A group of academics and public interest organizations released a joint letter to Prime Minister Stephen Harper today, voicing their grave concerns about legislation that would allow for warrantless online spying on Canadians (“Lawful Access” legislation). The letter calls on the government to, at minimum, give the proposed legislation an appropriate hearing instead of rushing it through Parliament.

The letter to the Prime Minister is just the latest in a series of protests about the legislation. The Stop Online Spying Coalition has prompted more than 46,000 Canadians to sign an online petition at http://www.StopSpying.ca lambasting the government’s anti-privacy initiatives, and earlier this year every federal and provincial Privacy Commissioner signed a letter to the government criticizing the legislation and questioning the need for bringing in these repressive measures.

For the full original article, see here.

One or more hackers is repeatedly tormenting the Conservative Party of Canada as it prepares for a convention starting Thursday where party stalwarts are gathering to celebrate their majority government victory.

A day after someone hacked into the Conservative Party website to post a false announcement about Stephen Harper, a Twitter user claims to have also broken into Tories’ donor database – posting names and emails that they said were stolen from the trove of private data.

On Tuesday, the party’s website was defaced with a fake story about how Mr. Harper was rushed to hospital after choking on a hash brown. A Twitter user, with the account name LulzRaft, took credit for the stunt.

The Tory Party’s spokesman, Fred DeLorey, insisted at the time that there had been no breach of its “database and email systems.”

On Wednesday morning, however, LulzRaft had more to announce: “The Conservatives said no contributor data was accessed..I wonder where this sample came from then!,” LulzRaft tweeted, linking to a web page that listed names and email addresses purported to be a “small sample” of Tory party “donation contributors.”

…

For full original article, see here

The e-G8 can be summarized by intra-government differences, intra-industry differences, and deep divisions between governments and industry. This is reflected in the final G8 Deauville communique—where as Reuters points out—the section on the Internet failed to produce any specific and concrete proposals for policies.

Concerns over intellectual property rights remained unsolved at the International level. At the summit, Rupert Murdoch—the billionaire exec at News Corporation—argued, “We hope that the G8 will strongly affirm that the property rights of artists and creators are more than just a matter of protecting cultures.” The G8 governments renewed their “commitment to ensuring effective action against violations of intellectual property rights in the digital arena, including action that addresses present and future infringements.” However, the commitment did not include any international commitments, and the final communique largely left this area in the hands of national governments.

The biggest division that was revealed at the e-G8 was the one between governments that wanted more regulation for the Internet, and Eric Schmidt of Google who stated on a panel that, “You want to tread lightly on regulating brand new, innovative industries.” He added, “Clearly you need some level of regulation for the evil stuff. But I would be careful about over-regulating the Internet,” and that “I cannot imagine any delegate in this conference that would want Internet growth to be significantly slowed by a government that slows it down because of some stupid rule that they put in place.”

In the Internet Governance Project’s blog post “The G8: A Declaration of the Dependence of Cyberspace,” written just prior to the eG8 meeting, Milton Mueller predicted that “You can be sure that this Summit will focus more on how to control unruly users and protect vested interests than on issues such as online censorship and surveillance, developing new growth potential through disruptive innovation or protecting the security and civil liberties of ordinary users.” Indeed, these concerns were not addressed in the final communique. Although the communique stated that, “Freedom of opinion, expression, information, assembly and association must be safeguarded on the Internet as elsewhere,” the communique also states that, “Arbitrary or indiscriminate censorship or restrictions on access to the Internet are inconsistent with States’ international obligations and are clearly unacceptable,” thus leaving room for online restrictions as determined acceptable by governments (for instance, justifying the US IP Protect Act which proposes the use of DNS blocking to prevent domestic access to sites infringing on intellectual property—something which Google’s Schmidt cautioned as setting a bad precedent and something which Anonymous protested against this week vis-a-vis a DDoS attack on the US Chamber of Congress).

On the question of privacy, the G8 called for greater protection of personal data and individual privacy on the Internet—however, this point failed to address issues of surveillance or lawful data access.

Amid the e-G8 summit, Ronald Deibert put forth a cyberspace policy proposal for Canada to consider. Deibert suggests that, “It is unlikely that such an ambitious agenda will emerge from Canada to influence this year’s meeting of the G8. But hopefully the meeting will set in motion a process of urgent reflection on the scope of the challenges that lay ahead.” For Deibert, it is hoped that such an agenda would focus around building a secure and open cyber commons, with rules focused around the promotion of norms of mutual restraint in cyberspace, protections for privacy and civil liberties, joint vigilance against cyber crime networks, and respect for the free flow of information, as opposed to a closed domain defined by controls and a dilution of civil liberties.

