“Because the Internet Census had so many different vantage points — 420,000 in total — it offered a unique look at the computers on many different networks.”

Read the full piece here.

The post Is it wrong to use data from the world’s first ‘nice’ botnet? appeared first on The Citizen Lab.

HMRC has categorically refused to provide any details regarding any investigation into Gamma’s export practices, arguing it is statutorily barred from releasing information to victims or complainants. The law enforcement agency denies that it has any obligation to be transparent about any activities relating to the potentially illegal exports of British surveillance technology by Gamma International.

Six month ago, PI sent HMRC a dossier of evidence that included many Citizen Lab reports showing Gamma’s potentially illegal exports and called for an investigation into their practices. Unfortunately every attempt both PI and UK Members of Parliament have made to find out what is been done since has been blocked.

View the full press release.

The detailed PI reports (Part 1 and Part 2) are also available.

The post PI files for judicial review of HMRC refusal to reveal state of investigation into Gamma International appeared first on The Citizen Lab.

Titled, “Internet Security and Networked Governance in International Relations”, the paper asks whether the Internet’s heavy reliance on nonhierarchical, networked forms of governance is compatible with growing concerns about cyber-security from traditional state actors. Networked governance is defined as a semipermanent, voluntary negotiation system that allows interdependent actors to opt for collaboration or unilateral action in the absence of an overarching authority.

Two case studies — Internet routing security and the response to a large-scale botnet known as Conficker — show the prevalence of networked governance on the Internet and provide insight into its strengths and limitations. The paper concludes that both cases raise doubts about the claim that introducing security concerns into Internet governance necessarily leads to more hierarchy and/or a greater role for governments.

Click here to read the article.

The post Fellow Brenden Kuerbis co-authors new Internet Governance article appeared first on The Citizen Lab.

Listen to the interview in Arabic.

The post Citizen Lab Senior Researcher Helmi Noman interviewed on France24 Arabic appeared first on The Citizen Lab.

In a report published by The School of Public Policy at the University of Calgary, professor Ron Deibert argues that Canada has potential to be a global leader in cyber security, but this opportunity is being squandered because of the lack of a clear strategy in this area. “Canada should be forging a leading position in global cyberspace governance and security,” Deibert writes. “We certainly stand among those with the most to lose should cyberspace continue its spiral into censorship, securitization, militarization, and crime.”

To read the full report, see here.

The post Director Ron Deibert authors new report on Canada’s role in promoting cyber security appeared first on The Citizen Lab.

For several weeks, it has been difficult to open a newspaper or watch a Sunday talk show without hearing about the advent of “cyber war.” The media has been filled with an avalanche of cyber threat-related stories: the hacking of leading newspapers, evidence of Chinese government involvement in intellectual property theft, and now, further distributed denial of service attacks against U.S. banks. All these events present real and serious national security challenges. But cyber-espionage, cyber-crime and the malicious disruption of critical infrastructure are not the same as war, and the distinction is important.

The idea that America is in the middle of a “cyber war” isn’t just lazy and wrong. It’s dangerous. The war analogy implies the requirement for military response to cyber intrusions. America genuinely needs effective civilian government cyber defense organizations with strong relationships with the private sector and the active engagement of an informed general public. Creating and even promoting the fear of “cyber war” makes that more difficult. Here’s why:

First, while the U.S fights its wars using the highly-trained professional within the U.S. Armed Forces, defending against cyber threats does not necessary require military expertise or prowess. True, most private individuals and corporations lack the knowledge and training needed to fight off attacks from elite Chinese, Iranian and Russian cyber “warriors.” As a result, there is and will continue to be a pressing need for highly qualified information security experts to help defend the larger U.S. cyber landscape. Nonetheless, there are relatively simple ways to make it more difficult for the bad guys without escalating to a “war” standing. In 2011, the Australian Defence Signals Directorate (their equivalent of the U.S. National Security Agency) showed that by taking just four key measures–“whitelisting” (i.e., allowing only authorized software to run on a computer or network), very rapid patching of applications and of operating system vulnerabilities, and restricting the number of people with administrator access to a system–85 percent of targeted intrusions can be prevented. These might appear more like prophylactic public health measures than warfare–and that’s the point. The United States does not need to declare “war” and call up the military to fend off cyber threats.

For the full article, see here.

The post Why the U.S. is not in a cyber war appeared first on The Citizen Lab.

