Sunday, January 31, 2010

Web 2.0 Suicide Machine

If you are sufficiently freaked out by the perils of a public presence on the Internet then investigate the Web 2.0 Suicide Machine. The Suicide Machine "lets you delete all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web2.0 alterego. The machine is just a metaphor for the website which moddr_ is hosting; the belly of the beast where the web2.0 suicide scripts are maintained. Our service currently runs with Facebook, Myspace, Twitter and LinkedIn! Commit NOW!"

Personally, i think this is a drastic step. Rather than bury your head in the sand in an attempt to avoid the dangers of the digital age, you should instead learn to interact responsibly and securely on the Internet.

Friday, January 29, 2010

Online Anonymity

You are sitting at your computer staring at the screen. You havent logged into any website. You are just casually surfing. You feel pretty confident that you are relatively anonymous, right? How could anyone possible uniquely identify you?

Well, the Electronic Frontier Foundation is striving to answer that question. They just launched the Panopticlick website which is designed to, in the EFF's words, test "your browser to see how unique it is based on the information it will share with sites it visits."

You can test the uniqueness of your browser here -

Personally, i was surprised to learn that my browser was unique among the more than 220,000 browsers tested. Im browsing with Chrome 4.0 on a MacBook Air running Snow Leopard. I know there are more variables used to determine my browsers configuration (plugins, screen resolution, etc) but its hard to believe that theres not another person with the same configuration as me. Bruce Schneier has similar thoughts here.

Call for Interns

If you are a current or former student of mine interested in a summer internship working as a cyber intelligence analyst then drop me a line. I am especially interested in any students with foreign language skills.

Thursday, January 28, 2010

Clive Thompson on Obscurity

Clive Thompson wrote a great blog post about the value of obscurity. He touches on an important theme that we will discuss throughout the semester about the value of privacy. While reading Thompson's piece substitute 'obscurity' for 'privacy' and you'll understand why privacy is important.

Thompson writes,
The lesson? There’s value in obscurity.

After all, the world’s bravest and most important ideas are often forged away from the spotlight — in small, obscure groups of people who are passionately interested in a subject and like arguing about it. They’re willing to experiment with risky or dumb concepts because they’re among intimates. (It was, after all, small groups of marginal weirdos that brought us the computer, democracy, and the novel.)

Technically speaking, online social-networking tools ought to be great at fostering these sorts of clusters. Blogs and Twitter and Facebook are, as Internet guru John Battelle puts it, “conversational media.” But when the conversation gets big enough, it shuts down. Not only do audiences feel estranged, the participants also start self-censoring. People who suddenly find themselves with really huge audiences often start writing more cautiously, like politicians.
In the same way that obscurity fosters the generation of ideas, privacy also fosters intellectual, social, and cultural experimentation that allows societies to thrive.

Wednesday, January 27, 2010

US oil industry hit by cyberattacks: Was China involved?

On January 25, The Christian Science Monitor published an article detailing cyber attacks against three Oil & Gas companies. According to the article,
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.

The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.

The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says.

The attackers appear to have gained access to their targets by patiently researching which key personnel to target with phishing attacks designed to downloaded malware into the victim's networks.

The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.

The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.

The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says.

But, according to the source and documents obtained by the Monitor, her response was too late. The fake had already been forwarded to other people – and someone had clicked on the link it contained. Instantly, an unseen spy program started spreading stealthily across Marathon’s global computer network.

Nearly identical fake e-mails that appeared to come from senior executives were also sent to colleagues in key posts at ExxonMobil and ConocoPhillips – all containing a request for them to analyze the Economic Stabilization Act noted on the subject line, a source familiar with the attacks says.

The entire article is worth the read. It highlights the systemic nature of the cyber threat to US economic and national security.

Tuesday, January 26, 2010

Social Engineering via Social Networks

The Financial Times reports that the hackers responsible for attacking Google used social networking sites to infiltrate the search engine's network. According to the Financial Times,
The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.“We’re seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them,” said George Kurtz, chief technology officer at security firm McAfee.“Someone went to the trouble to backtrack: ‘Let me look at their friends, who I can target as a secondary person’.”
This article highlights how our personal information can be exploited in unexpected ways and provides a real-world example to many of concepts we discussed in class.

