<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; McAfee</title>
	<atom:link href="http://www.infowar-monitor.net/tag/mcafee/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Biggest-ever series of cyber attacks uncovered, UN hit</title>
		<link>http://www.infowar-monitor.net/2011/08/biggest-ever-series-of-cyber-attacks-uncovered-un-hit/</link>
		<comments>http://www.infowar-monitor.net/2011/08/biggest-ever-series-of-cyber-attacks-uncovered-un-hit/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 15:42:32 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Copyright/IP]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[UN]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7825</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.reuters.com/article/2011/08/03/cyberattacks-idUSN1E76R26720110803" target="_blank">Reuters</a>

Security experts have discovered the biggest series of cyber attacks to date, involving the infiltration of the networks of 72 organizations including the United Nations, governments and companies around the world.

Security company McAfee, which uncovered the intrusions, said it believed there was one "state actor" behind the attacks but declined to name it, though one security expert who has been briefed on the hacking said the evidence points to China.

The long list of victims in the five-year campaign includes the governments of the United States, Taiwan, India, South Korea, Vietnam and Canada; the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises.

...

For full original article, see <a href="http://www.reuters.com/article/2011/08/03/cyberattacks-idUSN1E76R26720110803" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.reuters.com/article/2011/08/03/cyberattacks-idUSN1E76R26720110803" target="_blank">Reuters</a></p>
<p>Security experts have discovered the biggest series of cyber attacks to date, involving the infiltration of the networks of 72 organizations including the United Nations, governments and companies around the world.</p>
<p>Security company McAfee, which uncovered the intrusions, said it believed there was one &#8220;state actor&#8221; behind the attacks but declined to name it, though one security expert who has been briefed on the hacking said the evidence points to China.</p>
<p>The long list of victims in the five-year campaign includes the governments of the United States, Taiwan, India, South Korea, Vietnam and Canada; the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises.</p>
<p>In the case of the United Nations, the hackers broke into the computer system of the UN Secretariat in Geneva in 2008, hid there unnoticed for nearly two years, and quietly combed through reams of secret data, according to McAfee.</p>
<p>&#8220;Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,&#8221; McAfee&#8217;s vice president of threat research, Dmitri Alperovitch, wrote in a 14-page report released on Wednesday.</p>
<p>&#8220;What is happening to all this data &#8230; is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team&#8217;s playbook), the loss represents a massive economic threat.&#8221;</p>
<p>McAfee learned of the extent of the hacking campaign in March this year, when its researchers discovered logs of the attacks while reviewing the contents of a &#8220;command and control&#8221; server that they had discovered in 2009 as part of an investigation into security breaches at defense companies.</p>
<p>It dubbed the attacks &#8220;Operation Shady RAT&#8221; and said the earliest breaches date back to mid-2006, though there might have been other intrusions as yet undetected. (RAT stands for &#8220;remote access tool,&#8221; a type of software that hackers and security experts use to access computer networks from afar).</p>
<p>Some of the attacks lasted just a month, but the longest &#8212; on the Olympic Committee of an unidentified Asian nation &#8212; went on and off for 28 months, according to McAfee.</p>
<p>&#8220;Companies and government agencies are getting raped and pillaged every day. They are losing economic advantage and national secrets to unscrupulous competitors,&#8221; Alperovitch told Reuters.</p>
<p>&#8220;This is the biggest transfer of wealth in terms of intellectual property in history,&#8221; he said. &#8220;The scale at which this is occurring is really, really frightening.&#8221;</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.reuters.com/article/2011/08/03/cyberattacks-idUSN1E76R26720110803" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/biggest-ever-series-of-cyber-attacks-uncovered-un-hit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intel’s purchase of McAfee highlights cybercrime fears</title>
		<link>http://www.infowar-monitor.net/2010/08/intel%e2%80%99s-purchase-of-mcafee-highlights-cybercrime-fears/</link>
		<comments>http://www.infowar-monitor.net/2010/08/intel%e2%80%99s-purchase-of-mcafee-highlights-cybercrime-fears/#comments</comments>
		<pubDate>Thu, 19 Aug 2010 16:02:54 +0000</pubDate>
		<dc:creator>Anna</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6350</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.ft.com/cms/s/2/e1e79e1a-abbe-11df-9f02-00144feabdc0.html" target="_blank">Joseph Menn</a>, The Financial Times.

"Chipmaker Intel’s $7.7bn purchase of McAfee, the security software provider, on Thursday gave dramatic proof of how concerns about cybercrime and cyber espionage have penetrated deeply into the technology establishment.

At the moment, both organised crime groups and national governments have the upper hand in the security fight, with some former US officials declaring that the era of cyberwar has already begun and that the west is losing.

Most PCs have some form of malicious software on them at any given time, security companies say, and the percentage that are the most dangerous – the variants that record every keystroke, sucking up passwords, financial information and corporate secrets and transmitting them elsewhere – is also on the rise.

