. The FSB established his participation in breaking of some of the state information resources, including sites of authorities of the Chechen Republic, Dagestan and Ingushetia."

The article alleges that Mr. Saayev had previously been arrested and convicted of similar crimes.

Dagestan hackers suspected of cyber-extremism detained by Federal Security Service in Moscow

Attack Aimed at Foreign Journalists in China

2009-09-30T08:36:00.000-07:00

Infowar Monitor has posted a short analysis of a cyber attack targeting foreign journalists based in China including "Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa." The attack consisted of an email from a purported journalists interested in visiting China containing an attached PDF file with malware. The technique appears to be related to previous attacks with political motivation in the region:

"The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past."

The post also provides some speculation on motives and attribution.

Targeted Malware Attack on Foreign Correspondents based in China

Singapore Creates Agency to Protect against IT Threats

2009-09-30T08:18:00.000-07:00

The Singapore Government issued a press release announcing the creation of the Singapore Infocomm Technology Security Authority (SITSA) "to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage."

Specifically SITSA will provide:

IT Security Consultancy for strategic Government projects that have national security impact
Partnership Development to build relationships with key entities strategic to enhancing Singapore’s IT security
Critical Infocomm Infrastructure Protection to systematically harden the CIIs in nationally critical sectors
Technology Development to develop and maintain SITSA’s technical competencies and to provide insights on developments in IT security and threats
Singapore’s planning and preparedness, and response, against any major external cyber attack

The authority will be part of the Ministry of Home Affairs.

Singapore Infocomm Technology Security Authority Set Up to Safeguard Singapore against IT Security Threats

Changes to India's Cybercrime Laws

2009-09-29T09:00:00.000-07:00

It appears that the Indian Government will soon amend the Information Technology Act of 2008 with changes to:

"...[strengthen] Extradition Law of India to effectively challenge the cyber crimes, including effective provisions regarding cyber war and cyber terrorism in India, International harmonisation of cyber law, providing sound cyber law and cyber security..."

It does not appear that an actual text of the proposed amendment is available online.

Cyber Law Of India to be amended soon

Report on Georgian Cyber Attacks

2009-09-29T08:43:00.000-07:00

U.S. Cyber Consequences Unit, a U.S. based non-profit organization released the results of its study of the cyber attacks on Georgia in 2008.

"The study concludes that the cyberattacks against Georgian targets were carried out by civilians, many of them recruited via social networking forums devoted to dating, hobbies and politics."

It points out the complexities involved in politically motivated attacks due to the involvement of actors with varying skills and agendas:

"...sympathizers who were not hackers, and who didn't even know much about computers, could participate.
"The report says the civilian cyberattackers were aided and supported by Russian organized crime. Although they found no evidence of direct involvement by the Russian government or military, the report concludes that the organizers were tipped off about the timing of Russian military operations."

The report has not been made public.

Study warns of cyberwarfare during military conflicts

Analysis of Report on Power Grid Intrusions

2009-04-09T08:11:00.000-07:00

After publishing a post on The Wall Street Journal article concerning intrusions into the US electrical grid, I re-read the report and noticed a discrepancy in comments by various "government officials". The story first states (I've added the emphasis):

"The intruders haven't sought to damage the power grid or other key infrastructure..."

but then reports that:

"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

The article goes on to state:

"Officials cautioned that the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt."

With the caveat that the article provides no real data to perform an accurate risk assessment, these statements, as reported, are worrying to say the least. If software really has been planted that can "destroy infrastructure components" then my professional opinion is that:

Damage has occurred - If a system is penetrated to the extent that software has been installed that disrupts operations, the system has been damaged. The integrity and operational capacity of the system is compromised. In a large complex network, it is very difficult to regain control when this level of compromise has taken place.

There is immediate danger - As long as systems are compromised with malicious software, the motive of the intruders is unclear and the vulnerabilities and entry points of the intruders remain, then there is an immediate danger. The companies owning these systems are not in control.

U.S. Electrical Grid Intrusions

Does China have "Exploit Factories" to Discover Vulnerabilities?

2009-04-09T07:59:00.000-07:00

The identification and exploitation of vulnerabilities in software is a never ending job for cyber criminals. Strategy Page looks at the possibility of what I would call "exploit factories" in China:

"China, for example, obtains these ZDEs [Zero Day Exploits] the same way they have become the place where software manufacturers go to get their software (especially game software) tested cheaply, and thoroughly. In China, you can fill up a large hall hundreds of bright, but otherwise unemployed, Chinese guys, equip them with PCs, and instructions on what to do to test software. Offer bonuses for those who find flaws, and off you go. Finding ZDEs is basically the same drill, except it takes a week or so of on-the-job training to familiarize your searchers with the testing and searching tools (some of them available at hacking sites) used to dig around in software for flaws."

The article goes on to discuss the potential link to the military and use in cyber warfare:

"The extent and effectiveness of this Internet based crime has military implications, because the same tools used by criminal hackers, are employed by Cyber War specialists."

The Secret Menace

U.S. Electrical Grid Intrusions

2009-04-08T17:25:00.000-07:00

The Wall Street Journal reheated the debate of infrastructure vulnerability with an article concerning intrusions into and mapping of the U.S. electrical grid. The report points to China and Russia as the source, but provides almost no details beyond the generalized comments of anonymous sources to substantiate the claims.

One interesting note is the lack of detection of the intrusions by the companies themselves:

"Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Of course, the story is spawning many other reports and analysis including the suggestion that the power grid should be disconnected from the Internet:

"The onetime Counter Terrorism Czar, who famously criticized the Bush Administration for doing little to combat al Qaeda early in his first term before 9/11, chided the Obama Administration for not moving fast enough to decide upon the best defense strategy to counter cyber attacks on key infrastructure.

"One thing you can do is disconnect the power grid control system from the internet," Clarke said. "There's no reason for it to be connected."

This could be said of many critical systems. One such system that is rarely discussed is emergency communications including 911 systems that have slowly been connecting to the Internet despite security issues.

Electricity Grid in U.S. Penetrated By Spies
Disconnect electrical grid from Internet, former terror czar Clarke warns

Indian Political Party Calls for Cyber Warfare Preparations

2009-04-06T09:01:00.000-07:00

New Zealand based website Scoop ran an article of escalating calls by political parties in India that advocate offensive nuclear and cyber warfare capabilities:

"We took note of the nuclear saber-rattling in these columns earlier ("India's Right Wing Wants Nuclear War," December 18, 2008). The chief of the Rashtriya Swayamsevak Sangh (National Volunteers' Association), patriarch of the "parivar" as the far-right "family" is popularly known, proclaimed nuclear war as the final solution to the problem of terrorism. Kuppahalli Sitaramayya Sudarshan, no less the führer of the far right despite his relatively low profile, thought nothing of this growing into a nuclear Third World War against terrorism. His Nazi-like logic was that such a war of extreme nationalism would cleanse the world as well. "

This had been followed by calls from India's Bharatiya Janata Party (BJP) to create a cyber warfare program with both defensive and offensive capabilities:

"The party spells out its policy on the subject in a document, released some days back, titled "BJP"s IT Vision." Calling for "an integrated National Cyber Security Plan, covering all aspects of external defense and internal security," the document also stresses the need for "an independent Digital Security Agency."
"This agency, it is declared, will be "responsible for cyber warfare, cyber counter-terrorism and cyber security of national digital assets."

...

"The document itself, however, leaves little doubt that the wording about an agency for cyber warfare was deliberate. Before issuing this call, the BJP emphasizes the need for building both "defensive and offensive capabilities for electronic warfare."

The threat of cyber war was then addressed by the current Indian government:

"On March 26, Cabinet Secretary K M Chandrasekhar said in New Delhi: "Cyber attacks and cyber terrorism are the new looming threats on the horizon. There could be attacks on critical infrastructure such as telecommunications, power distribution, transportation, financial services, essential public utility services and others." He did not name China as the enemy in this regard, but tied the threats to terrorism.
"China, however, was to figure prominently in a series of reports on cyber threats since then. On March 28, an unidentified high military officer was reported to have told well-known daily The Hindustan Times that, according to army intelligence, Beijing was planning an "information war" impliedly as a prelude to a major conflict by 2017."

India: After Nuclear War Far Right Wants Cyber War

Intercept Modernisation Programme to Include Social Networks

2009-03-31T08:18:00.000-07:00

Following the implementation of the EU Data Retention Directive requiring member states to retain communication traffic information for law enforcement, the U.K. developed the "Intercept Modernisation Programme".

"The Home Office already has plans to log details of all phone calls, emails and websites visited by web users in the UK, as part of a grander scheme, a massive "mother of all databases" under the "Intercept Modernisation Programme" umbrella."

The Home Office is now looking at expanding beyond the EU Directive to include communications between users of social networking sites such as Facebook and Twitter:

"The Home Office minister Vernon Coaker told MPs that the fact that the EU Data Retention Directive lacks some features is "why the Government is looking at what we should do about the intercept modernisation programme because there are certain aspects of communications which are not covered by the directive."

This, of course, is stirring a significant debate on civil liberties. However, when investigating large-scale crimes involving the Internet (and especially international activity), traffic analysis of communications is probably the single best investigative tool available and this is one of the arguments put forth by proponents of the activity:

"The government said that it will not be interested in what is being discussed but rather who talks to whom online, something that the government says is vital in preventing criminals and terrorists' communicating facilities."

