Projecting Borders into Cyberspace

My Grey Goose colleague Jeffrey Carr makes a compelling argument about the need for nation-states to patrol their own territory in cyberspace. Specifically, Jeffrey writes,

One way to improve our ability to attribute attacks is to require that ISPs and nations exercise greater control. A recent breakfast conversation with a colleague on this topic resulted in what I think is a great way to assign attribution: Structure cyberspace like airspace or territorial waters with designated areas of state responsibility. In other words, each nation controls and is responsible for its own cyberspace.

In the case of airspace and territorial waters, enforcement is by international treaty. Perhaps one solution is to add cyberspace to this body of law as a fourth environment after air, land, and sea. There are penalties for violating a nation’s airspace. It seems logical to apply those penalties to cyberspace as well.

If enacted, this would put the onus on hosting companies licensed to do business in their respective countries to more vigorously enforce anti-piracy software laws, require registrars operating within their borders to make a better effort at validating WHOIS data, and require hosting companies to be more attentive to gross violations by their customers or be subject to civil and criminal penalties.

Ive expressed similar beliefs in previous blog posts on how to develop a cyber deterrence strategy. While there are certainly civil liberty, privacy, and other issues to resolve before we can implement international standards and norms regarding the use of cyberspace, the mounting losses from rampant cyber crime and espionage demonstrate the alternative of an ungoverned Internet is proving itself to be an unsustainable model.

Secrecy and Cyber Deterrence

On Monday, April 27, 2009, the New York Times published the first article in a series on the "growing use of computing power as a weapon." While I applaud the Times for reporting on this important issue, I was disturbed by the backwards thinking of policy makers revealed by the article.

Specifically, the article the touches on the problem of defining a cyber deterrence strategy. This is a topic in which I am extremely interested in and have previously written about here and here. The article states,

But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons.

While I understand the need for secrecy in matters of national security, I am deeply troubled that the culture of secrecy surrounding cyber warfare will negatively impact the United State's ability to create a credible cyber deterrent.

Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

It will be very difficult for the US to convince an adversary that it faces a credible prospect of punishment if our adversaries do not understand our offensive cyber power. I do not believe we need to publicly inventory our cyber weapons arsenal, but it would behoove us to publicly demonstrate our offensive capabilities. Public demonstrations like the Aurora Generator Test are good examples of how we can demonstrate our offensive capabilities to our adversaries.

A policy of publicly demonstrating offensive capabilities is nothing new. During the Cold War, the US military repeatedly tested nuclear weapons and conducted large-scale conventional military exercises. The US used these tests and exercises in part to demonstrate its offensive prowess so that its adversaries, including the Soviet Union, would understand the United State's ability to cause harm. Cyber is just a new domain of warfare and I see no reason to treat it any differently than we have previously treated warfare in the past. As such, it makes sense to publicly demonstrate our offensive capabilities. This will increase our deterrent capacity and help stave off future cyber wars. Excessive secrecy only makes cyber deterrence harder to achieve.

Comparing the Strategic Defense Initiative and the Comprehensive National Cybersecurity Initiative

This past week, during a panel discussion I moderated at RSA on how lessons from the Cold War could be applied to cyber conflict, an interesting line of discussion emerged. A member of the audience compared the use of cyber warfare strategies and tactics to the Strategic Defense Initiative (SDI).

While I am typicall skeptical of embracing historical analogies due to their frailties and tendency to lead policy makers astray, the similarities between cyber warfare and SDI are appealing enough to warrant further investigation. Our panel discussion and further in-depth discussions with colleagues revealed the followed parallels:

• During the Cold War, the Soviet Union felt compelled to invest increased amounts of resources into its nuclear weapons delivery systems in an effort to counter the purported defensive capabilities of SDI.

• In response to the threat of cyber warfare, the United States feels compelled to invest increased amounts of resources into cyber defenses designed to protect critical infrastructure targets. The Bush administration's Comprehensive National Cyber Security Initiative reportedly allocated close to $30 billion over the life of the program.

