T3H Blog

Blog by Ecaps Rebyc
    • Dr Jean-Guy Rioux, Jr. CD CGEIT QSA SMS

Harbinger of things to come

2010/04/06

The Canadian Information Warfare Monitor released two great reports related to cyberspace espionage and crime: Tracking GhostNet: Investigating a Cyber Espionage Network and Shadows in the Cloud: An investigation into cyber espionage 2.0.

The reports document a complex ecosystem of cyber espionage and crime that systematically targets and compromises computer systems around the world (Afghanistan, India, Russia, all the way to Zimbabwe), and organizations (an alphabet soup of acronyms from the U.N. to NATO, and lots of NGOs). The reports point out an ever-enlarging ecosystem of crime and espionage taking root in cyberspace. Much of what the reports found points to China – with its stated aim to advance China’s economy via any means – as the obvious culprit (currently).

The reports and the recent plethora of exploit revelations indicate that China is well ahead with the deployment of its INFINT, with likely assistance from its global HUMINT network.

Consequently, and in addition to these two reports, with their stated aims of INFINT (Information Intelligence), we now need a report studying the great HUMINT network China has deployed worldwide and its connection to their INFINT. For a start, China has citizens in just about every center of higher learning around the world – from the National Technological University of Argentina to the University of Zagreb – not to mention governments, companies, and so on. These post-graduate and graduate students learn the best a country has to offer, often contributing to local organizations as interns. However, the end game is to return home with a solid body of knowledge (BoK) readily usable to advance China – nothing wrong with that, especially since they pay full price, often inflated, for the education and the take-home BoK.

Premise: How many of these ‘students/interns’ leave little gifts in computers (and throughout networks) they have access to during their stay?

What is extremely interesting in both reports is that they reveal the harbinger of things to come. However, in my opinion I think that many of the complaints among the industrialized countries regarding China’s cyberspace activities may be a little sour grapes… The “Free World” needs a villain, always – the USSR is dead; long live the PRC!

Note 1: INFINT (Information Intelligence) – information gathering in cyberspace by compromising computer systems – the term is more reflective of the current cyberspace activity than SIGINT (Signal Intelligence), the predominant means of information gathering in the not-so-distant past and still going strong with its COMINT (communications intelligence) and ELINT (electronic intelligence) elements in some parts of the “physical” world.

Note 2: Currently, there is not a single country among the current 192 United Nations (UN) member states without a Chinese community (excluding diplomats).

Categories
Technology
Tags
COMINT, ELINT, HUMINT, INFINT, Information Warfare Monitor, SigInt

Shaoxing, Zhejiang, China

2010/03/28

If the People and Soldiers Unite as One, All Enemies Under Heaven Will Disappear

MessageLabs Intelligence identified the number one source of malicious emails – Shaoxing, Zhejiang province in eastern China. Shaoxing is the birthplace of the pragmatic Zhou Enlai (周恩来) and the location of a Third Department training and operations facility.

In its March 2010 report, MessageLabs Intelligence traced 12 billion emails and found that almost 30 per cent of malicious emails were sent from China and 21.3 per cent came from the city of Shaoxing. They said key targets for the hackers were experts in Asian defense policy and human rights activists, suggesting state involvement.

Cyber-espionage uses emails sent in small volumes with legitimate-looking attachments or documents to fool the user into letting malicious code infect their computer. According to the report, “The ultimate aim . . . is to gain access to sensitive data or internal systems by targeting specific individuals or companies.”

Researchers succeeded in tracing individual computer registration numbers to find the true source of the attacks. Previously hackers in China had been able to camouflage themselves behind servers in Taiwan and Hong Kong.

The findings show China was the source of 28.2 per cent of global targeted attacks. It was followed by Romania with 21.1 per cent, presumed to be mostly attempts at commercial fraud. The US was third, followed by Taiwan and then Britain, with 12 per cent of attacks.

While China improves its SIGINT and IMINT capabilities, it continues to use its HUMINT intelligence collection to advance its economic position globally. Through the Third Department of the General Staff Department of the Central Military Commission, its national agency responsible for managing China’s strategic SIGINT program, China continues to modernize its intelligence gathering capabilities to obtain access to advanced technologies and gain economic advantages.