As an aside:

The keywords "Intercept Modernisation Programme" generates more traffic to this blog than any other so I'm always interested in performing traffic analysis on the spike after an article on the subject is posted. Historically, over 80% of traffic can be traced to U.K. defense or other governmental contractors.

UK Government Plans To Monitor Social Networking Websites

Social network sites 'monitored'

Famous Last Words

2009-03-31T08:05:00.000-07:00

The Times of India quotes an Indian Army Lt. General saying the Indian Army is secure from cyber attacks:

"We have put in place a very secure network and I can confidently say that it cannot be tampered with,'' said signal officer-in-chief Lt-General P Mohapatra on Monday.

"There are various cryptographic controls that we have put in place and there are training activities to ensure that no loss of information takes place,'' he added."

The report further adds that "periodic cyber-security audits" provide additional protection.

Sigh...

Cyber war: Army says its systems are hack-proof

U.K. Intelligence Fears Chinese Made Telecommunication Systems

2009-03-29T17:47:00.000-07:00

The Sunday Times report on U.K. intelligence officers' fear China may be able to disrupt British telecommunications via Chinese systems provided to British Telecom (BT):

"A confidential document circulating in Whitehall says that while BT has taken steps to reduce the risk of attacks by hackers or organised crime, “we believe that the mitigating measures are not effective against deliberate attack by China”."

The primary concern is BT using systems manufactured by Huawei:

"According to the sources, the ministerial committee on national security was told at the January meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.
"Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network...”

Spy chiefs fear Chinese cyber attack

GhostNet: Massive Spy Network Uncovered

2009-03-29T13:40:00.000-07:00

A series of reports and newspaper articles were released today on the investigation of what is being called GhostNet. The investigation began with complains from Tibetan groups based out of India including the Private Office of the Dalai Lama. The forward from the primary report describes the scope of the activity uncovered:

"The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information."

...

"From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value."

The attacks appears to be from China but the authors correctly point out the difficulty in determining the exact source:

"Some may conclude that what we lay out here points definitively to China as the culprit. Certainly Chinese cyber-espionage is a major global concern. Chinese authorities have made it clear that they consider cyberspace a strategic domain, one which helps redress the military imbalance between China and the rest of the world (particularly the United States). They have correctly identified cyberspace as the strategic fulcrum upon which U.S. military and economic dominance depends.

"But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading. Numbers can tell a different story. China is presently the world’s largest Internet population. The sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it’s expected that China (and Chinese individuals) will account for a larger proportion of cybercrime.

"Likewise, the threshold for engaging in cyber espionage is falling. Cybercrime kits are now available online, and their use is clearly on the rise, in some cases by organized crime and other private actors."

The report provides a detailed analysis of both methods and targets. Specifically:

"...our investigation... led to the discovery of insecure, web-based interfaces to four control servers. These interfaces allow attacker(s) to send instructions to, and receive data from, compromised computers... This extensive network consists of at least 1,295 infected computers in 103 countries.

"Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters."

Tracking GhostNet: Investigating a Cyber Espionage Network

Related Articles:

The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement

Vast Spy System Loots Computers in 103 Countries

Dealing with Online Hate Speech

2009-03-28T11:19:00.000-07:00

Security Magazine has an article discussing the issues involved in controlling hate speech on the Internet - in particular - the the often irreconcilable differences between various countries legal approaches:

"Some European countries have made certain forms of hate speech, like Nazi propaganda and Holocaust denial, a crime. Free speech protections guaranteed in the First Amendment of the U.S. Constitution make it impossible to outlaw hate speech in the United States, however. This impediment presents one of the biggest challenges for those seeking international solutions to the problem of hate speech."

However, even with legal issues, it is possible to develop some mechanisms to limit hate speech:

"Experts agree that part of the solution lies in working with businesses that provide access to the Internet or online applications. While the government cannot outlaw hate speech, a company has the right to establish a policy that requires users to abide by stated limits on what can be posted online."

Internet Hate: A Tough Problem to Combat

Cat and Mouse: Social Networks Help Protesters and Police

2009-03-27T10:21:00.000-07:00

In a classic study of the power of online communications, social networking sites such as Twitter will be used both by protesters of the G20 meeting in London and by law enforcement to monitor the protesters:

"Marina Pepper, one of the organizers of G20 Meltdown, said that Twitter, the blogging tool that allows short updates to be filed, published and read via cellphones, would be used to coordinate the protests -- and warn participants of possible trouble.
"In terms of mobilizing people and shifting them around, Twitter will be used next week," Pepper told CNN. "We can also keep people empowered, because information is power."
"But Commander Simon O'Brien, one of the senior officers involved in policing security around the G20, said social networking sites would also be a "key area of our intelligence gathering."
"That's where we are picking up a lot of our intelligence about numbers and what certain groups are aiming to achieve," O'Brien said."

Protesters, police go online in G20 battle

Canada Sees Cyber Security As Top National Security Concern

2009-03-17T07:57:00.000-07:00

Canada's Public Safety Minister is in Washington for bilateral talks on security and in an interview discussed Canada's cyber concerns:

"Canada is facing a growing threat of cyber attacks from hostile governments and criminals that could cripple critical infrastructure and financial systems, says Public Safety Minister Peter Van Loan."

In fact, the Minister sees cyber attacks as one of the top security concerns for Canada:

"...Van Loan said cyberspace and border security will top the agenda for high-level meetings with his America."

Cyber war tops Public Safety agenda

UN Concern over "Cyber Weapons"

2009-03-16T10:15:00.000-07:00

Every day, there is a rash of articles on the potential of cyber war and what should or shouldn't be done about it. The U.N. is becoming involved and now considers "cyber weapons" an issue for disarmament discussions:

"So worried are governments by the prospect of an all-out cyber-attack that last month UN secretary-general Ban Ki-moon revealed that cyber-weapons are to be added to the list of arms falling under the remit of the UN's Advisory Board on Disarmament Matters, which develops policy on weapons of mass destruction. Ban said recent breaches of critical systems represent "a clear and present threat to international security", since the public and private sectors have grown increasingly dependent on electronic information."

Pentagon readies its cyberwar defences

U.S. Legal Issues on Cyber War

2009-03-13T09:12:00.000-07:00

The Congressional Research Service has published a report on the legal and policy issues related to cyber warfare and defense in the United States. The paper summarizes the issues in terms of the three branches of the Federal government:

"Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyber attacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under the Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war."

One of the key problems with the Comprehensive National Cybersecurity Initiative (CNCI) is that originated in a classified Presidential Directive. This immediately causes conflict with the private sector on which the government is dependent:

"Given the secretive nature of the CNCI, one of the common concerns voiced by many security experts is the extent to which non-federal entities should have a role in understanding the threat to the nation’s telecommunications and cyber infrastructure and assist with providing advice, assistance, and coordination in preparation and response for ongoing and future intrusions and attacks."

The report provides background and discussion on the various roles and responsibilities of the three governmental branches and recommends the following Congressional actions to clarify and strengthen the legal basis for government action:

determine the most appropriate and effective organizational entity in which the nation’s principal cybersecurity prevention, response, and recovery responsibilities should reside;

require the senior U.S. government official in charge of all CNCI related activities be a Senate confirmable position to facilitate ongoing information exchange regarding Initiative plans and areas of progress and difficulty;

enact legislative language recognizing and defining the classified and unclassified aspects of the CNCI and the need for greater transparency and inclusiveness;

require the new Administration to develop and revise annually a classified and unclassified national cyber security strategy and intelligence community generated National Intelligence Estimate that provides Congress, the telecommunications industry, and the American public information related to the CNCI, the current and strategic cyber threats facing the nation, and programs being implemented to prepare for evolving technological risks;

define the privacy and civil liberty considerations that should accompany all aspects of the CNCI;

include legislative language in applicable authorizations bills to establish a programmatic foundation for CNCI related programs and suggest funding for current and future year’s activities; or

identify and codify relevant laws defining a national security related cyber offense against the United States, offensive versus defensive cyber activities, and the situations in which the Congress should be notified prior to the United States undertaking an offensive or counteroffensive cyber act.

The full report is available through the Washington Post:

Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations

Religious Cyber Wars on Facebook

2009-03-13T08:58:00.000-07:00

TG Daily is reporting on an ongoing conflict on Facebook between a Christian group and Islamic supporters.

"The attack appears to be ongoing as the group's image has been changed, and the group's Basic Info section has also been changed to carry several paragraphs which claim to report on the foundation of Islam, including the first principle declaration in two parts, and several passages relating to the deity Allah and his prophet/servant/apostle Muhammad."

The article not only provides a chronology of activity but provides some of the religious history behind some of the postings.

UPDATE #3: Religious hack attack against Christianity seen on Facebook

Militarizing Cyberspace

2009-03-13T08:47:00.000-07:00

PCWorld discusses what it calls the militarization of the Internet - from the increasing use of distributed denial of service attacks:

"Governments are interested in using DDOS attacks since tracing their originators and financiers proves difficult for security researchers."

The article discusses the government attempts to censor dissidents and opponents and the use of DDoS attacks such as those in Estonia.