Cyberspace has become an all-immersive domain, and the global communications environment in which all of society, economics, and politics are now embedded. Its constituent parts are widely conceived of as critical national infrastructure.

But the domain of cyberspace is entering a potentially chaotic and very dangerous phase of its evolution, which is why it has become a key issue for consideration at today’s G8 summit in Deauville, France.

The Canadian government is late to the cyber security arena, and only recently released a cyber security strategy last fall that pales in comparison to the scope of the challenges, or to equivalent strategies released by our allies, like the United States.

It devotes far too few resources to the problem, does not fully address the division of appropriate institutional responsibilities, and only barely nods at the importance of a foreign policy for cyberspace. A recent investigation revealed our public sector infrastructure was so thoroughly infiltrated with malicious activity emanating from foreign jurisdictions that the entire Treasury Board was taken offline for weeks. Embarrassingly, a recent security study ranked Canada among the highest of countries for the hosting of malicious content.

Not surprisingly, our government’s capacity to engage forcefully and strategically on these issues has been muted. We are absent in the international arenas where cyberspace governance is debated and territorialized controls are being normalized by China, Russia and other democratically challenged states.

Although the G8 summit will cover a range of issues, President Nicolas Sarkozy has signaled that cyber security issues will rank high on the agenda. What will be Canada’s contribution to the discussions? What will Prime Minister Stephen Harper bring to the table?

Cyberspace has always been characterized by change, but there has been a major architectonic shift in the nature of the medium with the rise of social networking, the shift to cloud computing, and the rapid emergence of mobile forms of constant connectivity.

While convenient and fun, these new modes of communicating have emerged so fast that they have created unforeseen security and privacy liabilities and unintended consequences for individuals and organizations alike.

Mobile communications operate along an entirely different ecosystem than desktop PC infrastructures. Among other respects, they lend themselves to much more precise geolocation tracking, the information for which may be shared with third parties in ways that are not necessarily transparent to users.

Meanwhile, social networking and cloud computing services have produced an exponential increase in the sharing and networking of once discrete data sources. We click on documents, links, and attachments with carefree abandon as we move from the office to the internet cafe to the airport lounge. Personal photographs, sensitive documents, business spreadsheets, classified reports are entrusted to server farms of privately owned infrastructures that can span multiple political jurisdictions.

Any epidemiologist studying such a dynamically growing ecosystem would not be surprised to find a huge expansion in the cyber equivalent of disease: although cybercrime has formed a hidden shadow along every step of the Internet’s history, its growth has suddenly become so explosive in recent years by virtually any estimate that it is beyond control, and perhaps even beyond estimation.

According to security companies there are around 60,000 new malicious software (malware) samples discovered every day, with the number rising steadily. Massive botnets – global networks of infected computers – now routinely count in the tens of thousands worldwide.

A huge black market for cybercrime tools and products thrives as a kind of hidden underbelly of globalization, driving everything from petty identity theft to high-stakes political and commercial espionage. If precise estimates could be obtained, it would surely rank as one of the world’s largest economic growth sectors, as millions of new digital natives from the developing world find a rewarding and elegant means to personal enrichment.

Not surprisingly, governments have begun to react, but in doing so may be contributing more to the problem than creating solutions.

Generally speaking, there has been a sea-change the world over in the way governments approach cyberspace. Whereas 10 years ago, states were either oblivious to the Internet or took a laissez-faire approach, today they are moving swiftly to assert their power and shape the domain in ways that suit their strategic domestic and foreign policy interests. Whether for purposes of copyright control, anti-terrrorism, or to shore up regimes from meddlesome human rights and opposition networks, governments are building up an advanced suite of cyberspace controls, ranging from filtering and surveillance to the black arts of computer network exploitation.

Alarmed by consistent high-level penetrations of its own critical infrastructures, the United States has led the way with numerous cyber strategy documents, legislation, and institutional reform. The most significant of these was the establishment of the U.S. Cyber Command in 2010, which helped trigger a major industrial shift in the defense industry and a fundamental force restructuring among allies that is still unfolding.

It has also triggered a global cyber arms race. Unable to compete on the same level, adversaries of the United States seek comparative advantage by exploiting criminals and patriotic hackers to do their bidding instead. Major incidents of computer network attacks and espionage have been traced back to the Chinese and Russian criminal underworld, or to pro-regime sympathizers of Iran, Burma, Libya, Syria, and others. Others have followed the US lead and set up “cyber commands” of their own.