US President Barack Obama devoted an unprecedented speech solely to cybersecurity in May last year and more recently appointed a White House co-ordinator on the issue."

</blockquote>

]]></description>
			<content:encoded><![CDATA[<p>Chipmaker Intel’s $7.7bn purchase of McAfee, the security software provider, on Thursday gave dramatic proof of how concerns about cybercrime and cyber espionage have penetrated deeply into the technology establishment.</p>
<p>At the moment, both organised crime groups and national governments have the upper hand in the security fight, with some former US officials declaring that the era of cyberwar has already begun and that the west is losing.</p>
<p>Most PCs have some form of malicious software on them at any given time, security companies say, and the percentage that are the most dangerous – the variants that record every keystroke, sucking up passwords, financial information and corporate secrets and transmitting them elsewhere – is also on the rise.</p>
<p>US President Barack Obama devoted an unprecedented speech solely to cybersecurity in May last year and more recently appointed a White House co-ordinator on the issue.</p>
<p>Source: <a href="http://www.ft.com/cms/s/2/e1e79e1a-abbe-11df-9f02-00144feabdc0.html" target="_blank">Joseph Menn</a>, The Financial Times.</p>
<p>Chipmaker Intel’s $7.7bn purchase of McAfee, the security software provider, on Thursday gave dramatic proof of how concerns about cybercrime and cyber espionage have penetrated deeply into the technology establishment.</p>
<p>Even within a security industry that had been expecting a wave of consolidation, the deal is surprising. </p>
<p>Intel is paying a 60 per cent premium to Wednesday’s closing price of McAfee shares and McAfee’s reputation has suffered recently. And, as a chipmaker selling to manufacturers, Intel cannot immediately help put McAfee’s products inside the computers of the software group’s key customer base of corporations trying to protect themselves against cyber attacks.</p>
<p>But the long-range view of governments and cybersecurity experts is that security must be tied as much as possible to the architecture of the internet and to the fundamental building blocks of the devices used to access it.</p>
<p>“We’ve all been talking about security being needed to be built in from the ground up, down to the chip level”, said Paul Kurtz, former top US cybersecurity official, now a private adviser at Good Harbor Consulting. He called the acquisition “jaw-dropping”.</p>
<p>Security breaches at the microprocessor level are rare, though Dell recently said that a virus had been found in some Asia-made replacement chipsets it had installed. But the Pentagon has been pushing for better reviews of computer components, especially those made outside the US, to ensure they do not have hidden switches that could allow a foreign power to shut them off.</p>
<p>“Everybody’s focused now on the attacks at the application layer,” Mr Kurtz said, such as those taking advantage of flaws in Microsoft Word or Adobe Reader. “But what is really concerning people deep into the security business is the supply chain and secure code. How do we make sure the products we produce are secure?”</p>
<p>At the moment, both organised crime groups and national governments have the upper hand in the security fight, with some former US officials declaring that the era of cyberwar has already begun and that the west is losing.</p>
<p>Most PCs have some form of malicious software on them at any given time, security companies say, and the percentage that are the most dangerous – the variants that record every keystroke, sucking up passwords, financial information and corporate secrets and transmitting them elsewhere – is also on the rise.</p>
<p>The popularity of social networks and of portable storage devices that plug into computers is making it much easier for hackers to get around network-based defences, while traditional antivirus detection thus far has been unable to keep up with stealth programs that have been trained to change their configuration with each infection they make.</p>
<p>US President Barack Obama devoted an unprecedented speech solely to cybersecurity in May last year and more recently appointed a White House co-ordinator on the issue.</p>
<p>Companies have been increasingly focused on forensic tools that track where data are transferred to, assuming some hacking is inevitable. And they are turning to more layered defences that examine unusual behaviour by employees’ machines or within the network.</p>
<p>Intel said it now hopes to have some security at an even more basic level, protecting not just PCs but smartphones and other devices that must connect to the internet in order to function fully.</p>
<p>“The threats and opportunities are simply too large to tackle alone”, said Renee James, Intel software chief.</p>
<p>http://www.ft.com/cms/s/2/e1e79e1a-abbe-11df-9f02-00144feabdc0.html</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/08/intel%e2%80%99s-purchase-of-mcafee-highlights-cybercrime-fears/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>McAfee Labs Calls for Industry to be Proactive in Combating Cyber Threats</title>
		<link>http://www.infowar-monitor.net/2010/08/mcafee-labs-calls-for-industry-to-be-proactive-in-combating-cyber-threats/</link>
		<comments>http://www.infowar-monitor.net/2010/08/mcafee-labs-calls-for-industry-to-be-proactive-in-combating-cyber-threats/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 21:34:09 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6301</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.thenewnewinternet.com/2010/08/10/mcafee-labs-calls-for-industry-to-be-proactive-in-combating-cyber-threats/" target="_blank">Michael Cheek</a>, The New New Internet.