• In both cases, the efficacy of the strategies and tactics were unproven. SDI was never fully deployed, but the mere idea of a space based ballistic missile defense system spooked the Russians into allocating extra resources to countering its purported capabilities. Similarly, advanced cyber warfare strategies are at this moment theoretical. Yes, Estonia and Georgia have been attacked by crippling DDoS attacks, but large-scale coordinated attacks against critical infrastructure targets like the power grid have not yet been proven possible. While it is unclear whether or not the grid could be taken down by remote attackers, we are frantically spending money to counter this threat.

• In each case, the Soviet Union and the United States response appears to have been based on fear and not inspiration.

Do not get me wrong, I am not claiming we should ignore cyber security. Nor am I stating that cyber attacks against critical infrastructure are to be dismissed as fantasy. Rather, it is my feeling that our cyber security programs should be based on more than desperation and fear. For example, rather than respond with frantic patching and other point defensive measures, it would make more sense to use the threat to critical infrastructure as a tool to sponsor and encourage more secure coding initiatives. As my friend Ed Skoudis points out, software engineers in the United States are not required to study secure programming in order to earn a computer science degree. It would seem that the Federal Government would be smart to invest more of its $30 billion allocated to CNCI towards sponsoring education programs designed to foster secure software design.

As my colleague Dave Sulek likes to say, policy responses based solely on desperation without any hope or inspiration are destined to fail. In order to properly address the cyber security problem, we must seek to adopt policy prescriptions that are equal part inspiration and desperation.

Achieving Cyber Deterrence

Many cyber security experts and national security policy makers assume that it is impossible to achieve a comprehensive cyber deterrence strategy. Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

One reason that cyber deterrence is viewed as impossible because unlike the Cold War there is not one monolithic adversary to deter. During the Cold War the United States only had to worry about deterring nation-states and primarily achieved this goal via the threat of a nuclear retaliation. In today's cyber threat environment there are a number of adversaries including:

• nation-states;
• terrorists;
• patriotic hackers and;
• cyber criminals.
  

Each of these adversaries have different interests and objectives. Further, some of these adversaries, like terrorists, believe they have nothing to lose and therefore are not threatened by the use of force - digital or physical.

Accordingly, cyber security experts and policy makers believe it is difficult to develop a deterrent strategy to address all of these adversaries. While it is certainly more difficult to develop individual deterrence strategies for the above adversaries rather than the one deterrent strategy needed to counter the Soviet Union during the Cold War, it is by no means impossible. A closer examination of the various adversaries capabilities and intentions reveals the United States can easily develop a credible cyber deterrent strategy for its adversary.

Deterring nation-states is relatively straight forward. The United States still possesses its nuclear deterrent used to counter the Soviet Union during the Cold War. This deterrent capability can still be used to deter nation-state adversaries from launching devastating cyber attacks on critical infrastructure targets.

Deterring terrorists, patriotic hackers, and cyber criminals is a more difficult challenge. Currently, terrorist groups have demonstrated intent but not the capability to launch crippling cyber attacks against critical infrastructure targets. Therefore, in order to successfully deter terrorist from pursuing cyber warfare the United States should focus on improving its cyber security and resiliency. Improved defense may convince terrorist groups that the execution of a successful cyber attack is well beyond its capabilities. Additionally, improved resiliency may convince terrorist groups that even if successful a cyber attack may not have the desired crippling effect. Improved resiliency, via the use of redundant systems, can be designed to prevent devastating and cascading failures in critical systems. A terrorist group may be less likely to waste precious resources attacking a target they perceive to be invulnerable to attack.

Patriotic hackers have demonstrated the capability and intent to launch successful cyber attacks against critical infrastructure targets. For example, Chinese patriotic hackers are believed to be responsible for an ongoing series of cyber espionage attacks against various targets within the Defense Industrial Base sector. According to media reports, untold amounts of valuable intellectual property and military logistics data were lost in these attacks. Given the patriotic hackers de facto connection to a nation-state it is reasonable to treat this adversary as an extension of its patron nation-state. The United States should carefully articulate its belief that attacks carried out by patriotic hackers will be treated as attacks sponsored by the hacker's patron nation-state. As such, the United States should threaten the patron nation-state with retaliation in an effort to deter attacks launched by patriotic hackers. Ideally, nation-states will find this threat credible and seek to control and limit attacks emanating from patriotic hackers within their borders.