Its SIGINT efforts are an integral part of its multipronged approach to intelligence gathering, together with the use of open source information gathered through its HUMINT activities – using students and businesspeople scattered around the globe, scientific researchers on exchanges and attending conferences and seminars worldwide, and the New China News Agency – to gather tidbits of intelligence. China is demonstrating that it knows where to focus its efforts to gain economic advantage while keeping its INT well exercised for other activities.

Categories
Technology
Tags
China, HUMINT, IMINT, intelligence, MessageLabs, Shaoxing, SigInt, Third Department

Casus belli

2010/03/23

Here is a very scary thought – some fool (or fools) has charged the U.S. Department of Justice’s lawyers to determine what constitutes an act of war during a cyber attack. No matter how smart these government lawyers are (or the fool in question thinks they are), leaving the definition of casus belli to any government lawyers, but especially those from a warmongering nation, is just a guaranteed war looking for an excuse…

Reference:

http://bbvm.wordpress.com/2010/02/21/justice-lawyers-try-to-define-cyber-war/

Categories
Technology
Tags
cyber war, warfare

Saudi wants to control BBM messages

2010/03/15

The Saudi Communication and Internet Technology Commission (CITC) has reportedly contacted Canada’s Research in Motion (RIM) seeking to have access to and monitor communications by BlackBerry Messenger, known as BBM.

Another demonstration of many ‘conservative’ governments’ paranoiac need to control all information flow… or maybe they want to keep better tabs on their Al Qaeda membership!

http://www.google.com/hostednews/afp/article/ALeqM5i7NxlHItbx2fl-LqFf9SAqD9c1QA

Again, this is no big deal: most ME and many Asian countries monitor and/or keep copies of text messages (SMS, emails, tweets, etc.) – as demonstrated when two Emirates airline cabin crew members were ordered jailed for three months in Dubai over sexually explicit text messages. Of course the loudest complaints against this practice come from the U.S.A. – where, one recalls, the U.S. government, with assistance from major telecommunications carriers including AT&T, engaged in a massive program of surveillance of domestic communications and communications records of millions of ordinary Americans (people).

References:

http://www.canada.com/technology/story.html?id=2695216 – Emirates airline crew members face jail over sexual text messages

http://www.eff.org/issues/nsa-spying – NSA Spying

Categories
Technology
Tags
Al Qaeda, BBM, BlackBerry, RIM, Saudi Arabia

Professor Ronald Deibert writes on China and cyberspace

2010/03/15

China is among the world’s most dynamic countries when it comes to information and communication technology research, development and consumer use. It is now the world’s largest national Internet population. China is also the world’s most pervasive filterer of Internet content, engages in widespread electronic surveillance and has been suspected of global cyber-espionage against adversaries abroad. This paper draws upon the experiences of several Canadian-based research and development projects that focus directly upon (and confront) China’s cyberspace control strategy to map out its main features and discuss the challenges they present for Canada (and by extension many others).

The main part of the paper provides an overview of China’s content filtering, surveillance and information warfare policies and practices. This overview is followed by a consideration of issues for Canada. Like many other countries, Canada depends on economic exchange with China and is home to a large and growing Chinese Diaspora community that can be vocal critics of China’s human rights policies. Canada is also the home of some of the leading research and development projects on Internet censorship, surveillance and information warfare that, at times, are antagonistically linked to China. The conclusion considers some of the challenges and opportunities for Canadian interests and presents three recommendations for Canadian policy.

Dr Deibert’s paper is a good and timely read.

http://www.canadianinternationalcouncil.org/download/resourcece/archives/chinapapers/chinapapersno7deibertpdf?attachment=1

Dr Deibert is a Director of The Citizen Lab, Munk Centre for International Studies, University of Toronto. His academic website at http://deibert.citizenlab.org/ is a great source of knowledge.

Categories
Technology
Tags
China, Cyberspace, Ronald Deibert

Cybercrime booming, you can take that to the bank..

2010/03/15

Law enforcement agencies and cybersecurity experts warned that they have seen a significant increase in bank fraud attacks targeting small and mid-sized organizations. Attackers prefer organizations that use small regional banks, since these most likely do not have adequate security measures in place. The current increase involves automated clearinghouse (ACH) transfers that can be processed overnight. Attackers typically send targeted phishing emails that install keyloggers, Trojans, and/or malware that can harvest victims’ credentials to initiate transfers (hops) over the weekend or overnight.