A new report by McAfee, Inc. has highlighted the need for industry to be more proactive in fighting cyber crime. The report, titled “Security Takes the Offensive,” serves as a “call to arms” for the security industry and contains strategies from a number of international experts.

“Cybercriminals prosper because they have very little reason to fear the consequences,” said Jeff Green, senior vice president of McAfee Labs. “As security experts, it’s time to take a hard look at what we do, how we do it, and what our ultimate goals are. The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. Every time we release a new statistic about the rise in malware it points to our failure as an industry.”

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.thenewnewinternet.com/2010/08/10/mcafee-labs-calls-for-industry-to-be-proactive-in-combating-cyber-threats/"target="_blank">Michael Cheek</a>, The New New Internet.</p>
<p>A new report by McAfee, Inc. has highlighted the need for industry to be more proactive in fighting cyber crime. The report, titled “Security Takes the Offensive,” serves as a “call to arms” for the security industry and contains strategies from a number of international experts.</p>
<p>“Cybercriminals prosper because they have very little reason to fear the consequences,” said Jeff Green, senior vice president of McAfee Labs. “As security experts, it’s time to take a hard look at what we do, how we do it, and what our ultimate goals are. The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. Every time we release a new statistic about the rise in malware it points to our failure as an industry.”</p>
<p>Instead of operating on the defensive, waiting for attacks to take place, the report calls upon industry to involve law enforcement, marshal forces and present an aggressive front.</p>
<p>“As we look at the evolution of risky domains and websites over multiple years, we can’t avoid the conclusion that the risk keeps increasing in both volume and sophistication,” said David Marcus, director of security research and communications for McAfee Labs. “If we want to stop being victims, then the good guys need to advance security efforts as threats evolve.”</p>
<p>The report includes the following recommendations:</p>
<p>1) Use the techniques of hackers</p>
<p>2) Provide data to law enforcement to track and prosecute cyber criminals</p>
<p>3) Share information</p>
<p>4) Implement “shuns” and “stuns”, whereby networks are ostracized by the Internet community or hit out at botnets</p>
<p>5) Use tactics which make cyber crime riskier</p>
<p>6) Increase cyber education for governments</p>
<p>http://www.thenewnewinternet.com/2010/08/10/mcafee-labs-calls-for-industry-to-be-proactive-in-combating-cyber-threats/</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/08/mcafee-labs-calls-for-industry-to-be-proactive-in-combating-cyber-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>@nartv: The Aurora Mess</title>
		<link>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/</link>
		<comments>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 23:36:37 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Attribution Problem]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Kneber Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5820</guid>
		<description><![CDATA[Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a>

Tags: Aurora, Botnets, China, Google, Malware.

<blockquote>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on C&#038;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese state was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same as — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a></p>
<p>Tags: Aurora, Botnets, China, Google, Malware.</p>
<blockquote><p>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.</p>
<p>When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).</p>
<p>Maybe it is that some name domains that hosted the exploit but do not provide details on C&amp;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.</p>
<p>Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.</p>
<p>Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese state was behind the attacks whether or not “amateurs” were used.</p>
<p>So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.</p>
<p>This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.</p>
<p>The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).</p>
<p>CnC_Domain.1<br />
CnC_Domain.2<br />
CnC_Domain.3<br />
CnC_Domain.4<br />
blog1.servebeer.com</p>
<p>At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.</p>
<p>baltika1.servebeer.com<br />
m7been.zapto.org<br />
miecros.info<br />
mcsmc.org<br />
yahoo.blogdns.net<br />
filoups.info<br />
google.homeunix.com</p>
<p>While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.</p>
<p>Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”</p>
<p>Fake AV Alert / Scareware<br />
mcsmc.org<br />
micronetsys.org<br />
mnprfix.cn<br />
filoups.info<br />
miecros.info</p>
<p>Fake Microsoft Antispyware<br />
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com<br />
ip-173-201-21-161.ip.secureserver.net<br />
inekoncuba.inekon.co.cu<br />
google.homeunix.com<br />
yahoo.blogdns.net<br />
voanews.ath.cx<br />
ymail.ath.cx</p>
<p>So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).</p>
<p>Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.</p>
<p>For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.</p>
<p>The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.</p>
<p>virtualmits.com<br />
syswa.cn<br />
thcway.info<br />
searchnix.info<br />
wscntgy.com<br />
google-analitics.in<br />
licagreem.in<br />
jusched.in</p>
<p>The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists — such as the one by US CERT — created? How were these domains bundled together?</p>
<p>In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.</p>
<p>I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?</p>
<p>Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:</p>
<p>* It is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.<br />
* There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.</p>
<p>The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.</p>
<p>But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researcher Says Up to 100 Victims in Google Attack</title>
		<link>http://www.infowar-monitor.net/2010/02/researcher-says-up-to-100-victims-in-google-attack/</link>
		<comments>http://www.infowar-monitor.net/2010/02/researcher-says-up-to-100-victims-in-google-attack/#comments</comments>
		<pubDate>Sat, 27 Feb 2010 06:07:51 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5787</guid>
		<description><![CDATA[


Source: <a href="http://online.wsj.com/article/SB10001424052748704625004575090111817090670.html?mod=googlenews_wsj">BEN WORTHEN</a>, WSJ

<blockquote>Recent cyber attacks disclosed by Google Inc. could have been considerably more widespread than previously believed, security researchers familiar with the investigation said.