Political Cyberattacks to Militarize the Web

"Political Hacking" Is a Growing Trend

2009-03-10T10:24:00.000-07:00

International Relations and Security Network (ISN) published an article on the increasing nature of politically motivated computer crime and hacktivism:

"A growing trend of politicized hacking or "hacktivism" is emerging. The incidents in Estonia and Georgia were most likely carried out by state-encouraged Russian nationalist youth groups and criminal organizations, as well as at-large volunteers. One German youth claimed on a web forum that, with instruction from a Russian website, he was initiating fully functional denial-of-service attacks against targets in Georgia in a manner of hours. In reaction to a Danish newspaper cartoon of the Prophet Mohammad, loose groups of hackers in Turkey and other Muslim countries cyberattacked that publication's website."

The report summarizes some of the related recent activity.

The State of the Data War

California May Censor Google Earth

2009-03-05T09:00:00.000-08:00

Following reports that terrorists in India and Israel were using Google Earth in planning attacks, California lawmaker Joel Anderson has introduced a bill (AB 255) in the California Assembly to force censorship of potential targets:

"(a) An operator of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public shall not provide aerial or satellite photographs or imagery of a building or facility in this state that is identified on the Internet Web site by the operator as a school or place of worship, or a government or medical building or facility, unless those photographs or images have been blurred.

"(b) An operator of a commercial Internet Web site or online service that makes a virtual globe browser available to members of the public shall not provide street view photographs or images of the buildings and facilities described in subdivision (a)."

ASSEMBLY BILL No. 255

Internet Censorship in the Middle East

2009-03-04T09:08:00.000-08:00

Lebanon's Daily Star analyzes the motivation for network control and censorship in the Middle East. The author provides three motivations:

The degree of Internet proliferation;
Press freedom and democracy; and,
Culture

The report provides statistics concerning how each of these elements affects censorship in various countries. For example:

"Obviously, to the extent that internet usage in a given country is low due to economic or technological reasons or because of the absence of the requisite human resources, there is no need to regulate the internet through legislation because there is no internet. Thus Yemen had only 1.4 percent internet penetration in 2008, followed by Libya (4.2), Sudan (8.7) and Algeria (10.4). Conversely, the Middle East countries with the most internet legislation and regulation are also the leaders in internet penetration: Israel (52 percent), the UAE (49.8), Turkey (36.9), Iran (34.9), Kuwait (34.7), Tunisia (27), Saudi Arabia (22) and Egypt (12.9 percent)."

For many Arab states, internet suffocation is the norm

Online Communication of Operations by Terrorists

2009-03-04T08:45:00.000-08:00

An interesting article on why terrorist organizations do not plan or communicate operations online. The article discusses a blog posting proposing "...al-Qaida on the Arabian Peninsula (QAP) fire Katyusha rockets from the Saudi shore of the Gulf of Aqaba toward Sharm al-Sheikh, where international leaders are meeting...".

As the article points out, "...the jihadi internet is used for many things, but not for operational planning.":

"...the idea [for an attack] is useless the moment you post it on online for all the intelligence services in the world to see.
"The posting is nevertheless interesting, first of all because it is unusually specific and shows that we cannot completely dismiss the Internet’s potential as an arena for operational brainstorming. At the same time, it illustrates the lack of military know-how of many online jihadists. In much of the forum material, there is a spectacular disconnection between intention and capability. Unfortunately, the haute couture of terrorism is prepared behind closed doors."

Prêt à porter terrorism

Use of Technology by Terrorists Targeting India

2009-03-04T08:33:00.000-08:00

Frontier Media, an Indian blog on defense and intelligence issues, posted an article with the following concerning terrorist use of technology:

"Cyber and communications crimes attained maturity as a result of two incidents. The first was the hacking of a wireless network by the so-called Deccan Mujaheedin terrorists (desperate Pakistani terrorists use such generic names for projecting it as an Indian outfit), which resulted in an e-mail threat that implicated a foreigner. The second incident was the Pakistani terrorists Lashkar-e-Taiba’s (Jamaat-ud-Dawa) use of a satellite phone and Russian server during the attack on Mumbai, which resulted in the deaths of more than 180 Indians and foreign citizens alike – women and children among them."

Unfortunately, the rest of the article mostly delves into spam, phishing and fraud issues.

Software for meeting India’s Cyber- and IP-related challenges

Political Motivation Still Top Motive for Web Defacement

2009-02-27T08:49:00.000-08:00

Breach Security, Inc has released its annual report analyzing web page defacement. The study found that although financial motivation for web attacks is increasing, political and ideological motivations are still the primary drivers:

"On the other end of the spectrum, the ideologists use the Internet to convey their message using Web hacking. Their main vehicle is defacing web sites."

...

"When further analyzing defacement incidents, we found that the majority were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign. Others have a cultural aspect, mainly Islamic hackers defacing western web sites."

The report also looks at who is targeted most often for web defacements:

"Government is a prime target due to ideological reasons, while universities are more open than other organizations. These statistics, however, are biased, to a degree, as the public disclosure requirements of government and other public organizations are much broader than those of commercial organizations..."

"On the commercial side, Internet-related organizations top the list. This group includes retail shops, comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers."

THE WEB HACKING INCIDENTS DATABASE 2008

A New Military Branch for Cyber Warfare?

2009-02-25T09:37:00.000-08:00

IANewsletter has published an article (starting on page 14) looking at the need for a separate cyber branch of the U.S. military on par with the Army, Navy, Marines and Air Force.

The authors review the historical context of the existing branches and the unique nature of cyber warfare:

"...occasionally, a new technology is so significant that it creates a discontinuity in the conduct of war that necessitates creation of an entirely new military service. This situation occurred in the United States, resulting in the formation of the Air Force in 1947. The advent of air power fundamentally altered the conduct of warfighting and drove the transformation of the Army Air Corps into the United States Air Force.

"The revolution in cyberwarfare places today’s militaries at a similar cusp in history and necessitates the formation of a cyberwarfare branch of the military, on equal footing with the Army, Navy, and Air Force."

...

"Cyberwarfare is fundamentally different from traditional kinetic warfare. National boundaries in cyberspace are difficult, if not impossible, to define. Lawyers and pundits are still debating the
formal definition of an “act of war.” Asymmetries abound and defenders must block all possible avenues of cyber attack. An attacker need only exploit a single vulnerability to be successful."

The article then discusses why it would be better to have a separate military branch rather than trying to integrate cyber capabilities into each existing branch:

"The cultures of today’s military services are fundamentally incompatible with the culture required to conduct cyberwarfare. This assertion in no way denigrates either culture. Today’s militaries excel at their respective missions of fighting and winning in ground, sea, and air conflict; however, the core skills each institution values are intrinsically different from those skills required to engage in cyberwarfare. Cyber requires a deep understanding of software, hardware, operating systems, and networks at both the technical and policy levels."

Army, Navy, Air Force, and Cyber—Is it Time for a Cyberwarfare Branch of Military?

Russian Consulate Website Attacked to Protest Sinking of Ship

2009-02-23T08:58:00.001-08:00

Several sites are carrying information concerning an attack on the Russian Consulate in Shanghai to protest the Russian Navy's sinking of a Chinese ship as it tried to escape after being impounded for alleged smuggling.

The website was defaced with a protest message:

“Russia invaded our territory to kill people from the People’s Republic. Hack done for the Chinese crew of controversy! Russia must be punished! ! ! Hacked BY: Yu”

Yu is described in the article as "a network security enthusiast that has been defacing Chinese, Japanese, Korean, Taiwanese and U.S sites for a while, but had to give up his activities due to college studies."

Chinese hackers deface the Russian Consulate in Shanghai (ZDNet)

Chinese hackers take down Russian Consulate website (Dark Visitor)

Azerbaijan Cellular Website Attacked from Iran

2009-02-23T08:48:00.000-08:00

From a very short article describing an attack on the website of Catel, Azerbaijan’s first CDMA operator:

"Iranian hackers, who describe themselves as “Balck [sic] Hats”, changed the appearance of the index page by posting a banner which reads that they will destroy the websites of companies with a US and Israeli stake."

Hackers attack Azerbaijan’s first CDMA operator’s website

New Arrest in Indymedia Investigation in the U.K.

2009-02-17T09:20:00.000-08:00

The investigation of the online activist site, Indymedia, as discussed several weeks ago, continues in the U.K. with the arrest of an individual hosting a server for the group. Police are investigating the publication of personal information belonging to a judge in an animal rights trial.

This case is an excellent study of the conflicting issues related to free speech and political dissent, the need to investigative crimes, international and cultural differences concerning privacy and how laws passed to give investigative powers in one area (terrorism) are quickly applied in unrelated areas (invasion of privacy).

Indymedia's view of the situation and events is provided below:

"This Monday, Kent Police arrested a man in Sheffield under the Serious Crime Act 2007 in relation to the recent Indymedia server seizure. His home was raided, all computer equipment and related papers taken. He was released after eight hours. The person had neither technical, administrative nor editorial access to the Indymedia UK website. He was only associated to the project by hosting its server.
"The arrest took place under Section 44-46 of the Serious Crime Act, which was passed into law on 1st October 2008 to combat serious international crime like drug trafficking, prostitution, money laundering and armed robbery. Sections 44-46 refer to “encouraging or assisting offences”.
"Kent police claim that they are after the IP address of the poster of two anonymous comments to a report about a recent animal liberation court case, which included personal details of the Judge. The IP address of the poster is not stored as Indymedia does not log IP addresses. This was acknowledged by British Transport Police in 2005, after the Bristol IMC server seizure.