Typically, using the stolen credentials of people authorized to manage bank accounts, the attackers will initiate a string of transfers (hops) to a final destination where the funds can be withdrawn soonest (cashed in). Even if the bank manages to trace the transfers, there are simply no funds to recover.

This trend will certainly continue to increase as banks continue to encourage their clients to go on-line – as on-line banking not only saves banks significant cost of doing business but, in most cases, actually shows real revenue. Unfortunately, too many banks fail to devote any portion of their newfound ROI to realistic security measures, including employee and client education; this is compounded by the simply pitiable security measures taken by the majority of their online banking clients.

Online account-related fraud is a multi-billion euro business – simply too good a revenue stream for criminals not to invest effort and money in.

http://uk.finance.yahoo.com/news/online-bank-fraud-doubles-in-two-years-tele-3f0e4cea61be.html?x=0

http://www.compareprepaid.co.uk/cards/videos/03/2010/bank-fraud-on-the-rise/

Categories
Technology
Tags
Cybercrime, fraud, online banking

China MOD Website attacked (and why not)

2010/03/15

According to numerous media sources, malfeasants attacked the English Website of China’s ministry of defense [http://eng.mod.gov.cn], launched last year (August), more than 2.3 million times in its first month.

Experts say that it has been averaging nearly a million attacks a month since going online, without any incident (success) to date. The ministry deflected all the attacks with its security measures in place (FW, WAF, IDS, EB1, etc.). However, I doubt very much that the MOD would tell anyone if it was hacked!

Note: According to the MOD, it had over 3.1 billion page views to date (first six months).

http://www.reuters.com/article/idUSTRE5AI0SP20091119

http://english.peopledaily.com.cn/90001/90776/90786/6816970.html

http://www.dailytech.com/China+Defense+Ministry+Targeted+by+Cyber+Attacks+2+Million+Times/article16891.htm

http://www.chinadaily.com.cn/china/2009-11/18/content_8995678.htm

http://www.digitaltrends.com/computing/china-defense-ministry-targeted-by-mass-cyber-attacks/

http://www.physorg.com/news177759440.html

http://www.networkworld.com/news/2009/111809-china-defense-ministry-site-fends.html

Categories
Technology
Tags
China, cyber attack, MOD

Voluntary Breach Disclosure (cyber attack)

2010/03/09

Just about anyone involved with cyber security in this region knows that hundreds of servers operated by local governments in Japan are vulnerable to cyber-attacks, with most entities failing to take countermeasures.

A Japanese Local Authorities Systems Development Center report describes how servers managed by nearly 200 prefectural and municipal governments across Japan (and likely national-level ministries), and other government-affiliated organizations, can easily be compromised.

About 1,400 local entities – mainly prefectural and municipal governments – belong to the center, a foundation operated under the jurisdiction of the Internal Affairs and Communications Ministry. Each year, it surveys these local entities regarding server safety and other matters. However, until now it has never publicly released information on how local governments manage their servers.

In fiscal 2008, the center investigated 3,467 servers operated by 647 local entities. The result showed that 193 entities, or 30 percent of those investigated, continue to use problematic servers.

Of these entities, 70 had so many server-related problems the center concluded they needed to urgently improve their operational environments.

A total of 495 servers contain residents’ personal information, but use an old cryptographic system in which defects were detected more than a decade ago.

Furthermore, 27 servers loaded with basic software are still being used without updated security measures after the support period provided by a software company expired more than five years ago.

In both cases, the center pointed out that the use of such servers was problematic.

According to a post-survey questionnaire, despite being fully aware that local residents’ personal information could be leaked, 54 of the entities with security problems said they had no plans to improve their operational environments, with some saying they could not afford to do so, while others said the matter was of no importance (the latter being my all-time favorite, having heard it so often over the last 10 years).

Elsewhere, many governments (Australia, Canada, New Zealand, United States) are trying to establish Voluntary Breach Disclosure regulations. Currently there is no common way for organizations to safely and confidentially share data about attacks they suffer, nor is there necessarily much incentive to do so.