A report by Alex Stamos of iSEC Partners Inc., a cyber security firm, states that the number of companies hit by attacks that bear a strong resemblance to those on Google could total more than 100—about three times the number previously reported. Mr. Stamos stresses, however, that the resemblance does not necessarily mean the same people were behind all of the attacks.

Google said in January that its systems had been compromised by hackers that it traced to China. It said that the hackers had stolen some of its intellectual property and that its investigation revealed that at least 20 large companies had been similarly attacked. People briefed about the investigation said at the time that more than 30 companies were targeted.

Another security researcher familiar with the probe said Friday that evidence now suggests that many more companies were affected than those initial estimates.

A Google spokesman declined comment Friday. The Chinese government has denied involvement in the attacks.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Mr. Stamos said he is doing forensics work for a handful of affected companies, which he declined to identify. His report, which recommends a series of steps that companies can take to protect their networks, describes a pattern of attack that has also been documented by a number of other researchers.</p>
<p>The attackers are believed to have gained access to the companies&#8217; systems by sending targeted messages to employees that led to malicious code being installed on their computers. The code let the attackers make contact with the computers; from there they used knowledge of the way corporate systems are typically designed to gain access to other systems and steal information.</p>
<p>Security experts have said the perpetrators used a previously unidentified flaw in Microsoft Corp.&#8217;s Internet Explorer Web browser to initiate the attack.</p>
<p>Several people close to the investigation say that some of the computers that appeared to be used in the attack contained malware that had been delivered through popular software from Adobe Systems Inc. that reads documents in the format known as PDF. Despite the different attack method, these people believe that the incidents are linked because they have other similarities, such as the timing, the kind of information that the criminals were after, and the Internet addresses that the malware communicated with.</p>
<p>One potential reason for a different delivery mechanism is if the employees the attackers targeted used the Firefox Web browser, which would have protected them against the attacks based on Microsoft&#8217;s Internet Explorer.</p>
<p>An Adobe spokeswoman said the company wasn&#8217;t aware of any link between its software and the attacks. &#8220;We are continuing our investigation into the incident, but to date, we have no evidence that Adobe technology was used as an attack vector,&#8221; she said. &#8220;If anyone&#8217;s investigation has shown otherwise, we would welcome the opportunity to be briefed on the details.&#8221;</p>
<p>McAfee Inc., a security company that is working with some of the affected companies, said in a January blog post that it didn&#8217;t believe that Adobe&#8217;s software was used in the attacks.</p>
<p>One way that security experts determine whether attacks are linked is by tracing Web addresses that the hackers use to communicate with the code they&#8217;ve hidden on computers. In this case, the attackers used so-called dynamic addresses that allow people to maintain connections to computers even if Internet addresses are constantly changing.</p>
<p>Dozens of these addresses were used in the attacks, people familiar with the investigation said, which is one reason they believe the attackers targeted more companies.</p>
<p>Google traced the attackers&#8217; actions to a dynamic-addressing service provided by Dyn Inc., according to Tom Daly, president of the Manchester, N.H., company. Mr. Daly said the hackers apparently used his company&#8217;s service to maintain contact with the code placed on the infected computers.</p>
<p>Dyn&#8217;s service is offered for free and Mr. Daly says it is used almost exclusively for legitimate purposes by people looking to do things like access information on their home computers from a remote location.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/researcher-says-up-to-100-victims-in-google-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>McAfee/CSIS: India among least confident in fight against cyber attack</title>
		<link>http://www.infowar-monitor.net/2010/02/mcafeecsis-india-among-least-confident-in-fight-against-cyber-attack/</link>
		<comments>http://www.infowar-monitor.net/2010/02/mcafeecsis-india-among-least-confident-in-fight-against-cyber-attack/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 21:04:29 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Mexico]]></category>
		<category><![CDATA[Saudi Arabia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5745</guid>
		<description><![CDATA[<a href="http://csis.org/event/crossfire-critical-infrastructure-age-cyber-war">In the Crossfire</a> [McAfee/CSIS]

Source: <a href="http://economictimes.indiatimes.com/infotech/internet/India-among-least-confident-in-fight-against-cyber-attack/articleshow/5513390.cms">PTI</a>, DUBAI: <blockquote>India is among the list of countries that are "least confident" of their preparedness against cyber attack or stealthy infiltrations by high-level adversaries, according to a leading web security firm. 