Cyber criminals have also demonstrated the capability and intent to launch cyber attacks against critical infrastructure targets. Cyber criminals have launched successful attacks against various targets in the financial sector. Additionally, CIA analyst Tom Donohoe publicly stated that presumed cyber criminals caused blackouts overseas. Donohoe said, "we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet." Cyber criminals appear to be the most difficult adversary to deter due to their perceived capability to overcome advanced defenses as well as the inability to tie them directly to a patron nation-state. While difficult, the United States can deter cyber criminals by improving its attribution capabilities. Improved technical attribution coupled with effective intelligence gathering and increased information sharing by international law enforcement partners will enable the United States to more accurately identify the sources of a cyber attack. Once identified the United States should use traditional law enforcement strategies to pursue and arrest cyber criminals. Improved attribution and an effective response from law enforcement will likely discourage cyber criminals from launching high profile attacks on critical infrastructure targets like the power grid.

Developing a comprehensive cyber deterrence will by no means be easy to achieve and will take lots of patient work. Just because our Cold War deterrent strategy is no longer applicable and a replacement is not immediately obvious it does not mean we should conclude that cyber deterrence is impossible. After World War II and the introduction of nuclear weapons, policy makers took time to develop the sustainable framework of mutually assured destruction. This strategy was not immediately obviously at the dawn of the Cold War and we should therefore not expect that a cyber deterrent strategy will also be immediately obviously.

Hacking with iPwn

I'm kicking myself for missing the Hacking Exposed session with Stuart McClure and George Kurtz at RSA. These guys were able to pwn a Windows Primary Domain Controlled from an iPhone. Wow! Thats some pretty amazing stuff.

For those interested in getting in the weeds with computer security I highly recommend you read Stuart and George's book Hacking Exposed. Its considered by many to be the bible for penetration testing.

The Cold War Reloaded?

In its 2007 Virtual Criminology Report McAfee stated that "cyber crime has expanded from isolated attacks initiated by individuals or small rings to well-funded, well-organized operations using sophisticated technology and social engineering." Further, the report noted that an estimated 120 countries are developing or utilizing cyber espionage or warfare capabilities. The report speculated that we are now entering a "cyber Cold War." 

This past week at the RSA Conference in San Francisco I had the pleasure of moderating two panels that discussed this cyber Cold War analogy. The specific purpose of these panels was to more thoroughly analyze the Cold War analogy and tease out those similarities that could aid policy makers in better understanding the current threat environment and discarding those differences that would lead decision makers astray.

The conclusion of both panels was that we are indeed facing an exacerbated cyber threat. Some panelists concluded that we were indeed engaged in a cyber cold war with various adversaries, while other attendees were hesitant to label the currently threat environment as a "war". Further, the panelists found some useful similarities and distracting differences between the Cold War and the current cyber threat environment. Its my intention to blog about some of these similarities and differences that we discovered in future blog posts. Stay tuned!

A Cyber Cold War?

Next week, i'm headed out to the RSA Conference in San Fracisco to moderate a panel that will discuss whether or not the United States is currently engaged in a "cyber cold war". The panel abstract gives a overview of the planned discussion:

It is widely believed that the world is in the midst of a "cyber cold war". China's alleged cyber espionage against the U.S. and Russia's flexing of its cyber muscles on its neighbors are purportedly examples of this new cold war. It is clear that nation-states use cyber warfare to achieve political goals, but is there a new "cyber cold war"?

The other panelists and I will closely examine the comparison of Cyber War to the Cold War. Specifically, we will analyze the similarities and differences between the geopolitical structure of the Cold War world and today's world order. Further, we will study the specific weapons technologies of the Cold War and of Cyber War and debate if the differences between these technologies negates any comparisons between the eras.

It should make for an interesting discussion and I am very excited to share the stage with renowned cyber security experts including Ed Giorgio, Thomas Fuhrman, Dmitri Alperovitch, and one of my mentors Ed Skoudis.

I'll be sure to post updates from San Francisco about the conference.

Scanning the Grid

Last week's WSJ article has stirred controversy within the cyber security community. Many, including myself, recognize the vulnerabilities in the power grid but nonetheless feel this specific story was was hype. Others believe the real threat to the grid is from insiders, not external hackers.