Aside from the obvious privacy concerns and worries about damage to their public images in the event of a publicly disclosed hack, many organizations have reservations about sharing their breach information with law enforcement because it is often more of a one-way street than an information-sharing arrangement. They supply their attack information to the authorities and more often than not never hear back from them.

But that soon could change, at least in the United States. FBI director Robert Mueller, in a keynote address at the RSA Conference 2010 last week, said that today it’s the exception rather than the rule for organizations to report cyber-attacks to the bureau, but he promised some big changes that could allay privacy concerns. “We will minimize the disruption to your business. We will safeguard your privacy and your data. Where necessary, we will seek protective orders to preserve trade secrets and business confidentiality. And we will share with you what we can, as quickly as we can, about the means and methods of attack,” Mueller told attendees.

Well, that would be a definite step in the right direction and an impetus for others to follow.

Source: Voluntary Breach Disclosure Rare But Valuable by Kelly Jackson Higgins, Dark Reading

Categories
Technology
Tags
cyber attack, Cybersecurity, voluntary breach disclosure

Warning about the threat from Chinese espionage getting old

2010/02/01

The UK Centre for the Protection of National Infrastructure (MI5) prepared a short ‘restricted’ report back in 2007~08 entitled “The Threat from Chinese Espionage” – that was widely distributed to UK business organizations worldwide – to little effect.

The report tells of bugging and burgling by agents from the People’s Liberation Army and the Ministry of Public Security. It also warns of electronic gifts given at exhibitions and seminars riddled with Trojans capable of creating a backdoor, ferreting out and transmitting specific data, and remotely triggered malware.

According to CPNI, “The Chinese government represents one of the most significant espionage threats to the UK because of its use of widespread electronic hacking.” UK cybersecurity experts suspect that Chinese cyberwarfare units have directed concerted hacking exercises against the UK’s defence, energy, communications, and manufacturing entities.

In their great wisdom, MI5 and CPNI believe that “any UK company might be at risk if it holds information which would benefit the Chinese.”

At the time of the ‘restricted’ letter released by MI5’s DG, it was observed in Schneier on Security (4 December 2007) that sending a confidential letter to 300 businesses and expecting it to be kept so was not such a good idea – publicity, and lots of it, should have been the order of the day. The Chinese Ministry of Public Security must have had a good laugh at the time (from reading their own copy); it sure did not slow them down any…

References:

MI5 alert on China’s cyberspace spy threat, Exclusive: director-general of MI5 sends letter to British companies warning systems are under attack from China, From The Times, published: 1 December 2007

Britain Warned Businesses of Threat of Chinese Spying, By John F. Burns, published: 31 January 2010

Categories
General, Technology
Tags
CPNI, Cybersecurity, cyberwarfare, espionage, MI5

Most are largely ignorant of cyber threats

2010/02/01

The Internet has opened global markets and revolutionized modern business practices. Yet, while providing new opportunities, reliance on the Web has also exposed new vulnerabilities. McAfee estimates that in 2008, “companies worldwide lost more than $1 trillion” from IP and data theft. A recently released PwC report on the rising threat of e-espionage asks: “Are companies aware and ready to respond?” In general, the resounding answer is, “No.”

Survey after report after commission unanimously demonstrates that the Internet (Web, cyberspace) is unsecured. Threats are multiplying and growing ever more successful in gaining access to desired data or results. Nevertheless, no one in his right mind stays away – yet, most do very little to protect their property, even themselves – Why?

One answer is ease of use – the Internet is too simple to use and yields too many benefits at a click – how can something this beneficial be this nefarious!

Until we find the right answer, we will continue to barrel down towards an unparalleled cataclysmic catastrophe where not only IP or data will be lost, but lives…

References:

Study Finds Growing Fear of Cyberattacks, by John Markoff, Published: 28 January 2010

Unsecured Economies: Protecting Vital Information, The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information, December 2009

Securing Cyberspace for the 44th Presidency, A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, December 2008

Categories
General, Technology
Tags
cyber threat, Cybersecurity

Internet surveillance is on the rise – get used to it!