Meanwhile, the private sector that owns and operates the vast majority of cyberspace is caught in the cross-hairs, continuously blitzed by mounting assaults on its networks while simultaneously being pressured by governments looking to download their responsibilities to police cyberspace.

Research In Motion, the Canadian maker of BlackBerry products, has been dogged by such demands to the point of seeming frustration. When asked by the BBC whether RIM had made deals to hand over its encrypted data to security services, CEO Mike Lazaridis cut short the interview.

Some companies have seized on the commercial opportunity opened up by cyberspace contests; a massive cyber security market, now measured to be anywhere between $80- and $150-billion annually, provides filtering, data mining and fusion, and computer attack capabilities to security services worldwide. One of our research projects, the OpenNet Initiative, has documented how a Canadian company, Netwsweeper, provides services to the regimes of UAE, Bahrain, Qatar, and Yemen – countries known for pervasive censorship – so that they can “block inappropriate content … based on social, religious or political ideals,” according to a page on their website which has since been changed.

As one of the world’s largest economies and home to some of the greatest thinkers of communications, from Harold Innis and Marshall McLuhan to William Gibson, Canada should be leading the way instead of muddling along. We certainly stand among those to lose the most should cyberspace continue its spiral into censorship, militarization, and crime. What should be done?

First, a comprehensive strategy to protect the cyber commons should begin by linking the international consequences of domestic policies. If liberal democratic countries pass legislation that permits access to data for state security services without judicial oversight, as the Harper government is reportedly set to do with lawful access provisions of the forthcoming Omnibus Crime bill, then there is no moral basis for condemning those actions when they occur in places like China, Iran, or Belarus.

It is certainly true that law enforcement is overwhelmed with the surge of cyber crime, but the case has not been made that to deal with it effectively requires access to private data and a major dilution of civil liberties that are basic to a liberal democratic society. In fact the opposite may be more the case.

The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. We need to give law enforcement new resources, capabilities, proper training and equipment to sort through voluminous flows of existing data. But alongside those resources, Canada should be setting the highest standard of judicial oversight and public accountability. New resources, yes, but the same if not more rigorous checks and constraints on powers.

The same principle holds true for Canadian companies operating abroad.

Rather than catering to regimes that violate human rights, or colluding with security services with dubious track records, Canadian companies should be held to the same basic minimum standards that we expect in Canada when offering services abroad. Regulatory measures should be introduced that set standards for the private sector around mandatory disclosures of security breaches, strong privacy protections built by design, and restrictions on the sale of products and services that contribute to violations of human rights abroad.

Part of Canada’s cyberspace strategy needs to focus outward. Our Foreign Affairs department should be at the forefront of the promotion of decentralized and distributed security mechanisms, while actively resisting proposals that seek to alter the constitution of cyberspace through top-down, heavy-handed government controls.

Diplomatically, we should work to build a broad community of like minded-states who share this common vision, and have an interest in a secure and open cyber commons across the many different venues of cyberspace governance. Such rules should include the promotion of norms of mutual restraint in cyberspace, protections for privacy and civil liberties, joint vigilance against cyber crime networks, and respect for the free flow of information. We should also work as a liaison between our allies and the governments of China, Russia and others to limit the dangerously escalating tensions that exist in cyberspace.

It is unlikely that such an ambitious agenda will emerge from Canada to influence this year’s meeting of the G8. But hopefully the meeting will set in motion a process of urgent reflection on the scope of the challenges that lay ahead.

Ron Deibert is Director, the Canada Centre for Global Security Studies and the Citizen Lab, Munk School of Global Affairs, University of Toronto. He gave the keynote address at Wednesday’s mesh conference on the Internet.

This article originally appeared in Huffington Post Canada on May 26, 2011.

Last week, we learned that Canada has been shooting up the chart of cybercriminals’ “most favoured nation” status, now the sixth most likely country to host servers running malicious programs after spending a few years in the mid-teens.

Let’s be clear from the outset, though: The fact that Canada is moving up that list is not all bad, nor does it mean that ordinary Canadians are about to experience a sudden upsurge of digital assaults directed at them. It means that people engaged in Web malfeasance who could be anywhere in the world have discovered they get less grief and resistance by launching their attacks from servers based in Canada than from their home base.