The fundamental problem with the WSJ article is that it provided no specific information to support its claims. Sure, its logical to assume that rival nation-states, like Russia and China, are interested in developing offensive cyber warfare strategies and tactics - including the capability to take out a power grid. However, without solid attribution data it is difficult to state with certainty that China and Russia have indeed penetrated our grid.

As we've discussed attribution is difficult, but not impossible. Thankfully, independent cybersecurity researchers have stepped into the void and attempted to provide more reliable attribution data. Team Cymru recently published a study documenting the origination point of probes for SCADA systems. As we've discussed in class, SCADA systems are used to monitor and control power plants and the power grid. If a hacker were able to locate and gain control of a SCADA system responsible for power generation or distribution, the hacker could presumably crash the SCADA system and disrupt the grid.

According to Team Cymru's research,

scans of our Darknet for 2008 for udp/20000, tcp/502, udp/2222, tcp/44818 and udp/44818. These ports encompass protocols that are believed to control a large section of currently deployed SCADA systems. The IPs scanning for these ports seem to be grouped into four geographic regions:

USA: The two main hotspots for scanning appear to emanate from IPs located in Houston, Texas and Miami, Florida.

Western Europe: There are hotspots in London, United Kingdom, Seville, Spain, and apparently in locations in Scandinavia and Southern France.

Eastern Europe: Hotspots in this region include St Petersburg and Moscow as well as a location in the Ukraine and Bucharest, Romania.

Far East: By far the most concentrated grouping of hotspots, the Far East contains concentrations of SCADA scanning IPs in Thailand, Hong Kong, Taiwan, Korea, Japan and several locations in China.

On the surface, this data appears to indicate that hackers in China and Russia are actively scanning the Internet in search connected SCADA systems. I appluad Team Cymru's efforts to bring analytical clarity to the question of whether rivals are penetrating our power grid. However, I do feel compelled to point out a couple of limitations of their studies.

First, just because a scan originates from China does not mean the hacker executing the scan is based in China or Russia. A hacker from another country could easily connect to a bot in China or Russia to carry out a scan.

Second, its important to note next to China and Taiwan, the United States was the third most popular origination point for scans for SCADA systems. Does this mean that hackers in the United States are also probing for SCADA systems? Or does it mean that hackers are using bots based in the US to carry out thier scans?

My point is that more data and analysis is required in order to accurately identify the source of a probe or a cyber attack. Again, attribution is difficult but impossible and it is absolutely necessary.

Privacy vs. Security - An Example

As you may recall during our social engineering exercise, one of the attack vectors we discussed used a URL shortening service and Twitter. The implicit trust between users on social networking sites like Twitter, increases the chances that a user will click on links from someone they "follow". The use of URL shortening services to save precious character space makes it more difficult for a user to vet the site they are clicking through to and therefore leaves many users in jeopardy of visiting a malicious site.

Some URL shortening services, like TinyURL, have responded to this problem by creating a preview function that allows users to view the full URL of the destination website prior to visit the site. For those interested in utilizing this service visit http://tinyurl.com/preview.php.

I bring this service to your attention for two reasons. First, I strongly encourage those users of Twitter or TinyURL to make use of this feature for security purposes. Second, this service demonstrates a tension between privacy and security.

TinyURL is interested in protecting the security of its users and therefore created this URL preview service so that users could defend themselves against social engineering attacks. However, this URL preview feature is enabled via the use of cookies. A cookie is a persistent file written to your hard drive that allows TinyURL to uniquely identify you (or more precisely your computer). As a result, TinyURL is able to log all the links you (or someone using your computer) visit. As we discussed in class, this type of data collection represents a threat to privacy as users may not fully understand that a portion of their surfing history is being tracked by TinyURL. As a result of this data collection a host of other privacy concerns are raised including the possiblity of secondary use.

I am in no way seeking to condemn TinyURL. I believe it is doing the right thing by creating this preview functionality to protect its users from social engineering attacks. Further, using a cookie is far less intrusive then requiring users to register for an account and provide personal information. That being said, I believe TinyURL can do a much better job explaining to its users what its data rention policy is and how it protects the surfing history of its users from abuse.

Cyber Security Hype Reloaded

Following up on our original discussion about the hype surrounding the threat to the power grid, Nart Villeneuve shreds the myths surrounding the WSJ story and shines a light on the more pressing threat to critical infrastructure.