2010/01/28

The Electronic Frontier Foundation (EFF), whose lawyers brought the National Security Agency’s warrantless surveillance program case to court in 2008, unsurprisingly lost their case and plan to appeal. This means that the practice of funnelling Internet traffic by Telcos to government security agencies will continue unabated in the US.

This will also give leverage to security and law enforcement agencies to persuade ISPs (and in some cases developers) to provide exploitable backdoors to access emails unimpeded and continue Internet filtering unhindered by privacy regulations. However, more damaging will be the international repercussions; countries like Australia, Canada, the EU, Germany, Russia, Sweden, the United Kingdom, and many others around the world will be emboldened in advancing greater Internet surveillance and join the ranks of the likes of China, Iran, and many other oppressive (draconian) governments.

Nothing surprising here: governments will always find at least one reason to eavesdrop on their citizens – from protecting wayward nationals at one end of the spectrum to insecure politicians giving themselves an edge over the masses’ discontent (justified or not), or simply because they can do it under the guise of prevention or perversion.

So get over it: short of setting up your own clean email address servers that you access via TOR sites, government-sponsored hacking and surveillance are here to stay, and they will apply the 5Ws to fit their political or personal agenda.

Note: A clean email address is one where you write emails in draft form and do not send them, but allow trusted contacts to also access the account, read the draft message, and type a draft response. The Onion Router (TOR) – the general idea for TOR is that your connection goes through a server that then processes the encrypted connection through a series of proxy servers. The result is a virtual dead-end for anyone trying to analyze the path you took to get to your clean mail server.

References:

Internet censorship on the rise, by Ersu Abalk, published 27 January 2010

Top 10 technologies to beat tyranny, By Iain Thomson, published: 25 January 2010

U.S. enables Chinese hacking Google, by Bruce Schneier, Special to CNN, published 23 January 2010

Categories
Technology
Tags
EFF, Internet Surveillance, The Onion Router

Make your password – HackMe – why don’t you…

2010/01/21

In a recent NY Times article, Amichai Shulman, the chief technology officer at Imperva, examined a list of 32 million accounts that an unknown hacker stole last month from RockYou – they found that the 32 million accounts shared about 5000 passwords.

I have been maintaining for almost 20 years that the safest user/password access combo, and now the easiest, is the ten passwords at your fingertips and the one user ID in your face – a simple choice now that almost all laptops have a built-in fingerprint reader and camera, or can have them added via the USB port.

If the sign-in provider is too lazy to add the few lines of code needed to take advantage of biometrics, let someone come up with an elegant face-recognition-to-user-ID and fingerprint-to-password conversion application that generates a unique user ID and password based on an individual’s biometrics (contact me if you want to know how it works).

We have the technology people, let’s get with the program…

References:

If Your Password Is 123456, Just Make It HackMe by Ashlee Vance, Published: January 20, 2010

Facial Recognition Door Lock and Time Clock for Less than $500 by Aaron Saenz, Published: December 29, 2009

RockYou Hack: From Bad To Worse by Nik Cubrilovic Published: December 14, 2009

Biometrics Turns Your Ear Into Your Password by Drew Halley, Published: May 6, 2009

Categories
General, Technology
Tags
Biometrics, password, RockYou

C4ISTAR

2010/01/19

Computer security researchers found strong evidence of the digital fingerprints of the authors, suspected to be Chinese, in the software programs used in attacks against Google. It apparently attacked Google’s source code – akin to the modifications of Cisco Systems source code found in Cisco router knockoffs that have appeared on the market.

However, I think that experts are giving Chinese hackers too much credit by assuming, in general, that the attackers gained access externally, unaided, to Google’s jewels. I would make a small wager that it was (a) an insider’s job or (b) a combo job (most probable) where malfeasants have an insider drop keyholes (Trojan horse) among the Hollerith cards or modify some code (backdoor)…

The theft of intellectual property through modified software (application) and co-opted hardware (knockoff or compromised) is about to become a standard cost-of-doing business, not only in China, but worldwide, in just about every industry.

At first governments will mostly support it as an extension of their Intelligence Services, like China, which is committed to making great techno-economic strides to keep the masses busy – too many idle hands only create problems – e.g., look at the Middle East. Their Cyber-Intelligence units will pass on the gathered tidbits from their info-warfare (IW) endeavors to their industries.