Take spam, which, according to Bell Canada, accounts for about 95 per cent of the e-mail traffic that carriers transmit every month. Canadian addresses look good on a spam e-mail precisely because the country has such a decent reputation around the world. If it comes from Canada, the theory goes, it must be above board.

Another heart-warming fact from a Canadian perspective: The United States is still way ahead as the top location for the hosting of so-called “phishing” sites, spoof Web pages that hope to persuade users to give up sensitive data, such as passwords, once directed there by spam or other devious methods.

So things could be worse. However, if Canada doesn’t get its act together, it might get worse.

There have been indications recently that Chinese and Russian authorities are tiring of the level of criminal activity hackers generate from their territories, partly because it tarnishes their reputation and partly because it contaminates and overloads their own network systems.

Canada cannot afford to become the next go-to destination for aspiring hackers, crackers and Internet ne’er-do-wells – if it does, the amount of malware originating in Canada will soon lead to an increase the vulnerability of Canadian consumers, both private and corporate.

A bedrock of cybercriminality is the “distributed denial of service” attack, in which tens of thousands of zombie computers enslaved by viruses to a command-and-control machine will lay siege to a company’s or organization’s system. The most sophisticated of these so-called botnets use 40 gigabytes of bandwidth per second, which no single company or even government can resist on their own.

This is where Canada remains more vulnerable than others. Canada is the only major Western country that does not have a government-run computer emergency response team (CERT). Instead, the job is contracted out to a private operation – doubtless it does a fine job, but the defence of the country’s critical national infrastructure, which is what a CERT monitors, needs to be in government hands.

Canada has also been relatively slow to develop co-ordinated responses among law enforcement, intelligence services, the private sector and the military. There are three main areas of malfeasance on the Internet: crime, industrial espionage and warfare. In principle, the RCMP and other law-enforcement agencies should be policing cybercrime; the private sector must assume most responsibility for industrial espionage and the military should take care of cyber security issues between states.

However, interconnectivity means there has to be considerable co-ordination between these agencies. After all, you never know whether your hacker is working for Russian organized crime, an Indian manufacturer, or the People’s Liberation Army. Relative to other Western countries, Canada’s cyberdefences lack funding and a coherent strategy.

DarkMarket, Misha Glenny’s book on cybercrime, will be published in September.

Canada’s squeaky clean image earned a few smudges recently in a report released by Internet security firm Websense which named the country as now the world’s number two host for phishing sites.

Canada, which was 13th on a list of countries favoured by cyber criminals just last year, is now second only to the United States, according to the report.

“Our Internet monitoring stations registered a 53 per cent increase in botnet activities in the past eight months in Canada,” Patrik Runald, senior manager for Websense’s Security Labs told ITBusiness.ca.

The security expert however, was quick to add that this does not mean cyber crime rings have physically moved their headquarters to Canada.
“A lot of these operations remain based in Eastern European locations such as Russia, Ukraine, the former Czech Republic and then in China,” said Runald. “The attacks are merely being hosted by compromised or hacked machines in Canada.”

Greater government involvement required

Technology-based protection continues to improve but government involvement in the battle against cyber crime is critical, according to Ron Deibert, director of the Internet watchdog organization Citizen Lab based at the Munk Centre for International Studies at the University of Toronto.
“Unfortunately, the Canadian government lags behind other jurisdictions in the development of a comprehensive cyber security strategy,” he told ITBusiness.ca.

Deibert said the problem is not so much the legislation of anti-cyber crime laws but rather the allocation of resources to enforcement agencies. “There are not enough resources and funding to enable law enforcement agencies to do their jobs effectively.”

Are the Chinese spying on Ottawa resident Maggie Wenzhuo Hou?

Hou, a 41-year-old Chinese dissident who has lived in Ottawa since June 2009, is convinced that agents of the government of China are monitoring and blocking her e-mail and telephone communications.

While she can’t prove her allegations, she can offer up a long list of circumstantial evidence to support her claims. Based on her dissident status and documented attacks by China-based hackers, security experts say hers is a credible story.

Alex Neve, secretary general of Amnesty International Canada, says Chinese monitoring of human rights activists in this country is a “well-known and notorious pattern.”

Hou is a “high-profile, outspoken human rights activist who has some real credibility because she’s freshly out of China, has first-hand experience with human rights violations and is quite well connected to a number of known human rights activists still inside China,” Neve says.

“So it does not surprise me at all that she could be, would be or was targeted for some sort of hacking or computer surveillance by the Chinese authorities.”

