Thursday, November 18, 2010

Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic

From the National Defense Magazine ...

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.

This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world’s largest dedicated Internet security company.

In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

Nobody outside of China can say, at least publicly, what happened to the terabytes of data after the traffic entered China.

The incident may receive more attention when the U.S.-China Economic and Security Review Commission, a congressional committee, releases its annual report on the bilateral relationship Nov. 17. A commission press release said the 2010 report will address “the increasingly sophisticated nature of malicious computer activity associated with China.”

Said Alperovitch: “This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”

The telephone giants of the world work on a system based on trust, he explained. Machine-to-machine interfaces send out messages to the Internet informing other service providers that they are the fastest and most efficient way for data packets to travel. For 18 minutes April 8, China Telecom Corp. told many ISPs of the world that its routes were the best paths to send traffic.

For example, a person sending information from Arlington, Va., to the White House in Washington, D.C. — only a few miles away — could have had his data routed through China. Since traffic moves around the world in milliseconds, the computer user would not have noticed the delay.

This happens accidentally a few times per year, Alperovitch said. What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service. In previous incidents, the data would have reached a dead end, and users would not have been able to connect.

Also, the list of hijacked data just happened to include preselected destinations around the world that encompassed military, intelligence and many civilian networks in the United States and other allies such as Japan and Australia, he said. “Why would you keep that list?” Alperovitch asked.

The incident involved 15 percent of Internet traffic, he stressed. The amount of data included in all these packets is difficult to calculate. The data could have been stored so it could be examined later, he added. “Imagine the capability and capacity that is built into their networks. I’m not sure there was anyone else in the world who could have taken on that much traffic without breaking a sweat,” Alperovitch said.

McAfee has briefed U.S. government officials on the incident, but they were not alarmed. They said their Internet communications are encrypted. However, encryption also works on a basis of trust, McAfee experts pointed out. And that trust can be exploited.

Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.

Among the certificates is one from the China Internet Information Center, an arm of China’s Ministry of Information and Industry.

“If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates,” said Yoris Evers, director of worldwide public relations at McAfee.

No one outside of China can say whether any of these potentially nefarious events occurred, Alperovitch noted. “It did not make mainstream news because it is so esoteric and hard to understand,” he added. It is not defined as a cyberattack because no sites were hacked or shut down. “But it is pretty disconcerting.”

And the hijacking took advantage of the way the Internet operates. “It can happen again. They can do it tomorrow or they can do it in an hour. And the same problem will occur again.”
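The article describes the "trust-based" mechanism in plain language: a network announces that it is the best path to a block of addresses, and other networks believe it. The following is an added illustration, not code from the article, McAfee, or National Defense Magazine. It is a toy model of two pieces of BGP best-path selection (longest prefix match, then shortest AS path) and of the standard mitigation the article does not mention, RPKI route-origin validation, in which an allowlist states which network is authorized to originate which prefix. All prefixes, AS numbers and the allowlist are constructed from documentation address ranges and private AS numbers; none are the real April 2010 announcements.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Announcement:
    prefix: str       # CIDR prefix being announced
    as_path: tuple    # AS path as seen by the receiving router; last element is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed allowlist in the spirit of RPKI ROAs: prefix -> (authorized origin AS, max prefix length).
# Documentation ranges and private AS numbers only; not real Internet data.
AUTHORIZED_ORIGINS = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/24": (64501, 25),
}


def validate_origin(ann, authorized=AUTHORIZED_ORIGINS):
    """Simplified RPKI route-origin validation: returns 'valid', 'invalid' or 'unknown'."""
    net = ip_network(ann.prefix)
    covering = [(o, m) for p, (o, m) in authorized.items() if net.subnet_of(ip_network(p))]
    if not covering:
        return "unknown"          # no ROA covers this prefix; routing decision is unchanged
    if any(ann.origin_as == o and net.prefixlen <= m for o, m in covering):
        return "valid"
    return "invalid"              # wrong origin AS, or prefix more specific than the ROA allows


def select_route(dest_ip, table):
    """Longest-prefix match, then shortest AS path (a two-step subset of BGP best-path selection)."""
    dest = ip_address(dest_ip)
    candidates = [a for a in table if dest in ip_network(a.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda a: (-ip_network(a.prefix).prefixlen, len(a.as_path)))


def select_route_with_rov(dest_ip, table):
    """Same selection, but announcements that fail origin validation are dropped first."""
    return select_route(dest_ip, [a for a in table if validate_origin(a) != "invalid"])


# Constructed routing table: the legitimate route plus the two shapes a misorigination usually takes.
LEGIT = Announcement("192.0.2.0/24", (64510, 64500))            # real owner 64500, reached via transit 64510
HIJACK_SHORT = Announcement("192.0.2.0/24", (64599,))           # same prefix, shorter path, wrong origin
HIJACK_SPECIFIC = Announcement("192.0.2.0/25", (64510, 64599))  # more-specific prefix, wrong origin
TABLE = [LEGIT, HIJACK_SHORT, HIJACK_SPECIFIC]


def demo():
    """Where traffic for one host inside 192.0.2.0/24 would go, with and without origin validation."""
    return {
        "no_rov": select_route("192.0.2.10", TABLE).origin_as,          # 64599: the bogus route wins
        "with_rov": select_route_with_rov("192.0.2.10", TABLE).origin_as,  # 64500: the real owner
        "verdicts": {f"{a.prefix}@{a.origin_as}": validate_origin(a) for a in TABLE},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Without validation, the more-specific announcement wins on prefix length alone, and even the same-length announcement would win on path length; neither requires the announcing network to own the addresses, which is the "trust" the article describes. With validation, both bogus announcements are marked invalid and dropped, so selection falls back to the legitimate route. The `max prefix length` field also catches a forged announcement that copies the correct origin AS but splits the block into a more-specific prefix than the owner authorized.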


Anonymous said...

The researchers stated that they do not know whether the traffic was diverted on purpose.

Furthermore they do not know whether or not traffic was captured and analysed by the Chinese, nor whether the government of the country played any role in the incident.

I wonder what the definition of "proof" is at the editorial desk of National Defense Magazine.

Erin Booth said...

China’s state-controlled telecommunications agency was able to hijack Internet traffic for 18 minutes, totaling 15% of the world’s Internet traffic. Shouldn’t this get more media attention?

According to this article, after U.S. government officials were informed about the hijacking, they “were not alarmed” because government communications are encrypted. Even so, how secure are their encryptions? And what’s to say that China, who probably now has this information stored, cannot figure out a way of decrypting it.

The U.S.-China Economic and Security Review Commission released its annual report on November 17th. According to CBS News, the annual report states that the hijacking “affected traffic to and from U.S. government (''.gov'') and military (''.mil'') sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM." Are the government officials alarmed now?

It is time to stop ignoring Internet security issues just because they are too “difficult for those outside the cybersecurity community to grasp.” The U.S. government and U.S. companies need to start taking the precautions necessary to further secure their data before it becomes an issue of international security.

Sean Delaney said...

Agreed. However, I think that one of the main problems isn't that the government ignores these issues because they are too difficult for those outside the tech industry to understand, rather, it is that most of the people making the decisions about security and policy are just as uninformed as the rest of the "outside world." We need better education at the upper levels of government and better processes in place to make sure that the people with the right technical expertise have appropriate channels available to them to ensure that the risks they identify are being heard.

Olivia George said...

I also agree that the larger problem is not so much that this didn’t receive news coverage because of its “esoteric” nature, but more that the issue is “esoteric” at all. It seems that both politicians and the common American continue to be ignorant in the latest threat that technology poses. The U.S. needs to realize that they might well be on the verge of a cyber cold war, and then react accordingly by building programs and institutions dealing with this “esoteric” topic of cyber threats.

What is truly “alarming” to me is the very fact that the government officials are NOT alarmed. Even they fall prey to the false sense of security that so many Americans (myself previously included) harbor when it comes to the online world. While I don’t profess to be especially knowledgeable on the subject of computer science, I now know enough that something needs to be done; attention needs to be called to the subject. And while I might not know exactly what actions are needed, I’m sure those “in the field” have an idea or two they’d like to share with policymakers. Hopefully those in the government will realize the need to consult those with the knowledge to advise on this topic… before the U.S. finds itself in a losing battle, trying to catch up to China in technological prowess.

Ian Kerr said...

I agree that the U.S. government should increase its awareness and understanding of information security, and also take more precautions to secure its data from future threats like this. But, at the same time, I think we also need to consider the types of measures that improved security would entail. While my limited knowledge of the subject prevents me from listing specifics, I would imagine that at least some of the measures would make government systems less user friendly.

Indeed, a common theme running throughout the course has been the unending struggle between privacy/security and convenience. While ordinary citizens and government officials are growing relatively more aware of the Internet's "insecurity," the costs of achieving improved security often render it undesirable. This is precisely what happened during the first Wikileaks release: in pursuit of combat benefits for front line units, the DOD gave authorized users unrestricted access to sensitive military reports and other information. As we all know, this pursuit of convenience and efficiency backfired. However, it seems to me that all Americans - public or private - will continue taking this risk for the foreseeable future.

In this way, I would argue not that the government isn't alarmed or unaware of the risks, but rather that for the moment the costs of pursuing greater security are perceived to outweigh any potential benefits. Given the importance of rapid communication and efficiency to our government institutions, I'm not sure when the demand will shift in the direction of greater security.

Adam Fine said...

Given President Obama's Cyberspace Policy Review and the 12-part supporting Comprehensive National Cybersecurity Initiative, it can be assumed that the government has started to realize the reality of cybersecurity concerns and has started to take action, especially in the government sector. While there is definitely a demand for rapid and efficient communications within our government institutions, the cost of pursuing greater security does not outweigh any potential benefits. Whereas the “unending struggle between privacy/security and convenience” rages on in the public sector and there may be no clear answer to solving the debate, it is only logical that the government sector must be expected to give up some convenience of communication in the interest of bolstering national security. Can you put a price on our national secrets? I'm not sure that I can.

Morgan Falzone said...

I agree with everyone that the government needs to be taking more steps to secure our communications and educate those in power about cyber security. It bothers me that no one can "publicly" say for sure what happened to all the traffic once it entered China. The 2010 US-China Economic and Security Review said the data passing through China could “conceivably be monitored, censored, or replaced with data. This could take place quickly enough to go unnoticed by the computer user." I wonder if anyone went back and checked the data that passed through China for alterations. And even though China says the hijack was unintentional, they nevertheless demonstrated they have the power to hijack internet traffic. Either way it's not good news for us - especially if it was an accident, because that means they could probably do worse if they were really trying.

Benjamin Kussman said...

I also wonder how dangerous a threat like this exactly is. I'm not surprised that China can accomplish something like this with its advanced technological infrastructure and number of skilled hackers, but can this be done on a smaller basis?

Can a single small phone company route traffic through it and use this for all of the many things we've discussed in class, from identity theft to information collection?

This also reinforces the importance of keeping the NIPRNet away from the public internet. This would be -very- detrimental if secret military communications could easily be picked up by enemies abroad without even wire-tapping or any physical espionage.