T3H Blog

Blog by Ecaps Rebyc

Advanced Persistent Threat (APT): the new FUD in the industry

2010/03/29

According to the new Fear, Uncertainty, and Doubt (FUD) mill, APT is apparently the work of skilled professional teams (often working in relays). As the name implies, it is a very skilled long-term siege of a network and its computer systems. The attack is carried out slowly and carefully; the stealthy approach is meant to avoid triggering any IPS/IDS alerts or being detected during internal pen tests, vulnerability scans, and log reviews at the target.

Based on the scale and logistics of the detected (known) APT operations, these professionals are more likely state- or terrorist-organization-sponsored. However, I would be surprised if some operations were not backed by well-funded organized crime organizations. (For an organized crime organization, APT would be part of a long-term business plan with clear ROI.)

According to people knowledgeable about this, the APT teams' aim is to compromise networks and systems to gain access to information and to set things up so that they can keep coming back. According to the media, what makes APT frightful is that, regardless of the countermeasures put in place to thwart attacks, these people have the resources and knowledge to work around those countermeasures.

As I have been saying, systems infiltration has been, is, and will be around for a long time – granted, many of them are rooted in old programmes like the AUSCANZUKUS signals intelligence (SIGINT) collection and analysis network Echelon and have evolved (or is it intelligently designed?) into “Dynamically Unique Metrics Based Analysis for Secure Systems” or DUMBASS programmes. It is not surprising that Cold War era methodology to steal state and defence secrets would find its way into the hands of those seeking financial gains from financial institutions, e-commerce retailers, or just about anyone with a cyberspace presence.

The uncomfortable, inconvenient truth is that in most organizations with a cyberspace presence, top management is more concerned with their take-home package than with the cyber security of their ICT infrastructure; the people in charge of the ICT infrastructure are busy making life easier for themselves; and the general population (users) just could not be bothered with having to jump through a few simple hoops to avoid oops. (Biometrics, encrypted data (like EFS), mandatory UTM, opt-in intelligence-agency-supported blacklists, etc.)

Security is always an afterthought, like condoms! Therefore, DUMBASS programmes to redistribute wealth, knowledge, and anything else of value will flourish – my only astonishment is that we learn very little but new rhetoric and acronyms from our security lapses…

References:

Wired: The Advanced Persistent Threat Attack

TMCNet: Espionage via APT or Advanced Persistent Threat Widespread

SCMA Magazine: State of the Hack – Addressing the Advanced Persistent Threat

ZDNet: Advanced Persistent Threats: Should your panties be in a bunch, and how do you un-bunch them?

(And lots more…)

DUMBASS reference from AEON Security Blog

Categories: General
Tags: APT, Biometrics, blacklist, DUMBASS, Echelon, EFS, FUD, IDS, intelligence agencies, IPS, SigInt, UTM

Thanks To Google, Baidu Share Price Tops $600+ For First Time Ever (March 26, 2010)

2010/03/28

With Google gone, Baidu rules China, and with a little effort it can easily gain substantial market share around Asia.

What can I say but thank you Google. :-)

Categories: General
Tags: Baidu, Google

ברומא התנהג כרומאי (Be’Roma hitnaheg ke’Roma’i)

2010/03/28

News media reports describe the praise coming from every possible opinionated quarter about Google’s recent decision to end government-induced censorship of its search results and pull out of China.

Hey, wake up! Google’s actions in China are purely self-serving – the pretentious Googlelites could not get things their way, so they had a tantrum, took their toys, and went home – boohoo!

Google commonly censors and/or alters search results to comply with many countries’ laws or government requests (e.g., Germany and France: Nazi memorabilia, anti-Semitic statements, etc.) – yet we do not hear of Google breaking laws or threatening to pull out there, nor any political drivel about Google’s “remarkable, historic and welcomed action.”

Simply put, Google found itself in a market it could not dominate or adequately compete in, and where it would likely lose money – so it moved on.

I am not a fan of censorship of any kind, but let us face it: cyberspace is a wild frontier that chafes politicians and nationalists everywhere – people incapable of imagining a self-regulated space with no need of their controls. Their psychosis, which normally ensures that their mouth gets in gear before their brain gets anywhere near it, and their need to control lead to some form or another of suppression to satisfy their delusions of persecution.

(If you want to read more about Internet-censoring countries, start here.)

As for the hacking (by governments) – well folks, welcome to the ‘big brother’ factor, which goes tongue and groove with paranoia and small-minded politicians and nationalists! (By criminals) Well, the Internet is big business for many organizations and easy pickings for criminals. The Internet will never be 100% safe; we just have to learn to protect ourselves better.

(One would not walk into a dark alley in a seedy neighbourhood alone or step onto a battlefield naked… common sense is the key phrase here.)

In addition, there is no reason to condemn Microsoft and others for staying and abiding by Chinese laws, just as they do elsewhere.

As the old Hebraic proverb says – ברומא התנהג כרומאי (In Rome, act like a Roman).

What Google should have done is stay in China and use some of its googleions to support projects like these, which advance cyberspace freedom and choice:

The Information Warfare Monitor: a joint project of the Citizen Lab and the SecDev Group (Ottawa, Ontario). The aim of the Information Warfare Monitor is to monitor and analyze the exercise of power in cyberspace.

The OpenNet Initiative: a partnership with The Berkman Center for Internet & Society at Harvard Law School and The SecDev Group. The aim of the ONI is to document patterns of Internet censorship and surveillance worldwide.

OpenNet.Asia: the aim of OpenNet.Asia is to engage academic, policy, and civil society stakeholders in each of the countries of the regions concerned by surveillance and censorship, to build institutional capacity and networked resources to conduct research and public policy advocacy around those issues.

PsiLab: a joint activity of the Citizen Lab and Psiphon, oriented around advanced research of circumvention technologies, threat analysis, and the consideration of political and legal issues surrounding their use in denied environments.

Categories: General
Tags: China, Google

Shaoxing, Zhejiang, China

2010/03/28

If the People and Soldiers Unite as One, All Enemies Under Heaven Will Disappear

MessageLabs Intelligence identified the number one source of malicious emails – Shaoxing, Zhejiang province, in eastern China. Shaoxing is the birthplace of the pragmatic Zhou Enlai (周恩来) and the location of a Third Department training and operations facility.

In its March 2010 report, MessageLabs Intelligence traced 12 billion emails and found that almost 30 per cent of malicious emails were sent from China and 21.3 per cent came from the city of Shaoxing. They said key targets for the hackers were experts in Asian defense policy and human rights activists, suggesting state involvement.

Cyber-espionage uses emails sent in small volumes with legitimate-looking attachments or documents to fool the user into letting malicious code infect their computer. According to the report, “The ultimate aim . . . is to gain access to sensitive data or internal systems by targeting specific individuals or companies.”

Researchers succeeded in tracing individual computer registration numbers to find the true source of the attacks. Previously hackers in China had been able to camouflage themselves behind servers in Taiwan and Hong Kong.

The findings show China was the source of 28.2 per cent of global targeted attacks. It was followed by Romania with 21.1 per cent, presumed to be mostly attempts at commercial fraud. The US was third, followed by Taiwan and then Britain, with 12 per cent of attacks.

China is improving its SIGINT and IMINT capabilities while continuing to use its HUMINT collection to advance its economic position globally. Through the Third Department of the General Staff Department of the Central Military Commission, the national agency responsible for managing China’s strategic SIGINT programme, China continues to modernize its intelligence-gathering capabilities to obtain access to advanced technologies and gain economic advantages.

Its SIGINT efforts are an integral part of a multipronged approach to intelligence gathering, alongside open-source information gathered through its HUMINT activities – using students and businesspeople scattered around the globe, scientific researchers on exchanges, attendees at conferences and seminars worldwide, and the New China News Agency – to gather tidbits of intelligence. China is demonstrating that it knows where to focus its efforts to gain economic advantage while keeping its INT well exercised for other activities.

Categories: Technology
Tags: China, HUMINT, IMINT, intelligence, MessageLabs, Shaoxing, SigInt, Third Department

…though poppies grow

2010/03/25

NATO will have to look the other way if they want local support; as someone at the Strategic Advisory Group quipped, “we don’t trample the livelihood of those we’re trying to win over” – thus postponing eradication. That will not sit well with many drug enforcement agencies around the globe, especially in the EU, the UK, and the US (the by-products’ marketplaces).

So, to ease the dilemma that the poppy fields will likely generate much-needed revenues for the Taliban, the SAG should be planning realistic replacement crops and/or industries instead of just ignoring this conundrum until it is OK to start eradication again (after they, unlikely as it is, win the hearts and minds of the offending farmers) – kind of like disinfecting a wound after you have stitched it. It may be simpler to connect the Afghans with an extended NAOMI study (North American Opiate Medication Initiative), where heroin-assisted therapy benefits people suffering from chronic disease.

Another option would be for governments to purchase the harvest outright from Afghan opium poppy farmers – the price at the start of the supply chain is certainly affordable when compared to the cost of suppression at the street end (opium and heroin); this would keep all things in balance in Afghanistan.

Personally, I always thought of poppies as commemorating the sacrifices of members of the armed forces and of civilians in times of war – at the end of the day it is better to turn a blind eye so that Afghanistan’s poppy fields do not give rise to another poem like Lieutenant Colonel John McCrae’s In Flanders Fields…

Reference:

http://www.nytimes.com/2010/03/21/world/asia/21marja.html?scp=1&sq=poppy%20field&st=cse

Categories: General
Tags: afghanistan, NAOMI, opium poppy

Casus belli

2010/03/23

Here is a very scary thought – some fool (or fools) has charged the U.S. Department of Justice’s lawyers with determining what constitutes an act of war during a cyber attack. No matter how smart these government lawyers are (or the fool in question thinks they are), leaving the definition of casus belli to any government lawyers, but especially those of a warmongering nation, is just a guaranteed war looking for an excuse…

Reference:

http://bbvm.wordpress.com/2010/02/21/justice-lawyers-try-to-define-cyber-war/

Categories: Technology
Tags: cyber war, warfare

Saudi wants to control BBM messages

2010/03/15

The Saudi Communication and Internet Technology Commission (CITC) has reportedly contacted Canada’s Research in Motion (RIM) seeking to have access to and monitor communications by BlackBerry Messenger, known as BBM.

Another demonstration of many ‘conservative’ governments’ paranoiac need to control all information flow… or maybe they want to keep better tabs on their Al Qaeda membership!

http://www.google.com/hostednews/afp/article/ALeqM5i7NxlHItbx2fl-LqFf9SAqD9c1QA

Again, this is no big deal; most Middle East (ME) and many Asian countries monitor and/or keep copies of text messages (SMS, emails, tweets, etc.) – as demonstrated when two Emirates airline cabin crew were ordered jailed for three months in Dubai over sexually explicit text messages. Of course, the loudest complaints against this practice come from the U.S.A. – where one recalls that the U.S. government, with assistance from major telecommunications carriers including AT&T, engaged in a massive programme of surveillance of the domestic communications and communications records of millions of ordinary Americans (people).

References:

http://www.canada.com/technology/story.html?id=2695216 – Emirates airline crew members face jail over sexual text messages

http://www.eff.org/issues/nsa-spying – NSA Spying

Categories: Technology
Tags: Al Qaeda, BBM, BlackBerry, RIM, Saudi Arabia

Professor Ronald Deibert writes on China and cyberspace

2010/03/15

China is among the world’s most dynamic countries when it comes to information and communication technology research, development and consumer use. It is now the world’s largest national Internet population. China is also the world’s most pervasive filterer of Internet content, engages in widespread electronic surveillance, and has been suspected of global cyber-espionage against adversaries abroad. This paper draws upon the experiences of several Canadian-based research and development projects that focus directly upon (and confront) China’s cyberspace control strategy to map out its main features and discuss the challenges they present for Canada (and by extension many others).

The main part of the paper provides an overview of China’s content filtering, surveillance and information warfare policies and practices. This overview is followed by a consideration of issues for Canada. Like many other countries, Canada depends on economic exchange with China and is home to a large and growing Chinese Diaspora community that can be vocal critics of China’s human rights policies. Canada is also the home of some of the leading research and development projects on Internet censorship, surveillance and information warfare that, at times, are antagonistically linked to China. The conclusion considers some of the challenges and opportunities for Canadian interests and presents three recommendations for Canadian policy.

Dr Deibert’s paper is a good and timely read.

http://www.canadianinternationalcouncil.org/download/resourcece/archives/chinapapers/chinapapersno7deibertpdf?attachment=1

Dr Deibert is Director of The Citizen Lab, Munk Centre for International Studies, University of Toronto. His academic website at http://deibert.citizenlab.org/ is a great source of knowledge.

Categories: Technology
Tags: China, Cyberspace, Ronald Deibert

Cybercrime booming, you can take that to the bank…

2010/03/15

Law enforcement agencies and cybersecurity experts have warned that they have seen a significant increase in bank fraud attacks targeting small and mid-sized organizations. Attackers prefer organizations that use small regional banks, since these most likely do not have adequate security measures in place. The current increase involves automated clearinghouse (ACH) transfers that can be processed overnight. Attackers typically send targeted phishing emails that install keyloggers, Trojans, and/or other malware that can harvest victims’ credentials to initiate transfers (hops) over the weekend or overnight.

Typically, using the stolen credentials of people authorized to manage bank accounts, the attackers initiate a string of transfers (hops) to a final destination where the funds can be withdrawn soonest (cashed in). Even if the bank manages to trace the transfers, there are simply no funds left to recover.
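The pattern described above (a session from an unfamiliar host, a run of first-time payees, transfers kicked off overnight or over the weekend) is something a bank's own fraud monitoring can screen for. The Python below is an added illustration, not code from the original post nor from any bank or vendor named on this page: it runs a few plain rules over a constructed list of outbound ACH events and an assumed per-account baseline profile. The event fields, the business-hours window, the 15-minute burst window, the account limit and the sample addresses are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound ACH transfer events (hypothetical, not real bank data).
# Tuple fields: ISO timestamp, account id, source IP of the online-banking session,
# payee id, amount. The three 02:xx Saturday events mimic the overnight/weekend
# pattern described in the post.
SAMPLE_TRANSFERS = [
    ("2010-03-10T10:15:00", "acct-payroll", "203.0.113.10", "payee-rent",   4200.00),
    ("2010-03-11T14:40:00", "acct-payroll", "203.0.113.10", "payee-vendor", 1800.00),
    ("2010-03-13T02:05:00", "acct-payroll", "198.51.100.7", "payee-new-1",  9800.00),
    ("2010-03-13T02:09:00", "acct-payroll", "198.51.100.7", "payee-new-2",  9700.00),
    ("2010-03-13T02:14:00", "acct-payroll", "198.51.100.7", "payee-new-3",  9600.00),
    ("2010-03-15T09:30:00", "acct-payroll", "203.0.113.10", "payee-vendor", 2100.00),
]

# Assumed policy values for the example.
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, Monday to Friday
BURST_WINDOW = timedelta(minutes=15)   # BURST_COUNT new payees inside this window is a burst
BURST_COUNT = 3


def build_profile():
    """Assumed baseline for the account: known session addresses, known payees
    and a per-transfer limit, as a fraud system might learn from past history."""
    return {
        "acct-payroll": {
            "ips": {"203.0.113.10"},
            "payees": {"payee-rent", "payee-vendor"},
            "limit": 5000.00,
        }
    }


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def flag_transfers(events, profile):
    """Return {event_index: [reasons]} for every event matching at least one rule."""
    flagged = {}
    new_payee_log = defaultdict(list)  # account -> [(timestamp, event index)]
    for i, (ts_text, account, src_ip, payee, amount) in enumerate(events):
        ts = parse_ts(ts_text)
        known = profile.setdefault(
            account, {"ips": set(), "payees": set(), "limit": float("inf")})
        reasons = set()
        if off_hours(ts):
            reasons.add("off_hours")
        if src_ip not in known["ips"]:
            reasons.add("new_source_ip")
        if amount > known["limit"]:
            reasons.add("over_limit")
        if payee not in known["payees"]:
            reasons.add("new_payee")
            new_payee_log[account].append((ts, i))
            recent = [j for t, j in new_payee_log[account] if ts - t <= BURST_WINDOW]
            if len(recent) >= BURST_COUNT:
                # A run of first-time payees in quick succession: the "string of hops".
                # Earlier events in the window are flagged retroactively.
                for j in recent:
                    flagged.setdefault(j, set()).add("burst_new_payees")
        if reasons:
            flagged.setdefault(i, set()).update(reasons)
        else:
            # Only clean activity extends the baseline, so a flagged login from an
            # unfamiliar host never whitelists that host for later transfers.
            known["ips"].add(src_ip)
            known["payees"].add(payee)
    return {i: sorted(r) for i, r in flagged.items()}


def run_sample():
    return flag_transfers(SAMPLE_TRANSFERS, build_profile())


if __name__ == "__main__":
    for idx, reasons in sorted(run_sample().items()):
        ts, account, src_ip, payee, amount = SAMPLE_TRANSFERS[idx]
        print(f"{ts} {account} {src_ip} -> {payee} {amount:.2f}: {', '.join(reasons)}")
```

Each rule on its own produces false positives (a treasurer working late, a genuinely new supplier); the value is in stacking them and in holding the transfer for a second, out-of-band approval when several fire at once, which is the one step that still works after the user's password and session have been captured by a keylogger.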

This trend will certainly continue to increase as banks keep encouraging their clients to go online – online banking saves banks significant cost of doing business and in most cases actually shows real revenue. Unfortunately, too many banks fail to devote any portion of their new-found ROI to realistic security measures, including employee and client education; this is compounded by the simply pitiable security measures taken by the majority of their online banking clients.

Online account fraud is a multi-billion euro business – simply too good a revenue stream for criminals not to invest effort and money in.

http://uk.finance.yahoo.com/news/online-bank-fraud-doubles-in-two-years-tele-3f0e4cea61be.html?x=0

http://www.compareprepaid.co.uk/cards/videos/03/2010/bank-fraud-on-the-rise/

Categories: Technology
Tags: Cybercrime, fraud, online banking

China MOD Website attacked (and why not)

2010/03/15

According to numerous media sources, malfeasants attacked the Chinese Ministry of Defense’s English website [http://eng.mod.gov.cn], launched last August, more than 2.3 million times in its first month.

Experts say that it has been averaging nearly a million attacks a month since going online, without any incident (success) to date. The ministry deflected all the attacks with its security measures in place (FW, WAF, IDS, EB1, etc.). However, I doubt very much that the MOD would tell anyone if it were hacked!

Note: According to the MOD, it had over 3.1 billion page views to date (first six months).

http://www.reuters.com/article/idUSTRE5AI0SP20091119

http://english.peopledaily.com.cn/90001/90776/90786/6816970.html

http://www.dailytech.com/China+Defense+Ministry+Targeted+by+Cyber+Attacks+2+Million+Times/article16891.htm

http://www.chinadaily.com.cn/china/2009-11/18/content_8995678.htm

http://www.digitaltrends.com/computing/china-defense-ministry-targeted-by-mass-cyber-attacks/

http://www.physorg.com/news177759440.html

http://www.networkworld.com/news/2009/111809-china-defense-ministry-site-fends.html

Categories: Technology
Tags: China, cyber attack, MOD

Voluntary Breach Disclosure (cyber attack)

2010/03/09

Just about anyone involved with cyber security in this region knows that hundreds of servers operated by local governments in Japan are vulnerable to cyber-attacks, and that most entities are failing to take countermeasures.

A report by the Japanese Local Authorities Systems Development Center describes how servers managed by nearly 200 prefectural and municipal governments across Japan (and likely national-level ministries), and other government-affiliated organizations, can easily be compromised.

About 1,400 local entities – mainly prefectural and municipal governments – belong to the center, a foundation operated under the jurisdiction of the Internal Affairs and Communications Ministry. Each year, it surveys these local entities regarding server safety and other matters. However, until now it has never publicly released information on how local governments manage their servers.

In fiscal 2008, the center investigated 3,467 servers operated by 647 local entities. The result showed that 193 entities, or 30 percent of those investigated, continue to use problematic servers.

Of these entities, 70 had so many server-related problems the center concluded they needed to urgently improve their operational environments.

The 495 servers contain residents’ personal information but use an old cryptographic system in which defects were detected more than a decade ago.

Furthermore, 27 servers loaded with basic software are still being used without updated security measures after the support period provided by a software company expired more than five years ago.

In both cases, the center pointed out that the use of such servers was problematic.

According to a post-survey questionnaire, despite being fully aware that local residents’ personal information could be leaked, 54 of the entities with security problems said they had no plans to improve their operational environments, with some saying they could not afford to do so, while others said the matter was of no importance (the latter being my all-time favourite, having heard it so often over the last 10 years).

Elsewhere, many governments (Australia, Canada, New Zealand, the United States) are trying to establish voluntary breach disclosure regulations. Currently there is no common way for organizations to safely and confidentially share data about attacks they suffer, nor is there necessarily much incentive to do so.

Aside from the obvious privacy concerns and worries about damage to their public image in the event of a publicly disclosed hack, many organizations have reservations about sharing their breach information with law enforcement because it is often more of a one-way street than an information-sharing arrangement. They supply their attack information to the authorities and more often than not never hear back from them.

But that soon could change, at least in the United States. FBI director Robert Mueller last week in a keynote address at the RSA Conference 2010 said while today it’s the exception rather than the rule for organizations to report cyber-attacks to the bureau, he promised some big changes that could allay privacy concerns. “We will minimize the disruption to your business. We will safeguard your privacy and your data. Where necessary, we will seek protective orders to preserve trade secrets and business confidentiality. And we will share with you what we can, as quickly as we can, about the means and methods of attack,” Mueller told attendees.

Well, that would be a definite step in the right direction and an impetus for others to follow.

Source: Voluntary Breach Disclosure Rare But Valuable by Kelly Jackson Higgins, Dark Reading

Categories: Technology
Tags: cyber attack, Cybersecurity, voluntary breach disclosure

Discipline

2010/03/09

Recently I travelled to Kuala Lumpur, Singapore, and Jakarta. In KL I attended a cyber security seminar – interestingly enough, the so-called ‘emerging’ economies are doing somewhat better overall than the ‘advanced’ economies with respect to security; I gather it comes from less legacy baggage and the benefit of years of experimenting by the older countries (in terms of cyberspace).

As for Singapore, in the last year I was in SIN 14 times, but this was my first time downtown in a long while. Given a free weekend, I walked about town and even managed to find nature among all that concrete.

In Jakarta, time was precious and rain abundant – it being the rainy season. Nevertheless, some of my local colleagues took time to drive me about town on an overcast, but rain-free, Sunday. I took in the sites (or was it sights?) and a few pictures. The highlight of the day was being mobbed by munchkins while visiting a museum.

PS. On blogging: it is not so much a matter of not having the time as of not having the discipline to blog in a consistent manner, sorry.

Categories: Travels
Tags: Jakarta, Kuala Lumpur, Singapore