Monday, January 25, 2010

Enabling Surveillance and Censorship

In an op-ed on CNN security technologist Bruce Schneier states that the US Government inadvertently create a situation that allowed Chinese hackers to eavesdrop on GMail. Schneier writes,

In order to comply with government search warrants on user data,Google created a backdoor access system into Gmail accounts.

This feature is what the Chinese hackers exploited to gain access.Google's system isn't unique. Democratic governments around the world -- in Sweden, Canada and the UK, for example -- are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

Many are also passing data retention laws, forcing companies to retain information on their customers. In the U.S., the 1994 Communications Assistance for Law Enforcement Act required phone companies to facilitate FBI eavesdropping, and since 2001, the National Security Agency has built substantial eavesdropping systems with the help of those phone companies.

Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic. The FBI illegally wiretapped the phones of Americans, often falsely invoking terrorism emergencies, 3,500 times between 2002 and 2006 without a warrant. Internet surveillance and control will be no different.

Official misuses are bad enough, but it's the unofficialuses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don't.

China's hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won't be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collectedInternet data or eavesdrop on phone and IM conversations?

The entire piece is worth the read.

Tuesday, January 19, 2010

Facebook: Behind the Scenes

On January 11, 2010, the online magazine, published a very interesting interview with an anonymous Facebook employee. The employee, a veteran of the company, appears very knowledgeable about both the technology used to power Facebook as well as the policy decision made by management that govern the site.
The Rumpus: On your servers, do you save everything ever entered into Facebook at any time, whether or not it’s been deleted, untagged, and so forth?

Facebook Employee: That is essentially correct at this moment. The only reason we’re changing that is for performance reasons. When you make any sort of interaction on Facebook — upload a photo, click on somebody’s profile, update your status, change your profile information —

Rumpus: When you say “click on somebody’s profile,” you mean you save our viewing history?

Employee: That’s right. How do you think we know who your best friends are? But that’s public knowledge; we’ve explicitly stated that we record that. If you look in your type-ahead search, and you press “A,” or just one letter, a list of your best friends shows up. It’s no longer organized alphabetically, but by the person you interact with most, your “best friends,” or at least those whom we have concluded you are best friends with.
The entire interview provides an interesting look at how Facebook values its user privacy.

Monday, January 18, 2010

More Targeted Attacks

The same tools, techniques, and procedures used to attack Google and other private sector companies are also used to actively attack the US military in cyberspace. F-Secure highlights this recent attack against US military contractors.

Saturday, January 16, 2010

Google's Counter Attack

Two interesting articles, one in the New York Times and one in the San Jose Mercury News, discuss how Google officials investigated the cyber attacks against Google's infrastructure and users of the company's services.

According to the New York Times Google
managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at at least 33 other companies, including Adobe Systems, Northrop Grumman and Juniper Networks, according to a government consultant who has spoken with the investigators. Seeing the breadth of the problem, they alerted American intelligence and law enforcement officials and worked with them to assemble powerful evidence that the masterminds of the attacks were not in Taiwan, but on the Chinese mainland.
The San Jose Mercury News writes
When Tenzin Seldon, a 20-year-old sophomore at Stanford, logged onto her Gmail account from New York over winter break, she may have helped Google understand the widespread penetration of its network by unidentified hackers in China.Unknown to Seldon, a regional coordinator of Students for a Free Tibet, at the same moment she was reading her e-mail in Queens, someone in China was logged into her account as well. Top Google officials, including chief legal officer David Drummond, later told Seldon that the suspicious situation alerted them that she was one of the human rights activists whose electronic mail was routinely being spied upon by someone in China.
The San Jose Mercury News article continues,
According to Google officials, her black Hewlett-Packard laptop with the red Stanford "S" sticker on the outside was one of perhaps two machines Google examined for signs of malicious software, or "malware," that would have allowed cyberspies entry to her Gmail account. Despite spending six days going through her laptop in early January, Google was unable to find any signs of malware on it. An industry source familiar with the case said her laptop may have been infected with a sophisticated form of malware programmed to harvest and relay back Gmail passwords, before erasing itself from her hard drive.
These accounts raise two interesting questions. First, should private companies like Google be empowered to respond to cyber attacks with attacks of their own? In many cases, the attacking system may belong to a private citizen or company that has no idea their system has been compromised and is participating in an attack. Further, a counter strike, even one that is designed only to gather information and not destroy the attacking machine, may cause unintentional damage and have unintended consequences.

