Dr. Vaman Ph.D CISA CGEIT

BEWARE OF CHINESE HACKERS – THEY ARE GOOD

In Enterprise Risk Management on January 26, 2010 at 2:25 pm

After the Google attack by cyber criminals, many experts have come out with interesting views. Here are some:

George Kurtz, CTO of McAfee, and his team were involved in the analysis of just what happened during these attacks, which he dubs “Aurora”. He revealed in his blog on January 14th that the primary mechanism was a Trojan horse that exploited a new vulnerability in Internet Explorer. What is interesting to note is Kurtz’s surprise at the dramatic turn the threatscape has taken.
“All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. “
There have been many instances of Chinese hacking of US research and defense organizations. To date the US State Department has remained aloof.
Hillary Clinton’s Remarks on Internet Freedom are worth noting because they are the first time a US Secretary of State has so explicitly endorsed Internet freedom and access to information. Full text and video are available here.
“The same networks that help organize movements for freedom also enable al-Qaida to spew hatred and incite violence against the innocent. And technologies with the potential to open up access to government and promote transparency can also be hijacked by governments to crush dissent and deny human rights.
In the last year, we’ve seen a spike in threats to the free flow of information. China, Tunisia, and Uzbekistan have stepped up their censorship of the internet. In Vietnam, access to popular social networking sites has suddenly disappeared. And last Friday in Egypt, 30 bloggers and activists were detained.”
The most important thing Ms Clinton said in my opinion:
“On their own, new technologies do not take sides in the struggle for freedom and progress, but the United States does. We stand for a single internet where all of humanity has equal access to knowledge and ideas. And we recognize that the world’s information infrastructure will become what we and others make of it.”
Them’s fight’n words, and the Chinese reacted in kind. Xinhua, the official news agency of the Chinese government, published a commentary, “Don’t impose double standards on ‘Internet freedom’”. My favorite quote:

“As is widely recognized, freedom is always relative, and such is also the case with Internet freedom.”

That says it all and the lines are drawn.


Evgeny Morozov, the Yahoo! Fellow at Georgetown University, characterized Ms. Clinton’s remarks as laced with Cold War rhetoric. He predicted correctly that China would reciprocate with criticism of US restrictions on Internet communications. While Evgeny may denigrate Cold War thinking (keep in mind that he grew up on the wrong side of the Iron Curtain: Belarus), there is something to be said for recognizing that China is indeed engaged in regional hegemony and global jockeying for power and control that is reminiscent of the Cold War. Never lose sight of China’s nuclear arsenal, standing army, and caustic rhetoric.

Marcus Ranum got a little heated in his contribution to the discussion. Aside from implying that all of the rest of the people I am quoting here are clueless, he had this to offer:
“My prediction for you: The Chinese Government will offer to block access to Google. I.e.: “Want to pull out of China? Here, let us help you.” Google will shut up, and the whole thing will blow over.”
He might just be right there, as Google has yet to carry through on its threat to stop censoring search results at Google.cn.
Bruce Schneier, cryptographer, author, and critic of the TSA, singled out a different aspect of the story. He criticizes the existence of so-called back doors that Google and other Internet services have built in so that they can comply with government demands for information.
“China’s hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won’t be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?”
Schneier may have jumped to conclusions based on too little information. Read this refutation by John Mark Walker here.