"More than one-third of those surveyed believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries," said a report commissioned by McAfee and authored by the Centre for Strategic and International Studies. 

India, Saudi Arabia and Mexico have emerged as the least confident, said the report, adding that the recent high profile cyber attacks in China revealed by Google underscore risk to critical infrastructure. 

The survey report has found 40 per cent of critical infrastructure organisations expect major attacks in next 12 months. 

Over one-third of those surveyed believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries. 

McAfee also pointed to the staggering cost and impact of cyber attacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks. </blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href="http://csis.org/event/crossfire-critical-infrastructure-age-cyber-war">In the Crossfire</a> [McAfee/CSIS]</p>
<p>Source: <a href="http://economictimes.indiatimes.com/infotech/internet/India-among-least-confident-in-fight-against-cyber-attack/articleshow/5513390.cms">PTI</a>, DUBAI:</p>
<blockquote><p>India is among the list of countries that are &#8220;least confident&#8221; of their preparedness against cyber attack or stealthy infiltrations by high-level adversaries, according to a leading web security firm.</p></blockquote>
<p>&#8220;More than one-third of those surveyed believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries,&#8221; said a report commissioned by McAfee and authored by the Centre for Strategic and International Studies.</p>
<p>India, Saudi Arabia and Mexico have emerged as the least confident, said the report, adding that the recent high profile cyber attacks in China revealed by Google underscore risk to critical infrastructure.</p>
<p>The survey report has found 40 per cent of critical infrastructure organisations expect major attacks in next 12 months.</p>
<p>Over one-third of those surveyed believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries.</p>
<p>McAfee also pointed to the staggering cost and impact of cyber attacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/mcafeecsis-india-among-least-confident-in-fight-against-cyber-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tracey Barnett: Virtual battles shaping our future</title>
		<link>http://www.infowar-monitor.net/2010/02/tracey-barnett-virtual-battles-shaping-our-future/</link>
		<comments>http://www.infowar-monitor.net/2010/02/tracey-barnett-virtual-battles-shaping-our-future/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 16:09:17 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Brazil]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Dalai Lama]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5526</guid>
		<description><![CDATA[Operation Aurora will go down in the history books as the day our airy information age crashed headlong into the real-world political arena. Photo / Dean Purcell


<a href="http://www.nzherald.co.nz/world/news/article.cfm?c_id=2&#038;objectid=10624142">NZ Herald</a>: <blockquote>The biggest story you've never heard of in the last decade had nothing to do with September 11, 2001 or the War on Terror. It is a story that will have more ramifications to your life than Al Qaeda ever will, yet you probably have no idea what Operation Aurora, Titan Rain, or GhostNet is.