But Ron Deibert, the director of the University of Toronto’s Citizen Lab, which in 2009 uncovered GhostNet, a cyberspy ring based in China that was gathering intelligence in more than 100 countries, counsels caution when assessing cases such as Hou’s.

“There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion,” Deibert says.

For her part, Hou says “Canadian authorities” are interested in her experiences, and have interviewed her three times about them. She decided to go public to warn Canadians about what she calls China’s “silent cyber war.”

“The Canadian public is just sleeping while, as we Chinese say, a tiger’s sleeping next to you. People should wake up. This country is slipping into danger,” she says. “When I came to Canada, I thought I’d be safe. I don’t feel safe anymore. I feel like I’m in China.”

Hou first got involved in human rights and political activism in China while attending Sichuan University in 1989, the year of the Tiananmen Square massacre. In 2003, she founded and led a now-defunct human rights group in Beijing. She’s now director of the human rights committee of the Democratic Party of China, an exiled opposition party.

While in China, she was arrested and detained many times, most recently at the time of the 2008 Beijing Olympics, when she was imprisoned for 18 days for her involvement in human rights protests.

When she became pregnant late that year, she managed, with help from some Canadian friends, to leave China for a teaching job at the University of Ottawa. She gave birth a month later and taught courses in human rights and political activism in China at the university’s graduate school of international and public affairs the during the 2009-10 academic year. She has had protected person status in Canada since last August.

She first started noticing some “funny things” going on around the time of Prime Minister Stephen Harper’s visit to China in December 2009, when she was involved in demonstrations and an online petition. “My e-mails started to be irregular,” she says. “There were lost e-mail messages.” When people signed the online petition, their names didn’t appear. Friends told her that when they opened her Gmail messages, their computers slowed down noticeably.

Google Inc., which owns Gmail, told Hou at the time that the problem was with her computer. But the company has since accused Chinese authorities of interfering with its Gmail, leading to access problems.

Last May, Hou travelled to Toronto to have her computer examined by Greg Walton, a computer security expert who worked for Citizen Lab on the GhostNet project. According to Hou, Walton told her the computer was heavily hacked and was communicating with dozens of IP addresses, including some in China.

Walton, now based in London, England, agrees there were “anomalies” in the network traffic. “However, the traffic was almost entirely consistent with common malware to which all Internet users are exposed, associated with cyber criminals motivated by profit rather than the targeting of political dissidents.”

Despite his failure to find anything linked to Chinese spying on Hou’s computer, Walton says “credible sources within the investigations community have repeatedly indicated that there has been growing unease about the surveillance of dissidents in Canada.”

In an e-mail to the Citizen, an official at the Chinese Embassy in Ottawa said allegations that the Chinese government supports hacking are “groundless and with ulterior motives.”

“The Chinese government has consistently been firmly opposing any illegal activities that sabotage the Internet and computer networks, including computer hacking,” the official wrote, adding that China’s government “is ready to work with countries to counter hacking and other forms of Internet crime.”

But Rafal Rohozinski, chief executive of Ottawa-based SecDev Group, who worked with Citizen Lab on the GhostNet project, say Hou’s allegations are credible.

“We’ve got plenty of precedent where these kinds of techniques have been used against inconvenient political actors,” says Rohozinski, though whether the perpetrators are Chinese authorities or “patriotic hackers” is difficult to determine.

Whenever Hou communicates with people in China, “she has to work through services that invariably pick up her identifying IP address or the address of the e-mail she’s using,” Rohozinski says. “If someone’s on a watch list, it’s pretty simple to be able to identify that individual.”

Wesley Wark, a security expert and visiting professor at the University of Ottawa, says there’s lots of evidence that China is involved in state-sponsored efforts to “harass and survey” Chinese expatriates. “It’s a big part of what the Chinese do, and they do it because they have global reach, because they are determined to monitor overseas dissident groups and individuals.”

Deibert notes that Hou isn’t an ordinary person. “She’s someone who’s connected politically to Chinese events. That puts her in a different category right off the bat.”

Wark thinks the Canadian government should be meeting regularly with Chinese officials to emphasize that spying and hacking are not tolerated in Canada. “But that’s not a message we’ve heard from recent governments. The big message is trade and better relations.”

Hou acknowledges that speaking out carries risks. “I definitely am worried,” she says. “I know their people are watching me. Their people maybe hate me. But I feel I have an obligation for myself, for Chinese people and for people at large, including Canadians.”

