Collateral damage and the NSA’s stash of cyberweapons

This morning’s Observer column:

All software has bugs and all networked systems have security holes in them. If you wanted to build a model of our online world out of cheese, you’d need emmental to make it realistic. These holes (vulnerabilities) are constantly being discovered and patched, but the process by which this happens is, inevitably, reactive. Someone discovers a vulnerability, reports it either to the software company that wrote the code or to US-CERT, the United States Computer Emergency Readiness Team. A fix for the vulnerability is then devised and a “patch” is issued by computer security companies such as Kaspersky and/or by software and computer companies. At the receiving end, it is hoped that computer users and network administrators will then install the patch. Some do, but many don’t, alas.

It’s a lousy system, but it’s the only one we’ve got. It has two obvious flaws. The first is that the response always lags behind the threat by days, weeks or months, during which the malicious software that exploits the vulnerability is doing its ghastly work. The second is that it is completely dependent on people reporting the vulnerabilities that they have discovered.

Zero-day vulnerabilities are the unreported ones…

Read on

Watergate 2.0

This morning’s Observer column on the hacking of the Democratic National Committee’s computer networks:

Needless to say, it’s been dubbed Watergate 2.0, in memory of the burglary of the DNC HQ in June 1972 by people working for Richard Nixon’s campaign team. And now, just as in 1972, the key questions are: who were the burglars? And what were their motives? A number of cybersecurity firms investigated the DNC hacks and concluded that the culprits were two agencies of the Russian government, one the FSB (successor to the KGB), the other Russia’s military intelligence agency, the GRU. A clinching piece of evidence linking the hack to the Russians was the existence of an internet address in the DNC malware that had also been found in a piece of malware used in a Russian attack on the German parliament’s servers.

So it seems pretty clear that Putin’s lot were the burglars. But what were their motives? Here the conspiracy theories begin…

Read on

Forget North Korea – the real rogue cyber operator is closer to home

This morning’s Observer column.

The company [Symantec] goes on to speculate that developing Regin took “months, if not years” and concludes that “capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state”.

Ah, but which nation states? Step forward the UK and the US and their fraternal Sigint agencies GCHQ and NSA. A while back, Edward Snowden revealed that the agencies had mounted hacking attacks on Belgacom, a Belgian phone and internet services provider, and on EU computer systems, but he did not say what kind of software was used in the attacks. Now we know: it was Regin, malware that disguises itself as legitimate Microsoft software and steals data from infected systems, which makes it an invaluable tool for intelligence agencies that wish to penetrate foreigners’ computer networks.

Quite right too, you may say. After all, the reason we have GCHQ is to spy on nasty foreigners. The agency was, don’t forget, originally an offshoot of Bletchley Park, whose mission was to spy on the Germans. So perhaps the news that the Belgians, despite the best efforts of Monty Python, are our friends – or that the UK is a member of the EU – had not yet reached Cheltenham?

Read on

Cyberwarfare: Iran ups its game

Intriguing NYT story about the next phase of cyberwarfare. Phase One, you will recall, was the Stuxnet attack, organised by the US and Israel.

On Aug. 15, more than 55,000 Saudi Aramco employees stayed home from work to prepare for one of Islam’s holiest nights of the year — Lailat al Qadr, or the Night of Power — celebrating the revelation of the Koran to Muhammad.

That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as “a significant escalation of the cyber threat.” In the Aramco case, hackers who called themselves the “Cutting Sword of Justice” and claimed to be activists upset about Saudi policies in the Middle East took responsibility.

Google turns to the spooks

I know that cloud computing is wonderful, etc. but have you noticed this development?

Just the thought is enough to send an involuntary little shiver up your spine: Google — keeper of a vast repository of data on our activities, interests and connections — working hand-in-hand with the National Security Agency — the top-secret electronic surveillance specialists who have been known to go rogue from time to time. But according to sources who spoke to the Washington Post, there are delicate talks now going on to form such a partnership with the goal of fortifying Google’s defenses against the kind of espionage-oriented hacking attacks launched from China against it and dozens of other U.S. companies in December.

Google reportedly approached the NSA shortly after the attacks, but in an indication of the sensitivity of such an arrangement, the talks have been going on for weeks. Reports the Post: “Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google’s policies or laws that protect the privacy of Americans’ online communications. The sources said the deal does not mean the NSA will be viewing users’ searches or e-mail accounts or that Google will be sharing proprietary data.” What the agency would do, as it has with other corporations, is help Google evaluate hardware and software vulnerabilities and gauge the sophistication of its attackers.

At face value, it all sounds reasonable, especially given the suspicions of state support for the Chinese hacking, but of the many things the NSA can tap, a deep reservoir of public trust is not one.

Amen.

The FT’s Gideon Rachman spent the morning at the International Institute for Strategic Studies’ briefing on their annual survey of the ‘Military Balance’. He reports that

The briefing offered by the IISS experts ranged fascinatingly over a variety of topics from the Iranian nuclear programme, to Russia’s new military doctrine and the links (or lack of them) between al-Qaeda and Iran.

But the thing I found most interesting was the confirmation that cyber-security is the hot issue of the day. John Chipman, the head of the IISS, says the institute is about to launch a special study of cyber-security which raises all sorts of fascinating issues about hard power, about the responsibilities of states and about international law. What if a country’s infrastructure could be destroyed as effectively by a cyber-attack, as by an invasion of tanks? How do you defend against that? How do you identify the culprits? And what does international law have to say about the issue – might we have to revise our definitions of what constitutes an act of war? Chipman argues, plausibly, that we are now at an equivalent period to the early 1950s. Just as strategists had to devise whole new doctrines to cope with the nuclear age, so they will have to come up with new ideas to cope with the information age.

And over at the Guardian Charles Arthur has an exhaustive (or should that be exhausting?) analysis of whether the UEA Climate Research Unit’s emails were hacked. His conclusion:

After the July incident, perhaps CRU failed to batten down the hatches, either through technical failings or because someone inside was subverting the efforts. So what happened in November?

Rotter blogged his theory last year. “In the past I have worked at organisations where the computer network grew organically in a disorganised fashion. Security policies often fail as users take advantage of shortcuts … one of these is to share files using an ftp server … This can lead to unintentional sharing with the rest of the internet.”

He added that files were perhaps put “in an ftp directory which was on the same central processing unit as the external webserver, or even worse, was on a shared driver somewhere to which the webserver had permissions to access. In other words, if you knew where to look, it was publicly available”.

If this hypothesis turns out to be true, UEA may end up looking foolish. For there will be no one to arrest.

In other words, the cock-up theory of history rules ok.
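The misconfiguration Rotter hypothesises above (files left in a directory the web server can read, and therefore the rest of the internet can too) is something an administrator can audit rather than guess at. The following is an added example, not part of Charles Arthur's piece or of the original post: it walks a directory as if it were the web-server account and lists every file that account could open, pruning any subtree the account cannot even search. It builds its own constructed sample tree, assumes uid/gid 33 for the web server (www-data on Debian-style systems, purely an assumption), and models plain POSIX owner/group/other bits only, not ACLs or the root override.

```python
import os
import stat
import tempfile
from pathlib import Path


def _can(st, uid, gid, owner_bit, group_bit, other_bit):
    """POSIX permission check for a process running as uid/gid against one stat result.
    Owner class first, then group, then other; no root override and no ACLs modelled."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & owner_bit)
    if st.st_gid == gid:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def readable_by(st, uid, gid):
    return _can(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def searchable_by(st, uid, gid):
    return _can(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def exposed_files(root, web_uid, web_gid):
    """Walk `root` and return (relative paths of) the regular files that a web-server
    process running as web_uid/web_gid could open. A directory the account cannot
    search hides everything beneath it, so such subtrees are pruned from the walk."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not searchable_by(os.stat(dirpath), web_uid, web_gid):
            dirnames[:] = []  # in-place prune: os.walk will not descend further
            continue
        for name in filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and readable_by(st, web_uid, web_gid):
                found.append(str(path.relative_to(root)))
    return sorted(found)


def build_sample_tree(base):
    """Constructed sample ftp directory (not CRU's real layout): one world-readable
    upload, one owner-only file, and one readable file inside an owner-only directory."""
    base = Path(base)
    os.chmod(base, 0o755)
    (base / "public").mkdir()
    os.chmod(base / "public", 0o755)
    (base / "public" / "station-data.csv").write_text("constructed sample\n")
    os.chmod(base / "public" / "station-data.csv", 0o644)  # anyone can read
    (base / "public" / "draft-notes.txt").write_text("constructed sample\n")
    os.chmod(base / "public" / "draft-notes.txt", 0o600)  # owner only
    (base / "private").mkdir()
    os.chmod(base / "private", 0o700)  # nobody else can search this directory
    (base / "private" / "mail-backup.tar").write_text("constructed sample\n")
    os.chmod(base / "private" / "mail-backup.tar", 0o644)  # readable, but unreachable


def demo(web_uid=33, web_gid=33):
    """Build the sample tree in a temporary directory and audit it as the assumed
    web-server account (uid/gid 33 is an assumption, not taken from the article)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return exposed_files(tmp, web_uid, web_gid)


if __name__ == "__main__":
    for rel in demo():
        print("reachable by the web-server account:", rel)
```

Only `public/station-data.csv` comes back: the owner-only file is unreadable and the file under the `0o700` directory is unreachable however permissive its own mode. Run against a real shared drive with the actual web-server uid/gid, anything listed is, in Rotter's words, "publicly available if you knew where to look".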

A wilderness of mirrors

From today’s NYTimes…

It is an axiom that “on the Internet nobody knows that you are a dog.”

By the same token, it is all but impossible to know whether you are from North Korea or South Korea.

That puzzle is plaguing law enforcement investigators in several nations who are now hunting for the authors of a small but highly publicized Internet denial-of-service attack that briefly knocked offline the Web sites of some United States and South Korean government agencies and companies.

The attack, which began over the Fourth of July weekend and continued into the next week, led to South Korean accusations that the attack had been conducted by North Korean military or intelligence agents, possibly in retaliation for new United Nations sanctions. American officials quickly cautioned that despite sensational news media coverage, the attacks were no different from similar challenges government agencies face on a daily basis.

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world.

“It would be incredibly difficult to prove that North Korea was involved in this,” said Amrit Williams, chief technology officer for Bigfix, a computer security management firm. “There are no geographic borders for the Internet. I can reach out and touch people everywhere.”

This is the back-story to the post by Mark Anderson that I blogged earlier in the week.

Does Skype have a back door?

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

CyberCrime 2.0

From the Register

Selling “installs” is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a “nice little earner”.

The income that can be earned grows with the numbers of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm MessageLabs sheds fresh light on the phenomenon.

MessageLabs culled its figures from a malware distribution site in Russia, the existence of which we’ve verified. The site is loaded with malware and for that reason we’ll refer to it by a shortened version of its name, installscash.org.

What the attacks on Estonia have taught us about online combat

Good piece in Slate by Cyrus Farivar…

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a “professional-grade” botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one’s fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians’ server logs show that the attacks first originated from Moscow. If the Russians don’t want to hand over data or documents—or even pick up the phone, for that matter—there’s not much that Estonia, or anyone else, can do to figure out the real story…