"For the police to arrest the person who happened to sign the contract for server hosting, is sheer intimidation, in light of Indymedia’s openly stated policy of no IP logging.
"With the implementation of the EU Data Retention Directive in March 2009, the UK government attempts to turn every internet service provider in the country into part of the law enforcement apparatus. This legislation will provide a legal basis to track, intimidate, harass, and arrest people who are doing valuable and necessary work for social change, for example as peace activists, campaigners for economic and social justice or against police brutality."

Also of interest are the comments to this post discussing activists perceptions of this situation and similiar issues encountered by other political activists around the world.

DNI: Cyber Security a Top U.S. National Security Issue

2009-02-13T10:15:00.000-08:00

The U.S. Director of National Intelligence, Dennis Blair, has provided his annual threat assessment to Congress. His Statement for the Record has been published and cyber security issues are defined as a major threat to the United States. Mr. Blair's statement includes the following summary of the threat (emphasis has been added):

"A growing array of state and non-state adversaries are increasingly targeting—for exploitation and potentially disruption or destruction—our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year.

"We assess that a number of nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups, including al-Qa’ida, HAMAS, and Hizballah, have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay. Each of these actors has different levels of skill and different intentions; therefore, we must develop flexible capabilities to counter each. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

"We expect disruptive cyber activities to be the norm in future political or military conflicts. The Distributed Denial of Service (DDoS) attacks and Web defacements that targeted Georgia in 2008 and Estonia in 2007 disrupted government, media, and banking Web sites. DDoS attacks and Web defacements targeted Georgian government Web sites, including that of Georgian President Saakishvili, intermittently disrupting online access to the official Georgian perspective of the conflict and some Georgian Government functions but did not affect military action. Such attacks have been a common outlet for hackers during political disputes over the past decade, including Israel’s military conflicts with Hizballah and HAMAS in 2006 and 2008, the aftermath of the terrorist attacks in Mumbai last year, the publication of cartoons caricaturing the Prophet Mohammed in 2005, and the Chinese downing of a US Navy aircraft in 2001."

The report also discusses online activity by organized crime.

Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence

Recommended: Detailed Report on the State of Network and Information Security in Europe

2009-02-13T09:24:00.000-08:00

For anyone that deals with cyber security issues in Europe, it is always a challenge to keep up on each member country's initiatives, institutions and regulations. A new report looks to be a valuable resource in navigating the complex European environment.

The European Network and Information Security Agency (ENISA) has published an extensive (over 600 pages) report on network and information security in its 30 member countries (the 27 EU member countries plus 3 members of the European Economic Community). This report is an excellent who's who of cyber security in Europe.

The report is structured by country and provided details of cyber security activities including:

General country information including statistics on IT use;
The major governmental and private stakeholders that set and implement cyber security policies and their relationships;
An overview and detailed look at current initiatives, focus points and activities of each entity;
Cyber security events taking place in each country;
Cyber security trends including information on security breaches

An excellent reference on the state of cyber security in Europe. Let's hope they plan to keep in updated.

ENISA Country Reports

Chinese Cyber Attacks Back in the News

2009-02-13T08:44:00.000-08:00

Attacks from China have resurfaces in the news although its difficult to determine from the coverage if these are new attacks. In a recent interview, Rep. Bennie Thompson, Chairman of the House Homeland Security Committee, provided a few details concerning attack targets:

"Currency trading is among the financial networks targeted by hackers, Thompson said. An attack would be particularly damaging in light of the financial system’s troubled state, he said.

"He said electric utilities’ networks also have several points of weakness.

“We were provided alarming data on the vulnerability of our electrical grid in this country,” he said."

China strongly denies the allegations:

“Allegations that the Chinese government is behind cyber attacks against the U.S. computer networks are totally unwarranted and misleading for the America public,” Wang [Baodong, a spokesman for the Chinese Embassy in the U.S.] said in an e-mailed statement.

Wang said the Chinese government is “cracking down” on computer hacking and other cyber crimes.

Chinese Hackers Attack U.S. Computers, Thompson Says

More 'Political Hacking' in India

2009-02-10T08:57:00.000-08:00

CyberMedia India Online (CIOL) looks at politically motivated computer crime in an article with the subtitle "Imagine if computer hackers, the daredevils of the networked world, turn into principled political activists".

The article mostly reviews incidents around the world, not all with political motivation. However, it does discuss some recent activity in India related to attacks that are alleged to have originated in Pakistan or are in support of Islamic causes:

"In a virtual act of mocking the cyber crime department of the police the official website of the Andhra Pradesh Crime Investigation Department (CID), www.cidap.gov.in, was hacked and defaced recently. Though no one has publicly claimed responsibility for the act, the abusive message posted on the website points to some Islamic fundamentalist group.

"The group had hacked nearly five India's site, including that of the ONGC, in a 'retaliatory' action against the hacking of the site of Pakistan's OGRA (Oil and Gas Regulatory Authority)

"Amidst reports from all over the world regarding hacking celebrity sites and other websites, the community site of the former President of India, Dr. APJ Kalam, in Orkut World, was recently targeted by Pakistani hackers."

Is hacking a war tool?

"Cyber War" to Protect Sharia Law?

2009-02-10T08:37:00.000-08:00

In an article titled "Protection of Sharia (Islamic Law) and social reforms in AIMPLB [All India Muslim Personal Law Board]" the India-based ShahilOnline website is reporting on recent speeches given by Islamic scholars to more than 25,000 people.

During one of these speeches, the issue of cyberwar and technology came up:

"Moulana Salam Nadvi in his address said that the younger generation of the community should obtain higher education particularly they have to gain proficiency in the field of 'Information Technology' not for the purpose of accumulating wealth by getting employment in American companies in Bangalore, but to fight against the cyber-war being waged by anti-Islamic lobby particularly by western media [sic]."

Protection of Sharia (Islamic Law) and social reforms in AIMPLB

Why Are There No Internet Terrorist Attacks?

2009-02-09T08:34:00.000-08:00

Strategy Page posted an analysis of the fact that we have not seen a significant Internet based terrorist attack:

"The Internet Jihad (struggle) has been mostly smoke, and very little fire.

"Attempts by terrorists to recruit hackers have had very poor results. There are a growing number of programmers and Internet specialists in the Moslem world, but most of them have legitimate jobs in software firms, or maintaining software and Internet services for companies."

The article also rightly points out that what little activity we have seen has been ineffective and isolated:

"At most, there have been some defacing of web pages, often by hackers driven more by nationalism than religion."

The post goes on to explain categorically why:

"Counter-terrorism organizations know why there have not been more of these attacks by al Qaeda, or any other self-proclaimed Islamic warriors. The fact is that the Islamic terrorists are not nearly as well organized or skilled as the mass media would lead you to believe."

The premise that we are not seeing major cyber terrorist attacks is correct but I disagree with the conclusion. The potential of the Internet is the fact that it does not take a lot of organization to exploit it's strengths (positively or negatively). This is why an individual or small (unorganized) group can have a presence and voice on the world stage. As the article points out, "there are Cyber War tools available that even the poorly educated terrorist computer user could operate."

If a group has the organization to recruit a suicide bomber, they have at least the potential to launch a cyber attack. Furthermore, if the almost chaotic organization of various hacktivist protesters can launch (mostly ineffective) cyber attacks then most terrorist organizations could do at least the same; and that's the key - the effectiveness of these types of attacks.

A more likely explanation is that they choose not to use them for the same reason that they choose not to carry out low-level physical attacks - only a large, physical attack causes the damage groups such as al-Qaeda believe furthers their cause - creating fear and inspiring their followers. Even the best DDoS attack would only cause temporary outages. It might gain some headlines (which the hacktivist is happy to have) but would hardly inspire uneducated Jihadists in the slums of Middle East cities to rise up.

Terrorists groups do see the power of the Internet for communication, intelligence gathering and propaganda and will continue to use it for these purposes. Only if they truly believe a cyber attack will further their cause will they be motivated to carry one out. Even then, it won't have the same impact as a physical attack - inconvenience does not translate to fear.

What Happened To The Internet Jihad?

Indian Summary of Davos Discussions

2009-02-09T08:26:00.000-08:00

The Hindu Newspaper's Business Line reports on the discussions of cyber crime at the World Economic Forum in Davos and provides an Indian perspective:

"We, in India, have often seen reports of many Government of India Web sites being defaced, possibly from attacks originating from Pakistan.

"Fortunately these have been isolated instances, not amounting to a major cyber war. There is, however, no room for complacence. The government may not be able to share with us all that it has done to protect systems in India. We will have to rest content with the belief that we remain in a perpetual state of alertness to meet a severe challenge from neighbouring countries."