L. Gordon Crovitz, the Information Age columnist at the Wall Street Journal, invoked the “Shores of Tripoli” when he called for Washington to fix the cyber security problem. If you have not heard the story of how Thomas Jefferson finally beat the Barbary Pirates, told as a shining example of how law enforcement can be effective, you have missed out. I first heard the story applied to Internet security in 2004 when Steve Forbes recited it at a dinner he sponsored in California. It is telling that we have to go back 200 years in history to find a good example of the US effectively dealing with brigands. Crovitz calls for a government crackdown, claiming:
“Just as the traders of the 18th century could not protect open sea lanes by themselves, technology companies, even ones as powerful as Google, today cannot keep digital sea lanes open on their own. Washington has started to talk about the seriousness of the problem. Now it needs a plan to fix it.”
If he digs into it a bit, Mr. Crovitz will find that the government has far less ability to keep the Internet sea lanes open than those who own and operate the networks.
Brahma Chellaney, Professor of Strategic Studies at the Indian Centre for Policy Research, gives us the perspective of someone who is a little closer to China. His blog contains a post, “A new war, a new frontier”.
“In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier. In a conflict, China could cripple major Indian systems through a wave of cyber attacks. With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.”

That holds true not just for India. Every country has to realize that the protection of sensitive computer networks must become a national security priority.

Wow, the world has changed this week.

A NEW WAR – A NEW FRONTIER

India’s abilities to ward off attacks on its computer networks and other infrastructure are basic at best

Brahma Chellaney, Mint, January 22, 2010

Even though India showcases its world-class information-technology and knowledge skills and civilian space assets, it lags far behind China’s cyberspace capabilities. Worse, it has developed no effective means to shield its rapidly expanding cyber infrastructure from the pervasive attacks that are now being carried out both in search of competitive intelligence and to unnerve the Indian establishment.

In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier. In a conflict, China could cripple major Indian systems through a wave of cyber attacks. With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.

The cyber threat is at two levels. The first is national, as manifest from the attacks already carried out against India’s National Informatics Centre (NIC) systems, the office of the national security adviser and the ministry of external affairs. By scanning and mapping some of India’s major official computer systems, China has demonstrated a capacity to steal secrets and gain an asymmetrical advantage. Cyber intrusion in peacetime allows China to read the content and understand the relative importance of different Indian networks so that it knows what to disable in a war situation.

The second level of cyber threat is against chosen individuals. Such targets in India range from functionaries of the Tibetan government-in-exile and Tibetan activists to Indian writers and others critical of China. The most-common type of intrusion is an attempt to hack into the e-mail accounts. The targets also can face the so-called Trojan horse attacks by e-mail that are intended to breach their computers and allow the infiltrators to remotely remove, corrupt or transfer files.

To be sure, it is not easy to identify the country from where a particular cyber attack originated if it is camouflaged. Through the use of so-called false flag espionage and other methods, attacks can be routed through the computers of a third country. Just as some Chinese pharmaceutical firms have exported to Africa spurious medicines with Made-in-India label — a fact admitted by Beijing — some Chinese hackers are known to have rerouted their cyber intrusion through computers in Russia, Iran, Cuba and other countries. But like their comrades in the pharmaceutical industry, such hackers tend to leave telltale signs that allow investigators in the victim countries to trace the origin of the disguised attacks to China. Then there are many cases where the attacks have directly originated in China.

So the reasonable supposition at the highest levels of the Indian government is that most cyber attacks have been carried out from China. That is also the conclusion Google reached when it reported “a highly sophisticated and targeted attack on our corporate infrastructure originating from China” and threatened to end “our business operations in China.” Cyber strikes are just the latest example of how China’s actions — from manipulation of the renminbi’s value to the large-scale dumping of artificially cheap goods — are beginning to rankle other nations, undercutting its claims of a “peaceful rise.”

Let’s be clear: If China can carry out sophisticated cyber attacks on at least 34 U.S. companies, including Google, as part of a concerted effort to pilfer valuable intellectual property, it certainly has the capability to outwit the elementary safeguards found in most Indian computer systems. Google today is crying foul, but it was instrumental in aiding online censorship controls in a country that is most fearful of the free flow of information. It custom-built for China a search engine that expurgates the search results of references and Web sites that Beijing considers inappropriate. Now, Google itself has become a victim of China’s growing cyber prowess, in the way the appeasement of Hitler had recoiled on France and Britain.