This week, the U.S. Department of Justice and the FBI took action to disable the “Coreflood” botnet. In an unprecedented move, a federal judge granted permission to authorities to seize control of the botnet, which compromised private computers with malicious software that captured private online banking information from users. The Internet Systems Consortium, a non-profit organization, was given permission to takeover the botnet’s command-and-control servers — used to communicate with infected private computers — and replace the servers with its own. These servers would respond to command and control requests from infected computers, and send a “stop” command to infected machines, effectively interrupting the botnet by stopping the malware from running on private computers. According to this Wired article, Coreflood is designed to run whenever an infected computer is rebooted. The replaced servers are required to send the “stop” command after every reboot, until the malware is removed from the victim’s computer. A similar method was used by Dutch authorities in 2010 to takedown the Bredolab botnet.

Botnets have become a popular tool in the underground economy of cyber crime. By exploiting personal computers infected with malware—effectively turning these computers into “zombie computers” controlled by a botmaster—the underground economy has indeed become a lucrative one. According to this US request filing, Coreflood victims included private companies such as a North Carolina investment firm and a Tennessee defence contractor which lost USD 151,201 and USD 241,886 respectively. In late 2010, Nart Villeneuve and the Information Warfare Monitor released Koobface: Inside a Crimeware Network, a report on the Koobface botnet, detailing its propagation strategies, counter-security measures, and business model. Villeneuve found that over the course of one year, through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, Koobface operators were able to earn over USD 2 million.

The Globe and Mail notes that, “the Corefood investigation was aided immensely by a geographic fluke – the fact that many of the perpetrators and victims resided within a single jurisdiction, the United States”. Indeed, Villeneuve explains, botnet operators are able to benefit from the fact that their criminal acts spread across multiple jurisdictions—the issue of multiple jurisdictions often complicate investigations and hinder law enforcement and takedown efforts. In the case of Coreflood, US authorities were able to successfully takeover the botnet because its servers were located within US jurisdiction—in Georgia, Texas, Ohio, California, and Arizona. For the official documents see here for the Justice Department’s press release, here for the complaint, here for the seizure warrant, and here for the Coreflood temporary restraining order.

Users have expressed discomfort with the government performing actions against their computers. In this Wired article, the EFF commented, “Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood this would still be an extremely sketchy action to take. It’s other people’s computers and you don’t know what’s going to happen for sure. You might blow up some important machine.”

While underground crime represents one aspect of the economics of cyberspace, the global economy of cyber controls represents another. A few weeks ago, we reported on the release of the the OpenNet Initiative’s West Censoring East: The Use of Western Technologies by Middle East Censors, 2010-2011, a report that details the complicity of Western companies (Websense, Netsweeper, Intel) in the online censorship of over 20 million citizens in nine countries in the Middle East and North Africa. The complicity of Western companies in filtering has placed a major spotlight on the actions of private actors in cyberspace. While some companies such as Google have pulled out from territories requesting its compliance in censorship others such as RIM has decided to adjust its policies to appease governments. This week, RIM’s Mike Lazaridis walked out on a BBC Interview when asked whether “security issues” in India and the Middle East had been “sorted out”—referring to the security implications for users in territories where governments have threatened to ban the service if the company failed to comply with its requests for access to encrypted communications. Yesterday, it was reported that the UAE government had asked telecom companies Etisalat and Du, to restrict access of a new and more secure version of Blackberry’s service to only “qualifying organizations”—not private individuals.

While restrictive cyberspace controls are often thought of as a characteristic of authoritarian governments this week Canadians were informed about a plan from their government to enact greater control over their communications.

In Canada, the Conservative government included a commitment in their election platform to pass a bundled “crime and justice” bill that includes lawful access legislation through Parliament within 100 days if re-elected. Michael Geist has a timely analysis of this issue in this blog. This bill will, as Geist states, “fundamentally reshape the Internet in Canada,” as it establishes a three pronged approach to deal with lawful access, focusing on information disclosure, mandated surveillance technologies, and new policing powers. This bill will effectively establish Internet surveillance requirements as well as create the conditions for potential disclosure of personal information (IP address, device identification numbers, address, phone number, etc) without oversight from the courts. It will require ISPs to develop technical surveillance capabilities in order to isolate communications and engage in interception. Police will also be given new powers to access surveillance data. Cyber crime is a serious issue that requires focused attention. However, the possible impact of these proposals on user privacy in Canada is a cause for concern.

A series of cyber attacks were launched this week. Many of which appear to be politically motivated.