They are the opening salvos to a war we never see. This isn't just one story. It is many.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Most we won&#8217;t hear of until years after the fact. It was only this November that mainstream media reported what Jim Lewis, Director of the Center for Strategic and International Studies, called America&#8217;s &#8220;electronic Pearl Harbor&#8221; in 2007, according to 60 Minutes.</p>
<p>&#8220;Some unknown foreign power &#8230; broke into the Department of Defence, to the Department of State, the Department of Commerce, probably the Department of Energy, probably Nasa. They broke into all of the high tech agencies, all of the military agencies and downloaded terabytes of information,&#8221; said Lewis.</p>
<p>This isn&#8217;t just America&#8217;s pulp fiction tale either. Russia allegedly swarmed the computers of most major facets of Estonian life in 2007, hitting banks, newspapers, broadcasters, telephones and Parliament, allegedly in anger over Estonia&#8217;s plans to relocate a bronze soldier.</p>
<p>It is still disputed whether Brazil, a nation with reputedly the highest number of cyber criminals in the world, was hit with a cyber attack that blacked out the electrical grid north of Rio in 2005 and 2007. A bigger blackout this November plunged half the nation into darkness.</p>
<p>This past year University of Toronto researchers were called in to help the Dalai Lama&#8217;s infiltrated network. They uncovered what has now been dubbed GhostNet, a huge spy network based in China that has infiltrated embassies, foreign ministries and media in 103 countries. The malware even has the ability to turn on a computer&#8217;s camera and microphone to record a user&#8217;s conversations in the room.</p>
<p>Indeed, in a survey done at this year&#8217;s World Economic Forum by McAfee, 54 per cent of IT security executives report their systems had already been attacked, almost two-thirds of them believe by foreign governments. Power and fuel companies were hit hardest.</p>
<p>Who do they believe are the two most likely threats? The United States [36 per cent] and China [33 per cent].</p>
<p>But it was last month&#8217;s Operation Aurora that I believe will go down in the history books as the day our airy information age crashed headlong into the real-world political arena.</p>
<p>You might know Operation Aurora more familiarly as the breach that triggered Google to threaten to pull out of China. Google found its servers being used to target Chinese dissidents and 34 US companies, from Adobe to Dow Chemical.</p>
<p>Why should this story be any different from any of the others that have come before?</p>
<p>Simply put, how it was played. Not only did we find out about this attack quickly, but Google and the US Government gave it to us on a plate, standing like twin countries on the world stage.</p>
<p>Hillary Clinton shook her finger directly at China. Instead of hiding the breach for years until consumers could hear it was safely fixed, one of the world&#8217;s most powerful corporations very publicly used the attack to try to leverage another nation&#8217;s international policy.</p>
<p>While US reports mused over lost market share, Ernest J. Wilson, Dean of the Annenberg School for Communication and Journalism wrote in the Huffington Post, &#8220;They ignored what may be the biggest really important story, which is Google&#8217;s impact on the future of US international relations in the coming decades.&#8221;</p>
<p>Governments spent the last century fighting to defend the open dissemination of the building blocks of our industrial age, from steel to cars. While we were distracted with talk of terrorism at the turn of this new millennium, the first significant battles of the information age were raging when we weren&#8217;t looking.</p>
<p>Google&#8217;s spin that this is about human rights is a red herring. This is about the age-old battle for access to open markets. The difference today is that nearly the entire value of Google&#8217;s product is the free worldwide access itself.</p>
<p>In a game of chicken, Google is playing as if they were any other nation state. I&#8217;ll face-shame you to every potential foreign investor if you don&#8217;t play by our rules, Google has threatened.</p>
<p>The irony is that China is rightly making the exact same argument but with real, not virtual, muscle to back it up. Google&#8217;s timing couldn&#8217;t be worse.</p>
<p>This week China is now spitting tacks at the news of America&#8217;s sale of arms to Taiwan. That won&#8217;t bode well for the Chinese seeing Google as a pawn, not a player.</p>
<p>I believe Google will lose this battle, and badly. The bigger question is who will be the new political players in a new world order that will, by necessity, fight for control of what is now the world&#8217;s most valuable currency &#8211; information.</p>
<p>www.traceybarnett.co.nz</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/tracey-barnett-virtual-battles-shaping-our-future/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No line between cyber crime and cyber war</title>
		<link>http://www.infowar-monitor.net/2009/12/no-line-between-cyber-crime-and-cyber-war/</link>
		<comments>http://www.infowar-monitor.net/2009/12/no-line-between-cyber-crime-and-cyber-war/#comments</comments>
		<pubDate>Sat, 05 Dec 2009 13:02:49 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5382</guid>
		<description><![CDATA[Source: Dave DeWalt - <a href="http://thehill.com/opinion/op-ed/70319-no-line-between-cyber-crime-and-cyber-war">The Hill</a>:<blockquote>

There’s a debate over whether the nation’s cyber-defense operations should be run by a White House cyber coordinator or a federal agency such as the Department of Homeland Security.


Both ideas have merit, but there’s an even more profound consideration, one that relates to understanding who our cyber adversaries are and how they operate.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>In the time cyber defense has become debated, those doing the debating have tended to see cyber crime and cyber war — and the individuals and organizations behind them — as two distinct camps. </p>
<p>If such an easy bifurcation were ever accurate, it no longer is. As a result, government agencies, lawmakers and the private sector need to change their approach to cyber defense.</p>
<p>Certain nations increasingly see criminal organizations as useful allies, both for their hacking skills and the “cover” they offer to a rogue nation to distance itself from an act it sponsored that might be termed an act of cyber war.</p>
<p>For examples of this growing phenomenon, one must only look at the cyber attacks that followed recent military strife between Russia and Georgia or, closer to home, the July 4 denial-of-service attacks that pounded U.S. federal agencies, the New York Stock Exchange, Nasdaq and many major private-sector networks. While investigations into both events are ongoing, it is unlikely either will produce definitive answers.</p>
<p>Were the perpetrators common criminals, foreign agents, or perhaps a little of both? Does it matter?</p>
<p>Rather than continue with this false framing device — that is, cyber crime carried out by criminals and cyber war carried out by adversarial nation states — Congress, federal agencies and the private sector will be better served by deploying technological, diplomatic, military and law enforcement solutions that reflect the borderless reality of the cyber world.</p>
<p>Grouping the private sector with governmental organisms may strike some as odd, but the breaking down of barriers among perpetrators is also happening among targets. The simple fact is that private-sector networks inevitably will find themselves caught in the crossfire of attacks intended for government targets. Or, to use another metaphor, private-sector networks are part of the collateral damage.</p>
<p>However, while the potential fallout of cyber attacks knows no borders and does not distinguish between victims, it is, inevitably, the U.S. government that has the most power to make positive changes — even if the collaborative role of the private sector, especially for technology development, is a vital one.</p>
<p>To that end, here are three things the U.S. government would be well served to do as it moves to strengthen cyber defense across the public and private sectors:</p>
<p>• Define public/private partnership. Create an entity that has the ability to transcend corporate competition. This will allow trust to be brokered and will build relationships so that the best counsel is provided to the national leadership before, during and after cyber attacks happen.</p>
<p>• Develop security standards and best practices collaboratively. Define U.S. government cyber security standards with input from the private sector and government agencies that have experience with cyber security. Specify process, performance criteria or functional specifications, not specific products or technologies.</p>
<p>• Reform FISMA. Transform the Federal Information Security Management Act into a standard, measurable, repeatable, relevant and meaningful measure of security. Agencies must be required to conduct an annual gap analysis to identify security deficiencies, while creating objectives and milestone plans to close these gaps and acquire necessary funding. </p>
<p>These aren’t the only measures that can or should be taken, but they represent a positive direction and, most importantly, reflect the world as it is.</p>
<p>DeWalt is the president and CEO of McAfee Inc., a security technology company.</p>
<p>Source:</p>
<p>http://thehill.com/opinion/op-ed/70319-no-line-between-cyber-crime-and-cyber-war</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/12/no-line-between-cyber-crime-and-cyber-war/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybercrime verging on war &#8212; McAfee report</title>
		<link>http://www.infowar-monitor.net/2009/11/cybercrime-verging-on-war-mcafee-report/</link>
		<comments>http://www.infowar-monitor.net/2009/11/cybercrime-verging-on-war-mcafee-report/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 02:03:23 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[North Korea]]></category>
		<category><![CDATA[South Korea]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5378</guid>
<description><![CDATA[Source: <a href="http://www.upi.com/Business_News/Security-Industry/2009/11/24/Cybercrime-verging-on-war-McAfee-report/UPI-88601259109050/">WASHINGTON, Nov. 24 (UPI)</a> -- <blockquote>Organized Internet-based crime has reached such intensity and scale that the distinction between cybercrime and cyberwar is being blurred, security giant McAfee said in its annual Virtual Criminology Report.