(Several countries have well-defined C4ISTAR units capable of waging cyber-warfare – as seen recently during the cyber attacks on Estonia (2007) during the Bronze Soldier of Tallinn incident and Georgia (2008) during the South Ossetia war. These cyber-warriors are the evolution of the Cold War’s tactical and strategic SigInt operators, gifted with patience and blessed with luck, who intercepted, decoded, and analyzed signals and/or data to gain some sort of advantage on their targets.)

Eventually, since all things digital reign supreme in the commercial world, organizations will draft individuals to penetrate the competition as workers to drop malware in the cogs to glean a perceived advantage. Malware to spy and reveal business secrets; or, to erode slowly an opponent’s business model; or, simply siphon off intellectual property for later nefarious use.

Cybersecurity technologists capable of certifying and fingerprinting applications as secure (given certain environments) and able to recognize any modifications, especially unauthorized ones, will be worth their weight in platinum. They will have to be digital detectives of the caliber of Sir Arthur Conan Doyle’s Sherlock Holmes, the imaginary sleuth famous for his clever use of incisive observation, deductive reasoning, and forensic skills to defeat malfeasants.

Let the bon temps roll!

References:

Fearing Hackers Who Leave No Trace, by John Markoff and Ashlee Vance, published: January 19, 2010

Evidence Found for Chinese Attack on Google, by John Markoff, published: January 19, 2010

China: Cyber warfare, weapon of mass destruction? Published by Heike August 8, 2008

Categories
Technology
Tags
C4ISTAR, command, communications, computers, control, cyber warfare, intelligence, reconnaissance, surveillance

Industrial Espionage

2010/01/18

The recent hacking of Google left corporate networks, worldwide, questioning their cyber security, justifiably so. How malware finds its way into networks is not as important as taking measures to make everyone aware of the possibility and implementing strict countermeasures automatically, backed by strict penalties for not following security rules that reflect realities.

One improvement is to abandon the user/password method and replace it with biometrics. Regardless of what the industry says, the deployment of the technology is not difficult at all, just slightly troublesome for people. Although not the perfect deterrent, biometrics can greatly reduce email account hijacking, corporate network penetrations, and even credit card cloning.

Simple enrolment of several of an employee’s biometric measurements can take less than one (1) minute. A computer connected to a USB device such as a fingerprint reader or a camera can harvest biometrics and verify one’s ID faster than typing in a user/password combo. (Currently, 99% of all computers in use worldwide have at least one USB port.)

As for credit/debit cards, the chip on most of them can store enough information to enable solid biometrics ID at most point-of-sale interfaces.

However, no system connected to the Internet (cyberspace) will ever be 100% secured against a determined malfeasant! Additional organization-wide measures such as establishing sustainable Information Security Management Systems and reliable corporate governance are needed. Further, these measures must be backed by frequent independent audits conducted by a trusted third party using such standards as ISO 20000 (Information Technology Infrastructure Library), 24762 (Disaster Recovery), 27001 (Information Security Management System), 28000 (Supply Chain Management Security), 38500 (Governance of Enterprise IT), and BS 25999 (Business Continuity Management or ISO 22399).

One problem solved, now to the next generation of cybercrimes – the ones committed by robots and AIs in the ever-growing virtual world… stay tuned!

References:

In Rebuke of China, Focus Falls on Cybersecurity by Miguel Helft and John Markoff Published: January 13, 2010

Companies Fight Endless War Against Computer Attacks by Steve Lohr Published: January 17, 2010

Hackers Said to Breach Gmail Accounts in China by Edward Wong Published: January 18, 2010

Categories
Technology
Tags
Biometrics, cybercrimes, Cybersecurity, Industrial Espionage

New OWASP Top 10, with new approach

2009/12/13

The Open Web Application Security Project (OWASP) has released a new Top 10 of the most critical Web application security risks. The Top Ten 2010 version provides a powerful awareness document to mitigate Web application security risk.

Further, this time around the Top 10 are presented from a risk-based approach, thus playing to a wider audience.

You can download the Release Candidate version here — http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf

Really worth the time.

Categories
Technology
Tags
OWASP, Top 10