According to their Online Security Blog, Google has noticed “highly targeted and apparently political motivated attacks,” against activists. The attacks exploit a publicly-disclosed MHTML vulnerability in Windows XP and later Windows operating systems.
Over the weekend, The Irrawaddy (exiled independent Burmese media based in Thailand) was attacked by hackers posting fake articles on its Web site. The articles were detailed and strategic—the authors used made up quotes by actual contributors to The Irrawaddy. One article attempted to tarnish exiled media by exercising an editorial line used by the Burmese junta which portrays exiled Burmese as those living lavishly and funded by Western governments. As such, the editor of the Irrawaddy expressed that it is “clear that someone who has intelligence on the ground…has been assigned to write fake articles to cause damage to us[.]” Although direct attribution is difficult to make, another exiled Burmese media organization, the Democratic Voice of Burma, has stated, “Fake articles were posted by a hacker on a popular exiled Burmese news website over the weekend in what may be a new tactic in the Burmese junta’s cyber offensive on independent media.”

Hackers for Iran’s Revolutionary Guard’s paramilitary Basij group announced that they have launched attacks on Web sites of “enemies.” Associated Press has noted that this was a rare acknowledgement from the country that it is involved in “cyber warfare.” According to the acting commander of the Basij, General Ali Fazli, the attack was in retaliation for similar attacks on Iran. Since the release of Stuxnet (which targeted Iran’s uranium enrichment program), Iran has been stepping up on its cyber-capabilities.

Finally, on Thursday, the security firm RSA announced that its security systems had “identified an extremely sophisticated cyber attacked in progress being mounted” against it. RSA’s investigation has determined that the attack falls into the Advanced Persistent Threat (APT) category. As Kim Zetter explains in Wired, an APT attack is distinct from other types of attacks in terms of the data that is targeted: “Unlike most intrusions that go after financial and identity data, APT attacks tend to go after source code and other intellectual property and often involve extensive work to map a company’s infrastructure.” The attack on RSA has resulted in the extraction of information pertaining to its SecurID two-factor authentication products from its systems.

A group of security researchers have discovered a new type of DDoS botnet—known as the JKDDOS botnet—which launches attacks against large corporate investment groups, particularly those with mining-related interests. Between October 21 and 31, 2010, the JKDDOS botnet was launched against a well-known investment company based in New York City, on six separate occasions. According to Jeff Edwards of Arbor Networks, the longest attack lasted 33 hours. The botnet is controlled through a command infrastructure in China. The Register’s John Leydon has suggested that JKDDOS is a “tool in an underground denial of service for hire service.” The Arbor Networks analysis of the JKDDOS botnet can be found here.

It was reported this week that a coordinated effort between Microsoft, Pfizer, network security provider FireEye and security experts at the University of Washington was successful in taking down the Rustock botnet—the world’s largest spam botnet, which sent over 1,000 thousand spam e-mails per second prior to the takedown. On Wednesday March 16, M86 Security Labs reported that spam had completely stopped and that known Rustock control servers had stopped responding. This story first emerged on Brian Kreb’s blog. Microsoft’s announcement can be found here.

CYBER SECURITY INDUSTRY AND GOVERNMENT INITIATIVES

Thursday’s Information Technology Security Forum at Stanford drew an audience of 300 security technologists and entrepreneurs from Silicon Valley and policy makers from Washington. For VentureBeat, the message at the forum was that cyber security will become a hot sector with large returns. Amid rising cyber security threats, such as this week’s discovery of vulnerabilities in Adobe products as well as recent concerns over mobile-device vulnerabilities and Stuxnet, governments, law enforcement, big companies, start-ups and venture capitalists are turning their eyes towards cybersecurity. This article from VentureBeat details the forum as well as the economy of cybersecurity and provides a list of the mega acquisitions in the security market. It is expected that the security tech market will see a 14 percent growth rate to USD 82 billion by 2012. While the article states “acquisitions are one sign that the ecosystem is healthy,” some academics have questioned the impact of concentration and centralization of capital in Internet related industries on the Internet itself. A recent piece by John Bellamy Foster and Robert McChesney looks at this problematique.

Meanwhile, the US government has continued to step up on national cyber security capabilities. This week, the US Department of Defense announced that it will begin supplying the country’s top Internet service providers with military cyber security tools for the purpose of stopping and detecting network attacks. This trial run may be loosely based off the Defense Industrial Base Information Sharing Environment program—a collaboration between the DoD and a group of 40 defense contractors whereby contractors voluntarily share information about attacks on their networks, malware, and data thefts in return for DoD help in fixing weaknesses in their computer systems. The project is expected to run for five years, and the DoD is looking for USD 113 million to fund the project’s expansion and to include more suppliers.