Nart writes,

Now, the point here is not to diminish the threat of attack against critical infrastructure but to point out that the hype-based approach ends up bringing focus on the wrong kinds of threats. By focusing on external Internet-based threats (that may or not really exist) the focus on the insider threat is lost.

In many cases the insider threat is of more importance than an external, Internet-based threat (especially when such systems are *not* connected to the Internet).

As a point of reference, Nart helped lead the Ghostnet investigation and is widely respected throughout the Information Security community. His opinions should be taken very seriously. You can find him online here.

Use Sandboxie

If you're interested in enhancing the security of your online interactions and protecting your personal data you should make use of Sandboxie.

During our brief discussion about the Pwn2Own contest we noted that Chrome was the only browser not to be hacked. Chrome survived the onslaught in large part due to its use of sanbox technology.

Sandboxie operates on a similiar principal. You can run your web browser or your email application through Sandboxie. This will protect your computer by running these programs in a virtualized environment and prevent malware, such as keyloggers, from being installed on your computer.

Deconstructing Attribution

Conventional wisdom dictates that it is nearly impossible to assign attribution of a cyber attacker. According to this school of thought the open nature of the Internet allows an attacker to spoof their IP address and obfuscate their identity by routing through a series of proxy servers or utilizing a botnet. Further, it is believed that even with the technical capacity to accurately trace the origin of an attack, it is impossible with current technology to know who is at the keyboard executing the attack.

As the attribution problem is central to a number of vexing cyber security predicaments, it is important to study and validate the assumption that attribution is nearly impossible. While it is technically difficult to trace the origin of attack through a confusing maze of proxy servers or infected bots, attribution is not solely dependent on the technology needed to identify an accurate IP address.

A number of others technical and non-technical data points can help identify the source of an attack. For example, if the source of an attack is a bot investigators can attempt to identify who wrote the bot code and who currently controls the bot. In the summer of 2008 a large botnet was used to launch DDoS attacks against targets in Georgia. While the use of a botnet appeared to complicate the task of identifying those responsible for the attack, a closer examination revealed that the botnet used during the attack was known as "Machbot". According to Arbor Network's Danny McPherson, "Machbot is primarily a Web-based Russian DDOS botnet written in Russian, used by several different groups, but not widely available." While the identification of the botnet used for the attacks on Georgia does not provide irrefutable proof of Russia's responsibility for the attacks, it certainly does provide compelling evidence that Russian nationalist hackers and possibly the Russian government were involved in these attacks.

Additionally, analyzing the attacker's target may help reveal his or her identity. The target of the attack reveals information about the intentions of the attacker and can therefore aid in attribution. Returning to the example of the cyber attacks against Georgia, the corresponding phsyical conflict between Russian and Georgian troops in South Ossetia led many analyst to suspect that Russian nationalist hackers, possibly at the direction of the Russian Government, were responsible for the DDoS against Georgian websites.

Finally, patient and clever cyber intelligence gathering can reveal a tremendous amount of information the individuals or entities responsible for an attack. After the presence of the Ghostnet cyber espionage network was revealed, Heike and Jumper from the Dark Visitor blog demonstrated that patient cyber intelligence gathering can aid in attribution. Specifically, via clever analysis of whois registration data and patient trolling of chinese hacker forums, Heike and Jumper were able to identify at least one individual believed to be responsible for the Ghostnet cyber espionage network.

In short, it vitally important to understand that attribution is difficult, but not impossible. There may not be fancy technology that can discover the origination point of an attack and identify the individual at the keyboard. However, through patience and old school detective work it is possible to identify the hackers, criminals, spies, or terrorists responsible for a cyber attack.

What is a Cyber Attack?

I came across an interesting argument raised by Kent Anderson at the Politically Motivated Computer Crime and Hacktivism Blog. Mr. Anderson notes some interesting inconsistencies in the recent Wall Street Journal report that claimed Chinese and Russian hackers had infiltrated the U.S. power grid. Specifically, the article stated,

The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

However, the article also claims,

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on.

