<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Google</title>
	<atom:link href="http://www.infowar-monitor.net/tag/google/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Fri, 30 Jul 2010 21:00:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Google tops comparative review of malicious search results</title>
		<link>http://www.infowar-monitor.net/2010/07/google-tops-comparative-review-of-malicious-search-results/</link>
		<comments>http://www.infowar-monitor.net/2010/07/google-tops-comparative-review-of-malicious-search-results/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 21:00:49 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6242</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.zdnet.com/blog/security/google-tops-comparative-review-of-malicious-search-results/7009" target="_blank">Dancho Danchev</a>, ZDNET.

According to a newly released report by Barracuda Labs, based on a two-month study reviewing more than 25,000 trending topics and 5.5 million search results, Google remains the most popular search engine used by malicious attackers, relying on poisoned keywords.

The company, which also sampled Yahoo Search, Bing, and Twitter, attributes Google’s leading position to the fact that Google remains the market share leader in online search, and consequently the most targeted search engine.

Key highlights of the study:

    * Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
    * The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
    * Over half of the malware found was between the hours of 4:00 a.m. and 10:00 a.m. GMT. The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.zdnet.com/blog/security/google-tops-comparative-review-of-malicious-search-results/7009"target="_blank">Dancho Danchev</a>, ZDNET.</p>
<p>According to a newly released report by Barracuda Labs, based on a two-month study reviewing more than 25,000 trending topics and 5.5 million search results, Google remains the most popular search engine used by malicious attackers, relying on poisoned keywords.</p>
<p>The company, which also sampled Yahoo Search, Bing, and Twitter, attributes Google’s leading position to the fact that Google remains the market share leader in online search, and consequently the most targeted search engine.</p>
<p>Key highlights of the study:</p>
<p>    * Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.<br />
    * The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!<br />
    * Over half of the malware found was between the hours of 4:00 a.m. and 10:00 a.m. GMT. The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.</p>
<p>Interestingly, based on the data gathered, the most popular topic of choice for cybercriminals were spyware related searches, followed by entertainment news, with hosting sites, P2P and proxies related searches showing a significant growth. What’s worth highlighting while interpreting the data, is that it’s only valid for a specific period of time. How come? Contrary to the common misunderstanding that cybercriminals are picky about popular search terms, what they do is automatically syndicate the Web’s buzz for their malicious purposes.</p>
<p>Poisoned search engine results have been an active tactic in the arsenal of the cybercriminal for several years. The practice, known as blackhat SEO (search engine optimization) is now the primary source for hijacked legitimate traffic, which in a combination with the automatic compromising of hundreds of thousands of legitimate sites, exposes end users to everything a cybercriminal has to offer.</p>
<p>Go through related posts:</p>
<p>    * Cybercriminals syndicating Google Trends keywords to serve malware<br />
    * Federal forms themed blackhat SEO campaign serving scareware<br />
    * 9/11 related keywords hijacked to serve scareware<br />
    * Haiti earthquake themed blackhat SEO campaigns serving scareware<br />
    * The ultimate guide to scareware protection</p>
<p>Although Google’s aware of the situation, and is catching up pretty fast, cybercriminals remain ahead of the game, doing nothing else but playing by the SEO book. For instance, in a report released by Google in April, the company found that scareware accounted for 15% of all malware, and that scareware represented 50% of the malware delivered through malvertising. The evasive practice that cybercriminals took advantage of to achieve these results is checking for the correct HTTP referrer.</p>
<p>Poisoned search engines are the inevitable result of the real-time Web, allowing cybercriminals to take advantage of the same tools and tactics, that legitimate marketers do. But being the market leader in online search, means that in 2010 your crawlers shouldn’t be that easily tricked into loading the legitimate content, with the malicious one served to the average Internet user.</p>
<p>What do you think? Is Google doing enough to protect its users from poisoned search engine results? Most importantly, can Google protect the end user from himself at the end of the day? Would the current situation have been any different if, for instance, Bing or Yahoo was the market share leader in online search?</p>
<p>http://www.zdnet.com/blog/security/google-tops-comparative-review-of-malicious-search-results/7009</p>
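<p>Editor's added example (not code from the ZDNet post or from Barracuda Labs): the referrer check the article describes, reconstructed as a hypothetical attacker-side decision function, next to the probe an analyst runs to expose it. The page fetched by a crawler or a direct visitor is the keyword-stuffed bait; the same URL requested by a browser whose Referer is a search-engine results page gets the scareware redirect. <code>probe_for_cloaking</code> fetches one URL under several personas and reports which of them see a body the crawler does not. The crawler markers, search-engine host list, persona headers and sample HTML are all assumptions constructed for this example.</p>

```python
"""Referer-keyed cloaking and a probe that exposes it (added example, not from the ZDNet post).

`cloaked_page` is a hypothetical reconstruction of the trick the article describes:
crawlers and direct visitors get the keyword-stuffed bait page, while a browser
arriving from a search-engine results page gets the scareware redirect.
`probe_for_cloaking` fetches one URL under several personas and flags divergent
bodies. Marker lists, persona headers and sample HTML are assumptions for this example.
"""
import hashlib
import urllib.request
from urllib.parse import urlparse

# Assumed markers; real campaigns key on more signals (crawler IP ranges, cookies, geo).
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")
SEARCH_ENGINE_HOSTS = ("google.", "bing.com", "search.yahoo.")

# Constructed sample responses, not captured from any real site.
CLEAN_HTML = "<html><body><h1>Trending topic</h1><p>keyword-stuffed filler</p></body></html>"
MALICIOUS_HTML = ('<html><head><meta http-equiv="refresh" '
                  'content="0;url=http://scareware.example/scan"></head></html>')


def cloaked_page(headers):
    """Attacker-side decision: which body to serve for this request's headers."""
    ua = headers.get("User-Agent", "").lower()
    referer_host = urlparse(headers.get("Referer", "")).netloc.lower()
    if any(marker in ua for marker in CRAWLER_MARKERS):
        return CLEAN_HTML            # crawler indexes the bait under the hot keyword
    if any(host in referer_host for host in SEARCH_ENGINE_HOSTS):
        return MALICIOUS_HTML        # victim clicked the poisoned search result
    return CLEAN_HTML                # direct visit, analyst, or anyone else


# Personas for the probe; UA strings are illustrative, not vendor-published values.
PERSONAS = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "direct": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
    "from_search": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
                    "Referer": "http://www.google.com/search?q=trending+topic"},
}


def urllib_fetch(url, headers, timeout=10):
    """Live fetcher: GET `url` with exactly the persona's headers."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def simulated_fetch(url, headers):
    """Offline stand-in for urllib_fetch that routes requests to cloaked_page."""
    return cloaked_page(headers)


def probe_for_cloaking(url, fetch=urllib_fetch, personas=PERSONAS):
    """Fetch `url` once per persona; report which personas see a body the crawler does not."""
    digests = {name: hashlib.sha256(fetch(url, hdrs).encode("utf-8")).hexdigest()[:16]
               for name, hdrs in personas.items()}
    baseline = digests["crawler"]
    differs = [name for name, digest in digests.items() if digest != baseline]
    return {"cloaked": bool(differs), "differs_from_crawler": differs, "digests": digests}


if __name__ == "__main__":
    # Offline run against the simulated cloaker; pass fetch=urllib_fetch for a live URL.
    print(probe_for_cloaking("http://poisoned.example/trending", fetch=simulated_fetch))
```

<p>Two caveats for anyone running the live fetcher: a body that differs between personas is a signal, not proof, since legitimate sites also vary content by user agent or locale, so diff the bodies before calling it cloaking; and a cloaker that keys on the crawler's source IP ranges rather than on headers will show the same page to every persona run from an analyst's network, in which case the comparison to make is against the search engine's cached copy of the page.</p>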
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/07/google-tops-comparative-review-of-malicious-search-results/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;Cyberwar&#8217;: Richard Clarke On Why The Google Hacking Is A Sign Of Future Threats (VIDEO)</title>
		<link>http://www.infowar-monitor.net/2010/04/your-request-is-being-processed-cyberwar-richard-clarke-on-why-the-google-hacking-is-a-sign-of-future-threats-video/</link>
		<comments>http://www.infowar-monitor.net/2010/04/your-request-is-being-processed-cyberwar-richard-clarke-on-why-the-google-hacking-is-a-sign-of-future-threats-video/#comments</comments>
		<pubDate>Tue, 20 Apr 2010 23:02:01 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5988</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.huffingtonpost.com/2010/04/20/cyberwar-richard-clarke-o_n_544468.html">Huffington Post</a>

Richard Clarke is interviewed in a video regarding Google and new national cybersecurity threats.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.huffingtonpost.com/2010/04/20/cyberwar-richard-clarke-o_n_544468.html">Huffington Post</a></p>
<p>Richard Clarke is interviewed in a video regarding Google and new national cybersecurity threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/your-request-is-being-processed-cyberwar-richard-clarke-on-why-the-google-hacking-is-a-sign-of-future-threats-video/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google: Online attacks aimed at Vietnam&#8217;s critics</title>
		<link>http://www.infowar-monitor.net/2010/04/google-online-attacks-aimed-at-vietnams-critics/</link>
		<comments>http://www.infowar-monitor.net/2010/04/google-online-attacks-aimed-at-vietnams-critics/#comments</comments>
		<pubDate>Sun, 11 Apr 2010 07:04:07 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Vietnam]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5937</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.businessweek.com/ap/financialnews/D9EPO6R81.htm">Ben Stocking</a>, Business Week. 

Google Inc. accused Vietnam on Wednesday of stifling political dissent with cyberattacks, the latest complaint by the Internet giant against a communist regime following a public dispute with China over online censorship.

Like China, Vietnam tightly controls the flow of information and has said it reserves the right to take "appropriate action" against Web sites it deems harmful to national security.

The cyberattacks targeted "potentially tens of thousands," a posting on Google's online security blog said.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.businessweek.com/ap/financialnews/D9EPO6R81.htm">Ben Stocking</a>, Business Week. </p>
<p>HANOI</p>
<p>Google Inc. accused Vietnam on Wednesday of stifling political dissent with cyberattacks, the latest complaint by the Internet giant against a communist regime following a public dispute with China over online censorship.</p>
<p>Like China, Vietnam tightly controls the flow of information and has said it reserves the right to take &#8220;appropriate action&#8221; against Web sites it deems harmful to national security.</p>
<p>The cyberattacks targeted &#8220;potentially tens of thousands,&#8221; a posting on Google&#8217;s online security blog said.</p>
<p>It said it was drawing attention to the Vietnam attacks because they underscored the need for the international community &#8220;to take cybersecurity seriously to help keep free opinion flowing.&#8221;</p>
<p>Google apparently stumbled onto a scheme targeting Vietnamese-speaking Internet users around the world while investigating the surveillance of e-mail accounts belonging to Chinese human rights activists, one analyst suggested.</p>
<p>The attackers appear to have targeted specific Web sites and duped users into downloading malware programs, said Nart Villeneuve from The Citizen Lab at the University of Toronto. That may have allowed the infiltration and surveillance of activists, he said.</p>
<p>&#8220;This kind of stuff happens all the time in China,&#8221; said Villeneuve. &#8220;It has a chilling effect. It silences people.&#8221;</p>
<p>Google engineer Neel Mehta wrote in the posting, &#8220;these attacks have tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country.&#8221;</p>
<p>The mining project involving a subsidiary of Chinese state-run aluminum company Chinalco is planned for Vietnam&#8217;s Central Highlands and has attracted strong opposition.</p>
<p>Foes fear the mine would cause major environmental problems and lead to Chinese workers flooding into the strategically sensitive region.</p>
<p>The computer security firm McAfee, which has investigated the malware, also discussed the attacks in a blog posting Tuesday.</p>
<p>&#8220;We believe that the perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam,&#8221; wrote George Kurtz, McAfee&#8217;s chief technology officer.</p>
<p>Vietnamese officials did not respond to requests for comment Wednesday.</p>
<p>Last fall, the government detained several bloggers who criticized the bauxite mine, and in December, a Web site called bauxitevietnam.info, which had drawn millions of visitors opposed to the mine, was hacked.</p>
<p>The malware apparently began circulating at about that time, according the McAfee blog. It said someone hacked into a Web site run by the California-based Vietnamese Professionals Society and replaced a keyboard program that can be downloaded from that site with a malicious program.</p>
<p>Google says its dispute with China was triggered by a hacking attack that emanated from the mainland and attempts to snoop on dissidents&#8217; e-mail.</p>
<p>Last week, Google shut down its search operations in China, Vietnam&#8217;s northern neighbor, after complaints of cyberattacks and censorship there. Google now redirects search queries from China&#8217;s mainland to the freer Chinese territory of Hong Kong.</p>
<p>On Tuesday, many users of the Chinese Google search engine experienced difficulties. Analysts suggested the troubles may be linked to the company&#8217;s decision to move to Hong Kong.</p>
<p>Google initially said it was an in-house technical problem but later shifted its explanation, blaming the &#8220;Great Firewall&#8221; &#8212; the nickname for the network of filters that keep mainland China&#8217;s Web surfers from accessing material the government deems sensitive.</p>
<p>The sudden disruption and lack of explanation fit with how the government has brought companies to heel previously in the heavily monitored Chinese Internet industry, analysts said.</p>
<p>&#8220;I don&#8217;t think anyone should be surprised,&#8221; said Bill Bishop, a Beijing Internet entrepreneur and author of the technology blog Digicha. Tuesday&#8217;s problems were payback by the government, he said, because &#8220;Google humiliated China.&#8221;</p>
<p>http://www.businessweek.com/ap/financialnews/D9EPO6R81.htm</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/google-online-attacks-aimed-at-vietnams-critics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A new approach to China: a new update</title>
		<link>http://www.infowar-monitor.net/2010/03/a-new-approach-to-china-a-new-update/</link>
		<comments>http://www.infowar-monitor.net/2010/03/a-new-approach-to-china-a-new-update/#comments</comments>
		<pubDate>Tue, 23 Mar 2010 04:00:00 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5897</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://googleblog.blogspot.com/2010/03/new-approach-to-china-update.html">David Drummond</a> , Official Google Blog.

On January 12, we announced on this blog that Google and more than twenty other U.S. companies had been the victims of a sophisticated cyber attack originating from China, and that during our investigation into these attacks we had uncovered evidence to suggest that the Gmail accounts of dozens of human rights activists connected with China were being routinely accessed by third parties, most likely via phishing scams or malware placed on their computers. We also made clear that these attacks and the surveillance they uncovered—combined with attempts over the last year to further limit free speech on the web in China including the persistent blocking of websites such as Facebook, Twitter, YouTube, Google Docs and Blogger—had led us to conclude that we could no longer continue censoring our results on Google.cn. 

So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk. Due to the increased load on our Hong Kong servers and the complicated nature of these changes, users may see some slowdown in service or find some products temporarily inaccessible as we switch everything over. 

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://googleblog.blogspot.com/2010/03/new-approach-to-china-update.html">David Drummond</a> , Official Google Blog.</p>
<p>On January 12, we announced on this blog that Google and more than twenty other U.S. companies had been the victims of a sophisticated cyber attack originating from China, and that during our investigation into these attacks we had uncovered evidence to suggest that the Gmail accounts of dozens of human rights activists connected with China were being routinely accessed by third parties, most likely via phishing scams or malware placed on their computers. We also made clear that these attacks and the surveillance they uncovered—combined with attempts over the last year to further limit free speech on the web in China including the persistent blocking of websites such as Facebook, Twitter, YouTube, Google Docs and Blogger—had led us to conclude that we could no longer continue censoring our results on Google.cn. </p>
<p>So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk. Due to the increased load on our Hong Kong servers and the complicated nature of these changes, users may see some slowdown in service or find some products temporarily inaccessible as we switch everything over. </p>
<p>Figuring out how to make good on our promise to stop censoring search on Google.cn has been hard. We want as many people in the world as possible to have access to our services, including users in mainland China, yet the Chinese government has been crystal clear throughout our discussions that self-censorship is a non-negotiable legal requirement. We believe this new approach of providing uncensored search in simplified Chinese from Google.com.hk is a sensible solution to the challenges we&#8217;ve faced—it&#8217;s entirely legal and will meaningfully increase access to information for people in China. We very much hope that the Chinese government respects our decision, though we are well aware that it could at any time block access to our services. We will therefore be carefully monitoring access issues, and have created this new web page, which we will update regularly each day, so that everyone can see which Google services are available in China. </p>
<p>In terms of Google&#8217;s wider business operations, we intend to continue R&#038;D work in China and also to maintain a sales presence there, though the size of the sales team will obviously be partially dependent on the ability of mainland Chinese users to access Google.com.hk. Finally, we would like to make clear that all these decisions have been driven and implemented by our executives in the United States, and that none of our employees in China can, or should, be held responsible for them. Despite all the uncertainty and difficulties they have faced since we made our announcement in January, they have continued to focus on serving our Chinese users and customers. We are immensely proud of them.</p>
<p>Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/a-new-approach-to-china-a-new-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Indian Govt thwarted all hacking attempts: Sachin Pilot</title>
		<link>http://www.infowar-monitor.net/2010/03/indian-govt-thwarted-all-hacking-attempts-sachin-pilot/</link>
		<comments>http://www.infowar-monitor.net/2010/03/indian-govt-thwarted-all-hacking-attempts-sachin-pilot/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 20:38:26 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[deface]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[M K Narayanan]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[MEA]]></category>
		<category><![CDATA[National Security Adviser]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[PDF]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Sachin Pilot]]></category>
		<category><![CDATA[South Block]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5851</guid>
		<description><![CDATA[Source: <a href="http://news.oneindia.in/2010/03/06/govt-thwarted-all-hacking-attempts-sachin-pilot.html">OneIndia</a>: All hacking attempts on government computers unsuccessful: Sachin Pilot

<blockquote>New Delhi, Mar 6: Dispelling fears on hackers penetrating into important information, Minister of State for Communication and Information Technology Sachin Pilot said that the government has been successful in averting such attempts.

"Yes, there have been attempts but I can categorically say that not one attempt has been successful," the minister said. "The government's computer network system, maintained by the National Informatics Centre, is highly efficient," Pilot said in a news agency report.


Lauding officials' efficiency in preventing such attempts, Pilot said that hackers are in search of a weak spot.

"But our people are very efficient and well trained. Safeguards have ensured that national security has not been breached."

Pilot's statement came amidst report on hackers trying to penetrate government computers in vital ministries like office of the National Security Adviser (NSA).</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Earlier, West Bengal governor and former NSA, M K Narayanan said that hackers targeted his office and other government departments on the same day the US defence, finance and technology companies, including Google, reported cyber attacks from China.</p>
<p>An email with a PDF attachment containing a Trojan virus, which allows hackers to download or delete files, was sent by the hackers.</p>
<p>However, it was detected and officials were warned against logging in until the virus was destroyed.</p>
<p>Security measures like frequently changing passwords and using e-mails only for routine communication have been included in the protocol prescribed by the Ministry of External Affairs and Indian embassies for its officers.</p>
<p>Along with that, a periodic security review of all computers is done to avert cyber threats.</p>
<p>India had reported a total of 6,023 cases of defacement in 2009, while in 2010, Computer Emergency Response Team, a cyber security advisory and referral agency of the Department of Information Technology informed that 570 Indian web sites were defaced in Jan.</p>
<p>OneIndia News</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/indian-govt-thwarted-all-hacking-attempts-sachin-pilot/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Britain applies military thinking to the growing spectre of cyberwar</title>
		<link>http://www.infowar-monitor.net/2010/03/britain-applies-military-thinking-to-the-growing-spectre-of-cyberwar/</link>
		<comments>http://www.infowar-monitor.net/2010/03/britain-applies-military-thinking-to-the-growing-spectre-of-cyberwar/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 20:09:54 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[0day]]></category>
		<category><![CDATA[Afghanistan]]></category>
		<category><![CDATA[Antony Loyd]]></category>
		<category><![CDATA[Cabinet Office]]></category>
		<category><![CDATA[Chechnya]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[complexity]]></category>
		<category><![CDATA[Control Risks]]></category>
		<category><![CDATA[criminal]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[CSOC]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[electricity]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[FSB]]></category>
		<category><![CDATA[GCHQ]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[Huawei]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Jonathan Evans]]></category>
		<category><![CDATA[Lord West]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[MI5]]></category>
		<category><![CDATA[nuclear]]></category>
		<category><![CDATA[OCS]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[PLA]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[retaliation]]></category>
		<category><![CDATA[Royal Marines]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[South Ossetia]]></category>
		<category><![CDATA[Sri Lanka]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[The Times]]></category>
		<category><![CDATA[Trend Micro]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US cyber doctrine]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5842</guid>
		<description><![CDATA[<a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article7053270.ece">Antony Lloyd</a>, The Times: 

<blockquote>The strategy being developed by Lord West is not limited to risk assessment; retaliation is part of the package. “We could do what these people do [to us] if we wanted to,” he said. “We’re looking at ... the ethics of all of this. If someone dropped a bomb on us, I would have no hesitation in shooting their bloody plane down and giving them a slapping ... So we need to think through how we react to these ‘other things’ and the implications.”

The murky world of cyberwar is inhabited by small-time hackers, criminal syndicates and people operating with the support of their government.

“Everything that happens to us is called an ‘attack’,” said a senior official with a lead role in British cyber operations, “[but] most of what we see on a large scale ... is about the exfiltration of data — theft, not an attack.” There exists, however, an overlap between the interests of hostile state intelligence agencies and cybercriminal syndicates seeking to steal intellectual data for profit. Russian cybercrime syndicates, better known as partnerka, lead commercial espionage in Europe and are known to have links with Harry and his comrades in the FSB. China has its own dedicated cyber operations headquarters within the People’s Liberation Army but also holds top rank in the league of cyberhostile countries — the list used by Western security companies to warn business clients of cyber-threat.

The West’s nuclear strategy was based on deterrence — the assurance that a guaranteed second strike would prevent a first strike from coming. Yet cyberwar is more complex because the attacks have certain things in common: they are fast, cheap and hard to trace.

“Attribution is unbelievably difficult,” admitted Lord West. “These guys could attack [as if it was from] your site — the attacks would come in from different nodes in a strange way that you can’t even identify. Follow the attack back and it gets to you — but it wasn’t you.”

The sophistication of commercial and state-sponsored activity has developed immensely since the attacks on Estonia and Georgia, with denial-of-service operations now considered relatively low-grade. More worrying is “zero-day malware” — an unidentifiable new generation of Trojan programs that are implanted into a host computer and lie dormant until activated.

“Let’s say that someone has received an e-mail that looks like it’s from someone they know, about a subject they feel comfortable with,” said Ian McGurk, associate director for information security at Control Risks, a security consultancy. “As a consequence they trust the material. If there’s an attachment — a photograph, a Word document, whatever — embedded within that attachment is some sort of malicious code that is going to install itself on the machine. That machine is then compromised, and a Trojan is installed that can search for information.”

As well as transmitting information back to its handler, zero-day malware can also hand a computer to outside control before going on to infect an entire system.

Raimund Genes, the chief technical officer of Trend Micro, said: “We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government.”</blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article7053270.ece">Antony Loyd</a>, The Times: </p>
<p>Harry was a Russian secret service agent who spoke perfect English and wore cowboy boots with his uniform. I never knew what his face looked like because he wore a mask during the lengthy interrogation sessions he put me through during five days of captivity in Federal Security Service (FSB) hands in Chechnya in 1999. The first item taken from me by Harry and his friends was my laptop. I was as much unnerved as relieved when it was returned on my release. “I can have it back?” “Yeah, have it back,” the FSB agent replied, and laughed.</p>
<p>Within 24 hours of arriving home in London the laptop was deluged with spam, pornography and Russian hate mail, eventually crashing completely. The act was more a digital slap on the wrist than the attacks that the Russians would allegedly inflict on entire countries several years later, but it was my first experience of cyberwar.</p>
<p>The incident came to mind eight years later on a February morning in Helmand, southern Afghanistan, when I heard a Royal Marines colonel briefing his officers. He mentioned, almost as an aside, that one of the men’s e-mail accounts had been closed after being compromised by a “hostile intelligence agency”. In other words, someone hacked into a soldier’s computer to see what might be found there. Last December, in Sri Lanka, a senior UN official confided to me that his e-mails were being intercepted by a “key log” program that allowed everything he wrote and received to be read by an intelligence agency.</p>
<p>Today barely a week passes without the phrase “cyberattack” in the news. It is a loose term, incorporating everything from criminal hacking and commercial espionage to attempts to seize control of weapon systems or sabotage national infrastructures. Britain is treating the surge of hostile computer activity seriously enough to have established two organisations last year to co-ordinate, assess and expand its cyber strategy. The Office for Cyber Security (OCS), established by the Cabinet Office, was created in the autumn after a warning by intelligence chiefs that China may have acquired the ability to cripple key points of infrastructure such as telecommunications.</p>
<p>Whitehall departments were allegedly first targeted by Chinese hackers in 2007. Later that year Jonathan Evans, director-general of MI5, wrote to 300 chief executives warning of potential Chinese hacking attacks and data theft. In the year up to November 2009 Britain suffered 300 cyber intrusions — defined as a sophisticated attempt, successful or not, to steal data or sabotage systems — on government and military networks.</p>
<p>The OCS, at present staffed by 14 people, including personnel from the security services and military, is to be fully operational with a strength of 20 later this year. It works closely with a second organisation, the secretive Cyber Security Operations Centre, located within Government Communications Headquarters in Cheltenham. A key part of the approach is establishing rules of engagement for retaliatory cyberstrikes should critical infrastructure be attacked and crippled.</p>
<p>“If I go and bomb someone’s power station, that is an act of war,” Baron West of Spithead, the Permanent Under Secretary of State for Security and Counterterrorism, told The Times. “But if I use a computer to make that power station effectively not work, is that an act of war? That is a simple stark example. There are much more complex examples. These were issues that hadn’t been addressed before, and we are now at the forefront of doing so.”</p>
<p>The majority of attacks have been to obtain funds from commercial organisations, and a full assault on a country’s banks, stock market, energy grid, telecommunications and health systems is more likely if countries are already in a “hot” war. There are several other potential triggers, however. In 2007 Estonian ministries, banks and newspapers were bombarded with denial-of-service attacks — mass requests for information that cause systems to crash — for several days after the Government moved a Soviet war memorial in the capital, Tallinn.</p>
<p>In 2008 Georgia complained of similar attacks during its brief conflict with Russia over the breakaway province of South Ossetia. The Russians were blamed in both cases, although they denied involvement.</p>
<p>The threats and scenarios of cyberwar require some sideways thinking. British assessments conclude, for example, that the risk of a serious attack in this country is still lower than that of a flu pandemic — but that a flu pandemic would be a lot worse if combined with an attack on NHS computer systems involved in vaccine distribution. American academics have predicted that the physical damage from a country shutting the US power grid for three months would be several times greater than the damage done by Hurricane Katrina in Louisiana.</p>
<p>The strategy being developed by Lord West is not limited to risk assessment; retaliation is part of the package. “We could do what these people do [to us] if we wanted to,” he said. “We’re looking at &#8230; the ethics of all of this. If someone dropped a bomb on us, I would have no hesitation in shooting their bloody plane down and giving them a slapping &#8230; So we need to think through how we react to these ‘other things’ and the implications.”</p>
<p>The murky world of cyberwar is inhabited by small-time hackers, criminal syndicates and people operating with the support of their government.</p>
<p>“Everything that happens to us is called an ‘attack’,” said a senior official with a lead role in British cyber operations, “[but] most of what we see on a large scale &#8230; is about the exfiltration of data — theft, not an attack.” There exists, however, an overlap between the interests of hostile state intelligence agencies and cybercriminal syndicates seeking to steal intellectual data for profit. Russian cybercrime syndicates, better known as partnerka, lead commercial espionage in Europe and are known to have links with Harry and his comrades in the FSB. China has its own dedicated cyber operations headquarters within the People’s Liberation Army but also holds top rank in the league of cyberhostile countries — the list used by Western security companies to warn business clients of cyber-threat.</p>
<p>The West’s nuclear strategy was based on deterrence — the assurance that a guaranteed second strike would prevent a first strike from coming. Yet cyberwar is more complex because the attacks have certain things in common: they are fast, cheap and hard to trace.</p>
<p>“Attribution is unbelievably difficult,” admitted Lord West. “These guys could attack [as if it was from] your site — the attacks would come in from different nodes in a strange way that you can’t even identify. Follow the attack back and it gets to you — but it wasn’t you.”</p>
<p>The sophistication of commercial and state-sponsored activity has developed immensely since the attacks on Estonia and Georgia, with denial-of-service operations now considered relatively low-grade. More worrying is “zero-day malware” — an unidentifiable new generation of Trojan programs that are implanted into a host computer and lie dormant until activated.</p>
<p>“Let’s say that someone has received an e-mail that looks like it’s from someone they know, about a subject they feel comfortable with,” said Ian McGurk, associate director for information security at Control Risks, a security consultancy. “As a consequence they trust the material. If there’s an attachment — a photograph, a Word document, whatever — embedded within that attachment is some sort of malicious code that is going to install itself on the machine. That machine is then compromised, and a Trojan is installed that can search for information.”</p>
<p>As well as transmitting information back to its handler, zero-day malware can also hand a computer to outside control before going on to infect an entire system.</p>
<p>Raimund Genes, the chief technical officer of Trend Micro, said: “We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/britain-applies-military-thinking-to-the-growing-spectre-of-cyberwar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>@nartv: The Aurora Mess</title>
		<link>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/</link>
		<comments>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 23:36:37 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[0day]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[attribution]]></category>
		<category><![CDATA[Aurora]]></category>
		<category><![CDATA[Bejtlich]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[C&C]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[copycats]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[Danchev]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[dynnamic DNS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[FT]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Hydraq]]></category>
		<category><![CDATA[iDefense]]></category>
		<category><![CDATA[Kneber]]></category>
		<category><![CDATA[Lanxiang Vocational School]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Mandiant]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Shanghai Jiaotong University]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[US cyber doctrine]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5820</guid>
<description><![CDATA[Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> &#124; <a href="http://www.nartv.org/about/">Nart Villeneuve</a>

Tags: Aurora, Botnets, China, Google, Malware.

<blockquote>The data about Aurora has always felt just a little off for me. Maybe it's that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic dns provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on C&#038;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names is linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</blockquote>]]></description>
<content:encoded><![CDATA[<p>Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a></p>
<p>Tags: Aurora, Botnets, China, Google, Malware.</p>
<blockquote><p>The data about Aurora has always felt just a little off for me. Maybe it's that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.</p>
<p>When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic dns provider that hands out sub-domains).</p>
<p>Maybe it is that some name domains that hosted the exploit but do not provide details on C&#038;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.</p>
<p>Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.</p>
<p>Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.</p>
<p>So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.</p>
<p>This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.</p>
<p>The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).</p>
<p>CnC_Domain.1<br />
CnC_Domain.2<br />
CnC_Domain.3<br />
CnC_Domain.4<br />
blog1.servebeer.com</p>
<p>At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names is linked.</p>
<p>baltika1.servebeer.com<br />
m7been.zapto.org<br />
miecros.info<br />
mcsmc.org<br />
yahoo.blogdns.net<br />
filoups.info<br />
google.homeunix.com</p>
<p>While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.</p>
<p>Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”</p>
<p>Fake AV Alert / Scareware<br />
mcsmc.org<br />
micronetsys.org<br />
mnprfix.cn<br />
filoups.info<br />
miecros.info</p>
<p>Fake Microsoft Antispyware<br />
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com<br />
ip-173-201-21-161.ip.secureserver.net<br />
inekoncuba.inekon.co.cu<br />
google.homeunix.com<br />
yahoo.blogdns.net<br />
voanews.ath.cx<br />
ymail.ath.cx</p>
<p>So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).</p>
<p>Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.</p>
<p>For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.</p>
<p>The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.</p>
<p>virtualmits.com<br />
syswa.cn<br />
thcway.info<br />
searchnix.info<br />
wscntgy.com<br />
google-analitics.in<br />
licagreem.in<br />
jusched.in</p>
<p>The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?</p>
<p>In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.</p>
<p>I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?</p>
<p>Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:</p>
<p>    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.<br />
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.</p>
<p>The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.</p>
<p>But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Report: The Command Structure of the Aurora Botnet:  History, Patterns, and Findings</title>
		<link>http://www.infowar-monitor.net/2010/03/report-the-command-structure-of-the-aurora-botnet-history-patterns-and-findings/</link>
		<comments>http://www.infowar-monitor.net/2010/03/report-the-command-structure-of-the-aurora-botnet-history-patterns-and-findings/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 04:24:45 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Aurora]]></category>
		<category><![CDATA[C&C]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[Dynamic DNS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Hydraq]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[PLA]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Taiwan]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[United States]]></category>
		<category><![CDATA[“old-school”]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5816</guid>
		<description><![CDATA[Source: <a href="http://www.damballa.com/research/aurora/">Damballa</a>: March 2, 2010

<blockquote>Overview

Following the public disclosures of electronic attacks launched against Google and several other businesses, subsequently referred to as “Operation Aurora”, Damballa conducted detailed analysis to confirm that existing customers were already protected and to ascertain the sophistication of the criminal operators behind the botnet. There has been much media attention and speculation as to the nature of the attacks. Multiple publications have covered individual aspects of the threat – in particular detailed analysis of forensically recovered malware and explanations of the Advanced Persistent Threat (APT).

By contrast, Damballa has been able to compile an extensive timeline of the attack dating back to mid-2009 that identifies unique aspects to the Aurora botnet that have been previously unknown. Based upon this new information and our experience in dealing with thousands of enterprise-targeted botnets, Damballa believes that the criminal operators behind the attack are relatively unsophisticated compared to other professional botnet operators. Even so, the results proved just as damaging as a sophisticated botnet since the threat was not quickly identified and neutralized.

Some key observations in this analysis report:</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The major pattern of attacks previously identified as occurring in mid-December 2009 targeting Google appears to originate in July 2009 from mainland China.</p>
<p>Hosts compromised with Aurora botnet agents and rallied to the botnet Command-and-Control (CnC) channels were distributed across multiple countries before the public disclosure of Aurora, with the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.</p>
<p>Damballa identified additional botnet CnC domains used by these criminal operators and established a timeline of malware associations back to May 2nd, 2009 by tracking the evolution of the malware used by Aurora’s operators.</p>
<p>This botnet has a simple command topology and makes extensive use of Dynamic DNS (DDNS) CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators any more. Reliance upon DDNS CnC is typically associated with new and amateur botnet operators.</p>
<p>The criminals behind the Google attack appear to have built and managed a number of separate botnets and run a series of targeted attack campaigns in parallel. This conclusion is based upon CnC domain registration and management information. The earliest of the CnC domains associated with these botnets, reliant upon DDNS service provisioning, appear to have been registered on July 13th, 2009.</p>
<p>The botnet operators behind the Aurora attacks deployed other malware families prior to the key Trojan.Hydraq release. Some of these releases overlapped with each other. Two additional families of malware (and their evolutionary variants) were identified as “Fake AV Alert /Scareware – Login Software 2009” and “Fake Microsoft Antispyware Service,” both of which employed fake antivirus infection messages to socially engineer victims into installing malicious botnet agents.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/report-the-command-structure-of-the-aurora-botnet-history-patterns-and-findings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Chinese hacked Google, and why India should worry</title>
		<link>http://www.infowar-monitor.net/2010/03/how-chinese-hacked-google-and-why-india-should-worry/</link>
		<comments>http://www.infowar-monitor.net/2010/03/how-chinese-hacked-google-and-why-india-should-worry/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 22:12:04 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Dalai Lama]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Greg Walton]]></category>
		<category><![CDATA[guerilla warfare]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Rohozinski]]></category>
		<category><![CDATA[Shishir Nagaraja]]></category>
		<category><![CDATA[Snooping Dragon]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5810</guid>
		<description><![CDATA[Source: <a href="http://business.rediff.com/slide-show/2010/mar/02/slide-show-1-tech-interview-how-chinese-hacked-google-and-why-india-should-worry.htm">Claude Arpi</a>, Rediff

<blockquote>The recent announcement by the United States giant search engine Google that it might withdraw from China made the headlines in world media. The Google decision highlighted the aggressiveness of the Chinese hackers who had been penetrating cyber fortresses like the Pentagon or the White House (as well as the PMO or the MEA in India!).

Claude Arpi spoke to Shishir Nagaraja, the co-author (with Ross Anderson) of The Snooping Dragon: Social malware Surveillance of the Tibetan Movement, published by University of Cambridge Computer Laboratory in March 2009.

Shishir Nagaraja, currently associated with the Information Trust Institute of the University of Illinois (US), tells rediff.com, not only about the Google episode, but also his experience with the Office of the Dalai Lama in Dharamsala and the world of hackers, in general.

He believes that we have only seen the beginnings of the cyberwar, the 'war of tomorrow'. In the not-too-distant future, it will affect each one of us.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://business.rediff.com/slide-show/2010/mar/02/slide-show-1-tech-interview-how-chinese-hacked-google-and-why-india-should-worry.htm">Claude Arpi</a>, Rediff</p>
<blockquote><p>The recent announcement by the United States giant search engine Google that it might withdraw from China made the headlines in world media. The Google decision highlighted the aggressiveness of the Chinese hackers who had been penetrating cyber fortresses like the Pentagon or the White House (as well as the PMO or the MEA in India!).</p>
<p>Claude Arpi spoke to Shishir Nagaraja, the co-author (with Ross Anderson) of The Snooping Dragon: Social malware Surveillance of the Tibetan Movement, published by University of Cambridge Computer Laboratory in March 2009.</p>
<p>Shishir Nagaraja, currently associated with the Information Trust Institute of the University of Illinois (US), tells rediff.com, not only about the Google episode, but also his experience with the Office of the Dalai Lama in Dharamsala and the world of hackers, in general.</p>
<p>He believes that we have only seen the beginnings of the cyberwar, the &#8216;war of tomorrow&#8217;. In the not-too-distant future, it will affect each one of us.</p></blockquote>
<p>What according to you has happened with Google in China?</p>
<p>From what I could gather, they targeted some people connected to the Tibetan movement and some mainland activists.</p>
<p>The second aspect is that the infrastructure used by Google to carry out censorship in China was a part of the attack. Not very much has been made public by Google in this regard, so we can&#8217;t be very sure.</p>
<p>Third, Google itself was a victim and they claim to have lost intellectual property. What we know for sure is that the email accounts of the Tibetan activists were read regularly from IP addresses in China.</p>
<p>What is new in these attacks? One reads that they were highly sophisticated?</p>
<p>No, it is the same old story. Nothing is new. It is the same thing that we wrote about [The Snooping Dragon report] or Greg Walton wrote about [Tracking GhostNet report]. Same thing!</p>
<p>The only new thing is that they have targeted Gmail addresses, but this was known to us. In fact, I had approached Google in September [2008] after the Office of the Dalai Lama&#8217;s Representative in New York had got in touch with me; they had found out that somebody had maliciously configured their SMTP [outgoing mail] server so that it would forward all their emails to a certain Google account.</p>
<p>It is interesting because a lot of space is needed for this and Google has that space. Isn&#8217;t it better to use something already available?</p>
<p>The Dalai Lama&#8217;s Office [in New York] found out that even that [Google account] space had overflowed; they had not removed the wiretrap and the forwarded mail started bouncing from Google. It is then that they realised what was going on.</p>
<p>When I was approached, I advised them to talk to Google. Later, on their behalf, I informally talked to the person in Google responsible for investigating malicious activity. He said, &#8216;You can put a formal complaint if you want, but there is not much that we can do.&#8217; This is the response that I got.</p>
<p>Some 30 other companies are said to have been attacked at the same time.</p>
<p>Yes, we had projected [such attacks] in our report. In fact, the theft of Google&#8217;s IP is exactly the sort of attack we warned against. We had said that more and more people will use tactics pioneered by the &#8216;Chinese hackers&#8217;. The attack this time is not different; the attack vector is the same, &#8216;abuse of social trust&#8217;.</p>
<p>The [attackers] make your emails look like from someone you trust, not from a stranger. This is done by replaying past messages with minor modifications, and I expect the attackers will mature to the point of using victim input in real time to construct attack emails: for instance, by embedding malware into an attachment even as the victim composes a message.</p>
<p>Now for that part about why Google is behaving like this [threatening to withdraw]? There are no new technical reasons for doing so. There might be business reasons though. It is a tough market. They don&#8217;t have a large share in China compared to their competitors.</p>
<p>This could be a face saving excuse or a bargain striking maneuver, I don&#8217;t know.</p>
<p>Ultimately, to threaten to withdraw is good for their image?</p>
<p>It is favourable to their image. There is a lot of anti-China sentiment in the West. [Google's decision] plays into this, while giving them a good reason to withdraw, though I am not sure that they really want to withdraw, because political censorship climate has remained unchanged in China.</p>
<p>Ten/fifteen years ago, when they came to China, the Chinese government told them the same thing: you have to censor the Web. Today, Google says: &#8216;We are negotiating with the Chinese government. We don&#8217;t want to censor the Web!&#8217; The reasons stated now to leave the market were valid even when they entered the market.</p>
<p>Playing in a capitalist world, Google knew the rules of the game, and they were willing to play by it as long as they turned a profit. It was the same then, it has not changed, formally or informally.</p>
<p>Since 1989, the Chinese government is clear about their policy of censorship.</p>
<p>Could you tell us your experience with the Office of His Holiness the Dalai Lama (OHHDL)? Tell us about Snooping Dragon. It seems to have been interesting in the sense that you found an organisation willing to be openly studied, which is not the case for governments, banks, Army, etc.</p>
<p>Yes, it is not usual, though since 2004 there have been some cases documented through Congressional hearings. In contrast, by agreeing to make the findings public, the Buddhists have shown themselves to be truly enlightened.</p>
<p>Though, from a political perspective, agreeing to make the subject public made a lot of sense [for them]. In the diplomatic battle between China and Tibet, the latter has always sought to portray an image of a victim set against an aggressive Chinese position.</p>
<p>It played [in favour] of their PR image. However, banks, governments and companies seek an image of &#8216;nothing is wrong with our security&#8217;. But this is a rational explanation. I don&#8217;t think His Holiness invited us with this in mind.</p>
<p>When we were invited to have a look, the OHHDL was not aware of the extent of damage being caused by the attacks much less being in a position to perform accurate diplomatic calculations.</p>
<p>It was quite bad?</p>
<p>Oh, yes, it was bad. Their electronic infrastructure was completely compromised. The bad news is that this attack can also be carried out on any usable computing infrastructure with very few exceptions. Very few people believed in this assertion when our report came out, but the successful attacks on Google vindicate our position.</p>
<p>Could, for example, the attackers have known the position of the Dalai Lama&#8217;s team before they went to Beijing for talks?</p>
<p>Very much possible if their position [for talks] was prepared and recorded on the computers. These days, the OHHDL is fairly tech savvy and uses email and electronic storage for almost all their activities.</p>
<p>The Chinese stole detailed meeting notes, plans for school construction, basically any data sitting on an OHHDL computer was lifted. One of the most important was the refugee database.</p>
<p>It means all the registration details of all the Tibetans refugees who had fled to India.</p>
<p>The sys-admins took it offline as soon as he realised that the attack was going on. Regarding the sys-admins, I have a lot of respect for the decisions they took. They took the right decisions, and the level of response with speed and accuracy would be in line with the best trained sys-admins.</p>
<p>It is quite commendable really. They found a problem, and they asked experts for help immediately without trying to hide the problem or hoping it would go away. . . they wanted to find out. They found the best experts to help them. Usually the IT security culture of most organisations is to hide mistakes.</p>
<p>The sort of openness that the OHHDL has in matters of general policy as well in the management of their computer security is very commendable.</p>
<p>It is because of this culture [of openness] that they were able to discover the extent of surveillance going on. And for these reasons, we are much more aware of Chinese info-warfare capability.</p>
<p>To what extent the security holes have been closed, I am not sure. I don&#8217;t think they have been closed. They are very much there and the attacks might be repeatable; it is a tough problem to solve.</p>
<p>If embassies or government offices can be attacked, one can presume that it is easier to penetrate relatively smaller office like the Dalai Lama&#8217;s?</p>
<p>Yes, you are right. Similarly, if Google can be attacked, then most companies can be successfully targeted as well.</p>
<p>A news item mentioned that Tibetans would have stolen data from the Chinese, particularly the laptop of a lady-member of the United Front Works Department, the Chinese ministry dealing with the Dalai Lama&#8217;s Envoys. Are you aware of this?</p>
<p>I don&#8217;t know. I have not heard about this.</p>
<p>There is always the question of what constitutes proof in a computer security investigation. In the case of the OHHDL, the evidence I have used during the investigation, wasn&#8217;t the IP address of the control server or similar information.</p>
<p>The main evidence comes from the fact that the Chinese foreign ministry used some of the intelligence information gathered from electronic surveillance and used it to apply diplomatic pressure on those invited to meet with the Dalai Lama.</p>
<p>When the Chinese foreign ministry showed full knowledge of OHHDL emails &#8212; this constitutes strong evidence in my eyes &#8212; it showed that there was Chinese government involvement at some level, although they might not have carried out the attack themselves.</p>
<p>The ownership of the attack is squarely with the Chinese government even if they might have &#8216;outsourced&#8217; the attack to Chinese cyber-guerrillas.</p>
<p>In our report, we provided additional explanation on why we chose to point fingers at the Chinese government. We also considered other theories: who else could have been motivated to carry out this attack and why and if they had done it, what would be the evidence.</p>
<p>We have seen strong evidence of Chinese government involvement, and none to the contrary.</p>
<p>The media has recently dealt at great length on the so-called independent hackers and the role of the Chinese State.</p>
<p>In my mind, it is a little bit like guerilla warfare; a much sought-after alternative to conventional forces. Guerilla warfare provides plausible deniability to the sponsoring State. If you consider US-Iraq, US-Afghanistan, Pakistan-India or Israel-Palestine conflicts, we often see a model of &#8216;guerilla warfare&#8217; playing out. It appears that such a model of warfare is gaining popularity.</p>
<p>If the quality of the fighters is very good on the &#8216;open market&#8217;, why not hire them instead of training your own and risking bad press.</p>
<p>Don&#8217;t you think that China has this type of mindset to use these tactics while it is not present in India?</p>
<p>Well, there are documented cases of India&#8217;s intelligence agencies using the underworld (Dawood versus Chhota Rajan, for example). But these are home affairs and have little to do with other countries.</p>
<p>In comparison, the Chinese use of guerrilla hacker networks is quite popular. Timothy Thomas has documented this quite well [it is referenced in the Snooping Dragon report].</p>
<p>The Chinese attacks on the OHHDL appear to have been carried out by semi-skilled amateurs. From the quality of the work, I can say that it was not a very skilled person, not a real expert. If they had experts on hand, then the situation would have really been different in terms of difficulty analysis.</p>
<p>This points to two things: one: analysis will get tougher in future as attacks get more sophisticated, and, second, if amateurs can carry out successful attacks on Google and OHHDL, then that signals a very real danger.</p>
<p>About Chinese &#8216;experts&#8217;: do you believe that many of them have been trained in the US or the West and later returned to China?</p>
<p>Possibly! But there is no need for a good hacker to be trained in the US. People with good computer skills are very much there in countries like India, Pakistan or China. Some very, very skilled people might not even have had elementary education.</p>
<p>The Chinese recently closed a &#8216;hacking&#8217; school in Hebei province. Is it eyewash, or will it make a difference?</p>
<p>[These days] there are loads of resources online, so closing one school won&#8217;t make a difference for the same reason that closing a terror school hasn&#8217;t made a difference.</p>
<p>If someone wants to learn, it does not take much effort. It is important to understand that the main innovation is not technological, it is a psychological one. The entire computer industry has progressed technologically, but computer security is not a technology issue.</p>
<p>Technologies are fine, they are there. The question is the human link. The way humans interact with computer security is poorly understood by software engineers.</p>
<p>The current technology does not consider humans as they are: humans are fitted into a user model of how they are &#8216;supposed&#8217; to be. Each time there is a security problem, security experts are quick to point to the user&#8217;s fault! The user did not do this or that! This mindset has to change.</p>
<p>Technology needs to understand and accept user behaviour and provide security assurances with this in mind. We should accept people as they are, accept the diversity in human behaviour, there is no point in writing manuals and designing secure systems for somebody else.</p>
<p>The users are not going to change, so user education is the wrong place to spend security budget.</p>
<p>In their White Paper of Defence, the Chinese strategy has undergone a shift from &#8216;active defense&#8217;, (never attacking someone first, but being ready to respond if attacked) to &#8216;active offense&#8217;. Don&#8217;t you think that a nation practicing this will always be a step ahead of its opponent?</p>
<p>As usual, computer security is quite asymmetric. It takes less to attack than to defend. You have only to find one hole to be successful in attack, while defence has to plug all the holes.</p>
<p>For this reason, it appears that attacking is easier than defending, computer systems or physical world security.</p>
<p>Recently, an article in the Indian Press affirmed that the National Technical Research Organisation which deals with cyber attacks in the government pretends that their Rapid Action Group can tackle an attack in less than 90 minutes. What are your views on this?</p>
<p>Assuming they mean &#8216;any&#8217; intrusion, it is highly, highly unlikely to be true. If it was true, it would be a five-star research contribution, probably worth a Nobel Prize.</p>
<p>Instead, if they are claiming that the exact same attack would be detectable, that&#8217;s straightforward but close to useless in defending against future attacks (they won&#8217;t be the same as past attacks).</p>
<p>Attacks don&#8217;t repeat the same way. . . why should they? They always evolve. To prove that nobody can steal an organisation&#8217;s data, you have to prove that every hole has been closed.</p>
<p>[However] there are not just bugs in software; there are also bugs in human operation. For example the attack on the OHHDL was not due to a computer bug, the software defects were there, but they were incidental to the attacks.</p>
<p>When humans authenticate emails, they do so based on socio-cognitive signals based on the text of the email. It is a highly sophisticated pattern analysis-based authentication mechanism that is used by humans.</p>
<p>The attackers found a way to beat it by simply replaying the text. In this type of an attack, detectability is very low. If the attacker decides to intrude and stay around your network, it might take a couple of years before he/she is detected, [he can remain dormant].</p>
<p>In the case of the OHHDL, they were probably there for a year or so. The attackers were detected because they increased the frequency of attacks way too much. They made two mistakes: one, they replayed emails too many times, and second, they showed that they knew some information that they could not have known without spying.</p>
<p>But the attackers will learn and the second generation of social malware attacks will be more covert. Will we detect them? Unlikely! In half an hour? Very, very unlikely!</p>
<p>When the Pentagon or the White House have been penetrated [in the past], it took [sometimes] years to find out. There are ways to remain covert, attack covertly (no replays), transmit covertly (using covert channels &#8211; there are lots of them).</p>
<p>Presence of attacks on OHHDL could be found out [relatively easily]. But if they deployed covert communication over the Internet to transfer stolen information, then they can remain virtually undetectable for a very long time.</p>
<p>Recently, DefExpo India 2010 was held in Delhi. The Indian government is planning to spend Rs 50,000 crore (Rs 500 billion) in military hardware, don&#8217;t you think that it is not the &#8216;war of yesterday&#8217;?</p>
<p>Oh, yes! Absolutely! What you mentioned is conventional warfare. Now we are speaking of guerilla warfare. A significant national security risk to India lies in the area of computer security which can&#8217;t be addressed with Sukhois.</p>
<p>With the increasing reliance on computer networks, India&#8217;s information infrastructure is growing rapidly. The budget for computer security has to increase too.</p>
<p>There is a very real risk that China has control over significant parts of the government&#8217;s computer infrastructure. Military capability will mean little if the enemy has high quality intelligence.</p>
<p>Supremacy in information security is crucial, for economic security reasons too. For example, how to protect IP from India&#8217;s software industry from being stolen? Social malware can be used to steal software.</p>
<p>Another example involves injecting false data into accounting systems. Each company has an accounting system which is automated using computers. Social malware can be used to infect a majority of the computers of an accounting system.</p>
<p>With banks having a hard time coping with 1 per cent of customer machines being infected, how can a company run an accounting system with 50 per cent of its machines being compromised?</p>
<p>The scale of such economic fraud could run into hundreds of millions of dollars. And it is increasing, even as we speak.</p>
<p>We all need security against social malware attacks. Political organisations could be hit and have their political secrets revealed. Consumers and business organisations will be hit by accounting frauds.</p>
<p>In today&#8217;s economic climate, such frauds might be enough to put small companies out of business. Today, even for a small company, you can&#8217;t do your accounts manually. . . if a malware introduced false transaction amounts of Rs 10,000 or Rs 15,000, this won&#8217;t even be noticed until it is too late and money has been siphoned off using Western Union.</p>
<p>If the behaviour of banks in the case of ATM frauds is anything to go by, then banks will simply dump the liability on the end users saying &#8216;it is your fault; the malware was in your computer.&#8217;</p>
<p>The negative fallout will always have to be taken by the customers who do not have the means to defend themselves. I foresee that we will witness new instances of social malware attacks, targeting businesses and individuals in the near future.</p>
<p>Tell us something about your project in India</p>
<p>I will move to India shortly. I will take a position of Assistant Professor at the IIIT Delhi and, with a group of three colleagues, will start a Security Group conducting research and teaching in computer security.</p>
<p>We have a Master&#8217;s and a PhD programme. My first priority will be to carry out a comprehensive analysis of the scale of computer crime in India. Today, this research is carried out by people from outside [India].</p>
<p>To carry out defensive actions, we have to know the scale of exposure to [computer piracy]. What we did for the OHHDL, we will do for various companies and governmental organisations. It means high level audits. It is a lot of work. All the information is scattered today, it may take a while to get the data, analyse it, publish the results and take remedial measures.</p>
<p>The government can&#8217;t do everything, but it can start programmes to improve computer security for the public.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/how-chinese-hacked-google-and-why-india-should-worry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwar Hype Intended to Destroy the Open Internet</title>
		<link>http://www.infowar-monitor.net/2010/03/cyberwar-hype-intended-to-destroy-the-open-internet/</link>
		<comments>http://www.infowar-monitor.net/2010/03/cyberwar-hype-intended-to-destroy-the-open-internet/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 14:44:06 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[US cyber doctrine]]></category>
		<category><![CDATA[US Intelligence]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5806</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.wired.com/threatlevel/2010/03/cyber-war-hype/">Ryan Singel</a>, Wired.

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.

When he was head of the country’s national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military’s black budget so they could start making firewalls and building malware into military equipment. 

And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He’s out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.

And now he says we need to re-engineer the internet.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.wired.com/threatlevel/2010/03/cyber-war-hype/">Ryan Singel</a>, Wired.</p>
<p>The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.</p>
<p>McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.</p>
<p>When he was head of the country’s national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military’s black budget so they could start making firewalls and building malware into military equipment. </p>
<p>And now McConnell is back in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton. He’s out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.</p>
<p>And now he says we need to re-engineer the internet.</p>
<p>We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.</p>
<p>Re-read that sentence. He’s talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation if the U.S. government doesn’t like what’s written in an e-mail, what search terms were used, what movies were downloaded. Or the tech could be useful if a computer got hijacked without your knowledge and used as part of a botnet.</p>
<p>The Washington Post gave McConnell free space to declare that we are losing some sort of cyberwar. He argues that the country needs to get a Cold War strategy, one complete with the online equivalent of ICBMs and Eisenhower-era, secret-codenamed projects. Google’s allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is “losing” the cyberwar, according to McConnell.</p>
<p>But that’s not warfare. That’s espionage.</p>
<p>McConnell’s op-ed then pointed to breathless stories in The Washington Post and The Wall Street Journal about thousands of malware infections from the well-known Zeus virus. He intimated that the nation’s citizens and corporations were under unstoppable attack by this so-called new breed of hacker malware.</p>
<p>Despite the masterful PR about the Zeus infections from security company NetWitness (run by former Bush Administration cyberczar Amit Yoran), the world’s largest security companies, McAfee and Symantec, downplayed the story. But the message had already gotten out — the net was under attack.</p>
<p>Brian Krebs, one of the country’s most respected cybercrime journalists and occasional Threat Level contributor, described that report: “Sadly, this botnet documented by NetWitness is neither unusual nor new.”</p>
<p>Those enamored with the idea of “cyberwar” aren’t dissuaded by fact-checking.</p>
<p>They like to point to Estonia, where a number of the government’s websites were rendered temporarily inaccessible by angry Russian citizens. They used a crude, remediable denial-of-service attack to temporarily keep users from viewing government websites. (This attack is akin to sending an army of robots to board a bus, so regular riders can’t get on. A website fixes this the same way a bus company would — by keeping the robots off by identifying the difference between them and humans.) Some like to say this was an act of cyberwar, but if that was cyberwar, it’s pretty clear the net will be just fine.</p>
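<p>The "keep the robots off by telling them from humans" remedy in the paragraph above, as an added example that is not part of Singel’s article: a sliding-window request counter replayed over web server access logs, which marks any client that exceeds the per-window limit for a challenge (the site’s CAPTCHA or equivalent) and lets everyone else through. The log lines, IP addresses and thresholds below are constructed for the example and are assumptions, not data from the Estonia incident.</p>

```python
"""Sliding-window request-rate detection over web server access logs.

Added illustration for the Estonia paragraph above; not code from the
Wired article. Log lines are constructed, and the window/limit values
are assumptions a site would tune to its own normal traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10  # assumption: judge each client on its last 10 seconds
MAX_REQUESTS = 20    # assumption: more than 20 hits in 10 s is not a person


def parse_line(line):
    """Return (ip, timestamp, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("ua")


def classify(lines, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Replay log lines in order and return a dict of ip -> "allow" | "challenge".

    A client is marked "challenge" the moment it has more than `limit`
    requests inside any `window`-second span, and stays marked for the
    rest of the replay, which is how a site would hand that client a
    CAPTCHA or tarpit instead of serving it. Each client has its own
    window, so the interleaving of different clients' lines is irrelevant.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    verdict = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than miscount
        ip, ts, _ua = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # slide the window forward
        if len(q) > limit:
            verdict[ip] = "challenge"
        else:
            verdict.setdefault(ip, "allow")
    return verdict


def sample_log():
    """Constructed sample: one browsing human and one flooding client."""
    human = [
        '203.0.113.7 - - [10/Mar/2010:12:00:0%d +0000] "GET /%s HTTP/1.1" '
        '200 5120 "-" "Mozilla/5.0"' % (sec, path)
        for sec, path in ((0, "index.html"), (4, "news.html"), (9, "contact.html"))
    ]
    # 25 requests in five seconds, five per second, with no browser identity.
    flood = [
        '198.51.100.23 - - [10/Mar/2010:12:00:0%d +0000] "GET / HTTP/1.0" '
        '200 5120 "-" "-"' % (i // 5)
        for i in range(25)
    ]
    return human + flood


if __name__ == "__main__":
    for ip, action in classify(sample_log()).items():
        print(ip, action)
```

<p>This is the crude, remediable fix the article refers to, and it carries the usual caveats: a distributed botnet can keep every individual client under any sane per-address limit while the aggregate still saturates the site, and many legitimate users share one address behind NAT or a corporate proxy, so a challenge page rather than an outright block, plus filtering upstream of the web server, is the usual production shape.</p>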
<p>In fact, none of these examples demonstrate the existence of a cyberwar, let alone that we are losing it.</p>
<p>But this battle isn’t about truth. It’s about power.</p>
<p>For years, McConnell has wanted the NSA (the ultra-secretive government spy agency responsible for listening in on other countries and for defending classified government computer systems) to take the lead in guarding all government and private networks. Not surprisingly, the contractor he works for has massive, secret contracts with the NSA in that very area. In fact, the company, owned by the shadowy Carlyle Group, is reported to pull in $5 billion a year in government contracts, many of them Top Secret.</p>
<p>Now the problem with developing cyberweapons — say a virus, or a massive botnet for denial-of-service attacks — is that you need to know where to point them. In the Cold War, it wasn’t that hard. In theory, you’d use radar to figure out where a nuclear attack was coming from and then you’d shoot your missiles in that general direction. But online, it’s extremely difficult to tell if an attack traced to a server in China was launched by someone Chinese, or whether it was actually a teenager in Iowa who used a proxy.</p>
<p>That’s why McConnell and others want to change the internet. The military needs targets.</p>
<p>But McConnell isn’t the only threat to the open internet.</p>
<p>Just last week the National Telecommunications and Information Administration — the portion of the Commerce Department that has long overseen the Internet Corporation for Assigned Names and Numbers — said it was time for it to revoke its hands-off-the-internet policy.</p>
<p>That’s according to a February 24 speech by Assistant Commerce Secretary Lawrence E. Strickling.</p>
<blockquote><p>In fact, “leaving the Internet alone” has been the nation’s internet policy since the internet was first commercialized in the mid-1990s. The primary government imperative then was just to get out of the way to encourage its growth. And the policy set forth in the Telecommunications Act of 1996 was: “to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.”</p>
<p>This was the right policy for the United States in the early stages of the Internet, and the right message to send to the rest of the world. But that was then and this is now.</p></blockquote>
<p>Now the NTIA needs to start being active to prevent cyberattacks, privacy intrusions and copyright violations, according to Strickling. And since NTIA serves as one of the top advisers to the president on the internet, that stance should not be underestimated.</p>
<p>Add to that — a bill looming in the Senate would hand the president emergency powers over the internet — and you can see where all this is headed. And let the past be our guide.</p>
<p>Following years of the NSA illegally spying on Americans’ e-mails and phone calls as part of a secret anti-terrorism project, Congress voted to legalize the program in July 2008. That vote allowed the NSA to legally turn America’s portion of the internet into a giant listening device for the nation’s intelligence services. The new law also gave legal immunity to the telecoms like AT&#038;T that helped the government illegally spy on Americans’ e-mails and internet use. Then-Senator Barack Obama voted for this legislation, despite earlier campaign promises to oppose it.</p>
<p>As anyone slightly versed in the internet knows, the net has flourished because no government has control over it.</p>
<p>But there are creeping signs of danger.</p>
<p>Where can this lead? Well, consider England, where a new bill targeting online file sharing will outlaw open internet connections at cafes or at home, in a bid to track piracy.</p>
<p>To be sure, we could see more demands by the government for surveillance capabilities and backdoors in routers and operating systems. Already, the feds successfully turned the Communications Assistance for Law Enforcement Act (a law mandating surveillance capabilities in telephone switches) into a tool requiring ISPs to build similar government-specified eavesdropping capabilities into their networks.</p>
<p>The NSA dreams of “living in the network,” and that’s what McConnell is calling for in his editorial/advertisement for his company. The NSA lost any credibility it had when it secretly violated American law and its most central tenet: “We don’t spy on Americans.” </p>
<p>Unfortunately, the private sector is ignoring that tenet and is helping the NSA and contractors like Booz Allen Hamilton worm their way into the innards of the net. Security companies make no fuss, since a scared populace and fear-induced federal spending means big bucks in bloated contracts. Google is no help either, recently turning to the NSA for help with its rather routine infiltration by hackers.</p>
<p>Make no mistake, the military industrial complex now has its eye on the internet. Generals want to train crack squads of hackers and have wet dreams of cyberwarfare. Never shy of extending its power, the military industrial complex wants to turn the internet into yet another venue for an arms race.</p>
<p>And it’s waging a psychological warfare campaign on the American people to make that so. The military industrial complex is backed by sensationalism, and a gullible and pageview-hungry media. Notable examples include the New York Times’s John “We Need a New Internet” Markoff, 60 Minutes’ “Hackers Took Down Brazilian Power Grid,” and the WSJ’s Siobhan Gorman, who ominously warned in a piece lacking any verifiable evidence, that Chinese and Russian hackers are already hiding inside the U.S. electrical grid.</p>
<p>Now the question is: Which of these events can be turned into a Gulf of Tonkin-like fakery that can create enough fear to let the military and the government turn the open internet into a controlled, surveillance-friendly net?</p>
<p>What do they dream of? Think of the internet turning into a tightly monitored AOL circa the early ’90s, run by CEO Big Brother and COO Dr. Strangelove.</p>
<p>That’s what McConnell has in mind, and shame on The Washington Post and the Senate Commerce, Science and Transportation Committee for giving McConnell venues to try to make that happen — without highlighting that McConnell has a serious financial stake in the outcome of this debate.</p>
<p>Of course, the net has security problems, and there are pirated movies and spam and botnets trying to steal credit card information.</p>
<p>But the online world mimics real life. Just as I know where online to buy a replica of a Coach handbag or watch a new release, I know exactly where I can go to find the same things in the city I live in. There are cons and rip-offs in the real world, just as there are online. I’m more likely to get ripped off by a restaurant server copying down the information on my credit card than I am having my card stolen and used for fraud while shopping online. “Top Secret” information is more likely to end up in the hands of a foreign government through an employee-turned-spy than from a hacker.</p>
<p>But cyber-anything is much scarier than the real world.</p>
<p>The NSA can help private companies and networks tighten up their security systems, as McConnell argues. In fact, they already do, and they should continue passing along advice and creating guides to locking down servers and releasing their own secure version of Linux. But companies like Google and AT&#038;T have no business letting the NSA into their networks or giving the NSA information that they won’t share with the American people.</p>
<p>Security companies have long relied on creating fear in internet users by hyping the latest threat, whether that be Conficker or the latest PDF flaw. And now they are reaping billions of dollars in security contracts from the federal government for their PR efforts. But the industry and its most influential voices need to take a hard look at the consequences of that strategy and start talking truth to power’s claims that we are losing some non-existent cyberwar.</p>
<p>The internet is a hack that seems forever on the edge of falling apart. For a while, spam looked like it was going to kill e-mail, the net’s first killer app. But smart filters have reduced the problem to a minor nuisance, as anyone with a Gmail account can tell you. That’s how the internet survives. The apocalypse looks like it’s coming and it never does, but meanwhile, it becomes more and more useful to our everyday lives, spreading innovation, weird culture, news, commerce and healthy dissent.</p>
<p>But one thing it hasn’t spread is “cyberwar.” There is no cyberwar and we are not losing it. The only war going on is one for the soul of the internet. But if journalists, bloggers and the security industry continue to let self-interested exaggerators dominate our nation’s discourse about online security, we will lose that war — and the open internet will be its biggest casualty.</p>
<p>Photo: Michael McConnell, then-Director of National Intelligence, watches on in 2008 as President Bush announced the Protect America Act. White House file photo.</p>
<p>See Also:</p>
<p>Massive Wave of Estonia Cybarmageddon Debunking Begins<br />
Estonia DDoS Attacks Make Tech Reporters Into Daring War Correspondents<br />
‘Cyberwar’ and Estonia’s Panic Attack<br />
Did Hackers Cause the 2003 Northeast Blackout? Umm, No<br />
No Chinese Hackers Found in Florida Outage Either<br />
Brazilian Blackout Traced to Sooty Insulators, Not Hackers …<br />
Conficker War Room! Your Front Row Seat For Cyber Armageddon<br />
NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven …<br />
Put NSA in Charge of Cyber Security, Or the Power Grid Gets It …<br />
Google Asks NSA to Help Secure Its Network </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/cyberwar-hype-intended-to-destroy-the-open-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
