<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Citizen Lab &#187; InfoWar</title>
	<atom:link href="http://citizenlab.org/tag/infowarcyberterrorism/feed/" rel="self" type="application/rss+xml" />
	<link>https://citizenlab.org</link>
	<description>University of Toronto</description>
	<lastBuildDate>Wed, 22 May 2013 09:14:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Syria Uses Cyber Warfare to Attack Pro-Democracy Supporters</title>
		<link>https://citizenlab.org/2011/06/syria-uses-cyber-warfare-to-attack-pro-democracy-supporters/</link>
		<comments>https://citizenlab.org/2011/06/syria-uses-cyber-warfare-to-attack-pro-democracy-supporters/#comments</comments>
		<pubDate>Thu, 09 Jun 2011 18:40:41 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[News and Announcements]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Syria]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=9533</guid>
		<description><![CDATA[<p><blockquote>
Source: <a href="http://www.foxnews.com/world/2011/06/09/syrias-cyber-war-against-its-democracy-movement/" target="_blank">Jim Crogan</a>, Fox News

"The security forces of President Bashar Assad have moved ahead on multiple fronts. An estimated 10,000 people have been arrested and there are reports that some dissidents have been tortured to reveal their Facebook passwords. Foreign journalists have been banned from entering the country and access to the Internet and the mobile phone network has been curtailed.

Meanwhile, a shadowy group calling itself the Syrian Electronic Army (SEA) has orchestrated an array of cyber attacks in three key areas: spamming popular Facebook pages, such as President Barack Obama, the U.S. Department of State, French President Nicolas Sarkozy and Oprah Winfrey with pro-Assad propaganda; defacement attacks against Syrian opposition group websites, and defacement of Western websites.

“It’s the first case of an open, organized and orchestrated pro-government web attack group with a public presence on a national network in the Arab world,” explained Helmi Noman, a senior researcher with the OpenNet Initiative, a collaborative partnership between the Citizen Lab inside the Munk School of Global Affairs at the University of Toronto, the SecDev Group in Ottawa and the Berkman Center at Harvard University."

For full original article, click <a href="http://www.foxnews.com/world/2011/06/09/syrias-cyber-war-against-its-democracy-movement/" target="_blank">here</a>.
</blockquote></p><p>The post <a href="https://citizenlab.org/2011/06/syria-uses-cyber-warfare-to-attack-pro-democracy-supporters/">Syria Uses Cyber Warfare to Attack Pro-Democracy Supporters</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Source: Jim Crogan, Fox News<br />
For full original article, click <a href="http://www.foxnews.com/world/2011/06/09/syrias-cyber-war-against-its-democracy-movement/" target="_blank">here</a>.</p>
<p>&#8220;The security forces of President Bashar Assad have moved ahead on multiple fronts. An estimated 10,000 people have been arrested and there are reports that some dissidents have been tortured to reveal their Facebook passwords. Foreign journalists have been banned from entering the country and access to the Internet and the mobile phone network has been curtailed.</p>
<p>Meanwhile, a shadowy group calling itself the Syrian Electronic Army (SEA) has orchestrated an array of cyber attacks in three key areas: spamming popular Facebook pages, such as President Barack Obama, the U.S. Department of State, French President Nicolas Sarkozy and Oprah Winfrey with pro-Assad propaganda; defacement attacks against Syrian opposition group websites, and defacement of Western websites.</p>
<p>“It’s the first case of an open, organized and orchestrated pro-government web attack group with a public presence on a national network in the Arab world,” explained Helmi Noman, a senior researcher with the OpenNet Initiative, a collaborative partnership between the Citizen Lab inside the Munk School of Global Affairs at the University of Toronto, the SecDev Group in Ottawa and the Berkman Center at Harvard University.&#8221;</p>
<p>The post <a href="https://citizenlab.org/2011/06/syria-uses-cyber-warfare-to-attack-pro-democracy-supporters/">Syria Uses Cyber Warfare to Attack Pro-Democracy Supporters</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/06/syria-uses-cyber-warfare-to-attack-pro-democracy-supporters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet-based attacks on critical systems rise</title>
		<link>https://citizenlab.org/2011/04/internet-based-attacks-on-critical-systems-rise/</link>
		<comments>https://citizenlab.org/2011/04/internet-based-attacks-on-critical-systems-rise/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 17:38:28 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[Distributed Denial of Service Attacks (DDoS)]]></category>
		<category><![CDATA[InfoWar]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8725</guid>
		<description><![CDATA[<p><blockquote>

"Internet-based attacks on critical systems such as gas, power and water have increased around the world, a report suggests.

Security firm McAfee surveyed 200 IT executives working for utility companies in 14 countries.

Eight out of 10 said their networks had been targeted by hackers during the past year."

From <a href="http://www.bbc.co.uk/news/technology-13122339" target="_blank">BBC News</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/04/internet-based-attacks-on-critical-systems-rise/">Internet-based attacks on critical systems rise</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;Internet-based attacks on critical systems such as gas, power and water have increased around the world, a report suggests.</p>
<p>Security firm McAfee surveyed 200 IT executives working for utility companies in 14 countries.</p>
<p>Eight out of 10 said their networks had been targeted by hackers during the past year.&#8221;</p>
<p>From <a href="http://www.bbc.co.uk/news/technology-13122339" target="_blank">BBC News</a></p>
<p>Internet-based attacks on critical systems such as gas, power and water have increased around the world, a report suggests.</p>
<p>Security firm McAfee surveyed 200 IT executives working for utility companies in 14 countries.</p>
<p>Eight out of 10 said their networks had been targeted by hackers during the past year.</p>
<p>China was seen as the most likely source of attacks, followed by Russia and the United States.</p>
<p>The number of reported incidents was higher than in 2009 when just over half of those asked said they had fallen victim.</p>
<p>Denial of service</p>
<p>Most of the reported security breaches took the form of distributed denial of service (DDOS) attacks.</p>
<p>These typically involve a network of computers, under the control of criminals, overwhelming a company&#8217;s internet-connected systems.</p>
<p>While such incidents have the potential to impact websites and corporate networks, researchers said it was unlikely they were intended to cut off energy supplies.</p>
<p>However, there remained a possibility that DDOS attacks could do more harm in future, according to Stewart Baker, a former US national security advisor to President George W Bush and one of the report&#8217;s authors.</p>
<p>&#8220;We asked what the likelihood was of a major attack that causes significant outage.</p>
<p>&#8220;That is one that causes severe loss of services for at least 24 hours, loss of life or personal injury or failure of a company.</p>
<p>&#8220;Three quarters thought it would happen within the next two years,&#8221; he said.</p>
<p>Stuxnet</p>
<p>Arguably the best known example of an internet-borne threat disrupting an industrial system is the Stuxnet worm, which was discovered in 2010.</p>
<p>Analysis suggests that the malicious computer code was specifically designed to take control of machinery in either Iran&#8217;s Bushehr or Natanz nuclear facilities.</p>
<p>While it was known that the worm had spread more widely than its intended target, McAfee&#8217;s research suggested the full extent of its reach.</p>
<p>Among those utility companies that had carried out a search for Stuxnet on their computer systems, 40% found traces of it.</p>
<p>&#8220;It probably didn&#8217;t result in any obvious interference with the systems, because it wasn&#8217;t designed to do that,&#8221; said Mr Baker.</p>
<p>&#8220;But the fact that it spread so widely and could have done so if it had been differently designed is very, very troubling if you are worried about cyber attacks by hostile nations or extortion attempts by well organised criminal gangs.&#8221;</p>
<p>Government help</p>
<p>Respondents were also questioned about how much involvement they had with their governments on tackling cyber security issues.</p>
<p>Japan came out on top, along with China and the United Arab Emirates, although the survey did not ask if that cooperation was voluntary or enforced.</p>
<p>The United Kingdom scored lowest of all those taking part in the study.</p>
<p>A Cabinet Office spokesman told the BBC that the situation had improved dramatically since the launch of its National Security Strategy in October 2010.</p>
<p>The policy document recognises cyber attacks as one of the top four national security threats facing the country.</p>
<p>&#8220;We have recently launched an initiative with the private sector to help develop greater awareness of the threats and better protection for dealing with them,&#8221; said the spokesman.</p>
<p>http://www.bbc.co.uk/news/technology-13122339</p>
<p>The post <a href="https://citizenlab.org/2011/04/internet-based-attacks-on-critical-systems-rise/">Internet-based attacks on critical systems rise</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/04/internet-based-attacks-on-critical-systems-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace</title>
		<link>https://citizenlab.org/2011/04/mitigative-counterstriking-self-defense-and-deterrence-in-cyberspace/</link>
		<comments>https://citizenlab.org/2011/04/mitigative-counterstriking-self-defense-and-deterrence-in-cyberspace/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 14:46:07 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Law and Policy]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8685</guid>
		<description><![CDATA[<p><blockquote>

"In short, the current situation with cyberattacks is ominous, and more effective methods must be provided to potential victims to permit them to protect themselves. The time to act is now, and we must legally solidify the right to use self-defense in cyberspace, while also protecting the rights of potential uninvolved third parties who might be harmed by mitigative counterstrikes."

From <a href="http://works.bepress.com/jay_kesan/4/" target="_blank">Jay P. Kesan</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/04/mitigative-counterstriking-self-defense-and-deterrence-in-cyberspace/">Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;In short, the current situation with cyberattacks is ominous, and more effective methods must be provided to potential victims to permit them to protect themselves. The time to act is now, and we must legally solidify the right to use self-defense in cyberspace, while also protecting the rights of potential uninvolved third parties who might be harmed by mitigative counterstrikes.&#8221;</p>
<p>From <a href="http://works.bepress.com/jay_kesan/4/" target="_blank">Jay P. Kesan</a></p>
<p>Abstract</p>
<p>Cyberwar has become a reality. The question is no longer “if” the United States will experience a major cyberattack aimed at disrupting critical infrastructure, but “when.” In July of 2010, Iranian uranium enrichment activities were severely hindered by the Stuxnet worm, which used a number of zero-day exploits and damaged the Iranian nuclear infrastructure. In early 2011, documents leaked from the files of a computer security company provide evidence that there are “cyber contractors” in the United States that provide subscriptions to lists of exploitable vulnerabilities in popular software. Additionally, there exists the threat of Distributed Denial of Service (DDoS) attacks that could be used to knock a system’s defenses off-line and render the system more vulnerable to further attacks.</p>
<p>In the United States, highly visible corporations and privately owned critical infrastructure are both likely targets for debilitating cyberattacks, and there is an urgent need to ensure that these groups are protected. Currently, there is no consistently effective domestic or international criminal law regime to deter these sorts of attacks, and resorting to civil litigation is likely to prove impractical. A major barrier to punishing cyberattackers is the difficulty of identifying individual attackers. Passive defense methods, like firewalls, software patches, and antivirus software, do not require potential attackers to be identified to be effective. However, passive defense methods are not used consistently enough to have a perfect deterrent effect, and are all but useless against attacks utilizing zero-day exploits. For these reasons, we strongly urge a regulatory regime that would govern the use of active defense technologies, especially technologies that would enable mitigative counterstriking.</p>
<p>Active defense, however, has been a controversial subject, and it is this controversy that we seek to engage in. The reason that commentary about active defense has been so tentative and inconclusive up to this point is that active defense is intuitively bothersome and seen as amounting to vigilantism that carries significant danger of collateral damage. We assert that researchers have been analyzing this topic incorrectly as a unitary whole, instead of by looking at the different aspects of active defense (detecting, tracing, and counterstriking) and the two possible characterizations of counterstrikes (mitigative and retributive). A mitigative counterstrike would involve actions taken in self-defense in order to interrupt an attack in progress and mitigate immediate harm to a target system. Self-defense in cyberspace is a necessity, especially to protect critical infrastructure. Our analysis concludes that cyber counterstriking is readily justifiable under a self-defense framework, provided principles of mitigation are observed. Mitigative counterstriking is also legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending the law or by reinterpreting it.</p>
<p>After evaluating the technologies, the potential types of attacks, and the legal context, we conclude that mitigative counterstriking would be the most effective when used in response to DDoS attacks originating from botnets. Such a counterstrike would interrupt the attack and mitigate harm to the victim system, while also preserving the victim system’s defenses against additional attacks. Harming non-attackers through counterstrikes is also a potential concern, but we observe that the technological capabilities to engage in self-defense are advancing rapidly and provide the capability to avoid unnecessary harm to third parties. We urge that the government should regulate active defense and oversee mitigative counterstriking, perhaps as part of a public-private partnership to take advantage of the core competencies of both the public and private sectors on this topic. Our recommended regime to permit mitigative counterstrikes as self-defense would also include liability rules to protect third parties in the event that a counterstrike causes harm to a party other than the initial attacker.</p>
<p>In short, the current situation with cyberattacks is ominous, and more effective methods must be provided to potential victims to permit them to protect themselves. The time to act is now, and we must legally solidify the right to use self-defense in cyberspace, while also protecting the rights of potential uninvolved third parties who might be harmed by mitigative counterstrikes.</p>
<p>Suggested Citation</p>
<p>Jay P. Kesan and Carol M. Hayes. 2011. &#8220;MITIGATIVE COUNTERSTRIKING: SELF-DEFENSE AND DETERRENCE IN CYBERSPACE&#8221; ExpressO<br />
Available at: http://works.bepress.com/jay_kesan/4 </p>
<p>http://works.bepress.com/jay_kesan/4/</p>
<p>The post <a href="https://citizenlab.org/2011/04/mitigative-counterstriking-self-defense-and-deterrence-in-cyberspace/">Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/04/mitigative-counterstriking-self-defense-and-deterrence-in-cyberspace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>China’s Silent Cyber Takeover?</title>
		<link>https://citizenlab.org/2011/04/china%e2%80%99s-silent-cyber-takeover/</link>
		<comments>https://citizenlab.org/2011/04/china%e2%80%99s-silent-cyber-takeover/#comments</comments>
		<pubDate>Sun, 17 Apr 2011 18:14:21 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8706</guid>
		<description><![CDATA[<p><blockquote>

"According to the Go proverb ‘Play on the Point of Symmetry,’ when right and left have the same shape, there’s play in the centre. The ancient Chinese game of Go provides an apt metaphor for how China and Russia are leveraging US multinational corporations’ economic requirements to accomplish strategic goals that could quite plausibly include covert technology transfer of intellectual property, access to source code for use in malware creation and backdoor access to critical infrastructure."

From <a href="http://the-diplomat.com/flashpoints-blog/2011/04/17/chinas-silent-cyber-takeover/" target="_blank">The Diplomat</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/04/china%e2%80%99s-silent-cyber-takeover/">China’s Silent Cyber Takeover?</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;According to the Go proverb ‘Play on the Point of Symmetry,’ when right and left have the same shape, there’s play in the centre. The ancient Chinese game of Go provides an apt metaphor for how China and Russia are leveraging US multinational corporations’ economic requirements to accomplish strategic goals that could quite plausibly include covert technology transfer of intellectual property, access to source code for use in malware creation and backdoor access to critical infrastructure.&#8221;</p>
<p>From <a href="http://the-diplomat.com/flashpoints-blog/2011/04/17/chinas-silent-cyber-takeover/" target="_blank">The Diplomat</a></p>
<p>According to the Go proverb ‘Play on the Point of Symmetry,’ when right and left have the same shape, there’s play in the centre. The ancient Chinese game of Go provides an apt metaphor for how China and Russia are leveraging US multinational corporations’ economic requirements to accomplish strategic goals that could quite plausibly include covert technology transfer of intellectual property, access to source code for use in malware creation and backdoor access to critical infrastructure.</p>
<p>Take the case of Chinese entity Huawei Symantec. Although Huawei has reportedly been blocked by the Committee on Foreign Investment in the United States (CFIUS) in its effort to acquire 3Leaf, and AT&#038;T was said to be officially discouraged from purchasing equipment from Huawei by the National Security Agency (both due to national security concerns), Huawei successfully formed a joint venture with Symantec in 2007 called Huawei Symantec Technologies Co. Ltd. (HS). Huawei is the majority partner with 51 percent ownership, with the entity being headquartered in Chengdu, China.</p>
<p>According to the Huawei Symantec website:</p>
<p>‘Huawei Symantec Technologies Co. Ltd. (Huawei Symantec) is a leading provider of network security and storage appliance solutions to enterprise customers worldwide. Our solutions are developed to keep pace with evolving risks and demanding availability requirements facing enterprises. As a joint venture, Huawei Symantec combines Huawei’s expertise in telecom network infrastructure and Symantec’s leadership in security and storage software to provide world-class solutions that address the ever-changing needs in network security and storage for enterprises.’</p>
<p>However, a 2008 corporate briefing describes the history, capabilities, and business goals of HS, one of which is to ‘build China’s first laboratory of attack and defense for networks and applications.’</p>
<p>Following all this to its logical conclusion, this essentially means that Symantec, a major US information security company, is ‘assisting’ China’s cyber security research in computer network attack and defence &#8212; research that has high potential for abuse by state and non-state actors in China.</p>
<p>In the last few months, HS has formed two new joint ventures with US companies &#8212; SYNNEX and Force10 Networks. Why? In the case of SYNNEX, the goal is apparently to ‘distribute Huawei Symantec’s storage and security products to its resellers throughout North America.’</p>
<p>For Force10 Networks, Huawei Symantec said the firm ‘is pleased to establish this strategic partnership with Force10 Networks, and expects the relationship to further drive strong results for our existing North American customer base as well as tap into new business opportunities.’</p>
<p>Both SYNNEX and Force10 Networks currently sell to the US government. Force10 Networks’ website says that they sell their products to ‘defense, intelligence and civilian agencies to advance the bandwidth needs and reliability demands of government IT infrastructure while ensuring the economics and performance of mission critical networks.’ Since Huawei’s growth strategy includes financial support from Chinese banks that enable it to offer very low cost bids on key contracts, and since many governments (including India and the United States) have legal provisions that require them to go with the lowest bidder, these partnerships provide an apparently winning strategy for SYNNEX and Force10 Networks to secure government sales thanks to Huawei Symantec’s low manufacturing costs &#8211; all without HS’s name likely ever having to appear on the contract.</p>
<p>This means that Huawei, while being publicly blocked by US lawmakers from selling directly to the US government, has played on the ‘point of symmetry’ and has quietly secured access to US Defence Department and intelligence community customers through collaborative partnerships that no one has so far contested.</p>
<p>It’s not just China that seems to be placing itself in an advantageous strategic position.</p>
<p>Intel’s work in the Russian Federation dates back to 2002 with its sponsorship of a laboratory on wireless technology at Nizhny Novgorod State University (NNGU). The laboratory, located in the Department of Radiophysics, benefits from NNGU’s decades-long experience with Russia’s defence industry, especially the radar and air defence sector. According to an August 2004 Businessweek article, the lab was working on security software for high-speed wireless applications.</p>
<p>The laboratory’s activity is overseen by a guidance board that includes Leonid Yurevich Rotkov, the head of the Center for Security of Information Systems and Telecommunications Facilities also located in NNGU’s Department of Radiophysics. Leonid Rotkov is a noted expert on IT security. Conference agendas show he works as a security consultant for the Federal Security Service (FSB).</p>
<p>Until around 2008, the Center’s website stated that it was sponsored by the Federal Security Service (FSB). This statement has since been removed. However, the faculty listing for the Center includes one individual who is also an employee of the Nizhny Novgorod Branch of Scientific Technical Center (STC) Atlas. STC Atlas was previously directly subordinate to the FSB, however, it’s now a Federal State Unitary Enterprise (government owned) research institute that still works on IT security. The Nizhny Novgorod branch is one of four major STC Atlas research facilities. STC Atlas is currently certified by FSB for work on security issues including cryptology and ‘special studies.’</p>
<p>The physical location of Intel’s lab in a building that seems to be controlled by the FSB; performing research in a key area of interest to the FSB; and if the web evidence is to be believed is overseen by a person who worked as a security consultant for the FSB, could all potentially pose a significant security conflict for Intel’s US government customers, one that has been made even more complex by Intel’s recent acquisition of McAfee and its announced interest in acquiring database security firm Sentrigo. This is especially so as cloud services are one of Russia’s top R&#038;D investment priorities according to the Russian Academy of Sciences.</p>
<p>Additional leverage is afforded to the Russian government through article 15 of Federal law N 40-FZ ‘On the Federal Security Service.’</p>
<p>This is a substantial threat vector because it seems to legally enable the FSB to view or ask for modifications in whatever proprietary data it wants from Intel Russia. In the past, this type of information access would have to be done through espionage. Now it can be done with a simple request. Considering Intel’s recent announcement that it’s working on a chip-based solution to end the zero-day malware problem, the FSB’s access to Intel’s technology could make any present or future solution by the company questionable, at best.</p>
<p>So, should US firms shun Russia and China? The economics of continued growth for many US multi-national corporations means that they can’t afford to turn away from conducting business in Russia or China. This necessity, when combined with the inherent security weaknesses of a networked world, could be leveraged by the governments of Russia and China to advance their political goals against the United States and other nation states without having to resort to traditional warfare.</p>
<p>This strategy is perfectly legal and can be implemented with complete plausible deniability. Yet almost no one outside of the US national security community appears ready to offer a counter-strategy.</p>
<p>Jeffrey Carr is an IT security analyst and the author of &#8216;Inside Cyber Warfare: Mapping the Cyber Underworld&#8217; (O&#8217;Reilly Media, 2009). His blog can be found here.</p>
<p>http://the-diplomat.com/flashpoints-blog/2011/04/17/chinas-silent-cyber-takeover/</p>
<p>The post <a href="https://citizenlab.org/2011/04/china%e2%80%99s-silent-cyber-takeover/">China’s Silent Cyber Takeover?</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/04/china%e2%80%99s-silent-cyber-takeover/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In cyberspy vs. cyberspy, China has the edge</title>
		<link>https://citizenlab.org/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/</link>
		<comments>https://citizenlab.org/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/#comments</comments>
		<pubDate>Thu, 14 Apr 2011 14:19:25 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8668</guid>
		<description><![CDATA[<p><blockquote>

"As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.

And at the moment, many experts believe China may have gained the upper hand.

Though it is difficult to ascertain the true extent of America’s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States."

From <a href="http://www.theglobeandmail.com/news/technology/tech-news/in-cyberspy-vs-cyberspy-china-has-the-edge/article1985224/" target="_blank">The Globe and Mail</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/">In cyberspy vs. cyberspy, China has the edge</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.</p>
<p>And at the moment, many experts believe China may have gained the upper hand.</p>
<p>Though it is difficult to ascertain the true extent of America’s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.&#8221;</p>
<p>From <a href="http://www.theglobeandmail.com/news/technology/tech-news/in-cyberspy-vs-cyberspy-china-has-the-edge/article1985224/" target="_blank">The Globe and Mail</a></p>
<p>As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.</p>
<p>And at the moment, many experts believe China may have gained the upper hand.</p>
<p>Though it is difficult to ascertain the true extent of America’s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.</p>
<p>According to U.S. investigators, China has stolen terabytes of sensitive data – from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. “The attacks coming out of China are not only continuing, they are accelerating,” says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.</p>
<p>Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches – colourfully code-named “Byzantine Hades” by U.S. investigators – to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China’s People’s Liberation Army.</p>
<p>Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.</p>
<p>U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department’s Cyber Threat Analysis Division noted that several Chinese-registered Web sites were “involved in Byzantine Hades intrusion activity in 2006.”</p>
<p>The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the “precise” postal code in Chengdu used by the People’s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. “Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other” electronic spying units of the People’s Liberation Army, the cable says.</p>
<p>Reconnaissance bureaus are part of the People’s Liberation Army’s Third Department, which oversees China’s electronic eavesdropping, according to an October 2009 report by the U.S.-China Economic and Security Commission, a panel created by Congress to monitor potential national security issues related to U.S.-China relations. Staffed with linguists and technicians, the Third Department monitors communications systems in China and abroad. At least six Technical Reconnaissance Bureaus, including the Chengdu unit, “are likely focused on defence or exploitation of foreign networks,” the commission report states.</p>
<p>The precise relationship with the Chinese Army of suspected hacker Chen Xingpeng could not be immediately determined by Reuters. A spokesman for the Chinese embassy in Washington did not respond to multiple requests for comment. The U.S. State Department declined to comment.</p>
<p>But the leaked cables and other U.S. government reports underscore how Chinese and other state-sponsored and private hackers have overwhelmed U.S. government computer networks. In the last five years, cyber-intrusions reported to the U.S. Computer Emergency Response Team, a unit of the Department of Homeland Security, have increased more than 650 per cent, from 5,503 incidents in fiscal 2006 to 41,776 four years later, according to a March 16 report by the Government Accountability Office.</p>
<p>THE BUSINESS OF SPYING</p>
<p>The official figures don’t account for intrusions into commercial computer networks, which are part of an expanding cyber-espionage campaign attributed to China, according to current and former U.S. national security officials and computer-security experts.</p>
<p>In the last two years, dozens of U.S. companies in the technology, oil and gas and financial sectors have disclosed that their computer systems have been infiltrated.</p>
<p>In January 2010, Internet search giant Google announced it was the target of a sophisticated cyber-attack using malicious code dubbed “Aurora,” which compromised the Gmail accounts of human rights activists and succeeded in accessing Google source code repositories.</p>
<p>The company, and subsequent public reports, blamed the attack on the Chinese government.</p>
<p>The Google attack “was certainly an escalation of Chinese network operations against the U.S.,” says Joel Brenner, former counterintelligence chief for the Office of the Director of National Intelligence. “Thousands” of U.S. companies were targeted in the Aurora attacks, Brenner says – far more than the estimated 34 companies publicly identified as targets so far – a scale which Brenner says demonstrates China’s “heavy-handed use of state espionage against economic targets.”</p>
<p>Many firms whose business revolves around intellectual property – tech firms, defence group companies, even Formula One teams – complain that their systems are now under constant attack to extract proprietary information. Several have told Reuters they believe the attacks come from China.</p>
<p>Some security officials say firms doing business directly with Chinese state-linked companies – or which enter fields in which they compete directly – find themselves suffering a wall of hacking attempts almost immediately.</p>
<p>The full scope of commercial computer intrusions is unknown. A study released by computer-security firm McAfee and government consulting company SAIC on March 28 shows that more than half of some 1,000 companies in the United States, Britain and other countries decided not to investigate a computer-security breach because of the cost. One in 10 companies will only report a security breach when legally obliged to do so, according to the study.</p>
<p>“Simply put, corporations cannot afford negative publicity (about computer security breaches),” says Tom Kellermann, vice president of security awareness at Core Security Technologies and a contributor to the study.</p>
<p>GONE PHISHING</p>
<p>What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised e-mail accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.</p>
<p>The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst – that any network is vulnerable.</p>
<p>Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in “target development” for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees’ job descriptions, networks of associates, and even the way they sign their e-mails – such as U.S. military personnel’s use of “V/R,” which stands for “Very Respectfully” or “Virtual Regards.”</p>
<p>The spear-phish are “the dominant attack vector. They work. They’re getting better. It’s just hard to stop,” says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.</p>
<p>Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as “Byzantine Anchor,” “Byzantine Candor,” and “Byzantine Foothold.” A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.</p>
<p>A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. “Since 2002, (U.S. government) organizations have been targeted with social-engineering online attacks” which succeeded in “gaining access to hundreds of (U.S. government) and cleared defence contractor systems,” the cable said. The e-mails were aimed at the U.S. Army, the Departments of Defense, State and Energy, other government entities and commercial companies.</p>
<p>Once inside the computer networks, the hackers install keystroke-logging software and “command-and-control” programs which allow them to direct the malicious code to seek out sensitive information. The cable says that at least some of the attacks in 2008 originated from a Shanghai-based hacker group linked to the People’s Liberation Army’s Third Department, which oversees intelligence-gathering from electronic communications.</p>
<p>Between April and October 2008, hackers successfully stole “50 megabytes of e-mail messages and attached documents, as well as a complete list of usernames and passwords from an unspecified (U.S. government) agency,” the cable says.</p>
<p>Investigators say Byzantine Hades intrusions are part of a particularly virulent form of cyber-espionage known as an “advanced persistent threat.” The malicious code embedded in attachments to spear-phish e-mails is often “polymorphic” – it changes form every time it runs – and burrows deep into computer networks to avoid discovery. Hackers also conduct “quality-assurance” tests in advance of launching attacks to minimize the number of anti-virus programs which can detect it, experts say.</p>
<p>As a result, cyber-security analysts say advanced persistent threats are often only identified after they penetrate computer networks and begin to send stolen data to the computer responsible for managing the attack. “You have to look for the ‘phone home,’” says Roger Nebel, managing director for cyber-security at Defense Group Inc., a consulting firm in Washington, DC.</p>
<p>It was evidence of malicious code phoning home to a control server – a computer that supervises the actions of code inside other computers – that provided confirmation to U.S. cyber-sleuths that Chinese hackers were behind Byzantine Hades attacks, according to the April 2009 State Department cable.</p>
<p>As a case study, the cable cites a 10-month investigation by a group of computer experts at the University of Toronto which focused in part on cyber-intrusions aimed at Tibetan groups, including the office of the exiled Dalai Lama in Dharamsala, India.</p>
<p>Referencing the Canadian research, the cable notes that infected computers in the Dalai Lama’s office communicated with control servers previously used to attack Tibetan targets during the 2008 Olympics in Beijing. Two Web sites linked to the attack also communicated with the control server.</p>
<p>TARGETS DETAILED</p>
<p>The same sites had also been involved in Byzantine Hades attacks on U.S. government computers in 2006, according to “sensitive reports” cited in the cable – likely a euphemistic reference to secret intelligence reporting.</p>
<p>The computer-snooping code that the intrusion unleashed was known as the Gh0stNet Remote Access Tool (RAT). It “can capture keystrokes, take screen shots, install and change files, as well as record sound with a connected microphone and video with a connected webcam,” according to the cable.</p>
<p>Gh0st RAT succeeded in invading at least one State Department computer. It “has been identified in incidents – believed to be the work of (Byzantine Hades) actors – affecting a locally employed staff member at the U.S. Embassy in Tokyo, Japan,” according to the cable.</p>
<p>Evidence that data was being sucked out of a target network by malicious code also appears to have led cyber-security investigators to a specific hacker, affiliated with the Chinese government, who was conducting cyber-espionage in the United States. A March 2009 cable identifies him as Yinan Peng. The cable says that Peng was believed to be the leader of a band of Chinese hackers who call themselves “Javaphile.”</p>
<p>Peng did not respond to three e-mails seeking comment.</p>
<p>The details of alleged Chinese military-backed intrusions of U.S. government computers are discussed in a half dozen State Department cables recounting intense global concern about China’s aggressive use of cyber-espionage.</p>
<p>In a private meeting of U.S., German, French, British and Dutch officials held at Ramstein Air Base in September 2008, German officials said such computer attacks targeted every corner of the German market, including “the military, the economy, science and technology, commercial interests, and research and development,” and increase “before major negotiations involving German and Chinese interests,” according to a cable from that year.</p>
<p>French officials said at the meeting that they “believed Chinese actors had gained access to the computers of several high-level French officials, activating microphones and Web cameras for the purpose of eavesdropping,” the cable said.</p>
<p>TESTING THE WATERS</p>
<p>The leaked State Department cables have surfaced as Reuters has learned that the U.S. is engaged in quiet, proxy-led talks with China over cyber issues.</p>
<p>Chronic computer breaches have become a major source of tension in U.S. relations with China, which intensified after the major Google hack was disclosed in January 2010, according to U.S. officials involved in the talks. Even before the Google hack, Chinese officials had recognized the problem as well.</p>
<p>In mid-2009, representatives of the China Institutes for Contemporary International Relations, a nominally independent research group affiliated with China’s Ministry of State Security, contacted James A. Lewis, a former U.S. diplomat now with the Center for Strategic and International Studies (CSIS).</p>
<p>Lewis said that in his first meeting with his Chinese counterparts, a representative of the China Institutes asked: “Why does the Western press always blame China (for cyber-attacks)?” Lewis says he replied: “Because it’s true.”</p>
<p>There was no response to request for comment on the talks from the Chinese embassy in Washington.</p>
<p>Preliminary meetings at CSIS have blossomed into three formal meetings in Washington and Beijing over the last 14 months. According to two participants, the talks continue to be marked by “a lot of suspicion.” Attendees have focused on establishing a common understanding of cyber-related military, law enforcement and trade issues. Cyber-espionage isn’t being discussed directly, according to one participant, because “the Chinese go rigid” when the subject is raised.</p>
<p>One reason: for China, digital espionage is wrapped into larger concerns about how to keep China’s economy, the world’s second largest, growing. “They’ve identified innovation as crucial to future economic growth – but they’re not sure they can do it,” says Lewis. “The easiest way to innovate is to plagiarize” by stealing U.S. intellectual property, he adds.</p>
<p>There have been a few breakthroughs. U.S. and Chinese government officials from law enforcement, intelligence, military and diplomatic agencies have attended in the wings of each discussion. “The goal has been to get both sides on the same page,” says Lewis. “We’re building the groundwork for official discussions.”</p>
<p>A former senior national security official who has also attended the talks says, “Our reports go straight to the top policymakers” in the Obama administration.</p>
<p>Chinese participants have sought to allay U.S. concerns about a Chinese cyber-attack on the U.S. financial system. With China owning more than $1.1-trillion in U.S. government debt, Lewis says China’s representatives acknowledged destabilization of U.S. markets would, in effect, be an attack on China’s economy, itself.</p>
<p>Despite the talks, suspected Chinese cyber-espionage has hardly tapered off. Documents reviewed by Reuters show that CSIS itself recently was the target of a spear-phish containing malicious code with a suspected link to China.</p>
<p>On March 1, an e-mail sent from an address on an unofficial U.S. Armed Forces family welfare network called AFGIMail was sent to Andrew Schwartz, chief spokesman for CSIS. Attached to the message was an Excel spreadsheet labelled “Titan Global Invitation List.”</p>
<p>An analysis conducted for Reuters by a cyber-security expert who asked not to be identified shows the email may have been sent from a compromised AFGIMail e-mail server. The Excel spreadsheet, if opened, installs malicious code which searches for documents on the victim’s computer. The code then communicates to a Web-site hosting company in Orange County, California that has additional sites in China.</p>
<p>http://www.theglobeandmail.com/news/technology/tech-news/in-cyberspy-vs-cyberspy-china-has-the-edge/article1985224/page4/</p>
<p>The post <a href="https://citizenlab.org/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/">In cyberspy vs. cyberspy, China has the edge</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/04/in-cyberspy-vs-cyberspy-china-has-the-edge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA SecurID attack details unveiled – lessons learned</title>
		<link>https://citizenlab.org/2011/04/rsa-securid-attack-details-unveiled-%e2%80%93-lessons-learned/</link>
		<comments>https://citizenlab.org/2011/04/rsa-securid-attack-details-unveiled-%e2%80%93-lessons-learned/#comments</comments>
		<pubDate>Fri, 01 Apr 2011 18:15:26 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[RSA]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8412</guid>
		<description><![CDATA[<p><blockquote>

"RSA said the attack started with phishing emails sent to small groups of low-profile RSA users (presumably employees). The emails were surreptitiously titled “2011 Recruitment Plan” and landed in the users’ email Junk folders. (At least RSA’s SPAM filters were working, even if their social engineering training for employees was not).

Attached to the mysterious email was an Excel spreadsheet with recently-discovered Adobe Flash zero day flaw CVE-2011-0609. With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system. The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider. RSA saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done."

From <a href="http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better/" target="_blank">Gartner</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/04/rsa-securid-attack-details-unveiled-%e2%80%93-lessons-learned/">RSA SecurID attack details unveiled – lessons learned</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;RSA said the attack started with phishing emails sent to small groups of low-profile RSA users (presumably employees). The emails were surreptitiously titled “2011 Recruitment Plan” and landed in the users’ email Junk folders. (At least RSA’s SPAM filters were working, even if their social engineering training for employees was not).</p>
<p>Attached to the mysterious email was an Excel spreadsheet with recently-discovered Adobe Flash zero day flaw CVE-2011-0609. With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system. The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider. RSA saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done.&#8221;</p>
<p>From <a href="http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better/" target="_blank">Gartner</a></p>
<p>RSA had a conference call today with various analysts to discuss more details of the attack, and how they are communicating the after-effects to and with their customers.</p>
<p>RSA said the attack started with phishing emails sent to small groups of low-profile RSA users (presumably employees). The emails were surreptitiously titled “2011 Recruitment Plan” and landed in the users’ email Junk folders. (At least RSA’s SPAM filters were working, even if their social engineering training for employees was not).</p>
<p>Attached to the mysterious email was an Excel spreadsheet with recently-discovered Adobe Flash zero day flaw CVE-2011-0609. With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system. The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider. RSA saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done.</p>
<p>RSA came clean and told its customers immediately about the attack (which is something other companies have not done) and should be credited for handling a bad situation as well as it can.</p>
<p>The irony though with RSA is that they don’t eat their own dog food. In other words, they relied on yesterday’s best of breed tools to prevent and detect the attack. They gave a lot of credit to NetWitness for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time, which means the signals and scores weren’t high enough to cause a person to shut down the attack in real time.</p>
<p>RSA sells its own fraud detection systems based on user and account profiling which use statistical Bayesian models, and rules, to spot abnormal behavior and intervene in real time to re-authenticate users and verify the authenticity of suspect access, behavior, or transactions. (RSA appears in the leaders quadrant of Gartner’s 2010 Web Fraud Detection Magic Quadrant). They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems.</p>
<p>Perhaps this will shake them up so that they start moving a lot faster, like some of the small agile start ups they acquired in the past. They need to make it possible for the innovation to bubble up quickly into products and services that they not only sell and implement at customer sites, but that they use themselves internally.</p>
<p>I’m sure they are not the only company where this phenomenon is true. The old adage rings true – the shoemaker’s children have no shoes.</p>
<p>http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better/</p>
<p>The post <a href="https://citizenlab.org/2011/04/rsa-securid-attack-details-unveiled-%e2%80%93-lessons-learned/">RSA SecurID attack details unveiled – lessons learned</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/04/rsa-securid-attack-details-unveiled-%e2%80%93-lessons-learned/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The &#8220;new cyber military-industrial complex&#8221;</title>
		<link>https://citizenlab.org/2011/03/deibert-and-rohozinski-the-new-cyber-military-industrial-complex/</link>
		<comments>https://citizenlab.org/2011/03/deibert-and-rohozinski-the-new-cyber-military-industrial-complex/#comments</comments>
		<pubDate>Mon, 28 Mar 2011 13:47:29 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[Media]]></category>
		<category><![CDATA[News and Announcements]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cyber Military-Industrial Complex]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Law and Policy]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8356</guid>
		<description><![CDATA[<p><blockquote>
Ron Deibert, Director of The Citizen Lab and The Canada Centre for Global Security Studies, and Rafal Rohozinski, CEO of The SecDev Group share their thoughts on the emerging "cyber military-industrial complex" in today's Globe and Mail.
</blockquote></p><p>The post <a href="https://citizenlab.org/2011/03/deibert-and-rohozinski-the-new-cyber-military-industrial-complex/">The &#8220;new cyber military-industrial complex&#8221;</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Ron Deibert, Director of The Citizen Lab and The Canada Centre for Global Security Studies, and Rafal Rohozinski, CEO of The SecDev Group share their thoughts on the emerging &#8220;cyber military-industrial complex&#8221; in today&#8217;s Globe and Mail.</p>
<p>&#8220;There’s an arms race in cyberspace, and a massively exploding new cyber-industrial complex that serves it. Like all arms races before it, the growing tensions in cyberspace and the proliferation of tools and services that feed it create a climate of fear and insecurity. And as Samuel Coleridge once said, &#8216;What begins in fear usually ends in folly.&#8217; A dangerous, lawless atmosphere is spreading in cyberspace.&#8221;</p>
<p>From <a href="http://www.theglobeandmail.com/news/opinions/opinion/the-new-cyber-military-industrial-complex/article1957159/" target="_blank">The Globe and Mail</a></p>
<p>In the aftermath of the revolution that brought down Egypt’s Hosni Mubarak, protesters burst into the building that housed the state security services and combed through thousands of documents left by the departing regime. Among the files listing paid informants, tortured confessions and acts of secret manipulation was one rather exceptional document: a contract from an obscure German firm selling cyberwar software to the Egyptian regime. The document, quickly posted on the Internet, provided a detailed glimpse inside the black arts of today’s world of electronic warfare.</p>
<p>For those who study the geopolitics of cyberspace, the revelation was hardly surprising. There’s an arms race in cyberspace, and a massively exploding new cyber-industrial complex that serves it. The German firm is but one small manifestation.</p>
<p>It has become a truism to say that the offence has the advantage over the defence in cyber conflicts. Attack tools are cheap and widely available. Attackers can mount their assaults with lightning speed from anywhere on the planet to anywhere else, disguising their origins and masking responsibility.</p>
<p>Scholars of war and human nature have long understood that, in an offence-dominant environment such as this, the pressure is on to keep up or be left behind. Fear and insecurity increase, threats lurk everywhere, and rash decisions can lead to unexpected outcomes and chaos.</p>
<p>While this may sound ominous for most, for those in the defence industry, it presents an irresistible market opportunity. A new cyber military-industrial complex has exploded, estimated to be between $80-billion and $150-billion (U.S.) annually. Like Dwight Eisenhower’s military-industrial complex before it, this massive cyber-industrial complex is intimately connected to militarization processes in the West and, in particular, the United States. Major corporate giants that arose in the Cold War, such as Boeing and Northrop Grumman, are now repositioning themselves to service the cyber security market.</p>
<p>But as the Egyptian security service files show, the market knows no boundaries. Advanced deep packet inspection, content filtering, social network mining, cellphone tracking and computer network attack and exploitation capabilities, developed primarily by U.S., Canadian and European firms, are sold to hungry buyers worldwide – many of them authoritarian regimes.</p>
<p>Like all arms races before it, the growing tensions in cyberspace and the proliferation of tools and services that feed it create a climate of fear and insecurity. And as Samuel Coleridge once said, “What begins in fear usually ends in folly.” A dangerous, lawless atmosphere is spreading in cyberspace.</p>
<p>Both Indian and Iranian officials have gone on public record condoning hackers who work in the state’s interest. As if on cue, a group of hackers using the name Iranian Cyber Army defaces U.S.-supported websites, including those of the Voice of America and Radio Farda. Not long afterward, Sudan’s ruling party warns activists that the state’s “cyber jihadists” will crush their opposition movement.</p>
<p>A Jacobin-like collective of vigilante hackers, called Anonymous, targets websites, services, and companies that cross their conception of the “general will.” One week Visa is targeted, the next it’s Tunisia, and then an obscure racist religious congregation in the southern U.S. feels their wrath.</p>
<p>One cyber security firm, HBGary, that had developed infowar plans to identify Anonymous members and target WikiLeaks supporters, had their computers hacked by Anonymous, which then published 70,000 of the firm’s confidential e-mails.</p>
<p>Want to mount a distributed denial of service attack of your own to bring down a group you don’t like? It’s easy. Websites in China and Ukraine will sell you daily, weekly, monthly or even “lifetime” rentals of botnets with 24/7 technical support.</p>
<p>U.S. legislators, meanwhile, propose giving the President powers to shut off the Internet in an emergency, while Egyptian and Libyan authorities demonstrate just how easily it’s done.</p>
<p>Nothing, it seems, is sacred in cyberspace any longer.</p>
<p>This was not the way it was supposed to be. Cyberspace’s early architects foresaw a kind of digital agora that would fulfill long-standing democratic aspirations.</p>
<p>In 1937, the futurist H.G. Wells wrote an essay called the World Brain in which he predicted a time when technology would make information available to all citizens of the planet in real time:</p>
<p>“The whole human memory can be, and probably in a short time will be, made accessible to every individual. … It need not be concentrated in any one single place. It need not be vulnerable as a human head or a human heart is vulnerable. It can be reproduced exactly and fully, in Peru, China, Iceland, Central Africa, or wherever else seems to afford an insurance against danger and interruption.”</p>
<p>Imagine if Wells were alive today to see how close we’ve come to achieving that dream, only to allow it to slip into chaos.</p>
<p>We have indeed created a kind of “world brain”; the problem is, it’s a typically aggressive and insecure human one.</p>
<p>Ron Deibert is director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Rafal Rohozinski is CEO of the Ottawa-based SecDev Group.</p>
<p>http://www.theglobeandmail.com/news/opinions/opinion/the-new-cyber-military-industrial-complex/article1957159/</p>
<p>The post <a href="https://citizenlab.org/2011/03/deibert-and-rohozinski-the-new-cyber-military-industrial-complex/">The &#8220;new cyber military-industrial complex&#8221;</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/03/deibert-and-rohozinski-the-new-cyber-military-industrial-complex/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data storage maker’s anti-hacking division hacked</title>
		<link>https://citizenlab.org/2011/03/data-storage-maker%e2%80%99s-anti-hacking-division-hacked/</link>
		<comments>https://citizenlab.org/2011/03/data-storage-maker%e2%80%99s-anti-hacking-division-hacked/#comments</comments>
		<pubDate>Fri, 18 Mar 2011 18:04:44 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Internet Security]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8225</guid>
		<description><![CDATA[<p><blockquote>

"The world's biggest maker of data storage computers on Thursday said that its security division has been hacked, and that the intruders compromised a widely used technology for preventing computer break-ins.

The breach is an embarrassment for EMC Corp., also a premier security vendor, and potentially threatens highly sensitive computer systems.

The incident is a rare public acknowledgement by a security company that its internal anti-hacking technologies have been hacked. It is especially troubling because the technology sold by EMC's security division, RSA, plays an important role in making sure unauthorized people aren't allowed to log into heavily guarded networks."

From <a href="http://www.theglobeandmail.com/news/technology/tech-news/data-storage-makers-anti-hacking-division-hacked/article1946954/" target="_blank">The Globe and Mail</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/03/data-storage-maker%e2%80%99s-anti-hacking-division-hacked/">Data storage maker’s anti-hacking division hacked</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;The world&#8217;s biggest maker of data storage computers on Thursday said that its security division has been hacked, and that the intruders compromised a widely used technology for preventing computer break-ins.</p>
<p>The breach is an embarrassment for EMC Corp., also a premier security vendor, and potentially threatens highly sensitive computer systems.</p>
<p>The incident is a rare public acknowledgement by a security company that its internal anti-hacking technologies have been hacked. It is especially troubling because the technology sold by EMC&#8217;s security division, RSA, plays an important role in making sure unauthorized people aren&#8217;t allowed to log into heavily guarded networks.&#8221;</p>
<p>From <a href="http://www.theglobeandmail.com/news/technology/tech-news/data-storage-makers-anti-hacking-division-hacked/article1946954/" target="_blank">The Globe and Mail</a></p>
<p>The scope of the attack wasn&#8217;t immediately known, but the potential fallout could be widespread. RSA&#8217;s customers include the military, governments, various banks and medical facilities and health insurance outfits. EMC, which is based in Hopkinton, Mass., itself is an RSA customer.</p>
<p>EMC said in a filing with the Securities and Exchange Commission that RSA was the victim of what is known as an “advanced persistent threat,” industry jargon for a sophisticated computer attack. The term is often associated with corporate espionage, nation-state attacks, or high-level cyber-criminal gangs.</p>
<p>EMC didn&#8217;t offer clues about the suspected origin of the attack. It said it recently discovered an “extremely sophisticated” attack in progress against its networks and discovered that the infiltrators had made off with confidential data on RSA&#8217;s SecurID products. The technology underpins the ubiquitous RSA-branded keychain “dongles” and other products that blanket important computer networks with an additional layer of protection.</p>
<p>The products make it harder for someone to break into a computer even if a password is stolen, for example. The RSA device, working in concert with back-end software, generates an additional password that only the holder of the device would know. But if a criminal can figure out how those additional passwords are generated, the system is at risk.</p>
<p>RSA is one of the best-known names for this type of “two-factor authentication” technology.</p>
<p>RSA declined to comment on what type, or how much, information was stolen.</p>
<p>Richard Stiennon, a security analyst with the IT-Harvest firm, said there would be “tremendous repercussions” if the criminals were able to silently tap into critical systems using the stolen information.</p>
<p>“You&#8217;d never have a sign that you&#8217;ve been breached,” he said.</p>
<p>In its SEC filing, RSA said that it is “confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers.” However, it warned that “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”</p>
<p>“We have no evidence that customer security related to other RSA products has been similarly impacted,” said the company&#8217;s executive chairman, Art Coviello. “We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”</p>
<p>The company said it is providing “immediate remediation steps” for customers. It didn&#8217;t specify what those are. It outlined some generic security tips that offer clues about how its customers might be targeted with the information stolen from RSA, such as closely monitoring the use of social networking websites by people with access to critical networks and the need to educate employees on the danger of clicking on links or attachments in suspicious e-mails.</p>
<p>http://www.theglobeandmail.com/news/technology/tech-news/data-storage-makers-anti-hacking-division-hacked/article1946954/</p>
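<p>The article describes the mechanism at stake: the token and the back-end share a per-device secret seed, both derive the same short-lived code from it, and so anyone who learns the seed can predict the codes. The following is an added example, not code from the article and not RSA&#8217;s proprietary SecurID algorithm: it implements the generic HMAC-based one-time-password scheme of RFC 4226 (HOTP) and RFC 6238 (TOTP), with a small back-end that checks PIN + tokencode, and shows that an attacker holding a copy of the seed records produces valid passcodes, leaving the user&#8217;s PIN and the serial-to-user mapping as the only remaining barriers. The serial number, PIN, user name and clock value are constructed for the demonstration; the seed is the test key published in RFC 4226.</p>

```python
"""Added example (not from the article, and not RSA's proprietary SecurID
algorithm): a generic HMAC-based one-time-password token as in RFC 4226
(HOTP) and RFC 6238 (TOTP), plus a toy back-end that checks PIN + tokencode.
The serial number, PIN, user name and clock value are constructed for the demo;
the seed is the test key published in RFC 4226.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Back-end holding the seed records (serial -> seed) and the user records.

    The passcode a user types is PIN + tokencode: the PIN is something the user
    knows, the tokencode proves possession of the seed, which is the only thing
    the hardware token actually contributes.
    """

    def __init__(self, seeds, users, step=30, digits=6, window=1):
        self.seeds = seeds      # serial -> seed bytes: the records a vendor breach would expose
        self.users = users      # username -> (serial, pin)
        self.step = step
        self.digits = digits
        self.window = window    # tolerated clock drift, in steps, on either side

    def verify(self, user: str, passcode: str, now: int) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        serial, pin = record
        if not passcode.startswith(pin):
            return False
        code = passcode[len(pin):]
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        seed = self.seeds[serial]
        base = now // self.step
        # constant-time comparison against each code inside the drift window
        return any(
            hmac.compare_digest(code, hotp(seed, base + d, self.digits))
            for d in range(-self.window, self.window + 1)
        )


def attacker_passcode(stolen_seeds, serial: str, pin_guess: str, now: int) -> str:
    """What someone holding a copy of the seed file, but no device, can compute."""
    return pin_guess + totp(stolen_seeds[serial], now)


def demo() -> dict:
    seeds = {"000123456": b"12345678901234567890"}   # constructed serial, RFC 4226 test seed
    users = {"alice": ("000123456", "4711")}          # constructed user and PIN
    server = TokenServer(seeds, users)
    now = 1_300_000_000                               # fixed clock for a reproducible run

    legit = "4711" + totp(seeds["000123456"], now)                    # the real token holder
    seed_stolen = attacker_passcode(seeds, "000123456", "4711", now)  # seed and PIN both known
    no_seed = "4711" + "000000"                                       # PIN known, seed unknown: a blind guess
    wrong_pin = attacker_passcode(seeds, "000123456", "0000", now)    # seed known, PIN guessed wrong
    return {
        "legit": server.verify("alice", legit, now),
        "seed_stolen": server.verify("alice", seed_stolen, now),
        "no_seed": server.verify("alice", no_seed, now),
        "seed_stolen_wrong_pin": server.verify("alice", wrong_pin, now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} accepted={accepted}")
```

<p>Run directly, the script prints the four verification outcomes: the legitimate holder and the seed-holding attacker are both accepted, the attacker without the seed is rejected, and the attacker with the seed but the wrong PIN is rejected. That last case is why, once seed records are suspected stolen, the practical defences shift to the PIN and to the phishing and social-engineering paths by which an attacker would learn which user holds which serial.</p>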
<p>The post <a href="https://citizenlab.org/2011/03/data-storage-maker%e2%80%99s-anti-hacking-division-hacked/">Data storage maker’s anti-hacking division hacked</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/03/data-storage-maker%e2%80%99s-anti-hacking-division-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Iran launches cyber attack on ‘enemies’ of state: report</title>
		<link>https://citizenlab.org/2011/03/iran-launches-cyber-attack-on-%e2%80%98enemies%e2%80%99-of-state-report/</link>
		<comments>https://citizenlab.org/2011/03/iran-launches-cyber-attack-on-%e2%80%98enemies%e2%80%99-of-state-report/#comments</comments>
		<pubDate>Mon, 14 Mar 2011 17:19:07 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Iran]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=8136</guid>
		<description><![CDATA[<p><blockquote>

"Iranian hackers working for the powerful Revolutionary Guard's paramilitary Basij group have launched attacks on websites of the “enemies,” a state-owned newspaper reported Monday in a rare acknowledgment from Iran that it's involved in cyber warfare.

The report followed an announcement in January that Iran had formed its first cyber police unit in an attempt by authorities to gain an edge in the digital world."

From <a href="http://www.theglobeandmail.com/news/technology/tech-news/iran-launches-cyber-attack-on-enemies-of-state-report/article1940818/" target="_blank">The Globe and Mail</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/03/iran-launches-cyber-attack-on-%e2%80%98enemies%e2%80%99-of-state-report/">Iran launches cyber attack on ‘enemies’ of state: report</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;Iranian hackers working for the powerful Revolutionary Guard&#8217;s paramilitary Basij group have launched attacks on websites of the “enemies,” a state-owned newspaper reported Monday in a rare acknowledgment from Iran that it&#8217;s involved in cyber warfare.</p>
<p>The report followed an announcement in January that Iran had formed its first cyber police unit in an attempt by authorities to gain an edge in the digital world.&#8221;</p>
<p>From <a href="http://www.theglobeandmail.com/news/technology/tech-news/iran-launches-cyber-attack-on-enemies-of-state-report/article1940818/" target="_blank">The Globe and Mail</a></p>
<p>The Internet has also been a key outlet for Iran&#8217;s opposition since the 2009 disputed presidential election. In addition, Iran has been trying to boost its web defences after the Stuxnet computer worm made its way into computers involved with the country&#8217;s controversial nuclear program.</p>
<p>Gen. Ali Fazli, acting commander of the Basij, was quoted by state-owned IRAN paper as saying Iran&#8217;s cyber army is made up of university teachers, students and clerics. He said its attacks were a retaliation for similar attacks on Iran, according to the semi-official Mehr news agency. There were no further details about the possible targets or the time of the attacks.</p>
<p>“As there are cyber attacks on us, so is our cyber army of the Basij, which includes university instructors and students, as well as clerics, attacking websites of the enemy,” Fazli said. “Without resorting to the power of the Basij, we would not have been able to monitor and confront our enemies.”</p>
<p>So far, the Revolutionary Guard – Iran&#8217;s military-industrial powerhouse – was believed to be linked to the secretive “Cyber Army” that emerged to fight opposition websites and blogs after President Mahmoud Ahmadinejad&#8217;s disputed re-election in 2009.</p>
<p>In February, Guard chief, Gen. Mohammad Ali Jafari, signalled that the force supports the cyber army, describing it as a “defensive, security, political and cultural need for all countries.” Jafari claimed at the time that the Guard have been successful in cyber warfare.</p>
<p>Iran has been seeking to master the digital world as a crucial step to prepare for what it calls “soft war,” which includes fighting against cyber attacks such as the Stuxnet computer worm that Iran said was aimed at sabotaging its uranium enrichment program.</p>
<p>Iranian officials claimed there were no setbacks in nuclear operations from Stuxnet but a November report by the U.N. nuclear agency said Iran&#8217;s enrichment program was temporarily shut down in a possible link to the worm&#8217;s infiltration at the Natanz nuclear facility.</p>
<p>The origins of Stuxnet are unclear. But it&#8217;s considered a highly sophisticated malware designed to attack industrial systems and could have been aimed at the centrifuges used in uranium enrichment. Washington and others worry that Iran could eventually produce nuclear material for warheads, but Iran insists it only seeks to enrich uranium for energy and research.</p>
<p>The country has also been wary about Western cultural influences while trying to gain the upper hand in cyberspace against web-savvy opposition groups. Opposition groups use proxy servers and other tactics to stay ahead of authorities.</p>
<p>http://www.theglobeandmail.com/news/technology/tech-news/iran-launches-cyber-attack-on-enemies-of-state-report/article1940818/</p>
<p>The post <a href="https://citizenlab.org/2011/03/iran-launches-cyber-attack-on-%e2%80%98enemies%e2%80%99-of-state-report/">Iran launches cyber attack on ‘enemies’ of state: report</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/03/iran-launches-cyber-attack-on-%e2%80%98enemies%e2%80%99-of-state-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HBGary emails out Morgan Stanley as Aurora victim</title>
		<link>https://citizenlab.org/2011/03/hbgary-emails-out-morgan-stanley-as-aurora-victim/</link>
		<comments>https://citizenlab.org/2011/03/hbgary-emails-out-morgan-stanley-as-aurora-victim/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 21:13:29 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[Latest News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[InfoWar]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://citizenlab.org/?p=7936</guid>
		<description><![CDATA[<p><blockquote>

"Chinese hackers that attacked systems at Google and Adobe also infiltrated global financial services firm Morgan Stanley, according to internal emails stolen from HBGary, a security firm that was working with the bank.

In the emails, made public earlier this month by the activist hacker group Anonymous following a vengeful hack, an HBGary researcher said Morgan Stanley provided him details of the attack but asked that the information be kept secret."

From <a href="http://www.scmagazineus.com/hbgary-emails-out-morgan-stanley-as-aurora-victim/article/197335/" target="_blank">SC Magazine</a>

</blockquote></p><p>The post <a href="https://citizenlab.org/2011/03/hbgary-emails-out-morgan-stanley-as-aurora-victim/">HBGary emails out Morgan Stanley as Aurora victim</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;Chinese hackers that attacked systems at Google and Adobe also infiltrated global financial services firm Morgan Stanley, according to internal emails stolen from HBGary, a security firm that was working with the bank.</p>
<p>In the emails, made public earlier this month by the activist hacker group Anonymous following a vengeful hack, an HBGary researcher said Morgan Stanley provided him details of the attack but asked that the information be kept secret.&#8221;</p>
<p>From <a href="http://www.scmagazineus.com/hbgary-emails-out-morgan-stanley-as-aurora-victim/article/197335/" target="_blank">SC Magazine</a></p>
<p>The financial institution was one of those targeted in a series of coordinated attacks that have been dubbed “Operation Aurora.” Bloomberg News first reported this story on Monday.</p>
<p>“They were hit hard by the real Aurora attacks (not the crap in the news),” Phil Wallisch, senior security engineer at HBGary, wrote in a June 4 email to HBGary President Penny Leavy-Hoglund.</p>
<p>The attacks leveraged a previously unknown vulnerability in Internet Explorer to compromise systems at Google, Adobe and dozens of other companies. Morgan Stanley is the first financial institution to be identified as a victim.</p>
<p>“They have given me access to a very sensitive report on their Aurora experience,” Wallisch wrote in a May 10 email to Leavy-Hoglund.</p>
<p>In the same email, Wallisch said Morgan Stanley requested that he not share the information with anyone.</p>
<p>In a statement sent to SCMagazineUS.com on Tuesday, Morgan Stanley said the incident occurred more than a year ago and the bank has notified regulators, law enforcement and a “handful” of clients who may have been affected.</p>
<p>“Morgan Stanley invests significantly in IT security and manages a robust program to deal with malware and attempted computer compromises,” the statement said. “Like any other company in our industry, we deal with these matters in the normal course of conducting business.”</p>
<p>Dmitri Alperovitch, vice president of threat research at McAfee, told SCMagazineUS.com on Tuesday that Operation Aurora-style attacks are happening on a daily basis targeting a range of industries but most are never disclosed publicly.</p>
<p>“Most major global companies have come under these persistent and targeted attacks over the last few years and many have been successfully compromised,” Alperovitch said.</p>
<p>Operation Aurora is unique, he said, because of all the details that have emerged about the attacks.</p>
<p>Last January, Google disclosed that its systems were compromised to steal intellectual property on behalf of Chinese hackers. Adobe, Juniper Networks and Rackspace have also confirmed that their systems were targeted in the attacks. According to reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical also were among the victims.</p>
<p>HBGary&#8217;s internal emails, which out Morgan Stanley as a victim, were stolen last month by Anonymous after Aaron Barr, CEO of HBGary Federal, a sister firm to HBGary, told the Financial Times he planned to reveal his research around the activist collective at an upcoming security conference.</p>
<p>He never did. Barr has since resigned so he could repair his reputation.</p>
<p>http://www.scmagazineus.com/hbgary-emails-out-morgan-stanley-as-aurora-victim/article/197335/</p>
<p>The post <a href="https://citizenlab.org/2011/03/hbgary-emails-out-morgan-stanley-as-aurora-victim/">HBGary emails out Morgan Stanley as Aurora victim</a> appeared first on <a href="https://citizenlab.org">The Citizen Lab</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://citizenlab.org/2011/03/hbgary-emails-out-morgan-stanley-as-aurora-victim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