Hackers in China have been carefully studying different software programmes to exploit their flaws. For example, hackers have found openings that allow them to infect victims’ computers through booby-trapped documents stored in the Acrobat Reader format. Opening such a document allows the hackers to automatically scan and transfer computer-stored files to a digital storage facility in China as part of a vast surveillance system dubbed “Ghostnet” by Canadian researchers. This is what happened when computers of the Tibetan government-in-exile in Dharamsala were methodically attacked last year. Officials in Germany, Britain and the U.S. have acknowledged that their government and military networks also have been broken into by Chinese hackers.

It seems unlikely that the hackers, especially those engaged in systematic cyber espionage and intimidation, are private individuals with no links to the Chinese government. It is more likely that the hackers are tied to the People’s Liberation Army. In war, this irregular contingent of hackers would become the vanguard behind which the regular PLA divisions take on the enemy.

India already is on the frontlines of one mode of asymmetrical warfare: Terrorism. That type of warfare has traumatized and bled India for long, with the country exposing itself as a soft state through the absence of an effective response. Now a new frontier of asymmetrical warfare is being opened against India, not by state-sponsored non-state actors but by state actors. It cannot fight two asymmetrical wars simultaneously, one against terrorists and extremists and the other against a state flouting international norms and wedded to cybercrime. The two asymmetrical wars indeed are a reminder that unconventional threats cannot be defeated through conventional forces alone. That is why India should treat the growing cyber attacks as a wake-up call to plug its vulnerabilities by developing appropriate countermeasures on a priority basis.

Brahma Chellaney is professor of strategic studies at the Centre for Policy Research in New Delhi.


CyberDragon – Chinese Art of CyberWar

In Enterprise Risk Management on January 20, 2010 at 7:05 am

The ART of CyberWAR

Let’s go back a couple of thousand years and examine Sun Tzu’s original treatise on The Art of War. In his book The Craft of Intelligence, Allen W. Dulles, father of the CIA, writes:

“To Sun Tsu belongs the credit not only for the first remarkable analysis of the ways of espionage but also for the first written recommendations regarding an organized intelligence service. He points out that the master of intelligence will employ all five kinds of agents simultaneously; he calls this the “Divine Skein.” The analogy is to a fishnet consisting of many strands all joined to a single cord. He comments on counter-intelligence, on psychological warfare, on deception, on security, on fabricators, in short, on the whole craft of intelligence.”

Indeed, Sun Tzu devoted a separate section of The Art of War to the employment of spies. Dulles then says:

“It is no wonder that Sun Tzu’s book is a favorite of Mao-Tse-tung and is required reading for Chinese Communist tacticians. In their conduct of military campaigns and of intelligence collection, they clearly put into practice the teachings of Sun Tzu,”
This from the man in charge of the United States’ intelligence operations during the Cold War, when China and the USSR were his primary adversaries.
In his 2004 paper “Sun Tzu’s Strategic Thought and Its Inspiration for Informationized Warfare”, presented at the Sixth International Seminar on Sun Tzu’s Art of War, Chai Yuqui of the Nanjing Army Command Academy called Sun Tzu a grand strategist without parallel in history. (Virtual Dragon, p. 333)
Chinese theoreticians have been considering the implications of Information warfare for two decades. Look at the titles of some of their research:

  • Wang Qingsong, Modern Military-Use High Technology, 1993
  • Zhu Youwen, Feng Yi, and Xu Dechi, Information War Under High Tech Conditions, 1994
  • Li Qingshan, New Military Revolution and High Tech War, 1995
  • Wang Pufeng, Information Warfare and the Revolution in Military Affairs, Beijing, 1995
  • Zhu Xiaoli and Zhao Xiaozhuo, The United States and Russia in the New Military Revolution, 1996
  • Dai Shenglong and Shen Fuzhen, Information Warfare and Information Security Strategy, 1996
  • Shen Weiguang, On New War, 1997

According to China analyst Timothy L. Thomas (author of Decoding the Virtual Dragon, a publication of the US Army’s Foreign Military Studies Office), Dr. Shen Weiguang is known in China as the father of Information Warfare (IW) theory. Also in 1995, Shen wrote an introductory article on IW for the PLA Daily Newspaper. In it Shen states that the main target of IW is the enemy’s cognitive and trust systems and the goal is to exert control over his actions.