Mr. Anderson astutely notes that the contention that the "intruders haven't sought to damage the power grid" is fundamentally flawed. According to our discussion of information security theory, specifically the concepts of confidentiality, integrity, and availability, the act of installing malicious code into the power grid is a cyber attack. Although the hackers haven't attacked the availability of the grid, the installation of this code does attack the integrity of the power grid.

Recall that according to the National Institutes of Standards and Technology, "a loss of integrity is the unauthorized modification or destruction of information." According to the WSJ, "software tools" were installed within the power grid "that could be used to destroy infrastructure components." This represents a clear attack on integrity.

The WSJ article appears to have raised the threshold for what defines a cyber attack. By this new definition, an attack must involve physical damage or economic damage. Some advice to the WSJ, when reporting on complex cyber security stories please do your homework and do not rely on "anonymous sources".

Hacking for Dummies

From the San Jose Mercury News,

Santa Clara County officials have declared a local emergency after they said someone intentionally cut an underground fiber optic cable in south San Jose, causing a widespread phone service outage in southern Santa Clara and Santa Cruz counties today that included disruption to 911 emergency phone service.

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables.Britton also said there was a report of underground cables being cut in San Carlos.

Barrett Lyon of BitGravity states that the damage from these cuts included,

many people in Silicon Valley woke up without 911 service, Internet, cellular phones, and in some cases TV. Web sites were impacted and Internet traffic between a few major datacenters stopped flowing.

If cables were cut at a number strategic locations the impacts can be significant. In December 2006 a massive earthquake off the coast of Taiwan damaged multiple underseas fiber optic cables and disrupted traffic throughout Asia for days.

The apparent intentional cable cuts in San Francisco demonstrate that attacks on the cyberspace can have the same impact as the attacks in cyberspace.

Extremist Web Sites Are Using U.S. Hosts

Today's Washington Post reports on the Taliban's use of U.S. Internet Service Providers (ISP). The article states,

On March 25, a Taliban Web site claiming to be the voice of the "Islamic Emirate of Afghanistan" boasted of a deadly new attack on coalition forces in that country. Four soldiers were killed in an ambush, the site claimed, and the "mujahideen took the weapons and ammunition as booty."

Most remarkable about the message was how it was delivered. The words were the Taliban's, but they were flashed around the globe by an American-owned firm located in a leafy corner of downtown Houston.

For those writing their final paper on how terrorist groups use the Internet, I recommend that you read it in full. Despite the articles implication that the use of U.S. ISPs is a "new" trend, it is important to understand that terrorist groups, specifically al-Qaeda, have long made use of U.S. ISPs to deliver their message. Ive seen groups use U.S. ISPs for the last five years. Ive also seen terrorist ulilize other American online services such as YouTube!, the US Government funded Internet Archive, and WordPress to name a few.

Cyber Security Hype

From the Wall Street Journal,

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

This isnt really news. As we've discussed in class, similar reports have surfaced in the past few years.  As there is not much new in this WSJ story, my cynicism of politics on Capitol Hill leads me to believe that this story was planted by people interested in pushing the Cybersecurity Act of 2009. 

To be clear, I do believe that there are vulnerabilities in the power grid and other critical infrastructures.  Further, I believe that hostile nation-states and non-state actors currently have the capability and intention to penetrate our critical infrastructure.  However, I am not convinced that federalizing cyber security is the answer.

UPDATE: This piece in Forbes validates my suspicion that this story was planted in order to pressure the private sector into accepting more stringent regulations.

UPDATE: Richard Stiennon from the ThreatChaos blog is in total agreement that this story is hype.

Skimming Identities

From the Consumerists blog,

This past weekend I went to use the local WaMu ATM to get some cash money. When I walked up to the ATM something struck me as funny…I couldn't quite put my finger on it but the card reader didn't look right, like it wasn't completely attached. I grabbed and pulled at the card reader and, lo and behold, it came off! It was actually a card skimmer attached to the ATM over that actual card reader. On the back there is a battery, flash memory card, and a mini USB port – it was set up so that ATM cards would first go through the skimmer and then into the ATM itself so you'd never know the difference.

While this type of attack is different then the type of phishing and other targeted cyber attacks then we've discussed this semester, it is important to note the varied technical means criminals employ to achieve their goals.

The Profile Police

From the Washington Post,

As high school students flock to social networking sites, campus police are scanning their Facebook and MySpace pages for tips to help break up fights, monitor gangs and thwart crime in what amounts to a new cyberbeat ...