For example, there have been previous cases of computers in hospitals hosting malicious bots. Breaking into these computers, without consultation with the system owner, may break the machine. In the case of the infected hospital computer this may adversely affect the doctors and patients that rely on the computer. Remember just because a computer is infected doesnt mean that it cant perform its other programmed functions.

Second, even though Google broke into a server participating in the attack against it, Google officials could not say with certainty who was responsible for the attack. The New York Times noted,
But while much of the evidence, including the sophistication of the attacks, strongly suggested an operation run by Chinese government agencies, or at least approved by them, company engineers could not definitively prove their case. In interviews in which they disclosed new details of their efforts to solve the mystery, Google engineers said they doubted that a nongovernmental actor could pull off something this broad and well organized, but they conceded that even their counterintelligence operation, taking over the Taiwan server, could not provide the kind of airtight evidence needed to prove the case.

Thursday, January 14, 2010

Timeline of Chiese Cyber Espionage

This image is from a Northrop Grumman report published by United States-China Economic and Security Review Commission that we will read later in the semester. It provides great context for Google's recent announcement about cyber attacks on its network.

More Details on China's Cyber Espionage Campaign

The Washington Post provides some additional insight into the recent the attack series traced to China. According to the article the attacks,
originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. At least 34 companies -- including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical were attacked, according to congressional and industry sources.
Further, the article points out that
the recent attacks seem to have targeted companies in strategic industries in which China is lagging, industry experts said. The attacks on defense companies were aimed at gaining information on weapons systems, experts said, while those on tech firms sought valuable source code that powers software applications -- the firms' bread and butter. The attacks also focused on obtaining information about political dissidents.
James Lewis, from the Center for Strategic and International Studies, provides insight into the Chinese government's motivations in sponsoring or allowing this espionage program to continue. Lewis states,
This is a big espionage program aimed at getting high-tech information and politically sensitive information -- the high-tech information to jump-start China's economy and the political information to ensure the survival of the regime.
The article also provides insight into the modus operandi used by the attackers.
The attackers, experts said, followed the familiar "phishing" ruse: A recipient opens an e-mail that purports to be from someone he knows and, not suspecting malicious intent, opens an attachment containing a "sleeper" program that embeds in his computer. That program can be controlled remotely, allowing the attacker to access e-mail, send confidential documents to a specific address -- even turn on a Web camera or microphone to record what is going on in the room.
Its interesting to note the responses provided by the other companies identified as targets of the espionage attacks in the Article.
Adobe, a software maker, confirmed on Wednesday that it learned of the attacks on Jan. 2 but said there was "no evidence to indicate that any sensitive information . . . has been compromised," while Symantec, which makes security software, said it is investigating to "ensure we are providing appropriate protection to our customers."Dow Chemical said that it has "no reason to believe that the safety, security and intellectual property of our operations are in jeopardy." Yahoo and defense contractor Northrop Grumman declined to comment on the attack.
These denials are standard fare for corporate America and provide a stark contrast to Google's admission. Google's candidness is an exciting development for the cyber security industry which is in dire need of a shake up and finding new approaches to dealing with a decades old problem.

Tuesday, January 12, 2010

Google's New Approach to China

I am truly amazed and impressed with Google today. Their candid account of Chinese cyber espionage activities on their network is significant simply because they are the rare company willing to disclose this type of activity. Additionally, Google's willingness to reassess their business operations in China shows that they are willing to move beyond mere rhetorical protestrations. Google appears to be the first Internet company willing to stand up to China and protect Internet free speech. Great job Google!

UPDATE (1/13/10): It could just be a coincidence that on the same day that Google announced targeted attacks on its infrastructure at GMail users they also announced that GMail will use HTTPS by default. No matter the reason this also good news for GMail users. Free security for everyone! Yeah!