Don’t let down guard

Guessing at the Source of Cyber Attacks

2009-02-05T16:07:00.000-08:00

Yet another example of how difficult it is to determine both motive and source of cyber attacks. As with most "cyber war" attacks, it is pure speculation as to who is behind the latest activity against Kyrgyzstan and arguments can be made for any number of sources.

The New York Times has an article discussing two different possibilities for the most recent Kyrgyzstan attacks:

Russian "cyber-militias" are attacking to intimidate the Kyrgyzstan government for any number of reasons; or,
Kyrgyzstan hired Russian "hackers" to attack itself in order to "crackdown on an opposition party in Kyrgyzstan that uses the Internet to organize".

This is the danger: Without better intelligence and investigative capabilities, it will be next to impossible to determine exact source and motive. This leads to an inability to respond properly to a cyber attack or, potentially worse, responding inappropriately.

I have been involved in numerous complex, international cyber investigations where the source and motive were determined. However, it is almost never simple and requires extensive intelligence gathering and analysis (beyond basic Internet traffic analysis). This requires time and expenses beyond what most organizations are willing to invest in. Yet doing anything less leaves only guesswork.

Also see Analyzing Goggle Attacks - Plenty of Room for Error

Are ‘Cyber-Militias’ Attacking Kyrgyzstan?

NATO Officers Targeted by Trojan Code

2009-02-05T09:13:00.000-08:00

This BBC article looks at several aspects of NATO cyber defenses including Trojan code that is specifically designed and targeted to NATO officers for espionage purposes:

"Mr Anil reveals that there has been more than one incidence of Nato officials being socially profiled, and then subjected to "targeted trojans".
"He explains how their unseen adversaries gather as much information as possible about the individual then send them an email purporting to come from a friend or a relative."

Nato's cyber defence warriors

Convergence of Electronic and Network Warfare

2009-02-05T08:59:00.000-08:00

The Fort Leavenworth Lamp discusses the convergence of traditional electronic warfare (EW) with computer network operations (CNO):

"In the operational environment, the lines between CNO and EW are blurred," [Lt. Col. John] Bircher said. "We can use EW to disable our enemies' cellular phone device or we can use CNO to deny the device's access to its network."

"Do we use CNO or EW to deny our adversary, and does it matter to the tactical commander?" Bircher continued, "and in our conceptual research we found that it didn't matter. What's important is controlling the data, the bandwidth and the electromagnetic spectrum."

Electronic Warfare Proponent: Changes by adversaries, advances in technology drive EW's operational importance

Thailand Struggles with Internet Content

2009-02-05T08:41:00.000-08:00

The Bangkok Post ran an lengthy article discussing the issue of freedom of speech and control of inappropriate content. Much of the article is concerned with controlling disparaging comments made online about the Thai Monarchy.

The article provides an excellent example of how each culture is struggling to deal with these issues and the difficulty in enforcing any regulations that are passed:

"Blocking content on over 2,000 web sites just prevents Thai residents accessing them while others worldwide still can. This method therefore cannot truly protect the honour of the monarchy," added Chiranuch Premchaiporn, director of Prachathai, an online news web site.

"The ICT [Information and Communication Technology] Ministry's combative stance on cyperspace is viewed as another draconian measure, in addition to the Computer Crime Act 2007 that deals with cyber-dissidents or online criminals. But the group at the seminars fears that such extreme measures will do more harm than good.

"We support the law and the policy to handle such crimes as hacking, deception, child pornography, pirate video clips, and theft of personal information, but the measure that allows state agents to block and close web sites can also lead to a violation of freedom of speech and limits public access to information," said Supinya Klangnarong, CPMR [the Campaign for Popular Media Reform]."

IN NETIZEN, WE TRUST

Social Networks Limit Undercover Work

2009-02-04T10:28:00.000-08:00

Yet another "security" issue with social networks - intelligence agency recruitment:

"Herein lies the problem: if you're planning on having a second identity for undercover work, it doesn't help if your photos, friends and real name are splattered all over various social networking sites. Try finding a student at a university who hasn't done just that.

"The UK's intelligence agencies are worried. From schoolchildren on Bebo, through Facebook-obsessed young professionals, to well-networked CEOs on LinkedIn, having an online presence is a must in this day and age. But with the explosion of social networking sites, it has become virtually impossible to find recruits who don't have some sort of an online trail."

I would expect this to be a similar problem for law enforcement...

Social networking websites make recruiting spies difficult

Cyber Security Is a National Security Problem for the United States

2009-02-04T10:09:00.000-08:00

Vice Adm. Carl Mauney, deputy commander for the U.S. Strategic Command told the 2009 Network Centric Warfare conference that "cyber security is a national security problem".

During his presentation he told the audience some of the problems the DoD is facing and that cyber defense required better coordination of effort:

"Also complicating cyber sleuths’ lives is the world’s billions of eye-blink-fast interconnected computers. But keeping up is vital. “Cyberspace has become a warfighting domain like land, sea, air, space,” Mauney told attendees. “And in light of growingly astute cyber enemies, it’s in our interest to maintain freedom of action,” he said.

"However, he cautioned, “It can’t be done in isolation.” There’s a “compelling need to integrate all elements of cyberspace operation and to [move] at net speed.” This is because the DOD on a daily basis faces millions of denial-of-service attacks, hacking, malware, bot-nets, viruses and other ruinous intrusions, some of which are associated with nations and nation-states, he said."

More importantly, Admiral Mauney stressed the need for individual accountability:

"What is needed is “a focus on accountability, from leadership to the user level. Our mindset needs to reflect the way we treat other military systems,” he said. “We don’t accept substandard performance in maritime, air and ground ops — and this is no different.” [emphasis added]

Hear Hear!

Greater cooperation needed to defeat cyber enemies

Europe Needs More Work on Cyber Defense

2009-02-04T09:48:00.000-08:00

Trend News in Azerbaijan is reporting on a German DPA interview with Estonia's Minister of Defense concerning European readiness to defend against cyber attacks:

"For the time being, Europe's capability to defend itself from cyber-attacks is on the level of some of the capabilities of member states. Little value-added on the European level has been developed: we need to do more," he [Estonian Defence Minister Jaak Aaviksoo] said.

"In particular, the 27-member bloc must work harder to coordinate the efforts of various national defence and law-enforcement agencies and push for better cooperation with third countries which can serve as a safe haven for web-based attackers, he said."

Minister: Europe has not yet done enough on cyber-defence

Indymedia Server Seized - A Lesson in Network Resilience

2009-02-02T23:11:00.000-08:00

Indymedia - one of the largest international clearinghouses of news and information for social activism - was recently raided by police in the UK. The raid was apparently the result of an investigation into the publication of personal information belonging to a trail judge in a comment to an article on an animal rights trial.

Indymedia had already removed the offending article per their own policies, however, police seized a server containing a large quantity of information:

"...by seizing this server they [the police] are not only getting information on Indymedia but also on wholly unrelated groups."

However, the seizure of the server did not interrupt Indymedia operations. Indymedia's network is highly distributed and redundant with extensive mirroring of data:

"As with previous cases, Indymedia UK stayed online this time. This was possible due to a system of "mirrors", which was set up to protect the technical infrastructure of the alternative media project. Despite the resource intensive interruptions caused by server seizures, the DIY-media activists continue to provide a platform for "news straight from the streets"."

Although it appears the police were not attempting to censor the information, this case shows both the flexibility, power and dynamic nature of online communication. However, this resilience cuts both ways: Activists and other politically motivated sites are difficult to censor or disrupt, but likewise, when commercial or government sites are the target of online protests by hacktivists, their online attacks often have limited or no operational impact on their targets for the same reason.

Other case studies of this phenomenon are documented in Hacktivism and Politically Motivated Computer Crime.

Police Seize UK Indymedia Server (Again)

Turkish "Hacker" Spied for PKK

2009-02-02T15:32:00.000-08:00

The Turkish newsite,Today's Zaman, is reporting that a "hacker" originally arrested for theft is now accused of supporting the Kurdistan Workers' Party (PKK).

Analysis of his system and recovered media revealed classified information which he is alleged to have transferred to the PKK in Northern Iraq.

The article discusses an interesting method of obtaining the information:

"[The suspect] said during police interrogation that the contact between him and the PKK's Karayılan was established through a terrorist friend of his who resides in France. He also stated that he acquired confidential information belonging to the General Staff, MİT [the Turkish National Intelligence Organization] and other institutions through computer virus programs he placed on pornographic Web sites visited by army members."

PKK hacker faces up to 10 years in prison

World Economic Forum Short on Answers to Cyber Warfare and Computer Crime

2009-02-01T15:39:00.000-08:00

The World Economic Forum in Davos held a panel discussion on cyber threats and named cyber warfare as one of the top three (crime and the basic design of the web were the other two).

Most of the discussion of cyber warfare centered around Russian attacks against its neighbors but also discussed the difficulty of control on the Internet:

"...the internet[sic] is a global network, it doesn't obey traditional boundaries, and traditional ways of policing don't work," one expert said."