McAfee Inc., based in Santa Clara, Calif., is the world's largest dedicated security technology company. The report's findings come less than a month after the United States ran a nationwide campaign to raise awareness of cybercrime risks among individuals and businesses.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>&#8220;Is the age of cyberwar at hand?&#8221; McAfee asked in the report, citing evidence that countries hostile to industrial democracies are involved in some of the more serious and sustained cybercrime. In response, McAfee said, &#8220;nation-states are arming themselves for the cyberspace battlefield.&#8221;</p>
<p>The number of reports of cyberattacks and network infiltrations that appear to be linked to nation-states and political goals continues to increase, McAfee said.</p>
<p>&#8220;There is active debate as to when a cyberattack reaches the threshold of damage and disruption to warrant being categorized as cyberwarfare,&#8221; said the report.</p>
<p>&#8220;With critical infrastructure as likely targets of cyberattacks, and private company ownership of many of the information systems in these sectors, private companies will likely be caught in the crossfire,&#8221; the report warned.</p>
<p>McAfee CEO Dave DeWalt said, &#8220;Experts disagree about the use of the term &#8216;cyberwar,&#8217; and our goal at McAfee is not to create hype or stoke unwarranted fear. But our research has shown that while there may be debate over the definition of cyberwar, there is little disagreement that there are increasing numbers of cyberattacks that more closely resemble political conflict than crime.</p>
<p>&#8220;We have also seen evidence that nations around the world are ramping up their capabilities in cyberspace, in what some have referred to as a cyber arms race.</p>
<p>&#8220;If cyberspace becomes the next battleground, what are the implications for the global economy and vital citizen services that rely upon the information infrastructure?&#8221; DeWalt asked. &#8220;What should those of us outside the military do to prepare for the next wave of cyberattacks?&#8221;</p>
<p>McAfee believes the private sector at large needs to prepare for cyberattacks, and &#8220;those businesses that can weather the storm better than their competitors could be in a position to gain considerable market share.&#8221;</p>
<p>McAfee also called for greater transparency in current discussions on combating cybercrime. The report said, &#8220;Too much of the debate on policies related to cyberwar is happening behind closed doors.&#8221;</p>
<p>Analysts said although the Obama administration rectified this by bringing the cybercrime debate into the open, many other countries in the industrialized world still insist on confidentiality over the issue.</p>
<p>Industry sources believe criminal organizations have built alliances with adversarial governments that seek to achieve military or political advantage over democracies in the West, Asia, Latin America and elsewhere.</p>
<p>So intense is the interaction between cybercriminality and hostile governments that the distinction between cybercrime and cyberwar is increasingly blurred.</p>
<p>&#8220;The line between cybercrime and cyberwar is blurred today in large part because some nation-states see criminal organizations as useful allies. Nation-states have demonstrated that they are willing to tolerate, encourage or even direct criminal organizations and private citizens to attack enemy targets.&#8221;</p>
<p>In the case of the cyberattacks on Georgia, for example, civilians carried out the cyberattacks on targets while the Russian military invaded Georgia by land and air in August 2008. There is evidence that these civilians were aided and supported by Russian organized crime, as cited in a report by the U.S. Cyber Consequences Unit, an independent research institute.</p>
<p>Russia denied that its government or military provided any help to the attackers or communicated with them. Yet the same US-CCU report found that &#8220;the cyberattacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyberattackers,&#8221; McAfee said.</p>
<p>In a sobering conclusion, McAfee said, &#8220;While experts may disagree on the definition of cyberwar, there is significant evidence that nations around the world are developing, testing and in some cases using or encouraging cyber means as a method of obtaining political gain.&#8221;</p>
<p>Although much of that activity is shrouded in secrecy, &#8220;there is already a constant, low level of conflict occurring in cyberspace. Whether these attacks are labeled as cyber espionage, cyber activism, cyber conflict or cyberwar, they represent emerging threats in cyberspace that exist outside the realm of cybercrime.&#8221;</p>
<p>The report said &#8220;international cyber conflict has reached the tipping point where it is no longer just a theory, but a significant threat that nations are already wrestling with behind closed doors. The impact of a cyberwar is almost certain to extend far beyond military networks and touch the globally connected information and communications technology infrastructure upon which so many facets of modern society rely.</p>
<p>&#8220;With so much at stake, it is time to open the debate on the many issues surrounding cyber warfare to the global community,&#8221; said the report.</p>
<p>© 2009 United Press International, Inc. All Rights Reserved.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/cybercrime-verging-on-war-mcafee-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BBC: Age of cyber warfare is &#8216;dawning&#8217;</title>
		<link>http://www.infowar-monitor.net/2009/11/bbc-age-of-cyber-warfare-is-dawning/</link>
		<comments>http://www.infowar-monitor.net/2009/11/bbc-age-of-cyber-warfare-is-dawning/#comments</comments>
		<pubDate>Wed, 18 Nov 2009 00:42:32 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Iraq]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[North Korea]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5342</guid>
		<description><![CDATA[Source: <a href="http://news.bbc.co.uk/2/hi/technology/8363175.stm">BBC</a>