The United Kingdom will launch a similar project. The Cyber Security Operations Centre (CSOC) will begin to partner up with major communications, power, and transport providers so that the intelligence agency can start analyzing streams of data for evidence of attacks. Negotiations between PM David Cameron and critical infrastructure firms to share their network data with CSOC have recently begun.

In Australia, a new cyber investigations unit under the Australian Security and Intelligence Organization will be set up with the mandate of investigating and providing advice on state-sponsored cyber attacks against the country. In Canada, industry insiders have claimed that attackers have been penetrating the country’s power grid and as a result, have been calling for government action.

OTTAWA — A federal cabinet minister said Thursday that hackers, perhaps from China, compromised computers in two Canadian government departments in early January, leaving bureaucrats with little or no Internet access for nearly two months.

The minister, Stockwell Day, the president of the Treasury Board, told reporters that hackers had infiltrated computers in his department, which supervises the bureaucracy and government operations, as well as in the Department of Finance, which is responsible for the government’s budget and fiscal policy.

“Every indication we have at this point is that our sensors and our cyberprotection systems got the alerts out in time, that the information doors were slammed shut,” Mr. Day said.

He added that the attack, the latest in a series of confirmed assaults on government computer systems, was more directly focused than were previous strikes against Canada.

“It was a significant one — significant that they were going after financial records,” he said.

After the attack was discovered in early January, the government largely isolated computers in the two departments from the Internet. The computers have, for the most part, remained disconnected while security officials searched individual computers for evidence in case of a criminal investigation and to remove the compromising software.

While the attack was not confirmed until late Wednesday, shortly before a Canadian Broadcasting Corporation report about it, signs that something was wrong have been evident for some time. For the past six weeks, thousands of public servants employed by the two departments have either been staying home to use Internet connections or slipping out of their offices to use wireless Internet connections at nearby cafes.

The employees were not told why they had been returned to the pre-Internet age, creating what one Treasury Board employee earlier called a “weird” situation in which it was difficult to complete work.

There are concerns that the hackers may have gained advance knowledge of the federal budget, to be released next month. Because Canadian budgets are generally not amended after being presented to Parliament, they are prepared in great secrecy to prevent advance knowledge of their contents from being used for financial gain.

Vic Toews, the minister of public safety, said in an e-mail that “we have no indication that budget security has been compromised.”

Mr. Toews and other officials have declined to publicly outline the nature of the attack. But a government computer specialist who was briefed about the attack confirmed the CBC’s report on the condition that he not be identified because of the government’s policy of not discussing computer security issues.

According to the CBC and other Canadian news organizations, the attackers adopted the same approach as the one used by a China-based computer espionage ring that stole information from the Indian Defense Ministry. That gang was exposed last year by a team of researchers from the Munk School of Global Affairs at the University of Toronto.

The hackers used a technique that is sometimes known as “executive spear phishing.” First they took control of computers used by senior officials in the affected departments. Once inside, the hackers generated messages that appeared to be from those officials to the departments’ information technology section, which provided the hackers with passwords to various government computer systems.

At the same time, other employees in the departments received e-mails that falsely appeared to come from the senior officials that included Adobe PDF attachments. Once opened, those attachments started hidden programs that hunted for information on the government network to send back to the hackers.

While security scanning software is supposed to catch and block destructive software hidden in attachments, the hackers either developed programs that were unknown to software security companies or found a novel method of hiding their unwanted computer code.

The Canadian news reports said that the government had traced the hackers to an Internet address in China.

Rafal A. Rohozinski, one of the Munk School researchers who documented the earlier Chinese attack, said it should be possible for the Canadian government to determine if the attack originated in China or if the hackers had merely disguised their location by using Chinese servers.

Nevertheless, Mr. Rohozinski said that China was the most likely source of the attack, although that did not necessarily indicate that it was a government-sanctioned action.

“There are more people online in China than anywhere else,” he said. “Most of them are young, so you see a lot of digital promiscuity coming from China.”

Ma Zhaoxu, a spokesman for China’s Foreign Ministry, rejected suggestions of a link to China, Reuters reported. “What you mentioned is purely fictitious and has an ulterior motive,” he said.

Meanwhile, Mr. Rohozinski was skeptical that Canadian government investigators could demonstrate that no information was stolen from the systems. The government adopted a new computer security plan last fall, but he said that very little of the plan had been put in effect, leaving security largely uncoordinated and varying in quality from department to department.