The panel also discussed what should be done about the problem and it appears from news reports that there were no new ideas. In fact, some panelists seemed to think just letting things work themselves out was the best answer:

"But several panellists worried about the heavy hand of government. The internet's strength was its open nature. Centralising it would be a huge threat to innovation, evolution and growth of the web.
"The amount of control required [to exclude all risk] is quite totalitarian," one of them warned.
"Instead they suggested to foster the civic spirit of the web, similar to the open source software movement and the team that had sorted the YouTube problem"

While no one wants "totalitarian" control of the Internet, it is dangerously naive to think that fostering "civic spirit" would even begin to make a dent in computer crime. In fact, one could argue that civic spirit is a major motivator for politically motivated cyber attacks.

Cybercrime threat rising sharply

Looking at the Pattern of Cyber Attacks from Russia

2009-02-01T10:41:00.000-08:00

Terming cyberattacks against Russian's neighbors as "cyber bullying", Strategy Page provides a synopsis of previous attacks originating from Russia and discusses their escalation to the present attack against Kyrgyzstan. The article also discusses NATO reaction including the creation of the Cyber Defense Center in Estonia last year:

"The Center will study Cyber War techniques and incidents, and attempt to coordinate efforts by other NATO members to create Cyber War defenses, and offensive weapons."

CyberBully

A Cyber Iron Curtain?

2009-01-28T10:16:00.000-08:00

HOSTEXPLOIT.com has published an interesting article summarizing recent cyber attacks allegedly originating from Russia and suggesting there is a new Cyber Iron Curtain:

"Hence from a ‘Cyber Iron-Curtain’ perspective there is now provided a ‘control at will’ by Russia of communication and increasing cyber influence over its former Soviet satellites, a modern parallel to Winston Churchill’s post second world war description of the Soviet sphere of influence. Separately, the blocking of these major websites in Kyrgyzstan suggests that we should probably move this country up the relative scale of importance for the monitoring cyberwar around the world."

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Denial-of-Service Attack against Kyrgzstan

2009-01-28T10:01:00.000-08:00

The Wall Street Journal is reporting that Kyrgzstan's Internet infrastructure is under attack allegedly from Russia. There is very little detail in the report and only speculation on possible motives:

"Theories for the reason behind the current attack in Kyrgyzstan center on the U.S. use of an air base in the country to help with its military operations in Afghanistan. Another theory is that the attack was directed at the fledgling Kyrgyz opposition movement, which has used the Internet to express its discontent."

Wired Magazine offers a little more in-depth speculation:

"Using denial-of-service to clamp down opposition sounds a bit more plausible. During Kyrgyzstan's "Tulip Revolution" in 2005, demonstrators often depended on cell phones and text messages to organize. In post-Soviet states, where a smaller portion of the population is online, the authorities often allow the Internet to thrive as an outlet for dissent and free expression while clamping down on traditional media. But when the net becomes a more effective organizing tool -- or a more effective medium for investigative reporting -- the powers that be begin to take note."

Kyrgyzstan Knocked Offline (WSJ)

Russian 'Cyber Militia' Takes Kyrgyzstan Offline? (Wired)

Parent Support Website Attacked in China

2009-01-27T08:27:00.000-08:00

In China, a webite was set up for parents of children affected by tainted milk. The Dark Visitor, a website that follows the computer underground in China, is reporting that the parent's website, jieshibaobao.com, has been attacked by "patriotic" hackers:

"A group of patriotic Chinese hackers have joined together to attack the website and force it down. They claim the website is illegal, posting photoshopped pictures and fabricating the condition of the patients. This casts a bad light on China’s period of prosperity and therefore, jieshibaobao.com has become the target of resentful patriotic youth."

Patriotic Chinese hackers attack website of melamine poisoned children

Egyptian Use of Socal Networks for Protest

2009-01-27T07:54:00.000-08:00

Last week, I posted on how Saudis were using social networking sites to protest when physical protests were limited. The New York Times ran a lengthy report on the same phenomenon in Egypt:

"Freedom of speech and the right to assemble are limited in Egypt, which since 1981 has been ruled by Mubarak’s National Democratic Party under a permanent state-of-emergency law. An estimated 18,000 Egyptians are imprisoned under the law, which allows the police to arrest people without charges, allows the government to ban political organizations and makes it illegal for more than five people to gather without a license from the government. Newspapers are monitored by the Ministry of Information and generally refrain from directly criticizing Mubarak. And so for young people in Egypt, Facebook, which allows users to speak freely to one another and encourages them to form groups, is irresistible as a platform not only for social interaction but also for dissent."

The article discusses how social networks (Facebook in particular) and blogging was used to protest and discuss various aspects of the Gaza conflict:

"In most countries in the Arab world, Facebook is now one of the 10 most-visited Web sites, and in Egypt it ranks third, after Google and Yahoo. About one in nine Egyptians has Internet access, and around 9 percent of that group are on Facebook — a total of almost 800,000 members. This month, hundreds of Egyptian Facebook members, in private homes and at Internet cafes, have set up Gaza-related “groups.” Most expressed hatred for Israel and the United States, but each one had its own focus. Some sought to coordinate humanitarian aid to Gaza, some criticized the Egyptian government, some criticized other Arab countries for blaming Egypt for the conflict and still others railed against Hamas."

The article then looks at internal protest within Egypt, in particular, the April 6 Youth Movement that attempted to organize a national strike in Egypt. The case study not only shows how social networks can be used for protest but that they are not risk free:

"[Facebook] ...members who identified themselves as government security agents joined the April 6 group, too, posting comments under the insignia of the Egyptian police, and as April 6 approached, the government issued a strong warning against participation in the strike."

Shortly after, the Facebook organizer, Esraa Rashid was arrested.

The popularity of Egyptian and other online protests has caught the attention of the U.S. State Department:

"State Department officials ... believe that social-networking software like Facebook’s has the potential to become a powerful pro-democracy tool. They pointed to recent developments in Saudi Arabia, where in November a Facebook group helped organize a national hunger strike against the kingdom’s imprisonment of political opponents, and in Colombia, where activists last February used Facebook to organize one of the largest protests ever held in that country, a nationwide series of demonstrations against the FARC insurgency."

Revolution, Facebook-Style

China Releases a White Paper on National Defense

2009-01-23T11:19:00.000-08:00

The Chinese government has released a white paper on their national defense strategy. The paper discusses information warfare and what the call the "informationizing" of the People's Liberation Army (PLA). The preface summarizes the cyber strategy:

"Conducting training in complex electromagnetic environments. The PLA is spreading basic knowledge of electromagnetic-spectrum and battlefield-electromagnetic environments, learning and mastering basic theories of information warfare, particularly electronic warfare. It is enhancing training on how to operate and use informationized weaponry and equipment, and command information systems. It is working on the informationizing of combined tactical training bases, and holding exercises in complex electromagnetic environments."

White paper on national defense published

Saudis Turn to the Internet for Protest

2009-01-23T10:24:00.000-08:00

The Middle East Online discusses the increase in protest blogging in Saudi Arabia and makes the case that part of the driving force in its popularity is due to Saudi limitations on other forms of physical protest:

"Since the police’s dispersal of a demonstration in support for Palestinians in Gaza with rubber bullets and tear gas last December in the east of Saudi Arabia, hundreds of blogs and forums have flourished on the Web to carry out jihad (holy war) against Israel and the "puppet" Arab regimes."

This ability to voice anger and decent online has increased use of the Internet within the Kingdom:

"Today, the kingdom - with a population of 28.14 million, including 5.57 million expatriates - is under the influence of “Internet fever”. With over 6.2 million users in 2007, Saudi Arabia has got the 37th largest number of Internet users in the world, according to statistics compiled on December 18, 2008 by the CIA.

"By heavily showing their anger on the Web, Saudis prove they are the most faithful (Muslims) to the Palestinian cause," wrote a Saudi blogger.

"So we avoid the demagogy of rowdy street demonstrations," he added."

The article gives several examples of the use of blogs and social networks to vent anger over the Gaza conflict such as:

"We are the promoters of the Electronic Intifada. Our supporters are no less numerous than the demonstrators on the streets. We put our expertise to the resistance, to denounce the war against Gaza and the Arab silence ... without red lines to prevent us from expressing our anger," said a Saudi on YouTube."

Barrage of fire in Gaza, online ‘intifada’ in Saudi

Al Jazeera Report on Isaeli-Palistinian Online Conflict

2009-01-23T10:14:00.000-08:00

Al Jazeera's English website has posted an analysis of the Israeli-Palestinian cyber conflict and provides a good summary of the classic pattern on online escalation:

"With the internet becoming a battleground of ideas, the average person, armed with a keyboard and an internet connection, became a participant in the conflict.

"On December 27, 2008, Israel launched 'Operation Cast Lead' against Hamas targets in the Gaza Strip. Within minutes of the first missile landing in Gaza, global reactions appeared online.

"During the first few days of the war, online discussions were restricted to war of words. Both sides engaged in heated debates and blamed each other for the fatal surge in military operations.

"As the discussions grew, attempts were then made by supporters of both sides to establish a coordinated response aimed at combatting [sic] the other side's propaganda."

Waging the web wars

Obama Adminstration Releases National Security Agenda Including Cyber Security

2009-01-23T09:46:00.000-08:00

The new Obama Administration has posted their strategy for national security on the White House website. The document specifies a number of agenda items including terrorism, nuclear weapons and... information security.

The agenda is broad and encompasses many areas of information security that historically have been neglected, drowned in red tape and infighting or handed over to technical PhDs that can't see beyond the length of an encryption key to develop "solutions" that can't be implemented.