Thomas discovered more interesting thinking in a 2004 article by General Xu Xiaoyan, the former head of the Communications Department of the Chinese General Staff. Xu dissects the realm of Information Warfare. At the granular level he points out the need for:

“Network confrontation technology—intercepting, utilizing, corrupting, and damaging the enemy’s information and using false information, viruses, and other means to sabotage normal information system functions through computer networks.” (Virtual Dragon p. 66)

Thomas goes on to offer the following observations:

“If Xu’s suggestions were accepted, then one might expect to see more active reconnaissance and intelligence activities on the part of the PLA (as seems to be occurring!)”

That exclamation point is Thomas’s, written after Titan Rain (2004) but before the GhostNet report on Chinese hacking of the Dalai Lama’s network (2009).

Last Tuesday, Google announced that they had been hacked by sources in China. The target was email accounts of Chinese activists and bloggers. An outraged Google threatened to discontinue censoring search results at the Google China search engine google.cn. Yahoo chimed in, in support of Google. Yahoo of course is another Internet company with a history of bowing to Chinese requests, including providing information that led to the arrest and imprisonment of Shi Tao, a Chinese journalist who still has four years of his sentence to serve.
According to the New York Times:
“Several human rights advocates in China said last week that their Gmail accounts had been compromised, among them Ai Weiwei, an artist, and Teng Biao, a lawyer.”

In addition, two foreign journalists, one from the Associated Press, claim their Gmail accounts were compromised.
Google claims they found evidence of attacks on 33 companies. Some of these have acknowledged the attacks: Yahoo, Symantec, Northrop Grumman, Dow Chemical, Adobe and a law firm involved in suing China; even India has gone public with accusations that China has been hacking it.
Chinese cyber espionage should come as no surprise. A historical perspective is needed to understand how these attacks against Google and others are merely an extension of spying activity that has been documented at least since 2001.
There is a group of foreign intelligence analysts whose job it is to keep an eye on China and interpret what is going on there. Since 2001 these analysts have devoted their efforts to understanding China’s thinking on modern warfare and, in particular, Information Warfare. The body of knowledge they have to work with is extensive and surprising in the level of logic and careful consideration that China’s military theoreticians have applied to what they call the Revolution in Military Affairs (RMA).

China is engaging in systematic industrial and military espionage via the Internet. Do not be surprised as more and more organizations announce that they too have been targets. For that matter, do you know whether your own organization has been the victim of Chinese cyber spying?

Source Research: http://www.threatchaos.com – Putting Chinese cyber espionage in perspective

Hacking attacks on Google boost outlook for cyber-security

In Enterprise Risk Management on January 20, 2010 at 6:40 am

For U.S. military firms, the latest revelations of highly sophisticated hacker attacks on Google Inc. are highlighting a new threat vector and reality, and a potentially lucrative business: The battlefield is shifting to cyberspace.

Google’s admission last week that it and other large companies were infiltrated by cyber-spies (Chinese? Russian?) is bolstering prospects for major military contractors that in recent years have been shifting their focus from developing weapons to defending computer systems and networks.

“Cyber-security is shaping up to be a major growth opportunity for the defense industry,” said Loren Thompson, a military policy analyst for the Lexington Institute, a think tank in Arlington, Va. “We’ve spent the last 20 years putting all of our information onto computers. Now, we don’t have any choice but to defend ourselves against foreign intrusion.”