America’s generals and spymasters have decided they can secure a better future in cyberspace through, what else, covert warfare, preemptive attacks, and clandestine intelligence. Our rivals are indeed seeking to harm U.S. interests and it is perfectly within the president’s purview to use these tools in response. Yet this is an unwise policy that will ultimately backfire. The undoubted, immediate national security advantages will be at the expense of America’s longer-term goals in cyberspace.

The latest headlines on covert and preemptive cyberplans highlight just the latest phase of a cyber “cult of offense” dating back to the 1990s. Unclassified details are scarce, but the Atlantic Council’s study of cyber history reveals covert plans, apparently never acted upon, to drain the bank accounts of Slobodan Milosevic and Saddam Hussein. More recent press accounts detail cyber assaults on terrorist networks (including one that backfired onto U.S. servers) and Stuxnet, which destroyed Iranian centrifuges. American spy chiefs say U.S. cyber capabilities are so prolific that this is the “golden age” of espionage, apparently including the Flame and Duqu malware against Iran and Gauss, which sought financial information (perhaps also about Iran) in Lebanese computers.

Offensive cyber capabilities do belong in the U.S. military arsenal. But the continuing obsession with covert, preemptive, and clandestine offensive cyber capabilities not only reduces resources dedicated for defense but overtakes other priorities as well.

For the full article, see here.

The post Obama’s cyberwarfare strategy will backfire appeared first on The Citizen Lab.

Ryan Naraine talks to Vupen CEO Chaouki Bekrar about the controversies surrounding the sale of zero-day vulnerabilities and exploits, his company’s business dealings and the work that goes into winning the CanSecWest Pwn2Own hacker contest. This interview was done just moments after Bekrar’s research team demonstrated a zero-day attack against Microsoft Internet Explorer 10 on Windows 8, an exploit that bypassed all mitigations including the browser sandbox.

See more here.

The post Vupen CEO Chaouki Bekrar addresses zero day marketplace controversy at CanSecWest appeared first on The Citizen Lab.

“There’s no cyberwar without a real war,” argues cryptographer Bruce Schneier. Yet some sort of cyberconflict with China is afoot. After the U.S. Air Force asked, I considered what a cyberwar, with some real shooting, might look like between the United States and China. In it, I thought cyber-arms would blind, cripple and confuse, but missiles, bombs and torpedoes would do the killing. That will likely change.

News of cyber-attack is omnipresent. But in answering the question of what makes a cyber-attack an act of war, remember that in computer science such attacks are no more than attempts to subvert the function of a system. Compromising a system to steal data, rob property or blow up an oil refinery are all attacks, but only the last of them would likely be considered an act of war or terrorism. We have a lexical problem.

As for rules of engagement, that’s for lawyers interpreting the laws of armed conflict to consider. I see no clear universal redlines. As long as they work, countries and plenty of others will launch cyber-attacks that blur the differentiation between power of persuasion and hard coercive force in combinations of diplomacy, trade, covert action and military intervention. A friend suggested a term for placement of cyber-action across the spectrum of international affairs: shoft (mostly soft, but with some hard elements). Most soft U.S. cyberpower is in Silicon Valley. But there is a growing area of cyber-action with physical ramifications in other places — see Stuxnet and Shamoon.

For the full article, see here.

The post Hacking isn’t cyberwar, for now appeared first on The Citizen Lab.

Cyber criminals have targeted government officials in more than 20 countries, including Ireland and Romania, in a complex online assault seen rarely since the turn of the millennium.

The attack, dubbed “MiniDuke” by researchers, has infected government computers as recently as this week in an attempt to steal geopolitical intelligence, according to security experts.

MiniDuke is the latest in a string of cyber attacks aimed at governments and other high-profile institutions, following revelations about the suspected Chinese hacking of western defence and media organisations.

Unusually, security researchers said there was no clear indication of who was behind the latest online attack.

The cybersecurity firm Kaspersky Lab, which discovered MiniDuke, said the attackers had servers based in Panama and Turkey – but an examination of the code revealed no further clues about its origin.

Goverments targeted include those of Ireland, Romania, Portugal, Belgium and the Czech Republic. The malware also compromised the computers of a prominent research foundation in Hungary, two thinktanks, and an unnamed healthcare provider in the US.

For the full article, see here.

The post Hackers attack European governments using ‘MiniDuke’ malware appeared first on The Citizen Lab.