It remains to be seen if the new Administration can implement real change. However, if even a few of these initiatives were properly implemented it would be a major step forward.

Here is the full text of the cyber security section:

"Protect Our Information Networks
"Barack Obama and Joe Biden -- working with private industry, the research community and our citizens -- will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America's competitive advantage, and advances our national and homeland security. They will:

Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.

Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age."

THE AGENDA • HOMELAND SECURITY

Information Security Makes GAO High Risk Report for the 12th Year

2009-01-23T09:28:00.000-08:00

The U.S. Government Accountability Office (GAO) has updated its list of governmental projects that are at risk "due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. GAO also identifies high-risk areas needing broad-based transformation to address major economy, efficiency, or effectiveness challenges."

Information security continues to make the list - for the 12th year. In the section titled: "Protecting the Federal Government’s Information Systems and the Nation’s Critical Infrastructures", the report makes note that the Department of Homeland Security (DHS) has made some progress but still falls short:

"Federal information security has been on GAO’s list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP [Critical Infrastructure Protection]. The continued risks to information systems include escalating and emerging threats; the ease of obtaining and using hacking tools; the steady advance in the sophistication of attack technology; and the emergence of new and more destructive attacks."

Specifically, the report refers to numerous detailed past GAO reports and summarizes several areas requiring attention:

"Since 2006, GAO has made numerous recommendations in the following key areas:
bolstering cyber analysis and warning capabilities.
reducing organizational inefficiencies.
completing actions identified during cyber exercises.
developing sector-specific plans that fully address all cyber-related criteria.
improving cyber security of infrastructure control systems.
strengthening DHS’s ability to help recover from Internet disruptions.
"Until these and other key cyber security areas are effectively addressed, the nation’s cyber critical infrastructure is at risk of increasing threats posed by terrorists, nation-states, and others."

HIGH-RISK SERIES: An Update

A Look at the Future of U.S. Cyberwar

2009-01-19T19:03:00.000-08:00

Aviation week takes a look at the future (and convergence) of cyber and other electronic warfare. Some of the more notable quotes from the article include:

"In a few years, the U.S. Army, Navy and Marine Corps expect to be delivering airborne electronic fires and cyber-attacks for ground troops with a fusion of radio battalions, EA-6B Prowlers, EA-18G Growlers and a range of UAVs."

"...As cyber- and electronic attack technologies emerge, it is becoming harder to distinguish between cyberwarfare, directed energy and electronic attack, intelligence gathering and information operations. Rationalization of all these elements also is complicated by shrinking manpower and funding."

"...However, researchers are worried that pieces of the digital puzzle are still missing - in particular, projection of new threats that foes may throw at the U.S."

Cyber-Attack Operations Near

Social Networks Becoming an Important Method of Online Protest

2009-01-14T09:37:00.000-08:00

The importance of social networking in online protest is becoming more apparent during the Israeli Palestinian conflict in Gaza. The use of various networks such as YouTube and Flickr allow both side to show and tell their story but it appears that Facebook is where the action is.

These social networks are used by individuals, groups and governments to convey their messages, rally support, solicit donations and organize physical protests.

"On Dec. 30, the Israeli consulate in New York conducted a news conference on the war entirely on Twitter, the social messaging site where users communicate in short, rapid-fire notes, or "tweets."
"As a chance to field questions from a world audience, the experiment succeeded, but with questions and answers limited by Twitter to 140 characters, it didn't exactly make for nuanced discussion, even when consulate staffers rewrote the abbreviations." - McClatchy

"The IDF itself has also begun an Internet effort, making use of YouTube and a blog to post official army videos and information about the situation in Gaza. ...its videos had been viewed over 750,000 times. " - The Jerusalem Post

There are even meta-protest sites that allow visitors to vote or pick which side they want to support:

"It doesn't get any simpler than www.israel-vs-palestine.com, where visitors can just pick sides. With nearly 500,000 votes cast, the race is a virtual tie, while the Web site's server is overloaded." - McClatchy

This isn't limited to the current Israel-Gaza conflict. Ukraine-vs-Russia.com allows people to voice their opinion on the gas standoff with the EU.

Online and traditional media are increasingly reporting not just the use of social networking but their effectiveness:

"More than 1,000 students and ethnic minorities swarmed the streets of Hong Kong Sunday responding to a Facebook call to march against Israel’s deadliest assault yet on impoverished Gaza." - Saudi Gazette

Traditional social networks are not the only places online protest is showing up. Virtual worlds such as Second Life are developing protest movements as well:

"Virtual worlds have been left mostly to their own devices and the picture is somewhat different with no overt ‘official’ presence from the Israeli government or Hamas. Both sides of the conflict are therefore, represented in Second Life by, Second Life Israel and the Palestinian Holocaust Memorial Museum (slurl) hosted by the IslamOnline site. Second Life Israel (slurl) has been the focus of some limited protest within Second Life, while the Palestinian Holocaust Memorial Museum is much more of an information hub." - MetaSecurity

In fact, the issue of security and protest in virtual worlds now has its own blog, MetaSecurity.net which states its purpose as:

"... a blog that seeks to explore ideas relating to the security implications of virtual communities. The blog will post articles and commentary relating to security events in this rapidly growing sector. Specific topics include:

Fraud
Money Laundering
Inworld criminal activity
Legal responses
Inworld extremist acvivity
Software Security"

The introduction of social networks and virtual worlds has increased the relevance of online protest but the importance of the media in furthering online political causes is not new and was seen in the 1980s and 1990s:

"Politically motivated computer crime differs from traditional “hacking” in that the target is chosen - and the attack is designed - to effect a change in the behavior or activity of the victim. Therefore, a cyber attack, in isolation, most likely will not accomplish the goal of the attacker. It is for this reason that politically motivated cyber attacks are often combined with extensive public relation campaigns." - Politically Motivated Computer Crime and Hacktivism

It is obvious that this activity will evolve quickly. As the effectiveness of these types of protests increase, I'm sure we will see an increase in attempts to censor or block them. We're not in Kansas anymore...

Some other media quotes related to social network protest movements:

"As soon as Operation Cast Lead began to take shape just over a week ago, Dan Peguine started the program QassamCount, a system that updates users' statuses on Facebook with the number of Kassams that hit Israel.

"Within the first three days, 10,000 people had donated their statuses to the cause.
"Peguine first started a program counting Kassams about a week before the operation in Gaza began. He used Twitter, which sends users' statuses to all their "followers," to help people understand how often rockets hit the South" - The Jerusalem Post

"An enormous number of people around the world are using blogs, YouTube and social networking sites such as Facebook and Twitter to register their support or opposition to the war. Thousands of images — from Palestinians under siege in Gaza to Israeli neighborhoods that have been hit by Hamas rocket attacks — have filled photo-sharing sites such as Flickr and Picasa."

"So how are young people protesting the conflict in Gaza through Facebook? Well, in many, and often time creative ways, such as through status messages, notes, and most significantly through the formation of groups. Some of the groups that have been created in response to the airstrikes include, “Stop Israeli attacks on Gaza,” “Gaza is bleeding,” “Prayers for Gaza People,” and “Let’s collect 50,000 signatures to support the Palestinians in Gaza.” - The Examiner

Gaza War's New Front: Facebook (Wired Magazine)
Social networking boost for Gazans (Saudi Gazette)
Gaza war also being waged in cyberspace (McClathy)
Twitter, Facebook users show solidarity with QassamCount (The Jerusalem Post)
Gaza, Information War and Second Life (MetaSecurity)
Increased Use of Social Networks in Protests (PoliticalHacking)
Politically Motivated Computer Crime and Hacktivism

Online Attacks against Anti-War Group

2009-01-14T09:23:00.000-08:00

The U.K. based anti-war group, "Stop the War", claims its website, Facebook and YouTube sites are being disrupted:

"Stop the War believes pro-Israeli groups could be behind the internet campaign, although a spokesman admitted it had no proof this was the case.
"A spokesman said of the cyber-war it was facing: "It's a well-known tactic. The same thing happened to us before our anti-Iraq war protests in 2003. We obviously can't prove any connection but the timing would suggest that it's a supporter of Israel."
"The spokesman told The Independent: "At the same time that our website was under attack, a number of videos went up on YouTube which claimed the demonstration had been cancelled. Someone posted notices on our Facebook groups saying the same thing."

Stop the War's website 'disabled by pro-Israeli hackers'

Timing Chinese Attacks?

2009-01-13T00:50:00.000-08:00

With all the news, speculation and hysteria concerning cyber attacks from China, it would be great if we could predict when the "next big attack" will occur. Well, the Dark Visitor has provided just such an analysis and a 2009 calender to help get ready!

The conclusion:

"That’s right! [Chinese] Off days, holidays and late at night are the perfect time to cyber mobilize a massive number of people for a “Cyber People’s War”."

The perfect time for a massive Chinese cyber attack

Online Propaganda Explodes during Gaza Strip Conflict

2009-01-13T00:33:00.000-08:00

Propaganda has always been a part of any conflict and the Israeli-Palestinian war is no exception. The Internet just makes dissemination faster, easier and to a wider audience than ever before.

