The Cyberwar Thread

Glassfan (Mostly harmless; joined Sep 17, 2006; 3,956 messages; location: Kent)
Since October is National Cybersecurity Awareness Month, I thought it appropriate to open this thread.

Some quotes;

"Like everyone else who is or has been in a US military uniform, I think of cyber as a domain. It is now enshrined in doctrine: land, sea, air, space, cyber. It trips off the tongue, and frankly I have found the concept liberating when I think about operationalizing this domain. But the other domains are natural, created by God, and this one is the creation of man. Man can actually change this geography, and anything that happens there actually creates a change in someone’s physical space. Are these differences important enough for us to rethink our doctrine?"
-General Michael V. Hayden, USAF, Retired.


"The establishment of the U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space. All this might lead to a belief that the historic constructs of war—force, offense, defense, deterrence—can be applied to cyberspace with little modification. Not so. Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding."
-Cyberdeterrence and Cyberwar, MARTIN C. LIBICKI

"Adding an efficient and effective cyber branch alongside the Army, Navy and Air Force would provide our nation with the capability to defend our technological infrastructure and conduct offensive operations. Perhaps more important, the existence of this capability would serve as a strong deterrent for our nation's enemies." - Gregory Conti and John Surdu (USARDC)


Working Definitions

Cyberwarfare. Defensive (Cybersecurity) and offensive (Cyberattack) measures, carried out in the Internet domain, to achieve anonymous advantage over information.

Cyberattack refers to the digital penetration of telecommunications or Internet systems by a nation-state, NGO, corporations or individuals; for the purposes of data theft, espionage, harassment, or the sabotage of computer systems or the physical infrastructure they control.

Cyber counter-intelligence comprises measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions.

Cybersecurity. Also known as information security. The objectives of CS include protection of information and property from theft, corruption and attack, while allowing the information and property to remain accessible and productive to its intended users. Cybersecurity includes the identification of system vulnerabilities, the hardening of networks, and the detection and prevention of intrusion.

Hackers. In reference to Cyberwarfare, the term hacker normally signifies someone who circumvents a computer system's security with malicious or criminal intent (also: Cracker). In a more general context, however, hacker is also used as a slang synonym for computer expert or hobbyist - usually suggesting an antiauthoritarian and free-Internet philosophy.


There are two main cyber-security organizations in the US;

Homeland Security, a cabinet department of the United States federal government, is responsible for domestic, infrastructure and commerce protection under NCSD, The DHS National Cyber Security Division.

NCSD is responsible for the response system, risk management program, and requirements for domestic cyber-security in the U.S. The division is home to US-CERT (Office of Cybersecurity and Communications) operations and the National Cyber Alert System. The DHS Science and Technology Directorate helps government and private end-users transition to new cyber-security capabilities. This directorate also funds the Cyber Security Research and Development Center, which identifies and prioritizes research and development for NCSD. The center works on the Internet's routing infrastructure (the SPRI program) and Domain Name System (DNSSEC), identity theft and other online criminal activity, Internet traffic and networks research. On October 30, 2009, DHS opened the National Cybersecurity and Communications Integration Center. The center brings together government organizations responsible for protecting computer networks and networked infrastructure.

United States Cyber Command (USCYBERCOM), located at Ft. Meade, is led by USA General Keith B. Alexander. "Cyber Command" centralizes military command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks.

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to its adversaries.

Other government agencies, like the FBI's Computer Investigations and Infrastructure Threat Assessment Center (CITAC), the Marine Corps Forces Cyberspace Command, or commercial entities like McAfee, Microsoft or Norton, are either part of DHS and CyberCom, or work closely with them.


Items of interest;

Current US military strategy makes explicit that a cyberattack is a casus belli, just as a traditional act of war.

In 2011 there were 403 million unique variants of malware, compared to 286 million in 2010. (Source: Symantec ISTR, April 2012)

At 54% combined, the government/public sector, manufacturing and finance were the most targeted industries when it came to email cyber attacks in 2011. (Source: Symantec)

Companies are increasingly using cloud applications instead of company-managed software to store files or communicate. Although there are benefits to cloud computing, there are also cyber security and legal risks involved. (Source: Symantec ISTR, April 2012.)


Problems and controversy;

There has been debate on whether the term "Cyberwarfare" (formerly "Infowar") is accurate. Despite efforts by the language police however, Cyberwar is now the most commonly used term to describe Internet and telecommunications attacks, penetrations, sabotage and espionage.

The problem of Attribution - Who did it? Cyberattacks can be launched from literally anywhere, including cybercafés, open Wi-Fi nodes, and suborned third-party computers - especially at universities. They do not require expensive or rare machinery. They leave next to no unique physical trace. Thus, attribution is difficult, often guesswork.

Escalation. Even if retaliation is in kind, counterretaliation may not be. A fight that begins in cyberspace might spill over into the real world with grievous consequences.

Vulnerability. Targeted systems must possess weaknesses that can be identified, penetrated and manipulated to the attacker's advantage. Cybersecurity's intent is to eliminate vulnerabilities.

There are concerns that the Pentagon and NSA will overshadow any civilian cyber defense efforts. There are also concerns on whether Cyber Command will assist in civilian cyber defense efforts. There are traditional Big Government and Big Brother concerns and questions about American civil liberties, privacy, constitutional protections and Internet freedom. "The only problem is that the Internet, by its very nature, has no borders and if the U.S. takes on the mantle of the world's police; that might not go down so well." - General Alexander

The question of Cyberwar talent. In the United States most college campuses are hostile to military recruiting programs. The best computer talent (grads) goes to private industry which pays higher salaries. There are also salary caps to civilians in Homeland Security. Concerns are that US Cyber defense will be composed of amateurs. As has been the traditional case with military pilots - military cybertechs - just as they become experienced and most effective, will leave the service to find better paying jobs in the commercial world.


Conclusion

Clausewitz said, "War is the continuation of Policy by other means". I would paraphrase Clausewitz and say, "Cyberwar is the continuation of warfare by other means". To strike at your enemy without bullets or bombs - or to defend yourself from his cyber attack, is a higher level of asymmetrical warfare.
 
The White House
Office of the Press Secretary

For Immediate Release October 01, 2012
Presidential Proclamation -- National Cybersecurity Awareness Month, 2012

NATIONAL CYBERSECURITY AWARENESS MONTH, 2012

- - - - - - -

BY THE PRESIDENT OF THE UNITED STATES OF AMERICA

A PROCLAMATION

Today, Americans are more connected to each other and to people around the world than ever before. Many of us depend on the Internet and digital tools in our daily lives -- from shopping at home and banking on our mobile devices to sharing information with friends across the globe. And America far outpaces the rest of the world in adoption of cutting-edge wireless broadband technology. Our growing reliance on technology reminds us that our digital infrastructure is not just a convenience; it is a strategic national asset. During National Cybersecurity Awareness Month, we recommit to ensuring our information and infrastructure remain secure, reliable, and resilient.

Though our Nation benefits immensely from the Internet, increased connectivity brings increased risk of theft, fraud, and abuse. That is why my Administration has made cybersecurity a national and economic security priority. By bringing together Federal, State, and local governments and private industry partners, we have made great progress in securing cyberspace for business, education, entertainment, and civic life. In November 2011, we released the Blueprint for a Secure Cyber Future -- a strategic plan to protect government, the private sector, and the public against cyber threats today and tomorrow.

As we continue to improve our cybersecurity under existing authorities, comprehensive legislation remains essential to securing our critical infrastructure, facilitating greater cyber information sharing between government and the private sector, and protecting the privacy and civil liberties of the American people. My Administration looks forward to working with the Congress to address these goals.

Cybersecurity cannot be guaranteed by government, industry, and law enforcement alone. Each of us has an important role to play in reducing the cyber threat and increasing our resilience following cyber incidents. The Department of Homeland Security's "Stop.Think.Connect." campaign continues to empower digital citizens with the information and tools they need to stay safe online. To learn more about how we can all contribute to the security of our shared cyber networks, visit www.DHS.gov/StopThinkConnect.

America's digital infrastructure underpins our progress toward strengthening our economy, improving our schools, modernizing our military, and making our government more open and efficient. Working together, we can embrace the opportunities and meet the challenges cyberspace provides while preserving America's fundamental belief in freedom, openness, and innovation.

NOW, THEREFORE, I, BARACK OBAMA, President of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim October 2012 as National Cybersecurity Awareness Month. I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.

IN WITNESS WHEREOF, I have hereunto set my hand this first day of October, in the year of our Lord two thousand twelve, and of the Independence of the United States of America the two hundred and thirty-seventh.

BARACK OBAMA
 
I was into Cyberwarfare before it was cool.

Don't worry, the US power grid is highly vulnerable.
 
A short list of "reported" cyberoperations. Most go unreported in public media. As usual, attribution is largely guesswork.

In the 2006 war against Hezbollah, Israel alleged that cyber-warfare was part of the conflict, where the Israel Defense Force (IDF) intelligence estimated several countries in the Middle East used Russian hackers and scientists to operate on their behalf. As a result, Israel attached growing importance to cyber-tactics, and became, along with the U.S., France and a few other nations, involved in cyber-war planning.

Operation Shady RAT was an ongoing series of cyber attacks starting in mid-2006 reported by Internet security company McAfee in August 2011. The attacks had hit at least 72 organizations, including defense contractors, businesses worldwide, the United Nations and the International Olympic Committee. The operation, a derivation of the common computer security industry acronym for Remote Access Tool, was characterized by McAfee as "a five year targeted operation by one specific actor". The report suggests that the targeting of various athletic oversight organizations around the time of the 2008 Summer Olympics "potentially pointed a finger at a state actor behind the intrusions". That state actor is widely assumed to be the People's Republic of China.

In April 2007, Estonia came under cyber attack ("Web War I") in the wake of the relocation of the Bronze Soldier of Tallinn. Most of the attacks came from Russia and from official servers of the authorities of Russia. In the attack, ministries, banks, and media were targeted. NATO, in response, established a Cyber Defense Center in Tallinn.

In September 2007, Israel carried out an airstrike on Syria dubbed Operation Orchard. U.S. industry and military sources speculated that the Israelis may have used cyberwarfare to allow their planes to pass undetected by radar into Syria.

In 2008, Russia engaged in a series of attacks on Georgian government websites - carried out along with military operations in South Ossetia.

During 2008, the computer systems of the American Department of Defense registered 54,640 attacks on its computer systems.

In 2008, Chinese "Nationalist hackers" attacked CNN as it reported on Chinese repression in Tibet.

In July 2009, there were a series of coordinated denial of service attacks against major government, news media, and financial websites in South Korea and the United States. While many thought the attack was directed by North Korea, one researcher traced the attacks to the United Kingdom.

During 2009-10, Chinese spies hacked into America's Lockheed Martin and Britain's BAE Systems to steal vast amounts (terabytes) of data on the F-35 Joint Strike Fighter.

GhostNet was a 'vast surveillance system' reported by Canadian researchers based at the University of Toronto in March 2009. Using targeted emails it compromised thousands of computers in governmental organisations, enabling attackers to scan for information and transfer this back to a 'digital storage facility in China'.

In September 2010, Iran was attacked by the Stuxnet worm (attrib: USA, Israel), thought to specifically target its Natanz nuclear enrichment facility. The worm is said to be the most advanced piece of malware ever discovered and significantly increases the profile of cyberwarfare.

The US-based firm CyberSitter announced in January 2010 that it was suing the Chinese government, and other US companies, for stealing its anti-pornography software, with the accusation that it had been incorporated into China's Green Dam program, used by the state to censor Chinese citizens' internet access. CyberSitter accused Green Dam's creators of having copied around 3000 lines of code. They were described as having done 'a sloppy job of copying,' with some lines of the copied code continuing to direct people to the CyberSitter website. The attorney acting for CyberSitter maintained "I don't think I have ever seen such clear-cut stealing".

MI6 reportedly infiltrated an Al Qaeda website and replaced the recipe for a pipe bomb with the recipe for making cupcakes.

On January 13, 2010, Google Inc. announced that operators, from within China, had hacked into their Google China operation, stealing intellectual property and, in particular, accessing the email accounts of human rights activists. The attack was thought to have been part of a more widespread cyber attack on companies within China which has become known as Operation Aurora. Intruders were thought to have launched a zero-day attack, exploiting a weakness in the Microsoft Internet Explorer browser, the malware used being a modification of the trojan Hydraq. Concerned about the possibility of hackers taking advantage of this previously unknown weakness in Internet Explorer, the Government of Germany, then France, issued warnings not to use the browser.

In August 2010, the U.S. for the first time warned publicly about the Chinese military's use of civilian computer experts in clandestine cyber attacks aimed at American companies and government agencies. "The People's Liberation Army is using 'information warfare units' to develop viruses to attack enemy computer systems and networks, and those units include civilian computer professionals. Diplomatic cables highlighted US concerns that China was using access to Microsoft source code and 'harvesting the talents of its private sector' to boost its offensive and defensive capabilities".

In July 2011, the South Korean company SK Communications was hacked, resulting in the theft of the personal details (including names, phone numbers, home and email addresses and resident registration numbers) of up to 35 million people. A trojaned software update was used to gain access to the SK Communications network. Links exist between this hack and other malicious activity and it is believed to be part of a broader, concerted hacking effort.
 
China wants their internet censored? I say we help 'em out. We can build the "Great Firewall Around China."

Maybe I'm just bitter because two of my gmail accounts were compromised a few years back.
 
Wow, trader/warrior, I just got done reading that. It seemed kinda Hollywood, but maybe that was just the writer's style.
 
I was into Cyberwarfare before it was cool.
Indeed, there have been previous discussions of cyberwarfare on these forums, but they seemed to include a lot of denial and resistance. There is still a lot of controversy, but not at Black Hat or any of the "Stakeholder" conferences. Awareness and action on this problem has grown from initially just antivirus companies, to government and even military entities.


...A fun read on Stuxnet, the most advanced cyberattack ever,...


That's a fine article t/w, thanks for sharing. I'd like to amplify certain passages.

"Once a specialized offshoot of computer science, computer security has grown into a multibillion-dollar industry over the last decade keeping pace with an explosion in sophisticated hack attacks and evolving viruses, Trojan horses and spyware programs." "...Of the more than 1 million malicious files Symantec and other AV firms received monthly,..." This is a real growth industry, and will probably get a lot worse before it gets better.

"His first encounter with malware had been in 1996 when a fellow student at the College of Dublin crafted a virus targeting the university's network." "...There was one primary way Stuxnet would spread from one facility to another, and that was on an infected USB thumb drive smuggled into the facility in someone's pocket." Scientists, engineers and researchers are notoriously lax on security, so inside jobs are made all the easier. I've always thought (IMHO) that the numerous Microsoft viruses are not only due to its being the dominant planetary operating system and the obvious reverse-engineering, but also because of Microsoft insider hacktivists.

"Within a week of establishing the sinkhole, about 38,000 infected machines were reporting in from dozens of countries. Before long, the number would surpass 100,000. Stuxnet was spreading rapidly, despite signatures distributed by antivirus firms to stop it." Scary.

"In addition to the LNK vulnerability, Stuxnet exploited a print spooler vulnerability in Windows computers to spread across machines that used a shared printer. ... Additionally, Stuxnet exploited a static password that Siemens had hard-coded into its Step7 software." Scarier. Evil genius at work.

"Or had they purchased it from Zlob's authors (believed to be East European criminal hackers) on the exploit black market, where zero-days can sell for as high as $50,000 to $500,000?" Scariest. So, one can buy viruses on the open market?

"Stuxnet required an enormous amount of resources to produce, but its cost-benefit ratio is still in question." Cost-benefit ratio is perhaps the most salient point. What is money to a state, if it can inflict damage on its enemies at virtually no political/military cost to itself?

As a candidate for the US Presidency in 2008, Barack Obama promised, "Iran will not get the bomb". Most commentary and speculation has focused on the uselessness of economic sanctions and the ugly possibility of deliberate military intervention. But recent analysis has suggested that Stuxnet pushed the Iranian Atom Bomb Program back two years - roughly equivalent to an Israeli bombing attack - yet without the civilian deaths and the political fallout of the 1982 Osiraq raid.
 
Cyber Europe;

The European Network and Information Security Agency (ENISA) is the cybersecurity agency of the European Union. ENISA was created in 2004 by EU Regulation No 460/2004 and has been fully operational since September 1st, 2005. It has its seat in Heraklion, Crete (Greece).

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market. ENISA assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future EU legislation. ENISA ultimately strives to serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information security.

The Government Communications Headquarters (GCHQ) is a British intelligence agency responsible for providing signals intelligence (SIGINT) and information assurance to the UK government and armed forces. Based in Cheltenham, it operates under the guidance of the Joint Intelligence Committee.

The Communications-Electronics Security Group (CESG) of GCHQ provides assistance to government departments on their own communications security: CESG is the UK national technical authority for information assurance, including cryptography. CESG does not manufacture security equipment, but works with industry to ensure the availability of suitable products and services, while GCHQ itself can fund research into such areas, for example to the Centre for Quantum Computing at Oxford University and the Heilbronn Institute at the University of Bristol.

The National Cyberdefence Centre is a German government agency established to respond to attacks on government computers in Germany. The interior ministry's spokesman announced in December 2010 that the agency would be established. The German government reports that in the first 9 months of 2010, there were 1600 attacks on computer systems used by local and federal government in Germany. A large proportion of attacks come from China.

ANSSI, Agence nationale de la sécurité des systèmes d’information. ANSSI is the French National agency responsible for computer security. Created in July, 2009, it provides a service for monitoring, detection, warning and response to cyber attacks, especially on networks of the state.

CCDCOE, officially the Cooperative Cyber Defence Centre of Excellence (Estonian: K5 or Küberkaitse Kompetentsikeskus), is one of NATO's Centres of Excellence, located in Tallinn, Estonia. The CCDCOE was established in the wake of the 2007 cyberattacks on Estonia and the Bronze Night events.
 
The Great Firewall of China;

October 28, 2012

China Blocks NY Times Website Over Story on Wen Jiabao
Chinese government censors moved quickly to block the New York Times website Friday after it published a blockbuster story detailing the massive wealth accumulated by the family of Prime Minister Wen Jiabao.

The report threatened to shatter the public image of Wen, who is known as a compassionate, reformist leader with a modest background. The Times says a review of corporate and regulatory records indicate the prime minister's relatives control assets of at least $2.7 billion.

Just hours after the article was posted, access to the paper's English and Chinese-language websites was blocked throughout China. Censors also hurried to delete references to the prime minister and his family on China's Twitter-like Weibo microblog, while the Times' Chinese social media accounts were also deleted.

Chinese Foreign Ministry spokesperson Hong Lei condemned the article on Friday, telling reporters that it was meant to "smear China" and had "ulterior motives."

New York Times Reacts

Eileen Murphy, the paper's spokeswoman, expressed disappointment and said she hopes full access is restored soon. But she said the Times refuses to compromise its journalistic standards. Following the June launch of its Chinese-language site, the paper made a similar commitment, vowing not to tailor its content based on "the demands of the Chinese government."

In a move suggesting it anticipated China's anger at the Friday article on Wen, the Times made the Chinese-language version available for download in PDF format, making it much easier to distribute.

It is not the first time that Beijing has blocked Chinese access to Western news outlets that posted stories exposing senior level government corruption. Bloomberg's website has been blocked since June, when it ran a similar story describing the wealth amassed by the family of Vice President Xi Jinping, who is likely to become the country's leader for the next decade.

The stories are a major embarrassment for the Communist Party, which has vowed to crack down on corruption following widespread public anger over several high profile scandals. They also come just before a sensitive, once-a-decade leadership transition, which begins in less than two weeks with the 18th Party Congress.

The transition has already been overshadowed by the downfall of former Politburo member Bo Xilai, whose wife was convicted of corruption and murder in August. State media said Friday that Bo, under investigation for corruption and bribery, has been stripped of his legal immunity, suggesting he will soon stand trial.

Censorship

China's extensive network of Internet censors, dubbed the Great Firewall of China, has been working extra hard in the lead-up to the Nov. 8 Congress to delete any sensitive online content regarding Bo or other senior Communist Party members.

Many analysts, speaking on the condition of anonymity, say they expect the censorship to get worse as the date of the Congress approaches, noting that Beijing has in the past throttled Internet communication ahead of sensitive political events.

Some foreign journalists in China have already reported slower than usual Internet connections and increased trouble accessing VPNs, which allow users to circumvent Chinese censorship. The cause of the problem is difficult to identify, since Internet access in China is normally inconsistent and those wanting to access barred foreign websites must already play a cat-and-mouse game in order to do so.

Recent problems with the Internet have become so widespread that The Relevant Organs, a spoof Chinese government Twitter account, joked this week that the "next notch on the Internet Slower-Downer is off," saying foreigners should "catch the hint and get out of town for the Party Congress."
 
Cyberwarfare (definition): new cash cow for a number of services&"security" companies peddling their wares to governments.

/cynical mode
 
Cyberwarfare (definition): new cash cow for a number of services&"security" companies peddling their wares to governments.

/cynical mode

A healthy scepticism is always warranted. Yet commercial opportunism does not seem to me to be inconsistent with the level of the threat. Corporations that have failed to adequately defend themselves have at the least been embarrassed (SONY) - and at worst, bankrupted (DigiNotar). IMHO, while stocks in McAfee, Norton and Symantec have certainly soared, the fact that governments are now girding themselves for war is revealing.

We should be careful since America could end up like that soon. We already have our ISPs holding our info for a year (or longer if the government deems it necessary).

Diligence is the price of Freedom. We must find the middle path between liberty and security (Franklin aside). But in my opinion, American Internet freedom and Chinese Internet censorship are more stark contrast than comparison.


Internet censorship in the People's Republic of China, known in the West as The Great Firewall of China (aka, The Golden Shield Project; aka, cyber nanny) is the concerted effort by the Communist authorities to control, limit and even block Internet information accessible to its citizens.

A number of websites are routinely blocked, such as the BBC's Chinese language service, and social media sites like Facebook, Youtube and Twitter. Blockage may be permanent or intermittent - targeting specific content objectionable to the Communist authorities. And to exercise this control, the state closely monitors internet traffic within the country and all web content that crosses its borders.

This Great Chinese Firewall uses several tools.

All internet traffic into China passes through a small number of gateways, giving the government a chance to control the information.

Sometimes Beijing will block access to a site that has been blacklisted by the government. The authorities may also prevent the look-up of certain domain names, thus causing a "site not found" error message on the user's screen.

Many Chinese netizens complain that domestic social media sites filter their comments. If a site is not on any blacklist but its URL - web address - contains a prohibited word, the site may be blocked - and this may also happen if a prohibited keyword is published anywhere on the page a user is viewing.

A new tool increasingly used is "Throttling", where overseas sites are not actively blocked, but service is slowed to a crawl, or throttled (i.e., choked). Extreme slowness is employed to discourage users who enter prohibited search terms.

Amnesty International notes that China “has the largest recorded number of imprisoned journalists and cyber-dissidents in the world.” The offences of which they are accused include communicating with groups abroad, signing online petitions, and calling for reform and an end to corruption. The size of the Internet police is rumored at more than 30,000.
 
How Georgia doxed a Russian hacker (and why it matters)

On October 24, the country of Georgia took an unusual step: it posted to the Web a 27-page writeup (PDF), in English, on how it has been under assault from a hacker allegedly based in Russia. The paper included details of the malware used, how it spread, and how it was controlled. Even more unusually, the Georgians released pictures of the alleged hacker—taken with his own webcam after the Georgians hacked the hacker with the help of the FBI and others.

The story itself, which we covered briefly earlier this week, is fascinating, though it remains hard to authenticate and is relayed in a non-native English that makes for some tough reading. But what caught my eye about the whole cloak-and-dagger tale is the broader points it makes about hacking, jurisdiction, and the powerful surveillance devices that our computers have become.

It's also an example of how hacks and the alleged hackers behind them today play an increasing role in upping geopolitical suspicions between countries already wary of one another. Georgia and Russia have of course been at odds for years, and their conflict came to a head in a brief 2008 war; Russia still maintains a military presence in two tiny breakaway enclaves that Georgia claims as its own.

But first, the backstory.

Targeted strike

The attack itself was highly targeted. The hacker behind it began by infiltrating various news sites within Georgia, then modified only specific pages within those sites most likely to cover topics like NATO, the Georgian military, and US-Georgia relations. These modified pages included a "script" tag in their HTML code which pointed to a remote IP address serving up the inconspicuously-named "frame.php." Anyone visiting the page would automatically have their Web browser execute the script, which served up a crypted version of the malware installation tool TrojanDownloader:JS/SetSlice. The code used known vulnerabilities in Windows to instigate a "drive-by download" in which a user's browser would download and execute a file called "calc.exe" without throwing up an alert.


A Georgian news website showing the added script code.

Instead of launching a calculator, calc.exe scanned the computer it was on to see if it was located in the UTC+3 or UTC+4 time zones, which includes Eastern Europe all the way to Moscow. The malware would only install on computers within those regions (though this restriction was lifted in later versions). Calc.exe then injected itself into explorer.exe and also created a file called usbserv.exe—the actual malware—and wrote that filename into the Windows registry so that it would autorun. Usbserv.exe then ran in the background, performing one basic task: scanning all Word, PDF, Excel, text, rich text format, and PowerPoint files for a list of keywords that included items like "NATO." Such files were copied and uploaded to command and control servers, where they were retrieved by parties unknown and then deleted.

The result was a specific strike, hitting only those machines which revealed a user's interest in news about issues related to the Georgian military, which used the Georgian language, and which were in the region. Over the course of a year, the malware only infected 390 computers, 70 percent of which were in Georgia. The majority of these were in government ministries, parliament, and banks.

The malware activity was first noticed in March 2011 by Georgia's Computer Emergency Response Team (CERT), which was modeled on similar teams in the US (and is now replicated in places like the Ukraine, Poland, and Germany). After figuring out how the malware worked, Georgia contacted the three main Internet providers in the country and had them block access to the command-and-control servers for the malicious code (these had been written into the malware's binary file and pointed to machines scattered across the US, Georgia, France, Germany, Hungary, and the Czech Republic; fallback mechanisms kept these blocks from being wholly effective, however).

The virus author tweaked his creation throughout 2011 to evade countermeasures. By September, the malware had a new infection mechanism and new tools for bypassing antivirus scanners and firewalls. By November, the malware had become more heavily encrypted and could infect Windows 7 as well. By December, it added the capability to record video from a user's screen, webcam, or microphone, and it could spread to other machines on the same network.

The malware even had its own API. According to security firm ESET, which looked at the software earlier this year, the API accepted 19 simple commands, including:

find [PATTERN]: Find file names containing the pattern
dir [FOLDER]: Directory listing of a folder
load : Download the specified executable...

Seems relevant
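The infection vector in the write-up quoted above is a single `<script>` tag added to legitimate news pages, pointing at a remote IP address that served frame.php. The following is an added triage example, not code from the Georgian CERT report, Ars Technica or ESET: it parses a page, lists every external script source, and flags those loaded from a raw IP literal or from a host outside the site's own origin and a short CDN allowlist. The host names, the sample page and the 203.0.113.10 address (an RFC 5737 documentation range) are constructed for the demo.

```python
"""Triage helper for the watering-hole injection described in the report:
a <script> tag added to legitimate news pages, pointing at a remote IP
address that served frame.php. Added example, not code from the Georgian
CERT report, Ars Technica or ESET. Host names, the 203.0.113.10 address
(RFC 5737 documentation range) and the sample page are constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def is_ip_literal(host):
    """True if host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_suspicious_scripts(html, site_host, allowed_hosts=()):
    """Return (src, reason) pairs for script sources a page on site_host
    should not be loading: raw IP literals (the pattern in the report) and
    any host outside the site's own origin plus an allowlist of known CDNs.
    Relative references (no host) are same-origin and are not flagged."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    findings = []
    for src in collector.srcs:
        host = urlsplit(src).hostname  # None for relative references
        if not host:
            continue
        if is_ip_literal(host):
            findings.append((src, "script loaded from raw IP literal"))
        elif host not in allowed:
            findings.append((src, "script loaded from off-site host " + host))
    return findings


# Constructed sample page: two legitimate includes and one injected tag of
# the shape the report describes (remote IP, inconspicuous file name).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.org/jquery.min.js"></script>
<script src="http://203.0.113.10/frame.php"></script>
</head><body>Coverage of the NATO summit</body></html>"""


if __name__ == "__main__":
    for src, reason in find_suspicious_scripts(
        SAMPLE_PAGE, "news.example.ge", ["cdn.example.org"]
    ):
        print(reason + ": " + src)
```

Run over a crawl of a site's own pages (or diffed against a known-good copy), this catches the injection the report describes: legitimate sites almost never load scripts from a bare IP address, and the allowlist keeps routine CDN includes from turning into noise. The same IP-literal test is worth applying to outbound web traffic, since the report notes the command-and-control addresses were hard-coded into the malware binary rather than resolved by name.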
 
A fine story c_k. The Russian FSB's attacks on Georgia, Chechnya and Estonia have been widely speculated upon by media and the Black Hat community. I'll be submitting an entry on Russia's cyberwar efforts soon. There certainly does appear to be a growing hacktivist arms race.

The story reinforces several important issues with information warfare. Particularly attribution, and the exploitation of system vulnerabilities. It seems as if firewalls and anti-virus software are inadequate protection against cyberwarriors backed by the resources of a nation-state. The Microsoft operating system has been thoroughly cracked and its shortcomings exploited. And once you do know something - what can you do about it? How can you prove anything? How do you hold anybody accountable?

To push the disease analogy to its limit, cyberwar isn't just a simple virus/infection. It's more like HIV/AIDS - it may appear long dormant, but when it does become active it can use the system's defenses against itself.

"Big Brother, on your lap. Many casual home computer buyers give no thought to the fact that they are bringing a powerful surveillance tool into their homes, one that can eavesdrop on conversations, watch them walk about the room (and worse), and follow every move they make online."

The good news - I found another use for duct tape!
 
A healthy scepticism is always warranted. Yet commercial opportunism does not seem to me to be inconsistent with the level of the threat. Corporations that have failed to adequately defend themselves have at the least been embarrassed (SONY) - and at worst, bankrupted (DigiNotar). IMHO, while stocks in McAfee, Norton and Symantec have certainly soared, the fact that governments are now girding themselves for war is revealing.

Diginotar had totally broken systems which anyone with half a brain would find laughable! If I recall the news, they had no network separation inside the company, so that one compromised computer would open the way to all their systems, and they used Windows for everything! Such companies getting broken into should not alarm anyone; such companies having passed themselves off as suppliers of trusted services (as was the case with Diginotar) is the alarming thing!

The Russian hacker case described by those Georgians is another laughable story! Are we seriously to believe that some government-employed hacker would be so incompetent as to open unknown files on his own personal work laptop? If true, are we to be scared of such incompetents? It's a tale of script kiddies. Which, incidentally, are the only kind of hackers that the likes of Norton or Symantec and their employees can hope to catch.

Real security involves a lot of inconvenience. That's the trade-off. And inconvenience means additional cost to get anything done. Which is why commercial companies will never supply a good service on this area. Why all companies and most state institutions settle for weak but "good enough" security. And why the US, which still spends by far the most on this kind of activity, has no cause for hysteria over "cyberwar": the advantage it has is still huge. Some hysteria is, of course, understandable: it keeps that funding coming! But your country has no "hacker gap".
 
"Plan X"

DARPA, the Defense Advanced Research Projects Agency, recently held (15-16 Oct 2012) a stakeholder conference on cyberspace "battlefield mapping and tools for situational awareness".
Spoiler :
"Plan X, announced in May 2012, is the first DARPA program of its kind. It will attempt to create revolutionary technologies for understanding, planning and managing DoD cyber missions in real-time, large-scale and dynamic network environments. Plan X will conduct novel research on the cyber domain. The Plan X program is explicitly not funding research and development efforts in vulnerability analysis or generation of cyberweapons (i.e., defense, not offense)."

"These high-level plans will synthesize human-on-the-loop interfaces through missions scripts, which will manage, plan and understand large-scale, dynamic, real-time network cyberwarfare environments. The cyberwarfare acumen will deliver visually intuitive large-scale cyber battlespace and situational war game real-time awareness and visual Internet mapping."

The gist of all this is the idea that once a cyberattack is occurring, gatekeepers must quickly recognize, identify and respond to the threat in real time - that is, be prepared (ahead of time) to stop the attack while it's happening. Response time is obviously critical in preventing damage. Plan X is a proposal to the US Federal Government (fbo.gov) to create a defense-response system which "maps out" the cyberdomain so as to immediately facilitate a defensive response. The goal is to give gatekeepers the ability to visualize, comprehend and interdict the digital battlefield.

More on this as it develops...

DARPA News

itworld commentary

examiner commentary
 