An expedition into a thicket of blinking MySpace profiles found high school students discussing drugs, sex and fights. It was all publicly available (although in language that caused a reporter to blush).

"It's crazy, the things they put on there," Loudoun County Sheriff Stephen O. Simpson said. "They seem to think they're invisible."

Some students object, 

"It's not really [their] business to be looking at students' profiles," said Eleni Gibson, 15, a freshman at Robinson. "Because they might see something that students didn't want them to see." But she acknowledged that the practice might be worthwhile for safety."

Others acknowledge the presence of police on social networking sites,

"I think that we all know that [they] can look at our Facebooks, and they do," said LeighAnne Baxter, 17, a senior at Robinson. "If you do put up incriminating pictures, you have to be prepared for the consequences."

Hunting the GhostNet Hacker

Heike and Jumper from the Dark Visitor blog recount their search for the hacker behind the Ghostnet cyber spying network. Its a fascinating read and it provides an excellent case study of cyber intelligence tradecraft.

For those interested in writing on Chinese cyber espionage or cyber intelligence gathering tradecraft for their final paper I highly recommend you read this specific post as well as the entire Dark Visitor blog. Heike and Jumper do great work.

Weekly Roundup

• China pwns Britain?
• Britain's Snooper Charter to monitor social networking sites
• US Senate wants to regulate cyberspace
• Internet Fraud complaints up 33% in 2008
• PowerPoint zero-day in the wild
• Senator Nelson pwned (by China?)
  
• Multiple DNS providers under DDOS attack
• China pwns Australian Prime Minister (notice a pattern here?)
  

Conficker World Maps

Shadowserver and Conficker Working Group have produce these maps that illustrate the distribution of hosts infected with the Conficker worm.

Ghostnet In Action

Symantec has created a great video that demonstrates the use and function of Ghostnet.



You can also read Symantec's write-up about the Ghostnet backdoor here.

Heading to Tallin

I'm headed to the Cooperative Cyber Defense Center of Excellence's Conference on Cyber Warfare in Tallin, Estonia. The Conference is in mid-June and boasts an outstanding line-up of speakers - you can visit the website for more detailed information.

I'll be giving a presentation on historical analogies for cyberspace. Specifically, my colleague and I will examine if there are other alternatives to the oft discussed digital Pearl Harbor and cyber Katrina analogies. I am concerned about the current narrative surrounding cyberspace in general and am in particular concerned that policy makers are narrowly driven by fear of a massive cyber attack. It is my concern that this fear will drive over regulation and cause more problems than the regulation attempts to solve.

If this argument sounds familiar it should. Jonathan Zittrain outlined this same concept of the 'generative dilemma' in his book the Future of the Internet.

Kreb's on Conficker

Lots of great reporting from Brian Kreb's on the threat from Conficker.  Kreb's echoes a lot of points that we discussed in class and have previously made on this blog.

But whatever the number of infected machines, I think one important aspect of this and other date-based threats like Conficker is that they are in danger of being overlooked amid all the the I-told-you-sos and the nothing-to-see-here-move-along type sentiments.

One problem with over-hyped threats that fail to live up to expectations (as they invariably do) is that they tend to desensitize the average user to more insidious, stealthier threats.

All of that said, the truth is that the threat from Conficker is as real today as it was three days ago on April 1: The worm's author(s) could easily decide to wait until everyone's guard is down to instruct all infected systems to update themselves with additional malicious components, or to attack some target online or start blasting spam.

As stated earlier, we need to move past overhyped vulnerability analysis and embrace a more holistic risk analysis paradigm that encompases threat, vulnerability, and consequence.

Balancing Security and Privacy in Cyberspace

In the race to legislate solutions to our nation's vulnerabilities in cyberspace are we giving up more privacy protections?  A recent piece in Mother Jones offers a good examination of the trade-offs between privacy and security in cyberspace in current legislation being proposed on Capitol Hill.

From Mother Jones,

a bill to establish the Office of the National Cybersecurity Advisor - an arm of the executive branch that would have vast power to monitor and control Internet traffic to protect against threats to critical cyber infrastructure.  That broad power is rattling some civil libertarians.