The manipulation of video and other media is easier as well:

"As the Israeli military spokesman Major Avital Leibovich said, explaining why Israel had set up a YouTube page: "The Blogosphere and the new media are basically a war zone [in a battle for world opinion]."

"It is fitting, then, that the famous first casualty of war - truth - should have been so swiftly slain and laid to rest online.
"This month, both sides have posted hoax stories and misleading videos in order to demonise their opponents."

The article provides several examples.

Gaza propaganda war escalates on the internet

Radio Station Attacked by Jihadist Supporters

2009-01-12T09:59:00.000-08:00

A U.K. radio station's website was defaced by Jihadist sympathizers in apparent support for Ahmed Al-Qahtani (who is suspected of involvement in the 9/11 attacks). The radio station also believes the attack may have been in retaliation for some of the Christmas music they had recently played.

"The site was compromised on Monday morning and again on Wednesday. The hijacker used the name ‘Soldier of Allah’ and ‘M03sl3m H4ck3rs’ - or Muslim Hackers written with numbers.

"The message warned: ‘Whoever thinks of insulting Islam or Muslims will suffer the same fate.

‘We are the nightmare of western websites in the cyber war.’

"The hackers claim they are defending Islam from harassment by America, Israel and Denmark."

Radio hijacked by Muslims as they are offended Cliff Richards halleluiah

NATO and US Army Systems Targeted by Palistinian Supports

2009-01-12T09:49:00.000-08:00

Supports of Palestine have defaced several US Army, NATO and UN websites in the continuing escalation of cyber attacks related to the current situation in the Gaza Strip:

"Four websites belonging to the United States Army's Military District of Washington... have been defaced by a Turkish hacker affiliated with a group called “Peace Crew.” The attacker, who identified himself as Agd_Scorp, has posted threatening messages in English. “Stop attacks u Israel and USA! You cursed nations! One day Muslims will clean the world from you!,” the pages displayed.

"The website of the Joint Force Headquarters, National Capital Region... of the Northern Command has also been defaced by Agd_Scorp, and the same message has been posted along with the image of a Palestinian throwing a rock at a tank. In addition, the same attacker also hacked the websites of the NATO Parliamentary Assembly... and UNICEF Italy, in order to express his support for Palestine."

Palestinian Supporters Hack NATO and U.S. Army Sites

Botnet Set Up to Support Israel in Conflict

2009-01-12T09:39:00.000-08:00

A group of Israeli supporters have set up a web site to download code to create a botnet allowing denial-of-service attacks against Palestinian targets. It appears to be modeled after a similar system used by Russian sympathizers during the Georgian conflict.

"Installing this program onto a computer will turn it into a drone, and will place it at the disposal of the hacktivists. What differentiates this tool from regular malware is that the installation is performed voluntarily by individuals who sympathize with Israel's efforts.

“Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are,” the website set up by the group reads. The hackers included an uninstaller for the application and vowed to dismantle the botnet, once the conflict in Gaza Strip is over."

Botnet Tool to Support Israel's Offensive: End-users willingly turn their computers into zombies

U.K. Police Can Compromise Computer Systems without a Warrant

2009-01-06T15:08:00.000-08:00

The U.K. Home Office has adopted plans to allow investigators to remotely search computers without a court order. The reports to date do not discuss the legal issues of using these techniques outside of the U.K.:

"Even though remote searching has existed in Britain since the '90s, when it was introduced as an amendment to the Computer Misuse Act, it has rarely been used until now and has been strictly controlled under the Regulation of Investigatory Powers Act. According to the new proposal, police forces or MI5 agents will be able to conduct such intrusive surveillance based merely on the decision of a senior officer that it is “proportionate” and necessary to the investigation of an offense that is punishable with a minimum sentence of three years in jail.

"In order to conduct the remote searching, the police will be able to act much like the cyber-criminals do, by developing malicious code, distributing the spyware via e-mail attachments, installing keylogging software or intercepting WLAN traffic. "

British Police Can Hack Computers Without Requiring Court-Issued Warrants

More Attacks on Israeli Websites

2009-01-05T08:30:00.000-08:00

As expected, more reports of web defacements related to the Israeli-Palestinian conflict are coming in. Current estimate is around 10,000 websites have been attacked worldwide.

"The defacements have primarily affected small businesses and vanity Web pages hosted on Israel's .il Internet domain space. One such site was that of Israel's Galoz Electronics Ltd. On Wednesday, the hacked Web site read "RitualistaS GrouP Hacked your System!!! The world isn't insurance!!! For a better world."
"Other attackers have placed more incendiary messages condemning the U.S. and Israel and adding graphic photographs of the violence."

We should expect this trend to escalate as events on the ground continue.

With Gaza Conflict, Cyberattacks Come Too

Tunisia Bloggers Protest Government Censorship

2009-01-05T08:21:00.000-08:00

Bloggers in Tunisia are debating an online protest against government censorship. The campaign known in English as Action Post Blank called for bloggers to only post a protest graphic on their website.

The article also discusses online action by the Tunisian government to censor websites:

"Numerous bloggers complained in 2008 of intrusions and blockages of websites by the Tunisian Internet Agency (ATI). Many Tunisians also accuse ATI of supporting bans on a number of popular websites. It was this issue that prompted journalist Ziad El Heni to file a lawsuit against the agency, accusing it of blocking the social networking website Facebook before it was re-opened last August based on an order from the President."

Online censorship protest turns into debate among Tunisian bloggers

Politically Motivated Computer Crime and Hacktivism

Cyber Terrorism

Recommended: Internet Use in Ukraine's Orange Revolution

North Korea Not Believed to Be Responible for 2009 Attacks

Applying International Law to Cyber Space

Increased Espionage against US Defense Contractors

Recommended Reading: Shadows in the Cloud

North Korea Develops Its Own Operating System Aimed at User Monitoring

Fine Line between Criminal Activity and National Security

U.K. Internet Cafes Asked to Monitor Web Usage for Terrorism

Increasing Use of the Internet by Terrorist Groups

Report: Internet Controls Violate Human Rights

Law Firms Increasingly the Victims of Espionage

Political Cyber Crimes Growing

NATO Facing Increased Cyber Threats

Germany Suspends Communication Data Retention Law

Political Motivation Behind Google Ruling in Italy?

In a Cyberwar, US Would Lose

Hacktivists Attack Australian Government Systems

US Faces "Significant" Threat from Cyber Espionage

Wide Ranging Espionage by China in Britian

Analyzing the Google Attacks - Plenty of Room for Mistakes

Attack on London Based Jewish Website

Indian National Security Advisor Believes Cyber Attacks Originated from China

Attempted Cyberattack on Law Firm that Sued China

Google Throws Down the Gauntlet to China - Maybe

Belarus to Implement Controls over Internet

Isaeli Chief of Military Intelligence Comments on Cyberwar

U.S. Predator Drones Compromised

Importance of the Internet for Opposition Groups in Iran

International Telecommunications Union (ITU) Focus on Cybersecurity

Russian FSB Arrests for Dagestan Intrusions

Attack Aimed at Foreign Journalists in China

Singapore Creates Agency to Protect against IT Threats

Changes to India's Cybercrime Laws

Report on Georgian Cyber Attacks

Analysis of Report on Power Grid Intrusions

Does China have "Exploit Factories" to Discover Vulnerabilities?

U.S. Electrical Grid Intrusions

Indian Political Party Calls for Cyber Warfare Preparations

Intercept Modernisation Programme to Include Social Networks

Famous Last Words

U.K. Intelligence Fears Chinese Made Telecommunication Systems

GhostNet: Massive Spy Network Uncovered

Dealing with Online Hate Speech

Cat and Mouse: Social Networks Help Protesters and Police

Canada Sees Cyber Security As Top National Security Concern

UN Concern over "Cyber Weapons"

U.S. Legal Issues on Cyber War

Religious Cyber Wars on Facebook

Militarizing Cyberspace

"Political Hacking" Is a Growing Trend

Recommended Reading: Combating Extremists Online

Recommended Reading: Internet Radicalization by Extremists in Southeast Asia

California May Censor Google Earth

Internet Censorship in the Middle East

Online Communication of Operations by Terrorists

Use of Technology by Terrorists Targeting India

Political Motivation Still Top Motive for Web Defacement

A New Military Branch for Cyber Warfare?

Russian Consulate Website Attacked to Protest Sinking of Ship

Azerbaijan Cellular Website Attacked from Iran

New Arrest in Indymedia Investigation in the U.K.

DNI: Cyber Security a Top U.S. National Security Issue

Recommended: Detailed Report on the State of Network and Information Security in Europe

Chinese Cyber Attacks Back in the News

More 'Political Hacking' in India

"Cyber War" to Protect Sharia Law?

Why Are There No Internet Terrorist Attacks?

Indian Summary of Davos Discussions

Guessing at the Source of Cyber Attacks

NATO Officers Targeted by Trojan Code

Convergence of Electronic and Network Warfare

Thailand Struggles with Internet Content

Social Networks Limit Undercover Work

Cyber Security Is a National Security Problem for the United States

Europe Needs More Work on Cyber Defense

Indymedia Server Seized - A Lesson in Network Resilience

Turkish "Hacker" Spied for PKK

World Economic Forum Short on Answers to Cyber Warfare and Computer Crime