<blockquote>Cyber war has moved from fiction to fact, says a report.

Compiled by security firm McAfee, it bases its conclusion on analysis of recent net-based attacks.

Analysis of the motives of the actors behind many attacks carried out via the internet showed that many were mounted with an explicitly political aim.

It said that many nations were now arming to defend themselves in a cyber war and readying forces to conduct their own attacks.

While definitions of what constitutes cyber war are not shared, it was clear that many nations were preparing for a future in which conflict was partly conducted via the net.

"There are at least five countries known to be arming themselves for this kind of conflict," said Greg Day, primary analyst for security at McAfee Europe.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The UK, Germany, France, China and North Korea are known to be developing their own capabilities.</p>
<p>The US is known to have an operating manual governing the rules and procedures of how it can use cyber warfare tactics. It is known to have used hack attacks alongside ground operations during the Iraq war and has continued to use this cyber capability while policing the nation.</p>
<p>Mr Day said there was evidence of a growing number of attacks that could be classed as &#8220;reconnaissance&#8221; in advance of a future conflict. The ease with which the tools of such attacks can be gathered and used was worrying, said Mr Day.</p>
<p>&#8220;To go to physical war requires billions of dollars,&#8221; he said. &#8220;To go to cyber war most people can easily find the resources that could be used in these kind of attacks.&#8221;</p>
<p>The targets of such future conflicts were likely to be a nation&#8217;s infrastructure, said Mr Day, because networks of all kinds were now so embedded in people&#8217;s lives.</p>
<p>In response, he said, many nations now have an agency overseeing critical national infrastructure and ensuring that it is adequately hardened against net-borne attacks.</p>
<p>Chris Wysopal, chief technology officer at Veracode which advises many governments on security, said cyber war presented its own problems when it came to deciding motive and finding the perpetrators.</p>
<p>&#8220;In physical warfare it&#8217;s pretty clear who has which weapon and how they are using them,&#8221; he said. &#8220;In the networked world that attribution is incredibly difficult.&#8221;</p>
<p>This is not the case for cyber crime, he said, where following a trail of money can lead investigators back to a band of thieves.</p>
<p>&#8220;If it is someone stealing information or planting logic bombs, it&#8217;s far more difficult to find them,&#8221; he said.</p>
<p>Mr Wysopal said many governments had woken up to the threat and were starting to put in place systems and agencies that could help protect them.</p>
<p>However, he said, they still had some weaknesses.</p>
<p>&#8220;The thing about governments doing this is that they have a time horizon of many years,&#8221; he said. &#8220;But the criminals are doing it in a matter of months.&#8221;</p>
<p>Story from BBC NEWS:</p>
<p>http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8363175.stm</p>
<p>Published: 2009/11/17 08:18:24 GMT</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/bbc-age-of-cyber-warfare-is-dawning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