The Cybersecurity Act of 2009 gives the president the ability to "declare a cybersecurity emergency" and shut down or limit Internet traffic in any "critical" information network "in the interest of national security." The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president.

The bill does not only add to the power of the president. It also grants the Secretary of Commerce "access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access." This means he or she can monitor or access any data on private or public networks without regard to privacy laws.

Do you think the Executive Branch needs these kinds of authorities to protect cyberspace? 

NSA and the Equities Dilemma

The equalities dilemma can best be described as weighing the pros and cons of exploiting or disclosing a vulnerability.  For example, imagine that the National Security Agency (NSA) discovers a flaw in Microsoft Outlook that allows a remote attacker to read the entire contents of a target's email account.  Does the NSA inform Microsoft of this vulnerability or does it use it to exploit the target's vulnerable email account for signals intelligence collection?  Will keeping the vulnerability secret hurt the United States - as other hackers, cyber criminals, or nation-states may have discovered the same flaw and are using it to gather intelligence on US Government and private sector targets?

In a recent Wall Street Journal Op-Ed, Bruce Schneier nicely summarizes this dilemma stating, 

what happens when both the good guys the NSA wants to protect, and the bad guys the NSA wants to eavesdrop on, use the same systems? They all use Microsoft Windows, Oracle databases, Internet email, and Skype. When the NSA finds a vulnerability in one of those systems, does it aler the manufacturer and fix it - making both the good and bad guys more secure? Or does it keep quiet about the vulnerability and not tell anyone - making it easier to spy on the bad guys but also keeping the good guys insecure?

Can this dilemma be resolved via a calculation regarding our exposure to a vulnerability compared to the potential value of intelligence gained through the vulnerability? Is it possible to calculate our total exposure to a vulnerability when many of the targets of cyber crime and cyber espionage are in the private sector?

GhostNet Breakdown

The Information Warfare Monitor (IWM) provides an excellent in-depth analysis of the design and function of GhostNet. As we discussed GhostNet was a botnet comprised of approximately 1,300 infected machines. The infected machines were located in 103 countries and appear to have been specifically targeted because they contained access to politically sensitive information.

The following graphic produced by the IWM provides a breakdown of where the infected computers were located.

I highly recommend that you read the IWM report.

Are you Infected by Conficker?

Security researcher Joe Stewart has developed a very simple and incredibly easy to use tool that will tell you if you have been infected by Conficker. Visit Joe's website here and follow the instructions to test your local computer.

Joe's tool tests whether or not your computer can access a series of websites that are blocked by Conficker. If you can get to these sites then you're clean, if you can't then you've been infected. If you find that you've been infected visit the SANS Internet Storm Center and consult the listed resources for removing Conficker from your computer.

Conficker - A Balanced Assessment

Well, April 1st is here and the Internets are still working. Personally, im not surprised. This story was hyped because the media reported on the vulnerabilities caused by Conficker but did not provide an overall assessment of the risk presented by the worm.

Certainly, having 10 million infected hosts under the control of a mysterious group of hackers is a dangerous vulnerability. However, the measure of risk presented by this vulnerability can only be calculated when threat and consequence are measured.

Risk = Threat + Vulnerability + Consequence

As we've discussed in class, threat is a combination of capabilities and intention. In the case of Conficker, the hackers had the capabilities to do pretty much whatever they wanted with the infected hosts. They could have launched a massive denial of service attack or installed key-loggers on the infected machines and stolen personally identifiable information. However, at this point the intentions of the hackers are unclear. The intentions of hackers are unclear because know one knows who the hackers are or who they are working for. It is therefore impossible to measure the threat measured by Conficker and therefore an accurate assessment of risk cannot be determined.

Threat = Capabilities + Intentions

If the Conficker botnet is controlled by cyber criminals, which is the most likely scenario, then its highly probable that these criminals will rent out portions of the botnet for spam runs, denial of service attacks, click-fraud, and phishing attacks. As we've discussed in class these types of attacks occur everyday on the Internet and havent caused a cataclysmic meltdown yet. Worms aren't new and bots arent new. The Internets will survive.

We need to move past hysterical vulnerability assessments that claim the sky is falling and instead conduct through risk assessments before claiming the Internet will collapse.