As the threat becomes more coordinated and complex, military firms say that demand for sophisticated cyber-security will rise. The attacks on Google alarmed security analysts because it appeared that a new battle was being waged in which corporate computers and the valuable intellectual property they hold had become a target of a foreign government. In the past such intricate attacks were primarily aimed at military and state secrets.

The military industry, having already done extensive work protecting federal government computers, may be in a good position in the emerging market that could exceed $100 billion in revenue within the next decade, analysts said.

It may have little choice. Pentagon spending on weapons is expected to slow, leaving military firms scrambling for new business.

“Each of these companies recognizes that growing demand for cyber skills could help cover any shortfall in revenues,” Thompson said.

The federal government is expected to set aside $8.3 billion this year for protecting its computers from hackers, up 60% from just four years ago. In a speech last year, Deputy Secretary of Defense William J. Lynn said that at the Pentagon alone, there were an “estimated 90,000 people engaged in administering, monitoring and defending 15,000 networks connecting 7 million computers.”

With attacks increasing more than 200% since 2006, federal spending on cyber-security is expected to grow 8.1% annually over the next four years, according to Input, a Reston, Va., government contracting research firm.

“That’s significant growth, given the budget pressure that the government is under,” said John Slye, principal analyst at Input.

Exactly how much private firms are spending to protect themselves from hackers is unknown, because many do not like to admit that their computers have been breached.

“In today’s current state, there’s a good chance that you’ve already been compromised,” said Timothy McKnight, vice president of Northrop Grumman Corp.’s intelligence systems division. “We want to stay ahead of this problem. We’re doing everything to stay on the cutting edge.”

To bolster their staffs, military firms have been hiring former top government officials, partnering with universities for young talent and swallowing up smaller cyber-boutiques.

Century City-based Northrop, maker of the B-2 stealth bomber and nuclear submarines, in 2007 acquired Essex Corp., which specializes in encryption technology used by U.S. intelligence agencies that could be applied to protecting valuable data.

Northrop last year consolidated its cyber-security business, scattered among various divisions across the country, into one unit.

And in December, Northrop created a cyber-security research consortium with Carnegie Mellon University, the Massachusetts Institute of Technology and Purdue University as a way to tap new technologies and recruit emerging talent.

Defense rival Lockheed Martin Corp. took a different route, assembling a cyber-security alliance with tech companies, including Microsoft Corp., Cisco Systems Inc. and Dell Inc., to collaborate on developing measures against hackers.

In November, the nation’s largest military contractor finished a 5,000-square-foot facility in Gaithersburg, Md., that’s dedicated to cyber-security research. Lockheed has also recruited Lee Holcomb, former chief technology officer for the Department of Homeland Security, to head the company’s cyber-security initiatives.

Another military firm, General Dynamics Corp., has built a lucrative business protecting companies from cyber attacks. In 2007, the company helped the parent of discount retailers T.J. Maxx and Marshalls patch a security breach in which hackers had gained access to computers that had information on 50 million customers’ credit and debit cards.

“Nobody is building aircraft carriers anymore,” said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc., a national-security firm. “It looks like, from now on, the big money is in cyber space.”

India’s National Security Adviser (NSA) has recently alleged that Indian Prime Minister’s Office (PMO) websites have been hacked by the Chinese. This should serve as a wake-up call to Indian companies to move IT security from a Nice To Have to a NEED TO HAVE budget item.

Indian companies are very vulnerable to coordinated cyber attacks: they have unprotected websites, applications and databases. Most of the so-called IT security is left to low-level system administrators and network admins. There is very little understanding of application security, even though that is where tons of sensitive data (intellectual property, customer data, design data) reside.

My recommendation is that CEOs and top management should include an IS security statement in the published balance sheets as part of disclosure to the public and shareholders. This should be based on an IT governance committee and audit report, like an audited financial report. Unless the law mandates such a system, IT security will remain a discretionary budget item.

Source Research: “For Military Firms, a New Spy Market”, Los Angeles Times, W.J. Hennigan